NIST Definition v15… Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
Characteristics/Deployment models (NIST) On-demand self-service Broad network access Resource pooling Rapid elasticity Measured Service Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise. Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise. Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Service Models (NIST) Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
Evolution Over The Years Adoption Time 1961 John McCarthy proposed 'computer time-sharing technology' to be sold through utility business model (like electricity) in a lecture at MIT Mid 90’s ASP (Application Service Provider) model with single tenant hosting of applications Early 00’s SaaS (Software as a Service) model with multi-tenant hosting of applications Late 00’s Cloud Computing with pay as you go model, leveraging virtualization for data center efficiencies and faster networks
New? Cloud computing is an amalgam of mostly existing technologies and services Some use models, coupled with scope of availability and ease of use are part of what’s new The access and availability of computing, storage and applications enables individual users to be content creators, publishers and application developers. Further developments and roles are expanding in new and innovative ways. Are existing regulatory paradigms relevant or applicable?
Virtualization Virtualization is “ separating the computing workload from the hardware. ” * Once computers have become more or less disembodied, all sorts of possibilities open up. Virtual machines … can be moved around while running, perhaps to concentrate them on one server to save energy. They can have an identical twin which takes over should the original fail. And they can be sold prepackaged as “ virtual appliances ”… eventually to turn a data centre — or even several of them — into a single pool of computing, storage and networking resources that can be allocated as needed. The Economist: Special Report – Where the Cloud Meets the Ground; Oct 23, 2008 *Quoting Paul Maritz of VMware
Cloud Computing Architecture Web Services Commodity Hardware Virtual Machines Dynamic Application Provisioning CRM Database BI Email Virtualization Layer
Cloud Computing – Benefits Reduce capital expenditures Low barrier to entry Scalable infrastructure Cost-effective – Pay for what you use Acquire resources on demand Release resources when not needed Virtually infinite compute and storage resources Turn Organization’s fixed cost into variable cost May improve security Patch management/professionally managed services
Cloud Computing Vs. Traditional Hosting – Key Differences AspectTraditional HostingCloud Computing Procurement CycleWeeks/MonthsMinutes Deployment CycleWeeks/MonthsMinutes Total CostRelatively fixed, highPay per use, low FlexibilitySlow to scaleFast to scale (up or down) Application Owner Connectivity Dedicated link/VPNInternet Physical Deployment Architecture More transparent, more control Less transparent, less direct control Application PerformanceFast Slow for part-cloud, part-outside applications Fast for fully cloud based applications
Familiar Questions… Cloud? Abstraction Layer Where is my information? Who controls it? Who has access? How is being used? Who is it being shared with? Who is looking out for my interests?
Cloud computing – operational concerns: the back end Performance/availability/Service Level Support Interoperability Audits/Oversight Termination/Lock-in Less by design and more by inertia… Role of open standards Portability
Cloud computing – legal concerns Privacy International data transfers Consistent treatment Lawful access issues Export control Data breach notification laws Data retention laws E-discovery Government regulation Jurisdiction/Conflict of Laws
Cloud computing – contractual concerns All of the operational/legal issues plus - Data ownership IP Limitation of liability issues SLAs Indemnities Subcontracting Dispute resolution Audits Notice/ consent for transfer, where applicable
Desirable characteristics Extended corporate controls Good security/privacy policies, practices and controls* Up-to-date; patched 24x7x356 service Mapping to legal requirements *Tools – PIA, Audit reports, Gap Analysis to 27001 Privacy/Security by Design Ecosystem Accountability