It’s not atmospheric, but the term is banner‐like: sky-borne and all-powerful. Before we can discuss the hot topic of shared multi-tenant environment risk in our next article, we need to take a step back and address, “What is Cloud Computing?”
Sure, the cloud is out there, somewhere in the unknown, or most likely hidden in a gigantic building with high-level security and rows and stacks of computers. While this is generally true, that same set of computing resources could be sitting in the next room or in the server room. The definition allows for many different configurations in many different locations. Convenience and demand are critical components of the cloud.
What is the cloud? A few names come to mind: Google, Microsoft or Amazon. What about Dropbox, Sugar, Boxed? Or your core processor?
NIST (National Institute of Standards and Technology) gives the widely‐accepted definition:
Cloud computing is a model for enabling ubiquitous, convenient, on‐demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models and four deployment models.
That’s a lot of words, but what does it really mean? The definition is meant to provide an understanding of the terms used – in other words, Cloud 101.
For a service to fit the definition of Cloud Computing, there are several required key components. Here’s a closer look at those components.
Five Critical Characteristics
Let’s list them:
- On demand, self service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
On demand, self service
In some respects, this is a DIYer’s dream world. To be a cloud computing service, the user must be able to self‐configure and roll out the service. All the configuration, hardware and software are ready and just waiting for a user to request the service.
Broad network access
This service is not only easy to allocate and configure, but it’s broadly available. Where people are located is irrelevant. If there is a network connection, the cloud service is available. However, available bandwidth affects the service and how useful it is at a given location.
Resource pooling
Resources are not necessarily dedicated, which has spawned the term shared multi‐tenant environment. The perception is that the resources are unlimited and always available. There are many considerations for this to happen. For instance, where is the data located? Who has access to the data? How is the data secured? These are critical decision points that require far more discussion than the simple listing given here because they affect how the resources might be allocated.
Rapid elasticity
A key benefit of the cloud is unlimited growth capabilities. Imagine the ability to grow or shrink the required resources when accelerating expansion or drawing back; it’s a game‐changer for banks.
Measured service
All these great services do come at a price. The price is typically a monthly fee for the services used during that month. Critical cost elements spelled out in a cloud contract are bandwidth use, storage used, CPU utilization, and other pricing issues that increase monthly fees. Your Vendor Management program should reveal these items.
Three Service Models
There are three service models typically associated with cloud services:
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
The marketing messages used around these three terms never end, but what do they really mean?
1. Software as a Service
This is finding the application and signing up for the desired service. The application lives in the cloud. In some respects, the core provider is Software as a Service. The program lives in the cloud and you use a web browser to access it. An example is Office 365.
2. Platform as a Service
This service is a little harder to define. It has components that make it similar to Infrastructure as a Service. This service looks very similar to that provided by a normal server, without the hardware sitting in a closet close by. What differentiates this platform is that the customer does control what is deployed on the server, but does not have control over any of the underlying hardware.
3. Infrastructure as a Service
This is a server that is controlled by the customer in its entirety except for the underlying hardware. The underlying hardware is controlled, serviced and maintained by the provider. The customer normally has access to all settings and configurations, storage options, etc.
Four Deployment Models
There are four basic deployment models. In the real world, some services may look blended, but it all boils down to these basic models:
- Private cloud
- Community cloud
- Public cloud
- Hybrid cloud
Cloud users should be concerned with these deployment models because it comes down to security and risk appetite. Risk is a critical component of determining which cloud deployment model works best for your bank. As we explore the different deployment models, you’ll soon understand the potential security concerns.
Private cloud
The cloud infrastructure is allocated for exclusive use by a single customer or organization. It may be owned, managed and operated by the organization, a third party, or some combination of them and it may exist on or off premises.
This deployment model typically means that the bank owns, controls or is the sole occupier of the hardware that runs the cloud service or servers. This service could be onsite, offsite or some combination of the two.
Community cloud
The cloud infrastructure is allocated for exclusive use by a specific community that has shared concerns. It may be owned, managed and operated by one or more of the organizations in the community, a third party or some combination of them and it may exist on or off premises.
This is akin to several banks getting together to create a shared environment of equipment for conducting ACH transactions. Everyone has the same goals, security concerns, and possibly a similar risk appetite.
Public cloud
The cloud infrastructure is allocated for open use by the general public. It may be owned, managed, and operated by a business, academic entity, government organization or some combination of them. It exists on the premises of the cloud provider.
This infrastructure assumes that the data, services or servers are in public with other businesses and their data, services and servers. This model does have security issues surrounding it, because it is like the front door open to all. Everyone knows it exists and someone may try to take advantage of that fact. Other services hide the server from the public.
Hybrid cloud
The cloud infrastructure is a composite of two or more distinct cloud infrastructures (private, community or public) that remain unique entities.
Think of it this way: You may use multiple deployment models to reduce cost for a particular application and a different model for an application that has different security requirements. In the cloud, there isn’t just one best implementation approach – there may be several that are customized for different scenarios.
The next article will address the buzz surrounding Meltdown and Spectre hardware vulnerabilities. Call Jim Baron, TCA’s Director of Technology Risk Management Services, at (630) 770‐8982 to discuss the Cloud and better ways to manage technology risk.