FCC - Module IV - Resource Management and Security in Cloud

The document outlines the foundations of cloud computing, focusing on resource management and security. It discusses inter-cloud resource management, various resource provisioning methods, and the challenges of security in cloud environments. Key topics include the importance of service level agreements (SLAs), the implications of resource provisioning strategies, and the security issues that cloud computing faces, such as data breaches and user authentication.

Uploaded by sivanikesh002

Revolutionising B.Tech
23TCSE305 – FOUNDATIONS OF CLOUD COMPUTING

Module IV - Resource Management and Security in Cloud
Table of Content
• Aim
• Objectives
• Inter Cloud Resource Management
• Resource Provisioning
• Resource Provisioning Methods
• Global Exchange of Cloud Resources
• Security Overview
• Security Governance
• Virtual Machine Security – IAM
• Self Assessments
• Terminal Questions
• Reference Links*
• Thank You
Aim

To Interpret the Resource Management and Security Models in the Cloud Environment

Objective
a. Explain Inter Cloud Resource Management.
b. Understand the Resource Provisioning Methods.
c. Analyse Security and its Challenges in Cloud Computing.
d. Explain how the Virtual Machine is implemented in the Cloud.
Inter Cloud Resource Management
• Inter Cloud Resource Management characterizes the various cloud service models and their extensions.
• The cloud service trends are outlined.
• Cloud resource management and intercloud resource exchange schemes are reviewed.
1. Extended Cloud Computing Services
• The following figure shows six layers of cloud services, ranging from hardware, network, and collocation to infrastructure, platform, and software applications.
• We already introduced the top three service layers as SaaS, PaaS, and IaaS, respectively.
A stack of six layers of cloud services and their providers
Inter Cloud Resource Management
• The cloud platform provides PaaS, which sits on top of the IaaS infrastructure.
• The top layer offers SaaS.
• These must be implemented on the cloud platforms provided.
• Although the three basic models are dissimilar in usage, as shown in the table below, they are built one on top of another.
Inter Cloud Resource Management
• The implication is that one cannot launch SaaS applications without a cloud platform.
• The cloud platform cannot be built if compute and storage infrastructures are not there.
• The bottom three layers are more related to physical requirements.
• The bottommost layer provides Hardware as a Service (HaaS).
• The next layer is for interconnecting all the hardware components, and is simply called Network as a Service (NaaS).
• Virtual LANs fall within the scope of NaaS.
• The next layer up offers Location as a Service (LaaS), which provides a collocation service to house, power,
Inter Cloud Resource Management
• Some authors say this layer provides Security as a Service (“SaaS”).
• The cloud infrastructure layer can be further subdivided as Data as a Service (DaaS) and Communication as a Service (CaaS) in addition to compute and storage in IaaS.
• As shown in Table 4.7, cloud players are divided into three classes:
(1) cloud service providers and IT administrators,
(2) software developers or vendors, and
(3) end users or business users.
These cloud players vary in their roles under the IaaS, PaaS, and SaaS models.
Inter Cloud Resource Management
• The table entries distinguish the three cloud models as viewed by different players.
• From the software vendors’ perspective, application performance on a given cloud platform is most important.
• From the providers’ perspective, cloud infrastructure performance is the primary concern.
• From the end users’ perspective, the quality of services, including security, is the most important.
Inter Cloud Resource Management
1.1 Cloud Service Tasks and Trends
• Cloud services are introduced in five layers.
• The top layer is for SaaS applications, further subdivided into five application areas, mostly for business applications.
• For example, CRM is heavily practiced in business promotion, direct sales, and marketing services.
• CRM offered the first successful SaaS on the cloud.
• The approach is to widen market coverage by investigating customer behaviors and revealing opportunities by statistical analysis.
• SaaS tools also apply to distributed collaboration, and financial and human resources management.
• These cloud services have been growing rapidly in recent
Inter Cloud Resource Management
• PaaS is provided by Google, Salesforce.com, and Facebook, among others.
• IaaS is provided by Amazon, Windows Azure, and Rackspace, among others.
• Collocation services require multiple cloud providers to work together to support supply chains in manufacturing.
• Network cloud services provide communications such as those by AT&T, Qwest, and AboveNet.
1.2 Software Stack for Cloud Computing
• Despite the various types of nodes in the cloud computing
cluster, the overall software stacks are built from scratch to
meet rigorous goals.
• Developers have to consider how to design the system to
meet critical requirements such as high throughput, HA, and
fault tolerance.
Inter Cloud Resource Management
1.3 Runtime Support Services
• As in a cluster environment, there are also some runtime supporting services in the cloud computing environment.
• Cluster monitoring is used to collect the runtime status of the entire cluster.
• The scheduler queues the tasks submitted to the whole cluster and assigns the tasks to the processing nodes according to node availability.
• The distributed scheduler for the cloud application has special characteristics that can support cloud applications, such as scheduling programs written in MapReduce style.
• Runtime support is software needed in browser-initiated applications used by thousands of cloud customers.
Inter Cloud Resource Management
• The SaaS model provides the software applications as a service, rather than letting users purchase the software.
• As a result, on the customer side, there is no upfront investment in servers or software licensing.
• On the provider side, costs are rather low, compared with conventional hosting of user applications.
• The customer data is stored in the cloud, which is either vendor proprietary or a publicly hosted cloud supporting PaaS and IaaS.
Resource Provisioning
• The emergence of computing clouds suggests fundamental
changes in software and hardware architecture.
• Cloud architecture puts more emphasis on the number of
processor cores or VM instances.
• Parallelism is exploited at the cluster node level.
Provisioning of Compute Resources (VMs)
• Providers supply cloud services by signing SLAs with end
users.
• The SLAs must commit sufficient resources such as CPU,
memory, and bandwidth that the user can use for a preset
period.
• Under provisioning of resources will lead to broken SLAs and
penalties.
• Overprovisioning of resources will lead to resource
underutilization, and consequently, a decrease in revenue for
Resource Provisioning
• Deploying an autonomous system to efficiently provision
resources to users is a challenging problem.
• The difficulty comes from the unpredictability of consumer
demand, software and hardware failures, heterogeneity of
services, power management, and conflicts in signed SLAs
between consumers and service providers.
• Efficient VM provisioning depends on the cloud architecture
and management of cloud infrastructures.
• Resource provisioning schemes also demand fast discovery
of services and data in cloud computing infrastructures.
• In a virtualized cluster of servers, this demands efficient
installation of VMs, live VM migration, and fast recovery from
failures.
Resource Provisioning
• To deploy VMs, users treat them as physical hosts with
customized operating systems for specific applications.
• For example, Amazon’s EC2 uses Xen as the virtual
machine monitor (VMM). The same VMM is used in IBM’s
Blue Cloud.
• In the EC2 platform, some predefined VM templates are
also provided.
• Users can choose different kinds of VMs from the
templates.
• IBM’s Blue Cloud does not provide any VM templates.
• In general, any type of VM can run on top of Xen.
• Microsoft also applies virtualization in its Azure cloud
platform.
• The provider should offer resource-economic services.
Resource Provisioning Methods
• The following figure shows three cases of static cloud resource provisioning policies.
• In case (a), overprovisioning for the peak load causes heavy resource waste (shaded area).
• In case (b), underprovisioning (along the capacity line) of resources results in losses for both user and provider: paid demand by the users (the shaded area above the capacity) is not served, and wasted resources still exist in those demand areas below the provisioned capacity.
• In case (c), constant provisioning of resources with fixed capacity against a declining user demand could result in even worse resource waste.
• The user may give up the service by canceling the demand, resulting in reduced revenue for the provider.
• Both the user and provider may be losers in resource
Resource Provisioning Methods
• Three cases of cloud resource provisioning without elasticity: (a) heavy waste due to overprovisioning, (b) underprovisioning, and (c) under- and then overprovisioning.
Resource Provisioning Methods
• Three resource-provisioning methods are presented in the
following sections.
• The demand-driven method provides static resources and
has been used in grid computing for many years.
• The event-driven method is based on predicted workload
by time.
• The popularity-driven method is based on Internet traffic
monitored.
1. Demand-Driven Resource Provisioning
• This method adds or removes computing instances based
on the current utilization level of the allocated resources.
• The demand-driven method automatically allocates two
Xeon processors for the user application, when the user
was using one Xeon processor more than 60 percent of the
Resource Provisioning Methods
• In general, when a resource has surpassed a threshold for
a certain amount of time, the scheme increases that
resource based on demand.
• When a resource is below a threshold for a certain amount
of time, that resource could be decreased accordingly.
• Amazon implements such an auto-scale feature in its EC2
platform.
• This method is easy to implement.
• The scheme does not work out right if the workload
changes abruptly.
• The x-axis in following figure is the time scale in
milliseconds.
• In the beginning, heavy fluctuations of CPU load are
encountered.
Resource Provisioning Methods
2. Event-Driven Resource Provisioning
• This scheme adds or removes machine instances based on
a specific time event.
• The scheme works better for seasonal or predicted events
such as Christmas time in the West and the Lunar New
Year in the East.
• During these events, the number of users grows before
the event period and then decreases during the event
period.
• This scheme anticipates peak traffic before it happens.
• The method results in a minimal loss of QoS, if the event is
predicted correctly.
• Otherwise, wasted resources are even greater due to
events that do not follow a fixed pattern.
Resource Provisioning Methods
3. Popularity-Driven Resource Provisioning
• In this method, the Internet is searched for the popularity of certain applications and instances are created according to popularity demand.
• The scheme anticipates increased traffic with popularity.
• Again, the scheme has a minimal loss of QoS, if the predicted popularity is correct.
• Resources may be wasted if traffic does not occur as expected.
Resource Provisioning Methods
• Gradually, the utilization rate becomes more stabilized with a maximum of 20 VMs (100 percent utilization) provided for demand-driven provisioning in Figure (a).
• However, the event-driven method reaches a stable peak of 17 VMs toward the end of the event and drops quickly in Figure (b).
• The popularity provisioning shown in Figure (c) leads to a similar fluctuation with peak VM utilization in the middle of the plot.
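The three static cases and the threshold-based demand-driven and event-driven methods above can be compared on one constructed workload. This is an added example, not part of the module or of Hwang's text; the workload, the 10-demand-units-per-VM ratio, the 30 percent scale-in threshold and the two-sample duration window are constructed assumptions (only the 60 percent scale-out threshold comes from the slides).

```python
from dataclasses import dataclass


@dataclass
class Outcome:
    wasted: int    # provisioned capacity units that sat idle (the shaded waste of cases a and c)
    unserved: int  # demand units above capacity that were never served (case b, a broken SLA)


# Constructed workload: one sample per time step, in demand units.  A slow
# ramp, an abrupt two-step spike, then a decline.
WORKLOAD = [5, 7, 8, 9, 30, 30, 12, 4, 2, 2]
UNIT = 10  # assumed demand units that one VM can serve


def outcome(demand, capacity):
    """Score any capacity trace against the demand it was meant to serve."""
    wasted = sum(max(c - d, 0) for d, c in zip(demand, capacity))
    unserved = sum(max(d - c, 0) for d, c in zip(demand, capacity))
    return Outcome(wasted, unserved)


def static_policy(demand, vms):
    """Cases (a)-(c): a fixed number of VMs for the whole period."""
    return outcome(demand, [vms * UNIT] * len(demand))


def demand_driven(demand, start=1, up=0.6, down=0.3, sustain=2, max_vms=20):
    """Threshold-with-duration auto-scaling (the demand-driven method).

    Utilization is demand / (vms * UNIT).  A VM is added only after utilization
    has stayed above `up` for `sustain` consecutive samples and removed only
    after it has stayed below `down` for `sustain` samples.  A decision takes
    effect at the next sample, so the returned VM trace lags the workload; that
    lag is why an abrupt jump is not absorbed.
    """
    vms, hot, cold, trace = start, 0, 0, []
    for d in demand:
        trace.append(vms)
        util = d / (vms * UNIT)
        hot = hot + 1 if util > up else 0
        cold = cold + 1 if util < down else 0
        if hot >= sustain and vms < max_vms:
            vms, hot = vms + 1, 0
        elif cold >= sustain and vms > 1:
            vms, cold = vms - 1, 0
    return trace


def event_driven(n, event_start, event_end, base=1, peak=3, lead=1):
    """Pre-planned capacity for a predicted event window [event_start, event_end):
    raise to `peak` VMs `lead` samples before the window and drop back after it."""
    return [peak if event_start - lead <= i < event_end else base for i in range(n)]


def capacity(trace):
    """Convert a VM-count trace into served-demand capacity per sample."""
    return [v * UNIT for v in trace]


if __name__ == "__main__":
    print("static at peak (3 VMs):", static_policy(WORKLOAD, 3))
    print("static at 1 VM:        ", static_policy(WORKLOAD, 1))
    print("demand-driven:         ", outcome(WORKLOAD, capacity(demand_driven(WORKLOAD))))
    print("event predicted right: ", outcome(WORKLOAD, capacity(event_driven(10, 4, 6))))
    print("event predicted wrong: ", outcome(WORKLOAD, capacity(event_driven(10, 7, 9))))
```

Running it shows the slides' argument in numbers: the demand-driven trace misses 20 units during the abrupt spike because scale-out needs two hot samples, while a correctly predicted event leaves only 2 units unserved and a mispredicted one wastes more than static peak-minus-ramp would.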
Global Exchange of Cloud Resources
• In order to support a large number of application service consumers from around the world, cloud infrastructure providers (i.e., IaaS providers) have established data centers in multiple geographical locations to provide redundancy and ensure reliability in case of site failures.
• For example, Amazon has data centers in the United States (e.g., one on the East Coast and another on the West Coast) and Europe.
• However, currently Amazon expects its cloud customers (i.e., SaaS providers) to express a preference regarding where they want their application services to be hosted.
• Amazon does not provide seamless/automatic mechanisms for scaling its hosted services across multiple geographically distributed data centers.
Global Exchange of Cloud Resources
• This approach has many shortcomings.
• First, it is difficult for cloud customers to determine in advance the best location for hosting their services, as they may not know the origin of the consumers of their services.
• Second, SaaS providers may not be able to meet the QoS expectations of their service consumers originating from multiple geographical locations.
• This necessitates building mechanisms for seamless federation of data centers of a cloud provider or providers, supporting dynamic scaling of applications across multiple domains in order to meet the QoS targets of cloud customers.
• The following figure shows the high-level components of
Global Exchange of Cloud Resources
Inter-cloud exchange of cloud resources through brokering
Global Exchange of Cloud Resources
• They consist of client brokering and coordinator services that support utility-driven federation of clouds: application scheduling, resource allocation, and migration of workloads.
• The architecture cohesively couples the administratively and topologically distributed storage and compute capabilities of clouds as part of a single resource leasing abstraction.
• The system will ease cross-domain capability integration for on-demand, flexible, energy-efficient, and reliable access to the infrastructure based on virtualization technology.
• The Cloud Exchange (CEx) acts as a market maker for bringing together service producers and consumers.
• It aggregates the infrastructure demands from application brokers and evaluates them against the available supply currently published by the cloud coordinators.
Global Exchange of Cloud Resources
• It supports trading of cloud services based on competitive economic models such as commodity markets and auctions.
• CEx allows participants to locate providers and consumers with fitting offers.
• Such markets enable services to be commoditized, and thus will pave the way for the creation of a dynamic market infrastructure for trading based on SLAs.
• An SLA specifies the details of the service to be provided in terms of metrics agreed upon by all parties, and incentives and penalties for meeting and violating the expectations, respectively.
• The availability of a banking system within the market ensures that financial transactions pertaining to SLAs between participants are carried out in a secure and dependable environment.
Security Overview
• Lack of trust between service providers and cloud users has hindered the universal acceptance of cloud computing as a service on demand.
• In the past, trust models have been developed to protect mainly e-commerce and online shopping provided by eBay and Amazon.
• For web and cloud services, trust and security become even more demanding, because leaving user applications completely to the cloud providers has faced strong resistance from most PC and server users.
• Cloud platforms become worrisome to some users for lack of privacy protection, security assurance, and copyright protection.
• Trust is a social problem, not a purely technical issue.
Cloud Security Challenges
• Cloud computing security challenges fall into three broad categories:
Data Protection
> Securing your data both at rest and in transit.
User Authentication
> Limiting access to data and monitoring who accesses the data.
Disaster and Data Breach
> Contingency planning.
SECURITY ISSUES IN CLOUD COMPUTING
Data breaches:
> An incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an unauthorized individual.
Data loss:
> Valuable data disappears into the ether without a trace.
Account or service traffic hijacking:
> If an attacker gains access to your account, he or she can eavesdrop on your activities and redirect your clients to illegitimate sites.
Insecure interfaces and APIs:
> Cloud computing providers expose a set of software interfaces or APIs that customers use to manage and interact with cloud services.
SECURITY ISSUES IN CLOUD COMPUTING
Denial of service:
> DoS outages cost both service providers and customers, and prove especially pricey to customers who are billed based on disk space consumed.
Malicious insiders:
> A current or former employee, a contractor, or a business partner who gains access to a network, system, or data for malicious purposes.
Cloud abuse:
> A hacker using a cloud service to break an encryption key which is too difficult to crack on a standard computer.
Shared technology vulnerabilities:
> Cloud service providers share infrastructure, platforms, and applications to deliver their services in a scalable way.
Software-as-a-Service Security
• When you subscribe to SaaS, the software you use is secured
by powerful firewalls, intrusion prevention systems, antivirus
software, and access controls.
• This protects you from threats like brute-force attacks, denial-of-service, and malware.
• SaaS providers handle much of the security for a cloud
application.
• The SaaS provider is responsible for securing the platform,
network, applications, operating system, and physical
infrastructure.
• However, providers are not responsible for securing customer
data or user access to it.
• Following are SaaS security practices that organizations can
adopt to protect data in their SaaS applications.
Software-as-a-Service Security
• Detect rogue services and compromised accounts.
• Apply identity and access management (IAM).
• Encrypt cloud data.
• Enforce data loss prevention (DLP).
• Monitor collaborative sharing of data.
• Check the provider's security.
SaaS security solutions
• Data loss prevention (DLP) - safeguards intellectual
property and protects sensitive data in cloud
applications
• Compliance solutions - provide controls and reporting
capabilities to ensure compliance with government
and industry regulations.
• Advanced malware prevention - includes
technologies such as behavioral analytics and real-
time threat intelligence that can help detect and
block zero-day attacks
• Cloud access security brokers (CASBs) - protect
enterprise data and users across all cloud services,
Cloud Security Governance

Definition:
• Cloud security governance refers to the management
model that facilitates effective and efficient security
management and operations in the cloud
environment so that an enterprise’s business targets
are achieved.
• This model incorporates a hierarchy of executive
mandates, performance expectations, operational
practices, structures, and metrics that, when
implemented, result in the optimization of business
value for an enterprise
Cloud Security Governance
• Strategic alignment, value delivery, risk mitigation, effective use of resources, and performance measurement are key objectives of any IT-related governance model, security included.
• To successfully pursue and achieve these objectives, it is important to understand the operational culture, business and customer profiles of an enterprise, so that an effective security governance model can be customized for the enterprise.
Cloud Security Governance Challenges
• Lack of senior management participation and buy-in - the lack of a security policy influenced and endorsed by senior management.
• Lack of embedded management operational controls - failure to embed controls into cloud security operational processes and procedures.
• Lack of operating model, roles, and responsibilities - many enterprises moving into the cloud environment tend to lack a formal operating model for security, or do not have strategic and tactical roles and responsibilities properly defined and operationalized.
• Lack of metrics for measuring performance and risk - a problem that stifles executive visibility into the real
Cloud Security Governance Challenges
• Strategic Alignment - Enterprises should mandate that
security investments, services, and projects in the cloud
are executed to achieve established business goals
• Value Delivery - Enterprises should define, operationalize,
and maintain an appropriate security
• Risk Mitigation - Security initiatives in the cloud should be
subject to measurements that gauge effectiveness in
mitigating risk to the enterprise
• Effective Use of Resources - practical operating model for
managing and performing security operations in the cloud,
including the proper definition and operationalization of
due processes
• Sustained Performance - Security initiatives in the cloud
should be measurable in terms of performance, value and
Virtual Machine Security
• Virtualized security, or security virtualization, refers to security solutions that are software-based and designed to work within a virtualized IT environment.
• This differs from traditional, hardware-based network security, which is static and runs on devices such as traditional firewalls, routers, and switches.
• The security of VM-based services rests on the assumption that the underlying Trusted Computing Base (TCB) is also secure.
• The hypervisor is the underlying component of all these architectures. It is a new layer which needs to be protected.
Virtualization Security

• Hypervisor Security
• Host / Platform Security
• Securing Communication
• Security between Guests
• Security between Hosts and Guests
• Virtualized Infrastructure Security
• Virtual Machine Sprawl
IAM – Identity Access Management
• In a traditional environment, the trust boundary is within the control of the organization.
• This includes the governance of the networks, servers, services, and applications.
• In a cloud environment, the trust boundary is dynamic and moves within the control of the service provider as well as the organization.
• Identity federation is an emerging industry best practice for dealing with dynamic and loosely coupled trust relationships in the collaboration model of an organization.
• The core of the architecture is the directory service, which is the repository for the identities, credentials and user attributes.
Why IAM?
• Improves operational efficiency and regulatory compliance
management
• IAM enables organizations to achieve access control and
operational security
Cloud use cases that need IAM
• Organization employees accessing a SaaS service using identity federation
• IT admins accessing the CSP (cloud service provider) management console to provision resources and access for users using a corporate identity
• Developers creating accounts for partner users in PaaS
• End users accessing a storage service in a cloud
• Applications residing in one cloud service provider accessing storage from another cloud service
IAM
IAM Challenges
• Provisioning resources to users rapidly to accommodate their changing roles
• Handling turnover in an organization
• Disparate dictionaries, identities, access rights
• Need for standards and protocols that address the IAM challenges
IAM Definitions

Authentication
• Verifying the identity of a user, system or service
Authorization
• Privileges that a user, system or service has after being authenticated (e.g., access control)
Auditing
• Examine what the user, system or service has carried out
• Check for compliance
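The three IAM definitions above, the directory service as the identity repository, and two of the module's use cases (developers creating partner accounts in PaaS, end users reading a storage service) can be put together in one small model. This is an added example, not code from the module or from any real IAM product; the users, roles, passwords and policy are constructed.

```python
import hashlib
import hmac
import os
from collections import Counter, defaultdict
from datetime import datetime, timezone


def _derive(password: str, salt: bytes) -> bytes:
    """Salted password hash for the identity repository (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """The directory service: repository for identities, credentials and attributes."""

    def __init__(self):
        self._users = {}

    def add_user(self, name, password, roles):
        salt = os.urandom(16)
        self._users[name] = {"salt": salt, "hash": _derive(password, salt), "roles": set(roles)}

    def authenticate(self, name, password) -> bool:
        """Authentication: verify the claimed identity.  Unknown users and wrong
        passwords get the same answer, so callers cannot tell which it was."""
        rec = self._users.get(name)
        if rec is None:
            return False
        return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])

    def roles(self, name):
        return self._users[name]["roles"]


# Authorization policy (constructed): role -> privileges as (resource, action) pairs.
# Anything not listed is denied, i.e. deny by default.
POLICY = {
    "developer": {("paas-project", "create-account"), ("storage", "read")},
    "end-user": {("storage", "read")},
}


class IAM:
    def __init__(self, directory, policy):
        self.directory, self.policy = directory, policy
        self.audit_log = []  # auditing: one record per decision, denials included

    def _record(self, principal, resource, action, result):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "principal": principal, "resource": resource,
                               "action": action, "result": result})

    def request(self, principal, password, resource, action) -> bool:
        """Authenticate, then authorize against the principal's roles, then audit."""
        if not self.directory.authenticate(principal, password):
            self._record(principal, resource, action, "auth-failed")
            return False
        allowed = any((resource, action) in self.policy.get(r, set())
                      for r in self.directory.roles(principal))
        self._record(principal, resource, action, "allowed" if allowed else "denied")
        return allowed

    def compliance_report(self):
        """The 'check for compliance' step: failed logins and denied actions per principal."""
        report = defaultdict(Counter)
        for e in self.audit_log:
            if e["result"] != "allowed":
                report[e["principal"]][e["result"]] += 1
        return {p: dict(c) for p, c in report.items()}


def demo():
    """Constructed scenario: a developer provisions a partner account in PaaS, an
    end user reads storage, then three requests that must be refused."""
    d = Directory()
    d.add_user("dev1", "correct-horse-battery", ["developer"])
    d.add_user("alice", "alice-pass", ["end-user"])
    iam = IAM(d, POLICY)
    iam.request("dev1", "correct-horse-battery", "paas-project", "create-account")  # allowed
    iam.request("alice", "alice-pass", "storage", "read")                            # allowed
    iam.request("alice", "alice-pass", "paas-project", "create-account")             # denied
    iam.request("alice", "wrong-pass", "storage", "read")                            # auth-failed
    iam.request("mallory", "guess", "storage", "read")                               # auth-failed
    return iam


if __name__ == "__main__":
    print(demo().compliance_report())
```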
Relevant IAM Standards, Protocols for Cloud
IAM Standards and Specifications for Organizations
SAML - Security Assertion Markup Language (allows an IdP to pass authentication assertions to Service Providers (SPs))
SPML – Service Provisioning Markup Language (for exchanging user, resource and service provisioning information between cooperating organizations)
XACML - eXtensible Access Control Markup Language (designed to express security policies and access rights to information for Web services)
OAuth - Open Authorization (lets users grant websites or applications access to their information on other websites without giving them the passwords)
Relevant IAM Standards, Protocols for Cloud
Assessments

1. The cloud infrastructure layer can be further subdivided as ______________ and ___________ in addition to compute and storage in IaaS.

a) LaaS, DaaS
b) DaaS, CaaS
c) NaaS, CaaS
d) LaaS, NaaS
Assessments

2. The _____________ is based on Internet traffic monitored.

a) demand-driven method
b) event-driven method
c) popularity-driven method
d) internet-driven method
Assessments

3. The ____________ acts as a market maker for bringing together service producers and consumers.

a) Cloud Exchange (CEx)
b) QoS
c) Navigation
d) SLA
Terminal Questions

1) State the different Resource Provisioning Methods.
2) What is the purpose of IAM? Describe its functional architecture with an illustration.
Reference Links
Text Books:

1. Kai Hwang, Geoffrey C. Fox, Jack G. Dongarra, "Distributed and Cloud Computing, From Parallel Processing to the Internet of Things", Morgan Kaufmann Publishers, 2012.
2. Rittinghouse, John W., and James F. Ransome, "Cloud Computing: Implementation, Management and Security", CRC Press, 2017.
3. Rajkumar Buyya, Christian Vecchiola, S. Thamarai Selvi, "Mastering Cloud Computing", Tata McGraw Hill, 2013.
Thank you
