The Cloud Computing industry is starting to settle on some common terminology that is making it easier for customers to understand the products and services available, and how they might fit into their company's portfolio and needs.
What are the Types of Cloud Services?
Three types of service have gained popularity, and I have found that almost anywhere you go these are now the common terms. Each of them addresses the standard definition of cloud computing in its own way.
A Spectrum of Choice
You can think of the types of cloud services as a spectrum. The left side of this spectrum represents total control and enjoys the least economies of scale (or cost savings). The right side represents the least amount of control and the greatest economies of scale. Keep in mind that control and responsibility travel together: whichever layers of the stack you control are also the layers you must patch, configure and secure yourself.
Running Your Application On-Premises
You are likely using an on-premises hosting model today. In doing so you determine which hardware and software to buy, and exactly how it is housed and managed. You decide when patches are deployed, how much you spend on air conditioning and salaries, and just how you manage backup, high availability and disaster recovery. You are managing the complete stack needed to run the applications important to your business. Parts of this stack include: networking, storage, physical servers, virtualization software, operating systems, any middleware, the runtime (Java, .NET, etc.), the housing of your data, and the application itself.
This gives you the most control possible, but in so doing you are bearing the complete cost of the infrastructure yourself. There aren't any economies of scale where you can share the burden of management with other people, or leverage the cost savings a really large company might enjoy.
Using a Hosting Provider
Using a hosting provider is also quite common today. With hosting you have selected a vendor to take on a specific set of tasks and goals. When signing the hosting contract with them you determined exactly what hardware would be used (sometimes moving your own hardware into their facility) and how it will be patched and managed.
In this scenario you have effectively outsourced the 'doing' of your IT infrastructure, but have kept a degree of control over what is happening and how.
This model usually does represent some cost savings, and it does mean you have given up some control. You are usually locked into a vendor with a specific contract over a period of years, so the patching and management terms you negotiated are the ones you live with for that period.
IaaS - Infrastructure as a Service
The concept of Infrastructure as a Service is to provide the infrastructure your application needs, as a service. You will usually pay an hourly or monthly fee for the infrastructure you choose to consume. This is the first step of cloud computing.
With IaaS the vendor typically manages the networking, storage, physical servers, and the virtualization software. You generally still need to maintain the operating system, any middleware, the runtime (Java, .NET, etc.), the housing of your data, and the application itself. In security terms, that means operating system patching, hardening, and access control to those servers remain your job.
This frees you from worrying about hardware at all, and from building the infrastructure needed to create virtual servers. When you say you need ten servers, you get ten servers. You can then remote desktop into them and manage them like you would any normal virtual server. The servers will be hosted and maintained against whatever SLA your vendor has agreed to. As a shortcut you can think of IaaS as very sophisticated virtual server hosting. You are giving up a little more control in that you have no visibility into what hardware is being used or how it is maintained, but you are also saving by not having to buy all that hardware, especially when you don't need it.
While there are many, many vendors in this space, Amazon is the best known.
PaaS - Platform as a Service
Platform as a Service is the next stop as we cross the spectrum of choices. PaaS is the next step up from IaaS. With PaaS the vendor provides everything you need to run your application. All you need to worry about is the application itself and the model (a configuration you describe) that tells the vendor how the application should be run.
This model will determine how big the servers should be, how many servers with which standard image to use, what networking and firewall configuration should be used, and a host of other knobs that can be controlled. You can usually determine which datacenter your application will run in.
I think this is as close to cloud computing as you can get when you are running your own code. The burden of the infrastructure has been offloaded to someone else, leaving you with the control points you care about. In a true PaaS environment you have no direct control over each server, and you really don't care. You only care about saying 'I need ten servers to run this code, with this configuration. Make it so.'
With PaaS you have given up even more control compared to IaaS, freeing you up to focus on the management and code of the application itself. Along with this comes even more cost savings. Your staff can focus on the application tier (the code, its health and performance, etc.), and no longer worry about deploying or configuring operating system and middleware patches. What remains yours is everything inside the application itself, including its security.
Microsoft Windows Azure is the most popular PaaS platform right now. It does offer a way to directly control each server (via Remote Desktop). Even with this feature, you should embrace what PaaS is, learn to let the details go, and focus on your application.
SaaS - Software as a Service
Software as a Service is the oldest and most mature part of the cloud. It has been part of the IT industry for decades. Its most recent permutation was the ASP craze during the dot-com boom. ASP stood for Application Service Provider, and is exactly what SaaS is today, just a little more grown up.
SaaS is when you rent or license an application through the cloud. All of the other types of services let you run your own code or an application you bought yourself. With SaaS you are engaging a vendor to use their software. You don't know where they run it, how they manage it, or any other detail. All you have is a price and an SLA, so the contract is your only lever over how the service, and your data in it, is handled.
There are many, many examples of this. With Microsoft's Business Productivity Online Suite (soon re-launching with the name Office 365) you could get Exchange, SharePoint, CRM, and Live Meeting in any combination you wanted. They currently have 40 million users. Other examples include online project management software, time keeping software, and payroll and billing.
The advantages of SaaS are that you no longer need to deal with any of the infrastructure demands an off-the-shelf package may place on you. You can usually also adjust the number of users who can use the product up or down. With a normal on-premises package you would have to buy licenses for users and manage who was using each license. In the cloud you simply add or remove users as needed, usually paying a monthly fee per user.
While SaaS gives you the least amount of control, you usually get the most cost savings from the economies of scale that are possible.
How to Choose
With all of these options, and all of the daily advancements in cloud computing, it can be hard to pick which type of service you should select. In general, you should try to be as far right on the spectrum as you can. For example, if you are replacing your email infrastructure, it is far better to use a SaaS email service (such as Exchange mentioned above) rather than any of the other options. This will save you the most money, in licensing, hardware, and staff costs.
If you are looking to migrate an application to the cloud, or build one for the cloud, this still holds true. The only reason you would move to the left on the spectrum is to meet some limitation the application might have. For example, most applications will work in a PaaS environment, but perhaps the old application you are trying to migrate just can't work in that environment because it depends on some server customization that is not available. This would be a good time to move from PaaS to IaaS. Remember that as you move from right to left you will lose some savings and gain some manual work (including the patching and hardening of the layers you take back), and you want to avoid that if you can.
And then last but not least, sometimes the application just cannot be run in the cloud (this usually has more to do with an organization's comfort with risk than anything else). In this case it is OK to decide that a particular application is too complicated to move to the cloud and should stay put.
The cloud isn't about moving everything to the cloud, despite what some vendors try to tell you. It is about giving you more options for how you run your applications. There are simply more options out there now that can help you save money. In an economy where every IT department is being asked to shave 5%-10% off its budget, using the cloud can mean the difference between maintaining your current service level and laying someone off. Think of the hero you would be if you achieved the savings needed before you were told to.
About the Author:
Brian H. Prince is an Architect Evangelist for Microsoft. He gets super excited whenever he talks about technology, especially cloud computing, patterns, and practices. His job is to help customers strategically leverage MS technology, and help them bring their architecture to a super level. In a past life Brian was a part of super startups, super marketing firms, and super consulting firms. Much of his super architecture background includes building super scalable applications, application integration, and award winning web applications. All of them were super. Further, he is a co-founder of the non-profit organization CodeMash (www.codemash.org) and of WindowsAzureBootCamp.com. Brian was the co-author for "Azure in Action." He speaks at various regional and national technology events including TechEd. He only wishes his job didn't require him to say 'super' so much. Brian holds a Bachelor of Arts degree in Computer Science and Physics from Capital University, Columbus, Ohio. He is also a zealous gamer. For example, he is a huge fan of Fallout 3 and Borderlands.