By Jen Schellinck
In a previous article John and I provided some useful analogies to help people become comfortable with the ideas associated with AI, IT and cloud technologies. We did this by relating these new technologies to existing technologies that people already understand. In this second note, I’ll dispense with the analogies and describe, at a high-level, how the internet and the cloud work. This more literal overview will further facilitate discussions with people who have a more in-depth knowledge of these technologies.
What does it mean for something computer-related (an application, a computer or a computer network) to be on the cloud? What does it mean for it to be on a private cloud vs a public cloud, or for an application to be ‘on-prem’ or ‘as-a-service’? To understand all of this, you’ll benefit from a bit of information about networked computers and how they work. Relatively quickly, you’ll start to get a good sense of the important differences between these possible digital technologies.
Step 1: Single Computer
It’s useful to start from the very basics, and build up from there. The simplest case to consider is a single computer, sitting in your home office, and not connected to anything else (except perhaps a keyboard and monitor). In the case of this stand-alone computer, the only way to get information into or out of the computer is to connect it to an external storage device (e.g. a USB device) and move the relevant information (usually in the form of a file) onto that external storage. Then, if I wanted to, I could connect this external device to another computer, and move the information onto that computer.
Step 2: Simple Network
However, it is also possible to directly connect one computer – for example the computer in your office – to another, for example the computer in your living room, and then move information between them. To connect a computer to another computer, we can either use a wire (e.g. a phone-line, a coaxial cable) or use radio waves (e.g. Wi-Fi, Bluetooth).
A computer that is not physically connected to any other computer is referred to as ‘air-gapped’ – it’s called this because there is only air between it and any other computer. This is a bit confusing when we include Wi-Fi or Bluetooth in the picture since we can’t see the radio waves in the air, but a computer is only air-gapped if there are neither wires nor radio-waves connecting it to another computer. To enforce this, computers air-gapped for security reasons usually have these devices removed or disabled so no accidental connections can be created.
By contrast, when computers are physically connected to other computers, either by wire or radio-waves, the result is called a computer network. An entire computer network can be air-gapped if it is not connected to any other computer network.
Within computer networks, there are two main issues: 1. how does one computer find a specific other computer on the network, in order to send and receive information, and 2. how do we ensure that people don’t access computers they aren’t supposed to access on the network, via other computers on the network (or attach new computers to the network, and then use these to access the rest of the network)?
In this regard, computers and computer networks are similar to buildings in a neighbourhood, town, city, etc. Just as buildings in a defined area are all given unique addresses, computers can be given unique addresses (in the form of strings of numbers). And just as buildings have security to prevent the wrong people from getting into a building, in the form of locks, physical barriers at access points and security badges, computers also have these preventative measures, in the form of passwords, firewalls and user authentication and identification.
There is nothing preventing someone who is setting up a group of computers that are physically connected together from devising their own strategies and protocols for how these computers locate and access other computers on their network. For example, I might choose to connect all of the computers in my house using coaxial cable and give them each a unique name, stored in their memory. In terms of the connection strategy, I might connect each computer by a single cable to one central hub computer. Each of the non-hub computers would then communicate only with that hub computer, which would know where to find the other computers and how to communicate with the other computers. Computers would communicate by sending pre-defined patterns of electrical pulses to the hub computer. The hub-computer would run specific software that would allow it to decode these pulses, determine which other computer the message was for, and then send the relevant part of the message to the intended computer recipient of the message.
To flesh out this scenario, we can imagine a situation where one of our home computers has a much more powerful processor than the others, so we set our network of computers up to automatically send large computing jobs to this specific, more powerful computer. Since all of the computers in our network are trusted, and our network as a whole is air-gapped, we don’t need to worry too much about other people trying to break into our network and gain access to our powerful computer for their own computing uses. Perhaps one of our other computers has a large hard drive and we use that computer to store all of our digital movie files. When I want to watch a movie in my office, it sends the correct file through the hub-computer and then over to my requesting office computer.
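To make the hub-based scheme concrete, here is an added simulation (my own illustration, not code from the article): each computer is cabled to a hub, every transmission carries the names of the intended recipient and the sender in a simple header, and the hub decodes that header and forwards the rest of the message to the right computer. The host names, the header layout and the movie-file exchange are all constructed for this example. It also shows the second concern raised above: a computer plugged into a spare cable that was never registered with the hub gets nothing forwarded, even if it claims the name of an existing computer.

```python
# Added example, not code from the article: a toy simulation of the
# hub-and-spoke home network described above. Names, the frame layout and
# the hosts are all constructed for this illustration.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Frame:
    dst: str        # name of the intended recipient
    src: str        # name of the sender
    payload: bytes  # the part of the message meant for the recipient


def encode(frame: Frame) -> bytes:
    """Turn a Frame into the 'pre-defined pattern' sent down the cable.

    Constructed wire format: 1-byte length + name for dst, the same for src,
    then the raw payload until the end of the transmission.
    """
    dst = frame.dst.encode("ascii")
    src = frame.src.encode("ascii")
    if len(dst) > 255 or len(src) > 255:
        raise ValueError("host names are limited to 255 bytes in this format")
    return bytes([len(dst)]) + dst + bytes([len(src)]) + src + frame.payload


def decode(raw: bytes) -> Frame:
    """Inverse of encode(); raises ValueError on a truncated transmission."""
    pos, names = 0, []
    for _ in range(2):
        if pos >= len(raw):
            raise ValueError("truncated frame header")
        n = raw[pos]
        pos += 1
        if pos + n > len(raw):
            raise ValueError("truncated host name")
        names.append(raw[pos:pos + n].decode("ascii"))
        pos += n
    return Frame(dst=names[0], src=names[1], payload=raw[pos:])


@dataclass
class Host:
    name: str
    hub: Hub | None = None
    inbox: list = field(default_factory=list)

    def send(self, dst: str, payload: bytes) -> bool:
        if self.hub is None:
            return False
        return self.hub.transmit(encode(Frame(dst, self.name, payload)), self)

    def receive(self, frame: Frame) -> None:
        self.inbox.append(frame)


class Hub:
    """The central computer every other computer is cabled to."""

    def __init__(self) -> None:
        self.hosts: dict[str, Host] = {}  # name -> the host on that cable
        self.dropped = 0

    def register(self, host: Host) -> None:
        self.hosts[host.name] = host
        host.hub = self

    def transmit(self, raw: bytes, cable: Host) -> bool:
        """Decode what arrived on one cable and forward it to the right host.

        Drops the frame if it is malformed, if the claimed sender is not the
        host actually on that cable, or if the destination is unknown.
        """
        try:
            frame = decode(raw)
        except ValueError:
            self.dropped += 1
            return False
        if self.hosts.get(frame.src) is not cable:
            self.dropped += 1
            return False
        dst = self.hosts.get(frame.dst)
        if dst is None:
            self.dropped += 1
            return False
        dst.receive(frame)
        return True


def run_demo() -> dict:
    """Office computer asks the movie server for a file; a stranger is dropped."""
    hub = Hub()
    office, movies = Host("office"), Host("movies")
    hub.register(office)
    hub.register(movies)
    office.send("movies", b"GET film.mp4")
    request = movies.inbox[-1]                 # the movie server reads the request
    movies.send(request.src, b"<bytes of film.mp4>")
    stranger = Host("office", hub=hub)         # plugged in, never registered, claims a name
    stranger_ok = stranger.send("movies", b"GET film.mp4")
    return {
        "office_got": office.inbox[-1].payload,
        "movies_got": request.payload,
        "stranger_forwarded": stranger_ok,
        "dropped": hub.dropped,
    }


if __name__ == "__main__":
    print(run_demo())
```

The hub's identity check (`self.hosts.get(frame.src) is not cable`) is what turns "the hub knows where every computer is" into a modest access control: only computers the owner registered can have their messages carried, which is the trust assumption the air-gapped home network relies on.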
A set of connected computers that are all geographically local (e.g. all within the same house) are called a Local Area Network (LAN). A set of computers connected across a larger area is called a Wide Area Network (WAN). Because the signal sent across the connecting wires fades over large distances, special technology can be required for WANs.
Step 3: Connecting to the Internet: Routers and Firewalls
With the advent of the internet (originally called the world-wide-web due to the large, international web of networked computers it represents), universal protocols were developed that would enable huge numbers of physically distant but connected computers to find and communicate with each other. This was hugely beneficial, as it allowed for blindingly fast access to other computers with relevant information and capabilities. At the same time, this required the development of security protocols, to make sure that access to these networked computers was not exploited and abused.
What is the difference, if any, between one computer connected to another within my house, and the computer in my brother’s house across the street that is connected to other computers via the internet? His computer is still in close physical proximity to mine, so in that sense it seems like his computer would still be a part of my LAN.
Internally, the computers in my house LAN are most likely connected to each other through a specialized computer called a router. A router is not strictly necessary in a LAN, but it makes things easier. This is the computer that acts as the hub to direct messages properly to the other computers in my LAN. The router can also connect my LAN to the internet as a whole. When this happens, my LAN is no longer air-gapped from the internet. However, the router can still restrict access to my LAN using a firewall. A firewall is a piece of software that sits on a special computer in the LAN (in the case of the home network the firewall is in the router). The firewall monitors the computers connecting to the router and the information flowing across it, blocking connections and information that should not be flowing between my internal network and the internet.
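The following added example (my own illustration, not code from the article) shows the behaviour a home router's firewall gives you: traffic that a LAN computer starts is let out and its replies are let back in, while an unsolicited connection from the internet to a LAN computer is dropped unless the owner has deliberately published that port (as one would for the web server introduced in Step 4). The address ranges, port numbers and sample packets are constructed.

```python
# Added example, not code from the article: a toy stateful packet filter
# of the kind that runs on a home router. Address ranges, ports and the
# sample packets are constructed for this illustration.
from __future__ import annotations

from dataclasses import dataclass

LAN_PREFIX = "192.168.1."   # constructed private address range for the LAN


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Firewall:
    """Default-deny for traffic arriving from the internet.

    Rules, checked in order:
      1. a packet leaving the LAN is allowed, and the connection is remembered;
      2. an inbound packet answering a remembered connection is allowed;
      3. an inbound packet to a port the owner deliberately published
         (e.g. a web server) is allowed;
      4. any other inbound packet is dropped.
    """

    def __init__(self, published: set[tuple[str, int]] | None = None) -> None:
        self.published = published or set()          # {(lan_ip, port)}
        self.connections: set[tuple[str, int, str, int]] = set()
        self.log: list[str] = []

    def filter(self, pkt: Packet) -> bool:
        if is_lan(pkt.src_ip) and not is_lan(pkt.dst_ip):
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return self._decide(pkt, True, "outbound from LAN")
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections:
            return self._decide(pkt, True, "reply to a LAN-initiated connection")
        if (pkt.dst_ip, pkt.dst_port) in self.published:
            return self._decide(pkt, True, "published service")
        return self._decide(pkt, False, "unsolicited inbound")

    def _decide(self, pkt: Packet, allow: bool, reason: str) -> bool:
        verdict = "ALLOW" if allow else "DROP"
        self.log.append(f"{verdict} {pkt.src_ip}:{pkt.src_port} -> "
                        f"{pkt.dst_ip}:{pkt.dst_port} ({reason})")
        return allow


def run_demo() -> list[bool]:
    """Four constructed packets; returns the verdict for each in order."""
    fw = Firewall(published={("192.168.1.10", 80)})   # a home web server, constructed
    packets = [
        Packet("192.168.1.20", 50123, "203.0.113.5", 443),    # LAN computer browses a site
        Packet("203.0.113.5", 443, "192.168.1.20", 50123),    # the site's reply
        Packet("198.51.100.7", 40000, "192.168.1.20", 3389),  # stranger knocks on a desktop
        Packet("198.51.100.7", 40001, "192.168.1.10", 80),    # visitor reaches the web server
    ]
    verdicts = [fw.filter(p) for p in packets]
    for line in fw.log:
        print(line)
    return verdicts


if __name__ == "__main__":
    run_demo()
```

The remembered-connection set is the "stateful" part: the same inbound packet from the site is allowed only because a LAN computer spoke to it first, which is why a home LAN can browse freely while strangers on the internet cannot reach its desktops.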
If my brother’s computer was able to connect directly to my router – e.g. using Wi-Fi – and he had the right password to get through the firewall, then his computer could become a part of my LAN. But what if my brother was in another city? Could he still connect to my LAN? One problem, apart from the distance, would be that my home router doesn’t have the internet equivalent of a permanent unique street address. It does have a temporary unique address, but that address changes, for example, when the router is re-booted (it does this for complicated reasons relating to the limited number of possible internet addresses in the current internet address system).
This doesn’t cause problems for me when I want a computer on my LAN to connect to other computers on the internet because in that case, these other computers don’t need to know my address, in the same way that you don’t need to know my phone number in order for me to phone you. To get a permanent address of my own, for my LAN, I would need to make arrangements with my service provider (and typically pay more), in order to give my router what is called a ‘static IP address’.
Step 4: Servers (Serving up Your Information to the World)
I could then set up a specialized computer on my LAN specifically for serving information (e.g. web-pages) to people from the internet who are visiting my LAN. I would also need to carry out a bunch of administrative activities, as determined by the organization that runs the internet, to establish it as an available web server on the internet. As part of this I could also connect a nice name (a domain name) to my permanent string-of-numbers address, to make the whole experience more user-friendly.
This specialized computer would be called a server, because it would be set up to serve information to other computers – in this specific case, computers that are visiting from the internet. There are different types of servers: for example, in our earlier description of our home LAN we also had a ‘movie server’ that was set up to provide movie files across the rest of our LAN. When a server is typically used to provide files to the internet it is often called a ‘web server’, although this name can also be used just for specific software on this server that only serves web-pages.
Once everything has been set up, my brother could connect to my LAN, through the internet. However, a major difference between how my brother connects to my LAN vs. how my internal computers connect to the LAN is that, in his case, he would have to connect to my computer network through my router using this newly available external static internet address and using world wide web protocols. One side effect of using these protocols is that, to get to my LAN, his message might first need to travel through many other cities and computers. Then he would most likely be directed by my router to my web server, in order to get access to any information that I wanted to make available through the internet.
Somewhat confusingly, but very importantly, once I had set up my permanent address, there would be nothing stopping me from connecting to one of the other computers on my LAN by using the internet and going through the exact same steps as my brother’s computer. It could be more efficient to connect more directly to another part of my LAN through the internal facing part of my router, but it might also be very easy to just type in the external static address of my router and access my LAN that way, particularly if I wanted to access something readily available on my web server.
Step 5: The Cloud (Renting the Computers of a 3rd Party)
So far we have discussed local networks and also the internet as a whole, and how they relate, but we have not yet discussed the cloud. However, perhaps you can see where things are heading. As the internet matured, some companies began specializing in providing computers and computing services and entire computer networks that could be rented out by other organizations or individuals. In some cases these computers might be physically accessible, but often they might be accessible only over the internet, because they might physically exist a great distance away, and be surrounded by many security measures. Either way, these rented computers could then be used similarly to the computers existing on my local area network. So, for example, instead of keeping all of my digital movies on a computer physically located in my house, I could rent a computer on a server farm – which is to say, one of a bunch of computers connected to the internet through a web server – and store all of my movies on that computer. Then I could access this computer through the internet, no matter where I was, using any device connected to the internet.
People started to refer collectively to hardware and software that could be rented via the internet as ‘the cloud’. This was made technologically feasible by a number of developments on the computer technology front, including improved distributed computing and the ability to create web applications.
Web applications are applications that can be accessed through the internet using a web browser (and which are served by a web server). Because they are run through a web browser, they must conform to the existing standards for web browsers, which can make them harder to create. However, this difficulty on the creation side is greatly outweighed by other benefits. The first is that everyone has a web browser, which means the web-app will be much easier to access than a stand-alone application. As well, because the web browser connects to the web app through a computer network, there can be much greater interaction between the user of the web-app and the creators and maintainers of the web-app. For example, if there is a bug in the web-app, the creator can quickly and easily fix it and the user will get the new and improved version right away.
Step 6: Web Applications
As web applications (or networked applications more broadly) became more popular and sophisticated, organizations started to want to use these web applications within their own organizations, rather than having everyone within the organization running their own individual applications on their own computers. Organizations also realized that having an organizational presence on the internet (as opposed to only having a LAN) would be beneficial. By running their own web-server on their own LAN, and making parts of their LAN accessible through their firewall, they could install a web application on a server and make this application available on the internet, but carefully restrict access to it via user authentication (e.g. user-name and password). In this way a computer not on the LAN (e.g. my computer at home) could access the relevant application, allowing someone to work from their home computer.
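As an added example (my own illustration, not code from the article), here is the smallest form of the arrangement just described: a web application served from an organization's own server that anyone on the internet can reach, but that only answers users who present a valid user-name and password. The account, password and realm name are constructed; the passwords are stored only as salted, slow hashes and compared in constant time, which is what a practitioner would expect even from a minimal internal app.

```python
# Added example, not code from the article: a minimal web application that is
# reachable over the network but only usable by people holding an account.
# The user name, password, salt and realm are constructed for this example.
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

ITERATIONS = 200_000   # PBKDF2 work factor; raise as hardware allows


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_db(credentials: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Store only a random salt and a slow hash, never the password itself."""
    return {user: (salt, hash_password(pw, salt))
            for user, pw in credentials.items()
            for salt in (os.urandom(16),)}


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header a browser sends after the login prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def check_basic_auth(header: str | None, db: dict[str, tuple[bytes, bytes]]) -> str | None:
    """Return the authenticated user name, or None if the header is missing,
    malformed, names an unknown user, or carries the wrong password."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, _, password = decoded.partition(":")
    record = db.get(user)
    if record is None:
        # Unknown user: do the same hashing work so response time does not
        # reveal which user names exist.
        hash_password(password, b"\x00" * 16)
        return None
    salt, expected = record
    if hmac.compare_digest(hash_password(password, salt), expected):
        return user
    return None


USERS = make_user_db({"alice": "correct horse battery staple"})   # constructed account


class AppHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        user = check_basic_auth(self.headers.get("Authorization"), USERS)
        if user is None:
            # Ask the browser to prompt for credentials; nothing else is revealed.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="intranet app"')
            self.end_headers()
            return
        body = f"Hello {user}, this page only exists behind the login.\n".encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listens on port 8080; Basic auth sends the password with every request,
    # so place this behind TLS before publishing the port through the router.
    HTTPServer(("0.0.0.0", 8080), AppHandler).serve_forever()
```

The server itself is deliberately plain; the part worth copying is `check_basic_auth`: it rejects malformed headers before doing any work, never compares passwords with `==`, and spends the same hashing effort on unknown users as on real ones.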
Step 7: Private Cloud and On Premise Solutions (For Greater Security)
Or, if the organization preferred a more secure approach, they could run the web-app on an internal server and only allow computers specifically connected within the LAN access to this server and its web-app. Even before web apps were popular, organizations often took this approach with database software, which typically requires special hardware and software to run, particularly when there is a lot of data involved. The software runs on an internal database server, and people within the organization who have computers connected to the LAN can access this server by running a special application on their computer that knows how to connect to the database software on the database server.
This whole situation led to the development of some new concepts, including ‘private cloud’, ‘on-premises software’ and ‘software as a service’. Somewhat confusingly, these terms aren’t always defined the same way by the same people.
With respect to a private cloud, the definition provided by Microsoft is: “computing services offered either over the Internet or a private internal network and only to select users instead of the general public.” (https://azure.microsoft.com/en-us/overview/what-is-a-private-cloud/). Other people sometimes specify that in the case of a private cloud that uses computers rented from the internet, rather than computers owned by the organization, the computers and software that are rented and accessed over the internet should not be shared by multiple organizations in order to be considered a private cloud.
Going by these definitions, it is technically the case that a private cloud might just be a LAN that has internal servers that provide software to users of the LAN, but the term ‘private cloud’ is not typically used to refer to this situation, even if technically it fits the definition. More typically, the private cloud is a set of computers being rented by the organization that are accessed via the internet. The term might also refer to a LAN with a web server that allows access to software on the LAN through the internet, but where the access is strictly for people within the organization. Or an organization’s private cloud might be some combination of all of these elements.
Software itself is considered to be ‘on-premises’ software if it is hosted by an organization on their private internal network of computers owned by the organization. The term comes from the idea that the software is run on a computer that is physically connected to other computers situated on the same premises, connected in a local area network. This is in contrast to Software as a Service (SaaS): software that is run on computers owned by another organization, but provided to the client organization as a web-app, accessible through web-browsers. Typically the software is then offered as a subscription service by that organization. In this second case, the client organization has no direct access to the computers running the software, and they only have access to the software for as long as they are paying the subscription fee.
There are a variety of somewhat complicated but also very common hybrid setups relating to public or private cloud and on-prem or SaaS. For example, there could easily be a situation where a software application is owned by, installed on, and hosted by the web server of an organization, and consequently is accessible via the internet, but it is only accessible by employees of the organization, because only they are given usernames and passwords. In this case, the software might have much of the feel and functionality of SaaS – e.g. it is accessed via a web-browser on a home computer with a login – even though it is in fact being hosted by the LAN of the organization. Similarly, if a software application is being hosted on private cloud infrastructure that operates effectively like a LAN, even though the physical computers are not local, it might feel more like on-prem software because, for example, people must log on to the organization private cloud network, but then can access the software as if it were stand-alone software on their desktop.
Ultimately, there are many different combinations and permutations of both computer network setups and software sharing setups, and organizations often use all of these options at once. The goal of this discussion is to help those using and managing these setups to be able to better distinguish between the sometimes nuanced options available to them, and to feel comfortable discussing these options with those who are making them available to the organization.