In the digital age in which we live, cloud computing has become a ubiquitous and essential tool for storing and accessing data online.
By Gigi Agassini, CPP*
With the mass adoption of cloud services, new concerns arise about information security and the protection of sensitive data. Cybersecurity and cloud are inextricably linked, and it's crucial to understand the challenges and opportunities this presents.
The idea of sharing computational resources and services over a network has roots in the 1950s. At that time, computers were very expensive and people were looking for ways to make the best possible use of them. Mainframes allowed multiple users to access them remotely using terminals.
As technology evolved, concepts such as "distributed computing" and "virtualization" emerged in the 1960s and 1970s. ARPANET, considered the first internet, was created mainly as a means of communication between different state academic institutions in the United States; its first "node" was created at the University of California at Los Angeles (UCLA). ARPANET remained the backbone of the Internet until 1990, after completing the transition to the TCP/IP protocol model that began in 1983; its invention was the responsibility of the Department of Defense.
The term "cloud computing" began to gain popularity in the late 1990s and early 2000s, when several technology companies began exploring ways to provide services and applications over the web. Let's not forget that email, which today has undoubtedly become an indispensable tool for everyone, on a personal and business level, dates back to 1962.
The arrival of Amazon Web Services (AWS) in 2006 marked a significant milestone in the development of "cloud computing", allowing companies to rent computing resources, such as servers and storage, and generate savings. This innovative "pay-as-you-go" business model is characteristic of the cloud, and companies such as Microsoft, with Azure, and Google, with Google Cloud, joined in, creating competition and encouraging innovation in cloud computing.
Cloud computing is a widely used, but often misunderstood, term. When people hear that "their data" is in the cloud, they often imagine an amorphous, almost magical computing and storage environment. Others associate cloud computing with a specific service offering, such as Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure, Oracle Cloud, IBM Cloud, Alibaba Cloud, and others. But as Paul Maritz, CEO of VMware, put it: "The cloud is about how you do computing, not where you do it."
In fact, the cloud is not amorphous but a very physical, if ever-changing, collection of servers and storage drives in data centers, linked through fiber-optic networks routed through interconnection points that can be accessed through your internet service provider in your home or office, or through your cellular network provider and smartphone.
One of the key features of the cloud is the appearance of infinite computing and storage resources. When you access a cloud provider, such as Amazon Web Services (AWS), you can activate any number of virtual machines (VMs) and link them to as many terabytes of storage as you want. From the cloud provider's perspective, it needs to have only one more VM available than the largest number of VMs ordered to create the illusion of infinite compute capacity. Similarly, if there is at least one terabyte of unreserved storage on the cloud provider's premises, the consumer keeps the illusion of infinite storage at their disposal.
Another key feature of the cloud is rapid scalability. We often hear about Netflix's use case in this context. Netflix will double its streaming capacity just before the weekend by expanding its AWS infrastructure on Friday. It will then "turn off" excess capacity on Monday, returning to the level required for the workweek, when there is less demand for its streaming service, allowing it to generate savings without disrupting its service.
Another example of the use of scalability is the testing and prototyping of systems. Activating multiple test environments in the cloud just before a major release and then freeing up those resources at the end of the quality assurance (QA) cycle reduces testing costs and increases software quality by enabling a more comprehensive test environment; many deployments rely on this agility to create multiple test environments.
The National Institute of Standards and Technology (NIST) defines cloud computing as "a ubiquitous model that enables convenient, on-demand network access to a shared pool of configurable computing resources that can be quickly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential features, three service models, and four deployment models" (NIST, 2011).
Service models share the same five essential characteristics of cloud computing:
1. On-demand self-service; where the end user can add or remove services by themselves without the intervention of a technical support person.
2. Wide network access; usually via the internet bus, but also via dedicated fiber links.
3. Pooling of resources; through virtualization and partitioning techniques.
4. Fast elasticity; which allows you to add or remove compute resources dynamically, in a matter of seconds or minutes, as if you had infinite computing resources.
5. Metered service; with a pay-as-you-go model.
The three service models are:
1. Software as a Service (SaaS) is a specific application that is designed for end users to perform useful work delivered over the web. The tenant of a SaaS service delegates many activities to the SaaS service provider.
According to NIST, a SaaS is "the ability provided to the consumer to use the provider's applications running on a cloud infrastructure. Applications can be accessed from multiple client devices through a thin client interface, such as a web browser or program interface. The underlying cloud infrastructure, including the network, servers, operating systems, storage, or even the capabilities of individual applications, is not managed or controlled by the consumer, with the possible exception of user-specific application configuration settings."
SaaS makes sense when there are extensive mobility requirements or significant interactions with third-party stakeholders, because the user organization doesn't have to build an extensive distribution network. Similarly, with broad third-party access, user organizations don't have to grant external access to their internally hosted systems.
SaaS solutions are popular for non-core business functions that can operate more or less independently, e.g., CRM, payroll, recruiting, etc.
Other areas where SaaS solutions are becoming more dominant are video conferencing, web content management, software development, customer service, and many others.
2. Platform as a Service (PaaS*) is the set of tools and services designed to make coding and deploying those applications fast and efficient. *PaaS is a registered trademark of Signature Brands LLC for a brand of Easter egg coloring.
According to NIST, PaaS (Platform as a Service) is "the ability provided to the consumer to deploy consumer-created or acquired applications to the cloud infrastructure using vendor-supported programming languages, libraries, services, and tools. The consumer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application hosting environment" (NIST, 2011).
It is a development and IT platform that allows you to create applications quickly and easily and without the complexity of buying and maintaining the software and all the related infrastructure.
While there are many PaaS options, some of the common ones are:
- Services for developing, testing, deploying, hosting, and managing applications in an integrated development environment
- UI authoring tools that enable the creation, modification, testing, and deployment of the application's UI layer.
- Ability to scale the processing power supported by deployed software to meet variations in workloads.
- Integration with web services and database services.
Some examples: Salesforce offers Force.com as a Platform-as-a-Service solution; Heroku is a PaaS solution that has greater independence for programming languages and databases; other examples of PaaS include Google App Engine and Microsoft Azure Services.
3. Infrastructure-as-a-Service (IaaS) is the hardware and software that underlies all computer storage and processing servers, SANs, networks, and operating systems. The IaaS tenant delegates a much more limited set of responsibilities and keeps the rest.
According to NIST, Infrastructure-as-a-Service (IaaS) is "the ability provided to the consumer to provision compute, storage, networking, and other critical computing resources where the consumer can deploy and run arbitrary software, which may include operating systems. The consumer does not manage or control the underlying cloud infrastructure, but has control over the operating systems, storage, deployed applications, and possibly limited control of selected network components" (NIST, 2011).
An IaaS solution is particularly suitable for certain use cases, such as:
- A start-up that doesn't have a lot of capital to invest.
- Companies that are growing rapidly.
- Solutions where demand fluctuates significantly.
- Specific lines of business, testing, or temporary needs.
All three models present a defined and usable service to a consumer, whether that consumer is an application user, a software developer, or an IT system administrator. Each service features a different level of abstraction from the actual physical hardware and differs in what the tenant controls and manages compared to the "as-a-service" provider. The difference between these three models is in the depth of the services provided, in what is commonly referred to as a Cloud Stack.
Note: The second part of this article will be published in the next issue (27-5), and soon on the website, where we will look at the implementation models for cloud computing and the risks to be taken into account in the adoption of this technology.
* Gigi Agassini, CPP
International Security Consultant