UNIT IV

Inter Cloud Resource Management – Resource Provisioning

Methods – Security Overview – Cloud Security Challenges – Data
Security –Application Security – Virtual Machine Security.

1. INTER-CLOUD RESOURCE MANAGEMENT

 Extended Cloud Computing Services
 Resource Provisioning and Platform Management
 Virtual Machine Creation and Management
 Global Exchange of Cloud Resources

1.1 Extended Cloud Computing Services

Fig: Six layers of cloud services and their providers

 Six layers of cloud services
o Software as a Service(SaaS)
o Platform as a Service(PaaS)
o Infrastructure as a Service(IaaS)
o Hardware / Virtualization Cloud Services(HaaS)
o Network Cloud Services (NaaS)
o Collocation Cloud Services(LaaS)
 The top layer offers SaaS which provides cloud application.
 PaaS sits on top of IaaS infrastructure.
 The bottom three layers are more related to physical requirements.
 The bottommost layer provides Hardware as a Service (HaaS).
 NaaS is used for interconnecting all the hardware components.
 Location as a Service (LaaS), provides security to all the physical
hardware and network resources. This service is also called as Security
as a Service.
 The cloud infrastructure layer can be further subdivided as
o Data as a Service (DaaS)

1
 o Communication as a Service (CaaS)
o Infrastructure as a Service(IaaS)
 Cloud players are divided into three classes:
o Cloud service providers and IT administrators
o Software developers or vendors
o End users or business users.
Cloud Players IaaS PaaS SaaS
IT Monitor SLAs Monitor SLAs Monitor SLAs
administrators/ and enable and deploy
Cloud Providers service software
platforms
Software To deploy Enabling Develop and
developers and store platforms deploy
(Vendors) data software
End users or To deploy To develop and Use business
business users and store test software software
data
Table: Cloud Differences in Perspective of Providers, Vendors, and Users

1.1.1 Cloud Service Tasks and Trends

 SaaS is mostly used for Business Applications
o Eg: CRM (Customer Relationship Management) used for
business promotion, direct sales, and marketing services
 PaaS is provided by Google, Salesforce.com, and Facebook etc.
 IaaS is provided by Amazon, Windows Azure, and RackRack etc.
 Collocation services Provides security to lower layers.
 Network cloud services provide communications.
1.1.2 Software Stack for Cloud Computing
 The software stack structure of cloud computing software can be
viewed as layers.
 Each layer has its own purpose and provides the interface for the
upper layers.
 The lower layers are not completely transparent to the upper layers.
1.1.3 Runtime Support Services
 Runtime support refers to software needed in applications.
 The SaaS provides the software applications as a service, rather than
allowing users purchase the software.
 On the customer side, there is no upfront investment in servers.
1.2 Resource Provisioning (Providing) and Platform Deployment
 There are techniques to provision computer resources or VMs.
1.2.1 Provisioning of Compute Resources (VMs)
 Providers supply cloud services by signing SLAs with end users.
 The SLAs must specify resources such as
o CPU

2
 o Memory
o Bandwidth
Users can use these for a preset (fixed) period.
 Under provisioning of resources will lead to broken SLAs and
penalties.
 Over provisioning of resources will lead to resource underutilization,
and consequently, a decrease in revenue for the provider.
 Provisioning of resources to users is a challenging problem. The
difficulty comes from the
o Unpredictability of consumer demand
o Software and hardware failures
o Heterogeneity of services
o Power management
o Conflict in signed SLAs between consumers and service
providers.
1.2.2 Provisioning Methods
1.2.2.1 Static cloud resource provisioning
case (a)  over provisioning(Providing) with the peak load
causes heavy resource waste (shaded area).

case (b)  Under provisioning of resources results in losses by

both user and provider. Users have paid for the demand (the
shaded area above the capacity) is not used by users.

case (c)  Declining in user demand results in worse resource

waste.

3
  Resource-provisioning methods are
o Demand-driven method
o Eventdriven method
o Popularity-Driven Resource Provisioning – Based on
Internet traffic monitored
1.2.2.1 Demand Driven Methods
o Provides Static resources
o This method adds or removes nodes (VM) based on the
current utilization(Use) level of the allocated resources.
o When a resource has surpassed (exceeded) a threshold
(Upperlimit) for a certain amount of time, the scheme
increases the resource (nodes) based on demand.
o When a resource is below a threshold for a certain
amount of time, then resources could be decreased
accordingly.
o This method is easy to implement.
o The scheme does not work out properly if the workload
changes abruptly.

1.2.2.2 Event Driven method

o Based on predicted workload
o This scheme adds or removes nodes (VM) based on a
specific time event.
o The scheme works better for seasonal or predicted events
such as (Christmas, New Year, Diwali etc).
o During these events, the number of users grows before
the event period and then decreases during the event
period.
o This scheme anticipates peak traffic before it happens.
o Results in a minimal loss of QoS, if events are predicted
correctly.

4
1.2.2.3 Popularity-Driven Resource Provisioning
o Internet searches for popularity of certain applications
and allocates resources by popularity demand.
o This scheme has a minimal loss of QoS, if the predicted
popularity is correct.
o Resources may be wasted if traffic does not occur as
expected.

1.2.2.5 Dynamic Resource Deployment

o Dynamic resource deployment can be implemented to
achieve scalability in performance.
o InterGrid is used for interconnecting distributed
computing infrastructures.
o InterGrid provides an execution environment on top of
the interconnected infrastructures.
o IGG(InterGridGateway) allocates resources from an
 Organization’s local cluster (Or)
 Cloud provider.
o Under peak demands, IGG interacts with another IGG
that can allocate resources from a cloud computing
provider.
o Component called the DVE manager performs resource
allocation and management.
o Intergrid gateway (IGG) allocates resources from a local
cluster three steps:
(1) Requesting the VMs(Resources)
(2) Enacting (Validate) the leases
(3) Deploying (install) the VMs as requested.

Fig: Cloud resource deployment using an IGG (intergrid gateway) to allocate the VMs from a Local cluster to
interact with the IGG of a public cloud provider.

5
1.2.2.6 Provisioning of Storage Resources
o Storage layer is built on top of the physical or virtual servers.
o Data is stored in the clusters of the cloud provider.
o The service can be accessed anywhere in the world.
o Eg:
 E-mail system might have millions of users and each user
can have thousands of e-mails and consume multiple gigabytes of
disk space.
 Web searching application.
o To store huge amount of information solid-state drives are used
instead of hard disk drives
In storage technologies, hard disk drives may be augmented
(increased) with solid-state drives in the future.

1.2.2.7 Virtual Machine Creation and Management

 The manager manage VMs deployed on a set of physical resources

 VIEs(Virtual Infrastructure Engine) can create and stop VMs on a
physical cluster
 Users submit VMs on physical machines using different kinds of
hypervisors
 To deploy a VM, the manager needs to use its template.
 Virtual Machine Templates contains a description for a VM with
the following static information:
 The number of cores or processors to be assigned to the
VM
 The amount of memory the VM requires
 The kernel used to boot the VM’s operating system.
 The price per hour of using a VM
 OAR/Kadeploy is a deployment tool
 API(Application Programming Interface) - An API is a software
intermediary that makes it possible for application programs to
interact with each other and share data

6
1.2.2.8 Global Exchange of Cloud Resources

Fig: Inter-cloud exchange of cloud resources through brokering

 It is not possible for a cloud infrastructure provider to establish its data
centers at all possible locations throughout the world.
 This results in difficulty in meeting the QOS expectations of their
customers.
 Hence, services of multiple cloud infrastructure service providers are
used.
 The Cloud Exchange (CEx) acts as a market maker for bringing together
service producers and consumers.
 This aggregates the infrastructure demands from brokers.
 Cloud coordinator evaluates the available resources.
 CEx allows participants to locate providers and consumers with fitting
offers.
 The availability of a banking system ensures that financial transactions
related to SLAs are carried out in a securely.
2. Resource Provisioning Methods
Note: Refer Section 1.2.2, 1.2.2.1 to 1.2.2.7
3. Security
 Cloud environment should be free from abuses, cheating, hacking,
viruses, rumors, and privacy and copyright violations.
3.1 Cloud Security Challenges
 In cloud model users lose control over physical security.
 In a public cloud, users are sharing computing resources with other
companies.
 When users share the environment in the cloud, it results in data at
risk of seizure (attack).
 Storage services provided by one cloud vendor may be incompatible
with another vendor’s services; this results in unable to move from
one to the other.
 Vendors create “sticky services”.
 Sticky services are the services which makes end user, in difficulty
while transporting from one cloud vendor to another.

7
 Example: Amazon’s “Simple Storage Service” [S3] is incompatible with
IBM’s Blue Cloud, or Google, or Dell).
 Customers want their data encrypted while data is at rest (data
stored) in the cloud vendor’s storage pool.
 Data integrity means ensuring that data is identically maintained
during any operation (such as transfer, storage, or retrieval).
 Data integrity is assurance that the data is consistent and correct.
 One of the key challenges in cloud computing is data-level security.
 It is difficult for a customer to find where its data resides on a
network controlled by its provider.
 Some countries have strict limits on what data about its citizens can
be stored and for how long.
 Banking regulators require that customers’ financial data remain in
their home country.
 Security managers will need to pay particular attention to systems
that contain critical data such as corporate financial information.
 Outsourcing (giving rights to third party) loses control over data and
not a good idea from a security perspective.
 Security managers have to interact with company’s legal staff to
ensure that appropriate contract terms are in place to protect
corporate data.
 The Intrusion Detection System(IDS) and Intrusion Prevention
Systems(IPS) detects malicious activity at virtual machine level.
 The co-location of multiple virtual machines increases the threat from
attacker.
 If Virtual machines and physical machine use the same operating
systems in a cloud environment, increases the threat from an attacker.
 A fully or partially shared cloud environment is expected to have a
greater attack than own resources environment.
 Virtual machines must be self-defending.
 Cloud computing provider is incharge of customer data security and
privacy.
3.2 Software as a Service Security (Or) Data Security (Or) Application Security
(Or) Virtual Machine Security.

Fig: Evolution of Cloud Services

8
 SaaS plays the dominant cloud service model and this is the area where the
most critical need for security practices are required
 Security issues that are discussed with cloud-computing vendor:
1. Privileged user access
 Inquire about who has specialized access to data.
2. Regulatory compliance
 Make sure that the vendor is willing to undergo external audits.
3. Data location
 Does the provider allow for any control over the location of data?
4. Data segregation
 Make sure that encryption is available at all stages.
5. Recovery
 Find out what will happen to data in the case of a disaster. Do
they offer complete restoration? If so, how long would that take?
 The security practices for the SaaS environment are as follows:
 Security Governance
A security committee should be developed whose objective is to
focus on providing guidance about security initiatives with business and
IT strategies.
 Risk Management
A risk assessment process should be created that allocates
security resources related to business continuity.
 Security Portfolio(selection) Management
Security portfolio management ensures efficient and effective
operation of any information.
 Security Awareness
Not providing proper awareness and training to the people who
may need them can expose the company to a variety of security risks
 Policies, Standards, and Guidelines
Policies, standards, and guidelines are developed that can ensure
consistency of performance.
 Secure Software Development Life Cycle (SecSDLC)
The SecSDLC involves identifying specific threats and the risks. The
SDLC consists of six phases
Phase 1.Investigation:
-Define project goals, and document them.
Phase 2.Analysis:
-Analyze current threats and perform risk analysis.
Phase 3.Logical design:
-Develop a security blueprint(plan) and business responses to
disaster.
Phase 4.Physical design:
-Select technologies to support the security blueprint(plan).
Phase 5.Implementation:
- Buy or develop security solutions.

9
Phase 6.Maintenance:
-Constantly monitor, test, modify, update, and repair to respond to
changing threats.
 Security Monitoring and Incident Response
Centralized security management systems should be used to
provide notification of security vulnerabilities and to monitor systems
continuously.
 Business Continuity Plan
Business continuity plan, ensures uninterrupted operations of
business.
 Forensics
Forensics includes recording and analyzing events to determine the
nature and source of information abuse, security attacks, and other such
incidents.
 Architecture Design
A security architecture framework should be established with the
following consideration
1. Authentication
2. Authorization
3. Availability
4. Confidentiality
5. Integrity
6. Privacy
 Data Privacy
 Depending on the size of the organization and the scale of
operations, either an individual or a team should be assigned and
given responsibility for maintaining privacy.
 A member of the security team who is responsible for privacy or
security compliance team should collaborate with the company
legal team to address data privacy issues and concerns.
 Hiring a consultant in privacy area, will ensure that your
organization is prepared to meet the data privacy demands of its
customers and regulators.
 Data Governance
The data governance framework should include:
_ Data inventory
_ Data classification
_ Data analysis (business intelligence)
_ Data protection
_ Data privacy
_ Data retention/recovery/discovery
_ Data destruction

 Data Security
The challenge in cloud computing is data-level security.
Security to data is given by
 Encrypting the data
 Permitting only specified users to access the data.

10
  Restricting the data not to cross the countries border.
For example, with data-level security, the enterprise can specify
that this data is not allowed to go outside of the India.
 Application Security
 This is collaborative effort between the security and product
development team.
 Application security processes
o Secure coding guidelines
o Training
o Testing scripts
o Tools
 Penetration Testing is done to a System or application.
 Penetration Testing is defined as a type of Security Testing used to
test the insecure areas of the system or application.
 The goal of this testing is to find all the security vulnerabilities
that are present in the system being tested.
 SaaS providers should secure their web applications by following
Open Web Application Security Project (OWASP) guidelines for
secure application development, by locking down ports and
unnecessary commands
 Virtual Machine Security
In the cloud environment, physical servers are consolidated (combined) to
multiple virtual machine instances.
Following are deployed on virtual machines to ensure security
 Firewalls
 Intrusion detection and prevention
 Integrity monitoring
 Log inspection
 Identity Access Management (IAM)
IAM is the Security & business discipline that “enables the right
individuals to access the right resource at the right times for the right
reasons”
 Change Management
 Consumer may request for changes.
 Approving change requests that do not meet security requirements
may result in service disruptions or loss of customer data.
 The security team may also create security guidelines for
standards and minor changes, to provide self-service capabilities
for changes.
 Physical Security
The key components of data center physical security are the following:
 24/7/365 onsite security
 biometric hand geometry readers
 bullet-resistant walls
 concrete bollards
 closed-circuit TV (CCTV)
 silent alarms

11
  Security personnel should request government-issued
identification from visitors
 Should record each visit.
 Security cameras should monitor activity throughout the
facility, including equipment areas, corridors, and mechanical,
shipping, and receiving areas.
 Motion detectors and alarms should be located, silent alarms
should automatically notify security and law enforcement
personnel in the event of a security breach.
 Environmental controls and backup power: Heat, temperature,
air flow, and humidity should all be kept within optimum
ranges for the computer equipment housed on-site.
 Everything should be protected by fire-suppression systems,
activated by a dual-alarm matrix of smoke, fire, and heat
sensors located throughout the entire facility.
 Business Continuity and Disaster Recovery
Customers rely heavily on 24/7 access to their services, and any
interruption in access can be catastrophic (tragic).
 The Business Continuity Plan
The BC plan has following main phases:
 analysis
 design
 implementation
 testing
 organization acceptance
 Maintenance.
 Disaster recovery is the process of preparing for recovery
after a natural or human-induced disaster.

12