Week 5: Cloud Reference Architecture Flashcards
Enabling technology vs capability
–There is a difference between enabling technologies (such as virtualization) and the capabilities or features that are required for a cloud
–A specific capability may be achieved by alternative technologies
Cloud Essential Characteristics
On-demand self-service, broad network access, resource pooling, rapid elasticity, measured service
The cloud model won’t work for the consumer without ___ and without the ___
reliable network connectivity, right bandwidth
In security terms, reliability is a synonym of ___
availability
SPI Model
SaaS, PaaS, IaaS
The three service models represent
The three service models represent three broad classes of capabilities that reside on top of physical cloud infrastructure
Cloud Security Alliance has taken the following view
“IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS…. In this way, just as capabilities are inherited, so are information security issues and risk. It is important to note that commercial cloud providers may not neatly fit into the layered service models. Nevertheless, the reference model is important for relating real-world services to an architectural framework and understanding the resources and services requiring security analysis”
It is important to make two points about the NIST Cloud Model
A customer or tenant can have greater security control over more resources as one moves from SaaS to PaaS and again from PaaS to the IaaS service model
A customer or tenant can achieve greater security control over more resources when moving from a Public cloud to a community cloud and again from a community cloud to a Private cloud
IaaS Abstraction
IaaS does not typically expose actual hardware or networking layers to the tenant of the service
These underlying resources are abstracted for the consumer
PaaS Abstraction
PaaS abstracts infrastructure to a greater extent and generally presents middleware containers that are tailored for categories of usage, such as development
These containers provide tools to simplify application development and limit application interactions with the underlying systems
SaaS Abstraction
SaaS abstracts even further and generally exposes narrow-functionality software-based services such as Customer Relationship Management (CRM) or e-mail
Security Control in Deployment Model
Similar to how different service models have an impact on the extent of control over security, the deployment model also impacts the degree of control over security
The degree of control that a tenant or customer has in a public cloud is minimal
The tenant organization has maximum control with a private cloud
The degree of control will vary for community and hybrid clouds
Private vs Public Cloud
When considering how to secure public versus private cloud architectures, the security concerns differ more than they overlap
Community clouds can be viewed as special cases of private clouds where organizational control is delegated to a proxy
The principles of securing a private cloud vary greatly from those of a public cloud hosted externally by a third party
• For example, a private cloud doesn’t have the data confidentiality and legality concerns that a public cloud might have
Cloud Application Programming Interfaces (APIs)
Cloud Application Programming Interfaces (APIs) are mechanisms that abstract cloud implementation details and define an interface between a cloud service and other entities
proprietary APIs
Where proprietary APIs are used, possible lock-in benefits the provider by making it difficult to switch service providers
Open and standards-based APIs
Open and standards-based APIs can more readily lead to an ecosystem of services built up by customers across cloud providers
Cross Platform-based APIs
Allow applications to use a single API regardless of the back-end cloud
Infrastructure-as-a-Service Examples
- Amazon’s Elastic Compute Cloud (EC2)
- Rackspace’s Cloud Offerings
- IBM’s BlueCloud
Platform-as-a-Service Examples
- Google’s AppEngine
- Windows’ Azure Services platform
Public clouds can be formed by service providers wishing to build out a ___ and lease pieces of it to a variety of clients
high-capacity infrastructure
In a public cloud, data might...
become commingled on common storage devices
This makes identity, access control, and encryption very important
There is a certain amount of inherent trust by subscribers in their public cloud providers
In its simplest definition, a public cloud exists ____ to its end user and is generally available with little restriction as to who may pay to use it
externally
In contrast to a public cloud, a private cloud is ___ hosted
internally
Although there is no commingling of data or sharing of resources with external entities, different departments within the organization may have strong requirements to maintain data isolation within their shared private cloud
Organizations deploying private clouds often do so utilizing virtualization technology within their own data centers
Private Cloud Security
Some of the security concerns of a public cloud may not apply to private clouds
However, private does not necessarily mean more secure
In a private cloud, considerations such as securing the virtualization environment itself must still be addressed, whereas in a public cloud, you would rely on the provider to do so
Advantage of private cloud
The true advantage of a private cloud is that the provider has interest in making the service interface match the tenant needs
Community cloud
Community clouds allow multiple independent entities to gain the cost benefits of a shared nonpublic cloud while avoiding security and regulatory concerns that might be associated with using a generic public cloud
This model has tremendous potential for entities that are subject to identical regulatory, compliance, or legal restrictions
Hybrid Clouds
Hybrid clouds could be formed when an organization builds out a private cloud and wishes to leverage public or community clouds in conjunction with its private cloud for a particular purpose
Hybrid Cloud Example
An example of a hybrid cloud could be a web portal where its core infrastructure is private to the company, but certain components are hosted externally, such as streaming video or image caching
Certain requirements can prevent hybrid clouds from being fully adopted by an organization, such as a financial organization that may not be able to meet compliance regulations if customer data is hosted at an external site
Software-as-a-Service
SaaS delivers software or, more generally, applications to its end user
The end user doesn’t usually need to understand or be concerned with the supporting infrastructure and simply utilizes an application
Software-as-a-Service Examples
For instance, Salesforce.com provides a Customer Relationship Management (CRM) SaaS
Google’s Gmail or Yahoo Mail provide email services
Even former premise-based software-only solutions like Microsoft SharePoint are now available as SaaS online, via a Web browser
Platform-as-a-Service
PaaS providers usually
- deliver a bundling of software and infrastructure in the form of a programmable container
- provide a cloud for end users to host their own developed applications or services
With PaaS, the service is the entire application environment
- PaaS includes the computing platform as well as the development stack
In both cases, the end user receives an environment from the provider (a container) that is ready to host user-developed applications/services
Platform-as-a-Service Examples
Google’s App Engine platform
Salesforce.com’s Force.com platform
Infrastructure-as-a-Service
In general, IaaS delivers virtualized resources, such as guest virtual machines (ready to load an operating system), storage, or database services
The tenant interacts with IaaS clouds as he would interact with an IT department to set up the IT infrastructure
–This is the virtual equivalent to physically deploying servers, storage, etc.
Typically, end users have the ability to manage their infrastructure at the operating system level, but outsource as-a-service the details of managing and maintaining the servers, switching, routing, firewalling, and connectivity concerns
Infrastructure-as-a-Service Examples
Amazon’s Web Services or RackSpace’s Cloud Services are prime examples of IaaS providers
There are two common and generally accepted ways of forming clouds
Virtualization Formed Clouds
Application/Service Formed Clouds
Virtualization Formed Clouds
Clouds that are formed using virtualization technology such as from VMware, the open source community (Xen, Virtualbox), Citrix, and Microsoft
Application/Service Formed Clouds
Clouds that are formed not necessarily using virtualization or virtual machines
–The applications or services they provide are written inherently to be cloud based
Virtualization has several key attributes, which also happen to be key attributes of cloud computing
Sharing of Infrastructure - A single physical server can run multiple virtual servers, allowing for economies of scale
Scalability and Elasticity - If physical infrastructure is abstracted and made available as virtual resources, adding or releasing capacity can be performed quickly and in an automated manner
Resiliency and Redundancy - Because the applications/operating systems are not physically married to a physical server, they are by their very nature portable
Agility - Virtual servers can literally be created in a matter of seconds
Location Independence - A server that is virtualized doesn’t have to exist only within a single data center and can be copied or moved to other data centers very quickly
The tradeoff to all of these virtualization benefits is the fact that with ___ can come ___
more abstraction, greater complication
hypervisor
The hypervisor, or Virtual Machine Manager, presents to the guest (virtual) operating systems a virtual operating platform and manages the execution of the guest operating systems
Securing the hypervisor is one of the most actively investigated areas of cloud security
DaaS or Desktop-as-a-Service
Virtualization can exist all the way to the desktop level
A user can use a thin-client that basically provides input (keyboard/mouse) and output (monitor) to the cloud hosting the virtual desktop
Similar principles for securing clouds apply for desktop virtualization
Using Applications/Services to Form Clouds
Applications can be developed to leverage the cloud by forming a cloud within their software architecture and not by simply running in a virtualized environment
In other words, an application can form a cloud by applying the same concepts of virtualization to its own internal software architecture
• sharing of infrastructure
• scalability and elasticity
• resiliency and redundancy
There are several compelling scenarios in which using cloud-based virtual servers is advantageous
Testing and Quality Assurance
Web-based Application Hosting - Web applications suffer from peak demand issues
Outsourcing Needs
High-performance Computing
Small Organizations
Virtualization Formed Private Clouds
High Availability/Business Continuity. As more applications and resources become virtualized, the virtualized environment itself needs to become highly available
Scale. As information technology continues to modernize business and becomes more and more an essential part of operations, the demand on the infrastructure increases