Cloud Terms
Cloud Computing #
The NIST standard defines Cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models." These are detailed below. Cloud Stakeholders are defined on an extra page.
Cloud Characteristics #
The main features of a Cloud platform according to the NIST Standard are on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. The exact NIST definitions are pasted below.
In practice, 'broad network access' means that the X a consumer obtains from an XaaS system is reached over the network through standard protocols, so it can be used from mobile phones, tablets, laptops and workstations alike, by hundreds, thousands or even hundreds of thousands of users at the same time. 'Measured service' means that usage is metered, so that both the consumer and the provider can see which resources are being consumed (and billed). 'Resource pooling' means that the provider serves many consumers from one shared, multi-tenant pool and reassigns physical and virtual resources dynamically as demand grows or shrinks.
The key factors that differentiate cloud platforms from other forms of hosting are on-demand self-service in combination with rapid elasticity: a consumer can not only request a resource automatically, without human interaction on the provider's side, but also expects that request to be fulfilled within seconds.
On-demand self-service. #
A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.
Broad network access. #
Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).
Resource pooling. #
The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, and network bandwidth.
Rapid elasticity. #
Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
Measured service. #
Cloud systems automatically control and optimize resource use by leveraging a metering capability (on a pay per use or charge per use basis) at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
Cloud Service Models #
Cloud Service Models define what kind of service/entity the cloud customer buys from the cloud provider. The "NIST cloud computing reference architecture" refers to the service models as the "Service Layer".
Software as a Service (SaaS) #
SaaS is defined by NIST as "The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user specific application configuration settings."
Apart from application-specific data protection measures and control over a few connectivity constraints (such as enforcing encrypted communication with the web front-end over HTTPS), the consumer must delegate enforcement entirely to the provider, because the underlying infrastructure and services are unknown in terms of technology and geographical location. The client interfaces do not allow the consumer to assess how the data is actually protected.
Platform as a Service (PaaS) #
Platform as a Service (PaaS) is defined by NIST as "The capability provided to the consumer is to deploy onto the cloud infrastructure consumer created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment."
Similar to the SaaS model, the consumer has only very limited ability to control the enforcement and enactment of data protection policies and must rely on the provider to deliver the services in accordance with the required procedures and levels.
Infrastructure as a Service (IaaS) #
Infrastructure as a Service (IaaS) is defined by NIST as "The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls)."
Because this model gives the consumer more control, it also offers more ways to enforce data protection independently of the IaaS provider. For example, on top of the provided storage (such as a block volume or an object store) the consumer can encrypt the data, or split it into parts distributed across several providers, to meet particular requirements. The consumer still has no control over the physical location of the server or its surroundings (type of room, thickness of the walls around the servers, access policies for the provider's system administrators, and so on), and the provider retains control of the layers beneath the guest operating system, so consumer-side protection is only as strong as the keys the consumer keeps outside the provider's reach.
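As an added example of the consumer-side protection described above (illustrative code written for this page, not an API of any cloud provider), the following Python splits a record into one share per storage provider so that no single provider holds recoverable data, and binds the record to an integrity key that only the consumer holds. The provider names and the in-memory "buckets" are placeholders standing in for object stores at different IaaS providers, and the sample record and key are constructed for the demonstration.

```python
"""Consumer-side data protection on top of IaaS storage (added example).

Illustrative code for this page, not the API of any provider. The 'providers'
are plain dicts standing in for object stores at different IaaS providers;
their names are placeholders. The consumer keeps MAC_KEY itself, so
confidentiality and integrity do not depend on any single provider, even
though the consumer cannot control where the bytes physically live.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

# Constructed sample: a consumer-held integrity key. In practice it is generated
# once and kept in the consumer's own key store, never uploaded to a provider.
MAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_into_shares(data: bytes, n: int) -> List[bytes]:
    """n-of-n XOR split: n-1 shares are uniformly random pads, the last one is
    data XOR all pads. Any n-1 shares are independent of the data, so a single
    provider learns only the length of what it stores."""
    if n < 2:
        raise ValueError("need at least two shares")
    pads = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for pad in pads:
        last = _xor(last, pad)
    return pads + [last]


def combine_shares(shares: List[bytes]) -> bytes:
    """Inverse of split_into_shares: XOR every share together."""
    if not shares:
        raise ValueError("no shares")
    out = bytes(len(shares[0]))
    for share in shares:
        if len(share) != len(out):
            raise ValueError("share length mismatch")
        out = _xor(out, share)
    return out


def integrity_tag(key: bytes, name: str, data: bytes) -> bytes:
    """HMAC-SHA256 over object name and content, keyed by the consumer's key,
    so a provider can neither alter the data nor swap objects unnoticed."""
    return hmac.new(key, name.encode() + b"\x00" + data, hashlib.sha256).digest()


def store(name: str, data: bytes, providers: Dict[str, Dict[str, bytes]], key: bytes) -> bytes:
    """Write one share per provider; return the tag the consumer keeps locally."""
    shares = split_into_shares(data, len(providers))
    for bucket, share in zip(providers.values(), shares):
        bucket[name] = share  # stands in for an upload to that provider
    return integrity_tag(key, name, data)


def retrieve(name: str, providers: Dict[str, Dict[str, bytes]], key: bytes, expected_tag: bytes) -> bytes:
    """Fetch every share, recombine, and refuse data whose tag does not verify."""
    shares = [bucket[name] for bucket in providers.values()]
    data = combine_shares(shares)
    if not hmac.compare_digest(integrity_tag(key, name, data), expected_tag):
        raise ValueError("integrity check failed: a share was altered or substituted")
    return data


def demo() -> dict:
    """Round trip, then show that corrupting one provider's copy is detected."""
    providers = {"provider-a": {}, "provider-b": {}, "provider-c": {}}  # placeholders
    secret = b"customer record 4711: balance=1200.00 EUR"  # constructed sample
    tag = store("records/4711", secret, providers, MAC_KEY)
    restored = retrieve("records/4711", providers, MAC_KEY, tag)
    single_share_reveals_plaintext = providers["provider-a"]["records/4711"] == secret
    # Simulate one provider (or an attacker inside it) flipping a single bit.
    share = bytearray(providers["provider-b"]["records/4711"])
    share[0] ^= 0x01
    providers["provider-b"]["records/4711"] = bytes(share)
    try:
        retrieve("records/4711", providers, MAC_KEY, tag)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "restored": restored == secret,
        "single_share_reveals_plaintext": single_share_reveals_plaintext,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The XOR split is an n-of-n scheme: every provider must be reachable to read the data back, which trades availability for the guarantee that any subset of providers learns nothing. A threshold scheme, or authenticated encryption with a consumer-held key, would be the usual production choice; the point here is only that the consumer can enforce confidentiality and integrity without trusting any one provider, while still having no say over where the shares physically reside.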
Cloud Operation Models #
Clouds cannot be defined only along the horizontal service layers; orthogonally to those, one also has to consider the different operation models (NIST calls them deployment models). The two schemes are independent, so there can for example be public IaaS and public SaaS clouds, or private IaaS and private PaaS clouds.
Public Cloud #
Starting again from NIST, a Public Cloud is “infrastructure [is] provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.” This means that the infrastructure is used simultaneously by a potentially very large number of other consumers (“multi-tenancy”). Consumers know nothing about their fellow tenants and have no control over, or information about, whether their services run on the same physical hardware, share network connections, or otherwise share resources with other consumers.
Private Cloud #
In contrast to the public cloud, a private cloud is defined by NIST as “infrastructure [is] provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.” The organization is the only consumer of such an infrastructure. When it also owns and operates it, the infrastructure is under its complete control and, from a data protection viewpoint, does not differ from the virtualised or physical server infrastructure widely used in businesses today; when a third party operates it or it is hosted off premises, the same questions about the operator and the location arise as for any outsourced hosting.
Community Cloud #
The community cloud differs from the private cloud in that not one organization but a group of collaborating organizations operates the cloud. NIST defines this type of cloud as “infrastructure [is] provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.”
Hybrid Cloud #
The models above are not mutually exclusive. Quite often a mixture is used, since different infrastructures may suit different applications. The NIST definition says that a hybrid cloud “infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).”
Cloud Architecture #
Physical Resource Layer #
Includes all the physical resources used to provide cloud services, most notably, the hardware and the facility.
Resource Abstraction Layer #
Entails software elements, such as hypervisor, virtual machines, virtual data storage, and supporting software components, used to realize the infrastructure upon which a cloud service can be established.
Other Terms #
Cloud Service Orchestration #
Refers to the arrangement, coordination and management of cloud infrastructure to provide different cloud services to meet IT and business requirements.
Guest Operating System #
An Operating System under the control of the cloud customer (running in a virtualised environment).
Virtual Machine #
A Virtual Machine provides a complete virtual computer, including CPU, RAM and storage, capable of running a full operating system, called the Guest Operating System.