Glossary - The Enterprise Cloud: Best Practices for Transforming Legacy IT (2015)

Glossary

The definitions in this glossary are intentionally not “straight from a dictionary.” Rather, they are intended to provide more clarity and relevance to cloud computing within the context of this book.

Accreditation

The process by which an organization evaluates the security of a computer system against one or more security standards or policies. An accredited system is one that is “certified” to have successfully completed this process.

Agile

A software development and delivery methodology based on iterative and incremental improvements for software releases. Agile is intended to speed time-to-market of software updates, new features, or patches on a continuous basis, usually measured in weeks or months.

Allocated services

The practice of selling resources such as processors, memory, storage, or network based on a fixed prepaid amount or ceiling. Customers pay a fixed price for services, even if their actual utilization is less. See also Metering.

Application service provider

Internet-based provider of application hosting services. A precursor to today’s more popular term, Software as a Service (SaaS), whereby applications are hosted, managed, and licensed by the provider, often charging customers on a per-user or per-month basis.

Application transformation

The process of adapting or rewriting an application so that it can be hosted in a cloud deployment model. Specific features of cloud-enabled software include elasticity, resiliency, and micro-application services running across one or more computers or virtual machines.

Automation

The process of computer scripting, programming, and other tools deployed to perform a series of processes without human intervention. By programming software and tools to allocate processors, storage, network, and applications, cloud services can be deployed and ready for use within minutes rather than hours, days, or weeks if deployed manually by traditional means. Automation is particularly important in cloud computing, because many cloud providers process hundreds or thousands of orders for new services each hour.

Availability

Refers to the amount of time a computing resource, application, or data is available for use or is online for use, as opposed to being offline for maintenance or in a failed state. Availability is often measured as a percentage of time that services are available compared to the amount of time in a specified period of time.

Backup/Recovery as a Service

A cloud service offering which provides data backup and recovery. This service might include a certain frequency and data retention level included in price by default, with optional enhancements to these defaults at additional cost.

Broker (cloud broker)

A function or role in cloud management that integrates multiple Anything as a Service (XaaS) cloud providers into a single cloud management system. The broker performs aggregation of services offered by multiple cloud providers, centralized cloud management portals, reporting, and system and data portability between downstream cloud providers.

CIPA

Children’s Internet Protection Act. This is a federal law enacted by U.S. Congress to address concerns about access to offensive content over the Internet on school and library computers. CIPA imposes certain types of requirements on any school or library that receives funding for Internet access or internal connections from the E-rate program, which is a program that makes certain communications technology more affordable for eligible schools and libraries.

Cloud compute

This refers to the processor, memory, storage, and networking resources provided to customers, typically via a virtual machine.

Cloud-native application

An application that is designed specifically to run in and take advantage of a cloud infrastructure. Characteristics of cloud-native applications include elasticity, composability, and resilience.

Commercial-off-the-shelf (COTS)

Software packaged and sold via retail channels and widely available from major software vendors.

Common Criteria/ISO 15408

A framework that provides assurance that the process of specification, implementation, and evaluation of a computer security product has been conducted in a rigorous and standard manner. The Common Criteria for Information Technology Security Evaluation (CC) and its companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA).

Community cloud

A cloud service that provides for a community of consumers or organizations with shared interest or concerns. The system is managed by one or more of the organizations, by a central provider, or a combination. Organizations utilizing this cloud service have a shared mission, governance, security requirements, and policies.

Continuity of operations (CoO)

The concept of offering services even after a significant failure or disaster. The dictionary definition is more generic, stating that CoO is the ability to continue performing essential functions under a broad range of circumstances. For the purposes of being a cloud provider, CoO is a series of failover techniques to keep networks, servers, storage, and applications running and available to your customers.

Continuous delivery

Also referred to as continuous application development. A software development and delivery approach used to automate and improve the process of software releases to production. Automated processes are used for testing and promotion of software code from development to testing, quality assurance, and production, which improves consistency and reduces overall cost. Continuous delivery is often combined with the Agile approach to software development delivery.

COPPA

Children’s Online Privacy Protection Act. Effective April 21, 2000, this law applies to the online collection of personal information from children under the age of 13. The new rules stipulate what a website operator must include in a privacy policy, when and how to seek verifiable consent from a parent, and what responsibilities an operator has to protect children’s privacy and safety online.

Data as a Service

Similar to Platform and Software as a Service, Data as a Service is the hosting of a centralized repository of data. This data, often in the form of a large searchable database, is gathered by the provider, often from numerous sources. The service offering is provided to customers that need to access, search, view, and download the data.

Data sovereignty

The concept that computer data is subject to the laws of the country in which it is located, thus preventing foreign governments from subpoenaing the host country and cloud provider where the datacenter is located.

Development/Testing as a Service (Dev/Test)

A cloud service often considered a PaaS offering with IaaS-type compute services being offered along with numerous application lifecycle management (ALM) tools, code libraries, and developer tools.

DIACAP

DoD Information Assurance Certification and Accreditation Process. This is the U.S. Department of Defense (DoD) process to ensure that risk management is applied on information systems. DIACAP defines a DoD-wide formal and standard set of activities, general tasks and a management structure process for the certification and accreditation (C&A) of a DoD information system that will maintain the information assurance (IA) posture throughout the system’s lifecycle.

DISA

Defense Information Systems Agency. This is the U.S. government agency that governs IT standards and guidance, and provides some centralized IT services to U.S. Department of Defense organizations. DISA has produced several cloud security guidelines, the latest being the Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG), initially published in January 2015, which replaces the previous Cloud Security Model (CSM). The SRG defines roles and standards for private cloud and external cloud service providers based on four Impact Levels. This is a relatively new standard and likely to mature over time; the DISA SRG is more specific to cloud than the DIACAP standard for overall DoD IT. Refer to the DoD Cloud Computing SRG at www.disa.gov.

This DISA standard is intended for DoD organizations and it contains more security controls and requirements than FedRAMP or FISMA. The four SRG levels are described in Chapter 6.

Disaster recovery

Process, policies, and procedures for recovering from a natural or human-induced disaster. This is a subset of the continuity of operations plan focused on how to restore systems and services to an operational level.

Elastic or elasticity

Refers to the ability of a computing resource or application to automatically scale out (adding more compute resources or additional virtual machines) to handle an increase in workload/utilization.

FedRAMP

Federal Risk and Authorization Management Program. This is a government-wide program in the United States that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is a set of cloud security standards followed by most civilian (non-DoD) United States Government agencies and their certified public cloud providers.

FERPA

Family Educational Rights and Privacy Act. The Education Department is releasing a Notice of Proposed Rule Making (NPRM) under the Family Educational Rights and Privacy Act. The proposed regulations would give states the flexibility to share data to ensure that taxpayer funds are invested wisely in effective programs.

FIPS

Federal Information Processing Standards. The FIPS 140-2 standard provides guidance and minimum characteristics for data encryption. Many U.S. federal government agencies are required to adhere to this policy for protected data.

FISMA

Federal Information Security Management Act. Title III of the E-Government Act. This requires each federal agency to develop, document, and implement an agency-wide program to provide information security for information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Geographically diverse

Refers to having datacenters and cloud compute server farms in different physical locations from each other. The separation of datacenters is usually 500 miles or more so that any regional disasters (natural or intentional) are unlikely to affect both datacenters. Ideally, geographically diverse datacenters are more than 1,500 miles apart, and neither datacenter is in an earthquake or flood-prone area. Note that having datacenters in different countries is also common, but this presents additional issues as some customers need guarantees that their data is not hosted in certain countries (see also data sovereignty).

High availability

Refers to the percentage of time a system is online versus in unscheduled outage. High availability is also something you design and build into your cloud solution using redundant components and continuity of operations, in order to achieve a high level of availability as measured by system availability to the customer.

HIPAA

Health Insurance Portability and Accountability Act of 1996. Legislation that provides privacy and security protection of individually identifiable health information.

Hybrid cloud

A cloud service that is a combination of two or more cloud deployment models. Cloud systems are managed through standardized or proprietary technologies often called the broker system, or broker provider. See also Broker.

Hypervisor

A software system that is installed on a physical server and then creates multiple virtual machines, each having a configurable amount of processor, memory, storage, and network resources.

Infrastructure as a Service (IaaS)

Cloud compute services, normally in the form of virtual machines, with configurable processor, memory, storage, and networking. Infrastructure as a Service often includes other cloud services such as Storage as a Service, Backup/Recovery as a Service and Development/Test as a Service.

ISO

International Organization for Standardization. A standards organization that plays a role similar to that of the National Institute for Standards and Technology (NIST); however, ISO is an international, nongovernment entity whose standards are widely accepted or adopted worldwide. NIST is primarily followed by U.S. government organizations.

ISO 27002

This document provides best-practice recommendations on information security management for use by those responsible for initiating, implementing, or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triad. The C-I-A triad is the preservation of confidentiality (ensuring that information is accessible only to those authorized to have access); integrity (safeguarding the accuracy and completeness of information and processing methods), and availability (ensuring that authorized users have access to information and associated assets when required).

LDAP

Lightweight Directory Access Protocol. This is a standard API for accessing and distributing directory/identity services. See also SAML.

Load balancing

A load balancer distributes workloads (network traffic) across multiple computing resources or applications. The load balancer attempts to equally use each computing resource, balancing the utilization of each; however, it also monitors availability and will automatically redirect traffic should one or more computing devices go offline due to maintenance or failure.

Managed cloud

A cloud environment where systems management, upgrades, and support are performed by a third-party provider on behalf of the customer organization — usually under contract and governed by a service agreement. A managed cloud can be hosted at a customer, provider, or third-party data center. Managed cloud is normally associated with a private or virtual private cloud where the routine management is outsourced to a third party.

Managed services model

In this model, subscribers pay a fee to an IT service integrator or outsourcing provider to perform day-to-day computer management, operations, and support services.

Metering (metered services)

The practice of measuring the resources (processors, memory, storage, and networking) consumed and billing for actual utilization of these services. Metering is the opposite of allocated services within the cloud computing industry.

Mission critical

Services or functions of the business that are essential for the success of the business or its customers. Mission-critical refers to computer systems and applications that are considered vital and must maintain a high-availability rating. Failures of mission-critical systems are catastrophic to the organization or customer.

Multitenant (multitenancy)

Software architecture in which multiple customers use a shared system but are separated from one another. Customers share the resources but are prevented from interacting or seeing other customers in the environment.

NIST

The National Institute of Standards and Technology. This agency is responsible for publishing computer standards and guidance under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.

OMB A-130

The Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies within the federal government to (a) plan for security; (b) ensure that appropriate officials are assigned security responsibility; (c) periodically review the security controls in their information systems; and (d) authorize system processing prior to operations and, periodically, thereafter.

Open source

Computer software that is available in source code form. An open license allows users to study, change, improve, and sometimes distribute the software. Open source software is often improved upon by many individuals, universities, and other organizations for the benefit of all users of the system.

PCI DSS

A multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Platform as a Service (PaaS)

Cloud service providing a set of applications, tools, and potentially a database system to the consumer. The provider manages all underlying server farms, networking, storage, operating systems, and core applications. PaaS is similar to IaaS, but the provider has preconfigured, and is responsible for, not only the compute infrastructure but also the applications, tools, and resources.

Private cloud

Cloud services offered exclusively to a single consumer at either a provider’s facilities, a consumer’s own facilities, or a third party. Multiple business units within the consumer organization can access the system. Management of the system can be performed by the provider, consumer organization, or third party, regardless of where the physical resources are located.

Public cloud

Cloud service offered to the general public. The provider owns, manages, and operates all compute resources located within the provider’s facilities. Resources available to consumers are shared across all customers.

Redundancy

The concept of duplicating components or systems with the purpose of keeping the system online and available should a single component fail.

Resilient

Normally refers to a characteristic of cloud-native applications that can sustain errors or failures in the cloud infrastructure and still function. A resilient application will have embedded self-healing logic to retry, reroute, throttle, and queue failed transactions rather than generate a user-facing error. See also cloud-native.

Return on investment (ROI)

A measurement used to evaluate the efficiency gained or effect of a given investment. ROI is calculated by taking the gain from the investment minus the cost of the investment, then dividing by the cost of the investment.

SAML

Security Assertion Markup Language. An XML-based standard for exchanging authentication data, considered an industry standard for cloud computing single sign-on and federated identity authentication.

Scale down

The concept of reducing computer instances, after a scale out has occurred, when peak utilization has subsided and the additional computing resources are no longer needed.

Scale out

The concept of adding additional computers, usually virtual machines, in a cloud environment to handle more workload or peak utilization. Scale out is not the same as scale up, but these terms are often misused.

Scale up

The concept of increasing the size of computing resources such as memory or processors to handle more workload or utilization.

Scaling

The concept of resizing computing resources to handle increases or decreases in workload or utilization. See also scale-up, scale-down, and scale-out.

Software as a Service (SaaS)

Cloud service offering that provides one or more applications to the consumer. Applications are hosted and managed by the provider in the cloud, with the consumer accessing the application services from various end-computing devices such as PCs, laptops, tablets, smartphones, or web browsers.

STIG

Security Technical Implementation Guide. A methodology for standardized secure installation and maintenance of computer software and hardware. The term was coined by DISA, which creates configuration documents in support of the U.S. Department of Defense. The implementation guidelines include recommended administrative processes and span the device’s lifecycle.

Storage area network (SAN)

A dedicated network that provides block-level data storage. A SAN is typically a large consolidated system, with one or more head units and numerous disk drives. Sophisticated RAID, striping, cache, and processing algorithms are used to maximize storage performance and reliability.

Storage as a Service

Cloud service, often part of IaaS, that provides storage on demand. This service often involves multiple levels of storage performance, as well as block and network-attached storage (NAS) types. Customers are normally charged per gigabyte or terabyte, based on the amount either allocated or metered.

Thin client

An end-user computing device that has only a portion of a typical desktop computer’s processing power, memory, and storage. The thin end device often does not have internal storage, so a minimal operating system is stored in read-only, nonvolatile memory. Thin-client devices — similar to the dumb terminals used in mainframe environments — need to connect to a larger computer environment through the network in order to run software applications. Thin-client devices are similar to zero-client devices, with the difference being that zero-client devices have no local operating system or software and can only be used when connected to a larger computer network.

Virtual machine (VM)

An isolated guest computer and operating system running within a physical computer’s hypervisor. One physical server running a hypervisor can host numerous virtual machines, each having a configurable amount of processor, memory, storage, and network allocated.

Virtual machine image (or template)

A file that contains a snapshot or copy of a preconfigured operating system and potentially some applications. This image file is used to instantiate or create a new virtual machine quickly rather than having to run an operating system installation process for every new virtual machine.

Virtual private cloud (VPC)

A variation of public cloud where a segmented compartment of an otherwise public cloud infrastructure is dedicated to one customer. VPC offerings bring some of the price advantages of a large cloud provider, but with a bit more customization, security, and segmentation of VMs, storage, and networking.

Virtualization

Virtualization of computing resources produces a virtual machine. Virtualization can also have an extended meaning, whereby networking, storage, and applications are no longer hardcoded or assigned to specific compute devices. Resources mapped in a logical manner can then be changed easily, often while systems are still online, rather than being hardcoded, cabled, or allocated to an individual compute device.

Workplace/Virtual Desktop as a Service (WPaaS)

Cloud service providing a remotely hosted desktop operating system, commonly Microsoft Windows or Linux, and applications to consumer end-users. Some cloud providers categorize this as part of IaaS or PaaS, but many utilize a unique name for this service to differentiate this virtual desktop offering from other products.

XaaS

Anything as a Service (X = anything). Could be any IaaS, PaaS, SaaS, or future unknown cloud-based service.