Hi, my name is Jason Yates, and today I want to talk to you about cloud security. Now, unless you've been living under the rock, you've heard about the cloud. In fact, people use the cloud every day and don't even know it. The fact of the matter is the data center, the modern data center, has been transformed because of cloud technologies. It used to be a large static hardware-based computing platform; today it's been transformed to leverage virtualization and the dynamic nature of cloud computing technologies. Today, though, I want to specifically look at cloud security and address some of the implications and perhaps some of the considerations we should be thinking about when it comes to using the cloud.
To answer those important questions, we best start with a more basic question. What is the cloud? That's an important question to ask and answer, because the more you understand the cloud, the more you'll understand the security implications. When I think of the cloud, I think of it as computing on tap or application and services on demand, like this drinking fountain. The whole point of a drinking fountain is to share a resource among multiple parties and to do so easily, conveniently, and on demand. Drinking fountains are also self-service and there's a minimal amount of interaction. You're really not interacting with any individual. You just walk up and use the drinking fountain. The drinking fountain is a good analogy for the cloud, but as all analogies go, it has its limits.
Let's look at an official definition from the National Institute of Standards and Technology. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources such as network, servers, storage, applications, and services. They can be rapidly provisioned and released with minimal management effort or service provider interaction.
There's a lot going on in this definition, so let me highlight some keywords and summarize it. Notice that like a drinking fountain, the cloud is ubiquitous, meaning it's everywhere, it's easy to get to. The cloud provides on-demand computing from a shared pool of resources, and it can easily flex based on the needs of your customer. The other keyword here is minimal, which means the cloud reduces the effort for the party consuming the service, but it also reduces the effort for the parties supporting that service. If you were to summarize the statement even further, you would come up with five key ingredients or descriptions of the cloud: on-demand self-service, network accessibility, pooled resources, rapid elasticity, and measured service, because you pay for what you use in the cloud. These five key ingredients are true, regardless if the cloud is a public cloud, a private cloud, or a combination thereof.
The whole point of the cloud and the reason why it's significant is because of the changes that we are seeing in the data center. Just consider for a moment where we've come from. Computing, and data centers in particular, have been growing in their capability, but also in their complexity. To respond to this increased complexity, we've added additional servers, additional locations, and that all comes with an increase of cost and administration. Turning that expensive data center into something more agile and more efficient is what the cloud is all about.
The cloud transforms the computing needs of a business because it reduces the data center costs. That means less physical infrastructure, less physical servers, and that reduces your footprint in terms of real estate, and that translates into less power and cooling, and less rack space. The cloud can potentially reduce costs significantly for customers.
Secondly, the cloud optimizes hardware resources.
Instead of one server per application, now the cloud relies on virtualization, virtual application, and virtualized infrastructure components. Virtualization ensures there are sufficient resources for your workloads running in the cloud. I think of it like the story of Goldilocks. Remember Goldilocks? Goldilocks walked into the bears' home and there were three different chairs of three different sizes and there was only one that was just right. The other two were too small or too big. That's often the case with the data center where we have too much hardware not doing anything or we don't have enough resources. Whereas the cloud is able to provide a workload just-right resources, just-right compute, just-right memory, and just-right storage.
The third item or third benefit is related to the other two, and that is the cloud maximizes the efficiency of resources and this includes everything like maintenance and upgrades and backup. Finally, there's improved operations because the cloud relies on automation.
Let's say you wanted to create your own cloud and gain these benefits. What would you need? Well, the first thing you would need is virtualization. Virtualization is the bedrock of the dynamic nature of the cloud. Now, let me clarify about a myth here. Just because you have virtual machines in your data center doesn't mean you're actually using a cloud or a private cloud. Virtualization alone does not mean you're doing cloud computing because the second ingredient is you need software orchestration and management tools. In other words, you need great automation tools to accomplish those five key ingredients. In order to attain these five characteristics of a cloud, you combine software orchestration with virtualization.
There's one more thing we need to talk about in regards to understanding the cloud.
This is important because it also has implications for security, and that's understanding that the cloud is actually organized into three different tiers and each one of these tiers has a different level of responsibility. I like to use an analogy here because I think that helps clarify what we mean by different levels of responsibility.
Think of a pizza for a moment, like the pizza I have right here. Got this box of pizza here, it's already cooked for me, it's been delivered, and all I have to do is open it up and take a bite and eat it. Now I didn't bake this pizza. It was baked for me. That's similar to software as a service. You see, software as a service is a level of cloud where the cloud service provider is doing a lot more and all I'm doing is subscribing to a pre-existing application and accessing that typically via a web browser. A good example of that would be Microsoft's Office 365 or salesforce.com.
But that's only one type of cloud. The other type of cloud is platform as a service, and with platform as a service, I'm actually doing a little bit more and the cloud service provider is still providing me a service and a platform. They're hosting my application this time. In this case, it's more like a take-and-bake pizza, like what I got right here. In this case, the pizza is not already baked for me. It's built and I bring it home and I bake it. That's platform as a service. In cloud terms, what it means is my developers can deploy their application into a cloud environment, into a cloud platform, but they don't have to worry about the infrastructure or manually creating the virtual machines. Some examples of platform as a service might be Amazon's Elastic Beanstalk or Salesforce's App Force or Google's App Engine.
That brings us to the third and final tier, and that's infrastructure as a service.
With infrastructure as a service, well, there's a lot more responsibility on my part, but I've got a lot more opportunity, if you will, in the sense that the cloud service provider's providing me a hosted data center environment, but I'm still responsible to build the virtual machines and actually build out the actual virtualized infrastructure. I'm doing a lot more, but I can also test a lot more. This will be similar to bringing home a pizza crust from the grocery store. I actually have to provide the ingredients and build it from the ground up and bake it. It's a lot more removed from a pre-created and pre-baked pizza.
We've got infrastructure as a service on one hand and then software as a service on the other hand. The difference between the two has a lot to do with who's doing what and who's responsible for what. An example of infrastructure as a service might be Microsoft's Azure or Amazon's Elastic Compute Cloud. Another example would be VMware View Cloud or OpenStack's OpenStack Compute, just to name a few.
The main point of this is that each one of these tiers has different implications for security and we'll get into some of that in the next part of our discussion. Cloud computing is tasty.