October 8, 2018
The tech industry is big on buzzwords. Terms like “the Internet of Things,” “Big Data,” and “Machine Learning” are just a few often found in tech blogs, but none seem as prevalent as the most nebulous culprit: “the cloud.” Although the term can seem both vague and impressive, the cloud is something anyone with internet access has encountered; it simply refers to software and services that run online rather than locally. Most cloud-based services can be accessed through a web browser; common examples are iCloud, Google Drive, Netflix, and Dropbox. Two advantages of cloud-based services are that information is accessible from any device with an internet connection, and that the user no longer has to manage local storage space.
Figure 1: The cloud, as it relates to your devices.
However, hosting data in the cloud can be a source of unease for many large enterprises (and some smaller ones) that have an established technical routine. IT professionals are often concerned with data security, data residency, network accessibility issues, and unforeseen expenses. Although this apprehension is understandable, advances in cloud technologies by leading providers, such as Amazon, Microsoft, and Google, have addressed most of these concerns. This whitepaper provides an overview of three main consideration areas in cloud technology, namely security, availability, and expense, and highlights how today’s leading cloud technology providers address them.
Perhaps the most common fear corporations have about the cloud is that of insufficient security. After all, choosing to entrust a third party with private data is effectively entrusting them with the success of the company. Executives often believe that data could be better secured on a physical server located on the premises of the company. However, this logic is short-sighted—while it is possible that a company could secure data better than some leading cloud providers, doing so would likely require additional expenses, including hardware, supply chain, and personnel, and it would overcomplicate daily operations.
Public cloud providers do not take full responsibility for the security of customer data; instead, most publish a shared responsibility model that states which controls the provider operates and which remain with the customer. Amazon frames its version as security “of” the cloud versus security “in” the cloud: AWS owns the physical facilities, hardware, network, and virtualization layer, while the customer owns its data, identity and access management, guest operating systems, and application configuration. Patch management and configuration management are listed as shared controls, because AWS patches and configures the underlying infrastructure and the customer must do the same for everything it deploys on top. Anything on the customer’s side that is left undone, such as a storage bucket or database opened to the public, is the customer’s exposure, not the provider’s.
Figure 2: Amazon’s shared responsibility model.
Because leading providers invest in infrastructure controls at a scale few enterprises can match, data hosted with them is usually better protected at the infrastructure layer than in a typical corporate data center, provided the customer carries out its side of the model. Providers such as Amazon, Microsoft, and Google have the physical and capital resources to guard that layer much more closely than non-technical (or even technical, but non-cloud) corporations.
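The customer’s half of the model is mostly configuration. As an added example (not code from this whitepaper or from AWS), the script below audits S3 bucket policies for grants to anonymous principals, the misconfiguration behind most “leaky bucket” incidents. The policy documents, bucket names, account ID, and VPC endpoint ID are constructed for the demo; in practice the JSON would come from GetBucketPolicy for every bucket in the account and the check would run on a schedule.

```python
"""Audit S3 bucket policies for anonymous access (added example, not code from
the whitepaper or from AWS). Policy documents are constructed inline so the
script runs offline; in practice they would be fetched with GetBucketPolicy."""
import json

# Permissions that expose data or listings when granted to everyone.
SENSITIVE_ACTIONS = {"*", "s3:*", "s3:Get*", "s3:GetObject", "s3:List*",
                     "s3:ListBucket", "s3:Put*", "s3:PutObject"}


def _as_list(value):
    """IAM lets most elements be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json):
    """Return (sid, actions, has_condition) for each Allow statement that grants
    a sensitive action to anonymous principals. Deny statements are skipped,
    since a Deny to "*" tightens access. A Condition block (e.g. aws:SourceVpce)
    may restrict the grant, so such statements are reported with
    has_condition=True for manual review rather than silently accepted."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        if not SENSITIVE_ACTIONS.intersection(actions):
            continue
        sid = stmt.get("Sid", f"statement-{index}")
        findings.append((sid, actions, "Condition" in stmt))
    return findings


def bucket_exposure(policy_json):
    """Classify a bucket policy as 'public', 'conditional' or 'private'."""
    findings = find_public_statements(policy_json)
    if any(not has_condition for _, _, has_condition in findings):
        return "public"
    return "conditional" if findings else "private"


# Constructed sample policies; bucket, account and VPC endpoint IDs are made up.
PUBLIC_READ = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"}]})

LOCKED_DOWN = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-data/*"},
        # Deny to everyone without TLS: a "*" principal here is not a finding.
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-data/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

VPC_ENDPOINT_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FromOurEndpoint", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})

if __name__ == "__main__":
    for name, policy in [("PUBLIC_READ", PUBLIC_READ),
                         ("LOCKED_DOWN", LOCKED_DOWN),
                         ("VPC_ENDPOINT_ONLY", VPC_ENDPOINT_ONLY)]:
        print(f"{name}: {bucket_exposure(policy)} {find_public_statements(policy)}")
```

A bucket policy is only one of the ways a bucket becomes public; object and bucket ACLs and the account-level Block Public Access settings also matter, so this check belongs alongside those, not instead of them.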
Although security is a common concern among companies considering the cloud, keeping data on-premises does not by itself prevent breaches. One example is the 2015 breach of Anthem’s own servers, in which attackers stole sensitive records of nearly 80 million customers; the incident cost Anthem well over 100 million dollars, including a 115 million dollar class-action settlement.
Of course, this is not to say that data breaches do not happen in the cloud. In 2014 a large number of private photos were leaked from customers’ iCloud accounts. Reporting at the time attributed the compromises in large part to a bug, reportedly disclosed to Apple months earlier, that let a client make unlimited login attempts against an account without being throttled or locked out, which made brute-force and dictionary attacks on passwords practical. (Apple’s own statement described targeted attacks on user names, passwords, and security questions rather than a breach of iCloud’s infrastructure.) The lesson is the same either way: authentication endpoints need rate limiting, lockout, and multi-factor authentication, and those are application-layer controls that sit above the infrastructure a provider secures.
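To make the missing control concrete, here is an added example (not Apple’s code; account name, thresholds, and password list are assumptions for the demo) of per-account login throttling with exponential lockout. It replays a constructed dictionary attack at one guess per second and shows how few guesses actually reach the password check. Time is passed in explicitly so the replay is deterministic and runs offline.

```python
"""Login throttling that turns a brute-force run into a handful of checked
guesses (added example; not Apple's code, thresholds are assumptions)."""
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILURES = 5             # consecutive failures tolerated before lockout
BASE_LOCKOUT_SECONDS = 60    # first lockout; doubles with each further lockout
MAX_LOCKOUT_SECONDS = 3600
PBKDF2_ROUNDS = 100_000      # slow hash so every guess costs CPU; production uses more
DUMMY_SALT = b"\x00" * 16    # unknown users are hashed too, so timing is uniform


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AccountState:
    failures: int = 0          # failures since the last success or lockout
    lockouts: int = 0          # lockouts so far; drives the exponential backoff
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGuard:
    def __init__(self, users):
        self._users = users    # {username: (salt, password_hash)}
        self._state = {}       # {username: AccountState}

    def attempt(self, username, password, now):
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
        state = self._state.setdefault(username, AccountState())
        if now < state.locked_until:
            return "locked"    # refused before the password is even checked
        record = self._users.get(username)
        if record is None:
            hash_password(password, DUMMY_SALT)   # same cost as a real user
            valid = False
        else:
            salt, expected = record
            valid = hmac.compare_digest(expected, hash_password(password, salt))
        if valid:
            state.failures = state.lockouts = 0
            return "ok"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            delay = min(BASE_LOCKOUT_SECONDS * 2 ** state.lockouts, MAX_LOCKOUT_SECONDS)
            state.failures = 0
            state.lockouts += 1
            state.locked_until = now + delay
        return "denied"


# Constructed demo account; a real salt would come from os.urandom(16).
DEMO_SALT = bytes(range(16))
DEMO_PASSWORD = "correct horse battery staple"
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou",
            "admin", "welcome", "monkey", "dragon", "football"]  # none is correct


def make_demo_guard():
    return LoginGuard({"alice": (DEMO_SALT, hash_password(DEMO_PASSWORD, DEMO_SALT))})


def simulate_dictionary_attack(guard, username, wordlist, seconds):
    """Replay one guess per second for `seconds` seconds; return outcome counts."""
    counts = {"ok": 0, "denied": 0, "locked": 0}
    for t in range(seconds):
        guess = wordlist[t % len(wordlist)]
        counts[guard.attempt(username, guess, now=float(t))] += 1
    return counts


if __name__ == "__main__":
    guard = make_demo_guard()
    print(simulate_dictionary_attack(guard, "alice", WORDLIST, seconds=120))
    # While a lockout is in force even the real password is refused.
    print(guard.attempt("alice", DEMO_PASSWORD, now=120.0))
```

Over a two-minute run only ten guesses are ever checked against the stored hash; the rest are rejected by the lockout. The trade-off is visible in the last line: an attacker who knows a user name can keep that account locked, so real deployments combine account lockout with per-source throttling, CAPTCHA or device-based challenges, and a second factor rather than relying on lockout alone.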
It is important to note that many technology analysts do not count Apple as a key player in the cloud infrastructure market. Apple offers consumer cloud services, but it does not sell Infrastructure as a Service (IaaS), the category organizations rely on when moving their assets from on-premises to hosted environments, and it does not expose infrastructure security controls to outside customers the way IaaS providers do. Levvel and many industry analyst firms see Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) as leaders in the IaaS space, as each offers both free and paid security measures as part of its platform, as well as a shared responsibility model. (Infrastructure security does not protect against application-level attacks; the 2017 Equifax breach, which exploited an unpatched vulnerability in the Apache Struts web framework, is a prime example.)
When organizations decide to move their assets to the cloud, it is important that they consider service providers with the right security measures in place. The following section explores the noteworthy security attributes of today’s leading cloud/IaaS technology companies.
Amazon Web Services’ infrastructure offers several security capabilities and services to increase privacy and control network access. These include:
Figure 3: Amazon’s network security, as shown through the virtual private cloud.
Beyond infrastructure, AWS offers the ability to add an additional layer of security to data at rest and in transit in the cloud. This includes:
Moreover, AWS offers several tools that ensure resources comply with organizational standards and best practices. These include:
Figure 4: An overview of Amazon services that integrate with CloudWatch.
Microsoft Azure public cloud services support a broad selection of operating systems, programming languages, frameworks, tools, and databases that developers already trust. Because Microsoft recognizes that building on or migrating to a public cloud provider entrusts the provider with the security of these assets, Azure is designed to safely host millions of customers at once. A variety of configurable security options provide the ability to control and customize services to fit an organization’s requirements.
Microsoft protects the physical infrastructure behind Azure in the following ways:
Azure also offers the following services and features for customers to further secure their data and applications:
Figure 5: Capabilities provided by Azure Log Analytics.
Google Cloud Platform builds security through progressive infrastructure layers, as outlined below:
Google offers additional network security with products that define and enforce the perimeter, allow for network segmentation and remote access, and defend against DDoS attacks, in the following ways:
Figure 6: An overview of GCP security measures.
When enterprises consider moving their infrastructure or data into the cloud, the second priority after security is typically availability. If the success of the company depends on an online shop, for example, each hour of downtime could cause significant damage to profitability, and past outages at services such as Dropbox and GitHub have shown that recovery can take hours or even days.
Cloud service providers know that availability is a key factor for clients looking to migrate their infrastructure, and many guarantee over 99.0% availability as part of their service level agreements (SLAs). The following section explores how today’s leading cloud service providers back that guarantee.
Amazon (like many providers) publishes an SLA for each of its major services to guarantee uptime percentages and establish minimum expectations for users. To take one example, the S3 (storage) SLA grants service credits when the monthly uptime percentage falls below 99.9%. In the S3 formula, the error rate for a five-minute period is the number of internal server errors returned by S3 divided by the number of requests of the applicable request type in that period, and the monthly uptime percentage is 100% (no errors) minus the average of the error rates of every five-minute period in the monthly billing cycle.
Aside from the SLA, Amazon’s global infrastructure spans 18 geographic regions that together comprise 55 availability zones (AZs) around the world. This allows AWS to provide high availability when hosting applications or storing data. Additionally, cross-region replication is available in database solutions and S3 offers redundant storage across a minimum of three availability zones.
Figure 7: The benefits of the AZ structure provided by Amazon.
Similar to AWS, Azure publishes SLAs for virtual machines (as well as for containers, databases, Internet of Things services, and so on) that guarantee uptime percentages. For virtual machines deployed across availability zones, monthly uptime percentage is calculated as (maximum available minutes − downtime) / maximum available minutes × 100, where maximum available minutes is the total number of minutes in a billing month during which two or more instances are deployed across two or more availability zones in the same region, and downtime is the number of those minutes with no virtual machine connectivity in the region.
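The two formulas above are easy to get wrong when reconstructed from monitoring data, so here is an added example (not AWS or Microsoft code) that computes both from constructed inputs: per-request outcomes bucketed into five-minute windows for S3, and per-minute region state for a zone-redundant Azure VM deployment. Credit tiers are passed in as a parameter because the schedules differ by service and SLA version; the tier values in the demo are illustrative and the SLA in force should be consulted before relying on them.

```python
"""Monthly uptime per the S3 and Azure VM SLA formulas (added example; not AWS
or Microsoft code). Inputs are constructed inline; credit tiers are illustrative."""
from collections import defaultdict

FIVE_MINUTES = 300


def s3_monthly_uptime(requests):
    """requests: iterable of (epoch_seconds, http_status) for one request type.
    Error rate per five-minute window = 5xx responses / total requests;
    uptime = 100 - average of those window error rates (in percent).
    Windows with no requests are skipped (assumption: they carry no error rate)."""
    totals = defaultdict(int)
    errors = defaultdict(int)
    for ts, status in requests:
        window = ts // FIVE_MINUTES
        totals[window] += 1
        if 500 <= status <= 599:
            errors[window] += 1
    if not totals:
        return 100.0
    rates = [errors[w] / totals[w] for w in totals]
    return 100.0 - 100.0 * sum(rates) / len(rates)


def azure_vm_monthly_uptime(minutes):
    """minutes: iterable of (eligible, connected), one per minute of the month.
    eligible: two or more instances deployed across two or more availability
    zones in the region (these minutes form 'maximum available minutes');
    connected: at least one VM reachable in the region.
    uptime = (max_available - downtime) / max_available * 100."""
    max_available = downtime = 0
    for eligible, connected in minutes:
        if not eligible:
            continue               # minute does not count toward the SLA at all
        max_available += 1
        if not connected:
            downtime += 1
    if max_available == 0:
        return 100.0
    return (max_available - downtime) / max_available * 100.0


def service_credit(uptime_pct, tiers):
    """tiers: [(threshold_pct, credit_pct)]; returns the credit for the lowest
    threshold the uptime falls below, or 0 if every threshold is met."""
    for threshold, credit in sorted(tiers):
        if uptime_pct < threshold:
            return credit
    return 0


def make_sample_s3_requests():
    """Constructed traffic: four windows, three clean and one with 1.2% 5xx."""
    requests = []
    for window, (count, bad) in enumerate([(1000, 0), (1000, 0), (1000, 0), (1000, 12)]):
        base = window * FIVE_MINUTES
        for i in range(count):
            requests.append((base + i % FIVE_MINUTES, 503 if i < bad else 200))
    return requests


def make_sample_azure_minutes():
    """Constructed 30-day month: single-zone (ineligible) on day one, then a
    30-minute loss of region connectivity on day ten."""
    month = []
    for minute in range(30 * 24 * 60):
        eligible = minute >= 24 * 60
        connected = not (10 * 24 * 60 <= minute < 10 * 24 * 60 + 30)
        month.append((eligible, connected))
    return month


# Illustrative credit schedules; take the real ones from the SLA in force.
S3_TIERS = [(99.9, 10), (99.0, 25)]
AZURE_VM_TIERS = [(99.99, 10), (99.0, 25)]

if __name__ == "__main__":
    s3 = s3_monthly_uptime(make_sample_s3_requests())
    az = azure_vm_monthly_uptime(make_sample_azure_minutes())
    print(f"S3 uptime {s3:.3f}% -> credit {service_credit(s3, S3_TIERS)}%")
    print(f"Azure VM uptime {az:.3f}% -> credit {service_credit(az, AZURE_VM_TIERS)}%")
```

Two points the formulas hide are worth noticing in the output: a single bad five-minute window drags the S3 average down for the whole month regardless of how much traffic it carried, and minutes in which the Azure deployment was not actually zone-redundant simply do not count, so a single-zone deployment earns no credit however long it is down.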
Azure operates data centers around the world, grouped into geographic regions that let customers choose where to run applications. Within a data center, Azure provides availability sets, logical groupings of VMs that make application redundancy possible. The VMs in an availability set are spread across fault domains (groups of underlying hardware that share a power source and network switch), so that a single hardware failure, network outage, or power interruption takes down only part of the set, and across update domains, so that planned maintenance restarts only one group of VMs at a time.
Figure 8: An overview of the Azure Compute SLA.
Google’s Compute Engine SLA defines “covered service” as instances and load balancing hosted as part of the Google Compute Engine service. “Downtime” is defined separately for instances and load balancing, but in short, it refers to loss of external connectivity (except as a result of a VPN service failing to serve traffic). A “downtime period” is a period of one or more consecutive downtime minutes; partial minutes are not counted. Similar to Amazon and Microsoft, financial credits are available for users who experience downtime and report it to Google technical support within thirty days of the incident.
Google offers regions and zones to run resources in a way that tolerates failures and reduces network latency. A region is a specific geographical location where resources run; each region comprises one or more zones. When resources are distributed across multiple zones and regions, the loss of any one zone is tolerated, which yields far higher availability than a single-zone deployment.
Regardless of the industry, executives are not keen on paying more than they have to. When the cloud was first reaching widespread adoption, this was much more of an issue: companies overestimated their needs, and cloud providers required upfront purchases of storage space for fixed periods rather than offering a “pay as you go” model. The latter has since become the standard, which has made the cloud arguably the most cost-efficient method of application hosting and data storage. Enterprises are now able to shift capital expenditure to operating expenditure, leverage economies of scale, and avoid wasting money on over-provisioned resources.
The following section explores the various pricing models of today’s leading cloud service providers, and how these providers help customers better manage their cloud expenses.
Figure 9: Cost benefits of the cloud.
Amazon offers “pay as you go” pricing for over 100 cloud services. For businesses that can accurately estimate the computing power they need, further savings are available with reserved instances: EC2 (Amazon VMs) and RDS (relational database) reserved instances save up to 75% over equivalent on-demand capacity, with larger discounts for upfront payment. Should a business need heavy computing power for only a short period of time, EC2 Spot Instances sell spare capacity at steep discounts of up to 90% compared to on-demand pricing, with the caveat that AWS can reclaim that capacity at short notice, so spot workloads must tolerate interruption.
AWS CloudWatch, Trusted Advisor, and Cost Explorer also allow for advanced monitoring and cost analysis of services. CloudWatch tracks metrics, monitors log files, and sets alarms that can automatically react to changes in resources (including when certain billing thresholds are passed). Trusted Advisor assists in provisioning resources that follow best practices and thereby improve performance, increase security, and cut excessive costs. Cost Explorer, as the name suggests, gives in-depth reports analyzing cost and usage throughout the AWS platform.
Figure 10: An overview of AWS Trusted Advisor.
Like AWS, Azure offers flexible purchase and pricing options for all cloud scenarios. With reserved VM instances, customers can save up to 72% over “pay as you go” pricing with an up-front one- or three-year commitment. Additionally, Azure Hybrid Benefit allows on-premises Windows Server / SQL Server licenses to save money when migrating a few workloads or entire data centers to the cloud.
All cloud resources can also be monitored with Azure Cost Management, which is available for free to customers. Cost management offers all of the following:
Customers can also monitor and visualize cloud usage and costs through Azure APIs that allow for full visibility into resource consumption and costs across cloud platforms in a single, unified view. All cost management capabilities are designed to optimize cloud efficiency.
Google offers customer-friendly pricing; no upfront costs, “pay as you go” options, and no termination fees. Additionally, Google provides several benefits that are not found in other providers like Azure and AWS:
Figure 11: An example of savings possible with Google’s custom sizing.
In today’s world of mobile, social, cloud, and big data analytics, speed and security are critical, and private clouds and local servers struggle to keep up. Although storing data in a “public” place seems to imply compromising the integrity of company assets, this is not the case when the customer meets its share of the responsibility model. Leading cloud providers such as Amazon, Microsoft, and Google operate advanced infrastructure that protects privacy and controls network access. Enterprises also fear lack of availability in the cloud, as internet connectivity is necessary to access anything stored or hosted there. However, since all leading providers back their SLAs with service credits when availability drops below roughly 99%, it is in the provider’s own interest to keep clients’ information accessible at all times.
Lastly, while these features may sound expensive, the public cloud still offers considerable savings compared to local hosting. With security, availability, and savings that are difficult to compete with, organizations would be wise to invest in the public cloud and take full advantage of the countless benefits it offers.
Levvel’s Cloud Practice combines decades of traditional architecture, development, security, and infrastructure experience with a complete mastery of available and emerging cloud offerings. Our client-centric approach focuses first on understanding your business needs and goals, then selecting the right cloud technology to make you efficient, agile, and scalable. We tailor custom solutions to fit within your business processes, simultaneously reducing TCO and downtime while increasing productivity, security, ROI, and speed to market. For more information, contact firstname.lastname@example.org.
Samantha is an experienced, AWS-certified cloud architect at Levvel, where she has worked with application development, cloud enablement, and architecture assessment efforts for a variety of clients. She has over five years of experience in technical strategy and delivery for clients ranging from startup to Fortune 500 companies. Samantha specializes in serverless machine intelligence and virtualized resources, and enjoys writing (technical and otherwise) in her free time. She has a B.S. in Computer Science and a B.A. in Spanish from the University of Virginia.