@CloudExpo Authors: Pat Romanski, Yeshim Deniz, Mehdi Daoudi, Elizabeth White, Liz McMillan

Related Topics: @CloudExpo

@CloudExpo: Blog Feed Post

Get Your SaaS Off My Cloud

Why architecture matters not only to security but to the future of cloud computing

It seems the phrase “in the cloud”, sadly, has become a marketing-hyped euphemism for “the Internet.” I say sadly because the use of cloud to refer to every and any service delivered over the Internet dirties up the cloud. It obscures the intent of cloud computing and makes it difficult for technologists in the trenches to get a handle on how cloud – both external and internal – can provide benefits and solutions to problems they have right now. The very loose use of the term means that every last little web application on the web could be (and sometimes is) called “cloud computing”.

And while that may be technically true based on the very loose definition of “compute resources”, the problem really is in the use of “cloud” to refer to very different architectural models that just all happen to fit a very broad definition.

Of late, the use of the term “cloud computing” to specifically mean SaaS (Software as a Service) is one that’s not only getting under my skin but causing a great deal of irritation sitting there. Every trade publication, every analyst and research firm has been digging into the adoption of cloud computing and every one of them ends up with essentially the same conclusion: organizations aren’t ready to buy into it. Yet.

But then we see news about “cloud computing” like this report titled, “IT spending on cloud computing up 22% in 2009 to $9.6 billion” on TechRepublic. The entire report is about SaaS. Period. There’s nothing in it about the market for IaaS (Infrastructure as a Service) or PaaS (Platform as a Service). It’s all about SaaS. And SaaS is hardly cloud computing in the same way that IaaS is cloud computing. This lack of qualification between the two makes the market look much more robust, mature, and mainstream than it actually is. It is misleading, and that can eventually backfire by leaving would-be customers to continue to question viability long after maturation because they can’t trust the information.


There is a very real difference between the architectural models and benefits of cloud computing (i.e. compute resources as a service) and multi-tenant hosted software, a.k.a. SaaS. These architectural differences are important to every discussion we have about cloud because they affect the security and costs of cloud computing. Those architectural differences manifest themselves with very different issues surrounding integration, data integrity, internetworking, and efficiency.

Invariably when the question of “cloud” security comes up someone brings up SaaS and the fact that organizations have been safely using it for years. This fact is then used to dismiss the very real concerns surrounding security issues and cloud computing. Let’s take just a moment to consider the differences and why this is such a problem.

  1. SaaS is all about the database The way in which multi-tenant hosted software like Salesforce.com and SugarCRM provide security and services is at the database layer. The software, the interface, is the same for every customer. Customization is accomplished through data-driven layout and field definition. The networking stack, the servers, the operating system is all the same. Every customization, every unique process, every branded page is driven solely through data in the database. Security in a SaaS is inherently tied to the robustness of the security model on the database.

    Database security is well-understood, well-known, and very mature. The ability to restrict access down to a single-cell if necessary has long been available and it is this flexibility in database access security that makes SaaS possible.
  2. Many well-known SaaS offerings are not about customer data Another argument tries to dismiss security concerns by pointing out the widespread use of hosted services like Ceridian (payroll and HR) and Concur (travel, expenses). While it is true that these SaaS vendors have long been popular amongst a wide variety and very disparate set of industries, both are focused on employee data, not customer data. While employers are certainly protective of and concerned with the security of their employee’s data, this data is not a competitive advantage, it is not tied directly to revenue, and it is governed by a completely different set of regulations. It’s a completely different set of risks that are managed in a completely different way.
  3. SaaS has a smaller attack surface IaaS has to expose a lot more of the stack to end-users while SaaS has to essentially expose a web  imageinterface. Even integration with SaaS software is via the web (SOAP, REST, etc…) and in a way that is very well controlled. IaaS? There’s very little control because the provider has no idea what application you’ll be deploying. As Hoff pointed out via Twitter, this does not prove that SaaS is more secure even though it seems logical to deduce that; it’s just a different set of risks that need to be managed. Understanding the differences in what those risks are is important when choosing a provider or implementing a cloud model internally.
  4. IaaS introduces the unknown SaaS is well-understood. It’s software stack and therefore its potential vulnerabilities are well-documented, well-understood, and relatively easy to protect if you know what to look for. SaaS, because it is essentially just hosted software, has been very well exercised over the past decade. Its vulnerabilities and potential points of exploitation have been discovered, tested, exposed, and closed. IaaS, however, introduces a new layer where vulnerabilities are not well-understood, not well-known, and not-well exercised. The virtualization layer is completely new and should be considered an “unknown” risk at this point.

    The “sharing of resources” in a SaaS model is really about sharing the database, and even that is strictly contained by very granular security. Code is shared, but in such a way as to make it less relevant. I don’t have to, as a customer, worry about the quality or security of an application of another organization or individual that may be executing on the same hardware as mine and may, through the exploitation of some yet unknown virtualization vulnerability, cause my application to become another 'bot in a giant distribution network for malware.

    The “sharing of resources” in cloud computing is about sharing everything – from the network to the operating system to the infrastructure. Every aspect of cloud computing is about sharing and reusing resources in a way that makes it efficient for both the provider and the customer.

The goal of SaaS is to deliver software. But the software it is delivering is pre-defined. It’s a constrained set of features/functions that are designed to perform a specific task. IaaS, on the other hand, is about delivering on-demand computing resources for use in whatever way the end-user/customer wants to use it.

They are not the same – not architecturally, not in implementation, and not in the issues they bring to the table.


NIST has recently published a working definition of cloud that takes pains to distinguish between the various subtypes of cloud computing:

Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is comprised of five key characteristics, three delivery models, and four deployment models.

The document goes on to describe, succinctly and with what I think is more than good enough accuracy the characteristics, delivery and deployment models. I could (and may in the future) argue against the inclusion of “applications” in the definition of “computing resources” and am fairly certain it is included solely because people assume SaaS is cloud computing but for now I’ll let sleeping dogs lie. The important part of the definition, I think, is the separation and qualification of each type of “cloud computing”. NIST provides this type of delineation because architecture matters when you’re discussing things like security, reliability, and data integrity as well as who the end user of the cloud service really is.

When organizations ask for direction and guidance on building their own “clouds” they aren’t asking about deploying a SaaS. They want to create an on-demand, dynamic data center that affords them many of the same benefits as “cloud computing” – efficiency, sharing of resources, automation. They want the IaaS version of cloud computing, not SaaS or PaaS. But the lack of qualification around the term “cloud” confuses the issue and makes it difficult to have a conversation about specific models.

No wonder people aren’t flocking to “the cloud” – they aren’t even sure what the heck we mean when we say it because we use it as a broad brush with which to paint every service on the Internet these days.

The more I hear and the more I read and the more I see the dismissal of very real issues with IaaS cloud computing that need solutions because of the successful adoption of SaaS the more I think that SaaS either needs to be excluded from discussions of “cloud computing” or that we need to do a better job qualifying the term “cloud” when we discuss it.

The issues with SaaS are not the issues with “IaaS cloud”; they are very different simply because they are two different architectural models with two very different goals. Applying the success or failure of one to the other isn’t realistic, nor is it benefiting cloud computing as a paradigm in any way to mix them up.


Follow me on Twitter View Lori's profile on SlideShare friendfeedicon_facebook AddThis Feed Button Bookmark and Share

Related blogs & articles:

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@CloudExpo Stories
@DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises - and delivering real results.
DXWorldEXPO LLC announced today that Dez Blanchfield joined the faculty of CloudEXPO's "10-Year Anniversary Event" which will take place on November 11-13, 2018 in New York City. Dez is a strategic leader in business and digital transformation with 25 years of experience in the IT and telecommunications industries developing strategies and implementing business initiatives. He has a breadth of expertise spanning technologies such as cloud computing, big data and analytics, cognitive computing, m...
DXWorldEXPO LLC announced today that Kevin Jackson joined the faculty of CloudEXPO's "10-Year Anniversary Event" which will take place on November 11-13, 2018 in New York City. Kevin L. Jackson is a globally recognized cloud computing expert and Founder/Author of the award winning "Cloud Musings" blog. Mr. Jackson has also been recognized as a "Top 100 Cybersecurity Influencer and Brand" by Onalytica (2015), a Huffington Post "Top 100 Cloud Computing Experts on Twitter" (2013) and a "Top 50 C...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
Poor data quality and analytics drive down business value. In fact, Gartner estimated that the average financial impact of poor data quality on organizations is $9.7 million per year. But bad data is much more than a cost center. By eroding trust in information, analytics and the business decisions based on these, it is a serious impediment to digital transformation.
Daniel Jones is CTO of EngineerBetter, helping enterprises deliver value faster. Previously he was an IT consultant, indie video games developer, head of web development in the finance sector, and an award-winning martial artist. Continuous Delivery makes it possible to exploit findings of cognitive psychology and neuroscience to increase the productivity and happiness of our teams.
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
The standardization of container runtimes and images has sparked the creation of an almost overwhelming number of new open source projects that build on and otherwise work with these specifications. Of course, there's Kubernetes, which orchestrates and manages collections of containers. It was one of the first and best-known examples of projects that make containers truly useful for production use. However, more recently, the container ecosystem has truly exploded. A service mesh like Istio addr...
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
Evan Kirstel is an internationally recognized thought leader and social media influencer in IoT (#1 in 2017), Cloud, Data Security (2016), Health Tech (#9 in 2017), Digital Health (#6 in 2016), B2B Marketing (#5 in 2015), AI, Smart Home, Digital (2017), IIoT (#1 in 2017) and Telecom/Wireless/5G. His connections are a "Who's Who" in these technologies, He is in the top 10 most mentioned/re-tweeted by CMOs and CIOs (2016) and have been recently named 5th most influential B2B marketeer in the US. H...
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City. Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of bus...
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
The dynamic nature of the cloud means that change is a constant when it comes to modern cloud-based infrastructure. Delivering modern applications to end users, therefore, is a constantly shifting challenge. Delivery automation helps IT Ops teams ensure that apps are providing an optimal end user experience over hybrid-cloud and multi-cloud environments, no matter what the current state of the infrastructure is. To employ a delivery automation strategy that reflects your business rules, making r...
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Digital transformation is about embracing digital technologies into a company's culture to better connect with its customers, automate processes, create better tools, enter new markets, etc. Such a transformation requires continuous orchestration across teams and an environment based on open collaboration and daily experiments. In his session at 21st Cloud Expo, Alex Casalboni, Technical (Cloud) Evangelist at Cloud Academy, explored and discussed the most urgent unsolved challenges to achieve fu...