In centralized computing, all processing is handled by a single central system, and all users or nodes rely on that system.
Banking Systems
Social Media Platforms
In distributed computing, processing is spread across multiple systems or nodes, working together to complete tasks.
Multiplayer Online Games (PUBG, Fortnite, Call of Duty: Warzone)
Internet of Things (IoT) Systems (Smart Cities, Self-Driving Cars, Smart Grids)
Real-Life Examples
Internet:
Browsing Google, YouTube, or online shopping on Amazon.
Sending emails through Gmail or Yahoo.
Intranet:
A university’s internal portal for students and faculty.
A company’s HR portal for salary slips and leave requests.
A hybrid cloud is a combination of public and private cloud environments that allows data and applications to move
between them. It provides flexibility, security, and scalability by leveraging the benefits of both cloud models.
Data centers are built to take advantage of economies of scale, which means:
The bigger the data center, the cheaper it is to run each part of it.
So, when a data center is large, it can save money overall and reduce the cost for each unit of work it does
(like storing data or running applications).
Memory (DRAM) and storage (disks) in a server rack are connected using rack switches.
To connect everything across multiple racks, a bigger switch called a cluster-level switch is used.
So in short:
Rack switch = connects parts inside one rack
Cluster switch = connects all racks together in the data center
4.2.1.2 Cooling System of a Data-Center Room
Server-Centric Design:
The servers are involved in managing the network.
The operating system on servers is modified.
Special drivers are used to help relay traffic through the servers.
Switches are still used, but servers take part in the network’s routing.
4.2.3 Modular Data Center in Shipping Containers
Container-based data-center modules are meant for construction of even larger data centers using a
farm of container modules (cluster or group).
The example of BCube1 is illustrated in Figure 4.12, where the connection rule is that the i-th
server in the j-th BCube0 connects to the j-th port of the i-th Level 1 switch. The servers in the BCube
have multiple ports attached. This allows extra devices to be used in the server.
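The connection rule above, worked through as an added example (not from the original notes). It assumes zero-based indices, n-port switches and n = 4 in the usage; the function names are illustrative.

```python
def build_bcube1(n):
    """Map (level, switch, port) -> server (j, i) for n BCube0 units of n servers."""
    ports = {}
    for j in range(n):              # j-th BCube0
        for i in range(n):          # i-th server inside it
            ports[("L0", j, i)] = (j, i)   # local switch of BCube0 j
            ports[("L1", i, j)] = (j, i)   # page's rule: port j of Level 1 switch i
    return ports

def route(src, dst):
    """Hops between two servers; switches appear as (level, index)."""
    (j1, i1), (j2, i2) = src, dst
    if src == dst:
        return [src]
    if j1 == j2:                    # same BCube0: one Level 0 switch
        return [src, ("L0", j1), dst]
    if i1 == i2:                    # same position: one Level 1 switch
        return [src, ("L1", i1), dst]
    relay = (j1, i2)                # a server forwards between its two ports
    return [src, ("L0", j1), relay, ("L1", i2), dst]

def path_is_wired(ports, path):
    """Check that every server/switch step of a path is a real cable."""
    cables = {((lvl, sw), srv) for (lvl, sw, _), srv in ports.items()}
    for a, b in zip(path, path[1:]):
        switch, server = (a, b) if isinstance(a[0], str) else (b, a)
        if (switch, server) not in cables:
            return False
    return True

if __name__ == "__main__":
    wiring = build_bcube1(4)
    hops = route((0, 1), (3, 2))
    print(hops, path_is_wired(wiring, hops))
```

Two servers that share neither a BCube0 nor a position are joined through a relay server, which is the server-centric routing described earlier in these notes.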
The proposed network was named MDCube (for Modularized Datacenter Cube). This network connects multiple BCube
containers by using high-speed switches in the BCube. Similarly, the MDCube is constructed by shuffling networks with
multiple containers.
4.2.5 Data-Center Management Issues
Here are basic requirements for managing the resources of a data center.
These suggestions have resulted from the design and operational experiences of many data centers in the IT and
service industries.
Google, Microsoft, and Amazon have used modular container-based systems for fast edge deployments.
Military and remote operations rely heavily on these for quick deployment.
"Custom-crafted" means:
• The design and construction are unique to each deployment.
• Servers, racks, cooling systems, and power are individually selected and installed on-site.
• The layout, equipment, and configuration are often tailored for specific needs or client preferences.
• Construction and setup might involve manual processes, engineering teams, and longer timelines.
All of this is usually hosted in data centers that are run by big cloud providers (like Amazon, Google, or Microsoft).
As a user, you don’t have to worry about how it all works behind the scenes.
In cloud computing:
• Software is delivered as a service (called SaaS – Software as a Service),
• And users must trust the cloud to safely store and manage huge amounts of data.
To handle all this data, we need a way to process large files across many servers, which is why cloud systems use something
called a distributed file system.
Other important pieces of the cloud setup include:
• Storage networks (SANs),
• Databases,
• Firewalls, and
• Security tools to keep everything safe.
Infrastructure Layer (IaaS – Infrastructure as a Service)
• What it is: Virtualized resources delivered over the internet.
• Who uses it: DevOps teams, IT administrators, system architects.
• Examples:
• Virtual machines (VMs)
• Storage services (e.g., Amazon S3, Google Cloud Storage)
• Networking (e.g., VPCs, load balancers)
• Popular services: AWS EC2, Google Compute Engine, Azure Virtual Machines
1. Data Breaches
Cloud environments store large amounts of user data (personal, financial, medical, etc.). A breach can expose this
data to hackers.
2. Unauthorized Access
Weak passwords, poor access control, or insider threats can allow unauthorized people to access sensitive data.
3. Data Loss
Data stored in the cloud may be lost due to accidental deletion, ransomware attacks, or service failure.
Example:
If an employee at a healthcare provider accidentally shares login credentials, hackers could access patients’ medical records
stored in the cloud, violating privacy laws like HIPAA.
Example:
In 2021, OVHcloud, a French cloud provider, experienced a major fire in its data centers. Several clients lost their data
permanently because they had no backups.
Example:
A company using a third-party cloud service may not know if their data is being stored in a country with weak data protection
laws.
Example:
A European company using a U.S.-based cloud provider may violate GDPR rules if the provider transfers data to non-compliant
countries.
11.2 CLOUD SECURITY RISKS
Traditional security threats, threats related to system availability, and threats related to third-party data control.
Before the rise of cloud computing, IT systems mostly ran on local servers or
on-premises data centers. These systems faced a range of traditional security
threats, which are still relevant today.
Threats Related to System Availability
System availability means that a computer system, network, or application is accessible and usable when needed.
Threats to availability can disrupt business operations, cause financial losses, and affect user trust.
Threats Related to Third-Party Data Control
When organizations use cloud services or outsource IT functions to third parties (like cloud providers, SaaS platforms,
or data centers), they often lose direct control over their data. This introduces a new category of security threats.
When an organization uses third-party services (like cloud storage, SaaS platforms, or outsourced IT providers), it gives partial
control of its data to an external entity. While this can improve efficiency, it introduces several security and privacy risks.
The 2010 Cloud Security Alliance (CSA) report, titled "Top Threats to Cloud Computing", identified key security
concerns in cloud environments. It outlined seven major threats:
Abuse of Cloud Services – Use for spamming, malware, etc.
Insecure APIs – Vulnerable interfaces allowing unauthorized access.
Malicious Insiders – Internal users misusing access.
Shared Technology Issues – Risks from multi-tenant infrastructure.
Data Loss/Leakage – Accidental or intentional data exposure.
Account Hijacking – Unauthorized access via phishing or theft.
Unknown Risk Profile – Lack of transparency from providers.
The report raised awareness about cloud-specific security challenges and laid the foundation for future CSA
guidelines.
The 2011 Cloud Security Alliance (CSA) report built upon the foundation laid by the 2010 report, continuing to
address the evolving security challenges in cloud computing. While the specific "Top Threats" list from 2011 isn't
detailed in the available sources, the CSA's ongoing efforts during that year included the release of Version 3 of the
"Security Guidance for Critical Areas of Focus in Cloud Computing," which emphasized security, stability, and privacy
in multi-tenant environments.
Additionally, the CSA's initiatives in 2011 focused on providing practical, actionable roadmaps for organizations to
adopt cloud computing securely, reflecting the rapidly changing landscape of cloud technologies and associated risks.
The three actors involved in the model considered are the user, the service, and the cloud infrastructure,
and there are six types of attacks possible.
The user can be attacked from two directions: the service and the cloud.
Secure Sockets Layer (SSL) certificate spoofing, attacks on browser caches, and phishing attacks are examples
of attacks that originate at the service.
The user can also be a victim of attacks that either truly originate or that spoof originating from the cloud
infrastructure.
The Cloud Controls Matrix (CCM) is a cybersecurity control framework developed by the Cloud Security Alliance
(CSA) specifically for cloud computing. It provides a detailed and structured set of security controls that help
organizations assess the security posture of cloud providers and ensure compliance with various regulations and
standards.
https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v3-0-1/
11.3 PRIVACY AND PRIVACY IMPACT ASSESSMENT
The term privacy refers to the right of an individual, a group of individuals, or an organization to keep information of
a personal nature or proprietary information from being disclosed.
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks
upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
This statement is from Article 12 of the Universal Declaration of Human Rights (UDHR), adopted by the
United Nations General Assembly in 1948.
Article 12 – Summary:
Protection of Privacy: No one should face unjust or arbitrary intrusions into their private life, family, home, or
communications.
Protection of Reputation: Individuals must also be shielded from attacks on their honor and reputation.
Right to Legal Protection: Everyone has the right to legal protection if such interference or attacks occur.
Purpose:
This article is a fundamental expression of the right to privacy and dignity, aiming to uphold human freedom and
security in both personal and public life. It is especially relevant in the digital age where privacy risks are more complex.
At the same time, the right to privacy is limited by laws. For example, the taxation laws require individuals to share
information about personal income or earnings. Individual privacy may conflict with other basic human rights e.g., with
freedom of speech.
In the digital age, people often share personal information online — like on social media, shopping websites, or apps.
But this has created new privacy problems for governments and lawmakers.
For example, if you give your name, email, or credit card info to a website, and that site is hacked or careless with your
data, someone might steal it. This stolen information can be used to pretend to be you — a crime called identity theft.
This kind of misuse of personal data is a big challenge today, and laws are struggling to keep up with how fast
technology is changing.
Some countries are taking stronger steps than others to protect people's privacy online. The European Union (EU) is
one of the strictest when it comes to how personal information is handled.
They introduced a new rule called the “right to be forgotten.” This means that people can ask websites to delete their
personal information, like old photos, posts, or other things that they don’t want online anymore.
The reason for this rule is that in the digital world, your past never really goes away — everything you post can stay on
the internet forever. The “right to be forgotten” helps people move on from their past and have more control over what
stays online about them.
Gmail privacy policy reads (see http://www.google.com/policies/privacy/ accessed on October 6, 2012)
Cloud Service Providers (CSPs) — the companies that store and manage data online — may use your
information without permission to make money. For example, they might use your data for targeted ads.
Right now, there’s no strong technology to completely stop this kind of misuse.
Also, when a CSP outsources work to others (called dynamic provisioning), things can get unclear or risky.
For example:
Who are the subcontractors handling your data?
What access or control do they have?
What happens to your data if the company goes bankrupt or merges with another?
Because of all these issues, we need better laws to protect people's privacy in the digital world.
The U.S. Federal Trade Commission (FTC) gave advice to Congress saying that websites that collect personal
information from users should follow four fair rules, known as Fair Information Practices:
Notice – Tell people what data is collected and how it will be used.
Choice – Give users options to agree or refuse data collection.
Access – Let users see and correct their own data.
Security – Protect the data from theft or misuse.
These rules help ensure that people have control and safety over their personal information online.
11.5 CLOUD DATA ENCRYPTION
Encryption = Locking your data with a secret key so no one else can read it.
What is Homomorphic Encryption?
Homomorphic encryption is a special type of encryption that allows computations to be done on encrypted
data — without needing to decrypt it first.
Imagine a hospital stores patient data encrypted in the cloud for privacy. A researcher wants to calculate the
average age of patients, but:
They are not allowed to see the actual ages because of privacy laws.
With homomorphic encryption, the cloud can calculate the average on encrypted ages and return an encrypted
result.
The researcher decrypts the final result — and sees the correct average, without ever seeing individual ages.