An increasing number of organizations are moving their existing infrastructure to the cloud because of the benefits it affords them. It is crucial that companies have an understanding of the various cloud deployment models, considerations that must be taken into account, and the benefits of moving to the cloud.
In this episode of The CSIAC Podcast, Sean Bird talks with Nicholas Maida and Michael VanSteenburg, Cybersecurity Analysts for Quanterion Solutions Incorporated about cloud infrastructure deployment models and their pros and cons.
An increasing number of organizations are moving their existing infrastructure to the cloud because of the benefits it affords them. According to RightScale, 72 percent of enterprises have adopted a private cloud model (2017). It is crucial that companies have an understanding of the various cloud deployment models, considerations that must be taken into account, and the benefits of moving to the cloud. In this CSIAC podcast, Quanterion Solutions Inc. discusses the advantages and disadvantages for each deployment along with the security concerns and the hurdles a company may face moving to the cloud.
Cloud Deployment Models
Three primary types of cloud deployment models exist as options if an organization is interested in moving their infrastructure to the cloud. These cloud models include public, private, and hybrid. Variations of these models must be tailored to fit an organization’s needs and infrastructure and can include a large variety of technologies and tools.
A public cloud deployment is operated by a cloud service provider (on their infrastructure) and made available to the public (NIST, 2011). A cloud service provider (CSP) is an entity that offers one or more cloud services in one or more deployment models (Microsoft, 2017). Examples of public cloud service providers include Microsoft’s Azure, Amazon’s EC2/AWS, and Google’s Cloud Platform. An advantage with a public cloud deployment is that an organization can offload its current infrastructure to a CSP. Public clouds could potentially free up physical space, lower utility cost, minimize or eliminate maintenance on servers and reduce IT staffing. Another advantage of a public cloud deployment is that an organization only pays for what they use. Most CSPs will use a ‘pay-as-you-go’ on-demand IT provisioning model.
Disadvantages and risks that are associated with a public cloud deployment include tradeoffs between security and control over the organization’s data and reduced infrastructure costs. Organizations that chose to move infrastructure and services to a CSP will hand over their data and resources and therefore must then depend on the CSP for the confidentiality, integrity, and availability of their data. Because the organization will no longer have full control over its own data and the security of that data, it may become difficult for some organizations to meet compliance standards/governance obligations. Most regulations, such as PCI DSS compliance, require the ability for organizations to control and protect their data and physical assets (PCI Security Standards Council, 2016). Organizations need to prove where information is stored, what information is stored on a system, who can access the system and is the access appropriate. These regulations would require detailed service level agreements with the CSP to ensure compliance.
Private clouds are provisioned for exclusive use by a single organization that can comprise of multiple consumers, in which all infrastructure and data exists on or off premise and is in full control of the user (NIST, 2011). The infrastructure resides entirely in-house where all data is maintained by the host organization. As with the public cloud deployment model, private cloud deployments come with their own benefits and drawbacks.
Private clouds are ideal for organizations looking forward to taking advantage of cloud computing at their own expense. By keeping the data and physical assets in the organization’s hands, meeting compliance standards and governance obligations should be much easier to achieve. Organizations can also use orchestration tools (tools used to organize and script automated changes to resource configurations) to tailor their private cloud to meet specific needs for computing, storage, and network requirements. Similar to public cloud deployments, private cloud has similar agility, scalability, and efficiency benefits, but with granular control over data and security policy/implementation. The efficient provisioning of resources enables more capacity and cost-effective growth. Though, with this increased control, private clouds suffer from unique disadvantages.
When an organization decides to migrate all or part of its infrastructure to a cloud environment, the organization must account for the costs that would be absorbed by the CSP for a public cloud deployment. These migration costs include building the infrastructure to house the required equipment, personnel to maintain this equipment, and the equipment and software licensing itself.
A hybrid cloud deployment consists of both a public cloud and a private cloud bound together but remaining unique entities (NIST, 2011). Non-sensitive operations should be hosted on a CSP while having business-critical operations contained on the private (dedicated) cloud. The concept of hybrid cloud is the combination of using a public (hosted) solution to either use as an Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS) models with the use of a private (on-premises, dedicated) solution to maintain full control of the data or infrastructure being held on site. An IaaS is the most basic category of cloud computing services offered by CSPs. A CSP will provide their physical data center plant/building for storage and their networking firewalls and security for the user’s applications and data on a pay-as-you-go basis. With this service, the user will be able to scale up and down with demand, and only pay for what they use. Companies have the opportunity to eliminate in-house servers and the need to purchase new servers. A PaaS is includes everything an IaaS does but with the addition of operating systems, development tools, database management, and more. Users will have the opportunity to avoid the purchasing and managing of software licenses, tools, and other resources. A SaaS allows users to connect to and use cloud-based apps over the internet. A user will purchase the type of app for certain duration or use free client software if available. Some common examples of these apps include Microsoft Office 365 and Google Drive.
The advantages of hybrid cloud deployments include the ability to meet the frequent fluctuation of computing demands, add/remove resources to meet business demands, optimize IT needs/costs, all while maintaining full control over specific data that an organization would like to host in its own private cloud.
With a hybrid cloud deployment, companies can use the public cloud for resource agility (scale up/down resources on demand). One example of this is a term known as cloud bursting. Cloud bursting is a deployment model in which an application runs in a private cloud and quickly transfers into a public cloud when the demand spikes (Microsoft, 2017). Similar to public cloud advantages, hybrid cloud deployment can help save infrastructure data center costs with a ‘pay-as-you-go’ on-demand model. This model is highly flexible, agile and cost-effective.
However, there are a variety of difficulties organizations may face when running a hybrid cloud. The organization would have to define the appropriate boundary between the public and private assets that work best and is the most cost-effective implementation. Defining this boundary can be difficult, especially when migrating apps and services not initially architected for the cloud. Lastly, the organization would be required to develop an appropriate new network architectural solution, followed by a migration plan to move assets such as apps, services, and other resources over to the cloud.
Benefits in Moving to the Cloud
While organizations must carefully evaluate which cloud deployment model is appropriate for their situation, the shift to cloud-based infrastructure offers many benefits to organizations. The primary advantage that companies get when moving to the cloud is time. Cloud-based solutions provide organizations with more time to work on other projects. In traditional environments, personnel spend time updating software, replacing hardware, and troubleshooting issues when they arise. The time spent doing these tasks can be significantly lessened when using cloud-based infrastructure. Instead of building servers from the ground up and connecting them with physical network cables, an entire network (with firewalls, routers, workstations, etc.) can be created in the cloud with the press of a button. Fewer individuals can do more work through automation.
Additionally, automation allows for changes to be phased in and out behind the scenes without interrupting service uptime. Infrastructure can be created or redeployed without changes being noticeable to users. Furthermore, automation relies upon templates or scripts that can be easily changed or reused by personnel. As mentioned previously, in traditional deployment models machines require a significant investment in terms of time and money to stand up. A script is much more configurable compared to the purchasing of a new server, installing that server, and then installing the requisite software.
Working on creating flexible scripts for automation requires increased collaboration between employees. In traditional environments employees tend to be segmented based upon their role within the organization. For instance, companies may have individuals responsible for networking, web design, software development, and cybersecurity. For the setup and maintenance of cloud-based infrastructure all of these individuals are forced to interact with one another to be successful as automation scripting may span multiple areas of expertise.
Lastly, operating in a cloud environment allows for organizations to have better control of their resources. Resources are fixed when using traditional infrastructure. Once a machine has been built, it cannot scale to accommodate additional demand if required. The cloud is a scaling elastic environment where resources are consolidated within a single location. For example, if an organization’s website traffic increases after a public mention, they can scale to meet demand and scale back down once those additional resources are no longer needed. This ability to scale is particularly beneficial to startups that do not know how quickly or if their products will take off.
Considerations and Hurdles
Before any organization quickly jumps into the cloud, it is imperative to conduct research and understand some of the hurdles they may face. One of the more essential considerations a company must take into account is cost. If an organization is looking to experiment with deploying a private cloud model, they will need robust servers consisting of many CPU’s, a significant amount of memory (RAM), and lots of hard drive (storage) space. It will depend on the project and goals of an organization on what they would like to do with the cloud to determine the amount of resources needed. Infrastructure requirements can make cloud deployment not feasible for some companies because of the cost of purchasing hardware and equipment.
In that case, some organizations may turn to a public cloud in which they can purchase only the assets they need or wish to have. Depending on the goal or interest of the company, they can buy infrastructure, software, or a platform as a service. Purchasing services may be a less costly alternative solution for an organization. However, understanding the amount of usage, data transmission, licensing, users, and projects a company plans on using should be considered, as these are all related to the cost of a public cloud.
Organizations must also take into consideration the substantial investment needed to learn multiple aspects of the cloud. QSI had spent a considerable amount of time researching and developing its private cloud. Research must be undergone to understand networking, services, automation, and the creation of servers in the cloud. For example, there are four services in its OpenStack (Glance, Keystone, Neutron, and Nova) that are required. However, organizations can choose to implement the additional optional services as they see fit. Proper implementation, installation, and configuration of each of these services must be appropriately understood before initialized. Tools such as Heat and Ansible can be used for automation in building infrastructure and configuring servers with a click of a button. These new tools require research and development of scripts to accomplish this task.
In addition to the learning curve associated with moving to the cloud, organizations must understand where their data is being held. It is important to realize that connections are no longer occurring on a company’s private network. As such, the transfer of data may cause performance to be slower than it was previously. Remote connections could be initialized to another part of the world. Additionally, if not thought about before moving, the constant transferring of data to hybrid or public cloud-based infrastructure could lead to significant costs.
Perhaps most importantly, organizations need to read and understand the Service Level Agreement (SLA) that they have with their CSP if they chose to use a public cloud. The SLA will contain specific parameters and minimum levels for the service they will provide, along with the remedies for failure to meet these requirements. It will also address the ownership of its data stored on the CSPs system and your rights to get that data back if the organization chooses to revert to traditional deployments or migrate to another CSP. The SLA will contain the system’s infrastructure and security standards to be maintained by them and the organization’s rights and cost to use and discontinue using the service. These are just some of the necessary aspects an SLA should contain. Any company, if planning to use a public cloud, should read and review the cloud provider’s SLA very carefully.
Keeping data secure in the cloud necessitates that encryption is implemented, both for data at rest and data in transit. An organization using a public cloud is required to send data back and forth to the CSP and their internal network. This data, if not set up with end-to-end encryption, can become victim to various attacks. It is highly recommended that the organization implements this security procedure to prevent data leakage. Any data that is stored in the cloud should be encrypted when it is at rest as well. In the event of a data breach/unauthorized access encryption of data at rest prevents customer data otherwise stored in the clear from easily being exposed. To check whether cloud service providers encrypt data at rest customers must read their service level agreement.
As mentioned before, it is highly advised to perform research when selecting a cloud service provider. Looking into the SLA and security history for each provider will help choose the right one for your organization’s needs. If you are a government organization this is particularly relevant to meet compliance demands. Corporations such as Microsoft and Amazon offer government cloud options that ensure data is hosted in the United States and is only available to background checked U.S. citizens (Amazon Web Services, 2017; Microsoft, 2017). The movement to a cloud-based solution means organizations must put their trust in their cloud service provider. The security of the infrastructure and the applications hosting the provider’s cloud can place users of this infrastructure at risk if not properly handled. Additionally, the cloud service provider controls who can see your data, if that data is deleted once your subscription expires, and the availability of your systems. Research is of critical importance before deciding to move to the cloud.
When discussing service level agreements, it is necessary to mention that many cloud service providers place security in the hands of the user. Vulnerabilities that are executed in the cloud are often the same as those exploited on conventional infrastructure. Attackers commonly take advantage of unpatched systems, hacked API’s, and insecure credentials (Rashid, 2016). As such, when selecting a cloud service provider organizations must read their service level agreement to understand the data privacy and security offerings are provided. Users must know what is left in their hands and what will be taken care of by the cloud service provider. For example, in many service level agreements keeping hosted software up to date is the user’s responsibility. In addition to reading service level agreements, organizations must understand the systems that they are planning on moving to the cloud.
Many of the same security concerns that exist in traditional environments must also be considered in the cloud. Planning is vital to inventory assets, identify any risks to these assets, implement countermeasures to these risks, and continually test machines and applications for vulnerabilities. When determining dangers that may exist, organizations can talk with the CSP to gain a better of understanding of the risks that they have seen in the past. Furthermore, other concerns that must be evaluated are how often data is backed up, how the data is encrypted, and if there are any disaster recovery plans in place. Planning for security concerns will mitigate surprises that may occur when organizations are transitioning to the cloud.
Moving to the cloud can be very beneficial to most organizations. However, careful planning and research will need to be conducted to verify the best possible option for your company’s needs. If planning on using a private or hybrid cloud model, an organization must have a capable machine equipped to provide the needed services. Along with the hardware, the organization must be willing to invest in their personnel to conduct research to deploy and secure the cloud correctly. If moving to a cloud service provider, companies will want to make sure the SLA meets their expectation and needs. Additionally, organizations will want to review the multiplicity of costs associated with the purchased infrastructure, platform or software as a service.
- Amazon Web Services. (2017). AWS GovCloud (US). Retrieved from https://aws.amazon.com/govcloud-us/
- Microsoft. (2017). Microsoft Azure Government trial. Retrieved from https://azure.microsoft.com/en-us/overview/clouds/government/request/
- Microsoft. (2017). What is cloud bursting?. Retrieved from https://azure.microsoft.com/en-us/overview/what-is-cloud-bursting/
- Microsoft. (2017). What is cloud computing?. Retrieved from https://azure.microsoft.com/en-us/overview/what-is-cloud-computing/
- Microsoft. (2017). What is a cloud service provider?. Retrieved from https://azure.microsoft.com/en-us/overview/what-is-a-cloud-provider/
- National Institute of Standards and Technology. (2011). The NIST Definition of Cloud Computing [PDF]. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
- PCI Security Standards Council. (2016). PCI DSS Quick Reference Guide. Retrieved from https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_2.pdf?agreement=true&time=1513875014124
- RightScale. (2017). 2017 State of the Cloud Report [PDF]. Retrieved from https://assets.rightscale.com/uploads/pdfs/RightScale-2017-State-of-the-Cloud-Report.pdf
- Rashid, F. Y. (2017). The dirty dozen: 12 cloud security threats. Retrieved from https://www.infoworld.com/article/3041078/security/the-dirty-dozen-12-cloud-security-threats.html