Cyber (Anything-as-a-Service – XaaS)

  • The relatively-new service model Anything-as-a-Service (XaaS) has expanded the older Software-as-a-Service (SaaS) model beyond any limitations, to include any product or service that may be provided by a cloud service provider (CSP) to a buyer/customer on the CSP’s own intranet, network or virtual private network (VPN), where such product or service is sold by the CSP to the buyer/customer on a subscription basis, and never leaves the CSP’s own intranet, network or VPN.

  • The XaaS model is not applied strictly to computer situations; other industries also sell their proprietary products and services on the internet and world-wide web using the XaaS model: most-commonly, in the music industry, streaming services such as Apple Music and Spotify provide Music-as-a-Service (MaaS) based on the XaaS model; in the architecture world, the leading computer-aided design (CAD) provider uses the XaaS model exclusively for solutions that might be called CAD-as-a-Service (CADaaS), and the most-iconic architectural reference book – Architectural Graphic Standards (AGS) – has a XaaS offering, in effect, AGS-as-a-Service (AGSaaS); in the construction industry, the most-iconic and voluminous building products and specifications catalogue – Sweet’s Catalogue (SC) – also has a XaaS offering, which could easily be characterized as SC-as-a-Service (SCaaS).

  • So today, in the computing world, besides SaaS, there are also many variations of XaaS offerings such as, for example: Analytics-as-a-Service (AnaaS); Authentication-as-a-Service (AuaaS); Backend-as-a-Service (BaaS); Bot-as-a-Service (BoaaS); Containers-as-a-Service (CaaS); Data-as-a-Service (DaaS); Database-as-a-Service (DbaaS); Desktop-as-a-Service (DeaaS); Function-as-a-Service (FaaS); Infrastructure-as-a-Service (IaaS); Platform-as-a-Service (PaaS); Robotic-Process-Automation-as-a-Service (RPAaaS); Security-as-a-Service (SecaaS); Security-Operations-Center-as-a-Service (SOCaaS); Storage-as-a-Service (StaaS); Testing-as-a-Service (TaaS); Windows-as-a-Service (WiaaS); Workspace-as-a-Service (WoaaS); and the like.

  • Analytics-as-a-Service (AnaaS) agreements generally facilitate a fully-customizable platform – including, for example, dashboarding, a data warehouse (DWh), extract/load/transform or extract/transform/load (ELT/ETL) capabilities, online analytical processing (OLAP), reporting and various other common data-manipulation tools – to provide subscription-based data analytics software and procedures through the cloud, typically including a business intelligence (BI) solution with end-to-end capabilities, to analyze, organize, present and systematically-extract relevant information from big data (data sets too large and complex for traditional data-processing application software to handle), in a manner most-suited to the particular enterprise; requires server hardware with massive storage capabilities, processing power and speed; uses artificial intelligence (AI), data mining and predictive analytics to effectively reveal insights and trends extracted from the big data sets; very suitable for working with data warehouses, reducing big data sets through data cleaning, to parse the most-relevant data; provides descriptive, diagnostic, predictive and prescriptive data analytics for analysis of big data through aggregation, data science and grouping; generally International Standardization Organization (ISO) 9001 and 27001 certified, at a minimum.

  • Authentication-as-a-Service (AuaaS) agreements address the authentication of users, which is generally-considered to be the weakest aspect of cloud security; by creating a service that collects many authentication mechanisms – including for example: single sign-on (one password); multi-factor (password plus immediate call to the user’s smartphone, and/or either some behavioral biometric method such as some pre-measured user behavioral characteristic like a handwritten signature by the user, or some physical biometric device such as a face, fingerprint, hand, retina or voice scanner) – combined with anti-malware, anti-virus, encryption algorithms – such as for example the Advanced Encryption Standard (AES), data encryption standard (DES), MD5 hashing, one-time password (OTP), Rijndael encryption (RE) and Rivest-Shamir-Adleman (RSA) – firewalls and password management (requiring users to generate new passwords on a consistent basis), AuaaS providers hope to create an environment that may facilitate authentication of a user quickly, while simultaneously blocking unauthorized individuals from entering the particular cloud ecosystem; the AuaaS solution will be inserted in a daisy-chain arrangement between the general internet or world-wide web and the ultimate cloud goal of a user, such as a SaaS cloud ecosystem; may generally comply with standards such as, for example – Open Authorization (OAuth), Security Assertion Markup Language (SAML) and Web Services Federation (WS-Federation); may have typical security components such as, for example – access controls, anomaly detection, authentication strategies, authorization controls, certificate controls, fraud detection, graphical authentication, identity management (IdM), key management, one-time authentication (a password good for only one use), public-key infrastructure (PKI) (for use with security protocols such as SSL/TLS and SSH), security policy management (SPM), social authentication (login information gleaned from the user’s verified social media websites), trusted computing group (including mobile trusted module – MTM – or trusted platform module – TPM); may utilize technologies such as for example – extensible authentication protocol (EAP), Kerberos protocol, lightweight directory access protocol (LDAP), representational state transfer (REST) application programming interfaces (APIs), SAML-based authentication.

  • Backend-as-a-Service (BaaS) agreements facilitate access to a suite (collection) of cloud-based application programming interfaces (APIs) and software development kits (SDKs) – such as, for example: data management; databases; email notifications; file storage; login authentication; push notifications; representational state transfer (REST) and GraphQL APIs; social media integration – that may be used for development of other applications or to run other applications themselves, thus eliminating infrastructure compatibility issues, focusing development efforts on the frontend of an application, improving the scalability of applications, reducing overall development costs, and removing repetitive development tasks from application development; since the BaaS model is focused more on development than on security, an enterprise employing a BaaS model should not rely on such model as their sole source for data security, but rather should employ further security solutions in a daisy-chain arrangement, with the general internet or world-wide web at the originating end, then the various security solutions, and then finally the BaaS interface at the authorized user end.

  • Bot-as-a-Service (BoaaS) agreements facilitate the provision of any sort of “bot” (an automated software application intended for use on the internet or world-wide web that is programmed – “trained” – to either independently do certain repetitive tasks or to emulate certain human behavior) to an authorized buyer/customer on a subscription basis; such bots may be benign bots – such as chatbots (which attempt to emulate a person conversing with an actual human visitor to a website through short message service – SMS – messages in real time), search engine bots (which index the content on website pages), social bots (residing in social media platforms), web crawlers (a/k/a Googlebots, which continuously search for new websites and pages on websites) – or malicious bots, which may “scrape” content from website pages (meaning duplicating such content or even an entire website without the website owner’s prior expressed permission, which might then be used to create “spoof” – fake – websites luring unsuspecting visitors in, to perpetrate some fraud upon them) or may perpetrate credential stuffing attacks (finding personal information such as credit card numbers or bank accounts and then using such information to make purchases or to empty the bank accounts), so although such scraper bots may be categorized by some pundits as benign purveyors of Data-as-a-Service (DaaS), merely collecting data perhaps already in the public domain for their handlers, such scraper bots are actually highly-controversial, because they are in reality stealing the intellectual property (IP) content produced by owners, without such owners’ prior expressed permission, often for nefarious purposes, which might then result in a chain of liability, leading back to such owners from countless unknown third-parties who may have been somehow injured through the misuse of the content stolen by such scraper bots; legitimate bot providers can “train” – program – the bots to perform whatever legal task may be requested by the buyer/customer, and may also provide the buyer/customer with bot management applications (“anti-bots”) to protect against attacks by malicious bots; the most-developed and sought-after bots are robotic process automation (RPA) bots (such as web crawlers – a/k/a “spiders”), which have the highest capabilities for independent “thought” (meaning that they have the most artificial intelligence – AI – so they are capable of adjusting themselves to changed circumstances without human input); basically, any type of legal bot may be provided “as-a-service” (XboaaS), such as for example – Chatbot-as-a-Service (CboaaS) or Voicebot-as-a-Service (VboaaS), and the like.
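The bullet above mentions bot management ("anti-bot") tooling that defends against malicious bots such as those running credential stuffing. The following added example (written for this page; not code from the page's author or any anti-bot product) shows the kind of detection such tooling performs on the defender's side: it parses a constructed authentication log and flags a source address whose failed logins spread across many different accounts within a short window, the signature that distinguishes automated credential stuffing from a single user mistyping a password. The log format, the field names and the thresholds are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (documentation-range IPs, made-up users).
# 203.0.113.7 fails against six different accounts in 15 seconds (stuffing pattern);
# 198.51.100.9 is one user failing three times and then succeeding (typo pattern).
SAMPLE_LOG = """\
2024-01-22T21:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-01-22T21:00:04Z ip=203.0.113.7 user=bob result=FAIL
2024-01-22T21:00:07Z ip=203.0.113.7 user=carol result=FAIL
2024-01-22T21:00:09Z ip=203.0.113.7 user=dave result=FAIL
2024-01-22T21:00:12Z ip=203.0.113.7 user=erin result=FAIL
2024-01-22T21:00:15Z ip=203.0.113.7 user=frank result=FAIL
2024-01-22T21:01:00Z ip=198.51.100.9 user=bob result=FAIL
2024-01-22T21:01:20Z ip=198.51.100.9 user=bob result=FAIL
2024-01-22T21:01:45Z ip=198.51.100.9 user=bob result=FAIL
2024-01-22T21:02:10Z ip=198.51.100.9 user=bob result=OK
2024-01-22T21:03:00Z ip=192.0.2.5 user=grace result=OK
2024-01-22T21:03:30Z malformed entry that the parser must skip
"""

# Assumed line format: "<ISO-8601 UTC timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_failures=5, min_distinct_users=4):
    """Return {ip: (failures, distinct_users)} for every source IP that, within some
    sliding time window, produced at least min_failures failed logins spread over at
    least min_distinct_users different accounts. Thresholds are illustrative."""
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "FAIL":
            failures[ev["ip"]].append((ev["ts"], ev["user"]))

    flagged = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            distinct = len({user for _, user in fails[start:end + 1]})
            if count >= min_failures and distinct >= min_distinct_users:
                if (count, distinct) > flagged.get(ip, (0, 0)):
                    flagged[ip] = (count, distinct)
    return flagged


def report(text):
    """Convenience wrapper: parse the log and return the flagged sources."""
    return find_stuffing_sources(parse_log(text))


if __name__ == "__main__":
    for ip, (n, users) in report(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins across {users} accounts within the window")
```

The distinct-account threshold is what keeps the single-user case out of the result; a rule that counted failures alone would lock out legitimate users who mistype a password, which is exactly the trade-off a bot management clause should make explicit.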


  • Containers-as-a-Service (CaaS) agreements facilitate automated hosting and deployment of cloud services that manage and manipulate “containers” (virtual data structures that include all dependencies, such as – code, configuration, runtime and system libraries – so they can store and organize virtual objects in discrete environments, creating database transportation mechanisms spanning from cloud to cloud) on a large scale, and include capabilities for organizing, scaling, starting and stopping containerized workloads; provides more functionality than function-as-a-service (FaaS) solutions by providing direct access to infrastructure, and more agile capabilities than infrastructure-as-a-service (IaaS) solutions, but has fewer features than most platform-as-a-service (PaaS) solutions; suitable for situations involving analytics, consulting, deployment, integration, maintenance, management information dissemination, monitoring, networking, security, storage, support, training; generally may be deployed in hybrid, private or public clouds.

  • Data-as-a-Service (DaaS) agreements facilitate a data management model that attempts to leverage data as a business asset for greater business agility, by providing an enterprise-wide solution for managing the massive amounts of data organizations generate every day and then delivering such data across the enterprise to enable cooperative data-driven decision-making; DaaS focuses on providing data from a variety of sources on demand through a series of interconnected application programming interfaces (APIs), intended to simplify data access; DaaS architecture may include a range of data management technologies, such as for example – data cataloging (the process of making an organized inventory of an existing unorganized data trove through the use of data mapping each individual data entry to create a searchable and sortable index of all the data in the trove), data services (web-based services engaged to handle the programming logic for data virtualization in a cloud-hosted data storage infrastructure), data virtualization (provides a central virtual data layer that enables users to rapidly access, combine, manipulate, transform and then deliver datasets when and where required throughout the enterprise, to big data sources, cloud repositories, internet of things – IoT – ecosystems and traditional databases, at greatly-reduced time and cost when compared to traditional data warehousing solutions or extract/transform/load – ETL – technology) and self-service analytics (a form of business intelligence – BI – in which users perform queries and generate reports, often characterized by simple-to-use BI tools with basic analytic capabilities and an underlying data model that has been simplified or scaled-down for ease of understanding and facilitated data access).

  • Database-as-a-Service (DbaaS) (a/k/a managed database service) agreements simply facilitate a user’s access, through a subscription arrangement, to a particular cloud-based database – such as a traditional relational database management system (RDBMS) or a NoSQL database (a/k/a a “non-SQL” database or a “not only SQL” database), which enables the storage and querying of data outside the traditional structures found in relational databases – and its associated query tools; most-efficient for small- to medium-sized enterprises with no or small IT support departments; security measures may include added controls for regulatory compliance, data encryption (of data both at rest within the database and also when in transit between the user and the intended recipient), end-to-end CSP network security (including hardware and software solutions such as packet sniffers, penetration testing – a/k/a “pen testing” – security information and event management – SIEM – tools and vulnerability scanners – intended to prevent access to the network by unauthorized users), integrated access management strategies, network segmentation (in which the CSP partitions a large macro-network into smaller micro-networks, similar to the concept of partitioning a hard disk into multiple partitions) with authorized users assigned to various segments.

  • Desktop-as-a-Service (DeaaS) agreements facilitate the provision of a cohesive and independent virtual desktop interface to all authorized users within the enterprise that supersedes the individual application interfaces generated by users with many open applications; there are generally two types of available desktops in a DeaaS solution – persistent (which allows an authorized user to customize their particular desktop to remain in the same configuration after such authorized user logs out, so the desktop will have the same appearance when such authorized user logs back on) and non-persistent (whatever changes an authorized user has made to their particular desktop will be deleted once they log off, so they will have to make all the same adjustments to their desktop that they may wish for their convenience, once they log back on); since the DeaaS model is focused more on appearance than on security, an enterprise employing a DeaaS model should not rely on such model as their sole source for data security, but rather should employ further security solutions in a daisy-chain arrangement, with the general internet or world-wide web at the originating end, then the various security solutions, and then finally the DeaaS interface at the authorized user end.

 

  • Function-as-a-Service (FaaS) agreements provide a platform relying on event-driven programming (meaning that applications do not run continuously in the background, but only start when they are called by some specific command, and thus per-function startup times may be multiplied, resulting in slower program speed) to allow authorized users to develop, manage, run and test small, modular pieces of code known as functions, for applications and solutions in a serverless architecture environment, typically used when building microservices applications; since the FaaS model is focused more on application development and running than on security, an enterprise employing a FaaS model should not rely on such model as their sole source for data security, but rather should employ further security solutions in a daisy-chain arrangement, with the general internet or world-wide web at the originating end, then the various security solutions, and then finally the FaaS interface at the authorized user end.

 

  • Infrastructure-as-a-Service (IaaS) agreements may seem similar to service level agreements (SLAs) in format; often-used for data center outsourcing, hosting, and network services; the metrics (KPIs) for which, pursuant to the CSA, may only be applicable to the CSP’s own intranet or network itself, and may involve high-level performance requirements applied against basic infrastructure service limitations of the CSP’s equipment itself; examples of such metrics (KPIs) may be, for example, grouped into the general categories of: computational (including: acceptable length of outages; availability of service; server reboot time); networking (including: availability of service; bandwidth – the maximum amount of data transmitted over an internet connection in a given amount of time; latency – the time it takes for data to be transferred between its original source and its destination, measured in milliseconds – ms; maximum or mean jitter – meaning the maximum or the average variation in delay for packet transfers between selected routers, measured in nanoseconds – ns; packet loss – which tracks the number of data packets that do not reach their intended destinations within a particular time period); and, storage (including: availability of service; input/output per second; latency; maximum time to restore data; processing speed); several trade organizations have attempted to formulate standards to govern the language and meanings of common IaaS terms, such as for example – Distributed Management Task Force (DMTF) CIMI (Cloud Infrastructure Management Interface); DMTF OVF (Open Virtualization Format); International Standardization Organization (ISO)/International Electrotechnical Commission (IEC) JTC 1/SC 38 Working Group 3 on Cloud Computing; Open Grid Forum (OGF) OCCI (Open Cloud Computing Interface); Open Group (OG) SOCCI (Service-Oriented Cloud-Computing Infrastructure); and, Storage Networking Industry Association (SNIA) CDMI (Cloud Data Management Interface).
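Whether an IaaS metric has been met depends entirely on how the agreement defines its measurement, which is why the networking KPIs listed above (availability, latency, jitter, packet loss) are the ones most often disputed. The following added example (written for this page; not from the page's author or any CSP's tooling) computes those KPIs from a constructed month of probe data and checks them against hypothetical contractual thresholds. The `SlaTargets` values, the measurement period, the outage and latency samples, and the definition of jitter as the mean absolute change between consecutive delay samples are all assumptions made for the illustration; a real CSA should state each of these explicitly.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class SlaTargets:
    """Hypothetical contractual thresholds (constructed for this example)."""
    min_availability_pct: float = 99.95
    max_mean_latency_ms: float = 30.0
    max_mean_jitter_ms: float = 5.0
    max_packet_loss_pct: float = 0.1


def availability_pct(period_minutes, outage_minutes):
    """Availability = (period - total outage time) / period, as a percentage."""
    if period_minutes <= 0:
        raise ValueError("measurement period must be positive")
    total_down = sum(outage_minutes)
    if total_down > period_minutes:
        raise ValueError("outage time exceeds the measurement period")
    return 100.0 * (period_minutes - total_down) / period_minutes


def mean_latency_ms(samples):
    """Average one-way delay over the probe samples (milliseconds)."""
    if not samples:
        raise ValueError("no latency samples")
    return mean(samples)


def mean_jitter_ms(samples):
    """Jitter as the mean absolute change in delay between consecutive samples.
    This is an assumed definition; the agreement must say which one applies."""
    if len(samples) < 2:
        return 0.0
    return mean(abs(b - a) for a, b in zip(samples, samples[1:]))


def packet_loss_pct(sent, received):
    """Share of probe packets that never reached their destination."""
    if sent <= 0 or received < 0 or received > sent:
        raise ValueError("inconsistent packet counts")
    return 100.0 * (sent - received) / sent


def evaluate_sla(targets, period_minutes, outage_minutes, latency_samples_ms,
                 packets_sent, packets_received):
    """Compute every KPI and list the ones that breach the targets, in a fixed order."""
    measured = {
        "availability_pct": availability_pct(period_minutes, outage_minutes),
        "mean_latency_ms": mean_latency_ms(latency_samples_ms),
        "mean_jitter_ms": mean_jitter_ms(latency_samples_ms),
        "packet_loss_pct": packet_loss_pct(packets_sent, packets_received),
    }
    breaches = []
    if measured["availability_pct"] < targets.min_availability_pct:
        breaches.append("availability")
    if measured["mean_latency_ms"] > targets.max_mean_latency_ms:
        breaches.append("latency")
    if measured["mean_jitter_ms"] > targets.max_mean_jitter_ms:
        breaches.append("jitter")
    if measured["packet_loss_pct"] > targets.max_packet_loss_pct:
        breaches.append("packet_loss")
    return {"measured": measured, "breaches": breaches}


# Constructed sample month: 30 days, two outages (12 and 30 minutes),
# five latency probes in milliseconds, 10,000 probe packets sent.
PERIOD_MINUTES = 30 * 24 * 60
OUTAGES = [12, 30]
LATENCY_SAMPLES = [20.0, 22.0, 21.0, 35.0, 20.5]
PACKETS_SENT, PACKETS_RECEIVED = 10_000, 9_985

if __name__ == "__main__":
    result = evaluate_sla(SlaTargets(), PERIOD_MINUTES, OUTAGES, LATENCY_SAMPLES,
                          PACKETS_SENT, PACKETS_RECEIVED)
    for name, value in result["measured"].items():
        print(f"{name}: {value:.4f}")
    print("breaches:", ", ".join(result["breaches"]) or "none")
```

With the constructed data the latency target is met but availability (42 minutes of outage in a 30-day month is roughly 99.90%), jitter and packet loss are each missed; a different but equally plausible jitter definition (maximum rather than mean variation) would change that result, which is the point of pinning the definition down in the agreement.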


  • Platform-as-a-Service (PaaS) agreements are generally intended for either of two situations, referenced in the industry as – integrated solutions (web-accessible development environments which enable platform developers to build an application using only the infrastructure and middleware services provided by the CSP, which then manages the resulting application), and deploy-based solutions (which enable the deployment of middleware on top of resources acquired from an IaaS cloud provider, offer deployment services which automate the process of installation and configuration of such middleware, and generally provide a much more flexible environment in which the platform developer can operate); the Organization for the Advancement of Structured Information Standards (OASIS) Topology and Orchestration Specification for Cloud Applications (TOSCA) is an example of one trade organization’s attempt to standardize common PaaS terms.

  • Robotic-Process-Automation-as-a-Service (RPAaaS) agreements facilitate outsourcing business task automation (meaning the attempt to automate repetitive, high-volume business tasks, such as posting positive reviews on social media websites) to service providers with expertise in the development of currently the most-coveted and sought-after bots, robotic process automation (RPA) bots (such as web crawlers – a/k/a “spiders”), which have the highest capabilities for independent “thought” (meaning that they have the most artificial intelligence – AI – programming, so they are capable of adjusting themselves to changed circumstances without human input), in order to leverage the “intelligence” (AI) of such RPA bots to perform complex tasks continuously on the internet or world-wide web without human intervention or supervision.

  • Security-as-a-Service (SecaaS) agreements facilitate the provisioning of security controls and solutions – such as anti-malware, anti-virus, anti-keylogging, anti-spam filters, and the like – as a managed service paid on a subscription basis; the theoretical advantages to a buyer/customer may be access management, business continuity, data loss prevention, email security, encryption, identity management, intrusion management, network security, periodic security assessments, periodic vulnerability scans, rapid disaster recovery, security information and event management (SIEM), web access security; the greatest disadvantage of the SecaaS model is that the buyer/customer voluntarily abrogates all security functions for their entire enterprise to a disinterested third-party.

  • Security-Operations-Center-as-a-Service (SOCaaS) agreements may be considered as hybrid subsets of the SecaaS model, in which an entire outsourced physical security operations center (which may be in a foreign jurisdiction), replete with supposedly highly-trained security personnel and state-of-the-art, cutting-edge, super-high-speed hardware and software solutions, will provide all the virtual cyber-security that any buyer/customer may ever need to protect their enterprise.

 

  • Software-as-a-Service (SaaS) agreements are currently-utilized for software distribution in all industries, and may be measured with metrics (KPIs) including, for example, application response time, automatic scalability, customer information persistence and monthly cumulative application downtime; SaaS CSAs may be categorized generally in various deployment models: community (shares CSP resources as a closed environment, generally only between organizations with similar purposes, such as with government institutions); hybrid (shares CSP services between public and private clouds depending on their purpose; generally common in high-access enterprise situations; a specific standard should be specified to describe the interface and security requirements); private on-site (similar considerations to the traditional SLA, not shared with the public or any other entity, and offers services over a private internal network typically hosted on-premises, applied to an enterprise); private outsourced (similar to the private on-site, except that the CSP has outsourced the actual cloud services to an offsite external CSP, but such services may still be offered to only one buyer/customer, thus perhaps mitigating some of the security risks; added expense due to the outsourcing of the cloud services by the CSP); or, public (CSP resources are shared with multiple buyers/customers, and offered to the general public, thus requiring increased availability, metrics accuracy, reliability, response time, scalability, security and speed).

  • Storage-as-a-Service (StaaS) agreements facilitate the provision of virtual storage space on a provider’s servers to a buyer/customer on a subscription basis; StaaS can be facilitated either virtually, through the provider’s server network, or on-site at the buyer/customer’s facility, through servers that the provider installs and maintains for the buyer/customer; since the StaaS model is focused only on the provision of virtual storage space and thus perhaps includes only very minimal security protections (such as perhaps only single-factor authentication through one password), an enterprise employing a StaaS model should not rely on such model as their sole source for data security, but rather should employ further security solutions in a daisy-chain arrangement, with the general internet or world-wide web at the originating end, then the various security solutions, and then finally the StaaS interface at the authorized user end.

  • Testing-as-a-Service (TaaS) agreements facilitate an outsourcing model in which software testing activities (such as the identification of software bugs and recommendations for the remediation thereof) are performed through the cloud on behalf of an authorized buyer/customer by third-party subject matter expert (SME) providers on a subscription basis; there may be currently at least three types of TaaS situations, such as for example – functional TaaS (testing the user-facing parts of an application or website, including but not limited to the graphical user interface – GUI – to see how users may interact with and react to such GUI), performance TaaS (the performance of “stress testing” on an application or website, to determine how well it reacts to multiple users, which may involve the creation of numerous virtual users, to simulate competing and conflicting simultaneous input from diverse and numerous sources) and security TaaS (probably the most-critical testing from the buyer/customer’s perspective, generally scanning and probing the applications and websites for vulnerabilities, and perhaps developing a virtual layer of learned behavior in applications and websites utilizing some flavor of artificial intelligence – AI, analogous to the immunization humans may develop from vaccinations); some key TaaS features may be for example – metering functions that monitor resource use and testing costs, on-demand testing environments that may be automated to run multi-tier tests simultaneously, self-service portals that allow applications and websites to run in a sandbox (partitioned from actual user activity) during functional and load tests so that users may continue with their work uninterrupted, a testing library with security capabilities and the ability to save test results, and a user-friendly dashboard for tracking diagnostics and metrics.

  • Windows-as-a-Service (WiaaS) agreements relate only to the provision of any hardware or software solution necessary to install or maintain any Microsoft product in an enterprise, through Microsoft’s vast cadre of certified Microsoft service providers; Microsoft determines the requirements for licensing the Microsoft service providers, and what services the Microsoft service providers may perform, based on their certification level and resources; the Microsoft service providers may perform their services either remotely, through the Microsoft cloud, or on-site, as may be requested or required; some of the services that the Microsoft service providers may provide are – deployment rings (groups of devices used to initially pilot, and then to broadly deploy, each feature update throughout an enterprise), feature updates, insider previews, Microsoft Endpoint Configuration Manager, quality updates, servicing channels (whether through the general availability channel – which provides feature updates annually – or through the long-term servicing channel – for specialized devices, such as medical equipment or bank ATMs running Windows – which only receive updates every 2 or 3 years), Windows Server Update Services (WSUS); the Microsoft service providers themselves do not provide any specialty security troubleshooting services, other than what may be provided in the regular Microsoft security updates.

  • Workspace-as-a-Service (WoaaS) agreements facilitate the provision of a complete virtual desktop environment along with all the applications used in the enterprise to authorized users on a subscription basis; although WoaaS may seem similar to Desktop-as-a-Service (DeaaS), DeaaS is actually more limited than WoaaS, since DeaaS provides basically only the virtual desktop environment, whereas WoaaS provides the virtual desktop environment as well as all the enterprise applications.

 

  • Drafting, negotiation or review of various types of XaaS-model agreements, contracts, documents, forms, guidelines, policies and templates, such as for example: Analytics-as-a-Service (AnaaS); Authentication-as-a-Service (AuaaS); Backend-as-a-Service (BaaS); Bot-as-a-Service (BoaaS); Cloud Services Agreement (CSA); Containers-as-a-Service (CaaS); Data-as-a-Service (DaaS); Database-as-a-Service (DbaaS); Desktop-as-a-Service (DeaaS); Function-as-a-Service (FaaS); Infrastructure-as-a-Service (IaaS); Platform-as-a-Service (PaaS); Robotic-Process-Automation-as-a-Service (RPAaaS); Security-as-a-Service (SecaaS); Security-Operations-Center-as-a-Service (SOCaaS); Software-as-a-Service (SaaS); Storage-as-a-Service (StaaS); Testing-as-a-Service (TaaS); Windows-as-a-Service (WiaaS); Workspace-as-a-Service (WoaaS); and the like.

    Progress_Page_Last_Updated_220124_2101