
Cloud Computing Basics

The following basic information is relevant to all target groups.

What is Cloud Computing?

So far, no generally applicable definition of the term cloud computing has gained acceptance. Publications and speeches frequently use definitions that are similar in most cases but still vary from one to the next. Finally, the International Organization for Standardization (ISO) has defined cloud computing in a standard that is used by the BSI.

The ISO standard defines cloud computing as follows (ISO/IEC 22123-1 section 3.1.1): 

cloud computing: paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand

Examples of resources include “servers, operating systems, networks, software, applications and storage equipment”. In this context, the “self-service provisioning” refers to the provisioning of resources for cloud services that the cloud customers carry out with the help of automated means.

A cloud service is an information technology service offered as part of cloud computing. It includes, among others, infrastructure (e.g. computing power, storage space), platforms and software (see also section “Which Different Service Models are Offered in Cloud Computing?”).

The ISO standard defines the following six key characteristics for cloud computing (ISO/IEC 22123-2 Section 5.2):

  1. Broad network access: Services are available over a network using standard mechanisms and are not tied to a specific client.
  2. Measured service: Resource usage can be measured, monitored and metered accordingly. It can be made available to cloud customers.
  3. Multi-tenancy: Physical or virtual resources are allocated in such a way that the processes and data of different clients are separated and inaccessible to each other.
  4. On-demand self-service: Provisioning of resources (e.g. computing power or storage) runs automatically without manual interaction from the cloud provider.
  5. Rapid elasticity and scalability: Cloud services can be made available quickly and elastically, in some cases automatically. From the user's perspective, the resources therefore appear to be unlimited.
  6. Resource pooling: The cloud provider's resources are available in a pool from which cloud users are served (multi-tenant model). Users do not know exactly where the resources are located. However, they can often contractually specify the storage location, e.g. region, country or data center.

Cloud computing is subject to constant change and there may be cloud services for which not every characteristic fully applies. An overly dogmatic view of the individual points should therefore be avoided.

Definition of cloud computing previously used by the BSI

For a long time, the BSI used its own definition for the term “cloud computing” in order to have a consistent foundation:

Cloud computing is understood as offering, using, and billing IT services dynamically adapted to the requirements, via a network. Here, these services are only offered and used by means of defined technical interfaces and protocols. The range of the services offered within the cloud computing framework covers the entire spectrum of information technology and, among other things, includes infrastructure (e.g. computing power, storage space), platforms and software.

This definition was based on the definition of the US standardization body NIST (National Institute of Standards and Technology). To avoid creating unnecessary vagueness and complexity, the BSI will refrain from using its own definition in future. The ISO definition was therefore chosen, as the BSI believes that it more accurately reflects the special features of cloud computing, such as the fact that cloud computing is a separate IT paradigm.

Link to the NIST definition of cloud: NIST-Cloud Definition

What distinguishes a public cloud from a private cloud?

The ISO standard distinguishes between four different cloud deployment models (ISO/IEC 22123-2 section 5.5):

In a private cloud, the cloud infrastructure is only operated for one institution. It can be organized and managed by the institution itself or by a third party and can be located in the institution's own data center or at a third-party institution.

The term public cloud is applicable when the services can be used by the general public or a large group, such as an entire industrial sector, and the services are made available by a provider.

In a community cloud, the infrastructure is shared by several institutions that have similar interests. Such a cloud can be operated by one of these institutions or a third party.

If several cloud infrastructures that are independent of each other are used together via standardized interfaces, this is called a hybrid cloud.

However, the above definitions do not cover all variants of cloud offerings, which leads to further definitions such as “virtual private cloud”, etc.

Which Different Service Models are Offered in Cloud Computing?

In general, a distinction can be made between three different categories of service models:

  1. Infrastructure as a Service (IaaS)
    In the case of IaaS, IT resources such as computing power, data storage devices or networks are offered as a service. A cloud customer purchases these virtualised and highly standardised services and builds their own services for internal or external use. For example, a cloud user may rent computing power, memory and data storage devices and run an operating system with applications of their choice on it.
  2. Platform as a Service (PaaS)
    A PaaS provider makes an entire infrastructure available and, on the platform, offers the customer standardised interfaces which are used by services of the customer. For example, the platform can provide multi-client capability, scalability, access control, database accesses etc. as a service. The customer has no access to the underlying layers (operating system, hardware), but is able to run its own applications on the platform, for the development of which the cloud service provider (CSP) usually offers their own tools.
  3. Software as a Service (SaaS)
    This category includes all offers of applications meeting the criteria of cloud computing. There are no limits to the range of offers. Examples include contact data management, financial accounting, word processing or collaboration applications.

The term “as a service” is also used for a number of additional offers, such as Security as a Service, BP as a Service (Business Process) and Storage as a Service, so that the term “XaaS”, i.e. “something as a service”, is frequently used. Most of these offers can be assigned at least roughly to one of the categories above.

The service models also differ in the customer’s influence on the security of the offered services. In the case of IaaS, the customer has full control of the IT system from the operating system upwards, since everything is operated within their sphere of responsibility. In the case of PaaS, the customer only has control of their applications that run on the platform and, in the case of SaaS, the customer practically hands over the entire control to the CSP.

What Distinguishes Cloud Computing from Conventional IT Outsourcing?

In outsourcing, an organisation's work, production or business processes are transferred completely or partially to external service providers. This is an established part of organisation strategies today. In most cases, conventional IT outsourcing is designed so that the complete infrastructure rented is used exclusively by a single customer (single-tenant architecture), even if outsourcing providers usually have several customers. Moreover, outsourcing contracts are most often concluded over longer contract periods.

Using cloud services is similar to conventional outsourcing in many respects, but there are also several differences which have to be taken into account:

  • For economic reasons, several users share a jointly used infrastructure in a cloud.
  • Cloud services are dynamic and thus scalable in both directions within much shorter periods. Thus, cloud-based offers can be adapted more quickly to the customer’s actual needs.
  • The cloud services used are usually controlled by means of a web interface by the cloud user themselves. Thus, the user can automatically tailor the services used to their individual needs.
  • With the technologies used for cloud computing, it is possible to distribute the IT performance dynamically over several locations that can be widely distributed geographically (both at home and abroad).
  • The customer can easily administrate the services used and their resources via web interfaces or other suitable interfaces, requiring little interaction with the provider.