
SANS ISC: Defining Clouds - "A Cloud by any Other Name Would be a Lot Less Confusing" - SANS Internet Storm Center


Defining Clouds - "A Cloud by any Other Name Would be a Lot Less Confusing"


So What is Cloud Computing Anyway? Do you find yourself saying "am I the only one that is confused about this?"

The short answer is No, you're not the only one confused about this.  Most of the people who put the word "Cloud" in their headline are confused as well (except us of course).  Over the last couple of years, the amount of press about "Cloud Computing" has been steadily increasing, as interest in virtualization grows.  However, it seems like everyone who writes a "Cloud" article means something different when they use the word, and in many cases it's easy to see some real misunderstanding of key details around some of the virtualization and service

So, let's dive right in - when someone says "Cloud", they generally mean one of several things:

Colocation Services
Colocation Services (often shortened to "Colo") is the oldest service of the bunch, and essentially offers an empty rack with very fast communications, reliable power and air conditioning.  Colos are often serviced by several ISPs (Internet Service Providers).  Providing server hardware, firewalls and load balancers is the responsibility of the customer.  Colo services generally aren't included when people reference "clouds", but they're included here to provide a more complete picture.

Host as a Service (HaaS) / Infrastructure as a Service (IaaS)

Most commonly called IaaS, this offering uses virtualization to provide computing cycles, memory and storage.  IaaS vendors provide the communications, power and environmental controls of a Colo, but also provide the hardware in the form of a "home" for virtual machines (VMs).  

The VMs are provided by the customer: they are uploaded, deployed to the IaaS storage pool and started using a management interface.  Because virtualization is used, IaaS clouds can offer enhanced services based on what their virtualization platform has available.  For instance, when one VM ramps up its CPU requirements, other VMs that might be on that same server can automatically migrate to a less busy hardware platform, maintaining a consistent profile of available CPU resources for all customers.  Similarly, if maintenance is required on a host or storage platform, VMs can be manually migrated away, ensuring constant uptime, even during hardware maintenance.

Some IaaS vendors have extended their service to include additional services such as database, queueing, backup and remote storage.  This reduces the software license costs for the customers, but of course also increases the monthly costs of the IaaS service. 

IaaS services typically charge their clients based on Compute Usage, Data transferred in and out, Database requests, Storage used, and Storage requests and transfers.  IaaS vendors include Amazon EC2 services (based on XEN), Rackspace and Terremark (based on VMware's vSphere products).

Computer as a Service (CaaS) or Desktop as a Service (DaaS) are special cases of an IaaS service.  These generally refer to VDI (Virtual Desktop Infrastructure) solutions such as VMware View, which deliver a desktop operating system such as Windows XP, Windows 7 or a desktop Linux OS.  These are often used to deliver applications that for one reason or another don't belong on the actual physical desktops in the environment.  They might be easier to maintain on the server; there might be bandwidth issues, where the VDI traffic overhead is substantially less than that of the "fat" application; or there might be regulatory requirements, where the data and application can't live on the remote desktop computer in case of theft or compromise.


Platform as a Service (PaaS)
Platform as a Service takes the environment offered by IaaS, and adds the operating system, patching, and a back-end interface for applications.  The customer uploads their application in a standard format, written to use the PaaS interfaces, and the rest is up to the PaaS vendor.  For instance, Microsoft's Azure services platform offers .Net Framework and PHP as back-end interfaces, Google App Engine has back-end interfaces based on Java and Python, and Salesforce.com has proprietary interfaces for business logic and user interface design.

Software as a Service (SaaS)

Software as a Service delivers a fully functional application to the end user, generally with per-user billing.

Google Apps is the latest entry into this field, and seems to have the most press lately - they offer a full office suite including the pre-existing mail (Gmail) service.  However, lots of other vendors offer SaaS products - Microsoft offers online versions of Exchange, SharePoint and Dynamics CRM.  Salesforce.com has their Salesforce CRM product, and IBM offers LotusLive, which is a hosted Domino environment.

Private Clouds
The thing about all of these "Cloud" architectures we've just described is that none of them are really new.  They've all existed in the datacenters of many corporations, running as VMware, XEN, Hyper-V or Citrix servers, and have been there in some cases for 10 years or more.  What the new IaaS, PaaS and SaaS services offer is a mechanism to outsource these private infrastructures, generally over the internet.  The new functions that these Public Cloud infrastructures bring to the table are new management interfaces and, most importantly, a billing interface.

An interesting thing that we're seeing more and more of lately is internal billing for private cloud services, where production departments within a company are billed by their IT group for use of services in the Datacenter.  This has been a slow-moving trend over the last 10 years or so, but with the new APIs offered by virtualization platforms, the interfaces required for billing purposes are much easier to write code for.  The goal of these efforts is often a "zero cost datacenter", where production departments actually budget for IT services, rather than IT.  While this may be a goal to shoot for, it's not one that is commonly realized today.

=============== Rob VandenBrink Metafore ===============

 

Rob VandenBrink

458 Posts
ISC Handler
It’s interesting that you bring up the definitions of Cloud computing. I was just having a discussion the other day with a few colleagues.
So what is “Cloud” computing anyway? To me it seems to be the new buzz word for virtualization that’s been extremely overhyped. And in a nutshell, that’s all it really is, virtualization. “Cloud” and virtualization are really one and the same. Whether you’re virtualizing the entire infrastructure or just virtualizing a few apps, people today consider it “Cloud” computing in one form or another.
To me, a real “Cloud” platform would be a site agnostic virtual datacenter that has no real location logistics. A true “Cloud” would not be in jeopardy of a single site failure. A true “Cloud” would mean that I can put my application into the “Cloud” and not ever worry about a single site outage or even a single continent outage for that matter.
I’m sure that the “Cloud” will someday mature to this definition, but until then, today’s “Cloud” is really just a new name applied to virtualization technology that has been maturing for years and is available in almost every datacenter in the world. Someday, virtualization will exist outside of the single site topology and earn the right to actually be called a “Cloud”.
Anonymous

Posts
One conspicuously missing variant in the list lies between colocation and IaaS.

The service provider simply rents an entire colocated physical machine to you. They install a bare OS configured for remote access, and you take over from there. They provide power and network and service the hardware on request.

It's less flexible than virtualized services because every server order involves physical objects that have to be moved around by physical employees in the data centre. On the other hand, they tend to be cheaper for the performance you get, and you don't have the resource contention issues of a shared VM. You can also run your own virtualization layers on it.
Anonymous

Posts

I so disagree with this taxonomy, I had to search for my login everywhere ;-) I find it too complex, too many conditions.

To me, "Cloud Computing" is data outsourcing, period. Whether it's the [storage, processing, display, sharing, etc.] of your data does not matter.

Plus, one should always associate the term "cloud computing" with the loss of physical security to one's data, thus including the risk of loss of privacy. (Do I hear "facebook God-like password" in the back rows?)

Strangely enough, outsourcing contracts, like banks / financial asset management contracts to information system ASPs will stay safe, as they can get the physical (and other types) of security audited. SAS70 comes to mind.

So maybe we can further reduce cloud computing to say cloud computing is when you cannot audit the security and privacy of your data.

My two bits...
Anonymous

Posts
I agree with many of your points - now that this article sets the taxonomy down, look for an article on security issues in clouds this coming Monday.
Rob VandenBrink

458 Posts
ISC Handler
Look forward to Rob's article Monday. Also want to disagree w/ Protissimo's statements that 1) cloud computing should always be associated with the loss of physical security and 2) cloud computing is when you cannot audit the security and privacy of your data. Depending upon the provider and negotiated contracts and agreements, outsourced operations may be better managed and more secure than if you handled operations internally.
Dean

135 Posts
NIST has a good document defining the Cloud.... http://csrc.nist.gov/groups/SNS/cloud-computing/
Anonymous

Posts
I agree 100% with this definition: Cloud Computing is a set of Use Cases. It's not the servers, networks or other whiz-bang gizmos that make an environment a Cloudy one - it's the use cases they enable.

I am co-authoring an internal white paper on our company's Cloud strategy based on exactly this approach (a large defense contractor w/>100k employees)

Prontissimo - you are a pessimist ;)
Anonymous

Posts
I see the term Cloud Computing in a similar light to the term Web 2.0. It is used by many to mean many different things.

When I say out in the cloud, I usually mean a service provided somewhere in a network by a third party. I am clear on the service they provide, however have no knowledge of where or how the service is physically provisioned.

The key to this is the lack of definition around location and physical implementation for me.

I think there are lots of good comments and facts here. Mostly around the making of clouds rather than how they are seen by most IT folk who use them.

Anonymous

Posts
