Avoiding a Storm by Evaluating the Clouds: A Guide to Cloud Computing

18 04 2011

Attached to this post is the final version of my research paper entitled, Avoiding a Storm by Evaluating the Clouds: A Guide to Cloud Computing. I put a great deal of effort into this work so as to include only the most useful information from the many books and articles that I read during my research. Cloud computing is currently a very hot topic, so it is easy to find articles filled with the opinions of various writers, but I found the works quoted in this paper to contain the most substance. This paper contains vital information that could lead an organization to a successful venture into Cloud Computing – one in which the security of their data, assets, image, and customers remains intact.

Avoiding a Storm by Evaluating the Clouds: A Guide to Cloud Computing

Introduction to the cloud

12 02 2011
The Government Technology Research Alliance’s (GTRA) research showed that the most common concerns about implementing cloud programs were security and privacy, a finding supported by an IDC study of 244 CIOs on cloud computing, in which 75% of respondents listed security as their number 1 concern. It is true that moving from architectures that were built for on-premises services and secured by firewalls and threat-detection systems to mobile environments with SaaS applications makes previous architectures unsuitable to secure data effectively. In addition, at a March 2009 FTC meeting discussing cloud computing security and related privacy issues, it was agreed that data management services might experience failure similar to the current financial meltdown if further regulation is not implemented. Some executives are simply too scared to move forward with cloud initiatives.
The challenge is bringing executives out of a state of uncertainty and fear and giving them the understanding and knowledge necessary to make informed, educated decisions regarding their cloud initiatives.

The purpose of this book is to clear up some of the mystery surrounding the topic of cloud computing.

What is the Cloud?

The term cloud has historically been used as a metaphor for the internet. This usage was originally derived from its common depiction in network diagrams as an outline of a cloud, used to represent the transport of data across carrier backbones to an endpoint location on the other side of the cloud. This concept dates back to 1961, when Professor John McCarthy suggested that computer time-sharing technology might lead to a future where computing power and even specific applications might be sold through a utility-type business model.

Market research analysts and technology vendors alike tend to define cloud computing as a new type of utility computing that basically uses virtual servers that have been made available to third parties via the internet. Others tend to define the term using a very broad, all-encompassing application of the virtual computing platform. They contend that anything beyond the firewall perimeter is in the cloud. A more tempered view of cloud computing considers it the delivery of computational resources from a location other than the one from which you are computing.

The Global Nature of the Cloud

Globalization of computing assets may be the biggest contribution the cloud has made to date. For this reason, the cloud has been subject to many geopolitical issues. Cloud vendors must satisfy myriad regulatory concerns in order to deliver cloud services to a global market.

Cloud Based Service Offerings

Amazon.com has played a vital role in the development of cloud computing. In modernizing its data centers after the dot-com bubble burst in 2001, it discovered that the new cloud architecture it had implemented resulted in some very significant internal efficiency improvements. When it provided third-party users with access to its systems on a utility computing basis via Amazon Web Services, introduced in 2002, a revolution of sorts began. Amazon Web Services began implementing its model by renting computing cycles as a service outside a given user’s domain, wherever on the planet that domain might be located.

By allowing users to access technology-enabled services “in the cloud” without any need for knowledge of, expertise with, or control over how the technology infrastructure that supports those services worked, this approach transformed cloud computing into a paradigm whereby data is permanently stored on remote servers accessible via the internet and cached temporarily on client devices that may include desktops, tablet computers, notebooks, hand-held devices, mobile phones, etc. This paradigm is often called Software as a Service (SaaS).

SaaS is a type of cloud computing that delivers applications through a browser to thousands of customers using a multiuser architecture. For the customer there are no up-front investment costs in servers or software licensing. For the service provider, with just one product to maintain, costs are relatively low compared to the costs incurred with a conventional hosting model. Salesforce.com is by far the best-known example of SaaS computing among enterprise applications.

Managed Service Providers (MSPs) offer one of the oldest forms of cloud computing. A managed service is an application that is accessible to an organization’s IT infrastructure rather than to end users. Services include virus scanning for email, antispam services such as Postini, desktop management services such as those offered by CenterBeam or Everdream, and application performance monitoring. Managed security services that are delivered by third-party providers also fall into this category.

Platform-as-a-service (PaaS), sometimes referred to as web services in the cloud, delivers a platform from which to work rather than an application to work with. These service providers offer application programming interfaces (APIs) that enable developers to exploit functionality over the Internet, rather than delivering full-blown applications. This variation of cloud computing delivers development environments to programmers, analysts, and software engineers as a service. A general model is implemented under which developers build applications designed to run on the provider’s infrastructure and which are delivered to users via an Internet browser. The main drawback to this approach is that the services are limited by the vendor’s design and capabilities.

Communication as a Service (CaaS)
Providers of this type of cloud computing solution are responsible for the management of hardware and software required for delivering Voice over IP (VoIP) services, Instant Messaging (IM), and video conferencing capabilities to their customers. A CaaS model allows a CaaS provider’s business customers to selectively deploy communications features and services throughout their company on a pay-as-you-go basis for services used. All VoIP transport components are located in geographically diverse, secure data centers for high availability and survivability.

Network capacity and feature sets can be changed dynamically, so functionality keeps pace with customer demand and provider-owned resources are not wasted. From the customer’s perspective, there is very little to no risk of the service becoming obsolete, since the provider’s responsibility is to perform periodic upgrades or replacement of hardware and software to keep the platform technologically current. This eliminates expense for ongoing maintenance and operations overhead. Every component is managed 24/7 by a CaaS vendor.

Infrastructure as a Service (IaaS)
IaaS is a model of service delivery that provisions a predefined, standardized infrastructure specifically optimized for the customer’s applications. Customers maintain ownership and management of their applications while off-loading hosting operations and infrastructure management to the IaaS provider.


Rather than purchasing data center space, servers, software, network equipment, etc., IaaS customers essentially rent those resources as a fully outsourced service. The customer is only charged for resources consumed.

Monitoring as a Service (MaaS) is the outsourced provisioning of security, primarily on business platforms that leverage the Internet to conduct business. Security monitoring involves protecting an enterprise or government client from cyber threats. MaaS security monitoring services offer real-time, 24/7 monitoring and nearly immediate incident response across a security infrastructure – they help to protect critical information assets of their customers.

Legal Issues When Using Cloud Models
The United States – European Union Safe Harbor Act provides a seven-point framework of requirements for U.S. companies that may use data from other parts of the world. The agreement allows most US corporations to certify that they have joined a self-regulatory organization that adheres to the following seven Safe Harbor Principles or have implemented their own privacy policies that conform with these principles:

1. Notify individuals about the purposes for which information is collected and used.

2. Give individuals the choice of whether their information can be disclosed to a third party.

3. Ensure that if it transfers personal information to a third party, that third party also provides the same level of privacy protection.

4. Allow individuals access to their personal information.

5. Take reasonable security precautions to protect collected data from loss, misuse, or disclosure.

6. Take reasonable steps to ensure the integrity of the data collected.

7. Have in place an adequate enforcement mechanism.

The US Patriot Act expanded the definition to include domestic terrorism, thus enlarging the number of activities to which it can be applied.

The Electronic Communications Privacy Act’s Stored Communications Act includes offenses such as intentional access without authorization to a facility through which an electronic communication service is provided, or intentionally exceeding an authorization to access that facility, in order to obtain, alter, or prevent authorized access to a wire or electronic communication while it is in electronic storage in such a system.

Reference: Cloud Computing: Implementation, Management, and Security, John W. Rittinghouse and James F. Ransome