“IaaS, PaaS and SaaS explained
IaaS, PaaS, SaaS… It can sometimes feel like we are in acronym hell. What are the correct definitions and how does each service differ?
IT organizations have historically been using their own Private Cloud Infrastructure either on premise or inside their own external datacenters to host servers, applications and data etc. Move forward 20 years and we have moved into a service provider era containing Public Cloud Infrastructure and Hybrid Public Cloud Infrastructure. Organizations called service providers exist specifically to provide, manage and maintain the infrastructure on which their client organization’s servers, application or data are hosted. The client organization gets access controls to manage their servers, applications and data hosted on the remote server. This is the basis behind cloud computing so where does IaaS, PaaS, SaaS fit into this scenario?
In an IaaS (Infrastructure as a Service) model sometimes called Hardware as a Service, a third-party service provider hosts hardware, software, servers, storage, networking and other infrastructure components on behalf of an organization; including managing tasks such as system maintenance, upgrading, backup and disaster recovery planning.
Some of the main vendors of IaaS are Amazon Elastic Compute Cloud, Rackspace Cloud Hosting, Microsoft Windows Azure, Google Compute and Openstack Open Source Cloud There are also numerous other IaaS Vendors with their own offerings such as IBM, VMWare, HP, SAP and Oracle and many more.
As a client of cloud service providers, you can focus on your own applications & databases, websites and IT systems without the obligation and capital expenditure of managing your own IT hardware, maintenance, datacentre space and extensive support.
- Cloud Service Providers have the ability to provide a variety of hardware and technologies such as Linux and Open Source to cater for all organizations requirements
- Cloud Service Providers offer pricing models which allow for companies to only pay for the storage and hours they need to use servers for. This billing method offers a significant cost saving against having to buy, maintain and then run your own hardware and networks
- Location independent
- Cloud Providers have the ability to offer scalability and sustainability. The ability to have an immediate increase in web services or resources in line with end of year financial runs or busy work periods such as Christmas can prove invaluable.
- Highly automated. Regular task and daily tasks can be automated saving time and increasing productivity in other areas
- Service Level agreements for standards of service.
- In regards to company sensitive data, there may be an issue as to who within the Service Provider could potentially have access to or monitor your data.
- When customer data resides in with external service providers, there is the question of how security compliant the service provider is or can they offer you the type of physical and virtual security required including adhering to external data security regulations required by certain customers. Does the provider have security measures in place to manage communications outages such as denial of service and attacks including authentication issues such as IP spoofing, DNS poisoning, arp poisoning and RIP attacks?
- The cloud service provider needs to make sure the system is always available for its clients. Companies need to be assured of relying on the high availability and performance of another providers’ systems.
- Can a service provider verify the security of your data from end to end during transit, at rest or backup?
- Often you will be sharing space with other organisations on the same infrastructure. The service provider should be able to clearly show secure segregation between customers.
- If the service provider has a lack of employee processes and procedures such as how it monitors its employees and how access is granted and used, there could be a risk of malicious insiders who having access to client’s infrastructure and data could cause a significant security breach given the level of access and ability to infiltrate organizations and assets. Thus, damage to company brands, financial implications or penalties and productivity issues may cause damage to the service provider and the client’s reputation and business.
- Different countries have different regulations and security considerations. Certain companies will need data to reside in countries which adhere to their own regulations and know the data is not able to be transferred into countries where data could be at considerable risk of exposure or data loss/leaking.
The PaaS (Platform as a Service) model, is a computing platform or environment allows developers to have the complete tools, operating systems, middleware and programming languages to build software or website applications. Everything is then hosted and stored by the PaaS Service Provider. PaaS offers developers a solution that is a complete software development, testing and deployment environment. In addition it has the benefit that the operating system, virtual machines, and infrastructure are hidden and not a concern to the developer. PaaS service models have automatic scalability to allow for increased usage or spikes in activity – therefore making PaaS a really useful way to build high traffic applications.
Some of the main vendors of PaaS include Amazon Web Services, Cloud Foundry (Open Source project run by VMware), AppHarbour and Heroku owned by Salesforce. There are various other vendors such as IBM Smartcloud, Redhat Openshift, openStack, Google App Engines and Engine Yard
A PaaS Service Provider generally offers the following
- Operating System – Windows, Linux or Open Source
- Programming Languages – C#, Python, Java, Ruby and Node.js etc.
- Virtual Machines – Servers to run the applications
- Databases – SQl or Oracle databases
- Web Servers – Apache or IIS etc.
- Distributed Computing – Messaging and Big Data technologies
- Developers have no concern for the underlying infrastructure. They don’t need to buy, implement, manage and maintain the hardware that the applications run on.
- Bandwidth and resources are instantly scalable with increased workload and similar to IaaS, pricing models to allow for the peaks and troughs of workloads at certain times of the week, month or year.
- Databases, VMs and complete environments can be commissioned very quickly reducing build times, developer costs and allowing applications to enter the market quickly.
- Developers can collaborate worldwide very easily
- Developers can use their own software on the platform
- Developers responsible for the updating and upgrading of the applications
- Often you will be sharing space with other organisations on the same infrastructure. The service provider should be able to clearly show secure segregation between customers
- Not as cost effective as SaaS and not as much control over VM as IaaS.
- Changing providers may prove difficult
- Compliance with all applicable regulations concerning security, privacy, and data retention needs the same considerations as IaaS
Software as a Service (SaaS)
The SaaS (Software as a Service) model is the simplest and most straightforward model for clients which is hosted on a Service Providers infrastructure, not a company’s own private network. Users basically log on to an application via a web browser or dedicated desktop icon. CRM, E-mail, Games and almost any application could potentially be hosted by the SaaS Cloud platform including virtual desktops
- Users can log on to the application anytime/anywhere with an internet connection
- The Cloud provider will monitor, maintain, upgrade and backup the underlying infrastructure and software versions automatically
- Good pricing models including the ability to scale up and scale down users sometimes on a month by month basis
- Minimal planning and easy to set up. Solutions can be implemented in weeks rather than months
- Cloud Providers have an extremely resilient infrastructure tied into service level agreements for quality and uptime of service
- No license fees to manage, just subscription fees
- Little control over deployment, upgrade and testing methodology
- The SaaS Cloud provider has full access to customers’ data, unless encryption is used
- It is important to ensure that the application is compliant in terms of the location it is hosted due to certain countries and industries having strict regulations as to where data is stored
- Currently there are limited applications which are not available on a hosted platform although IBM for example has over 100 SaaS hosted applications
- Reliant on clients having a stable internet connection
- Hosted applications can be variable in their features and functionalities compared to being managed and adjusted in-house
- Currently SaaS applications are seen to be slightly slower than an in-house application however the comparison will be minimal and continually improving.
- It is important to make sure a proper recovery and backup plan should be in place. The infrastructure hosting the application should be highly available and replicated across potentially multiple locations. In addition, the timeframe to recover from any potential attacks or failures must be clearly stated or part of the service agreement held with the SaaS provider
In this age of “Anything as a Service”, Cloud providers offer clients the pretty picture of unlimited computing, network, and storage capacity. One of the main concerns behind these outsourced cloud models is the location, security and safety of the data being created, transmitted and managed. It is critical to ensure that there are correct processes and compliance of the internal security procedures, segregation of services, configuration hardening, patching, upgrading, auditing, and logging. The development software including APIs supplied for PaaS needs to be as secure as possible whilst working in injunction with any other software in the environment. Criminals continue to leverage new technologies and ways to penetrate the service providers in order to tamper with data causing loss and theft. IaaS offerings have hosted the Zeus botnet, Infostealer Trojan horses and Adobe PDF exploits. Aside from outside security concerns, it is vital to know who is managing your applications and data internally. Security is not just restricted to IT Processes. People also need to be subject to stringent security policies and procedures to prevent malicious attempts to infiltrate organizations and confidential data. Service providers must be able to stay one step ahead to continually maintain confidentiality, integrity and availability of those services.
These models are all evolving into exciting offerings with the potential to streamline IT, increase the use of automation and create secure highly available controlled environments with minimal disruption and ease of use. Although there are obvious learning curves for Cloud Infrastructure specialists including an understanding of multiple different platforms alongside an understanding of the increasing integration of automated services, these XaaS service models seem to be the way forward into a new era of Public Cloud Computing.