Cloud service providers (CSPs), such as AWS, Microsoft Azure, or Google, allow companies to take advantage of the benefits of cloud computing without the strain of managing the required infrastructure. The level of responsibility that you as the consumer of these services retain versus the responsibility taken on by the CSP is determined by the cloud security service model.
You can choose an infrastructure-as-a-service model, where you are still responsible for almost everything except the physical servers, or you can opt for a serverless route, where you’re only writing code and the CSP manages everything else, including the scaling of your server capacity. Many organizations utilize a variety of these services, often from different service providers, to meet the varied needs of their organization.
Infrastructure-as-a-Service (IaaS) allows you to maintain the highest level of control over your cloud environment. The cloud service provider is responsible solely for the cloud itself, meaning the servers, network, virtualization, and data storage. They are responsible in the event of an outage or anything impacting the physical security of the infrastructure, but you maintain responsibility for your operating system, applications, and the security of the data that you’re storing in the cloud.
Use cases for IaaS include:
- If you just want to cost-effectively scale up your capacity without the costs of maintaining additional on-premises servers, you can use IaaS to simply rehost your current workloads in the cloud without making fundamental changes to them.
- You may be interested in using the cloud as a backup for your on-premises environment.
- IaaS services make it cost-effective to scale up development environments to test and launch new applications.
A Platform-as-a-Service (PaaS) model includes the infrastructure as well as an application-software platform on which to run your apps. In a PaaS model, you get all the benefits of an IaaS model, plus additional tools from the cloud service provider that can facilitate the web application lifecycle. You still manage the applications that you develop, but you don’t have to worry about software licenses, middleware, database management systems, etc. because these tools are provided by the CSP.
Use cases for PaaS include:
- You want to be able to develop cloud-based applications with less coding. With PaaS, you can use built-in software components for things like search, directory services, and workflow instead of coding them from scratch. This can benefit smaller teams that may not have the development capabilities in-house. You also have the advantage of being able to access these development tools remotely, which can be beneficial for remote development teams.
- CSPs provide other services such as business intelligence and analytics that can help you gain insights from the data you have stored in the cloud.
Software-as-a-Service (SaaS) is the most common type of cloud offering. In fact, according to 2021 Productiv data, the average company is using 254 SaaS applications. A SaaS application is any application that is accessed over the internet, such as Salesforce or email clients like Microsoft 365.
Use cases for SaaS include:
- SaaS applications have become extremely popular in recent years with the shift to remote work, as they provide the ability for users to access the applications they need, from anywhere, on any device, without the application needing to be installed on the computer.
- SaaS applications offer access to convenient data reporting and storage. They also allow for convenient scalability for apps without the traditional challenges of licensing management.
The term serverless is a bit of a misnomer because there are still servers involved in serverless computing, but in this model, developers don’t have to concern themselves with them. In a serverless model, the cloud service provider is responsible not only for the infrastructure but also for scaling the application. In an infrastructure-as-a-service model, you, as the user of the service, must pre-purchase a certain level of server capacity to run your apps. It is up to you to decide when to scale up server capacity to meet demand. Even if an app isn’t running, you’re still paying for the server capacity to host it.
In a serverless model, however, you only pay for server usage when the app is running. When an event triggers the app code to run, the CSP allocates resources to run it, and you pay for the exact amount of capacity you use while the app is running. Think of serverless as paying a water bill. You only pay for the water you use, while IaaS is like paying for a water cooler delivery service. You’ve chosen how many jugs you want to be delivered, but you’re still being charged regardless of whether or not you use all the water you purchased.
Use cases for a serverless service model include:
- You can lower your cloud costs by moving applications that run infrequently to a serverless pay-as-you-go model.
- Serverless also offers developers the opportunity to take advantage of prepacked backend services to focus on frontend development, which may be beneficial if you have a small team.
- Serverless also helps companies quickly increase their capacity in times of high demand, or when rapid application development is needed.
Serverless offerings can either be Backend-as-a-Service (BaaS) or Function-as-a-Service (FaaS). BaaS provides developers with the backend services that take place on the server, so the developer only needs to focus on frontend development, such as the user interface. FaaS is a serverless offering that allows users to cost-effectively implement microservices. In a microservice architecture, the pieces of an application are broken up into modular components. This allows one segment of the code to be changed without the potential of breaking the entirety of the application. In FaaS, the CSP takes care of deploying the microservices in containers so that developers can focus on writing the application code.
Selecting the Right Service Model
According to Palo Alto’s 2022 Cloud Native Security Report, the number of workloads hosted in PaaS and serverless environments rose by 20 percentage points in 2021. This may partly be due to the support these environments provide for rapid application development, a priority for many companies in response to the digitalization during the COVID-19 pandemic. That being said, utilizing cloud provider services does mean giving up a level of security control. A serverless model is also not always cost-efficient if you’re constantly running applications, because you pay for the capacity you use.
Selecting which cloud service models to take advantage of will depend on the capabilities you have in-house to manage them, as well as the level of control you want to have over the development and security of your applications. RH-ISAC members can seek advice from fellow members on the best cloud services on Member Exchange, RH-ISAC’s member community.