The variant of cloud computing known as Infrastructure as a Service (IaaS) is not a technological innovation, but rather a radically new way of utilizing existing software and facilities. However, this novel practice could not have been developed without several historical predecessors such as time-sharing supercomputers, parallel server processing and the radical growth of Internet network connectivity. Distributing mainframe processing power and space between multiple terminals has existed since the use of ‘time-sharing’ in the supercomputers of the mid-1960s. These early projects, such as Donald Bitzer’s Plato II or MIT’s project MAC, featured simple interface systems whereby several individuals could access the same pool of memory and computing power simultaneously. Despite their benefits (such as added economy and unified specialization), these systems could only support a certain number of users at a time, and were therefore bound by the strength of whatever particular hardware was at hand. This limit was permanently removed, however, following the University of California, Berkeley’s 1995 project Network of Workstations (NOW) - which was the first system to successfully string together multiple computers to accomplish an individual task. Suddenly, there was no limit to the processing power that a server could produce, simply by joining adjacent CPUs. Also during the 1990s, governments in the United States and abroad began installation of networking cables that made possible the near exponential growth in global Internet access and connectivity that characterized the early 2000s. The World Wide Web quickly grew to be a dominant means of communication, documentation, and commerce. This ‘internet revolution’ required that many businesses build expensive in-house server facilities simply to remain afloat in highly competitive markets.
Following these new developments in information technology, the stage was therefore set when, in 2002, Amazon launched the first major initiative that offered Infrastructure as a Service: Amazon Web Services (AWS). The company, which until that point had solely been an online warehouse retailer, found itself with an excess of server capacity and memory space. This vast amount of computing power that Amazon had accrued was only rarely utilized during times of high demand (such as during the Christmas holidays). Therefore, the firm began to offer a service whereby individuals or groups could connect to Amazon’s servers through the Internet and ‘rent’ computing power at a set rate, for a fixed amount of time. As larger numbers of groups began turning to AWS in order to avoid steep startup costs, the project quickly expanded, and Amazon began building additional servers specifically for the purpose of public lending. The utilities model of distribution from a central hub to disconnected users soon expanded to include Software as a Service (SaaS) and Platform as a Service (PaaS) lending systems - and all three practices became joined under the more general title of ‘cloud computing’. In 2009, the company Eucalyptus was founded with the purpose of providing an IaaS service specifically tailored to individual businesses and communities, establishing a more secure lending practice commonly known as “Private” cloud computing. Other forms of IaaS cloud computing services include Community systems (a service managed by and servicing one particular group) and Hybrid systems (which combine elements of private and public infrastructure lending). In the past 12 years since the introduction of IaaS cloud computing, other firms such as VMware, IBM, and Rackspace have begun offering similar services.
While some organizations have expressed doubts regarding the security, legal status, and cost of Infrastructure as a Service cloud computing, the degree of specialization and efficiency afforded by infrastructure service programs – particularly private IaaSs - ultimately makes businesses’ online endeavors safer, cheaper, and more dependable.
Any time that multiple users attempt to utilize the same information, processing, or memory services, security concerns begin to arise. A 2008 report published by the National Institute of Standards and Technology defines a security breach as “a loss of confidentiality, integrity, or availability” (Scarfone – Guide). In contemporary cloud computing, as with older methods of virtual hosting, methods of physical and protocol-based security are necessary to ensure that important data will not be inappropriately accessed, tampered with, or even destroyed. The Oracle Corporation, in its white paper “Security in Private Database Clouds,” proposes that an essential feature of secure systems is the implementation of ‘defense in depth’ - a practice where multiple levels of redundant security exist at the levels of “hardware (physical access), operating system, hypervisor, virtual machines, storage, database, application servers, applications, networks, consumer portals, and the interfaces for Cloud automation and management” (Oracle). Of these, the three most important areas to examine when assessing the security of a network are a) user interface, b) hypervisor organization of virtual machines, and c) the access to physical hardware. In addition, a major concern for a business or group interested in employing an infrastructure renting firm is the ability to trust that the Cloud Service Provider will not itself pose a threat to the privacy or integrity of data stored in its facilities.
Security violations on the level of user interface can be prevented by i) limiting an individual’s access to certain parts of the system and ii) applying systems of encryption. The NIST, in its previously referenced paper “Guide to General Server Security”, recommends that in-house or cloud based servers implement a ‘principle of least privilege’ - an organizational structure wherein each user can only view and modify a specific segment of the system’s total memory and processing (NIST). This principle is usually applied through a ‘login’ structure: a procedure whereby each user must authenticate their identity before they may use the processing and memory storage services of the server. Once a specific user submits information into their monitor to be transferred over to the processor, this data may be protected from unwanted access through a process of end-to-end encryption. The Electronic Frontier Foundation defines encryption as “a technique that uses math to transform information in a way that makes it unreadable to anyone except those with special knowledge, usually referred to as a ‘key’” (ssd.eff.org). A handful of public IaaS networks either already employ end-to-end encryption (like Google Cloud Storage) or are currently in the process of adopting it (among them Windows Azure); however, most services do not offer such protection because, as Gary Anthes suggests in his article “Security in the Cloud,” full IaaS encryption can be “a cumbersome and costly process” (Anthes). Despite this slow rate of adoption, several end-to-end encryption programs are already available (although they are primarily utilized by SaaS programs), including XML Encryption, Layer 2 Tunneling Protocol (L2TP), and Point-to-Point Tunneling Protocol (PPTP) (Dawoud). Therefore, at least for now, most private clouds can provide far better cryptographic protection than their larger, public, counterparts.
To prevent more complex forms of improper computer use, hypervisors - the programs responsible for authenticating, authorizing and networking virtual machines within a cloud - can actively monitor the behavior of individual users to discover the presence of inappropriate user activity or inhuman ‘bots’ (Sabahi). Bots are self-sustaining programs that function without the direct supervision of a user and are often used towards malicious ends, such as information stealing, data destruction, and Denial of Service attacks (SANS). Hypervisors, which are alternatively called Virtual Machine Monitors or VMMs, can “distinguish an infected host from a normal host by detecting specific behavior patterns” (Hsiao & Chen). Lionel Litty, in his thesis “Hypervisor-based Intrusion Detection,” details the functioning of Intrusion Detection Systems (IDS) and describes two alternative forms of intrusion detection: Network based IDSs (NIDS) - which examine users’ traffic for suspicious activity - and Host based IDSs (HIDS) - which monitor the very servers off of which they run. Hypervisor-based IDS programs appear to be halfway between these two levels of access, since they monitor the myriad virtual machines that are often generated by a single server center and with which a large number of users are able to connect. Therefore hypervisor-based Intrusion Detection Systems are able both to detect unsavory activities in the behavior of users (in a manner similar to NIDSs) and to observe unwanted changes in the servers’ projection of virtual machines (akin to the functioning of HIDSs). From this vantage point, VMMs are in a unique position to observe malicious activity performed within IaaS clouds. Admittedly, not all information systems are equally susceptible to hacker or bot based attacks.
Because the usership in private infrastructure networks is far more controlled, harmful intrusions present much more of a threat to public IaaS providers than to their more exclusive counterparts. Nonetheless, due to the widespread potential for damage that malignant agents can inflict, strong hypervisor security should be an important security measure in any infrastructure renting relationship.
Physical interference is another method by which users’ data and processes may be harmfully altered. To combat this threat, IaaS services typically offer safeguards against physical tampering, such as isolation, private guards, and security barriers, that go above and beyond the layers of security a private, in-house data center could provide. Infrastructure service providers, because they do not require direct contact with any one host company, can construct their headquarters in geographically desolate areas, where there is almost no risk of devious agents interacting with the computing hardware. Furthermore, because IaaS companies usually do not perform any day-to-day business interactions, the flow of individuals in and out of their server compounds can be tightly monitored and controlled (Armbrust). Lacking most of the labor-based operating costs that many other companies have, Cloud Service Providers can typically afford to hire security personnel who can closely observe their premises and its operation.
One privacy concern specific to cloud computing is the fear that a host corporation will inappropriately access or alter the contents stored on their servers. However, this worry can be largely resolved through the signing of ‘Service Level Agreements’ (SLA) - contracts that both the clients and the providers can agree to, and which can be overseen by a third party moderator of the kind Alexander Keller and Heiko Ludwig put forward in their essay “The WSLA Framework: Specifying and Monitoring Service Level Agreements for Web Services” (Keller). Furthermore, Private and Hybrid IaaS systems’ ability to relegate some or all of a client’s information out of the general circulation and behind a firewall adds an additional layer of protection both from outside intrusions and in-house tampering. With the protective measures of SLA contracts and Private cloud servers in place, groups can feel confident that their cloud provider will not inappropriately disrupt or tamper with their work.
Doubts surrounding security remain one of the central reasons why businesses might hesitate to employ an infrastructure Cloud Service Provider. However, these qualms are largely unfounded - as the vast majority of IaaS providers offer their clients an impressive degree of ‘defense in depth’ protective measures. An additional consideration that groups should bear in mind when choosing a CSP is that private IaaS companies – due to their smaller and more exclusive usership base - are notably better at procedural, physical, and fifth-column protection than their public competitors. With some examination, it becomes clear that infrastructure lending practices are better than traditional on-site data centers at preventing user-based manipulation, server tampering through bot attacks, and physical infiltration.
In comparison with the traditional process of constructing data centers, it is often far more cost effective for a business or group to hire an Infrastructure service provider. This is because cloud computing infrastructure firms offer lower overhead expenses, increased efficiency, and fewer costs associated with upscaling. Therefore, despite the relatively high price of transporting data and the expenses associated with initially transferring to the cloud, renting computing infrastructure is still a far less expensive option than other on-site methods of server processing and memory storage.
Before the advent of IaaS cloud computing, many companies were unable to utilize large amounts of computer processing and data storage due to the prohibitively high costs of server construction and maintenance. A 2003 study conducted by the American Power Conversion corporation determined that “the Total Cost of Ownership of a rack in a data center is approximately $120K over the data center lifetime” (LinuxLabs). This calculation factors in auxiliary expenses such as allocating space, performing repairs, cooling and powering. By contrast, AT&T’s “Compute as a Service” charges its clients $0.03 per website per hour, which equals approximately $262 per year (AT&T). A data center rack made for the purpose of processing a single website’s data would therefore need to last 458 years in order to prove a more prudent investment than IaaS cloud computing. Cloud infrastructure renting, since it requires no initial capital expenses, could drastically change the landscape of modern computing - allowing groups and companies too small to construct in-house servers an opportunity to use large quantities of processing power and memory storage.
In addition, businesses that use traditional in-house servers are typically less efficient than those who use Infrastructure as a Service firms. In many major computing operations, it can be extremely difficult to anticipate the peak level of processing that may be required at some future time. Under the older system of on-site computing, companies’ attempts to predict in advance their future computing requirements can fail in one of two ways: a) a group overestimates future demand and installs more server space than is ultimately needed; or b) a group underestimates their processing and/or memory needs, and is left without sufficient servers. In case a) - the comparatively better scenario - firms lose money from wasted excess, having spent an unnecessarily large amount on computing power that is never put to use. In b), however, when the demand for servers grows beyond all previous predictions, businesses can experience hardware failure during those moments when the need for processing is highest. Routine computing failure during times of high demand can lead to other, secondary losses; for instance, if an in-house server is being used for the purpose of supporting a website, repeated failures can result in losing dedicated users, thereby shrinking the site’s revenue source in a process known as ‘transference’ (Armbrust). By contrast, businesses that host on the cloud can tailor their costs based on the amount of power they require at any particular time. This means that a firm can decrease the amount of processing speed rented when the need lessens and drastically increase the quantity borrowed whenever it becomes necessary.
Another benefit of employing infrastructure services is that scaling up the size of enterprises to meet a growing demand is a remarkably inexpensive process. IaaS providers, who typically have a large number of available servers on hand, can easily handle geometric or even exponential growth in a company’s processing and memory demands with only a linear rise in associated costs (Scarfone A View). Enlarging in-house data centers, on the other hand, is a costly process, often necessitating added investment in hardware purchasing, construction, electricity, and security.
Two possible factors that might deter businesses from switching to cloud computing are the high prices of initially transferring, and the costs incurred from continually shifting information across large distances. For businesses switching to cloud based infrastructure, some revenue can be generated by selling already owned data processing hardware, although not enough to significantly outweigh the price of moving (Violino). These moving costs are primarily incurred from the initial process of transportation of data from privately owned hardware onto IaaS servers. To move huge amounts of information across large geographical distances incurs significant energy and time costs (Zhang). However, these problems can largely be avoided through physical delivery systems, which can ship hard drives or even entire servers at a relatively small price (Fox). Therefore, the ultimate savings generated by switching to an IaaS provider are more than enough to make transferring to cloud computing a valuable investment for many large businesses and corporations.
Two legal questions quickly arise when data is stored on cloud computing infrastructure: a) who can claim copyright ownership over the information?; and b) how can/should federal governments interact with transactions performed through IaaS providers? The relative dearth of precedents pertaining to cloud computing makes these judicial issues relatively uncertain; however, accurately understanding the terms and conditions of an infrastructure renting arrangement can usually prevent ownership disputes and unexpected government involvement.
It is often difficult to determine who owns data hosted on cloud servers because in many countries, the legal classification of digital information is still a matter of contention. In England, the 1979 precedent Oxford v Moss ruled, “information is not a form of intangible property” (OXcheps). Therefore, in a 2010 article entitled “Information ‘Ownership’ and the Cloud,” published on behalf of Queen Mary College of London, the author asserts that under British law, “it is at many points unclear as to the precise nature of ownership rights and who can exercise them” (Reed). A similar vagueness pervades American copyright law, since the policies regarding digital information’s legal status frequently vary by state. For instance, a 2010 Vermont technical statute (which has since been repealed) went as far as saying that “computer memory is a tangible personal property” (PWC). These discrepancies that exist between states’ computing laws, when applied to geographically sprawling IaaS providers, can frequently lead to jurisdictional confusion and contradiction. In Australia, there are no measures in place - comparable to the United States and the United Kingdom’s Fair Use and Fair Dealing clauses respectively - that could allow for the temporary release of copyright ownership for a specific amount of time. Therefore, under current Australian law, IaaS providers could face prosecution for holding information that they do not legally own - however, this is a condition that may change if the government adopts measures suggested in a February 2014 report published by the Australian Law Reform Commission (AFR). These differences that exist between the legal copyright policies of major English-speaking countries can frequently lead to confusion for infrastructure service providers who happen to operate across national borders.
Without an international consensus on the status of cloud-based digital information, there will continue to be a large grey area of actions that have a legally uncertain character. Thankfully, many of these legislative oversights can be remedied through
When potentially lucrative information is generated or stored through a Cloud Service Provider, operating contracts are often an important measure preventing IaaSs from inappropriately accessing and exploiting their users’ data. Since existing laws in the United States have thus far been largely silent on the topic of user-service provider relationships, the bulk of the protective copyright measures in place are instituted through a contract known as a ‘Terms and Conditions’ or ‘Terms of Use’. These terms can vary widely between different Cloud Service Providers. For instance, the terms for the IaaS storage platform Dropbox actively guarantee the ownership rights of its users, stating that “You retain full ownership to your stuff. We don’t claim any ownership to any of it” (Dropbox). By contrast, the contract connected to Google’s Compute Engine asserts that:
When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. (Google)
Therefore, the ownership rights that a user maintains over his or her data may differ depending on the type of contract put forth, and some businesses who handle sensitive information would do well to carefully examine the copyright terms and conditions stipulated by a particular Cloud Service Provider.
In the United States, when the federal government believes that some cybercrime is being committed through a cloud computing service, users of public infrastructure services no longer retain Fourth Amendment rights over their data once it has been given over to IaaS servers. This is largely due to the “third-party doctrine” set by the 1979 precedent of Smith v. Maryland, which dictates that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties” (Villasenor). Due to this ruling, writer Cody Ruegger, writing in the Columbia Science and Technology Law Review, posits that under federal law, users relinquish all legal claims to their data once it is hosted on cloud-based infrastructure (Ruegger). This “third party doctrine” was applied when, in 2012, the United States government seized and examined all of the data that Software as a Service provider Megaupload stored through their IaaS, Carpathia - suggesting that US law enforcement does not require specific warrants to commandeer users’ data from IaaS providers (EFF). Issues of ownership rights become even more blurred when cloud processing and hosting is done across borders, particularly in cases when the national laws vary widely, or when one Cloud Service Provider operates across multiple countries. Admittedly, the law is still in a state of flux concerning the role of ownership rights and privacy - a view that was expressed by the Supreme Court when Justice Kennedy stated on behalf of the majority that “the judiciary risks error by elaborating too fully on the Fourth Amendment implications of emerging technology before its role in society has become clear” (supremecourt.gov).
Despite this flummoxing ambiguity, businesses contemplating an IaaS service provider can largely avoid the risks of unwarranted federal search and seizure by establishing a private Infrastructure service, by knowing the legal mandates applicable in the country of server storage, and by carefully monitoring the type of data hosted within that infrastructure.
Although legal, economic and security aspects of IaaS cloud computing have heretofore in this essay been treated as separate entities, the three issues are, in reality, inextricably intertwined. What constitutes an illegal security breach or a copyright-infringing use of data within cloud computing is an area of the law still not clearly defined. Infrastructure as a Service companies’ ability to provide both physical and protocol-based data protection en masse is a benefit that drastically lowers the overhead costs of storing data or using processing power. And as more and more of the IT consuming market begins moving to Infrastructure renting services, new legal and privacy problems will likely arise in turn. All three of these sides must therefore be examined before a company can make an informed decision regarding server allocation and expansion. Despite the reservations that some businesses may have towards cloud computing, the economic and security benefits of IaaS providers more than outweigh the potential troubles that may arise from Cloud Service Providers’ ambiguous legal status.
In the past twelve years since they were first introduced, infrastructure-renting providers have demonstrated a remarkable capacity to provide individuals, businesses, and groups with valuable processing power and data storage. Practitioners of traditional on-site IT have been wary of the security, costs, and legal status of contemporary cloud computing. However, these doubts are largely unfounded – and exaggerate the potential risks associated with this novel practice of infrastructure utility lending. IaaSs frequently use defense-in-depth protective methods to ensure data security, including limiting privileges and encrypting data on the level of user interface, using hypervisor based bot-detection software to monitor a cloud’s virtual machines, and implementing rigorous physical security to protect the processing servers themselves. Therefore, so long as a client initially signs a Service Level Agreement to ensure a consistent quality of service, businesses should face far fewer security risks after moving their data to the cloud. Costs associated with running a processing-heavy enterprise also drop considerably following a transition to an IaaS provider. This is because, in comparison to traditional computing systems, cloud service providers can offer a service that involves no overhead costs, elastic use of resources and inexpensive scalability. These savings are large enough to substantially overshadow the new costs associated with infrastructure renting, such as data transportation. Additionally, while the legal status of copyright claims still varies between different states and nations, the majority of copyright protections in place stem from the signing of thorough ‘Terms of Use’ policies, which fall safely under the purview of existing contract laws.
Therefore, because cloud computing provides cheaper and safer processing and data storage without necessarily incurring additional legal hassles, many large businesses would greatly benefit from switching to an infrastructure renting arrangement.
Works Cited
Armbrust, Michael, Armando Fox, Rean Griffith, Andy Konwinski, Gunho Lee, David Patterson, Ariel Rabkin, Ion Stoica, and Matei Zaharia. "A View of Cloud Computing." Communications of the ACM Apr. 2010: 50-58. ACM Digital Library.
Dawoud, Wesam, Ibrahim Takouna, and Christoph Meinel. "Infrastructure as a Service Security: Challenges and Solutions." Hasso Plattner Institute, n.d.
"Determining Total Cost of Ownership for Data Center and Network Room Infrastructure." American Power Conversion. Linuxlabs, n.d.
"Dropbox - Terms." Dropbox. N.p., 26 Mar. 2012.
"Encryption Basics." EFF Surveillance Self-Defense Project. N.p., n.d.
Fox, Armando. "CS10 Fall 2010 Lecture 20, Cloud Computing." Professional Development for High School Teachers. University of California, Berkeley. 21 Mar. 2014. Lecture.
"Google Terms of Service, Policies & Principles." Google. N.p., 11 Nov. 2013.
Hsiao, Shun-wen, Yi-Ning Chen, Yeali S. Sun, and Meng C. Chen. "A Cooperative Botnet Profiling and Detection in Virtualized Environment." Institute of Information Science, Academia Sinica, Taiwan. N.p., n.d.
Keller, Alexander, and Heiko Ludwig. "The WSLA Framework: Specifying and Monitoring Service Level Agreements for Web Services." Journal of Network and Systems Management 11.4 (2003): 513-16.
Kennedy, Anthony M. "Opinion of the Court - City of Ontario, California Petitioners v. Jeff Quon." Whitehouse.gov. Supreme Court of the United States, 17 June 2010.
Litty, Lionel. "Hypervisor-Based Intrusion Detection." Graduate Department of Computer Science. University of Toronto, 2005.
Reed, Chris. "Information 'Ownership' in the Cloud." Social Science Research Network. Queen Mary University of London, School of Law, 2 Mar. 2010.
Ruegger, Cody. "Legal Issues in Cloud Computing." Columbia Science and Technology Law Review Legal Issues in Cloud Computing Comments. N.p., 18 Nov. 2013.
Sabahi, Farzad. "Secure Virtualization for Cloud Environment Using Hypervisor-based Technology." International Journal of Machine Learning and Computing. N.p., Feb. 2012.
Scarfone, Karen, Wayne Jansen, and Miles Tracy. "A View of Cloud Computing." National Institute of Standards and Technology. U.S. Department of Commerce, n.d.
Scarfone, Karen, Wayne Jansen, and Miles Tracy. "Guide to General Server Security." National Institute of Standards and Technology. U.S. Department of Commerce, n.d.
Smith, and Weinand. "Oxford v. Moss Divisional Court QBD." Oxford Center for Higher Education Policy Studies. N.p., n.d.
Vengurlekar, Nitin. "Security in Private Cloud Databases." Oracle. N.p., July 2012.
Villasenor, John. "What You Need to Know about the Third-Party Doctrine." The Atlantic. Atlantic Media Company, 30 Dec. 2013.
Violino, Bob. "Preparing for the Real Costs of Cloud Computing." Computerworld. N.p., 5 Dec. 2013.
Zhang, Linquan, Chuan Wu, Zongpeng Li, Chuanxiong Guo, Minghua Chen, and Francis C.M. Lau. "Moving Big Data to The Cloud." The University of Hong Kong, Hong Kong. N.p., n.d.