Gemini (ch-5)

Chapter 5 discusses the significance of cloud computing in financial services, highlighting its benefits such as cost efficiency, scalability, and access to advanced technologies. It also addresses potential downsides, including internet dependency, vendor issues, and security concerns, while emphasizing the importance of a robust Service Level Agreement (SLA) to mitigate risks. The chapter further explores various cloud service models (SaaS, PaaS, IaaS) and the distinctions between private, public, and hybrid clouds.

Uploaded by

babuluddinmd92

Okay, I've read Chapter 5, "The Importance of Cloud Computing," from the document "Digital
Transformation and Financial Services Fintech-by-Pranay-Gupta - Copy.pdf". I'll explain the
whole chapter, except for the "Cloud Architecture" section, using simpler sentences and practical
examples.

Here's a breakdown:

The Importance of Cloud Computing


Cloud computing is essentially using software and computing services that run on someone else's
computers (remote servers) and are accessed over the internet through a web browser or an app.
Think of it like using an online email service (like Gmail or Yahoo Mail) or a streaming service
(like Netflix). You don't own the servers or the main software, but you can use them anytime you
have an internet connection. Companies pay for these services, often based on how much they
use, which can be cheaper than buying and maintaining all their own computer systems.

It Can Rain Too (The Downsides)

While the cloud sounds great, there are potential problems.

• Internet Dependency: If your internet goes down, you can't access your cloud
  applications or data.
   o Example: If your office internet connection fails, you might not be able to access
     your company's customer database stored in the cloud until the internet is
     restored.
• Vendor Issues: If the cloud provider has technical problems, you're affected and have
  little control over fixing it.
   o Example: If the cloud company's data center has a power outage, your online
     store hosted there might go offline, and you have to wait for them to resolve it.
• Loss of Control: Your data and applications are on the vendor's servers, meaning you're
  trusting them with security and access.
   o Example: A small business uses a cloud service for its accounting software. They
     trust the cloud provider to keep their financial data safe from hackers.

Governmental Access

There's a risk that government agencies could legally access your data stored in the cloud. If the
data is on a cloud vendor's server, the government might serve legal notice to the vendor, who
might have to hand over the data, possibly without informing you due to a gag order.

• Example: A law enforcement agency, with a proper warrant, could request a cloud
  storage provider to share files belonging to a user under investigation. Microsoft has
  reported receiving thousands of such demands. Some companies, like Microsoft, are
  trying to address these privacy concerns by measures like relocating servers and
  transferring data access control to a trustee.

The Cloud and Data Science

Data science (often called "big data") is about finding useful patterns in huge amounts of data to
make predictions. Before the cloud, data scientists were limited by the computing power and
storage their own organizations had. Analyzing massive datasets was slow and difficult.

The cloud changed this by offering almost unlimited, affordable computing power and storage.

• Example: A research company wants to analyze global weather patterns to predict
  climate change impacts. Storing and processing petabytes of satellite imagery and sensor
  data would be too expensive with their own servers. Using the cloud allows them to scale
  their computing resources as needed and pay only for what they use, making the project
  feasible. Cloud providers even offer specialized services for managing and analyzing big
  data.

The Cloud Services

Cloud services have evolved from older computing models. Traditionally, you had a
"client/server" setup where your computer (client) connected to a company's server for
applications and data. This didn't scale easily; more capacity meant buying more hardware and
software licenses.

Cloud providers offer three main types of services:

1. Software as a Service (SaaS): You access applications hosted by the cloud provider
   through a web browser. The provider handles all the maintenance.
    o Example: Using Google Docs or Salesforce. You subscribe to the service, and
      Google or Salesforce manages the software and infrastructure.
2. Platform as a Service (PaaS): The provider offers a platform (like operating systems,
   hardware, and network infrastructure) for you to develop and run your own applications.
   You focus on building your app, and the provider handles the underlying platform.
    o Example: A software developer uses Google App Engine to build and host a new
      mobile game. They don't have to worry about managing servers; they just upload
      their game code.
3. Infrastructure as a Service (IaaS): The provider offers basic building blocks like virtual
   servers, storage, and networking. You can assemble these resources on demand to build a
   virtual data center.
    o Example: A growing e-commerce company uses Amazon Web Services (AWS)
      to get virtual servers, storage for their product images, and networking capacity.
      They can add more servers during peak shopping seasons and reduce them later,
      paying only for what they use. This is sometimes called "utility computing"
      because you pay for it like electricity.

The Private Cloud


A private cloud is like a traditional data center but provides services only to entities within the
organization. Internal departments are like "clients" of the group operating the private cloud. It
offers more security and control because resources aren't shared with other organizations.
Communication usually happens over secure, private lines.

A private cloud can be:

• Owned and operated by the organization itself.
• Outsourced to a vendor where the computing resources are dedicated solely to that
  organization.
• A hybrid approach called "cloud bursting," where the organization uses its own private
  cloud for most things but uses a public cloud vendor for extra capacity when needed (e.g.,
  moving non-sensitive tasks to the public cloud to free up private resources).
• Example: A large bank might use a private cloud to host its core banking systems and
  sensitive customer data because it needs tight control over security and compliance.

The downside is that private clouds can be more expensive because the organization bears the
entire cost, and economies of scale are limited compared to public clouds.

The Public Cloud

The public cloud offers computing resources to the general public (individuals and
organizations) over the internet, usually for a monthly fee. It's for those who don't need the
extreme security of a private cloud.

Public clouds offer significant economies of scale because expensive infrastructure is shared
among many clients. This allows vendors to provide state-of-the-art operations with redundancy
(backup systems) to ensure services are always available as long as you have internet. The
vendor handles operational risks, updates, and security measures.

• Example: A startup creating a photo-sharing app might use a public cloud like Google
  Cloud. They get access to powerful servers, storage, and application hosting without the
  upfront cost of building their own data center. They pay a monthly fee based on their
  usage.

Hybrid Clouds

A hybrid cloud combines a private cloud and a public cloud. Sensitive operations are done in the
private cloud, while less sensitive tasks use the public cloud. Users typically access both
seamlessly through a single portal or browser.

This allows organizations to meet security and regulatory needs with the private cloud while
using the flexible and scalable public cloud for growth and less critical tasks.

• Example: A hospital might use a private cloud to store and manage confidential patient
  records (to comply with health data regulations). For its public website, appointment
  scheduling, and general information, it might use a public cloud for cost-effectiveness
  and scalability.

An organization can use two different vendors for this, or one vendor might offer both dedicated
(private) and shared (public) resources, or the organization might run its own private cloud and
use a public cloud vendor.

Why Implement a Cloud?

There are many advantages to using cloud computing, especially for growing organizations or
those with fluctuating needs:

• Easy Capacity Increase & Scalability: Quickly add or reduce computing power as
  needed.
   o Example: An online retailer can easily scale up server capacity during a holiday
     sale and then scale down afterwards.
• Competitive Advantage: Respond to market changes quickly without long-term
  financial commitments for hardware.
• Latest Technology: Access new technologies without buying expensive resources.
• Reduced Time to Market: Get computing resources in days instead of months.
• Disaster Recovery: Cloud providers usually have multiple data centers, making recovery
  from disasters easier.
• Frees Real Estate: Less need for on-site data centers frees up physical space.
• No Upfront Investment: Pay via subscription instead of buying hardware.
• No Maintenance: The vendor handles software updates and security patches.
• Focus on Core Business: Shifts IT management to the vendor, whose core business is
  the cloud.
• Collaboration: Enables staff to work together in real-time from anywhere.
• Flexible Work: Staff can access resources on the go using mobile devices.
• Reduced Carbon Footprint: Shared resources are often more energy-efficient.
• Staff Focus: Frees up IT staff for business-focused tasks instead of infrastructure
  management.
• Hidden Security: Files can be automatically saved to the cloud, protecting against local
  device crashes.

Why Not Use the Cloud?

There are also disadvantages:

• Connectivity Issues: Relies on internet connections; no internet means no access.
   o Example: If a company's remote office has an unstable internet connection,
     employees there might struggle to consistently access cloud-based sales tools.
• Traffic Volume & Slow Response: High demand on the public network or the provider's
  infrastructure can lead to slow performance if not managed well by the vendor.
• Software Incompatibility: Older or custom applications might not work well with the
  cloud provider's resources or newer software versions they use.
   o Example: A company has a 15-year-old custom inventory system. Migrating it to
     a modern cloud platform might require significant reprogramming or might not be
     feasible.
• Support for Legacy Systems: Cloud vendors might not have specialists for very old or
  niche applications, or they might charge a premium.
• Security Concerns: Responsibility shifts to the provider. A breach at the provider could
  affect many clients. While providers have sophisticated security, they also have many
  potential points of attack due to their large infrastructure.
• Dependency on Vendor: Your business becomes reliant on the cloud provider's stability
  and business practices. Switching vendors can be difficult and disruptive.
   o Example: If your cloud provider is bought by a competitor, you might be forced
     to share computing resources with that competitor or face changes in service
     terms.

Mitigating Risk

Organizations can take steps to reduce cloud-related risks when choosing a provider by
addressing these in a Service Level Agreement (SLA):

• Encryption: Ensure data is always encrypted (e.g., using AES-256).
• Demarcation: The provider must show how your data and applications are kept separate
  from other tenants (e.g., physical caging of servers).
• Data Replication & Restoration: Understand how the provider backs up and restores
  data in case of a disaster.
• Data Ownership: Clarify that your organization owns its data and its format.
• Application Ownership: Clarify who owns custom applications or queries developed,
  especially if the provider's staff helps create them.
• Termination Terms: Define how the relationship ends, who owns what, how data will
  be moved or destroyed, and conditions for termination, before signing up.
• Costs: Identify all potential costs upfront: setup, ongoing fees, maintenance, changes, and
  termination costs.
• Security Standards: Ensure the provider meets your minimum security requirements.
• Provider Limitations & Experience: Verify the provider has the promised resources,
  staff, and up-to-date technology. Years of operation aren't the only factor.
• Bandwidth: Ensure the provider has enough network capacity for current and future
  needs to avoid slow performance.
• Service Level Agreement (SLA): This contract defines the entire relationship, including
  expectations, liabilities, responsibilities, fees, and termination processes.

The Cloud Life Cycle

Choosing cloud options involves an eight-step process:

1. Define the Purpose: Identify your organization's specific needs (e.g., expand capacity,
   update technology, offer new services).
    o Example: A software company (like Adobe) might use the cloud to offer its suite
      of creative applications via a monthly subscription instead of selling individual
      products.
2. Define the Hardware: Determine the type of hardware needed to run your applications
and data.
3. Define Storage Service: Choose storage optimized for backup, archiving, or active use.
4. Define the Network: Specify requirements for security, traffic volume (data, voice,
video), and transfer speeds.
5. Define Security: Outline needs for authentication (who can access), authorization (what
they can do), and encryption (protecting data at rest and in transit).
6. Define Management Processes and Tools: How will you monitor and manage your
cloud assets, applications, and data?
7. Define Building and Testing Requirements: If developers will build and test
applications in the cloud, what environment and tools do they need?
8. Define Analytics: What tools are needed to monitor operations and provide data for
decision-making?

(The "Cloud Architecture" section is skipped as requested.)

Serverless Computing

Serverless computing is a cloud model where the cloud provider dynamically manages the
allocation and provisioning of servers. You write your application code as a set of functions, and
the cloud provider runs these functions only when they're triggered by an event. You don't
manage any servers yourself.

• Example: Imagine you have an e-commerce website. Instead of having a server running
  24/7 to process orders, with serverless computing, a piece of code (a function) to process
  an order only runs when a customer actually clicks "buy." You only pay for the exact
  time that function runs, not for idle server time. This can be very cost-efficient for
  applications with variable workloads.

Cloud Security

This refers to the set of policies, technologies, applications, and controls used to protect data,
applications, and the associated infrastructure of cloud computing. It's a shared
responsibility between the cloud provider (security of the cloud) and the customer (security in the
cloud).

• Provider's responsibility (Security of the cloud): Securing the underlying infrastructure
  (hardware, software, networking, and facilities that run cloud services).
   o Example: Amazon Web Services is responsible for the security of its data
     centers, the physical servers, and the network that connects them.
• Customer's responsibility (Security in the cloud): Securing what you put in the cloud
  (data, applications, operating systems, network configurations, identity and access
  management).
   o Example: If you run a virtual server on AWS, you are responsible for patching its
     operating system, configuring its firewall, managing user access to it, and
     encrypting the data you store on it.

Levels of Security

Cloud security involves multiple layers to protect information assets. These levels can be thought
of as a defense-in-depth strategy:

 Physical Security: Protecting the actual data centers from unauthorized physical access,
environmental threats, etc. (Primarily the provider's role).
o Example: Data centers with biometric scanners, surveillance cameras, and
restricted access.
 Infrastructure Security: Securing the network, servers, and virtualization layers.
o Example: Using firewalls, intrusion detection/prevention systems, and secure
configurations for virtual machines.
 Application Security: Ensuring the software applications running in the cloud are
secure.
o Example: Regularly scanning web applications for vulnerabilities, using secure
coding practices, and implementing web application firewalls.
 Data Security: Protecting the data itself through encryption (at rest and in transit), access
controls, and data loss prevention (DLP) techniques.
o Example: Encrypting customer databases, using strong passwords and multi-
factor authentication for access, and monitoring for unusual data access patterns.
 Identity and Access Management (IAM): Controlling who can access what resources
and what they can do with them.
o Example: Assigning specific roles and permissions to users so they only have
access to the systems and data necessary for their jobs.

By implementing security at each of these levels, organizations can build a more resilient and
secure cloud environment.

Levels of Security

A cloud provider typically has data center facilities in one or more regions, possibly in
a region of the United States or in countries outside of the United States. The organization
can select the region for its applications and data. Furthermore, the organization
can have different regions used for specific applications and databases.

The organization can add a level of security by encrypting data on the client-side,
where only the organization can decipher the data. This is in addition to encryption
provided by the cloud vendor in-transit and at-rest in the vendor's facility. Even if
data is intercepted, encryption makes the data useless to the hacker who gains access
to this data.

Application-level security focuses on preventing unauthorized access to the
application. The organization and the cloud provider should have logs that indicate
when the application is accessed and the IDs and IP addresses that have access. Logs
should also indicate all writing and reading of data with specific information to trace
who had access or at least what computing device was used.

Another important security implementation is for the cloud provider to have
application programming interface (API) logs. The cloud offers microservices that can
be accessed from practically anywhere in the cloud. API logs record information about
when the microservice was called and the application that called it. This enables the
security staff to trace access back to the application if it was hacked.

Data import and export logs should also be in place by the cloud provider to
record any large movement of data. Ideally, the cloud has an alert system that calls
attention to unusual transfers of data. The security staff can immediately monitor
and investigate the activity and possibly halt the transfer. Similar alerts should occur
when there have been a set number of failed attempts to access the application or
data. Alerts should also be sounded when access is attempted from an unexpected IP
address. Alerts trigger a real-time response to a potential hack.
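
The three alert conditions just described (a set number of failed attempts, access from an unexpected IP address, and an unusually large data export) can be evaluated over access logs as sketched below. This is an added example, not code from the book or from any cloud provider; the log format, the thresholds, and the expected network range are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system).
# Assumed format: timestamp user source_ip action result bytes
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice 10.20.1.15 login ok 0
2024-05-01T09:02:10 bob 10.20.1.40 login fail 0
2024-05-01T09:02:25 bob 10.20.1.40 login fail 0
2024-05-01T09:02:41 bob 10.20.1.40 login fail 0
2024-05-01T09:05:00 alice 10.20.1.15 export ok 52428800
2024-05-01T09:30:00 carol 203.0.113.77 login ok 0
2024-05-01T09:31:12 carol 203.0.113.77 export ok 6442450944
2024-05-01T11:00:00 bob 10.20.1.40 login fail 0
"""

# Policy values are assumptions chosen for this example.
EXPECTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
MAX_FAILS = 3                        # "a set number of failed attempts"
FAIL_WINDOW = timedelta(minutes=10)  # failures must fall within this window
MAX_EXPORT_BYTES = 1024**3           # exports above 1 GiB count as unusual


def detect(log_text):
    """Return a list of (timestamp, user, rule) alerts in log order."""
    alerts = []
    recent_fails = defaultdict(deque)  # user -> timestamps of recent failures
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed lines instead of stopping the monitor
        ts_s, user, ip_s, action, result, size_s = parts
        try:
            ts = datetime.fromisoformat(ts_s)
            ip = ipaddress.ip_address(ip_s)
            size = int(size_s)
        except ValueError:
            continue

        # Rule 1: access attempted from an unexpected IP address.
        if not any(ip in net for net in EXPECTED_NETS):
            alerts.append((ts_s, user, "unexpected_ip"))

        # Rule 2: a set number of failed attempts inside a sliding window.
        if action == "login" and result == "fail":
            fails = recent_fails[user]
            fails.append(ts)
            while ts - fails[0] > FAIL_WINDOW:
                fails.popleft()
            if len(fails) >= MAX_FAILS:
                alerts.append((ts_s, user, "failed_attempts"))
                fails.clear()  # one alert per burst of failures
        elif action == "login" and result == "ok":
            recent_fails[user].clear()

        # Rule 3: unusually large movement of data out of the cloud.
        if action == "export" and result == "ok" and size > MAX_EXPORT_BYTES:
            alerts.append((ts_s, user, "large_export"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Bob's single failure at 11:00 raises no alert because the earlier burst has aged out of the window, which is the difference between a sliding-window count and a running total.
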

Object-level security is another area to focus on. Objects are a collection of data
in a database. Security concerns are at the database level and at the data level.
Database-level security centers on access of the database, while data-level security looks
at access to specific types of data within the database. In addition to encryption, data
can be limited by views of data. Based on authorization, the database management
system can assemble virtual tables of data from tables in the database.

Platform-level security is a security process that prevents unauthorized access to
the computing device such as computers, network services, application servers, and
database servers. Without access, data and applications are secured. It is important to
ensure that the cloud provider offers and implements all security levels to the product
and the organization's applications and data.

Critical to successful security of the cloud is the organization's ability to manage
security access. As employees are hired, terminated, and transferred into new roles,
the organization must modify security access to the organization's computing
resources. Some resources are internal and others are on the cloud. The cloud provider
should offer a way for the organization to change security access settings for
cloud resources quickly and in coordination with changes to internal security settings.
Ideally, changes to the internal security settings should flow automatically to
the cloud security settings.
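
The automatic flow from internal security settings to cloud security settings can be modeled as a reconciliation step that compares the internal directory with the grants currently held on the cloud side. The sketch below is an added example, not code from the book or from any provider's API; the role names, permission names, and both data sets are hypothetical and constructed.

```python
# Role-to-permission mapping; role and permission names are hypothetical.
ROLE_PERMS = {
    "teller":  {"core-banking:read"},
    "analyst": {"reports:read", "datalake:read"},
    "dba":     {"db:admin", "datalake:read"},
}

# Constructed internal directory state after today's staffing changes.
INTERNAL = {
    "alice": {"role": "analyst", "active": True},   # transferred from teller
    "bob":   {"role": "dba",     "active": False},  # terminated
    "dana":  {"role": "teller",  "active": True},   # new hire
}

# Constructed grants currently present on the cloud side.
CLOUD = {
    "alice": {"core-banking:read"},                 # still has the old role
    "bob":   {"db:admin", "datalake:read"},         # access not yet removed
    "erin":  {"reports:read"},                      # unknown to the directory
}


def plan_sync(internal, cloud, role_perms):
    """Return (action, user, permission) steps that bring the cloud grants
    in line with the internal directory, with revocations ordered first."""
    steps = []
    for user in set(internal) | set(cloud):
        record = internal.get(user)
        if record and record["active"]:
            # An unknown role maps to no permissions (fail closed).
            wanted = role_perms.get(record["role"], set())
        else:
            # Terminated staff and accounts missing from the directory
            # are entitled to nothing.
            wanted = set()
        have = cloud.get(user, set())
        steps += [("revoke", user, perm) for perm in have - wanted]
        steps += [("grant", user, perm) for perm in wanted - have]
    order = {"revoke": 0, "grant": 1}
    return sorted(steps, key=lambda s: (order[s[0]], s[1], s[2]))


if __name__ == "__main__":
    for step in plan_sync(INTERNAL, CLOUD, ROLE_PERMS):
        print(*step)
```

Running revocations before grants means a transfer never leaves a user holding both the old and the new role's access, and the account that exists only in the cloud ("erin") is caught because the comparison covers both sides.
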
