Cloud Computing Concepts
CS3132
Dr. Anand Kumar Mishra
NIIT University
Topic – 1
• Concepts of Cloud Computing - Defining a Cloud Computing, Essential
Characteristics
• Historical developments: Distributed systems, Web 2.0, Service-oriented
computing, Utility-oriented computing
• Building cloud computing environments: Application development,
Infrastructure and system development, Computing platforms and
technologies
• Service Models: Software as a Service (SaaS), Platform as a Service (PaaS),
Infrastructure as a Service (IaaS)
• Deployment Models: Private cloud, Community cloud, Public cloud, Hybrid
cloud
• Cloud Computing Reference Architecture: Consumer, Provider, Auditor,
Broker, Carrier
Cloud Service Providers
• Amazon Web Services - The leader in IaaS and branching out
• Microsoft Azure
• Google Cloud Platform
• Etc.
Dr. Anand Kumar Mishra
Cloud Computing
• NIST - “A model for enabling ubiquitous,
convenient, on-demand network access to a
shared pool of configurable computing resources
(e.g., servers, storage, networks, applications,
and services) that can be rapidly provisioned and
released with minimal management effort or
service provider interaction.”
• Ubiquitous - Seeming to be everywhere or in several places at the
same time
• Convenient - Suitable or practical for a particular purpose
• Configurable - Capable of being customized
• Provision - Making something available for somebody to use
Cloud Computing
• Essential Cloud Characteristics
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
Cloud Computing - Essential Characteristics
Cloud Computing - On-Demand Self-Service
• Enables consumers to get computing resources as and when required,
without any human intervention
• Allows the consumer to use “ready to use” services or to choose the required
services from the service catalog
• Allows provisioning of resources using self-service interface
• Self-service interface should be user-friendly
Cloud Computing - Broad Network Access
• Cloud services are accessed via the network, usually the internet, from a
broad range of client platforms such as:
• Desktop computer
• Laptop
• Mobile phone
• Thin Client
• Eliminates the dependence on a particular client platform to access the
services
• Enables accessing the services from anywhere across the globe
Cloud Computing - Resource Pooling
• IT resources (compute, storage, network) are pooled to serve multiple
consumers
• Based on multi-tenant model
• Consumer has no knowledge about the exact location of the
resources provided
• Resources are dynamically assigned and reassigned based on the
consumer demand
Cloud Computing - Rapid Elasticity
• Ability to scale IT resources rapidly, as required, to fulfill the changing
needs without interruption of service
• Resources can be both scaled up and scaled down dynamically
• To the consumer, the Cloud appears to be infinite
• Consumers can start with minimal computing power and can expand their
environment to any size
Cloud Computing - Measured Service
• Consumers are billed based on the metered usage of Cloud resources
• Cost incurred on a pay-per-use basis
• Pricing/billing model is tied to the required service levels
• Resource usage is monitored and reported, which provides transparency for
chargeback to both Cloud service provider and consumer about the utilized service
• Cloud systems automatically control and optimize resource use
• By leveraging a metering capability at some level of abstraction appropriate to the
type of service
• storage, processing, bandwidth, and active user accounts
• Resource usage can be monitored, controlled, and reported, providing
transparency for both the provider and consumer of the utilized service
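As an added illustration (not part of the original slides) of rapid elasticity and measured service together, the Python below replays a constructed demand trace through a small autoscaler that sizes an instance pool within fixed limits and meters the allocated instance-hours for pay-per-use billing. The demand numbers, per-instance capacity, pool limits and price are all assumptions made for this example.

```python
from dataclasses import dataclass, field

# Constructed sample: requests per second seen by a hypothetical tenant in eight
# consecutive five-minute intervals. Every number here is an assumption.
DEMAND_RPS = [40, 120, 260, 410, 380, 150, 60, 30]
INTERVAL_HOURS = 5 / 60               # each sample covers five minutes
CAPACITY_PER_INSTANCE = 100           # assumed: one instance sustains 100 rps
MIN_INSTANCES, MAX_INSTANCES = 1, 6   # pool limits: the cloud only looks infinite
PRICE_PER_INSTANCE_HOUR = 0.05        # assumed pay-per-use rate


@dataclass
class Autoscaler:
    instances: int = MIN_INSTANCES
    usage_log: list = field(default_factory=list)  # metering records for chargeback

    def desired(self, rps: int) -> int:
        # ceiling division, then clamp to the pool's limits
        needed = -(-rps // CAPACITY_PER_INSTANCE)
        return max(MIN_INSTANCES, min(MAX_INSTANCES, needed))

    def step(self, rps: int) -> str:
        target = self.desired(rps)
        if target > self.instances:
            action = "scale-out"
        elif target < self.instances:
            action = "scale-in"
        else:
            action = "steady"
        self.instances = target
        # Measured service: record what was actually allocated, at the
        # abstraction level (instance-hours) the provider bills on.
        self.usage_log.append({
            "rps": rps,
            "instances": target,
            "instance_hours": target * INTERVAL_HOURS,
            "unserved_rps": max(0, rps - target * CAPACITY_PER_INSTANCE),
            "action": action,
        })
        return action


def run(demand=DEMAND_RPS) -> list:
    """Replay the demand trace and return the metering log."""
    scaler = Autoscaler()
    for rps in demand:
        scaler.step(rps)
    return scaler.usage_log


def bill(log) -> float:
    """Pay-per-use charge for a metering log, rounded to 4 decimals."""
    return round(sum(r["instance_hours"] for r in log) * PRICE_PER_INSTANCE_HOUR, 4)


if __name__ == "__main__":
    log = run()
    for record in log:
        print(record)
    print("charge:", bill(log))
```

The pool cap is where the "infinite" cloud becomes finite in practice: the unserved_rps field shows demand that a clamped pool cannot absorb, which is the point at which a consumer either raises the limit or accepts degraded service, and the metering log is what makes that trade-off visible to both sides.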
Cloud Service Models - Three main categories
• Infrastructure-as-a-Service (IaaS)
• Platform-as-a-Service (PaaS)
• Software-as-a-Service (SaaS)
Infrastructure-as-a-Service
• Provides capability to the consumer to hire infrastructure components such as
servers, storage, and network
• Enables consumers to deploy and run software, including OS and applications
• Pays for infrastructure component usage, for example, storage capacity, CPU
usage, etc.
Figure: service stack (Application, Databases, OS, Compute, Storage, Network);
in IaaS the hired resources are Compute, Storage, and Network
IaaS Examples
• Amazon Elastic Compute Cloud (EC2) is an IaaS model that provides
resizable compute capacity on a pay-per-use basis
• Allows consumers to hire virtual compute on which they run their own
applications
• EMC Atmos Online provides Storage as a service
• Internet accessible, on demand storage
Platform-as-a-Service
• Capability provided to the consumer to deploy consumer-created or acquired
applications on the Cloud provider’s infrastructure
• Consumer has control over
• Deployed applications
• Possible application hosting environment configurations
• Consumer is billed for platform software components
• OS, Database, Middleware
Figure: service stack (Application, Databases, OS, Compute, Storage, Network)
PaaS Examples
• Google App Engine provides platform for consumers to deploy or
create their own applications
• Allows dynamic allocation of system resources for an application based on the
actual demand
• Provides Java and Python environments to create and deploy applications
• Microsoft Azure Platform provides diverse functionalities to build
applications
• Uses existing skills with Visual Studio and .NET to build applications
• Applications can also be built in Java and PHP using Eclipse and other tools
Software-as-a-Service
• Capability provided to the consumer to use the provider’s applications running
in a Cloud infrastructure
• Complete stack including the application is provided as a service
• Application is accessible from various client devices, for example, via a thin
client interface such as a Web browser
• Billing is based on the application usage
Figure: Consumer accessing the full stack (Application, Databases, OS, Compute,
Storage, Network) as hired resources
SaaS Examples
• EMC Mozy is a Software-as-a-Service solution for on-line backup
• Consumers can leverage the Mozy console to perform automatic, secured,
online backup and recovery of their data with ease
• Salesforce.com is a Software-as-a-Service solution for CRM
application
• Consumers can access CRM applications from anywhere, any time
Understanding the Cloud Infrastructure
1. Existing infrastructure - Classical Data Center
2. Virtualize the infrastructure
• resource pooling
• rapid elasticity
3. Deploying Service Management Tools
• To deliver cloud services
• On-demand self-service of computing resources
Classic Data Center
1. Existing infrastructure - Classical Data Center
• CDC provides IT resources to
process data
• CDC Core Elements
• Application
• Database Management System
(DBMS)
• Compute
• Storage
• Network
Classical Data Center - Application
• Business applications
• E-mail, Enterprise Resource Planning (ERP), Decision Support System (DSS),
Data Warehouse (DW)
• Management applications
• Resource management, performance tuning
• Data protection applications
• Backup, replication
• Security applications
• Authentication, antivirus
Classical Data Center - DBMS
• Database is a structured way to store data in logically organized tables
that are interrelated
• Helps to optimize the storage and retrieval of data
• DBMS is a collection of computer programs that control the creation,
maintenance, and use of databases
• Processes an application’s request for data
• Instructs the OS to retrieve the appropriate data from storage
• Popular DBMS examples are MySQL, Oracle RDBMS, SQL Server, etc.
Classical Data Center - Compute
• A resource that runs applications with the help of underlying computing
components
• Compute consists of -
• Physical components (hardware devices) and
• CPU, Memory, and Input/Output (I/O) devices
• I/O devices facilitate the following types of communication:
• User to compute: Handled by basic I/O devices such as keyboard, mouse, etc.
• Compute to compute/storage: Enabled using host controller or host adapter
• Logical components (software and protocols)
Classical Data Center - Compute System -
Examples
• Laptops/Desktops
• Complex cluster of servers
• Mainframes
• Bladed server technology is commonly used to deploy compute systems in a CDC
• Consolidates power- and system-level functions into a single, integrated chassis
• Enables the addition of server modules as hot-pluggable components
• Provides increased server performance and availability without increase in size, cost, or
complexity
Classical Data Center - Compute System -
Server Clustering
• Multiple servers (nodes) are brought together in a cluster to improve
availability and performance
• When a failure occurs on one node in a cluster, resources and workload are
redirected to another node
• Heartbeat exchange is a check mechanism between two nodes
• To see whether a node is up and running
• A failover is initiated if the heartbeat fails
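To make the heartbeat and failover mechanism concrete, here is an added Python simulation (not from the original slides) of a two-node cluster in which a node is declared down after a fixed number of consecutive missed heartbeats and the workload is redirected to a surviving node. The node names, the heartbeat trace and the three-miss threshold are constructed for this example.

```python
from dataclasses import dataclass, field

MISSED_LIMIT = 3   # assumed policy: three consecutive missed heartbeats => node declared down


@dataclass
class Node:
    name: str
    missed: int = 0
    alive: bool = True


@dataclass
class Cluster:
    nodes: list
    active: str                       # node currently serving the workload
    events: list = field(default_factory=list)

    def observe(self, tick: int, heartbeats: set) -> None:
        """Process one heartbeat interval; heartbeats holds the names that reported."""
        for node in self.nodes:
            if node.name in heartbeats:
                node.missed = 0
                if not node.alive:
                    # A recovered node rejoins as a standby; the workload is not
                    # moved back automatically, which avoids flapping.
                    node.alive = True
                    self.events.append((tick, "rejoin", node.name))
                continue
            node.missed += 1
            if node.alive and node.missed >= MISSED_LIMIT:
                node.alive = False
                self.events.append((tick, "down", node.name))
                if node.name == self.active:
                    self.failover(tick)

    def failover(self, tick: int) -> None:
        """Redirect the workload to the first surviving node, if any."""
        survivors = [n.name for n in self.nodes if n.alive]
        if not survivors:
            self.events.append((tick, "outage", None))
            return
        self.active = survivors[0]
        self.events.append((tick, "failover", self.active))


# Constructed heartbeat trace: the set of nodes heard from in each one-second tick.
TRACE = [
    {"node-a", "node-b"},   # tick 1
    {"node-a", "node-b"},   # tick 2
    {"node-a", "node-b"},   # tick 3
    {"node-b"},             # tick 4: node-a goes silent
    {"node-b"},             # tick 5
    {"node-b"},             # tick 6: third miss -> node-a down, failover to node-b
    {"node-a", "node-b"},   # tick 7: node-a is back and rejoins as a standby
]


def simulate(trace=TRACE) -> Cluster:
    cluster = Cluster([Node("node-a"), Node("node-b")], active="node-a")
    for tick, heard in enumerate(trace, start=1):
        cluster.observe(tick, heard)
    return cluster


if __name__ == "__main__":
    cluster = simulate()
    print("active:", cluster.active)
    for event in cluster.events:
        print(event)
```

The threshold is the important design choice: declaring a node down on a single missed heartbeat would fail over on every transient network hiccup, while too high a threshold lengthens the outage. A recovered node is deliberately readmitted as a standby rather than reclaiming the workload, so a flapping link cannot bounce the service back and forth.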
Classical Data Center - Storage
• It is a resource that stores data persistently for subsequent use
• Data created by individuals/businesses must be stored for further
processing
• The type of storage device used is based on the type of data and the
rate at which it is created and used
• A storage device may use magnetic, optical, or solid state media
• Examples: Disk drive (magnetic), CD (optical), Flash drive (solid state)
Classical Data Center - Network –
Compute to Compute Communication
• Typically uses Ethernet and TCP/IP protocols - LAN, MAN, and WAN
• Communication is enabled using various components:
• Network Interface Card (NIC)
• Switches and routers
• Switch provides scalability and interconnection between multiple
compute systems
• Routers allow different networks to communicate with each other
• Cables - Twisted pair, co-axial cable, optical fiber
Classical Data Center - Network –
Compute to Storage Communication
• Communication is enabled using various hardware components (HBA,
CNA, NIC, switch, router, gateway, and cables) and protocols
• Communication between compute and storage can be done using
channel or network technologies
2. Virtualize the infrastructure - Virtualization
Technique
• Technique of abstracting physical resources into logical resources
• It may be implemented at
• compute, storage, network, and/or application layers
• Virtualized Data Center (VDC)
• Benefits:
• Optimizes utilization of IT infrastructure
• Reduces cost and management complexity
• Reduces deployment time
• Increases flexibility
3. Deploying Service Management Tools –
To create and deliver Cloud services
• Automates and Optimizes:
• Service request processes
• Provision and delivery of services
• Enables metering of resource usage
• Manages physical and virtual resources
Cloud Infrastructure Management and Service Creation Tools
Figure: layered stack - Applications and Platform Software, Virtual
Infrastructure, Physical Infrastructure
Cloud Computing - Benefits
1. Reduced IT Cost - Avoids the up-front capital expenditure
2. Business agility support - Provides the ability to add new resources quickly
3. Flexible scaling - Scales up and down easily and instantly, based on demand
4. High availability - Ensures application availability at varying levels
5. Less energy consumption - Enables organizations to reduce power consumption
and space usage
Cloud Computing - Technological Foundations
• Grid Computing –
• Form of distributed computing which applies the resources of numerous
computers in a network to work on a single complex task at the same time
• Utility Computing –
• Service provisioning model that offers computing resources as a metered
service
Cloud Computing - Technological Foundations
• Virtualization –
• Provides improved utilization of resources
• Enables optimization of resources by oversubscription
• Service Oriented Architecture (SOA) –
• An architectural approach in which applications make use of services available in the
network
• Each service provides a specific function, for example, business function (Payroll Tax
calculation)
Cloud Computing - Deployment Models - NIST
• A cloud computing system
• may be deployed privately or hosted on the premises of a cloud customer,
• may be shared among a limited number of trusted partners,
• may be hosted by a third party
• may be a publicly accessible service, i.e., a public cloud.
• The different deployment models present a number of tradeoffs in
how customers can control their resources, and the scale, cost, and
availability of resources.
2012 NIST SP 800-146 Cloud Computing Synopsis and Recommendations
Cloud Computing
• Cloud consumer or customer
• a person or organization that is a customer of a cloud;
NOTE - A cloud customer may itself be a cloud, and clouds may offer
services to one another
• Client:
• a machine or software application that accesses a cloud over a
network connection, perhaps on behalf of a consumer
• Cloud provider or provider:
• an organization that provides cloud services
Cloud Computing - Deployment Models
• Private Cloud
• Community Cloud
• Public Cloud
• Hybrid Cloud
Cloud Computing - Deployment Models -
Private Cloud
• “Cloud infrastructure”
• Provisioned for exclusive use by -
• a single organization
• comprising multiple consumers (e.g., business units)
• Owned, Managed, and Operated by
• Organization
• Third party, or some combination of them
Cloud Computing - Deployment Models -
Private Cloud
• A high level of security and privacy for data
• through firewalls and internal hosting
• Ensures
• operational and sensitive data are not accessible to third-party providers
• Medical offices, banking institutions, and other organizations
• that are required to meet guidelines for data controls use a private cloud
• Example: VMware
Cloud Computing - Deployment Models -
Public Cloud
• “Cloud infrastructure”
• Provisioned for open use by
• the general public
• Owned, Managed, and Operated by
• A business,
• Academic, or government organization, or some combination of them
• It exists on the premises of the cloud provider
• Google, Amazon, Microsoft
Cloud Computing - Deployment Models -
Hybrid Cloud
• “Cloud infrastructure”
• A composition of two or more distinct cloud infrastructures
• (private, community, or public) - remain unique entities
• Bound together by standardized or proprietary technology that -
• Enables data and application portability
• e.g. - load balancing between clouds
Cloud Computing - Deployment Models -
Hybrid Cloud
• Aim - To create a unified, automated, and well-managed computing
environment
• IBM, HP, VMWare vCloud
Cloud Computing - Deployment Models -
Community Cloud
• “Cloud infrastructure”
• Provisioned for exclusive use by
• a specific community of consumers from organizations
• That have shared concerns
• Mission, Security Requirements, Policy, and Compliance Considerations
• Owned, Managed, and Operated by
• One or more of the organizations in the community
• A third party, or some combination of them
Cloud Computing - Deployment Models -
Community Cloud
• A cloud platform that is accessible only for a specific subset of
customers
• Example - U.S.-based dedicated IBM SoftLayer cloud for federal
agencies
Cloud Computing
Public Cloud
• Publicly shared virtualised resources
• Supports multiple customers
• Suited for less confidential information
Private Cloud
• Privately shared virtualised resources
• Cluster of dedicated customers
• Suited for secured confidential information
Cloud Computing Reference Architecture
Cloud Computing
• Cloud Consumer - A person or organization that
• maintains a business relationship with Cloud Providers
• uses services from Cloud Providers
2011 NIST Cloud Computing Reference Architecture, SP 500-292
Scope of Control between Provider and Consumer
• The application layer includes software applications targeted at end
users or programs
• The applications are used by SaaS consumers, or installed/managed/
maintained by PaaS consumers, IaaS consumers, and SaaS providers
• The middleware layer provides software building blocks (e.g.,
libraries, database, and Java virtual machine) for developing
application software in the cloud
• The middleware is used by PaaS consumers, installed/managed/maintained
by IaaS consumers or PaaS providers, and hidden from SaaS consumers.
Scope of Control between Provider and
Consumer
• The OS layer includes operating system and drivers, and is hidden
from SaaS consumers and PaaS consumers.
• An IaaS cloud allows one or multiple guest OSs to run virtualized on a single
physical host
• Generally, consumers have broad freedom to choose which OS to be hosted
among all the OSs that could be supported by the cloud provider
• The IaaS consumers should assume full responsibility for the guest OSs, while
the IaaS provider controls the host OS
Cloud Computing
• Cloud Carrier - An intermediary that provides
• connectivity and
• transport of cloud services
• from Cloud Providers to Cloud Consumers
Cloud Computing - Cloud Carrier
• Cloud carriers provide access to consumers through network,
telecommunication and other access devices
• For example, cloud consumers can obtain cloud services through
network access devices, such as computers, laptops, mobile phones,
mobile Internet devices (MIDs), etc
• The distribution of cloud services is normally provided by
• network and telecommunication carriers or a transport agent
• transport agent refers to a business organization that provides physical transport of
storage media such as high-capacity hard drives
Cloud Computing
• Cloud Auditor - A party that conducts independent assessment of
• cloud services,
• information system operations,
• performance, and the security and privacy impact of the cloud implementation
• Auditing is especially important for federal agencies
• Ensuring that the correct policies are applied
Cloud Computing
• Cloud Broker - An entity that manages
• use, performance and delivery of cloud services, and
• negotiates relationships between Cloud Providers and Cloud Consumers
• Services in 3 Categories:
• Service Intermediation
• Service Aggregation
• Service Arbitrage
Cloud Computing - Cloud Broker – AWS Service Broker
https://aws.amazon.com/partners/servicebroker/
https://www.ibm.com/services/cloud/multicloud
Benefits of Cloud Service Brokerage
• CSB has significantly reduced processing costs, increased flexibility, and
reduced downtime, as global offices, suppliers, and other partners in the
production chain can share information with each other in real time.
• Integrated service management:
• provides key services, such as backup and recovery, resiliency, and security. These
services ensure that your system is running all year round.
• Access to IT resources anytime, anywhere:
• Cloud services remove your data from its physical silos and make it readily
available for use whenever and wherever you need it.
Benefits of Cloud Service Brokerage
• Flexible scaling of resources:
• As the years advance and the business changes, so do your data needs. There
are plans in place to help scale your data solution investments with your
current needs for maximum resource optimization.
• Lowers total cost of ownership (TCO):
• Expediting delivery of your complex data projects helps reduce capital
expenditures.
• Automated self-service delivery:
• automation simplifies and speeds up the integration and deployment of
services. Cloud service brokerage provides options to automate your services
and the possibility of designing the automation as your needs require.
Jamcracker Cloud Brokerage Platform
• Providing services catalogue as a centralized resource for all users' needs, including
private and public cloud services.
• Unifying security, auditing, and policy enforcement for internal and external cloud
providers.
• Consolidating enterprise-wide license management and internal usage monitoring.
• Providing multi-level cloud service usage and show-back reporting.
• Centralizing service and user lifecycle management across disparate services.
• Integrating provider offerings into a standardized catalogue for automated provisioning
across providers, consolidated billing, and SLA governance.
• Providing services marketplaces that include complementary third-party offerings.
• Merging third-party services with your core offerings.
• Providing a unified usage experience across the user/services lifecycle.
• Enabling existing and new services channels.
Cloud Computing - Cloud Broker –
Service Intermediation
• Provision of value-added services or basically improving a capability
without actually providing any of the cloud services itself
• A cloud broker enhances a given service by improving some specific
capability and providing value-added services to cloud consumers
• Managing access to cloud services
• Identity management
• Performance reporting
• Enhanced security
Cloud Computing - Cloud Broker –
Service Aggregation
• combining and integrating multiple services,
• data integration, safeguarding process integrity and ensuring data portability
between the cloud customer and the various cloud services providers
• A cloud broker combines and integrates multiple services into one or
more new services
• Data integration
• Ensures the secure data movement between the cloud consumer and
multiple cloud providers
Cloud Computing - Cloud Broker –
Service Arbitrage
• Similar to service aggregation
• except that the services being aggregated are not fixed
• Service arbitrage means a broker has the flexibility to choose services
from multiple agencies
• The cloud broker, for example, can use a credit-scoring service to
measure and select an agency with the best score
Service Arbitrage
• The difference between service arbitrage and service aggregation is
that the services being aggregated aren’t fixed.
• Indeed the goal of arbitrage is to provide flexibility and opportunistic
choices for the service aggregator, e.g.,
• providing multiple email services through one service provider or providing a
credit-scoring service that checks multiple scoring agencies and selects the
best score
Service Arbitrage
• Some cloud broker services providers are not directly involved in
cloud customer contact, but rather enable other cloud broker services
providers to provide their brokerage services.
• Examples of these cloud brokerage enablers are providers of cloud
aggregation platforms or other (software) technology that enable
aggregation providers to combine various cloud services into one or
more aggregated cloud services to the cloud customer
Cloud Computing - Cloud Actors -
Example Usage Scenario 1
• A cloud consumer may request service from a cloud broker instead of
contacting a cloud provider directly
• The cloud broker may create a new service by combining multiple
services or by enhancing an existing service
Cloud Computing - Cloud Actors - Example
Usage Scenario 2
• For a cloud service, a cloud auditor conducts independent assessments
of the operation and security of the cloud service implementation
• The audit may involve interactions with both the Cloud Consumer and
the Cloud Provider
Cloud Computing
• Cloud Provider - A person, organization, or entity
• responsible for making a service available to interested parties
Cloud Provider - Activities
• Service deployment
• Service orchestration
• Cloud service management
• Security
• Privacy
Cloud Provider - Activities –
Service Deployment
• Public cloud - general public
• Private cloud - a single Cloud Consumer’s organization
• Community cloud - a group of Cloud Consumers (shared concerns)
• Hybrid cloud - a composition of two or more clouds
Cloud Provider - Activities –
Service Orchestration
• Service Layer
• Resource abstraction and control layer
• Physical resource layer
• Arrangement
• Coordination and
• Management of computing resources
• To provide cloud services to Cloud Consumers
Cloud Provider – Service Orchestration -
Service layer
• Cloud Providers define interfaces for Cloud Consumers
• To access the computing services
• SaaS applications can be built on top of PaaS components
• A SaaS application can be implemented and hosted on VMs from an IaaS
cloud or
• It can be implemented directly on top of cloud resources without using IaaS
VMs.
• PaaS components can be built on top of IaaS components
• Each service component can stand by itself
Cloud Provider - Service orchestration -
Resource abstraction and control layer
• Used by Cloud Providers to provide and manage access to the physical
computing resources through software abstraction
• Software elements such as hypervisors, VMs, virtual data storage,
etc.
• Control aspect - resource allocation, access control, and usage
monitoring
• Resource pooling, dynamic allocation
• Various open source and proprietary cloud software
Cloud Provider - Service orchestration -
Physical resource layer
• Hardware resources
• computers (CPU and memory),
• networks (routers, firewalls, switches, network links and interfaces),
• storage components (hard disks)
• Facility resources
• heating, ventilation and air conditioning (HVAC)
• power, communications, and other aspects of the physical plant
Cloud Provider - Cloud Service Management
Cloud Provider - Cloud service management -
Business support
• Business-related services dealing with clients
• Customer management - manage user profiles
• Contract management - service contracts, negotiations
• Inventory management - service catalogs
• Account and Billing - customer billing info., payments
• Reporting and Auditing - monitoring user operations, reports
• Pricing and Rating - evaluate cloud services and determine prices
Cloud Provider - Cloud service management -
Provisioning/Configuration
• Rapid provisioning - automatically deploying cloud systems
• Resource changing - adjusting configuration/resource assignment for
repairs
• Upgrades and joining new nodes into the cloud
• Monitoring and Reporting - monitoring virtual resources, cloud
operations
• Metering - providing a metering capability
• SLA management - SLA contract definition
Cloud Provider - Cloud service management -
Portability/Interoperability
• Portability - customers want to know
• whether they can move their data or applications across multiple cloud
environments at low cost and with minimal disruption.
• Interoperability - customers are concerned about the
• capability to communicate between or among multiple clouds
Cloud Provider - Security
• Security requirements such as
• Authentication
• Authorization
• Availability
• Confidentiality
• Identity management
• Integrity, audit, security monitoring, incident response, and security
policy management
AAA
Authentication, Authorization, Accounting
• Authentication - Process of verifying that the user who wants to access the
resources is valid, by asking for credentials such as a username and password
• Authorization - After authentication is successful,
• authorisation determines which resources the user is allowed to access and the
operations that can be performed
• Accounting - Monitoring and capturing the events performed by the user while
accessing the resources
• Keeps track of a user’s activity while attached to a system
• How long the user has access to the network
• The amount of time attached, the resources accessed, and how much data is transferred
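An added Python example (not from the original slides) that puts the three AAA steps together for a small cloud resource: salted password-hash authentication with a constant-time comparison, role-based authorization against a (resource, operation) policy, and an accounting log that records each decision, the session duration and the bytes transferred. The user store, roles, policy and the PBKDF2 iteration count are constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def password_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the iteration count is an assumption for the example
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store. A production store uses a random per-user salt.
SALT = b"constructed-example-salt"
USERS = {
    "alice": {"hash": password_hash("correct horse battery", SALT), "role": "admin"},
    "bob":   {"hash": password_hash("hunter2", SALT), "role": "viewer"},
}

# Constructed authorization policy: role -> permitted (resource, operation) pairs
POLICY = {
    "admin":  {("vm", "read"), ("vm", "start"), ("vm", "stop")},
    "viewer": {("vm", "read")},
}


@dataclass
class AAAService:
    records: list = field(default_factory=list)    # accounting log
    sessions: dict = field(default_factory=dict)   # user -> session state

    def authenticate(self, user: str, password: str, now: int) -> bool:
        entry = USERS.get(user)
        # Hash even for unknown users and compare in constant time, so response
        # timing does not reveal which usernames exist.
        candidate = password_hash(password, SALT)
        ok = entry is not None and hmac.compare_digest(candidate, entry["hash"])
        self.records.append({"t": now, "user": user, "event": "login", "ok": ok})
        if ok:
            self.sessions[user] = {"since": now, "bytes": 0}
        return ok

    def authorize(self, user: str, resource: str, op: str, now: int, nbytes: int = 0) -> bool:
        session = self.sessions.get(user)
        # No session means no authenticated identity, so nothing is allowed.
        allowed = session is not None and (resource, op) in POLICY[USERS[user]["role"]]
        self.records.append({"t": now, "user": user, "event": f"{op}:{resource}",
                             "ok": allowed, "bytes": nbytes if allowed else 0})
        if allowed:
            session["bytes"] += nbytes
        return allowed

    def logout(self, user: str, now: int):
        session = self.sessions.pop(user, None)
        if session is None:
            return None
        summary = {"user": user, "duration": now - session["since"], "bytes": session["bytes"]}
        self.records.append({"t": now, "event": "logout", "ok": True, **summary})
        return summary


def demo():
    """Constructed session: one viewer, one denied operation, one unknown user."""
    aaa = AAAService()
    aaa.authenticate("bob", "hunter2", now=100)          # valid credentials
    aaa.authorize("bob", "vm", "read", now=110, nbytes=2048)
    aaa.authorize("bob", "vm", "stop", now=120)          # denied: a viewer may not stop VMs
    aaa.authenticate("mallory", "guess", now=125)        # unknown user: denied
    aaa.authorize("mallory", "vm", "read", now=126)      # no session: denied
    summary = aaa.logout("bob", now=160)
    return aaa.records, summary


if __name__ == "__main__":
    records, summary = demo()
    for record in records:
        print(record)
    print("session summary:", summary)
```

Every decision, allowed or denied, lands in the accounting log; the denied entries are often the more useful ones for detection, since a burst of failed logins or repeated authorization failures from one identity is what a security monitor looks for.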
Cloud Provider - Privacy
• Cloud providers should protect -
• personal information (PI)
• personally identifiable information (PII)
PI and PII
• PI - Information relating to a person, directly or indirectly
• PII - Information that can be used to identify a person
• This could be a single piece of data or multiple pieces of data that when
compiled, or seen together, can identify a person or distinguish one person
from another
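An added Python example (not part of the original slides) showing how fields that are harmless on their own combine into PII: it counts how many records share each combination of fields in a constructed, name-free dataset, reports the combinations under which some person stands alone, and then applies a simple generalization (zip prefix, birth decade, gender dropped) that removes the singletons before the data is released. The records and field choices are constructed for this example.

```python
from collections import Counter
from itertools import combinations

# Constructed records with names removed. No single field below is unique, yet
# some combinations of fields single out exactly one person.
RECORDS = [
    {"zip": "30301", "birth_year": 1985, "gender": "F"},
    {"zip": "30301", "birth_year": 1985, "gender": "M"},
    {"zip": "30301", "birth_year": 1990, "gender": "F"},
    {"zip": "30302", "birth_year": 1985, "gender": "F"},
    {"zip": "30302", "birth_year": 1990, "gender": "M"},
    {"zip": "30302", "birth_year": 1985, "gender": "F"},
]
FIELDS = ("zip", "birth_year", "gender")


def group_sizes(records, fields):
    """How many records share each value-combination of the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def identifying_combinations(records, fields=FIELDS):
    """Field combinations under which at least one record stands alone."""
    found = {}
    for size in range(1, len(fields) + 1):
        for combo in combinations(fields, size):
            singletons = [v for v, n in group_sizes(records, combo).items() if n == 1]
            if singletons:
                found[combo] = singletons
    return found


def smallest_group(records, fields=FIELDS) -> int:
    """1 means some person is uniquely identifiable from these fields."""
    return min(group_sizes(records, fields).values())


def generalize(record):
    """Coarsen the data before release: 3-digit zip prefix, birth decade, no gender."""
    return {"zip": record["zip"][:3], "birth_decade": record["birth_year"] // 10 * 10}


if __name__ == "__main__":
    print(identifying_combinations(RECORDS))
    print("smallest group, raw:", smallest_group(RECORDS))
    released = [generalize(r) for r in RECORDS]
    print("smallest group, generalized:", smallest_group(released, ("zip", "birth_decade")))
```

The check is the one a provider should run before handing a "de-identified" dataset to a third party: if smallest_group returns 1 for any plausible combination of fields an outsider could know, the release still contains PII in the sense the slide describes.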
Comparative Overview: Web 1.0, Web 2.0, Web
3.0, Semantic Web, and Cloud Computing
• Web 1.0:
• known as the "static web" or "read-only web," refers to the early days of the internet
when websites primarily provided static content
• During this phase, websites were mainly informational and lacked user interaction
• The focus was on delivering information to users, and there was limited collaboration
or user-generated content
• Web 2.0:
• the "social web" or "read-write web," marked a significant shift in the internet
landscape
• It introduced interactive and dynamic features that allowed users to contribute,
share, and collaborate
• Examples include social media platforms, blogs, wikis, and online communities. Web 2.0
emphasized user-generated content, social networking, and collective intelligence.
Comparative Overview: Web 1.0, Web 2.0, Web
3.0, Semantic Web, and Cloud Computing
• Web 3.0:
• represents the next phase of internet evolution
• It aims to create a more intelligent and interconnected web by enhancing
data sharing and understanding among machines
• Web 3.0 utilizes technologies like artificial intelligence, natural language
processing, and linked data to enable machines to understand context and
meaning
• This allows for more advanced and personalized user experiences
Comparative Overview: Web 1.0, Web 2.0, Web
3.0, Semantic Web, and Cloud Computing
• Semantic Web:
• Semantic web is closely related to Web 3.0
• It's a concept that involves structuring data on the internet in a way that
allows machines to understand the relationships between various pieces of
information
• It aims to make the web more meaningful and intelligent by enabling
computers to process and interpret data like humans do
• Linked data, ontologies, and RDF (Resource Description Framework) are key
components of the semantic web
Comparative Overview: Web 1.0, Web 2.0, Web
3.0, Semantic Web, and Cloud Computing
• Cloud computing
• Cloud computing refers to the delivery of computing services (such as storage,
processing power, and software) over the internet
• It enables users to access and use resources without the need for owning
physical hardware or infrastructure
• Cloud computing offers scalability, flexibility, and cost-efficiency
• It is categorized into three main service models:
• Infrastructure as a Service (IaaS),
• Platform as a Service (PaaS), and
• Software as a Service (SaaS).
Comparison by parameter (Web 1.0 / Web 2.0 / Web 3.0 / Semantic Web / Cloud Computing)
• Definition - Web 1.0: static, read-only content; Web 2.0: interactive, user-generated content; Web 3.0: intelligent, interconnected web; Semantic Web: structured, meaningful web; Cloud Computing: Internet-based computing services
• User Interaction - Web 1.0: limited or none; Web 2.0: extensive, user-generated content sharing and collaboration; Web 3.0: enhanced personalization, intelligent interactions; Semantic Web: contextual understanding; Cloud Computing: remote access to resources
• Key Features - Web 1.0: information delivery; Web 2.0: social media, blogs, wikis, online communities; Web 3.0: AI, natural language processing, linked data; Semantic Web: data structuring, ontologies, RDF; Cloud Computing: scalability, flexibility
• Focus - Web 1.0: information dissemination; Web 2.0: user-generated content, social networking; Web 3.0: enhanced machine understanding, context awareness; Semantic Web: meaningful data relationships; Cloud Computing: resource delivery over the internet
• AI Integration - Web 1.0: limited; Web 2.0: basic; Web 3.0: advanced AI technologies; Semantic Web: AI for data interpretation; Cloud Computing: AI-powered services
• Data Interpretation - Web 1.0: minimal; Web 2.0: limited AI-based suggestions; Web 3.0: advanced AI-driven context understanding; Semantic Web: enhanced semantic interpretation; Cloud Computing: AI-driven analysis and insights
Comparison by parameter, continued (Web 1.0 / Web 2.0 / Web 3.0 / Semantic Web / Cloud Computing)
• Main Advantage - Web 1.0: information sharing; Web 2.0: collaborative content creation, networking; Web 3.0: intelligent data understanding, personalized experiences; Semantic Web: structured data, meaningful relationships; Cloud Computing: resource scalability, cost-efficiency
• Main Technologies - Web 1.0: HTML, static websites; Web 2.0: social media platforms, blogs, wikis; Web 3.0: AI, NLP, linked data, ontologies; Semantic Web: RDF, OWL, SPARQL; Cloud Computing: virtualization, distributed computing
• User Experience - Web 1.0: limited interaction; Web 2.0: interactive, social networking; Web 3.0: advanced, personalized experiences; Semantic Web: semantic understanding; Cloud Computing: remote resource access, availability
• Examples - Web 1.0: early websites; Web 2.0: Facebook, Wikipedia; Web 3.0: contextual AI assistants, smart searches; Semantic Web: linked data repositories; Cloud Computing: Amazon Web Services, Google Cloud
Historical developments
• 5 core technologies that played an important role in the realization of
cloud computing
• Distributed systems
• Virtualization
• Web 2.0
• Service-oriented computing
• Utility-oriented computing
What is a Distributed System?
• A distributed system is a collection of multiple physically separated servers and data stores, possibly located at different sites worldwide
• These components collaborate and communicate to achieve a common objective, giving the illusion of a single, unified system with powerful computing capabilities
• Distributed servers, databases, software applications and file storage systems can all be distributed systems
• Distributed systems must have a network that connects all components (machines, hardware, or software) together so that they can exchange messages to communicate with each other
Examples of Distributed Systems
• Networks: The internet (World Wide Web) itself
• Telecommunication networks with multiple antennas, amplifiers, and
other networking devices appear as a single system to end-users
• Distributed Real-time Systems
• Airlines use flight control systems
• Uber and Lyft use dispatch systems
• Manufacturing plants use automation control systems
• Logistics and e-commerce companies use real-time tracking systems
• Content Delivery Networks (CDNs) utilize geographically separated
regions to store data locally in order to serve end-users faster
Historical developments - Distributed systems
• Clouds are essentially large distributed computing facilities that make
available their services to third parties on demand
• A distributed system is a collection of independent computers that
appears to its users as a single coherent system:
• composed of multiple independent components
• components are perceived as a single entity by users
Historical developments - Distributed systems
Two general ways that distributed systems function:
• Each machine works toward a common goal and the end-user views
results as one cohesive unit
• Each machine has its own end-user and the distributed system
facilitates sharing resources or communication services
Important functions of distributed computing
• Resource sharing - hardware, software or data that can be shared
• Openness - how easily the system's software can be extended and re-implemented, i.e. how open its interfaces are
• Concurrency - multiple machines can process the same function at the same time
• Scalability - how computing and processing capacity grows when the system is extended to many machines
• Fault tolerance - how easily and quickly failures in parts of the system can be detected and recovered from
• Transparency - how far the system hides the fact that it is distributed: a user or node can locate and communicate with other nodes without needing to know where they physically reside
Historical developments - Virtualization
• Virtualization is another core technology for cloud computing
• It encompasses a collection of solutions allowing the abstraction of
some of the fundamental elements for computing, such as
• hardware, runtime environments, storage, and networking
Historical developments – Web 2.0
• The Web is the primary interface through which cloud computing
delivers its services
• Web 2.0 brings interactivity and flexibility into Web pages
• providing enhanced user experience by gaining Web-based access to all the
functions that are normally found in desktop applications
• These capabilities are obtained by integrating a collection of
standards and technologies such as XML, Asynchronous JavaScript
and XML (AJAX), Web Services, and others
• These technologies allow building applications that leverage the contribution of users, who now become providers of content
Historical developments – Service-oriented
computing
• Service orientation is the core reference model for cloud computing
systems
• Adopts the concept of services as the main building blocks of
application and system development
• Service-oriented computing (SOC) supports:
• the development of rapid, low-cost, flexible, interoperable, and evolvable
applications and systems
Historical developments – Service-oriented
computing - [Service]
• Virtually any piece of code that performs a task can be turned into a
service and expose its functionalities through a network-accessible
protocol
• A service is supposed to be:
• loosely coupled, reusable,
• programming language independent, and
• location transparent
• Loose coupling allows services to serve different scenarios more easily and
makes them reusable
• Independence from a specific platform increases the accessibility of services
• Services are composed and aggregated into a service-oriented architecture
(SOA)
Historical developments – Service-oriented
computing
• Service-oriented computing introduces and diffuses two important
concepts, which are also fundamental to cloud computing:
• Quality of service (QoS)
• identifies a set of functional and nonfunctional attributes that can be used to evaluate
the behavior of a service from different perspectives
• Software-as-a-Service (SaaS)
• delivery model for applications
Historical developments: Utility-oriented
computing
• Utility computing is a vision of computing that defines a service-
provisioning model for compute services in which resources such as
storage, compute power, applications, and infrastructure are
packaged and offered on a pay-per-use basis
Building cloud computing environments
• The creation of cloud computing environments encompasses both the
development of applications and systems that leverage cloud
computing solutions and the creation of frameworks, platforms, and
infrastructures delivering cloud computing services
• Application development,
• Infrastructure and system development,
• Computing platforms and technologies
Building cloud computing environments -
Application development
• Applications that leverage cloud computing benefit from its capability
to dynamically scale on demand
• Web applications
• Resource-intensive applications
Building cloud computing environments -
Application development
• Web applications
• Enterprise applications that now leverage the Internet as the preferred
channel for service delivery and user interaction
• An enterprise application (EA) is a business software system that orchestrates
a specific operation
• Accounting and Billing
• Business Intelligence
• Customer Relationship Management
• Enterprise Content Management, Point-of-Sale Software
Building cloud computing environments -
Application development
• Resource-intensive applications
• By resource-intensive software we mean program code that makes heavy use of multiprocessor systems and large amounts of memory
• Either data intensive or compute-intensive applications
• In both cases, considerable amounts of resources are required to complete execution in
a reasonable timeframe
• These large amounts of resources are not needed constantly or for a long
duration
• Example: Scientific applications can require huge computing capacity to
perform large-scale experiments once in a while, so it is not feasible to buy
the infrastructure supporting them
• In this case, cloud computing can be the solution
Building cloud computing environments -
Application development
• Cloud computing provides a solution for on-demand and dynamic
scaling across the entire stack of computing
• This is achieved by –
• providing methods for renting compute power, storage, and networking
• offering runtime environments designed for scalability and dynamic sizing
• providing application services that mimic the behavior of desktop
applications but that are completely hosted and managed on the provider
side
• All these capabilities leverage service orientation, which allows a simple and
seamless integration into existing systems
Building cloud computing environments -
Infrastructure and system development
• Objective: to understand the technologies used in infrastructure and system development
• Distributed computing is a foundational model for cloud computing because
cloud systems are distributed systems
• Web 2.0 technologies constitute the interface through which cloud
computing services are delivered, managed, and provisioned
• Service orientation is the underlying paradigm that defines the architecture
of a cloud computing system
• Virtualization
Building cloud computing environments -
Computing platforms and technologies
• Development of a cloud computing application happens by leveraging
platforms and frameworks that provide different types of services,
from the bare-metal infrastructure to customizable applications
serving specific purposes
• Amazon web services (AWS)
• Google AppEngine is a scalable runtime environment mostly devoted to
executing Web applications
• Microsoft Azure is a cloud operating system and a platform for developing
applications in the cloud
• Force.com - for developing social enterprise applications
• The platform is the basis for SalesForce.com, a Software-as-a-Service solution for
customer relationship management
Topic 2 – Virtualization Technologies –
Hosted Architecture,
Bare-Metal (Hypervisor) Architecture
Virtualization Technologies
[Virtual Infrastructure]
• It provides a layer of abstraction between the computing, storage and networking hardware and the applications running on it
Virtualization Technologies
• Before Virtualization
• Single OS image per machine
• Software and hardware tightly coupled
• Running multiple applications on the same machine leads to conflicts
• Underutilized resources
• Inflexible and costly infrastructure
• After Virtualization
• Hardware-independence of operating system and applications
• Virtual machines can be provisioned to any system
• Can manage OS and application as a single unit by encapsulating them into virtual machines (VMs)
Virtualization Technologies- Key benefit
• Ability to run multiple operating systems on a single physical system
and
• Share the underlying hardware resources – known as partitioning
VMWare - Virtualization Overview
Virtualization Technologies
• Software-based partitioning
• Hosted architecture
• A hosted approach provides partitioning services on top of a standard
operating system
• Hypervisor architecture
• The first layer of software installed on a clean x86-based system
• It is often referred to as a “bare metal” approach
• It has direct access to the hardware resources
• A bare-metal hypervisor is generally more efficient than a hosted architecture, enabling greater scalability, robustness and performance
Virtualization Technologies
• Hosted Architecture (Type 2 Hypervisor)
• Installs and runs as an application
• Relies on the host OS for device support and physical resource management
• Bare-Metal (Hypervisor) Architecture (Type 1 Hypervisor, Native)
• Lean virtualization-centric kernel
• Service Console for agents and helper applications
Virtualization Technologies
• Hosted Architecture (Type 2 Hypervisor)
• Oracle VM VirtualBox: cross-platform, i.e. it installs on Windows, Linux, Mac OS X and Solaris x86 computers
• Bare-Metal (Hypervisor) Architecture (Type 1 Hypervisor, Native)
• VMware vSphere ESXi (ESX: Elastic Sky X); vSphere Hypervisor is a bare-metal hypervisor
• XenServer runs directly on server hardware without requiring an underlying operating system
• Oracle VM: Oracle VM Server can be installed on either x86 or SPARC hardware platforms
Topic – 2
• Virtualization Technologies –
• Hosted Architecture,
• Bare-Metal (Hypervisor) Architecture
• Characteristics of Virtualization
• Virtual Appliances: Components and Benefits
• Types of Virtualization
Virtualization
• Already discussed Virtualization, Type 1, Type 2
• Virtualization
• Assigns a logical name for a physical resource
• Provides a pointer to that physical resource when a request is made
Transforms farms of individual x86 servers, storage, and networking into a pool of computing resources
VMWare - Virtualization Overview
Virtualization
• Key enabler of the following attributes of cloud computing
• Service-based:
• A service-based architecture is where clients are abstracted from service
providers through service interfaces
• Scalable and elastic:
• Services can be altered to affect capacity and performance on demand
• Shared services:
• Resources are pooled in order to create greater efficiencies.
Virtualization Technologies
• Virtual Machine
• A representation of a real machine using software that provides an operating
environment which can run or host a guest OS
• Guest OS
• An OS running in a virtual machine environment
• Virtual Machine Monitor
• Software that runs in a layer between a hypervisor or host OS and one or more VMs
A brief history of virtualization
• Batch processing - routine tasks
• A predefined sequence of commands, programs and data is submitted as a single unit (a job)
• Several jobs are held in memory and executed one after another without manual intervention
• First-come, first-served (FCFS) processing
• Time-sharing - isolates users from each other within the OS
• This line of work led to operating systems such as UNIX and, later, Linux
A brief history of virtualization
• 1990s
• Most enterprises had physical servers and single-vendor IT stack
• That didn’t allow legacy apps to run on a different vendor’s hardware
• As companies updated their IT environments with less-expensive commodity
servers:
• OS, and applications from a variety of vendors were bound to underused physical hardware
• Each server could only run 1 vendor-specific task
• Virtualization - Solution to 2 problems:
• Companies could partition their servers and
• Run legacy apps on multiple OS
• Servers started being used more efficiently
• Reducing the costs associated with purchase, set up, cooling, and maintenance
Characteristics of virtualized environments
• Increased security
• Managed Execution
• sharing, aggregation, emulation, and isolation
• Portability
Characteristics of virtualized environments
• Increased security:
• The ability to control the execution of a guest in a completely transparent manner opens new possibilities for delivering a secure, controlled execution environment
• All operations of the guest are performed against the virtual machine, which translates and applies them to the host
• This level of indirection lets the virtual machine manager control and filter the guest's activity, preventing some harmful operations from being performed
• The guarantee is only as strong as the virtualization layer itself: a bug in the hypervisor or in its device emulation that lets a guest act directly on the host (a VM escape) removes this boundary, so the hypervisor is a high-value target and must be patched like any other trusted component
Characteristics of virtualized environments
• Managed execution:
• sharing,
• aggregation,
• emulation,
• isolation
Functions enabled by managed execution
Characteristics of virtualized environments
• Managed execution: Sharing
• Virtualization allows the creation of separate computing environments within the same host
Characteristics of virtualized environments
• Managed execution: Aggregation
• A group of separate hosts can be tied together and represented to
guests as a single virtual host
• This function is naturally implemented in middleware for
distributed computing
• With a classical example represented by cluster management
software, which harnesses the physical resources of a homogeneous
group of machines and represents them as a single resource
Characteristics of virtualized environments
• Managed execution: Emulation
• Emulation, in a software context, is the use of an application program
or device to imitate the behavior of another program or device.
• Guest programs are executed within an environment that is controlled by the
virtualization layer, which ultimately is a program
• This allows for controlling and tuning the environment that is exposed to guests
• For instance, a completely different environment with respect to the host can
be emulated, thus allowing the execution of guest programs requiring specific
characteristics that are not present in the physical host
Characteristics of virtualized environments
• Managed execution: Isolation
• Virtualization allows providing guests with a completely separate
environment, in which they are executed
• —whether they are operating systems, applications, or other entities
• Isolation brings several benefits;
• It allows multiple guests to run on the same host without interfering with each other
• It provides a separation between the host and the guest
• The virtual machine can filter the activity of the guest and prevent harmful operations
against the host
Characteristics of virtualized environments
• Portability
• It allows having your own system always with you and ready to use as long as
the required virtual machine manager is available
• In the case of a hardware virtualization solution:
• The guest is packaged into a virtual image that, in most cases, can be safely moved to and executed on a different host
• Except for the file size, this happens with the same simplicity with which we can display a
picture image in different computers.
• Virtual images are generally proprietary formats that require a specific virtual machine
manager to be executed
Layers, top to bottom: ISA, Microarchitecture, Processor (CPU)
ISA - Instruction Set Architecture
• The ISA specifies what the processor is capable of doing
• To command the computer you need to speak its language: the instructions are the words of the computer's language and the instruction set is its vocabulary
• Unless you know that vocabulary well, you cannot get the full benefit out of the machine
ISA - Instruction Set Architecture
• The instruction set architecture is the specification of what the computer can do; the machine has to be fabricated so that it executes whatever the ISA specifies
• The only way to talk to the machine is through the ISA
• The ISA defines the set of instructions the processor can execute, as well as the format of the data passed between the processor and memory
ISA - Instruction Set Architecture
• The ISA specifies what the processor is capable of doing
• An Instruction Set Architecture (ISA) is part of the abstract model of a
computer that defines how the CPU is controlled by the software
• The ISA acts as an interface between the hardware and the software,
specifying both what the processor is capable of doing as well as how
it gets done
• The ISA provides the only way through which a user is able to interact
with the hardware
ISA - Instruction Set Architecture
• An ISA contains
• the functional definition of storage locations (registers, memory) &
operations (add, multiply, branch, load, store, etc)
• precise description of how to invoke & access them
• ISA does not contain non-functional aspects
• How operations are implemented
• Which operations are fast and which are slow
• Which operations take more power and which take less
• Instructions are bit-patterns. Hardware interprets as commands
ISA - Instruction Set Architecture
• An ISA contains:
• the functional definition of storage locations (registers, memory) & operations (add, multiply, branch, load, store, etc)
• precise description of how to invoke & access them
• What instructions are available?
• What addressing modes are available?
• What is the format of data?
• How many and what kind of registers are available? (see the x86 registers below)
• What condition codes, if any, are defined?
• How are exceptions handled?
• How are interrupts handled?
• ISA does not contain non-functional aspects:
• How operations are implemented
• Which operations are fast and which are slow
• Which operations take more power and which take less
• What are procedure calling conventions?
• What are cache replacement policies?
• What happens on a page fault?
ISA - Instruction Set Architecture
• The ISA defines:
• the supported data types,
• the registers,
• how the hardware manages main memory,
• key features (such as virtual memory),
• which instructions a microprocessor can execute, and
• the input/output model of a family of implementations of the ISA
• The ISA can be extended by adding instructions or other capabilities,
or by adding support for larger addresses and data values
The microarchitectural level lies just below the ISA level and is therefore concerned with the implementation of the basic operations that the computer must support, as defined by the ISA
Examples of ISAs include
• x86:
• The x86 ISA is used by most personal computers and servers.
• ARM:
• The ARM ISA is used in most mobile devices and embedded systems.
• RISC-V:
• RISC-V is an open standard ISA, free to implement without a licence, that is gaining popularity in a variety of applications.
x86 Architecture
• The Intel x86 processor family uses a complex instruction set computer (CISC) architecture
• x86 is an instruction set architecture, i.e. the machine language executed by a family of compatible microprocessors
x86 Architecture - Registers
• The x86 architecture consists of the following unprivileged integer registers (32-bit names; in 64-bit mode the same registers are widened to rax, rbx, etc. and eight more, r8 to r15, are added)
eax Accumulator
ebx Base register
ecx Counter register
edx Data register - can be used for I/O port
access and arithmetic functions
esi Source index register
edi Destination index register
ebp Base pointer register
esp Stack pointer
X86 Architecture - Data Types
• byte: 8 bits
• word: 16 bits
• dword: 32 bits
• qword: 64 bits (includes floating-point doubles)
• tword: 80 bits (includes floating-point extended doubles)
• oword: 128 bits
x86 Architecture - Flags
• These are single-bit fields of the flags register (iopl is two bits) and have a variety of uses
• For each flag: code, name, meaning of value 0 and value 1 (the two-letter debugger status mnemonics in brackets)
• of - Overflow Flag: 0 = no overflow (nv), 1 = overflow (ov)
• df - Direction Flag: 0 = direction up (up), 1 = direction down (dn)
• if - Interrupt Flag: 0 = interrupts disabled (di), 1 = interrupts enabled (ei)
• sf - Sign Flag: 0 = positive or zero (pl), 1 = negative (ng)
• zf - Zero Flag: 0 = nonzero (nz), 1 = zero (zr)
• af - Auxiliary Carry Flag: 0 = no auxiliary carry (na), 1 = auxiliary carry (ac)
• pf - Parity Flag: 0 = parity odd (po), 1 = parity even (pe)
• cf - Carry Flag: 0 = no carry (nc), 1 = carry (cy)
• tf - Trap Flag: if tf equals 1, the processor raises a single-step exception (STATUS_SINGLE_STEP on Windows) after executing one instruction. Debuggers use it to implement single-step tracing; other applications should not use it
• iopl - I/O Privilege Level: a two-bit integer with values from 0 to 3, used by the operating system to control access to hardware. Applications should not use it
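The status flags in the table are set by the arithmetic instructions according to fixed rules, and conditional jumps only ever test those flags. The added example below (not code from the original slides; it models the rules in Python, no real CPU is involved) computes cf, zf, sf, of, af and pf for `add` and `sub`/`cmp` on operands of a chosen width, and then shows the two comparisons a reverse engineer has to keep apart: `jb` tests cf alone (unsigned below) while `jl` tests sf != of (signed less). The same `cmp` of 0x80 against 0x01 is "not below" unsigned and "less" signed, which is exactly the mismatch behind many signed/unsigned length-check bugs.

```python
"""Compute the x86 arithmetic flags for ADD and SUB, as listed in the table above.

Added illustration for these notes, not code from the original slides; it
models the flag rules only, no real CPU is involved.
"""
from typing import Dict


def _common_flags(a: int, b: int, result: int, bits: int) -> Dict[str, int]:
    """Flags whose rule is the same for addition and subtraction."""
    sign = 1 << (bits - 1)
    return {
        "result": result,
        "zf": int(result == 0),                             # zero flag
        "sf": int(bool(result & sign)),                     # sign flag: top bit of result
        "af": int(bool((a ^ b ^ result) & 0x10)),           # carry/borrow out of bit 3
        "pf": int(bin(result & 0xFF).count("1") % 2 == 0),  # even parity of the low byte
    }


def add_flags(a: int, b: int, bits: int = 8) -> Dict[str, int]:
    """Flags after `add a, b` on `bits`-wide operands."""
    mask = (1 << bits) - 1
    sign = 1 << (bits - 1)
    a, b = a & mask, b & mask
    result = (a + b) & mask
    flags = _common_flags(a, b, result, bits)
    flags["cf"] = int(a + b > mask)                         # unsigned carry out of the top bit
    # Signed overflow: both operands had the same sign and the result has the other one.
    flags["of"] = int(bool(~(a ^ b) & (a ^ result) & sign))
    return flags


def sub_flags(a: int, b: int, bits: int = 8) -> Dict[str, int]:
    """Flags after `sub a, b`, which is also what `cmp a, b` sets."""
    mask = (1 << bits) - 1
    sign = 1 << (bits - 1)
    a, b = a & mask, b & mask
    result = (a - b) & mask
    flags = _common_flags(a, b, result, bits)
    flags["cf"] = int(a < b)                                # unsigned borrow
    # Signed overflow: operands had different signs and the result's sign differs from a's.
    flags["of"] = int(bool((a ^ b) & (a ^ result) & sign))
    return flags


def unsigned_below(a: int, b: int, bits: int = 8) -> bool:
    """Condition tested by `jb`/`jc` after `cmp a, b`: CF == 1."""
    return sub_flags(a, b, bits)["cf"] == 1


def signed_less(a: int, b: int, bits: int = 8) -> bool:
    """Condition tested by `jl` after `cmp a, b`: SF != OF."""
    f = sub_flags(a, b, bits)
    return f["sf"] != f["of"]


if __name__ == "__main__":
    print("add 0x7F, 0x01 ->", add_flags(0x7F, 0x01))   # signed overflow, no carry
    print("add 0xFF, 0x01 ->", add_flags(0xFF, 0x01))   # carry and zero, no signed overflow
    print("cmp 0x80, 0x01 -> jb taken:", unsigned_below(0x80, 0x01),
          " jl taken:", signed_less(0x80, 0x01))
```

When reading a bounds check in disassembly, the jump mnemonic (`jb`/`jae` versus `jl`/`jge`) tells you which interpretation the compiler chose, and the flag rules above tell you which inputs slip past it.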
Microarchitecture
• A microarchitecture is a concrete (real) implementation of an ISA
• Micro-architecture includes things like:
• Pipeline length and layout
• Number and sizes of caches
• Cycle counts for individual instructions
• Which optional features are implemented
• The microarchitecture of a processor is the design of the processor at
the lowest level
• It describes how the processor's components are interconnected and
how they operate
Microarchitecture
• The microarchitecture of a machine is usually represented as
diagrams
• that describe the interconnections of the various microarchitectural elements
of the machine,
• which may be anything from single gates and registers, to complete arithmetic logic units
(ALUs) and even larger elements.
Diagram of the Intel Core 2 microarchitecture
Microarchitecture
• The microarchitecture of a processor is designed to implement a particular ISA
• Same ISA can be implemented with different microarchitectures
• For example, the x86 ISA has been implemented by many different companies
over the years, each with its own unique microarchitecture
Cortex-A53 and Cortex-A72 are both implementations of the Armv8-A architecture. This means that they have the same architecture, but they have very different micro-architectures
Cortex-A53 versus Cortex-A72
• Target - Cortex-A53: optimized for power efficiency; Cortex-A72: optimized for performance
• Pipeline - Cortex-A53: 8 stages, in-order; Cortex-A72: 15+ stages, out-of-order
• Caches - Cortex-A53: L1 I cache 8KB-64KB, L1 D cache 8KB-64KB, L2 cache optional, up to 2MB; Cortex-A72: L1 I cache 48KB fixed, L1 D cache 32KB fixed, L2 cache mandatory, up to 2MB
Microarchitecture
• The components of a microarchitecture are the fundamental building
blocks of a processor. They include:
• Arithmetic logic unit (ALU):
• The ALU performs arithmetic and logical operations on data.
• Control unit:
• The control unit reads instructions from memory and controls the execution of those
instructions.
• Register file:
• The register file stores temporary data that is being used by the processor.
• Cache:
• The cache stores frequently accessed data to improve the performance of the processor.
Microarchitecture
• Other components of a microarchitecture may include:
• Branch prediction unit:
• The branch prediction unit predicts whether a conditional branch will be taken and where it will go. This improves performance by letting the processor fetch and speculatively execute the predicted path before the branch is resolved; that same speculative execution of a mispredicted path is what the Spectre class of side-channel attacks exploits.
• Out-of-order execution unit:
• The out-of-order execution unit allows the processor to execute instructions
in any order, regardless of the order in which they appear in the program. This
can improve performance for certain types of applications.
Processor
• known as a central processing unit (CPU)
• Processor is the physical implementation of a microarchitecture
• It is the chip that is installed in a computer and that executes instructions
• It is responsible for executing instructions and processing data
Processor
• The processor includes all of the components of the microarchitecture,
as well as other components such as:
• Memory controller:
• The memory controller manages the flow of data between the processor and memory
• Input/output (I/O) controller:
• The I/O controller manages the flow of data between the processor and peripheral devices
such as disks, networks, and displays
Examples of Processors
• Intel Core i7
• The Intel Core i7 is a high-performance processor that is used in desktop
computers and servers.
• AMD Ryzen 7
• The AMD Ryzen 7 is a high-performance processor that is used in desktop
computers and servers
• Apple M1
• The Apple M1 is a high-performance processor that is used in Apple Mac
computers
https://cs.lmu.edu/~ray/notes/cpu/
Intel Processors (Architecture / Microarchitecture / Processors)
• IA-32 / P6 / Pentium Pro, Pentium II, Pentium III
• IA-32 / Pentium M / Pentium M
• IA-32 / Enhanced Pentium M / Core Solo, Core Duo, Xeon LV
• IA-32 / NetBurst / Pentium 4, Pentium 4F
• x86-64 (Intel 64) / NetBurst / Pentium 4F, Pentium D, Pentium Extreme Edition, Xeon 5000, Xeon 7100
• Intel 64 / Intel Core / Pentium Dual Core, Core 2 Duo, Core 2 Quad, Core 2 Extreme
• Intel 64 / Nehalem, Sandy Bridge, Ivy Bridge / Core i3, Core i5, Core i7
Difference between the microarchitecture
and the processor
• Microarchitecture:
• The microarchitecture of a processor defines how the processor's
components are interconnected and how they operate
• For example, the microarchitecture may define whether the processor has a
pipeline, a cache, and a branch prediction unit.
• Processor:
• The processor is the physical implementation of the microarchitecture
• For example, the processor may be a quad-core processor with a 64-bit
architecture and a 3 MB cache.
Relationship between ISA, microarchitecture,
and processor
• The ISA defines the set of instructions that the processor can execute,
and the microarchitecture is how the processor is designed to execute
those instructions
• The processor is the physical implementation of the microarchitecture
• ISA is the what
• Microarchitecture is the how
• How the ISA is implemented
• Processor is the physical embodiment of the how
Relationship between ISA, microarchitecture,
and processor
• ISA (instruction set architecture) or “architecture”
• the set of instructions supported by a processor
• Microarchitecture concepts deal with how the ISA is implemented
• concepts such as instruction pipelining, branch prediction, out of order
execution are all employed to achieve an efficient realization of the ISA
• Example:
• ARMv7 architecture refers to a particular ISA
• On the other hand, the term core refers to an implementation of ISA using a
microarchitecture
• The ARM Cortex-A5 core is an implementation of the ARMv7-A ISA using a particular
microarchitecture
Relationship between ISA, microarchitecture,
and processor
• Different processors may support the same ISA but have different
microarchitectures
• Example
• Intel and AMD both implement the x86 ISA using different microarchitectures
• x86 is a CISC architecture, while ARM (Advanced RISC Machines) is a RISC
architecture
API and ABI
Application Programming Interface
• The highest level of abstraction is represented by the application
programming interface (API), which interfaces applications to libraries and/or
the underlying operating system
• For any operation requested at the application level, the API, ABI and ISA
together are responsible for making it happen
API - Application Programming
Interface
• An application programming interface (API) is a set of rules and specifications
that define how computers communicate with each other
• It is a way for two or more software programs to interact with each other
and exchange data
• APIs are used in a wide variety of applications, including websites, mobile
apps, and enterprise software
How APIs work?
• APIs work by providing a way for software programs to make requests and
receive responses from each other
• The request typically includes a set of parameters, such as the type of
data being requested or the action that needs to be performed
• The response includes the requested data or the results of the requested
action
How APIs work?
• APIs can be implemented in a variety of ways, but they typically use a
standard communication protocol – HTTP, RPC, etc.
• These protocols provide a common way for software programs to
communicate with each other, regardless of the programming language or
operating system they are using
Example: Google Drive API
Examples of APIs
• Google Maps API: allows developers to embed Google Maps into their own websites
and applications.
• Twitter API: allows developers to access Twitter data and functionality, such as
posting tweets, getting user information, and searching for tweets.
• Facebook API: allows developers to access Facebook data and functionality, such as
posting to user walls, getting friend information, and sending messages.
• Payment processing APIs: allow developers to accept payments through their websites
and applications.
• Weather APIs: allow developers to get weather data for specific locations.
Practical examples of API implementations
and uses
• When you use a weather app on your phone,
• the app uses an API to get the weather data from a weather service
• When you book a flight online,
• the website uses an API to communicate with the airline's reservation system
• When you use a social media app to log in with your Google account,
• the app uses an API to authenticate your login with Google
• When you use a ride-sharing app to request a ride,
• the app uses an API to communicate with the ride-sharing company's dispatch
system
Some common types of APIs
• Public APIs
• These APIs are available to anyone who wants to use them
• They are often used by developers to build new products and services
• Examples include the Google Maps API, the Twitter API, and the Facebook API.
• Partner APIs
• These APIs are only available to a select group of people, such as employees
of a company or its partners
• They are often used to integrate different systems within a company or to
provide access to data and functionality to partners
• Examples include the Salesforce API and the HubSpot API
Some common types of APIs
• Internal APIs
• These APIs are only available to employees of a company
• They are often used to integrate different systems within a company or to
provide access to data and functionality to employees
• Examples include the Netflix API and the Amazon internal APIs
APIs can also be classified based on
their architecture
• Monolithic APIs
• These APIs are designed as a single, coherent codebase that provides access to
a complex data source
• Microservices APIs
• These APIs are designed as a set of loosely coupled services that each perform a
specific task
• Composite APIs
• These APIs combine multiple APIs into a single interface
APIs can also be classified based on the
communication protocol they use
• REST APIs [representational state transfer architectural style]
• SOAP APIs [Simple Object Access Protocol]
• RPC APIs [Remote Procedure Call]
APIs can also be classified based on the
communication protocol they use
• REST APIs [representational state transfer architectural style]
• These APIs use the HTTP protocol to communicate with a server
• REST APIs are designed to be simple, flexible, and scalable.
• SOAP APIs [Simple Object Access Protocol ]
• These APIs use SOAP to communicate with a server
• SOAP APIs are more complex than REST APIs, but they offer more features,
such as support for transactions and security
• SOAP is often used for enterprise applications
APIs can also be classified based on the
communication protocol they use
• RPC APIs [Remote Procedure Call ]
• These APIs use RPC protocol to communicate with a server
• RPC APIs are designed to be efficient, but they are less flexible than REST APIs
• RPC is often used for high-performance applications
Benefits of using APIs
• Abstraction
• APIs provide a layer of abstraction between applications and libraries
• This means that applications do not need to know the underlying implementation details
of the libraries they are using
• This can make applications more robust and easier to maintain
• Modularity
• APIs allow applications to be built in a modular way
• This means that applications can be composed of different modules that each perform a
specific task
• This can make applications more scalable and easier to develop
Benefits of using APIs
• Interoperability
• APIs allow applications to interoperate with each other
• This means that applications can communicate with each other and share
data
• This can make it possible to build complex applications that are composed
of multiple different applications
Libraries
• A library in computer science is a collection of pre-written code that
can be used by programmers to develop software
• Libraries typically contain functions, classes, and other data structures
that can be used to perform common tasks, such as reading and
writing files, manipulating data, and communicating with networks
• A library is a collection of code that is shared between different
programs
• Libraries can be defined in the source code of a program, or they can
be compiled into separate files that can be linked to a program at
runtime
Examples of libraries
• The C standard library
• provides functions for performing common tasks such as memory management,
input/output, and mathematical operations.
• The Java standard library
• provides a wide variety of functions and classes for developing Java applications
• The Python standard library
• provides a wide variety of functions and modules for developing Python
applications
Application Binary Interface (ABI)
• ABI separates the operating system layer from the applications and libraries,
which are managed by the OS
• ABI covers details such as low-level data types, alignment, and call conventions
and defines a format for executable programs
• System calls are defined at this level
• API: "Here are all the functions you may call."
• ABI: "This is how to call a function."
Application Binary Interface (ABI)
• ABI defines how to access data structures or computational routines
in a low-level, hardware-dependent format, machine code
• ABIs are typically used to define the interaction between different
programs, or between programs and the operating system
• ABIs typically define things like:
• The calling conventions for functions, such as the order of arguments and the
return value
• The layout of data structures in memory
• The way that programs interact with the operating system, such as how to
request system resources or handle interrupts
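The data-layout rules listed above can be checked directly from C. The following is an added example, not the lecture's code and not any platform's official ABI definition: the struct names and field values are constructed for the demo, and the packed variant relies on the GCC/clang `__attribute__((packed))` extension. It shows the alignment padding the platform ABI inserts into a struct, and what a consumer reads when the producer was built with a different layout of the same fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed demo types (not from the lecture). The same three fields are
 * declared twice: once with the platform ABI's natural alignment and once
 * packed, as two programs built with different compiler settings might do. */
struct msg_natural {
    uint8_t  type;    /* offset 0 */
    uint32_t length;  /* ABI aligns a 4-byte int to 4: offset 4, 3 padding bytes before it */
    uint16_t flags;   /* offset 8, then 2 trailing padding bytes so sizeof is a multiple of 4 */
};

struct msg_packed {   /* same fields, no padding (GCC/clang extension) */
    uint8_t  type;
    uint32_t length;
    uint16_t flags;
} __attribute__((packed));

size_t natural_size(void)          { return sizeof(struct msg_natural); }   /* 12 on x86/x86-64/ARM */
size_t natural_offset_length(void) { return offsetof(struct msg_natural, length); }  /* 4 */
size_t natural_offset_flags(void)  { return offsetof(struct msg_natural, flags); }   /* 8 */
size_t packed_size(void)           { return sizeof(struct msg_packed); }    /* 7 */

/* What goes wrong when two sides disagree on the layout: the producer writes the
 * packed form into a buffer, the consumer reads that buffer as the natural form.
 * Returns the consumer's (wrong) view of `length`. */
uint32_t misread_length(void) {
    struct msg_packed produced = { .type = 1, .length = 0x11223344u, .flags = 0x5566u };
    unsigned char buf[sizeof produced];
    memcpy(buf, &produced, sizeof produced);

    struct msg_natural consumed;
    memset(&consumed, 0, sizeof consumed);
    memcpy(&consumed, buf, sizeof buf);   /* 7 bytes land in a 12-byte struct */
    return consumed.length;               /* reads bytes 4..7 of the buffer, not the real field */
}

/* The robust alternative: agree on a byte-level wire format and decode it
 * explicitly instead of relying on in-memory struct layout. */
uint32_t decode_length(const unsigned char *wire) {
    /* length occupies wire bytes 1..4, little-endian by convention */
    return (uint32_t)wire[1] | ((uint32_t)wire[2] << 8) |
           ((uint32_t)wire[3] << 16) | ((uint32_t)wire[4] << 24);
}

uint32_t decode_length_demo(void) {
    /* constructed 7-byte frame: type=1, length=0x11223344, flags=0x5566 */
    const unsigned char wire[7] = { 0x01, 0x44, 0x33, 0x22, 0x11, 0x66, 0x55 };
    return decode_length(wire);
}
```

The point for anyone sharing memory or files between programs: a struct is only a valid interchange format when both sides were compiled against the same ABI; otherwise every field after the first padding byte is read from the wrong place, which is why explicit serialization is the safer design.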
Application Binary Interface (ABI)
Examples of ABIs:
• The x86-64 ABI is a standard ABI for the x86-64 architecture
• It is used by most operating systems that run on x86-64 processors, such as
Linux, macOS, and Windows
• The ARM ABI is a standard ABI for the ARM architecture
• It is used by most operating systems that run on ARM processors, such as
Android and iOS
• The Java Virtual Machine (JVM) ABI is a standard ABI for Java
applications
• It allows Java applications to run on a variety of different platforms, such as
Linux, macOS, and Windows
ABI conventions depend on two main things
1. The Instruction Set Architecture (ISA) — mainly for calling
conventions
2. The operating system (OS) being used — system calls, runtime
libraries, etc.
• This dual dependency is why code compiled for Windows won’t work
on an OS X machine, even though they might use the same CPU with
the same ISA.
Examples of how the ABI is used in operating
system software
• When a program makes a system call, the ABI defines how the operating
system should handle the system call.
• When a program accesses a library function, the ABI defines how the
program should call the function and how the function should return its
results.
• When a program communicates with another program over a network,
the ABI defines how the program should format the messages and how it
should interpret the messages received from the other program.
API and ABI
• API
• API defines the order in which we pass arguments to a function
• API defines which functions are part of your library
• ABI
• ABI defines the mechanics of how these arguments are passed (registers, stack, etc.)
• ABI defines how your code is stored inside the library file, so that any program
using the library can locate the desired function and execute it
System Call and ABI
• System calls are a way for programs to request services from the
operating system
• They allow programs to perform tasks such as
• reading and writing files,
• creating and managing processes, and
• communicating with other devices
• ABI defines how programs should make system calls
• ABI specifies the calling conventions for system calls, such as
the number and order of arguments, and the return value
System Call and ABI
• ABI specifies how the operating system should handle system calls,
such as
• how to validate the arguments
• how to return the results
System Call and ABI - Example
1. A program calls the open() system call to open a file.
2. The ABI specifies the calling conventions for the open() system call, such
as the number and order of arguments.
3. The operating system validates the arguments to the open() system call.
4. The operating system opens the file and returns a file descriptor to the
program.
5. The ABI specifies how the operating system should return the file
descriptor.
❖ The program can then use the file descriptor to read and write data to the
file.
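The five steps above, carried out by a user-space program. This is an added example rather than the lecture's code: the helpers raw_open(), open_read_demo() and open_missing_demo() are constructed for the demo, the file path and its contents are constructed, and the raw syscall(SYS_openat, ...) path assumes Linux (on other systems the code falls back to the libc open() wrapper).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Constructed demo helper. raw_open() bypasses the libc open() wrapper and
 * uses the kernel entry point the ABI defines: on Linux the call number is
 * SYS_openat and the arguments are passed in the order (dirfd, path, flags, mode).
 * Elsewhere we fall back to the libc wrapper, which hides that OS-specific detail. */
static long raw_open(const char *path, int flags, int mode) {
#if defined(__linux__) && defined(SYS_openat)
    return syscall(SYS_openat, AT_FDCWD, path, flags, mode);
#else
    return open(path, flags, mode);
#endif
}

/* Steps 1-5 of the slide: make the call in ABI order, let the kernel validate the
 * arguments, receive the file descriptor by the ABI's return convention, use it.
 * Returns the number of bytes read back, -1 on failure, -2 if the bytes differ. */
long open_read_demo(const char *path) {
    static const char sample[] = "constructed sample text\n";   /* constructed input */
    char buf[64];

    int wfd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);     /* create the test file */
    if (wfd < 0) return -1;
    if (write(wfd, sample, sizeof sample - 1) != (ssize_t)(sizeof sample - 1)) {
        close(wfd);
        return -1;
    }
    close(wfd);

    long fd = raw_open(path, O_RDONLY, 0);   /* steps 1-2: the call, arguments in ABI order */
    if (fd < 0) return -1;                   /* step 3: kernel rejected the arguments; errno says why */

    ssize_t n = read((int)fd, buf, sizeof buf - 1);   /* steps 4-5: the returned fd is usable */
    close((int)fd);
    unlink(path);
    if (n < 0) return -1;
    buf[n] = '\0';
    return strcmp(buf, sample) == 0 ? (long)n : -2;
}

/* The rejection path: the kernel validates the path, finds nothing, and the
 * wrapper reports -1 with errno == ENOENT. Returns 1 when that is what happens. */
int open_missing_demo(void) {
    long fd = raw_open("/nonexistent-constructed-dir/missing.txt", O_RDONLY, 0);
    return (fd < 0 && errno == ENOENT) ? 1 : 0;
}
```

The return convention is the part worth noticing: the kernel hands back either a small non-negative integer (the descriptor) or an error, and the libc wrapper turns the error into -1 plus errno. Programs that skip the check on that return value and use the "descriptor" anyway are a classic source of bugs, because the ABI gives no other signal that validation failed.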
ABI calling conventions
• ABI calling conventions are a set of rules that define:
• how functions are called and
• how arguments are passed and returned
• They are important for ensuring compatibility between different
programs and libraries
• There are many different ABI calling conventions, but they all share
some common features. For example, most ABIs define the following:
• The order in which arguments are passed to a function
• Whether arguments are passed on the stack, in registers, or a mix of both
• Which registers are used to return the results of a function
• Who is responsible for cleaning up the stack after a function call
Common ABI calling conventions
• Cdecl
• used by most C and C++ compilers
• It passes arguments on the stack & returns the result in the EAX register
• Stdcall
• used by most Windows APIs
• It passes arguments on the stack & returns the result in the EAX register
• The caller is responsible for cleaning up the stack after the function call
• Fastcall
• This is a calling convention that is designed for performance
• It passes the first few arguments in registers & the remaining arguments on the stack
• The caller is also responsible for cleaning up the stack after the function call
ABI calling conventions
• ABI calling conventions used by a particular program or library are typically
defined in the documentation for that program or library
• It is important to use the correct calling conventions when calling functions, as
otherwise the program may crash or produce unexpected results
Examples of how ABI calling conventions are
used in practice:
• When a program calls a library function,
• the ABI calling conventions define how the program should pass the
arguments to the function and how the function should return the result
• When a program makes a system call,
• the ABI calling conventions define how the program should call the system
call and how the operating system should handle the system call
• When a program communicates with another program over a
network,
• the ABI calling conventions may be used to define how the programs should
format the messages and how they should interpret the messages received
from the other program
Hypervisor
• A fundamental element of hardware virtualization is the hypervisor,
or virtual machine manager (VMM)
• It recreates a hardware environment in which guest operating
systems are installed
• There are two major types of hypervisor: Type I and Type II
Hypervisor – Type I
• Type I hypervisors run directly on top of the hardware
• They interact directly with the ISA interface exposed by the underlying
hardware, and they emulate this interface in order to allow the
management of guest operating systems
• Also called a native virtual machine, since it runs natively on hardware
Hypervisor – Type II
• Type II hypervisors require the support of an operating system to
provide virtualization services
• This means that they are programs managed by the operating system,
which interact with it through the ABI and emulate the ISA of virtual
hardware for guest operating systems
• This type of hypervisor is also called a hosted virtual machine since it
is hosted within an operating system
Virtualization Techniques
• Process-level techniques are implemented on top of an existing
operating system, which has full control of the hardware
• System-level techniques are implemented directly on hardware and
do not require (or require a minimum of support from) an existing
operating system
• Hardware virtualization techniques
• Hardware assisted Virtualization (known as System Virtualization)
• Full Virtualization
• Paravirtualization
• Partial Virtualization
Virtual Memory
Virtual Address Space
User Mode
Kernel Mode
Privileged Instruction
Sensitive Instruction
User Instruction
Virtual Memory
• The concept of virtual memory is that a process's memory can be backed in
different ways
• Some memory of a process can be on disk, some in main memory,
some could even be on a remote network
• This is managed by the OS and transparent to the running user
process
• To the user process it's just memory
Virtual Memory
• Virtual memory is a memory management technique where
secondary memory can be used as if it were a part of the main
memory
• Virtual memory is a common technique used in a computer's
operating system (OS)
• Virtual memory uses both hardware and software to enable a
computer to compensate for physical memory shortages, temporarily
transferring data from random access memory (RAM) to disk storage
• Mapping chunks of memory to disk files enables a computer to treat
secondary memory as though it were main memory.
Virtual Address Space
• Virtual memory is a memory management technique developed for
multitasking kernels
• Virtual address space is a memory mapping mechanism available in
modern operating systems
Virtual Address Space
• The virtual address space for a process is the set of virtual memory
addresses that it can use
• The address space for each process is private and cannot be accessed
by other processes unless it is shared
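The private-unless-shared rule can be observed with fork(). This is an added example, not the lecture's code: the global counter, the struct and the helper functions are constructed for the demo, and it assumes a POSIX system with fork(), pipe() and anonymous mmap(). After fork() both processes use the identical virtual address for the global, yet the child's write lands in its own copy of the page; the MAP_SHARED page is the one case where both see the write.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

static int counter = 1;   /* private global: one physical copy per process after fork() */

struct vas_result {
    uintptr_t parent_addr, child_addr;  /* &counter as seen in each process */
    int parent_value, child_value;      /* counter as seen by each after the child's write */
    int shared_value;                   /* the MAP_SHARED page, as seen by the parent */
};

int run_vas_experiment(struct vas_result *r) {
    int *shared = mmap(NULL, sizeof *shared, PROT_READ | PROT_WRITE,
                       MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (shared == MAP_FAILED) return -1;
    *shared = 1;

    int pipefd[2];
    if (pipe(pipefd) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child */
        close(pipefd[0]);
        counter = 42;                     /* copy-on-write: new physical page, same virtual address */
        *shared = 42;                     /* shared mapping: the parent's view changes too */
        uintptr_t addr = (uintptr_t)&counter;
        int val = counter;
        if (write(pipefd[1], &addr, sizeof addr) != (ssize_t)sizeof addr) _exit(1);
        if (write(pipefd[1], &val, sizeof val) != (ssize_t)sizeof val) _exit(1);
        _exit(0);
    }
    close(pipefd[1]);
    if (read(pipefd[0], &r->child_addr, sizeof r->child_addr) != (ssize_t)sizeof r->child_addr) return -1;
    if (read(pipefd[0], &r->child_value, sizeof r->child_value) != (ssize_t)sizeof r->child_value) return -1;
    close(pipefd[0]);
    waitpid(pid, NULL, 0);

    r->parent_addr  = (uintptr_t)&counter;
    r->parent_value = counter;            /* still 1: the child's write never reached this page */
    r->shared_value = *shared;            /* 42: the shared page */
    munmap(shared, sizeof *shared);
    return 0;
}

/* Summarises the experiment as a bitmask; 15 means every expectation held. */
int vas_demo(void) {
    struct vas_result r;
    if (run_vas_experiment(&r) != 0) return -1;
    int bits = 0;
    if (r.parent_addr == r.child_addr) bits |= 1;   /* same virtual address in both processes */
    if (r.parent_value == 1)           bits |= 2;   /* parent's private copy untouched */
    if (r.child_value == 42)           bits |= 4;   /* child saw its own write */
    if (r.shared_value == 42)          bits |= 8;   /* shared page visible to both */
    return bits;
}
```

This is the isolation property that process-level sandboxing relies on: the same number means a different physical location in each process, and only mappings explicitly created as shared cross that boundary.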
Virtual Address Space
• A virtual address does not represent the actual physical location of an
object in memory; instead, the system maintains a page table for each
process, which is an internal data structure used to translate virtual
addresses into their corresponding physical addresses
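A toy version of that page-table lookup, as an added example (not the lecture's code and not a real x86 page table): a single-level table with 4 KiB pages and 16 virtual pages, with constructed entries. Real tables are multi-level and pack the same present, writable, user/supervisor and frame-number bits into 64-bit entries. The last helper shows why a store into a page-table entry is a sensitive operation, which is the point the later slides on sensitive instructions make.

```c
#include <stdint.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NUM_PAGES  16          /* toy address space: 16 pages = 64 KiB */

struct pte {                   /* toy page-table entry, constructed for the demo */
    uint32_t frame;            /* physical frame number this page maps to */
    unsigned present  : 1;     /* 0 => page not in RAM (e.g. on disk): access faults */
    unsigned writable : 1;     /* 0 => writes fault */
    unsigned user     : 1;     /* 0 => only kernel mode may access the page */
};

enum access { ACCESS_READ, ACCESS_WRITE };
enum mode   { MODE_USER, MODE_KERNEL };
enum status { OK, FAULT_OUT_OF_RANGE, FAULT_NOT_PRESENT, FAULT_PROTECTION };

struct translation { enum status status; uint32_t paddr; };

/* The lookup the hardware performs on every access: split the virtual address
 * into page number and offset, consult the PTE, enforce its permission bits. */
struct translation translate(const struct pte *table, uint32_t vaddr,
                             enum access acc, enum mode mode) {
    struct translation t = { OK, 0 };
    uint32_t vpn    = vaddr >> PAGE_SHIFT;
    uint32_t offset = vaddr & (PAGE_SIZE - 1);
    if (vpn >= NUM_PAGES)                    { t.status = FAULT_OUT_OF_RANGE; return t; }
    const struct pte *e = &table[vpn];
    if (!e->present)                         { t.status = FAULT_NOT_PRESENT; return t; } /* OS would page it in */
    if (mode == MODE_USER && !e->user)       { t.status = FAULT_PROTECTION;  return t; }
    if (acc == ACCESS_WRITE && !e->writable) { t.status = FAULT_PROTECTION;  return t; }
    t.paddr = (e->frame << PAGE_SHIFT) | offset;
    return t;
}

/* Constructed sample address space for one process. */
void build_sample_table(struct pte *table) {
    for (int i = 0; i < NUM_PAGES; i++) table[i] = (struct pte){ 0, 0, 0, 0 };
    table[0]  = (struct pte){ .frame = 7, .present = 1, .writable = 0, .user = 1 }; /* code, read-only */
    table[1]  = (struct pte){ .frame = 3, .present = 1, .writable = 1, .user = 1 }; /* data, read/write */
    table[2]  = (struct pte){ .frame = 9, .present = 0, .writable = 1, .user = 1 }; /* paged out */
    table[15] = (struct pte){ .frame = 1, .present = 1, .writable = 1, .user = 0 }; /* kernel page */
}

/* Checks that return plain values. */
uint32_t demo_data_write_paddr(void) {            /* 0x1ABC -> page 1 -> frame 3 -> 0x3ABC */
    struct pte t[NUM_PAGES]; build_sample_table(t);
    return translate(t, 0x1ABC, ACCESS_WRITE, MODE_USER).paddr;
}
enum status demo_write_to_code(void) {            /* write to a read-only page: FAULT_PROTECTION */
    struct pte t[NUM_PAGES]; build_sample_table(t);
    return translate(t, 0x0010, ACCESS_WRITE, MODE_USER).status;
}
enum status demo_user_reads_kernel_page(void) {   /* user mode touching a kernel page: FAULT_PROTECTION */
    struct pte t[NUM_PAGES]; build_sample_table(t);
    return translate(t, 0xF000, ACCESS_READ, MODE_USER).status;
}
enum status demo_paged_out(void) {                /* page not in RAM: FAULT_NOT_PRESENT */
    struct pte t[NUM_PAGES]; build_sample_table(t);
    return translate(t, 0x2000, ACCESS_READ, MODE_USER).status;
}
/* Why editing a PTE is sensitive: one store to table[0].writable turns the
 * read-only code page into a writable one, so the same user write now succeeds. */
enum status demo_pte_edit_changes_outcome(void) { /* OK */
    struct pte t[NUM_PAGES]; build_sample_table(t);
    t[0].writable = 1;
    return translate(t, 0x0010, ACCESS_WRITE, MODE_USER).status;
}
```

Every protection decision in the system (read-only code, kernel-only pages, paged-out memory) is just a bit in this table, which is why the table itself must live in memory that only kernel mode can write.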
User mode and kernel mode
• A processor in a computer running Windows has two different
modes: user mode and kernel mode
• The processor switches between the two modes depending on what
type of code is running on the processor:
• Applications run in user mode, and
• Core operating system components run in kernel mode
User Mode
• Every user process operates under the user mode
• In this mode, processes do not have direct access to the RAM or
other hardware resources
• Processes have to make system calls to the underlying APIs to access
these resources
Kernel Mode
• The kernel mode has direct access to all the underlying hardware
resources
• In the kernel mode, all memory addresses are accessible and all CPU
instructions are executable
• Kernel mode is usually reserved for drivers which need finer control
over the hardware they are operating on
Kernel
• The kernel is a software program
• It is the core of an operating system and is responsible for managing
the system's resources, such as the CPU, memory, and devices
• The kernel also provides an interface between the operating system
and the hardware
• The kernel is typically loaded into memory when the computer boots
up and remains in memory until the computer is shut down
Kernel
• Kernel is responsible for many important tasks, including:
• Starting and stopping programs
• Managing memory and CPU usage
• Handling interrupts from devices
• Providing a file system
• Providing a network interface
Kernel
• The kernel is essential for the operation of an operating system
• Without the kernel, the operating system would not be able to
manage the system's resources or provide an interface to the
hardware
• Here are some examples of kernels:
• Linux kernel
• Windows kernel
• macOS kernel
• iOS kernel
• Android kernel
Architecture of Linux
Architecture of Windows NT
Kernel Components
• The kernel is divided into several different components, each of which has a
specific responsibility. The main components of the kernel are:
• Process scheduler:
• The process scheduler is responsible for deciding which process to run next
• Memory manager:
• The memory manager is responsible for allocating and managing memory
• File system:
• The file system provides a way for programs to access and store data on disk
• Network interface:
• The network interface provides a way for programs to communicate with other computers
over a network
• Device drivers:
• Device drivers provide an interface between the kernel and the hardware devices connected
to the computer
Kernel Code
• Operating system (OS) kernel code is typically written in a low-level
programming language, such as C or C++
• This is because kernels need to be efficient and need to have direct
access to the hardware
• Kernel code is typically divided into several different files, each of
which contains code for a specific component of the kernel
• For example, there might be a file for the process scheduler, a file for the
memory manager, and a file for the file system
• A simple example of kernel code. In reality, kernel code is much more complex and
contains code for many other different tasks
#include <stddef.h>   /* size_t, NULL */

/* get_next_process(), switch_to_process(), heap_alloc() and heap_free() are
   assumed to be defined elsewhere in the kernel. */
struct process;
struct process *get_next_process(void);
void switch_to_process(struct process *p);
void *heap_alloc(size_t size);
void heap_free(void *ptr);

// This function is called when the system needs to schedule a new process.
void schedule(void) {
    // Get the next process to run.
    struct process *next_process = get_next_process();
    // Switch to the next process.
    switch_to_process(next_process);
}

// This function is called when the system needs to allocate memory for a process.
void *malloc(size_t size) {
    // Allocate memory from the heap.
    void *ptr = heap_alloc(size);
    // If the allocation failed, return NULL.
    if (ptr == NULL) {
        return NULL;
    }
    // Return the pointer to the allocated memory.
    return ptr;
}

// This function is called when the system needs to free memory that was allocated by malloc().
void free(void *ptr) {
    // Free the memory back to the heap.
    heap_free(ptr);
}
Emulator
• An emulator is a software or hardware tool that replicates the
functionality of one computer system on another
• It allows a computer system, known as the host, to mimic the
behavior of a different computer system, known as the guest or target
• Emulators are designed to run software or programs written for the
guest system on the host system
• Example:
• Android Emulator is a popular example. It allows developers to run Android
applications on a desktop computer for testing and development, even if the
developer's machine is not an Android device
Simulator
• A simulator is a software tool that models the behavior of a system or
process without necessarily replicating the underlying hardware
• Simulators are used to understand and study the behavior of a system
under various conditions or scenarios
• They often provide a higher-level abstraction of a system's functionality
• They allow users to study and experiment with the behavior of a system
without the need for the actual hardware
• Example:
• The Microsoft Flight Simulator is a well-known example of a simulator. It provides a
realistic simulation of flying an aircraft, modeling various aspects of flight physics and
environmental conditions, but it doesn't emulate a specific physical aircraft.
Emulator and Simulator - Key Differences:
• Scope:
• Emulators replicate the entire hardware and software environment of a
specific system, aiming to run software designed for that system on a
different one
• Simulators focus on modeling the behavior and functionality of a system
without necessarily replicating its hardware
• Purpose:
• Emulators are primarily used for running existing software on different
platforms, ensuring compatibility
• Simulators are used for experimentation, testing, training, and research to
understand system behavior
Emulator and Simulator - Key Differences:
• Level of Abstraction:
• Emulators aim to replicate the exact behavior of the target system, down to
the hardware level
• Simulators provide a higher-level abstraction, focusing on system behavior
and functionality
• Examples:
• Emulator examples include Android Emulator, game console emulators, and
virtual machines (e.g., VMware)
• Simulator examples include flight simulators, network simulators (e.g., NS-3),
and hardware description language (HDL) simulators for designing integrated
circuits
QEMU - Quick Emulator
• Open-source emulator and virtualization tool
• allows users to run virtual machines (VMs) on a host system
• It provides a versatile and flexible platform for emulating a wide range
of computer architectures, making it a valuable tool for various
purposes, including development, testing, and running legacy
software on modern hardware
• QEMU can emulate the behavior of various computer architectures,
including x86, ARM, PowerPC, MIPS, and more
• It can also operate as a hypervisor to provide full virtualization for
running multiple guest operating systems on a single host
Privilege instruction, Sensitive
instruction, and User instruction
Privileged instructions
• Privileged instructions are instructions that can only be executed by
the CPU in a higher privilege mode, typically referred to as "kernel
mode" or "privileged mode"
• These instructions are typically used to perform low-level tasks such
as managing memory, handling interrupts, and accessing hardware
devices.
• Example:
• An example of a privileged instruction is one that directly accesses or
modifies a control register, such as Control Register 0 (CR0) on the x86
architecture, which controls features like paging and protection. Changing
these settings requires elevated privileges, and only the kernel (operating
system) should be able to execute such instructions.
Control Registers
• A control register is a processor register which changes or controls
the general behavior of a CPU or other digital device
• Common tasks performed by control registers include interrupt
control, switching the addressing mode, paging control, and
coprocessor control
• Processors based on the Intel architecture have a set of control
registers that are used for configuration of the processor at run time
(such as switching between execution modes)
• These registers are 32-bit wide on x86 and 64-bit wide on AMD64 (long
mode)
Control Registers
• Control registers in x86 series
• CR0
• CR1 – Reserved
• CR2 - Contains a value called Page Fault Linear Address (PFLA)
• CR3
• CR4
• Additional Control registers in x86-64 series
• EFER - Extended Feature Enable Register is a register added in the AMD K6
processor
CPU Registers x86
• General Purpose Registers
• Pointer Registers
• Segment Registers
• EFLAGS Register
• Control Registers
• Extended Control Registers
• Debug Registers
• Test Registers
• Protected Mode Registers
• GDTR - Global Descriptor Table Register
• LDTR - Local Descriptor Table Register
• IDTR - Interrupt Descriptor Table Register
Privileged Instructions
• The Instructions that can run only in Kernel Mode are called
Privileged Instructions
• If any attempt is made to execute a Privileged Instruction in User
Mode, it is not executed: the hardware treats it as an illegal
instruction and traps into the Operating System
• Before transferring the control to any User Program, it is the
responsibility of the Operating System to ensure that the Timer is set
to interrupt
• Thus, if the timer interrupts then the Operating System regains the control.
• Thus, any instruction which can modify the contents of the Timer is Privileged
Instruction
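The trap described above can be observed from an ordinary user program. This is an added example, not the lecture's code: the handler and try_privileged_instruction() are constructed for the demo, and it assumes an x86 or x86-64 build on a POSIX system (on other architectures the function reports that the check was skipped). HLT is one of the halt instructions the slides list as privileged; executed in user mode the CPU raises a general-protection fault, and the operating system delivers it to the process as a signal rather than letting the instruction run.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <string.h>

static sigjmp_buf trap_env;

/* The OS delivers the hardware trap as a signal; we jump back out of the
 * faulting instruction so the program can report what happened. */
static void on_trap(int sig) {
    siglongjmp(trap_env, sig);
}

/* Returns the signal number delivered when a privileged instruction is
 * attempted in user mode (SIGSEGV on Linux/macOS for a general-protection
 * fault, SIGILL on some systems), 0 if it unexpectedly executed, or -1 when
 * the build is not x86 and the check is skipped. */
int try_privileged_instruction(void) {
#if defined(__x86_64__) || defined(__i386__)
    struct sigaction sa, old_segv, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_trap;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);

    int sig = sigsetjmp(trap_env, 1);   /* returns the signal number after siglongjmp */
    if (sig == 0) {
        /* HLT requires CPL 0. In user mode (CPL 3) the CPU raises #GP instead
         * of halting; control never reaches the statement after the asm. */
        __asm__ volatile("hlt");
    }
    sigaction(SIGSEGV, &old_segv, NULL);   /* restore the default handlers */
    sigaction(SIGILL, &old_ill, NULL);
    return sig;
#else
    return -1;
#endif
}
```

The important observation is that the program needs no cooperation from the kernel to be stopped: the privilege check happens in hardware on every instruction, and the kernel only decides what to do with the resulting fault (here, deliver a signal; by default, terminate the process).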
Examples of Privileged Instructions
• Privileged Instructions are used by the Operating System in order to
achieve correct operation
• I/O instructions and Halt instructions
• Turn off all Interrupts
• Set the Timer
• Context Switching
• Clear the Memory or Remove a process from the Memory
• Modify entries in the Device-status table
Examples of Privileged Instructions
• Turn off all Interrupts
• An interrupt (or exception) is an event the processor must handle before
continuing with the user code
• It can be raised by a division by zero or any invalid memory access
• It is also useful for invoking a kernel routine (a system call)
• Handling it runs a higher-priority routine rather than the user code, which is
why disabling interrupts is reserved for privileged code
• I/O instructions and Halt instructions
• I/O (input and output) instructions move data between a computer and
the outside world
• Halt is an assembly language instruction
• It halts the CPU until the next external interrupt arrives
Examples of Privileged Instructions
• Context Switching
• This is the process of storing the context, or state, of the running
process
• It happens so that the process being switched to can reload and execute from
the same point as before
• Set the Timer
• This sets the period after which the timer interrupts the computer
• The counter is set so that the instructions currently needed can finish or
start before the interrupt occurs
Examples of Privileged Instructions
• Adapt entries in the Device-status table
• The device-status table indicates the type, state, and address of each
input/output device
• It holds one entry for every device
• Remove a process from memory or clear the memory
• A task is only executable when the memory installed in the computer
system has been allocated to it
• Operations of this type are only possible through privileged instructions
Non-Privileged Instructions
• The Instructions that can run only in User Mode are called Non-
Privileged Instructions
• Reading the status of the processor
• Reading the system time
• Generating any trap instruction
• Sending the final printout to the printer
• Common user instructions include arithmetic and logical operations
(e.g., addition, subtraction, bitwise operations), data movement (e.g.,
load and store), and branching (e.g., jump and conditional jump)
instructions. These instructions perform fundamental tasks within a
program.
Sensitive Instructions
• Sensitive instructions are those that have the potential to
compromise system security or stability if misused or executed by
unauthorized users or processes
• These instructions often include operations that can directly affect
memory management, hardware control, or access to sensitive data
• Example:
• An example of a sensitive instruction is an instruction that can manipulate
page tables or memory protection attributes
• For instance, on x86, instructions like mov can be sensitive when used to
modify page table entries to change memory access permissions
Sensitive Instructions
• Sensitive instructions are not explicitly defined as a separate category
in most computer architectures or instruction set architectures (ISAs)
• Sensitive instructions can be thought of as instructions that have the
potential to impact system security or stability, especially when
executed by an unauthorized or unprivileged process
• Whether an instruction is sensitive or not depends on the system's
security model and the access control mechanisms in place
How sensitivity relates to privileged instructions
• In many computer architectures, sensitive instructions overlap with privileged
instructions, because instructions that can potentially compromise system
security or stability are often restricted to higher privilege levels (e.g., kernel
mode)
• However, not all privileged instructions are necessarily sensitive, and not all
sensitive instructions are necessarily privileged instructions.
mov instruction (x86 architecture)
• The mov instruction moves data from the source to the destination
• The typical syntax for the mov instruction in x86 assembly language is as
follows:
mov destination, source
• Destination: This is where the data will be moved or copied to. It is
typically a register or a memory location.
• Source: This is the data to be moved or copied. It can be a register, an
immediate value (a constant), or a memory location.
mov instruction (x86 architecture)
• Common examples of how the mov instruction is used in x86 assembly
language:
• Register-to-Register Transfer: mov ebx, eax
• Immediate Value to Register: mov ecx, 42
• Memory-to-Register Transfer: mov edx, [ebx]
• Register-to-Memory Transfer: mov [edi], esi
• Memory-to-Memory Transfer (Not Directly Supported)
• It's important to note that the x86 architecture doesn't directly support memory-to-
memory transfers using a single mov instruction. You typically need to move data
between memory and a register first and then between registers and memory to
achieve memory-to-memory copying.
etc.
How sensitivity relates to privileged instructions
• Example: consider an instruction like "mov" (move) in x86 assembly
language
• When executed in user mode,
• it is typically not considered a privileged instruction, and user-level programs
can execute it to move data within their own memory space
• However, if a user-level program tries to use "mov" to modify critical
system data or control registers, it becomes sensitive and would not
be allowed due to privilege restrictions
How sensitivity relates to privileged instructions - behavior of the mov instruction
• User Instruction: mov is used for standard data copying operations
within the user process's memory space
mov eax, ebx
• Privileged Instruction: mov may be used to access and manipulate
critical system data structures and hardware control registers
mov cr0, eax
• Sensitive Instruction:
• Memory Protection Attribute Modification
• Changing Interrupt Descriptor Table (IDT)
• Control Register Sensitive Modification
How sensitivity relates to privileged instructions - behavior of the mov instruction
• Sensitive Instruction:
• Memory Protection Attribute Modification – Altering memory protection
attributes using mov can be sensitive, especially when attempting to change
page table entries to grant or restrict access to memory regions
• Changing Interrupt Descriptor Table (IDT) - Modifying the IDT entries with mov
can be sensitive, as the IDT controls how the CPU responds to interrupts and
exceptions; the IDT register (IDTR) that points at the table has no mov form and
is loaded with the privileged lidt instruction
lidt [edx]    ; load IDTR from the descriptor at [edx]; faults (#GP) in ring 3
• Control Register Sensitive Modification
Rings in Operating Systems
• Operating systems manage computer resources, like processing time
on the CPU and accessing the memory
• Since computers run more than one software process, this will bring
some issues
• Protection rings are one of the key solutions for sharing resources and
hardware
• Protection rings are mechanisms to protect data and functionality
from:
• faults (by improving fault tolerance)
• malicious behaviour (by providing computer security)
The protection rings for x86 processor architecture
Protection Rings
• Ring 0 - operating system kernel, system drivers
• Ring 1 - hardware maintenance programs, drivers, and programs that
work with the computer's I/O ports
• Ring 2 - database management systems, operating system extensions
• Ring 3 - user-run applications
Operating System Utilities
• Windows OS Utilities:
• Windows Diagnostics
• Windows Performance Monitor
• Windows Event Viewer
• Windows Registry Editor
• Windows Task Manager
• Linux OS Utilities:
• ps
• iostat
• vmstat
Ring 0
• The code that runs here is said to be in kernel mode
• Kernel-mode processes have the potential to affect the entire system
• If something goes wrong here, the system would most likely crash
• This ring has direct access to both CPU and system memory
Ring 3
• User processes running in user mode have access to Ring 3
• Therefore, this is the least privileged ring
• This is where we’ll find the majority of our computer applications
Ring 1 and Ring 2
• The OS uses ring 1 to interact with the computer’s hardware
• This ring would need to run commands such as streaming a video through a
camera on our monitor
• Instructions that must interact with the system storage, loading, or
saving files are stored in ring 2
• These rights are known as input and output permissions because they
involve transferring data into and out of working memory, RAM
• In ring 2, for example, an Excel document is loaded from storage
• In such a case, ring 3 is responsible for editing and saving the data
Implementation of Protection Rings
• Most CPU architectures, such as x86, include some form of protection
rings
• While Linux and Windows use only ring 0 and ring 3, some other
operating systems can utilize three different protection levels
• OSs such as Linux, macOS, and Windows don't fully utilize this
feature
• ARMv7 processor architectures implement three privilege levels:
application, operating system, and hypervisor
• ARMv8 implements four protection levels: the three above plus a secure
monitor level
Hypervisor Mode
• Modern CPUs offer x86 virtualization instructions that let the hypervisor
control "Ring 0" hardware access
• In order to support virtualization, Intel VT and AMD Pacifica insert a new
privilege level below "Ring 0":
• Ring −1, intended to be used by the hypervisor
CPU protection ring levels
x86 Architecture
• It's an instruction set architecture (ISA) family for computer processors
• [An ISA specifies the behavior of machine code and defines how the software
controls the CPU]
• Developed by Intel Corporation
• x86 architecture defines how a processor handles and executes
different instructions passed from the operating system (OS) and
software programs
• Designed in 1978, x86 architecture was one of the first ISAs for
microprocessor-based computing
• x86 architecture is based on Intel's 8086 microprocessor
x86 architecture
• It primarily handles programmatic functions and provides services,
such as:
• memory addressing
• software and hardware interrupt handling
• data types
• registers and input/output (I/O) management
• Classified by bit amount, the x86 architecture is implemented in
multiple microprocessors, including 8086, 80286, 80386, Core 2,
Atom and the Pentium series
• Other microprocessor manufacturers, like AMD and VIA Technologies,
have adopted the x86 architecture
x86 Key features
• Provides a logical framework for executing instructions through a
processor
• Allows software programs and instructions to run on any processor in
the Intel 8086 family
• Provides procedures for utilizing and managing the hardware
components of a central processing unit (CPU)
• VIA Technologies Inc. is a Taiwanese manufacturer of integrated circuits,
mainly motherboard chipsets, CPUs, and memory.
• It was the world's largest independent manufacturer of motherboard chipsets.
x86 Hardware Virtualization
• x86 operating systems are designed to run directly on the bare-metal
hardware, so they naturally assume they fully ‘own’ the computer
hardware
• x86 architecture offers four levels of privilege known as Ring 0, 1, 2
and 3 to operating systems and applications to manage access to the
computer hardware
• Virtualizing the x86 architecture requires placing a virtualization layer
under the operating system to create and manage the virtual
machines that deliver shared resources
• [Knowing that OS expects to be in the most privileged Ring 0]
x86 privilege level architecture without virtualization
Privileged instructions
• Privileged instructions are executed under specific restrictions and are
mostly used for sensitive operations, i.e. operations that:
• expose the privileged state (behavior-sensitive)
• operate on the I/O
• modify the privileged state (control-sensitive)
• alter the state of the CPU registers
Type 1 Hypervisor
• Theory: Type 1 virtualization is feasible if the set of sensitive instructions is a
subset of the privileged instructions, or if all sensitive instructions always cause a trap
• Reasoning:
• On booting a Type 1 hypervisor, it runs in kernel mode
• A Windows VM run on the hypervisor should not be trusted as much as the
hypervisor and is therefore run in user mode
• Windows assumes it is the kernel and can run sensitive instructions, but these
sensitive instructions won’t run because it will be running in user mode
• The solution is that the hypervisor intervenes and runs each sensitive instruction
attempted by the Windows VM
• How will the hypervisor be alerted when Windows attempts so?
• If the sensitive instruction causes a trap, the hypervisor intervenes and executes it for the VM
Type 1 Hypervisor
• NOTE:
• Early Intel processors did not have Type 1 support
• Recent Intel/AMD CPUs have hardware support, named Intel VT and AMD
SVM
• The idea is to create containers in which a VM and its guest can run; the
hypervisor uses a hardware bitmap to specify which instructions should trap, so
that sensitive instructions in the guest trap to the hypervisor
• This bitmap property can also be turned off
Type 1 Hypervisor - Examples
1. VMware ESXi: a specialized OS kernel that can run arbitrary VMs on it
2. Windows Hyper-V creates partitions, runs Windows in the parent
partition (one copy of Windows is mandatory), and the child
partitions can run Linux or any other OS. Less flexible than ESXi.
3. Linux KVM or kernel virtual machine: Implemented as a device
driver that gives barebone support for Type 1. Along with some
other components (like QEMU) gives the functionality for Type 1
hypervisor.
Type 2 Hypervisor
• A Type 2 hypervisor runs as an application on the host OS and therefore
does not have kernel level privileges
• Type 2 hypervisor performs dynamic code translation
• It scans instructions executed by the guest OS, replacing the sensitive instructions
with function calls
• These function calls in turn make system calls to the OS,
• thereby involving the host OS
• This process is called binary translation
• This leads to slowdown as every piece of sensitive code has to be
translated
• Therefore, VT support is not needed, no support is needed from the
hardware to ensure that all sensitive instructions are privileged
Type 2 Hypervisor - Example
• VMware Fusion delivers the best way to run Windows, Linux and
more on Apple Macs without rebooting
• Fusion 13 supports Intel and Apple Silicon Macs running macOS 12
and newer, and includes features for developers, IT admins and
everyday users
• VMWare Fusion, upon loading program, scans code for basic blocks
and replaces sensitive instructions by VMWare procedure using
binary translation
• Only the guest OS's instructions need to be scanned, not the
applications
VMWare
• VMware ESXi - bare-metal hypervisor that installs directly onto your
physical server
• VMware vSphere - Virtualize servers to manage your IT infrastructure;
allowing you to consolidate your applications
• VMware Fusion - to run Windows, Linux, containers, Kubernetes and more
in virtual machines (VMs) without rebooting
• With Fusion Player and Fusion Pro, run nearly any OS as VMs on Mac
• VMware Workstation Pro - Run Windows, Linux and BSD virtual machines
on a Windows or Linux desktop with VMware Workstation Pro, the industry
standard desktop hypervisor
• VMware Workstation Player - Easily run multiple operating systems as
virtual machines on your Windows or Linux PC with VMware Workstation
Player
Virtual Machine Manager
• Three main modules:
• dispatcher,
• allocator, and
• interpreter,
• coordinate their activity in order to emulate the underlying hardware
VMM - dispatcher
• The dispatcher constitutes the entry point of the monitor and
reroutes the instructions issued by the virtual machine instance to
one of the two other modules
OR
• The dispatcher is the component that receives the instructions sent
from the virtual machine. It does not carry out these instructions, but
instead, it just forwards them to one of the other two modules
VMM - allocator
• The allocator is responsible for deciding the system resources to be
provided to the VM:
• whenever a virtual machine tries to execute an instruction that results in
changing the machine resources associated with that VM, the allocator is
invoked by the dispatcher
• The allocator responds to the dispatcher’s commands to determine
the resources needed and allocates them
• The interpreter module has stored routines that are executed based
on the allocator’s commands.
VMM - interpreter
• Allocator: allocates system resources
• Interpreter: instructions that are executed
• The interpreter module consists of interpreter routines
• These are executed whenever a virtual machine executes a privileged
instruction:
• a trap is triggered and the corresponding routine is executed
Formal Requirements for Virtualizable Third
Generation Architectures
• Research Paper by –
• Gerald J. Popek University of California, Los Angeles
• Robert P. Goldberg Honeywell Information Systems and Harvard University
• THEOREM 1.
• For any conventional third generation computer, a virtual machine monitor may be
constructed if the set of sensitive instructions for that computer is a subset of the
set of privileged instructions.
• THEOREM 2.
• A conventional third generation computer is recursively virtualizable if it is: (a)
virtualizable, and (b) a VMM without any timing dependencies can be constructed
for it.
• THEOREM 3.
• A hybrid virtual machine monitor may be constructed for any conventional third
generation machine in which the set of user sensitive instructions are a subset of the
set of privileged instructions.
Complicated Situation in x86 Virtualization
• Some sensitive instructions can’t effectively be virtualized as they
have different semantics when they are not executed in Ring 0
• Challenge: Difficulty in trapping and translating these sensitive and
privileged instruction requests at runtime
• This made x86 architecture virtualization look impossible
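As an added example (constructed here, not taken from the lecture, from VMware or from Popek and Goldberg's paper), the toy machine below models the Type 1 trap-and-emulate reasoning, the Theorem 1 subset check, and the x86 complication described on this slide: two instructions in the hypothetical ISA table (popf and smsw) are sensitive but do not trap in ring 3, so the VMM's virtual state silently diverges from bare-metal behaviour, while a minimal binary translator that rewrites those instructions into VMM calls restores the correct result. The ISA table, the Machine fields, the host CR0 value and the guest fragment are all assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed ISA table (hypothetical, modelled on x86): op -> (privileged, sensitive).
# privileged: raises a #GP fault when executed in user mode (ring 3).
# sensitive:  reads or changes privileged machine state (Popek & Goldberg's sense).
ISA = {
    "add":     (False, False),  # ordinary user instruction
    "mov_cr0": (True,  True),   # mov cr0, reg: control-sensitive, traps in ring 3
    "lidt":    (True,  True),   # load IDTR:    control-sensitive, traps in ring 3
    "popf":    (False, True),   # ring 3 silently ignores the IF bit: no trap
    "smsw":    (False, True),   # reads CR0 bits from ring 3 without trapping
}

def popek_goldberg_violations(isa):
    """Theorem 1 check: a VMM can be built if sensitive is a subset of privileged.
    Returns the sensitive-but-unprivileged instructions (empty means virtualizable)."""
    return sorted(op for op, (priv, sens) in isa.items() if sens and not priv)

@dataclass
class Machine:
    cr0: int = 0      # privileged state
    idt: int = 0      # privileged state
    IF: bool = False  # interrupt-enable flag (EFLAGS bit 9); changing it is privileged
    acc: int = 0      # ordinary register, used by whoever is running on the CPU

def execute(m, op, arg, kernel_mode):
    """Hardware semantics of one instruction at the given privilege level."""
    if ISA[op][0] and not kernel_mode:
        raise PermissionError(op)        # #GP fault: control passes to ring 0
    if op == "add":
        m.acc += arg
    elif op == "mov_cr0":
        m.cr0 = arg
    elif op == "lidt":
        m.idt = arg
    elif op == "popf":
        if kernel_mode:                  # in ring 3 the IF change is dropped silently
            m.IF = bool(arg & 0x200)
    elif op == "smsw":
        m.acc = m.cr0 & 0xFFFF           # exposes the *physical* CR0, even from ring 3

def run_bare_metal(program):
    """Reference behaviour: the guest kernel running in ring 0 on real hardware."""
    m = Machine()
    for op, arg in program:
        execute(m, op, arg, kernel_mode=True)
    return m

def run_trap_and_emulate(program, host_cr0=0x80050033):
    """Type 1 VMM as reasoned on the slides: the guest kernel runs in ring 3,
    privileged ops trap and the VMM emulates them on the guest's virtual state.
    Returns (virtual state, number of traps)."""
    phys = Machine(cr0=host_cr0)         # the real CPU, owned by the VMM
    vm = Machine()                       # virtual privileged state kept by the VMM
    traps = 0
    for op, arg in program:
        try:
            execute(phys, op, arg, kernel_mode=False)
        except PermissionError:          # trap: the VMM performs the op for the VM
            traps += 1
            execute(vm, op, arg, kernel_mode=True)
    vm.acc = phys.acc                    # ordinary registers are the real ones
    return vm, traps

TRANSLATION_CACHE = {}                   # translated blocks are reused, not re-translated

def translate(block):
    """Binary translation of one guest-kernel basic block (decode, analyse,
    translate, cache): sensitive ops become calls into the VMM, others are kept."""
    key = tuple(block)
    if key not in TRANSLATION_CACHE:
        TRANSLATION_CACHE[key] = [("vmm_" + op if ISA[op][1] else op, arg)
                                  for op, arg in block]
    return TRANSLATION_CACHE[key]

def run_binary_translated(program, host_cr0=0x80050033):
    """Full virtualization: translated kernel code still runs in ring 3, but
    every sensitive op is now a VMM routine operating on the virtual state."""
    phys = Machine(cr0=host_cr0)
    vm = Machine()
    for op, arg in translate(program):
        if op.startswith("vmm_"):
            vm.acc = phys.acc            # the VMM routine sees the guest's registers
            execute(vm, op[4:], arg, kernel_mode=True)
            phys.acc = vm.acc
        else:
            execute(phys, op, arg, kernel_mode=False)
    vm.acc = phys.acc
    return vm

# Constructed guest kernel fragment: set CR0, load IDT, enable interrupts, read CR0.
GUEST_KERNEL = [("mov_cr0", 0x11), ("lidt", 0x1000), ("popf", 0x202),
                ("smsw", 0), ("add", 1)]

if __name__ == "__main__":
    print("sensitive but unprivileged:", popek_goldberg_violations(ISA))
    print("bare metal       :", run_bare_metal(GUEST_KERNEL))
    print("trap-and-emulate :", run_trap_and_emulate(GUEST_KERNEL))
    print("binary translated:", run_binary_translated(GUEST_KERNEL))
```

Under trap-and-emulate the guest believes interrupts are enabled and has read the host's CR0, and the VMM never learned about either; the translated run matches bare metal exactly.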
Major challenges to building a VMM for the
x86 architecture
1. The x86 architecture was not virtualizable
2. The x86 architecture was of daunting (Discouraging) complexity
• The x86 architecture was a big CISC (Complex Instruction Set) architecture
• CISC Characteristics
• Complex instruction, hence complex instruction decoding
• Complex Addressing Modes
Major challenges to building a VMM for the
x86 architecture
3. x86 machines had diverse peripherals
• vendor-specific device drivers, virtualizing all these peripherals was
intractable
4. Need for a simple user experience
• It was required to add VMM to existing systems
• Focus to consider software delivery options
• A user experience that encouraged simple user adoption
Three core attributes of a virtual machine to x86-
based target platform (adopted by VMware)
• Compatibility:
• The notion of an essentially identical environment meant that any x86
operating system, and all of its applications, would be able to run without
modifications as a virtual machine
• A VMM needed to provide sufficient compatibility at the hardware level such
that users could run whichever operating system, down to the update and
patch version, they wished to install within a particular virtual machine,
without restrictions
Three core attributes of a virtual machine to x86-
based target platform (adopted by VMware)
• Performance
• Minor decreases in speed - meant sufficiently low VMM overheads that users
could use a virtual machine as their primary work environment
• Aim: To run relevant workloads at near native speeds, and
• in the worst case: To run them on then-current processor with the same
performance as if they were running natively on the immediately prior
generation of processors
Three core attributes of a virtual machine to x86-
based target platform (adopted by VMware)
• Isolation
• A VMM had to guarantee the isolation of the virtual machine without making
any assumptions about the software running inside
• A VMM needed to be in complete control of resources
• Software running inside virtual machines had to be prevented from any
access that would allow it to modify or subvert its VMM
• A VMM had to ensure the privacy of all data not belonging to the virtual
machine
• A VMM had to assume that the guest operating system could be infected with
unknown, malicious code (a much bigger concern today than during the
mainframe era)
Resolving the complication in x86 Virtualization
• VMware resolved the challenge in 1998
• Developed - binary translation techniques
• that allow the VMM to run in Ring 0 for isolation and performance,
• while moving the OS to a user level ring with greater privilege than
applications in Ring 3 but less privilege than the virtual machine monitor in
Ring 0
Binary Translation Technique
• Binary translation involves dynamically translating binary instructions
from the guest's architecture (source architecture) to the host's
architecture (target architecture) as they are executed
• This technique is used in both Type 1 and Type 2
• Use Case:
• Cross-Architecture Virtualization:
• Running software built for one CPU architecture on a host with a different architecture
• For example, running x86 applications on an ARM-based host
• Legacy Software Support:
• Allowing older applications or operating systems to run on modern hardware that may
not natively support their architecture
Binary translation involves several steps and
techniques
1. Decoding:
• The binary code of the guest application or OS is decoded to understand the
instructions.
2. Analysis:
• The translator analyzes the decoded instructions to determine their purpose and
potential dependencies.
3. Translation:
• The translator converts the guest architecture instructions into equivalent host
architecture instructions. This is often the most complex and critical step.
4. Optimization:
• The translated code may undergo further optimization to improve performance. For
instance, it can reduce the number of translations by caching already translated
code.
Binary translation involves several steps and
techniques
5. Execution:
• The translated code is executed on the host machine, and the results are
returned to the guest OS or application.
6. Handling Exceptions:
• Special handling is required for exceptions and interrupts that may occur
during translation to ensure correct operation.
Techniques
• Alternative techniques for handling sensitive and privileged
instructions to virtualize the CPU on the x86 architecture
• Full virtualization using binary translation
• OS assisted virtualization or paravirtualization
• Hardware assisted virtualization (first generation)
Technique 1 – Full Virtualization using Binary Translation
• VMware can virtualize any x86 operating system using a combination of
binary translation and direct execution techniques
Technique 1 – Full Virtualization using Binary Translation
• User level code is directly executed on the processor for high performance
virtualization
• Translates kernel code to replace nonvirtualizable instructions with new
sequences of instructions that have the intended effect on the virtual hardware
• Virtual Machine Monitor provides each Virtual Machine with all the services of
the physical system, including a virtual BIOS, virtual devices and virtualized
memory management
Technique 1 – Full Virtualization using Binary
Translation
• This combination of binary translation and direct execution provides
Full Virtualization as the guest OS is fully abstracted (completely
decoupled) from the underlying hardware by the virtualization layer
• The guest OS is not aware it is being virtualized and requires no
modification
• Full virtualization is the only option that requires no hardware
assist or operating system assist to virtualize sensitive and
privileged instructions
Technique 1 – Full Virtualization using Binary
Translation
• The hypervisor translates all operating system instructions and caches
the results for future use, while user level instructions run unmodified
at native speed
• Full virtualization offers the best isolation and security for virtual
machines, and simplifies migration and portability as the same guest
OS instance can run virtualized or on native hardware
• VMware’s virtualization products are examples of full virtualization
Technique 2 – OS Assisted Virtualization or Paravirtualization
The Paravirtualization approach to x86 Virtualization
Technique 2 – OS Assisted Virtualization or
Paravirtualization
• Paravirtualization involves modifying the OS kernel to replace
nonvirtualizable instructions with hypercalls that communicate
directly with the virtualization layer hypervisor
• The hypervisor also provides hypercall interfaces for other critical
kernel operations such as memory management, interrupt handling
and time keeping
• As paravirtualization cannot support unmodified operating systems
(e.g. Windows 2000/XP), its compatibility and portability is poor
Technique 2 – OS Assisted Virtualization or
Paravirtualization
• Instead of dynamically translating the sensitive instructions, leading
to overhead, we can categorically change the kernel instructions to
replace the sensitive instructions with hypercalls (call to the
hypervisor) to get a modified OS with no sensitive instructions
• Every time a sensitive function needs to be executed, a hypercall is
made instead
• Both Type 1 and 2 hypervisors work on unmodified OS
• In contrast, para-virtualization modifies OS kernel to replace all sensitive
instructions with hypercalls
• Thus, the OS behaves like a user program making system calls and the
hypervisor executes the privileged operation invoked by hypercall
Technique 2 – OS Assisted Virtualization or
Paravirtualization
• Paravirtualization can also introduce significant support and
maintainability issues in production environments as it requires deep
OS kernel modifications
• The open source Xen project is an example of paravirtualization
that virtualizes the processor and memory using a modified Linux
kernel and virtualizes the I/O using custom guest OS device drivers
Technique 2 – OS Assisted Virtualization or
Paravirtualization
• While it is very difficult to build the more sophisticated binary
translation support necessary for full virtualization, modifying the
guest OS to enable paravirtualization is relatively easy
• The VMware tools service provides a backdoor to the VMM
Hypervisor used for services such as:
• time synchronization
• logging and
• guest shutdown
Technique 2 – OS Assisted Virtualization or
Paravirtualization
• Vmxnet is a paravirtualized I/O device driver that shares data structures
with the hypervisor
• It can take advantage of host device capabilities to offer improved throughput and
reduced CPU utilization
• It is important to note for clarity that the VMware tools service and the
vmxnet device driver are not CPU paravirtualization solutions
• They are minimal, non-intrusive changes installed into the guest OS that do not
require OS kernel modification
• Xen ran as a para-virtualized version of Linux when the hardware did not
support Type 1 hypervisors
• Xen needed Linux to run in domain 0 (the master partition), just like Hyper-V
Technique 3 – Hardware Assisted Virtualization
The hardware assist approach to x86 virtualization
Technique 3 – Hardware Assisted Virtualization
• Hardware vendors are rapidly embracing virtualization and
developing new features to simplify virtualization techniques
• First generation enhancements include Intel Virtualization Technology
(VT-x) and AMD’s AMD-V which both target privileged instructions
with a new CPU execution mode feature that allows the VMM to run
in a new root mode below ring 0
• Privileged and Sensitive calls are set to automatically trap to the
hypervisor, removing the need for either binary translation or
paravirtualization
Technique 3 – Hardware Assisted Virtualization
• The guest state is stored in Virtual Machine Control Structures (VT-x)
or Virtual Machine Control Blocks (AMD-V)
• Processors with Intel VT and AMD-V became available in 2006, so
only newer systems contain these hardware assist features
Virtual Appliance
• Pre-configured Software Solution
• A new paradigm for software delivery
• Improves the experience for developers and customers
• By packaging -
• Pre-configured,
• Virtualization-ready solutions
• In a single software package that is -
• Secure, easy to distribute, and easy to manage
Virtual Appliance
• A virtual appliance uses -
• A pre-installed, pre-configured operating system and an application stack that
is customized to provide a specific set of functions
• A virtual appliance typically comes in the open virtualization format
(OVF)
A Virtual Appliance Running on VMware Infrastructure
Virtual Appliance Packaging with VMware Studio
Virtual Appliance - Examples
• Virtual appliances in IaaS systems such as Amazon’s Elastic Compute
Cloud (EC2)
• VMware Ready virtual appliances created using VMware Studio run
seamlessly on VMware products such as
• VMware Infrastructure, VMware ESXi, VMware Workstation, VMware
Fusion™ and VMware Server
• Third-party virtualization products that support the OVF specification
Components of a Virtual Appliance
• A thin operating system layer called just enough operating system
(JeOS)
• Required operating system packages
• Final application
• The self-contained virtual appliance can run directly on hypervisors
such as VMware vSphere or Amazon EC2
Virtual Appliances vs. Virtual Machines
• Virtual appliances, like virtual machines, incorporate
• an application, OS and virtual hardware
• Virtual appliances differ from virtual machines -
• They are delivered to customers as preconfigured solutions
• Simplify deployment for customers by eliminating the need for manual
configuration of the VMs and OSs used to run the appliance
Virtual Appliance - Benefits
• Developers and Appliance Vendors:
a) Reduce development and distribution costs.
b) Accelerate time to market and expand customer reach.
c) Strengthen security and improve the customer experience.
• Customers:
i. Reduce the cost of owning and operating software.
ii. Accelerate evaluations, deployment and time to value.
iii. Leverage integration with virtualization platforms.
Topic – 3
• Service Oriented Architecture –
• Role: Service Provider, Service Broker, Service Requester
• Quality of Service
• Protocol stack for SOA architecture
• Advantages of SOA
• Applications
Service
• With computer software, a service is software that performs
automated tasks, responds to hardware events, or listens for data
requests from other software
• In a user's operating system, these services are often loaded
automatically at startup, and run in the background, without user
interaction
• For example, in Microsoft Windows, many services are loaded to
accomplish different functions
• They respond to user keyboard shortcuts, index and optimize the file system,
and communicate with other devices on the local network
Service Oriented Architecture
• A loosely-integrated suite of services
• The service interfaces provide loose coupling,
• meaning they can be called with little or no knowledge of how the service is
implemented underneath,
• Reducing the dependencies between applications
• A standard method for requesting services from distributed
components and managing the results
Service Oriented Architecture
• Clients requesting services
• Components providing the services
• Protocols used to deliver messages
• Responses
• SOA provides
• translation and management layer in an architecture
• removes the barrier for a client obtaining desired services
Service-Oriented Architecture contains three
roles
• Service Requester
• Service Provider
• Service Registry
SOA - Service Provider
• A service provider is responsible for:
• creating a service description,
• publishing that service description to one or more service registries, and
• receiving Web service invocation messages from one or more service
requestors
• A service provider can be any company that hosts a Web service
made available on some network
• Think of a service provider as the "server side" of a client-server relationship
between the service requestor and the service provider
Service Description
• The service description is what the service requestor retrieves as a
result of the find operation
• Service description tells the service requestor everything it needs to
know in order to bind to or invoke the Web service provided by the
service provider
• The service description also indicates what information (if any) is
returned to the service requestor as a result of the Web service
invocation
SOA – Service Registry
• The service registry is responsible for:
• Advertising Web service descriptions published to it by service providers and
for allowing service requestors to search the collection of service descriptions
contained within the service registry
• The service registry role is simple:
• be a match-maker between service requestor and service provider
• Once the service registry makes the match, it is no longer needed in the
picture;
• the rest of the interaction is directly between the service requestor and the
service provider for the Web service invocation
SOA – Service Requester
• A service requestor is responsible for:
• finding a service description published to one or more service registries, and
• using service descriptions to bind to or invoke Web services hosted by service providers
• Any consumer of a Web service can be considered a service requestor
• Think of a service requestor as the "client side" of a client-server relationship
between the service requestor and the service provider
SOA Operations
• Publish
• Find
• Bind
SOA – Publish Operation
• The publish operation is an act of service registration or service
advertisement
• It acts as the contract between the service registry and the service
provider
• When a service provider publishes its Web service description to a
service registry, it is advertising the details of that Web service to a
community of service requestors
• The actual details of the publish API depend on how the service
registry is implemented
SOA – Find Operation
• The find operation is the contract between a service requestor and a service
registry
• With the find operation:
• the service requestor states search criteria, such as:
• type of service,
• various other aspects of the service, such as quality of service guarantees
• The service registry matches the find criteria against its collection of published
Web service descriptions
• The result of the find operation is a list of service descriptions that match the find
criteria
• Find operation always returns all Web services published to the service registry
• It's the service requestor's job to figure out which Web service description matches its need
SOA – Bind Operation
• The bind operation embodies the client-server relationship between
the service requestor and the service provider
• The bind operation can be quite sophisticated and dynamic, such as:
• on-the-fly generation of a client-side proxy based on the service description
used to invoke the Web service; or
• it can be a very static model, where a developer hand-codes the way a client
application invokes a Web service
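The publish, find and bind operations above, with the three roles (provider, registry, requestor), as an added example that is not part of the lecture; WSDL/UDDI are replaced by plain Python objects, and every class, field and endpoint name here is an assumption. The bind step shows the "dynamic" variant: a client-side proxy generated on the fly from the service description, exposing only the operations the description lists.

```python
"""Minimal SOA registry: publish -> find -> bind.  Constructed example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class ServiceDescription:
    """What a provider publishes: enough for a requestor to find and bind."""
    name: str
    service_type: str              # find criterion: type of service
    endpoint: str                  # where invocation messages are sent
    operations: Dict[str, str]     # operation name -> return type
    qos: Dict[str, float] = field(default_factory=dict)  # e.g. uptime guarantee


class ServiceRegistry:
    """Match-maker: holds published descriptions; uninvolved after binding."""

    def __init__(self) -> None:
        self._descriptions: List[ServiceDescription] = []

    def publish(self, desc: ServiceDescription) -> None:
        """Publish operation: the provider advertises its description."""
        self._descriptions.append(desc)

    def find(self, service_type: str, min_uptime: float = 0.0) -> List[ServiceDescription]:
        """Find operation: match type and QoS criteria against published descriptions."""
        return [d for d in self._descriptions
                if d.service_type == service_type
                and d.qos.get("uptime", 0.0) >= min_uptime]


class ServiceProvider:
    """Server side: hosts the implementation and receives invocation messages."""

    def __init__(self, desc: ServiceDescription, impl: Dict[str, Callable]) -> None:
        self.description = desc
        self._impl = impl          # never visible to the requestor (black box)

    def invoke(self, operation: str, *args):
        """Handle an invocation message; only described operations are served."""
        if operation not in self.description.operations:
            raise ValueError(f"operation {operation!r} not in service description")
        return self._impl[operation](*args)


def bind(desc: ServiceDescription, transport: Dict[str, ServiceProvider]):
    """Bind operation: build a client-side proxy from the description alone.
    'transport' is a constructed stand-in for the network (endpoint -> provider)."""
    provider = transport[desc.endpoint]

    class Proxy:
        """Generated on the fly; one method per described operation."""

    def make_call(name: str) -> Callable:
        return lambda self, *args: provider.invoke(name, *args)

    for op_name in desc.operations:
        setattr(Proxy, op_name, make_call(op_name))
    return Proxy()


def demo() -> dict:
    """Walk through the three operations and return the results for checking."""
    registry = ServiceRegistry()
    transport: Dict[str, ServiceProvider] = {}   # constructed network

    # Two providers publish the same service type with different QoS guarantees.
    tax = {"compute_tax": lambda amount: round(amount * 0.18, 2)}
    desc_a = ServiceDescription("TaxCalcA", "tax", "https://a.example/tax",
                                {"compute_tax": "float"}, {"uptime": 0.999})
    desc_b = ServiceDescription("TaxCalcB", "tax", "https://b.example/tax",
                                {"compute_tax": "float"}, {"uptime": 0.95})
    for desc in (desc_a, desc_b):
        transport[desc.endpoint] = ServiceProvider(desc, tax)
        registry.publish(desc)                       # publish

    matches = registry.find("tax", min_uptime=0.99)  # find, with a QoS criterion
    proxy = bind(matches[0], transport)              # bind; registry no longer needed
    return {
        "matches": [d.name for d in matches],
        "all_tax": [d.name for d in registry.find("tax")],
        "proxy_ops": [n for n in dir(proxy) if not n.startswith("_")],
        "result": proxy.compute_tax(100.0),          # invoke through the proxy
    }
```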
SOA – Quality of Service
• Policy
• Set of protocols according to which a service provider makes and provides the services to consumers
• Security
• Set of protocols required for identification and authorization
• Transaction
• Complete a business function
• Management
• Set of attributes used to manage the services
Basic principles of SOA
• Interoperability - Any client system can run a service, regardless of the
underlying platform or programming language
• For instance, business processes can use services written in both C# and
Python. Since there are no direct interactions, changes in one service do not
affect other components using the service
Basic principles of SOA
• Loose coupling - Services in SOA should be loosely coupled, having as
little dependency as possible on external resources such as data
models or information systems
• They should also be stateless without retaining any information from past
sessions or transactions
• This way, if you modify a service, it won’t significantly impact the client
applications and other services using the service
Basic principles of SOA
• Abstraction - Clients or service users in SOA need not know the
service's code logic or implementation details
• To them, services should appear like a black box
• Clients get the required information about what the service does and how to
use it through service contracts and other service description documents.
• Granularity - Services in SOA should have an appropriate size and
scope, ideally packing one discrete business function per service
• Developers can then use multiple services to create a composite service for
performing complex operations
Benefits of service-oriented architecture
• Faster time to market
• Developers reuse services across different business processes to save time
and costs
• They can assemble applications much faster with SOA than by writing code
and performing integrations from scratch
• Efficient maintenance
• It’s easier to create, update, and debug small services than large code blocks
in monolithic applications
• Modifying any service in SOA does not impact the overall functionality of the
business process
Benefits of service-oriented architecture
• Greater adaptability
• SOA is more adaptable to advances in technology. You can modernize your
applications efficiently and cost effectively
• For example, healthcare organizations can use the functionality of older
electronic health record systems in newer cloud-based applications
Limitations in implementing service-oriented architecture
• Limited scalability - System scalability is significantly impacted when
services share many resources and need to coordinate to perform
their functionality
• Increasing interdependencies – SOA systems can become more
complex over time and develop several interdependencies between
services
• They can be hard to modify or debug if several services are calling each other
in a loop
• Shared resources, such as centralized databases, can also slow down the
system
Limitations in implementing service-oriented architecture
• High overhead - Validation of input parameters is done whenever services interact; this decreases performance because it increases load and response time
• High investment - A huge initial investment is required for SOA
A protocol stack for SOA showing the relationship of each protocol to its function
Communication protocols
• Services communicate using established rules that determine data
transmission over a network
• These rules are called communication protocols. Some standard
protocols to implement SOA include the following:
• Simple Object Access Protocol (SOAP)
• RESTful HTTP
• Apache Thrift
• Apache ActiveMQ
• Java Message Service (JMS)
Web Services Description Language (WSDL)
• Describes the service interface
• Describes the binding information (how to bind to the service)
• Describes the nature of the component's service or endpoint
Service Component Definition Language (SCDL)
• Defines the service component that performs the service
• Provides the component's service information
Universal Description Discovery & Integration (UDDI)
• Most commonly used to broadcast and discover available Web services,
• often passing data in the form of Electronic Business using eXtensible Markup Language (ebXML) documents
Topic – 4
• Cloud Security
• Attacks on Cloud Environment:
• Attacks on Virtual Network,
• Virtual Machine,
• Virtual Machine Monitor,
• Virtual Storage, and
• Hardware (Low-Level)
• Security Enterprise Architecture
• NIST Security Reference Architecture
• Architectural Components and Sub-Components of Cloud Actors
Vulnerabilities, Threats, and Risks
• A vulnerability is a flaw or weakness in an asset's design, implementation, or operation and management that could be exploited by a threat.
• A threat is a potential for a threat agent to exploit a vulnerability.
• A risk is the potential for loss when the threat happens.
• The more vulnerabilities you have, the greater the potential for threats and the higher your risk.
Asset
• Asset includes people, property, and information
• People includes employees and other stakeholders of an organization,
• Property means both tangible and intangible items carrying some value
• Information means any kind of useful data such as accounts, records, etc.
• These assets are exposed to threats, risks, and vulnerabilities
An intangible asset is a non-monetary asset that cannot be seen or touched. Ex. trademark, Patents, Software
Tangible assets are physical assets that can be seen, touched and felt.
Vulnerability – exposes your organization to threats
• A vulnerability is a weakness, flaw or other shortcoming in a system
(infrastructure, database or software), but it can also exist in a process, a set of
controls, or simply just the way that something has been implemented or
deployed
• Identifying vulnerabilities is akin to answering the question,
• “How could harm occur?”
• Sometimes, a vulnerability can exist simply from an asset’s implementation or
deployment
• Example:
• A vulnerability is leaving your car unlocked in a public parking lot. Leaving the doors unlocked
does not necessarily mean harm will occur, but it is an opening for someone to go through
your car
• A vulnerability is leaving your door unlocked overnight. It alone isn’t a problem, but if a
certain person comes along and enters that door, some bad, bad things might happen.
Threat – a malicious or negative event that takes advantage of a vulnerability
• Anything that could exploit a vulnerability, which could affect the
confidentiality, integrity or availability of your systems, data, people and
more.
• Identifying threats is akin to answering the question,
• “Who or what could cause harm?”
• A threat is anything that could exploit a vulnerability and hinder the
confidentiality, integrity, and availability of anything valuable
• Threats can either be natural or human-made and accidental or deliberate
• Example:
• the owner of the car did not lock their door, so a carjacker could exploit the
opportunity. This means the threat is human-made and deliberate.
Threat
• When an adversary or attacker has the opportunity, capability and intent to bring a negative impact upon your operations, assets, workforce and/or customers
• Examples of this can include malware, ransomware, phishing attacks and more
• An attacker may have the intent and capability to do harm, but no opportunity
• Example: Your organization may have no vulnerabilities to exploit due to a solid patch management program or strong network segmentation policies that prevent access to critical systems. Chances are likely, however, that you do have vulnerabilities, so let's consider the risk factor.
Risk – the potential for loss and damage when the threat does occur
• Once we know an asset’s vulnerabilities and threats, we can
determine
• how much risk is posed to the asset owner
• This measure is the combination of the likelihood that a threat
exploits a vulnerability and the scale of harmful consequences
• Example:
• If you drive a fancy car and keep valuables in it, then your cost is high
• Also, if you park the unlocked car in a crime-laden area, then the probability
that a threat occurs is also high
• Combining these two factors shows your car is at elevated risk in this
situation.
Risk
• Risk is the probability of a negative (harmful) event occurring as well
as the potential of scale of that harm
• Cybersecurity teams begin to measure the risk:
1. Estimate how often an adversary or attacker is likely to attempt to exploit a
vulnerability to cause the desired harm.
2. Gauge how well your existing systems, controls and processes can stand up
to those attempts.
3. Determine the value of the impact or harm the adversary may cause if the
adversary is indeed successful.
• Risk = threat x vulnerability
Cloud security
• Cloud security is the set of cybersecurity measures used to protect
cloud-based applications, data, and infrastructure
• This includes –
• applying security policies, practices, controls, and other technologies like
• identity and access management and
• data loss prevention tools
• to help secure cloud environments against unauthorized access, online attacks, and
insider threats
Cloud security
• Cloud security refers to the cybersecurity policies, best practices, controls, and technologies used to secure applications, data, and infrastructure in cloud environments
• Cloud security works to provide storage and network protection against internal and external threats, access management, data governance and compliance, and disaster recovery
Cloud Security – how does it work?
Cloud security mainly focuses on
• how to implement policies, processes, and technologies together
• so they ensure:
• data protection, support regulatory compliance, and provide control over privacy, access,
and authentication for users and devices
Cloud service providers (CSPs) typically follow a shared responsibility model,
• which means implementing cloud computing security is both the responsibility of the cloud
provider and the customer
• Think of it as a responsibility framework that defines which security tasks belong to the cloud
provider and which are the duty of the customer
Cloud Security – how does it work?
• The CSP is always responsible for the cloud and its core infrastructure
• The customer is expected to secure anything that runs "in" the cloud, such as network controls, identity and access management, data, and applications
• Shared responsibility models vary depending on the service provider and the cloud computing service model you use—the more the provider manages, the more they can protect
Shared responsibility by cloud computing service model
• Infrastructure as a service (IaaS)
• Your responsibility: you secure your data, applications, virtual network controls, operating system, and user access.
• CSP responsibility: the cloud provider secures compute, storage, and physical network, including all patching and configuration.
• Platform as a service (PaaS)
• Your responsibility: you secure your data, user access, and applications.
• CSP responsibility: the cloud provider secures compute, storage, physical network, virtual network controls, and operating system.
• Software as a service (SaaS)
• Your responsibility: you are responsible for securing your data and user access.
• CSP responsibility: the cloud provider secures compute, storage, physical network, virtual network controls, operating system, applications, and middleware.
Cloud security solutions
• Cloud security is constantly evolving and adapting as new security threats
emerge
• As a result, many different types of cloud security solutions are available on
the market today, and the list below is by no means exhaustive
• Identity and access management (IAM):
• Data loss prevention (DLP):
• Security information and event management (SIEM):
• Public key infrastructure (PKI):
Identity and access management (IAM)
• IAM services and tools allow administrators to centrally manage and control
who has access to specific cloud-based and on-premises resources
• IAM can enable you to actively monitor and restrict how users interact with
services, allowing you to enforce your policies across your entire
organization.
Data loss prevention (DLP)
• DLP can help you gain visibility into the data you store and process by providing capabilities to automatically discover, classify, and de-identify regulated cloud data
Security information and event management (SIEM)
• SIEM solutions combine security information and security event
management to offer automated monitoring, detection, and incident
response to threats in your cloud environments
• Using AI and ML technologies, SIEM tools allow you to examine and analyze
log data generated across your applications and network devices—and act
quickly if a potential threat is detected
Public key infrastructure (PKI)
• PKI is the framework used to manage secure, encrypted information
exchange using digital certificates
• PKI solutions typically provide authentication services for applications and
verify that data remains uncompromised and confidential through transport
• Cloud-based PKI services allow organizations to manage and deploy digital
certificates used for user, device, and service authentication.
Benefits of Cloud Security
Greater visibility
• Only an integrated cloud-based security stack is capable of providing the centralized visibility of cloud resources and data that is vital for defending against breaches and other potential threats
• Cloud security can provide the tools, technologies, and processes to log, monitor, and analyze events for understanding exactly what's happening in your cloud environments
Centralized security
• Cloud security allows you to consolidate protection of cloud-based networks for streamlined, continuous monitoring and analysis of numerous devices, endpoints, and systems
• It also enables you to centrally manage software updates and policies from one place and even implement and action disaster recovery plans.
Benefits of Cloud Security
Reduced costs
• With cloud security, you don't have to pay for dedicated hardware to upgrade your security or use valuable resources to handle security updates and configurations
• CSPs provide advanced security features that allow for automated protection capabilities with little to no human intervention
Data protection
• The best cloud computing providers will provide data security by design, offering strong access controls, encryption for data at rest and in transit, and data loss prevention (DLP) to secure your cloud data wherever it's located or managed.
Benefits of Cloud Security
Cloud compliance
• Cloud providers go to great lengths to comply with both international and industry compliance standards, often undergoing rigorous independent verifications of their security, privacy, and compliance controls
Advanced threat detection
• Reputable CSPs also invest in cutting-edge technologies and highly skilled experts to provide real-time global threat intelligence that can detect both known and unknown threats in the wild and in your networks for faster remediation
Cloud security risks and challenges
• The cloud suffers from security risks similar to those you might encounter in traditional environments, such as insider threats, data breaches and data loss, phishing, malware, DDoS attacks, and vulnerable APIs
• Lack of visibility
• Cloud-based resources run on infrastructure that is located outside your
corporate network and owned by a third party
• As a result, traditional network visibility tools are not suitable for cloud
environments, making it difficult for you to gain oversight into all your cloud
assets, how they are being accessed, and who has access to them
Cloud security risks and challenges
• Misconfigurations
• Misconfigured cloud security settings are one of the leading causes of data breaches
in cloud environments
• Cloud-based services are made to enable easy access and data sharing, but many
organizations may not have a full understanding of how to secure cloud
infrastructure
• This can lead to misconfigurations, such as leaving default passwords in place, failing
to activate data encryption, or mismanaging permission controls
• Access management
• Cloud deployments can be accessed directly using the public internet, which enables
convenient access from any location or device
• At the same time, it also means that attackers can more easily gain access to resources using compromised credentials or improper access control
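A small audit that looks for the three misconfigurations named above (default passwords left in place, encryption not activated, over-broad permission controls) and contrasts a weak resource configuration with its corrected form. This is an added example, not the lecture's material; the configuration schema, the default-password list and all sample values are constructed for illustration.

```python
"""Audit a constructed cloud resource configuration for common misconfigurations."""
from typing import Dict, List

# Constructed stand-in for a maintained list of vendor default credentials.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default"}
ANONYMOUS_PRINCIPALS = {"*", "anonymous", "allUsers"}   # assumed policy vocabulary


def audit_config(cfg: Dict) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []

    # 1. Default passwords left in place
    for user in cfg.get("users", []):
        if user.get("password", "").lower() in DEFAULT_PASSWORDS:
            findings.append(f"default password on user {user['name']!r}")

    # 2. Data encryption not activated (at rest or in transit)
    enc = cfg.get("encryption", {})
    if not enc.get("at_rest", False):
        findings.append("encryption at rest disabled")
    if not enc.get("in_transit", False):
        findings.append("encryption in transit (TLS) disabled")

    # 3. Mismanaged permission controls: allow rules for anonymous/wildcard principals
    for stmt in cfg.get("policy", []):
        if stmt.get("effect") == "allow" and stmt.get("principal") in ANONYMOUS_PRINCIPALS:
            findings.append(
                f"policy grants {stmt.get('actions')} to principal {stmt['principal']!r}")
    return findings


# Constructed weak configuration of a storage bucket (all values illustrative)
WEAK_CONFIG = {
    "resource": "bucket/customer-records",
    "users": [{"name": "admin", "password": "admin"}],
    "encryption": {"at_rest": False, "in_transit": True},
    "policy": [{"effect": "allow", "principal": "*", "actions": ["read", "list"]}],
}

# The same bucket with each misconfiguration corrected
HARDENED_CONFIG = {
    "resource": "bucket/customer-records",
    "users": [{"name": "admin", "password": "<rotated-strong-secret-placeholder>"}],
    "encryption": {"at_rest": True, "in_transit": True},
    "policy": [{"effect": "allow", "principal": "role/records-app", "actions": ["read"]}],
}
```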
Cloud security risks and challenges
• Dynamic workloads
• Cloud resources can be provisioned and dynamically scaled up or down based on
your workload needs
• However, many legacy security tools are unable to enforce policies in flexible
environments with constantly changing and ephemeral workloads that can be added
or removed in a matter of seconds
• Compliance
• The cloud adds another layer of regulatory and internal compliance requirements
that you can violate even if you don’t experience a security breach
• Managing compliance in the cloud is an overwhelming and continuous process
• Unlike an on-premises data center where you have complete control over your data
and how it is accessed, it is much harder for companies to consistently identify all
cloud assets and controls, map them to relevant requirements, and properly
document everything.
Top Threats to Cloud Computing V1.0
Prepared by the Cloud Security Alliance
March 2010
Top Threats to Cloud Computing V1.0
Introduction
The permanent and official location for the Cloud Security Alliance Top Threats research is:
http://www.cloudsecurityalliance.org/topthreats
© 2010 Cloud Security Alliance.
All rights reserved. You may download, store, display on your computer, view, print, and link to the
Cloud Security Alliance “Top Threats to Cloud Computing” at
http://www.cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf subject to the following: (a) the
Guidance may be used solely for your personal, informational, non-commercial use; (b) the Guidance
may not be modified or altered in any way; (c) the Guidance may not be redistributed; and (d) the
trademark, copyright or other notices may not be removed. You may quote portions of the Guidance as
permitted by the Fair Use provisions of the United States Copyright Act, provided that you attribute the
portions to the Cloud Security Alliance “Top Threats to Cloud Computing” Version 1.0 (2010).
Copyright © 2010 Cloud Security Alliance 2
Table of Contents
Introduction (p. 2)
Foreword (p. 4)
Executive Summary (p. 6)
Threat #1: Abuse and Nefarious Use of Cloud Computing (p. 8)
Threat #2: Insecure Interfaces and APIs (p. 9)
Threat #3: Malicious Insiders (p. 10)
Threat #4: Shared Technology Issues (p. 11)
Threat #5: Data Loss or Leakage (p. 12)
Threat #6: Account or Service Hijacking (p. 13)
Threat #7: Unknown Risk Profile (p. 14)
Foreword
Welcome to the Cloud Security Alliance’s “Top Threats to Cloud Computing”, Version 1.0. This is one
of many research deliverables CSA will release in 2010.
Also, we encourage you to download and review our flagship research, “Security Guidance for Critical
Areas of Focus in Cloud Computing”, which you can download at:
http://www.cloudsecurityalliance.org/guidance
The Cloud Security Alliance would like to thank HP for their assistance in underwriting this research
effort.
Best Regards,
Jerry Archer, Dave Cullinane, Nils Puhlmann, Alan Boehme, Paul Kurtz, Jim Reavis
The Cloud Security Alliance Board of Directors
Underwritten by HP
Acknowledgments
Working Group Leaders
Dan Hubbard, Websense
Michael Sutton, Zscaler
Contributors
Amer Deeba, Qualys
Andy Dancer, Trend Micro
Brian Shea, Bank of America
Craig Balding, CloudSecurity.org
Dennis Hurst, HP
Glenn Brunette, Oracle
Jake Lee, Bank of America
Jason Witty, Bank of America
Jim Reavis, Cloud Security Alliance
John Howie, Microsoft
Josh Zachry, Rackspace
Ken Biery, Verizon Business
Martin Roesler, Trend Micro
Matthew Becker, Bank of America
Mike Geide, Zscaler
Scott Matsumoto, Cigital
Scott Morrison, Layer 7 Technologies
William Thornhill, Bank of America
Wolfgang Kandek, Qualys
Advisory Committee
Archie Reed, HP
Daniele Catteddu, ENISA – European Network and Information Security Agency
Dave Cullinane, eBay
Giles Hogben, ENISA – European Network and Information Security Agency
Gunter Ollmann, Damballa
Jens Jensen, Open Grid Forum
Joshua Pennell, IOActive
Nils Puhlmann, Zynga
Rick Howard, VeriSign
Executive Summary
Cloud Computing represents one of the most significant shifts in information technology many of us are
likely to see in our lifetimes. Reaching the point where computing functions as a utility has great
potential, promising innovations we cannot yet imagine.
Customers are both excited and nervous at the prospects of Cloud Computing. They are excited by the
opportunities to reduce capital costs. They are excited for a chance to divest themselves of infrastructure
management, and focus on core competencies. Most of all, they are excited by the agility offered by the
on-demand provisioning of computing and the ability to align information technology with business
strategies and needs more readily. However, customers are also very concerned about the risks of Cloud
Computing if not properly secured, and the loss of direct control over systems for which they are
nonetheless accountable.
To aid both cloud customers and cloud providers, CSA developed “Security Guidance for Critical Areas
in Cloud Computing”, initially released in April 2009, and revised in December 2009. This guidance has
quickly become the industry standard catalogue of best practices to secure Cloud Computing, consistently
lauded for its comprehensive approach to the problem, across 13 domains of concern. Numerous
organizations around the world are incorporating the guidance to manage their cloud strategies. The
guidance document can be downloaded at www.cloudsecurityalliance.org/guidance.
The great breadth of recommendations provided by CSA guidance creates an implied responsibility for
the reader. Not all recommendations are applicable to all uses of Cloud Computing. Some cloud services
host customer information of very low sensitivity, while others represent mission critical business
functions. Some cloud applications contain regulated personal information, while others instead provide
cloud-based protection against external threats. It is incumbent upon the cloud customer to understand
the organizational value of the system they seek to move into the cloud. Ultimately, CSA guidance must
be applied within the context of the business mission, risks, rewards, and cloud threat environment —
using sound risk management practices.
The purpose of this document, “Top Threats to Cloud Computing”, is to provide needed context to assist
organizations in making educated risk management decisions regarding their cloud adoption strategies. In
essence, this threat research document should be seen as a companion to “Security Guidance for Critical
Areas in Cloud Computing”. As the first deliverable in the CSA’s Cloud Threat Initiative, the “Top
Threats” document will be updated regularly to reflect expert consensus on the probable threats which
customers should be concerned about.
There has been much debate about what is “in scope” for this research. We expect this debate to continue
and for future versions of “Top Threats to Cloud Computing” to reflect the consensus emerging from
those debates. While many issues, such as provider financial stability, create significant risks to
customers, we have tried to focus on issues we feel are either unique to or greatly amplified by the key
characteristics of Cloud Computing and its shared, on-demand nature. We identify the following threats
in our initial document:
Abuse and Nefarious Use of Cloud Computing
Insecure Application Programming Interfaces
Malicious Insiders
Shared Technology Vulnerabilities
Data Loss/Leakage
Account, Service & Traffic Hijacking
Unknown Risk Profile
The threats are not listed in any order of severity. Our advisory committee did evaluate the threats and
each committee member provided a subjective ranking of the threats. The exercise helped validate that
our threat listing reflected the critical threat concerns of the industry, however the cumulative ranking did
not create a compelling case for a published ordered ranking, and it is our feeling that greater industry
participation is required to take this step. The only threat receiving a consistently lower ranking was
Unknown Risk Profile, however the commentary indicated that this is an important issue that is simply
more difficult to articulate, so we decided to retain this threat and seek to further clarify it in future
editions of the report.
Selecting appropriate security controls and otherwise deploying scarce security resources optimally
require a correct reading of the threat environment. For example, to the extent Insecure APIs
(Application Programming Interfaces) is seen as a top threat, a customer’s project to deploy custom line-
of-business applications using PaaS (Platform as a Service) will dictate careful attention to application
security domain guidance, such as robust software development lifecycle (SDLC) practices. By the same
token, to the extent Shared Technology Vulnerabilities is seen as a top threat, customers must pay careful
attention to the virtualization domain best practices, in order to protect assets commingled in shared
environments.
In addition to the flagship CSA guidance and other research in our roadmap, this research should be seen
as complementary to the high quality November 2009 research document produced by ENISA (European
Network and Information Security Agency), “Cloud Computing: Benefits, Risks and Recommendations
for Information Security”. ENISA’s research provides a comprehensive risk management view of Cloud
Computing and contains numerous solid recommendations. The ENISA document has been a key
inspiration, and we have leveraged the ENISA risk assessment process to analyze our taxonomy of
threats. We encourage readers of this document to also read the ENISA document:
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
Our goal is to provide a threat identification deliverable that can be quickly updated to reflect the
dynamics of Cloud Computing and its rapidly evolving threat environment. We look forward to your
participation on subsequent versions of “Top Threats to Cloud Computing”, as we continue to refine our
list of threats, and to your input as we all figure out how to secure Cloud Computing.
Threat #1: Abuse and Nefarious Use of Cloud Computing
Description
IaaS providers offer their customers the illusion of unlimited compute, network, and storage capacity — often coupled with a ‘frictionless’ registration process where anyone with a valid credit card can register and immediately begin using cloud services. Some providers even offer free limited trial periods. By abusing the relative anonymity behind these registration and usage models, spammers, malicious code authors, and other criminals have been able to conduct their activities with relative impunity. PaaS providers have traditionally suffered most from this kind of attack; however, recent evidence shows that hackers have begun to target IaaS vendors as well. Future areas of concern include password and key cracking, DDOS, launching dynamic attack points, hosting malicious data, botnet command and control, building rainbow tables, and CAPTCHA solving farms.
Examples
IaaS offerings have hosted the Zeus botnet, InfoStealer trojan horses, and downloads for Microsoft Office and Adobe PDF exploits. Additionally, botnets have used IaaS servers for command and control functions. Spam continues to be a problem — as a defensive measure, entire blocks of IaaS network addresses have been publicly blacklisted.
Remediation
Stricter initial registration and validation processes.
Enhanced credit card fraud monitoring and coordination.
Comprehensive introspection of customer network traffic.
Monitoring public blacklists for one’s own network blocks.
Impact
Criminals continue to leverage new technologies to improve their reach, avoid detection, and improve the effectiveness of their activities. Cloud Computing providers are actively being targeted, partially because their relatively weak registration systems facilitate anonymity, and providers’ fraud detection capabilities are limited.
CSA Guidance Reference
Domain 8: Data Center Operations
Domain 9: Incident Response, Notification and Remediation
Service Models
IaaS, PaaS, SaaS
References
http://www.malwaredomainlist.com/
http://blogs.zdnet.com/security/?p=5110
http://voices.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html
Threat #2: Insecure Interfaces and APIs
Description
Cloud Computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. Provisioning, management, orchestration, and monitoring are all performed using these interfaces. The security and availability of general cloud services is dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. Furthermore, organizations and third parties often build upon these interfaces to offer value-added services to their customers. This introduces the complexity of the new layered API; it also increases risk, as organizations may be required to relinquish their credentials to third parties in order to enable their agency.
Impact
While most providers strive to ensure security is well integrated into their service models, it is critical for consumers of those services to understand the security implications associated with the usage, management, orchestration and monitoring of cloud services. Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.
Examples
Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies.
Remediation
• Analyze the security model of cloud provider interfaces.
• Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
• Understand the dependency chain associated with the API.
CSA Guidance Reference
Domain 10: Application Security
Service Models
IaaS, PaaS, SaaS
References
http://www.programmableweb.com
http://securitylabs.websense.com/content/Blogs/3402.aspx
Threat #3: Malicious Insiders
Description
The threat of a malicious insider is well-known to most organizations. This threat is amplified for consumers of cloud services by the convergence of IT services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. To complicate matters, there is often little or no visibility into the hiring standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary — ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection.
Impact
The impact that malicious insiders can have on an organization is considerable, given their level of access and ability to infiltrate organizations and assets. Brand damage, financial impact, and productivity losses are just some of the ways a malicious insider can affect an operation. As organizations adopt cloud services, the human element takes on an even more profound importance. It is critical therefore that consumers of cloud services understand what providers are doing to detect and defend against the malicious insider threat.
Examples
No public examples are available at this time.
Remediation
• Enforce strict supply chain management and conduct a comprehensive supplier assessment.
• Specify human resource requirements as part of legal contracts.
• Require transparency into overall information security and management practices, as well as compliance reporting.
• Determine security breach notification processes.
CSA Guidance Reference
Domain 2: Governance and Enterprise Risk Management
Domain 7: Traditional Security, Business Continuity, and Disaster Recovery
Service Models
IaaS, PaaS, SaaS
References
http://blogs.bankinfosecurity.com/posts.php?postID=140
http://technicalinfodotnet.blogspot.com/2010/01/tethered-espionage.html
Threat #4: Shared Technology Issues
Description
IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (e.g., CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture. To address this gap, a virtualization hypervisor mediates access between guest operating systems and the physical compute resources. Still, even hypervisors have exhibited flaws that have enabled guest operating systems to gain inappropriate levels of control or influence on the underlying platform. A defense in depth strategy is recommended, and should include compute, storage, and network security enforcement and monitoring. Strong compartmentalization should be employed to ensure that individual customers do not impact the operations of other tenants running on the same cloud provider. Customers should not have access to any other tenant’s actual or residual data, network traffic, etc.
Impact
Attacks have surfaced in recent years that target the shared technology inside Cloud Computing environments. Disk partitions, CPU caches, GPUs, and other shared elements were never designed for strong compartmentalization. As a result, attackers focus on how to impact the operations of other cloud customers, and how to gain unauthorized access to data.
Examples
• Joanna Rutkowska’s Red and Blue Pill exploits
• Kortchinsky’s CloudBurst presentations.
Remediation
• Implement security best practices for installation/configuration.
• Monitor environment for unauthorized changes/activity.
• Promote strong authentication and access control for administrative access and operations.
• Enforce service level agreements for patching and vulnerability remediation.
• Conduct vulnerability scanning and configuration audits.
CSA Guidance Reference
Domain 8: Data Center Operations
Domain 13: Virtualization
Service Models
IaaS, PaaS, SaaS
References
http://theinvisiblethings.blogspot.com/2008/07/0wning-xen-in-vegas.html
http://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-PAPER.pdf
http://www.microsoft.com/technet/security/Bulletin/MS10-010.mspx
http://blogs.vmware.com/security/2010/01/announcing-vsphere-40-hardening-guide-public-draft-release.html
Threat #5: Data Loss or Leakage
Description
There are many ways to compromise data. Deletion or alteration of records without a backup of the original content is an obvious example. Unlinking a record from a larger context may render it unrecoverable, as can storage on unreliable media. Loss of an encoding key may result in effective destruction. Finally, unauthorized parties must be prevented from gaining access to sensitive data. The threat of data compromise increases in the cloud, due to the number of and interactions between risks and challenges which are either unique to cloud, or more dangerous because of the architectural or operational characteristics of the cloud environment.
Impact
Data loss or leakage can have a devastating impact on a business. Beyond the damage to one’s brand and reputation, a loss could significantly impact employee, partner, and customer morale and trust. Loss of core intellectual property could have competitive and financial implications. Worse still, depending upon the data that is lost or leaked, there might be compliance violations and legal ramifications.
Examples
Insufficient authentication, authorization, and audit (AAA) controls; inconsistent use of encryption and software keys; operational failures; persistence and remanence challenges; disposal challenges; risk of association; jurisdiction and political issues; data center reliability; and disaster recovery.
Remediation
• Implement strong API access control.
• Encrypt and protect integrity of data in transit.
• Analyze data protection at both design and run time.
• Implement strong key generation, storage and management, and destruction practices.
• Contractually demand providers wipe persistent media before it is released into the pool.
• Contractually specify provider backup and retention strategies.
CSA Guidance Reference
Domain 5: Information Lifecycle Management
Domain 11: Encryption and Key Management
Domain 12: Identity and Access Management
Service Models
IaaS, PaaS, SaaS
References
http://en.wikipedia.org/wiki/Microsoft_data_loss_2009
http://news.cnet.com/8301-13846_3-10029707-62.html
http://nylawblog.typepad.com/suigeneris/2009/11/does-cloud-computing-compromise-clients.html
Threat #6: Account or Service Hijacking
Description
Account or service hijacking is not new. Attack methods such as phishing, fraud, and exploitation of software vulnerabilities still achieve results. Credentials and passwords are often reused, which amplifies the impact of such attacks. Cloud solutions add a new threat to the landscape. If an attacker gains access to your credentials, they can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. Your account or service instances may become a new base for the attacker. From here, they may leverage the power of your reputation to launch subsequent attacks.
Impact
Account and service hijacking, usually with stolen credentials, remains a top threat. With stolen credentials, attackers can often access critical areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity and availability of those services. Organizations should be aware of these techniques as well as common defense in depth protection strategies to contain the damage (and possible litigation) resulting from a breach.
Examples
No public examples are available at this time.
Remediation
• Prohibit the sharing of account credentials between users and services.
• Leverage strong two-factor authentication techniques where possible.
• Employ proactive monitoring to detect unauthorized activity.
• Understand cloud provider security policies and SLAs.
CSA Guidance Reference
Domain 2: Governance and Enterprise Risk Management
Domain 9: Incident Response, Notification and Remediation
Domain 12: Identity and Access Management
Service Models
IaaS, PaaS, SaaS
References
http://www.infoworld.com/d/cloud-computing/hackers-find-home-in-amazons-ec2-cloud-742
http://vmetc.com/2009/03/12/virtual-machine-sniffer-on-esx-hosts/
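The remediation for this threat calls for strong two-factor authentication where possible. The following is an added example, not part of the CSA document or the course slides, of a time-based one-time password (TOTP, RFC 6238) generator and verifier written with only Python's standard library. The secret is the RFC 6238 reference secret and the verifier's clock is injected as constructed test data. The verifier tolerates one 30-second step of clock drift in either direction and refuses any code for a time step at or before one it has already accepted, so a code that an attacker captures is useless once the legitimate user has logged in with it.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals elapsed since the Unix epoch."""
    return hotp(secret, int(for_time) // step, digits)


def enrollment_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, which is what authenticator apps are
    handed at enrollment (usually inside an otpauth:// URI or a QR code)."""
    return base64.b32encode(secret).decode().rstrip("=")


class TotpVerifier:
    """Server side of the second factor for one enrolled user."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew_steps: int = 1, now=time.time):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew_steps = skew_steps      # steps of clock drift tolerated in each direction
        self.now = now                    # injectable clock, so the logic can be tested offline
        self.last_accepted_step = -1      # highest time step whose code has already been used

    def verify(self, code: str) -> bool:
        current = int(self.now()) // self.step
        for offset in range(-self.skew_steps, self.skew_steps + 1):
            candidate_step = current + offset
            # A code for this step (or an earlier one) was already accepted: refuse it,
            # so a code captured in transit cannot be replayed within its window.
            if candidate_step <= self.last_accepted_step:
                continue
            expected = hotp(self.secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_accepted_step = candidate_step
                return True
        return False
```

In a real deployment the per-user secret and `last_accepted_step` live in the identity store, and the second factor is checked only after the password has been verified, so that a password-only credential stolen by phishing does not by itself grant access.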
Threat #7: Unknown Risk Profile
Description
One of the tenets of Cloud Computing is the reduction of hardware and software ownership and maintenance to allow companies to focus on their core business strengths. This has clear financial and operational benefits, which must be weighed carefully against the contradictory security concerns — complicated by the fact that cloud deployments are driven by anticipated benefits, by groups who may lose track of the security ramifications. Versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design, are all important factors for estimating your company’s security posture. Information about who is sharing your infrastructure may be pertinent, in addition to network intrusion logs, redirection attempts and/or successes, and other logs. Security by obscurity may be low effort, but it can result in unknown exposures. It may also impair the in-depth analysis required by highly controlled or regulated operational areas.
Impact
When adopting a cloud service, the features and functionality may be well advertised, but what about details or compliance of the internal security procedures, configuration hardening, patching, auditing, and logging? How are your data and related logs stored and who has access to them? What information if any will the vendor disclose in the event of a security incident? Often such questions are not clearly answered or are overlooked, leaving customers with an unknown risk profile that may include serious threats.
Examples
• IRS asked Amazon EC2 to perform a C&A; Amazon refused. http://news.qualys.com/newsblog/forrester-cloud-computing-qa.html
• Heartland Data Breach: Heartland’s payment processing systems were using known-vulnerable software and actually infected, but Heartland was “willing to do only the bare minimum and comply with state laws instead of taking the extra effort to notify every single customer, regardless of law, about whether their data has been stolen.” http://www.pcworld.com/article/158038/heartland_has_no_heart_for_violated_customers.html
Remediation
• Disclosure of applicable logs and data.
• Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.).
• Monitoring and alerting on necessary information.
CSA Guidance Reference
Domain 2: Governance and Enterprise Risk Management
Domain 3: Legal and Electronic Discovery
Domain 8: Data Center Operations
Domain 9: Incident Response, Notification and Remediation
Service Models
IaaS, PaaS, SaaS
References
http://searchsecurity.techtarget.com/magazineFeature/0,296894,sid14_gci1349670,00.html
http://chenxiwang.wordpress.com/2009/11/24/follow-up-cloud-security/
http://www.forrester.com/cloudsecuritywebinar
http://www.cerias.purdue.edu/site/blog/post/symposium_summary_security_in_the_cloud_panel/
Attacks on Cloud Computing Environment
• Attacks on Virtual Network
• Attacks on Virtual Machine
• Attacks on Virtual Machine Monitor
• Attacks on Virtual Storage
• Attacks on Hardware (Low-Level)
Attacks on Virtual Network
• Man-In-The-Middle attack
• VM Traffic Sniffing
• VM Traffic Spoofing
• VM Port Scanning
• Denial of Service
Attacks on Virtual Network
Man-In-The-Middle attack:
• An adversary may sit between two VMs and try to sniff the packets passing through it, either while a VM is being migrated or while VMs communicate with each other.
• An attacker can modify the data in the communication by generating its own private key and sending it to the CSP on behalf of the legitimate user.
VM Traffic Spoofing:
• All VMs on the same network segment are open to attack and compromise from other VMs present on the same network.
• A malicious user on one VM can perform IP spoofing, in which attack traffic is generated on behalf of a legitimate tenant user and sent to the destination VM.
Attacks on Virtual Network
VM Port Scanning:
• Port scanning does not by itself harm the VMs, but it gives the attacker specific information about the status of the ports that can be used for further attacks such as DoS attacks.
Denial of Service:
• The attacker floods the broadcast address with spoofed packets whose sender address is the IP address of a target VM providing a service on the cloud.
• On receiving the packets, each node responds to the server hosting the VM with that spoofed IP, consuming its resources so that it can no longer provide its intended service.
Attacks on Virtual Network
• VM Traffic Sniffing:
• VMs are connected via virtual switches, so packet sniffing is done at the virtual switch level.
• Physically, the VMs share the same hardware resources.
• An attacker can exploit this by sniffing the virtual network to gain sensitive information about the VMs.
Attacks on Virtual Machine
Cross-VM Side Channel
Guest Denial-of-Service
VM Escape
VM Information leakage
VM Sprawling
Malware Infection
Attack on Web Applications Hosted on VM
Attacks on Virtual Machine
Cross-VM Side Channel:
• Timing, cache behaviour, heat and power usage are used to extract confidential information
Guest Denial-of-Service:
• A VM can consume all the resources, causing DoS to other applications
VM Escape:
• An attack in which the attacker gains access to memory that is beyond the reach of the compromised tenant VM: breaking out of a VM and interacting with the VMM / host operating system
Attacks on Virtual Machine
VM Information leakage:
• This can be caused by virtual machine introspection (VMI) functions that access hardware state, system call information, or breakpoint injection
Malware Infection:
• An attacker can inject malware into a VM to gain root access. The malware can be a worm, or malicious code injected into a normal program
Attack on Web Applications Hosted on VM:
• Cross Site Scripting, Phishing, Cookie Manipulation
Attacks on Virtual Machine Monitor
• VMM DoS
• VMM Malware Injection
• VMM Hyperjacking
• VMM Backdoor
Attacks on Virtual Machine Monitor
VMM DoS:
• Resource starvation of RAM, CPU and bandwidth causes DoS, resulting in shutdown or restart of the VM each time.
VMM Malware Injection:
• Injected malware can disable or infect a critical component like the VMM
Attacks on Virtual Machine Monitor
VMM Hyperjacking:
• Installing a rogue hypervisor that can take complete control of a server. Hypervisor-level rootkits exploit hardware virtualization features.
VMM Backdoor:
• An attacker can take a backdoor entry into the hypervisor’s privileged domains by overwriting the hypervisor code and manipulating kernel data structures of the guest OS
Attacks on Virtual Storage
• Data Leakage
• Data Remanence
• Dumpster Diving
• Hash Value Manipulation
Attacks on Virtual Storage
• Data Leakage:
• Attacks such as password guessing and dumpster diving can lead to VM data leakage
• An attacker can also use a keylogger to obtain credentials for the target VM and breach its data.
Attacks on Virtual Storage
• Data Remanence:
• Data remanence is the residual information that remains after data has been deleted.
• File handling operations such as reformatting of storage or a deletion operation may leave data remanence behind.
• Such remanence can cause disclosure of sensitive information
Attacks on Virtual Storage
• Dumpster Diving
• Dumpster diving is an attempt to derive information from data that has been declared as waste.
• The attacker recovers data discarded by cloud users or administrators in order to extract useful information from it.
Attacks on Virtual Storage
• Hash Value Manipulation:
• An attacker may manipulate the hash value of a message and thereby get authorized access to a file stored on the server.
• If the manipulated hash value exists in the database, the server links the file to that hash value.
• If the modified hash value does not exist, the server requests the file from the user.
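The slide describes a deduplicating store that links a file to whoever presents a matching hash, so knowledge of the hash alone is treated as ownership. The Python below is an added example, not from the course material or any real storage service, that places that design next to a hardened one requiring proof of possession: the server answers a hash claim with a fresh nonce and random byte ranges, and links the file only if the client returns the HMAC that a holder of the actual bytes would compute. The store, user names and file contents are constructed sample data.

```python
import hashlib
import hmac
import secrets


def proof_of_possession(data: bytes, nonce: bytes, ranges) -> str:
    """HMAC keyed with the server's nonce over the challenged byte ranges. Only a
    party holding the bytes can compute it, and the fresh nonce makes each proof
    single-use, so a proof observed once cannot be replayed for another account."""
    mac = hmac.new(nonce, digestmod=hashlib.sha256)
    for start, end in ranges:
        mac.update(data[start:end])
    return mac.hexdigest()


class DedupStorageServer:
    """Toy content-addressed store (constructed, not a real service): blobs maps a
    SHA-256 hex digest to the bytes; owners maps it to the users allowed to read it."""

    def __init__(self):
        self.blobs = {}
        self.owners = {}
        self.pending = {}  # challenge id -> (hash, nonce, ranges)

    def upload(self, user: str, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self.blobs[digest] = data
        self.owners.setdefault(digest, set()).add(user)
        return digest

    # --- weak design, as described on the slide --------------------------------
    def link_by_hash(self, user: str, claimed_hash: str) -> str:
        """Trusts the client's hash: anyone who obtains a hash that exists in the
        database is linked to, and can then read, another tenant's file."""
        if claimed_hash not in self.blobs:
            return "upload required"
        self.owners[claimed_hash].add(user)
        return "linked"

    # --- hardened design: demand proof that the client holds the bytes ---------
    def challenge(self, claimed_hash: str, samples: int = 4, sample_len: int = 64):
        """Returns (challenge id, nonce, byte ranges), or None when the file is
        unknown, in which case the client simply uploads it."""
        data = self.blobs.get(claimed_hash)
        if data is None:
            return None
        nonce = secrets.token_bytes(16)
        ranges = []
        for _ in range(samples):
            start = secrets.randbelow(max(len(data) - sample_len, 0) + 1)
            ranges.append((start, min(start + sample_len, len(data))))
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = (claimed_hash, nonce, ranges)
        return challenge_id, nonce, ranges

    def link_with_proof(self, user: str, challenge_id: str, proof: str) -> str:
        entry = self.pending.pop(challenge_id, None)  # every challenge is answered at most once
        if entry is None:
            return "rejected"
        claimed_hash, nonce, ranges = entry
        expected = proof_of_possession(self.blobs[claimed_hash], nonce, ranges)
        if not hmac.compare_digest(expected, proof):
            return "rejected"
        self.owners[claimed_hash].add(user)
        return "linked"
```

Sampling random ranges rather than hashing the whole file keeps the check cheap for large objects while still defeating a client that knows only the digest; a client that knows only part of the file fails whenever a challenged range falls outside what it holds.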
Attacks on Hardware (Low-Level)
Direct Memory Access (DMA) Attack
System Management Mode (SMM)
Basic Input/Output System (BIOS)
If physical access to the host machine is obtained, it may facilitate hardware
threats on the machine
Attacks on Hardware (Low-Level)
• Direct Memory Access (DMA) Attack:
• DMA code can be subjected to malware infection to launch stealthy attacks against the host kernel by executing on dedicated hardware.
• An attacker can access cryptographic keys for the hard disk and the user's sensitive information located in a cache
Attacks on Hardware (Low-Level)
• System Management Mode (SMM)
• SMM is a highly privileged mode of the CPU which deals with system security and power management functions
• On assertion of the SMM pin, the CPU saves its entire state in a separate address region called SMRAM.
• SMM is vulnerable to a cache poisoning attack which allows an attacker to insert malicious code temporarily into SMRAM.
Attacks on Hardware (Low-Level)
• Basic Input/Output System (BIOS)
• BIOS is responsible for the implementation of SMM
• Any vulnerability in BIOS can be used to tamper with the functioning of SMM and allow an attacker to gain illegitimate access to system security functions
Top Threats to Cloud Computing
Insecure Interfaces and APIs
• Cloud Computing providers expose a set of software interfaces or APIs that
customers use to manage and interact with cloud services
• Provisioning, management, orchestration, and monitoring are all performed using
these interfaces
• The security and availability of general cloud services is dependent upon the
security of these basic APIs
• From authentication and access control to encryption and activity monitoring,
these interfaces must be designed to protect against both accidental and
malicious attempts to circumvent policy
• Furthermore, organizations and third parties often build upon these interfaces to
offer value-added services to their customers
• This introduces the complexity of the new layered API; it also increases risk, as organizations
may be required to relinquish their credentials to third parties in order to enable their
agency.
Insecure Interfaces and APIs
• Impact
• While most providers strive to ensure security is well integrated into their
service models, it is critical for consumers of those services to understand the
security implications associated with the usage, management, orchestration
and monitoring of cloud services
• Reliance on a weak set of interfaces and APIs exposes organizations to a
variety of security issues related to confidentiality, integrity, availability and
accountability.
Insecure Interfaces and APIs
Examples
• Anonymous access and/or reusable tokens or passwords, clear-text authentication or transmission of content, inflexible access controls or improper authorizations, limited monitoring and logging capabilities, unknown service or API dependencies
Remediation
• Analyze the security model of cloud provider interfaces
• Ensure strong authentication and access controls are implemented in concert with encrypted transmission
• Understand the dependency chain associated with the API
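The examples listed for this threat (reusable tokens, clear-text authentication) and the remediation (strong authentication and access control in concert with encrypted transmission) are the problems that request signing in cloud management APIs is meant to solve, both in the CSA Threat #2 text and in this slide summary. As an added example, not from the CSA document and not any provider's SDK, the Python below implements a hypothetical signed-request scheme of the kind such APIs use: every request carries an HMAC-SHA256 over the method, path, body digest, timestamp and a random nonce; the server rejects stale timestamps and repeated nonces and compares signatures in constant time. Key ids, secrets and header names are constructed for the example. The scheme complements TLS rather than replacing it: TLS protects the body in transit, the signature proves who sent the request and that it was not altered or replayed.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical credential store: access key id -> shared secret (constructed sample data).
KEYS = {"AKID-EXAMPLE": b"example-shared-secret-not-for-production"}
MAX_SKEW_SECONDS = 300  # requests time-stamped further than this from server time are rejected


def canonical_request(method: str, path: str, body: bytes, timestamp: int, nonce: str) -> bytes:
    """The exact bytes the signature covers. Binding method, path and a body digest
    into the signature means a captured signature cannot be re-used for a different
    operation, resource or payload."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_digest, str(timestamp), nonce]).encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str, body: bytes,
                 timestamp=None, nonce=None) -> dict:
    """Client side: build the authentication headers for one request. A fresh random
    nonce per request is what makes each signature single-use."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    signature = hmac.new(secret, canonical_request(method, path, body, timestamp, nonce),
                         hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": signature}


class RequestVerifier:
    """Server side. Remembers nonces seen inside the skew window so that a captured
    request cannot simply be sent again."""

    def __init__(self, keys: dict, now=time.time):
        self.keys = keys
        self.now = now            # injectable clock so the logic can be tested offline
        self.seen_nonces = {}     # nonce -> timestamp it was presented with

    def verify(self, method: str, path: str, body: bytes, headers: dict):
        secret = self.keys.get(headers.get("X-Key-Id", ""))
        if secret is None:
            return False, "unknown key id"
        try:
            timestamp = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        now = int(self.now())
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return False, "timestamp outside allowed window"
        # Forget nonces whose timestamps have expired: they can no longer be replayed anyway.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if now - t <= MAX_SKEW_SECONDS}
        nonce = headers.get("X-Nonce", "")
        if not nonce or nonce in self.seen_nonces:
            return False, "missing or replayed nonce"
        expected = hmac.new(secret, canonical_request(method, path, body, timestamp, nonce),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison: an early-exit string compare would leak how many
        # leading characters of a guessed signature were right through response timing.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        self.seen_nonces[nonce] = timestamp   # record only after the signature checks out
        return True, "ok"
```

Note what this does not cover: the shared secret still has to be issued, rotated and revoked per principal, and the server still needs an authorization decision after authentication, which is the "access control" half of the remediation.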
Malicious Insiders
• This threat is amplified for consumers of cloud services by the convergence
of IT services and customers under a single management domain,
combined with a general lack of transparency into provider process and
procedure
• For example,
• a provider may not reveal how it grants employees access to physical and virtual
assets, how it monitors these employees, or how it analyzes and reports on policy
compliance
• To complicate matters, there is often little or no visibility into the hiring standards
and practices for cloud employees
• This kind of situation clearly creates an attractive opportunity for an adversary —
ranging from the hobbyist hacker, to organized crime, to corporate espionage, or
even nation-state sponsored intrusion. The level of access granted could enable such
an adversary to harvest confidential data or gain complete control over the cloud
services with little or no risk of detection
Malicious Insiders - Impact
• The impact that malicious insiders can have on an organization is
considerable, given their level of access and ability to infiltrate
organizations and assets. Brand damage, financial impact, and
productivity losses are just some of the ways a malicious insider can
affect an operation
• As organizations adopt cloud services, the human element takes on
an even more profound importance. It is critical therefore that
consumers of cloud services understand what providers are doing to
detect and defend against the malicious insider threat.
Malicious Insiders - Remediation
• Enforce strict supply chain management and conduct a
comprehensive supplier assessment
• Specify human resource requirements as part of legal contracts.
• Require transparency into overall information security and
management practices, as well as compliance reporting
• Determine security breach notification processes.
Security and Privacy Issues and Recommendations
NIST Guidelines on Security and Privacy in Public Cloud Computing
Security and Privacy Issues and Recommendations
• Governance
• Compliance
• Trust
• Architecture
• Identity and Access Management
• Software Isolation
• Data Protection
• Availability
• Incident Response
Security and Privacy Issues and Recommendations
• Governance - policies, procedures, and standards
• Compliance - data location, privacy and security controls, records
management, and electronic discovery requirements
• Trust - Continuously monitor the security state of the information
system to support on-going risk management decisions
• Architecture - the underlying technologies that the cloud provider uses to provision services, and their security
Security and Privacy Issues and Recommendations
• Identity and Access Management
• Ensure that adequate safeguards are in place to secure authentication,
authorization, and other identity and access management functions
• Software Isolation
• Understand virtualization and other logical isolation techniques, assess the
risks involved for the organization
• Data Protection
• Data management solutions for the organizational data concerned
• Ability to control access to data, to secure data while at rest, in transit, and in
use, and to sanitize data
Security and Privacy Issues and Recommendations
• Availability
• Understand the contract provisions and procedures for availability
• Data backup and recovery
• Disaster recovery
• Ensure that they meet the organization’s continuity and contingency planning
requirements
• Incident Response
• Transparent response process in place and sufficient mechanisms to share
information during and after an incident
Need for Compliance Standards
• You may also need to account for any compliance standards that are
required for your industry
• Payment Card Industry Data Security Standards (PCI-DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm–Leach–Bliley Act (GLBA) - companies that offer consumers financial
products or services like loans, financial or investment advice
• Sarbanes–Oxley Act (SOX) - to help protect investors from fraudulent financial
reporting by corporations
Security of Data
• Securing data
• sent to,
• received from, and
• stored in the cloud
“The single largest security concern that most organizations should have with
cloud computing”
Security of Data
• Key mechanisms for protecting data
• Access control
• Auditing
• Authentication
• Authorization
• Whatever service model you choose should have mechanisms
operating in all four areas that meet your security requirements
Identity Management
• Establishing Identity and Presence
• Cloud computing requires the following:
• Establish an identity
• Identity be authenticated
• Authentication be portable
• Authentication provide access to cloud resources
Identity Management
• Identity protocol standards
• OpenID 2.0
• The standard associated with creating an identity and having a third-party service
authenticate the use of that digital identity
• Key to creating Single Sign-On (SSO) systems
• OpenID 2.0 has been superseded by OpenID Connect
• [https://openid.net/connect/]
Identity Management
• Identity protocol standards
• Security Assertion Markup Language (SAML)
• An open standard that allows identity providers (IdP) to pass authorization credentials to
service providers (SP)
Single sign-on using SAML in a Web browser
Identity Management
• Identity protocol standards
• OAuth
• An open-standard authorization protocol or framework
• Describes how unrelated servers and services can safely allow authenticated access
• Known as secure, third-party, user-agent, delegated authorization
Identity Management
• Identity protocol standards
• OAuth 2.0 authorization framework
• Enables a third-party application to obtain limited access to an HTTP service
• Either on behalf of a resource owner by orchestrating an approval interaction between the
resource owner and the HTTP service
• or by allowing the third-party application to obtain access on its own behalf
• This specification replaces and obsoletes the OAuth 1.0 protocol
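To make the authorization code flow above concrete, here is an added example, not from the course slides or from any OAuth library, of the OAuth 2.0 authorization code grant simulated in Python with an in-process authorization server and a third-party client. The client binds each request to a random state value, the server issues a single-use, short-lived code tied to the registered redirect URI, the client exchanges the code using its client secret, and the resulting access token carries only the scope the resource owner approved. The registered client, user names and URIs are constructed sample data, and the resource owner is assumed to have already authenticated at the authorization server when authorize() is called.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Toy OAuth 2.0 authorization server with one registered client (constructed data)."""

    CODE_LIFETIME = 60  # seconds; authorization codes are meant to be short-lived

    def __init__(self, now=time.time):
        self.now = now
        self.clients = {"photo-printer": {"secret": "printer-secret-sample",
                                          "redirect_uri": "https://printer.example/cb"}}
        self.codes = {}    # code -> (client_id, redirect_uri, user, scopes, expires_at)
        self.tokens = {}   # access token -> (user, scopes)

    def authorize(self, client_id, redirect_uri, scope, state, user, approved):
        """Authorization endpoint: returns the redirect URL sent back through the browser."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            # Never redirect to an unregistered URI: that would hand the code to whoever asked.
            raise ValueError("unknown client or redirect_uri mismatch")
        if not approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user, scope.split(),
                            int(self.now()) + self.CODE_LIFETIME)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: the client authenticates itself and swaps the code for a token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        entry = self.codes.pop(code, None)  # a code can be redeemed only once
        if entry is None:
            return {"error": "invalid_grant"}
        issued_to, issued_uri, user, scopes, expires_at = entry
        if issued_to != client_id or issued_uri != redirect_uri or int(self.now()) > expires_at:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (user, scopes)
        return {"access_token": access_token, "token_type": "Bearer", "scope": " ".join(scopes)}

    def resource(self, access_token, required_scope):
        """Protected resource: a token unlocks only the scopes the owner approved."""
        entry = self.tokens.get(access_token)
        if entry is None or required_scope not in entry[1]:
            return None
        return {"user": entry[0], "scope": required_scope}


class ThirdPartyClient:
    """The application that wants limited access to the user's resources."""

    def __init__(self, server, client_id="photo-printer", client_secret="printer-secret-sample",
                 redirect_uri="https://printer.example/cb"):
        self.server = server
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.pending_states = set()

    def start(self):
        """Begin the flow: a random state ties the eventual callback to this session."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state

    def callback(self, redirect_url):
        """Handle the browser's return from the authorization server."""
        params = parse_qs(urlparse(redirect_url).query)
        state = params.get("state", [None])[0]
        if state not in self.pending_states:
            return {"error": "state_mismatch"}  # forged, replayed or injected callback
        self.pending_states.discard(state)
        if "code" not in params:
            return {"error": params.get("error", ["unknown"])[0]}
        return self.server.token(self.client_id, self.client_secret, params["code"][0], self.redirect_uri)

    @staticmethod
    def code_from(redirect_url):
        return parse_qs(urlparse(redirect_url).query).get("code", [None])[0]
```

The user's credentials never reach the third-party application: it only ever holds a code and then a scoped bearer token, which is the "limited access on behalf of a resource owner" the slide describes. Production deployments add PKCE for public clients and token expiry, which are omitted here.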
Cloud Security
• Cloud computing has all the vulnerabilities associated with
• Internet applications, and
• Additional vulnerabilities arise from
• pooled, virtualized, and outsourced resources
Cloud Security
• Assessing the Security Risks of Cloud Computing by Jay Heiser and
Mark Nicolett
• Auditing
• Data integrity
• e-Discovery for legal compliance
• Privacy
• Recovery
• Regulatory compliance
Cloud Security
• To evaluate risks
• Determine which resources (data, services, or applications)
you are planning to move to the cloud
• Determine the sensitivity of the resource to risk
• Loss of privacy
• Unauthorized access by others
• Loss of data, and
• Interruptions in availability
Cloud Security
• To evaluate risks
• Determine the risk associated with the particular cloud type for a resource
• Cloud types include
• public,
• private
• hybrid, and
• shared community types
• With each type, you need to consider where data and functionality will be
maintained
Cloud Security
• To evaluate risks
• Take into account the particular cloud service model that you will
be using
• Different models such as
• IaaS,
• SaaS, and
• PaaS
• require their customers to be responsible for security at
different levels of the service stack
Cloud Security
• To evaluate risks
• If you have selected a particular cloud service provider,
• you need to evaluate its system to understand
• how data is transferred,
• where it is stored, and
• how to move data both in and out of the cloud.
Cloud Security - AWS Service - Identity & access management
• Securely manage access to services and resources
• AWS Identity & Access Management (IAM)
• Cloud single-sign-on (SSO) service
• AWS Single Sign-On
• Identity management for your apps
• Amazon Cognito
https://aws.amazon.com/products/security/?nc=sn&loc=2
Cloud Security - AWS Service - Identity & access management
• Managed Microsoft Active Directory
• AWS Directory Service
• Simple, secure service to share AWS resources
• AWS Resource Access Manager
• Central governance and management across AWS accounts
• AWS Organizations
https://aws.amazon.com/products/security/?nc=sn&loc=2
Cloud Security Alliance (CSA)
• Cloud Security Alliance (CSA) operational domains:
• Governance and enterprise risk management
• Legal and electronic discovery
• Compliance and audit
• Information lifecycle management
• Portability and interoperability
• Traditional security, business continuity, and disaster recovery
Cloud Security Alliance (CSA)
• Cloud Security Alliance (CSA) operational domains:
• Datacenter operations
• Incident response, notification, and remediation
• Application security
• Encryption and key management
• Identity and access management
• Virtualization
Cloud Security Alliance (CSA)
• Cloud Security Alliance (CSA) operational domains:
• Information lifecycle management
• Managing data that is placed in the cloud
• Identification and control of data in the cloud
• Compensating controls for the loss of physical control when moving data to the cloud
• Who is responsible for data confidentiality, integrity, and availability
Cloud Security Alliance (CSA)
• Cloud Security Alliance (CSA) operational domains:
• Incident response, notification, and remediation
• Proper and adequate incident detection, response, notification, and remediation
• Address items that should be in place at both provider and user levels to enable proper
incident handling and forensics
• Understand the complexities the cloud brings to your current incident handling program
Cloud Security Alliance (CSA)
• Cloud Security Alliance (CSA) operational domains:
• Application security
• Securing application software that is running on or being developed in the cloud
• Whether it’s appropriate to migrate or design an application to run in the cloud, and if
so,
• What type of cloud platform is most appropriate (SaaS, PaaS, or IaaS)
Security Guidance For Critical Areas of Focus in Cloud Computing v2.1
CSA Enterprise Architecture
Cloud Security Alliance
• CSA - Security and Risk Management
• Provides the core components of an organization's Information Security
Program
• To safeguard assets
• Monitor risks inherent in operating activities
CSA - Security and Risk Management
• CSA - Security and Risk Management
• Capabilities include:
• Identity and Access Management,
• GRC (Governance, Risk Management, and Compliance),
• Policies and Standards,
• Threat and Vulnerability Management, and
• Infrastructure and Data Protection
NIST Security Reference Architecture
NIST Security Ref Arch. - Components
• NIST Security Ref Arch. - Components
• Cloud Consumer:
• Secure Cloud Consumption Management:
• Secure Configuration,
• Secure Portability and Interoperability,
• Secure Business Support,
• Secure Organizational Support.
• Secure Cloud Ecosystem Orchestration:
• Secure Functional Layers
NIST Security Ref Arch. - Components
• NIST Security Ref Arch. - Components
• Cloud Provider:
• Secure Cloud Service Management:
• Secure Provisioning and Configuration,
• Secure Portability and Interoperability,
• Secure Business Support
• Secure Cloud Ecosystem Orchestration:
• Secure Physical Resource Layer (Hardware & Facility) – only for a Primary Provider,
• Secure Resource Abstraction and Control Layer (Hardware & Facility) – only for a Primary
Provider,
• Secure Deployment & Service Layers
NIST Security Ref Arch. - Components
• NIST Security Ref Arch. - Components
• Cloud Carrier:
• Secure Transport Support
• Cloud Auditor:
• Secure Auditing Environment
NIST Security Ref Arch. - Components
• NIST Security Ref Arch. - Components
• Cloud Broker
• Secure Cloud Service Management
• Secure Cloud Ecosystem Orchestration
• Secure Service Aggregation
• Secure Service Intermediation
• Secure Service Arbitrage
Topic – 5
• Applied Areas of Cloud Computing
• Hybrid cloud and Multicloud,
• Edge computing,
• Cloud computing in IoT,
• Serverless Architecture,
• Containers, Microservices,
• Artificial Intelligence (AI) services
Deep Learning Architectures in Emerging Cloud Computing Architectures: Recent Development, Challenges and Next Research Trend
Emerging Cloud Computing Taxonomy
Internet of Things: A Survey on Enabling Technologies,
Protocols, and Applications
The overall picture of IoT emphasizing the vertical markets and the
horizontal integration between them
Internet of Things
• Internet of Things (IoT) is a universal framework that:
• connects things, which may be physical as well as virtual, that are
distinguishable and incorporated within communication networks,
• depending on prevailing and emerging collaborative information and
communication technologies (ICT)
• to facilitate enhanced services
Recent Advances in Evolving Computing Paradigms: Cloud, Edge, and Fog Technologies
IoT
• The fundamental characteristics of the Internet of Things include:
• Interconnectivity—the IoT may be connected to global
communication infrastructure
• Things-related services—IoT is adept at offering physical/virtual
things, privacy, as well as semantic consistency services within the
limits of things
• Heterogeneity—the IoT devices pertain to diverse hardware platforms
and networks
• Constrained resources—the IoT devices encounter computational and
energy restrictions
IoT
• The fundamental characteristics of the Internet of Things include:
• Dynamic change—the state of devices and the related environment
are subject to dynamic change
• Uncontrolled environment—the IoT devices are deployed in an
uncontrolled setting
• Massive scale—the devices to be monitored and those that connect
with one another are enormous and will continue to surge
exponentially into the future
Internet of Things (IoT)
• IoT - the collective network of connected devices and the technology that
facilitates communication between devices and the cloud, as well as
between the devices themselves
• Everyday devices like toothbrushes, vacuums, cars, and machines can
use sensors to collect data and respond intelligently to users
• The Internet of Things integrates everyday “things” with the internet
https://aws.amazon.com/what-is/iot/
How does IoT work?
• A typical IoT system works through the real-time collection and exchange
of data
• An IoT system has three components:
• Smart devices
• IoT application
• A graphical user interface
How does IoT work?
• Smart devices - a device, like a television, security camera, or exercise
equipment that has been given computing capabilities
• It collects data from its environment, user inputs, or usage patterns and
communicates data over the internet to and from its IoT application
How does IoT work?
• IoT application - It is a collection of services and software that integrates
data received from various IoT devices
• It uses machine learning or artificial intelligence (AI) technology to
analyze this data and make informed decisions
• These decisions are communicated back to the IoT device and the IoT
device then responds intelligently to inputs
How does IoT work?
• A graphical user interface - The IoT device or fleet of devices can be
managed through a graphical user interface
• Common examples include a mobile application or website that can be
used to register and control smart devices
Examples of IoT devices
• Connected cars
• Connected homes
• Smart cities
• Smart buildings
Examples of IoT devices
• Connected cars - There are many ways vehicles, such as cars, can be connected to the
internet
• It can be through smart dashcams, infotainment systems, or even the vehicle's
connected gateway
• They collect data from the accelerator, brakes, speedometer, odometer, wheels, and
fuel tanks to monitor both driver performance and vehicle health
• Connected cars have a range of uses:
• Monitoring rental car fleets to increase fuel efficiency and reduce costs.
• Helping parents track the driving behavior of their children.
• Notifying friends and family automatically in case of a car crash.
• Predicting and preventing vehicle maintenance needs.
Examples of IoT devices
• Connected homes - Smart home devices are mainly focused on improving the
efficiency and safety of the house, as well as improving home networking
• Devices like smart outlets monitor electricity usage and smart thermostats provide
better temperature control
• Hydroponic systems can use IoT sensors to manage the garden while IoT smoke
detectors can detect tobacco smoke
• Home security systems like door locks, security cameras, and water leak detectors
can detect and prevent threats, and send alerts to homeowners.
• Connected devices for the home can be used for:
• Automatically turning off devices not being used.
• Rental property management and maintenance.
• Finding misplaced items like keys or wallets.
• Automating daily tasks like vacuuming, making coffee, etc.
Examples of IoT devices
• Smart cities - IoT applications have made urban planning and
infrastructure maintenance more efficient
• Governments are using IoT applications to tackle problems in
infrastructure, health, and the environment
• IoT applications can be used for:
• Measuring air quality and radiation levels.
• Reducing energy bills with smart lighting systems.
• Detecting maintenance needs for critical infrastructures such as
streets, bridges, and pipelines.
• Increasing profits through efficient parking management.
Examples of IoT devices
• Smart buildings - Buildings such as college campuses and commercial
buildings use IoT applications to drive greater operational efficiencies
• IoT devices can be used in smart buildings for:
• Reducing energy consumption.
• Lowering maintenance costs.
• Utilizing work spaces more efficiently
Industrial IoT
• Industrial IoT (IIoT) refers to smart devices used in manufacturing, retail,
health, and other enterprises to create business efficiencies
• Industrial devices, from sensors to equipment, give business owners
detailed, real-time data that can be used to improve business processes
• They provide insights on supply chain management, logistics, human
resources, and production – decreasing costs and increasing revenue
streams.
IIoT - existing smart industrial systems
• Manufacturing - Enterprise IoT in manufacturing uses predictive maintenance to
reduce unplanned downtime and wearable technology to improve worker safety
• IoT applications can predict machine failure before it happens, reducing
production downtime
• Wearables in helmets and wristbands, as well as computer vision cameras, are
used to warn workers about potential hazards
• Automobile - Sensor-driven analytics and robotics increase efficiency
in automobile manufacturing and maintenance
• For example, industrial sensors are used to provide 3D real-time images of
internal vehicle components
• Diagnostics and troubleshooting can be done much faster while the IoT system
orders replacement parts automatically
IIoT - existing smart industrial systems
• Logistics and transport - Commercial and Industrial IoT devices can help
with supply chain management, including inventory management, vendor
relationships, and scheduled maintenance
• Shipping companies use Industrial IoT applications to keep track of
assets and optimize fuel consumption on shipping routes
• Useful for tight temperature control in refrigerated containers
• Supply chain managers make informed predictions through smart
routing and rerouting algorithms
• Retail - Amazon is driving innovation in automation and human-machine
collaboration in retail
• Amazon facilities make use of internet-connected robots for tracking,
locating, sorting, and moving products
Benefits of IoT for business
• Accelerate innovation - The Internet of Things gives businesses access
to advanced analytics that uncover new opportunities
• For example, businesses can create highly targeted advertising
campaigns by collecting data on customer behavior
• Turn data into insights and actions with AI and ML - Collected data and
historical trends can be used to predict future outcomes.
• For example, warranty information can be paired with IoT-collected data
to predict maintenance incidents
• This can be used to proactively provide customer service and build
customer loyalty
Benefits of IoT for business
• Increase security - Continuous monitoring of digital and physical
infrastructure can optimize performance, improve efficiency and
reduce safety risks
• For example, data collected from an onsite monitor can be
combined with hardware and firmware version data to
automatically schedule system updates.
• Scale differentiated solutions - IoT technologies can be deployed
in a customer focused way to increase satisfaction
• For example, trending products can be restocked promptly to
avoid shortages
IoT technologies
• Edge computing - It refers to the technology used to make smart devices do
more than just send or receive data to their IoT platform
• It increases the computing power at the edges of an IoT network, reducing
communication latency and improving response time
• Cloud computing - Cloud technology is used for remote data storage and
IoT device management – making the data accessible to multiple devices in
the network
• Machine learning - Machine learning refers to the software and algorithms
used to process data and make real-time decisions based on that data
• These machine learning algorithms can be deployed in the cloud or at the
edge
Multicloud
Multicloud
• Multicloud - the use of cloud services from two or more vendors - gives
organizations more flexibility to optimize performance, control costs, and
leverage the best cloud technologies available
• Organizations that do not want to depend on a single cloud vendor may
choose to use resources from several different providers to get the best
benefits from each unique service
Difference between multicloud and hybrid cloud
• Multicloud refers to the presence of more than 1 cloud deployment of the
same type (public or private), sourced from different vendors
• A multicloud approach could involve 2 public cloud environments or 2
private cloud environments
• Hybrid cloud refers to the presence of multiple deployment types (public
or private) with some form of integration or orchestration between them
• A hybrid cloud approach could involve a public cloud environment and a
private cloud environment
Value and benefits of multicloud
• The overarching value of multicloud to the enterprise is that it prevents
‘vendor lock-in’, i.e. the
• performance problems,
• limited options, and
• unnecessary costs that result from using only one cloud vendor
• Flexibility to choose cloud services from different cloud providers based on
the combination of pricing, performance, security and compliance
requirements, geographical location that best suits the business;
Value and benefits of multicloud
• Ability to rapidly adopt best technologies from any vendor, as needed
or as they emerge, rather than limiting customers to whatever offerings or
functionality a single vendor offers at a given time;
• Reduced vulnerability to outages and unplanned downtime (because
an outage on one cloud won’t necessarily impact services from other
clouds);
• Reduced exposure to the licensing, security and compatibility risks of shadow
IT - users independently signing up for cloud services that an organization
using just one cloud might not offer
Multicloud: Disadvantages
• Complexity of management:
• A multicloud deployment means interfacing with several different
vendors, each with different processes and technology
• In addition, it becomes harder to have complete visibility into the
technology stack with data stored and processes running in multiple
clouds
Multicloud: Disadvantages
• Increased latency:
• If services in multiple clouds need to talk to one another in order to fulfill
user requests, that can introduce latency
• Greater attack surface:
• The more pieces of software and hardware that are integrated, the more
vulnerabilities there likely are
• Performance and reliability:
• It can be difficult to balance loads across different clouds
Shadow IT
• A multicloud deployment can come about unintentionally, as a result of
shadow IT
• Shadow IT is when internal teams set up technical systems or use software
products without official approval or oversight from the larger organization
• Example: if a company's employees use a chat app that isn't sanctioned or
managed by the company to communicate about business activities
• Shadow IT can find its way into application architecture too
• Either as a short cut for getting things done, or out of necessity, employees
may incorporate cloud services into a company's technology stack before
receiving official approval
Multicloud [Google Cloud]
• Manage apps and data anywhere
• Google Cloud empowers you to quickly build new apps and modernize
existing ones to increase your agility and reap the benefits of the
multicloud
• Google Cloud offers a consistent platform and data analysis for your
deployments no matter where they reside, along with a service-centric
view of all your environments
https://cloud.google.com/multicloud
Anthos
• Google Cloud launched the Anthos platform in April 2019, promising
customers a way to run Kubernetes workloads on-premises, in the Google
Cloud, and, crucially, in other major public clouds including Amazon Web
Services (AWS) and Microsoft Azure.
• Speaking at Google Cloud Next in San Francisco in 2019, Google CEO
Sundar Pichai said the idea behind Anthos is to allow developers to “write
once and run anywhere”—a promise to simplify the development,
deployment, and operation of containerized applications across hybrid and
multiple public clouds by bridging incompatible cloud architectures.
Edge Computing
• Edge computing is a distributed computing framework that brings
enterprise applications closer to data sources such as IoT devices or
local edge servers
• This proximity to data at its source can deliver strong business
benefits:
• including faster insights
• improved response times and
• better bandwidth availability
Possible components of edge include –
Edge Devices
• Edge devices: We already use devices that do edge computing every
day:
• smart speakers,
• watches and phones
• Internet of Things (IoT) devices
• point of sales (POS) systems,
• robots,
• vehicles and sensors can all be edge devices—if they compute locally and talk
to the cloud
Possible components of edge include –
Network Edge
• For Internet devices, the network edge is where the device, or the
local network containing the device, communicates with the Internet
• A user’s computer or the processor inside of an IoT camera can be
considered the network edge, but the user’s router, ISP, or local edge
server are also considered the edge
• The edge of the network is geographically close to the device, unlike
origin servers and cloud servers, which can be very far from the
devices they communicate with
Possible components of edge include –
Network Edge
• Edge computing doesn’t require a separate “edge network” to exist
• it could be located on individual edge devices or a router
• When a separate network is involved, this is just another location in the
continuum between users and the cloud and this is where 5G can come
into play
• 5G brings extremely powerful wireless connectivity to edge computing
with low latency and high cellular speed, which brings exciting
opportunities like:
• autonomous drones
• remote telesurgery, smart city projects and much more
• The network edge can be particularly useful in cases where it is too costly
and complicated to put compute on premises and yet high responsiveness
is required (meaning the cloud is too distant).
Possible components of edge include –
On-premises infrastructure
• These are for managing local systems and connecting to the network
and could be servers, routers, containers, hubs or bridges.
How edge relates to cloud computing
• Cloud computing is the act of running workloads within clouds—
which are IT environments that abstract, pool, and share scalable
resources across a network.
• Traditionally, cloud computing has focused on centralizing cloud
services into a handful of large datacenters
• Centralization allowed resources to be highly scalable and shared
more efficiently, while maintaining control and enterprise security
How edge relates to cloud computing
• Edge computing addresses those use cases that cannot be adequately
addressed by the centralization approach of cloud computing, often
because of networking requirements or other constraints.
• Additionally, a cloud strategy of running software in containers
complements the edge computing model. Containers make apps
portable, allowing businesses to run them wherever they make the
most sense. A containerization strategy allows an organization to shift
apps from datacenter to edge, or vice versa, with minimal operational
impact.
What differentiates edge computing from
other computing models?
• Early computing
• Centralized applications only running on one isolated computer
• Personal computing
• Decentralized applications running locally
• Cloud computing
• Centralized applications running in data centers
• Edge computing
• Centralized applications running close to users, either on the device itself or
on the network edge
Example of Edge computing – Part 1
• Consider a building secured with dozens of high-definition IoT video
cameras
• These are "dumb" cameras that simply output a raw video signal and
continuously stream that signal to a cloud server
• On the cloud server, the video output from all the cameras is put through a
motion-detection application to ensure that only clips featuring activity are
saved to the server’s database
• This means there is a constant and significant strain on the building’s Internet
infrastructure, as significant bandwidth gets consumed by the high volume of
video footage being transferred
• Additionally, there is very heavy load on the cloud server that has to process
the video footage from all the cameras simultaneously
Example of edge computing – Part 2
• Now imagine that the motion sensor computation is moved to the
network edge
• What if each camera used its own internal computer to run the motion-
detecting application and then sent footage to the cloud server as needed?
• This would result in a significant reduction in bandwidth use, because much of the
camera footage will never have to travel to the cloud server
• Additionally, the cloud server would now only be responsible for
storing the important footage
• meaning that the server could communicate with a higher number of cameras
without getting overloaded
This is what edge computing looks like
Other possible use cases for edge computing
• IoT devices
• Smart devices that connect to the Internet can benefit from running code on
the device itself, rather than in the cloud, for more efficient user interaction
• Self-driving cars
• Autonomous vehicles need to react in real time, without waiting for
instructions from a server
Other possible use cases for edge computing
• Medical monitoring devices
• It is crucial for medical devices to respond in real time without waiting to hear
from a cloud server.
• Video conferencing
• Interactive live video takes quite a bit of bandwidth, so moving backend
processes closer to the source of the video can decrease lag and latency.
Drawbacks of edge computing
• One drawback of edge computing is that it can increase attack vectors
• With the addition of more "smart" devices into the mix, such as edge servers
and IoT devices that have robust built-in computers
• there are new opportunities for malicious attackers to compromise these devices
• Requirement of more local hardware
• For example, while an IoT camera needs a built-in computer to send its raw
video data to a web server, it would require a much more sophisticated
computer with more processing power in order for it to run its own motion-
detection algorithms
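The two-part camera scenario above (cloud-side versus camera-side motion detection) and the extra-hardware drawback, as an added simulation that is not part of the slides: the frames, the three-camera fleet and the detection thresholds are constructed for the example, and the detector is a plain background-subtraction pixel count chosen for clarity rather than realism.

```python
"""Edge vs. cloud motion detection for a constructed fleet of IoT cameras.

Part 1: "dumb" cameras upload every frame and the cloud server runs the detector.
Part 2: each camera runs the detector locally and uploads only frames with activity.
The Stats returned by each model show the bandwidth, cloud load and local compute
trade-off the slides describe.
"""
from dataclasses import dataclass

FRAME_W, FRAME_H = 8, 8   # constructed frame size (one byte per greyscale pixel)
PIXEL_DELTA = 30          # intensity change that counts as a "changed" pixel
MOTION_PIXELS = 6         # changed pixels needed to flag a frame as activity
BACKGROUND = 20           # constructed static background intensity

Frame = list[list[int]]


def frame_bytes(frame: Frame) -> int:
    """Raw size of a greyscale frame: one byte per pixel."""
    return sum(len(row) for row in frame)


def has_motion(background: Frame, frame: Frame) -> bool:
    """Background subtraction: flag the frame if enough pixels differ from background."""
    changed = sum(
        1
        for bg_row, row in zip(background, frame)
        for bg_px, px in zip(bg_row, row)
        if abs(px - bg_px) > PIXEL_DELTA
    )
    return changed >= MOTION_PIXELS


def camera_stream(n_frames: int, motion_at: set[int]) -> list[Frame]:
    """Constructed footage: static background, with a bright 3x4 object drawn
    into every frame whose index is listed in motion_at."""
    frames = []
    for i in range(n_frames):
        frame = [[BACKGROUND] * FRAME_W for _ in range(FRAME_H)]
        if i in motion_at:
            for y in range(2, 5):
                for x in range(2, 6):
                    frame[y][x] = 200
        frames.append(frame)
    return frames


@dataclass
class Stats:
    bytes_uploaded: int = 0               # load on the building's Internet link
    frames_processed_in_cloud: int = 0    # load on the cloud server
    frames_processed_on_camera: int = 0   # extra local compute the edge model needs
    clips_stored: int = 0                 # activity frames kept in the server database


def run_cloud_model(streams: list[list[Frame]]) -> Stats:
    """Part 1: every frame travels to the cloud, which runs the detector."""
    s = Stats()
    for frames in streams:
        background = frames[0]            # first frame is taken as the empty scene
        for frame in frames:
            s.bytes_uploaded += frame_bytes(frame)
            s.frames_processed_in_cloud += 1
            if has_motion(background, frame):
                s.clips_stored += 1
    return s


def run_edge_model(streams: list[list[Frame]]) -> Stats:
    """Part 2: the camera runs the detector; only activity frames are uploaded."""
    s = Stats()
    for frames in streams:
        background = frames[0]
        for frame in frames:
            s.frames_processed_on_camera += 1
            if has_motion(background, frame):
                s.bytes_uploaded += frame_bytes(frame)
                s.clips_stored += 1
    return s


def bandwidth_saving(cloud: Stats, edge: Stats) -> float:
    """Fraction of upload bandwidth the edge model removes from the link."""
    return 1 - edge.bytes_uploaded / cloud.bytes_uploaded


def demo_fleet() -> list[list[Frame]]:
    """Three constructed cameras, 20 frames each: activity on cameras 0 and 2 only."""
    return [
        camera_stream(20, {5, 6, 7}),
        camera_stream(20, set()),
        camera_stream(20, {10}),
    ]


if __name__ == "__main__":
    fleet = demo_fleet()
    cloud, edge = run_cloud_model(fleet), run_edge_model(fleet)
    print("cloud model:", cloud)
    print("edge model: ", edge)
    print(f"bandwidth saved by edge: {bandwidth_saving(cloud, edge):.0%}")
```

Both models store the same four activity frames, but the edge model uploads 256 bytes instead of 3840 while shifting all 60 detector runs onto the cameras, which is exactly the hardware cost the drawbacks slide points at.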
Containerization
• Containerization has become a major trend in software development as an
alternative or companion to virtualization
• It involves encapsulating or packaging up software code and all its
dependencies so that it can run uniformly and consistently on any
infrastructure
• Containerization allows developers to create and deploy applications
faster and more securely
• Containerization allows applications to be “written once and run
anywhere.”
Container
• Container technology is a method of packaging an application so it can be
run with isolated dependencies
• A container is a standard unit of software that packages up code and all its
dependencies so the application runs quickly and reliably from one
computing environment to another
• A Docker container image is a lightweight, standalone, executable
package of software that includes everything needed to run an application:
code, runtime, system tools, system libraries and settings.
Container Engine Technologies Provider
• Docker is one of the most well-known and highly used container
engine technologies, but it is not the only option available
• Other alternatives:
• CoreOS rkt
• Mesos Containerizer
• LXC Linux Containers
• OpenVZ, and crio-d
• Features and defaults may differ, but adopting and leveraging OCI
specifications as these evolve will ensure that solutions are vendor-
neutral, certified to run on multiple operating systems and usable in
multiple environments
Open Container Initiative (OCI)
• The Open Container Initiative (OCI), established in June 2015 by Docker
and other industry leaders, is promoting common, minimal, open
standards and specifications around container technology
• OCI is helping to broaden the choices for open source engines
• Users will not be locked into a particular vendor’s technology, but
rather they will be able to take advantage of OCI-certified
technologies
• that allow them to build containerized applications using a diverse set of
DevOps tools and run these consistently on the infrastructure(s) of their
choosing
Containerization - Benefits
• Containerization offers significant benefits to developers and development
teams. Among these are the following:
• Portability: A container creates an executable package of software that is
abstracted away from (not tied to or dependent upon) the host operating
system, and hence, is portable and able to run uniformly and consistently
across any platform or cloud
• Agility: Software developers can continue using agile or DevOps tools
and processes for rapid application development and enhancement
Containerization - Benefits
• Speed: Containers are often referred to as “lightweight,” meaning they
share the machine’s operating system (OS) kernel
• Not only does this drive higher server efficiencies, it also reduces server
and licensing costs while speeding up start-times as there is no
operating system to boot
• Fault isolation: Each containerized application is isolated and operates
independently of others. The failure of one container does not affect the
continued operation of any other containers
• Efficiency: Containers are inherently smaller in capacity than a VM and
require less start-up time, allowing far more containers to run on the same
compute capacity as a single VM
Containerization - Benefits
• Ease of management: A container orchestration platform automates the
installation, scaling, and management of containerized workloads and
services
• Container orchestration platforms can ease management tasks such as
scaling containerized apps, rolling out new versions of apps, and
providing monitoring, logging and debugging, among other
functions. Kubernetes is the most popular container orchestration system
available
• Security: The isolation of applications as containers inherently prevents
the invasion of malicious code from affecting other containers or the host
system
Microservices Architecture (or Microservices)
• Microservices architecture refers to an architectural style for developing
applications
• Microservices allow a large application to be separated into smaller
independent parts, with each part having its own realm of responsibility
• To serve a single user request, a microservices-based application can call on
many internal microservices to compose its response
• A microservices architecture is a type of application architecture where the
application is developed as a collection of services
• It provides the framework to develop, deploy, and maintain microservices
architecture diagrams and services independently
Microservices Architecture (or Microservices)
• Containers are a well-suited microservices architecture example,
since they let you focus on developing the services without worrying
about the dependencies
• Modern cloud-native applications are usually built as microservices
using containers
• Within a microservices architecture, each microservice is a
single service built to accommodate an application feature and
handle discrete tasks
• Each microservice communicates with other services through
simple interfaces to solve business problems
Serverless Architecture
• Serverless architecture [or, serverless computing] is an approach to
software design that allows developers to build and run services without
having to manage the underlying infrastructure
• Developers can write and deploy code, while a cloud provider provisions
servers to run their applications, databases, and storage systems at any
scale.
Serverless services on AWS
• AWS Lambda is a serverless, event-driven compute service that lets you
run code for virtually any type of application or backend service without
provisioning or managing servers.
Serverless services on AWS
• AWS Fargate is a serverless, pay-as-you-go compute engine that lets you
focus on building applications without managing servers
• AWS Fargate is compatible with both Amazon Elastic Container
Service (ECS) and Amazon Elastic Kubernetes Service (EKS)
How are serverless computing and Platform-as-a-Service
(PaaS) different?
Artificial Intelligence & Cloud Computing
• Merging cloud technology with AI is an essential part of the modern
world’s business and commerce
• It creates a seamless, flexible environment allowing better data
management, storage, structure, optimisation and real-time insights to
improve business decisions
• Along with improving day to day experience, it also allows businesses to
be more agile, flexible and cost-efficient due to a substantial decrease in
infrastructure management
AI integration with Cloud Computing: Benefits
• Cost-effectiveness
• Enhanced data management
• Accelerated productivity
• Intelligent automation
• Deeper actionable insights
• Increased security
• Reliability
AI improving cloud computing
• AI powers a self-managed cloud:
• Cloud computing is using Artificial intelligence to manage the
automation of routine activities
• AI tools are used to monitor and manage private & public cloud
services, making routine tasks a more sophisticated independent
procedure
• With more data being fed into the cloud computing model by leveraging
AI, predictions and their accuracy improve
• Cloud provides advanced computation techniques and incredibly powerful
GPUs, thus supporting the AI infrastructure and contributing to better
technology and outcomes
AI improving cloud computing
• AI improves data management:
• AI integration with data management systems boosts database query
accuracy and performance while saving system resources
• Additionally, a database created and accessed through a cloud platform
increases the flexibility of cloud computing
• As businesses deal with larger chunks of digital data, AI tools make it
easier to stay organized
• It also helps enterprises streamline data ingestion, updates and the
management of finances over real-time information, while identifying
malicious activities and potential risks
AI improving cloud computing
• AI-SaaS integration to increase productivity:
• AI and SaaS (Software-as-a-Service) together benefit businesses in the
areas of customer service, personalisation & security
• This combination helps businesses provide more functionality and value
to clients
• The AI & SaaS integration allows enterprises to track consumer
behaviour and demand and thus provide better service
• With the SaaS model, not only are hosting data and complex software
requirements easier, but having all the data on the cloud makes it easier
for businesses to access & use it as required.
AI improving cloud computing
• AI reduces errors & costs:
• Integrating artificial intelligence into cloud computing offers extensive
task automation
• This keeps human intervention to a minimum as tasks are automated
• With minimal human intervention and a self-learning model, businesses
benefit from faster decision making and a reduction in the number of people
who need to be involved
• This directly reduces costs and also reduces errors
• A cloud module coupled with AI guarantees the best service assistance by
analyzing demand, available resources, competition & market trends without
major human intervention
AI improving cloud computing
• AI offers enhanced security:
• The integration of AI with the cloud automatically enhances the security of
resources and data, and vice versa
• AI tools improve data processing and error spotting
• They also reduce unauthorized access and human errors, along with detecting
and blocking unusual events or interference
• Security automation in the cloud using AI helps detect and block threats,
limiting the exposure from security compromises
• There has been a considerable rise in cloud security automation for these
very reasons, which makes AI's contribution to the cloud computing area
noteworthy
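The following is an added example, not part of the slides or any provider's tooling: a simplified learned-baseline detector of the kind the security-automation bullet describes, run over constructed cloud audit events. The (principal, API call, region) field layout and the 3x spike threshold are assumptions chosen for the illustration; a statistical baseline stands in for a trained model.

```python
from collections import Counter, defaultdict

# Constructed audit events (field layout is an assumption, not a real log sample):
# (principal, api_call, source_region)
BASELINE_EVENTS = (
    [("app-role", "s3:GetObject", "us-east-1")] * 40
    + [("app-role", "s3:PutObject", "us-east-1")] * 10
    + [("admin-user", "iam:ListUsers", "us-east-1")] * 5
)
NEW_EVENTS = (
    [("app-role", "s3:GetObject", "us-east-1")] * 38
    + [("app-role", "s3:PutObject", "us-east-1")] * 45   # ~4.5x the usual write volume
    + [("app-role", "iam:CreateAccessKey", "eu-west-1")]  # never seen for this principal
    + [("admin-user", "iam:ListUsers", "us-east-1")] * 4
)

def build_profile(events):
    """Per principal: the (api, region) pairs seen and how often each api was called."""
    seen = defaultdict(set)
    counts = defaultdict(Counter)
    for principal, api, region in events:
        seen[principal].add((api, region))
        counts[principal][api] += 1
    return seen, counts

def find_anomalies(baseline, window, spike_ratio=3.0):
    """Flag events in `window` that the baseline profile does not explain:
    an (api, region) pair never seen for that principal, or an api whose
    call volume exceeds `spike_ratio` times its baseline volume."""
    seen, base_counts = build_profile(baseline)
    _, new_counts = build_profile(window)
    findings = []
    for principal, apis in new_counts.items():
        for api, n in apis.items():
            base_n = base_counts[principal][api]
            if base_n and n > spike_ratio * base_n:
                findings.append((principal, api, f"volume spike {n} vs baseline {base_n}"))
    for principal, api, region in set(window):
        if (api, region) not in seen[principal]:
            findings.append((principal, api, f"unseen api/region pair for principal ({region})"))
    return sorted(findings)

if __name__ == "__main__":
    # Each finding is what an automated responder would act on (alert, block, require MFA).
    for finding in find_anomalies(BASELINE_EVENTS, NEW_EVENTS):
        print(finding)
```

Running it reports the write-volume spike and the novel IAM call from an unfamiliar region for `app-role`, while the slightly lower read volume and the admin's usual activity stay quiet.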