CIO view: NIST helps cut vendor cloud FUD

Recently updated research from NIST helps CIOs cut through the fear, uncertainty, and doubt of vendor hype about cloud computing.
Written by Michael Krigsman, Contributor on

Cloud image credit: Michael Krigsman

Talk to enterprise software vendors about the cloud and you will likely hear conflicting claims and phrases, such as:

  • "Cloud will replace virtually all on-premise software in the near future"
  • "On-premise software will forever play a critical role in the enterprise"
  • "Public cloud is the only economically viable cloud"
  • "Private cloud is the only economically viable cloud"
  • "Public cloud is more secure than on-premise or private cloud"
  • "Private cloud is more secure than public cloud or on-premise"
  • "On-premise is more secure than any cloud"
  • <Insert your own biased claim here>

The problem is that all (or none) of these claims may be true (or not) depending on specific circumstances and whether you take a long- or short-term perspective. Amid vendor hype that spreads fear, uncertainty and doubt, finding truth in cloud marketing is challenging at best.


To address confusion around cloud, the National Institute of Standards and Technology (NIST) recently published a document confidently called Cloud Computing Synopsis and Recommendations (PDF download). The NIST report updates a previous version that was released in February, 2011.

Also Read:

  • NIST Cloud Computing Reference Architecture, Version 1 (PDF download)
  • NIST Cloud Computing Collaboration Site
  • US Government Cloud Computing Technology Roadmap Volume II Release 1.0 (Draft) (PDF download)

The NIST document opens with a balanced statement explaining that various cloud configurations make sense, depending on the needs and goals of the buying organization:

Depending on an organization's requirements, different technologies and configurations are appropriate. To understand which part of the spectrum of cloud systems is most appropriate for a given need, an organization should consider how clouds can be deployed (deployment models), what kinds of services can be provided to customers (service models), the economic opportunities and risks of using cloud services (economic considerations), the technical characteristics of cloud services such as performance and reliability (operational characteristics), typical terms of service (service level agreements), and the security opportunities and risks (security).

The NIST recommendations are important to helping CIOs and other IT decision makers navigate the many choices and options associated with cloud computing. Although directed primarily to CIOs working in the federal government, the issues are equally relevant to private sector CIOs.


Given the political and economic sensitivities related to cloud choices, NIST does a reasonable job taking a neutral position and avoiding language or concepts that push toward (or away from) specific vendors.

That said, not everyone speaks positively about NIST's work on cloud computing. For example, cloud architect, Randy Bias, wrote:

This is why I think the NIST definition of cloud computing is such a huge FAIL. Its focus is on the superficial aspects of ‘clouds’ without looking at the true underlying patterns of how large Internet businesses had to rethink the IT stack.

This criticism mirrors my primary issue with the NIST document -- it presents cloud as a set of mechanistic economic, technical, architectural, and security choices while ignoring the real power of cloud to change how an organization operates and creates value. However, it would be virtually impossible for NIST to dive deeper into organizational benefits without quickly losing the neutrality that is its primary benefit.

Cloud architecture and security expert, Chris Hoff, counters Randy Bias, arguing:

Frankly, NIST’s early work did more to further the discussion of *WHAT* Cloud Computing meant than almost any person or group evangelizing Cloud Computing…especially to a world of users whose most difficult challenge is trying to understand the differences between traditional enterprise IT and Cloud Computing

Chris is precisely correct: CIOs should view the NIST document as a helping hand that describes cloud options, architectures, and trade-offs. It is not a guidebook to organizational transformation, nor does it explain how to create new and better worlds of business, commerce, or life in general.

To gain additional perspectives on the NIST work, I spoke with several prominent cloud authors and analysts.

Author of the upcoming book Cloudonomics, Joe Weinman, said:

The cloud has dozens, if not hundreds, of definitions and variations, at least some created by vendors and service providers who would like to leverage customers’ immense interest in the cloud to reposition and rebrand their offers. All things considered, NIST has done an admirable job of capturing the complexity and richness of the essential characteristics and breadth of variations of the cloud model, providing an objective, non-commercial definition and balanced set of insights into the potential—and potential issues—of the cloud, while also considering the concerns of a broad variety of stakeholders.

Cloud analyst, Krishnan Subramanian, commented:

NIST's model is a very good starting point and end confusion over the very definition of cloud computing, which can help organizations kick start their cloud strategy. From this angle, I think the NIST document is very good.

However, I disagree with how they describe the Abstraction Interaction Dynamics with respect to SaaS and PaaS, because it may allow traditional vendors to "cloud wash" their offerings; I would that NIST take a more progressive stance on the topic. In short, we should not take NIST as a Bible but consider it a starting point for future innovation.

Author and fellow member of the Enterprise Irregulars group, Nenshad Bardoliwalla, added:

The NIST document provides a useful taxonomy for consumers looking to understand the essence of cloud solutions. The essential characteristics of self-service, resource pooling, and rapid elasticity are well established in the market as defining for cloud solutions, and there is little debate in the market at this point on their validity. The notion of SaaS, PaaS, and IaaS service models is also now the commonly accepted way to segment the layers of cloud solutions.

Where there remains significant debate in the market is the legitimacy of the various deployment models, especially the polarities of public versus private cloud. Consumers need to look past religious postures of the various vendors to identify which type of solution makes the most sense given their requirements for control, security, portability, economic feasibility, etc.


NIST has done an excellent job describing key cloud computing issues in a vendor neutral manner, for which we should commend them. However, CIOs should remember that the true value of cloud lies in business transformation, which goes beyond mechanistic and technical approaches alone. Therefore, use the generic NIST approach as a guide, but shape and adapt the meaning to provide greatest value to your organization and stakeholders.
