Guideline
UCSF IT Security Cloud Computing Guidance - Cloud Service Basics
Impacted Services: IT Security Outreach and Training
Overview: What is the "cloud"?
The "cloud" is a continually evolving concept that broadly references cloud services, or cloud computing. Cloud services can mean collections of any or all of the following: applications, information, infrastructure components and services provided as pools of resources.
The ability for these broadly accessible services to be rapidly provisioned, deprovisioned, expanded and contracted based on demand creates a demand-driven service model, which can be seen as a "Pay for what you use" type of IT service.
The technologies behind cloud services can blur traditional computing definitions, because (1) vendors combine products in different ways and (2) the level of control, risk, capability and dependence on additional solutions varies according to the mix of products that make up a distributed system or application.
There are also commercial and consumer cloud services, providing many different capabilities. Most people use free or almost-free cloud services for things like email, calendaring, music services, social media, online storage and photo storage. These consumer-focused technologies may seem as if they would meet business needs as well, and some of them can be used under certain circumstances, but in general they are not approved for use at UCSF.
"Click-through" agreements for services available on the internet are not approved by UCOP or the UCSF legal and procurement departments: only authorized individuals can enter into agreements on behalf of UC. Additionally, these agreements contain language and clauses that are problematic for business and patient care data.
Cloud computing service models
The National Institute of Standards and Technology (NIST) has created a conceptual model that depicts these interdependencies and shows how the various models and consumption of cloud services interact. The model facilitates discussions and considerations irrespective of vendor- or product-specific terms for areas such as contracting, compliance, law, security, privacy, architecture, design, roles and responsibilities, data classification, operations, consulting, business requirements, and more.
This section will introduce service and deployment models. For more detailed guidance, see the UCSF IT Security Wiki (login required).
There are generally three service models for cloud computing: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
Software as a Service (SaaS)
SaaS is generally considered an application provided to the consumer that is running on a cloud infrastructure. The application will be made accessible via different client platforms, devices and application programming interfaces (APIs). The consumer of the application will not have management responsibility or control of the underlying network, physical infrastructure, servers, databases, programming platform, storage, operating systems or most security elements. There may be some options and capabilities exposed for use or management of the application; however, these are generally focused on the consumer's portion of the application and the respective data.
Examples of Software as a Service (SaaS) at UCSF include:
Platform as a Service (PaaS)
Examples of Platform as a Service (PaaS) at UCSF include:
- UCSF Drupal (Acquia hosted)
- Amazon Web Services - contact UCSF Procurement
- Microsoft Azure - contact UCSF Procurement
Infrastructure as a Service (IaaS)
IaaS models are closer to what a traditional IT infrastructure looks like and offer more control for the consumer, who can provision and configure processing, operating systems, platform components, databases, storage, networks and other foundational computing components. With these components, the consumer is free to run whatever software will run within the distributed systems available from the IaaS provider. The consumer will likely (1) not have direct access to the physical infrastructure and (2) have only limited access to networking and storage elements.
Examples of Infrastructure as a Service (IaaS) at UCSF include:
- Amazon Web Services
- Microsoft Azure
- UCSF Datacenter VMware Hosting
Cloud Computing Deployment Models
In addition to the various cloud computing service models, these models can be deployed with varying points of access and integration within an organization's computing infrastructure and network. Leveraging the NIST definitions, there are four deployment models for cloud computing: private cloud, community cloud, public cloud and hybrid cloud.
Private cloud
This is a cloud infrastructure or service provisioned for use by a single organization, which may comprise multiple consumers. This cloud is generally owned and operated by the organization, a contracted third party or a combination, and this infrastructure may reside on or off premises.
Community cloud
The community cloud model is a cloud infrastructure provisioned for use by a specific community of consumers who are from different organizations and have a shared concern or business need. This cloud may be owned, managed and operated by one or a number of the organizations participating in the community. The cloud infrastructure may be provided by a third party or a combination of community members and third-party companies, and it may exist on or off premises.
Public cloud
Public cloud infrastructures are provisioned for open use by the general public. The infrastructure exists on the premises of the cloud provider and may be owned, managed and operated by a combination of the businesses, academic institutions, government organizations or third parties who consume the cloud service.
Hybrid cloud
This cloud infrastructure model is a composite of two or more of the previous models, whereby unique components are bound together by technologies that enable data and resource portability within the distributed system.
- Owning Team: IT Security