Many people are using "the Cloud" quite naturally. But it seems that most people do not really know what it actually means. The "Cloud" is something abstract, doesn't denote a thing really, but many. This article wants to shed a light on the various subject-specific and technical aspects from the perspective of an engineer and entrepreneur: the question what the different kinds of "Cloud" really are technically speaking to economic risks and chances as well as the question of the security of (personal) data.

Intro

Around the year 2010 I thought that "Cloud" was merely a marketing buzzword and that the whole issue would disappear fast. I was completely wrong. It wasn't more than a buzzword then, but it did not disappear. It rather established itself firmly within the IT sector. I am frequently asked: "Pablo, what's the Cloud anyway?" Many have a vague notion, but most do not have a solid picture. To help clarifying this matter I wrote this article. It is written for people that are interested in IT, that might even be professionally related to IT, but are not very familiar with the "Cloud."

A buzzword cloud
A buzzword cloud

The Cloud - A General definition

If one wants to give a broad definition of the "Cloud", one might use this: "Cloud" refers to the possibility to obtain IT as a service. To rent software rather than buying it; to let compute rather than purchase one's own computer; to store data on someone else's drive; use software as a service rather than deploy it oneself. This is a definition that entails for example the "Adobe Creative Cloud" - the familiar software products for Windows and macOS that run on one's own computer but are rented rather than bought.

A more strict definition would be that the "Cloud" is elsewhere. That is, things are not happening on one's own computer or server, but somewhere else on the Internet, like with "Office 365" from Microsoft, "Salesforce", Google Drive or Apple's iCloud for example.

There is one notion I'd rather get rid of right away: "Cloud" is not a foggy thing or something one cannot grasp fully. It's someone else's computer, Microsoft's or Google's or Salesforce's servers. But since it is not something magic, loss of data is possible in the "Cloud" as well. The systems might fail, too, the service provider might go out of business or might shut down the used service. Furthermore: one should not speak of "the Cloud", but rather of "Cloud" or "a Cloud", for there are many different "Cloud" providers and not one single entity.

The experts differentiate three separate variants of "Cloud" services:

Infrastructure-as-a-Service (IaaS)

IaaS is the basic type of Cloud computing. It means that I rent computing capacity, storage and bandwidth. It is therefore a means to run software programs and / or store and transport data. This computing capacity is provided by deploying virtual machines, that is: something that acts like a real computer, but is just one of possibly many operating systems running on one single piece of hardware. The "Cloud" provider has therefore the possibility to offer services to different customers and using the same physical server for it without them knowing it. Those virtual machines can be moved from one physical machine to another and one is thus able to react to new hardware or a change in resource demands. The customer / user does not need to buy own hardware, an operating system is often already installed, but one still needs to have an administrator deploying the software that one wants to use, installing security updates or adjusting the packet filter (firewall). One prototypical example of such a service would be AWS, the "Cloud" of Amazon.

Storage services: another often used variant of IaaS are services such as Dropbox that first and foremost offer storage capacity. Since they are used very frequently and were called "the Cloud" first, this variant is understood by some as being the same thing as "Cloud." This is confusing if one knows that "Cloud" could be just about anything really.

Platform-as-a-Service (PaaS)

The next step after IaaS is PaaS. Platform here means that I do not only get a bare (albeit virtual) computer, but that I really get something on which everything already runs that I need like monitoring software (Does everything work as expected?) or a runtime system like the Java Virtual Machine (JVM), Ruby or Python. In short: a system where I just need to "install" my properly packaged application for it to be run on. That means that I do not need to bother myself with the operating system or security updates, let alone the network configuration. This is quite similar to running an app on a smartphone. I do have an application that knows everything important already, eg. on which system it runs, which functionality and permissions it needs or how big it is. The user does not need to bother herself with that, does not need to tweak things for it to run. Often PaaS services are based on the concept of a software container. Related topics would be technologies like CoreOS, Docker, MesOS or Nix(OS). Prototypical service providers are Google (App Engine), Giant Swarm and Heroku.

Software-as-a-Service

The farthest away from an actual computer (in terms of abstraction level) is the next variant of "Cloud," the Software-as-a-Service concept. Not computing capacity as such is rented, but a software. This could be something simple like a mail program on the Internet (Google Mail for example), something more complex like Google Docs or even something huge as a complete ERP solution for larger companies such as (hosted) SAP.

Usually the software is worked with by using the web browser. This leads to SaaS being platform agnostic, which means it could be used from any desktop computer running Windows, macOS or an operating system based on the Linux kernel.

Modern SaaS solutions often support tablets or smartphones and it does not matter here as well whether one is using Android, iOS or even Windows (Phone).

IaaS, Paas and Saas compared.
IaaS, Paas and Saas compared.

Security in the Cloud

Security in "the Cloud" is an important issue. The software does not run in a small and isolated network, but on the Internet - open to anyone in principle. The data of not one person or company is stored, but those of many at once. This leads to a larger attack surface and attacking it is more attractive, too. Potential attackers are manifold, it could be (computer) criminals, competitors, but domestic or foreign intelligence agencies as well.

Encryption

When talking about "Cloud", encryption is a rather often mentioned topic. One has to differentiate two different kinds of encryption here: end-to-end encryption on the one hand, and encrypting the communication channels on the other.

End-to-end encryption

End-to-end encryption means that the data is encrypted on the computer of the sender and decrypted on the computer of the recipient only. Examples for this are secure messaging applications like Signal, Threema or sayHEY (an application developed by bevuta IT GmbH). The service provider has no direct access to the data in this case, but this form of encryption is a rare sight in the world of "Cloud" services. One should not simply assume that a "Cloud" service uses end-to-end encryption. If a "Cloud" service provider advertises encryption, it is often simply an encryption of the communication between one's own computer and the service provider's server (TLS). Or it might be a disk encryption (see below). If one is not certain what kind of encryption is deployed, one should ask an expert. If no end-to-end encryption is used, the data is in principle accessible by attackers, the service provider or governmental agencies.

TLS and disk encryption

If "encryption" is advertised, TLS is meant most of the time. In this case the communication channel between the provider's server and the computer one uses to access the provided service is encrypted. Sometimes, disk encryption is used as well, but this only helps if the attacker does not have access to the running system. If that would be the case, the data would be obtainable unencrypted in both cases. One ensures that the data is safe on its way through the Internet and in the case the server (or the disk) is stolen. It does not help, however, against access through the service provider, criminals or governmental agencies. To them the data is as open - in principle - as it would be for the user on the computer of the user itself.

Examples for this kind of service where others are able to access the user's data are Facebook, the mail services of Telekom/Google/Microsoft, online banking or the "classic" DE-Mail.

Data privacy

Since companies often deal with customer data, one has to think about the fact that if one uses a "Cloud" based service this data (e.g. address data, account data, customer habits or private messages) are open to at least one other party - namely the "Cloud" provider. The customer in question might not even be aware of that.

Dependencies

Another (possibly large) problem is the dependence on the service provider. If the service provider updates, one has to go along. If the service provider's servers fail, one does not have the possibility to remedy the situation (see Amazon). If the service provider discontinues the service (see Google Reader and Google Wave for example), the service one used to use does not exist any longer. If the service provider goes broke, one might not be able to access the provided service, the stored data or the virtual machine any longer overnight. On a side note: a service provider should definitely enable backups of the data such that it could be used using other services, too. Alas, this is not often the case and means that one needs technology "at home" anyway.

Other peoples computer.
Other peoples computer.

Scaling

Especially with regard to SaaS and IaaS it is often suggested that "what runs in the 'Cloud'" scales without limits, that the system adapts to a change in capacity needs such as how much data is transferred or how many requests need to be handled. It does not matter, it is suggested, how intense the service is used, it might mean that one has to dig a little bit deeper into one's pocket, but that would be it. Unfortunately, that's wishful thinking of many providers and users as well.

IaaS and PaaS often means relatively small units: Many small virtual computers with limited computing capacity that get powerful only if they are interconnected. If the software is built with that scenario in mind, it might work pretty well for many load ranges and maybe even automatically. But this is rather the exception than the norm.

Out scaling

To distribute a software product on multiple "Cloud" servers to be able to answer more requests simultaneously is called out scaling. This is the prototypical approach to using "the Cloud". It usually needs to be thought of right from the start when designing the software. To adapt it to that later is often not doable with reasonable effort. In addition to that one must think about how much complexity distributing the software adds to it. Distributed systems tend to be difficult to understand fully and developing them is therefore more complicated than developing a more monolithic system would be.

Up scaling

One alternative to the above described out scaling is up scaling. One simply uses a more powerful computer instead of a manifold of computers with limited computing capacity. It is often cheaper to buy a more powerful machine than re-writing the software. However, this is in stark contrast to "Cloud" concepts and is often not even offered by the service providers or only for a much higher price.

Pricing

Initial costs

This is one of the main selling points of "Cloud." The service provider does not ask a high amount of money initially (sometimes even no money at all), one does simply "pay per use." Consulting support or adaptation of software does cost money however.

Running costs

Costs per computation time or storage unit are often higher "in the Cloud" in comparison to a dedicated server. If one designs the software skillfully, it just uses the really needed resources "in the Cloud" - using it then becomes cheaper. This often increases the costs of developing the software however.

Economic risks

Depending on a service provider and - sometimes - on its interfaces the increased attack surface for attackers who might attack from the inside (by using the same servers) rather than from the outside; unreliable or criminal staff of the service provider or of governmental agencies - one hands over the data which might have catastrophic consequences for enterprises in the age of information.

Final words about "the Cloud"

If one takes a closer look at "the Cloud", it is much more than a mere buzzword. It is rather a manifold of different more or less complex concepts that one is able to understand and control as well. "Cloud" offers huge possibilities, for instance with regard to scaling and the amount of money one has to pay initially. One should not however trust "Cloud" services blindly.

If you do feel more informed than before, but feel the need for advice before starting the first "Cloud" project, I'd be happy to help.