Week 5: Cloud Reference Architecture Flashcards
Enabling technology vs capability
–There is a difference between enabling technologies (such as virtualization) and the capabilities or features that are required for a cloud
–A specific capability may be achieved by alternative technologies
Cloud Essential Characteristics
On-demand self-service, broad network access, resource pooling, rapid elasticity, measured service
The cloud model won’t work for the consumer without ___ and without the ___
reliable network connectivity, right bandwidth
In security terms, reliability is a synonym of ___
availability
SPI Model
SaaS, PaaS, IaaS
The three service models represent
The three service models represent three broad classes of capabilities that reside on top of physical cloud infrastructure
Cloud Security Alliance has taken the following view
“IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS…. In this way, just as capabilities are inherited, so are information security issues and risk. It is important to note that commercial cloud providers may not neatly fit into the layered service models. Nevertheless, the reference model is important for relating real-world services to an architectural framework and understanding the resources and services requiring security analysis”
It is important to make two points about the NIST Cloud Model
A customer or tenant can have greater security control over more resources as one moves from SaaS to PaaS and again from PaaS to the IaaS service model
A customer or tenant can achieve greater security control over more resources when moving from a public cloud to a community cloud and again from a community cloud to a private cloud
IaaS Abstraction
IaaS does not typically expose the actual hardware or networking layers to the tenant of the service
These underlying resources are abstracted for the consumer
PaaS Abstraction
PaaS abstracts infrastructure to a greater extent and generally presents middleware containers that are tailored for categories of usage, such as development
These containers provide tools to simplify application development and limit application interactions with the underlying systems
SaaS Abstraction
SaaS abstracts even further and generally exposes narrow-functionality software-based services such as Customer Relationship Management (CRM) or e-mail
Security Control in Deployment Model
Similar to how different service models have an impact on the extent of control over security, the deployment model also impacts the degree of control over security
The degree of control that a tenant or customer has in a public cloud is minimal
The tenant organization has maximum control with a private cloud
The degree of control will vary for community and hybrid clouds
Private vs Public Cloud
When considering how to secure public versus private cloud architectures, the security concerns are more different than common
Community clouds can be viewed as special cases of private clouds where organizational control is delegated to a proxy
The principles in securing a private cloud vary greatly from those of a public cloud hosted externally by a third party
• For example, a private cloud doesn’t have the data confidentiality and legality concerns that a public cloud might have
Cloud Application Programming Interfaces (APIs)
Cloud Application Programming Interfaces (APIs) are mechanisms that abstract cloud implementation details and define an interface between a cloud service and other entities
proprietary APIs
Where proprietary APIs are used, possible lock-in benefits the provider by making it difficult to switch service providers
Open and standards-based APIs
Open and standards-based APIs can more readily lead to an ecosystem of services built up by customers across cloud providers
Cross Platform-based APIs
Allow applications to use a single API regardless of the back-end cloud