XaaS, Part 2: Infrastructure as a Service (IaaS)

Aug 27, 2019 9:05:33 AM |

Brigitte Baucke

Social Share:

Getting Started with IaaS

As a businessperson, deciding whether to deploy an aspect of your business to the cloud can be an ordeal, especially if cloud computing discussions are not a standard part of your workday. In XaaS Part 1, we defined cloud computing, the three standard cloud services models, and four cloud computing architectures. AdobeStock_211795866

This post will delve into Infrastructure as a Service (IaaS), one of the three standard cloud services models. Before moving on, here are key terms to note:

  • Deploy – The processes (installation, configuration, testing) involved in getting a new software or hardware up and running.
  • Infrastructure – The physical or virtualized foundation (hardware and software) that supports a system.
  • Managed Service Provider (MSP) – A vendor that supplies IT services as an alternative to in-house IT personnel or departments. Can manage on-premises and cloud services depending on the terms of service.
  • On-Premises ("on-prem”) – Refers to software installed and directly managed in-house by the organization rather than remotely via a third-party.
  • Platform – The base upon which other applications and processes are developed in computing. The hardware device and an operating system from which software is executed.
  • Small and Medium-Sized Business (SMBs) – Businesses with fewer than 1000 employees. Sometimes referred to as Small and Medium-Sized Enterprises (SMEs). Label also used to describe businesses that have less than $1 billion in annual revenue.

On-Premises vs IaaS

Traditionally, organizations have managed enterprise applications on-premises with the use of in-house IT resources and personnel or an MSP to oversee the underlying infrastructure. This deployment method affords the organization full responsibility and control over the server(s), storage, networking, virtualization, operating system(s), middleware, runtime, data, and application(s). With on-premises deployment, the infrastructure is housed by the organization in a data center.

IaaS is the alternative to this traditional deployment method. Through this cloud service model, organizations use provider-managed servers, storage, networking, and virtualization resources to support enterprise applications. Organizations may use IaaS to host custom applications or off-the-shelf software. Some providers even offer the convenience of cost-efficient bundled licenses. Well-known cloud infrastructure service providers include Amazon Web Services (AWS) EC2, DigitalOcean, Google Compute Engine (GCE), Microsoft Azure, and Rackspace.

Though not necessarily low-cost, cloud infrastructure saves organizations from the capital investment necessary to deploy and support required hardware and software. Through shared resources, organizations have access to processing power and rapid deployment capabilities. Not surprisingly, IaaS gives SMBs the ability to catch up to competitors with larger IT budgets.

Even so, a capital investment may be more economical than pay-per-use given the organization’s size and capacity. There are online calculators that help you decide whether to build or buy services based on your organization’s technical needs. The decision should align with organizational goals and to help improve overall efficiency.

Benefits of IaaS

Regardless of the size of your organization, it cannot be said enough: compulsory due diligence is necessary to reap the benefits associated with cloud-based infrastructure. After all, there is not a one size fits all solution. Benefits include:

  • Reduced Maintenance Expenses - Third-party providers handle maintenance of the hardware and enable in-house or outsourced IT personnel to narrow their focus to the management of the operating system(s), middleware, runtime, data, and application(s) the enterprise relies on for operations.
  • Flexibility to Scale up or Down – On demand access to cloud-based resources means your organization can adapt to ever-changing business demands and pay based on usage. Note, cloud infrastructure is not necessarily cheaper, but reducing costs associated with buying expensive proprietary hardware no longer becomes the focal point.
  • Improved Security and Availability – Depending on your organization’s needs, the cloud infrastructure provider may also serve as a means of improving the security and availability of the organizations data. The provider may offer business continuity and disaster recover features improving your ability to protect customer and proprietary data from catastrophic incidents in the process.

These three benefits are not exhaustive; however, they are major influencing factors in the decision to choose cloud-based infrastructure. It is important to note, though visibility into the infrastructure changes, there are still things the organization must manage, even if remotely.

Risks Associated with IaaS

As we saw above, your organization is only shifting the responsibilities associated with installing and supporting servers, storage, networking, and virtualization resources. They supply the foundation on which your organization’s IT infrastructure exists. The rest is the responsibility of the organization, including the operating system(s), middleware, runtime, data, and application(s).

Misunderstanding these responsibilities has dire outcomes. Here are a few risks to consider when shopping around for a provider and ironing out contracts and service level agreements (SLAs).

  • Insufficient Service Monitoring - Not keeping up with the cloud infrastructure and relying entirely on the third-party without understanding which services the agreements include may lead to unwanted surprises and avoidable costs. It is important to understand what level of availability the provider considers adequate to fulfill agreements in place since availability is your organization’s responsibility.
  • Weak Data Security – While security and availability at a third-party data center may be leagues beyond what your organization can provide, it cannot be taken for granted. Data security is the responsibility of your organization and must be a primary concern. This means having to have safeguards in place to account for system failures at the cloud service provider. These contingencies can be developed alongside the provider or using outside services.
  • Inconsistent Service Quality – Not all cloud service providers can manage your business needs. Having proper policies and procedures in place before and after picking a third-party service provider can protect your organization. This can include vendor risk assessments, enforced business associate agreements, and vendor review processes that include updating contracts, revisiting SLAs, and requesting independent audit reports.
  • Poor Access Controls – Multi-tenant environments that are associated with public, hybrid, and community cloud architectures bring with them the need for increased watchfulness. Without proper access controls, organizations risk leaking information and falling prey to insider abuse. Adequate logical and physical controls need to be in place to prevent the unauthorized access and misuse of confidential data.

Asking the right questions upfront and ensuring your organization has the foundation required to incorporate a third-party participant is crucial. This process does not have to be daunting. Seek out the help of consultants knowledgeable about your business and involve key IT personnel throughout the process.

Security Considerations

Once you have determined that IaaS makes sense for your organization, it is important to understand the security concerns unique to or magnified by the cloud.

  • Multi-Tenant Breach – While your logical and physical controls may be far above most, that does not create an impenetrable barrier against the impact of a multi-tenant cyber-attack. Having enterprise credentials on the dark web or customer data can be permanently damaging depending on who gets the credentials. It is important to understand what mitigating controls your prospective service provider has in place to prevent such threats and to protect you from the poor security habits of other tenants.
  • Right to Audit – Cutting corners is not advisable when it comes to finding a service provider who understands your business and has the ability to keep your organization protected. There should be reasonable assurance that your data is secure. For this reason, organizations often choose to rely on well-known service providers. Ensure your final agreement includes a provision that give you the right to audit or the right to see a third-party audit report for the service organization.
  • Disaster Recovery – Protecting your organization’s sensitive and confidential data from loss is vital. Keep and test backups regularly to safeguard from the full impact of catastrophic data loss. The cloud infrastructure provider does not automatically factor backups or disaster recovery into your services.

By including IT leadership or the services of an MSP in the absence of inhouse resources, your organization can determine which mitigating controls are already in place and which need to be for a successful transition.

Final Thoughts

As cloud computing becomes more widespread, cloud service providers are competing to exceed the expectations of their customers. In addition to the larger providers, there are providers who specialize in specific industries such as banking, government services, and healthcare. Regardless of who you choose, having a long-term vision is critical when wading through potential providers. While committing is often extremely simplified, transitioning from one provider to another is another feat altogether.

With that in mind, keep educating yourself on the various cloud service models so that you can determine which combination of features work best to boost efficiency at your organization. In the next part of the series, we will explore Platform as a Service (PaaS). This cloud service model builds on IaaS by also offering provider-hosted and managed operating systems, middleware, and runtime. While the organization is still responsible for the data and applications on the cloud infrastructure, visibility into the underlying cloud architecture shrinks even further. Understanding changing responsibilities will enable your organization to reap the benefits of each cloud computing service model.

Additional Resources:

https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=528530

https://searchcloudcomputing.techtarget.com/definition/Infrastructure-as-a-Service-IaaS

https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/mistakes-in-the-iaas-cloud-could-put-your-data-at-risk.pdf

https://webobjects.cdw.com/webobjects/media/pdf/Solutions/Cloud-Computing/122220-White-Paper-Banking-on-IaaS.pdf

COMMENTS

THIS POST WAS WRITTEN BY Brigitte Baucke

Brigitte serves as a cyber risk analyst at HORNE LLP where she specializes in IT risk related assurance services for the HORNE Cyber Assurance group. She provides analytic expertise regarding policy design and implementation as well as IT compliance. Brigitte also consults on information systems environment compliance and management for public and middle market clients.