Cloud computing is the buzzword in the computing industry, but it can mean many things to many people. Trend Micro is challenged to use a common vocabulary to describe the various facets of cloud computing. This post articulates the various aspects of cloud computing so we can speak a similar language. It is intended to be more pragmatic than doctrinaire and express what we see customers saying in their conversations around cloud computing and the different cloud formations.
Lots of smart people have started looking at cloud computing security and the ways in which we consume cloud computing. The delivery models shown below, along with a working cloud definition, are elegantly described in a presentation (http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2008-12/cloud-computing-standards_ISPAB-Dec2008_P-Mell.pdf ) authored by Peter Mell and Tim Grance from the US National Institutes of Standards & Technology Information Technology Lab (www.nist.gov) .
Software as a Service (SaaS) refers to internet-based access to applications (examples: Salesforce.com, Trend Micro HouseCall).
Platform as a Service (PaaS) refers to services to deploy customer-created applications to the cloud (examples: Google AppEngine and Microsoft Azure).
Infrastructure as a Service (IaaS), sometimes called “utility computing,” refers to renting processing, storage, network and other resources (examples: Amazon’s EC2, Rackspace, and GoGrid). The consumer does not manage the underlying cloud infrastructure, but does control the operating systems, storage, networking, deployed applications and select network components (firewall).
There are others ways to gaze at clouds, and organizations such as the Jericho Forum (http://www.opengroup.org/jericho/ ) (associated with the Open Group, disclaimer: Trend Micro is a member of the Jericho Forum) have created a definition of cloud computing and the Jericho Cloud Cube model that define various cloud formations and their characteristics.
The Jericho Forum is also an affiliate member of the Cloud Security Alliance (CSA), which published “Security Guidance for Critical Areas of Focus in Cloud Computing” (http://www.cloudsecurityalliance.org/guidance/csaguide.pdf , disclaimer: Trend Micro is a member of the CSA). The CSA document might lack pretty pictures, but provides a nice overview and summary of 15 different security domains critical to operating in public cloud environments.
We did some customer surveys recently and found that what the cloud cognoscenti refer to as SaaS is called “hosted” by a plurality of IT professionals. While the terminology is in flux and will evolve over time, having a mental framework and common vocabulary helps to better communicate cloud concepts. It enables us to mentally map cloud-based or hosted security (can be SaaS offerings), cloud protection (protecting SaaS/PaaS/IaaS infrastructure), hosting (can be a form of SaaS/IaaS), and come to terms with things like cloud-client architectures (a hybrid with some SaaS/PaaS/IaaS services in the cloud combined with client software). I’m a marketing guy who communicates ideas for a living, and sharing the above vocabulary with my colleagues allows us to have clear conversations with a minimum of puzzled looks.
Cloud computing implies a number of changes for how IT does IT as businesses consider moving sensitive applications into the cloud. The threats will change and how the security industry responds to those threats will make for interesting times. Stay tuned for postings as I dig into some of the security impacts of public cloud computing.