It is fair to say that the top IT priority for most businesses is managing the migration of existing applications into virtualized environments (Kepes, 2011). True cloud computing is different from virtualization, and those differences are clarified later in this article, but virtualization and cloud computing share this key point of interest: small businesses, large enterprises, and government agencies are all moving their activities in the virtual/cloud direction at a very fast pace. An IBM study declares that ninety percent of businesses are already using cloud or plan to do so by 2015.
Cloud computing is considered to be unlimited, on-demand access to shared computing resources, requiring minimal effort on the part of the end user. It is within the public form of Infrastructure-as-a-service (IaaS) that we really find new innovation. Two points: 1) It is often reported that the innovation stems from the way public cloud infrastructure shifts the costs of IT from a capital expenditure to an operating expenditure, but it is more accurate to say that it is the flexibility IaaS makes available for the usage model to go either way, from CapEx to OpEx or vice versa, that has enabled modification of the older market structure. 2) A “private cloud” is nothing more than a buzzword inaccurately describing the virtualization of your own internal server infrastructure. When an organization pays for all its software development, server configuration, and hosting, and procures additional hardware to set up within the boundary of its own walls, it is neither reducing the load on the IT staff, nor introducing flexibility into the budget, nor getting the advantages of unlimited resources; it is simply changing an old legacy deployment. The characteristic of on-demand driven commerce is crucial to the definition of a cloud. When you demand something from yourself, there is no commercial exchange of goods or services.
Currently, most cloud spending goes toward Software-as-a-service (SaaS), and SaaS continues to be the most appropriate cloud service for small businesses, as it allows users to access and run vendor-supplied (off-the-shelf) applications that live on the internet. This is all that most small companies demand. With Platform-as-a-service (PaaS), users have access to an environment in which they can develop their own software applications on vendor-supplied tools that live on the internet. Note that an outsourced, third-party data center is supplying service to the business in these situations. The main complaint with PaaS and SaaS is that there is commonly a problem taking all of your data with you when you leave your current cloud service provider; this is referred to as “vendor lock-in.” Lock-in is a very pervasive concern for organizations (Glaros, 2011).
IaaS environments let their users go even farther and choose both the hardware and software combinations they want to run, thus giving the user the most control over configuration; again, the point is that with as-a-service, a third-party data center (usually remotely located) is supplying the shared infrastructure for the business as it is needed. One advantage of the additional control available in IaaS is that an enterprise’s existing off-premise data can be more easily migrated to or from different locations. Thus Infrastructure-as-a-service is the biggest departure from what has been available in the past. Its elasticity and levels of user control over configuration make it a significant evolutionary step in IT. It is probably not appropriate for most small businesses. IaaS diverges into different types: Private, Hybrid, Dedicated Host, Community, and Public, but as previously noted, “private cloud” is a misleading term.
Public clouds are enabling modification to the existing market structure. Unlike “private clouds”, where the equipment and software require a large up-front investment, public clouds are usually less costly because the computing power can be purchased for as little as one hour, quickly brought online, and then quickly terminated when no longer required. By allowing for rapid scale up and scale down, the category of the IT cost is shifted from its traditional account, Capital Expenditure, to an Operating Expenditure.
The flexibility of the OpEx IT structure provides freedom. Departmental-level managers in medium-sized businesses can save 30% over internal IT expenses, and small business owners can save about 15% over managed services. Indirect savings can also be realized through reduced electricity use, reduced real estate space requirements, and because the business has the ability to apply more focus toward its core specialty. Keep in mind that the real value lies in the flexibility to choose between options, not necessarily in converting IT from CapEx to OpEx. For example, game provider Zynga did the opposite and chose to go from OpEx to CapEx. At one point Zynga’s entire infrastructure was in the public cloud with Amazon Web Services (AWS). This makes sense when you hear that the game Farmville went from zero to one million users in five days when it launched in 2009. Zynga eventually realized that they were better off owning and operating their own private infrastructure for the base of their data needs, because the AWS system could not be tailored well enough to optimize the unique performance requirements of various (mature) individual games. But they still needed Amazon’s massive capacity to scale up quickly for “bursting” and spikes in demand, so Zynga settled on a hybrid cloud structure where they own part of the infrastructure they need and rent some from AWS.
Personal computers and mobile devices, including smartphones and tablets, act as access gateways to the cloud. As we shift more toward the use of mobile technology for moving data, and toward using tablets on WiFi and smartphones for computing, we need the computational power of the cloud to run our processes and applications because the small devices do not have the needed power. Mobile devices present significant security issues to networks, however, and require additional measures for protection of data, above and beyond those needed for older technologies.
No matter the hardware, cloud services create concerns for systems that are fielded by federal government agencies and large enterprises, as these networks must comply with various information security requirements and regulations including FIPS, HIPAA, ECPA, Gramm-Leach-Bliley, HITECH, or the E-Government Act of 2002.
Cloud also creates concerns for business, and the adoption of public IaaS is hindered by fears over loss of privacy. This is a natural human sensitivity, but it is exacerbated by the fact that it is open season for hacking on the internet. Ironically, the major threat to protecting data that goes into the cloud has been found on multiple occasions to be a human factor, namely the careless behavior of users. The breach of Amazon Web Services may be the most publicized example of public IaaS vulnerability. After the big headlines, Amazon received PCI Level 1 certification, a move that has the fragrance of an ad hoc response intended to maintain their reputation, but as it turned out, the main reason for the security failures was technically not Amazon’s fault. CASED scientists studied AWS and found that users ignored or underestimated stated recommendations from Amazon. CASED has “developed a vulnerability scanner for virtual machines that customers create to run on Amazon’s infrastructure. It can be freely downloaded” at http://trust.cased.de/AMID (ScienceDaily, 2011).
It is important to understand where on the stack the service provider’s accountability for security ends. Generally speaking, with IaaS, responsibility for implementing security on the higher layers of the stack usually falls on the consumer. With SaaS, the details are ironed out in the SLA and remain close to the application or uppermost layers, and with PaaS, the hand-off is somewhere in the middle.
When a firm does a risk assessment (RA) and balances the risk it wants to mitigate against its available resources, it can come up with a statement of applicability (SOA) to address which security controls to implement based on costs and benefits. Then the issue of assessing a provider’s claim of compliance with government regulations, or compliance with the contract with the customer and other cloud operations, can be controlled. The current reality is that risks to compliance are managed, while the management of information disclosure lacks consistent methodologies. This is directly tied to calls for transparency from service providers (Ward, 2011).