The Cloud Computing era


In 2025, we hear about the Cloud a lot, even among people who don't work in the IT industry. This computing model is present in everyday life; we use it practically every second of our day, without even realizing it. For example, when we use an app on our smartphone, the app is most likely using cloud computational resources to obtain data to show to the user, or when we back up photos to iCloud or Google Photos, we are using cloud resources to store our data and other resources to recover them.

Yes, but...what is cloud computing, technically?

When they ask me what cloud computing is, I like to answer with the definition given by NIST (National Institute of Standards and Technology) and reported in the SP 800-145 specification:

"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models."

So, in other words, is it "just someone else's computer"? Yes, but that definition is too simplistic. Cloud computing is a model that allows you to rent and release hardware resources as needed, of any power and type. And this can be done comfortably from home, using the Internet. The definition mentions five essential characteristics, three service models, and four deployment models: let's look at each.

Essential characteristics

NIST outlines five essential characteristics that define cloud computing. These characteristics serve as guidelines to ensure the efficiency, scalability, and reliability of cloud computing:

  • On-demand self-service: This is quite self-explanatory: A user can provision the infrastructure themselves, through a dashboard provided by the provider or using APIs.
  • Broad Network Access: Cloud resources are accessible using the internet and any device. Latency plays a key role.
  • Resource Pooling: Multiple customers share the same physical resources under a multi-tenant model. The cloud assigns and removes resources based on requests, and this is completely transparent to the customer. Isolation and security under the multi-tenant model are guaranteed.
  • Rapid Elasticity: Capabilities can be scaled elastically, meaning they can be increased or decreased quickly and automatically, based on demand. For the consumer, it often appears as unlimited. Imagine a website that suddenly gets a huge surge in traffic. The cloud can automatically scale up resources to handle the load, and then scale back down when the traffic subsides.
  • Measured service: Cloud systems automatically control and optimize resource usage by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage is monitored, and this data can be used for billing or other purposes. This is similar to how you are billed for electricity or water consumption – you pay for what you use.

Service Models

NIST outlines three fundamental service models for cloud computing. These models describe the different levels of responsibility shared between the cloud provider and the customer. Understanding these models is key to choosing the right cloud service for your needs.

  • Infrastructure as a Service (IaaS): This model provides you with the most basic building blocks – virtualized computing resources like servers, storage, and networking. You have control over the operating system, middleware, and applications you install. Think of it like renting the land and building materials; you are responsible for constructing the house (your IT infrastructure) yourself. Examples include Amazon EC2, Microsoft Azure Virtual Machines, and Google Compute Engine. With IaaS, you have a high degree of control, but also a high degree of responsibility for managing the underlying infrastructure.
  • Platform as a Service (PaaS): This model provides a platform for developing, running, and managing applications without managing the underlying infrastructure. The cloud provider handles the operating system, middleware, and other runtime environment components, allowing you to focus solely on your application code. Think of it like renting an apartment; the landlord (cloud provider) takes care of the building's maintenance, while you furnish and decorate your space (develop and deploy your application). Examples include Google App Engine, Heroku, and AWS Elastic Beanstalk. PaaS offers a balance between control and ease of use, simplifying application development and deployment.
  • Software as a Service (SaaS): This model provides ready-to-use software applications over the internet. You access the software on demand, without worrying about installation, maintenance, or updates. Think of it like subscribing to a streaming service; you access the content (software) without managing the underlying infrastructure. Examples include Salesforce, Gmail, and Dropbox. SaaS offers the simplest user experience, as the cloud provider manages everything, but you have the least amount of control over the underlying infrastructure and application settings.

Deployment Models

The National Institute of Standards and Technology (NIST) defines four deployment models for cloud computing, which describe where the cloud infrastructure is located and who has access to it. These models help organizations choose the right cloud deployment strategy based on their specific needs and requirements:

  • Private Cloud: The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on or off premises. Think of it like a company's own private data center, but with the characteristics of cloud computing (on-demand self-service, resource pooling, etc.). Private clouds offer the greatest level of control and security but often require significant investment.
  • Community Cloud: The cloud infrastructure is shared by a specific community of organizations with shared interests (e.g., security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party, and may exist on or off premises. Imagine a group of hospitals sharing a cloud infrastructure to store and manage patient data, while adhering to specific healthcare regulations.
  • Public Cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services. This is the most common type of cloud deployment. Think of services like AWS, Azure, or Google Cloud Platform. Public clouds offer scalability and cost-effectiveness, but organizations may have less control over security and compliance compared to private or community clouds.
  • Hybrid Cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). This allows organizations to combine the benefits of different cloud deployment models. For example, an organization might use a private cloud for sensitive data and a public cloud for less sensitive workloads.

But in the end...is data in the cloud really safe?

It's really difficult to answer this question. Generally, yes, but there are some aspects to consider.

When data is uploaded to the cloud, it is encrypted (at rest) using a key generated directly by the cloud provider. This suggests a high level of security, but the key that decrypts the data is in the possession of the cloud provider. This could expose the data to potential internal data breaches caused by cloud provider employees.

To mitigate this problem, the customer could encrypt the data with a customer-managed encryption key (CMEK). Cloud providers offer virtual HSMs (Hardware Security Modules) where it is possible to store the keys created by the customer in a totally secure manner.

Another important issue concerns data deletion. Often, when we no longer need the block storage (perhaps connected to a VM, therefore in an IaaS context) and we remove it, it could happen that the data still physically resides on the storage devices for a short period. To mitigate this problem, an operation called cryptoshredding can be performed. In essence, before deprovisioning the storage devices, the data is encrypted, and once the process is finished, the key is destroyed. This applies if a CMEK approach has not been used; otherwise, it is sufficient to simply destroy the CMEK to carry out cryptoshredding. This way, even though the data might still reside on the physical devices, without the key (which has been destroyed), it would be impossible to recover the data.
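An added example (not part of the original article) of cryptoshredding with a customer-managed key. It generalizes the text slightly by using envelope encryption: each volume's data key is stored only wrapped under the CMEK, so destroying the CMEK makes the stored bytes unreadable. The `kms` dict, the key names, the volume layout and the HMAC-based cipher (a standard-library stand-in for AES-GCM) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

def _stream(key, nonce, data):
    # HMAC-SHA256 counter keystream: stdlib stand-in for AES-GCM, illustration only
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, b"enc" + nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = _stream(key, nonce, plaintext)
    return nonce + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest() + body

def unseal(key, blob):
    nonce, tag, body = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered data")
    return _stream(key, nonce, body)

def write_volume(kms, key_id, data):
    # kms: dict key_id -> CMEK bytes, a hypothetical stand-in for an HSM-backed key service
    dek = secrets.token_bytes(32)  # per-volume data key, stored only in wrapped form
    return {"key_id": key_id, "wrapped_dek": seal(kms[key_id], dek),
            "ciphertext": seal(dek, data)}

def read_volume(kms, vol):
    dek = unseal(kms[vol["key_id"]], vol["wrapped_dek"])
    return unseal(dek, vol["ciphertext"])

def shred_demo():
    kms = {"cmek-a": secrets.token_bytes(32), "cmek-b": secrets.token_bytes(32)}
    vol_a = write_volume(kms, "cmek-a", b"constructed sample: tenant A records")
    vol_b = write_volume(kms, "cmek-b", b"constructed sample: tenant B records")
    before = read_volume(kms, vol_a)
    del kms["cmek-a"]  # cryptoshredding: destroy the CMEK, leave the stored bytes alone
    try:
        read_volume(kms, vol_a)
        shredded = False
    except KeyError:
        shredded = True
    return before, shredded, read_volume(kms, vol_b)

if __name__ == "__main__":
    print(shred_demo())
```

The guarantee holds only if no other copy of the CMEK or of an unwrapped data key survives, for example in a backup or a cache.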

So, is the cloud provider directly responsible for everything?

Absolutely not! Remember this: the customer, in any service model, is ALWAYS responsible for their data. But there are some things that the customer is responsible for and others that the cloud provider is responsible for, and this depends on the service model.

The shared responsibility model in cloud computing clarifies the security responsibilities between the cloud provider and the customer. Understanding this model is crucial to ensure your data and applications are adequately protected in the cloud. Look at this diagram:

[Figure: Shared responsibility model]

As you can see, responsibilities vary depending on the service model. With IaaS the customer has more control, but also greater responsibility, while with SaaS the customer has less control, but also less responsibility.


Fabio Battista

AI Enthusiast | Sales | Co-Founder Pro2Be | Presidente Nazionale GG | Speaker

1 month

Great analysis, Pasquale! Cloud computing is revolutionizing how companies manage data and operations, unlocking new opportunities for efficiency and scalability. It will be interesting to see how AI and edge computing further integrate into this ecosystem. Thanks for the insightful perspective!
