CLBE304 - Week2

Uploaded by

kashish maharjan

Cloud Deployment and Service Models

Kent Institute Australia Pty. Ltd.


ABN 49 003 577 302 CRICOS Code: 00161E
RTO Code: 90458 TEQSA Provider Number: PRV12051
Version 2 – 18th December 2015
Prescribed Text:
Roger McHaney, (2021), Cloud Technologies, Kansas State University, Manhattan USA, John Wiley & Sons, Ltd

Kavis, M. (2014) Architecting the Cloud, John Wiley, Hoboken, NJ

Erl, T., Puttini, R., Mahmood, Z. (2013) Cloud Computing: Concepts, Technology & Architecture, Pearson Higher Ed USA

Additional Text:

Bond, J. (2015) The Enterprise Cloud - Best Practices for Transforming Legacy IT, O’Reilly Media

Rafaels, R. (2015) Cloud Computing: From Beginning to End, available online CreateSpace Independent Publishing Platform

Cloud Deployment Models:
1- Public cloud:
The cloud infrastructure is provisioned for open use by the
general public. It may be owned, managed, and operated by a
business, academic, or government organization, or some
combination of them. It exists on the premises of the cloud
provider.

2- Private cloud:
• The cloud infrastructure is provisioned for exclusive use by
a single organization comprising multiple consumers (e.g.,
business units).
• It may be owned, managed, and operated by the
organization, a third party, or some combination of them,
and it may exist on or off premises.
Cloud Deployment Models:
3- Hybrid cloud:
The cloud infrastructure is a composition of two or more distinct
cloud infrastructures (private, community, or public) that remain
unique entities, but are bound together by standardized or
proprietary technology that enables data and application portability
(e.g., cloud bursting for load balancing between clouds).

4- Community cloud:
• The cloud infrastructure is provisioned for exclusive use by a specific
community of consumers from organizations that have shared
concerns (e.g., mission, security requirements, policy, and compliance
considerations).
• It may be owned, managed, and operated by one or more of the
organizations in the community, a third party, or some combination of
them, and it may exist on or off premises.
What are the Different Types of Cloud Service Solutions?
Cloud Service Models:
1- Software as a Service (SaaS):
• The capability provided to the consumer is to use the provider’s applications running on a
cloud infrastructure.
• The applications are accessible from various client devices through either a thin client
interface, such as a web browser (e.g., web-based email), or a program interface.
• The consumer does not manage or control the underlying cloud infrastructure including
network, servers, operating systems, storage, or even individual application capabilities,
with the possible exception of limited user-specific application configuration settings.
SaaS examples:
Google Apps, Salesforce, Dropbox, etc.
Cloud Service Models: (cont’d)
2- Platform as a Service (PaaS):
• The capability provided to the consumer is to deploy onto the cloud infrastructure
consumer-created or acquired applications created using programming languages, libraries,
services, and tools supported by the provider.
• The consumer does not manage or control the underlying cloud infrastructure including network,
servers, operating systems, or storage, but has control over the deployed applications and possibly
configuration settings for the application-hosting environment.
Examples:
AWS Elastic Beanstalk, Windows Azure,
Force.com, Google App Engine, etc.
Cloud Service Models: (cont’d)
3- Infrastructure as a Service (IaaS):
The capability provided to the consumer is to provision processing, storage, networks, and other
fundamental computing resources.
The consumer is able to deploy and run arbitrary software, which can include operating systems and
applications.
The consumer does not manage or control the underlying cloud infrastructure but has control over
operating systems, storage, and deployed applications; and possibly limited control of select
networking components (e.g., host firewalls).
Examples:
Amazon Web Services (AWS), Cisco Metapod,
Microsoft Azure, etc.
Cloud Computing Users
Cloud Service Models: specialized variations
Many specialized variations of the three base cloud delivery models have
emerged, each comprised of a distinct combination of IT resources. Some
examples include:
• Storage-as-a-Service
• Database-as-a-Service
• Security-as-a-Service
• Communication-as-a-Service
• Integration-as-a-Service
• Testing-as-a-Service
• Process-as-a-Service
Note also that a cloud delivery model can be referred to as a cloud service
delivery model because each model is classified as a different type of
cloud service offering.
Combining Cloud Delivery Models - IaaS + PaaS
A PaaS environment will be built upon an underlying infrastructure comparable to
the physical and virtual servers and other IT resources provided in an IaaS
environment. Figure 4.14 shows how these two models can conceptually be
combined into a simple layered architecture.

Figure 4.14 A PaaS environment based on the IT resources provided by an underlying IaaS environment.

From Cloud Computing by Thomas Erl, Zaigham Mahmood, and Ricardo Puttini
(ISBN: 0133387526) Copyright © 2013 Arcitura Education, Inc. All rights reserved.
Combining Cloud Delivery Models - IaaS + PaaS

A cloud provider would not normally need to provision an IaaS environment from its
own cloud in order to make a PaaS environment available to cloud consumers.
Figure 4.15 shows an example of a contract between Cloud Providers X and Y, in which
services offered by Cloud Provider X are physically hosted on virtual servers belonging
to Cloud Provider Y. Sensitive data that is legally required to stay in a specific region is
physically kept in Cloud B, which is physically located in that region.

The motivation for such an arrangement may be economic, or the first cloud provider
may be close to exceeding its existing capacity by serving other cloud consumers. Or,
perhaps a particular cloud consumer imposes a legal requirement for data to be physically
stored in a specific region (different from where the first cloud provider’s cloud resides).
Combining Cloud Delivery Models - IaaS + PaaS

Figure 4.15 An example of a contract between Cloud Providers X and Y, in which services offered by Cloud Provider X are physically hosted on virtual servers belonging to Cloud Provider Y. Sensitive data that is legally required to stay in a specific region is physically kept in Cloud B, which is physically located in that region.

From Cloud Computing by Thomas Erl, Zaigham Mahmood, and Ricardo Puttini
(ISBN: 0133387526) Copyright © 2013 Arcitura Education, Inc. All rights reserved.
Combining Cloud Delivery Models - IaaS + PaaS + SaaS
All three cloud delivery models can be combined to establish layers of IT resources that build upon each
other. For example, by adding on to the preceding layered architecture shown in Figure 4.15, the
ready-made environment provided by the PaaS environment can be used by the cloud consumer organization
to develop and deploy its own SaaS cloud services that it can then make available as commercial
products (Figure 4.16).

Figure 4.16 A simple layered view of an architecture comprised of IaaS and PaaS environments hosting three SaaS cloud service implementations.

From Cloud Computing by Thomas Erl, Zaigham Mahmood, and Ricardo Puttini
(ISBN: 0133387526) Copyright © 2013 Arcitura Education, Inc. All rights reserved.
What are Cloud Computing Challenges?
• Cloud servers and data storage generally require network connectivity
for resource access. If a network disruption occurs, service is interrupted.
• Cloud security considerations.
• Cloud services can be costly.
• Vulnerability to attacks.
• Loss of control.
• Technical problems. If technical problems emerge, the fix might depend
on cloud service providers.
Who Uses the Cloud?
Cloud Computing has broad appeal for:
People operating at the individual level
Employees of small and medium businesses
People in corporate environments
Individual Users
• Personal storage of digital resources has grown tremendously
• People store photos, videos, movies, music collections, eBooks, documents, family records,
recorded television programs, digitized art, souvenirs, digital keepsakes, correspondence, text
message streams, and countless other artifacts
Individual Motivations for Cloud Use
• All digital resources handily stored in a single place
• Provides backup for digital resources
• Cloud storage separates data from fragile digital devices
• Safeguards valuable digital holdings.
• Provides access to software and services for individuals

Provides access to low cost, easy to maintain and deploy software.


Security issues in service delivery models of cloud computing
The architecture of the cloud poses a threat to the security of existing
technologies when they are deployed in a cloud environment.

Cloud service users need to be vigilant in understanding the risks of data breaches in
this new environment.

Today Small and Medium Business (SMB) companies are increasingly realizing that
simply by tapping into the cloud they can gain fast access to best business applications
or drastically boost their infrastructure resources, all at negligible cost.

Cloud providers currently enjoy a profound opportunity in the marketplace. The
providers must ensure that they get the security aspects right, for they are the ones
who will shoulder the responsibility if things go wrong.
Security issues in SaaS
• In SaaS, the client has to depend on the provider for proper security measures.
• The provider must do the work to keep multiple users from seeing each other’s
data. So it becomes difficult for the user to ensure that the right security measures
are in place and also difficult to get assurance that the application will be
available when needed.
• With SaaS, the cloud customer will by definition be substituting new software
applications for old ones.
• Therefore, the focus is not upon portability of applications, but on preserving or
enhancing the security functionality provided by the legacy application and
achieving a successful data migration.

Resources:
Choudhary V. Software as a service: implications for investment in software development. In: International conference on system sciences, 2007, p. 209
Seccombe A, Hutton A, Meisel A, Windel A, Mohammed A, Licciardi A, et al. Security guidance for critical areas of focus in cloud computing, v2.1. Cloud Security Alliance, 2009, 25 p.
Security issues in SaaS: Key Security Elements

• The following key security elements should be carefully considered as an integral part of
the SaaS application development and deployment process:
1) Data security
2) Network security
3) Data locality
4) Data integrity
5) Data segregation
6) Data access
7) Authentication and authorization.
Security issues in SaaS: Key Security Elements
1) Data security
In the SaaS model, the enterprise data is stored outside the enterprise
boundary, at the SaaS vendor. Consequently, the SaaS vendor must adopt
additional security checks to ensure data security and prevent breaches due to
security vulnerabilities in the application or through malicious employees.
Malicious users can exploit weaknesses in the data security model to gain
unauthorized access to data.
Security issues in SaaS: Key Security Elements
2) Network Security

All data flow over the network needs to be secured in order to prevent leakage of sensitive
information.
This involves the use of strong network traffic encryption techniques such as Secure Sockets
Layer (SSL) and the Transport Layer Security (TLS) for security.
Malicious users can exploit weaknesses in network security configuration to sniff network
packets.
Security issues in SaaS: Key Security Elements
3) Data Locality
In a SaaS model of a cloud environment, the consumers use the applications provided by
the SaaS and process their business data.
But in this scenario, the customer does not know where the data is being stored. In many
cases, this can be an issue.
Due to compliance and data privacy laws in various countries, locality of data is of utmost
importance in many enterprise architectures.
For example, in many EU and South American countries, certain types of data cannot leave
the country because of potentially sensitive information.
In addition to the issue of local laws, there’s also the question of whose jurisdiction the
data falls under when an investigation occurs.
A secure SaaS model must be able to give the customer reliable assurance about where the
consumer’s data is located.
Security issues in SaaS: Key Security Elements
4) Data Integrity

• Data integrity is one of the most critical elements in any system. Data integrity is easily
achieved in a standalone system with a single database.
• Data integrity in such a system is maintained via database constraints and transactions.
Transactions should follow ACID (atomicity, consistency, isolation and durability) properties
to ensure data integrity.
• Most databases support ACID transactions and can preserve data integrity.
• The lack of integrity controls at the data level (or, in the case of existing integrity controls,
bypassing the application logic to access the database directly) could result in profound
problems.
• Architects and developers need to approach this danger cautiously, making sure they do not
compromise databases’ integrity in their zeal to move to cloud computing.
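
The following added example (not from the original slides) shows the two points above with Python's built-in sqlite3: an invariant enforced by a database constraint holds even when a writer bypasses the application logic, and a transaction leaves no partial update behind. The `accounts` table, the names and the balances are constructed for illustration.

```python
import sqlite3

def open_ledger():
    """In-memory ledger whose invariant lives in the schema (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts ("
        " id TEXT PRIMARY KEY,"
        " balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 20)])
    db.commit()
    return db

def transfer(db, src, dst, amount):
    """Application logic: move funds atomically. Both updates commit or neither."""
    try:
        with db:  # commits on success, rolls back on any exception
            db.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?",
                       (amount, dst))
            # If this debit violates the CHECK, the credit above is rolled back.
            db.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?",
                       (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False

def direct_write_rejected(db):
    """A writer that skips transfer() still hits the data-level constraint."""
    try:
        with db:
            db.execute("UPDATE accounts SET balance = -50 WHERE id = 'bob'")
    except sqlite3.IntegrityError:
        return True
    return False

def balances(db):
    return dict(db.execute("SELECT id, balance FROM accounts ORDER BY id"))

if __name__ == "__main__":
    db = open_ledger()
    print(transfer(db, "alice", "bob", 30), balances(db))
    print(transfer(db, "alice", "bob", 500), balances(db))
    print(direct_write_rejected(db), balances(db))
```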
Security issues in SaaS: Key Security Elements
5) Data Segregation

• Multi-tenancy is one of the major characteristics of cloud computing. So data of various users
will reside at the same location.
• Intrusion of data of one user by another becomes possible in this environment. This intrusion
can be done either by hacking through the loopholes in the application or by injecting client
code into the SaaS system.
• A SaaS model should therefore ensure a clear boundary for each user’s data. The service
should be intelligent enough to segregate the data from different users.
Security issues in SaaS: Key Security Elements
6) Data Access
• The data access issue mainly relates to the security policies provided to the users while accessing
the data.
• In a typical scenario, a small business organization can use a cloud provided by some other
provider for carrying out its business processes. This organization will have its own security
policies based on which each employee can have access to a particular set of data.
• The security policies may entail some considerations wherein some of the employees are
not given access to a certain amount of data. These security policies must be adhered to by the
cloud to avoid intrusion of data by unauthorized users.
• SaaS customers must remember to remove/disable accounts as employees leave the
company and create/enable accounts as new employees come on board. In essence, having multiple SaaS
products will increase IT management overhead.
• For example, SaaS providers can delegate the authentication process to the
customer’s internal server, so that companies can retain control over the management of
users.
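
The account housekeeping described above can be checked mechanically. This added example (not from the original slides) reconciles a list of current staff against the accounts held in each SaaS product and reports which accounts to disable and which to enable. The product names, e-mail addresses and the `reconcile` helper are constructed for illustration.

```python
# Constructed sample data: current staff and per-product account state
# (True = account enabled, False = account exists but is disabled).
ACTIVE_STAFF = ["ana@example.com", "bo@example.com", "cy@example.com"]
SAAS_ACCOUNTS = {
    "crm": {
        "ana@example.com": True,
        "Dee@example.com": True,   # left the company, still enabled
        "bo@example.com": False,   # current staff, account disabled
    },
    "storage": {
        "ana@example.com": True,
        "bo@example.com": True,
        "cy@example.com": True,
        "dee@example.com": True,   # left the company, still enabled
    },
}

def normalise(address):
    """Compare addresses case-insensitively and without stray whitespace."""
    return address.strip().lower()

def reconcile(active_staff, saas_accounts):
    """Return {product: {"disable": [...], "enable": [...]}}.

    disable: enabled accounts whose owner is no longer on the staff list.
    enable:  staff members with no enabled account in that product.
    """
    staff = {normalise(a) for a in active_staff}
    plan = {}
    for product, accounts in saas_accounts.items():
        enabled = {normalise(a) for a, on in accounts.items() if on}
        plan[product] = {
            "disable": sorted(enabled - staff),
            "enable": sorted(staff - enabled),
        }
    return plan

def pending_actions(plan):
    """Total number of manual changes across all products."""
    return sum(len(p["disable"]) + len(p["enable"]) for p in plan.values())

if __name__ == "__main__":
    plan = reconcile(ACTIVE_STAFF, SAAS_ACCOUNTS)
    for product, actions in plan.items():
        print(product, actions)
    print("pending actions:", pending_actions(plan))
```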
Security issues in SaaS: Key Security Elements
7) Authentication and Authorization
Since the web applications and SaaS are tightly coupled in providing services to the cloud users,
most of the security threats of web application are also posed by the SaaS model of the cloud.
• Authentication is the process of validating that users are who they claim to be. This is the first
and an important step in any security process.
• Authorization is the process in system security that grants a user permission to access a
specific resource or function. It is the same as access control or client privilege for any user.
Security issues in PaaS
• In PaaS, the provider might give some control to the people to build applications on top of the
platform.

• But any security below the application level such as host and network intrusion prevention will
still be in the scope of the provider and the provider has to offer strong assurances that the data
remains inaccessible between applications.

• PaaS is intended to enable developers to build their own applications on top of the platform.

• As a result it tends to be more extensible than SaaS, at the expense of customer-ready features.

• This tradeoff extends to security features and capabilities, where the built-in capabilities are less
complete, but there is more flexibility to layer on additional security.
Security issues in IaaS

• With IaaS the developer has better control over the security
as long as there is no security hole in the virtualization
manager.

• Also, although in theory virtual machines might be able to
address these issues, in practice there are plenty of
security problems.
Security issues in IaaS
Impact of deployment model
• IaaS is prone to various degrees of security issues based on the cloud deployment model
through which it is being delivered. Public cloud poses the major risk whereas private cloud
seems to have lesser impact.
• Physical security of infrastructure and disaster management if any damage is incurred to the
infrastructure (either naturally or intentionally), is of utmost importance. Infrastructure not only
pertains to the hardware where data is processed and stored but also the path where it is
getting transmitted.
• In a typical cloud environment, data will be transmitted from source to destination through
an umpteen number of third-party infrastructure devices.
• A robust set of policies and protocols is required to help secure transmission of data within the
cloud. Concerns regarding intrusion of data by external non-users of the cloud through the
internet should also be considered.
• Measures should be set in place to make the cloud environment secure, private and isolated in
the Internet to avoid cyber criminals attacking the cloud.