UCSF IT Security Cloud Computing Guidance - Cloud Service Basics
What is the "cloud"?
The "cloud" is a continually evolving term which broadly refers to cloud services or cloud computing. Cloud services can mean collections of applications, information, infrastructure components, and/or services which are provided as pools of resources.
The ability for these broadly accessible services to be rapidly provisioned, deprovisioned, expanded, and contracted based on demand creates a demand-driven service model which can be seen as a "pay for what you use" type of IT service.
The technologies behind cloud services can blur the lines of certain traditional computing definitions, because vendors combine products in many ways. The level of control, risk, capability, and dependence on additional solutions all vary depending on the mix of products which make up a distributed system and/or application.
There are also commercial and consumer cloud services providing many different capabilities. Most people use free or almost free cloud services for things like email, calendaring, music services, social media, online storage, and photo storage. These consumer-focused technologies may seem as if they would meet business needs, and some of them can be used under certain circumstances, but in general they are not approved for use at UCSF.
The "click through" agreements for services available on the Internet are not approved by UCOP or UCSF legal and procurement departments and only authorized individuals can enter into agreements for UC. Additionally, these agreements contain language and clauses that are problematic for business and patient care data.
Cloud Computing Service Models
NIST has created a conceptual model which depicts these interdependencies and shows how the various models and consumption of cloud services interact. The model facilitates discussions and considerations irrespective of vendor and/or product specific terms for areas such as contracting, compliance, legal, security, privacy, architecture, design, roles and responsibilities, data classification, operations, consulting, and business requirements, to name a few.
This section will introduce service and deployment models. For more detailed guidance please see the UCSF IT Security Wiki here (login required): https://wiki.library.ucsf.edu/display/ITSI/UCSF+IT+Security+Cloud+Comput...
There are generally three service models for cloud computing: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
Software as a Service (SaaS)
SaaS is generally considered an application provided to the consumer running on a cloud infrastructure. The application will be made accessible via different client platforms and devices and/or application programming interfaces (APIs). The consumer of the application will not have management responsibility or control of the underlying network, physical infrastructure, servers, databases, programming platform, storage, operating systems, or most security elements. There may be some options and capabilities exposed for use or management of the application; however, these are generally focused on the consumer's portion of the application and the respective data.
Examples of Software as a Service at UCSF include:
- SalesForce
- Box
- ServiceNow
- Qualtrics
- CrashPlan
- UCSF Drupal (Acquia hosted)
Examples of Platform as a Service (PaaS) at UCSF include:
- Amazon Web Services - please contact UCSF Procurement
- Microsoft Azure - please contact UCSF Procurement
Examples of Infrastructure as a Service (IaaS) at UCSF include:
- Amazon Web Services
- Microsoft Azure
- UCSF Datacenter VMware Hosting
Cloud Computing Deployment Models
In addition to the various Cloud Computing Service Models, these services can be deployed with varying points of access and integration within an organization's computing infrastructure and network. Leveraging the National Institute of Standards and Technology (NIST) definitions, there are four deployment models for cloud computing: private cloud, community cloud, public cloud, and hybrid cloud.
Private Cloud
A private cloud is a cloud infrastructure or service which is provisioned for use by a single organization, which may be comprised of multiple consumers. It is generally owned and operated by the organization, a contracted third party, or a combination of the two, and this infrastructure may reside on or off premises.
Community Cloud
The community cloud model is a cloud infrastructure which is provisioned for use by a specific community of consumers who are from different organizations and have a shared concern or business need. This community cloud may be owned, managed, and operated by one or many of the organizations participating in the community. The cloud infrastructure may also be provided by a third party or a combination of community members and third party companies, and may exist on or off premises.
Public Cloud
Public cloud infrastructures are provisioned for use by the general public and are generally open to use. The infrastructure will exist on the premises of the cloud provider and may be owned, managed, and operated by a combination of the businesses, academic institutions, government organizations, or third parties who consume the cloud service.
Hybrid Cloud
The hybrid cloud model is a composition of two or more of the previous models, whereby unique components are bound together by technologies enabling data and resource portability within the distributed system.