Guide to Cloud Computing Paradigms.
- Adam Longmire

- Apr 11, 2025
Updated: Sep 5, 2025
Cloud Computing Services by type.
Cloud computing services are central to many businesses because they reduce on-premises hardware and software maintenance by shifting what we call CapEx to OpEx. CapEx, or capital expenditure, would usually involve procuring the various licenses and hardware needed to support an on-premises server system; moving to the cloud also removes the need to spend capital on the power and associated protection of that infrastructure. This allows a business to transition to OpEx, where responsibility for managing the cloud platform's infrastructure is given to a cloud provider that has all the functionality and networking equipment in place, and the only thing your business must consider is the cost paid to the cloud provider.
Infrastructure as a service (IaaS)
This is probably the simplest way to obtain cloud resources. In this configuration the business's level of responsibility is often the highest, and the infrastructure is presented in a few ways. As stated above, cloud platforms provide the core components that support the cloud service: networking, power, servers and storage. At the simplest level, an example of such a service is what is called "compute services". These are infrastructure in the form of a physical server, but when we say physical server, they are often virtualization servers, which allow for ease of management, and those management abilities simplify the scalability, reliability, accessibility and security of the servers.
Cloud providers will often provide a lot of nice-to-have features for compute workloads. Health monitoring, and performance and scaling monitoring, are often critical to the management of cloud platforms, so most if not all cloud providers offer configuration options for deploying cloud systems in a way that best achieves this goal.
Health Monitoring - Allows cloud systems to often recover automatically from failures, or to identify issues with a piece of infrastructure. CPU utilization, memory performance, disk load and network connectivity are part of the health checks applied to cloud computing environments. Some cloud platforms also provide predictive analysis of your current workload, using machine learning to better decide when to perform maintenance and housekeeping tasks, such as during periods of low activity. This often works hand in hand with the autoscaler.
Autoscaler - Most if not all providers offer a feature called an autoscaler. When high amounts of traffic or activity are present on a cloud deployment, it allows the cloud platform to automatically and dynamically increase or decrease the amount of compute power provided. This is done in the form of percentages and the types of decisions the autoscaler undertakes, such as the kind of conditions that count as an event leading to undercapacity or overcapacity. The autoscaler makes its decisions based on those choices: whether it should scale before the system becomes overloaded or underloaded, after, or immediately at the time it happens. This process would probably be best described as scaling diagonally. Why? Because scaling up replaces or removes existing hardware and scaling across, or horizontally, results in the same resource; an autoscaler can decide, based on the current workload, whether to move in a diagonal direction or whether it simply needs horizontal scaling.
Past scaling - The cloud platform begins to adjust its scale after the provided resources have been over-utilized or under-utilized.
Future scaling - Predicts ahead of time when to perform the scaling, that is, before over-utilization or under-utilization occurs.
Immediate scaling - The cloud provider's systems scale automatically and immediately upon overuse or underuse.
Load Balancer - This is a concept most network engineers should be well aware of. It is also used as a part of common methods to improve Quality of Service by distributing the workload across individual nodes. In cloud computing, however, load balancers are also the components responsible for communicating with the autoscaler, informing it of the current workload and whether the current distribution of work makes it necessary to trigger a new scaling condition.
Hardware and automated setup - In terms of the resources available to you from cloud providers, the choice is effectively endless. You can configure the kind of hardware, the bandwidth, and even the kinds of applications that will be installed using Amazon-provided images. Those images can also have specialised configuration files applied to them which perform the configuration from end to end, allowing you as a business to spend less time tinkering and more time providing top-quality products and services to your customers.
Data Tenancy and Location - Most if not all cloud providers will give you the choice of where your service is deployed. That is due to many countries' laws, including GDPR, which require various levels of security and data tenancy. Data must be stored under this privacy framework, so deploying a server in a GDPR country would require a locally resident server in the UK, the Netherlands or other European zones which have those necessary controls in place.
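The past, future and immediate scaling modes described under Autoscaler, run side by side over the same workload. This is an added example, not code from any cloud provider: the 80% / 30% thresholds, the linear extrapolation used for prediction and all names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    high: float = 80.0   # percent utilisation per node treated as over-capacity
    low: float = 30.0    # percent utilisation per node treated as under-capacity
    min_nodes: int = 1
    max_nodes: int = 10
    sustain: int = 3     # samples a breach must persist before "past" scaling acts
    horizon: int = 2     # samples "future" scaling looks ahead

def _step(util, nodes, p):
    """Add a node above `high`, remove one below `low`, stay within the limits."""
    if util > p.high:
        nodes += 1
    elif util < p.low:
        nodes -= 1
    return max(p.min_nodes, min(p.max_nodes, nodes))

def immediate(demand, nodes, p):
    """Act on the latest sample alone."""
    return _step(demand[-1] / nodes, nodes, p)

def past(demand, nodes, p):
    """Act only after the breach has lasted `sustain` consecutive samples."""
    recent = [d / nodes for d in demand[-p.sustain:]]
    if len(recent) < p.sustain:
        return nodes
    if all(u > p.high for u in recent) or all(u < p.low for u in recent):
        return _step(recent[-1], nodes, p)
    return nodes

def future(demand, nodes, p):
    """Act on a linear extrapolation of demand `horizon` samples ahead."""
    if len(demand) < 2:
        return nodes
    predicted = max(0.0, demand[-1] + (demand[-1] - demand[-2]) * p.horizon)
    return _step(predicted / nodes, nodes, p)

def simulate(load, decide, p=Policy(), nodes=2):
    """Return (node count after each sample, peak per-node utilisation seen)."""
    seen, counts, peak = [], [], 0.0
    for total in load:
        seen.append(total)                # what the load balancer reports
        peak = max(peak, total / nodes)   # utilisation before any scaling
        nodes = decide(seen, nodes, p)
        counts.append(nodes)
    return counts, peak

# Constructed sample: total demand (percent of one node) ramps up, then falls.
LOAD = [60, 100, 140, 180, 220, 260, 260, 200, 120, 60, 40, 40]

if __name__ == "__main__":
    for policy in (past, future, immediate):
        counts, peak = simulate(LOAD, policy)
        print(f"{policy.__name__:<9} nodes={counts} peak={peak:.0f}%")
```

On this workload only the predictive mode keeps every node under the over-capacity threshold; the reactive modes trade that headroom for fewer scaling events.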
Examples
University needing critical workload completion
A very special case where the choice of hardware is very important is genomics-based data processing. Genetic data often involves obscene amounts of information, and "mining" through that data needs to be very fast. In bioinformatics, string matching and rapid extraction can often be accelerated using GPGPU capabilities; Amazon AWS, for example, provides a number of GPGPU compute cluster capabilities.
Movie production business needing deadline tied scalability
Another case would be a movie company that needs some serious compute power and has tight deadlines on when a GPGPU task must be complete, so the film company purchases an allocation with one of the many providers and allocates it based on time. This also helps the company when scalability becomes important: it is well known that movie production timelines can change constantly, and if the rendering of the scenes is not progressing fast enough, the movie company can ask for a rapid scale-up to compensate for the lack of time, allowing them to reach their release window in record time.
Identity as a Service (IDaaS)
Simply put, this is the concept of user access control, auditing and user authentication, mostly falling under the concept of AAA - Accounting, Auditing, Authentication. A common pattern in the field of cybersecurity is the need to provide access control management, and databases can become unwieldy very quickly without a solid identity as a service system. An AAA system commonly provides the following concepts.
Access Control - At the general level, access control is a way to grant access to resources, computers or other company assets, including remote access to those assets. It does this by creating access control rules about what can and cannot be accessed, expressed in terms of groups, users, systems and other company resources.
Authentication - Determining whether an access-controlled user, group or system is who they say they are, forming the basis of non-repudiation. Authentication can be done via various methods, such as biometrics, smart cards, OTP codes, SMS, or hardware-based cryptographic processors on existing hardware within the company network.
Accounting - This ensures that if a known user has their details compromised, defeating the controls put in place by authentication and access control, there is a record of what happened and whose credentials were used to perform an action against assets on a business's network. That takes the form of logging authentication requests and multi-factor requests, and even monitoring attempts to cross certain network boundaries, such as detecting an isolated network attempting to reach a portion of the network which it really shouldn't have any business communicating with. This accounting can often be a part of an endpoint protection service and platform, detecting abnormal or anomalous behavior and blocking it before it can escalate to potential asset theft, destruction or fraud.
ZeroTrust Networks - Managing access can also be extended to the devices used on a network and the identification of the individuals using them. Commonly this forms part of the basis of ZTNs - ZeroTrust Networks, a form of highly restrictive access control where access to assets is mediated and each level of access requires a certain level of trust. In this sense a publicly accessible client being served a website would be classified as the lowest level of trust and an internal high-security company server would be very high trust, which requires various identification, authentication and auditing applied to control access to the rest of the company's infrastructure and assets. In this form all initially joined clients are only given trust after various checks and balances are applied, to new clients and even old ones, further facilitated by EPR Endpoint Response security systems. ZeroTrust is the culmination of access control at its maximum level. ZTNs are also not unlike mandatory access control, or MAC, but instead of being applied to a Windows, Linux or macOS device it applies to the entire network and all devices connected to it.
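The record-keeping described under Accounting, applied to a handful of log records: it counts failed multi-factor requests per user and flags an isolated segment reaching a part of the network it has no business with, naming the credentials used. This is an added example, not part of the original article; the log format, segment ranges, allow-list and account names are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Hypothetical segment map and allow-list; a real deployment would load these
# from its own network policy.
SEGMENTS = {
    "office":   ipaddress.ip_network("10.10.0.0/16"),
    "servers":  ipaddress.ip_network("10.20.0.0/16"),
    "isolated": ipaddress.ip_network("10.30.0.0/16"),
}
ALLOWED = {("office", "servers")}   # (source segment, destination segment)

# Constructed accounting records (the key=value format is an assumption).
LOG = """\
2025-04-11T09:00:02Z event=auth user=alice src=10.10.1.15 mfa=pass result=success
2025-04-11T09:01:10Z event=flow user=alice src=10.10.1.15 dst=10.20.0.5 port=443
2025-04-11T09:02:31Z event=auth user=bob src=10.10.4.2 mfa=fail result=denied
2025-04-11T09:02:40Z event=auth user=bob src=10.10.4.2 mfa=fail result=denied
2025-04-11T09:03:44Z event=flow user=svc-lab src=10.30.0.9 dst=10.20.0.5 port=22
2025-04-11T09:04:01Z event=flow user=svc-lab src=10.30.0.9 dst=10.30.0.12 port=8080
this line is malformed and is skipped
"""

def parse(line):
    """Split one record into a dict; return None when it is not key=value data."""
    parts = line.split()
    if len(parts) < 2 or "=" not in parts[1]:
        return None
    rec = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    rec["ts"] = parts[0]
    return rec

def segment_of(addr):
    """Name the segment an address belongs to, or 'unknown'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    return next((name for name, net in SEGMENTS.items() if ip in net), "unknown")

def review(log_text):
    """Return (boundary violations, failed-MFA count per user)."""
    violations, mfa_failures = [], Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        user = rec.get("user", "?")
        if rec.get("event") == "auth" and rec.get("mfa") == "fail":
            mfa_failures[user] += 1
        elif rec.get("event") == "flow":
            src = segment_of(rec.get("src", ""))
            dst = segment_of(rec.get("dst", ""))
            if src != dst and (src, dst) not in ALLOWED:
                violations.append((rec["ts"], user, src, dst))
    return violations, dict(mfa_failures)

if __name__ == "__main__":
    print(review(LOG))
```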
Security as a service (SecaaS)
The reality is you've been using this for a long time: most antivirus and antimalware platforms come under this category. Security as a service is similar in many ways to identity as a service; however, it can facilitate far more than simple antimalware solutions, including various supporting cybersecurity suites and functions under one or more common platforms. Additionally, SecaaS can already be integrated into many cloud platforms: Azure, Amazon AWS and Google Compute Platform all have security as a service that can be used in conjunction with IDaaS and IaaS. The unified nature of most cloud providers comes from their significant capital investment in infrastructure, both software and hardware, which allows you to find all your solutions in one place.
Intrusion Detection and Intrusion Prevention (IDS / IPS) - Intrusion detection rules are used only to detect potential events leading to device, network or system compromise. These rules only monitor and log attempts, but the logs can be comprehensive and detailed.
Integrated Analytics - Allow security response teams quick access to important information about the state of the security infrastructure. They can quickly provide breakdowns of patched systems, their current status, whether any abnormal traffic has been reported, and many other features. They can also break down intrusions by country and, with the assistance of discriminating based artificial intelligence, provide suggestions to security teams about how to improve the current security posture of the company.
Cryptographic Managers - All cloud providers give access to cryptographic management tools, which allow for the access and configuration of the various security features, including those found in Google Cloud computing platform. A key feature found on both GCP and Amazon AWS is "encrypted Instance runtime", which effectively encrypts the internal system running on the cloud platform's infrastructure, allowing businesses to enforce various protection and security frameworks like HIPAA, PCI-DSS and others. A situation where this might be desirable would be banking, or even high-security government departments where secrecy is highly important; using encrypted instances ensures that not even Google or Amazon can access the contents of your cloud system.
Next Generation Firewalls - Are a significant evolution of existing IPS / IDS systems. They take those capabilities and integrate them into unified platforms with realtime rule updates, integrated DPI and traffic inspection, and in some cases decryption and scanning as an MITM monitoring system for potentially malicious code contained within data passing into a protected network. Some of the higher-end offerings provided by NGFWs are realtime threat modelling and more advanced adaptive response systems, using the recent push for anomaly-based detection to identify IoCs - Indicators of Compromise. Not unlike the process of diagnosing a medical patient, IoCs are the symptoms of a disease: the "behaviours" of network services and other aspects of company assets form "indicators" that malware, or some other activity, is going on in that network.
Rapid Remote Access control - Some cloud providers also allow for fast, easy deployment of remote access control, that is, a VPN service which is quick and simple to configure and does not necessarily require a comprehensive understanding of the various encryption systems and configurations such VPN services need, like the configuration of OpenVPN, WireGuard and others.
Container as a service (CaaS)
A fairly simple concept to grasp if you have ever touched LXC, Docker or Podman. Containers are basically a type of virtualization; however, the kernel is shared with each instance of a container. Containers allow the bundling of many services and components into a single 'box'. Think of it like a flatpack where you assemble the parts you need in the Docker or other configuration file, which then defines the structure that makes up the containerised system.
Deployment Scalability - Containers do not require a fully started operating system to be deployed, only a currently running kernel instance on the host which holds the containers. As such, containers can be started faster than a standard virtual machine, allowing them to be quickly scaled out and in. One such case would be an ecommerce website which is handling a lot of query traffic: containers can be deployed much like a micro-service to rapidly scale out and in, as well as up and down, when the amount of available compute power needs to be increased.
Response time - Containers do not need to be fully booted to begin working. They can be deployed very rapidly and be accepting requests much faster than a standard computer and operating system, which must go through full POST testing, making them ideal for responding to demand quickly and effectively.
Virtualised network management - Groups of containers can be placed in individual networks and use various addressing and communication methods internally, including a dedicated network for one group and a completely different one for another cluster. Those networks cannot communicate unless explicitly configured to do so.
Resource efficiency - Because they lack full system requirements, containers take up far less CPU, storage and memory: they do not require a fully active kernel that has completed a full boot, meaning that containers can be created by the thousands and be easily managed.
Orchestrators and coordination - To simplify many cloud-based CaaS deployments, orchestrators are used; common ones are Portainer and k8s. These provide dashboards, monitoring and improved GUI simplicity. However, if your goal is reduced overall resource utilisation, an orchestrator can be built using standard off-the-shelf programming languages like Python. They may not be pretty, but with proper planning, if you don't need massive scalability, for small jobs like home labs an orchestrator built using this method can be both simple and powerful.
Homogenous development - Containers also solve a massive problem with many software deployments. One of the biggest contributors to degraded DevOps teams is the situation where one library makes sufficiently large changes that they lead to a loss of functionality in the existing code base. By creating a homogenous development environment you give your DevOps teams a simple platform on which to build applications and services.
Platform as a service (PaaS)
Eliminating a lot of the responsibility of a cloud consumer, platform as a service is commonly used to provide various services. A platform could be as simple as hosting a database, all the way up to a generalised API platform for tasks such as Azure machine learning. Microsoft has a number of PaaS services for this task, and so do Amazon and Google. For example, under Google GCP there is an option to use Google Cloud based TPU infrastructure and be given an API to communicate with it, eliminating the need for massive amounts of work to get to the meat and potatoes of doing machine learning. This provides a platform that is easy to work with and quick to deploy, eliminating all the management that the use of IaaS or CaaS would involve.
Simplify the deployment of software - Creates a simple unified environment for developers to work with quickly, without any of the hassles associated with the higher levels of responsibility necessary with the IaaS or CaaS route.
Access to Services and Simplified billing - PaaS offerings will often come with the same benefits of scaling, with none of the administrative overheads associated with the "Pay as you go" method of charging, meaning that if you are not utilizing the resources you've been allocated, you can potentially gain credits for when you do need a large amount of scale quickly for a short period of time.
Ease of accessibility - For businesses with the goal of getting up and running, if they already have an existing workload, moving their existing website, database or other functionality to the cloud can reduce the work needed for the various infrastructure-based designations and let them focus just on their business instead of the nitty-gritty and potentially error-prone process of managing on-premises hardware.
An example of these situations is a data scientist or machine learning engineer looking for a platform that provides the compute power needed to complete jobs quickly and efficiently. "Renting" that compute power can provide not only the compute power but also powerful visualisation tools for things like data generated by the business, which the engineer has acquired from the company to determine whether what they have access to is actionable and usable for reliable deployment of machine learning workloads. ML and DS specialists have many to choose from: Google TPUs, Amazon AWS AI platform and Microsoft's Azure ML all provide strong foundations for accessing cloud-based AI processing.
Software as a service (SaaS)
Probably the most familiar system that people would be aware of is the old software as a service. The reason I say this is because you probably use SaaS every day: Google Drive, OneDrive, iCloud, Dropbox and many others. Many common everyday applications are also considered software as a service, like the Microsoft 365 suite or the Adobe Creative Cloud platform. These are SaaS at their core because you pay for software and it is a service, giving you access to the application and its continued updates into the future.
Function as a Service (FaaS)
This is still a type of server, but it does not appear to the developer in this form. Function as a service is simply an event trigger / detection system which creates an instance of a function to handle a request from a user or individual whose access triggers the event. This is why it is commonly referred to as FaaS, function as a service: a "function", a term borrowed from the fields of both mathematics and computer programming, responds to an event and performs the task it was programmed to do. This way everything on a function-based service is very tightly resource budgeted, executing code only when absolutely necessary.
