Hanover, January 2023 | Companies are shifting their digital functions and processes to external platforms to an ever greater extent. The outsourcing of IT services to the cloud has led to a massive increase in global data centre capacity in recent years, a trend that will continue to grow. In this process, an external provider makes IT infrastructure available and manages and monitors it. For the user of the external infrastructure, organisational and cost efforts are reduced. Compared to classic IT outsourcing, cloud computing offers even more flexibility: it can be adapted to the user’s needs at shorter notice and is more cost-effective.
Antonia Herfurth, LL.M. (Göttingen), Attorney at law in Munich and Hanover
What is cloud computing?
Cloud computing describes the provision of IT infrastructure via the internet. The cloud provider provides hardware and/or software, depending on the chosen cloud computing model. Thus, cloud computing is the counterpart to the traditional IT infrastructure on the premises.
Characteristically, users can use cloud solutions independently of the provider and have uncomplicated access via the internet, while the provider supplies the required capacities quickly and according to demand. The resources can be used simultaneously by several users, so the provider’s computing power and storage capacity must be sufficient.
Cloud computing relieves the user of costs, organisational effort and responsibility. They can access the IT infrastructure from anywhere. The services are scalable, so the performance can be expanded or reduced as needed. This gives the user more flexibility. Payment is usually based on usage (“pay as you go”). On the other hand, the user loses know-how when it is outsourced. One risk in cloud computing is the loss of control and security over the outsourced infrastructure.
Cloud computing models
The three best-known cloud computing models are Infrastructure as a Service, Platform as a Service and Software as a Service. Software as a Service is the most widespread, followed by Infrastructure and Platform as a Service. The models differ in the scope of the service provided.
Infrastructure as a Service (IaaS)
With IaaS, the provider makes the physical infrastructure available to the user. The user no longer needs a server on site and does not have to worry about floor space, computing power, storage space or archiving and backing up data. The provider is responsible for failures, repairs and other hardware problems. The user, in contrast, is responsible for the entire software: the operating system, middleware, runtime, applications, data and security, including the possible configuration of the firewall.
With IaaS, the user has a high degree of control because only the hardware is outsourced; many aspects of the on-premises solutions remain. On the other hand, he is responsible for the infrastructure that is under his control. He also has to guarantee its security. If the user uses older software and applications, they may not be compatible with the hardware provided, so updates are necessary.
IaaS is an interesting solution for companies where demand fluctuates greatly, such as online shops, and for companies with rapidly increasing demand, such as dynamically growing start-ups.
Examples of IaaS are Amazon Web Services, Google Cloud and Microsoft Azure.
Platform as a Service (PaaS)
PaaS builds on IaaS. It provides the hardware and environment necessary for the development of new software. For this purpose, the user accesses an online platform. With PaaS, the provider is responsible for hardware, operating system, middleware and runtime. The user is responsible for data and applications.
PaaS is particularly aimed at software programmers and developers.
With PaaS, developers gain time and freedom to develop software because they do not have to worry about maintaining the environment. However, the environment cannot be customised. In addition, the user is dependent on the provider. If disruptions occur at the provider, they have a direct impact on the software that resides on the platform. If the provider goes out of business, the entire platform environment goes out of business. Furthermore, not all platforms fit all software, so that the developer may have to make adjustments first.
Examples of PaaS are the version control services GitHub and GitLab. Version control is a system that logs and archives changes to files and documents so that previous versions can be accessed. So if the last change made to a piece of software brings disadvantages, the developer can simply revert to the previous version.
Software as a Service (SaaS)
SaaS builds on PaaS. It provides the user with the hardware, software, data and applications; the user only accesses them via a web browser. He does not need to worry about the hardware having enough power to keep the software running smoothly, nor about installing and maintaining the software.
The model is primarily aimed at regular end users. It is particularly interesting for small businesses and start-ups that do not have the capacity to develop their own applications and do not need customised applications.
SaaS is particularly user-friendly. However, the user needs an internet connection, otherwise he cannot access the service. With large amounts of data, the transfer can take a long time, whereas a transfer with on-premises infrastructure via Gigabit Ethernet (network cable) is fast and quite resistant to interference. Furthermore, the user cannot make individual adjustments; he only “consumes”. It can happen that the software provided is incompatible with applications, services, the user’s operating system or browser (the latter rarely). In addition, there is a high degree of dependence on the provider; disruptions have an immediate impact on the user’s business processes. Moreover, the user has little control over SaaS because all infrastructure is outsourced. As a result, data protection and data security are even more critical with this model than with IaaS and PaaS.
Examples of SaaS are the content management system WordPress, office solutions such as Microsoft Office365, the email service Gmail and the file hosting service Dropbox.
Further “as a Service” models
Many other models exist, but ultimately they can be assigned to IaaS, PaaS and SaaS, such as Desktop as a Service or Security as a Service.
Recently, another business model has emerged, namely Data as a Service (DaaS). DaaS is enabled by SaaS, but differs from the other cloud services in that the focus of the service is solely on the provision of information, the result of data processing. Information can be text, image, sound and video files. DaaS is meant to adapt even more to the needs of the user. Examples of DaaS are AI-powered translation tools such as DeepL.
An overview: IaaS, PaaS, SaaS in comparison
Private Cloud and Public Cloud
The user can decide whether to use exclusive IT resources for storing software and data or whether to share them with others.
In a private cloud, a specific IT resource is used exclusively by one user or by a defined group of users that is put together deliberately, for example because of a similar business field. In contrast, in a public cloud, users access a common external IT resource pool without the individual resource being assigned to specific users. Access is via the public internet. The hybrid cloud is a mixture of private cloud and public cloud. The user leaves sensitive areas in the private environment and uses the public resources for non-sensitive areas. The advantage is that the user benefits from the high security standards of the private cloud where necessary, but otherwise from the good scalability of the public cloud.
Cloud computing contracts
The contracts underlying cloud computing services consist of several parts. At a minimum, they consist of a general “main contract”, a comprehensive service description and provisions on security and data protection. This is often supplemented by special terms and conditions for individual services and products and documents external to the contract, e.g. standards and certificates.
The “main contract” underlying cloud computing services is usually a rental contract. The user uses the IT resources provided by the provider for a limited period of time in return for a fee. If additional services are agreed, such as maintenance, care and hotline services, these have a service or work contract character. In this case, the cloud computing contract is a mixed-type contract with essentially a rental contract character.
In addition, so-called Service Level Agreements (SLA) are concluded in which the scope of services is described. The legal model of 100% availability originates from tenancy law. However, since online services are not always 100% available in reality, providers and users agree on the quantitative and qualitative standard of the service to be provided, such as availability (e.g. 98% per month), speed, responsiveness, fault times.
If the user uses the external IT infrastructure for personal data, e.g. customer data, he must comply with data protection regulations as the controller. For this purpose, the cloud user as the controller and the cloud provider as the processor conclude a contract for data processing. The processing of personal data in third countries is particularly critical. The USA is also a third country where market-dominating cloud providers such as Amazon and Microsoft are located.
Cloud computing is suitable for users who do not want to have all IT infrastructure on the premises. The user saves time and money, and depending on the model, does not have to purchase, maintain and secure the infrastructure himself. However, the user loses control over the outsourced infrastructure to a certain extent. For users who are subject to particularly high security and data protection requirements, on-premises IT resources are more secure than those in the cloud, even if providers implement data protection and security concepts.
Users need to decide how important control, customisability and convenience are to them – then they can decide whether cloud computing suits them and, if so, which model.
+ + +