Cloud Computing


  1. By Pin Chang and John Gillson
  2. Objective
     • The goals of cloud computing are to increase how fast an application can grow, to increase innovation, and to increase agility, while reducing costs.
     • Cloud computing is expected to support servers, storage, network, and virtualization technology.
     • This concept is changing and transforming old architectures and designs into new ones.
  3. Cloud Computing Infrastructure Models
     • Public, Private, and Hybrid Clouds
     • Architectural Layers of Cloud Computing (SaaS, PaaS, and IaaS)
     • Cloud Computing Application Programming Interfaces (APIs)
  4. Cloud Computing Benefits
     • Reduce run time and response time
     • Minimize infrastructure risk
     • Lower cost of entry
       ◦ Renting the infrastructure, thus saving a lot of money.
       ◦ Developers programming in assembly language, a low-level language.
     • Increase pace of innovation
  5. Architectural Considerations for IaaS
  6. Cloud Security – Securing Data
     • Encrypt data at rest – if an intruder is able to penetrate a cloud provider’s security, or if a configuration error makes that data accessible to unauthorized parties, the data cannot be interpreted
     • Encrypt data in transit – data will pass over public infrastructure and could be viewed by any party in between
     • Require strong authentication between application components – data should only be transmitted to known parties
     • Pay attention to cryptography and to how algorithms are compromised and replaced by new ones. For example, since MD5 has been proven vulnerable to attack, using a stronger hash function such as SHA-256 is advisable
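As an added example (not part of the slides), the following Python shows what "strong authentication between application components" means in practice using the SHA-256 family the slide recommends: an unkeyed SHA-256 digest only detects accidental corruption, whereas an HMAC-SHA256 tag computed with a key shared by the two components also proves who produced the data. The shared key and the order messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample key shared by two application components (not from the slides).
SHARED_KEY = b"constructed-sample-key-rotate-me"


def unkeyed_digest(message: bytes) -> str:
    """SHA-256 of the message alone: detects accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def verify_unkeyed(message: bytes, digest: str) -> bool:
    """Accepts any message whose digest matches: it gives no proof of who sent it,
    because anyone can recompute a digest over a message they changed."""
    return hmac.compare_digest(unkeyed_digest(message), digest)


def make_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag: binds the message to the shared key, so only a party
    holding the key can produce a tag that verifies."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so the check does not leak how much of the tag matched."""
    return hmac.compare_digest(make_tag(key, message), tag)


def demo() -> dict:
    """Walk through both schemes with a constructed message and a modified copy."""
    original = b'{"order": 42, "amount": 100}'
    modified = b'{"order": 42, "amount": 900}'
    results = {}
    # Unkeyed: the modified message paired with a freshly computed digest is accepted,
    # which is why a bare hash is not an authentication mechanism.
    results["unkeyed_accepts_modified"] = verify_unkeyed(modified, unkeyed_digest(modified))
    # Keyed: the tag over the original does not verify the modified message, and a
    # receiver using a different key rejects it as well.
    tag = make_tag(SHARED_KEY, original)
    results["keyed_accepts_original"] = verify_tag(SHARED_KEY, original, tag)
    results["keyed_rejects_modified"] = not verify_tag(SHARED_KEY, modified, tag)
    results["keyed_rejects_wrong_key"] = not verify_tag(b"other-key", original, tag)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The keyed tag covers integrity and origin of data between components; it does not provide confidentiality, which the slide's "encrypt data in transit" point addresses separately (TLS between components in practice).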
  7. Cloud Security – Securing Data
     • Consider using strong, token-based authentication for administrator roles
     • For customer login/password access, consider who manages the authentication server and whether it is under the company’s or the cloud provider’s control
     • For anonymous access to storage, for example anonymous FTP, consider whether a customer would register with the cloud provider for access or whether the cloud provider could federate with the company’s authentication servers
  8. Cloud Security – Web Services
     • The Web Services platform is the most widely used implementation technology in cloud computing and requires a robust security policy
     • The Web Services Security specification (WS-Security) provides a set of mechanisms to help developers of Web Services secure SOAP message exchanges
     • WS-Security describes enhancements to existing SOAP messaging that provide Quality of Protection (QoP) by applying message integrity, message confidentiality, and single-message authentication to SOAP messages
  9. Cloud Security – Web Services
  10. Cloud Security – Web Services
  11. Cloud Security – Security Domains
     • Security domains group Virtual Machines (VMs) together and control access to the domain through the cloud provider’s port-filtering capabilities. For example, create a security domain for front-end Web servers, open only the HTTP or HTTPS ports to the outside world, and filter traffic from the Web server security domain to the one containing the back-end databases
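The following added Python example (not from the slides) models the security-domain policy described above as a default-deny port filter between groups of VMs: traffic is classified by the domain of its source and destination addresses, and only flows that an administrator has explicitly allowed pass. The domain names, VM addresses and the database port are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

INTERNET = "internet"   # pseudo-domain for any address that belongs to no VM group


@dataclass(frozen=True)
class Rule:
    src: str            # security domain the traffic originates from
    dst: str            # security domain it is destined for
    port: int
    proto: str = "tcp"


class SecurityDomains:
    """Port filtering between groups of VMs: any flow without an explicit
    allow rule is dropped (default deny)."""

    def __init__(self) -> None:
        self.members: Dict[str, Set[str]] = {}   # domain name -> VM addresses
        self.rules: Set[Rule] = set()

    def add_vm(self, domain: str, address: str) -> None:
        self.members.setdefault(domain, set()).add(address)

    def allow(self, src: str, dst: str, port: int, proto: str = "tcp") -> None:
        self.rules.add(Rule(src, dst, port, proto))

    def domain_of(self, address: str) -> str:
        for domain, addresses in self.members.items():
            if address in addresses:
                return domain
        return INTERNET

    def permits(self, src_addr: str, dst_addr: str, port: int, proto: str = "tcp") -> bool:
        """Decide a single connection attempt by looking up its domain pair."""
        rule = Rule(self.domain_of(src_addr), self.domain_of(dst_addr), port, proto)
        return rule in self.rules

    def filter_rules(self) -> List[str]:
        """Human-readable form of the policy, one line per allowed flow."""
        return sorted(f"allow {r.proto}/{r.port} {r.src} -> {r.dst}" for r in self.rules)


def example_topology() -> SecurityDomains:
    """The slide's example: the web tier is reachable from outside on HTTP/HTTPS
    only, and the database tier only from the web tier (constructed addresses;
    5432 is assumed as the database port)."""
    sd = SecurityDomains()
    for addr in ("10.0.1.10", "10.0.1.11"):
        sd.add_vm("web", addr)
    sd.add_vm("db", "10.0.2.10")
    sd.allow(INTERNET, "web", 80)
    sd.allow(INTERNET, "web", 443)
    sd.allow("web", "db", 5432)
    return sd


if __name__ == "__main__":
    print("\n".join(example_topology().filter_rules()))
```

Because the lookup is by domain rather than by individual address, adding a third web server to the "web" domain automatically puts it under the same rules, which is the administrative benefit the slide describes.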
  12. Cloud Security – Common Scenario
     • System administrators commonly deploy clusters of nodes on private, unroutable networks with a single front-end node responsible for routing traffic between the cluster of nodes and the public network
     • This configuration means that nodes can initiate connections to external hosts, but external hosts cannot connect to nodes running within each cluster
     • An administrator might configure two Linux clusters, a server pool, and a collection of workstation nodes – each Linux cluster would have a front-end node with a public IP address, while the cluster nodes are connected via a private network; the server and workstation nodes have public IP addresses, but the workstations are behind a firewall and cannot be contacted from the outside world
     • It may be impossible to install a fully connected system, because many of the nodes can only initiate connections to external hosts or are completely isolated from external networks
     • Two sets of clusters may even have overlapping IP addresses because their networks are private and unroutable
  13. Sample Cloud architecture
     [Figure: a hierarchical design reflecting the underlying resource topologies in a Cloud architecture; Client, Cloud Controller (CLC), Cluster Controller (CC), and Node Controller (NC) components]
     [Figure: example location of CLC, CC, and NC components running within a typical resource environment]
  14. Sample Cloud architecture
     • Node Controller (NC)
       ◦ The NC component executes on the physical resources that host VM instances and is responsible for instance initialization, inspection, termination, and cleanup
       ◦ There are typically many NCs, but only one NC needs to execute on each physical node, since a single NC can manage multiple VM instances on that node
  15. Sample Cloud architecture
     • Cluster Controller (CC)
       ◦ A collection of NCs that logically belong together is managed by a single CC, which typically executes on a cluster front-end node that has access to both the private and the public network
       ◦ The CC is responsible for gathering state information from its collection of NCs, scheduling incoming VM instance execution requests to individual NCs, and managing the configuration of public and private instance networks
  16. Sample Cloud architecture
     • Cloud Controller (CLC)
       ◦ A single CLC is the primary entry point and decision-making component
       ◦ The CLC is responsible for processing incoming user or administrative requests, facilitating VM instance scheduling decisions, processing service-level agreements (SLAs), and maintaining persistent system and user metadata
       ◦ The CLC has an associated composition of services that handle user requests and authentication, persistent system and user metadata, and the management and monitoring of VM instances
       ◦ An enterprise service bus (ESB) component configures, manages, and publishes the associated services and decouples the service implementation from message routing and transport details
  17. Sample Cloud architecture
     • Instance Control
       ◦ When instance creation events are initiated, the VmControl service coordinates with the other services in the CLC to resolve user requests to images, keypairs, networks, and security groups
       ◦ Allocation of these user requests consists of validating the references to metadata
       ◦ Messages are disseminated to the CCs involved in the allocation, and each such CC schedules the instance request to its locally controlled NCs, which create the VM instance itself and respond accordingly
  18. Sample Cloud architecture
     [Figure: overview of the services that comprise the CLC. Lines indicate the flow of messages; dashed lines correspond to internal service messages]
  19. Cloud Security – Virtual Networking
     • A complete VM instance network solution must address connectivity, isolation, and performance issues
     • Every VM must have network connectivity to every other VM and to the Internet
     • Users who are granted super-user access to the underlying network interfaces raise security concerns – a VM instance user may act maliciously once they realize that they have the ability to acquire system IP or MAC addresses
     • If multiple VM instances are running on one physical machine, a VM user may have the ability to intercept network packets belonging to another
  20. Cloud Security – Virtual Networking
     • In a cloud shared by different, distributed, and often unrelated users, VMs belonging to a single cloud allocation must be able to communicate, but VMs belonging to separate allocations must be isolated
     • A public virtual network interface handles communication outside of, or between, a given set of VM instances
  21. Cloud Security – Virtual Networking
     • In an environment that has public IP addresses available, public virtual network interfaces may be assigned to VM instances at instance initialization, allowing communication both to and from the instance
     • In environments where instances are connected to a private network with a router that supports external communication through network address translation (NAT), the public interface may be assigned a valid private address, giving it access to systems outside the local network through the NAT-enabled router
  22. Cloud Security – Virtual Networking
     • The CC can be configured to set up the public interface network in three ways:
       ◦ Attach the VM’s public interface directly to a software Ethernet bridge connected to the physical machine’s network, allowing the administrator to handle VM network DHCP requests the same way they handle regular DHCP requests
       ◦ Allow the administrator to define a dynamic pool of IP addresses that are assigned via a DHCP server executed by the CC. The administrator defines a network, an interface on the CC that is connected to that network, and a range of IP addresses that are assigned as instances are started
       ◦ Allow the administrator to define static MAC and IP address tuples. Each new instance created by the system is assigned a free MAC/IP tuple, which is released when the instance is terminated
  23. Cloud Security – Virtual Networking
     • Another requirement of the virtual network is that it supports instance network traffic isolation
     • If two instances owned by separate users are running on the same host, or on different hosts connected to the same physical Ethernet, the users must not be able to inspect or modify each other’s network traffic – to meet this requirement, each set of user-owned instances is assigned a tag that is then used as the VLAN identifier for that particular user’s instances
     • Essentially, each VM gets a private network address, and the use of “Elastic IPs” – public addresses that can persist across user requests – is supported via IP tables at the cluster head-node
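As an added example (not code from the slides or from any cloud platform), the following Python models the two mechanisms from slides 22 and 23 together: an administrator-defined pool of static MAC/IP tuples that are assigned to new instances and released on termination, and per-user VLAN tags that decide whether two instances may see each other's traffic, with an elastic (public) IP mapped onto an instance's private address the way the head-node's IP tables would. The tuple values, user names, instance ids, VLAN numbering and public addresses are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

MacIp = Tuple[str, str]


class AddressPool:
    """Static MAC/IP tuples defined by the administrator (slide 22, third mode):
    a free tuple is handed to each new instance and returned on termination."""

    def __init__(self, tuples: List[MacIp]) -> None:
        self.free: List[MacIp] = list(tuples)
        self.in_use: Dict[str, MacIp] = {}

    def assign(self, instance_id: str) -> MacIp:
        if not self.free:
            raise RuntimeError("address pool exhausted")
        pair = self.free.pop(0)
        self.in_use[instance_id] = pair
        return pair

    def release(self, instance_id: str) -> None:
        self.free.append(self.in_use.pop(instance_id))


class VirtualNetwork:
    """Per-user VLAN tags (slide 23): instances of one user share a tag and may
    talk to each other; instances with different tags are isolated. Elastic IPs
    map a persistent public address onto an instance's private address."""

    FIRST_TAG = 100   # constructed: first VLAN id handed out

    def __init__(self, pool: AddressPool) -> None:
        self.pool = pool
        self.vlan_of_user: Dict[str, int] = {}
        self.instances: Dict[str, dict] = {}
        self.elastic_ips: Dict[str, Optional[str]] = {}   # public IP -> instance id

    def launch(self, user: str, instance_id: str) -> dict:
        # Every instance of the same user lands on that user's VLAN.
        tag = self.vlan_of_user.setdefault(user, self.FIRST_TAG + len(self.vlan_of_user))
        mac, ip = self.pool.assign(instance_id)
        self.instances[instance_id] = {"user": user, "vlan": tag, "mac": mac, "ip": ip}
        return self.instances[instance_id]

    def terminate(self, instance_id: str) -> None:
        self.instances.pop(instance_id)
        self.pool.release(instance_id)
        # The elastic IP persists for the user; it is just no longer mapped.
        for public_ip, mapped in list(self.elastic_ips.items()):
            if mapped == instance_id:
                self.elastic_ips[public_ip] = None

    def may_communicate(self, a: str, b: str) -> bool:
        """Traffic is only visible inside one VLAN, so the tags must match."""
        return self.instances[a]["vlan"] == self.instances[b]["vlan"]

    def associate_elastic_ip(self, public_ip: str, instance_id: str) -> None:
        self.elastic_ips[public_ip] = instance_id

    def nat_target(self, public_ip: str) -> Optional[str]:
        """Private address the head-node would translate public_ip to, if mapped."""
        mapped = self.elastic_ips.get(public_ip)
        return self.instances[mapped]["ip"] if mapped else None


if __name__ == "__main__":
    net = VirtualNetwork(AddressPool([("02:00:00:00:00:01", "10.0.0.1"),
                                      ("02:00:00:00:00:02", "10.0.0.2")]))
    print(net.launch("alice", "i-1"), net.launch("bob", "i-2"))
    print("isolated:", not net.may_communicate("i-1", "i-2"))
```

The pool check is the part worth keeping in mind operationally: once the static tuple list is exhausted, instance launches fail rather than two instances silently sharing a MAC/IP pair, which would break the isolation the VLAN tag is meant to give.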