Cloud Computing: Part-II
Soumya Mondal
SOC2 Internal Auditor, cybersec, cloud & GenAI security consultant, author and blogger
First of all, I would like to thank you all for your responses and suggestions on Part-I. In this Part-II we will continue our discussion on the different components of cloud infrastructure.
As per NIST (SP 500-292, the NIST Cloud Computing Reference Architecture) there are five major actors, or components, in cloud computing – (a) cloud consumer, (b) cloud provider, (c) cloud auditor, (d) cloud broker, and (e) cloud carrier.
(a) A cloud consumer can be anyone who uses cloud services: an organization, an internal team, or an individual. In the first case the organization is the consumer, as it avails IAAS/PAAS/SAAS services from a cloud service provider. Internal application teams can also be consumers when they use a private cloud for application hosting.
(b) In that private-cloud case the internal infrastructure hosting team is the cloud service provider, since it builds and maintains the private cloud infrastructure within the organization. In general, a cloud provider is the entity responsible for making a service available to interested consumers.
(c) You all know that 'audit' means an official inspection of an organization's accounts or setup, typically by an independent body. So a cloud auditor is someone (a person or an organization dedicated to audit activity) who conducts an independent assessment of cloud services, including their operations, performance and security. Their role may also include verifying compliance with regulations and security policy. For example, an auditor can be tasked with ensuring that the correct data retention policies are applied according to the relevant rules of the jurisdiction (the law of the land).
(d) In many cases, due to a lack of knowledge, in-house skills or vision, organizations (consumers) prefer to take help from a middle-man (entity) to migrate or integrate their existing applications to the cloud, or to host a new cloud-based application. This entity is called a 'Cloud Broker': it manages the use, performance and delivery of cloud services, and maintains relationships between cloud providers and cloud consumers.
A Cloud Broker generally provides –
1. Business and relationship support services - Business intermediation
2. Technical support service - aggregation, arbitrage, and technical intermediation
Intermediation means enhancing a given service by improving some specific capability and providing value-added services to consumers. The improvement can be managing access to cloud services, identity management, performance reporting, enhanced security, etc.
Aggregation means integrating multiple services into one or more new services. The Broker provides data and service integration and ensures secure data movement between the cloud Consumer and multiple cloud Providers.
Service arbitrage is similar to service aggregation except that the services being aggregated are not fixed: the Broker has the flexibility to choose services from multiple service Providers, for example selecting whichever one currently offers the best price or performance.
(e) Now comes the 'Cloud Carrier'. It is the intermediary that provides connectivity and transport of cloud services from Cloud Providers to Cloud Consumers as per the agreement (SLA) between providers and consumers. Tough to understand? Let me explain further.
Say you are hosting an application in the cloud. What do you require to access the application and make it accessible to its intended users? Primarily, (a) network connectivity, comprising the Internet links, routers and switches, and (b) protection of that connectivity, e.g. encrypted or dedicated connections. The carrier is also expected to maintain the quality of the transport in terms of confidentiality, integrity and availability (the CIA triad). Arranging all these facilities is what is expected from the 'Cloud Carrier'. Note that the carrier secures the transport path; protecting the data itself (for example TLS terminated at the application endpoints) remains the responsibility of the provider and consumer, as discussed under security below.
Now what is an SLA? A service level agreement (SLA) is a contract between a service provider (either internal or external) and the end user that defines the level of service expected from the service provider. In the above example, there will be an SLA between the consumer and the provider as well as another SLA between the provider and the carrier. The second SLA must complement the requirements set by the first: the consumer can only reach the application when both the provider's platform and the carrier's network are up, so the carrier's commitment has to be at least as strict as what the provider has promised the consumer. Cloud consumers need SLAs to specify the technical performance requirements to be fulfilled by a cloud provider. SLAs can cover terms regarding quality of service, security, and remedies for performance failures.
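To make the 'must complement' point concrete, here is a small added example (not part of the original article, and not any real provider's or carrier's SLA terms) that models the two SLAs as monthly availability percentages. It assumes that the provider's platform and the carrier's network fail independently, so the availability the consumer experiences is the product of the two, and it computes the minimum carrier availability needed to honour a given consumer-facing SLA. All figures are constructed.

```python
"""Composite SLA check for a consumer -> provider -> carrier chain.

Added example for this article (constructed figures, not any real
provider's or carrier's SLA terms).  Availability is modelled as the
fraction of a 30-day month during which the service is reachable.
"""
from __future__ import annotations

from dataclasses import dataclass

# SLAs are usually measured per month; a 30-day month is assumed here.
MINUTES_PER_MONTH = 30 * 24 * 60


@dataclass(frozen=True)
class Sla:
    """A hypothetical SLA expressed as monthly availability in percent."""

    party: str
    availability_pct: float

    @property
    def downtime_budget_minutes(self) -> float:
        """Minutes per month this SLA allows the service to be unreachable."""
        return MINUTES_PER_MONTH * (1.0 - self.availability_pct / 100.0)


def composite_availability(chain: list[Sla]) -> float:
    """Availability seen by the consumer when every SLA in 'chain' must hold.

    The application is reachable only if the provider's platform AND the
    carrier's network are both up, so the availabilities multiply
    (assumption: the parties in the chain fail independently).
    """
    fraction = 1.0
    for sla in chain:
        fraction *= sla.availability_pct / 100.0
    return fraction * 100.0


def minimum_carrier_availability(consumer_pct: float, platform_pct: float) -> float:
    """Lowest carrier availability (percent) that still honours the
    consumer-facing SLA, given what the provider's own platform delivers."""
    if platform_pct < consumer_pct:
        raise ValueError("platform alone cannot meet the consumer-facing SLA")
    return consumer_pct / platform_pct * 100.0


def carrier_sla_is_sufficient(consumer: Sla, platform: Sla, carrier: Sla) -> bool:
    """True if platform and carrier together can meet the consumer-facing SLA."""
    return composite_availability([platform, carrier]) >= consumer.availability_pct


if __name__ == "__main__":
    consumer = Sla("consumer-facing SLA", 99.9)   # constructed figure
    platform = Sla("provider platform", 99.95)    # constructed figure
    for carrier_pct in (99.9, 99.99):
        carrier = Sla("cloud carrier", carrier_pct)
        delivered = composite_availability([platform, carrier])
        verdict = "OK" if carrier_sla_is_sufficient(consumer, platform, carrier) else "INSUFFICIENT"
        budget = Sla("composite", delivered).downtime_budget_minutes
        print(f"carrier {carrier_pct}% -> consumer sees {delivered:.4f}% "
              f"({budget:.1f} min/month downtime) {verdict}")
    needed = minimum_carrier_availability(consumer.availability_pct, platform.availability_pct)
    print(f"carrier must promise at least {needed:.4f}%")
```

Running the block shows why a carrier SLA merely equal to the consumer-facing one is not enough: with a 99.95% platform and a 99.9% carrier the consumer sees about 99.85%, roughly 65 minutes of downtime per month against a budget of about 43, so the second SLA has to be stricter than the first (here at least about 99.95%) for the chain to hold.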
A Cloud Provider acquires and manages the cloud computing infrastructure to provide SAAS, IAAS and PAAS services. These services were discussed in Part-I. Additionally, a Cloud Provider's activities can be described in five major areas – (1) service deployment, (2) service orchestration, (3) service management, (4) security, and (5) privacy.
(1) A cloud infrastructure can be operated in one of the following deployment models: public cloud, private cloud, community cloud, or hybrid cloud. Refer to Part-I for more detail.
(2) Service orchestration means the arrangement, coordination and management of cloud infrastructure to provide cost-effective cloud services. Generally it is a three-layered architecture:
– The top layer is the service layer, where a cloud provider provisions each of the three service models - SAAS, PAAS, and IAAS.
– The middle layer, the resource abstraction and control layer, contains the software components used to access the physical resources through abstraction and to control their allocation and monitoring. This layer typically includes hypervisors, virtual machines, virtual data storage etc.
– The lowest layer, the physical resource layer, includes hardware resources such as servers, routers, firewalls, switches, network links and storage, plus HVAC, power, and all other aspects of the physical plant.
(3) Cloud Service Management includes all of the service-related functions necessary for the management and operation of the services required by or proposed to cloud consumers. It includes, but is not limited to, customer management, contract management, inventory management, configuration management, SLA management etc.
(4) Security is a cross-cutting function that ranges from physical security to application security. In other words, security encompasses all layers of the cloud platform and services, and the responsibility is shared between cloud provider and cloud consumer: the provider secures the layers it operates (the physical plant and, depending on the service model, the virtualization, operating system or platform), while the consumer remains responsible for what it puts on top, such as its data, identities and access configuration.
(5) Information privacy is the right to have some control over how your personal information is collected and used. Have you ever heard of the term 'PII'? If not, then it's okay. PII is personally identifiable information, i.e. any data that could potentially identify a specific individual. Cloud providers should protect personal information (PI) and personally identifiable information (PII) while processing, storing, communicating and disposing of it in the cloud system.
So these are all the different cloud components in brief. Let me know if you have any queries or if you need further detail on any specific section. In the next part, the different security aspects of the cloud environment will be discussed. Keep an eye out for it.