CHAPTER – 2

CLOUD DEPLOYMENT AND SERVICE

DELIVERY MODELS

CLOUD SERVICE MODELS

The Cloud Service Models can be categorized into three main categories:
Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service
(SaaS) [36][3]. Apart from this another cloud service is Storage as a Service (StaaS) which
allows user to store their data and access these anytime via internet. Example: Amazon S3,
Nirvanix etc. Any cloud service provider can provide any one of the services or all three
services together. There are many more service models evolving around the cloud world,
however, in this thesis we will also look in to the advantages of having Risk Assessment as a
Service and Encryption as a Service (EaaS) as an additional security methodology.

Table 2.1 Cloud Service Models

Cloud
Service Definition Examples
Models
Applications that are deployed over a Facebook, Google Apps
SaaS
network, typically the web, accessible via (email, calendar, documents),
Software as a
browser or program interface; sometimes Salesforce.com, Twitter,
Service
referred to as software on demand ZenDesk, Zoho Office

PaaS A platform on which users can build Force.com, Google App

Platform as a applications using languages, libraries, Engine, Red Hat OpenShift,
Service services and tools supported by the provider Windows Azure

Processing and storage capacity, networking

IaaS Amazon Web Services (EC2,
and other computing resources where the user
S3, DynamoDB, others),
Infrastructure has control over operating systems and GoGrid, ServePath,
as a Service deployed applications; sometimes referred to FlexiScale, Rackspace Mosso
as utility computing
 PLATFORM-AS-A-SERVICE (PaaS)

PaaS type of cloud computing offers a full or partial product development tools or
environment that users can access and utilize online, even in collaboration with others and
hosted on the provider's infrastructure. In PaaS developers create applications on the service
provider's platform over the Internet or web. PaaS service providers may use Application
Program Interfaces (APIs), gateway software or website portals installed on the customer's
premises. GoogleApps and Force.com (an outgrowth of Salesforce.com) are good examples
of PaaS. At present in cloud computing there is no standards for interoperability or data
portability for developers [36].

SOFTWARE-AS-A-SERVICE (SaaS)

SaaS type of cloud computing model offers users the hardware infrastructure, the
software product and interrelates with the users through a front-end gateway or portal. Here a
provider authorizes an application to clients either as a service on demand in a "pay-as-you-
go" model or at no charge by a subscription. These applications can be accessed from various
thin client interfaces such as web browsers. A user for this service need not maintain, manage
or control the underlying cloud infrastructure (i.e. network, operating systems, storage etc.)
[2]. Examples for SaaS cloud's are Salesforce, NetSuite [36].

INFRASTRUCTURE-AS-A-SERVICE (IaaS)

The IaaS type of cloud computing distributes a full computer infrastructure via the
web or Internet. Most popular IaaS providers like Amazon Web Services offer virtual server
instances with unique IP addresses and block of storage on demand. In IaaS customers usually
use the service providers (SP) application program interface (API) to start, stop, access,
modify and configure their virtual servers and storage as is needed. Examples for IaaS cloud's
are Eucalyptus (The Eucalyptus Opensource Cloud-computing System), Amazon EC2,
Rackspace, Nimbus [2] [36].
 PRIVACY AND ANONYMIZATION AS A SERVICE (PAaaS)

This service is proposed as a demonstration model to provide data privacy and

protection in a particular organization. It also proposes a work-flow oriented approach to
manage data in cloud [37][38].

HARDWARE AS A SERVICE (HAAS)

The idea of buying a hardware or an entire datacenter with a pay-as-you-use scheme

which can scale up and down as per user requirements can be termed as Hardware as a
Service (HaaS) [39]. Examples for HaaS cloud's are Amazon EC2, IBM's Blue Cloud Project,
Nimbus, Eucalyptus, Enomalism [38].

IDENTITY AS A SERVICE (IDaaS)

This service is targeted for third party service providers who provide Identity and
access control functions (including users life cycle and sign-on process). This can be used in
combination with various other services (software, platform or infrastructure services) and
also for public and private clouds [42].

DATA STORAGE AS A SERVICE (DaaS)

This service allows user to pay for the amount of data storage he/she is using. With
this service there is a separate cloud formed which provides storage as a service [45].
Examples of such kinds of users are Amazon S3, Google Bigtable, Apache Hbase, etc [38].

SECURITY AS A SERVICE (SaaS)

This service allows users to create their own security policies and risk frameworks. In
this kind of service cloud users must identify, assess, measure and prioritize system risks [9].

ANYTHING AS A SERVICE (XaaS)

This is more general form of representing deployment of a service. These services

could be of any type and `X' in XaaS can be substituted by software, hardware, infrastructure,
data, business, IT, Security, monitoring, etc. These days new service models are being
developed [39][3]. Examples are: IT as a service [18], Cloud as a Service (CaaS) [3],
Management as a Service (MaaS) [3], Models like Backup as a Service (BaaS), Computing as
a Service (CaaS), Authentication as a Service (AaaS), Desktop as a Service (DaaS), Hardware
Solutions as a Service (HSaaS) and Disaster Recovery as a Service (DRaaS), etc., provided by
Various Hosing providers in the IT Market. Some of the most important services are lined up
in the figure 2.1.

Figure 2.1 Cloud Computing – Separation of Responsibilities

(http://blogs.technet.com/b/yungchou/archive/2010/12/17/cloud-computing-concepts-
for-it- pros-2-3.aspx)

In a traditional on-premise IT Environment, the customer manages everything, starting

with network and finishing with apps. When customers use some IaaS cloud service (think
Amazon EC2) vendor does all hardware management for the customer. But customer will still
be responsible for all software layers: operating system, database, frameworks, runtimes etc.
PaaS is higher level option where vendor provides customer with fully configured platform
that runs the required applications (usually it means customer might have to adopt their apps
somehow, but cost of adoption usually is not so big). SaaS is top-level service option: vendor
manages all components of customer‟s IT stack. All three models are useful while they have
different goals and user audience.
 CLOUD DEPLOYMENT SERVICES

According to deployment model, cloud computing can be categorized into four

categories, Refer Figure 2.2 [30]:

Figure 2.2 – Cloud Service and Deployment Models

(https://clickcloudit.wordpress.com/tag/saas/)

PUBLIC CLOUD

A public cloud or external cloud is one base on the usual mainstream model, in which
service provider makes resources, such as storage and application, obtainable to the general
public over the Internet or via web applications/web services. Maybe public cloud services are
free or offered on a “pay-as-you-go” model. In public cloud hardware, application and
bandwidth costs are covered by the service provider so it is easy and inexpensive set-up to the
user. Using „pay-as-you-go‟ model it may save resource from wasting [35][36]. IBM's Blue
Cloud, Sun Cloud, Google AppEngine, Windows Azure Services Platform, Amazon Elastic
Compute Cloud (EC2) are good example of public clouds [36].

PRIVATE CLOUD

The term “Private Cloud‟ is also referred to as internal cloud or corporate cloud. Here
the provider provides services to a limited number of users behind a firewall or users‟ access
is limited to mitigate the security risk [35][36]. For proprietary computing architecture it
could be a marketing term where marketing media uses the words “private cloud” to offer
organization that needs more control over their data than using a third-party hosted service
[36]. Private cloud is good for companies' own privacy policies however, from up-front
capital cost, it is not that much beneficial “still it cost money to buy, build and manage” [35].
Amazon‟s Elastic Compute Cloud (EC2) or Simple Storage Service (S3) is example of
Private Cloud [36].

HYBRID CLOUD

A hybrid cloud environment is the combination of public and private cloud where the
infrastructure partially hosted inside the organization and externally in a public cloud [35].
For example, an organization might use Amazon Simple Storage Service (Amazon S3) as
public cloud service to records their data but at the same time continue in-house storage for
instant access operational customer data. Hybrid storage clouds are often valuable for record
keeping and backup function. It is a good approach for a business to take advantage of the
cost effectiveness and scalability [36].

COMMUNITY CLOUD

A community cloud can be recognized where a number of organizations have

comparable necessities and very willing to share infrastructure so as to take in the benefits of
cloud computing. Here costs increase than a public cloud and sometimes can be more
expensive but may offer a higher level of privacy and security. Google's "Gov Cloud" is a
good example of community cloud [35].

2.3 CHOICE OF RIGHT DEPLOYMENT / DELIVERY MODEL

The choice of the right deployment model is influenced by a number of factors

including cost, manageability, integration, security, compliance and quality of service. Table
2.2 summarizes how each deployment model compares on the influencing attributes.
 Table 2.2 Comparison of Deployment Models

Deployment Models
Private Hybrid Cloud / Public On
Attribute
Cloud Community Cloud Cloud Premise
Upfront Costs High Medium Low High
Ongoing Costs Low Medium High High
Security High Medium Low High
Compliance High Medium Low High
Quality of
High Medium Low High
Service
Integration High Medium Low High
Configurability Medium Medium Low High

Based on the above it can be inferred that although cloud computing offers compelling
benefits in terms of high availability, elastic scalability and fast deployments, risks associated
with the adoption cannot be completely eliminated but can be carefully mitigated with extra
measures.

EXISTING PROBLEMS IN CLOUD COMPUTING

Cloud computing has turned into a standard information technology operation for
many small or large businesses. It offers many considerable advantages, including probable
expenditure savings. There are, however, major risk and disadvantages related with cloud
computing. Its dislocated nature is a benefit in many cases however can also be
disadvantageous because the user has no supreme control over the software applications
including secret data. Client has to depend on the provider to update, upgrade maintain and
administer it. The user does not have direct access to the software to fix the problems while
something goes wrong in any application and must rely on the service provider. The user can
experience significant problems when the cloud provider is uncaring or incapable to fix the
problem quickly.
 With respect to privacy, there is the possibility that cloud computing may lead to
“commingling of information assets with other cloud customers, including competitors” [23].
With respect to security, Viega (2009) [25] foresees that data and code residing in cloud
computing environments will become more tempting targets to hackers. With respect to
reliability, Armbrust .M et al. (2009) [27] argue that few non-cloud IT infrastructures are
asrobust as cloud computing service offerings, but organizations are still concerned about
availability in light of recent outages from Amazon and Google. The Cloud Security Alliance
(2009) [6] eschews the notion that cloud computing should be viewed as a black box. The
Information Systems Audit and Control Association (ISACA) (2009a) [23] recommends that
organizations need to conduct business impact analyses and risk assessments as part of a
major cloud computing governance initiative.

As noted by Leavitt (2009) [7], organizations are now evaluating both the risks and
rewards of cloud computing. The assumption underlying this study is that this is essential,
especially in light of the statement by Nelson (2009) [12] that “it is feasible that within the
next 5 years, more than 80% of the world‟s computing and data storage could occur in the
Cloud”. The public cloud computing IT-related risks are organized and presented by their
potential to align with three primary risk categories as identified by the European Network
and Information Security Agency (ENISA) which are: (a) policy and organizational risks, (b)
technical risks, and (c) legal risks (ENISA, 2009) [5].

In the same way, if a company becomes reliant on cloud-based services and the
provider is unable to continue with their services, you will rapidly run into trouble. This
trouble would quickly turn into much worse if the provider was not sincere to give any prior
notice in time to allow your business to take an alternative cloud service. In today‟s unstable
economic climate, cloud providers may face financial problems or impoverishment which
could critically spoil or remove the provider‟s name from cloud provider list. These kinds of
financial problems may come suddenly and company will often have inadequate alternative in
these situations.

Cloud computing can also mean big risks in the integrity, privacy areas and also
greatly in users authentication. Using a cloud system, company‟s susceptible data and
information will be stored on third-party servers, and user will possibly have very inadequate
understanding or control regarding this information. If the provider has insufficient security,
or a violation of encryption systems or procedures are performed for different reasons, thus
compromised company‟s private and confidential data. This could have devastating
consequences, and could cause lawful problems for company if third party private information
(for example, customer information) is negotiated.

Entrepreneurs and small firms face special problems when using the cloud systems.
Small size and limited resources of these companies make these much more vulnerable to the
risks related with cloud use. For example, if a cloud service provider unable or won‟t be
willing to provide service, the user‟s best option may be urgent legal action. Many small
companies are not competent to activate their lawyers effectively in this way and thus they
may not be capable to promptly mitigate such service interruption by the provider. Same fact
is for the privacy and security risks that have been mentioned above – a small company can
rapidly get into significant difficulty if a security violation occurs from use of cloud-based
systems and they may not have the assets to effectively tackle such a situation. [29]

Organizations are increasingly looking to cloud computing to improve operational

efficiency, reduce headcounts, and help with the bottom line. But security and privacy
concerns present a strong barrier-to-entry. In an age when the consequences and potential
costs of mistakes are rising fast for companies that handle confidential and private customer
data, IT security professionals must develop better ways of evaluating the security and
privacy practices of cloud services. The security and legal landscape for cloud computing is
rife with mishaps and uncertainties. In the long run, however, cloud operators will continue to
find economies of scale, not only in their core services, but also in their treatment of securit y.
To take full advantage of the power of cloud computing, end users need to attain assurance of
the cloud's treatment of security, privacy, and compliance issues. To that end, we need an
industry with open standards, clearer regulations, and community-driven interoperability. A
standards-based approach will make it easier for vendors to support flexibility, agility, and
expanded cloud service offerings such as collaboration, and it will also make it easier for
customers to evaluate cloud vendors and build trust in its privacy and security promises.

There are several problems in cloud computing and this thesis work is mainly focused
on authentication based security issues in cloud computing and how it can be mitigated, the
main focus of this thesis is to mitigate the risk of safeguarding data at rest using a hybrid new
technique.

CLOUD ADOPTION BARRIERS

Cloud computing has created a fundamental shift in how information technology

infrastructure is run and managed, changing both the business and technology sides of IT.
But, as with any major change in history, there are supporters and skeptics.

Transferring enterprise IT to the cloud is a complex task that includes both technical
and organizational challenges. The cloud is a new paradigm that doesn‟t have a clear one-
sentence definition; it includes multiple factors, and therefore transformation to a cloud-based
process may seem confusing.

Figure 2.3 – Cloud Adoption Barriers

 This complexity paired with uncertainty creates a number of organizational cloud-
adoption barriers. According to a survey conducted by KPMG (Figure 2.3 [6]), security, cost
uncertainty, and loss of control are the top three cloud-adoption barriers.

Data security is by far the most challenging barrier to cloud adoption. Data is the most
precious corporate asset, and companies want to know that their data is safe. Companies feel
confident when they store data internally because they have full control over it. Although
there is no guaranty that data is better protected internally comparing to public cloud. In fact,
there is a possibility that data could be even safer in the public cloud because public cloud
providers may possess higher level of data security expertise comparing to their customers.

When stored at public cloud, data can be compromised at several different data-
lifecycle stages: during transfer from the internal company network to the public cloud, when
data is stored in the public cloud, and during data backup and restore processes. There are
fundamental questions to ask in order to ensure data security in a public cloud:

1. Who has access to the data? What are the access-control policies? Do we have full
visibility into information regarding these access-control policies?
2. Is data encrypted during transfer from the internal network to the public cloud? What
is the encryption algorithm? Can data be encrypted when stored in the cloud? Who
holds the encryption keys?
3. If a cloud provider is not supposed to have access to the data, encryption keys should
be held only by the company that owns the data. Some of the compliance standards
mandate full data encryption, and do not permit cloud providers to hold encryption
keys.
4. What is the disaster-recovery process? Does the cloud provider replicate data across
multiple datacenters? Are these datacenters located in different geographical
locations?
5. If data is stored in only one datacenter and the cloud provider doesn‟t have the
capability to replicate it at other datacenters, this should raise a red flag.
6. What is the data-backup process? Who has access to the backup data? Where is the
backup data stored?
7. What is the data-recovery process? How long does data recovery take?
8. What is the security-breach investigation process? Does the cloud provider
have security-breach investigation capabilities? This question is often
forgotten, but it is very important – if data is compromised, the cloud
provider will be the only source of information for any investigation.