
Unit 4

Cloud Computing Unit-4 Important question Notes 100 % Pass

Uploaded by

hr.admin

Unit-4

Resource Provisioning
The allocation of resources and services from a cloud provider to
a customer is known as resource provisioning in cloud computing,
sometimes called cloud provisioning.
Resource provisioning is the process of choosing, deploying, and
managing software and hardware resources to assure application
performance.
Power usage is another significant restriction. Care should be
taken to reduce power consumption, dissipation, and VM
placement.
There should be techniques to avoid excess power consumption.
Therefore, the ultimate objective of a cloud user is to rent
resources at the lowest possible cost, while the objective of a
cloud service provider is to maximize profit by effectively
distributing resources.

Importance of Cloud Provisioning:

• Scalability: Being able to actively scale up and down with flux in demand for resources is one of the major points of cloud computing.
• Speed: Users can quickly spin up multiple machines as per their usage without the need for an IT administrator.
• Savings: The pay-as-you-go model allows for enormous cost savings for users; it is facilitated by provisioning or removing resources according to the demand.

Challenges of Cloud Provisioning:

• Complex management: Cloud providers have to use various different tools and techniques to actively monitor the usage of resources.
• Policy enforcement: Organisations have to ensure that users are not able to access the resources they shouldn’t.
• Cost: Because provisioning is automated, costs may go very high if proper checks are not put in place. Alerts about reaching the cost threshold are required.

Types of Cloud Provisioning:


• Static Provisioning or Advance Provisioning: Static provisioning can be used successfully for applications with known and typically constant demands or workloads.
• In this instance, the cloud provider allots the customer a set number of resources.
• The client can thereafter utilize these resources as required.
• When a consumer contracts with a service provider for services, the supplier makes the necessary preparations before the service can begin. Either a one-time cost or a monthly fee is applied to.

• Dynamic provisioning or On-demand provisioning: With dynamic provisioning, the provider adds resources as needed and subtracts them as they are no longer required.

• Self-service provisioning or user self-provisioning: In user self-provisioning, sometimes referred to as cloud self-service, the customer uses a web form to acquire resources from the cloud provider, sets up a customer account, and pays with a credit card. Shortly after, resources are made accessible for consumer use.

Various Cloud Security Challenges


Cloud computing is a type of technology that provides remote services on the internet to manage, access, and store data rather than storing it on servers or local drives.
This technology is also known as Serverless technology. Here the data can be anything: images, audio, video, documents, files, etc.

Security Issues in Cloud Computing:

There is no doubt that cloud computing provides various advantages, but there are also some security issues in cloud computing.

1. Data Loss:

Data loss is one of the issues faced in cloud computing. This is also known as data leakage. Our sensitive data is in the hands of somebody else, and we don’t have full control over our database. So, if the security of the cloud service is broken by hackers, they may get access to our sensitive data or personal files.

2. Interference of Hackers and Insecure APIs:

When we talk about the cloud and its services, we are talking about the Internet. Also, we know that the easiest way to communicate with the cloud is using an API.

3. User Account Hijacking:

Account hijacking is the most serious security issue in cloud computing. If the account of a user or an organization is hijacked by a hacker, then the hacker has full authority to perform unauthorized activities.

4. Changing Service Provider:

Vendor lock-in is also an important security issue in cloud computing. Many organizations will face different problems while shifting from one vendor to another.

5. Lack of Skill:

Day-to-day work, shifting to another service provider, needing an extra feature, not knowing how to use a feature, etc. are the main problems in IT companies that don’t have skilled employees. So it requires a skilled person to work with cloud computing.

7. Denial of Service (DoS) attack:

This type of attack occurs when the system receives too much traffic.
Mostly DoS attacks occur in large organizations such as the banking
sector, government sector, etc.

8. Shared Resources: Cloud computing relies on a shared infrastructure. If one customer’s data or applications are compromised, it may potentially affect other customers sharing the same resources, leading to a breach of confidentiality or integrity.

8. Compliance and Legal Issues: Different industries and regions have specific regulatory requirements for data handling and storage. Ensuring compliance with these regulations can be challenging when data is stored in a cloud environment that may span multiple jurisdictions.

9. Data Encryption: While data in transit is often encrypted, data at rest can be susceptible to breaches. It’s crucial to ensure that data stored in the cloud is properly encrypted to prevent unauthorized access.

10. Insider Threats: Employees or service providers with access to cloud systems may misuse their privileges, intentionally or unintentionally causing data breaches. Proper access controls and monitoring are essential to mitigate these threats.

11. Data Location and Sovereignty: Knowing where your data physically resides is important for compliance and security. Some cloud providers store data in multiple locations globally, and this may raise concerns about data sovereignty and who has access to it.

12. Loss of Control: When using a cloud service, you are entrusting a third party with your data and applications. This loss of direct control can lead to concerns about data ownership, access, and availability.

13. Data Backup and Recovery: Relying on cloud providers for data backup and recovery can be risky. It’s essential to have a robust backup and recovery strategy in place to ensure data availability in case of outages or data loss.

15. Vendor Security Practices: The security practices of cloud service providers can vary. It’s essential to thoroughly assess the security measures and certifications of a chosen provider to ensure they meet your organization’s requirements.

17. Social Engineering and Phishing: Attackers may use social engineering tactics to trick users or cloud service providers into revealing sensitive information or granting unauthorized access.

Cloud Security Governances Challenges

1. Cloud security governance refers to the management model that facilitates effective and efficient security management and operations in the cloud environment so that an enterprise's business targets are achieved.

2. This model incorporates a hierarchy of executive mandates, performance expectations, operational practices, structures, and metrics that, when implemented, result in the optimization of business value for an enterprise.

Cloud security governance challenges:

1. Lack of senior management participation and buy-in:

i. The lack of a senior management influenced and initial security policy is one of the common challenges faced by cloud customers.

ii. An enterprise security policy is intended to set the executive tone, principles and expectations for security management and operations in the cloud.

iii. The result of this situation is the ineffective definition and communication of executive tone and expectations for security in the cloud.

iv. To resolve this challenge, it is essential to engage enterprise executives in the discussion and definition of tone and expectations for security that will feed a formal enterprise security policy.

2. Lack of embedded management operational controls:

i. Controls are interpreted as an auditor's checklist or repackaged procedures and, as a result, are not effectively embedded into security operational processes and procedures as they should be for purposes of optimizing value and reducing day-to-day operational risks.

ii. This lack of embedded controls may result in operational risks that may not be apparent to the enterprise.

3. Lack of operating model, roles, and responsibilities:

i. Many enterprises moving into the cloud environment tend to lack a formal operating model for security, or do not have strategic and tactical roles and responsibilities properly defined and operationalized.

ii. This situation stifles the effectiveness of a security management and operational function/organization to support security in the cloud.

iii. Establishing a hierarchy helps an enterprise to better manage and control security in the cloud, and protect associated investments in accordance with enterprise business goals.

iv. This hierarchy can be employed as an in-sourced, out-sourced, or co-sourced model depending on the culture, norms, and risk tolerance of the enterprise.

4. Lack of metrics for measuring performance and risk:

i. Another major challenge for cloud customers is the lack of defined metrics to measure security performance and risks, a problem that also stifles executive visibility into the real security risks in the cloud.

Objectives of cloud security governance:

1. Strategic alignment: Enterprises should mandate that security investments, services, and projects in the cloud are executed to achieve established business goals (for example, market competitiveness, financial, or operational performance).

2. Value delivery: Enterprises should define, operationalize, and maintain an appropriate security function/organization with appropriate strategic and tactical representation, charged with the responsibility to maximize the business value (Key Goal Indicators, KGI) from the pursuit of security initiatives in the cloud.

3. Risk mitigation: Security initiatives in the cloud should be subject to measurements that gauge effectiveness in mitigating risk to the enterprise (Key Risk Indicators). These initiatives should also yield results that progressively demonstrate a reduction in these risks over time.

4. Effective use of resources: It is important for enterprises to establish a practical operating model for managing and performing security operations in the cloud, including the proper definition and operationalization of due process, the institution of appropriate roles and responsibilities, and use of relevant tools for overall efficiency and effectiveness.

5. Sustained performance: Security initiatives in the cloud should be measurable in terms of performance, value and risk to the enterprise (Key Performance Indicators, Key Risk Indicators), and yield results that demonstrate attainment of desired targets (Key Goal Indicators) over time.

IAM
i. Identity and Access Management (IAM) is a system that secures, stores, and
manages user identities and access privileges.

ii. It ensures that users are who they say they are and will grant access to applications
and resources only if they have the permission to use them.

iii. Some of the most common IAM solutions include Single Sign-On (SSO), Multi-Factor
Authentication (MFA), and access management, all of which can be deployed on-
premises or in the cloud.

iv. Modern technology enables businesses to be more agile and efficient than ever
before.

v. For instance, the cloud lets employees work from anywhere on any device.

vi. However, this means that the workforce has moved beyond the protections of on-
premise security.

Benefits of IAM

1. Improving user experiences:

i. SSO eliminates the need for users to remember and input multiple passwords to access different areas of the system.

ii. All vendors offer a variety of user authentication schemes ranging from more strict multi-factor authentication to federated solutions that leverage existing user security profiles.

2. Enhancing security profiles:

i. IAM systems can authenticate and authorize users based on the access level indicated in their directory profiles.

ii. An IAM system can also automatically control user access to specific functions of our system using other factors.

3. Simplifies auditing and reporting:

i. Consolidating user identities and passwords with SSO makes it easier for IT departments to audit where and how these user credentials are used.

ii. In the event that user credentials are compromised, IAM systems make it easier for IT departments to identify which user was compromised and which data was accessed during the breach.

4. Allows easy access no matter where we are:

i. IAM/SSO allows users to access all interconnected systems, regardless of where the user is physically located.

ii. This can be especially useful for large companies doing business globally, providing ease of access to employees, partners and clients alike.

5. Increases productivity and reduces IT costs:

i. The original benefit of SSO for IT departments was to eliminate the cost of internal help desks helping users locked out of their application accounts.

ii. IAM leverages already existing identity stores such as Active Directory. IAM allows us to extend what we have into the future.

iii. Cloud-based and mobile-based IAM tools not only allow users to authenticate from anywhere at any time, they also provide the extensive audit trails, analytics, access rules and policies to truly automate identity access and management across the enterprise.

Advantages of IAM are:

1. Users have fewer accounts and passwords to manage.

2. Less password fatigue related to managing multiple passwords.

3. Less user time needed to log separately into different systems.

4. Fewer support requests for password resets.

5. Provides a central location for administrative management of accounts.

Disadvantages of IAM are:

1. The primary concern with SSO systems is that they create a single point of failure if the authentication server fails. This forces the added burden of multiple authentication servers to provide redundancy.

2. This single point also creates a single breach point. If a user account is breached, an
attacker can gain access to all protected systems that the compromised user account has
access to.

Architecture of IAM:

i. Cloud-based and multi-tenant architecture:

a. A multi-tenant architecture provides lots of benefits: for example, the vendor can issue updates and security fixes, and improve performance.

b. It also modifies the capability to manage access provision and governance effectively.

ii. Security, management architecture:

a. The most important need of IAM is identity and access management.

b. IAM in cloud computing offers features like multi-factor authentication, digital access cards, and biometrics.

c. These features help to easily retrieve the information in a secure manner.

iii. Single Sign-On (SSO) and federation:

a. SSO enhances the experience of the end user while maintaining security and availability of the network to users as intended.

b. The user can use the safest password combination, used to access services on a regular basis, without working hard to remember it.

c. It also benefits in another way, as it helps to manage secure authentication for third-party cloud services.

iv. Analytics and intelligence:

a. Analytics and intelligence capabilities are used to report the use of access privileges in the context of multifaceted relationships.

b. This relationship is between users, their roles and responsibilities, job function, and data usage.

c. This information allows the organization to identify anomalies for former employees or some specific type of workforce segment.

v. Governance, risk, and compliance:

a. Governance, risk and compliance are supported by modifying the automation and intelligence capabilities of an identity as a service system.

b. This IAM function helps an organization to define and automate the application-specific processes, which will get familiar with the access and usage patterns.

Virtual Machine
Virtual machine is open-source software that runs an operating system and application. It is
comprised of a set of specification and configuration files and is backed by the physical
resource of a host.

Virtual machine properties:

1. Dispatcher: Hypervisor starting point to decide which module to call for the given trap.

2. Allocator: It has to decide what system resources are to be provided.

3. Interpreter: It needs one interpreter routine per privileged instruction, each routine has
to simulate the effect of the instruction which is trapped.

Characteristics of VM:

1. A virtual machine (VM) is a special program, which must meet the following three
characteristics:

a. The efficiency property

b. The resource control property

c. The equivalence property

2. The virtual machine can run any program in its virtual environment.

3. The efficiency property requires that the large portion of the program instructions will be
executed directly on the physical processor, without any changes or interventions from the
virtual machine monitor.

4. This requirement is not only set for performance reasons, but also to exclude emulators
or simulators from the virtual machine definition.

Implementations of virtual machines

There are two main implementations of Virtual Machines (VMs):

i. Process virtual machines:

1. Process VM is a virtual machine capable of supporting an individual process as long as the process is alive.

[Figure: two panels, A and B. Labels: application processes, guest application processes, guest VM, OS, runtime, virtualization software, hypervisor, host hardware, host machine hardware.]

2. A process VM terminates when the hosted process ceases. From a process VM perspective, a machine consists of a virtual memory address space, user-level registers and instructions assigned to a single process so as to execute a user program.

3. A regular process in a general-purpose OS can also be deemed a machine. However, a process in an OS can only support user program binaries compiled for the ISA of the host machine. In other words, executing binaries compiled for an ISA different than that of the host machine cannot be done with regular processes.

4. Conversely, a process VM allows emulation. As shown in Fig. 4.20.2, emulation is the process of allowing the interfaces and functionalities of one system (the source) to be employed on a system with different interfaces and functionalities (the target).

[Fig. 4.20.2: Guest (Source ISA) and Host (Target ISA).]

5. The abstraction of the process VM is provided by a piece of virtualizing software called the runtime, as shown in Fig. 4.20.1(a). The runtime is placed at the Application Binary Interface (ABI), on top of the host OS and the underlying hardware. It is this runtime that emulates the VM instructions and system calls when guest and host ISAs are different.

6. A process VM may or may not directly correspond to any physical platform but is employed mainly to offer cross-platform portability. Such kinds of process VMs are known as High Level Language Virtual Machines (HLL VMs).

7. An HLL VM abstracts away details of the underlying hardware resources and the OS and allows programs to run in the same way on any platform. Java VM (JVM) and Microsoft Common Language Infrastructure (CLI) are examples of HLL VMs.

8. A process VM is similar to a regular process running on an OS. However, a process VM allows, through emulation, the execution of an application compiled for an ISA different than that of the host machine.

ii. System virtual machines:

a. A system VM is a virtual machine capable of virtualizing a full set of hardware resources including processors, memories, and IO devices, thus providing a complete system environment.

b. A system VM can support an OS along with its associated processes as long as the system environment is alive. Fig. 4.20.1(b) illustrates system VMs. The hypervisor (or the Virtual Machine Monitor (VMM)) is a piece of software that provides abstraction for the system VM.

c. It can be placed at the ISA level directly on top of the raw hardware and below system images (for example, OSs). The hardware resources of the host platform can be shared among multiple guest VMs. The hypervisor manages the allocation of, and access to, the hardware resources to/by the guest VMs.

d. The hypervisor provides an elegant way to logically isolate multiple guest VMs sharing a single physical infrastructure (for example, the cloud datacentres). Each guest VM is given the illusion of acquiring the hardware resources of the underlying physical machine.
[Figure: traditional system, native system VMs, user-mode hosted system VMs and dual-mode hosted system VMs. Labels: applications, guest applications, guest OS, OS, hypervisor, host OS, hardware, unprivileged mode, privileged mode.]

e. In a conventional time-shared system, the OS runs in privileged mode (system mode) while the applications associated with it run in unprivileged mode (user mode).

f. With system virtualization, however, the guest OS(s) will run in unprivileged mode while the hypervisor can operate in privileged mode. Such a system is denoted as native system VM. In native system VM, every privileged instruction issued by a user program at any guest OS has to trap to the hypervisor.

g. The hypervisor needs to specify and implement every function required for managing hardware resources. In contrast, if the hypervisor operates in unprivileged mode on top of a host OS, the guest OS(s) will also operate in unprivileged mode.

h. This system is called user-mode hosted system VM. In this case, privileged
instructions from guest OS(s) still need to trap to the hypervisor. In return,
the hypervisor also needs to trap to the host OS.

i. Clearly, this increases the overhead by adding one more trap per every
privileged instruction. The hypervisor can utilize the functions already
available on the host OS to manage hardware resources.

j. Finally, the hypervisor can operate partly in privileged mode and partly in user mode in a system referred to as dual-mode hosted system VM. This way, the hypervisor can make use of the host OS's resource management functions and also avoid the one extra trap per privileged instruction incurred in user-mode hosted system VMs.
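
The dispatcher, allocator and interpreter modules listed under "Virtual machine properties", together with the trap counts described above for native, user-mode hosted and dual-mode hosted system VMs, shown as an added example that is not part of the original notes. The toy instruction set, the struct fields and the 16-page limit are assumptions made for illustration, and the sample program is constructed.

```c
#include <stdio.h>

/* Toy guest ISA (constructed): OP_ADD is unprivileged, the rest must trap. */
enum op { OP_ADD, OP_SET_PT, OP_OUT, OP_SET_MEM };
struct insn { enum op op; int arg; };
/* The three system-VM arrangements described in the notes. */
enum mode { NATIVE, USER_HOSTED, DUAL_HOSTED };

struct vm {
    int acc;         /* guest register, updated without the hypervisor */
    int vpt;         /* virtual page-table base kept by the hypervisor */
    int out;         /* last value written to the virtual device */
    int mem_pages;   /* pages currently granted to this guest */
    int mem_limit;   /* ceiling enforced by the allocator */
    int traps;       /* guest -> hypervisor traps */
    int host_traps;  /* hypervisor -> host OS traps */
    int denied;      /* resource requests refused */
};

/* Interpreter: one routine per privileged instruction, virtual state only. */
static void emu_set_pt(struct vm *vm, int arg) { vm->vpt = arg; }
static void emu_out(struct vm *vm, int arg)    { vm->out = arg; }

/* Allocator: decides what resources the guest gets (resource control). */
static void allocator(struct vm *vm, int pages) {
    if (pages < 0 || pages > vm->mem_limit) { vm->denied++; return; }
    vm->mem_pages = pages;
}

/* Dispatcher: entry point for every trap; picks the module to call. */
static void dispatcher(struct vm *vm, struct insn in) {
    switch (in.op) {
    case OP_SET_MEM: allocator(vm, in.arg);  break;
    case OP_SET_PT:  emu_set_pt(vm, in.arg); break;
    case OP_OUT:     emu_out(vm, in.arg);    break;
    default: break;
    }
}

/* Run a guest program and count traps for the chosen arrangement. */
void run_guest(struct vm *vm, enum mode m, const struct insn *p, int n) {
    for (int i = 0; i < n; i++) {
        if (p[i].op == OP_ADD) { vm->acc += p[i].arg; continue; } /* runs directly */
        vm->traps++;                              /* trap to the hypervisor */
        if (m == USER_HOSTED) vm->host_traps++;   /* second trap, to host OS */
        dispatcher(vm, p[i]);
    }
}

/* Constructed sample program: 2 unprivileged and 4 trapping instructions. */
static const struct insn PROG[] = {
    {OP_ADD, 5}, {OP_SET_PT, 0x1000}, {OP_SET_MEM, 8},
    {OP_ADD, 2}, {OP_SET_MEM, 64},    {OP_OUT, 7},
};

struct vm run_sample(enum mode m) {
    struct vm vm = { .mem_limit = 16 };
    run_guest(&vm, m, PROG, (int)(sizeof PROG / sizeof PROG[0]));
    return vm;
}

int main(void) {
    for (int m = NATIVE; m <= DUAL_HOSTED; m++) {
        struct vm vm = run_sample((enum mode)m);
        printf("mode=%d traps=%d host_traps=%d pages=%d denied=%d\n",
               m, vm.traps, vm.host_traps, vm.mem_pages, vm.denied);
    }
    return 0;
}
```

Only the user-mode hosted run records host OS traps, and the 64-page request is refused by the allocator in every mode, so the guest never holds more than the hypervisor granted.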
