NIST 800-145: The Essential Guide to Cloud Computing Standards

By Noah Patel

Understanding the NIST 800-145 framework is essential for any organization serious about modernizing its IT infrastructure and aligning with cloud computing standards. This technical specification, published by the National Institute of Standards and Technology, provides the definitive glossary and vocabulary for cloud computing. It serves as the foundational document that clarifies the essential characteristics, service models, and deployment models that define the cloud ecosystem, ensuring that all stakeholders share a common language.

Defining the Cloud: Core Concepts and Architecture

NIST 800-145 establishes the fundamental definition of cloud computing, moving beyond marketing buzzwords to a precise technical description. At its core, cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources. These resources, such as networks, servers, storage, applications, and services, can be rapidly provisioned and released with minimal management effort or service provider interaction. This definition emphasizes the utility-based nature of the service, where consumers pay only for the capacity they actually use, transforming capital expenditures into operational expenses.

The Essential Characteristics

The framework outlines five essential characteristics that distinguish cloud computing from traditional hosting services. These characteristics are on-demand self-service, broad network access, resource pooling, rapid elasticity or expansion, and measured service. On-demand self-service allows users to unilaterally provision computing capabilities automatically without requiring human interaction with each service provider. Broad network access ensures capabilities are available over the network and accessed through standard mechanisms, promoting use by heterogeneous thin or thick client platforms. Resource pooling involves the provider’s computing resources being pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. Rapid elasticity enables capabilities to be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. Finally, measured service involves the automatic control and optimization of resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service, allowing for transparent monitoring, control, and reporting of resource usage.

Service Models: IaaS, PaaS, and SaaS

NIST 800-145 details the three primary service models that dictate how cloud resources are delivered and managed. Infrastructure as a Service (IaaS) provides virtualized computing resources over the internet, offering fundamental building blocks like compute, storage, and networking. Platform as a Service (PaaS) delivers a platform allowing customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app. Software as a Service (SaaS) provides the capability to use the provider’s applications running on a cloud infrastructure, which are accessible from various client devices through a thin client interface, such as a web browser or a mobile app. Each model represents a different level of abstraction and management responsibility, empowering organizations to choose the service level that best fits their technical needs and operational strategy.

Deployment Models for Cloud Environments

The specification also defines four common deployment models that determine the ownership, scale, and access of the cloud infrastructure. A private cloud is provisioned for exclusive use by a single organization comprising multiple consumers. A community cloud is shared by several organizations and supports a specific community that has shared concerns. A public cloud is made available to the general public or a large industry group and is owned by an organization selling cloud services. Finally, a hybrid cloud is a composition of two or more distinct cloud infrastructures, whether private, community, or public, that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability. These deployment models provide the flexibility to adopt cloud computing in a manner that aligns with security, compliance, and business requirements.

Impact on Security and Compliance Strategies

More perspective on NIST 800-145 can make the topic easier to follow by connecting earlier points with a few simple takeaways.

Written by Noah Patel

Noah Patel is a Senior Editor focused on business, technology, and markets. He favors data-backed analysis and plain-language explanations.