People often use the word "cloud" without really knowing what it means. Simply put, it is someone else's computer that runs constantly and on which the owner can rent you disk space and computing resources. It has huge benefits for businesses and individuals as it provides various services and applications managed by third parties in remote locations. Major cloud service providers include Google, Amazon and Microsoft. This article is just the first of several follow-up articles where I will introduce you to the principles of different cloud technologies and of course focus on their security.
Advantages and disadvantages of cloud computing
An important feature of the cloud is that all resources, infrastructure and applications can be provided to subscribers as metered services over the network. The user pays for what they actually use and does not have to worry about issues regarding physical security of servers, power or cooling. In addition to transferring responsibility for the physical operation of servers, clients are attracted to the use of the cloud for other reasons:
- On-demand self-service – A type of service offered by cloud service providers that enables the provision of cloud resources, such as computing power, storage and networking, on-demand and without the need for human interaction with service providers.
- Distributed storage – This feature of cloud services makes scaling storage much easier. You can simply add or remove the disk space you pay for. Potentially, distributed storage can raise security and compliance concerns, so it's important to choose the right cloud provider and be familiar with their security policies.
- Fast elasticity – The cloud offers instant provisioning of features that can be quickly scaled up or down depending on demand. Imagine that as an online store owner, you expect a larger influx of users for the holidays. To keep your website up and running even with the high volume of requests, you create a second identical web server with a few clicks. You now have double the computing power between which this traffic can be better spread. To consumers, cloud resources seem limitless and can be purchased in any quantity and at any time.
- Automated management – Minimising human involvement through automation speeds up provisioning, reduces labour costs and lowers the potential for human error.
- Availability – Cloud resources are available over the network and can be accessed through a wide range of platforms such as laptops, mobile phones, etc.
- Service metering – Used by pay-per-use systems. Billing is commonly either a monthly subscription or purely by resource usage (e.g. a price per hour of computing power). This metering is completely transparent to clients, who can always see exactly what they are paying for.
- Virtualisation – Leveraging virtualisation technology enables cloud providers and clients to scale resources very quickly in ways that non-virtualised environments cannot achieve.
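To make the "fast elasticity" and "service metering" points above concrete, here is a small simulation, added as an example and not part of the original article. It runs a constructed hourly request series through two fleets: an elastic one that adds servers the moment demand exceeds capacity and removes them only after a cooldown, and a fixed one sized once for the peak. The per-server capacity, the cooldown, the minimum and maximum fleet size and the hourly price are all assumed figures chosen for illustration.

```python
"""Rapid elasticity and pay-per-use metering, simulated over constructed demand.

Assumptions (not from the article): every web server handles at most CAPACITY
requests per hour, the fleet never drops below MIN_SERVERS or exceeds
MAX_SERVERS, scale-out takes effect within the same hour, and scale-in only
happens after demand has been below the current fleet's needs for COOLDOWN
consecutive hours (hysteresis against flapping). The price is a made-up figure.
"""
from dataclasses import dataclass, field
from typing import List

CAPACITY = 1000               # requests per server per hour (assumed)
MIN_SERVERS = 1
MAX_SERVERS = 10
COOLDOWN = 2                  # quiet hours required before scaling in
PRICE_PER_SERVER_HOUR = 0.10  # constructed tariff, not a real price list

# Constructed hourly request counts around a "holiday" peak.
DEMAND = [200, 300, 2500, 4200, 4100, 1500, 600, 400]


@dataclass
class FleetReport:
    servers_per_hour: List[int] = field(default_factory=list)
    server_hours: int = 0
    dropped_requests: int = 0

    @property
    def cost(self) -> float:
        """Metered charge: only the server-hours actually used are billed."""
        return round(self.server_hours * PRICE_PER_SERVER_HOUR, 2)


def desired_servers(requests: int) -> int:
    """Smallest fleet whose combined capacity covers the hour's load, clamped."""
    needed = -(-requests // CAPACITY)  # ceiling division
    return max(MIN_SERVERS, min(MAX_SERVERS, needed))


def _account(report: FleetReport, servers: int, requests: int) -> None:
    """Record one hour: fleet size, billed server-hours and unserved requests."""
    report.servers_per_hour.append(servers)
    report.server_hours += servers
    report.dropped_requests += max(0, requests - servers * CAPACITY)


def simulate_elastic(hourly_requests: List[int]) -> FleetReport:
    """Scale out immediately on demand; scale in after COOLDOWN quiet hours."""
    report = FleetReport()
    servers = MIN_SERVERS
    quiet_hours = 0
    for requests in hourly_requests:
        target = desired_servers(requests)
        if target > servers:
            servers, quiet_hours = target, 0
        elif target < servers:
            quiet_hours += 1
            if quiet_hours >= COOLDOWN:
                servers, quiet_hours = target, 0
        else:
            quiet_hours = 0
        _account(report, servers, requests)
    return report


def simulate_fixed(hourly_requests: List[int], servers: int) -> FleetReport:
    """The non-elastic alternative: a fleet sized once and paid for every hour."""
    report = FleetReport()
    for requests in hourly_requests:
        _account(report, servers, requests)
    return report


if __name__ == "__main__":
    elastic = simulate_elastic(DEMAND)
    peak = simulate_fixed(DEMAND, max(elastic.servers_per_hour))
    small = simulate_fixed(DEMAND, 2)
    print("elastic fleet per hour:", elastic.servers_per_hour,
          "server-hours:", elastic.server_hours, "cost:", elastic.cost)
    print("fixed fleet sized for peak: server-hours", peak.server_hours,
          "cost", peak.cost, "dropped", peak.dropped_requests)
    print("fixed fleet of 2: server-hours", small.server_hours,
          "cost", small.cost, "dropped", small.dropped_requests)
```

On the constructed series the elastic fleet serves every request with 22 billed server-hours, while a fixed fleet sized for the peak bills 40 and a fixed fleet of two drops 4,800 requests. The cooldown is the part worth noticing: without it a single quiet hour would tear the fleet down and the next spike would have to rebuild it.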
We now know that there are many advantages to using the cloud. However, there are also potential limitations when using cloud platforms. These are:
- Limited control and flexibility of organisations
- Susceptibility to outages and other technical problems
- Security, privacy and compliance issues
- Contractual obligations and adhering to them
- Dependence on network connections
- Potential vulnerability to attacks because every component is online
- Difficulty in migrating from one provider to another
Types of cloud services
There are seven basic types of cloud services. One could write a lengthy article about each of them, but to give you an overview, I will try to summarise them here.
IaaS – Infrastructure as a service
This service offers management of virtual machines and other abstracted hardware and operating systems. These systems then appear as separate units that can be folded into more complex systems. They are controlled through exposed application interfaces and are operated primarily by system administrators. Examples are Amazon EC2, GoGrid, Linode, Microsoft OneDrive or RackSpace.
PaaS – Platform as a service
An environment primarily for developers that contains the necessary development tools for specific applications, configuration tools and a comprehensive environment on which applications can be developed and tested. Specific platforms include Google App Engine, Salesforce or Microsoft Azure.
SaaS – Software as a service
This category includes applications that are already intended for end users. For example, Google Docs, Google Calendar, Salesforce CRM, Freshbooks and others.
IDaaS – Identity as a service
This cloud computing service offers authentication services to subscribing businesses and is managed by a third-party vendor to provide identity and access management services. It provides services such as Single Sign-On (SSO), Multi-Factor Authentication (MFA), Identity Governance and Administration (IGA), access control and information gathering. These services allow subscribers to securely access sensitive data both on and off-site (e.g. OneLogin, Centrify Identity Service, Microsoft Azure Active Directory, Okta).
SECaaS – Security as a service
This service is based on the previously mentioned SaaS and is intended for use primarily by security professionals. It can include various tools to support penetration testing as well as services to enhance security such as various authentication and authorisation services, IDS/IPS systems, anti-malware or SIEM systems.
CaaS – Container as a service
This is a service that is designed to support virtualisation and containers. All containers, clusters and applications running in them can be fully controlled through the exposed application interfaces. The issue of containers, their use and security is a very broad topic and will be covered in future articles in this series. Examples of this class include Amazon AWS EC2, Docker and Google Kubernetes Engine (GKE).
FaaS – Function as a service
This cloud computing service provides a platform for developing, operating and managing application functions without the complexity of building and maintaining the necessary infrastructure (serverless architecture). This model is mostly used in the development of applications for microservices. It provides subscribers with on-demand functionality that shuts down the supporting infrastructure and charges no fees when not in use. Typical workloads are data processing services such as Internet of Things (IoT) services for connected devices, mobile and web applications, and batch and stream processing; examples of FaaS platforms are AWS Lambda, Google Cloud Functions, Microsoft Azure Functions and Oracle Cloud Fn.
Separation of duties
In cloud computing, the separation of responsibilities between subscribers and service providers is essential. Separation of duties prevents conflicts of interest, illegal acts, fraud, abuse and errors, and helps identify failures of security controls, including information theft, security breaches and the circumvention of security controls. It also helps limit the amount of influence any single individual has and ensures that there are no conflicting responsibilities.
There are three main types of cloud services, namely IaaS, PaaS and SaaS. When approaching specific clouds and their models, it is essential to know the limitations of each cloud service delivery model. The figure below illustrates the separation of cloud responsibilities specific to the service delivery models.
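The paragraph above describes separation of duties as limiting any one individual's influence and ensuring no one holds conflicting responsibilities. The following check, added here as an example and not taken from the article or any provider's IAM product, shows how that principle is enforced mechanically on the subscriber's side of the responsibility split: it resolves the roles a principal holds directly and through group membership, reports "toxic" role combinations already present, and refuses a proposed grant that would create one. The users, groups, role names and toxic-pair policy are all constructed for illustration.

```python
"""Separation-of-duties check over cloud role assignments (constructed example).

The principals, groups, roles and toxic-pair rules below are invented for
illustration; they are not taken from the article or from any provider's IAM.
The check resolves the roles a principal holds both directly and through
group membership, then reports every pair of roles that must not be combined.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Roles = Set[str]

# Constructed identity data: roles granted by each group, group membership
# per user, and roles assigned to users directly.
GROUP_ROLES: Dict[str, Roles] = {
    "platform-team": {"deploy_prod", "read_logs"},
    "finance": {"approve_payment"},
}
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"platform-team"},
    "bob": {"finance"},
    "carol": {"platform-team", "finance"},
}
DIRECT_ROLES: Dict[str, Roles] = {
    "alice": {"approve_deploy"},
    "bob": {"create_payment"},
    "carol": set(),
}

# Pairs of roles one person must never hold at the same time (constructed policy):
# the person who deploys must not be the one who approves the deployment, and
# the person who creates a payment must not be the one who approves it.
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"deploy_prod", "approve_deploy"}),
    frozenset({"create_payment", "approve_payment"}),
}


def effective_roles(user: str,
                    direct: Dict[str, Roles] = DIRECT_ROLES,
                    user_groups: Dict[str, Set[str]] = USER_GROUPS,
                    group_roles: Dict[str, Roles] = GROUP_ROLES) -> Roles:
    """Direct roles plus everything inherited through group membership."""
    roles = set(direct.get(user, set()))
    for group in user_groups.get(user, set()):
        roles |= group_roles.get(group, set())
    return roles


def sod_violations(users, toxic=TOXIC_PAIRS, **tables) -> Dict[str, List[Tuple[str, str]]]:
    """Map each offending user to the sorted toxic pairs they currently hold."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for user in users:
        held = effective_roles(user, **tables)
        hits = sorted(tuple(sorted(pair)) for pair in toxic if pair <= held)
        if hits:
            findings[user] = hits
    return findings


def would_violate(user: str, new_role: str, toxic=TOXIC_PAIRS, **tables) -> bool:
    """Pre-grant check: would adding new_role complete a toxic combination?

    Only pairs that include the new role count, so an existing violation
    does not block unrelated grants (it is reported by sod_violations instead).
    """
    held = effective_roles(user, **tables) | {new_role}
    return any(new_role in pair and pair <= held for pair in toxic)


if __name__ == "__main__":
    for user, pairs in sod_violations(DIRECT_ROLES).items():
        print(f"{user}: conflicting roles {pairs}")
    decision = "refuse" if would_violate("carol", "create_payment") else "ok"
    print("grant create_payment to carol?", decision)
```

Note that alice's conflict is only visible once group-inherited roles are resolved: her direct assignment looks harmless on its own. That is the usual way such conflicts creep into cloud tenants, which is why the check runs over effective rather than directly assigned roles, and why the same logic belongs in the approval path for new grants as well as in periodic review.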
In this article, the basic concepts of cloud computing and its advantages and disadvantages were introduced. In the next parts, I will discuss technologies, tools and best practices to maximise the security of your cloud infrastructure and applications.