Clouds by definition are nebulous and vague. Their use in IT models and discussions goes back decades, long before the current cloud computing models. A ‘cloud’ was convenient shorthand for showing a link between a system on one side and a terminal or another system on the other. Today however, the concept has evolved. Not only do such clouds link computers, but increasingly they are the computer. Aspects of on-site IT security therefore apply to cloud computing too. For that reason alone, it’s time to firm up definitions about the type of computing that goes on in the cloud, and the IT security approaches suited to each one.
The current segmentation of cloud computing activities is SaaS, IaaS and PaaS. SaaS or Software as a Service refers to software applications made available to client organisations by providers. Clients may have some latitude in configuring the application for their use, but usually cannot access underlying operating systems or hardware. IaaS, which is Infrastructure as a Service, operates at a level below. The provider supplies computing resources including for example database software. The client then loads its own applications on top. Finally, PaaS, or Platform as a Service, is the ‘bare metal’ service that provides raw computing power (processors and memory), on which the client builds the operating system/database/application stack of its choice.