What is the cloud and how does it work

  • Daniel Marsh
  • |
  • November 09, 2021

What is the cloud?

Two standards are now widely accepted as defining cloud computing, published by the International Standards Organisation (ISO) in 2014 and the National Institute of Standards and Technology (NIST) in 2011.

The ISO standard incorporated many of the basic definitions defined by the 2011 NIST standard.

Both standards agree that cloud computing includes the following five essential characteristics.

  • On-demand self-service: the consumer can unilaterally access server time and network storage, as needed, automatically.
  • Broad network access: the services are available over a suitable network and can be accessed by mobile phones, tablets, laptops, workstations and other devices.
  • Resource pooling: the cloud provider’s computing resources are pooled to provide a service to multiple customers (so-called multi-tenancy), with the physical resources (the infrastructure) and virtual resources (software) dynamically assigned and reassigned according to consumer demand. The consumer might not know the exact location of these resources.
  • Rapid elasticity and scalability: the resources are elastically released so that an increase in demand can be accommodated. Scalability should appear to have unlimited potential to the consumer and should be on tap at any time.
  • Measured service: cloud systems automatically control and optimise resource use that at some level is ‘metered’ according to the type of service (storage, processing, bandwidth and user accounts). Hence resource usage can be monitored, controlled and reported, providing transparency for both the provider and consumer of the utilised service.

Where is the cloud?

The servers that host the virtual machines at the heart of the cloud are located in large air-conditioned rooms in data centres just like the one below:

A major consideration when selecting the location of a data centre is latency (the time it takes for a request to travel from a user to the data centre and the response to come back again); in general, the closer a data centre is to the user, the lower the latency.

Placing a data centre in a cool climate minimises the amount of energy needed to cool the servers. Likewise, a dry climate means that less energy is used to remove humidity. (High humidity is bad for the servers because it can cause condensation, which damages the electronic components.)

Types of cloud

You might think that the idea of a cloud is quite nebulous – an anonymous, unknown location that is shared by many unrelated users. This is a pretty spot-on description of a public cloud. It is owned, managed and operated by a business, or academic or government organisation, or some combination of these, and the hardware infrastructure physically exists on one or more of the premises owned by the cloud provider or one of their partners.

This is the cloud that everyone knows and uses. Cloud providers, such as Amazon Web Services, Microsoft and Google, have constructed vast data centres to house thousands of servers and the necessary associated networking equipment. To ensure that they can comply with local privacy and protection laws, the large cloud providers have built data centres in multiple separate legal jurisdictions.

On the other hand, the term private cloud has come to mean a cloud infrastructure that is for the exclusive use of a single organisation (which might itself comprise multiple business units). It may be owned, managed and operated by the organisation, a third party or some combination of these, and it may exist on or off the premises of the organisation.

Although private clouds offer some of the advantages of public clouds, compared to a public cloud, they are likely to be on a much smaller scale with far fewer servers.

Some people say that by the definition of a cloud set out in the ISO standard, private clouds are not clouds at all, and to call them clouds raises false expectations in the people who use them.

The third type of cloud, a community cloud, is a cloud infrastructure that is exclusively for a specific community of consumers from organisations that have shared concerns (e.g. mission, security requirements, policy and compliance considerations). It may be owned, managed and operated by one or more of the organisations in the community, a third party, or some combination of them, and it may exist on or off-premises.

The cloud and I

If you use Facebook, Twitter, Dropbox or Gmail on a PC, tablet or phone, your data is already being stored, and possibly processed, in the cloud. The companies behind these social interactions, file storage and communication tools use vast data centres that house the servers, databases and networking equipment to support millions of users around the world. 

Some companies mine the data that you provide them with when you sign on for ‘free’ services. This can be directly sold to others or can be collated into audience types and marketed to advertisers to enable them to target particular adverts to particular target groups. Other companies might tempt you in with modest free services in the hope that you will sign up for additional chargeable services. Or you may be bombarded by adverts, the revenue from which goes to the company. The fact that Google and other providers of ‘free’ services are incredibly profitable may suggest that we underestimate the revenue that they accrue from their ‘free’ offerings.

Cloud architecture

Cloud providers must have a mechanism to allow multiple users to access the same physical resources, which are usually large servers located at a distance from the consumers. This can be achieved using a technology called virtualisation.

The virtual machine form of virtualisation takes the resources of a single physical host computer (CPUs, memory and input/output devices) and divides them into multiple virtual machines. Each virtual machine appears to be an independent, self-contained computer with its processor, memory and peripherals, running a standard operating system. In a hosted environment, the hypervisor software provides the communication between the operating system of the host (which, in turn, directly manipulates the hardware) and one or more ‘guest’ virtual machines.

This kind of virtualisation allows a single piece of hardware (a server) to be shared by many different cloud customers. This is an example of abstraction – the user of a virtual machine sitting ‘on top of’ the server does not need to know the details of the particular hardware that the server employs.

The following image shows a triangle with layers of abstraction in cloud computing. Note that each layer is dependent on the layers below it:

The lowest layer is the infrastructure layer and is mostly composed of the physical kit, such as servers, storage and networking hardware. A customer that wants to operate within this layer is willing to pay the cloud provider to be responsible for the infrastructure.

The middle layer is the platform layer and provides an interface between the applications and the infrastructure. This layer includes an operating system plus other software (collectively called middleware) that is needed to write and run applications. A customer that wants to operate within this layer, is willing to pay the cloud provider to be responsible for both the infrastructure and the platform.

Finally, the top layer, sometimes called the application layer, includes the data and applications. A customer that wants to operate within this layer, is willing to pay the cloud provider to be responsible for the infrastructure, the platform and the applications.

Pizza as a Service

The following image shows a famous infographic developed by Albert Barron, a Senior Software Client Architect at IBM. He uses the different ways a customer can obtain a pizza dinner as an analogy for who manages what when a customer buys a cloud service.

In this analogy, the ‘infrastructure’ is the raw ingredients of the pizza (dough, tomato sauce, toppings and cheese). The ‘platform’ is what is needed to process the raw ingredients into a pizza (an oven, fire, electricity or gas). Finally, the ‘application layer is what you need to realise your complete pizza experience (a dining table and a soda).

Each column shows different ways of getting a pizza dining experience, and who manages which elements in each case. Although this is just a bit of fun, the basic idea of how responsibilities are divided up for Pizza as a Service is very helpful in the understanding cloud.

Cloud services for business

The NIST standard defined three major cloud services, which still form the backbone of the services offered by cloud providers today.

The following image below provides a comparison of what the cloud provider manages and what the customer manage with different cloud services.

Infrastructure as a Service

If, as a business, you select Infrastructure as a Service (IaaS), you are essentially outsourcing your hardware needs to a cloud provider. IaaS cloud providers sell virtual access to off-site servers, storage and networking hardware. As the customer, you can build your platform on this hardware and access it at any time, paying only for the resources you use.

IaaS can have many advantages for businesses. It means that they do not have to buy and maintain expensive equipment. They also do not have to pay their own IT professionals to run it, or to manage data security and disaster recovery processes.

Businesses can also scale their use of infrastructure as demand goes up or down, which is of particular advantage for web-hosted businesses that may have widely fluctuating demands. IaaS can also enable a cheaper way to build testing and development environments to explore new opportunities in an agile way because the customer only pays for the resources they use when they use them. Even large companies with their infrastructure may use IaaS, rather than wait for their own Research and Development units to acquire the appropriate equipment and expertise needed to pursue a new opportunity.

Platform as a Service

The second category of service is known as Platform as a Service (PaaS). In this model, the cloud provider takes responsibility for managing both the infrastructure and the software platform, which includes the operating system and middleware such as a runtime environment. In this service, the actual applications and data continue to be the responsibility of the customer.

Although similar to conventional web hosting, most PaaS providers add value by way of pluggable services such as authentication and authorisation, email, user interface components, and an application platform interface (or API - that is a set of routines, protocols and tools for building software applications) that allow the customer to monitor and manage the applications.

PaaS provides one or more platforms on which a business can run existing applications or develop and test new ones without being at risk of compromising their internal systems. It also enables development teams that are geographically distributed to work together on the same software project.

PaaS is particularly useful for companies that build and deploy software applications that run in the cloud, such as web application management, application design, app hosting, storage, security and app development collaboration tools. Such businesses can easily test their products on several different platforms and host their final products on websites hosted on cloud-based platforms.

Another scenario where PaaS is particularly appropriate is for businesses that rely on simulations that require intensive processing of data that comes from a large number of distributed sources. PaaS can offer additional functionalities built into the platform, such as software for distribution, messaging, monitoring, managing databases, workflows, etc.

Software as a Service

Any application hosted on a remote server that can be accessed over the internet is considered to be Software as a Service (SaaS). This is the kind of cloud computing that you are most likely to be familiar with as an individual. However, these services are also being widely taken up by businesses that appreciate the scalability when new users come on board or leave. In addition, many SaaS contracts include automatic control of the version of the software that is being used. Alternatively, SaaS customers can also negotiate that they are upgraded to new releases of the software only when they want to be, or that they can use new software on a trial basis before committing to it.

Downtime and uptime

Downtime is the time during which cloud services are not available. The cloud service providers have to juggle demand, and there is always a danger that, despite their claims to provide an ‘on-demand service, they may be overwhelmed. Unscheduled outages can also occur because of technical problems, and scheduled downtime might be necessary for routine maintenance – not to mention that a lost internet connection can cause the entire business to grind to a halt.

Uptime is the time during which cloud services are available. In general, cloud providers like to talk about uptime but cloud customers tend to focus on downtime!


Although good cloud service providers implement the best security standards and industry certifications, storing data and important files on external clouds and moving them across networks always opens up risks. In addition, the multi-tenancy aspect of cloud architecture, where customers share infrastructure, platforms and applications, means that if a security issue arises in any of these layers, it affects everyone. A single vulnerability, misconfiguration or malicious hacker can cause a security breach across an entire provider’s cloud.

Cloud users might also want to ensure that their cloud service provider has chosen sites for their data centres in locations that minimise the risks of natural disasters, intruders and terrorism. It is important that cloud users can trust their cloud provider to vet and carefully manage their employees and contractors, as a great deal of data theft, even from high-security data centres, is perpetrated by insiders.

Limited control

Since the cloud infrastructure is entirely owned, managed and monitored by the service provider, the customer has very little control, particularly over any downtime, trouble-shooting, back-ups and disaster recovery. In many SaaS situations, the customer may have little or no control over the version of the software they are using.