**4. What is in the 'Cloud'**

The survey report conducted by Sahandi et al. [3] revealed that 25.1% of participants were not sure about the term cloud computing; therefore, this section fills in this gap by providing substantial evidence on what the 'cloud' literally means. This is important because the increase of cloud computing understanding is expected to accelerate cloud adoption by enterprises. Cloud separates application and information resources from the underlying infrastructure, and the mechanisms used to deliver them. Cloud computing, more specifically, refers to the use of a set of services, applications, information and infrastructure made up of pools of compute, network, information and storage resources that can be quickly orchestrated, provisioned, implemented and decommissioned, as well as scaled up or down, enabling on-demand utility-like (as in electricity) models of allocation and consumption. More discussion, from the standpoint of the introduction, is focused on how the cloud differs from and is similar to the current computing models, as well as how these similarities and differences affect organisational, operational and technological approaches to network and information security practices. The keys to understanding how cloud architecture affects lock-in parameters are a common, succinct vocabulary, along with a consistent taxonomy [24], of offerings, by which cloud services and architecture can be dissected, mapped to a method of compensating security and operational controls, risk assessment and management frameworks and ultimately to business process compliance standards. Cloud is usually the preferred option when organisations procure new ICT services, as reflected in the UK government's cloud first policy. Against this background, it is essential that new services are chosen and built in a way that reflects their security needs. The European Council (EC) has pushed cloud computing because it may make cutting-edge software and services affordable for SMEs and other customers, driving the digitalisation of society and the economy. The US National Institute for Standards and Technology's (NIST) most official explanation of the cloud model explains why cloud computing is often likened to a utility model, similar to electricity or gas distribution. However, the cloud model is also widely used by universities and research centres for scientific computing and by governments for online public services. As companies continue to pursue the cloud for data processing needs, cloud data centres are becoming the new enterprise data repository. CSA [25] report suggests that consumers' understanding of the cloud has matured and signals a technology landscape where consumers are actively considering cloud migration.

The cloud is a service from the user's point of view. However, the architecture for cloud service providers, integrators and channel partners who build or construct the

#### *Perspective Chapter: Cloud Lock-in Parameters – Service Adoption and Migration DOI: http://dx.doi.org/10.5772/intechopen.109601*

cloud is made up of numerous cloud computing components. Hypervisors, cloud operating system components and other such cloud components are examples of, virtual desktop infrastructure platforms, cloud dedicated firewalls, etc. The most basic cloud computing is the operating system (OS). Through the utilisation of virtualisation technology, cloud OS virtualised hardware resources of physical servers and storage area network devices and supported software-defined networking. Cloud OS enhances the performance and security of cloud computing systems as well as the user experience of administrators and users. Cloud is a primary accelerator of innovation. As pointed out in ITU [26], understanding the emerging trend in ICT services known as cloud computing is a requirement for businesses to successfully utilise it and all of its advantages. Before implementing the cloud concept, it is frequently necessary to obtain specialised knowledge in the areas of data centre administration and commercial interactions.

Cloud simplifies rapid application development, allowing resources to scale on demand with flexible, consumption-based billing models. Migrating to the cloud also allows enterprises to implement turnkey solutions that use consistent processes and protocols while ensuring regulatory and business process compliance. Despite the benefits of the cloud, any change brings new risks. Ultimately, cloud services offer organisations and research institutes security protection beyond anything an individual agency could deliver in-house. Although the cloud may be secure in and of itself, it is still the organisation's job to ensure the security of applications developed and deployed to production in the cloud. Because there are many different types of code and application building blocks to secure while developing cloud-native applications, application security safeguards enterprise data. When working with cloud products and services, the remaining section of this chapter is aimed at providing businesses with recommendations on how to best achieve portability and interoperability. As cloud standards customer council [27] concurs that the lack of portability and interoperability between components of cloud solutions could mean that the potential business benefits of cloud computing are not met.

Cloud computing is one of the enablers of the European Commission Digital Strategy (ECDS) transformation [28]. The European Commission (EC) has promoted cloud computing towards companies and public administrations alike since the adoption of the first European cloud computing strategy in 2012. Cloud first with a secure hybrid multi-cloud service offering is the EC's vision for cloud computing. The cloud first approach implies that any development should preferably be cloud-native, and existing information systems would be reassessed for transformation, rewiring or replacement within the context of the modernisation plans foreseen by the ECDS, setting the opportunities arising in the business and application lifecycle. Cloud computing relies on the sharing of resources to achieve coherence and economies of scale, similar to a public utility. The international market for cloud services has led to the development of a new paradigm for transformational programming in which cloud-native information systems are constructed without reference to the underlying ICT infrastructure on top of a variety of cloud-based services. Code written at a much higher abstraction level results in a large reduction in the amount of code required to achieve the same functionality. This reduced code base enables faster rewrites to adapt to changes, boosts agility, lowers operational costs and requires less maintenance work. All of this enables companies to focus on business issues rather than ICT issues. Besides, the real value of cloud computing can only be unlocked by moving information systems to a cloud-native development pattern. ICT teams must start employing agile and cloud-native development practices such as DevSecOps and design systems

according to modern data-centric architectures supporting the consumption of loosely-coupled micro-services. Cloud systems should be conceived in such a way that they can benefit from the advantages of cloud-based delivery models regardless of whether the data or processing capabilities are on-premise or in the public cloud.

Cloud services must be designed and operated according to security best practices. The designers of new information systems would only be able to use a limited number of services if they tied an organisation to a single cloud provider. In order to avoid being dependent on a single public cloud provider, the organisation should opt for a multi-cloud strategy. As a result, the cloud service consumer organisation will, in a vendor-neutral manner, obtain ICT services from the cloud provider that is best suited for the services required, depending on the use case. The secure and safe usage of cloud services is intrinsically linked to an appropriate data classification for all data assets of an information system. Moreover, one of the most relevant factors for the success of the cloud is the ability to enable a modern way of managing Big Data. Cloud-based data services and solutions to manage the high volume of data and data operations are key elements for shaping the organisation of tomorrow. The usage of vendor-specific advanced cloud services increases the risk of lock-in with one particular cloud supplier. Such a situation is not inevitable though, but the switchability of one cloud provider to another one should just be a refactoring cycle away. Information systems that are cloud-native are always designed and built with a certain cloud platform in mind. The information system may be created in ways that make it difficult for portability and reusability in order to get the most out of the chosen cloud platform. This may result in a situation known as vendor lock-in, in which data or information systems are dependent on a single provider and are immobile [29]. The council recognises that one of the crucial elements for guaranteeing the stability and security of the internal market is avoiding vendor lock-in and diversifying ICT suppliers. Emphasises the importance of advocating for and putting into practice suitable measures that support vendor diversity and competitiveness in a way that is technology-neutral, further supports including provisions relating to preventing vendor lock-in in EU legislation. Accepts the proposal for a Regulation on Harmonised Rules on Fair Access to and Use of Data (Data Act), which aims to improve the interoperability of data processing services and remove barriers to switching between providers of data processing services. The next subsection(s) will discuss the different cloud delivery mechanisms and service deployment models as well as emerging trends in these aspects.

#### **4.1 Service models**

The choice of service models is important because it will largely determine the types and effectiveness of security separation mechanisms that are available. However, this choice of service model will also affect the amount of responsibility that one has for securing your data and workloads within the service and how much responsibility the cloud provider will take on your behalf.

• Infrastructure as a Service (IaaS)—According to Sen [30], cloud infrastructure can be a real risk as each implementation choice affects future scalability, service level and flexibility of the services being built. It is fair to denote that 'futureproofing' should be the primary concern of every system architect. There are huge incentives for any vendor to increase lock-in through contractual, fiscal and technical constrictions. Interest in cloud infrastructure has been driven by a
