Chapter 2

Cloud Service Models

This is what our customers are asking for to take them to the next level and free them from the bondage of mainframe and client-server software.

—Marc Benioff, CEO, Salesforce.com

Choosing the right service model is a critical success factor for delivering cloud-based solutions. In order to choose the right service model or combination of service models, one must fully understand what each service model is and what responsibilities the cloud service providers assume versus the responsibilities the cloud service consumer assumes.

Infrastructure as a Service

There are three cloud service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Each cloud service model provides a level of abstraction that reduces the efforts required by the service consumer to build and deploy systems. In a traditional on-premises data center, the IT team has to build and manage everything. Whether the team is building proprietary solutions from scratch or purchasing commercial software products, they have to install and manage one-to-many servers, develop and install the software, ensure that the proper levels of security are applied, apply patches routinely (operating system, firmware, application, database, and so on), and much more. Each cloud service model provides levels of abstraction and automation for these tasks, thus providing more agility to the cloud service consumers so they can focus more time on their business problems and less time on managing infrastructure.

Figure 2.1 displays what is called the cloud stack. At the bottom is the traditional data center, which may have some virtualization in place but does not have any of the characteristics of cloud computing.ᵃ

Figure 2.1 Cloud Stack


The next level up is IaaS. The National Institute of Standards and Technology (NIST) defines IaaS as:

The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications and possibly limited control of select networking components (e.g., host firewalls).

The Cloud Security Alliance (CSA), a standards organization for cloud security, states that IaaS:

Delivers computer infrastructure (typically a platform virtualization environment) as a service, along with raw storage and networking. Rather than purchasing servers, software, data center space, or network equipment, clients instead buy those resources as a fully outsourced service.

With IaaS, many of the tasks related to managing and maintaining a physical data center and physical infrastructure (servers, disk storage, networking, and so forth) are abstracted and available as a collection of services that can be accessed and automated from code- and/or web-based management consoles. Developers still have to design and code entire applications and administrators still need to install, manage, and patch third-party solutions, but there is no physical infrastructure to manage anymore. Gone are the long procurement cycles where people would order physical hardware from vendors that would ship the hardware to the buyer who then had to unpackage, assemble, and install the hardware, which consumed space within a data center. With IaaS, the virtual infrastructure is available on demand and can be up and running in minutes by calling an application programming interface (API) or launching from a web-based management console. Like utilities such as electricity or water, virtual infrastructure is a metered service that costs money when it is powered on and in use, but stops accumulating costs when it is turned off. In summary, IaaS provides virtual data center capabilities so service consumers can focus more on building and managing applications and less on managing data centers and infrastructure.

There are several IaaS vendors in the marketplace, too many to name in this book. The most mature and widely used IaaS cloud service provider is Amazon Web Services (AWS). Rackspace and GoGrid are also early pioneers in this space. OpenStack is an open source project that provides IaaS capabilities for those consumers who want to avoid vendor lock-in and want the control to build their own IaaS capabilities in-house, which is referred to as a private cloud. There are a number of companies that are building IaaS solutions on top of OpenStack, similar to how there are many different distributions of Linux.

Platform as a Service

The next level up on the stack is PaaS. What IaaS is to infrastructure, PaaS is to the applications. PaaS sits on top of IaaS and abstracts much of the standard application stack–level functions and provides those functions as a service. For example, developers designing high-scaling systems often have to write a large amount of code to handle caching, asynchronous messaging, database scaling, and much more. Many PaaS solutions provide those capabilities as a service so the developers can focus on business logic and not reinvent the wheel by coding for underlying IT “plumbing.” NIST defines PaaS as:

The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

The CSA describes PaaS as:

The delivery of a computing platform and solution stack as a service. PaaS offerings facilitate deployment of applications without the cost and complexity of buying and managing the underlying hardware and software and provisioning hosting capabilities.

The CSA also mentions that PaaS services are available entirely from the Internet. PaaS vendors manage the application platform and provide the developers with a suite of tools to expedite the development process. Developers give up a degree of flexibility with PaaS because they are constrained by the tools and the software stacks that the PaaS vendor offers. The developers also have little-to-no control over lower-level software controls like memory allocation and stack configurations (examples: number of threads, amount of cache, patch levels, etc.).

The PaaS vendors control all of that and may even throttle how much compute power a service consumer can use so that the vendor can ensure the platform scales equally for everyone. Chapter 5 (“Choosing the Right Cloud Service Model”) explores these service model characteristics in great detail. Early PaaS pioneers like Force.com, Google App Engine, and Microsoft Azure dictated both the platform stack and the underlying infrastructure to developers. Force.com dictates that developers write in Apex code and the underlying infrastructure must be on Force.com’s data center. Google App Engine originally required that developers code in Python and on the Google data center, while Azure originally required .NET technologies on Microsoft data centers. A new breed of PaaS vendors has emerged and has created an open PaaS environment where consumers can implement the PaaS platform on the infrastructure of their choice and with many options for the development stack, including PHP, Ruby, Python, Node.js, and others. This approach is critical for widespread adoption by enterprises since many enterprises require or prefer to keep some or all of the application on-premises in a private cloud. Often, large enterprises leverage hybrid clouds by keeping their data in a private cloud and moving non-mission-critical components into the public cloud.ᵇ Both Google and Microsoft now support multiple development languages, whereas in the past they only supported one.

Heroku and Engine Yard are examples of mature public PaaS solutions that provide multiple stacks for developers, although at the time of the writing of this book they can be deployed only on AWS. Another huge advantage of PaaS is that these platforms integrate with numerous third-party software solutions, which are often referred to as plugins, add-ons, or extensions. Here are some examples of categories of extensions that can be found in most mature PaaS solutions:

  • Database
  • Logging
  • Monitoring
  • Security
  • Caching
  • Search
  • E-mail
  • Analytics
  • Payments

By leveraging APIs to access numerous third-party solutions, developers can provide failover and high service level agreements (SLAs) and achieve huge gains in speed to market and cost efficiency, since they don’t have to manage and maintain the technology behind the APIs. This is the power of PaaS, where developers can quickly assemble a collection of mature and proven third-party solutions simply by calling APIs and not having to go through a procurement process followed by an implementation process for each third-party tool. PaaS allows companies to focus on their core competencies and integrate with the best-of-breed tools in the marketplace. PaaS is the least mature of the three cloud service models, but analysts predict a huge boom in the PaaS marketplace in the next several years.ᶜ

Software as a Service

At the top of the stack is SaaS. SaaS is a complete application delivered as a service to the service consumer. The service consumer has only to configure some application-specific parameters and manage users. The service provider handles all of the infrastructure, all of the application logic, all deployments, and everything pertaining to the delivery of the product or service. Some very common SaaS applications are customer relationship management (CRM), enterprise resource planning (ERP), payroll, accounting, and other common business software. SaaS solutions are extremely common for non-core-competency functionality. Companies choose to rely on SaaS solutions for non-core functions so they do not have to support the application infrastructure, provide maintenance, and hire staff to manage it all. Instead they pay a subscription fee and simply use the service over the Internet as a browser-based service. NIST defines SaaS as:

The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Deployment Models

Even though the focus of this book is on cloud service models, it is important to understand the deployment models of cloud computing as well. Figure 2.2 shows the NIST visual model of cloud computing.

Figure 2.2 The NIST Definition of Cloud Computing


The NIST definition of a public cloud states:

The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

A public cloud is a multitenant environment where the end user pays for usage of resources on a shared grid of commodity resources alongside other customers. The end users have no visibility into the physical location of where their software is running other than where the data center is located. An abstraction layer is built on top of the physical hardware and exposed as APIs to the end user, who leverages these APIs to create virtual compute resources that run in a large pool of resources shared by many. Here are some advantages of public clouds:

  • Utility pricing. The end user pays only for the resources it consumes. This allows the end user to turn on more cloud services when it needs to scale up and turn off cloud services when it needs to scale down. The end user no longer needs to procure physical hardware in this model and therefore has a huge opportunity to eliminate wasted compute cycles by consuming only what is needed, when it is needed.
  • Elasticity. The end user has a seemingly endless pool of resources at its disposal and can configure its software solutions to dynamically increase or decrease the amount of compute resources it needs to handle peak loads. This allows the end user to react in real time to abnormal spikes in traffic, where in a private on-premises cloud or a noncloud solution the end user would have to already own or lease the necessary resources in order to handle peaks.
  • Core competency. By leveraging public clouds, the end user is essentially outsourcing its data center and infrastructure management to companies whose core competency is managing infrastructure. In return, the end user spends less time managing infrastructure and more time focusing on its own core competency.

Public clouds have some huge benefits but they also have drawbacks. Here is a list of some of the risks of leveraging a public cloud.

  • Control. End users must rely on the public cloud vendor to meet their SLAs for performance and uptime. If a public cloud provider has an outage and the end user has not architected properly for redundancy, it is at the mercy of the cloud vendor to restore services.
  • Regulatory issues. Regulations like PCI DSS (Payment Card Industry Data Security Standard), HIPAA (Health Information Portability and Accountability Act), and data privacy issues can make it challenging to deploy in a public cloud. It often requires a hybrid solution to meet these regulations, although we are starting to see some companies solve these issues entirely in the public cloud by leveraging certified SaaS solutions for those components that are hard to audit in a public cloud.
  • Limited configurations. Public cloud vendors have a standard set of infrastructure configurations that meet the needs of the general public. Sometimes very specific hardware is required to solve intensive computational problems. In cases like this the public cloud is often not an option because the required infrastructure is simply not offered by the vendor.

A private cloud is defined as:

The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

The advantage of a private cloud is that it addresses the disadvantages of the public cloud defined earlier (control, regulatory issues, and configurations). Private clouds can be on-premises or hosted in a cloud provider’s data center. In either case, private cloud end users deploy on a single-tenant environment and are not comingled with other customers. For on-premises private cloud implementations, cloud service consumers are in control of their own destiny since they still manage the data center and they have the flexibility of procuring any hardware configuration they desire. Hosted private cloud users are still dependent on their cloud service provider to provide infrastructure, but their resources are not shared with other customers. This offers the user more control and security but costs more than leveraging compute resources in a multitenant public cloud. Private clouds reduce some of the regulatory risks around data ownership, privacy, and security due to the single-tenant nature of the deployment model.

However, leveraging private clouds sacrifices some of the core advantages of cloud computing, namely rapid elasticity, resource pooling, and pay-as-you-go pricing. Private clouds do allow end users to scale up and down over a shared pool of resources, but those resources are limited to the amount of infrastructure that is bought and managed internally as opposed to leveraging a seemingly endless grid of compute resources that are readily available. This drives up costs and reduces agility because internal resources have to manage all of this physical infrastructure, and excess capacity must be procured and managed. Having excess capacity also destroys the pay-as-you-go model because the end user has already paid for the infrastructure whether it uses it or not.

To get the best of both worlds, many organizations leverage both public and private clouds, which is called a hybrid cloud. A hybrid cloud is defined as:

A composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

A best practice for hybrid clouds is to use the public cloud as much as possible to get all the benefits of cloud computing like rapid elasticity and resource pooling, but leverage the private cloud where the risks in areas of data ownership and privacy are too high for the public cloud.


AEA Case Study: Choosing Cloud Service Models

Our fictitious company mentioned in the preface, Acme eAuctions (AEA), built its entire infrastructure on-premises before cloud computing was a marketing buzzword. AEA’s management believes that moving to the cloud can give the company a competitive advantage in the following areas:

  • Speed to market
  • Flexibility
  • Scalability
  • Cost

AEA already has a huge investment in physical infrastructure, so its shift to the cloud will have to occur one piece of infrastructure and one application domain at a time. Since AEA already has a mature data center, it may choose to keep certain pieces of its architecture on-premises in a private cloud (for example, payment processing) and others in the public cloud. AEA is a prime candidate for leveraging a hybrid cloud solution. If AEA were a start-up and building a solution from scratch, it would likely build its solution 100 percent in the public cloud to eliminate the need to raise capital for building or leasing multiple data centers. For parts of its application, such as payment processing, that it deems too critical to put in a public cloud, it could leverage a SaaS solution that is certified for regulatory controls, such as PCI DSS.

The point here is that there is no one right answer to any problem. Companies have many options when it comes to cloud computing, which is why it is critical that management, architects, product managers, and developers understand the different deployment models as well as the service models. We will discuss these key decision points with more AEA examples in Chapter 5 (“Choosing the Right Cloud Service Model”).

Summary

Cloud computing is revolutionizing the way software is built and delivered. We are in a paradigm shift, moving away from a legacy model where we buy and control infrastructure and build or buy software to a new world where we consume everything as services. It is critical that managers and architects fully understand the pros and cons of cloud computing, the definitions of each cloud service model, and the definitions of each cloud deployment model. When leveraged properly, cloud computing can bring an organization unprecedented agility and greatly reduced costs while connecting the organization to a global collection of services. However, if cloud computing is not fully understood, an organization can find itself building yet another collection of IT-silo-based software solutions that never delivers on its promises to the business.

References

Gartner. (2012, November 19). “Gartner Says Worldwide Platform as a Service Revenue Is on Pace to Reach $1.2B.” Press Release. Retrieved from http://www.gartner.com/it/page.jsp?id=2242415.

Mell, P., and T. Grance (2011, September). “The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology.” Retrieved from http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf.

Security Guidance for Critical Areas of Focus in Cloud Computing v3.0. (2011). Retrieved from https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf.

a The five characteristics of cloud computing are network access, elasticity, resource pooling, measured service, and on-demand self-service.

b A private cloud is an IaaS or PaaS deployed within a service consumer’s own data center or a hosting facility’s data center and is not deployed on a shared grid with other customers. A public cloud is an IaaS or PaaS that is running in another company’s data center in a shared environment with other customers.

c Gartner predicts PaaS revenues near $1.5 billion in 2013, compared to $900 million in 2011.
