CHAPTER 1
INTRODUCTION
(1.1) Cloud Computing
Cloud computing is Internet-based computing, whereby shared resources, software and
information are provided to computers and other devices on demand, like the electricity
grid. Cloud computing is about providing IT-related services through the Internet. It
allows flexible IT solutions to support the business, based on clear service
arrangements.
Figure 1: Cloud Computing (keywords shown: Internet services, shared, scalable, virtualisation)
“Cloud Computing is a method of running application software and storing related data
in central computer systems and providing customers or other users access to them
through the internet.”
- Encyclopedia Britannica (eb.com, 2012)
(1.2) Characteristics of Cloud
On-demand self-service: Within an existing contract, a user/customer can, for
example, add new services, storage space or computing power without a formal
request for change.
Broad network access: This is what Microsoft’s Bill Gates envisioned in the
nineties, i.e., “anytime, anyplace and any device”, and of course with enough
bandwidth.
Resource pooling: In the industry this characteristic is also known as multi-
tenancy. Many users/customers share resources of varied types and levels.
Rapid elasticity: This characteristic has to do with the fundamental Cloud aspects
of flexibility and scalability. For example, web shops need a standard amount of
transaction capacity during the year, but need a peak around Christmas. Of course
they do not want to pay for this peak capacity during the rest of the year.
Measured service: This means monitored, controlled and reported services. This
characteristic enables a pay-per-use service model. It has similarities to the mobile
telephone concept of service bundles, where you pay a standard subscription for
basic levels and pay extra for additional services without changing the contract.
Figure 2: Why Move to Cloud?
CHAPTER 2
Cloud Deployment Models
In the industry there are four types of Cloud Deployment Models that are generally
accepted; most prominently by the American National Institute of Standards and
Technology (NIST).
(2.1) Private cloud
A private cloud is cloud infrastructure dedicated to a particular organization. Private clouds
allow businesses to host applications in the cloud while addressing concerns regarding
data security and control that are often left unaddressed in a public cloud environment. It is not
shared with other organizations, whether managed internally or by a third party, and it
can be hosted internally or externally.
There are two variations of private clouds:
1. On-Premise Private Cloud: This type of cloud is hosted within an organization’s own
facility. The business’s IT department incurs the capital and operational costs for the
physical resources with this model. On-premise private clouds are best used for
applications that require complete control and configurability of the infrastructure and
security.
2. Externally Hosted Private Cloud: Externally hosted private clouds are also exclusively
used by one organization, but are hosted by a third party specializing in cloud
infrastructure. The service provider facilitates an exclusive cloud environment with full
guarantee of privacy. This format is recommended for organizations that prefer not to use
a public cloud infrastructure due to the risks associated with the sharing of physical
resources.
Undertaking a private cloud project requires a significant degree of engagement
to virtualize the business environment, and it will require the organization to re-evaluate
decisions about existing resources. Private clouds are more expensive but also more
secure when compared to public clouds. An Info-Tech survey shows that 76% of IT
decision-makers will focus exclusively on the private cloud, as these clouds offer the
greatest level of security and control.
When is a Private Cloud for you?
You need data sovereignty but want cloud efficiencies
You want consistency across services
You have more server capacity than your organization can use
Your data center must become more efficient
(2.2) Public cloud
Public clouds are made available to the general public by a service provider who hosts
the cloud infrastructure. Generally, public cloud providers like Amazon AWS, Microsoft
and Google own and operate the infrastructure and offer access over the Internet. With
this model, customers have no visibility or control over where the infrastructure is
located. It is important to note that all customers on public clouds share the same
infrastructure pool with limited configuration, security protections and availability
variances.
Public Cloud customers benefit from economies of scale, because infrastructure costs are
spread across all users, allowing each individual client to operate on a low-cost, “pay-as-
you-go” model. Another advantage of public cloud infrastructures is that they are
typically larger in scale than an in-house enterprise cloud, which provides clients with
seamless, on demand scalability. These clouds offer the greatest level of efficiency in
shared resources; however, they are also more vulnerable than private clouds.
A public cloud is the obvious choice when:
Your standardized workload for applications is used by lots of people, such as e-mail.
You need to test and develop application code.
You need incremental capacity (the ability to add compute resources for peak
times).
(2.3) Community Cloud
The Community Cloud has many similarities with the Private Cloud in that it delivers
services to a specific group of organizations and/or individuals that share a common goal.
Examples are regional or national educational or research institutes, community centers
or even commercial organizations wishing to share very high security facilities for
transaction processing like stock exchange trading companies.
The main goal for creating a Community Cloud is the ease of sharing data, platforms
and applications which would otherwise be too expensive to purchase, like research
equipment. Another goal of sharing Cloud facilities with your own community may be to
reduce costs and improve performance, privacy and security without raising TCO in a
significant way. Some specific advantages could not easily be gained by running your
own local computing facilities: 24/7 access and support, shared service and support
contracts and economies of scale.
(2.4) Hybrid cloud
Hybrid Clouds are a composition of two or more clouds (private, community or public)
that remain unique entities but are bound together, offering the advantages of multiple
deployment models. In a hybrid cloud you can leverage third-party cloud providers in
either a full or partial manner, increasing the flexibility of computing. Augmenting a
traditional private cloud with the resources of a public cloud can be used to manage
unexpected surges in workload.
Hybrid cloud architecture requires both on-premise resources and off-site server based
cloud infrastructure. By spreading things out over a hybrid cloud, you keep each aspect of
your business in the most efficient environment possible. The downside is that you have
to keep track of multiple cloud security platforms and ensure that all aspects of your
business can communicate with each other.
Here are a couple of situations where a hybrid environment is best:
Your company wants to use a SaaS application but is concerned about security.
Your company offers services that are tailored for different vertical markets. You
can use a public cloud to interact with the clients but keep their data secured
within a private cloud.
You can provide public cloud to your customers while using a private cloud for
internal IT.
Figure 3: Types of Cloud
CHAPTER 3
Service Models for Cloud Computing
There are many types of Cloud services like webmail, hosted Exchange, online storage,
online backup, social media, etc. All these services can be grouped under three main
Cloud service models: Software as a Service (SaaS), Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS).
(3.1) Software as a Service (SaaS):
This is the most common type of Cloud service. SaaS breaks with the tradition in which
organizations buy or develop their own business applications and run and manage them
on their own IT infrastructure. Applications hosted by a third party go back to the
mainframe days, and came to maturity with the ASP industry that emerged in the early
2000s. Many types of SaaS services developed from ASP solutions (i.e. application
hosting, pay per license, emulation, terminal services, etc.) into Cloud solutions (i.e.
multi-tenancy, pay-per-use, web-based interfaces, elasticity, etc.).
Key Characteristics:
Provides the same software to different customers via a network, usually the
Internet.
Managed by third-party vendors.
Accessible via any computer without any downloads.
Pay only for what you use.
User entangled with vendor.
Software on demand.
The key benefits are that the customer does not need to worry about the development and
management of these applications. The provider is responsible for updates and managing
licenses, and for most service management parameters like scalability, availability,
maintenance and service continuity. The customer pays by means of a pay-per-use model.
Typical examples of SaaS solutions are CRM, billing and invoicing, web hosting, e-commerce,
transaction processing, online collaboration, etc.
(3.2) Platform as a Service (PaaS):
Key Characteristics:
Offers an Internet-based platform to developers who want to create services and
applications but do not want to build their own cloud.
No need to buy hardware and software.
Servers, storage and networking managed by third-party vendors.
Rapid development at low cost.
Remote application support.
Someone producing PaaS might produce a platform by integrating an OS, application
software, and even a development environment that is then provided to a customer as a
service. The customer interacts with the platform through the API, and the platform does
what is necessary to manage and scale itself to provide a given level of service. Virtual
appliances can be classified as instances of PaaS. A content switch appliance, for
example, would have all of its component software hidden from the customer, and only
an API for configuring and deploying the service provided to them.
PaaS offerings can provide for every phase of software development and testing, or they
can be specialized around a particular area such as content management. Commercial
examples of PaaS include Google App Engine, which serves applications on
Google’s infrastructure. PaaS services such as these can provide a powerful basis on
which to deploy applications; however, they may be constrained by the capabilities that
the cloud provider chooses to deliver.
Some examples of PaaS service providers are Force.com, the first PaaS provider, and
smaller players like Bungee and Heroku. The latest entry is Google with its new App
Engine.
(3.3) Infrastructure as a Service (IaaS):
Key characteristics:
Allows applications to be run on a cloud supplier’s hardware by allowing you to
install a virtual server on their IT infrastructure.
No need to purchase servers or network equipment.
Servers, storage and networking managed by vendors.
Applications and updates managed by users.
Usually billed based on usage.
Infrastructure as a Service delivers basic storage and compute capabilities as standardized
services over the network. Servers, storage systems, switches, routers and other systems
are pooled and made available to handle workloads that range from application
components to high-performance computing applications. Commercial examples of IaaS
include Joyent, whose main product is a line of virtualized servers that provide a highly
available on-demand infrastructure.
Examples of IaaS are hosting services supporting e-commerce, and web hosting services that
include broadband connections and storage. Many of these on-demand IaaS infrastructures
are built on components from leading vendors like Cisco, HP, NetApp and VMware.
Figure 4: Service Models
SaaS - Software as a Service: business application users
PaaS - Platform as a Service: platforms and middleware for applications
IaaS - Infrastructure as a Service: computing power, storage and other IT
CHAPTER 4
Security and Compliance
Cloud computing means sharing, the Internet, multi-tenancy, a mix of free and non-free
services, data stored anywhere in the world, anonymous customers and unclear SLAs.
Many standards are used on the technical side; however, hardly any (ISO/IEC 20000, for
example) are used for compliance. By understanding the security risks, a customer will be able to assess
prospective providers and choose the right services that will not compromise their own
compliance with legislation and regulations.
(4.1) Security risks in the Cloud
Data loss/leakage: Data in the cloud has many advantages, but can be
compromised in many ways. It can be altered or deleted without a backup; it may
be unlinked from its context or accessed by unauthorized people.
Shared technology vulnerabilities: A multi-tenant architecture has its own
challenges. Some components may not have been developed for this type of use
and may cause security issues.
Insecure application interfaces: Application interfaces, or APIs, are key
components of most Cloud services. If these interfaces are not properly designed
for security they can become a risk ‘waiting to happen’.
Malicious insiders: If Cloud providers are a cross-section of our society, then,
statistically speaking, some of their staff or sub-contractor staff may be
untrustworthy.
Abuse and nefarious use of Cloud computing: Many Cloud providers give very
easy, and sometimes free for a trial period, access to their services. Registration is
relatively anonymous and can and will attract ‘darker customers’ like spammers
and hackers. Your Cloud provider may not only host your data and applications,
but also malicious software.
Unknown risk profile and account: Moving into the Cloud may make it more
difficult for organizations to demonstrate their compliance with legislation and
regulations during external audits.
Account, service and traffic hijacking: Most private users of e-mail and the
Internet will be aware of fraudulent tactics like phishing, password hacking and
identity theft. Passwords giving access to Cloud services go outside your own
company IT domain, and therefore can be compromised. For businesses this can
mean they are vulnerable to industrial espionage or can lose important business
data or processes.
(4.2) Mitigation Measures
SECURITY RISKS AND MITIGATIONS

Data Loss/Leakage:
- Authentication, audit and authorization
- Use of encryption
- Proper backup strategy

Shared Technology Vulnerabilities:
- Enhanced operations procedures for monitoring and escalation when security breaches occur
- Application of good security practice for installation, configuration and application of patches

Insecure Application Interfaces:
- Designing for security and proper testing methods
- Understanding how they interact with other interfaces
- Strong authentication and access control

Malicious Insiders:
- Good HR vetting procedures
- Strong information security policies and procedures

Abuse and Nefarious Use of Cloud Computing:
- Validation of credentials
- Increased monitoring of traffic between customers and known suspicious sites

Unknown Risk Profile and Account:
- Good SLA structure including Cloud provider compliance audits

Account, Service and Traffic Hijacking:
- Strong authentication techniques
- Monitoring of user behavior

Figure 5: Mitigation Measures
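The last row of the table, "monitoring of user behavior" against account hijacking, is the one mitigation that can be shown as running detection logic. The following is an added example and not part of the report: it reads a constructed sample of sign-in events (timestamp, user, result, source address) and flags the two patterns a password-guessing or credential-theft attempt leaves behind, a success right after a burst of failures and successes for one account from two different sources within a short window. The log format, the failure threshold and the time window are assumptions made for the example.

```python
"""Added example (not from the report): flag account-hijacking signals that the
mitigation table addresses with 'monitoring of user behavior'.  The log lines
are constructed for the example; both thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of cloud console sign-in events: "timestamp user result source_ip"
SAMPLE_LOG = """\
2012-03-01T08:01:10 alice SUCCESS 10.0.0.5
2012-03-01T08:02:30 bob FAILURE 203.0.113.9
2012-03-01T08:02:41 bob FAILURE 203.0.113.9
2012-03-01T08:02:55 bob FAILURE 203.0.113.9
2012-03-01T08:03:07 bob FAILURE 203.0.113.9
2012-03-01T08:03:20 bob FAILURE 203.0.113.9
2012-03-01T08:03:33 bob SUCCESS 203.0.113.9
2012-03-01T08:10:00 carol SUCCESS 198.51.100.20
2012-03-01T08:12:00 carol SUCCESS 192.0.2.77
2012-03-01T09:00:00 alice SUCCESS 10.0.0.5
"""

FAILURE_THRESHOLD = 5           # assumed: failures before a success that look like guessing
WINDOW = timedelta(minutes=10)  # assumed: window for "same account, different sources"


def parse_events(text):
    """Parse the whitespace-separated log format into sorted (time, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return sorted(events)


def find_suspicious(events, failure_threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return a list of (user, reason) findings, in the order the triggering events occur."""
    findings = []
    failures = defaultdict(int)         # consecutive failed sign-ins per user
    recent_success = defaultdict(list)  # (time, ip) of successes per user inside the window
    for ts, user, result, ip in events:
        if result == "FAILURE":
            failures[user] += 1
            continue
        # a success right after a burst of failures: likely a guessed or stuffed password
        if failures[user] >= failure_threshold:
            findings.append((user, f"success after {failures[user]} failures from {ip}"))
        failures[user] = 0
        # a success from a second source inside the window: possible credential or session theft
        for prev_ts, prev_ip in recent_success[user]:
            if prev_ip != ip and ts - prev_ts <= window:
                findings.append((user, f"logins from {prev_ip} and {ip} within {window}"))
                break
        # drop successes that have fallen out of the window, then remember this one
        recent_success[user] = [(t, i) for t, i in recent_success[user] if ts - t <= window]
        recent_success[user].append((ts, ip))
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious(parse_events(SAMPLE_LOG)):
        print(f"ALERT {user}: {reason}")
```

On the sample above the checker raises two alerts, one for bob (a success after five failures) and one for carol (two sources two minutes apart); alice, who signs in twice from the same address an hour apart, raises none. In practice the thresholds would be tuned per tenant and the second rule would compare network or geographic origin rather than raw addresses, but the shape of the logic is the same.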
(4.3) Managing Identity and Privacy in Cloud
Before letting any user/customer enter the cloud, it is necessary to recognize the
user/customer for security and privacy purposes. Once the user/customer is recognized,
the verification technique will let them enter the cloud.
(4.3.1) Authentication in the Cloud
In a Private Cloud a VM can take over the role of the domain controller or security server,
but in Hybrid Cloud scenarios it becomes more diffused. In this case the additional
security of a VPN is needed for the connections between the Private and Public or
Community Cloud parts.
The real problems appear with Public Clouds. In this scenario security can be handled, or
not handled, in many ways, for example using the Lightweight Directory Access Protocol
(LDAP), user-id and password lookup in a database or, if you are ‘lucky’, Kerberos (a
network authentication protocol designed to provide strong authentication for
client/server applications by using secret key cryptography). Furthermore, if you are
using different solutions from the same or even different providers it is very unlikely that
there is a single sign-on system in place like in your Private Cloud.
Since the Cloud is Internet based, security will have to be based on ‘Internet-routable’
protocols, and such standardization between different Cloud component infrastructure
and service providers does not yet exist.
Triple-A: Authentication, Authorization and Accounting
Triple-A or AAA are the security cornerstones of IP-based network management and
policy administration.
Authentication refers to the process by which someone’s or something’s identity is
verified; examples are a digital certificate, a password and user-id, or a security
token.
Authorization determines whether a particular entity is authorized for the requested
action; access to certain data may be restricted, or there can be time restrictions
preventing people from logging in to the system outside office hours.
Accounting means the tracking of resource usage by users, and can for example be used
as part of an audit trail, costing or billing, or capacity monitoring.
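The three steps above are easiest to see in code. The following is an added example, not the report's own material: a minimal request gateway that authenticates a user-id and password against salted PBKDF2 hashes, authorizes the requested action against a role table and the office-hours restriction the text mentions, and accounts for every decision in an audit trail. The user store, the roles, the office hours and the action names are constructed assumptions.

```python
"""Added example (not from the report): Triple-A in the order the text describes.
The user store, roles, office hours and actions are constructed assumptions."""
import hashlib
import hmac
import os
from datetime import datetime

PBKDF2_ROUNDS = 100_000  # assumed work factor for the password hash


def make_password_record(password, salt=None):
    """Keep a salted PBKDF2 hash of the password, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed user store: user-id -> password record plus role
USERS = {
    "alice": {**make_password_record("correct horse battery"), "role": "analyst"},
    "bob": {**make_password_record("s3cret-example"), "role": "admin"},
}
# Constructed policy: the actions each role may perform
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "admin": {"read", "write", "delete"},
}
OFFICE_HOURS = range(8, 18)  # assumed: 08:00-17:59, the time restriction the text mentions
AUDIT_LOG = []               # accounting: one record per decision


def authenticate(user_id, password):
    """Step 1: verify the claimed identity with a constant-time hash comparison."""
    record = USERS.get(user_id)
    if record is None:
        # hash anyway, so an unknown user-id takes as long as a wrong password
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def authorize(user_id, action, when):
    """Step 2: is this authenticated user allowed to do this, at this time?"""
    if when.hour not in OFFICE_HOURS:
        return False
    role = USERS[user_id]["role"]
    return action in ROLE_PERMISSIONS.get(role, set())


def account(user_id, action, outcome, when):
    """Step 3: record the decision for audit, billing or capacity monitoring."""
    AUDIT_LOG.append({"time": when.isoformat(), "user": user_id,
                      "action": action, "outcome": outcome})


def request(user_id, password, action, when):
    """Authenticate, then authorize, and account for the outcome either way."""
    if not authenticate(user_id, password):
        account(user_id, action, "auth-failed", when)
        return False
    allowed = authorize(user_id, action, when)
    account(user_id, action, "allowed" if allowed else "denied", when)
    return allowed


if __name__ == "__main__":
    office = datetime(2012, 3, 1, 10, 0)
    night = datetime(2012, 3, 1, 23, 0)
    print(request("alice", "correct horse battery", "read", office))   # True
    print(request("alice", "correct horse battery", "delete", office)) # False: role
    print(request("bob", "s3cret-example", "read", night))             # False: outside office hours
    for entry in AUDIT_LOG:
        print(entry)
```

Two details carry the security weight: the failed-authentication path still costs a hash computation and is still written to the audit log, so an attacker probing for valid user-ids gets neither a timing hint nor an unrecorded attempt, and authorization is only ever evaluated for an identity that has already been authenticated.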
Single Sign On (SSO) for web services
One of the authentication challenges is formed by the fact that Cloud based security
infrastructure is distributed. Security features and algorithms are spread all over a certain
domain. A solution for this problem is offered by the SSO principle. All distributed
security elements are consolidated on one SSO-server. As a result, a user only needs to
sign on once using a security measure like a smart-card or a security token. SSO
architecture uses the so-called SOAP protocol, a protocol for the exchange of information
in the implementation of Web Services in the Cloud or any other network.
CHAPTER 5
Drivers and Limitations of Cloud Computing
Like any service model, Cloud has many benefits, but also some downsides.
Figure 6: Benefits and Limitations of Cloud Computing (keywords shown: security, costs, location of data storage, compliance, flexibility, Internet dependency, green, service levels, mobility, migration)
(5.1) Benefits of Cloud Computing
The following are some benefits of cloud computing-based services and applications:
Cost saving: The most important benefit of using cloud computing is cost saving,
and this has worked really well especially for small companies. Companies can
reduce their capital expenditures and use operational expenditures to increase
their computing capabilities. This lowers the barrier to entry and also requires
fewer in-house IT resources to provide system support.
Reduced time for implementation: Cloud computing provides processing power and
data storage as needed, at the capacity required. This can be obtained in real time
instead of the weeks or months it takes when a new business initiative is brought
online in the traditional way.
Dynamic scalability: Many enterprises include a reasonably large buffer above their
average computing requirement, just to ensure that capacity is in place to satisfy
peak demand. Cloud computing provides an extra processing buffer as needed at a
low cost and without capital investment or contingency fees for users.
Shortened development life cycle: Cloud computing allows a shorter development
life cycle than the one required by the traditional development approach. Any new
business application can be developed online by connecting proven functional
application building blocks together.
Reliability: Services using multiple redundant sites can support business
continuity and disaster recovery.
Maintenance: Cloud service providers do the system maintenance, and access is
through application programming interfaces that do not require application
installations on PCs, thus further reducing maintenance requirements.
Mobile accessibility: Mobile workers have increased productivity because the
systems are accessible from an infrastructure available anywhere.
Monitor projects more effectively: Stay within budget and ahead of completion
cycle times. This option is really helpful for small companies or individuals, as
they use the resources according to their requirements while keeping their
projected budget in mind.
Less personnel training is needed: It takes fewer people to do more work on a
cloud, with a minimal learning curve on hardware and software issues. This results
in less spending on infrastructure, and the company can spend more on its
projects.
Minimize licensing of new software: Stretch and grow without the need to buy
expensive software licenses or programs. Cloud does not require you to buy
hardware and software, because all the maintenance will be looked after by the
vendors.
(5.2) Limitations of Cloud Computing:
As you explore your cloud computing options, a few disadvantages to be aware of
include:
More elasticity means less control: While public clouds are great for quickly scaling your
resources up and down, companies that require complete and total control over their
data and applications will need to avoid the public cloud. Alternative solutions include
hybrid clouds and private clouds.
Not everything fits into the cloud: Depending on the cloud provider, you may face
restrictions on available applications, operating systems and infrastructure options.
Complicating matters further is the simple fact that not all platforms can live in the cloud.
To address this, it is important to ensure that the cloud provider you choose also offers
physical services. Then, if your platform in the cloud needs to speak to applications on
other platforms, the flexibility of physical colocation will help ensure successful
interoperation.
Data location: Cloud computing technology allows cloud servers to reside anywhere,
so the enterprise may not know the physical location of the server used to store and
process its data and applications. Although from the technology point of view location
is least relevant, this has become a critical issue for data governance requirements. It is
essential to understand that many Cloud Service Providers (CSPs) can also specifically
define where data is to be located.
Data safety: Application sharing and multi-tenancy of data is one of the characteristics
associated with cloud computing. Although many CSPs have multi-tenant applications
that are secure, scalable and customizable, security and privacy issues are still often
concerns among enterprises. Data encryption is another control that can assist data
confidentiality.
Cloud security policy / procedures transparency: Some CSPs may have less
transparency than others about their information security policy. The rationalization for
such a difference is that the policies may be proprietary. As a result, it may create conflict with
the enterprise’s information compliance requirements. The enterprise needs to have a
detailed understanding of the service level agreements (SLAs) that stipulate the desired
level of security provided by the CSPs.
Cloud data ownership: The contract agreements may state that the CSP owns the data
stored in the cloud computing environment. The CSP may demand significant service
fees for data to be returned to the enterprise when the cloud computing SLAs terminate.
Lock-in with CSPs’ application programming interfaces: Currently many CSPs
implement their applications using CSP-specific APIs. As a result, transitioning cloud services
from one CSP to another CSP has become extremely complicated, time-consuming and
labor-intensive.
Disaster recovery: Enterprises are concerned about the resiliency of cloud computing,
since data may be commingled and scattered around multiple servers and geographical
areas. It may be possible that the data for a specific point in time cannot be identified.
In traditional hosting, by contrast, the enterprise knows exactly where its data is
located, so it can be rapidly retrieved in the event of disaster recovery. In the cloud computing
model, the primary CSP may outsource capabilities to third parties, who may also
outsource the recovery process. This becomes more complex when the primary CSP
does not ultimately hold the data.