## NIST: Three Service Models

- SaaS: Software-as-a-Service
- PaaS: Platform-as-a-Service
- IaaS: Infrastructure-as-a-Service
### SaaS: Software-as-a-Service

- Vendor-controlled applications that are accessed over the network by users.
- Characteristics:
  - Network-based access
  - Multi-tenancy
  - Single software release for all
- Examples:
  - Applications in the Google Suite
  - Dropbox
  - Cisco WebEx
### SaaS Application Design

- Net native
- Cloud-specific design, development, and deployment
- Multi-tenant data
- Built-in metering and management
- Browser-based
- Customization via configuration
- High degree of configurability, efficiency, and scalability
### SaaS Disadvantages

- SaaS providers are dependent on network and cloud service providers.
  - [A Dropbox story](https://www.wired.com/2016/03/epic-story-dropboxs-exodus-amazon-cloud-empire/)
- Performance is dependent on the individual client's bandwidth.
- Security
  - Good: Better security than personal computers
  - Bad: SaaS vendors (and cloud providers) are in charge of the data
  - Ugly: Privacy
### SaaS and Privacy

- Who owns your data in SaaS?
  - [Google Drive ToS](https://support.google.com/drive/answer/2450387?hl=en)
### SaaS and Privacy

- Who has access to your data in SaaS?
  - [Google ToS](https://policies.google.com/terms?hl=en&gl=us)
### PaaS: Platform-as-a-Service

- Vendors provide the development environment.
- Tools and technologies are selected by vendors.
- Users maintain control over the data (application) life-cycle.
- Examples:
  - Google App Engine
  - AWS Elastic Beanstalk
  - Heroku
### PaaS Architectural Characteristics

- Support multi-tenancy at various scales: sessions, processes, and data.
  - Isolation at: physical, virtual, and logical levels
  - [Oracle multi-tenancy strategy for PaaS](https://www.oracle.com/technetwork/topics/cloud/paas-multi-tenancy-092593.html)
- Native scalability
  - Load balancing and fail-over (AWS Elastic Beanstalk)
- Native integrated management
  - Performance
  - Resource consumption/utilization
  - Load
### PaaS Disadvantages

- Inherits all the disadvantages of SaaS
- Options on technologies and tools are limited by the PaaS vendors
### IaaS: Infrastructure-as-a-Service

- Vendors provide computing resources.
- Users provision computing resources.
- Compute resources include processing, storage, memory, network, etc.
- Users are provided with customized virtual machines.
- Users maintain control over:
  - Operating system, memory
  - Storage
  - Servers and deployment configurations
  - Some limited control over network resources via software-defined networking
- Examples:
  - Amazon Elastic Compute Cloud (EC2)
  - Google Cloud Platform
### IaaS Advantages

- Infrastructure scalability
- Native-integrated management via vendors' utilities
  - Performance, resource consumption/utilization, load
- Economical cost
  - Hardware, IT support
### IaaS Disadvantages

- Requires more technical effort than SaaS and PaaS.
### Comparing Service Models

![service-models](https://www.cs.wcupa.edu/lngo/assets/images/csc-496-2/intro_cloud/cloud-options.png)
### Comparing Service Models

*Visualization from https://kscottmorrison.com/2009/12/01/visualizing-the-boundaries-of-control-in-the-cloud/*

![cloud-boundary](https://www.cs.wcupa.edu/lngo/assets/images/csc-496-2/intro_cloud/cloud-boundary.png)
### XaaS: Everything-as-a-Service

- Composite second-level services
- [NIST Evaluation of Cloud Computing Services (2018)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-322.pdf)
## NIST: Four Deployment Models

- Private Cloud
- Community Cloud
- Public Cloud
- Hybrid Cloud
### Private Cloud

- Infrastructure is organized solely for an organization
- Infrastructure is managed by the organization or by a third party
### Community Cloud

- Supports a specific community
- Infrastructure is shared by several organizations
### Public Cloud

- Infrastructure is made available to the general public
- Infrastructure is owned by an organization selling cloud services
### Hybrid Cloud

- Infrastructure is a composition of two or more cloud deployment models
- Enables data and application portability
### Is It a Cloud?

[NIST Checklists](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-322.pdf)
## Security in the Cloud
### Who is doing what?

- The cloud provider is responsible for the security **OF** the Cloud.
- The cloud consumer (user) is responsible for the security **IN** the Cloud.
### Cloud Consumer

- SaaS/PaaS:
  - Standard security procedures for online presences.
- IaaS:
  - Standard security procedures, as for any on-premises infrastructure.
  - Benefits from native administrative tools.
### Cloud Provider: SaaS

- Web application security
  - [OWASP's Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project)
- Multi-tenancy
  - Data isolation/leakage
- Data security
  - Accessibility versus Security trade-off
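
The multi-tenancy concern above (data isolation/leakage) in a shared-schema store, as an added example that is not part of the original slides: a lookup by row id alone next to one scoped to the session's tenant, plus a regression check that reports cross-tenant reads. The `documents` table, its columns, `TenantScope` and `audit_isolation` are hypothetical names, and the rows are constructed sample data.

```python
import sqlite3

def build_db():
    """Shared-schema multi-tenant store; rows are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY,"
               " tenant_id TEXT NOT NULL, title TEXT NOT NULL)")
    db.executemany("INSERT INTO documents VALUES (?, ?, ?)", [
        (1, "acme", "acme payroll"),
        (2, "acme", "acme roadmap"),
        (3, "globex", "globex contracts"),
    ])
    return db

def get_document_unscoped(db, doc_id):
    """Weak: looks a row up by id alone, so any tenant can read any row."""
    row = db.execute("SELECT title FROM documents WHERE id = ?",
                     (doc_id,)).fetchone()
    return row[0] if row else None

class TenantScope:
    """Hardened: tenant id is fixed from the authenticated session (assumed
    to be verified upstream) and every query filters on it."""
    def __init__(self, db, session_tenant_id):
        self._db, self._tenant = db, session_tenant_id

    def get_document(self, doc_id):
        row = self._db.execute(
            "SELECT title FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self._tenant)).fetchone()
        return row[0] if row else None

def audit_isolation(db, tenants, fetch):
    """Regression check: as each tenant, request every row owned by another
    tenant through fetch(tenant, doc_id) and report what comes back."""
    leaks = []
    for tenant in tenants:
        foreign = db.execute("SELECT id FROM documents WHERE tenant_id != ?"
                             " ORDER BY id", (tenant,)).fetchall()
        leaks += [(tenant, i) for (i,) in foreign
                  if fetch(tenant, i) is not None]
    return leaks

if __name__ == "__main__":
    db = build_db()
    tenants = ["acme", "globex"]
    print(audit_isolation(db, tenants, lambda t, i: get_document_unscoped(db, i)))
    print(audit_isolation(db, tenants, lambda t, i: TenantScope(db, t).get_document(i)))
```

Running the same audit against every data-access path in a test suite catches a query that forgets the tenant filter before it ships.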
### Cloud Provider: PaaS

- Security concerns similar to SaaS
- Complex security schemes due to potential third-party relationships.
- Development Lifecycle
  - Users depend on PaaS providers to patch security issues of the individual tools.
### Cloud Provider: IaaS

- Standard security measures.
- To the cloud provider, cloud resources are on-premises.
- Concerns with virtual machines' security
- Concerns with virtual networking security
- [An analysis of security issues for cloud computing (2013)](https://link.springer.com/article/10.1186/1869-0238-4-5)