By Pin Chang and John Gillson
Page 1: Cloud Computing

Page 2: Cloud Computing

Objective

The goals of cloud computing are to increase how quickly an application can scale, to increase the pace of innovation and agility, and at the same time to reduce cost.

Cloud computing is expected to support servers, storage, networking, and virtualization technology.

The concept is changing and transforming old architectures and designs into new ones.

Page 3: Cloud Computing

Cloud Computing Infrastructure Models

Public, Private, and Hybrid Clouds

Architectural Layers of Cloud Computing (SaaS, PaaS, and IaaS)

Cloud Computing Application Programming Interfaces (API)

Page 4: Cloud Computing

Cloud Computing Benefits

Reduce run time and response time

Minimize infrastructure risk

Lower cost of entry: renting the infrastructure instead of buying it saves a great deal of money

Developers programming in assembly language, a low-level language

Increase the pace of innovation

Page 5: Cloud Computing

Architectural Considerations for IaaS

Page 6: Cloud Computing

Cloud Security – Securing Data

Encrypt data at rest – if an intruder penetrates the cloud provider's security, or a configuration error makes stored data accessible to unauthorized parties, the data cannot be read without the key (which therefore has to be kept out of the same failure domain as the data)

Encrypt data in transit – data passes over public infrastructure and could be viewed by any party in between

Require strong authentication between application components – data should only be transmitted to known, authenticated parties

Pay attention to cryptography and to how algorithms are broken and replaced over time. For example, MD5 has practical collision attacks and should not be relied on where collision resistance matters; a stronger hash such as SHA-256 should be used instead, and the design should make it possible to swap the algorithm again when SHA-256's successor is needed
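The last two points, authenticating messages between application components and being able to retire a broken algorithm, as one added Python example (not code from the deck). The envelope layout, the accepted and retired algorithm lists, the clock-skew limit and the demo key are assumptions; HMAC from the standard library is the only primitive used. The algorithm name and timestamp are bound into the MAC so that a relay cannot change them, a message tagged `md5` is rejected before any MAC is computed, and the comparison is constant-time.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Added example: algorithm-agile message authentication between components.
# ACCEPTED_ALGS/RETIRED_ALGS, MAX_SKEW_SECONDS and the envelope fields are assumptions.
ACCEPTED_ALGS = ("sha256", "sha512")
RETIRED_ALGS = ("md5", "sha1")      # rejected explicitly, not just "unknown"
MAX_SKEW_SECONDS = 300              # replay/freshness window for the timestamp


def _canonical(payload: dict, alg: str, ts: int) -> bytes:
    # Deterministic serialization, with the algorithm name and timestamp bound in,
    # so neither can be swapped by an intermediary without invalidating the MAC.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return f"{alg}|{ts}|{body}".encode()


def sign_message(key: bytes, payload: dict, alg: str = "sha256",
                 ts: Optional[int] = None) -> dict:
    if alg not in ACCEPTED_ALGS:
        raise ValueError(f"refusing to sign with {alg}")
    ts = int(time.time()) if ts is None else int(ts)
    mac = hmac.new(key, _canonical(payload, alg, ts), alg).hexdigest()
    return {"alg": alg, "ts": ts, "payload": payload, "mac": mac}


def verify_message(key: bytes, envelope: dict, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Every failure is closed: no partial trust."""
    alg = envelope.get("alg")
    if alg in RETIRED_ALGS:
        return False, f"{alg} is retired"
    if alg not in ACCEPTED_ALGS:
        return False, "unknown algorithm"
    try:
        ts = int(envelope["ts"])
        mac = str(envelope["mac"])
        payload = envelope["payload"]
    except (KeyError, TypeError, ValueError):
        return False, "malformed envelope"
    now = int(time.time()) if now is None else int(now)
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale message"
    expected = hmac.new(key, _canonical(payload, alg, ts), alg).hexdigest()
    # Constant-time compare: a plain == leaks the position of the first wrong byte.
    if not hmac.compare_digest(expected, mac):
        return False, "bad MAC"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"          # constructed for the demo
    env = sign_message(key, {"op": "terminate", "instance": "i-0001"}, ts=1_700_000_000)
    print(verify_message(key, env, now=1_700_000_010))   # (True, 'ok')
    print(verify_message(key, dict(env, alg="md5"), now=1_700_000_010))  # retired
```

Retiring an algorithm is then a one-line change to `RETIRED_ALGS` on the receiving side, and peers that have not been upgraded fail loudly rather than being accepted with a weak MAC.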

Page 7: Cloud Computing

Cloud Security – Securing Data

Consider strong, token-based authentication for administrator roles

For customer login/password access, consider who manages the authentication server and whether it is under the company's or the cloud provider's control

For anonymous access to storage, for example anonymous FTP, consider whether a customer would register with the cloud provider for access or whether the cloud provider could federate with the company's authentication servers
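An added Python example (not from the deck) of what "token-based authentication for administrator roles" can mean in practice: a time-based one-time password (RFC 6238, built on RFC 4226 HOTP) verified server-side with the checks the algorithm alone does not give you, namely a bounded clock-drift window, refusal to accept a code twice, and a lockout after repeated failures. The window size and lockout threshold are policy choices assumed here; the secret shown is the RFC's published test secret, not one to deploy.

```python
import hmac
import struct
import time
from typing import Optional, Tuple

# Added example: TOTP as an administrator's second factor. The +/-1 step window and
# the five-failure lockout are assumed policy values, not from the deck.


def hotp(secret: bytes, counter: int, digits: int = 6, alg: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), alg).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, alg: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits, alg)


class TotpVerifier:
    """Server-side state for one administrator's token."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, max_failures: int = 5) -> None:
        self.secret, self.step, self.digits = secret, step, digits
        self.window = window            # tolerate this many steps of clock drift either way
        self.max_failures = max_failures
        self._last_counter = -1         # highest step already used for a successful login
        self._failures = 0

    def verify(self, code: str, now: Optional[int] = None) -> Tuple[bool, str]:
        if self._failures >= self.max_failures:
            return False, "locked"      # a 6- or 8-digit code is guessable without a limit
        if len(code) != self.digits or not code.isdigit():
            self._failures += 1
            return False, "invalid"
        current = (int(time.time()) if now is None else int(now)) // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self._last_counter:
                continue                # a code that was already accepted must not work twice
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self._last_counter = counter
                self._failures = 0
                return True, "ok"
        self._failures += 1
        return False, "invalid"


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"      # RFC 6238 Appendix B test secret
    print(totp(rfc_secret, 59, digits=8))     # RFC vector: 94287082
```

The RFC test vectors pin down the arithmetic; the verifier's bookkeeping (last accepted step, failure counter) is what turns a correct algorithm into a usable second factor, and in a real deployment that state lives in the authentication server the previous slide asks you to locate deliberately.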

Page 8: Cloud Computing

Cloud Security – Web Services

The Web Services platform is the most widely used implementation technology in cloud computing and requires a robust security policy

The Web Services Security specification (WS-Security) provides a set of mechanisms that help developers of Web Services secure SOAP message exchanges

WS-Security describes enhancements to existing SOAP messaging that provide quality of protection (QoP) by applying message integrity, message confidentiality, and single-message authentication to SOAP messages
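An added Python example, not from the deck or the specification text, of the simplest WS-Security mechanism: a SOAP request carrying a `wsse:UsernameToken` in PasswordDigest form, and a service-side verifier for it. The namespace URIs and the digest formula (`Base64(SHA-1(nonce + created + password))`) are those of the WS-Security UsernameToken Profile; the body element, user names, passwords, freshness window and replay-cache shape are constructed for the illustration. Note what this does and does not give you: it authenticates the caller without putting the password on the wire, but it does not protect the message body; integrity and confidentiality of the SOAP body are XML Signature and XML Encryption, which the deck's "quality of protection" bullet refers to.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Added example: WS-Security UsernameToken (PasswordDigest) build and verify.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
BASE64_BINARY = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    # Profile-mandated formula; SHA-1 here only hides the password behind a fresh nonce,
    # it gives no integrity to the message body.
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_request(username: str, password: str, body_xml: str,
                  nonce: Optional[bytes] = None, created: Optional[str] = None) -> str:
    nonce = os.urandom(16) if nonce is None else nonce
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    sec = ET.SubElement(header, f"{{{WSSE}}}Security", {f"{{{SOAP}}}mustUnderstand": "1"})
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": PASSWORD_DIGEST}).text = \
        password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce", {"EncodingType": BASE64_BINARY}).text = \
        base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


class UsernameTokenVerifier:
    def __init__(self, passwords: dict, freshness_seconds: int = 300) -> None:
        self.passwords = passwords                      # constructed user table
        self.freshness = timedelta(seconds=freshness_seconds)
        self.seen = set()   # (username, nonce) replay cache; must be shared across service nodes

    def verify(self, xml_text: str, now: Optional[str] = None) -> Tuple[bool, str]:
        now_dt = (datetime.strptime(now, TIME_FMT) if now
                  else datetime.now(timezone.utc).replace(tzinfo=None))
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            return False, "not XML"
        tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        username = tok.findtext(f"{{{WSSE}}}Username") or ""
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce") or ""
        created = tok.findtext(f"{{{WSU}}}Created") or ""
        # Plaintext PasswordText, or a digest without nonce and timestamp, is refused outright.
        if pw is None or pw.get("Type") != PASSWORD_DIGEST or not nonce_b64 or not created:
            return False, "digest, nonce and created are all required"
        try:
            created_dt = datetime.strptime(created, TIME_FMT)
            nonce = base64.b64decode(nonce_b64, validate=True)
        except ValueError:
            return False, "malformed token"
        if abs(now_dt - created_dt) > self.freshness:
            return False, "stale Created"
        if (username, nonce) in self.seen:
            return False, "replayed nonce"
        # Digest is computed even for unknown users so timing does not reveal valid names.
        expected = password_digest(nonce, created, self.passwords.get(username, ""))
        if username not in self.passwords or not hmac.compare_digest(expected, pw.text or ""):
            return False, "bad credentials"
        self.seen.add((username, nonce))
        return True, username
```

The freshness window and the nonce cache are the two checks that make the digest more than a hash of a static password: without them, a captured header can simply be resent.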

Page 9: Cloud Computing

Cloud Security – Web Services

Page 10: Cloud Computing

Cloud Security – Web Services

Page 11: Cloud Computing

Cloud Security – Security Domains

Security domains group virtual machines (VMs) together and control access to the domain through the cloud provider's port filtering. For example, create a security domain for the front-end Web servers, open only the HTTP or HTTPS ports to the outside world, and filter traffic from the Web server domain to the one containing the back-end databases so that only the database port is reachable, and only from the Web servers.

Page 12: Cloud Computing

Cloud Security – Common Scenario

System administrators commonly deploy clusters of nodes on private, unroutable networks with a single front-end node responsible for routing traffic between the cluster nodes and the public network

In this configuration, nodes can initiate connections to external hosts, but external hosts cannot connect to nodes running inside a cluster

An administrator might configure two Linux clusters, a server pool, and a collection of workstation nodes: each Linux cluster has a front-end node with a public IP address while the cluster nodes are connected over a private network; the server and workstation nodes have public IP addresses, but the workstations sit behind a firewall and cannot be contacted from the outside world

It may be impossible to build a fully connected system, because many of the nodes can only initiate connections to external hosts or are completely isolated from external networks

Two clusters may even use overlapping IP address ranges, because their networks are private and unroutable
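An added nftables ruleset, not from the deck, for the front-end node of the scenario just described, which also implements the two security domains from the previous slide: the cluster sits on private networks behind the front-end, nodes may initiate outbound connections but cannot be reached from outside, only HTTP/HTTPS is published into the Web domain, and the Web domain may reach the database domain on the database port only. Interface names, address ranges and the database port are constructed values; the assumption is that each domain is on its own segment routed through the front-end, so that domain-to-domain traffic passes the forward hook.

```nft
#!/usr/sbin/nft -f
# Added example (not the deck's configuration): cluster front-end node with two
# security domains. Interface names and addresses are constructed values.

define PUBLIC_IF = "eth0"
define WEB_IF    = "eth1"        # 10.10.1.0/24, front-end Web server domain
define DB_IF     = "eth2"        # 10.10.2.0/24, back-end database domain
define WEB_VIP   = 10.10.1.10    # Web server that receives the published ports

flush ruleset

table inet cluster_frontend {
    set web_domain { type ipv4_addr; elements = { 10.10.1.10, 10.10.1.11 } }
    set db_domain  { type ipv4_addr; elements = { 10.10.2.10 } }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The front-end's address is the only public one: publish 80/443 into the Web domain.
        iifname $PUBLIC_IF tcp dport { 80, 443 } dnat ip to $WEB_VIP
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Cluster nodes may initiate outbound connections; they leave as the public address.
        oifname $PUBLIC_IF ip saddr 10.10.0.0/16 masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Outbound from either domain to the public network.
        iifname { $WEB_IF, $DB_IF } oifname $PUBLIC_IF accept

        # Inbound from the public network: the published ports only, into the Web domain only.
        iifname $PUBLIC_IF oifname $WEB_IF ip daddr @web_domain tcp dport { 80, 443 } accept

        # Web domain -> DB domain on the database port. Nothing reaches the DB domain from
        # outside, and the DB domain cannot open connections back into the Web domain.
        iifname $WEB_IF oifname $DB_IF ip saddr @web_domain ip daddr @db_domain tcp dport 5432 accept

        log prefix "frontend-drop " drop
    }
}
```

Two checks worth running after loading it: from the public side, a connection to the front-end on 5432 (or to any Web server port other than 80/443) must time out rather than be refused by the database, and from a database node a connection attempt to a Web server must be dropped, which confirms the domain boundary is enforced in both directions and not only for inbound traffic.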

Page 13: Cloud Computing

Sample Cloud architecture

A hierarchical design that reflects the underlying resource topology of a cloud: Client, Cloud Controller (CLC), Cluster Controller (CC), and Node Controller (NC) components

Example placement of the CLC, CC, and NC components within a typical resource environment

Page 14: Cloud Computing

Sample Cloud architecture – Node Controller (NC)

The NC component executes on the physical resources that host VM instances and is responsible for instance initialization, inspection, termination, and cleanup

There are typically many NCs, but only one NC needs to execute on each physical node, since a single NC can manage multiple VM instances on that node

Page 15: Cloud Computing

Sample Cloud architecture – Cluster Controller (CC)

A collection of NCs that logically belong together is managed by a single CC, which typically executes on a cluster front-end node that has access to both the private and the public network

The CC is responsible for gathering state information from its collection of NCs, scheduling incoming VM instance execution requests onto individual NCs, and managing the configuration of the public and private instance networks

Page 16: Cloud Computing

Sample Cloud architecture – Cloud Controller (CLC)

A single CLC is the primary entry point and decision-making component

The CLC is responsible for processing incoming user and administrative requests, making VM instance scheduling decisions, processing service-level agreements (SLAs), and maintaining persistent system and user metadata

The CLC is composed of services that handle user requests and authentication, persistent system and user metadata, and the management and monitoring of VM instances

An enterprise service bus (ESB) component configures, manages, and publishes these services and decouples the service implementations from message routing and transport details

Page 17: Cloud Computing

Sample Cloud architecture – Instance Control

When an instance creation event is initiated, the VmControl service coordinates with the other CLC services to resolve the user's request to concrete images, keypairs, networks, and security groups

Allocation consists of validating every one of these metadata references before anything is dispatched

Messages are then disseminated to the CCs involved in the allocation, and each CC schedules the instance request onto its locally controlled NCs, which create the VM instances themselves and respond accordingly
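An added Python sketch, not Eucalyptus code, of the validation step that has to happen before any CC message is sent: every reference in the request (image, keypair, network, security group) is checked to exist and to be usable by the requesting user, all problems are collected in one pass, and the per-CC messages are built only after the whole request has been accepted. The record layout, the "owner or public" rule, the network-to-cluster placement and the sample records are assumptions for the illustration. The point a practitioner should take from it is the failure mode it prevents: a request that names another user's keypair or image must fail before dispatch, and must fail indistinguishably from a reference that does not exist, so the allocation path cannot be used to enumerate other tenants' objects.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example: validate all metadata references, then dispatch. Record fields,
# ownership rule and placement policy are assumptions, not the deck's design.
REQUIRED_REFS = ("image", "keypair", "network", "security_group")


@dataclass(frozen=True)
class MetadataRecord:
    kind: str
    ref: str
    owner: str
    public: bool = False   # e.g. a shared machine image; a keypair is never shareable


class AllocationError(Exception):
    """Raised before dispatch with every problem found, so the caller needs one round trip."""


class VmControl:
    def __init__(self, records) -> None:
        self._index = {(r.kind, r.ref): r for r in records}

    def validate(self, user: str, request: dict) -> Tuple[Dict[str, MetadataRecord], List[str]]:
        resolved, problems = {}, []
        for kind in REQUIRED_REFS:
            ref = request.get(kind)
            if not ref:
                problems.append(f"missing {kind}")
                continue
            rec = self._index.get((kind, ref))
            usable = rec is not None and (rec.owner == user or (rec.public and kind != "keypair"))
            if not usable:
                # Same wording whether the object is absent or belongs to someone else:
                # the error must not confirm that another tenant's object exists.
                problems.append(f"{kind} {ref} not found")
                continue
            resolved[kind] = rec
        return resolved, problems

    def dispatch(self, user: str, request: dict, network_to_cc: Dict[str, str]) -> List[dict]:
        resolved, problems = self.validate(user, request)
        if problems:
            raise AllocationError("; ".join(problems))   # nothing has been sent to any CC
        cc = network_to_cc[resolved["network"].ref]      # hypothetical placement: by network
        msg = {"cc": cc, "user": user, **{kind: rec.ref for kind, rec in resolved.items()}}
        return [dict(msg, index=i) for i in range(int(request.get("count", 1)))]


if __name__ == "__main__":
    # Constructed metadata for two tenants.
    vc = VmControl([
        MetadataRecord("image", "emi-1", "alice"),
        MetadataRecord("image", "emi-pub", "admin", public=True),
        MetadataRecord("keypair", "kp-a", "alice"),
        MetadataRecord("keypair", "kp-b", "bob"),
        MetadataRecord("network", "net-1", "alice"),
        MetadataRecord("security_group", "default", "alice"),
    ])
    req = {"image": "emi-1", "keypair": "kp-a", "network": "net-1", "security_group": "default"}
    print(vc.dispatch("alice", req, {"net-1": "cc-1"}))
    print(vc.validate("alice", dict(req, keypair="kp-b"))[1])   # ['keypair kp-b not found']
```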

Page 18: Cloud Computing

Sample Cloud architecture

Overview of services that comprise the CLC. Lines indicate the flow of messages where the dashed lines correspond to internal service messages

Page 19: Cloud Computing

Cloud Security – Virtual Networking

A complete VM instance network solution must address connectivity, isolation, and performance

Every VM must have network connectivity to the other VMs it is allocated with and to the Internet

Users who are granted super-user access inside a VM control its network interfaces, and that is a security concern: a VM instance user may act maliciously once they realize they can choose the IP or MAC addresses the system presents

If multiple VM instances run on one physical machine, a VM user may be able to intercept network packets belonging to another
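An added nftables ruleset, not from the deck, showing the host-side control for the two concerns above: a bridge-family filter on the node that pins each VM's tap interface to the MAC and IP the node controller assigned, so a super-user inside the guest cannot impersonate another instance's addresses, poison ARP on the shared physical Ethernet, or inject its own VLAN tags (the tagging the deck later describes for per-user isolation is done by the host, not the guest). The interface name, MAC and IP are constructed values for a single instance; the node controller would install one such chain per VM it starts. DHCP is allowed from the unassigned address because the deck's network modes assign addresses over DHCP.

```nft
#!/usr/sbin/nft -f
# Added example (not the deck's configuration): per-instance anti-spoofing on the
# NC's bridge. Interface name, MAC and IP are constructed values for one VM.

table bridge vm_guard {
    chain vm_i0001_egress {
        # 1. Only the MAC the NC assigned to this instance may appear as a source.
        ether saddr != 52:54:00:aa:bb:01 drop

        # 2. ARP: sender hardware and protocol addresses must be the instance's own,
        #    which stops ARP poisoning of neighbours on the same physical segment.
        arp saddr ether != 52:54:00:aa:bb:01 drop
        arp saddr ip != 10.10.1.10 drop

        # 3. Let the instance obtain its lease (DHCP DISCOVER/REQUEST are sent from 0.0.0.0).
        ip saddr 0.0.0.0 udp sport 68 udp dport 67 accept

        # 4. Otherwise the only permitted IPv4 source is the assigned address.
        ip saddr != 10.10.1.10 drop

        # 5. No IPv6 is assigned in this example, so none may leave the guest.
        ether type ip6 drop

        # 6. The guest does not choose VLAN tags; the host applies the per-user tag.
        ether type vlan drop

        accept
    }

    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        # Frames entering the bridge from this VM's tap are checked; other ports untouched.
        iifname "tap-i0001" jump vm_i0001_egress
    }
}
```

This is the same idea as libvirt's `clean-traffic` network filter; the value of writing it out is seeing that each rule answers one specific capability a root user inside the guest has.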

Page 20: Cloud Computing

Cloud Security – Virtual Networking

In a cloud shared by different, distributed, and often unrelated users, VMs belonging to a single cloud allocation must be able to communicate, but VMs belonging to separate allocations must be isolated

A public virtual network interface handles communication outside of, or between, a given set of VM instances

Page 21: Cloud Computing

Cloud Security – Virtual Networking

In an environment that has public IP addresses available, public virtual network interfaces may be assigned to VM instances at instance initialization, allowing communication both to and from the instance

In environments where instances are connected to a private network whose router supports external communication through network address translation (NAT), the public interface may instead be assigned a valid private address, giving it access to systems outside the local network through the NAT-enabled router

Page 22: Cloud Computing

Cloud Security – Virtual Networking

The CC can be configured to set up the public interface network in three ways:

Attach the VM's public interface directly to a software Ethernet bridge connected to the physical machine's network, allowing the administrator to handle VM network DHCP requests the same way they handle regular DHCP requests

Allow the administrator to define a dynamic pool of IP addresses that are assigned by a DHCP server executed by the CC. The administrator defines a network, an interface on the CC that is connected to that network, and a range of IP addresses that are assigned as instances are started

Allow the administrator to define static MAC and IP address tuples. Each new instance created by the system is assigned a free MAC/IP tuple, which is released when the instance is terminated

Page 23: Cloud Computing

Cloud Security – Virtual Networking

Another requirement of the virtual network is that it supports instance network traffic isolation

If two instances owned by separate users are running on the same host, or on different hosts connected to the same physical Ethernet, the users must not be able to inspect or modify each other's network traffic. To meet this requirement, each set of user-owned instances is assigned a tag that is used as the VLAN identifier for that user's instances

Essentially, each VM gets a private network address; "elastic IPs", public addresses that can persist across user requests, are supported through iptables rules on the cluster head node

Page 24: Cloud Computing

References

[1] Wang, J., Zhao, Y., Jiang, S., & Le, J. (2009). Providing Privacy Preserving in Cloud Computing.

[2] Wei, J., Zhang, X., Ammons, G., Bala, V., & Ning, P. (2009). Managing Security of Virtual Machine Images in a Cloud Environment.

[3] Yildiz, M., Abawajy, J., Ercan, T., & Bernoth, A. (2009). A Layered Security Approach for Cloud Computing Infrastructure.

[4] Introduction to Cloud Computing. Sun Microsystems whitepaper.

[5] General Parallel File System (GPFS). http://www.almaden.ibm.com/storagesystems/projects/gpfs/

[6] Web Services Security (WS-Security). http://www.ibm.com/developerworks/library/specification/ws-secure/

[7] WS-Security Specification. http://publib.boulder.ibm.com/infocenter/dmndhelp/v6rxmx/index.jsp?topic=/com.ibm.wbit.help.runtime.doc/topics/cwssecurity.html

[8] Nurmi, D., Wolski, R., Grzegorczyk, C., Obertelli, G., Soman, S., Youseff, L., & Zagorodnov, D. (2009). Eucalyptus: An Open-Source Cloud Computing Infrastructure.