Clouds are everywhere. Should we fear a storm ?
What is cloud ?
Cloud refers to sharing and granting access to resources, software applications and data through a network connection instead of your computer’s hard drive. Network often refers to data centers using Wide Area Network (WAN) or Internet.
Concept of cloud has grown over time and many other related concepts have emerged among those :
- Utility computing : The process of providing computing service through an on-demand, pay-per-use billing method.
- Virtualization : That hides the physical characteristics of a computing platform from the users, presenting instead an abstract computing platform.
- Serverless computing : An execution model in which the cloud provider acts as the server, dynamically managing the allocation of machine resources.
- Grid computing : Which enables to combine computers from multiple administrative domains to reach a common goal, to solve a single task, and which might then disappear just as quickly.
According to Forbes the leading factor of cloud adoption in enterprises is a Digital Transformation plan. It’s reasonable in view of its benefits to speed, productivity, performance and global scale.
Actually, most of cloud services are provided independently and on demand and can be provisioned within minutes, enabling a lot of flexibility to users and the capacity to scale elastically.
Cloud types :
Clouds are not all the same : different types of deployment and services can be found.
The main three deployment categories are :
Public clouds, are owned and operated by cloud services providers, which deliver their computing resources like servers and storage over the Internet. The most famous Public Cloud providers are AWS, Microsoft Azure and Google Cloud Platform.
Private clouds, referring to cloud computing resources used exclusively by a single business or organization. A private cloud can be physically located on the company’s on-site datacenter. We can also find Private Cloud providers who sell cloud-ready hardware, some others sell cloud software and others sell virtual private cloud services. Among them :
- DELL EMC: Provide principally server hardware, storage hardware, software and services. According to Wikibon, DELL accounted 10% of the true private cloud market in 2016 which put it in a tie for first place.
- HPE : The Wikibon report said that HPE was in second place by offering Helion Cloud suite and managed virtual cloud services.
- VMware : Known for its virtualization software that runs many private cloud environments. It also offers the vRealize Suite Cloud Management Platform.
Hybrid clouds, combining public and private clouds, bound together by technology that allows data and applications to be shared between each other. By allowing data and applications to move between private and public clouds, a hybrid cloud gives your business greater flexibility, more deployment options, and helps optimize your existing infrastructure, security, and compliance.
Let’s now focus on services categories :
IAAS (Infrastructure As A Service), Which is the most basic category of cloud computing services. It enables to create or rent IT infrastructure such as servers, virtual machines, storage, networks, operating systems.
PAAS (Platform As A Service), refers to cloud computing services that supply an on-demand environment for developing, testing, delivering, and managing software applications. PaaS is designed to make things easier for developers to quickly create web or mobile apps, without worrying about setting up or managing the underlying infrastructure of servers, storage, network, and databases needed for development. To my mind, PaaS makes project teams more Agile and it appears nowadays very important to provide even a small catalog of services to development teams in order to provide them a good level of autonomy.
SAAS (Software As A Service) is a method for delivering software applications over the Internet, on demand and on a subscription basis. With SaaS, cloud providers host and manage the software application and underlying infrastructure, and handle every type of maintenance, like software upgrades and security patching. Users connect to the application over the Internet, usually using a web browser on their phone, tablet, or PC. Eg : Google applications, Salesforce.
Cloudy sky ?
Actually, Cloud computing currently continue to spread on and there is no slowdown forecast on the horizon. So yes the sky is basically cloudy and these clouds are more like cumulus.
Let’s talk about figures :
- “83% of enterprise workloads will be in the cloud by 2020.” (Forbes)
- “More than 3.6 billion cloud services user worldwide.” (Statista)
- More than 300 cloud provider.
- “The cloud is growing 7 times faster than the rest of IT.” (IDC)
- “Cloud computing spending is expected to grow at a whopping rate of 6 times the rate of IT spending through 2020.” (IDC)
- “Total global cloud storage capacity is up to 1.1 ZB (Zettabyte) in 2018 which nearly doubles the storage available in 2017.” (Cisco)
- “Cloud computing will hit $186B in 2018.” (Gartner)
Should we fear a storm ?
Even though clouds look like cumulus, we are still not yet facing a cumulonimbus. But it doesn’t mean that rains are not already upon us.
My point is that flaws can be observed when talking about cloud computing, and among them :
They are mainly related to provider’s technologies used and data access policies.
There is a list of most known cloud threats captured by Cloud Security Alliance:
- Insecure Interfaces and APIs : Since Providers expose APIs and interfaces to manage and monitor services, the security and availability of all services depend on these APIs.
- Malicious Insiders : There is often little or no visibility into the hiring standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary to do inside attacks.
- Shared Technology Issues : The underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) have not been designed to offer strong isolation properties for a multi-tenant architecture, whereas customers could use same services with virtual isolation. This leaves sometimes some vulnerabilities.
- Data Loss or Leakage : The threat of data compromise increases in the cloud, due to the number of and the operational characteristics of the cloud environment.
- Account or Service Hijacking : If an attacker gains access to your credentials, he can basically realize all type of operations from your account, having open doors to your activity, transactions, data and can use your servers to operate other attacks or sometimes crypto money mining .
Compliance and legal risks :
Many data security regulations are intended to protect specific type of data.
As for example, GDPR in Europe or HIPAA in US require healthcare providers to protect patient data. PCI DSS requires anyone who accepts credit cards to protect cardholder data. Actually, we are currently often required to know :
* Where have been sheltered the data ?
* Who is granted access to them ?
* How are they protected ?
Although compliance and legal risks might only concern a few business sectors like Banking, or Healthcare system for now, more will be concerned in the future.
Risks related to lack of control :
Data control, data center locations control and access control are not the question here, but services control.
When we use cloud service, there is no guarantee concerning the continuity of service and we are not in control of fees evolution : the bill can easily double and we would have to pay. And if we are no more satisfied by a service, changing provider can lead us to a risk of vendor lock-in.
Potential lock with the vendor :
We may not be aware about this point but it is, to my mind, one of the most important. As cloud services are currently very easy to activate and build we find ourselves surrounded after a while by a plethoric amount of services and platforms. So far so good, but when an organization considers moving on from one cloud provider to another, one can discover the sunk costs, considering cash, energy and time. The moving costs are always higher than initially spent with the first provider, because of absence of standard and the different design of services.
Both small and big structures realize the true cost of cloud solutions as they accelerate their digital transformation and have to make evolve their business and products. Over time, we all will experience the need of scalability, performance, time-to-market and distributed platforms needs. Cloud will therefore remain a major project to activate.
With all the money spent now and in the future for cloud improvements, I think future cloud offerings will be consequently more secure, reliable and vertical-specific. More standardization will thus be considered to facilitate transition between different providers. Therefore, I also strongly believe that we are very far from the storm and clouds are not even close to disappear from our sky even though we hear a lot about Edge computing replacing Cloud computing.