Earlier this month, the Computer Security Division of the National Institute of Standards and Technology (NIST) issued draft recommendations on cloud computing (PDF). As many of you know, NIST is an agency of the U.S. Department of Commerce. Founded in 1901, the agency was the nation’s first physical science research laboratory.
In the e-discovery field, we know it better for its list of 65 million hash values of system and program files (the “NIST” list). We use the list to remove unwanted files before we process documents and other data. The NIST list is the gold standard for our industry and we use it every day.
NIST is involved in many other areas of inquiry, including the International System of Units (as discussed in my recent post, How Many Bytes in a Gigabyte? My Answer Might Surprise You). It also recently issued draft guidelines on security and privacy in cloud computing and launched the NIST Cloud Computing Collaboration wiki to encourage collaboration in refining its cloud standards.
What is Cloud Computing?
In the 84-page draft, Cloud Computing Synopsis and Recommendations, published May 12, the NIST team set out to write a primer on the cloud—types, deployment models, service models, cloud security and, ultimately, the benefits of cloud computing. They start with NIST’s definition of cloud computing, which is tricky because:
“Cloud computing is not a single kind of system, but instead spans a spectrum of underlying technologies, configuration possibilities, service models, and deployment models.”
Thus, while the term “cloud” is often used as a synonym for the Internet, cloud computing means more than simply the transmission of data over the Internet.
“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
According to the NIST definition, cloud computing has five essential characteristics:
- On-demand self service.
- Broad network access.
- Resource pooling.
- Rapid elasticity.
- Measured service.
Following this logic, one could argue either way for many of the e-discovery providers who bill themselves as cloud providers. While they may offer a hosted product via the Internet, they may not meet NIST’s requirements for on-demand self service, resource pooling and rapid elasticity.
There are several service models for cloud computing, each with different strengths and weaknesses:
- Cloud Software as a Service (SaaS): Cloud e-discovery providers would fall under this category. They offer a product accessible via a browser but manage the underlying infrastructure including network, servers, operating system, storage and applications.
- Cloud Platform as a Service (PaaS): This allows consumers to deploy their applications on top of a cloud infrastructure.
- Cloud Infrastructure as a Service (IaaS): Consumers essentially rent the infrastructure but determine their own software and even the OS they will use.

Figure: NIST's depiction of how control is shared in a SaaS model.
There are also four different deployment models for cloud computing:
- Private cloud: This refers to infrastructure that is operated solely for one organization. It may be managed by a third party but is dedicated to that purpose.
- Community cloud: In this case, a group of users provision a cloud infrastructure for a common purpose.
- Public cloud: Here, the infrastructure is made available to the general public, although owned by the organization selling the service.
- Hybrid cloud: This would be a combination of two or more clouds (private, community or public) that are connected by technology that allows data or application portability.
Why Read the Guidelines
If you are considering the cloud for any of your applications, this is a helpful document. The authors discuss operational characteristics, standards for service-level agreements and security considerations. Ultimately, they talk about the benefits of cloud computing and why organizations like law firms and corporations might consider it.
Cloud computing is relatively new to the legal community, as it is to the rest of the business world. Why use it? Here is the NIST view:
“In outsourced and public deployment models, cloud computing provides convenient rental of computing resources: users pay service charges while using a service but need not pay large up-front acquisition costs to build a computing infrastructure. … By using an elastic cloud, customers may be able to avoid excessive costs from overprovisioning, i.e., building enough capacity for peak demand and then not using the capacity in non-peak periods.”
Earlier this year, we dumped our Exchange servers in favor of Gmail (via Google Apps). There was some grumbling at first but the transition was a success. The service has worked as well as Exchange, the product is continually updated and we don’t have to worry about hardware or software upgrades. Although email is critical to our business, it isn’t one of our core services. So why run it ourselves? Turns out we don’t need to and we get the added benefit of Google Docs, Google Calendar and other features.
Is it right for you? I would give it a good look the next time you think about upgrading or switching providers. It is the way the computing world seems to be going.
As for NIST’s draft guide to cloud computing, the agency is seeking comments from the public. The U.S. government’s CIO has asked NIST to lead federal efforts on developing standards for data portability, cloud interoperability and security. The goal, according to NIST, “is to help the federal government reap the benefits of cloud computing.” Comments must be submitted by June 13.



