As anyone who has watched a thunderstorm will know, clouds can be powerful and fascinating phenomena. The term cloud, when applied to computing, shrouds a useful idea in an unnecessary air of mystery.
Cloud services are commonly (but not universally) accessed via the internet, and the computer program and associated data, are not on the customer’s lap top or PC, but on a computer located elsewhere. This computer is usually designed to slot into a rack, located in a special purpose building called a data centre. It isn’t in the sky and it doesn’t float from one country to another. This is important, because laws that govern data protection vary in different countries. I’m sure everyone has heard enough about a certain European regulation recently, so I will say no more about this topic.
In 2011, the National Institute of Standards and Technology (NIST), in America, published its final definition of cloud computing in special publication 800-145.
NIST defined five essential characteristics of cloud services, which are: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. Services which meet the five essential characteristics are then classified into three service models which, in layman’s terms, are as follows:
- Software as a Service (SaaS) is the type of cloud service that most people are familiar with, as it provides similar features to an ordinary software application.
- Platform as a Service (PaaS) is a service used by software developers and those who deploy software applications.
- Infrastructure as a Service (IaaS) provides IT infrastructure, such as processing power or data storage.
The fact that a cloud service can fit within any of the above categories gives scope for confusion; this is then amplified by the marketing practices of companies who wish to associate themselves with, or to distinguish themselves from, other cloud services.
In February 2018, NIST issued another special publication, aimed at helping organisations to evaluate cloud services. In the introduction, it said, “In the absence of clarification, organizations are at risk of adopting ‘services’ that do not provide characteristics of cloud computing. For example, some vendors reportedly decide to label their computing offerings as ‘cloud services,’ even if the offerings do not support the essential characteristics of a cloud service in the NIST definition.”
The names of the three cloud service models have also been adapted for marketing purposes, as NIST explained, “Furthermore, the frequent and common usage of the informal ‘aaS’ (as a Service) suffix in marketing, as in ‘EaaS’ (Enterprise as a Service), ‘DaaS'(Desktop as a Service or Data as a Service), ‘STaaS’ (Storage as a Service, and even ‘XaaS’ (Everything as a Service) is confusing, and (unintentionally) obfuscating the architecturally well-founded distinction of Software as a Service (SaaS), Platform as a Service, (PaaS), and Infrastructure as a Service (IaaS). These ‘cloud service types’ are generally coined by appending the suffix ‘aaS’ after a type of computing capability or marketing term. This makes it difficult to determine whether something is a cloud service and has unintended consequence for organizations trying to satisfy their cloud-first objectives.”
It is easy to be bamboozled by cloud service companies and, as a result, to apply insufficient scrutiny. Rest assured, if you use a cloud service, it is never a stupid question to ask in which country (or countries) the data is stored, and you shouldn’t take ‘in the cloud’ to be an acceptable answer. In our case, we provide a Software as a Service (SaaS) payroll solution, and all of our computers and associated data are located in the UK.