NIST Cloud Computing
Reference Architecture
Prepared by
Dr. Avita Katal
Assistant Professor(SG)
Cloud Software Operations Cluster
School of Computer Science
UPES, Dehradun
Unit objectives
After completing this unit, you should be able to:
• Understand the concept of NIST's Cloud Computing Reference
Architecture (CCRA)
• Learn about the conceptual reference model
• Gain knowledge on architectural components in CCRA
NIST Cloud Computing Reference Architecture (CCRA)
• The NIST CCRA does not prescribe how a solution should be designed or
implemented; it focuses on the requirements of what cloud services should
provide.
• The reference architecture is designed to make the operational
difficulties and complexities of cloud computing easier to understand.
• The NIST CCRA is a tool for developing, discussing and describing a
system-specific architecture using a common frame of reference.
• The NIST CCRA does not represent the system architecture of any
particular cloud computing system.
Objectives of NIST
• The NIST CCRA is meant to explain and illustrate the various cloud
services in the context of an overall cloud computing conceptual model.
• The NIST CCRA is meant to provide a technical reference that agencies and
other consumers can use to understand, compare, discuss and categorize
cloud services.
• The NIST CCRA is meant to facilitate the analysis of candidate standards
for interoperability, portability and security, and of reference
implementations.
Interactions between actors in Cloud Computing
Example: Usage scenario 1
Example: Usage scenario 2
Example: Usage scenario 3
Cloud Broker
• A cloud broker is an entity that manages the use, performance and
delivery of cloud services and negotiates relationships between cloud
providers and cloud consumers.
Cloud Auditor
• A cloud auditor is a party that can perform an independent examination
of cloud service controls with the intent of expressing an opinion
thereon.
• Audits are performed to verify conformance to standards through
review of objective evidence.
• A cloud auditor can gauge the services provided by a cloud provider in
terms of security controls, privacy impact, performance, etc.
Cloud carrier
• A cloud carrier acts as an intermediary that provides connectivity and
transport of cloud services between cloud consumers and cloud
providers.
• Cloud carriers provide access to consumers through networks,
telecommunication links and other access devices.
CCRA: Architectural components
• According to NIST's cloud computing definition, a cloud infrastructure
can be operated in one of the following implementation models:
– Private cloud
– Public cloud
– Community cloud
– Hybrid cloud
• The differences between these implementation models depend on how
exclusively the computing resources are made available to a consumer
of the cloud.
Figure: Example Services Available to a Cloud Consumer
Figure: Cloud Provider Service Orchestration
Figure: Cloud Provider Cloud Service Management
Business support
Business support involves the set of services related to business
operations that deal with customers and supporting processes. It includes
the components used to run client-facing business operations:
• Customer management.
• Contract management.
• Inventory management.
• Accounting and billing.
• Reporting and auditing.
• Pricing and rating.
Provisioning and configuration
• SLA management: covers the definition of the SLA contract, monitoring of the
SLA, and enforcement of the SLA according to the defined policies.
• Resource changing: adjusting the configuration and resource assignment for
repairs and upgrades, and joining new nodes to the cloud according to demand.
• Rapid provisioning: automatically deploying cloud systems based on the
requested services, resources or capabilities.
• Metering: provides a measurement capability at some level of abstraction
appropriate to the type of service (for example storage, processing,
bandwidth and active user accounts).
• Monitoring and reporting: discovery and monitoring of virtual resources,
monitoring of operations and events in the cloud, and generation of
performance reports.
Portability and interoperability
• Cloud providers should provide mechanisms to support data
portability, service interoperability and system portability.
• Data portability is the ability of cloud consumers to copy data objects into
or out of a cloud, or to use a disk for mass data transfer.
• Service interoperability is the ability of cloud consumers to use their data
and services across multiple cloud providers through a unified management
interface.
• System portability allows the migration of a fully stopped virtual machine
instance or a machine image from one provider to another, or the migration of
applications, services and their contents from one service provider to another.
Security
• Shared security responsibilities:
– Security is a shared responsibility. Security controls (i.e., the measures used to provide protection) must be analyzed to
determine which party is in the better position to implement each one.
– This analysis should include an assessment from the perspective of the service model, since different service models imply
different degrees of control for cloud consumers and cloud providers.
• Cloud service model perspectives:
– The three cloud service models identified by the NIST definition of cloud computing (IaaS, PaaS and SaaS) offer consumers
different types of service management operations and expose different points of entry into cloud systems.
– Therefore, when designing and implementing security, it is important to consider the impact of the cloud service models and
the different problems each presents.
– Security considerations for SaaS cloud systems have emphasized web browser security.
– IaaS cloud consumers have VMs that run on hypervisors on hosts. Hypervisor security has therefore been studied extensively,
as the basis for VM isolation, for IaaS cloud providers that use virtualization technologies.
• Implications of cloud deployment models:
– From the perspective of the implementation model, one way to view the security implications is through the differing degree
of tenant exclusivity in each implementation model.
– In a public cloud, tenants coexist unpredictably with one another, while a private cloud is dedicated to a single consumer
organization. Workload isolation is therefore a lesser security concern in a private cloud than in a public cloud.
– From the perspective of the implementation model, another way to analyze the security impact is through the concept of
access limits.
Figure: Cloud Service Provider Security and Privacy
Cloud taxonomy
• Level 1 (Role): A role in the context of cloud computing indicates a set of behaviors and
obligations, as conceptualized by the associated actors.
• Level 2 (Activity): An activity is a general task or behavior associated with a specific role.
• Level 3 (Component): A component refers to the specific processes, tasks or actions that must
be performed to achieve the objective of an activity.
• Level 4 (Sub-component): A sub-component is a modular part of a component.
First level terms (Role):
• Cloud consumer
• Cloud provider
• Cloud carrier
• Cloud broker
• Cloud auditor
Second level terms (Activity):
• Cloud distribution
• Security audit
• Cloud access
• Privacy impact audit
• Service deployment
• Performance audit
• Service orchestration
• Cloud service management
• Security
• Privacy
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
• Consumption of services
• Service provision
Third level terms (Component):
• Service intermediation
• Aggregation of services
• Arbitration of services
• Private cloud
• Community cloud
• Public cloud
• Hybrid cloud
• Service layer
• Abstraction layer and resource control
• Portability
• Interoperability
• Mobile endpoints
• Fixed endpoints
Fourth level terms (Sub-component):
• Data portability
• Interoperability
• Portability of the system
• Rapid provisioning
• Resource change
• Monitoring and reporting
• Measurement
• SLA management
Editor's Notes

  1. Actor cloud consumer: A person or organization that maintains a business relationship with cloud providers and uses services from cloud providers. Actor cloud provider: A person, organization or entity responsible for making a service available to cloud consumers/interested parties. Actor cloud auditor: A party that can conduct an independent assessment/examination or audit of cloud services, performance, security and information system operations of the cloud implementation. Actor cloud broker: An entity that manages the delivery, use and performance of cloud services and helps in negotiating relationships between cloud providers and cloud consumers. Actor cloud carrier: An intermediary that provides connectivity and transport of cloud services from cloud providers to cloud consumers.
  2. Instead of contacting a cloud provider directly, a cloud consumer may request service from a cloud broker. The cloud broker may create a new service by improving or enhancing an existing service, or by combining multiple services. In this scenario, the cloud consumer interacts with the cloud broker instead of directly with the cloud providers, which are invisible to the cloud consumer.
  3. Cloud carriers are intermediaries that provide connectivity and transport of cloud services from cloud providers to cloud consumers. Following the figure, a cloud provider participates in two unique Service Level Agreements (SLAs): one with a cloud carrier (SLA2) and another with a cloud consumer (SLA1). When arranging the SLA with the cloud carrier, the cloud provider may request encrypted and dedicated connections to make sure the cloud services are consumed at a consistent level, according to the legal agreement with the cloud consumer. In this scenario, in order to satisfy the essential requirements of SLA1, the cloud provider may specify its requirements on capability, flexibility and functionality in SLA2.
  4. For a cloud service, a cloud auditor conducts independent examinations/assessments of the cloud service implementation. This audit may involve interactions with both the cloud provider and the cloud consumer.
  5. Examples of how a cloud broker could provide service arbitrage, intermediation and aggregation according to the NIST CCRA (National Institute of Standards and Technology Cloud Computing Reference Architecture):
Service Arbitrage: Example: A cloud broker offers a comparison service in which it evaluates multiple cloud service providers (CSPs) on factors such as price, performance, reliability and compliance. It then recommends the most suitable CSP to its clients based on their specific needs and budget constraints. This allows clients to benefit from the best possible service at the most competitive price.
Intermediation: Example: A cloud broker acts as an intermediary between cloud service providers and their clients. It provides value-added services such as contract negotiation, performance monitoring, security management and billing consolidation. For instance, the broker could negotiate volume discounts with CSPs on behalf of its clients, ensuring cost savings and simplifying the procurement process.
Aggregation: Example: A cloud broker aggregates multiple cloud services from different providers into a single unified platform. For instance, it may integrate Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) offerings from various providers into a single user interface. This allows clients to access and manage diverse cloud services seamlessly, simplifying deployment, management and scaling of their applications.
  6. In the NIST CCRA (National Institute of Standards and Technology Cloud Computing Reference Architecture), a cloud auditor plays a crucial role in ensuring compliance, security and governance within cloud environments. Here's how a cloud auditor fits into the NIST CCRA framework: Compliance Assurance: A cloud auditor verifies whether cloud services and deployments comply with relevant regulations, standards and policies. This includes assessing adherence to industry-specific regulations (such as HIPAA, the Health Insurance Portability and Accountability Act, for healthcare, or GDPR, the General Data Protection Regulation, for data privacy; both are important regulations related to data privacy and security), as well as internal organizational policies. Security Assessment: The cloud auditor evaluates the security measures implemented by cloud service providers and consumers to protect data, applications and infrastructure. This involves assessing the effectiveness of security controls, vulnerability management practices, access controls, encryption mechanisms and incident response procedures (Shared Responsibility Model: security of the cloud and security in the cloud). Risk Management: Cloud auditors identify and assess risks associated with cloud deployments, including potential security threats, data breaches, service outages and compliance violations. They analyze risk factors such as data sensitivity, geographic location, service dependencies and contractual agreements to provide recommendations for risk mitigation. Governance Oversight: Cloud auditors monitor and enforce governance policies to ensure accountability, transparency and responsible use of cloud resources. This includes reviewing access logs, audit trails, configuration settings and usage reports to detect unauthorized activities, policy violations or deviations from best practices.
Assurance Reporting: Based on their assessments, cloud auditors produce assurance reports that document the compliance, security and risk posture of cloud environments. These reports may include compliance attestations, audit findings, remediation recommendations and ongoing compliance monitoring plans.
  7. Business support comprises the set of business-related services that deal mainly with customers and supporting processes. It includes the customer-oriented components needed to execute business operations. Customer management: manages customer accounts (opening/closing accounts), manages customer relationships by resolving customer issues and providing points of contact, manages user profiles, etc. Contract management: manages service contracts (configuration/negotiation/termination/closing of contracts), etc. Pricing and rating: evaluates cloud services to determine prices depending on the user's profile, and manages promotions and pricing rules, etc. Inventory management: manages and configures service catalogs, etc. Accounting and billing: manages customer billing information, sends account statements, tracks invoices, processes received payments, etc. Reporting and auditing: generates reports, monitors user operations, etc.
  8. Data Portability: The platform provides tools and APIs that allow customers to easily copy data objects in and out of the cloud environment. For example, customers can use a web-based interface or command-line tools to transfer large datasets between their on-premises infrastructure and the cloud, or between different cloud providers. Additionally, the platform supports the use of physical storage devices (e.g., external hard drives or tape drives) for mass data transfer. Customers can ship their storage devices to the cloud provider's data center, where the data is uploaded or downloaded directly to/from the storage device, bypassing the need for internet bandwidth. Service Interoperability: The platform offers a unified management interface that abstracts the underlying differences between cloud providers' APIs and services. Customers can manage their data and services through a single pane of glass, regardless of the underlying cloud infrastructure. For example, customers can provision virtual machines, databases, storage buckets, and other resources from different cloud providers using a standardized set of APIs and workflows provided by the platform. They can also monitor resource usage, configure security policies, and automate deployment pipelines in a consistent manner across multiple clouds. System Portability: The platform supports system portability by facilitating the migration of virtual machine instances, machine images, applications, and services between different cloud providers. Customers can export their virtual machine instances or machine images from one cloud provider and import them into another provider's infrastructure, preserving their configurations, operating systems, and application settings. 
Additionally, the platform offers tools and services to refactor or containerize applications for compatibility with different cloud environments, allowing customers to migrate their applications and services seamlessly between cloud providers without vendor lock-in.
  9. Shared security responsibilities: As discussed above, in a cloud system the cloud provider and the cloud consumer have different degrees of control over computing resources. Compared to traditional IT systems, wherein one organization has control over the entire stack of computing resources and the complete life cycle of the systems, cloud providers and cloud consumers collaboratively design, build, deploy and operate cloud-based systems. The division of control means that both parties now share the responsibility of providing sufficient protection to cloud-based systems. Security is therefore a shared responsibility. Security controls (i.e., the measures used to provide protection) must be analyzed to determine which party is in a better position to implement them. This analysis should include estimates from the perspective of the service model, since different service models imply different degrees of control between cloud consumers and cloud providers. For example, administration of the user accounts of an application deployed in an IaaS environment is generally not the responsibility of the IaaS provider, while account management controls for users with initial system privileges in IaaS scenarios are generally performed by the IaaS provider. Cloud service model perspectives: As identified by the NIST definition of cloud computing, the three cloud service models (IaaS, PaaS and SaaS) offer consumers different types of service management operations and expose different points of entry to cloud systems. Therefore, when designing and implementing security, it is important to consider the impact of each cloud service model and its distinct problems. For example, SaaS provides users with access to cloud offerings through a network connection, generally over the Internet and through a web browser. In the security considerations of a SaaS cloud system, the emphasis has therefore been on web browser security.
IaaS cloud consumers have VMs that run on hypervisors on hosts. Therefore, to achieve VM isolation, hypervisor security has been studied extensively for IaaS cloud providers that use virtualization technologies. Implications of cloud deployment models: The variations of the cloud deployment models discussed in the previous sections also have important security implications. From the perspective of the deployment model, one way to see the security implications is the different level of tenant exclusivity in each deployment model. Tenants of a public cloud may coexist unpredictably with each other, while a private cloud is dedicated to a single consumer organization. Therefore, compared to the public cloud, workload isolation is a lesser security concern in a private cloud. Another way to analyze the security impact of the deployment model is to use the concept of access boundaries. For example, an on-site private cloud hosted within the network boundary of the cloud consumer organization may or may not need additional boundary controllers or protection at the cloud boundary, while an off-site private cloud requires the establishment of such perimeter protection at its cloud boundary.
  10. PII is information that can be used to distinguish or trace an individual's identity, such as name, biometric records, social security number/aadhar card number, etc., either alone or when combined with other personal or identifying information that is linked or linkable to an individual, such as date and place of birth, mother's maiden name, etc. Although cloud computing offers a flexible solution for shared software, information and resources, it also poses additional privacy challenges for cloud consumers. Security refers to measures taken to protect systems, networks, applications and data from unauthorized access, misuse, disruption or destruction. Privacy refers to the right of individuals to control the collection, use and disclosure of their personal information.
  11. Taxonomy is defined as the science of classifying or categorizing things based on a predefined system. A taxonomy contains a controlled vocabulary with a hierarchical tree structure. In the above figure, a four-level taxonomy is depicted to describe the main concepts of cloud computing. • Level 1 (Role): As conceptualized by the associated actors, a role in the context of cloud computing indicates a set of behaviors and obligations. • Level 2 (Activity): Associated with a specific role, an activity means general tasks or behaviors. • Level 3 (Component): A component refers to the specific processes, tasks or actions that must be performed to achieve the specific objective of the activity. • Level 4 (Sub-component): A sub-component is a modular part of a component. First level terms (Role): • Cloud consumer: A person or organization that maintains a business relationship with cloud service providers and uses the cloud service providers' services. • Cloud provider: A person, organization or entity that is responsible for making a service available to consumers. • Cloud carrier: The intermediary that provides transport and connectivity of cloud services between cloud consumers and cloud providers. • Cloud broker: An entity that negotiates relationships between cloud consumers and cloud providers and manages the delivery, performance and use of cloud services. • Cloud auditor: A party that can conduct an independent examination of cloud services, performance, security and information system operations of the cloud implementation.
  12. Second level terms (Activity): • Cloud distribution: The process of transporting data in the cloud between cloud consumers and cloud providers. • Cloud access: Gaining access to, or making contact with, cloud services. • Service deployment: All the organization and activities necessary to make a cloud service available constitute service deployment. • Service orchestration: The provisioning, management and coordination of cloud infrastructure to provide cloud services that meet IT and business needs. • Cloud service management: All the service-related functions that are necessary for the operation and management of the services proposed to or required by the clients. • Security: Here security means information security. Information security protects information and information systems against unauthorized use, access, modification, disclosure, destruction or disruption in order to provide the following: - Integrity, which means guarding against improper modification or destruction of information and ensuring that the information is authentic and cannot be repudiated. - Confidentiality, which means protecting proprietary information and personal privacy by preserving authorized restrictions on accessing and disclosing information. - Availability, which means ensuring timely and reliable access to and use of information. • Privacy: Privacy of information throughout its life cycle is the consistent, safe and appropriate collection, use, processing, communication and disposition of PI and PII. • Software as a Service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser.
The consumer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. • Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure applications created or acquired by the consumer using programming languages and tools supported by the provider. The consumer has control over the deployed applications and possibly the configuration of the application-hosting environment, but does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems or storage. • Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks and other fundamental computing resources on which the consumer can deploy and run arbitrary software, including operating systems and applications. The consumer has control over the deployed applications, operating systems and storage, and possibly limited control of selected networking components, but does not manage or control the underlying cloud infrastructure. • Consumption of services: The activity of using a cloud service. • Service provision: The activity of making a cloud service available. • Security audit: A systematic evaluation of a cloud system measuring how well it conforms to a set of predefined and tested security criteria. • Privacy impact audit: A systematic evaluation of a cloud system measuring how well it conforms to a set of predefined and tested privacy impact criteria.
• Performance audit: A systematic evaluation of a cloud system measuring how well it conforms to a set of predefined and tested performance criteria.
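As an added illustration of the shared-responsibility analysis in note 9 and of the security audit defined in note 12 (this is example code written for these notes, not code from NIST or from the slides): the control names, the per-service-model allocation table and the evidence records are constructed assumptions, except that the two IaaS account-management rows follow the example given in note 9.

```python
"""Shared-responsibility allocation by service model, plus a security audit
over it. Added illustration, not code from NIST or from these slides; the
control names, allocation table and evidence records are constructed."""
from dataclasses import dataclass
from typing import Dict, List

PROVIDER = "cloud provider"
CONSUMER = "cloud consumer"

# Which party is in the better position to implement each control, per
# service model. The IaaS rows for application user accounts and initial
# privileged accounts follow note 9; the remaining rows are assumptions.
RESPONSIBILITY: Dict[str, Dict[str, str]] = {
    "physical facility security":    dict(IaaS=PROVIDER, PaaS=PROVIDER, SaaS=PROVIDER),
    "hypervisor isolation/patching": dict(IaaS=PROVIDER, PaaS=PROVIDER, SaaS=PROVIDER),
    "initial privileged accounts":   dict(IaaS=PROVIDER, PaaS=PROVIDER, SaaS=PROVIDER),
    "guest OS patching":             dict(IaaS=CONSUMER, PaaS=PROVIDER, SaaS=PROVIDER),
    "application user accounts":     dict(IaaS=CONSUMER, PaaS=CONSUMER, SaaS=CONSUMER),
    "data classification/handling":  dict(IaaS=CONSUMER, PaaS=CONSUMER, SaaS=CONSUMER),
}

def responsible_party(control: str, service_model: str) -> str:
    """Return the party responsible for `control` under `service_model`."""
    try:
        return RESPONSIBILITY[control][service_model]
    except KeyError as exc:
        raise ValueError(f"no allocation for {control!r} under {service_model!r}") from exc

def consumer_controls(service_model: str) -> List[str]:
    """Controls the consumer must implement itself under this model; the list
    shrinks from IaaS to SaaS as control over the stack moves to the provider."""
    return sorted(c for c in RESPONSIBILITY
                  if responsible_party(c, service_model) == CONSUMER)

@dataclass(frozen=True)
class Evidence:
    control: str
    party: str          # who attests to the control
    implemented: bool

@dataclass(frozen=True)
class Finding:
    control: str
    responsible: str
    status: str         # "pass", "fail", "no evidence" or "wrong party"

def audit(service_model: str, evidence: List[Evidence]) -> List[Finding]:
    """Evaluate a cloud system against the predefined control criteria.
    A control passes only when the responsible party attests that it is
    implemented; attestation from the other party is flagged, not accepted."""
    findings = []
    for control in sorted(RESPONSIBILITY):
        owner = responsible_party(control, service_model)
        records = [e for e in evidence if e.control == control]
        owned = [e for e in records if e.party == owner]
        if owned:
            status = "pass" if all(e.implemented for e in owned) else "fail"
        elif records:
            status = "wrong party"
        else:
            status = "no evidence"
        findings.append(Finding(control, owner, status))
    return findings

# Constructed evidence for an IaaS audit.
SAMPLE_EVIDENCE = [
    Evidence("physical facility security", PROVIDER, True),
    Evidence("hypervisor isolation/patching", PROVIDER, True),
    Evidence("initial privileged accounts", PROVIDER, True),
    Evidence("guest OS patching", CONSUMER, False),
    # the consumer owns this control in IaaS, so a provider attestation is not enough
    Evidence("application user accounts", PROVIDER, True),
]

if __name__ == "__main__":
    for f in audit("IaaS", SAMPLE_EVIDENCE):
        print(f"{f.status:12} {f.control} ({f.responsible})")
```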
  13. Third level terms (Component): • Service intermediation: Service intermediation adds value on top of a given service to enhance a specific capability. An intermediation broker provides a service that directly enhances a given service delivered to service consumers. • Aggregation of services: Service aggregation combines multiple existing services into one or more new services. The aggregator ensures that data is modeled and integrated across all the component services, and also ensures the security and movement of data between the multiple providers and the service consumer. • Arbitration of services: Service arbitrage and service aggregation are similar; the main difference is that in arbitrage the aggregated services are not fixed. The main objective of arbitrage is to provide the service aggregator with flexibility and opportunistic choices, for example a credit-scoring service that checks multiple scoring agencies and selects the best score, or a service provider that offers multiple email services. • Private cloud: The cloud infrastructure is operated solely for one organization. It may exist on or off the premises and may be managed by the organization or by a third party. • Community cloud: The cloud infrastructure is shared by several organizations and supports a specific community with shared concerns, for example missions, policies, compliance considerations and security requirements. It may exist on or off the premises and may be managed by the organizations or by a third party. • Public cloud: The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
• Hybrid cloud: The cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardized technology that enables data and application portability, for example cloud bursting for load balancing. • Service layer: The service layer defines the basic services provided by cloud providers. • Physical resource layer: This comprises all the physical resources used to provide cloud services, that is, the hardware and the facility. • Abstraction layer and resource control: The resource abstraction and control layer comprises the software elements, such as virtual machines, virtual data storage, hypervisors and supporting software components, used to realize the infrastructure upon which cloud services can be established. • Portability: Portability is the ability of a system or software to run on more than one operating system or on more than one type of computer. Alternatively, it is the ability to transfer data from one system to another without the need to significantly modify the application being transported or to re-create or re-enter data descriptions. • Interoperability: Interoperability is the ability to execute programs, communicate or transfer data under specified conditions among many different functional units. • Provisioning/configuration: A process of preparing and equipping a cloud to allow it to provide new services to its customers. • Mobile endpoints: A physical device, often carried by the user, that provides a human or machine interface to cloud applications and services; it can use multiple methods and protocols to connect to cloud applications and services. • Fixed endpoints: A physical device, fixed in its location, that provides a human or machine interface to cloud applications and services; a fixed endpoint typically uses a single method and protocol to connect to cloud applications and services.
Fourth level terms (Sub-component): • Data portability: Data portability is the ability to transfer data from one system to another without the need to significantly modify the application being transported or to re-create or re-enter the data descriptions. • Interoperability: Interoperability is the capability to execute programs, communicate or transfer data under specified conditions among many different cloud services. • Portability of the system: System portability is the capacity of a service to run in more than one type of cloud. • Rapid provisioning: Rapid provisioning is the automatic deployment of cloud systems based on the requested resources/services/capabilities. • Resource change: Adjusting the resource/configuration assignment for updates and repairs, and joining new nodes to the cloud. • Monitoring and reporting: Discovering and monitoring virtual resources, monitoring cloud events and operations, and generating reports based on performance. • Measurement: Measurement provides a metering capability at some level of abstraction appropriate to the type of service, for example processing, storage, bandwidth and active user accounts. • SLA management: According to the defined policies, SLA management covers the SLA contract definition (basic schema with quality-of-service parameters), SLA enforcement and SLA monitoring.