Cloud Confusion

Vendors are loosely using the term cloud computing, and it's causing confusion for users in the market for buying and securing these services.

Information Security magazine, June issue


Writing in his blog recently, Misha Govshteyn, co-founder and CTO of log management software-as-a-service vendor, AlertLogic, notes that some vendors at the RSA Conference 2009 were using the term cloud computing rather loosely.

Govshteyn points out that Netgear uses "cloud" to describe its line of unified threat management (UTM) appliances. Netgear says it has a "hybrid-in-the-cloud security architecture." Endpoint security vendor Prevx uses "cloud" to describe its endpoint agents using the "power of the cloud."

"Those are some of the more absurd examples," Govshteyn says. "Cloud is really about moving complex computing workloads off premise and delivering them as a service. At the end of the day, cloud at its core is cost effective and simple."

Even IBM is applying the term to what it isn't. Big Blue describes its new WebSphere SOA appliance as the WebSphere CloudBurst Appliance. It's deployed in-house, but that doesn't stop IBM from calling it an SOA appliance, which deploys and manages SOA in a private cloud.

Like Govshteyn, other security experts and industry observers agree that the loose use of the term cloud has fueled some confusion about what it really comprises.

"I've heard from a lot of end users saying that they are sick of the word cloud because it's used in every conversation they have with vendors," says Chenxi Wang, a principal analyst at Forrester Research. "The industry is sick of getting another buzzword, but cloud computing and cloud services are here to stay."

Web-based service offerings are what primarily make up the cloud. In a recent Forrester report, Wang describes three markets associated with cloud computing: app-components-as-a-service, software-platform-as-a-service and virtual-infrastructure-as-a-service.

The app-components-as-a-service market includes Web-based email and other social networking applications where the application is owned by the provider. Google's Web-based word processing and spreadsheet applications fall into this market. and other vendors that sell their software via the Web would qualify for the software-platform-as-a-service market. Microsoft Azure Services Platform and Amazon's S3 data storage services also make up this market, according to Wang.

The third and final piece of the cloud-based services market is the virtual-infrastructure-as-a-service market. The space is made up of traditional outsourcing services, such as when a company hosts a Web server at a remote data center where a service provider provides maintenance and upgrades.

How firm a grasp organizations have of what really makes up the cloud is mixed, Wang says. In fact, some companies may not realize that a small division is using cloud computing for a certain business process, she says.

"Many are just starting to get their feet wet and those companies tend to be less versed in the benefits and risks and even the functionality," Wang says.

Even the National Institute of Standards and Technology (NIST) is weighing in on an official definition. In a working definition released in April, NIST called cloud computing an "evolving paradigm." The organization narrows the term down to five key characteristics, three delivery models and four deployment models.

"Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction," NIST says.

Jim Reavis, a security consultant and director of the Cloud Security Alliance, a non-profit organization seeking ways to better secure cloud-based services, says the term "cloud" should be simplified for the average customer to understand.

"Cloud computing is in my view an on-demand usage of information technology delivered to the customer as a subscription-based service," Reavis says. "The customer is not aware of a lot of the interworkings of these shared resources."

And according to AlertLogic's Govshteyn, if customers aren't aware of the interworkings of the shared resources, they probably shouldn't worry about the definition of the cloud.

"Understanding the definition of cloud isn't really going to have any bearing on how you make your buying decision," Govshteyn says.

Robert Westervelt is news editor of Send comments on this article to
