Even in the technology world, ‘cloud’ is a word that means many things to many different groups. Vendors, providers, media, technology analysts and those peddling snake oil use the term ‘cloud’ to cover a multitude of motivations. But not all clouds are the same.

IaaS, PaaS and SaaS are globally accepted terms defined by the American National Institute of Standards and Technology (NIST) [1], covering the specific features that characterise Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service. But even within these specific service types, there are differences in operating models that significantly differentiate their service and risk models. For example, while some providers have a broad reach and accept users from anywhere in the world based on [cloned] credit card verification, others control their environments by restricting their service offerings to defined communities or validated users.

And, unfortunately, there are many advertised ‘cloud’ solutions that don’t reflect the NIST definition at all. Private cloud, hybrid cloud, even on-prem cloud are more than likely vendor or CIO abuse of the NIST term to convince others that they sell or use cloud, when in reality they are renting a fixed amount of virtualised resources or licences over a fixed period, with limited automated commercial or technical flexibility to adjust scale to align with need.

‘Genuine’ cloud services are characterised by five essential elements:

• on-demand service;
• broad network access;
• resource pooling (multi-tenanted, with physical and virtual resources dynamically assigned and reassigned according to customer demand);
• rapid elasticity (to scale demand up and down as required); and
• metering capability, i.e., resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

My personal advice, based on over ten years of delivering NIST-based cloud services, is:

• if your chosen cloud isn’t built as API-centric, doesn’t allow you to pay only for what you use when you need it, and doesn’t have on-demand scale capability, then it’s not standards-based NIST cloud and it isn’t going to be an effective technology model for your organisation in the short, medium or longer term;
• be extremely wary of deploying your applications and workflow solutions on cloud services that provide apparently low-cost, enticing micro-services that are little more than switching costs, which will make it technically and commercially challenging to exit the service at a future point in time. All cloud services should be “Easy to Adopt, Easy to Use and Easy to Leave”, technically and commercially; and
• understand where in the world every aspect of each element of the cloud service that you choose to use is managed. Support services are often undertaken overseas, which means metadata and monitoring data flow overseas, potentially impacting security and privacy. This sovereign resilience risk to Australian citizen data is, rightly, an increasing concern within the Australian Government and Critical National Industry community, and one that CIOs and CSOs need to take seriously.

So, just a few observations as to why not all clouds are the same.

[1] US Department of Commerce, NIST Special Publication 800-145, The NIST Definition of Cloud Computing.

AUCloud: Keeping the data of Australians in Australia