Cloud Computing Question Bank & Answers

The document is a comprehensive question bank for a Cloud Computing course, covering key concepts such as cloud computing definitions, deployment models, and service models (IaaS, PaaS, SaaS). It outlines design challenges in cloud infrastructure, including service availability, data privacy, and performance issues, while also discussing the roles of various stakeholders in cloud services. Additionally, it highlights the benefits and drawbacks of using different cloud service models and emphasizes the importance of standardization and interoperability in cloud computing.

Uploaded by yusufshabana22

CCS335 – CLOUD COMPUTING

QUESTION BANK WITH ANSWERS FOR ALL UNITS


Unit - I
PART- A
1. Define cloud computing and its main characteristics.
Cloud computing is the on-demand delivery of IT resources like servers, storage, software, and
databases over the internet, allowing users to access them as services with a pay-as-you-go
model instead of buying and maintaining their own physical infrastructure. Its essential
characteristics, as defined by NIST, are on-demand self-service, broad network access, resource
pooling, rapid elasticity, and measured service.
2. List the different types of cloud deployment models.
The different types of cloud computing deployment models are listed below.
• Public Cloud
• Private Cloud
• Hybrid Cloud
• Community Cloud
• Multi-Cloud
3. Define Distributed computing.
Distributed computing is a model in which components of a software system are shared among
multiple computers or nodes. Even though the software components are spread out across
multiple computers in multiple locations, they're run as one system to improve efficiency and
performance. The systems on different networked computers communicate and coordinate by
sending messages back and forth to achieve a defined task.
4. Outline the difference between a public cloud and a private cloud.

| Aspect | Private Cloud | Public Cloud |
|---|---|---|
| Costs | High upfront investment, ongoing maintenance costs | Pay-as-you-go model, no upfront costs |
| Security | Enhanced control, customizable security measures | Shared infrastructure, provider-managed security |
| Scalability | Limited by physical infrastructure | Highly scalable, on-demand resources |

5. List any four design challenges in Cloud computing.

• Service Availability and Data Lock-in Problem
• Data Privacy and Security Concerns
• Unpredictable Performance and Bottlenecks
• Distributed Storage and Widespread Software Bugs

6. What is cloud in cloud computing?


The term cloud refers to a network or the internet. It is a technology that uses remote servers on
the internet to store, manage, and access data online rather than local drives. The data can be
anything such as files, images, documents, audio, video, and more.

7. What is the use of elasticity in cloud?


Elasticity is the ability to increase or decrease the resources a cloud-based application uses.
Elasticity in cloud computing allows you to scale computer processing, memory, and storage
capacity to meet changing demands.

8. Depict the importance of on-demand provisioning.


On-demand provisioning is a cloud computing delivery model in which computing resources are
made available to users as needed, eliminating the need for large, upfront investments in IT
infrastructure. Its importance stems from the flexibility, cost savings, and operational efficiency
it provides for businesses with fluctuating or unpredictable resource demand.
9. Why do we need a hybrid cloud? Justify.
A hybrid cloud lets us allocate public cloud resources for short-term projects at a lower cost
than using our own data center's IT infrastructure. We do not overinvest in equipment that we
will need only temporarily, and it offers flexibility for the future.

10. Summarize the benefits and drawbacks of using “Platform as a Service”.


Advantages of PaaS:
• Simple and convenient for users
• Cost-effective
• Efficiently manages the application lifecycle
• Efficiency
Disadvantages of PaaS:
• Limited control over infrastructure
• Dependence on the provider
• Limited flexibility
PART- B
1. What are Peer-to-Peer Network Families? Explain the NIST Cloud Computing
Reference Architecture and discuss how it contributes to the standardization of cloud
services.
Peer-to-Peer Network Families
• The P2P architecture offers a distributed model of networked systems.
• A P2P network is client-oriented instead of server-oriented.
• P2P systems are introduced at the physical level and overlay networks at the logical level.

P2P Systems:
• Every node acts as both a client and a server, providing part of the system resources.
• Peer machines are client computers connected to the Internet.
• All client machines act autonomously to join or leave the system freely.
• No master-slave relationship exists among the peers.
• No central coordination or central database is needed.
• No peer machine has a global view of the entire P2P system.
• The system is self-organizing with distributed control.

NIST (National Institute of Standards and Technology) Background


The goal is to accelerate the federal government’s adoption of secure and effective cloud
computing to reduce costs and improve services.
Cloud Computing Reference Architecture
Interactions between the Actors in Cloud Computing

Cloud Consumer
• The cloud consumer is the principal stakeholder for the cloud computing service.
• A cloud consumer represents a person or organization that maintains a business
relationship with, and uses the service from, a cloud provider.
• The cloud consumer may be billed for the service provisioned, and needs to arrange
payments accordingly.

Cloud Provider
A cloud provider is a person or an organization:
• It is the entity responsible for making a service available to interested parties.
• The cloud provider acquires and manages the computing infrastructure required for providing
the services.
• Runs the cloud software that provides the services.
• Makes arrangements to deliver the cloud services to the cloud consumers through network
access.

Cloud Auditor
• A cloud auditor is a party that can perform an independent examination of cloud
service controls.
• Audits are performed to verify conformance to standards through review of objective
evidence.
• A cloud auditor can evaluate the services provided by a cloud provider in terms of security
controls, privacy impact, performance, etc.

Cloud Broker
• Integration of cloud services can be too complex for cloud consumers to manage.
• A cloud consumer may request cloud services from a cloud broker instead of contacting
a cloud provider directly.
• A cloud broker is an entity that manages the use, performance and delivery of cloud services,
and negotiates relationships between cloud providers and cloud consumers.

Cloud Carrier
• A cloud carrier acts as an intermediary that provides connectivity and transport of cloud
services between cloud consumers and cloud providers.
• Cloud carriers provide access to consumers through the network.
• The distribution of cloud services is normally provided by
network and telecommunication carriers or a transport agent.
• A transport agent refers to a business organization that provides physical transport of storage
media such as high-capacity hard drives and other access devices.

2. Analyze the design challenges in compute and storage cloud infrastructure and propose
potential solutions.
Architectural Design Challenges

Challenge 1: Service Availability and Data Lock-in Problem

Service Availability

Service availability in the cloud might be affected by a single point of failure or by
distributed denial of service attacks.
Single Point of Failure
o Depending on a single service provider might result in failure.
o Even if a single service provider has multiple data centres located in different geographic
regions, they may share common software infrastructure and accounting systems.
Solution:
o Multiple cloud providers may provide more protection from failures and they provide
High Availability (HA).
o Using multiple cloud providers also guards against the loss of all data.

Distributed Denial of Service (DDoS) attacks:

o Cyber criminals attack target websites and online services and make the services
unavailable to users.
o A DDoS attack tries to make the service unavailable to users by sending more traffic
than the server or network can accommodate.
Solution:
o Some SaaS providers offer a defence against DDoS attacks by using quick scale-ups.

Data Lock-in
• Customers cannot easily extract their data and programs from one site to run on another.
It is a situation in which a customer using the service of a provider cannot move to
another service provider because the technologies used by a provider are incompatible
with those of other providers. This makes the customer dependent on a vendor for services
and unable to use the service of another vendor.
Solution:
o Have standardization (in technologies) among service providers so that customers can
deploy (install) services and data across multiple cloud providers and easily move from one
service provider to another.
Challenge 2: Data Privacy and Security Concerns
Cloud services are prone to attacks because they are accessed through the internet.
Security is provided by
o Storing encrypted data in the cloud.
o Firewalls and filters.
Cloud environment attacks include:
o Guest hopping
o Hijacking
o VM rootkits.
Guest Hopping: Virtual machine hyper jumping (VM jumping) is an attack method that
exploits (makes use of) a hypervisor weakness that allows a virtual machine (VM) to be accessed
from another.
Hijacking: Hijacking is a type of network security attack in which the attacker takes control of
a communication.
VM Rootkit: a collection of malicious (harmful) computer software designed to enable
access to a computer that is not otherwise allowed.
A man-in-the-middle (MITM) attack is a form of eavesdropping (spying) where communication
between two users is monitored and modified by an unauthorized party.
o A man-in-the-middle attack may take place during VM migrations [virtual machine (VM)
migration: a VM is moved from one physical host to another host].
Passive attacks steal sensitive data or passwords. Active attacks may manipulate (control) kernel
data structures, which will cause major damage to cloud servers.

Challenge 3: Unpredictable Performance and Bottlenecks


• Multiple VMs can share CPUs and main memory in cloud computing, but I/O sharing is
problematic.
• Internet applications continue to become more data-intensive (handling huge amounts of
data).
• Handling huge amounts of data (data-intensive work) is a bottleneck in the cloud environment.
• Weak servers that do not handle data transfers properly must be removed from the cloud
environment.

Challenge 4: Distributed Storage and Widespread Software Bugs


• The database is always growing in cloud applications.
• There is a need to create a storage system that meets this growth.
• This demands the design of efficient distributed SANs (Storage Area Networks of storage
devices).
Data centres must meet
o Scalability
o Data durability
o HA (High Availability)
o Data consistency
A bug refers to an error in software. Debugging must be done in data centres.

Challenge 5: Cloud Scalability, Interoperability and Standardization

Cloud Scalability
Cloud resources are scalable. Cost increases when storage and network bandwidth are
scaled up (increased).
Interoperability
Open Virtualization Format (OVF) describes an open, secure, portable, efficient, and extensible
format for the packaging and distribution of VMs.
OVF defines a transport mechanism for VMs that can be applied to different virtualization
platforms.
Standardization
Cloud standardization should give a virtual machine the ability to run on any virtualization platform.
Challenge 6: Software Licensing and Reputation Sharing
• Cloud providers can use both pay-for-use and bulk-use licensing schemes to widen the
business coverage.
• Cloud providers must create reputation-guarding services similar to the “trusted e-mail”
services.
• Cloud providers want legal liability to remain with the customer, and vice versa.

3. Outline Infrastructure as a Service model, Platform as a Service model and Software as
a Service model with an example.

Most cloud computing services fall into five broad categories:

1. Software as a service (SaaS)
2. Platform as a service (PaaS)
3. Infrastructure as a service (IaaS)
These are sometimes called the cloud computing stack because they are built on top of one
another. Knowing what they are and how they differ makes it easier to accomplish your
goals. These abstraction layers can also be viewed as a layered architecture where services of a
higher layer can be composed of services of the underlying layer, i.e., SaaS can be built on
infrastructure services.

Software as a Service(SaaS)
Software-as-a-Service (SaaS) is a way of delivering services and applications over the Internet.
Instead of installing and maintaining software, we simply access it via the Internet, freeing
ourselves from the complex software and hardware management. It removes the need to install
and run applications on our own computers or in the data centers eliminating the expenses of
hardware as well as software maintenance.
SaaS provides a complete software solution that you purchase on a pay-as-you-go basis from a
cloud service provider. Most SaaS applications can be run directly from a web browser without
any downloads or installations required. The SaaS applications are sometimes called Web-based
software, on-demand software, or hosted software.

Advantages of SaaS
1. Cost-Effective: Pay only for what you use.
2. Reduced time: Users can run most SaaS apps directly from their web browser
without needing to download and install any software. This reduces the time spent in
installation and configuration and can reduce the issues that can get in the way of the
software deployment.
3. Accessibility: We can Access app data from anywhere.
The various companies providing Software as a Service are Cloud9 Analytics, [Link],
CloudSwitch, Microsoft Office 365, BigCommerce, Eloqua, Dropbox, and CloudTran.
Platform as a Service
PaaS is a category of cloud computing that provides a platform and environment to allow
developers to build applications and services over the internet. PaaS services are hosted in the
cloud and accessed by users simply via their web browser.
A PaaS provider hosts the hardware and software on its own infrastructure. As a result, PaaS
frees users from having to install in-house hardware and software to develop or run a new
application. Thus, the development and deployment of the application take place independent of
the hardware. The consumer does not manage or control the underlying cloud infrastructure
including network, servers, operating systems, or storage, but has control over the deployed
applications and possibly configuration settings for the application-hosting environment. To
put it simply, take the example of an annual day function: you have two options, either to
build a venue or to rent one, but the function is the same.

Advantages of PaaS:
1. Simple and convenient for users: It provides much of the infrastructure and other
IT services, which users can access anywhere via a web browser.
2. Cost-Effective: It charges for the services provided on a per-use basis thus
eliminating the expenses one may have for on-premises hardware and software.
3. Efficiently managing the lifecycle: It is designed to support the complete web
application lifecycle: building, testing, deploying, managing, and updating.
4. Efficiency: It allows for higher-level programming with reduced complexity thus,
the overall development of the application can be more effective.
The various companies providing Platform as a Service are Amazon Web Services Elastic
Beanstalk, Salesforce, Windows Azure, Google App Engine, CloudBees and IBM SmartCloud.

Infrastructure as a Service
Infrastructure as a service (IaaS) is a service model that delivers computer infrastructure on an
outsourced basis to support various operations. Typically IaaS is a service where infrastructure is
provided as outsourcing to enterprises such as networking equipment, devices, database, and web
servers.
It is also known as Hardware as a Service (HaaS). IaaS customers pay on a per-user basis,
typically by the hour, week, or month. Some providers also charge customers based on the
amount of virtual machine space they use.
It simply provides the underlying operating systems, security, networking, and servers for
developing such applications, and services, and deploying development tools, databases, etc.

Advantages of IaaS:
1. Cost-Effective: Eliminates capital expense and reduces ongoing cost and IaaS
customers pay on a per-user basis, typically by the hour, week, or month.
2. Website hosting: Running websites using IaaS can be less expensive than traditional
web hosting.
3. Security: The IaaS Cloud Provider may provide better security than your existing
software.
The various companies providing Infrastructure as a Service are Amazon Web Services,
Bluestack, IBM, OpenStack, Rackspace, and VMware.

4. Compare between Cloud Deployment model and Cloud Service model?

Cloud Deployment Models:

| Factors | Public Cloud | Private Cloud | Hybrid Cloud |
|---|---|---|---|
| Resources | Resources are shared among multiple customers | Resources are shared with a single organization | It is a combination of public and private clouds, based on the requirement. |
| Tenancy | Data of multiple organizations is stored in the public cloud | Data of a single organization is stored in a private cloud | Data is stored in the public cloud, and security is provided in the private cloud. |
| Pay Model | Pay for what you used | Has a variety of pricing models | It can include a mix of public cloud pay-as-you-go pricing and private cloud fixed pricing. It has other pricing models such as consumption-based, subscription-based, etc. |
| Scalability and Flexibility | It has more scalability and flexibility | It has predictability and consistency | It has scalability and flexibility by allowing organizations to use a combination of public and private cloud services. |
| Expense | Less expensive | More expensive | Can be more expensive, but it can also be less expensive, depending on the specific needs and requirements of the organization. |

Cloud Service Models:


| Factors | IaaS | PaaS | SaaS |
|---|---|---|---|
| Model | It is a service model that provides virtualized computing resources over the internet. | It is a cloud computing model that delivers tools that are used for the development of applications. | It is a service model in cloud computing that hosts software to make it available to clients. |
| Access | IaaS gives access to resources like virtual machines and virtual storage. | PaaS gives access to the run time environment and to deployment and development tools for applications. | SaaS gives access to the end user. |
| Technical understanding | It requires technical knowledge. | Some knowledge is required for the basic setup. | There is no requirement about technicalities; the company handles everything. |
| Popularity | It is popular among developers and researchers. | It is popular among developers who focus on the development of apps and scripts. | It is popular among consumers and companies, such as file sharing, email, and networking. |
| Percentage rise | It has around a 12% increment. | It has around a 32% increment. | It has about a 27% rise in the cloud computing model. |
| Usage | Used by the skilled developer to develop unique applications. | Used by mid-level developers to build applications. | Used among the users of entertainment. |
| Cloud services | Amazon Web Services, Sun, vCloud Express. | Facebook, and Google search engine. | MS Office Web, Facebook and Google Apps. |
| Enterprise services | AWS Virtual Private Cloud. | Microsoft Azure. | IBM cloud analysis. |
| Outsourced cloud services | Salesforce | [Link], Gigaspaces. | AWS, Terremark |
| User controls | Operating system, runtime, middleware, and application data | Data of the application | Nothing |
| Others | It is highly scalable and flexible. | It is highly scalable to suit the different businesses according to resources. | It is highly scalable to suit small, mid and enterprise level business. |

5. Discuss the various cloud service deployment models with neat sketch.

Types of Cloud Computing Deployment Models


The cloud deployment model identifies the specific type of cloud environment based on
ownership, scale, and access, as well as the cloud’s nature and purpose. The location of the
servers you’re utilizing and who controls them are defined by a cloud deployment model. It
specifies how your cloud infrastructure will look, what you can change, and whether you will be
given services or will have to create everything yourself. Relationships between the
infrastructure and your users are also defined by cloud deployment types. Different types of
cloud computing deployment models are described below.
• Public Cloud
• Private Cloud
• Hybrid Cloud
• Community Cloud

Public Cloud
The public cloud makes it possible for anybody to access systems and services. The public cloud
may be less secure as it is open to everyone. The public cloud is one in which cloud
infrastructure services are provided over the internet to the general public or major industry
groups. The infrastructure in this cloud model is owned by the entity that delivers the cloud
services, not by the consumer.

It is a type of cloud hosting that allows customers and users to easily access systems and
services. This form of cloud computing is an excellent example of cloud hosting, in which
service providers supply services to a variety of customers. In this arrangement, storage, backup
and retrieval services are given for free, as a subscription, or on a per-user basis. For example,
Google App Engine.

Private Cloud
The private cloud deployment model is the exact opposite of the public cloud deployment model.
It’s a one-on-one environment for a single user (customer).
There is no need to share your hardware with anyone else. The distinction between private and
public clouds is in how you handle all of the hardware. It is also called the “internal cloud” & it
refers to the ability to access systems and services within a given border or organization. The
cloud platform is implemented in a cloud-based secure environment that is protected by powerful
firewalls and under the supervision of an organization’s IT department. The private cloud gives
greater flexibility of control over cloud resources.

Hybrid Cloud
By bridging the public and private worlds with a layer of proprietary software, hybrid cloud
computing gives the best of both worlds. With a hybrid solution, you may host the app in a safe
environment while taking advantage of the public cloud’s cost savings. Organizations can move
data and applications between different clouds using a combination of two or more cloud
deployment methods, depending on their needs.

Community Cloud
It allows systems and services to be accessible by a group of organizations. It is a distributed
system that is created by integrating the services of different clouds to address the specific needs
of a community, industry, or business. The infrastructure of the community could be shared
among organizations that have shared concerns or tasks. It is generally managed by a third
party or by a combination of one or more organizations in the community.
6. Explain about evolution of cloud computing in detail?
Cloud computing allows users to access a wide range of services stored in the cloud or on the
Internet. Cloud Computing services include computer resources, data storage, apps, servers,
development tools, and networking protocols. They are most commonly used by IT companies
and for business purposes.
Evolution of Cloud Computing
The phrase "Cloud Computing" was first introduced in the 1950s to describe internet-related
services, and it evolved from distributed computing to the modern technology known as cloud
computing. Cloud services include those provided by Amazon, Google, and Microsoft. Cloud
computing allows users to access a wide range of services stored in the cloud or on the Internet.
Cloud computing services include computer resources, data storage, apps, servers, development
tools, and networking protocols.
1. Mainframe Computing
Mainframes which first came into existence in 1951 are highly powerful and reliable computing
machines. These are responsible for handling large data such as massive input-output operations.
Even today these are used for bulk processing tasks such as online transactions etc. These
systems have almost no downtime with high fault tolerance. After distributed computing, these
increased the processing capabilities of the system. But these were very expensive. To reduce
this cost, cluster computing came as an alternative to mainframe technology.
2. Distributed Systems
Distributed System is a composition of multiple independent systems but all of them are depicted
as a single entity to the users. The purpose of distributed systems is to share resources and also
use them effectively and efficiently. Distributed systems possess characteristics such as
scalability, concurrency, continuous availability, heterogeneity, and independence in failures.
But the main problem with this system was that all the systems were required to be present at the
same geographical location. Thus, to solve this problem, distributed computing led to three more
types of computing: mainframe computing, cluster computing, and grid computing.
3. Cluster Computing
In the 1980s, cluster computing came as an alternative to mainframe computing. Each machine in
the cluster was connected to the others by a network with high bandwidth. These were way
cheaper than those mainframe systems. These were equally capable of high computations. Also,
new nodes could easily be added to the cluster if it was required. Thus, the problem of the cost
was solved to some extent but the problem related to geographical restrictions still pertained. To
solve this, the concept of grid computing was introduced.
4. Grid Computing
In the 1990s, the concept of grid computing was introduced. It means that different systems were
placed at entirely different geographical locations and these were all connected via the internet.
These systems belonged to different organizations and thus the grid consisted of heterogeneous
nodes. Although it solved some problems, new problems emerged as the distance between the
nodes increased. The main problem encountered was the low availability of high-bandwidth
connectivity and, with it, other network-associated issues. Thus, cloud computing is
often referred to as the "successor of grid computing".
5. Utility Computing
Utility Computing is a computing model that defines service provisioning techniques for services
such as compute services along with other major services such as storage, infrastructure, etc
which are provisioned on a pay-per-use basis.
6. Virtualization
Virtualization was introduced nearly 40 years back. It refers to the process of creating a virtual
layer over the hardware which allows the user to run multiple instances simultaneously on the
hardware. It is a key technology used in cloud computing. It is the base on which major cloud
computing services such as Amazon EC2, VMware vCloud, etc. work. Hardware
virtualization is still one of the most common types of virtualization.
7. Web 2.0
Web 2.0 is the interface through which the cloud computing services interact with the clients. It
is because of Web 2.0 that we have interactive and dynamic web pages. It also increases
flexibility among web pages. Popular examples of web 2.0 include Google Maps, Facebook,
Twitter, etc. Needless to say, social media is possible because of this technology only. It gained
major popularity in 2004.
8. Service Orientation
A service orientation acts as a reference model for cloud computing. It supports low-cost,
flexible, and evolvable applications. Two important concepts were introduced in this computing
model. These were Quality of Service (QoS) which also includes the SLA (Service Level
Agreement) and Software as a Service (SaaS).
Cloud Computing
Cloud Computing means storing and accessing the data and programs on remote servers that are
hosted on the internet instead of the computer’s hard drive or local server. Cloud computing is
also referred to as Internet-based computing, it is a technology where the resource is provided as
a service through the Internet to the user. The data that is stored can be files, images, documents,
or any other storable document.

7. Demonstrate the architectural design of compute and storage clouds.

A Generic Cloud Architecture


• The Internet cloud is envisioned as a massive cluster of servers.
• Servers are provisioned on demand to perform collective web services using data-center
resources.
• The cloud platform is formed dynamically by provisioning or deprovisioning servers,
software, and database resources.
• Servers in the cloud can be physical machines or VMs.
• User interfaces are applied to request services.

• The cloud computing resources are built into the data centers.
• Data centers are typically owned and operated by a third-party provider. Consumers do
not need to know the underlying technologies.
• In a cloud, software becomes a service. The cloud demands a high degree of trust of massive
amounts of data retrieved from large data centers.
• The software infrastructure of a cloud platform must handle all resource management and
maintenance automatically.
• Software must detect the status of each node server joining and leaving.
• Cloud computing providers such as Google and Microsoft have built a large number of
data centers.
• Each data center may have thousands of servers.
• The location of the data center is chosen to reduce power and cooling costs.

Layered Cloud Architectural Development


• The architecture of a cloud is developed at three layers
◻ Infrastructure
◻ Platform
◻ Application

• Implemented with virtualization and standardization of hardware and software resources
provisioned in the cloud. The services to public, private and hybrid clouds are conveyed
to users through networking support.
Infrastructure Layer
◻ Built with virtualized compute, storage, and network resources.
◻ Provides the flexibility demanded by users.
◻ Virtualization realizes automated provisioning of resources and optimizes the infrastructure
management process.
Platform Layer
◻ Foundation for implementing the application layer for SaaS applications.
◻ Used for general-purpose and repeated usage of the collection of software resources.
◻ Provides users with an environment to develop their applications, to test operation flows, and
to monitor execution results and performance.
◻ The platform should be able to assure users that they have scalability, dependability, and
security protection.
Application Layer
◻ Collection of all needed software modules for SaaS applications.
◻ Service applications in this layer include daily office management work, such as information
retrieval, document processing, and authentication services.
◻ The application layer is also heavily used by enterprises in business
marketing and sales, customer relationship management (CRM) and financial transactions.
◻ Not all cloud services are restricted to a single layer.
◻ Many applications may apply resources at mixed layers.
◻ The three layers are built from the bottom up with a dependence relationship.

Market-Oriented Cloud Architecture


◻ High-level architecture for supporting market-oriented resource allocation in a cloud
computing environment.
◻ Users or brokers acting on a user’s behalf submit service requests to the data center.
◻ When a service request is first submitted, the service request examiner interprets the submitted
request for QoS requirements.
◻ VM Monitor: latest status information regarding resource availability.
◻ Service Request Monitor: latest status information on workload processing.
◻ Pricing mechanism: decides how service requests are charged.
◻ Accounting mechanism: maintains the actual usage of resources by requests to compute the
final cost.
◻ The VM Monitor mechanism keeps track of the availability of VMs and their resource
entitlements.
◻ The Dispatcher starts the execution of accepted service requests on allocated VMs.
◻ The Service Request Monitor mechanism keeps track of the execution progress of service
requests.
◻ Multiple VMs can be started and stopped on demand.

PART- C
1. Design a secure, multi-tenant cloud architecture addressing data isolation and privacy. Outline
key security measures and evaluate their pros and cons.

Multi-tenant architecture is a foundational technology behind cloud computing. Cloud providers
use multi-tenancy to manage multiple customers on the same infrastructure, and this is the basis
for the economic benefits and elasticity of the public cloud. Private clouds can also make use of
multi-tenancy, to share the same resources between multiple users, projects, or organizational
units.
For instance, Tenant A has users A1 and A2, Tenant B has a single user, and Tenant C has
multiple users (C1, C2, C3) along with an admin. This architecture allows these tenants to coexist
on the same system while maintaining strict data isolation and privacy, ensuring that the data and
actions of one tenant do not affect others.

Separate databases: Each tenant has its own dedicated database. This provides the highest level
of isolation and security, but it is the most expensive and complex to manage.

The cost effectiveness made possible by multi-tenancy is possibly the biggest driver encouraging
enterprises to adopt multi-tenant architectures.
Another important driver is scalability. A single platform that serves multiple public cloud
customers or multiple units within an organization makes it possible to operate at a very large
scale. This means that cloud users have access to virtually unlimited resources at the click of a
button. If multi-tenancy was inefficient or cumbersome, cloud computing would not be possible.

Aspect: Multi-Tenant Architecture
Data Isolation: Data is isolated at the application or database layer using schemas or
tenant IDs.
Security: Potential security risks due to shared resources.
Performance: Performance can vary, potentially affected by other tenants’ activities
(“noisy neighbors”).
Resource Utilization: Higher efficiency in resource utilization due to the shared environment.

Key security measures:

 Tenant Isolation: This is the foundation of multi-tenant security, ensuring that each tenant's
data and resources are logically separated and inaccessible to other tenants. This can be
achieved through techniques like network segmentation and robust access controls.
 Data Encryption: Encrypt sensitive data both while it's being stored (at rest) and when it's
being sent over networks (in transit). Use strong algorithms like AES-256 and implement
secure key management practices. Some solutions also offer application-level or client-side
encryption for an extra layer of privacy.
 Identity and Access Management (IAM): Implement strong IAM policies to control who can
access what.
 Role-Based Access Control (RBAC): Assign permissions based on user roles to ensure users
only have access to the data and functions they need.
 Multi-Factor Authentication (MFA): Require multiple forms of verification for users to log
in, significantly reducing the risk of unauthorized access.
 Zero Trust Architecture: Authenticate and authorize every request, even for users who are
already inside the network.
 Continuous Monitoring and Auditing: Continuously monitor the environment for suspicious
activity, anomalies, and security threats. Regularly audit logs, configurations, and user
activities to identify and address vulnerabilities.
 Compliance and Governance: Ensure the architecture adheres to relevant security compliance
regulations like GDPR, HIPAA, and PCI DSS. Implement automated compliance checks to
continuously validate adherence to these standards.
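As an added example (not part of the question bank's answer), the following Python sketch combines the "tenant IDs in a shared database" isolation approach from the table above with role-based access control: a hypothetical TenantStore class binds every query to the caller's tenant_id and role. The sqlite3 table layout, the role set and the Tenant A/B/C users are constructed for this example.

```python
"""Tenant-scoped data access: tenant IDs in every query plus role-based access.

Added example, not code from the question bank. One shared table holds rows
for several tenants, distinguished by a tenant_id column; TenantStore injects
the caller's tenant_id into every WHERE clause, so a user cannot read or delete
another tenant's rows even by guessing a primary key. Roles, table layout and
sample data are constructed for this example.
"""
import sqlite3
from dataclasses import dataclass

# Constructed role -> permission mapping (RBAC).
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "user": {"read", "write"},
    "auditor": {"read"},
}

class AccessDenied(Exception):
    """Raised for missing permissions and for cross-tenant access attempts."""

@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str  # bound at login, never taken from the request body
    role: str

def open_store() -> sqlite3.Connection:
    """Create the shared in-memory table used by all tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, "
                 "tenant_id TEXT NOT NULL, owner TEXT NOT NULL, body TEXT NOT NULL)")
    conn.execute("CREATE INDEX idx_documents_tenant ON documents(tenant_id)")
    return conn

class TenantStore:
    """Data-access layer that enforces tenant isolation on every statement."""

    def __init__(self, conn: sqlite3.Connection, principal: Principal):
        self.conn = conn
        self.p = principal

    def _require(self, perm: str) -> None:
        if perm not in ROLE_PERMISSIONS.get(self.p.role, set()):
            raise AccessDenied(f"{self.p.user_id} ({self.p.role}) lacks '{perm}'")

    def create(self, body: str) -> int:
        self._require("write")
        cur = self.conn.execute(
            "INSERT INTO documents (tenant_id, owner, body) VALUES (?, ?, ?)",
            (self.p.tenant_id, self.p.user_id, body))
        return cur.lastrowid

    def get(self, doc_id: int) -> dict:
        self._require("read")
        # tenant_id is part of the lookup key: a foreign tenant's row simply
        # does not exist from this principal's point of view.
        row = self.conn.execute(
            "SELECT id, owner, body FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self.p.tenant_id)).fetchone()
        if row is None:
            # Same error for "absent" and "owned by another tenant", so the
            # response does not reveal that the id exists elsewhere.
            raise AccessDenied(f"document {doc_id} not visible to {self.p.tenant_id}")
        return {"id": row[0], "owner": row[1], "body": row[2]}

    def delete(self, doc_id: int) -> bool:
        self._require("delete")
        cur = self.conn.execute(
            "DELETE FROM documents WHERE id = ? AND tenant_id = ?",
            (doc_id, self.p.tenant_id))
        return cur.rowcount == 1

def demo() -> dict:
    """Walk through the Tenant A / B / C scenario described in the text."""
    conn = open_store()
    a1 = TenantStore(conn, Principal("A1", "tenant-a", "user"))
    b1 = TenantStore(conn, Principal("B1", "tenant-b", "user"))
    c_admin = TenantStore(conn, Principal("C-admin", "tenant-c", "admin"))
    doc_a = a1.create("Tenant A quarterly report")
    doc_b = b1.create("Tenant B customer list")
    doc_c = c_admin.create("Tenant C audit notes")
    out = {"a_reads_own": a1.get(doc_a)["owner"]}
    try:  # B1 guesses A's primary key; the tenant filter turns it into a denial
        b1.get(doc_a)
        out["cross_tenant_read"] = "allowed"
    except AccessDenied:
        out["cross_tenant_read"] = "denied"
    try:  # a plain user lacks the delete permission even inside its own tenant
        a1.delete(doc_a)
        out["user_delete"] = "allowed"
    except AccessDenied:
        out["user_delete"] = "denied"
    # An admin's delete is still scoped to the admin's own tenant.
    out["admin_delete_foreign"] = c_admin.delete(doc_b)
    out["admin_delete_own"] = c_admin.delete(doc_c)
    return out
```

Because ids are allocated from one shared sequence, Tenant B can guess Tenant A's primary key; the tenant_id predicate is what turns that guess into a denial rather than a data leak.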
Multi-Tenant Architecture: Pros and Cons
Advantages:
 Lower costs—Since tenants share responsibilities over software maintenance, data center
operations, and infrastructure, the ongoing costs are lower.
 Scalability and improved productivity for tenants— A multi-tenant architecture
enables tenants to scale on demand.
 Customization without coding— Most vendors offering multi-tenant solutions provide
a high level of customization to ensure each tenant customer can customize the
application according to specific business needs.
 Continuous, consistent updates and maintenance — Multi-tenant software providers
are responsible for patches and updates.
Drawbacks:
 Compliance challenges: Proving data isolation and meeting regulatory requirements can
be complex in shared environments.
 Unpredictable behavior: Performance can become unpredictable because of "noisy
neighbors" or other tenants' resource usage patterns.
 Complex management: Managing a multi-tenant environment is complex, requiring
sophisticated tools and strategies to ensure isolation, performance, and security for all
users.

Multi-tenancy architecture in system design, as illustrated in the provided image, involves a
layered framework where multiple tenants (Tenant A, Tenant B, Tenant C) share a single
instance of the core application, middleware, and hardware infrastructure. Each tenant operates
independently, with their own distinct users and data sets.

The SaaS (Software as a Service) provider manages the underlying hardware and software
layers, providing scalability, maintenance, and updates across all tenants simultaneously.
 This setup enhances resource utilization efficiency, reduces operational costs, and enables
each tenant to customize their user experience without compromising the integrity or
performance of the shared system.
 The design ensures that the tenants benefit from the shared infrastructure while enjoying
the privacy and security of their data and operations.
UNIT- II
PART- A
1. What is Virtualization in cloud computing?
Virtualization is the process of creating a virtual (rather than physical) version of computing
resources such as servers, storage devices, networks, or operating systems. In cloud computing,
virtualization allows multiple virtual environments to run on a single physical hardware system,
improving resource utilization, flexibility, and scalability.

2. State the role of a hypervisor in virtualization.


A hypervisor is software or firmware that enables virtualization by creating and managing virtual
machines (VMs) on a physical host. Its roles include:
 Allocating physical resources (CPU, memory, storage) to VMs.
 Isolating VMs to prevent interference.
 Managing VM lifecycle (start, pause, stop, migrate).
 Enabling multiple OS instances to run concurrently on the same hardware.

3. Define a virtual machine.


A virtual machine is a software-based simulation of a physical computer. It runs an operating
system and applications like a physical computer but shares the underlying hardware with other
VMs through a hypervisor. Each VM is isolated and can have its own OS, CPU, memory, and
storage.

4. What is a cloud hypervisor?


A cloud hypervisor is a hypervisor specifically designed to manage virtual machines in a cloud
environment. It enables dynamic allocation of computing resources, high availability, live
migration, and scaling of VMs in cloud data centers. Examples: VMware ESXi, Microsoft
Hyper-V, KVM.
5. What is hardware virtualization?
Hardware virtualization is the abstraction of physical hardware resources to create virtual
hardware for VMs. It allows a single physical machine to emulate multiple virtual machines,
each running its own OS and applications independently. This includes CPU, memory, storage,
and network virtualization.

6. Write the role of CPU virtualization.


CPU virtualization allows multiple virtual machines to share the physical CPU safely and
efficiently. Its roles include:
 Enabling each VM to run its own operating system without interference.
 Providing isolation between VMs.
 Translating VM instructions to the physical CPU instructions.
 Supporting hardware-assisted virtualization (e.g., Intel VT-x, AMD-V) for better
performance.

7. What is application server virtualization?


Application server virtualization abstracts an application from the underlying hardware or OS,
enabling it to run in an isolated environment. Roles include:
 Running multiple applications on a single server without conflicts.
 Improving resource utilization.
 Simplifying deployment and maintenance.
 Enabling scalability and fault isolation.

8. Define emulation.
Emulation is the process of mimicking one hardware or software system on a different system so
that the emulated system behaves exactly like the original. Unlike virtualization, emulation often
involves translating instructions between different architectures (e.g., running x86 software on
ARM hardware).

9. Define I/O Virtualization.


I/O virtualization abstracts and shares input/output devices (like storage, network, or USB)
among multiple virtual machines. This allows VMs to access hardware devices without direct
control and improves resource utilization, isolation, and flexibility.

10. What is Type 2 hypervisor?


A Type 2 hypervisor (or hosted hypervisor) runs on top of a conventional operating system
rather than directly on the hardware. It relies on the host OS for device drivers and resource
management.
Examples: VMware Workstation, Oracle VirtualBox.
Characteristics:
 Easier to install and use.
 Less efficient than Type 1 (native) hypervisors.
 Suitable for desktop or testing environments rather than production servers.

PART- B

1. Compare hardware virtualization with CPU, memory and I/O virtualization, providing
real-world applications for each type.
Hardware Support for Virtualization: Modern operating systems and processors permit
multiple processes to run simultaneously. If there is no protection mechanism in a processor, all
instructions from different processes will access the hardware directly and cause a system crash.
Therefore, all processors have at least two modes, user mode and supervisor mode, to ensure
controlled access of critical hardware. Instructions running in supervisor mode are called
privileged instructions. Other instructions are unprivileged instructions. In a virtualized
environment, it is more difficult to make OSes and applications run correctly because there are
more layers in the machine stack.

CPU Virtualization: A VM is a duplicate of an existing computer system in which a majority of
the VM instructions are executed on the host processor in native mode. Thus, unprivileged
instructions of VMs run directly on the host machine for higher efficiency. Other critical
instructions should be handled carefully for correctness and stability. The critical instructions are
divided into three categories:

Privileged instructions - Privileged instructions execute in a privileged mode and will be
trapped if executed outside this mode.
Control-sensitive instructions - Control-sensitive instructions attempt to change the
configuration of resources used.
Behavior-sensitive instructions - Behavior-sensitive instructions have different behaviors
depending on the configuration of resources, including the load and store operations over the
virtual memory.

A CPU architecture is virtualizable if it supports the ability to run the VM’s privileged and
unprivileged instructions in the CPU’s user mode while the VMM runs in supervisor mode. When
the privileged instructions including control- and behavior sensitive instructions of a VM are
executed, they are trapped in the VMM. In this case, the VMM acts as a unified mediator for
hardware access from different VMs to guarantee the correctness and stability of the whole
system. RISC CPU architectures can be naturally virtualized because all control- and behavior
sensitive instructions are privileged instructions.

Hardware-Assisted CPU Virtualization: This technique attempts to simplify virtualization
because full or para virtualization is complicated. Intel and AMD add an additional mode called
privilege mode level (some people call it Ring -1) to x86 processors. Therefore, operating
systems can still run at Ring 0 and the hypervisor can run at Ring -1. All the privileged and
sensitive instructions are trapped in the hypervisor automatically. This technique removes the
difficulty of implementing binary translation of full virtualization. It also lets the operating
system run in VMs without modification.

Memory Virtualization: Virtual memory virtualization is similar to the virtual memory support
provided by modern operating systems. In a traditional execution environment, the operating
system maintains mappings of virtual memory to machine memory using page tables, which is a
one-stage mapping from virtual memory to machine memory. All modern x86 CPUs include a
memory management unit (MMU) and a translation lookaside buffer (TLB) to optimize virtual
memory performance. However, in a virtual execution environment, virtual memory
virtualization involves sharing the physical system memory in RAM and dynamically allocating
it to the physical memory of the VMs. That means a two-stage mapping process should be
maintained by the guest OS and the VMM, respectively: virtual memory to physical memory and
physical memory to machine memory. Furthermore, MMU virtualization should be supported,
which is transparent to the guest OS. The guest OS continues to control the mapping of virtual
addresses to the physical memory addresses of VMs. But the guest OS cannot directly access the
actual machine memory. The VMM is responsible for mapping the guest physical memory to the
actual machine memory. The figure below shows the two-level memory mapping procedure.
Fig: Two-level memory mapping procedure
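An added Python simulation of the two-stage mapping just described (not code from the question bank): each guest keeps its own stage-1 page table, a hypothetical VMM class keeps one stage-2 table per VM, and a shadow_table() helper composes the two, which goes slightly beyond the text to show the single-level map a software MMU would hand to the hardware. The page size, page-table contents and VM names are constructed values.

```python
"""Two-stage address translation in a virtualized host.

Added example, not code from the question bank. Stage 1 is the guest OS's page
table (guest virtual -> guest physical); stage 2 is the VMM's table (guest
physical -> machine). The guest never sees stage 2, and a guest-physical page
the VMM has not assigned to that VM cannot be reached, which is what keeps two
VMs apart even when their guests use identical addresses. Page size, table
contents and the shadow-table composition are constructed for this example.
"""
PAGE_SIZE = 4096  # constructed: 4 KiB pages, as on x86


class PageFault(Exception):
    pass


def translate(table: dict, addr: int, stage: str) -> int:
    """Look up one page table: page number from addr, keep the page offset."""
    vpn, offset = divmod(addr, PAGE_SIZE)
    if vpn not in table:
        raise PageFault(f"{stage}: page {vpn:#x} not mapped")
    return table[vpn] * PAGE_SIZE + offset


class VM:
    """A guest: its name plus the page table its guest OS maintains (stage 1)."""

    def __init__(self, name: str, guest_page_table: dict):
        self.name = name
        self.guest_pt = guest_page_table  # guest virtual page -> guest physical page


class VMM:
    """Owns machine memory and the per-VM stage-2 tables (hypothetical class)."""

    def __init__(self, machine_pages: int):
        self.machine = bytearray(machine_pages * PAGE_SIZE)
        self.free = list(range(machine_pages))
        self.stage2 = {}  # vm name -> {guest physical page -> machine page}

    def assign(self, vm: VM, guest_phys_pages) -> None:
        """Back each guest-physical page of vm with a distinct machine page."""
        table = self.stage2.setdefault(vm.name, {})
        for gpn in guest_phys_pages:
            table[gpn] = self.free.pop(0)

    def guest_virt_to_machine(self, vm: VM, guest_virt: int) -> int:
        # Stage 1 is the guest's own table; stage 2 is invisible to the guest.
        guest_phys = translate(vm.guest_pt, guest_virt, "stage 1 (guest OS)")
        return translate(self.stage2[vm.name], guest_phys, "stage 2 (VMM)")

    def shadow_table(self, vm: VM) -> dict:
        """Compose both stages into one guest-virtual -> machine map, the
        shadow page table a software MMU would expose to the hardware."""
        s2 = self.stage2[vm.name]
        return {vpn: s2[gpn] for vpn, gpn in vm.guest_pt.items() if gpn in s2}

    def write(self, vm: VM, guest_virt: int, data: bytes) -> None:
        m = self.guest_virt_to_machine(vm, guest_virt)
        self.machine[m:m + len(data)] = data

    def read(self, vm: VM, guest_virt: int, n: int) -> bytes:
        m = self.guest_virt_to_machine(vm, guest_virt)
        return bytes(self.machine[m:m + n])


def demo() -> dict:
    vmm = VMM(machine_pages=16)
    # Both guests map virtual page 0 to guest-physical page 0: identical
    # addresses inside each VM, exactly the case isolation must handle.
    vm1 = VM("vm1", {0: 0, 1: 1})
    vm2 = VM("vm2", {0: 0, 7: 2})  # vpn 7 -> gpn 2, which the VMM never assigns
    vmm.assign(vm1, [0, 1])
    vmm.assign(vm2, [0])
    vmm.write(vm1, 0x10, b"vm1-secret")
    out = {
        "vm1_reads": vmm.read(vm1, 0x10, 10),
        "vm2_reads_same_addr": vmm.read(vm2, 0x10, 10),
        "vm1_machine_page": vmm.guest_virt_to_machine(vm1, 0x10) // PAGE_SIZE,
        "vm2_machine_page": vmm.guest_virt_to_machine(vm2, 0x10) // PAGE_SIZE,
        "vm1_shadow": vmm.shadow_table(vm1),
    }
    try:  # stage 1 succeeds, stage 2 fails: the VMM, not the guest, catches it
        vmm.read(vm2, 7 * PAGE_SIZE, 1)
        out["unassigned_page"] = "readable"
    except PageFault as e:
        out["unassigned_page"] = str(e)
    return out
```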

I/O Virtualization: I/O virtualization involves managing the routing of I/O requests between
virtual devices and the shared physical hardware. There are three ways to implement I/O
virtualization:
• Full device emulation
• Para virtualization
• Direct I/O

Device emulation for I/O virtualization is implemented inside the middle layer that maps real I/O
devices into the virtual devices for the guest device driver to use.

Full device emulation is the first approach for I/O virtualization. Generally, this approach
emulates well-known, real-world devices. All the functions of a device or bus infrastructure, such
as device enumeration, identification, interrupts, and DMA, are replicated in software. This
software is located in the VMM and acts as a virtual device. The I/O access requests of the guest
OS are trapped in the VMM, which interacts with the I/O devices.
A single hardware device can be shared by multiple VMs that run concurrently. However,
software emulation runs much slower than the hardware it emulates. The para virtualization
method of I/O virtualization is typically used in Xen. It is also known as the split driver model
consisting of a frontend driver and a backend driver. The frontend driver is running in Domain U
and the backend driver is running in Domain 0. They interact with each other via a block of
shared memory. The frontend driver manages the I/O requests of the guest OSes and the backend
driver is responsible for managing the real I/O devices and multiplexing the I/O data of different
VMs. Although para I/O-virtualization achieves better device performance than full device
emulation, it comes with a higher CPU overhead.

2. What is Virtualization? Present an outline of the implementation levels of virtualization.

Levels of Virtualization:
A traditional computer runs with a host operating system specially tailored for its hardware
architecture, as shown in Figure 2.11 (a). After virtualization, different user applications
managed by their own operating systems (guest OS) can run on the same hardware, independent
of the host OS. This virtualization layer is known as the hypervisor or virtual machine monitor
(VMM). The VMs are shown in the upper boxes, where applications run with their own guest OS
over the virtualized CPU, memory, and I/O resources. The main function of the software layer
for virtualization is to virtualize the physical hardware of a host machine into virtual resources to
be used by the VMs, exclusively. The virtualization software creates the abstraction of VMs by
interposing a virtualization layer at various levels of a computer system. Common virtualization
layers include the instruction set architecture (ISA) level, hardware level, operating system level,
library support level, and application level.
Fig: Virtualization ranging from hardware to applications in five abstraction levels.

Instruction Set Architecture Level:
At the ISA level, virtualization is performed by emulating a given ISA by the ISA of the host
machine. For example, MIPS binary code can run on an x86-based host machine with the help of
ISA emulation. With this approach, it is possible to run a large amount of legacy binary code
written for various processors on any given new hardware host machine. Instruction set
emulation leads to virtual ISAs created on any hardware machine.
The basic emulation method is through code interpretation. An interpreter program interprets the
source instructions to target instructions one by one. One source instruction may require tens or
hundreds of native target instructions to perform its function. Obviously, this process is relatively
slow. For better performance, dynamic binary translation is desired.
This approach translates basic blocks of dynamic source instructions to target instructions. The
basic blocks can also be extended to program traces or super blocks to increase translation
efficiency. Instruction set emulation requires binary translation and optimization. A virtual
instruction set architecture (V-ISA) thus requires adding a processor-specific software translation
layer to the compiler.
Hardware Abstraction Level:
Hardware-level virtualization is performed right on top of the bare hardware. The idea is to
virtualize a computer’s resources, such as its processors, memory, and I/O devices. The intention
is to upgrade the hardware utilization rate by multiple users concurrently.
Operating System Level:
This refers to an abstraction layer between traditional OS and user applications. OS-level
virtualization creates isolated containers on a single physical server and the OS instances to
utilize the hardware and software in datacenters.
The containers behave like real servers. OS-level virtualization is commonly used in creating
virtual hosting environments to allocate hardware resources among a large number of mutually
distrusting users. It is also used, to a lesser extent, in consolidating server hardware by moving
services on separate hosts into containers or VMs on one server.
Library Support Level:
Most applications use APIs exported by user level libraries rather than using lengthy system calls
by the OS. Since most systems provide well documented APIs, such an interface becomes
another candidate for virtualization.
Virtualization with library interfaces is possible by controlling the communication link between
applications and the rest of a system through API hooks. The software tool WINE has
implemented this approach to support Windows applications on top of UNIX hosts. Another
example is the vCUDA which allows applications executing within VMs to leverage GPU
hardware acceleration.
User-Application Level:
Virtualization at the application level virtualizes an application as a VM. On a traditional OS, an
application often runs as a process. Therefore, application-level virtualization is also known as
process-level virtualization. The most popular approach is to deploy high-level language
(HLL) VMs.

Relative Merits of Virtualization at Various Levels (More “X”’s Means Higher Merit, with
a Maximum of 5 X’s)

3. What is Hypervisor? Draw and explain working of Type 1 Hypervisor.

A hypervisor (or Virtual Machine Monitor, VMM) is software that lets multiple operating
systems run on a single physical machine. It manages hardware resources (CPU, memory,
storage) and allocates them to virtual machines (VMs) without interference. This improves
hardware utilization, reduces costs, and provides flexibility in cloud and server environments.

A hypervisor runs on hardware or a host OS to create and manage virtual machines (VMs), each
with its own virtual CPU, memory, storage, and network. It intercepts guest OS requests and
translates them to physical hardware, ensuring isolation, security, and stability. A fundamental
element of hardware virtualization is the hypervisor, or virtual machine manager (VMM). It
recreates a hardware environment in which guest operating systems are installed. There are two
major types of hypervisors: Type I and Type II

Type 1 Hypervisor
A Type 1 hypervisor runs directly on the host's hardware. It doesn't rely on a host operating
system. This architecture offers better performance and security because there is no intermediary
OS. It's the standard for enterprise-level data centers and cloud providers like Amazon Web
Services (AWS) and Microsoft Azure. Hypervisors run directly on top of the hardware.
Therefore, they take the place of the operating systems and interact directly with underlying
hardware. This type of hypervisor is also called a native virtual machine since it runs natively on
hardware.
A Type 1 hypervisor (bare-metal) runs directly on the host's hardware, eliminating the need for a
host operating system. It acts as a lightweight operating system, managing and allocating
hardware resources like CPU, memory, and storage directly to the virtual machines (VMs).
A Type 1 hypervisor is a layer of software installed directly on top of a physical server and its
underlying hardware. Since no other software runs between the hardware and the hypervisor, it is
also called the bare-metal hypervisor. This hypervisor type provides excellent performance and
stability since it does not run inside Windows or any other operating system. Instead, it is a
simple operating system designed to run virtual machines. The physical machine the hypervisor
runs on serves virtualization purposes only. Type 1 hypervisors are mainly found in enterprise
environments. Once you boot up a physical server with a bare-metal hypervisor installed, it
displays a command prompt-like screen with some of the hardware and network details. They
include the CPU type, the amount of memory, the IP address, and the MAC address.

Examples: VMware ESXi, Microsoft Hyper-V, KVM (Kernel-based Virtual Machine), and Xen.

Pros:
 High performance (direct hardware access).
 Strong security (no intermediate OS layer).
 Suitable for mission-critical workloads.
Cons:
 Requires dedicated hardware.
 Setup and management are complex compared to Type-2.

4. Compare the terms Full Virtualization and Para Virtualization and depict the process of
virtualization.
Virtualization allows one computer to function as multiple computers by sharing its resources
across different environments. CPU virtualization includes full virtualization and
paravirtualization. In full virtualization, the original operating system runs without knowing it's
virtualized, using translation to handle system calls. Paravirtualization modifies the OS to use
hypercalls instead of certain instructions, making the process more efficient but requiring
changes before compiling.
Full Virtualization:
Full Virtualization was introduced by IBM in 1966. It is the first software solution for server
virtualization and uses binary translation and direct approach techniques. In full virtualization,
the virtual machine completely isolates the guest OS from the virtualization layer and hardware.
Microsoft and Parallels systems are examples of full virtualization.
Paravirtualization:
Paravirtualization is the category of CPU virtualization which uses hypercalls for operations to
handle instructions at compile time. In paravirtualization, guest OS is not completely isolated but
it is partially isolated by the virtual machine from the virtualization layer and
hardware. VMware and Xen are some examples of paravirtualization.

The differences between Full Virtualization and Paravirtualization are as follows:

1. Full Virtualization: In full virtualization, virtual machines permit the execution of the
instructions with the running of an unmodified OS in an entirely isolated way.
   Paravirtualization: In paravirtualization, a virtual machine does not implement full isolation
of the OS but rather provides a different API which is utilized when the OS is subjected to
alteration.
2. Full Virtualization: Full virtualization is less secure.
   Paravirtualization: Paravirtualization is more secure than full virtualization.
3. Full Virtualization: Full virtualization uses binary translation and a direct approach as a
technique for operations.
   Paravirtualization: Paravirtualization uses hypercalls at compile time for operations.
4. Full Virtualization: Full virtualization is slower than paravirtualization in operation.
   Paravirtualization: Paravirtualization is faster in operation as compared to full virtualization.
5. Full Virtualization: Full virtualization is more portable and compatible.
   Paravirtualization: Paravirtualization is less portable and compatible.
6. Full Virtualization: Examples of full virtualization are Microsoft and Parallels systems.
   Paravirtualization: Examples of paravirtualization are Microsoft Hyper-V, Citrix Xen, etc.
7. Full Virtualization: It supports all guest operating systems without modification.
   Paravirtualization: The guest operating system has to be modified and only a few operating
systems support it.
8. Full Virtualization: The guest operating system will issue hardware calls.
   Paravirtualization: Using the drivers, the guest operating system will directly communicate
with the hypervisor.
9. Full Virtualization: It is less streamlined compared to paravirtualization.
   Paravirtualization: It is more streamlined.
10. Full Virtualization: It provides the best isolation.
   Paravirtualization: It provides less isolation compared to full virtualization.

5. Illustrate the Taxonomy of Virtual Machines.

TAXONOMY OF VIRTUALIZATION TECHNIQUES


Virtualization covers a wide range of emulation techniques that are applied to different areas of
computing.
A classification of these techniques helps us better understand their characteristics and use.

The first classification distinguishes techniques by the service or entity that is being emulated.
 Virtualization is mainly used to emulate execution environments, storage, and
networks.
 Among these categories, execution virtualization constitutes the oldest, most popular,
and most developed area. Therefore, it deserves major investigation and a further
categorization. We can divide these execution virtualization techniques into two major
categories by considering the type of host they require.
 Process-level techniques are implemented on top of an existing operating system, which
has full control of the hardware.
 System-level techniques are implemented directly on hardware and do not require, or
require a minimum of support from, an existing operating system.
 Within these two categories we can list various techniques that offer the guest a different
type of virtual computation environment:
 bare hardware
 operating system resources
 low-level programming language application libraries.
Execution virtualization:
Execution virtualization includes all techniques that aim to emulate an execution environment
that is separate from the one hosting the virtualization layer.
All these techniques concentrate their interest on providing support for the execution of
programs, whether these are the operating system, a binary specification of a program compiled
against an abstract machine model, or an application. Therefore, execution virtualization can be
implemented directly on top of the hardware by the operating system, an application, or libraries
dynamically or statically linked to an application image
Hardware-level virtualization: Hardware-level virtualization is a virtualization technique that
provides an abstract execution environment in terms of computer hardware on top of which a
guest operating system can be run.
Hardware-level virtualization is also called system virtualization, since it provides an ISA to
virtual machines, which is the representation of the hardware interface of a system.
Hypervisors: A fundamental element of hardware virtualization is the hypervisor, or virtual
machine manager (VMM). It recreates a hardware environment in which guest operating systems
are installed. There are two major types of hypervisors: Type I and Type II.

Hardware Virtualization Techniques :


Full virtualization: Full virtualization refers to the ability to run a program, most likely an
operating system, directly on top of a virtual machine and without any modification, as though it
were run on the raw hardware. To make this possible, virtual machine managers are required to
provide a complete emulation of the entire underlying hardware.
Para-virtualization: This is a not-transparent virtualization solution that allows implementing
thin virtual machine managers. Paravirtualization techniques expose a software interface to the
virtual machine that is slightly modified from the host and, as a consequence, guests need to be
modified. The aim of paravirtualization is to provide the capability to demand the execution of
performance-critical operations directly on the host.
Partial virtualization:
Partial virtualization provides a partial emulation of the underlying hardware, thus not allowing
the complete execution of the guest operating system in complete isolation. Partial virtualization
allows many applications to run transparently, but not all the features of the operating system can
be supported, as happens with full virtualization.

Operating System-Level Virtualization :


It offers the opportunity to create different and separated execution environments for applications
that are managed concurrently. Differently from hardware virtualization, there is no virtual
machine manager or hypervisor, and the virtualization is done within a single operating
system, where the OS kernel allows for multiple isolated user space instances.

Programming language-level virtualization


Programming language-level virtualization is mostly used to achieve ease of deployment of
applications, managed execution, and portability across different platforms and operating
systems.
The main advantage of programming-level virtual machines, also called process virtual
machines, is the ability to provide a uniform execution environment across different platforms.
Programs compiled into bytecode can be executed on any operating system and platform for
which a virtual machine able to execute that code has been provided.

Application-level virtualization:
Application-level virtualization is used when there is a desire to virtualize only one
application.
Application virtualization software allows users to access and use an application from a
computer other than the one on which the application is installed.
6. Explain Virtual Machine. Narrate the steps for launching a virtual server in the AWS cloud
platform.
Virtualization is a technique that allows a single physical instance of an application or
resource to be shared among multiple organizations or tenants (customers). It does so by
assigning a logical name to a physical resource and providing a pointer to that physical resource
on demand.

Before Virtualization
• Single OS image per machine.
• Software and hardware tightly coupled.
• Running multiple applications on the same machine often creates conflicts.
• Underutilized resources.
• Inflexible and costly infrastructure.

After Virtualization
• Hardware independence of the operating system and applications.
• Virtual machines can be provisioned to any system.
• The OS and application can be managed as a single unit by encapsulating them into a virtual
machine.

Virtual Machines (Cloud Instances)

• After installing virtualization software, you can create one or more virtual machines on
your computer.
• Virtual machines (VMs) behave like regular applications on your system.
• The real physical computer is called the Host, while the virtual machines are
called Guests.
• A single host can run multiple guest virtual machines.
• Each guest can have its own operating system, which may be the same as or different from
the host OS.
• Every virtual machine functions like a standalone computer, with its own settings,
programs, and configuration.
• VMs access system resources such as CPU, RAM, and storage, but they work as if they
are using their own hardware.

Steps for launching a virtual server in the AWS cloud platform

To launch a virtual server (EC2 instance) in AWS, log in to the AWS Management Console,
navigate to the EC2 dashboard, and click "Launch Instance". You will then select an Amazon
Machine Image (AMI), choose an instance type, configure instance details, set up a key pair for
secure access, define security group rules to control network traffic, and finally review and
launch the instance.
Step 1: Log in and navigate to the EC2 dashboard
• Sign in to your AWS Management Console.
• From the main dashboard, navigate to the EC2 service. This can be done by searching for
"EC2" or finding it under the "Compute" section in the services menu.
• Click the "Launch Instance" button on the EC2 dashboard.
Step 2: Choose an Amazon Machine Image (AMI)
• Select an AMI, which is a template that contains the operating system and possibly
some software for your instance.
• For beginners, options like Amazon Linux 2, Ubuntu, or Windows are good starting
points.
Step 3: Select an instance type
• Choose an instance type that specifies the CPU, memory, storage, and networking
capacity of your server.
• For testing or learning, the [Link] instance type is often eligible for the AWS Free
Tier.
Step 4: Configure instance details
• In this section, you can configure more specific settings, such as the network, subnet, and
storage size.
• You can also add tags to your instance for better organization and management.
Step 5: Set up a key pair
• Create a new key pair or choose an existing one to securely connect to your instance.
• If you create a new one, give it a name and download the private key file (e.g., .pem for
Linux/macOS or .ppk for Windows). This file is required for connecting to your server.
Step 6: Configure the security group
• Create a new security group or select an existing one to define firewall rules.
• Configure the rules to allow incoming traffic on specific ports, such as port etc.
Step 7: Review and launch
• Review all the configurations you've made on the summary page.
• Click the "Launch" button to start the creation of your virtual server.
• You can then connect to your instance using its public IP address or DNS name and the
private key you downloaded.
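As an added example (not part of this question bank or of AWS's own tooling), the following Python check applies the firewall idea from Step 6 to a set of security-group ingress rules before they are submitted: administrative ports must not be reachable from the whole Internet. It makes no AWS call; the rule dictionaries use the IpPermissions shape that the EC2 API and boto3's authorize_security_group_ingress accept, while the admin-port policy, the prefix-length threshold and the 203.0.113.0/24 admin range are constructed for the example.

```python
"""Check EC2 security-group ingress rules for least privilege before launch.

Added example, not part of the question bank or of AWS tooling. It makes no
AWS call: the rule dictionaries use the IpPermissions shape the EC2 API (and
boto3's authorize_security_group_ingress) accept, and the policy values below
are a constructed example.
"""
import ipaddress

# Constructed policy: services that must never be reachable from the whole Internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# A source range with a prefix shorter than this is treated as "anyone".
MIN_PREFIX_LEN = 8


def rule_ports(rule):
    """Inclusive (from, to) port range of one IpPermissions entry."""
    if rule.get("IpProtocol") == "-1":      # "-1" means every protocol and port
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def source_ranges(rule):
    """Yield every IPv4 and IPv6 CIDR listed as a source in the rule."""
    for entry in rule.get("IpRanges", []):
        yield entry["CidrIp"]
    for entry in rule.get("Ipv6Ranges", []):
        yield entry["CidrIpv6"]


def check_ingress(ip_permissions):
    """Return a list of findings; an empty list means the rules pass the policy."""
    findings = []
    for rule in ip_permissions:
        low, high = rule_ports(rule)
        for cidr in source_ranges(rule):
            try:
                wide_open = ipaddress.ip_network(cidr, strict=False).prefixlen < MIN_PREFIX_LEN
            except ValueError:
                findings.append(f"invalid CIDR {cidr!r}")
                continue
            if not wide_open:
                continue                      # a narrow admin range is acceptable
            if rule.get("IpProtocol") == "-1":
                findings.append(f"all traffic open to {cidr}")
                continue
            for port, name in ADMIN_PORTS.items():
                if low <= port <= high:
                    findings.append(f"{name} (port {port}) open to {cidr}")
    return findings


# Constructed rule sets: the weak one mirrors the common "SSH from anywhere" mistake.
WEAK_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
HARDENED_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},   # constructed admin range (TEST-NET-3)
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},         # a public web port is acceptable here
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, check_ingress(rules) or "OK")
```

Run the file to print the findings for both rule sets. In a launch script the rule list is what would be passed as IpPermissions, and a non-empty finding list is the signal to stop before the instance is created rather than to fix the group afterwards.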

7. Explain in detail about Hypervisor and Xen architecture.

Hypervisor and Xen Architecture

The hypervisor supports hardware-level virtualization (see Figure (b)) on bare-metal devices like
CPU, memory, disk and network interfaces. The hypervisor software sits directly between the
physical hardware and its OS. This virtualization layer is referred to as either the VMM or the
hypervisor.
The hypervisor provides hypercalls for the guest OSes and applications. Depending on the
functionality, a hypervisor can assume a microkernel architecture like Microsoft Hyper-V, or
it can assume a monolithic hypervisor architecture like VMware ESX for server virtualization.
A micro-kernel hypervisor includes only the basic and unchanging functions (such as physical
memory management and processor scheduling). The device drivers and other changeable
components are outside the hypervisor.
A monolithic hypervisor implements all the aforementioned functions, including those of the
device drivers. Therefore, the size of the hypervisor code of a micro-kernel hypervisor is smaller
than that of a monolithic hypervisor. Essentially, a hypervisor must be able to convert physical
devices into virtual resources dedicated for the deployed VM to use.
The Xen Architecture

Xen is an open source hypervisor program developed by Cambridge University. Xen is a
micro-kernel hypervisor, which separates the policy from the mechanism. The Xen hypervisor
implements all the mechanisms, leaving the policy to be handled by Domain 0, as shown in the
figure above. Xen does not include any device drivers natively. It just provides a mechanism by
which guest OSes can have direct access to the physical devices.

As a result, the size of the Xen hypervisor is kept rather small. Xen provides a virtual
environment located between the hardware and the OS. A number of vendors are in the process
of developing commercial Xen hypervisors, among them Citrix XenServer and Oracle VM.
The core components of a Xen system are the hypervisor, kernel, and applications. The
organization of the three components is important. Like other virtualization systems, many guest
OSes can run on top of the hypervisor. However, not all guest OSes are created equal, and one in
particular controls the others.
The guest OS which has this control ability is called Domain 0, and the others are called Domain
U. Domain 0 is a privileged guest OS of Xen. It is first loaded when Xen boots, without any file
system drivers being available. Domain 0 is designed to access hardware directly and manage
devices. Therefore, one of the responsibilities of Domain 0 is to allocate and map hardware
resources for the guest domains (the Domain U domains).

Binary Translation with Full Virtualization

Depending on implementation technologies, hardware virtualization can be classified into two
categories: full virtualization and host-based virtualization.
Full virtualization does not need to modify the host OS. It relies on binary translation to trap
and to virtualize the execution of certain sensitive, nonvirtualizable instructions. The guest OSes
and their applications consist of noncritical and critical instructions.
In a host-based system, both a host OS and a guest OS are used. A virtualization software layer
is built between the host OS and the guest OS.

Full Virtualization
With full virtualization, noncritical instructions run on the hardware directly while critical
instructions are discovered and replaced with traps into the VMM to be emulated by software.
Both the hypervisor and VMM approaches are considered full virtualization.
Why are only critical instructions trapped into the VMM? This is because binary translation can
incur a large performance overhead.
Noncritical instructions do not control hardware or threaten the security of the system, but
critical instructions do. Therefore, running noncritical instructions on hardware not only can
promote efficiency, but also can ensure system security.
Binary Translation of Guest OS Requests Using a VMM
This approach was implemented by VMware and many other software companies. As shown in
the figure below, VMware puts the VMM at Ring 0 and the guest OS at Ring 1. The VMM scans
the instruction stream and identifies the privileged, control-sensitive and behavior-sensitive
instructions. When these instructions are identified, they are trapped into the VMM, which
emulates the behavior of these instructions. The method used in this emulation is called binary
translation. Therefore, full virtualization combines binary translation and direct execution. The
guest OS is unaware that it is being virtualized.

Full virtualization thus means indirect execution of complex instructions via binary translation
of guest OS requests using the VMM, plus direct execution of simple instructions on the same
host. The performance of full virtualization may not be ideal, because it involves binary
translation, which is rather time-consuming. In particular, the full virtualization of I/O-intensive
applications is a big challenge. Binary translation employs a code cache to store translated hot
instructions to improve performance, but this increases the cost of memory usage.

Host-Based Virtualization
An alternative VM architecture is to install a virtualization layer on top of the host OS. This host
OS is still responsible for managing the hardware. The guest OSes are installed and run on top of
the virtualization layer. Dedicated applications may run on the VMs.
Certainly, some other applications can also run with the host OS directly. This host-based
architecture has some distinct advantages, as follows.

First, the user can install this VM architecture without modifying the host OS. The virtualizing
software can rely on the host OS to provide device drivers and other low-level services. This will
simplify the VM design and ease its deployment. Second, the host-based approach appeals to
many host machine configurations. Compared to the hypervisor/VMM architecture, the
performance of the host-based architecture may also be low. When an application requests
hardware access, it involves four layers of mapping, which downgrades performance
significantly. When the ISA of a guest OS is different from the ISA of the underlying hardware,
binary translation must be adopted. Although the host-based architecture has flexibility, the
performance is too low to be useful in practice.

Para-Virtualization with Compiler Support

Para-virtualization needs to modify the guest operating systems. A para-virtualized VM provides
special APIs requiring substantial OS modifications in user applications. Performance
degradation is a critical issue of a virtualized system. No one wants to use a VM if it is much
slower than using a physical machine. The virtualization layer can be inserted at different
positions in a machine's software stack. However, para-virtualization attempts to reduce the
virtualization overhead, and thus improve performance, by modifying only the guest OS kernel.
The guest operating systems are paravirtualized. The traditional x86 processor offers four
instruction execution rings: Rings 0, 1, 2, and 3. The lower the ring number, the higher the
privilege of the instruction being executed. The OS is responsible for managing the hardware, and
the privileged instructions execute at Ring 0, while user-level applications run at Ring 3.
Para-virtualized VM architecture
The use of a para-virtualized guest OS assisted by an intelligent compiler to replace
nonvirtualizable OS instructions by hypercalls
Para-Virtualization Architecture:
When the x86 processor is virtualized, a virtualization layer is inserted between the hardware and
the OS. According to the x86 ring definitions, the virtualization layer should also be installed at
Ring 0. Para-virtualization replaces nonvirtualizable instructions with hypercalls that
communicate directly with the hypervisor or VMM. However, when the guest OS kernel is
modified for virtualization, it can no longer run on the hardware directly.
Although para-virtualization reduces the overhead, it incurs other problems. First, its
compatibility and portability may be in doubt, because it must support the unmodified OS as
well. Second, the cost of maintaining para-virtualized OSes is high, because they may require
deep OS kernel modifications. Finally, the performance advantage of para-virtualization varies
greatly due to workload variations.

PART- C
1. Outline various problems in virtualizing in CPU, I/O and memory devices and suggest
how it could be overridden for efficient utilization of cloud services.

Virtualization faces problems like performance bottlenecks from CPU contention and I/O wait
times, memory fragmentation, and security vulnerabilities, particularly in the hypervisor and I/O
handling. These issues arise because virtual machines (VMs) must compete for shared physical
resources, and managing guest OS access to hardware requires a layer of abstraction that can
introduce complexity and risks.

CPU Virtualization
• Contention and CPU steal time: VMs compete for limited CPU cores, leading to delays
and poor performance when one VM's high usage causes another to wait for a scheduling
slot.
• Resource limits: Setting hard limits on a VM's CPU can prevent it from using the
physical CPU's resources even when they are available, causing it to wait and suffer performance
issues.
• Performance analysis complexity: It can be difficult to pinpoint the root cause of a
performance problem, as it may stem from one VM's application while the symptoms appear
in another VM that is waiting for the resources taken by the first.
I/O Virtualization
• Storage latency: Virtualizing storage can introduce latency due to the overhead of the
hypervisor managing I/O requests, especially if the storage solution isn't optimized.
• Limited access: Virtual machines may have limited access to hardware I/O devices,
which can be a problem for applications that require direct hardware interaction.
• Security risks: Vulnerabilities in I/O handling, such as through specialized virtual devices
or privileged instructions, can potentially allow attackers to gain unauthorized access or
compromise multiple VMs.
Memory Virtualization
• Memory fragmentation: Sharing physical memory between multiple VMs can lead to
fragmentation, where the available memory is broken into small, unusable chunks.
• Dual control overhead: Both the guest OS and the hypervisor manage memory,
creating a dual control problem that adds complexity and overhead.
• Management complexity: Efficiently managing memory allocation and optimization
becomes difficult due to varying guest OS memory policies and unpredictable application
demands.
• Lack of direct access: The hypervisor must manage memory access on behalf of the VM,
so VMs cannot directly use the native memory management hardware like page tables,
requiring the hypervisor to duplicate some functionality.

Problems in virtualizing CPU, I/O, and memory devices can be overcome through techniques
like dynamic resource allocation, over-provisioning, and specialized hardware, which allow for
efficient utilization of cloud services by abstracting physical hardware and pooling
resources. Overcoming these issues involves the hypervisor managing resource contention, using
techniques like memory over-commitment, CPU scheduling, and fast I/O access to provide a
seamless experience for multiple virtual machines (VMs).

CPU virtualization
• Problem: CPU contention, where multiple VMs compete for processing time, leading to
performance degradation.
• Solution:
  • Hypervisor-based scheduling: The hypervisor manages the allocation of CPU
time to each VM, ensuring fair access and prioritizing critical tasks.
  • CPU over-provisioning: Allowing the total virtual CPUs assigned to VMs to
exceed the physical CPU cores to efficiently utilize idle cycles.
  • CPU pinning: Dedicating specific physical CPU cores to a VM to guarantee
performance for high-demand applications.
I/O virtualization
• Problem: I/O operations can become bottlenecks due to the overhead of the hypervisor
managing access to physical devices.
• Solution:
  • Direct path I/O: Allowing a VM to have direct access to an I/O device,
bypassing the hypervisor and reducing overhead.
  • I/O pooling and virtualization: Aggregating I/O devices into a pool, allowing
them to be shared and managed more efficiently among multiple VMs.
  • Specialized hardware: Using devices like Solid State Drives (SSDs) with
hardware-assisted virtualization to speed up I/O operations.
Memory virtualization
• Problem: Managing memory resources across multiple VMs can lead to contention and
performance issues.
• Solution:
  • Memory over-commitment: Allowing the total virtual memory allocated to VMs
to exceed the physical RAM, relying on the hypervisor to manage and swap
memory as needed.
  • Memory deduplication: Identifying and eliminating duplicate blocks of memory
to save space and improve performance.
  • Memory ballooning: A technique where a VM with excess memory can
"balloon" and return unused memory to the hypervisor for allocation to other
VMs.
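The memory points above (the hypervisor keeping its own page mapping on top of the guest's, memory deduplication, and over-commitment running out of physical backing) can be seen together in a small simulation. This is an added example, not material from the question bank or from any real hypervisor: pages are 4 KiB, the host frame count and the VM page contents are constructed, and the deduplication pass is a one-shot merge of identical frames rather than a background scanner.

```python
"""Two-stage address translation, page deduplication and over-commit in a
toy hypervisor.

Added example, not from the question bank. Pages are 4 KiB. A guest virtual
address is translated by the guest's own page table to a guest-physical frame
(stage 1); the hypervisor's table then maps that frame to a host frame (stage
2), which is the duplicated page-table work the text describes. Identical
host frames are merged and marked shared, as memory deduplication does, and a
guest write to a shared frame copies it first. Frame counts are constructed.
"""
PAGE = 4096


class Hypervisor:
    def __init__(self, host_frames):
        self.free = list(range(host_frames))   # physical frames not yet in use
        self.host = {}                         # host frame -> page content
        self.stage2 = {}                       # (vm, guest frame) -> host frame
        self.shared = set()                    # host frames merged by deduplicate()
        self.guest_pt = {}                     # vm -> {guest page: guest frame}

    def _alloc(self):
        if not self.free:
            raise MemoryError("host RAM exhausted")   # over-commit with no backing left
        return self.free.pop(0)

    def map_guest_page(self, vm, gpage, gframe, content):
        """Guest OS maps a virtual page to a guest frame; the hypervisor backs it with host RAM."""
        self.guest_pt.setdefault(vm, {})[gpage] = gframe
        if (vm, gframe) not in self.stage2:
            hframe = self._alloc()
            self.host[hframe] = content
            self.stage2[(vm, gframe)] = hframe

    def translate(self, vm, gva):
        """Two-stage walk: guest virtual -> guest physical -> host physical."""
        gpage, offset = divmod(gva, PAGE)
        gframe = self.guest_pt[vm][gpage]          # stage 1: guest page table
        hframe = self.stage2[(vm, gframe)]         # stage 2: hypervisor table
        return hframe * PAGE + offset

    def read(self, vm, gva):
        return self.host[self.translate(vm, gva) // PAGE]

    def write(self, vm, gva, content):
        """Guest write; a deduplicated frame is copied first (copy-on-write)."""
        gframe = self.guest_pt[vm][gva // PAGE]
        hframe = self.stage2[(vm, gframe)]
        if hframe in self.shared:
            hframe = self._alloc()
            self.stage2[(vm, gframe)] = hframe
        self.host[hframe] = content

    def deduplicate(self):
        """Merge host frames with identical content; returns the number of frames freed."""
        owner = {}                                  # content -> host frame that keeps it
        freed = 0
        for key, hframe in list(self.stage2.items()):
            keeper = owner.setdefault(self.host[hframe], hframe)
            if keeper != hframe:
                self.stage2[key] = keeper           # point this guest at the shared copy
                self.shared.add(keeper)
                if hframe in self.host:             # release the duplicate once
                    del self.host[hframe]
                    self.free.append(hframe)
                    freed += 1
        return freed

    def used_frames(self):
        return len(self.host)


def demo():
    """Constructed scenario: two VMs sharing a kernel page on a 5-frame host."""
    hv = Hypervisor(host_frames=5)
    for vm, data in (("a", "data-a"), ("b", "data-b")):
        hv.map_guest_page(vm, gpage=0, gframe=0, content="kernel-text")   # identical in both
        hv.map_guest_page(vm, gpage=1, gframe=1, content=data)
    out = {"used_before": hv.used_frames()}
    out["freed"] = hv.deduplicate()
    out["used_after"] = hv.used_frames()
    out["same_host_page"] = hv.translate("a", 8) == hv.translate("b", 8)
    hv.write("b", 8, "patched")                       # breaks the sharing for VM b only
    out["a_sees"], out["b_sees"] = hv.read("a", 8), hv.read("b", 8)
    hv.map_guest_page("c", 0, 0, "kernel-text")       # fits in the frame dedup freed
    try:
        hv.map_guest_page("c", 1, 1, "data-c")        # nothing left to back this page
        out["overcommit_failed"] = False
    except MemoryError:
        out["overcommit_failed"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The copy-on-write step in write() is what keeps deduplication safe for isolation: VM b's change to the merged kernel page is never visible to VM a. The final MemoryError is the over-commit failure mode the text describes; a real hypervisor would swap or reclaim through ballooning at that point instead of failing.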
UNIT-III
PART- A
1. Differentiate between full virtualization and para-virtualization.
Feature                 Full Virtualization                              Para-Virtualization
Definition              The guest OS runs unmodified, and the            The guest OS is modified to work with the
                        hypervisor fully emulates the hardware.          hypervisor for better efficiency.
Guest OS Modification   Not required                                     Required
Performance             Slightly lower due to full emulation             Higher due to reduced overhead
Hardware Requirement    Hardware-assisted virtualization often needed    Less dependent on hardware support
Example                 VMware ESXi, VirtualBox                          Xen (with modified guest OS)

[Link] is Docker and why is it used in virtualization?

Docker is a platform that uses containerization to run applications in isolated environments.
Unlike VMs, containers share the host OS kernel but have their own user-space environment.
Uses in virtualization:
• Lightweight and fast deployment of applications.
• Ensures consistency across development, testing, and production.
• Efficient resource utilization compared to full VMs.

[Link] a virtual cluster.


A virtual cluster is a set of virtual machines or virtualized computing resources that work
together as a single logical unit. It behaves like a physical cluster but is flexible, scalable, and
can be managed more efficiently in a virtualized/cloud environment.

[Link] is OS virtualization implemented?

OS virtualization (also called container-based virtualization) is implemented by:
• Sharing the host OS kernel among multiple isolated containers.
• Each container runs its own applications and libraries without a separate OS.
• Technologies used: Docker, LXC (Linux Containers), OpenVZ.

[Link] between containers and virtual machines and write one use case to each.
Feature           Container                    Virtual Machine
OS                Shares host OS kernel        Each VM has its own OS
Resource Usage    Lightweight, faster startup  Heavy, more resource-intensive
Isolation         Process-level isolation      Full hardware-level isolation
Deployment Time   Seconds                      Minutes

[Link] are the benefits of Network Virtualization?

Benefits of Network Virtualization
• Improved network flexibility and scalability.
• Simplified network management and automation.
• Isolation between virtual networks for security.
• Efficient use of physical network resources.
• Enables rapid deployment of network services in cloud environments.

[Link] is storage virtualization in cloud computing?

Storage virtualization is the abstraction of physical storage devices into a single logical storage
pool. Benefits include:
• Simplified storage management.
• Efficient resource allocation and load balancing.
• Improved scalability and fault tolerance.
• Enables features like snapshots, replication, and backup in the cloud.

[Link] are the three key components of virtual desktop infrastructure?


Three Key Components of Virtual Desktop Infrastructure (VDI)
1. Connection Broker – Manages user connections to virtual desktops.
2. Virtual Desktop Host – Hosts the virtual desktops on a server or hypervisor.
3. Client Device – Endpoint device (PC, tablet, thin client) used to access the virtual
desktop.

[Link] is cloud analytics?


Cloud analytics is the use of cloud computing resources to perform large-scale data analysis. It
involves storing, processing, and analyzing data in the cloud to extract insights, trends, and
business intelligence. Benefits include scalability, accessibility, and reduced infrastructure cost.

[Link] is file level storage virtualization?


File-level storage virtualization abstracts multiple physical file storage devices into a single
logical file system. Users and applications access it as a unified storage pool, while the system
manages the underlying physical storage distribution.

PART- B
1. Describe the differences between network virtualization, storage virtualization and explain
their advantages in cloud environments.

Network Virtualization in Cloud Computing


Network Virtualization is a process of logically grouping physical networks and making them operate
as single or multiple independent networks called Virtual Networks.

General Architecture Of Network Virtualization

Tools for Network Virtualization:

• Physical switch OS – the switch OS must have the functionality of network
virtualization.
• Hypervisor – it uses third-party software or built-in networking and the
functionalities of network virtualization.
The basic functionality of the OS is to give the application or the executing process a simple set
of instructions. System calls that are generated by the OS and executed through the libc library are
comparable to the service primitives given at the interface between the application and the network
through the SAP (Service Access Point). The hypervisor is used to create a virtual switch and to
configure virtual networks on it.
Functions of Network Virtualization:
• It enables the functional grouping of nodes in a virtual network.
• It enables the virtual network to share network resources.
• It allows communication between nodes in a virtual network without routing of frames.
• It restricts management traffic.
• It enforces routing for communication between virtual networks.
Network Virtualization in a Virtual Data Center:
1. Physical Network
• Physical components: Network adapters, switches, bridges, repeaters, routers and hubs.
• Grants connectivity among physical servers running a hypervisor, between physical
servers and storage systems, and between physical servers and clients.
2. VM Network
• Consists of virtual switches.
• Provides connectivity to the hypervisor kernel.
• Connects to the physical network.
• Resides inside the physical server.

Network Virtualization In VDC
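The functions listed above (grouping nodes into a virtual network, switching frames inside it without routing, and requiring routing between virtual networks) are what a virtual switch in the VM network enforces. The following is an added example, not from the question bank or from any vendor's virtual switch: a learning switch in which every port carries a virtual-network identifier (the role a VLAN tag plays), so MAC learning and flooding are scoped to one virtual network. Port names, MAC addresses and the topology are constructed.

```python
"""A learning virtual switch with per-virtual-network isolation.

Added example, not from the question bank or any vendor's virtual switch.
Every port belongs to one virtual network (an identifier like a VLAN tag);
MAC learning and flooding happen per virtual network, so a frame from one
virtual network never reaches a port of another without a router in between.
Port names and MAC addresses below are constructed.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class VirtualSwitch:
    def __init__(self):
        self.ports = {}                        # port -> {"vnet": id, "rx": [frames]}
        self.mac_table = defaultdict(dict)     # vnet -> {mac: port}

    def add_port(self, port, vnet):
        self.ports[port] = {"vnet": vnet, "rx": []}

    def send(self, in_port, src_mac, dst_mac, payload):
        """Forward one frame arriving on in_port; return the ports it was delivered to."""
        vnet = self.ports[in_port]["vnet"]
        table = self.mac_table[vnet]
        table[src_mac] = in_port               # learn the source only inside its own vnet
        if dst_mac != BROADCAST and dst_mac in table:
            out = [] if table[dst_mac] == in_port else [table[dst_mac]]
        else:                                  # unknown or broadcast: flood this vnet only
            out = [p for p, info in self.ports.items()
                   if info["vnet"] == vnet and p != in_port]
        for p in out:
            self.ports[p]["rx"].append((src_mac, dst_mac, payload))
        return out

    def received(self, port):
        return list(self.ports[port]["rx"])


def demo():
    """Constructed topology: vm1 and vm2 share virtual network 10, vm3 sits in network 20."""
    mac = {"vm1": "02:00:00:00:00:01", "vm2": "02:00:00:00:00:02", "vm3": "02:00:00:00:00:03"}
    sw = VirtualSwitch()
    sw.add_port("vm1", vnet=10)
    sw.add_port("vm2", vnet=10)
    sw.add_port("vm3", vnet=20)
    return {
        "flooded": sw.send("vm1", mac["vm1"], mac["vm2"], "hello"),   # unknown dst: vnet 10 only
        "unicast": sw.send("vm2", mac["vm2"], mac["vm1"], "hi"),      # vm1 learned: one port
        "cross": sw.send("vm1", mac["vm1"], mac["vm3"], "probe"),     # stays inside vnet 10
        "broadcast": sw.send("vm3", mac["vm3"], BROADCAST, "who?"),   # vnet 20 has no peer
        "vm3_frames": len(sw.received("vm3")),
    }


if __name__ == "__main__":
    print(demo())
```

The isolation property to check is the last field: vm3 receives nothing even when vm1 addresses it directly, because the unknown-destination flood and the MAC table are both per virtual network. Traffic between the two virtual networks would have to pass a router port that is a member of both, which is the routing requirement in the function list above.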

Advantages of Network Virtualization:

• Improves manageability
• Reduces CAPEX
• Improves utilization
• Enhances performance and security
Disadvantages of Network Virtualization:
• It needs to manage IT in the abstract.
• It needs to coexist with physical devices in a cloud-integrated hybrid environment.
• Increased complexity.
• Upfront cost.
• Possible learning curve.
Storage virtualization
Storage virtualization in cloud computing is the pooling of physical storage from multiple
storage devices so that it appears as a single storage device. It can also be described as a group of
available storage devices that is managed from a central console.
This virtualization provides numerous benefits such as easy backup, archiving, and recovery of
data. The whole process requires very little time and works in an efficient manner. Storage
virtualization in cloud computing hides the actual complexity of the Storage Area Network
(SAN). This virtualization is applicable to all levels of a SAN.

The following are the reasons why storage virtualization is implemented in cloud computing:
• When this virtualization is implemented in an IT environment, it improves the management of
the storage. As everything is properly stored and managed, there will be no
congestion and tasks will be performed quickly.
• There will be very little downtime, as storage availability is better. All these problems
are eliminated with the help of an automated management system.
• Storage virtualization provides better storage utilization, as storing most information
in one particular place can cause loss of data, congestion, and other problems. So,
properly dividing the storage and distributing the data is useful.

Types of Storage Virtualization

• Hardware-Assisted Virtualization
• Kernel-Level Virtualization
• Hypervisor Virtualization
• Para-Virtualization
• Full Virtualization
i. Hardware-Assisted Virtualization
This type of virtualization requires hardware support. It is similar to full para-virtualization. Here,
the unmodified OS can run because the hardware support for virtualization is used to handle
hardware access requests and protected operations.
ii. Kernel-Level Virtualization
It runs a separate version of the Linux kernel. Kernel-level virtualization allows running multiple
servers on a single host. It uses a device driver to communicate between the main Linux kernel and
the virtual machine. This virtualization is a special form of server virtualization.
iii. Hypervisor Virtualization
A hypervisor is a layer between the operating system and the hardware. With the help of a
hypervisor, multiple operating systems can work. Moreover, it provides the features and necessary
services that help the OS to work properly.
iv. Para-Virtualization
It is based on a hypervisor which handles emulation and trapping of software. Here, the guest
operating system is modified before installing it on any further machine. The modified system
communicates directly with the hypervisor, which improves performance.
v. Full Virtualization
This virtualization is similar to para-virtualization. In this, the hypervisor traps the machine
operations used by the operating system to perform its work. After trapping the
operations, it emulates them in software, including the status codes returned.
Methods of Storage Virtualization
i. File-based Storage Virtualization
This type of virtualization is used for a specific purpose and applies to network-attached storage
(NAS) systems.
File-based storage virtualization in cloud computing uses the Server Message Block (SMB) or
Network File System (NFS) protocols and, with their help, breaks the dependency that exists in a
normal network-attached storage array between the data being accessed and the location of the
physical storage. It also provides the benefit of handling file migration in the background, which
improves performance.
ii. Block-based Virtual Storage
Block-based virtual storage is more widely used than file-based virtual storage, as the file-based
system is sometimes used only for a specific purpose. The block-based virtual storage system uses
logical storage, such as a drive partition, in place of the physical storage in a storage device.
It also abstracts the logical storage, such as a hard disk drive or any solid-state memory device. This
allows the virtualization management software to learn the capacity of the available
devices and split them into shared resources that can be assigned.
Address Space Remapping
Storage virtualization in cloud computing achieves location independence by abstracting the
physical location of the data. The system provides the space in which the customer stores their
data and handles the process of mapping.
It is possible for the output of one virtualization layer to cascade as the input of a higher-level
virtualization. This means that there can be multiple layers of virtualization
mapping.
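Address-space remapping and its cascading are easiest to see in code. The following is an added example, not from the question bank or any storage product: a block-level virtual volume keeps a table from logical block addresses (LBAs) to (backend, physical block) pairs, allocates backing blocks only on first write (thin provisioning), and can migrate a block to another backend without changing the LBA the host uses. Because a volume exposes the same read/write/allocate interface as a disk, one volume can sit on top of another, which is the multiple-layer mapping described above. Disk names and sizes are constructed.

```python
"""Block-level storage virtualization: address-space remapping with thin
provisioning, online migration and cascaded layers.

Added example, not from the question bank. A VirtualVolume presents a flat
logical block address (LBA) space; its mapping table sends each LBA to a
(backend, block) pair. Disks and volumes share one small interface, so a
volume can itself be the backend of another volume. Names and sizes below
are constructed.
"""


class Disk:
    """A physical disk: a fixed number of blocks addressed by physical block number."""

    def __init__(self, name, blocks):
        self.name = name
        self.data = [None] * blocks
        self.free = list(range(blocks))

    def allocate(self):
        if not self.free:
            raise OSError(f"{self.name}: no free blocks")
        return self.free.pop(0)

    def release(self, pba):
        self.data[pba] = None
        self.free.append(pba)

    def read(self, pba):
        return self.data[pba]

    def write(self, pba, payload):
        self.data[pba] = payload


class VirtualVolume:
    """Logical volume over several backends; blocks are allocated only on first write."""

    def __init__(self, name, size, backends):
        self.name = name
        self.backends = backends
        self.table = {}                      # lba -> (backend, block on that backend)
        self.free = list(range(size))        # LBAs handed out when used as a backend
        self.next_backend = 0

    def allocate(self):
        if not self.free:
            raise OSError(f"{self.name}: logical space exhausted")
        return self.free.pop(0)

    def release(self, lba):
        if lba in self.table:
            backend, pba = self.table.pop(lba)
            backend.release(pba)
        self.free.append(lba)

    def read(self, lba):
        if lba not in self.table:
            return None                      # thin: never written, nothing allocated
        backend, pba = self.table[lba]
        return backend.read(pba)

    def write(self, lba, payload):
        if lba not in self.table:            # first write: pick a backend round-robin
            backend = self.backends[self.next_backend % len(self.backends)]
            self.next_backend += 1
            self.table[lba] = (backend, backend.allocate())
        backend, pba = self.table[lba]
        backend.write(pba, payload)

    def migrate(self, lba, target):
        """Move one block to another backend; the LBA the host uses does not change."""
        backend, pba = self.table[lba]
        new_pba = target.allocate()
        target.write(new_pba, backend.read(pba))
        self.table[lba] = (target, new_pba)
        backend.release(pba)

    def allocated_blocks(self):
        return len(self.table)


def demo():
    """Constructed two-layer setup: a host volume on an array LUN on two disks."""
    ssd = Disk("ssd0", 4)
    hdd = Disk("hdd0", 8)
    lun = VirtualVolume("lun0", size=12, backends=[ssd, hdd])   # array-level layer
    vol = VirtualVolume("vol0", size=100, backends=[lun])       # host-level layer, thin
    vol.write(0, "boot")      # vol LBA 0 -> lun LBA 0 -> ssd0 block 0
    vol.write(42, "log")      # vol LBA 42 -> lun LBA 1 -> hdd0 block 0
    out = {
        "thin_read": vol.read(7),                 # unwritten LBA costs nothing
        "allocated": vol.allocated_blocks(),
        "log_before": lun.table[1][0].name,
    }
    lun.migrate(1, ssd)                           # tier the log block up to the SSD
    out["log_after"] = lun.table[1][0].name
    out["log_data"] = vol.read(42)                # same LBA, data follows the mapping
    out["hdd_free"] = len(hdd.free)
    return out


if __name__ == "__main__":
    print(demo())
```

The host-level volume advertises 100 blocks over 12 blocks of real capacity, which is the over-subscription thin provisioning allows; writes beyond the backing raise OSError from the disk layer, so a production implementation needs capacity alerts before that point. The migrate() call shows the location independence: the array moves the block between tiers and the host keeps reading LBA 42.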

Storage virtualization can be applied in the following ways:
• Host-Based
• Network-Based
• Array-Based
i. Host-Based Storage Virtualization
Here, all the virtualization and management is done at the host level with the help of software, and
the physical storage can be any device or array. The host may consist of multiple hosts which present
a set of virtual drives to the guest machines, regardless of whether they are VMs in an enterprise or
PCs.
ii. Network-Based Storage Virtualization
Network-based storage virtualization is the most common form in use today. Devices
such as a smart switch or a purpose-built server connect to all the storage devices in a Fibre Channel
storage network and present the storage as a virtual pool.
iii. Array-Based Storage Virtualization
Here the storage array provides different types of physical storage which are used as storage tiers.
Software is available which manages the storage tiers made up of solid-state drives and hard
drives.

Storage virtualization is now common among users because of its benefits. With
the help of storage virtualization in cloud computing, all the drives can be combined into a single centrally
managed [Link], it allows modifications and changes to be made without downtime. This
provides flexibility to the customer by making data migration flexible.

2. Explain the components of Docker, such as Docker images and repositories, demonstrate
their role in containerized application deployment.

Docker is a set of platform as a service (PaaS) products that use operating system-level virtualization
to deliver software in packages called containers. Containers are isolated from one another and bundle
their own software, libraries, and configuration files; they can communicate with each other through well-
defined channels. All containers are run by a single operating system kernel and therefore use fewer
resources than a virtual machine. Docker containers contain binaries, libraries, and configuration files
along with the application code. They don't contain a guest OS for each container and rely on the
underlying OS kernel, which makes the containers lightweight. Containers share resources with other
containers in the same host OS and provide OS-level process isolation.
1. Docker Image
• It is a file, comprised of multiple layers, used to execute code in a Docker container.
• Images are a set of instructions used to create Docker containers.
2. Docker Container
• It is a runtime instance of an image.
• Allows developers to package applications with all parts needed, such as libraries and other
dependencies.
3. Dockerfile
• It is a text document that contains the necessary commands which, on execution, assemble
a Docker image.
• A Docker image is created using a Dockerfile.
4. Docker Engine
• The software that hosts the containers is named Docker Engine.
• Docker Engine is a client-server based application.
• The Docker Engine has 3 main components:
  • Server: It is responsible for creating and managing Docker images, containers,
networks, and volumes on the Docker host. It is referred to as the daemon process.
  • REST API: It specifies how applications can interact with the Server and
instructs it what to do.
  • Client: The Client is the Docker command-line interface (CLI), which allows us to
interact with Docker using docker commands.
5. Docker Hub
• Docker Hub is the official online repository where you can find other Docker images that
are available for use.
• It makes it easy to find, manage, and share container images with others.
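Since the Dockerfile is the component that determines what ends up in the image, it is also where deployment hygiene is decided: which base image is pulled, what is fetched at build time, and which user the application runs as. The following is an added example, not from the question bank or from Docker's own tooling: a small parser for Dockerfile instructions plus a policy check over the result. Both sample Dockerfiles are constructed, and the three rules (pinned base image, no ADD from a URL, a non-root USER) are a starting policy rather than a complete linter.

```python
"""Parse a Dockerfile and flag common hardening gaps before building the image.

Added example, not from the question bank or from Docker's own tooling. The
Dockerfiles below are constructed; the checks are a small policy (pinned base
image, no network fetch via ADD, non-root USER), not a complete linter.
"""


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs, joining backslash continuations and skipping comments."""
    instructions, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                 # continuation: keep collecting
            pending += line[:-1] + " "
            continue
        pending += line
        name, _, arg = pending.partition(" ")
        instructions.append((name.upper(), arg.strip()))
        pending = ""
    return instructions


def audit(text):
    """Return a list of findings; an empty list means the Dockerfile passes this policy."""
    findings = []
    instructions = parse_dockerfile(text)
    for name, arg in instructions:
        if name == "FROM":
            image = arg.split()[0]                          # drop any "AS stage" suffix
            pinned = ":" in image or "@" in image
            if image != "scratch" and (not pinned or image.endswith(":latest")):
                findings.append(f"FROM {image}: base image is not pinned to a version or digest")
        elif name == "ADD" and arg.lower().startswith(("http://", "https://")):
            findings.append(f"ADD {arg.split()[0]}: fetches from the network at build time; "
                            "COPY a verified file instead")
    users = [arg.split(":")[0] for name, arg in instructions if name == "USER"]
    if not users or users[-1] in ("root", "0"):
        findings.append("no non-root USER: the application will run as root inside the container")
    return findings


# Constructed sample Dockerfiles.
WEAK_DOCKERFILE = """
FROM python:latest
ADD https://example.invalid/app.tar.gz /opt/
RUN pip install flask && \\
    rm -rf /root/.cache
COPY . /app
CMD ["python", "/app/main.py"]
"""

HARDENED_DOCKERFILE = """
FROM python:3.12-slim
RUN adduser --system --group app
COPY --chown=app:app . /app
USER app
CMD ["python", "/app/main.py"]
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, audit(text) or "OK")
```

Running the file reports three findings for the weak Dockerfile and none for the hardened one. A check like this fits naturally before `docker build` in a CI pipeline, since a container that runs as root with an unpinned base image undercuts the process-level isolation the Part A answers rely on.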
3. Outline Desktop Virtualization. Differentiate between block level storage virtualization
and file level storage virtualization.

Desktop Virtualization:
Desktop virtualization creates a software-based (or virtual) version of an end user’s desktop
environment and operating system (OS) that is decoupled from the end user’s computing device or
client. This enables the user to access his or her desktop from any computing device.

Desktop virtualization deployment models

Virtual desktop infrastructure (VDI)


In VDI deployment model, the operating system runs on a virtual machine (VM) hosted on a server in
a data center. The desktop image travels over the network to the end user’s device, where the end user
can interact with the desktop (and the underlying applications and operating system) as if they were
local. VDI gives each user his or her own dedicated VM running its own operating system. The
operating system resources—drivers, CPUs, memory, etc.—operate from a software layer called a
hypervisor that mimics their output, manages the resource allocation to multiple VMs, and allows
them to run side by side on the same server.
A key benefit of VDI is that it can deliver the Windows 10 desktop and operating system to the end
user’s devices. However, because VDI supports only one user per Windows 10 instance, it requires a
separate VM for each Windows 10 user.

Remote desktop services (RDS)


In RDS—also known as Remote Desktop Session Host (RDSH)—users remotely access desktops and
Windows applications through the Microsoft Windows Server operating system. Applications and
desktop images are served via Microsoft Remote Desktop Protocol (RDP). Formerly known as
Microsoft Terminal Server, this product has remained largely unchanged since its initial release.

From the end user’s perspective, RDS and VDI are identical. But because one instance of Windows
Server can support as many simultaneous users as the server hardware can handle, RDS can be a more
cost-effective desktop virtualization option. It’s also worth noting applications tested or certified to run
on Windows 10 may not be tested or certified to run on the Windows Server OS.

Desktop-as-a-Service (DaaS)
In DaaS, VMs are hosted on a cloud-based backend by a third-party provider. DaaS is readily scalable,
can be more flexible than on-premise solutions, and generally deploys faster than many other desktop
virtualization options. Like other types of cloud desktop virtualization, DaaS shares many of the
general benefits of cloud computing, including support for fluctuating workloads and changing storage
demands, usage-based pricing, and the ability to make applications and data accessible from almost
any internet-connected device. The chief drawback to DaaS is that features and configurations are not
always as customizable as required.
Choosing a model

VDI is a popular choice because it offers a virtualized version of a familiar computing model—
physical desktop computing. But implementing VDI requires you to manage all aspects of the
infrastructure yourself, including the hardware, operating systems and applications, and hypervisor
and associated software. This can be challenging if your VDI experience and expertise is limited.
Purchasing all infrastructure components can require a larger upfront investment.

Benefits of desktop virtualization:

 Simpler administration
 Cost savings
 Improved productivity
 Support for a broad variety of device types
 Stronger security
 Agility and scalability
 Better end-user experiences

Block level storage virtualization and File level storage virtualization:

Both approaches present virtual storage to servers, but file-level and block-level virtualization have
some distinct differences that affect their suitability and performance for different scenarios and
applications.

Fig: Block level provides virtual storage to the servers in the form of virtual disk
Fig: File level provides virtual storage to the servers in the form files and directories

File-level virtualization operates at a higher level of abstraction than block-level virtualization, which
means that it has more visibility and control over the file system metadata and structure, but also more
overhead and latency. File-level virtualization is more suitable for applications that need to access and
manipulate files and directories across different storage devices and locations, but less suitable for
applications that need to access and manipulate data blocks directly and efficiently.

Feature | Block level storage virtualization | File level storage virtualization
File management | Stores files but requires additional budget and management resources to support files on block storage. | Supports common file-level protocols and permissions models. Usable by applications configured to work with shared file storage.
Metadata | Uses very little associated metadata. | Stores limited metadata relevant to files only.
Performance | High-performance, low latency, and rapid data transfer. | Offers high performance for shared file access.
Physical storage | Distributed across SSDs and HDDs. | On-premises NAS servers or over underlying physical block storage.
Scalability | Somewhat limited. | Somewhat limited.

4. Describe about Docker Compose and Docker Swarm.

Docker Compose: Docker Compose is used to combine several containers into a single service. You
can run all of your containers on a single host using docker-compose, and getting started doesn’t need a
complicated host configuration. Ports, network, and container capacity are all readily customizable in
the YAML file.
The majority of real-world apps consists of many services that are reliant on one another. For instance,
your app could operate in one container but rely on a database server that is deployed nearby in another
container. Furthermore, before services can be deployed, they often need to be configured with storage
volumes, environment variables, port bindings, and other parameters. You may use Compose to package
these needs into a customised “stack” of containers for your application. This enhances developer
ergonomics, facilitates stack reuse across several settings, and lessens the likelihood of inadvertent
misconfiguration.
Features:

 Fast And Easy Configuration With YAML Scripts
 Extensive Community And Support
 Simplified Control
 Portability Across Environments
 Efficient Collaboration
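A stack of the kind the paragraph above describes (an application container that depends on a database, with a persistent volume, environment variables, a health check and port bindings) written as a Compose file. This is an added example, not a file from the page or from the Docker project; the image names, service names, ports and secret file paths are placeholders, and the database password is deliberately kept out of the file:

```yaml
# Constructed example compose.yaml: web application plus the database it depends on.
# Image names, ports and file paths are placeholders, not values from the page.
services:
  web:
    image: example/web-app:1.4.2          # pinned tag; never :latest
    ports:
      - "127.0.0.1:8080:8080"             # bound to loopback unless it must be public
    environment:
      DB_HOST: db                         # Compose DNS resolves the service name
      DB_NAME: app
    env_file:
      - ./web.secrets.env                 # DB credentials live here, not in this file
    depends_on:
      db:
        condition: service_healthy        # start only after the DB passes its health check
    read_only: true                       # immutable root filesystem
    tmpfs:
      - /tmp
    cap_drop: [ALL]                       # drop every Linux capability
    networks: [backend]

  db:
    image: postgres:16.3                  # placeholder version, pinned
    environment:
      POSTGRES_DB: app
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
    volumes:
      - dbdata:/var/lib/postgresql/data   # the storage volume the text refers to
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d app"]
      interval: 10s
      retries: 5
    networks: [backend]
    # no "ports:" entry: the database is reachable only from the web service

volumes:
  dbdata:

secrets:
  db_password:
    file: ./db_password.txt               # created outside version control

networks:
  backend:
```

`docker compose up -d` starts both containers on one host in dependency order; the point of the file is that the ports, network, volumes and credentials for the whole stack are declared once, which is what makes the stack reusable across environments and hard to misconfigure by hand.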

Docker Swarm
Docker Swarm is a container orchestration tool that manages Docker hosts which have been configured
to link together in a cluster. A swarm manager oversees the cluster’s operations, and the machines
that have joined the cluster are known as nodes. The high degree of availability provided for apps is one
of the main advantages of running a Docker swarm.

Docker Swarm is designed for more demanding workloads, such as web applications that must scale
concurrently for workloads involving hundreds or thousands of users, whereas Docker Compose is more
of an automation tool for a single host. Distributed systems like Docker Swarm are ideal for businesses
with a big user base and strict SLA requirements. The likelihood of downtime resulting from an impacted
data center or network link is greatly decreased if your application is operating across numerous
servers and data centers.

Features:
 Cluster Management Integrated With Docker Engine
 Desired State Reconciliation
 Decentralized Design
 Declarative Service Model
 Service Discovery
 Secure By Default

5. Compare and contrast the Physical clusters and Virtual Clusters and depict how resource
management could be carried out in virtual machines.

Physical clusters use dedicated hardware, while virtual clusters use software-based virtual
machines (VMs) that are more flexible, share underlying hardware, and can be dynamically
reconfigured. Resource management in virtual machines is handled through a hypervisor that shares
physical resources like CPU, RAM, and storage among multiple VMs, and can be further optimized
with tools like load balancing and live migration.
Physical clusters vs. Virtual clusters
Feature | Physical Cluster | Virtual Cluster
Underlying Structure | A group of interconnected, dedicated physical servers. | A logical grouping of VMs that can span multiple physical servers.
Resource Allocation | Resources are dedicated to a single physical server and its OS. | Resources are pooled and shared across multiple VMs running on one or more physical hosts.
Flexibility | Low flexibility; reconfiguring requires physically adding or removing hardware. | High flexibility; VMs can be created, moved, and deleted on demand.
Scalability | Scaled by adding new physical machines, which involves significant upfront costs and potential downtime. | Scaled by adding VMs to the existing resource pool, which is more cost-effective and agile.
Operating Systems | Each physical server runs a single OS. | Multiple VMs can run different OSs simultaneously on a single physical server.
Cost | High upfront costs for hardware; less efficient use of resources. | Lower upfront costs; better server utilization due to consolidation.

Resource management in virtual machines:

Resource management in a virtualized environment is handled by a software layer called a hypervisor,
which sits between the physical hardware and the virtual machines.
Hypervisor: The hypervisor, or virtual machine monitor, is responsible for creating, running, and
managing VMs. It allocates physical resources like CPU time, memory, and disk space to each VM as
needed.
Abstraction: The hypervisor abstracts the underlying physical hardware, allowing multiple virtual
machines with different operating systems to run on the same physical server without interfering with
each other.
Dynamic Resource Allocation: Resources are not permanently assigned but are allocated dynamically
based on the demand of each VM. This can be further optimized with features like:
Load Balancing: Distributes workloads across multiple VMs to prevent any single VM from becoming
overloaded.
VM Migration: Allows a VM to be moved from one physical host to another with minimal or no
downtime. This is used for maintenance, load balancing, or to move a VM to a more powerful server.
Centralized Management: A centralized management plane or orchestration tool can be used to
manage the entire pool of virtual resources, making it easier to provision new VMs, monitor
performance, and apply policies across the cluster.

6. Explain in detail about various types of virtualization?


Operating system-based virtualization refers to an operating system feature in which the kernel enables
the existence of various isolated user-space instances. The term also refers to the installation of
virtualization software over a pre-existing operating system; that operating system is called the host
operating system.
In this virtualization, a user installs the virtualization software in the operating system of his system like
any other program and utilizes this application to operate and generate various virtual machines. Here,
the virtualization software gives the user direct access to any of the created virtual machines. Because
the host OS must provide the support for hardware devices, operating system virtualization may run into
hardware compatibility issues when the required hardware driver is not available to the virtualization
software.
Virtualization software is able to convert hardware IT resources that require unique software for
operation into virtualized IT resources. As the host OS is a complete operating system in itself, many
OS-based services are available, and organizational management and administration tools can be utilized
for managing the virtualization host.
Some major operating system-based services are mentioned below:
1. Backup and Recovery.
2. Security Management.
3. Integration to Directory Services.

Various major operations of Operating System Based Virtualization are described below:
1. Hardware capabilities can be employed, such as the network connection and CPU.
2. Connected peripherals with which it can interact, such as a webcam, printer, keyboard, or
Scanners.
3. Data that can be read or written, such as files, folders, and network shares. The Operating
system may have the capability to allow or deny access to such resources based on which
the program requests them and the user account in the context of which it runs. OS may
also hide these resources, which leads that when a computer program computes them, they
do not appear in the enumeration results. Nevertheless, from a programming perspective,
the computer program has interacted with those resources and the operating system has
managed an act of interaction.
With operating-system virtualization, or containerization, it is possible to run programs within
containers to which only parts of these resources are allocated. A program that expects to perceive
the whole computer, once run inside a container, can only see the allocated resources and believes them
to be all that is available. Several containers can be created on each operating system, and a subset of
the computer’s resources is allocated to each. Each container may include many computer programs.
These programs may run in parallel or separately, and may even interact with each other.

Features of operating system-based virtualization are:

 Resource isolation: Operating system-based virtualization provides a high level of resource
isolation, which allows each container to have its own set of resources, including CPU, memory,
and I/O bandwidth.
 Lightweight: Containers are lightweight compared to traditional virtual machines as they share the
same host operating system, resulting in faster startup and lower resource usage.
 Portability: Containers are highly portable, making it easy to move them from one environment
to another without needing to modify the underlying application.
 Scalability: Containers can be easily scaled up or down based on the application requirements,
allowing applications to be highly responsive to changes in demand.
 Security: Containers provide a high level of security by isolating the containerized application
from the host operating system and other containers running on the same system.
 Reduced Overhead: Containers incur less overhead than traditional virtual machines, as they do
not need to emulate a full hardware environment.
 Easy Management: Containers are easy to manage, as they can be started, stopped, and
monitored using simple commands.
Operating system-based virtualization can raise demands and problems related to performance overhead,
such as:
1. The host operating system employs CPU, memory, and other hardware IT resources.
2. Hardware-related calls from guest operating systems need to traverse numerous layers to
and from the hardware, which reduces overall performance.
3. Licenses are frequently essential for host operating systems, in addition to individual
licenses for each of their guest operating systems.
Advantages of Operating System-Based Virtualization:
 Resource Efficiency: Operating system-based virtualization allows for greater resource efficiency
as containers do not need to emulate a complete hardware environment, which reduces resource
overhead.
 High Scalability: Containers can be quickly and easily scaled up or down depending on the
demand, which makes it easy to respond to changes in the workload.
 Easy Management: Containers are easy to manage as they can be managed through simple
commands, which makes it easy to deploy and maintain large numbers of containers.
 Reduced Costs: Operating system-based virtualization can significantly reduce costs, as it requires
fewer resources and infrastructure than traditional virtual machines.
 Faster Deployment: Containers can be deployed quickly, reducing the time required to launch new
applications or update existing ones.
 Portability: Containers are highly portable, making it easy to move them from one environment to
another without requiring changes to the underlying application.
Disadvantages of Operating System-Based Virtualization:
 Security: Operating system-based virtualization may pose security risks as containers share the
same host operating system, which means that a security breach in one container could potentially
affect all other containers running on the same system.
 Limited Isolation: Containers may not provide complete isolation between applications, which can
lead to performance degradation or resource contention.
 Complexity: Operating system-based virtualization can be complex to set up and manage, requiring
specialized skills and knowledge.
 Dependency Issues: Containers may have dependency issues with other containers or the host
operating system, which can lead to compatibility issues and hinder deployment.
 Limited Hardware Access: Containers may have limited access to hardware resources, which can
limit their ability to perform certain tasks or applications that require direct hardware access.

7. Discuss about: a) Containers and Virtual Machines b) Containers and Kubernetes.


a) Containers and Virtual Machines
Virtual machines and containers are two ways of deploying multiple, isolated services on a single
host. A VM runs on top of an emulating software called the hypervisor, which sits between the
hardware and the virtual machine. The hypervisor is the key to enabling virtualization; it manages
the sharing of physical resources among virtual machines. Each virtual machine runs its own guest
operating system. VMs are less agile and have lower portability than containers.
Container: It sits on top of a physical server and its host operating system. Containers share a common
operating system that requires care and feeding for bug fixes and patches. They are more agile and
have higher portability than virtual machines.
S.No. | Virtual Machines | Containers
1 | A VM is a piece of software that allows you to install other software inside of it, so you control it virtually as opposed to installing the software directly on the computer. | A container is software that allows different functionalities of an application to run independently.
2 | Applications running on a VM system, or hypervisor, can run different OSs. | Applications running in a container environment share a single OS.
3 | A VM virtualizes the computer system, meaning its hardware. | Containers virtualize the operating system, or the software only.
4 | VM size is very large, generally in gigabytes. | The size of a container is very light, generally a few hundred megabytes, though it may vary as per use.
5 | A VM takes longer to run than containers, the exact time depending on the underlying hardware. | Containers take far less time to run.
6 | A VM uses a lot of system memory. | Containers require very little memory.
7 | A VM is more secure, as the underlying hardware isn’t shared between processes. | Containers are less secure, as the virtualization is software-based and memory is shared.
8 | VMs are useful when we require all of the OS resources to run various applications. | Containers are useful when we are required to maximize the running applications using minimal servers.
9 | Examples of Type 1 hypervisors are KVM, Xen, and VMware. VirtualBox is a Type 2 hypervisor. | Examples of containers are RancherOS, PhotonOS, and containers by Docker.

b) Containers and Kubernetes.

Kubernetes is a container orchestration platform with which you can automate the deployment of an
application and scale it according to the traffic it receives. Containers are lightweight and can be
moved very easily from one server to another. The following features make Kubernetes ideal for
running containerized applications in production:
1. Load Balancing
2. Service Discovery
3. Self-healing
4. Horizontal scaling
Containers are lightweight, portable packaged applications that contain all the dependencies required
to run the application, providing consistency across environments. Kubernetes simplifies the
automation of deployment, scaling, and management of these containerized applications. It works by
orchestrating containers across a cluster of machines, providing high availability and efficient resource
utilization. Together, containers and Kubernetes enable seamless application development, deployment,
and scaling in cloud-native environments.

Containerization Using Kubernetes

Containerization using Kubernetes is the way of deploying your microservices or monolithic application
using the container orchestration tool Kubernetes. Kubernetes is a preferred tool for deploying
applications in the form of containers because it offers features such as load balancing, self-healing,
and scaling. To containerize an application, you first need to build the image of the application, which
can be done using Docker; the image contains all the dependencies required for the application to be
deployed to the production server. After building the image, you push it to the Docker Hub registry,
from where others or Kubernetes can pull it.
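The four features listed above map onto concrete fields of Kubernetes manifests. The following is an added example, not a manifest from the page or from the Kubernetes project: a Deployment whose `replicas` and a HorizontalPodAutoscaler give horizontal scaling, whose liveness probe gives self-healing, whose readiness probe gates load balancing, and a Service whose name is what in-cluster DNS resolves for service discovery. The image `example/web-app:1.4.2`, the port 8080, the probe paths and the user id 10001 are placeholders.

```yaml
# Constructed example: Deployment + Service + HorizontalPodAutoscaler for one web app.
# Image name, port, probe paths and user id are placeholders, not values from the page.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
  labels: { app: web-app }
spec:
  replicas: 3                          # horizontal scaling: three identical Pods
  selector:
    matchLabels: { app: web-app }
  template:
    metadata:
      labels: { app: web-app }         # the Service below selects on this label
    spec:
      securityContext:
        runAsNonRoot: true             # the kubelet refuses to start a root container
        runAsUser: 10001
        seccompProfile: { type: RuntimeDefault }
      containers:
        - name: web
          image: example/web-app:1.4.2 # the image pushed to the registry, pinned by tag
          ports:
            - containerPort: 8080
          resources:                   # requests drive scheduling; limits bound usage
            requests: { cpu: 100m, memory: 128Mi }
            limits: { cpu: 500m, memory: 256Mi }
          livenessProbe:               # self-healing: a hung container is restarted
            httpGet: { path: /healthz, port: 8080 }
            initialDelaySeconds: 10
            periodSeconds: 10
          readinessProbe:              # load balancing: only ready Pods receive traffic
            httpGet: { path: /ready, port: 8080 }
            periodSeconds: 5
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }
---
apiVersion: v1
kind: Service
metadata:
  name: web-app                        # service discovery: reachable as "web-app" via cluster DNS
spec:
  selector: { app: web-app }
  ports:
    - port: 80
      targetPort: 8080
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: web-app
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web-app
  minReplicas: 3
  maxReplicas: 10                      # horizontal scaling driven by CPU utilization
  metrics:
    - type: Resource
      resource:
        name: cpu
        target: { type: Utilization, averageUtilization: 70 }
```

`kubectl apply -f` on this file creates all three objects; if a Pod fails its liveness probe Kubernetes restarts it, if a node dies the Deployment controller reschedules the missing replicas elsewhere, and the Service keeps routing only to Pods whose readiness probe passes.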

PART- C
1. How to Create, Implement and Run a Container Using Docker? Write the steps and commands
used.
Installing Docker on Ubuntu
1. Remove old version of Docker
$ sudo apt-get remove docker docker-engine [Link] containerd runc

2. Installing Docker Engine

$ sudo apt-get update
$ sudo apt-get install ca-certificates curl gnupg lsb-release
$ sudo mkdir -p /etc/apt/keyrings
$ curl -fsSL [Link] | sudo gpg --dearmor -o /etc/apt/keyrings/[Link]
$ echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/[Link]] \
  [Link] $(lsb_release -cs) stable" | sudo tee /etc/apt/[Link].d/[Link] > /dev/null
$ sudo apt-get update
$ sudo apt-get install docker-ce docker-ce-cli [Link] docker-compose-plugin

3. Allow the current user to run docker commands without sudo (log out and back in afterwards)
$ sudo groupadd docker
$ sudo usermod -aG docker $USER

4. Check if docker is successfully installed in your system
$ sudo docker run hello-world

Create an application in Docker

1. Create a folder with 2 files (Dockerfile and [Link] file) in it.
 Dockerfile
 [Link]
2. Edit [Link] with the below code.
#!/usr/bin/env python3
print("Docker and GFG rock!")

3. Edit Dockerfile with the below commands.
FROM python:latest
COPY [Link] /
CMD [ "python", "./[Link]" ]

4. Create a Docker image.
Once you have created and edited the [Link] file and the Dockerfile, create your image to
contain your application.
$ sudo docker build -t python-test .
The ‘-t’ option allows you to define the name of your image. ‘python-test’ is the name we have
chosen for the image.
5. Run the Docker image
Once the image is created, your code is ready to launch.
$ sudo docker run python-test

Push an image to Docker Hub

1. Create an Account on Docker Hub.


2. Click on the “Create Repository” button, put the name of the file, and click on “Create”.
3. Now will “tag our image” and “push it to the Docker Hub repository” which we just
created.
Now, run the below command to list docker images:
$ docker images

The above will give us this result:

REPOSITORY                 TAG      IMAGE_ID       CREATED       SIZE
afrozchakure/python-test   latest   c7857f97ebbd   2 hours ago   933MB

The Image ID is used to tag the image. The syntax to tag the image is:
docker tag <image-id> <your dockerhub username>/python-test:latest
$ docker tag c7857f97ebbd afrozchakure/python-test:latest

4. Push image to Docker Hub repository


$ docker push afrozchakure/python-test

Fetch and run the image from Docker Hub


1. To remove all versions of a particular image from our local system, we use the Image ID
for it.
$ docker rmi -f af939ee31fdc

2. Now run the image, it will fetch the image from the docker hub if it doesn’t exist on
your local machine.
$ docker run afrozchakure/python-test
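The Dockerfile in step 3 above builds from `python:latest` and never switches away from root, so every rebuild may pull a different base image and the application runs with uid 0 inside the container. The POSIX shell script below is an added example, not code from the page or from Docker: it lints a Dockerfile for those two weaknesses plus two related ones (ADD where COPY suffices, and credential-looking ENV/ARG values that end up in image layers) and writes a hardened equivalent of the page's Dockerfile beside the original. The application file name app.py, the tag 3.12-slim and the user id 10001 are assumptions; the sample Dockerfiles are constructed inline so the script runs without Docker installed.

```shell
#!/bin/sh
# Added example (not from the page): a small Dockerfile linter in POSIX sh.
# Exit status of lint_dockerfile is the number of findings, so it can gate CI.

# lint_dockerfile FILE
# Prints one line per finding; returns the number of findings (0 = clean).
lint_dockerfile() {
    file="$1"
    findings=0

    # 1. Unpinned base image: no tag, or the tag "latest", means every rebuild
    #    may silently pull a different image. Any --platform=... flag is skipped.
    for ref in $(awk 'toupper($1)=="FROM" { for (i=2;i<=NF;i++) if ($i !~ /^--/) { print $i; break } }' "$file"); do
        case "$ref" in
            scratch|*@sha256:*) ;;                         # empty base or digest-pinned: fine
            *:latest) echo "UNPINNED: $ref uses the :latest tag"; findings=$((findings+1)) ;;
            *:*)      ;;                                   # explicit tag: fine
            *)        echo "UNPINNED: $ref has no tag (defaults to :latest)"; findings=$((findings+1)) ;;
        esac
    done

    # 2. Runs as root: no USER instruction at all, or the last USER is root/0.
    last_user=$(awk 'toupper($1)=="USER" { u=$2 } END { print u }' "$file")
    case "$last_user" in
        "")     echo "ROOT: no USER instruction; processes run as root"; findings=$((findings+1)) ;;
        root|0) echo "ROOT: final USER is root"; findings=$((findings+1)) ;;
    esac

    # 3. ADD instead of COPY: ADD also fetches remote URLs and auto-extracts archives.
    if grep -Eiq '^[[:space:]]*ADD[[:space:]]' "$file"; then
        echo "ADD: prefer COPY; ADD fetches URLs and unpacks archives implicitly"
        findings=$((findings+1))
    fi

    # 4. Credential-looking ENV/ARG: the value is stored in image layers and history.
    if grep -Eiq '^[[:space:]]*(ENV|ARG)[[:space:]]+[A-Za-z_]*(PASSWORD|SECRET|TOKEN|API_KEY)' "$file"; then
        echo "SECRET: credential-like ENV/ARG is baked into the image"
        findings=$((findings+1))
    fi

    return "$findings"
}

# write_samples DIR: constructed Dockerfiles. "weak" mirrors the page's Dockerfile
# (file name app.py assumed); "hardened" fixes every finding the linter reports.
write_samples() {
    cat > "$1/Dockerfile.weak" <<'EOF'
FROM python:latest
COPY app.py /
CMD [ "python", "./app.py" ]
EOF
    cat > "$1/Dockerfile.hardened" <<'EOF'
FROM python:3.12-slim
RUN useradd --system --uid 10001 --no-create-home app
WORKDIR /app
COPY app.py .
USER app
CMD [ "python", "app.py" ]
EOF
}

# count_findings FILE: prints the number of findings (0 when clean).
count_findings() {
    n=0
    lint_dockerfile "$1" >/dev/null || n=$?
    echo "$n"
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in weak hardened; do
    echo "== Dockerfile.$f =="
    lint_dockerfile "$demo_dir/Dockerfile.$f" || echo "-> $? finding(s)"
done
rm -rf "$demo_dir"
```

The weak file reports two findings (unpinned base image, no USER) and the hardened one none; the same `lint_dockerfile` call can sit in front of `docker build` so an image that would run as root never reaches Docker Hub.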
UNIT –IV
PART- A
1. List two popular cloud service providers and their platforms.
Provider | Platform/Service
Amazon Web Services (AWS) | EC2, S3, RDS, Lambda, VPC, CloudFront
Microsoft Azure | Azure Virtual Machines, Azure App Services, Azure Blob Storage, Azure SQL, Azure Functions

2. What is OpenStack used for in cloud computing?


OpenStack is an open-source cloud computing platform used for:
 Building private and public clouds.
 Managing compute, storage, and networking resources.
 Orchestrating virtual machines, containers, and other cloud services.
 Providing scalability, automation, and multi-tenant cloud environments.

3. Define elasticity in a cloud computing environment.


Elasticity refers to the ability of a cloud system to automatically scale resources up or down based
on demand.
 Scale Out: Add resources when demand increases.
 Scale In: Remove resources when demand decreases.
Benefits: Cost optimization, improved performance, and automatic adaptation to workload
changes.

4. What is Eucalyptus?
Eucalyptus (Elastic Utility Computing Architecture for Linking Your Programs to Useful
Systems) is an open-source software platform for building private and hybrid clouds.
 Compatible with AWS APIs.
 Provides compute, storage, and network services for cloud applications.

5. What do you mean by open cloud ecosystem?


An open cloud ecosystem refers to a cloud environment that:
 Uses open standards and APIs.
 Supports interoperability between multiple cloud providers.
 Encourages community collaboration, innovation, and flexibility.
 Avoids vendor lock-in by enabling hybrid or multi-cloud deployments.

6. Write the procedure to deploy the application in Google App Engine.


Procedure to Deploy an Application in Google App Engine
1. Install GCP SDK and set up your project.
2. Write the application using supported languages (Python, Java, [Link], etc.).
3. Create [Link] configuration file specifying runtime and scaling options.
4. Test the application locally using the local development server.
5. Deploy the application using: gcloud app deploy
6. Access the deployed app using the provided App Engine URL.
7. Monitor and scale using GCP console if needed.

7. List the service offerings by AWS.

AWS services are broadly categorized as:
 Compute: EC2, Lambda, ECS, EKS
 Storage: S3, EBS, Glacier
 Database: RDS, DynamoDB, Aurora
 Networking: VPC, Route 53, CloudFront
 Analytics: Redshift, Athena, EMR
 AI/ML: SageMaker, Rekognition, Comprehend
 Security & Identity: IAM, KMS, Cognito
8. List the benefits of OpenStack Compute.
 Provides elastic and scalable computing resources.
 Supports multi-tenant virtualization.
 Integrates with networking and storage components for a full cloud stack.
 Open-source, highly customizable, and avoids vendor lock-in.
 Supports hypervisors like KVM, VMware, and Xen.

9. What do you understand by third party cloud services?


Third-party cloud services are cloud-based solutions offered by external vendors rather than
owned or managed by the user.
 Examples: Salesforce (SaaS), Dropbox (cloud storage), AWS (IaaS).
 Advantages: Reduced infrastructure cost, on-demand resources, professional maintenance.
 May include IaaS, PaaS, SaaS offerings.

10. Explain how virtualization is employed in Azure.

 Azure uses hypervisors (Hyper-V) to virtualize compute resources.
 Supports VMs, containers, and virtual networks.
 Allows dynamic allocation of CPU, memory, and storage to workloads.
 Enables scaling, isolation, and multi-tenancy.
 Integrates with Azure services like Azure Virtual Machine Scale Sets for automated elasticity.

PART- B
1. Compare the cloud software environments: Eucalyptus, OpenStack, and Amazon AWS,
focusing on their unique features and capabilities.

Eucalyptus focuses on building AWS-compatible private and hybrid clouds, OpenStack is a flexible
open-source cloud operating system, and Amazon AWS is a comprehensive, proprietary public cloud
platform with a vast range of managed services. Eucalyptus's unique feature is its compatibility with
AWS APIs, enabling migration between environments. OpenStack's advantage is its complete control
and extensive service offerings for building private or public clouds from the ground up. AWS stands
out for its unmatched scalability, mature ecosystem, and the breadth of services it offers, though it is
a proprietary, vendor-locked solution.

Feature | Eucalyptus | OpenStack | Amazon AWS
Primary Purpose | Building AWS-compatible private and hybrid clouds | Open-source cloud operating system for building private or public clouds | Comprehensive public cloud platform with a massive range of managed services
Key Advantage | AWS compatibility, allowing for easier migration and hybrid setups | Flexibility, control, and extensive open-source ecosystem | Unmatched scalability and a vast, mature set of managed services
Architecture | Focuses on emulating the AWS API for compatibility | Modular, with many services for networking, storage, and orchestration | Proprietary architecture with a deep integration of services
Control | Allows for private cloud deployments with some hybrid capabilities | Provides complete control over the infrastructure | Offers less control; users are dependent on AWS's proprietary services
Cost Model | Open-source or commercial versions available | Open-source, but requires significant management and infrastructure costs | Pay-as-you-go model, but can lead to bill shock and is often more expensive than self-managed solutions in the long run
Complexity | Can have complex installation and configuration, though simpler than OpenStack | Extremely complex to set up and manage due to its modular nature | Managed by Amazon, making it easier to use for a wide variety of services, but with its own complexity in billing and service limits

2. Discuss the role of Google App Engine in cloud deployment. Describe major building
blocks and functional modules of Google Cloud platform.
GOOGLE APPLICATION ENGINE (GAE)
Google App Engine is a PaaS cloud that provides a complete Web service environment
(Platform)
GAE provides Web application development platform for users.
All required hardware, operating systems and software are provided to clients.
Clients can develop their own applications, while App Engine runs the applications on
GAE helps to easily develop a Web application.
App Engine supports only the Java and Python programming languages.
The Google App Engine (GAE) provides a powerful distributed data storage service.

GOOGLE CLOUD INFRASTRUCTURE


Google has established cloud development by making use of large number of data centers.
Eg: Google established cloud services in
❖ Gmail
❖ Google Docs
❖ Google Earth etc.
These applications can support a large number of users simultaneously with High Availability (HA).
In 2008, Google announced the GAE web application platform.
GAE enables users to run their applications on a large number of data centers. Google App Engine
environment includes the following features :
❖ Dynamic web serving
❖ Persistent(constant) storage with queries, sorting, and transactions
❖ Automatic scaling and load balancing
Provides Application Programming Interface(API) for authenticating users. Send email using Google
Accounts.
Local development environment that simulates(create) Google App Engine on your computer.
GAE ARCHITECTURE
TECHNOLOGIES USED BY GOOGLE ARE
Google File System (GFS) -> for storing large amounts of data.
MapReduce -> for application program development.
Chubby -> for distributed application lock services.
BigTable -> offers a storage service.
Third-party application providers can use GAE to build cloud applications for providing
services.
Inside each data center, there are thousands of servers forming different clusters. GAE runs the user
program on Google’s infrastructure.
Application developers now do not need to worry about the maintenance of servers. GAE can be
thought of as the combination of several software components.
GAE supports Python and Java programming environments.

FUNCTIONAL MODULES OF GAE

The GAE platform comprises the following five major components:
1. DataStore: offers data storage services based on BigTable techniques. The Google App Engine (GAE)
provides a powerful distributed data storage service, and it provides secure data storage.
2. Application runtime environment: offers a platform for web programming and execution. It supports
two development languages: Python and Java.
3. Software Development Kit (SDK): used for local application development. The SDK allows users to
execute test runs of local applications and upload application code.
4. Administration console: used for easy management of user application development cycles.
5. GAE web service infrastructure: provides special guarantees for flexible use and management of
storage and network resources by GAE.

GOOGLE SECURE DATA CONNECTOR (SDC)

When the user wants to get the data, he/she first sends an authorized data request to Google Apps.
It forwards the request to the tunnel server. The tunnel servers validate the request identity.
If the identity is valid, the tunnel protocol allows the SDC to set up a connection, authenticate, and
encrypt the data that flows across the Internet.
SDC also validates whether a user is authorized to access a specified resource.

Google offers essentially free GAE services to all Gmail account owners.
We can register for a GAE account or use our Gmail account name to sign up for the service.
The service is free within a quota. If you exceed the quota, an extra amount will be charged.
GAE allows the user to deploy user-built applications on top of the cloud infrastructure. They are
built using the programming languages and software tools supported by the provider (e.g., Java, Python).

GAE APPLICATIONS
 Google Search Engine
 Google Docs
 Google Earth
 Gmail
 These applications can support large numbers of users simultaneously.
 Users can interact with Google applications via the web interface provided by each
application. The applications run in the Google data centers.
 Inside each data center, there might be thousands of server nodes forming different clusters.
Each cluster can run multipurpose servers.

3. What is OpenStack? How is OpenStack used in a cloud computing environment? What are
the components of OpenStack? Differentiate between OpenNebula and OpenStack.

OpenStack
It is a free, open-standard cloud computing platform that first came into existence on July 21, 2010. It
was a joint project of Rackspace Hosting and NASA to make cloud computing more ubiquitous in
nature. It is deployed as Infrastructure-as-a-Service (IaaS) in both public and private clouds where
virtual resources are made available to the users. The software platform contains interrelated
components that control multi-vendor hardware pools of processing, storage, networking resources
through a data center. In OpenStack, the tools which are used to build this platform are referred to as
“projects”. These projects handle a large number of services including computing, networking, and
storage services. Unlike virtualization, in which resources such as RAM, CPU, etc are abstracted from
the hardware using hypervisors, OpenStack uses a number of APIs to abstract those resources so that
users and the administrators are able to directly interact with the cloud services.

OpenStack components
Apart from the various projects which constitute the OpenStack platform, there are nine major services,
namely Nova, Neutron, Swift, Cinder, Keystone, Glance, Horizon, Ceilometer, and Heat. Here is the
basic definition of each of these components.
1. Nova (compute service): It manages the compute resources like creating, deleting, and
handling the scheduling. It can be seen as a program dedicated to the automation of
resources that are responsible for the virtualization of services and high-performance
computing.
2. Neutron (networking service): It is responsible for connecting all the networks across
OpenStack. It is an API driven service that manages all networks and IP addresses.
3. Swift (object storage): It is an object storage service with high fault tolerance capabilities
and it is used to store and retrieve unstructured data objects with the help of a RESTful API. Being a
distributed platform, it is also used to provide redundant storage within servers that are
clustered together. It is able to successfully manage petabytes of data.
4. Cinder (block storage): It is responsible for providing persistent block storage that is made
accessible using an API (self- service). Consequently, it allows users to define and manage
the amount of cloud storage required.
5. Keystone (identity service provider): It is responsible for all types of authentications and
authorizations in the OpenStack services. It is a directory-based service that uses a central
repository to map the correct services with the correct user.
6. Glance (image service provider): It is responsible for registering, storing, and retrieving
virtual disk images from the complete network. These images are stored in a wide range of
back-end systems.
7. Horizon (dashboard): It is responsible for providing a web-based interface for OpenStack
services. It is used to manage, provision, and monitor cloud resources.
8. Ceilometer (telemetry): It is responsible for metering and billing of services used. Also, it
is used to generate alarms when a certain threshold is exceeded.
9. Heat (orchestration): It is used for on-demand service provisioning with auto-scaling of
cloud resources. It works in coordination with Ceilometer.
These are the services around which the platform revolves. They individually handle storage,
compute, networking, identity, etc. They are the base on which the rest of the projects rely to
orchestrate services, allow bare-metal provisioning, provide dashboards, and so on.

Features of OpenStack

 Modular architecture: OpenStack is designed with a modular architecture that enables users
to deploy only the components they need. This makes it easier to customize and scale the
platform to meet specific business requirements.
 Multi-tenancy support: OpenStack provides multi-tenancy support, which enables multiple
users to access the same cloud infrastructure while maintaining security and isolation
between them. This is particularly important for cloud service providers who need to offer
services to multiple customers.
 Open-source software: OpenStack is an open-source software platform that is free to use
and modify. This enables users to customize the platform to meet their specific
requirements, without the need for expensive proprietary software licenses.
 Distributed architecture: OpenStack is designed with a distributed architecture that enables
users to scale their cloud infrastructure horizontally across multiple physical servers. This
makes it easier to handle large workloads and improve system performance.
 API-driven: OpenStack is API-driven, which means that all components can be accessed
and controlled through a set of APIs. This makes it easier to automate and integrate with
other tools and services.
 Comprehensive dashboard: OpenStack provides a comprehensive dashboard that enables
users to manage their cloud infrastructure and resources through a user-friendly web
interface. This makes it easier to monitor and manage cloud resources without the need for
specialized technical skills.
 Resource pooling: OpenStack enables users to pool computing, storage, and networking
resources, which can be dynamically allocated and de-allocated based on demand. This
enables users to optimize resource utilization and reduce waste.
Advantages of using OpenStack
 It boosts rapid provisioning of resources due to which orchestration and scaling up and
down of resources becomes easy.
 Deployment of applications using OpenStack does not consume a large amount of time.
 Since resources are scalable, they are used more wisely and efficiently.
 The regulatory compliances associated with its usage are manageable.

Disadvantages of using OpenStack


 OpenStack is not very robust when orchestration is considered.
 Even today, the APIs provided and supported by OpenStack are not compatible with many
of the hybrid cloud providers, thus integrating solutions becomes difficult.
 Like all cloud platforms, OpenStack services also carry the risk of security breaches.

4. Discuss Amazon AWS in detail.

AWS stands for Amazon Web Services. It uses distributed IT infrastructure to provide different IT
resources on demand.
o The AWS service is provided by Amazon and uses distributed IT infrastructure to make different
IT resources available on demand. It provides infrastructure as a service (IaaS), platform as a
service (PaaS) and packaged software as a service (SaaS).
o Amazon launched AWS, a cloud computing platform, to allow different organizations to take
advantage of reliable IT infrastructure.

Uses of AWS
o A small manufacturing organization uses their expertise to expand their business by
leaving their IT management to the AWS.
o A large enterprise spread across the globe can utilize the AWS to deliver the training to the
distributed workforce.
o An architecture consulting company can use AWS to get the high-compute rendering of
construction prototype.
o A media company can use AWS to deliver different types of content, such as e-books or audio
files, to users worldwide.

Pay-As-You-Go
Based on the concept of Pay-As-You-Go, AWS provides services to customers when required, without
any prior commitment or upfront investment. Pay-As-You-Go enables customers to procure the
following kinds of services from AWS:
o Computing
o Programming models
o Database storage
o Networking
Advantages of AWS
1) Flexibility
o We can get more time for core business tasks due to the instant availability of new
features and services in AWS.
o It provides effortless hosting of legacy applications. AWS does not require learning
new technologies, and migrating applications to AWS provides advanced computing
and efficient storage.
o AWS also offers a choice that whether we want to run the applications and services
together or not. We can also choose to run a part of the IT infrastructure in AWS and
the remaining part in data centres.
2) Cost-effectiveness
AWS requires no upfront investment, long-term commitment, and minimum expense when
compared to traditional IT infrastructure that requires a huge investment.
3) Scalability/Elasticity
Through AWS autoscaling and elastic load balancing, resources are automatically scaled up
or down when demand increases or decreases respectively. These techniques are ideal for
handling unpredictable or very high loads. For this reason, organizations enjoy the benefits
of reduced cost and increased user satisfaction.
4) Security
o AWS provides end-to-end security and privacy to customers.
o AWS has a virtual infrastructure that offers optimum availability while managing full
privacy and isolation of their operations.
o Customers can expect a high level of physical security because of Amazon's several
years of experience in designing, developing and maintaining large-scale IT
operation centers.
o AWS ensures the three aspects of security, i.e., confidentiality, integrity, and
availability of user data.

5. Draw and explain the architecture of Eucalyptus.


Eucalyptus
The open-source cloud refers to software or applications publicly available for the users in the
cloud to set up for their own purpose or for their organization.
Eucalyptus is a Linux-based open-source software architecture for cloud computing and also a
storage platform that implements Infrastructure as a Service (IaaS). It provides quick and efficient
computing services. Eucalyptus was designed to provide services compatible with Amazon's EC2
cloud and Simple Storage Service (S3).
Eucalyptus Architecture
Eucalyptus CLIs can handle Amazon Web Services and their own private instances. Clients
are free to move instances from Eucalyptus to Amazon Elastic Compute Cloud. The
virtualization layer oversees the network, storage, and computing. Instances are isolated
by hardware virtualization.
Important Features are:-
1. Images: A good example is the Eucalyptus Machine Image, which is a software module
bundled and uploaded to the cloud.
2. Instances: When we run an image and use it, it becomes an instance.
3. Networking: It can be further subdivided into three modes: Static
mode (allocates IP addresses to instances), System mode (assigns a MAC address
and attaches the instance's network interface to the physical network via the NC),
and Managed mode (achieves a local network of instances).
4. Access Control: It is used to place restrictions on clients.
5. Elastic Block Storage: It gives block-level storage volumes to connect to an
instance.
6. Auto-scaling and Load Balancing: It is used to create or destroy instances or
services based on requirements.

Components of Architecture
 Node Controller manages the lifecycle of instances running on each node. It interacts
with the operating system, hypervisor, and Cluster Controller, and controls the
working of VM instances on the host machine.
 Cluster Controller manages one or more Node Controllers and the Cloud Controller
simultaneously. It gathers information and schedules VM execution.
 Storage Controller (Walrus) allows the creation of snapshots of volumes and provides
persistent block storage for VM instances. Walrus Storage Controller is a
simple file storage system. It stores images and snapshots, and stores and serves files
using S3 (Simple Storage Service) APIs.
 Cloud Controller is the front-end for the entire architecture. It acts as a compliant
web service to client tools on one side and interacts with the rest of the
components on the other side.

Operation Modes of Eucalyptus


 Managed Mode: Provides numerous security groups to users, as the network is large.
Each security group is assigned a set or a subset of IP addresses. Ingress rules are
applied through the security groups specified by the user. The network is isolated
by VLAN between the Cluster Controller and Node Controller. Two IP
addresses are assigned to each virtual machine.
 Managed (No VLAN) Mode: The root user on a virtual machine can snoop
into other virtual machines running on the same network layer. It does not
provide VM network isolation.
 System Mode: Simplest of all modes, with the least number of features. A MAC address
is assigned to a virtual machine instance and attached to the Node Controller's
bridge Ethernet device.
 Static Mode: Similar to system mode but with more control over the assignment
of IP addresses. A MAC address/IP address pair is mapped to a static entry within the
DHCP server. The next set of MAC/IP addresses is mapped in turn.
Advantages Of The Eucalyptus Cloud
1. Eucalyptus can be used to build both a Eucalyptus private cloud and a
Eucalyptus public cloud.
2. Instances of Amazon or Eucalyptus machine images can be run on both clouds.
3. Its API is completely compatible with all the Amazon Web Services.
4. Eucalyptus can be used with DevOps tools like Chef and Puppet.
5. Although it is not as popular yet, it has the potential to be an alternative to OpenStack
and CloudStack.
6. It can be used to build hybrid, public and private clouds.
7. It allows users to turn their own data centers into a private cloud and hence extend
the services to other organizations.

6. Discuss MS Azure in detail.

MICROSOFT AZURE
Microsoft Azure is a cloud computing platform that provides a wide variety of services that
we can use without purchasing and arranging our hardware. It enables the fast development
of solutions and provides the resources to complete tasks that may not be achievable in an
on-premises environment. Azure Services like compute, storage, network, and application
services allow us to put our effort into building great solutions without worrying about the
assembly of physical infrastructure.

Microsoft Azure Services


Following are some of the services Microsoft Azure offers:
o Compute: Includes Virtual Machines, Virtual Machine Scale Sets, Functions for
serverless computing, Batch for containerized batch workloads, Service Fabric for
microservices and container orchestration, and Cloud Services for building cloud-
based apps and APIs.
o Networking: With Azure, you can use a variety of networking tools, like the
Virtual Network, which can connect to on-premise data centers; Load Balancer;
Application Gateway; VPN Gateway; Azure DNS for domain hosting; Content
Delivery Network; Traffic Manager; ExpressRoute dedicated private network fiber
connections; and Network Watcher monitoring and diagnostics.
o Storage: Includes Blob, Queue, File, and Disk Storage, as well as a Data Lake Store,
Backup, and Site Recovery, among others.
o Web + Mobile: Creating Web + Mobile applications is very easy, as Azure includes
several services for building and deploying applications.
o Containers: Azure includes Container Service, which supports
Kubernetes, DC/OS or Docker Swarm, and Container Registry, as well as tools for
microservices.
o Databases: Azure also includes several SQL-based databases and related tools.
o Data + Analytics: Azure has big data tools like HDInsight for Hadoop, Spark,
R Server, HBase, and Storm clusters.
o AI + Cognitive Services: Azure supports developing applications with artificial
intelligence capabilities, like the Computer Vision API, Face API, Bing Web Search,
Video Indexer, and Language Understanding Intelligent Service (LUIS).
o Internet of Things: Includes IoT Hub and IoT Edge services that can be combined
with a variety of machine learning, analytics, and communications services.
o Security + Identity: Includes Security Center, Azure Active Directory, Key Vault,
and Multi-Factor Authentication Services.
o Developer Tools: Includes cloud development services like Visual Studio Team
Services, Azure DevTest Labs, HockeyApp mobile app deployment and monitoring,
Xamarin cross-platform mobile development, and more.

How Azure works


It is essential to understand the internal workings of Azure so that we can design our applications
on Azure effectively with high availability, data residency, resilience, etc.

Microsoft Azure is completely based on the concept of virtualization. So, like any other
virtualized data center, it contains racks. Each rack has a separate power unit and network
switch, and each rack is integrated with software called the Fabric Controller. The Fabric
Controller is a distributed application which is responsible for managing and monitoring servers
within the rack. In case of any server failure, the Fabric Controller recognizes it and recovers it.
Each Fabric Controller is, in turn, connected to a piece of software called the Orchestrator.
The Orchestrator includes web services and a REST API to create, update, and delete resources.

When a request is made by the user, either using PowerShell or the Azure portal, it first goes
to the Orchestrator, which fundamentally does three things:
1. Authenticates the user.
2. Authorizes the user, i.e., checks whether the user is allowed to do the
requested task.
3. Looks into the database for the availability of space based on the requested resources and
passes the request to an appropriate Azure Fabric Controller to execute the request.
Combinations of racks form a cluster. We have multiple clusters within a data center, and we
can have multiple Data Centers within an Availability zone, multiple Availability zones
within a Region, and multiple Regions within a Geography.
o Geographies: A geography is a discrete market, typically containing two or more regions, that
preserves data residency and compliance boundaries.
o Azure regions: A region is a collection of data centers deployed within a defined
perimeter and interconnected through a dedicated regional low-latency network.

Azure covers more global regions than any other cloud provider, which offers the scalability
needed to bring applications and users closer together around the world. It is globally available in 50
regions around the world. Due to its availability over many regions, it helps in preserving data
residency and offers comprehensive compliance and flexible options to customers.

7. Write detailed steps to set the Google App Engine environment for executing any
program of your choice.

Programming Support of Google App Engine


The GAE programming model supports two languages: Java and Python. The client
environment includes an Eclipse plug-in for Java that allows you to debug your GAE application on
your local machine. The Google Web Toolkit is available for Java web application developers. Python
is used with frameworks such as Django and CherryPy, but Google also has the webapp Python
environment.

There are several powerful constructs for storing and accessing data. The data store is a
NoSQL data management system for entities. Java offers Java Data Objects (JDO) and Java
Persistence API (JPA) interfaces implemented by the DataNucleus Access platform, while
Python has a SQL-like query language called GQL. The performance of the data store can
be enhanced by in-memory caching using the memcache, which can also be used
independently of the data store.
Recently, Google added the blobstore, which is suitable for large files as its size limit is 2
GB. There are several mechanisms for incorporating external resources. The Google Secure Data
Connector (SDC) can tunnel through the Internet and link your intranet to an external
GAE application. The URL Fetch operation provides the ability for applications to fetch
resources and communicate with other hosts over the Internet using HTTP and HTTPS
requests.
An application can use Google Accounts for user authentication. Google Accounts handles
user account creation and sign-in, and a user that already has a Google account (such as a
Gmail account) can use that account with your app. GAE provides the ability to manipulate
image data using a dedicated Images service which can resize, rotate, flip, crop, and enhance
images. A GAE application is configured to consume resources up to certain limits or
quotas. With quotas, GAE ensures that your application won’t exceed your budget, and that
other applications running on GAE won’t impact the performance of your app. In particular,
GAE use is free up to certain quotas.
Google File System (GFS)
GFS is a fundamental storage service for Google's search engine. GFS was designed for
Google applications, and Google applications were built for GFS. There are several concerns
in GFS. The first is component failure: as servers are composed of inexpensive commodity
components, it is the norm rather than the exception that concurrent failures will occur all the time.
Another concern is the file size in GFS. GFS typically holds a large number of huge files, each 100
MB or larger, with files that are multiple GB in size quite common. Thus, Google has
chosen its file data block size to be 64 MB instead of the 4 KB in typical traditional file
systems. The I/O pattern in Google applications is also special. Files are typically written
once, and the write operations are often appends of data blocks to the end of files.
Multiple appending operations might be concurrent. The customized API can simplify the
problem and focus on Google applications.

Figure shows the GFS architecture. There is a single master in the whole cluster. Other nodes act
as the chunk servers for storing data, while the single master stores the metadata. The file system
namespace and locking facilities are managed by the master. The master periodically
communicates with the chunk servers to collect management information as well as give
instructions to the chunk servers to do work such as load balancing or failure recovery.

The master has enough information to keep the whole cluster in a healthy state. Google uses a shadow
master to replicate all the data on the master, and the design guarantees that all the data operations are
performed directly between the client and the chunk server. The control messages are transferred
between the master and the clients and they can be cached for future use. With the current quality of
commodity servers, the single master can handle a cluster of more than 1,000 nodes.

The mutation takes the following steps:


 The client asks the master which chunk server holds the current lease for the chunk and the locations
of the other replicas. If no one has a lease, the master grants one to a replica it chooses (not shown).
 The master replies with the identity of the primary and the locations of the other (secondary) replicas.
The client caches this data for future mutations. It needs to contact the master again only when the
primary becomes unreachable or replies that it no longer holds a lease.
 The client pushes the data to all the replicas. Each chunk server will store the data in an internal LRU
buffer cache until the data is used or aged out. By decoupling the data flow from the control flow, we
can improve performance by scheduling the expensive data flow based on the network topology
regardless of which chunk server is the primary.
 Once all the replicas have acknowledged receiving the data, the client sends a write request to the
primary. The request identifies the data pushed earlier to all the replicas. The primary assigns
consecutive serial numbers to all the mutations it receives, possibly from multiple clients, which
provides the necessary serialization. It applies the mutation to its own local state in serial order.
 The primary forwards the write request to all secondary replicas. Each secondary replica applies
mutations in the same serial number order assigned by the primary.
 The secondaries all reply to the primary indicating that they have completed the operation.
 The primary replies to the client. Any errors encountered at any replicas are reported to the client. In
case of errors, the write may have succeeded at the primary and an arbitrary subset of the secondary
replicas. The client request is considered to have failed, and the modified region is left in an
inconsistent state. The client code handles such errors by retrying the failed mutation.
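The write path above is easier to follow when the control flow (lease lookup, serial numbers) and the data flow (push to every replica) are separated in code. The following simulation is an added example, not code from the page or from GFS itself; the class and function names (ChunkServer, Master, client_write) are constructed for the demo, and it models a plain offset write to one chunk with three constructed in-memory replicas. A flag on a replica lets you inject the failure case in the last step, so you can see the replicas diverge and then reconverge when the client retries:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ChunkServer:
    """A chunk-server replica. Any replica may be chosen as primary by the master."""
    name: str
    data: bytearray = field(default_factory=bytearray)   # chunk contents held by this replica
    # Data pushed by a client but not yet applied (the LRU buffer cache in GFS).
    buffer: Dict[str, Tuple[int, bytes]] = field(default_factory=dict)
    next_serial: int = 0                                  # used only while this replica holds the lease
    applied: List[int] = field(default_factory=list)      # serial numbers applied, in order
    fail_next_apply: bool = False                         # constructed fault injection for the demo

    def push(self, data_id: str, offset: int, payload: bytes) -> None:
        # Step 3: data flow only; nothing is applied yet.
        self.buffer[data_id] = (offset, payload)

    def apply(self, serial: int, data_id: str) -> bool:
        # Steps 4/5: apply the buffered mutation identified by data_id in serial order.
        if self.fail_next_apply:
            self.fail_next_apply = False
            return False                                  # buffered data is kept for a retry
        offset, payload = self.buffer.pop(data_id)
        end = offset + len(payload)
        if len(self.data) < end:
            self.data.extend(b"\0" * (end - len(self.data)))
        self.data[offset:end] = payload
        self.applied.append(serial)
        return True


class Master:
    """Holds metadata only: the replica set and which replica currently holds the lease."""

    def __init__(self, replicas: List[ChunkServer]) -> None:
        self.replicas = replicas
        self.primary: Optional[ChunkServer] = None

    def lookup_lease(self) -> Tuple[ChunkServer, List[ChunkServer]]:
        # Steps 1/2: grant a lease if nobody holds one, then answer with primary + secondaries.
        if self.primary is None:
            self.primary = self.replicas[0]
        return self.primary, [r for r in self.replicas if r is not self.primary]


def client_write(master: Master, offset: int, payload: bytes, data_id: str) -> List[str]:
    """One mutation from the client's point of view.

    Returns the names of replicas that reported an error; an empty list means success.
    """
    primary, secondaries = master.lookup_lease()
    for replica in [primary] + secondaries:     # step 3: push data to every replica
        replica.push(data_id, offset, payload)
    serial = primary.next_serial                # step 4: the primary serialises mutations
    primary.next_serial += 1
    errors: List[str] = []
    if not primary.apply(serial, data_id):
        errors.append(primary.name)
    for secondary in secondaries:               # step 5: forward in the same serial order
        if not secondary.apply(serial, data_id):
            errors.append(secondary.name)
    return errors                               # steps 6/7: errors are reported back to the client


def replicas_consistent(replicas: List[ChunkServer]) -> bool:
    """True when every replica holds byte-identical chunk data."""
    return len({bytes(r.data) for r in replicas}) == 1


if __name__ == "__main__":
    servers = [ChunkServer("cs1"), ChunkServer("cs2"), ChunkServer("cs3")]
    master = Master(servers)
    print(client_write(master, 0, b"hello", "d1"), replicas_consistent(servers))
    servers[2].fail_next_apply = True          # inject a failure at one secondary
    print(client_write(master, 5, b"world", "d2"), replicas_consistent(servers))
    print(client_write(master, 5, b"world", "d2"), replicas_consistent(servers))  # retry
```

The retry works here because the demo models an offset write, which is idempotent; GFS record appends behave differently (a retry can leave duplicate records), which is exactly why the paper calls the region "inconsistent" after a partial failure rather than simply rolled back.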

PART - C
1. Depict the system requirements, software configuration, memory requirements for
creating an e-commerce website in cloud platform with S3 storage and hosting the
same in a laptop.

Creating an e-commerce website on a cloud platform with S3 storage and then hosting it on
a laptop involves distinct requirements for each phase.
1. Cloud Platform & S3 Storage (Development & Production Environment):
 System Requirements:
 Cloud Provider Account: An active account with a cloud provider (e.g.,
AWS, Azure, GCP) is essential.
 S3 Bucket: An Amazon S3 bucket configured for website hosting (if static)
or for storing media assets, product images, and other static content.
 Software Configuration:
 Web Server: Depending on your platform (e.g., Apache, Nginx) if running
on a virtual machine/container. For serverless architectures, this is managed
by the cloud provider.
 Database: A cloud-based database service (e.g., Amazon RDS, Azure SQL
Database, Google Cloud SQL) for dynamic content, user data, and order
information.
 Programming Language/Framework: The chosen language and framework
for your e-commerce application (e.g., Python/Django, Node.js/Express,
PHP/Laravel, Ruby on Rails).
 Version Control: Git or a similar system for managing code changes.
 Deployment Tools: Tools for deploying your application to the cloud (e.g.,
AWS CLI, Serverless Framework, CI/CD pipelines).
 Memory Requirements:
 Cloud Instances: Memory requirements for virtual machines or containers in
the cloud will depend on the expected traffic and complexity of the e-
commerce site. Start with a modest instance size and scale as needed.
 Database: Database memory requirements depend on the size and activity of
your database.
2. Hosting on a Laptop (Local Development Environment):
 System Requirements:
 Operating System: A modern operating system (e.g., Windows 10/11,
macOS, Linux).
 Processor: A multi-core processor for efficient development and testing.
 RAM: Minimum 8GB RAM, 16GB or more recommended for smoother
operation, especially when running multiple services (database, web server,
IDE).
 Storage: Sufficient free disk space for the operating system, development
tools, project files, and potentially a local database instance. SSD is highly
recommended for performance.
 Software Configuration:
 Integrated Development Environment (IDE): A suitable IDE for your
chosen programming language (e.g., VS Code, PyCharm, IntelliJ IDEA).
 Local Web Server: A local web server (e.g., Apache, Nginx, or the built-in
server of your framework) for testing.
 Local Database: A local database instance (e.g., MySQL, PostgreSQL,
SQLite) for development.
 Cloud Provider CLI/SDK: Command-line interfaces or Software
Development Kits for interacting with your cloud resources (e.g., AWS CLI
for S3).
 Containerization (Optional but Recommended): Docker and Docker
Compose for creating isolated and reproducible development environments.
 Memory Requirements:
 Development Tools: IDEs, web servers, and databases consume RAM.
 Application Testing: Running your e-commerce application locally for
testing will also utilize memory.
Important Considerations:
 Security: Implement robust security measures for both your cloud and local
environments.
 Cost Optimization: Monitor cloud resource usage to manage costs effectively.
 Scalability: Design your e-commerce platform for scalability to handle future
growth.
 Backup and Recovery: Implement a comprehensive backup and recovery strategy
for your data.
UNIT 5
PART- A
1. What is guest hopping in virtualization security?
Guest hopping is a security attack where a malicious user on one virtual machine (guest OS) attempts
to break isolation and access another VM on the same physical host.
It exploits vulnerabilities in the hypervisor or VM isolation mechanisms.

2. Explain the purpose of Identity and Access Management (IAM) in cloud security.
IAM ensures that the right users have the right access to the right resources in the cloud.
Its main purposes are:
 User authentication (verify identity)
 User authorization (grant permissions)
 Granular access control
 Secure management of roles, credentials, and policies

3. List any two security attacks in a cloud computing environment.


 Man-in-the-middle (MITM) attack
 Denial of Service (DoS/DDoS) attack
Other examples: VM escape, data breaches, account hijacking, hypervisor attacks.

4. What is IAM in cloud? What are the challenges in IAM?


IAM (Identity and Access Management) in cloud is a framework for managing user identities,
authentication, and access permissions.
Challenges in IAM:
 Managing many identities across distributed cloud services
 Role and permission complexity
 Multi-factor authentication requirements
 Handling insider threats
 Integration with on-premise identity systems
 Ensuring least-privilege access

5. What is a hyperjacking attack?


Hyperjacking is an attack where a hacker takes control of the hypervisor, allowing them to manipulate
or spy on all virtual machines running on it. This attack compromises the entire virtualization layer.

6. Define cloud security.


Cloud security refers to the set of technologies, policies, procedures, and controls designed to protect
cloud data, applications, and infrastructure from threats, attacks, and unauthorized access.

7. How are security policies implemented in cloud computing?


Security policies in cloud are implemented through:
 IAM policies (role-based access control, permissions)
 Encryption (data at rest and in transit)
 Network security controls (firewalls, VPC rules, security groups)
 Compliance frameworks
 Monitoring and auditing tools
 Security configurations at VM, OS, and application levels

8. What is the multitenancy issue in cloud computing?


Multitenancy means multiple customers share the same physical resources in cloud.
Issues include:
 Data leakage between tenants
 Poor isolation
 Resource contention
 Security risks if one tenant is compromised.
These issues arise because multiple VM/containers run on shared hardware.

9. What do you understand by virtualization security management?


Virtualization security management involves securing:
 Hypervisors
 Virtual machines
 Virtual networks
 Storage
 VM images and snapshots
It includes monitoring, patching, access control, and enforcing isolation among virtualized
components.

Differentiate between Identity Management and Access Management.


Feature    | Identity Management                          | Access Management
Definition | Deals with verifying who the user is.        | Deals with controlling what the user can access.
Focus      | User creation, authentication, credentials.  | Authorization, permissions, and policies.
Process    | Login, MFA, password management.             | Role-based or rule-based access control (RBAC/ABAC).

PART- B
1. Evaluate the security challenges associated with VM migration and propose best practices to
mitigate hyperjacking attacks.

VM migration
A migration attack is an attack on the network while a VM is being migrated from one place to
another; it exploits the mobility that virtualization provides.
Since VM images are easily moved between physical machines over the network, enterprises
constantly move VMs to various places based on their usage.
For example, VMs from a cancelled customer may be moved to a backup data center, and VMs that
need maintenance may be moved to a testing data center for changes.
Thus, while VMs are on the network between secured perimeters, attackers can exploit network
vulnerabilities to gain unauthorized access to the VMs.
Similarly, attackers can plant malicious code in the VM images in order to attack the data centers
that the VMs travel between.

VM migration - Types and Techniques

Cold Migration: Before migration, the virtual machine must be powered off; after the migration the
old copy should be deleted from the source host. The virtual machine need not be on shared storage.
Warm Migration: The OS and applications are transferred without suspending the source host. It is
in high demand in the public cloud.
Live Migration: The process of moving a running virtual machine from the source host to the
destination host without stopping the OS and other applications.
1) Pre-Copy Migration:
In this migration, the hypervisor copies all memory pages from the source machine to the destination
machine while the virtual machine is running. It has two phases: the warm-up phase and the
stop-and-copy phase.
a) Warm-Up Phase:
While all memory pages are being copied from source to destination, some memory pages change
because the CPU of the source machine is still active. The changed memory pages are known as dirty
pages. All these dirty pages must be recopied to the destination machine; this phase is called the
warm-up phase.
b) Stop-and-Copy Phase: The warm-up phase is repeated until the dirty pages have been recopied to
the destination machine. At this point the CPU of the source machine is deactivated until the
remaining memory pages have been transferred to the other machine. During this time the CPU of
both source and destination is suspended; this is known as the downtime phase. Downtime is the
main thing to examine when optimizing a migration.
2) Post-Copy Migration:
• In this technique, the VM at the source is suspended to start the post-copy migration.
• When the VM is suspended, the execution state of the VM (i.e. CPU state, registers, non-pageable
memory) is transferred to the target.
• In parallel, the source actively sends the remaining memory pages of the VM to the target.
• This process is known as pre-paging.
• At the target, if the VM tries to access a page that has not been transferred yet, it generates a page
fault, also known as a network fault. These faults are redirected to the source, which responds with
the faulted pages.
• Application performance degrades as the number of network faults grows.
To overcome this, the pre-paging scheme pushes the pages following the last fault by dynamically
adjusting the page transmission order.
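The pre-copy and post-copy techniques above can be compared with a small simulation. The following Python is an added example for this question bank, not code from any hypervisor; it assumes a simple workload model (each warm-up round dirties a fixed fraction of the pages it sent; post-copy pre-pages in address order from the last fault) and a constructed page-access trace.

```python
"""Constructed simulation of pre-copy and post-copy live VM migration."""
import math
from dataclasses import dataclass


@dataclass
class PreCopyResult:
    rounds: int          # number of warm-up rounds before stop-and-copy
    pages_sent: int      # total pages transferred, including recopied dirty pages
    downtime_pages: int  # pages copied while both CPUs were suspended


@dataclass
class PostCopyResult:
    network_faults: int  # page faults that had to be served over the network
    downtime_pages: int  # execution state + non-pageable memory sent while suspended
    pages_received: int  # pages present at the target when the trace ends


def precopy_migrate(total_pages: int, dirty_rate: float,
                    stop_threshold: int, max_rounds: int) -> PreCopyResult:
    """Pre-copy: warm-up rounds recopy dirty pages while the source VM keeps running.

    Workload model (assumption): during a round that sends n pages the running VM dirties
    ceil(dirty_rate * n) of them, so the dirty set shrinks only if dirty_rate < 1.
    """
    pending = total_pages   # round 1 copies every page
    pages_sent = 0
    rounds = 0
    while True:
        pages_sent += pending                        # warm-up round: source CPU active
        rounds += 1
        pending = math.ceil(dirty_rate * pending)    # pages dirtied meanwhile
        if pending <= stop_threshold or rounds >= max_rounds:
            break
    # Stop-and-copy: source CPU is deactivated; the remaining dirty pages are the downtime.
    pages_sent += pending
    return PreCopyResult(rounds, pages_sent, pending)


def postcopy_migrate(total_pages: int, nonpageable_pages: int,
                     access_trace: list, push_per_access: int) -> PostCopyResult:
    """Post-copy: suspend at source, ship execution state, then pre-page the rest.

    Pages [0, nonpageable_pages) stand for the execution state sent during the suspend.
    Between two accesses the source pushes push_per_access further pages in address order
    (pre-paging); a network fault moves the push cursor to just after the faulted page.
    """
    received = set(range(nonpageable_pages))
    cursor = nonpageable_pages      # next page the pre-paging scheme will push
    faults = 0
    for page in access_trace:
        pushed = 0
        while pushed < push_per_access and cursor < total_pages:
            if cursor not in received:
                received.add(cursor)
                pushed += 1
            cursor += 1
        if page not in received:    # not yet at the target: network fault
            faults += 1
            received.add(page)      # source responds with the faulted page ...
            cursor = page + 1       # ... and continues pushing after the last fault
    return PostCopyResult(faults, nonpageable_pages, len(received))


if __name__ == "__main__":
    # Read-mostly VM: the dirty set shrinks each round and downtime is tiny.
    print(precopy_migrate(1000, dirty_rate=0.25, stop_threshold=10, max_rounds=30))
    # Write-intensive VM: pre-copy never converges and hits max_rounds with a large downtime.
    print(precopy_migrate(1000, dirty_rate=1.0, stop_threshold=10, max_rounds=5))
    trace = [12, 13, 14, 60, 61, 62, 63, 15]   # constructed page-access trace
    print(postcopy_migrate(100, 10, trace, push_per_access=5))
    print(postcopy_migrate(100, 10, trace, push_per_access=0))   # no pre-paging
```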

Live VM migration steps of Google Compute Engine

■ VM migration
– VM migration is transfer of guest OS from one physical server to another with little or no
downtime
– Implemented by several virtualization products
– Provides high availability and dynamic load balancing

■ VM migration attack
– If migration protocol is unencrypted, susceptible to man-in-the-middle attack
– Allows arbitrary state in VM to be modified
– In default configuration, XenMotion is susceptible (no encryption)
– VMware’s VMotion system supports encryption
– Proof-of-concept developed by John Oberheide at the Univ. of Michigan
Analysis of Hyperjacking Attack and Mitigation Techniques

2. Discuss the architecture and challenges of Identity and Access Management (IAM)
in cloud environment, with an example of its practical application.

Identity and Access Management (IAM) Architecture


Authentication – is the process of verifying the identity of a user or a system. Authentication
usually connotes a more robust form of identification. In some use cases, such as service-to-service
interaction, authentication involves verifying the network service.
Authorization – is the process of determining the privileges the user or system is entitled to
once the identity is established. Authorization usually follows the authentication step and is
used to determine whether the user or service has the necessary privileges to perform certain
operations.
Auditing – entails the process of review and examination of authentication and authorization
records and activities to determine the adequacy of IAM system controls, to verify compliance with
established security policies and procedures, to detect breaches in security services, and to
recommend any changes that are indicated for countermeasures.

IAM Architecture and Practice


IAM is not a monolithic solution that can be easily deployed to gain capabilities immediately. It is
as much an aspect of architecture as it is a collection of technology components, processes, and
standard practices. Standard enterprise IAM architecture encompasses several layers of technology,
services, and processes. At the core of the deployment architecture is a directory service (such as
LDAP or Active Directory) that acts as a repository for the identity, credential, and user
attributes of the organization’s user pool. The directory interacts with IAM technology
components such as authentication, user management, provisioning, and federation services
that support the standard IAM practice and processes within the organization.

The IAM processes to support the business can be broadly categorized as follows:

User management: Activities for the effective governance and management of identity life
cycles
Authentication management: Activities for the effective governance and management of
the process for determining that an entity is who or what it claims to be.
Authorization management: Activities for the effective governance and management of
the process for determining entitlement rights that decide what resources an entity is
permitted to access in accordance with the organization’s policies.
Access management: Enforcement of policies for access control in response to a request
from an entity (user, services) wanting to access an IT resource within the organization.
Data management and provisioning: Propagation of identity and data for authorization to
IT resources via automated or manual processes.
Monitoring and auditing: Monitoring, auditing, and reporting compliance by users
regarding access to resources within the organization based on the defined policies.
IAM processes support the following operational activities:

Provisioning: Provisioning can be thought of as a combination of the duties of the human
resources and IT departments, where users are given access to data repositories or systems,
applications, and databases based on a unique user identity. Deprovisioning works in the
opposite manner, resulting in the deletion or deactivation of an identity or of privileges
assigned to the user identity.

Credential and attribute management: These processes are designed to manage the life
cycle of credentials and user attributes (create, issue, manage, revoke) so as to minimize the
business risk associated with identity impersonation and inappropriate account use. Credentials
are usually bound to an individual and are verified during the authentication process.
The processes include provisioning of attributes, static (e.g., standard text password) and
dynamic (e.g., one-time password) credentials that comply with a password standard (e.g.,
passwords resistant to dictionary attacks), handling password expiration, encryption
management of credentials during transit and at rest, and access policies of user attributes
(privacy and handling of attributes for various regulatory reasons).

Entitlement management: Entitlements are also referred to as authorization policies. The
processes in this domain address the provisioning and deprovisioning of privileges needed
for the user to access resources including systems, applications, and databases. Proper
entitlement management ensures that users are assigned only the required privileges.
Compliance management: This process implies that access rights and privileges are
monitored and tracked to ensure the security of an enterprise’s resources. The process also
helps auditors verify compliance to various internal access control policies, and standards
that include practices such as segregation of duties, access monitoring, periodic auditing,
and reporting. An example is a user certification process that allows application owners to
certify that only authorized users have the privileges necessary to access business-sensitive
information.
Identity federation management: Federation is the process of managing the trust
relationships established beyond the internal network boundaries or administrative domain
boundaries among distinct organizations. A federation is an association of organizations that
come together to exchange information about their users and resources to enable
collaborations and transactions.

Centralization of authentication (authN) and authorization (authZ):


A central authentication and authorization infrastructure alleviates the need for application developers
to build custom authentication and authorization features into their applications. Furthermore, it
promotes a loosely coupled architecture where applications become agnostic to the authentication
methods and policies. This approach is also called an "externalization of authN and authZ from
applications".

IAM Standards and Specifications for Organisations


The following IAM standards and specifications will help organizations implement effective and
efficient user access management practices and processes in the cloud. These sections are ordered by
four major challenges in user and access management faced by cloud users:
1. How can I avoid duplication of identity, attributes, and credentials and provide a single sign-on
user experience for my users? SAML.
2. How can I automatically provision user accounts with cloud services and automate the
process of provisioning and deprovisioning? SPML.

3. Present an outline on data privacy and security concerns in a cloud computing environment
with examples.

Cloud computing's data privacy and security concerns include data breaches,
misconfigurations, insider threats, data loss, compliance issues, and lack of transparency.
Examples of these concerns are unauthorized access due to poor security settings, accidental
data exposure from misconfigured cloud storage, data loss from vendor errors, and
challenges in complying with regional data laws like the GDPR.

Outline of data privacy and security concerns


I. Data Confidentiality and Integrity
• A. Unauthorized Access:
o Description: Gaining access to data without proper authorization.
o Examples:
  – Exploiting weak passwords or lack of multi-factor authentication (MFA).
  – Using social engineering or phishing attacks to steal credentials.
• B. Data Breaches:
o Description: The compromise of sensitive data, often leading to theft or exposure.
o Examples:
  – A major cloud provider's customer data being exfiltrated by hackers.
  – A company's cloud-hosted database being breached due to a vulnerability.
• C. Data Loss:
o Description: The irreversible loss of data.
o Examples:
  – Hardware failure at the cloud provider's data center.
  – Accidental deletion by a user or a system error.
• D. Misconfigurations:
o Description: Security settings that are not properly configured, leaving data vulnerable.
o Examples:
  – Leaving a cloud storage bucket public, exposing its contents to the internet.
  – Overly permissive Identity and Access Management (IAM) policies that grant too much access.
II. Compliance and Legal Issues
• A. Data Sovereignty:
o Description: The requirement to store and process data within a specific geographic location to
comply with local laws.
o Examples:
  – A European company using a cloud provider whose data centers are primarily in the US,
potentially violating GDPR regulations.
• B. Lack of Transparency:
o Description: The cloud provider's inability or unwillingness to provide clear information about
their security practices and data handling.
o Examples:
  – Not knowing which physical location your data is stored in.
  – Not having visibility into how the provider uses third-party vendors for services.
III. Shared Responsibility and Third-Party Risks
• A. Shared Responsibility Model:
o Description: The division of security responsibilities between the cloud provider and the
customer, which can lead to confusion and gaps in security.
o Examples:
  – A company assumes the provider is handling all encryption, but the company is responsible
for a key management aspect, and the data is exposed.
• B. Third-Party Access:
o Description: Risks introduced by third-party vendors the cloud provider uses.
o Examples:
  – A maintenance vendor having access to sensitive customer data and mishandling it.
IV. Management and Visibility
• A. Lack of Visibility:
o Description: The inability to fully monitor and see what is happening within the cloud
environment.
o Examples:
  – Not being able to easily identify all the services being used or who has access to them.
• B. Insider Threats:
o Description: Malicious or negligent actions by employees or individuals with legitimate access.
o Examples:
  – An employee stealing data before leaving the company.
  – An administrator accidentally deleting a critical database.

4. List the Virtualization System-Specific Attacks and explain any two of them.

Introduction: Virtual Threats - VM Threat Levels


When categorizing the threat posed to virtualized environments, often the
vulnerability/threat matrix is classified into three levels of compromise:
• Abnormally terminated — Availability to the virtual machine is compromised, as the VM is
placed into an infinite loop that prevents the VM administrator from accessing the VM’s
monitor.
• Partially compromised — The virtual machine allows a hostile process to interfere with the
virtualization manager, contaminating state checkpoints or over-allocating resources.
• Totally compromised — The virtual machine is completely overtaken and directed to execute
unauthorized commands on its host with elevated privileges.
New Virtualization System-Specific Attacks: Hypervisor Risks
• The hypervisor is the part of a virtual machine that allows host resource sharing and
enables VM/host isolation.
• Therefore, the ability of the hypervisor to provide the necessary isolation during
intentional attack greatly determines how well the virtual machine can survive risk.
• One reason why the hypervisor is susceptible to risk is because it’s a software program;
risk increases as the volume and complexity of application code increases.
• Ideally, software code operating within a defined VM would not be able to
communicate or affect code running either on the physical host itself or within a
different VM; but several issues, such as bugs in the software, or limitations to the
virtualization implementation, may put this isolation at risk.
• Major vulnerabilities inherent in the hypervisor consist of rogue hypervisor rootkits,
external modification to the hypervisor, and VM escape.
Rogue Hypervisor Rootkits or Hyperjacking:
• In a normal virtualization scenario, the guest operating system (the operating system
that is booted inside of a virtualized environment) runs like a traditional OS managing
I/O to hardware and network traffic, even though it’s controlled by the hypervisor.
• VM-based rootkits can hide from normal malware detection systems by initiating a
“rogue” hypervisor and creating a covert channel to dump unauthorized code into the
system.
• Proof-of-concept (PoC) exploits have demonstrated that a hypervisor rootkit can insert
itself into RAM, downgrade the host OS to a VM, and make itself invisible.
• A properly designed rootkit could then stay “undetectable” to the host OS, resisting
attempts by malware detectors to discover and remove it.
• This creates a serious vulnerability in all virtualized systems.
• Detectability of malware code lies at the heart of intrusion detection and correction, as
security researchers analyze code samples by running the code and viewing the result.
• In addition, some malware tries to avoid detection by anti-virus processes by attempting
to identify whether the system it has infected is traditional or virtual.
• If found to be a VM, it remains inactive and hidden until it can penetrate the physical
host and execute its payload through a traditional attack vector.
• Hyperjacking is an attack in which a hacker takes malicious control over the hypervisor
that creates the virtual environment within a virtual machine (VM) host.
• The point of the attack is to target the operating system that lies below that of the virtual
machines, so that the attacker's program can run while the applications on the VMs above
it remain completely oblivious to its presence.
• Hyperjacking involves installing a malicious, fake hypervisor that can manage the
entire server system.
• In hyperjacking, the hypervisor operates in stealth mode and runs beneath the machine,
which makes it more difficult to detect and more likely to gain access to computer
servers, where it can affect the operation of the entire institution or company.
Consists of installing a rogue hypervisor:
1. Injecting a rogue hypervisor beneath the original hypervisor;
2. Directly obtaining control of the original hypervisor;
3. Running a rogue hypervisor on top of an existing hypervisor.
One method for doing this is overwriting pagefiles on disk that contain paged-out kernel code:
• Force the kernel to be paged out by allocating large amounts of memory
• Find an unused driver in the page file and replace its dispatch function with shellcode
• Take action to cause the driver to be executed
• The shellcode downloads the rest of the malware
• The host OS is migrated to run in a virtual machine
– Has been demonstrated for taking control of the host OS
– Hyperjacking of hypervisors may be possible, but has not yet been demonstrated
• Hypervisors will come under intense scrutiny because they are such attractive targets
Known hyperjacking tools: BluePill, SubVirt, Vitriol

5. Write a detailed note on cloud security.


Cloud Security:
Cloud data security refers to the technologies, policies, services and security controls that protect any
type of data in the cloud from loss, leakage or misuse through breaches, exfiltration and unauthorized
access. A robust cloud data security strategy should include:
• Ensuring the security and privacy of data across networks as well as within applications,
containers, workloads and other cloud environments
• Controlling data access for all users, devices and software
• Providing complete visibility into all data on the network
The cloud data protection and security strategy must also protect data of all types. This includes:
• Data in use: Securing data being used by an application or endpoint through user
authentication and access control
• Data in motion: Ensuring the safe transmission of sensitive, confidential or proprietary
data while it moves across the network through encryption and/or other email and
messaging security measures
• Data at rest: Protecting data that is being stored on any network location, including the
cloud, through access restrictions and user authentication

Data Security Mitigation


• Customers of cloud computing services expect that data security will serve as a compensating
control for possibly weakened infrastructure security, since part of a customer’s infrastructure
security moves beyond its control, and a provider’s infrastructure security may (for many
enterprises) or may not (for small to medium-size businesses, or SMBs) be less robust than
expected. If you are expecting this, you will be disappointed. Although data in transit can and
should be encrypted, any use of that data in the cloud beyond simple storage requires that it be
decrypted.
• Therefore, it is almost certain that in the cloud, data will be unencrypted. And if you are using a
PaaS-based application or SaaS, customer-unencrypted data will also almost certainly be
hosted in a multitenancy environment (in public clouds). Add to that exposure the difficulties
in determining the data’s lineage and, where necessary, data provenance, and even many
providers’ failure to adequately address such a basic security concern as data remanence, and
the risks to data security for customers are significantly increased.
• So, what should you do to mitigate these risks to data security? The only viable option for
mitigation is to ensure that any sensitive or regulated data is not placed into a public cloud
(or that you encrypt data placed into the cloud for simple storage only). Given the economic
considerations of cloud computing today, as well as the present limits of cryptography,
CSPs are not offering robust enough controls around data security.
• It may be that those economics change and that providers offer their current services as well
as a “regulatory cloud environment” (i.e., an environment where customers are willing to
pay more for enhanced security controls to properly handle sensitive and regulated data).
Currently, the only viable option for mitigation is to ensure that any sensitive or regulated
data is not put into a public cloud.
Provider Data and Its Security
• In addition to the security of your own customer data, customers should also be
concerned about what data the provider collects and how the CSP protects that data.
Specifically with regard to your customer data, what metadata does the provider have
about your data, how is it secured, and what access do you, the customer, have to that
metadata? As your volume of data with a particular provider increases, so does the value
of that metadata.
• Additionally, your provider collects and must protect a huge amount of security-related
data. For example, at the network level, your provider should be collecting, monitoring,
and protecting firewall, intrusion prevention system (IPS), security incident and event
management (SIEM), and router flow data. At the host level your provider should be
collecting system logfiles, and at the application level SaaS providers should be
collecting application log data, including authentication and authorization information.
Storage
• For data stored in the cloud (i.e., storage-as-a-service), we are referring to IaaS and not data
associated with an application running in the cloud on PaaS or SaaS. The same three
information security concerns are associated with this data stored in the cloud (e.g., Amazon’s
S3) as with data stored elsewhere: confidentiality, integrity, and availability.
Confidentiality
• When it comes to the confidentiality of data stored in a public cloud, you have two potential
concerns. First, what access control exists to protect the data? Access control consists of both
authentication and authorization. CSPs generally use weak authentication mechanisms (e.g.,
username + password), and the authorization (“access”) controls available to users tend to be
quite coarse and not very granular.
• For large organizations, this coarse authorization presents significant security concerns unto
itself. Often, the only authorization levels cloud vendors provide are administrator authorization
(i.e., the owner of the account itself) and user authorization (i.e., all other authorized users),
with no levels in between (e.g., business unit administrators, who are authorized to approve
access for their own business unit personnel).
• What is definitely relevant to this section, however, is the second potential concern: how is the
data that is stored in the cloud actually protected? For all practical purposes, protection of data
stored in the cloud involves the use of encryption.
Integrity
• In addition to the confidentiality of your data, you also need to worry about the integrity of
your data. Confidentiality does not imply integrity; data can be encrypted for confidentiality
purposes, and yet you might not have a way to verify the integrity of that data. Encryption alone
is sufficient for confidentiality, but integrity also requires the use of message authentication
codes (MACs).
• The simplest way to use MACs on encrypted data is to use a block symmetric algorithm
(as opposed to a streaming symmetric algorithm) in cipher block chaining (CBC) mode, and to
include a one-way hash function. This is not for the cryptographically uninitiated, and it is one
reason why effective key management is difficult. At the very least, cloud customers should be
asking providers about these matters.
• Not only is this important for the integrity of a customer’s data, but it will also serve to
provide insight on how sophisticated a provider’s security program is, or is not. Remember,
however, that not all providers encrypt customer data, especially for PaaS and SaaS services.
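The integrity point above (encryption alone does not detect modification; a MAC does) can be shown in code. The following Python is an added example for this question bank, not code from the cited text or any provider; it assumes fixed demo keys and nonce, and swaps the text's AES-CBC for an HMAC-SHA256 counter-mode keystream so that it runs on the standard library alone.

```python
"""Constructed encrypt-then-MAC example: why encryption alone gives no integrity."""
import hmac
import hashlib

NONCE_LEN = 16
TAG_LEN = 32

# Constructed demo keys and nonce (assumption: fixed values so results are reproducible).
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
NONCE = bytes(NONCE_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256.

    Assumption: stands in for a real block cipher mode (the text's AES-CBC) purely so the
    example runs on the standard library; it shares the property that matters here, namely
    that ciphertext is malleable unless a MAC protects it.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts. Confidentiality only."""
    return bytes(p ^ k for p, k in zip(data, _keystream(enc_key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce || ciphertext, so any change is detected."""
    ciphertext = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the MAC in constant time before decrypting; reject on any mismatch."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: stored object was modified")
    return encrypt_only(enc_key, nonce, ciphertext)


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Model a one-bit change to a stored object (bit rot or an unauthorized edit)."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def decrypt_unverified(enc_key: bytes, blob: bytes) -> bytes:
    """What a store that encrypts but never checks a MAC would hand back."""
    return encrypt_only(enc_key, blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN])


if __name__ == "__main__":
    record = b"amount=100"
    blob = seal(ENC_KEY, MAC_KEY, NONCE, record)
    # Flip the low bit of the ciphertext byte that encrypts the '1' in "100".
    damaged = flip_bit(blob, NONCE_LEN + 7, 0)
    print(decrypt_unverified(ENC_KEY, damaged))   # b'amount=000': silently wrong
    try:
        open_sealed(ENC_KEY, MAC_KEY, damaged)
    except ValueError as err:
        print("rejected:", err)
```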
Availability
• Assuming that a customer’s data has maintained its confidentiality and integrity, you must also
be concerned about the availability of your data. There are currently three major threats in this
regard, none of which are new to computing, but all of which take on increased importance in
cloud computing because of increased risk.
• The first threat to availability is network-based attacks. The second threat to availability is the
CSP’s own availability.

6. Depict the procedure to carry out IAM in AWS Cloud platform?

Implementing Identity and Access Management (IAM) in the AWS Cloud platform is essential for
securing access to AWS resources. IAM allows you to control who can access which resources and
what actions they can perform. Here's a step-by-step procedure to carry out IAM in AWS:

Create IAM Users


IAM users represent individual accounts for people or applications that interact with AWS services.
Step 1: Sign in to the AWS Management Console with your root account or an IAM user with
appropriate permissions.
Step 2: Navigate to the IAM Dashboard.
Step 3: Select Users from the left navigation pane and click Add User.
Step 4: Enter a User name.
Step 5: Choose the type of access:
• Programmatic access: for API, CLI, SDK, or other tools.
• AWS Management Console access: for web-based access to the AWS Console.
Step 6: Set permissions (you can add users to a group, copy permissions from an existing user, or
manually attach policies).
Step 7: Review the settings and create the user.
Step 8: Download or copy the Access Keys and Secret Keys if programmatic access was
enabled.

Create IAM Groups


Groups are useful for managing permissions for multiple users at once.
Step 1: In the IAM Dashboard, go to the Groups section.
Step 2: Click Create New Group and give it a name.
Step 3: Attach policies to the group (AWS provides predefined policies such as
`AdministratorAccess`, `PowerUserAccess`, `ReadOnlyAccess`, etc.).
Step 4: Review and create the group.
Step 5: Add IAM users to the group.

Create IAM Roles


Roles are used to grant specific permissions to entities (users, applications, services) to perform actions
on your behalf.
Step 1: Go to the Roles section in the IAM dashboard.
Step 2: Click Create role.
Step 3: Choose the type of trusted entity for the role (AWS service, another AWS account, web
identity, etc.).
Step 4: Select the permissions for the role.
Step 5: Review and create the role.

Enable Multi-Factor Authentication (MFA)


To enhance the security of your AWS account, enable MFA for IAM users and root account access.
Step 1: In the IAM dashboard, click Users and select the user.
Step 2: Under Security credentials, click Manage MFA device.
Step 3: Choose either Virtual MFA device, U2F security key, or Other hardware MFA device.
Step 4: Follow the prompts to set up MFA (e.g., scan a QR code with an MFA app like Google
Authenticator).

Set Permissions Boundary


Permissions boundaries define the maximum permissions that an IAM role or user can have, even if
they are granted more permissions through group policies.
Step 1: Go to Users or Roles.
Step 2: Choose the user or role.
Step 3: Under the Permissions tab, click Set permissions boundary.
Step 4: Choose or create a permissions boundary policy.

Monitor IAM Activity Using AWS CloudTrail


AWS CloudTrail allows you to monitor API calls made by IAM users and roles. It provides logs for
auditing and troubleshooting.
Step 1: Go to the CloudTrail Dashboard in the AWS Management Console.
Step 2: Enable CloudTrail if it’s not already enabled.
Step 3: Review the logs for specific IAM activity like user logins, policy changes, and resource
access.
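The permissions-boundary step of the procedure above (the boundary caps what user or group policies can grant, and an explicit Deny always wins) can be checked offline with a small evaluator. The following Python is an added example for this question bank, not AWS code; it implements a simplified version of the IAM evaluation logic (no Condition blocks, NotAction, resource-based policies or SCPs) over constructed sample policy documents whose bucket name is a placeholder.

```python
"""Constructed evaluator for identity policies plus a permissions boundary (simplified IAM logic)."""
import re


def _matches(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' any single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
    return (any(_matches(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
            and any(_matches(r, resource) for r in _as_list(stmt["Resource"])))


def evaluate_policy(policy: dict, action: str, resource: str):
    """Return 'Deny', 'Allow', or None (implicit deny) for one policy document.

    Simplification (assumption): Condition blocks, NotAction/NotResource, resource-based
    policies, SCPs and session policies are not modelled.
    """
    decision = None
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny always wins
            decision = "Allow"
    return decision


def is_allowed(identity_policies: list, action: str, resource: str,
               boundary: dict = None) -> bool:
    """Explicit Deny anywhere -> denied. Otherwise the identity policies must Allow and,
    when a permissions boundary is attached, the boundary must Allow as well."""
    decisions = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in decisions:
        return False
    if boundary is not None and evaluate_policy(boundary, action, resource) != "Allow":
        return False          # boundary caps the effective permissions
    return "Allow" in decisions


# Constructed sample documents ("app-bucket" is a placeholder name).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

# Boundary: caps the user at object read/write in app-bucket even if a group grants more.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-bucket/report.csv"
    for act in ("s3:GetObject", "s3:DeleteObject", "ec2:DescribeInstances"):
        print(act, "->", is_allowed([DEVELOPER_POLICY], act, obj, BOUNDARY_POLICY))
```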

7. Discuss about: a) Cloud security challenges and risk. b) IAM Challenges

Cloud security challenges include a lack of visibility and control, misconfigurations, and the
complexity of multi-cloud environments. The primary risks are data breaches, account hijacking,
insider threats, and insecure APIs, which can be exacerbated by human error and compliance issues.
Key mitigation strategies involve strong identity and access management, robust data protection,
continuous monitoring, and employee training.

Cloud security challenges


• Misconfiguration: Incorrectly configured settings are a leading cause of security breaches, often
creating unintended vulnerabilities that expose sensitive data.
• Lack of visibility: It can be difficult to maintain a complete overview of cloud environments,
making it challenging to detect and respond to threats effectively.
• Identity and Access Management (IAM): Weaknesses in how user identities, roles, and
permissions are managed can lead to unauthorized access and privilege abuse.
• Complexity: Managing and securing multi-cloud and hybrid environments adds complexity,
potentially leading to gaps in security and compliance.
• Compliance: Meeting diverse and evolving regulatory requirements (like HIPAA or GDPR)
across different jurisdictions is a significant challenge.
• Skill shortage: There is a persistent shortage of skilled security professionals who can manage
and secure complex cloud infrastructures.

Cloud security risks and threats


• Data breaches: The most significant risk, where sensitive data is exposed due to
misconfigurations, weak access controls, or other vulnerabilities.
• Account hijacking: Attackers gain unauthorized access to accounts through methods like
phishing or stolen credentials, allowing them to steal data or disrupt services.
• Insider threats: Malicious or accidental actions by internal users, such as employees or
contractors with authorized access, can lead to data theft or misconfigurations.
• Insecure APIs: Application programming interfaces (APIs) that enable services to communicate
can become entry points for attackers if not properly secured with strong authentication and
other controls.
• Data loss: Data can be lost due to accidental deletion, hardware failures, or cyberattacks.
• Malware: Cloud environments are susceptible to various forms of malware, including
ransomware, which can severely impact data.
• Denial-of-Service (DoS) attacks: These attacks aim to overload cloud services, making them
unavailable to legitimate users.

IAM Challenges:

Cloud computing has completely changed the way Identity and Access Management (IAM) is
performed in organizations that operate on the cloud. A few years ago, the typical scenario would
have been the IT department giving remote access to specific people and only for a few applications.
This has changed: employees now access company resources from their personal devices over
insecure networks.
To protect their assets, organizations need security measures that include encryption, logging and
monitoring, role-based access control and more. The SaaS, PaaS and IaaS services offered by
Azure and Amazon Web Services require organizations to integrate IAM practices, processes and
procedures in a scalable, effective and efficient manner.

Challenges faced by IAM


New cloud-based identity and access management (IAM) services are growing in popularity as more
organizations opt for them to provide unified and simple identity management. They may add
extra security and protection to company resources. But they also pose key challenges, such as a
proper assessment of the existing IT infrastructure, current IAM standards and security posture
before adopting a cloud-based IAM service.
The question most organizations now ask is how to extend their existing IAM systems to
manage users and their access to cloud-based applications and services, and how to leverage the
various cloud services at a reasonable cost without losing control of security.

The major challenges faced by the IAM in the cloud:

1. Identity Provisioning / De-provisioning


This concerns the secure and timely on-boarding (provisioning) and off-boarding (de-provisioning)
of users in the cloud: creating accounts and granting entitlements when someone joins or changes role,
and revoking them promptly when they leave, so that no orphaned or over-privileged accounts remain.
Identity provisioning is distinct from resource provisioning, which the cloud also performs per user.
Once a user has successfully authenticated to the cloud, a portion of the system resources in terms of
CPU cycles, memory, storage and network bandwidth is allocated. Depending on the capacity
identified for the system, these resources are made available even if no users have
logged on. Depending on the number of users, the system resources are allocated as and when
required, and scaled down regularly, based on projected capacity requirements. At the same time,
adequate measures need to be in place to ensure that as usage of the cloud drops, system resources are
made available for other purposes; otherwise they remain unused and constitute a dead investment.

2. Maintaining a single ID across multiple platforms and organizations


It is tough for organizations to keep track of the various logins and IDs that employees accumulate
throughout their tenure. Centralised federated identity management (FIdM) is the answer to this
issue. Here users of cloud services are authenticated by a company-chosen identity provider (IdP).
By enabling single sign-on, the organization can extend its IAM processes and practices to the
cloud and implement a standardized federation model to support single sign-on to cloud services.
3. Compliance Visibility: Who has access to what
When it comes to cloud services, it is important to know who has access to applications and data,
where they are accessing it from, and what they are doing with it. Your IAM should be able to provide
centralised compliance reports across access rights, provisioning/de-provisioning, and end-user and
administrator activity. There should be central visibility and control across all your systems for
auditing purposes.
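Challenges 1 and 3 above (timely de-provisioning, and knowing who has access to what) are both answered by the same routine control: periodically reconcile the cloud's account and role assignments against the authoritative HR roster and the entitlements each team is supposed to have. The following is an added worked example, not part of the question bank, that does this reconciliation over constructed data. The roster, account snapshot, entitlement map and role names are all hypothetical; in practice the snapshot would come from the provider's IAM API or an identity governance export, and the roster from the HR system.

```python
from datetime import date

# Reference date for "days since" calculations (constructed for the example).
AS_OF = date(2024, 5, 15)

# Constructed HR roster: the authoritative list of people and their status.
HR_ROSTER = {
    "alice": {"team": "finance", "status": "active"},
    "bob": {"team": "platform", "status": "active"},
    "carol": {"team": "finance", "status": "terminated", "end_date": "2024-03-31"},
}

# Constructed snapshot of cloud accounts and their role assignments.
CLOUD_ACCOUNTS = [
    {"user": "alice", "roles": ["billing-reader"], "last_login": "2024-05-02", "mfa": True},
    {"user": "bob", "roles": ["platform-admin", "finance-admin"], "last_login": "2024-05-01", "mfa": True},
    {"user": "carol", "roles": ["finance-admin"], "last_login": "2024-04-10", "mfa": False},
    {"user": "svc-legacy", "roles": ["platform-admin"], "last_login": "2023-11-20", "mfa": False},
]

# Constructed "should" state: which roles each team is entitled to.
TEAM_ENTITLEMENTS = {
    "finance": {"billing-reader", "finance-admin"},
    "platform": {"platform-admin", "billing-reader"},
}

PRIVILEGED_ROLES = {"platform-admin", "finance-admin"}


def reconcile(roster, accounts, entitlements, today=AS_OF, dormant_days=90):
    """Compare cloud accounts with the roster; return a list of findings for the access review."""
    findings = []
    for acct in accounts:
        user, roles = acct["user"], set(acct["roles"])
        record = roster.get(user)
        if record is None:
            # Nobody in HR owns this identity: orphaned account or unregistered service account.
            findings.append({"kind": "orphaned", "user": user, "detail": "not in HR roster"})
        elif record["status"] != "active":
            overdue = (today - date.fromisoformat(record["end_date"])).days
            findings.append({"kind": "deprovision-overdue", "user": user,
                             "detail": f"still enabled {overdue} days after end date"})
        else:
            excess = sorted(roles - entitlements.get(record["team"], set()))
            if excess:
                findings.append({"kind": "excess-entitlement", "user": user,
                                 "detail": f"roles outside team entitlement: {excess}"})
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged and not acct["mfa"]:
            findings.append({"kind": "privileged-without-mfa", "user": user,
                             "detail": f"privileged roles {privileged} without MFA"})
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append({"kind": "dormant", "user": user, "detail": f"no login for {idle} days"})
    return findings


def access_matrix(accounts):
    """Who has access to what: role -> sorted list of users holding it."""
    matrix = {}
    for acct in accounts:
        for role in acct["roles"]:
            matrix.setdefault(role, []).append(acct["user"])
    return {role: sorted(users) for role, users in sorted(matrix.items())}


if __name__ == "__main__":
    for role, users in access_matrix(CLOUD_ACCOUNTS).items():
        print(f"{role:20} {', '.join(users)}")
    for f in reconcile(HR_ROSTER, CLOUD_ACCOUNTS, TEAM_ENTITLEMENTS):
        print(f"[{f['kind']}] {f['user']}: {f['detail']}")
```

The deprovision-overdue and orphaned findings are the ones that map directly to challenge 1; the access matrix and excess-entitlement findings are the evidence an auditor asks for under challenge 3. Scheduling this as a recurring job, and feeding its output into ticketing, turns a one-off review into a continuous control.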
4. Security when using 3rd party or vendor network
Many of the services and applications used in the cloud come from 3rd-party or vendor networks. You may
have secured your own network, but you cannot guarantee that their security is adequate, so vendor
access should be scoped, monitored and reviewed like any other.
PART- C
1. Propose a cloud migration strategy for a large enterprise, covering virtualization,
containerization, and security. Discuss how to handle challenges like data loss, downtime and
compliance.

A comprehensive cloud migration strategy for a large enterprise involves phased execution, a hybrid
approach using both virtualization and containerization, and a robust focus on security,
compliance, and risk mitigation.
Cloud Migration Strategy: Phased Approach
The migration should be executed in stages, starting with non-critical workloads to test processes and
make adjustments before moving business-critical systems.
1. Assessment and Planning:
• Define Goals: Clearly establish business objectives (e.g., cost savings, increased
agility, better performance) to guide the process.
• Audit Current Landscape: Conduct a thorough assessment of existing applications,
data, dependencies, and security requirements to identify which systems are cloud-
ready and which need modification.
• Choose the Right "R" Strategy: For each application, select an appropriate migration
strategy (e.g., Rehost, Replatform, Refactor, Retire, Retain, Repurchase).
• Develop a Detailed Roadmap: Outline timelines, resources, and responsibilities for
each phase, including contingency and rollback plans.
2. Pilot and Execution:
• Start with a Proof-of-Concept (PoC): Migrate a small, non-critical workload first to
validate the chosen approach and identify potential issues on a smaller scale.
• Execute Phased Migration: Gradually move workloads in waves, applying lessons
learned from the pilot and previous stages to the next.
• Automate: Leverage automation and Infrastructure as Code (IaC) tools (e.g.,
Terraform, AWS CloudFormation, Azure Resource Manager) to streamline
deployment, reduce human error, and ensure consistency.
3. Operation and Optimization:
• Monitor and Test: Continuously monitor performance, costs, and security post-
migration to identify areas for optimization.
• Iterate and Refine: Regularly review the success of the migration against the initial
KPIs and refine the strategy for ongoing improvements.
Incorporating Virtualization & Containerization
A hybrid approach is often most effective for large enterprises:
• Virtualization: Leverage existing virtualization platforms (e.g., VMware) to "relocate"
workloads to a cloud version of the same platform, enabling a faster, hypervisor-level lift and
shift with minimal disruption.
• Containerization: For applications requiring high scalability, performance, and agility, adopt
containerization technologies like Kubernetes. This involves refactoring or re-architecting
applications into microservices, allowing them to run consistently across various cloud and on-
premises environments and reducing vendor lock-in.

Handling Challenges

Challenge and strategy for mitigation:

Data Loss: Back up all data before migration and implement robust backup and disaster recovery
(DR) plans. Use reliable migration tools and perform data validation checks (record counts,
checksums) before and after migration to ensure integrity.

Downtime: Schedule migrations during off-peak hours or maintenance windows. Use a phased
migration approach and employ techniques like blue-green deployments or live
replication to minimize service disruption.

Compliance: Conduct a thorough risk assessment to map out all regulatory requirements (e.g.,
GDPR, HIPAA). Choose a cloud provider with the necessary certifications and
implement continuous compliance monitoring and audits.

Security: Work within the shared responsibility model with the cloud provider. Encrypt data in
transit and at rest, enforce strong identity and access management (IAM) policies
with least privilege access, and conduct regular security assessments.
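The data-loss row asks for "data validation checks before and after migration". The concrete form of that check is a content manifest: hash every file in the source before the cut-over, copy, then hash the destination and diff the two. The following is an added worked example (not part of the question bank) that builds such a manifest and verifies a migrated tree, reporting files that never arrived, files that arrived corrupted or truncated, and stray files that should not be there. The source and destination trees are constructed in a temporary directory to simulate a migration; the file names and contents are hypothetical.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large files do not need to fit in memory


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> {sha256, size} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(manifest, root):
    """Compare the destination tree under root with a manifest taken from the source."""
    actual = build_manifest(root)
    expected_paths, actual_paths = set(manifest), set(actual)
    missing = sorted(expected_paths - actual_paths)          # never arrived
    extra = sorted(actual_paths - expected_paths)            # stray or leftover
    mismatched = sorted(                                     # arrived, but contents differ
        p for p in expected_paths & actual_paths
        if manifest[p]["sha256"] != actual[p]["sha256"]
    )
    return {"missing": missing, "extra": extra, "mismatched": mismatched,
            "ok": not missing and not mismatched}


def demo():
    """Constructed migration: one file truncated in transit, one missing, one stray leftover."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "src", Path(tmp) / "dst"
        (src / "data").mkdir(parents=True)
        (src / "data" / "a.csv").write_bytes(b"id,amount\n1,10\n2,20\n")
        (src / "data" / "b.csv").write_bytes(b"id,amount\n3,30\n")
        (src / "config.json").write_text('{"region": "eu-west-1"}')

        manifest = build_manifest(src)        # captured BEFORE the migration starts
        shutil.copytree(src, dst)             # the migration copy itself

        (dst / "data" / "b.csv").write_bytes(b"id,amount\n3,3\n")  # simulated truncation
        (dst / "config.json").unlink()                              # simulated missing file
        (dst / "data" / "tmp.part").write_bytes(b"partial")         # simulated leftover
        return verify_manifest(manifest, dst)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the source manifest outside the migration path (it is the evidence that the cut-over preserved every byte), and gate the decommissioning of the old environment on a verification run that returns ok; the same manifest doubles as the restore check for the backup taken before the migration.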
