Cybersecurity Internet Technology & Innovation
Report September 28, 2020

Dude, where’s my cloud? A guide for wonks and users

By Simon Handler, Lily Liu, and Trey Herr

Table of contents

Executive summary

Cloud computing is transforming society, from interactions between people to the ways by which companies do business, and even how militaries operate. Many recognize cloud computing's significance, but far fewer actually appreciate why it matters. Cloud computing's rapid adoption demands a scaled-up understanding on behalf of policymakers in order to responsibly manage the phenomenon’s economic and national security implications. This report intends to serve as a guide for anyone curious about cloud computing be they policymakers, staffers, students, or non-technologists; anyone interested in gaining a firm grasp of the importance of cloud, where it exists, who operates it, and how it works.


In just two decades since the origin of the term, “cloud computing1Antonio Regalado, “Who Coined ‘Cloud Computing’?,” October 31, 2011, has gone from nascent vision to a nearly half-trillion-dollar industry and a major part of how large organizations, from Walmart to the Defense Department, work.2“Cloud Computing Market,” Markets and Markets, July 2020, Millions of people are inundated in advertisements about cloud, read about it, and even speak about it – far fewer truly understand it.3Jade Scipioni, “Most Americans Don’t Understand ‘The Cloud,’ But They Should,” Fox Business (Fox Business, October 17, 2016),

People rely on cloud storage for their smartphone data and collaborate on cloud platforms for school and work. “It’s in the air,” so many posit in attempting to explain the cloud. Where their data really goes is a mystery to them. 

It’s hard to blame them. What exactly cloud computing is, how it works, and who builds it remain hard to access information outside of vendor marketing materials and paywalled industry analyses.

Cloud computing describes a collection of information technologies (IT), a way of delivering those technologies to users, and a commercial phenomenon that has reshaped the technology marketplace. More than that, cloud is a way of thinking about computing that challenges political boundaries. 

If you have ever been curious about what exactly “the cloud” meant; if you are a policy wonk not a technologist, a user not an admin, then this report is for you. This report will cover:

  1. Why cloud?
  2. Where is the cloud?
  3. How do providers build the cloud?
  4. Who is the cloud?
  5. How to use a cloud?

When you’re done reading, you will be able to explain to your family what happens with their iCloud backup, or just might manage to keep your boss from sounding confused in their next committee hearing with Jeff Bezos.

1 – Why cloud?

Remember the last time you backed up the photos on your smartphone? Checked your email? What about when you logged into Netflix to binge six straight hours of The Office? Or that time you relayed sensitive flight performance data from the cockpit of your F-35 Lightning II? Chances are that if you have done any one of these things, you relied on cloud computing. Cloud computing has had tangible impacts on the way we live, providing faster and more flexible access to technology, cost savings for large enterprises, and a new generation of security challenges and opportunities. Nearly every organization and industry, from agriculture4Maamar Ferkoun, “Cloud Computing Helps Agriculture Industry Grow,” Cloud computing news (IBM), January 23, 2015, to healthcare5 Vinati Kamani, “5 Ways Cloud Computing Is Impacting Healthcare,” Health IT Outcomes, October 2, 2019, to national defense,6 Dallas A. Powell, Jr., “The Military Applications of Cloud Computing Technologies,” School of Advanced Military Studies, United States Army Command and General Staff College, Fort Leavenworth, Kansas, May 15, 2013, utilizes cloud computing. But what is cloud computing – what happens when you send to, store in, and retrieve from “the cloud”?

Cloud is the moniker for a wide variety of computing and networking concepts.

The term originated in traditional enterprise computing where data or resources sent/received from another service were notated by a fuzzy bubble or cloud at the edge of a diagram.

Cloud is the moniker for a wide variety of computing and networking concepts. The term originated in traditional enterprise computing where data or resources sent/received from another service were notated by a fuzzy bubble or cloud at the edge of a diagram. Cloud computing is the delivery of computing services over the Internet on demand and for a fee. Cloud providers build large networks of computing infrastructure, rooms full of computers, and miles of cable on the assumption that these can be rented to users and kept in continuous operation. These providers bear the up-front cost of buying and maintaining this equipment, charging anyone a fee to use it. This saves users from having to buy and build their own data centers, and has led to large-scale changes in how organizations think about IT. Without the cloud, companies like Netflix would have to purchase, build, and operate data centers of their own.7 Yevgeniy Sverdlik, “Netflix Shuts Down Final Bits of Own Data Center Infrastructure,” Data Center Knowledge, February 11, 2016, Because cloud services are delivered over the Internet, organizations do not need more than a broadband connection to access sophisticated hardware and software. 

The flexibility to scale up or down as organizational needs evolve is one of cloud computing's calling cards. A surge in users uploading photos to iCloud does not mean Apple must rush to buy new servers. The company simply pays for more8 Jordan Novet, “Apple Spends More than $30 Million on Amazon’s Cloud Every Month, Making It One of the Biggest AWS Customers,” CNBC, April 22, 2019, storage space in infrastructure that also holds retail payment data from Nordstrom9 Coral Garnick, “Nordstrom Turns to the Cloud to Cure Technology Woes,” Puget Sound Business Journal, March 20, 2017, or sensor readings from a General Electric power plant.10 “General Electric on AWS,” AWS (Amazon Web Services), accessed August 14, 2020, Cloud computing allows remote access to resources in real time, as needed—from sophisticated databases and scientific software to word processors and email. As the largest cloud service providers continually expand their operations and data center locations around the globe, data can be replicated in multiple locations to serve as backups, aiding in disaster recovery and business continuity, as well as put applications as close as possible to users to reduce latency and enhance performance.

As tens of millions of people rely on the shared infrastructure of relatively few service providers, the cloud is nothing if not a juicy target for malign actors.”

When it comes to security, the cloud can be a double-edged sword. As tens of millions of people rely on the shared infrastructure of relatively few service providers, the cloud is nothing if not a juicy target for malign actors. 11C-SPAN, “Cloud Computing and Homeland Security,”  October 6, 2011,; Timothy Morrow, “12 Risks, Threats, & Vulnerabilities in Moving to the Cloud,” Software Engineering Institute (Carnegie Mellon University), March 5, 2018, Aggregating vast amounts of critical data in one spot presents legitimate individual and national security concerns. At the same time, cloud service providers can handle many of the back-end security tasks with which organizations often struggle. These providers are well equipped to invest in security, concentrate scarce security talent, and quickly learn from attacks on one user to protect others. Cloud’s security benefits are not without cost, as organizations must understand how to use sometimes unfamiliar services and share responsibility with providers for basic security tasks. Cloud providers play an important role in shaping the market for cloud services and the experience of using them. 

2 – Where is the cloud?

Data centers, acres of large buildings packed with servers, cables, power, and cooling, are the beating heart of the cloud. Each building consists of dozens of racks made up of servers, storage systems, network switches and routers, and layers of physical security controls. To ensure data centers are functioning well, cloud service providers supply uninterrupted power and cooled airflow to keep equipment from getting so hot it melts. Security of this hardware infrastructure is critical as disruptions in this complex supply chain could jeopardize millions of users across the globe who rely on the cloud.12 Adam Stubblefield, “Mitigating Risk in the Hardware Supply Chain,” Google Cloud (Google), March 22, 2019,

Cloud services are supported by a network of data centers. Each contains thousands of servers organized into racks, which are collected into clusters and then spines. At each level, there are multitudinous network connections to minimize the distance (and thus the time) it takes for information to travel from one server to another.

Figure 1: Components of a Data Center

Source: Tianjiu Zuo and Sarah Orio

Companies organize their infrastructure into regions, dividing global operations along geographic areas such as US East, France North, or Australia West, with the largest further subdividing regions into availability zones which in turn contain one or two data centers. For example, Amazon Web Services (AWS) operates 24 regions, each containing multiple availability zones – totaling 77 availability zones worldwide that contain data centers that power a variety of cloud services.13 “Global Infrastructure,” AWS (Amazon Web Services),

This regional model was originally intended to provide users the choice of locating their cloud services in a data center or region nearby, minimizing the time it took their data to travel. Many users also relied on this globally accessible infrastructure to provide redundancy, backing up data from one region in another.14 Availability zones are a way of making that kind of redundancy cheaper and easier to manage—linking together multiple data centers in a single region.  Building resilience into global infrastructure with redundant networking and power is critical for major cloud providers to maintain operations through unexpected disruptions, such as earthquakes or powerful thunderstorms. In 2018, a powerful Texas thunderstorm knocked out power at a Microsoft data center, crippling services there and requiring three days of work to come fully back online.15 Mike Wheatley, “ Severe Weather Takes Down Microsoft’s Azure Cloud Services in Texas,” SiliconANGLE, September 4, 2018, In 2017, a single typo from an Amazon engineer accidentally blocked access to a large set of servers resulting in disruption of Amazon Simple Storage Service (Amazon S3) and outages on sites such as Quora, Trello, and IFTTT.16 “Summary of the Amazon S3 Service Disruption in the Northern Virginia (US-EAST-1) Region,” AWS (Amazon Web Services), accessed August 18, 2020,; Casey Newton, “How a Typo Took Down S3, the Backbone of the Internet,” Verge, March 2, 2017,

Figure 2: Data Center Server Supply Chain

Source: Tianjiu Zuo and Sarah Orio

In some of the largest cloud providers, data centers are explicitly “paired” and data stored redundantly between them to allow some services to fail over to the second facility in the event service is disrupted to the first. With the focus of some governments squarely on requiring their citizens’ data, or the computers handling this data, to be located within their jurisdiction, these regions also provide cloud providers a way to answer some data or infrastructure localization requirements without costly new facilities.

Between data centers, the cloud exists in the form of a web of high-bandwidth fiber optic cables connecting data centers and company facilities with the rest of the Internet.17 Nick Routley, “MAPPED: The World’s Network of Undersea Cables,” Business Insider, August 26, 2017, The largest cloud providers, firms like Google and Microsoft, are so dependent on this massive bandwidth that they build or buy cables to own and operate themselves. Today, there are roughly four hundred and twenty fiber optic cables comprising the physical backbone of the global Internet, which sustained a bandwidth of more than 466 terabits per second (Tbps) as of 2019 (and likely even more now).18 Alan Mauldin, “466 Tbps: The Global Internet Continues to Expand,” TeleGeography Blog, August 22, 2019,

Data localization restrictions pose unprecedented challenges to cloud data processing and storage. The public cloud is built on a global network of computing and storage resources, located according to engineering need, not legal mandate. However, countries like China, Vietnam, and France (among others) have levied requirements that different kinds of citizen’s user data, and sometimes even the infrastructure itself, reside permanently within their borders.19 France’s Ministry of Interior and Ministry of Culture and Communication, “An informational note of April 5, 2016 regarding cloud computing,” accessed February 28, 2020,; Mai Huong Nguyen, Eddie O’Shea, and Jeff Olson, “Update: Vietnam’s New Cybersecurity Law,” Chronicle of Data Protection (Hogan Lovells), November 15, 2018, Since public cloud users may simultaneously utilize infrastructures in multiple global locations, these laws can force cloud service providers to build infrastructure to serve specific markets without the user demand to support them or costly changes in design of core infrastructure. This, in turn, makes these cloud services less cost effective and can limit providers’ ability to troubleshoot technical problems or share security data across borders.

3 – How do providers build the cloud?

Building cloud services looks a bit like assembling toys using Lego blocks. Any grand design starts with a large number of a few simple pieces. Square blocks and rectangles combine into columns and walls, stacking on top of each other to create towers and bridges and archways. Like a toy store, cloud service providers rent out assorted Lego blocks for users to build customized systems while also offering ready-to-use designs built pre-assembled. Users often mix and match the two, taking a prefabricated design and adding in just the right mix of blocks in different sizes, shapes, and colors to create something wholly new. 

Figure 3: Illustrating the Cloud Service Models

Source: Lily Liu and Sarah Orio

At the bottom of this stack of blocks is Infrastructure as a Service (IaaS). IaaS sells the basic computing pieces: storage, processing, network bandwidth, and just enough software to tie them all together. Users have a lot more work to build, maintain, and manage all of these blocks but also get to be much more selective about which blocks they use and where. Platform as a Service (PaaS) sells these prefabricated combinations of blocks in the shape of different computing services—machine translation or tools to process credit card information from point-of-sale systems. These PaaS services are not whole Lego buildings but provide more functionality than a single block. PaaS provides functionality to software developers and customers looking to connect existing applications to cloud services. At the end of a marathon Lego block building session is Software as a Service (SaaS). SaaS looks closest to the software you might find on a laptop—word processors, email clients, and chat apps. Cloud providers manage the computing infrastructure and services behind SaaS offerings, giving users comparatively less control or ability to configure but maximum gloss and functionality. 

The three services models form the business models of cloud. IaaS rents these servers directly to users. The Lego blocks are literal blocks of processor power, storage space, and networking bandwidth. IaaS users may have access to a single machine or administer huge numbers, including the networking services running between them. PaaS builds on these basic resources to run and support specialized software with much of the basic administration and IT management handled by the cloud provider. PaaS may rely on several different servers at the same time. Take machine translation as an example. Incoming language text may be stored in one server while translated text is stored in another with the act of translation relying on a processor in another server altogether. SaaS abstracts completely away from these Lego blocks so users see only the application like a Salesforce dashboard or a Dropbox folder.

The three models of cloud—SaaS, PaaS, and IaaS—are deceptively simple in this sort of abstract discussion. In reality, the lines are somewhat fuzzier, with services in the PaaS category, for example, ranging from exceedingly straightforward for users to complex beyond what might be found in an IaaS service. All of these cloud models are elastic, meaning users can increase or decrease how much of a service they are using as needed.

Why would users go to the trouble of renting these Lego blocks or pieces from the toy store instead of buying them directly? Cost. Cloud providers offer plenty of services and specialization to users on top of what they might get from buying their own equipment, but the biggest potential advantage of a cloud service is that it is cheaper to use than buying and administering a standalone computer. This is particularly true for small organizations or highly specialized equipment. Imagine a small biomedical startup that needed to model the way proteins fold in a previously undiscovered virus. Rather than buying high-performance computing, figuring out where to store it, how to take care of it, and how to pay for it, the company could log into a cloud provider and rent time on a high-performance computing service, paying only for the time the machine is in use.  

Why is it profitable for a cloud provider to buy and operate this high-performance computer, along with many others like it? Because the provider can rent that computer to many users, keeping it in nearly constant use and maximizing the efficiency of the equipment. Different users can even share the same computer at the same time, with their data kept strictly separate, further reinforcing the profitability of a cloud service. The technology that makes it possible for users to share a single computer, referred to as multitenancy, is a piece of software called the hypervisor. The hypervisor runs in between the computer’s hardware and users, creating for each a virtual representation of the machine and allowing each to interact with it as if they were alone. The hypervisor acts as a traffic cop, organizing requests to store data or access the network from each user so they stay isolated from each other. In effect, the hypervisor “virtualizes” the computer, turning one machine into many.

Figure 4: Illustrating the Multi-Tenant Model

Source: Simon Handler, Trey Herr, and Sarah Orio

This virtualization can be useful elsewhere; cloud providers increasingly take specialized hardware, like network routers, and move their functions into software that could be run on a general-purpose computer. This software-defined networking gives cloud service users and providers more control over the data moving within their network and shortens the supply chain for networking hardware, frequently a target for cyberattacks. Network virtualization allows cloud providers to offer telecommunications services; Amazon has partnered with Verizon to provide 5G services20 Jon Fortt and Annie Palmer, “Amazon Just Partnered with Verizon to Improve 5G Speeds,” CNBC, December 5, 2019, and Microsoft acquired virtualized telecommunications provider Affirmed Networks earlier this year.21 Frederic Lardinois, “Microsoft Acquires 5G Specialist Affirmed Networks,” TechCrunch, March 26, 2020, Virtualization introduces new functionality and flexibility but also new challenges for defenders: more software to protect from attackers and software that can be difficult to modify as it must be kept running. 

Cloud services can rely on servers spread across different data centers, even different countries. This is illustrated by an important fact: for the largest cloud providers, some of their largest customers are themselves. Companies like Google and Microsoft build products like G Suite or Office 365 on top of their IaaS and PaaS offerings in Google Cloud Platform (GCP) and Microsoft Azure. When a user logs into Office 365, their credentials are checked against an Azure identity management service running on another server, with information that could well be stored in another data center. The public cloud makes connecting all of this infrastructure into a single network possible.

4 – Who is the cloud?

Cloud computing companies come in all sizes, large and small, narrowly focused and generalized. Some of the best-known IT companies now offer cloud services of one kind or another. Firms like Amazon, Dell, SAP, Adobe, Salesforce, and IBM have shifted legacy software to be delivered and sold from the cloud or developed entirely new businesses that build and rent cloud infrastructure. Content delivery network firms like Akamai and Cloudflare deliver bandwidth, security, and network management services to cloud customers;22 “Security Solutions,” Akamai, accessed August 13, 2020, software companies like Salesforce and ServiceNow do not rent infrastructure directly to users but sell access to a family of software services delivered over the Internet.23 Salesforce, “Products Overview,” Salesforce, accessed August 14, 2020, Even Goldman Sachs is considering becoming cloud providers, renting access to its infrastructure to financial customers.24 Julia La Roche, “Goldman Eyes Financial Cloud, Taking a Page from Amazon’s Playbook,” Yahoo! Finance, February 4, 2020, There are dozens of specific market segments in cloud computing and many more companies that deliver their services through the cloud and so label themselves “cloud” firms; however, this report focuses on four particular companies. 

The cloud computing market is tiered – there are the four largest firms, and everyone else. These four giants—Amazon, Microsoft, Google, and Alibaba—are the “hyperscalers,” firms with the revenue to pour billions of dollars a year into building and modernizing their infrastructure and the in-house engineering talent to develop and deploy their own hardware to reach a global market. These four companies have an outsized impact on technology markets and the shape of the Internet. Their infrastructure crisscrosses the planet, with data centers on every inhabited continent and correspondingly complex management systems to keep these vast fleets of machines online, updated, and accessible.

Figure 5: IaaS & SaaS, 2019 Cloud Market Share 25Frank Della Rosa, “Worldwide Software as a Service and Cloud Software Market Shares, 2019: A New Generation of SaaS,” IDC, July, 2020, ; Donna Goodison, “Gartner: IaaS Public Cloud Services Market Grew 37.3% In 2019,” CRN, August 10, 2020,

Source: Lily Liu

Amazon (Amazon Web Services, AWS): Amazon is the 800-lb gorilla in the cloud computing market. One of the first companies to offer cloud services in 2006, Amazon has grown to be the largest of the hyperscale firms by revenue and market share, dominating the IaaS market and competing heavily in PaaS. AWS has emerged as a profit center for Amazon and enabled the company to invest heavily in new infrastructure and to enter new markets, including high-security cloud for US intelligence agencies, before its competitors.26 Frank Konkel, “The Details About the CIA’s Deal With Amazon,” Atlantic, July 17, 2014, Amazon’s play is as the everything cloud, offering a complete set of IaaS and PaaS services at low prices and with substantial technical variety.

Superpower: Amazon’s size enables it to absorb the cost of new ideas and experiment internally with new technologies at a scale that would be prohibitive for most other firms.

Microsoft (Microsoft Azure and Office 365): Microsoft is in a strong second place relative to Amazon. It hosts offerings across IaaS, PaaS, and SaaS. The Redmond, Washington-based giant’s initial foray into cloud stumbled in the early 2010s as it learned how to take existing enterprise relationships and convert them into cloud services instead of traditional software licenses. Microsoft was one of the first companies to offer hybrid computing products, offering a gentler on-ramp for firms hesitant to adopt cloud. Equipped with an army of compliance and government affairs staff and a bevy of security certifications, Microsoft’s play now is integrating cloud across all of its offerings from PowerPoint to gaming. Azure, Microsoft’s IaaS and PaaS offering, ranges widely in size and complexity. Office 365, the SaaS offering, has become a major driver of cloud revenue and ties together much of the Windows/Office ecosystem. 

Superpower: Integration. Perhaps unexpected given a history of fractious relationships between divisions, Microsoft can tie cloud into a well-staffed research arm, veteran systems management teams, strong enterprise customer relationships, and a huge suite of products and services.  

Google (Google Cloud Platform, GCP): A company with an early lead on Internet services and massive dominance in search, Google is coming from behind with respect to cloud. Despite brimming with engineering talent, Google struggled to translate its strengths as a consumer technology and search giant into cloud sales. The company has not yet been able to achieve the same variety of security certifications as Amazon and Microsoft—one of the main reasons why it withdrew from the US Department of Defense’s lucrative Joint Enterprise Defense Infrastructure (JEDI) cloud competition. In the past two years, Google has made a strategic shift toward the “multi-cloud” approach, arguing customers should embrace cloud services from multiple vendors and use its offerings as a part of any investment in cloud. In this, Google is positioning itself as a platform or layer between itself and many other cloud providers instead of a standalone provider like Amazon. 

Superpower: Machine learning (ML) standards and hardware, including the ‘Tensor-’ hardware and software.

Alibaba (Alibaba Cloud): Founded in 2009, Alibaba Cloud has grown rapidly in a model similar to AWS, its substantial growth powered off the back of an e-commerce giant. Alibaba has invested heavily in its core infrastructure and is expanding into the West, establishing new data centers in the United States and Europe. The company actually captures a larger portion of the IaaS market than Google, making it the third-leading provider. Alibaba also dominates the Chinese cloud computing market with nearly 50 percent of the market share.27 “China Cloud Services Market Q1 2020,” Canalys, 2020, The Chinese firm is investing in ML technologies and a globe-spanning infrastructure to compete on features, cost, and access with any of its rivals.

Superpower: Access to the Chinese market without substantial US rivals and an opportunity for massive capital investment. 

5 – How to use a cloud?

While thinking about Lego blocks provides an architectural perspective, there are other ways to conceptualize the cloud, particularly SaaS and PaaS. Picture a lawyer who needs to compose a long memo with several colleagues in different offices around the globe. A SaaS offering like Google Docs provides word processing software through the browser rather than a standalone product on a single computer. Google’s servers keep the multiple parties editing at once in sync and keep the data stored in multiple servers in case a networking hiccup or power surge takes one out. If the law firm operates an office in countries that impose strong data localization controls, like Vietnam, the lawyer’s colleagues may not be able to access Google Docs or share the document. 

Assume our lawyer friend wanted to give her partners a way to distribute a survey in multiple languages to collect information in support of the memo. Using a cloud vendor, say Microsoft Azure, the lawyer could set up a simple webpage and rent a machine translation service to translate submitted survey text into English. The lawyer clicks her way through a series of menus to set up the webpage and tie it to the translation service. Here, the cloud provides a platform for something new to be built, renting it out to the user as a service rather than a downloadable product. This PaaS model requires more of the user to understand how to build the ultimate service they want, cobbling together pieces as they go.

In both of these examples, the lawyer never has to buy a physical computer system or write a line of code. Cloud vendors, like Google and Microsoft, are responsible for providing all of this infrastructure and administering it. Security is more a joint responsibility. The cloud vendor has to guard these systems against physical harm, ensure that the software is secure and trustworthy, and block or investigate any malicious activity. The lawyer still has the responsibility of maintaining basic cyber hygiene, making sure that the website and translation service are configured how she wants them to be used, and protecting her password for all of these services from theft. 


Cloud computing can be an intimidating mix of technical jargon and marketing material, but it does not have to be. The cloud is playing an essential role in transforming not only the way modern organizations access and store data, but how they innovate and operate altogether. The cloud as we know it today takes computing and allows it to be distributed, remote, flexible, and metered service to pay as you go. Small businesses, hospitals, intelligence agencies, and militaries can all remotely interact with servers within large data centers according to their organizational needs, optimize cost, access new technologies, collaborate effectively, and scale rapidly with the cloud. Massive amounts of data from various owners, often across countries and continents, are hosted on the shared infrastructure of relatively few giant cloud service providers. The adoption of cloud computing has given rise to many benefits, but also new security concerns and the implementation of a variety of data localization laws. Cloud computing is not magic, but the rapidity of its rise and adoption is reshaping the landscape of both technology and corporate governance at a manic pace.

About the authors

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

Related Experts: Simon Handler and Trey Herr