CC Unit 4

The document discusses resource management and security in cloud computing, focusing on inter-cloud resource management, provisioning methods, and security challenges. It highlights the importance of security governance, virtual machine security, and identity and access management (IAM) standards. Additionally, it addresses the need for effective security measures to protect data and applications in a cloud environment.

Uploaded by rohithpanga21

Resource Management & Security In Cloud

Dr. R. Rajeswara Rao
B.Tech., M.Tech., Ph.D., Post Doc. (UOM, USA)
MCSI, SMIEEE
Professor of CSE
JNTUGV-Vizianagaram
Agenda
 Inter Cloud Resource Management
 Resource Provisioning and Resource Provisioning Methods
 Global Exchange of Cloud Resources
 Security Overview
 Cloud Security Challenges
 Software-as-a-Service Security
 Security Governance
 Virtual Machine Security
 IAM – Security Standards


Inter Cloud Resource Management
 Inter cloud, or 'cloud of clouds', refers to a theoretical model for cloud computing services.
 It combines many different individual clouds into one seamless mass in terms of on-demand operations.
 A single cloud may become saturated with respect to the computational and storage resources of its infrastructure.
 When two or more clouds have to communicate with each other, an intermediary comes into play and federates the resources of the two or more clouds.
 In the inter cloud, this intermediary is known as a "cloud broker" or simply a "broker."
 The broker is the entity that introduces the cloud service customer (CSC) to the cloud service provider (CSP).
Inter Cloud Resource Management

Inter-cloud resource management consists of:
 Extended Cloud Computing Services
 Resource Provisioning and Platform Management
 Virtual Machine Creation and Management
 Global Exchange of Cloud Resources

Extended Cloud Computing Services

Six layers of cloud services and their providers


Extended Cloud Computing Services

Cloud Service Tasks and Trends

 SaaS is mostly used for business applications.
Eg: CRM (Customer Relationship Management), used for business promotion, direct sales, and marketing services.
 PaaS is provided by Google, Salesforce.com, Facebook, etc.
 IaaS is provided by Amazon, Windows Azure, RackRack, etc.
 Colocation services provide security to the lower layers.
 Network cloud services provide communications.

Resource Provisioning (Providing) and Platform Deployment
There are several techniques for provisioning compute resources or VMs. Parallelism is exploited at the cluster node level.

 Provisioning of Compute Resources (VMs)
 Provisioning Methods
   Demand-Driven Methods
   Event-Driven Resource Provisioning
   Popularity-Driven Resource Provisioning
 Dynamic Resource Deployment
 Provisioning of Storage Resources

Virtual Machine Creation and Management
Global Exchange of Cloud Resources
 Cloud infrastructure providers (i.e., IaaS providers) have established data centers in multiple geographical locations to provide redundancy and ensure reliability in case of site failures.
 Amazon does not provide seamless/automatic mechanisms for scaling its hosted services across multiple geographically distributed data centers.
 First, it is difficult for cloud customers to determine in advance the best location for hosting their services, as they may not know the origin of the consumers of their services.
 Second, SaaS providers may not be able to meet the QoS expectations of their service consumers originating from multiple geographical locations.
 It is not possible for a cloud infrastructure provider to establish its data centers at all possible locations throughout the world.
 This results in difficulty in meeting the QoS expectations of their customers.

Global Exchange of Cloud Resources
Security
 Virtual machines from multiple organizations have to be co-located on the same physical server in order to maximize the efficiencies of virtualization.
 Cloud service providers must learn from the managed service provider (MSP) model and ensure that their customers' applications and data are secure if they hope to retain their customer base and competitiveness.
 A cloud environment should be free from abuses, cheating, hacking, viruses, rumors, and privacy and copyright violations.
Cloud Security Challenges
 In the cloud model, users lose control over physical security.
 In a public cloud, users share computing resources with other companies.
 When users share the environment in the cloud, their data is at risk of seizure (attack).
 Storage services provided by one cloud vendor may be incompatible with another vendor's services; this makes it hard to move from one vendor to the other.
 Vendors create "sticky services".
 Sticky services are services that make it difficult for the end user to move from one cloud vendor to another.
 Customers want their data encrypted while it is at rest (stored) in the cloud vendor's storage pool.
Software as a Service Security (or) Data Security (or) Application Security (or) Virtual Machine Security
Privileged user access—Inquire about who has specialized access to data, and about the hiring and management of such administrators.

Regulatory compliance—Make sure that the vendor is willing to undergo external audits and/or security certifications.

Data location—Does the provider allow any control over the location of data?

Data segregation—Make sure that encryption is available at all stages, and that these encryption schemes were designed and tested by experienced professionals.

Recovery—Find out what will happen to data in the case of a disaster. Do they offer complete restoration? If so, how long would that take?

Investigative support—Does the vendor have the ability to investigate any inappropriate or illegal activity?
Security Governance
 A security committee should be developed whose objective is to focus on providing guidance about security initiatives and their alignment with business and IT strategies.
 A charter for the security team is typically one of the first deliverables from the steering committee.
 This charter must clearly define the roles and responsibilities of the security team and of other groups involved in performing information security functions.
 In addition, lack of attention to security governance can result in key needs of the business not being met, including but not limited to risk management, security monitoring, application security, and sales support.
 Lack of proper governance and management of duties can also result in potential security risks being left unaddressed and opportunities to improve the business being missed.
 Without such governance, the security team is not focused on the key security functions and activities that are critical to the business.
Cloud Security Governance Challenges
 Lack of senior management participation and buy-in
 Lack of embedded management operational controls
 Lack of operating model, roles, and responsibilities
 Lack of metrics for measuring performance and risk

Key Objectives for Cloud Security Governance
 Strategic Alignment
 Value Delivery
 Risk Mitigation
 Effective Use of Resources
 Sustained Performance
Virtual Machine Security
In the cloud environment, physical servers are consolidated (combined) into multiple virtual machine instances.

The following are deployed on virtual machines to ensure security:
 Firewalls
 Intrusion detection and prevention
 Integrity monitoring
 Log inspection
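The last two controls in the list, integrity monitoring and log inspection, are shown below in a small added example (not code from the slides). It assumes a baseline of file contents taken at provisioning time and a few constructed sshd log lines; the file paths and addresses are illustrative.

```python
import hashlib
import re
from collections import Counter

# Constructed baseline: contents of files on a hypothetical VM image.
# In practice the digests are taken at provisioning time and stored off the VM.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}

# Constructed sshd log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    "Jan 10 10:00:01 vm1 sshd[100]: Failed password for root from 203.0.113.5 port 4000 ssh2",
    "Jan 10 10:00:02 vm1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2",
    "Jan 10 10:00:03 vm1 sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2",
    "Jan 10 10:00:04 vm1 sshd[103]: Accepted publickey for deploy from 198.51.100.7 port 5000 ssh2",
    "Jan 10 10:00:05 vm1 sshd[104]: Failed password for root from 198.51.100.7 port 5001 ssh2",
]
FAILED_LOGIN = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+)")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_baseline(files: dict) -> dict:
    """Integrity monitoring, step 1: record a SHA-256 digest per monitored file."""
    return {path: sha256_hex(content) for path, content in files.items()}

def check_integrity(baseline: dict, current: dict) -> list:
    """Integrity monitoring, step 2: list files whose digest no longer matches
    (a missing file counts as changed)."""
    changed = []
    for path, digest in baseline.items():
        now = current.get(path)
        if now is None or sha256_hex(now) != digest:
            changed.append(path)
    return changed

def find_failed_login_bursts(log_lines, threshold: int = 3) -> dict:
    """Log inspection: source addresses with at least `threshold` failed logins."""
    counts = Counter()
    for line in log_lines:
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Running `check_integrity` against a copy of the baseline in which `sshd_config` has been edited reports that file, and `find_failed_login_bursts(SAMPLE_LOG)` reports the one address with three failures.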
Identity and Access Management (IAM) Architecture
Basic concepts and definitions of IAM functions for any service:
 Authentication
 Authorization
 Auditing

The IAM processes that support the business can be broadly categorized as follows:
 User management
 Authentication management
 Authorization management
 Access management
 Data management and provisioning
 Monitoring and auditing
 Provisioning
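To make the three IAM functions (authentication, authorization, auditing) and the provisioning process concrete, here is an added example that is not part of the slides. It uses an in-memory user store and a hypothetical role table with made-up permission names; a real IAM service would back these with a directory.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed in-memory user store and role table (hypothetical names and permissions).
# A real IAM service keeps these in a directory and provisions them per tenant.
_users = {}
_roles = {"admin": {"vm:create", "vm:delete", "vm:read"}, "viewer": {"vm:read"}}
audit_log = []  # auditing: who attempted what, when, and whether it was allowed

def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked store cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _audit(user: str, action: str, allowed: bool) -> None:
    """Auditing: append a record for later review; never store the secret itself."""
    audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                      "user": user, "action": action, "allowed": allowed})

def provision_user(username: str, password: str, role: str) -> None:
    """User management / provisioning: create the account with a fresh random salt."""
    salt = os.urandom(16)
    _users[username] = {"salt": salt, "hash": _derive(password, salt), "role": role}
    _audit(username, "provision", True)

def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the password with a constant-time comparison."""
    rec = _users.get(username)
    # Derive even for unknown users so response time does not reveal which names exist.
    salt = rec["salt"] if rec else bytes(16)
    candidate = _derive(password, salt)
    ok = rec is not None and hmac.compare_digest(candidate, rec["hash"])
    _audit(username, "authenticate", ok)
    return ok

def authorize(username: str, action: str) -> bool:
    """Authorization: role-based check of the requested action against the role table."""
    rec = _users.get(username)
    ok = rec is not None and action in _roles.get(rec["role"], set())
    _audit(username, action, ok)
    return ok
```

Every decision, allowed or denied, lands in `audit_log`, which is what the monitoring and auditing process later reviews.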
Enterprise IAM functional architecture
Security standards
Security standards define the processes, procedures, and practices necessary for implementing a security program.

These standards also apply to cloud-related IT activities and include specific steps that should be taken to ensure that a secure environment is maintained, one that provides privacy and security of confidential information in a cloud environment.

Security standards are based on a set of key principles intended to protect this type of trusted environment. Messaging standards, especially for security in the cloud, must also include nearly all the same considerations as any other IT security endeavor.

Security standards (SAML, OAuth, OpenID, SSL/TLS)
 Security Assertion Markup Language (SAML)
 Open Authentication (OAuth)
 OpenID
 SSL/TLS
Security standards

Security standards (SAML, OAuth, OpenID, SSL/TLS)

 Security Assertion Markup Language (SAML)
SAML is an XML-based standard for communicating authentication, authorization, and attribute information among online partners.
 Open Authentication (OAuth)
OAuth is an open protocol, initiated by Blaine Cook and Chris Messina, that allows secure API authorization in a simple, standardized way for various types of web applications.
 OpenID
OpenID is an open, decentralized standard for user authentication and access control that allows users to log on to many services using the same digital identity. It is a single sign-on (SSO) method of access control.
 SSL/TLS
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographically secure protocols designed to provide security and data integrity for communications over TCP/IP. TLS and SSL encrypt the segments of network connections at the transport layer.
