Cloud NIST Architecture
A Comprehensive Guide to Actors, Roles, and Activities
What is NIST?
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce. Founded in 1901, its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology. Its Cloud Computing Reference Architecture (SP 500-292) describes the actors involved in cloud computing, their roles, and how they interact.
The Five Key Actors
NIST identifies five essential actors in the cloud computing ecosystem:
- Cloud Consumer: The person or organization that uses services from Cloud Providers.
- Cloud Provider: The entity responsible for making services available and managing infrastructure.
- Cloud Auditor: An independent party that assesses security, performance, and compliance.
- Cloud Broker: A middleman that manages use, performance, and delivery of services.
- Cloud Carrier: The intermediary that provides the connectivity and transport of cloud services between Providers and Consumers.
1. Cloud Consumer
The Cloud Consumer is the central stakeholder who maintains the business relationship with the Provider. Their core activities include:
- Service Retrieval: Browsing catalogs and selecting appropriate services.
- Contracting: Setting up Service Level Agreements (SLAs) and contracts.
- Service Use: Performing technical tasks like running code or entering data.
- Billing & Payment: Paying based on a "Measured Service" (pay-per-use) model.
Shared Responsibilities: Consumers must verify SLAs for uptime requirements, plan for data portability to avoid vendor lock-in, and ensure their specific instances meet regulatory compliance.
2. Cloud Provider
The Cloud Provider manages five core activity areas (security and privacy are grouped together in the last item below):
- Service Orchestration: Coordinating CPU, storage, and networking to deliver IaaS, PaaS, or SaaS.
- Cloud Service Management: Handling business support (billing/accounts) and technical provisioning/configuration.
- Service Deployment: Deciding the environment (Public, Private, Hybrid, or Community).
- Security & Privacy: Implementing physical and logical security controls while protecting Personally Identifiable Information (PII).
3. Cloud Auditor
An independent party that verifies claims about security, privacy, and performance. Examples of auditors include:
- Deloitte: Risk advisory and security assessments.
- PwC: Cyber risk quantification and SOC 2/ISO compliance.
- EY: Global compliance and digital trust.
- KPMG: Financial-grade cloud security.
- Coalfire: FedRAMP and PCI-DSS standards.
- FedRAMP 3PAO: Authorized to audit providers for U.S. government data.
- Internal Auditors: Large enterprises audit their own private clouds internally, using tools such as AWS Audit Manager or Prisma Cloud.
4. Cloud Broker
Brokers manage relationships in complex multi-cloud environments through several roles:
- Service Intermediation: Adding value (security, cost analytics) to existing services (e.g., CloudZero, Bitglass).
- Service Aggregation: Combining multiple services into a single platform/bill (e.g., Pax8, AppDirect).
- Service Arbitrage: Automatically switching between providers based on cost or performance (e.g., Jamcracker, Morpheus Data).
- Marketplace Broker: Platforms like AWS Marketplace that allow buying third-party software on a single bill.
5. Cloud Carrier
The "invisible backbone" that transports data between the Provider and Consumer.
- Network Provisioning: Ensuring sufficient bandwidth to prevent lag.
- Traffic Management: Using routers and fiber optics for reliable transfer.
- SLA Maintenance: Carriers must ensure connectivity uptime; without it, the cloud is inaccessible.
- Physical Transport: Physically shipping storage media (hard drives) when a dataset is too large to transfer practically over the internet.