Many Clouds in the Sky
A couple of days ago, I posted an article about penetration testing within AWS. I commented on the different kinds of testing within that kind of environment, but I didn't add much detail about the kinds of environments themselves, as I was speaking specifically about AWS.
So I decided to break things down a little further:
Part 1. An Introduction to Cloud Computing (you are here)
I'm going to do a short piece here to discuss the concepts of cloud itself a little more, for those who haven't made the jump. What is cloud computing? Microsoft neatly defines it as "the delivery of computing services over the Internet, typically charged based on usage", whereas Amazon words it as "on-demand delivery of IT resources via the internet with pay-as-you-go pricing".
Taking it a step further, however you think about it, there are multiple clouds. People often speak as though there is only one ("We host our applications on the cloud"), but there are in fact many. Whilst some will use "The Cloud" as a synonym for "The Internet", when we think of "Cloud Services" and "Cloud Providers" there are multiple of each.
We can break cloud computing down by type of cloud, by service delivery model, or by provider. The first looks at the difference between "Public" and "Private" clouds; the second at service delivery models such as "Infrastructure as a Service", "Platform as a Service", and "Software as a Service"; and the third at vendors such as Amazon, Microsoft, or Google. I'll take a look at each of these below:
Public and Private
For the definitions here I’ll defer to a NIST document, SP 800-145 – “The NIST Definition of Cloud Computing”, which defines a private cloud as:
“The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.”
The same document defines a public cloud as:
“The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.”
To confuse matters there are two additional terms which are important: virtual private cloud and hybrid cloud. A virtual private cloud (VPC) is simply an isolated area of a public cloud allocated to a single organisation. Note that the isolation is logical, enforced by the provider's network and identity controls, not physical: the underlying hardware is still shared with other tenants. A hybrid cloud, in NIST's terms, is a composition of two or more distinct cloud infrastructures (private or public) that remain unique entities but are bound together by technology that enables data and application portability. An example of hybrid cloud use might be an organisation that deploys its infrastructure to run within its private cloud but can scale out to public cloud resources when required, to absorb spikes in demand.
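When the private and public halves of a hybrid cloud are joined, or an on-premises network is connected to a VPC, both sides are routed as one network, so their address ranges must not overlap. The following is an added example, not code from the original article: a small Python check, using only the standard library, that flags overlapping CIDR blocks across a set of networks before they are connected. The network names and ranges are constructed for illustration.

```python
"""Flag overlapping address ranges among the networks that will form a hybrid cloud.

Added example, not part of the original article. The labels and CIDR blocks in
SAMPLE_NETWORKS are constructed for illustration only.
"""
import ipaddress
from itertools import combinations


def find_overlaps(networks):
    """Return a list of (name_a, name_b) pairs whose CIDR blocks overlap.

    `networks` maps a label (e.g. "on-prem-dc1", "aws-vpc-prod") to a CIDR
    string. strict=True makes ipaddress reject a CIDR with host bits set
    (e.g. "10.0.0.1/16"), so a typo raises ValueError instead of being
    silently normalised.
    """
    parsed = {
        name: ipaddress.ip_network(cidr, strict=True)
        for name, cidr in networks.items()
    }
    overlaps = []
    for (name_a, net_a), (name_b, net_b) in combinations(parsed.items(), 2):
        # IPv4 and IPv6 ranges cannot collide, so only compare like with like.
        if net_a.version == net_b.version and net_a.overlaps(net_b):
            overlaps.append((name_a, name_b))
    return overlaps


# Constructed sample: one on-premises private cloud plus two public-cloud VPCs.
# The dev VPC has been carved out of the on-premises range by mistake.
SAMPLE_NETWORKS = {
    "on-prem-dc1": "10.0.0.0/16",
    "aws-vpc-prod": "10.1.0.0/16",
    "aws-vpc-dev": "10.0.128.0/17",
}

if __name__ == "__main__":
    clashes = find_overlaps(SAMPLE_NETWORKS)
    if not clashes:
        print("no overlapping ranges; these networks can be routed together")
    for name_a, name_b in clashes:
        print(f"overlap: {name_a} and {name_b} cannot be routed together")
```

Run it against the real ranges of every network you intend to connect; an overlap found here is far cheaper than one found after a VPN or peering link is up and traffic starts taking the wrong route.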
Cloud Service Models
Cloud services can be further broken down into categories: Infrastructure, Platform, and Software. These allow an organisation to vary the amount of management it is responsible for when using systems. Incidentally, these are also defined within NIST SP 800-145.
The differences between the cloud service models are which components, or layers, of the stack are under which party's control and responsibility. Reading from the top of the stack down, the split is roughly:
Layer                          IaaS       PaaS       SaaS
Data and access control        Customer   Customer   Customer
Application                    Customer   Customer   Provider
Runtime and middleware         Customer   Provider   Provider
Operating system               Customer   Provider   Provider
Virtualisation                 Provider   Provider   Provider
Servers, storage, networking   Provider   Provider   Provider
Whichever model is chosen, the customer remains responsible for its own data, the identities it grants access, and how that access is configured; no provider takes that on.
On one hand there is a benefit to an organisation in having fine-grained control over its systems; on the other, there is reduced complexity in using a system when less control is retained. For example, if you want minimal control and simply want to use an application, then software-as-a-service allows for this. Examples of popular SaaS platforms are Office 365, Netflix, G Suite, and Adobe Creative Cloud. These allow companies and users to make use of an application without having to worry about deploying and managing the systems themselves.
A more flexible approach is platform-as-a-service, where the operating system, servers, storage, and network are all managed by the provider. This allows developers to create and deploy applications without worrying about applying security patches to the operating system or about the availability of the underlying compute, storage, and networking. What the provider does not take on is the application itself: vulnerabilities in the customer's code, secrets it embeds in configuration, and the permissions it grants remain the customer's problem.
Finally, infrastructure-as-a-service also gives the customer control over the operating system, and with it the responsibility for patching and hardening it, whilst retaining the benefit of only paying for resources based on actual consumption. The provider's responsibility stops at the hypervisor, physical hosts, storage, and network.
Providers and Market Share
Finally, the last way I mentioned to break cloud down into categories was by provider. Amazon has retained the greatest market share for a long time, but they are certainly not the only provider. An SRG Research article describes the breakdown in Q1 2018 as: Amazon 33%, Microsoft 13%, IBM 8%, and Google 6%, with the remainder spread across smaller providers.
Visually, that is:
So in closing, there is not a single cloud; there are many clouds. However you choose to consider the concept of cloud computing, there are competing ideas, models, and providers. Therefore, if somebody says "We'd like to move to the cloud", maybe the correct response should be: "Which one?"