Cloud Computing Business Models (Saas, Paas, Iaas) and Some Security Challenges

Using cloud computing has become increasingly common among organizations. Most organizations have increasingly transitioned their systems from on-premise computing environments to cloud computing environments hosted by cloud service providers especially after the Covid-19 pandemic. Cloud computing technology allows individuals, corporate companies and even governments to store and process information and data at data centers through a simple remote access.

It is also an appealing computing application providing affordable access to advanced technology and allowing end users to use and process their IT infrastructure, platforms, and software on a host system over a communication network.

There are many cloud computing models with different characteristics therefore, we find it necessary to briefly review the framework of cloud computing solutions and service models that frequently appear in business and social life.

Cloud Computing Infrastructures

Cloud computing services are provided under four different categories:

Public Cloud

In Public Cloud infrastructure, storage and other sources are offered to the public/general users by a service provider. In this model, data processing applications are run over sources on an infrastructure set up by a service provider and leased by users. This solution is suitable especially for individual use/clients. It can be claimed that this type of cloud is a low security structure compared to other cloud infrastructures. Public Cloud infrastructure provides relatively low cost solutions and is usually priced on a pay-per-use basis. It can even be offered to individual users/clients for free of charge.

Private Cloud

Private Cloud infrastructure is set up and operated solely for a single institution/organization; public/third party access is not allowed. In this infrastructure architecture, the infrastructure is either stored internally in the organization or by a third party on behalf of the organization. Private Cloud infrastructure is mostly preferred by corporate/large companies and institutions that prioritize data security. Although it is costlier compared to public cloud infrastructure, it provides appealing advantages in terms of data processing investments and expenses.

Hybrid Cloud

Hybrid Cloud infrastructure is a composition of two or more of private, community or public clouds. Relatively sensitive, secret data and critical applications are stored in the private cloud within the Hybrid Cloud while applications that require less security are stored in the public cloud.

Community Cloud

Community Cloud can be defined as sharing the cloud infrastructure between several organizations from a specific community with a common purpose and common security and compliance requirements. Community Cloud can be designed as a public or private cloud.

Cloud Computing Service Models

Software as a Service, Saas

In SaaS, multiple users are provided access to the application software hosted on the server by the service provider. Users can access and interact with the cloud applications via the Internet, using interfaces such as web browsers, without the need to install any applications on their own systems. In Saas, software is provided as a service via the Internet and the service is priced on a pay-per-use basis. In Saas model, users do not manage or monitor the infrastructure components such as network, platform, operating system and storage devices. Users are only authorized to change configuration/structure settings specific to the application provided as a service.

Platform and Function as a Service, PaaS- Faas

In PaaS cloud computing system, the service provider delivers users a computing platform where they can develop and run their own applications using programming languages, software databases, services and tools provided by the service provider and also provides supplementary services. In PaaS model, users are not authorized to control or manage the servers, operating systems, storage spaces and other components that make up the platform infrastructure. Users’ authority is limited to adjustments related to the software transferred to the cloud and configuration settings of the platform the software runs on.

Function asaService, FaaS, is a cloud computing solution that enables programmers to create and operatesoftware applications as procedures without maintaining servers. This system allows its clients to create applications and deploy features while only being billed by the service providerwhen such feature is used. FaaS and PaaS cloud systems mainly differ in terms of scalability, performance, and cost.

Infrastructure as a Service, IaaS

In IaaS model, users can configure processing, storage, networks and other fundamental computing resources required for running applications and install the operating system and applications required. Users are not fully authorized to manage and control the physical infrastructure. However, users can control the system at the level of storage and operating system and manage specific network components. IaaS model is referred to as “Hardware as a service, HaaS” in some sources.

Cloud Computing Security Challenges

Cloud computing infrastructure and business models differ in terms of whether the system is shared or specific to a single organization, whether the system is hosted within the organization or in an outside institution, whether the customer has the opportunity to intervene in the architectural infrastructure of the service, and the capacity of the system to adapt to customer needs. These business models are assessed by users in terms of characteristics such as cost and level of user control on the system and scalability. Cloud computing should certainly be considered as a revolutionary innovation in terms of Internet use, but as in all new systems, it contains challenges and disadvantages besides its advantages.

Upon reviewing the infrastructure and service models briefly explained above, one can claim that the major problem in cloud computing is “data security”. It is a matter of concern for organizations or individuals to store their information and data in a third-party service providers’ system.

When this issue is addressed in terms of personal data protection legislation, use of cloud systems brings with it certain risks for “data controllers” who are obliged to ensure the security of personal data stored in the cloud.Therefore, security measures taken by the cloud service provider should be evaluated by the data controller in terms of their sufficiency and complexity. In fact, Personal Data Protection Authority in Türkiye ("PDPA") presents useful methods with regards to security measures in its “Personal Data Security Guide- Technical and Administrative Measures”. PDPA recommends that personal data stored in cloud systems should be detectable and such data should be backed up and synchronized at all times. PDPA also suggests implementation of two-step authentication control for remote access to such data. In addition, during the storage and use of personal data in cloud systems, data should be encrypted with cryptographic methods and transferred to cloud environments after such encryption, and if possible, separate encryption keys should be used for each cloud solution. Finally, when the cloud computing service relationship ends, it is recommended that all copies of encryption keys that can be used to make personal data available should be destroyed.

One of the leading reasons why cloud systems are preferred is that their data storage costs are lower compared to other systems. It can easily be observed that especially companies providing hosting services abroad, offer systems with higher security standards at lower costs. This causes technology companies in Türkiye to prefer to work with cloud service providers that host their servers (and therefore, data) abroad. Turkish Data Protection Law has regulated transfer of personal data to foreign countries. Transfer of personal data abroad can be conducted on a legal basis if (i) sufficient protection  is provided in the country where the data is transferred, (ii) a commitment for sufficient protection  is provided in writing by the data controllers in Türkiye and the relevant foreign country, and PDPA’s approval is obtained with regards to such commitment or, (iii) the data subject’s explicit consent is collected. However, PDPA has not been able to list the countries providing sufficient protection as of today and the approval procedure before the PDPA is not seen as a preferred procedure due to its ineffectiveness, thus, for now, the most viable method seems obtaining explicit consent from data subjects. Due to the difficulties stated above, it can be concluded that data controllers are having difficulty in using cloud service providers having their servers abroad.

Accordingly, the security risks arising out of these shared and remotely accessed systems and the requirements of data protection laws should be considered cautiously. In this way, each organization can determine the most appropriate cloud infrastructure and service model for them and reconfigure their computing system affordably to comply with technology.