In recent years, the term “cloud computing” has been used and abused by vendors and their marketing groups to denote just about anything the vendor offers other than on-premise systems. Analysts too have piled on, each offering their own definition of cloud computing. This 2009 Wall Street Journal article outlined the confusion. The result has been fruitless arguments over what is “true cloud” or “false cloud,” as in the recent tit-for-tat speeches by Larry Ellison and Marc Benioff during Oracle Open World.
Such debates are likely to continue, but now there is at least one official source for the definition of cloud computing. The National Institute of Standards and Technology (NIST), an arm of the US Department of Commerce, has now published The NIST Definition of Cloud Computing. Though other standards bodies may (or may already have) published their own definitions, NIST carries particular weight as it is often referenced in U.S. governmental procurement. The NIST definition is vendor-agnostic and buyer-centric.
The NIST Definition
The NIST document is short–the body of the document comprises just three pages, with the definition itself taking up less than two pages. In it, the authors describe the essential characteristics, service models, and deployment models for cloud computing.
- The five essential characteristics are: on-demand service, broad network access, resource pooling, rapid elasticity, and measured service.
- They go on to then list three service models, which should be already familiar to most observers: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS).
- Finally, they list four possible deployment models for cloud computing: private cloud, community cloud, public cloud, and hybrid cloud.
In my mind, the section that is most useful for distinguishing what is or is not cloud computing is the first one, the “essential characteristics.” So, let me quote NIST directly (emphasis mine).
- On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
- Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
- Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).Examples of resources include storage, processing, memory, and network bandwidth.
- Rapid elasticity. Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
- Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Keep these key points in mind.
Cutting Through the Ellison/Benioff Fog
So, let’s apply these characteristics to what Larry Ellison and Marc Benioff each describe as cloud computing. In my opinion, both are right and both are wrong.
Benioff’s service, Salesforce.com, certainly meets the NIST definition of cloud computing, both in its CRM application, which meets NIST’s definition of SaaS, and in its Force.com offering, which meets the definition of PaaS. He is also correct in criticizing the labeling of Oracle’s Exalogic hardware as a “cloud in a box.” By my reading of NIST’s essential characteristics, one could construct a cloud service using Oracle’s hardware, but the hardware itself should not be considered a cloud.
But if Benioff is referring to Oracle’s newly announced Public Cloud Services as a “false cloud,” he is wrong. Oracle’s Public Cloud Services certainly meet the NIST definition of cloud computing. But it is primarily an IaaS offering, similar to Amazon’s EC2. Assuming that Oracle will offer development capabilities on top of its Public Cloud Service, those would be PaaS, and if it chooses to run applications on top of its Public Cloud Service, such as Oracle CRM On-Demand, those would be SaaS.
On the other hand, Ellison is wrong to label Salesforce.com’s PaaS offering as a “false cloud.” Ellision’s argument is that Force.com utilizes proprietary extensions to Java and other programming languages, which make it difficult to migrate applications to other cloud providers. But there is nothing in the NIST definition of cloud computing that requires interoperability between different cloud service providers, as desirable as that may be. Ellison is simply turning what he sees as a disadvantage of Benioff’s cloud into an argument that it is by definition not a cloud.
Cutting Through the Application Hosting Fog
The NIST definition is also useful for cutting through vendor marketing efforts to label anything they do off-premise as cloud computing. In particular, application vendors that simply host their on-premise solutions in their own, or partner, data centers should not be labeling those as cloud computing. In particular, simple hosting of an application does not qualify as cloud computing because it lacks the essential characteristics (see bolded sections in the quoted definition above).
With a hosted application, the customer generally cannot “unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction.” In addition, with a hosted application there is generally no “sense of location independence.” Rather, the customer usually knows the data center and may even know the data center, cage, or rack in which his hosted application resides, even if the application is hosted on a virtual server. Finally, with a hosted application, computing resources generally cannot be “elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.” Rather, the customer must negotiate provision of additional computing resources.
Notice also that the NIST definition does not mention anything about how cloud services are contracted. Some vendors point to subscription pricing as evidence of their hosted applications being cloud offerings. According to NIST, how the customer pays for the service has no bearing as to whether the service is cloud computing. It could be subscription pricing, it could be a perpetual license, or it could be something else.
The marketing hype and confusion over cloud computing will no doubt continue. But at least now NIST offers a reasonable and objective definition.