In the previous video, we introduced data and storage in cloud service models and covered the first of the three models, Software as a Service. Here we continue with the second and third: Platform as a Service and Infrastructure as a Service.

The problems we ran into with SaaS are the five listed here. I repeat them because they show up in the later service models as well. First, weak administrator credentials, which are the responsibility of the cloud consumer, that is, the organization using the cloud for its application. Second, incorrect data protection, another cloud consumer error, where the consumer fails to store information in a place where it is appropriately protected. Third, plugin vulnerabilities, where the consumer installs a software plugin that is vulnerable to attack from the internet. Fourth, cloud provider risks: the risk of data leakage or spillage such that the cloud provider has access to data when that access is neither necessary nor desirable. Finally, there is the SOC 2 report. There may be surprises in it, and you will never know unless you read it. You have to read the SOC 2 report to see what access protections the provider really provides, and which of them have been reviewed by outside auditors.

Platform as a Service. As we said earlier, you start out with Software as a Service, where everything is provided by the provider. In PaaS, the cloud consumer provides the application and possibly some layers of middleware, and the provider provides the rest: perhaps some middleware, plus the operating system, plus the computer hardware. Using a web hosting example, the consumer provides the upper layers, definitely the content and configuration, as in SaaS, but they may also provide the content management system.
Perhaps it is a customized version of WordPress or Drupal or one of the other content management systems, or perhaps it is built on a special framework that the consumer maintains. Then there are user-level application controls, another thing that has to be handled in the upper layers by the cloud consumer. You know how your data has to be protected, so you have to implement the controls that keep it protected. This remains the biggest way that web data gets leaked: the consumer failed to protect it properly. At the lower layers, the provider hosts the software, supports it, and applies updates as they appear. Some PaaS providers actually use third parties as their hosts; for example, there are PaaS providers that let you host your service on one of the better-known infrastructures such as Amazon Web Services, Google Cloud, Microsoft Azure or IBM.

Data handling. In SaaS, we don't worry so much about data handling, because we don't really have our fingers in the software to the point where we are accessing particular named objects, files, databases or fields within databases. That starts to happen with PaaS. You have block storage, which is essentially like the old-style hard drive or a modern solid-state drive, where everything is block-addressable. If you are running a standard file system somewhere, that file system can provide a file structure on top of the block storage. A lot of people don't see that as especially practical for PaaS; it makes more sense to use an object store provided by the cloud service provider, which you will see called buckets, blobs or one of the other names that get used. There is also files as a service: you could go out to a file service such as Dropbox, Box or Google Drive and pull files that way. And many providers offer database management as a service. Let's talk a bit about cloud object storage.
What we are talking about here is something like Amazon's S3 (Simple Storage Service), Google Cloud Storage and Microsoft Azure Blob Storage; you will probably find the equivalent at most vendors. Essentially, each bucket (or blob container) holds a set of uniquely named objects, and the entire bucket can be access-controlled. In other words, you can limit access to that particular cloud consumer, or to particular authorized process identities within that cloud consumer. Within the storage, you have objects, which are essentially like files: each one is a block of application data just as a file is, it has a set of attributes associated with it as a file would, and access controls are available on each object. It is very file-like, but a bit more flexible than file storage. You don't actually have a hierarchical file system, although most systems have a way to get the benefits of that type of organization if you want it.

Database as a Service. There are a number of standard off-the-shelf database management systems; you can just go out and get a copy of MySQL, Oracle or Microsoft SQL Server. If you go to a cloud provider, however, they will probably have their own custom database systems that they provide to their cloud consumers. Yes, they will have a relational, SQL-driven database, but it won't just be MySQL; it will be their version of those functions, so it may have its own access controls that don't appear in other relational SQL databases. There are also NoSQL (Not-Only-SQL) databases, systems that use something other than the relational model and SQL, like the key-value database we talked about earlier. You also have databases designed to work in the Hadoop MapReduce environment, where the data is distributed across multiple computers so that it can be operated on in parallel.

Platform as a Service has all the same issues as SaaS, plus software updates.
You as the cloud consumer need to update the software that sits above the cloud provider's layers. So if you are providing some middleware, or providing your own application software, you need to keep it updated. Then there is the problem of coordinating user contexts, which we will talk about in a moment. Then data access controls, which essentially means making sure the access controls we set up work properly for the different user contexts we have to deal with, because some access controls have to be set up at the cloud provider level and some at the application and user level. Finally, logging and monitoring. In a lot of PaaS environments it is up to us to set up logging and monitoring. A good vendor will provide tools to make this easier, but you still have to set it up, make sure it is running, and keep track of what your system is doing.

The user context problem. You have different classes of user IDs in a cloud application, especially in PaaS. There are application user IDs, associated with a collection of end users who may be your customers, your employees or other business partners. Then there are cloud consumer user IDs, associated with software development and with the different components within your cloud application, so that you can run different application components under different IDs with different access permissions. You need to find ways to map the application user IDs onto the cloud consumer IDs, so that somebody with administrative access to the application is mapped to a different consumer ID than the one most of your regular customer users are mapped to.

Infrastructure as a Service. This is the classic piece of cloud technology.
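The following is an added example, not code from the lecture, that ties together the two points above: access-controlling an object-storage bucket per cloud consumer identity, and mapping classes of application users (customers, employees, application admins) onto distinct cloud consumer IDs. It builds an S3-style bucket policy from that mapping and then lints it for the weak setting (an Allow to everyone, for every action) set beside the corrected form. The account ID, bucket name, role names and key-prefix layout are placeholders assumed for illustration; the JSON shape follows the S3 bucket-policy grammar.

```python
"""Map application user classes onto distinct cloud-consumer identities, build
a least-privilege object-store bucket policy from that mapping, then lint it.
Added example, not from the lecture. Account ID, bucket and role names are
placeholders; the JSON shape follows the S3 bucket-policy grammar."""
import json
from typing import Dict, List

ACCOUNT_ID = "123456789012"      # assumption: placeholder account
BUCKET = "example-app-data"      # assumption: placeholder bucket

# Application user class -> cloud-consumer identity (IAM role) the application
# component serving that class runs under. End users never get cloud identities
# of their own; the app acts on their behalf under the mapped role.
CONTEXT_TO_ROLE: Dict[str, str] = {
    "customer":  f"arn:aws:iam::{ACCOUNT_ID}:role/app-customer-runtime",
    "employee":  f"arn:aws:iam::{ACCOUNT_ID}:role/app-employee-runtime",
    "app-admin": f"arn:aws:iam::{ACCOUNT_ID}:role/app-admin-ops",
}

# Object-level actions each class actually needs; each class is confined to its
# own key prefix. Only staff classes may list the bucket.
CONTEXT_TO_ACTIONS: Dict[str, List[str]] = {
    "customer":  ["s3:GetObject", "s3:PutObject"],
    "employee":  ["s3:GetObject", "s3:PutObject"],
    "app-admin": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
}
CAN_LIST = {"employee", "app-admin"}

def role_for(app_user_class: str) -> str:
    """Resolve the cloud identity for an application user class. An unknown
    class raises instead of silently falling back to something broad."""
    if app_user_class not in CONTEXT_TO_ROLE:
        raise ValueError(f"no cloud identity mapped for {app_user_class!r}")
    return CONTEXT_TO_ROLE[app_user_class]

def build_bucket_policy(bucket: str = BUCKET) -> dict:
    """Corrected setting: one narrowly scoped Allow per context, plus a
    blanket Deny of plaintext transport."""
    statements = []
    for ctx, actions in CONTEXT_TO_ACTIONS.items():
        statements.append({
            "Sid": f"Objects-{ctx}", "Effect": "Allow",
            "Principal": {"AWS": role_for(ctx)},
            "Action": actions,
            "Resource": f"arn:aws:s3:::{bucket}/{ctx}/*",
        })
        if ctx in CAN_LIST:
            statements.append({
                "Sid": f"List-{ctx}", "Effect": "Allow",
                "Principal": {"AWS": role_for(ctx)},
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{ctx}/*"]}},
            })
    statements.append({
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    })
    return {"Version": "2012-10-17", "Statement": statements}

# The weak setting the lecture warns about: one Allow to everyone, for everything.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadWrite", "Effect": "Allow", "Principal": "*",
    "Action": "s3:*", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def lint_policy(policy: dict) -> List[str]:
    """Flag Allow statements that grant to everyone or grant every action."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{st['Sid']}: Allow with Principal '*' (publicly accessible)")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{st['Sid']}: wildcard action grants every operation")
    return findings

if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(), indent=2))
    print("weak policy findings:", lint_policy(WEAK_POLICY))
    print("built policy findings:", lint_policy(build_bucket_policy()))
```

The point of `role_for` raising on an unknown class is that the failure mode to avoid is an unmapped application user quietly running under whatever default identity the runtime has, which is usually the broadest one. The lint is deliberately simple; it catches the two mistakes that account for most leaked buckets, not every over-broad grant.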
Essentially, the cloud service provider provides hardware, or virtualized simulations of hardware, and the consumer provides all the software from the operating system on up. The cloud consumer's responsibilities are the user and administrative controls and all of the software. There is still a little bit of cloud-side configuration the consumer has to take care of to make sure the cloud systems are protected from outside interference; again, that involves configuring the storage areas used by the cloud software. The cloud provider provides real or virtual infrastructure, or both, and it is up to them to make sure the infrastructure is secure and reliable; everything else is up to the consumer.

Data handling in IaaS. You start with block storage, essentially your classic drive with block-addressable storage. Since you are running an entire operating system, that works fine: you can use the built-in file system in whatever operating system you are running and it takes care of everything else. If you have the appropriate software libraries in your IaaS-based application, it can also reach out to the APIs for the object storage provided by your cloud service provider, for files as a service, or for database management as a service. Those options are all still there; you just need additional library support to use them.

IaaS security issues are essentially the same as the platform issues. We have the SaaS issues as before, and software updates are all up to us. Coordinating user contexts is a bit simpler, because you are not protecting nearly as many different kinds of things in IaaS as you are with PaaS. Data access controls tie back to our user contexts. Logging and monitoring is probably hardest in this context, because you have to find all the tools and make them work on your own.
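Since both the PaaS and IaaS discussions end on logging and monitoring being the consumer's job, here is an added example (not from the lecture) of the minimal detection logic a consumer would run over the provider's audit trail once it is switched on. It uses a simplified version of the JSON event shape cloud audit logs emit (eventName, userIdentity, requestParameters); the account ID, the set of known roles and the four sample events are constructed for the example. Three rules are applied: any change to a bucket's access policy, any data access by an identity that is not one of the mapped cloud consumer roles, and any use of the root account.

```python
"""Detection logic over audit-log events for consumer-run monitoring.
Added example, not from the lecture. Event shape is a simplified audit-trail
record; account ID, role names and the sample events are constructed."""
from dataclasses import dataclass
from typing import List, Optional

ACCOUNT_ID = "123456789012"  # assumption: placeholder account

# Cloud-consumer identities our application components are expected to run
# under (the output of the user-context mapping). Anything else touching data
# is suspicious by definition.
KNOWN_ROLES = {"app-customer-runtime", "app-employee-runtime", "app-admin-ops"}

# Control-plane calls that change who can reach the data. Worth an alert even
# when issued by a known role, because this is how buckets become public.
POLICY_CHANGE_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                        "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock"}

DATA_EVENT_PREFIXES = ("GetObject", "PutObject", "DeleteObject", "ListObjects")

@dataclass
class Finding:
    rule: str
    event_name: str
    actor: str
    bucket: str

def actor_role(event: dict) -> Optional[str]:
    """Role name for an assumed-role session ARN
    (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION); None for IAM users,
    root, or anything we cannot parse."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    parts = ident.get("arn", "").split(":assumed-role/")
    if len(parts) != 2:
        return None
    return parts[1].split("/")[0]

def detect(events: List[dict]) -> List[Finding]:
    """Run the three rules over a batch of events, in event order."""
    findings: List[Finding] = []
    for ev in events:
        name = ev.get("eventName", "")
        ident = ev.get("userIdentity", {})
        actor = ident.get("arn", "<unknown>")
        bucket = ev.get("requestParameters", {}).get("bucketName", "")
        if ident.get("type") == "Root":
            findings.append(Finding("root-account-activity", name, actor, bucket))
        if name in POLICY_CHANGE_EVENTS:
            findings.append(Finding("bucket-access-policy-changed", name, actor, bucket))
        if name.startswith(DATA_EVENT_PREFIXES) and actor_role(ev) not in KNOWN_ROLES:
            findings.append(Finding("data-access-by-unmapped-identity", name, actor, bucket))
    return findings

SAMPLE_EVENTS = [  # constructed for the example
    {"eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/app-customer-runtime/web-1"},
     "requestParameters": {"bucketName": "example-app-data", "key": "customer/42/order.json"}},
    {"eventName": "PutBucketAcl",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/app-admin-ops/cli"},
     "requestParameters": {"bucketName": "example-app-data"}},
    {"eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT_ID}:user/contractor"},
     "requestParameters": {"bucketName": "example-app-data", "key": "employee/payroll.csv"}},
    {"eventName": "ListBuckets",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT_ID}:root"},
     "requestParameters": {}},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:34} {f.event_name:16} {f.actor}")
```

On the sample batch the first event (a mapped runtime role reading its own prefix) is clean, and the other three each trip exactly one rule. The same rules apply unchanged in IaaS; what differs there is that you have to ship the events to a place where this code can read them, rather than having the platform do it for you.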