Maharana Pratap Group of Institutions, Mandhana, Kanpur

(Approved by AICTE, New Delhi and affiliated to AKTU, Lucknow)

Digital Notes
[Department of Computer Science Engineering]

Course : B.TECH
Branch : CSE 4th Yr

Subject Name : Cloud Computing

Prepared by : Mr. Abhishek Singh Sengar
Syllabus
• Resource management and security in cloud –
Inter-cloud resource management
• Resource provisioning and resource
provisioning methods, global exchange of
cloud resources, security overview, cloud
security challenges, SaaS security, security
governance, virtual machine security, IAM,
security standards
Resource Management in Cloud Computing
• The term resource management refers to the
operations used to control how capabilities
provided by Cloud resources and services are
made available to other entities, whether
users, applications, or services.
• Types of Resources
• Physical Resource: Computer, disk,
database, network, etc.
• Logical Resource: Execution, monitoring,
and communication between applications
• Resource Management in Cloud Computing Environment
• On the Cloud Vendor’s View
• Provision resources on an on-demand basis.
• Energy conservation and proper utilization are maintained in
Cloud Data Centers
• On the Cloud Service Provider’s View
• To make available the best-performing resources at the
cheapest cost.
• QoS (Quality of Service) to their cloud users
• On the Cloud User’s View
• Renting resources at a low price without compromising
performance
• The cloud provider guarantees to provide a minimum level of
service to the user
Resource Management Models
• 1. Compute Model
• 2. Data Model
• 3. Programming Model
• 4. Security Model
Compute Model
• A resource in the cloud is shared by all users at the same time. It allows the user to reserve the VM’s
memory to ensure that the memory size requested by the VM is always available to operate locally on
clouds, with a good enough level of QoS (Quality of Service) being delivered to the end user.
• The Grid strictly manages the workload in compute mode. A local resource manager such as Portable
Batch System, Condor, or Sun Grid Engine manages the compute resources of a Grid site and identifies
the user who may run the job.
• Data Model
• It is related to plotting, separating, querying, transferring, caching, and replicating data.
• Data is Stored at an Un-Trusted Host:- Although it may not seem the best policy to store data and
let others use the data without permission, moving data off-premises increases the number of
potential security risks.
• Data Replication over Large Areas:- Making sure data is available and durable whenever
demanded is of utmost importance for cloud storage providers. Data availability and durability are
typically achieved through under-the-covers replication, i.e., data is automatically replicated without
customer interference or requests.
• Problems with Data Management:- Transactional data management is one of the biggest data
management problems. It is hard to ensure that Atomicity, Consistency, Isolation, and Durability are
maintained during data replication over large distances. It is also risky to store such sensitive data in
untrusted storage.
• Virtualization
• It is the method by which we can create an emulation of
software or hardware on our computer. It has two further
components:-
• Abstraction:- Provides the necessary virtual versions of
raw compute, storage, and network that can be unified as
a pool of resources and a resource overlay which includes
data storage services and a web hosting environment.
• Encapsulation:- A virtual machine can be represented as
a single file. Virtualization configures, deploys, starts,
migrates, suspends, resumes, and stops each
application. It provides better security, manageability, and
isolation.
• Monitoring
• The challenge that virtualization brings is that users don’t have a lot of
control over the monitoring resource. Monitoring is the method of reviewing,
observing, and managing the operation of a cloud-based IT infrastructure.
• In Cloud: Different levels of service can be offered to end users. The
user is only exposed to a limited Application Programming Interface, and
lower-level resources are not revealed to the user (at the PaaS and SaaS levels
some providers may choose to expose monitoring information). The user does
not have the capability to deploy a monitoring infrastructure of its own. The
limited information returned to users restricts their knowledge about the current
status of the resource. Monitoring is required to track business activity, update,
inspect and troubleshoot the servers of the cloud organization, monitor virtual
machines, and keep the hardware functioning.
• In Grid: Has a different trust model, in which users, via identity
delegation, can access and browse resources at different Grid sites, and
Grid resources are not as highly abstracted and virtualized as in Clouds.
• Programming Model
• User-level programming languages are used for accessing and
operating the cloud.
• In Cloud: Makes use of Web Services, where users have more
control over the Cloud Services. Translating data for the
receiving system and exchanging data in real time between systems
without middleware, for all services and applications, remain a
big challenge.
• In Grid: Makes use of a parallel and distributed computing
environment
• Challenges:
1. Multiple service providers allow clients to access data with little
authorization or authentication
2. Diversity in resources in turn affects performance and stability
3. Error handling in a continuously changing business environment
Security Model
• Allows users to control the security of their own data
by maintaining passwords and receiving any news
regarding suspicious activity with their data via
email.
• Risks in the Security Model:-
1. Privileged user access
2. Regulatory compliance
3. Data location
4. Data partition
5. Recovery
6. Investigation support
7. Long-term durability
Extended Cloud Computing Services
Six layers of cloud services
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
• Hardware / Virtualization Cloud Services (HaaS)
• Network Cloud Services (NaaS)
• Collocation Cloud Services (LaaS)
• The top layer offers SaaS, which provides cloud applications.
• PaaS sits on top of the IaaS infrastructure.
• The bottom three layers are more related to physical requirements.
• The bottommost layer provides Hardware as a Service (HaaS).
• NaaS is used for interconnecting all the hardware components.
• Location as a Service (LaaS) provides security to all the
physical hardware and network resources. This service is also
called Security as a Service.
• The cloud infrastructure layer can be further subdivided as
• Data as a Service (DaaS)
• Communication as a Service (CaaS)
• Infrastructure as a Service (IaaS)
• Cloud players are divided into three classes:
• Cloud service providers and IT administrators
• Software developers or vendors
• End users or business users
Cloud Differences in Perspective of
Providers, Vendors, and Users
Cloud Service Tasks and Trends
• SaaS is mostly used for Business Applications
• E.g.: CRM (Customer Relationship Management), used
for business promotion, direct sales, and marketing
services
• PaaS is provided by Google, Salesforce.com, and
Facebook, etc.
• IaaS is provided by Amazon, Windows Azure, and
Rackspace, etc.
• Collocation services provide security to the lower layers.
Network cloud services provide communications.
Software Stack for Cloud Computing
• The software stack structure of cloud
computing software can be viewed as layers.
• Each layer has its own purpose and provides
the interface for the upper layers.
• The lower layers are not completely
transparent to the upper layers.
Runtime Support Services
• Runtime support refers to software needed in
applications.
• SaaS provides the software applications as
a service, rather than requiring users to purchase
the software. On the customer side, there is
no upfront investment in servers.
Resource Provisioning (Providing) and
Platform Deployment
• There are techniques to provision computer resources or VMs. Parallelism is
exploited at the cluster node level.
• Provisioning of Compute Resources (VMs)
• Providers supply cloud services by signing SLAs with end users.
• The SLAs must specify resources such as
• CPU
• Memory
• Bandwidth
• Users can use these for a preset (fixed) period.
• Under-provisioning of resources will lead to broken SLAs and penalties.
• Over-provisioning of resources will lead to resource underutilization and,
consequently, a decrease in revenue for the provider.
• Provisioning of resources to users is a challenging problem. The difficulty
comes from the following:
• Unpredictability of consumer demand
• Software and hardware failures
• Heterogeneity of services
• Power management
• Conflict in signed SLAs between consumers and service providers
Inter-Cloud Resource Management
• A theoretical model for cloud computing services is referred to as
the “inter-cloud” or “cloud of clouds”: combining numerous
separate clouds into a single fluid mass for on-demand
operations. Simply put, the inter-cloud would ensure that a cloud
could utilize resources outside of its range using current
agreements with other cloud service providers. There are limits to
the physical resources and the geographic reach of any one cloud.
• Need for the Inter-Cloud
• Due to their physical resource limits, Clouds have certain
drawbacks:
• When a cloud’s computational and storage capacity is completely
depleted, it is unable to serve its customers.
• The Inter-Cloud addresses these circumstances, where one cloud
would access the computing, storage, or any other resource of the
infrastructures of other clouds.
Benefits of the Inter-Cloud Environment include:
• Avoiding vendor lock-in for the cloud
client
• Having access to a variety of
geographical locations, as well as
enhanced application resiliency.
• Better service level agreements
(SLAs) for the cloud client
• Expand-on-demand is an advantage
for the cloud provider
Inter-Cloud Resource Management
• A cloud infrastructure’s processing and storage capacity
could be exhausted. The inter-cloud combines numerous separate
clouds into a single fluid mass for on-demand operations.
Simply put, the inter-cloud would ensure that a cloud could
utilize resources outside of its own range, so that requests for
service allocations received from its clients would still be met.
Types of Inter-Cloud Resource Management
1. Federation Clouds: A federation cloud is a kind of inter-cloud
where several cloud service providers willingly link their cloud
infrastructures together to exchange resources. Cloud service
providers in the federation trade resources in an open manner.
With the aid of this inter-cloud technology, private cloud
portfolios, as well as government clouds (those utilized and
owned by non-profits or the government), can cooperate.
2. Multi-Cloud: A client or service makes use of numerous
independent clouds in a multi-cloud. A multi-cloud ecosystem
lacks voluntarily shared infrastructure across cloud service
providers. It is the client’s or their agents’ obligation to manage
resource supply and scheduling. This strategy is utilized to use
assets from both public and private cloud portfolios. These
multi-cloud kinds include services and libraries.
Topologies used in Inter-Cloud Architecture
• 1. Peer-to-Peer Inter-Cloud
Federation: Clouds work together
directly, but they may also utilize
distributed entities as directories or
brokers. Clouds communicate and
engage in direct negotiation without the
use of intermediaries. A peer-to-peer
federation inter-cloud project is
RESERVOIR (Resources and Services
Virtualization without Barriers).
• 2. Centralized Inter-Cloud
Federation: In the cloud, resource sharing is
carried out or facilitated by a central
body. The central entity serves as a
registry for the available cloud
resources. The inter-cloud initiatives
Dynamic Cloud Collaboration (DCC)
and Federated Cloud Management
leverage centralized inter-cloud
federation.
• 3. Multi-Cloud Service: Clients use a
service to access various clouds. The
cloud client hosts a service either
internally or externally. The services
include elements for brokers. The
inter-cloud initiatives OPTIMUS,
Contrail, MOSAIC, STRATOS, and
commercial cloud management
solutions leverage multi-cloud services.
Difficulties with Inter-Cloud Research
• The needs of cloud users frequently call for various resources, and the needs are
often variable and unpredictable. This element creates challenging issues with
resource provisioning and application service delivery. The difficulties in
federating cloud infrastructures include the following:
• Prediction of Application Service Behaviour: It is essential that the system
be able to predict customer wants and service behaviour. It cannot make rational
decisions to dynamically scale up and down until it has the ability to predict. It is
necessary to construct prediction and forecasting models. Building models that
accurately learn and fit statistical functions suited to various behaviours is a
difficult task. Correlating a service’s various behaviours can be more difficult.
• Flexible Service-Resource Mapping: Due to high operational expenses and
energy demands, it is crucial to enhance efficiency, cost-effectiveness, and
usage. A difficult process of matching services to cloud resources results from
the system’s need to calculate the appropriate software and hardware
combinations. The QoS targets must be met simultaneously with the highest
possible system utilization and efficiency throughout the mapping of services.
• Techniques for Optimization Driven by Economic Models: An approach to
decision-making that is driven by the market and looks for the best possible
combinations of services and deployment strategies is known as combinatorial
optimization. It is necessary to create optimization models that address both
resource- and user-centered QoS objectives.
• Integration and Interoperability: SMEs may not be able to migrate to the
cloud since they have a substantial number of on-site IT assets, such as
business applications. Due to security and privacy concerns, sensitive data in
an organization may not be moved to the cloud. In order for on-site assets and
cloud services to work together, integration and interoperability are required. It
is necessary to find solutions for the problems of identity management, data
management, and business process orchestration.
• Monitoring System Components at Scale: In spite of the distributed nature
of the system’s components, centralized procedures are used for system
management and monitoring. The management of multiple service queues and
a high volume of service requests raises issues with scalability, performance,
and reliability, making centralized approaches ineffective. Instead, architectures
based on decentralized messaging and indexing models are required,
which can be used for service monitoring and management services.
Identity and Access Management (IAM)
• Identity and Access Management (IAM) is a combination of
policies and technologies that allows organizations to identify
users and provide the right form of access as and when required.
• There has been a burst of new applications in the market, and the
requirement for an organization to use these applications has
increased drastically. The services and resources you want to access
can be specified in IAM.
• IAM doesn’t provide any replica or backup. IAM can be used for
many purposes, such as controlling individual and group access to
your AWS resources. With IAM policies,
managing permissions for your workforce and systems to ensure
least-privilege permissions becomes easier. AWS IAM is a global
service.
Components of Identity and Access Management (IAM)
• Users
• Roles
• Groups
• Policies
IAM Identities Classified As
• IAM Users
• IAM Groups
• IAM Roles
• Root User: The root user is created automatically and
granted unrestricted rights. We can create an admin user
with fewer powers to control the entire Amazon account.
• IAM Users: We can utilize IAM users to access the AWS
Console; their administrative permissions differ from
those of the Root user, and we can keep track of their
login information.
Example
• With the aid of IAM users, we can accomplish our goal of giving a specific person
access to every service available in the Amazon dashboard with only a limited set of
permissions, such as read-only access. Let’s say user-1 is a user that I want to have
read-only access to the EC2 instance and no additional permissions, such as create,
delete, or update. By creating an IAM user and attaching user-1 to that IAM user, we
may allow the user access to the EC2 instance with the required permissions.
• IAM Groups: A group is a collection of users, and a single person can be a member
of several groups. With the aid of groups, we can manage permissions for many
users quickly and efficiently.
• Example
• Consider two users named user-1 and user-2. If we want to grant user-1 specific
permissions, such as the ability to delete, create, and update the auto-scaling group
only, and if we want to grant user-2 all the necessary permissions to maintain the
auto-scaling group as well as the ability to maintain EC2 and S3, we can create groups
and add these users to them. If a new user is added, we can add that user to the
required group with the necessary permissions.
IAM Roles
• While policies cannot be directly given to any of the
services accessible through the Amazon dashboard, IAM
roles are similar to IAM users in that they may be assumed
by anybody who requires them. By using roles, we can
grant AWS services access rights to other AWS services.
• Example
• Consider Amazon EKS. In order to maintain an autoscaling
group, Amazon EKS needs access to EC2 instances. Since we
can’t attach policies directly to EKS in this situation, we
must build a role, attach the necessary policies to
that specific role, and attach that particular role to EKS.
IAM Policies
• IAM Policies manage access to AWS by being attached
to IAM identities or resources. IAM policies
define the permissions of AWS identities and AWS resources;
when a user or any resource makes a request, AWS
validates these policies and confirms whether the request
is to be allowed or denied.
• AWS policies are stored in JSON format. The
number of policies to be attached to a particular IAM
identity depends upon the number of permissions required for
that IAM identity; an IAM identity can have multiple policies
attached to it.
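The allow/deny decision described above, and the user-1 / auto-scaling-group examples from the earlier slides, as an added example that is not AWS code and not code from these notes: a simplified Python model of how identity-based policy statements are evaluated (implicit deny, an explicit Deny overrides any Allow, wildcard matching of actions and resource ARNs). The policy documents, account id, instance ids and ARNs are constructed for the example; Condition elements, NotAction, resource-based policies and SCPs are deliberately left out.

```python
import re


def wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters (including
    ':' and '/'), '?' matches exactly one character. Action names are matched
    case-insensitively, resource ARNs case-sensitively."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """A statement applies when both its Action and Resource patterns match."""
    actions = as_list(stmt.get("Action", []))
    resources = as_list(stmt.get("Resource", []))
    return (any(wildcard_match(a, action, ignore_case=True) for a in actions)
            and any(wildcard_match(r, resource) for r in resources))


def evaluate(policies: list, action: str, resource: str) -> str:
    """Decide a request against every attached policy.
    Precedence for identity-based policies: implicit deny unless some
    statement allows; an applicable explicit Deny wins over any Allow."""
    allowed = False
    for policy in policies:
        for stmt in as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            if stmt["Effect"] == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"


# Constructed policy documents (account id and instance ids are made up).
EC2_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
    ],
}
AUTOSCALING_OPERATORS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["autoscaling:*", "ec2:*"], "Resource": "*"},
        # Guard rail: even with ec2:* allowed, instances whose constructed id
        # starts with i-0prod cannot be terminated, because Deny wins.
        {"Effect": "Deny", "Action": "ec2:TerminateInstances",
         "Resource": "arn:aws:ec2:*:*:instance/i-0prod*"},
    ],
}
DEV_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0dev00001"
PROD_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0prod0001"
ASG = "arn:aws:autoscaling:us-east-1:123456789012:autoScalingGroup:uuid:autoScalingGroupName/web"


def user1_decisions() -> dict:
    """user-1 from the notes: read-only on EC2, nothing else."""
    return {action: evaluate([EC2_READ_ONLY], action, DEV_INSTANCE)
            for action in ("ec2:DescribeInstances", "ec2:RunInstances",
                           "ec2:TerminateInstances")}


def operator_decisions() -> dict:
    """Members of the auto-scaling operators group: broad rights, one Deny."""
    return {
        "update_asg": evaluate([AUTOSCALING_OPERATORS],
                               "autoscaling:UpdateAutoScalingGroup", ASG),
        "terminate_dev": evaluate([AUTOSCALING_OPERATORS],
                                  "ec2:TerminateInstances", DEV_INSTANCE),
        "terminate_prod": evaluate([AUTOSCALING_OPERATORS],
                                   "ec2:TerminateInstances", PROD_INSTANCE),
    }


if __name__ == "__main__":
    print(user1_decisions())
    print(operator_decisions())
```

The two points worth checking against the real service are that a request matching no statement at all is denied (the empty-policy case) and that a Deny statement takes effect even when a broader Allow in the same or another policy covers the same action.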
Access Management for AWS Resources / Identity Management
• Access management
• Federation
• RBAC/EM
• Multi-Factor authentication
• Access governance
• Customer IAM
• API Security
• IDaaS – Identity as a Service
• Granular permissions
• Privileged Identity Management – PIM (PAM and PIM refer to the
same thing)
Benefits of IAM Systems
• Enhanced Security: IAM prevents unauthorized access to sensitive data
and systems, thus minimizing access by unauthorized personnel.
• Improved Compliance: It also guarantees that the organization complies
with the legal requirements concerning access control as well as the
tracking of activities performed by users.
• Increased Productivity: Automates the processes of managing
users and access, thus minimizing the number of manual operations
and providing faster access to the required resources.
• Reduced Risk: Strict access protocols reduce internal risks and data losses.
• Centralized management is capable of consolidating identity and
company access control and enforcing the same across different
systems
Importance of IAM for Organizations

• Security: IAM makes certain that only the right people are given access to
core systems and information and thus safeguards organizations from
threats within and outside.
• Regulatory Compliance: IAM aids organizations in meeting legal and
industry compliance requirements by controlling access and keeping
log records of user activities.
• Operational Efficiency: IAM provides means of minimizing workload to IT
teams by automating tasks such as onboarding, offboarding, and shifts in
user roles.
• Risk Mitigation: IAM also helps in combating data breaches and
cyber attacks since it has strict measures towards providing access to users.
• User Experience: It provides easier access to the firm’s partners,
employees, and customers in interacting with the systems with increased
security, thus enhancing productivity and customer satisfaction.
IAM and Compliance Regulations
• Access Control: IAM helps in authorizing only the right people to access
information; this complies with data protection laws such as GDPR
and HIPAA.
• Audit Trails: Saves a rich history of user activities to assist in audits
and other reporting requirements.
• Segregation of Duties: Implements strict access control with respect
to the roles that staff are to undertake, to avoid breaching
conflict-of-interest rules as provided by SOX and its equivalents.
• Data Protection: Enhances data protection; the program is useful in
supporting compliance with data security policies in line with
PCI-DSS and other standards.
• User Authentication: Provides multi-factor authentication, thus
satisfying security standards for many compliance programs.
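An audit trail is only useful if someone reviews it. As an added example (not AWS tooling and not code from these notes), the Python below reads constructed CloudTrail-style console sign-in records and raises the three findings the Access Control, Audit Trails and User Authentication points call for: root account sign-ins, successful sign-ins without MFA, and repeated failed sign-ins for one user from one address. Field names follow the CloudTrail record format (eventName, userIdentity, additionalEventData.MFAUsed, responseElements.ConsoleLogin); every value is invented, and the threshold of three failures is this example's own assumption.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records (JSON lines). Field names follow the
# CloudTrail format; user names, times and addresses are invented.
SAMPLE_LOG = """\
{"eventTime":"2024-01-10T08:00:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"user-1"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-01-10T08:05:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"Root","userName":"root"},"sourceIPAddress":"198.51.100.7","additionalEventData":{"MFAUsed":"Yes"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-01-10T09:00:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"user-2"},"sourceIPAddress":"203.0.113.5","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventTime":"2024-01-10T09:10:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"user-3"},"sourceIPAddress":"203.0.113.9","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-01-10T09:11:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"user-3"},"sourceIPAddress":"203.0.113.9","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-01-10T09:12:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"user-3"},"sourceIPAddress":"203.0.113.9","additionalEventData":{"MFAUsed":"No"},"responseElements":{"ConsoleLogin":"Failure"}}
{"eventTime":"2024-01-10T10:00:00Z","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"user-1"},"sourceIPAddress":"198.51.100.7"}
"""


def parse_events(text: str) -> list:
    """One JSON object per line; blank and malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def review_sign_ins(events: list, failure_threshold: int = 3) -> list:
    """Return (finding, user, detail) tuples for console sign-in events."""
    findings = []
    failures = Counter()
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue  # API calls are out of scope for this sign-in review
        identity = ev.get("userIdentity", {})
        user = identity.get("userName", "<unknown>")
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        mfa_used = ev.get("additionalEventData", {}).get("MFAUsed")
        if identity.get("type") == "Root":
            # The root account should not be used for day-to-day sign-ins at all.
            findings.append(("root-login", user, ev.get("eventTime")))
        if outcome == "Success" and mfa_used != "Yes":
            findings.append(("login-without-mfa", user, ev.get("eventTime")))
        if outcome == "Failure":
            failures[(user, ev.get("sourceIPAddress"))] += 1
    for (user, ip), count in failures.items():
        if count >= failure_threshold:
            findings.append(("repeated-failures", user, f"{count} failures from {ip}"))
    return findings


def finding_counts(findings: list) -> Counter:
    """Summary by finding type, handy for a daily report."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    for finding in review_sign_ins(parse_events(SAMPLE_LOG)):
        print(*finding)
```

Malformed lines are skipped rather than aborting the run so one bad record does not hide the rest of the day's sign-ins; in a real pipeline they should be counted and reported too.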
IAM Technologies and Tools
• Single Sign-On (SSO): Lets a user log in once and use multiple
applications, as well as giving more security to the
services. Example: Okta and Microsoft Azure AD.
• Multi-Factor Authentication (MFA): Requires you to
verify your account in two or more ways to boost its security.
Example: Two-factor authentication
applications such as Duo Security and Google Authenticator.
• Role-Based Access Control (RBAC): Secures the system based on
employees’ roles, where the user has the least privilege needed to access
the system. Example: IBM Security Identity Manager.
• Privileged Access Management (PAM): Performs functions associated
with obtaining and maintaining high levels of access to (“privileged”)
computing resources. Example: CyberArk, BeyondTrust.
Resource Access Control
• Identity and Access Management (IAM) allows you to manage the
permissions to resources in the AWS cloud, like which users can access
a particular service and to what extent; and instead of maintaining the permissions
individually, you can manage the permissions for a group of users at a time.
• Managing permissions: For example, if you want to assign a permission to a
user so that he/she can only perform the restart-instance task on an AWS EC2 instance,
then you can do so using AWS IAM.
• Implementing role-based access control (RBAC): Identity and Access
Management (IAM) helps you to manage permissions based on roles.
Roles help to assign permissions to resources in AWS, like
which resource can access another resource, according to the requirement.
• Enabling single sign-on (SSO): Identity and Access Management helps you to
maintain the same password and user name, which reduces the effort of
remembering different passwords.
IAM Features
• Shared Access to your Account: A team working on a project can easily
share resources with the help of the shared access feature.
• Free of cost: The IAM feature of the AWS account is free to use; charges are
added only when you access other Amazon web services using IAM users.
• Centralized control over your AWS account: Any new creation of
users or groups, or any form of cancellation that takes place in the
AWS account, is controlled by you, and you have control over what data
can be accessed by the user and how.
• Grant permission to the user: As the root account holds administrative
rights, the user is granted permission to access certain services through
IAM.
• Multi-factor Authentication: An additional layer of security is implemented on
your account by a third party: a six-digit number that you have to enter along
with your password when you log in to your account.
Accessing IAM
• AWS Console: Access AWS IAM through the GUI. It is
a web application provided by AWS (Amazon Web
Services); it is the console where users can access the
AWS services.
• AWS Command Line Tools: Instead of using the
console, you can use the command line interface
(CLI) to access the AWS web application. You can
automate the process by using scripts.
• IAM Query API: Programmatic access to IAM and AWS
by allowing you to send HTTPS requests directly to the
service.
Security Issues in Cloud Computing
• 1. Data Loss
• 2. Interference of Hackers and Insecure APIs
• 3. User Account Hijacking
• 4. Changing Service Provider
• 5. Lack of Skill
• 6. Denial of Service (DoS) attack
• 7. Shared Resources
• 8. Compliance and Legal Issues
• 9. Data Encryption
• 10. Insider Threats
Security Issues in Cloud Computing
• Data Loss –
Data Loss is one of the issues faced in Cloud Computing. This is also known as
Data Leakage. As we know, our sensitive data is in the hands of somebody
else, and we don’t have full control over our database. So, if the security of the
cloud service is broken by hackers, then it may be possible that hackers will get
access to our sensitive data or personal files.
• Interference of Hackers and Insecure APIs –
As we know, if we are talking about the cloud and its services, it means we are
talking about the Internet. Also, we know that the easiest way to communicate
with the Cloud is using an API. So it is important to protect the interfaces and APIs
which are used by external users. But also, in cloud computing, a few services are
available in the public domain; these are the vulnerable part of Cloud Computing,
because it may be possible that these services are accessed by some third
parties. So, it may be possible that with the help of these services hackers can
easily hack or harm our data.
• User Account Hijacking –
Account Hijacking is the most serious security issue in Cloud Computing. If somehow the
account of a user or an organization is hijacked by a hacker, then the hacker has full authority
to perform unauthorized activities.

• Changing Service Provider –
Vendor lock-in is also an important security issue in Cloud Computing. Many organizations
will face different problems while shifting from one vendor to another. For example, if an
organization wants to shift from AWS Cloud to Google Cloud Services, then they face various
problems like shifting all the data; also, both cloud services have different techniques and
functions, so they also face problems regarding that. Also, it may be possible that the
charges of AWS are different from Google Cloud, etc.
• Lack of Skill –
Working, shifting to another service provider, needing an extra feature, how to use a
feature, etc. are the main problems caused in IT companies that don’t have skilled
employees. So it requires a skilled person to work with Cloud Computing.
• Denial of Service (DoS) attack –
This type of attack occurs when the system receives too much traffic.
Mostly DoS attacks occur in large organizations such as the banking
sector, government sector, etc. When a DoS attack occurs, data is lost. So,
in order to recover data, it requires a great amount of money as well as
time to handle it.
• Shared Resources: Cloud computing relies on a shared infrastructure. If
one customer’s data or applications are compromised, it may potentially
affect other customers sharing the same resources, leading to a breach of
confidentiality or integrity.
• Compliance and Legal Issues: Different industries and regions have
specific regulatory requirements for data handling and storage. Ensuring
compliance with these regulations can be challenging when data is stored
in a cloud environment that may span multiple jurisdictions.
• Data Encryption: While data in transit is often encrypted, data at rest can be susceptible to
breaches. It’s crucial to ensure that data stored in the cloud is properly encrypted to prevent
unauthorized access.
• Insider Threats: Employees or service providers with access to cloud systems may misuse their
privileges, intentionally or unintentionally causing data breaches. Proper access controls and
monitoring are essential to mitigate these threats.
• Data Location and Sovereignty: Knowing where your data physically resides is important for
compliance and security. Some cloud providers store data in multiple locations globally, and
this may raise concerns about data sovereignty and who has access to it.
• Loss of Control: When using a cloud service, you are entrusting a third party with your data
and applications. This loss of direct control can lead to concerns about data ownership, access,
and availability.
• Incident Response and Forensics: Investigating security incidents in a cloud environment can
be complex. Understanding what happened and who is responsible can be challenging due to
the distributed and shared nature of cloud services.
• Data Backup and Recovery: Relying on cloud providers for data backup and recovery can be
risky. It’s essential to have a robust backup and recovery strategy in place to ensure data
availability in case of outages or data loss.
• Vendor Security Practices: The security practices of cloud
service providers can vary. It’s essential to thoroughly assess
the security measures and certifications of a chosen provider
to ensure they meet your organization’s requirements.
• IoT Devices and Edge Computing: The proliferation of IoT
devices and edge computing can increase the attack surface.
These devices often have limited security controls and can be
targeted to gain access to cloud resources.
• Social Engineering and Phishing: Attackers may use social
engineering tactics to trick users or cloud service providers
into revealing sensitive information or granting unauthorized
access.
Thank You