This content is part of the Essential Guide: Your manual to the modern cloud computing network
Get started Bring yourself up to speed with our introductory content.

The definition of cloud computing: Why it matters to IT security

So, what is cloud computing anyway? The definition isn't always clear. Ravila Helen White helps enterprise security professionals figure it out.

Cloud computing is a ubiquitous part of nearly every current enterprise IT strategy and organizational architecture,...

with operational overheads increasingly being transferred to third parties to manage and maintain traditional in-house enterprises services.

Knowledge of cloud computing is now an essential element in protecting enterprise users, data and infrastructure successfully.

Cloud providers now offer diverse services ranging from payroll, recruiting, performance management, training and storage. As average computing costs decline, expertise for technology and its associated resources has increased, largely due to interconnectivity requirements between consumers of services and providers of services.

Due to the influence of cloud computing, security practitioners of all stripes are in a unique position compared to their IT peers. Whereas the span of control and responsibility of the latter is often limited to corporate offices and data centers, security practitioners must also consider third-party networks, typically referred to as the cloud, and devices outside of their control. Whether you are a CISO managing a team of security professionals or an engineer tasked with securing an organization's key assets, knowledge of cloud computing is now an essential element in protecting enterprise users, data and infrastructure successfully.

Of course, before security pros can protect cloud-related assets, they need to be able to answer a seemingly simple question: What is the cloud? In this tip, we'll look at existing cloud computing definitions, and then attempt to fill in the security gaps left by those definitions for the benefit of enterprise security professionals.

Reassessing current definitions of cloud computing

Though we discussed some loose definitions for cloud computing, it's vital that security pros have a firm grasp of cloud technologies rather than just vague ideas. The National Institute of Standards and Technology (NIST) actually provides a useful cloud computing definition, which goes as follows: "A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." The NIST also breaks down the cloud model by essential characteristics, service models and deployment models. The table below provides an overview of this model:

Cloud computing


Service model

Deployment model

On-demand self-service Software as a Service (Saas) Private cloud
Broad network access Platform as a Service (PaaS) Community cloud
Resource pooling Infrastructure as a Service (Iaas) Public cloud
Rapid elasticity   Hybrid cloud
Measured service    

Some analysts and vendors have defined cloud computing narrowly as an updated version of utility computing (basically, virtual servers available over the Internet). Other security figures go broader with their definitions, arguing that anything consumed outside the corporate firewall is "in the cloud," even going as far as including conventional outsourcing.

These definitions are useful, yet we are left with several obvious gaps. For example, the bring your own device (BYOD) movement, one of the most revolutionary changes to business environments in recent years, is not included in the discussion. Through BYOD traditional consumer and/or private networks (e.g. home or small businesses) are extended into large corporate settings. Home networks also possess all the elements of NIST's cloud computing definition and are outside corporate firewalls, but do security practitioners think of home networks as part of the cloud?

From the editors: More on NIST cloud guidance

Beyond providing a definition for cloud computing, NIST has analyzed other key cloud security issues that have the potential to plague enterprises. In this tip, Karen Scarfone, principal consultant at Scarfone Cybersecurity, reviews Draft NIST Interagency Report 7904, which demonstrates how to establish a hardware root of trust in order to secure cloud geolocation techniques.

In this case, the traits that distinguish the cloud from BYOD and home networks are location, sphere of control and contractual obligations. Whereas the service models defined by NIST provide some level of obligation through contracts, BYOD largely operates on the honor system. For example, if my home network is breached, I am under no obligation to disclose the breach to my employer, even if I am provided access to company assets through a VPN connection. If my employer's network becomes compromised as a result, I will not be held liable for breach notification or damages, nor is my employer aware of who has access to my home computing network.

To provide comprehensive protection, IT security teams must also consider those extended, employee-owned infrastructures -- we'll call them Consumer as a Service (CaaS) infrastructures – and, just as importantly, treat them as untrusted by default, with enterprise controls and countermeasures designed from that perspective. These CaaS infrastructures will require a security posture similar to that of other hybrid cloud computing implementations.

The deep Web, or dark Web, as it is also often called, creates another gap in those cloud definitions. Unavailable to modern search engines, this area of the Internet is the bread and butter of security practitioners and the bane of those affected by its hostile anonymity. The deep Web's structure of covert channels, encryption and distributed file systems, which scale on demand with little cost, render it fairly impenetrable. This Threat as a Service (TaaS) model can be extended on demand from an attacker's home or a compromised infrastructure, providing malicious actors the ability tooverwhelm vulnerable targets with traffic regardless of geographic locale or industry.

For the purposes of this discussion, one must also consider the inert cloud, which is the final security gap in our cloud definitions. Considered inert because we bare little influence in the laws and regulations that govern it it consists of entities that govern, police and regulate the Internet. Despite having little control over them, organizations must comply with (or successfully circumnavigate) these inert entities or face removal from the Internet.

The Internet (e.g., registrars, ISPs, telecommunication entities, etc.) is a superset system comprising subset systems in a mutually inclusive relationship: One cannot exist without the other. Therefore, one must consider the whole of the system to ensure end-to-end protection. Below is the NIST chart for cloud computing, updated to reflect the complete system that is the cloud with these gaps plugged.

Cloud computing


Service model

Deployment model

On-demand self-service Software as a Service (Saas) Private cloud
Broad network access Platform as a Service (PaaS) Community cloud
Resource pooling Infrastructure as a Service (Iaas) Public cloud
Rapid elasticity Consumer as a Service (CaaS) Hybrid cloud
Measured service Threat as a Service (TaaS) Inert cloud

Reviewing cloud activity

As we've shown, the cloud is an often hazily defined concept, with even such a respected agency as NIST leaving gaps. With the updated definition we've provided, however, security practitioners should consider reassessing their IT environments with some of the issues we've raised in mind. Hopefully, the definition will provide an introspective view of corporate infrastructures and insight regarding the breadth of protection required at most organizations.

About the author:
Ravila Helen White is the director of IT architecture for a healthcare entity. She is a CISSP, CISM, CISA, CIPP and GCIH, and a native of the Pacific Northwest.

Dig Deeper on Cloud Network Security Trends and Tactics

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.