Federal Office for Information Security (BSI)

Cloud Computing Basics

Target groups

The following basic information is relevant to all target groups.

What is Cloud Computing?

So far, no generally applicable definition of the term cloud computing has gained acceptance. The definitions used in publications and speeches are similar in most cases, but still vary from one to the next. The definition most commonly used among experts is that of the US standardisation body NIST (National Institute of Standards and Technology). This definition is also used by ENISA (European Network and Information Security Agency):

"Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computer resources (e.g. networks, servers, storage systems, applications and services) that can be provisioned rapidly and released with minimum management effort or service provider interaction."

According to the NIST definition, a cloud service is characterised by the following five characteristics:

  1. On-Demand Self-Service: The resources (e.g. computing power, storage) are provisioned automatically without any interaction with the service provider.
  2. Broad Network Access: The services are available with standard mechanisms via the network and are not bound to a specific client.
  3. Resource Pooling: The resources of the provider are available in a pool which many users can draw on (multi-tenant model). The users do not know where the resources are, but can contractually agree on the storage location, such as the region, country or data centre.
  4. Rapid Elasticity: The services can be provided rapidly and elastically, in some cases also automatically. From the user’s point of view, the resources thus seem to be infinite.
  5. Measured Services: The utilisation of resources can be measured and monitored, and the resources can be provisioned to the cloud users accordingly.

This definition reflects the vision of cloud computing, but the individual aspects should not be interpreted dogmatically. In the case of private clouds, for example, ubiquitous availability might not be sought at all.

According to the Cloud Security Alliance (CSA), cloud computing also has the following characteristics in addition to the elasticity and the self-service mentioned above:

  • A service-oriented architecture (SOA) is one of the basic prerequisites for cloud computing. The cloud services are usually offered via a REST API.
  • In a cloud environment, many users share the same resources, which means that the cloud environment must be multi-tenant capable.
  • Only the resources actually used are paid for (pay-per-use model), but there may also be flat-rate models.

Definition of Terms

To ensure that a uniform basis is available for all future work related to cloud computing, the BSI has specified the following definition for the term "cloud computing":

Cloud computing is understood as offering, using, and billing IT services, dynamically adapted to the requirements, via a network. These services are offered and used exclusively by means of defined technical interfaces and protocols. The range of services offered within the cloud computing framework covers the entire spectrum of information technology and includes, among other things, infrastructure (e.g. computing power, storage space), platforms and software.

What Distinguishes a Public Cloud from a Private Cloud?

NIST differentiates between four deployment models:

  1. In a private cloud, the cloud infrastructure is only operated for one organisation. It can be organised and managed by the organisation or a third party and can be located in the data centre of the organisation or a third-party organisation.
  2. The term public cloud is used if cloud services may be used by the general public or a large group, such as an entire industry, and the services are made available by one provider.
  3. Within a community cloud, the infrastructure is shared by several organisations with similar interests. Such a cloud may be operated by one of these organisations or a third party.
  4. If several cloud infrastructures, each of which is independent, are used jointly via standardised interfaces, this is referred to as a hybrid cloud.

The definitions above, however, do not cover all variants of cloud offerings, which has led to additional definitions such as “virtual private cloud”.

Which Different Service Models are Offered in Cloud Computing?

In general, a distinction can be made between three different categories of service models:

  1. Infrastructure as a Service (IaaS)
    In the case of IaaS, IT resources such as computing power, data storage devices or networks are offered as a service. A cloud customer purchases these virtualised and highly standardised services and builds their own services for internal or external use. For example, a cloud user may rent computing power, memory and data storage devices and run an operating system with applications of their choice on it.
  2. Platform as a Service (PaaS)
    A PaaS provider makes an entire infrastructure available and, on the platform, offers the customer standardised interfaces which are used by services of the customer. For example, the platform can provide multi-client capability, scalability, access control, database accesses etc. as a service. The customer has no access to the underlying layers (operating system, hardware), but is able to run its own applications on the platform; the cloud service provider (CSP) usually offers its own tools for developing them.
  3. Software as a Service (SaaS)
    This category includes all offers of applications meeting the criteria of cloud computing. There are no limits to the range of offers. Examples include contact data management, financial accounting, word processing or collaboration applications.

The term “as a service” is also used for a number of additional offers, such as Security as a Service, BP (Business Process) as a Service and Storage as a Service, so that the term “XaaS”, i.e. “something as a service”, is frequently used. Most of these offers can be assigned at least roughly to one of the categories above.

The service models also differ in the customer’s influence on the security of the offered services. In the case of IaaS, the customer has full control of the IT system from the operating system upwards, since everything is operated within their sphere of responsibility. In the case of PaaS, the customer only has control of their applications that run on the platform and, in the case of SaaS, the customer practically hands over the entire control to the CSP.

What Distinguishes Cloud Computing from Conventional IT Outsourcing?

In outsourcing, the work, production or business processes of an organisation are transferred completely or partially to external service providers. This is an established part of organisational strategies today. In most cases, conventional IT outsourcing is designed so that the complete rented infrastructure is used exclusively by a single customer (single-tenant architecture), even if outsourcing providers usually have several customers. Moreover, outsourcing contracts are most often concluded over longer contract periods.

Using cloud services is similar to conventional outsourcing in many respects, but there are also several differences which have to be taken into account:

  • For economic reasons, several users share a jointly used infrastructure in a cloud.
  • Cloud services are dynamic and thus scalable in both directions within much shorter periods. Thus, cloud-based offers can be adapted more quickly to the customer’s actual needs.
  • The cloud services used are usually controlled by the cloud users themselves by means of a web interface. Thus, the user can automatically tailor the services used to their individual needs.
  • With the technologies used for cloud computing, it is possible to distribute the IT performance dynamically over several locations that can be widely distributed geographically (both at home and abroad).
  • The customer can easily administer the services used and their resources via web interfaces or other suitable interfaces, requiring little interaction with the provider.

All information is also available in German.