Introduction to Cloud Computing
© 2018 Web Age Solutions, Inc. All rights reserved
Lesson Objectives
Introduce the basics of Cloud Computing
Identify cloud goals
Define the key benefits derived from Cloud, including the 5 normally stated characteristics + 1
Explain service models in Cloud
Describe Cloud deployment models
Where to begin with Cloud Computing
The start of Cloud Computing in organizations usually begins with:
Facilitated understanding and documentation of the present state of technology for infrastructure, applications, process, capabilities, and talent
Planning for the future of application development using Cloud infrastructure, platforms, and services
Creation of the plan of prioritized tasks (rocks) to move the organization (mountain) toward Cloud Computing and usage of Cloud services
Getting Started
What is Cloud Computing?
On-demand delivery of IT resources and applications via the Internet
Cloud providers, e.g. Private, GCP, AWS, Azure
Resources and applications hosted in geographically distributed data centers that are designed and built with high scalability and reliability
Using applications and services with shared responsibility
[Diagram: cloud stack layers. Application: Monitoring, Content, Collaboration, Communication, Finance. Platform: Object Storage, Identity, Runtime, Queue, Database. Infrastructure: Compute, Block Storage, Network.]
Multi-tenancy
Cloud environments are resource pools that serve multiple consumers
Multi-tenancy in cloud relies on the use of virtualization and containerization technologies
Cloud IT resources are partitioned so that computational resources, data, network, etc. are shared through virtual private cloud (VPC)
Each tenant is isolated, accessing only their resources
[Diagram: tenant scopes: Application, Business Unit, Team/Project]
National Institute of Standards and Technology (NIST) Perspective
"Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
Furthermore, the cloud model promotes availability and has the following from their original definition:
Five essential characteristics: On-demand self-service, Ubiquitous network access, Rapid elasticity, Location independent resource pooling, Measured service
Three service models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Four deployment models: Private, Community, Public, Hybrid
[Diagram: enabling technologies: Virtualization, Grid Technology, Service Oriented Architectures, Browser as a Platform, Distributed Computing, Broadband Networks, Free and Open Source Software, Service Level Agreements, Autonomic Systems, Web 2.0, Web Application Frameworks, Utility Computing]
Cloud Characteristics (NIST + 1)
Rapid elasticity
Broad network access
On-demand and self-service
Resource pooling
Measured service
Managed service (the + 1)
Cloud Service Models AKA Cloud Delivery Models
NIST defines the following three service delivery models:
SaaS: Software as a Service
PaaS: Platform as a Service
IaaS: Infrastructure as a Service
[Diagram: example workloads per model. SaaS: Email, CRM, Collaborative, ERP. PaaS: App Development, Decision Support, Web, Streaming. IaaS: Caching, Legacy, Networking, Security, File, Technical, System Mgmt.]
We'll add one more category:
XaaS: Everything/Anything as a Service
Infrastructure-as-a-Service (IaaS)
Cloud provider infrastructure for you to deploy your own software solution: (virtual) servers, applications, networking, database, resource management systems, etc.
Examples: Amazon EC2, Google Compute Engine, Microsoft Azure, OpenStack, Rackspace, VMWare
Platform-as-a-Service (PaaS)
The Cloud vendor provides a computing environment where we run our solutions.
Our solutions use run-times, APIs, and other provider services or resources within their environment
Examples: Amazon Beanstalk, Cloud Foundry (Pivotal), Google App Engine (GAE), Heroku, Microsoft Azure
PaaS can be built on top of IaaS, in which case our PaaS solutions act as consumers of the IaaS services
Software-as-a-Service (SaaS)
Vendors provide solutions that we purchase access to in the form of some sort of licensing subscription model
Examples: Salesforce.com, Google Gmail, Google Docs, Apple iCloud, Adobe Marketing Cloud, UPS/FedEx Shipping APIs, CyberSource Vault
Service Type Comparison
IaaS: Deploy any software stack that you want
PaaS: Utilize programming languages that are supported by the vendor and run-time environments; your applications talk to the outside world through the established API
SaaS: Use Cloud vendor's software, typically delivered through a user interface or web services
You forego control in favor of vendor-managed cloud capabilities along this path:
IaaS → PaaS → SaaS
Pizza-as-a-Service
[Diagram: the pizza analogy compares four ways of getting pizza (Traditional On-Premises / Made at home, Infrastructure as a Service / Take & Bake, Platform as a Service / Delivery, Software as a Service / Dining Out) across the same components: Dining Table, Soda, Electric/Gas, Fire, Oven, Pizza Dough, Tomato Sauce, Toppings, Cheese. Moving from left to right, the set of components You Manage shrinks and the set the Vendor Manages grows.]
Cloud Reference Model
[Diagram: layered reference model, bottom to top: Facilities, Hardware, Abstraction Layer, Core Connectivity & Delivery, APIs, Integration Layer & Middleware, Data/Metadata/Content, Applications, Presentation. IaaS, PaaS and SaaS each cover progressively more of these layers; Governance/Provisioning/Monitoring/SLA/Billing and Resource Infrastructure span the whole stack.]
IaaS Platform Nomenclature
[Diagram: IaaS layers, top to bottom: APIs; Core Connectivity & Delivery (IPAM/DNS, Mgmt, ILM/Auth); Abstraction (VMM, Grid/Cluster/Utility, Images); Hardware (Network, Storage); Facilities (Power, HVAC, Space)]
PaaS Platform Nomenclature
Many PaaS platforms are implemented on top of some sort of IaaS platform (from the same vendor or a 3rd party)
[Diagram: PaaS adds an Integration & Middleware layer (with ILM/Auth) on top of the IaaS stack]
SaaS Platform Nomenclature
[Diagram: SaaS layers on top of the PaaS stack: APIs (SOAP, REST, Query); Presentation Modality (Data, Voice, Video); Presentation Platform (Native, Web, PC, Mobile); Applications; Data, Metadata, Content]
What is XaaS?
XaaS (Everything or Anything-as-a-Service) is a collective term for the expansion of As-a-Service from Software, Platform and Infrastructure usages
XaaS is a concept of being able to call up re-usable, fine-grained software components across a network, and is a subset of cloud computing
Everything and Anything as a Service (XaaS)
Enterprise areas of XaaS usage include:
MaaS – Monitoring-as-a-Service
MaaS – Metal-as-a-Service
iPaaS – Integration Platform-as-a-Service
hpaPaaS – High Performance Application PaaS
BaaS – Backup-as-a-Service
SECaaS – Security-as-a-Service
Examples of as-a-Service
Cloud-Everything
Google App Engine (PaaS)
Google App Engine (often referred to as GAE or simply App Engine) is a platform as a service (PaaS) cloud computing platform for developing and hosting web applications in Google-managed data centers.
Google App Engine is a fully managed platform that completely abstracts away infrastructure so developers focus only on code.
Out of the box, App Engine supports Node.js, Java, Ruby, C#, Go, Python, and PHP. Developers from these language communities can be productive immediately in a familiar environment.
Force.com
Platform-as-a-service developed by Salesforce.com to expand from the CRM software-as-a-service.
Enables development teams in the building and management of applications, by allowing them to focus on the application and not the infrastructure.
Boomi
Dell Boomi AtomSphere is an on-demand multi-tenant cloud integration platform-as-a-service for connecting cloud and on-premises applications and data.
The Boomi platform enables customers to design cloud-based integration processes called Atoms and transfer data between cloud and on-premises applications.
MuleSoft
MuleSoft is a vendor that provides an integration platform to connect applications, data and APIs across on-premises and cloud computing environments.
MuleSoft's Anypoint Platform integrates or connects SaaS applications and existing legacy applications through application programming interfaces (APIs).
ServiceNow
ServiceNow is an Information Technology Service Management tool hosted in cloud and utilized by customers as a Software-as-a-Service (SaaS).
ServiceNow is used to replace or augment on-premises IT tools with a modern, easy-to-use service management solution in the cloud that requires no infrastructure.
Cloud Advantages
Offload capital infrastructure (fixed) cost to cloud provider
Scalability
Business agility
Pay-as-you-go model
Cloud Deployment Models
Public Cloud
Private Cloud
Community Cloud
Hybrid Cloud
[Figure: Traditional Waterfall Computing Scaling and Provisioning]
[Figure: Agile Cloud Computing Scaling and Provisioning]
Cloud Computing Challenges
Compliance/Security with rapidly changing capabilities
Complexity of solutions and knowledge management and talent needs
Cloud Provider Vendor Lock-in or Cloud Provisioning Vendor Lock-in
Fit with Current People, Process, Technology
Cost of Service without Change in Architecture
[Diagram: Challenges of Enterprise Cloud Adoption: Compliance/Security, Complexity, Cost and Price, Compatibility with Current IT Infrastructure]
Evolution of Cloud Computing
Cloud computing is a result of the convergence of several technologies and computing paradigms:
Virtualization, 1960s, 1990s, 2000s
Grid computing, early/late 1990s
Large Data Centers and Multi-Tenancy, late 1990s
Software as a Service (SaaS), late 1990s
Service Oriented Architecture (SOA) – 2000s
Microservices and Containerization
Cloud Use Cases
Discussion
Do you have visibility to how Cloud is being used in the Organization?
Is there a Cloud Competency or COE currently?
Could you share some of the successes / opportunities?
Do you have any other organization specific insights to share?
Summary
Introduction to the basics of Cloud Computing
Identification of cloud goals
Definition of the key benefits derived from Cloud including the 5 normally stated characteristics
Explanation of service models in Cloud
Description of Cloud deployment models
Cloud Computing Environment Attributes
Lesson Objectives
Cloud standardization
Elasticity
Cloud vendor market place
Virtualization & Containerization
Dynamic infrastructure
Cloud Standardization
The major cloud vendors, including AWS, Google, and Microsoft, have their own standards for managing their highly proprietary platform infrastructure
Clients are offered platform-specific programming API, command-line, and web services interfaces to interact with the platform of choice
An attempt is being made to standardize client-facing interactions with various platforms using the newly developed open Cloud standards [http://cloud-standards.org/]
The main governing body managing the open Cloud standards development effort is the Cloud Standards Customer Council (CSCC), which includes more than 600 of the world's leading organizations that provide the community's feedback to help design service interfaces
[Cartoon: "SITUATION: There are SO many competing standards." "?!? Ridiculous! We need to develop one universal standard that covers everyone's use cases." "Yeah!" "SOON: SITUATION: There are MORE competing standards."]
Cloud Standardization: An Example
The Open Cloud Computing Interface (OCCI) model is built on top of the Resource Oriented Architecture and uses REST web services to handle client requests for services such as:
Virtual Machine deployment,
Cloud management requests,
Monitoring queries,
Distributed tracing.
Cloud Managed Services
Cloud services are collectively referred to as managed (by the Cloud platform) services. These services have such Cloud-grade attributes as:
Scalability
High availability
Robustness
Metered usage (for billing)
Shared Responsibility
Automation
Personalized dashboards
Workflow
Common strategies for logging, automation, notification, monitoring, visualization
Shared Responsibility Model
Cloud vendors demarcate the scopes of their and client responsibilities:
The Cloud vendor is responsible for
• Providing cloud-grade infrastructure with the perimeter security and intrusion detection in place
Clients are responsible for
• Security of their accounts, networks, and applications, including:
• User access control
• User roles
• Application passwords
• Instance OS patching
• Network configuration (public / private)
Virtualization
To run your servers in IaaS, you will need to self-provision them as virtual machine (VM) instances
Vendors standardize their platforms on different types of virtualization technologies, e.g. Amazon Machine Images (AWS AMI) support two types of virtualization: Paravirtual (PV) and Hardware Virtual Machine (HVM); Google offers KVM on their Compute Engine platform
Lifecycles of VM instances (start/suspend/stop/etc.) are controlled by Virtual Machine Monitors (VMM)
VMMs are also referred to as hypervisors
Cloud vendors implement hypervisor pools to achieve reliability and scalability of their virtualized operations
A VM is booted from a bootable machine image of an OS of your choice (e.g. Ubuntu, Windows, or RHEL)
Containerization
To run your applications containerized, cloud providers have offerings to support this common cloud-native application modernization pattern, e.g. AWS with ECS and ECR
With the widespread adoption of Docker as the vehicle for containerized microservices and other applications or application components:
• Providers are supporting this pattern and adding other services to allow for management
• Kubernetes, Mesos, Swarm or custom Container Management Platforms like OpenShift
• Distributed tracing, monitoring, AWS X-Ray
• Event-driven models, e.g. AWS Lambda, Azure Functions, Google Functions, BlueMix OpenWhisk
Virtual Machine Images
You deploy your applications on the (guest) OS that runs in a VM
A disk image containing an OS (with optionally pre-installed software) that can be booted in a VM (and managed by the hypervisor) is called the bootable OS image
• Example 1: Amazon Web Services (AWS) offer an Amazon Machine Image (AMI), which is a packaged-up environment containing all the necessary binaries to set up and boot your virtual server instance. AMIs are units of deployment. Amazon EC2 provides a number of tools for creating an AMI
• Example 2: Google Compute Engine uses the KVM hypervisor and only supports guest images running Linux or FreeBSD
Applying Virtualization to Cloud
Virtualization provides a critical capability to the Cloud computing world - scaling - through effective utilization of hardware in Cloud vendors' data centers
• Horizontal (and vertical) scaling of server infrastructure and resources meets overall demand as well as client-specific demand
Much of a Cloud's ability to seamlessly support multiple end-users with wildly different usage scenarios and peak-usage demands is enabled by virtualization
Characteristics of Virtualization
Transparent sharing of resources (memory, network, disk, CPU, etc.)
• decouples hardware from software
• hardware aggregates as a pool of sharable resources
Live migration
• shift virtual servers between physical hardware instances while running
• facilitate zero downtime while still maintaining hardware
Isolation
• limits security exposure
• reduces spread of risk
Additional Characteristics of Virtualization
Management
• single point of control across all VMs
• ease deployment burden through repetitive scripts and templates
• block-level rollbacks to prior snapshots in the event of failure
High availability
• boot virtual servers on alternate hardware in the event of primary hardware failure
• execute multiple instances of a virtual server across multiple hosts
What about PaaS, SaaS and Everything or Anything as-a-Service
In PaaS, you do not interact with low level infrastructure components like VMs or bootable images – those tasks are handled transparently by the Cloud vendor
Your role in the deployment and management of your applications in PaaS is, for the most part, limited to writing your application in a language supported by the PaaS sandboxed runtimes, packaging your application in the required format (e.g. a zip bundle or a WAR file) and uploading it to a Cloud deployment end-point
• Scaling is a managed service of PaaS
For SaaS interactions, in most cases, you just need a browser or a web service end-point
Containerization for Application Componentization and Modernization
Containers are a lightweight alternative to full machine virtualization
• It is often called a virtualization environment, or OS-level virtualization
• Docker is a very popular open-source system for creating virtual environments as containers
A container encapsulates an application running inside its own operating environment which is derived from the underlying host OS
Containerization has been popularized by cloud-like processing environments that require fast server boot-up time
• Platform-as-a-Service (PaaS) vendors such as Heroku, OpenShift, and Cloud Foundry use Linux containerization
At the moment, the most widely used technology behind containerization is Docker, originally built from LinuX Containers (LXC), which is a userspace interface for the Linux kernel containment features (cgroups and namespaces)
Microsoft released Hyper-V and allows for both Docker containers and process-based services in their Service Fabric model. This includes .NET Core usages running these environments in Linux and Windows Server virtualization.
Virtualization & Containerization: A Tale of Two Technologies
Both offer multi-tenancy for guests (OSes and applications)
Virtualization is about translating communication between the hosted OSes and hypervisor
Containerization is "native" in that containers share the host OS's kernel
Containers' OS is the same as the host's OS
Virtualization allows running multiple guest OSes on the same host, while containerization is limited to the OS type the host uses
Traditional virtualization offers better protection from "rogue" tenants
Containerization offers higher levels of scaling
Some specialized systems, like Kubernetes [https://kubernetes.io/], introduce logical grouping of containers for intelligent resource management at massive scale
Dynamic Infrastructure
Self-provisioning of resources is the key value proposition of any Cloud platform
You can assemble your complete Cloud-based solution from a combination of managed and your own services in the same way you can assemble a Lego® puzzle
IaaS Cloud vendors offer a variety of tools and configuration templates to dynamically provision and manage the infrastructure elements you need
Note: Dynamic infrastructure capability is limited on PaaS
Dynamic Infrastructure Examples
AWS CloudFormation service
• Simplifies provisioning and management on AWS using templates
Azure Resource Manager and Quickstart templates
• Allows you to provision and manage your applications along with Quickstart templates.
Pivotal Cloud Foundry
• Allows you to provision your applications along with their dependencies using a declarative template
Terraform
• Allows you to provision your applications along with their dependencies using IaC templates.
Configuration Management Tooling
• Chef, Puppet, Ansible and Salt all provide the ability to dynamically create infrastructure.
Elasticity on Demand
Low latency application scaling is a critical capability of Cloud computing used to elastically accommodate spikes or drops in demand
It is a standard feature of most cloud platforms
Elasticity is supported through two major capabilities:
• Auto Scaling – both up and down
• Cloud Bursting – extending on-premise dedicated application infrastructure with cloud capabilities
Cloud Provider Scaling Services
Examples of Auto Scaling Services
Amazon Auto Scaling Service that can increase the number of your Amazon EC2 instances (VMs) during demand peaks and decrease capacity during demand valleys to optimize your EC2 fleet utilization costs
• Metrics used by Auto Scaling conditions that trigger scaling activities are collected by the CloudWatch service
Google Compute Engine has managed instance groups that offer autoscaling capabilities
• You define your scaling preferences in the autoscaling policy which specifies the trigger points
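The threshold-plus-cooldown behaviour behind the auto scaling services above, simulated over a metric series. This is an added example written for this page, not Amazon or Google code: the policy fields (fleet bounds, CPU thresholds, evaluation periods, cooldown) are a constructed simplification of what an autoscaling policy lets you configure, and the CPU samples are constructed.

```python
"""Simulate a threshold-based auto scaling policy with a cooldown.

Added example for this page, not Amazon or Google code. The policy fields
(fleet bounds, CPU thresholds, evaluation periods, cooldown) are a constructed
simplification of what Amazon Auto Scaling and Compute Engine managed instance
groups let you configure; the CPU series is constructed too.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass(frozen=True)
class ScalingPolicy:
    min_size: int = 2               # floor keeps availability during scale-in
    max_size: int = 10              # ceiling caps cost if demand (or a flood) runs away
    scale_out_above: float = 70.0   # average CPU % that counts as a high breach
    scale_in_below: float = 30.0    # average CPU % that counts as a low breach
    evaluation_periods: int = 3     # consecutive breaching samples before acting
    cooldown: int = 5               # samples to wait after any scaling activity


@dataclass
class Fleet:
    size: int
    policy: ScalingPolicy
    high_breaches: int = 0
    low_breaches: int = 0
    cooldown_left: int = 0
    history: List[int] = field(default_factory=list)

    def _scaled(self) -> None:
        self.high_breaches = self.low_breaches = 0
        self.cooldown_left = self.policy.cooldown

    def observe(self, avg_cpu: float) -> int:
        """Feed one CloudWatch-style metric sample; return the resulting fleet size."""
        p = self.policy
        # Track consecutive breaches; a sample inside the band resets both counters.
        if avg_cpu > p.scale_out_above:
            self.high_breaches, self.low_breaches = self.high_breaches + 1, 0
        elif avg_cpu < p.scale_in_below:
            self.low_breaches, self.high_breaches = self.low_breaches + 1, 0
        else:
            self.high_breaches = self.low_breaches = 0
        # The cooldown suppresses scaling activities, not metric evaluation,
        # so the fleet does not flap on every sample during a sustained peak.
        if self.cooldown_left > 0:
            self.cooldown_left -= 1
        elif self.high_breaches >= p.evaluation_periods and self.size < p.max_size:
            self.size += 1
            self._scaled()
        elif self.low_breaches >= p.evaluation_periods and self.size > p.min_size:
            self.size -= 1
            self._scaled()
        self.history.append(self.size)
        return self.size


def simulate(samples: List[float], policy: ScalingPolicy) -> List[int]:
    """Run the policy over a metric series and return the fleet size after each sample."""
    fleet = Fleet(size=policy.min_size, policy=policy)
    for cpu in samples:
        fleet.observe(cpu)
    return fleet.history


# Constructed series: a demand peak followed by a long valley.
SAMPLE_CPU = [40, 50, 80, 85, 90, 95, 95, 92, 88, 85,
              80, 60, 50, 20, 15, 10, 12, 10, 8, 5,
              5, 5, 5, 5]

if __name__ == "__main__":
    for cpu, size in zip(SAMPLE_CPU, simulate(SAMPLE_CPU, ScalingPolicy())):
        print(f"cpu={cpu:3}% fleet={size}")
```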
Cloud Providers
The current leaders in this market are:
• Amazon AWS
• Microsoft Azure
• Google Cloud Platform
• IBM Bluemix
• VMWare
The cloud vendor space is not limited to those listed above, though – you can shop around to find a suitable cloud platform; you can start here:
• Cloud Foundry
• Heroku/Force.com
• OpenStack
• Accenture Cloud
• Adobe Marketing Cloud
• Rackspace Cloud
• IBM ZLinux
Discussion
Do you have experience with one or more cloud providers?
What attributes do you think are the most important for your usages?
What as-a-Service solutions are you or your team using currently or planned for the future?
Summary
Cloud standardization
Elasticity
Cloud vendor market place
Virtualization & Containerization
Dynamic infrastructure
Cloud Security and Risk
Lesson Objectives
Cloud and InfoSec
Access Control
Application Security
Information and Data Security
Network Security
Operational Security
DevOps Security Concerns
Cloud Security Domains
The adoption of Cloud Computing brings on many questions:
Security is consistently rated as a major concern and blockage to cloud adoption
Lack of governance can result in data breaches, compliance mistakes and growth of shadow IT
Cloud security focuses on domains
Cloud Security Alliance (CSA) establishes 14 domains for Cloud Security Guidance
CSA Domains
The CIA of Cloud Security
Cloud security in each of the above domains (see previous slide) must enforce the three main principles of information security (the CIA triad) for both data at rest and data in transit:
Confidentiality: data protection against unauthorized access
Integrity: data protection against modification and / or deletion
Availability: on-demand provisioning of data to authorized entities
[Diagram: cloud stack layers (Application, Platform, Infrastructure), as on the What is Cloud Computing slide]
Cloud Provider Security Standards & Certifications
Review third-party certifications, accreditations and validations your cloud vendor obtained. ISO and SOC are referred to as horizontal standards, while PCI, HIPAA are vertical standards.
Payment Card Industry (PCI) Data Security Standard (DSS)
ISO 27001 Information Security Standard
Annual SOC 1, SOC 2, and SOC 3 audits
Federal government systems evaluations, e.g. DIACAP Level 2 for DoD systems
US Federal Information Security Management Act (FISMA) compliance
Where applicable, map your organization's security controls to internationally recognized security certifications
[Diagram: certification logos: ISO, PCI-DSS, FISMA, GDPR, SOC, HIPAA]
Agile Security Risk Management Process
Perform data security level categorization
Establish user security profiles
Establish security controls over services against the security profiles
Continuously monitor access and use of services
Create feedback loops & iterate
Cloud Access Security Controls (IaaS)
Evaluate security features offered by your cloud vendor:
Physical security (physical access control to facilities)
User system access control
SSH keys
Provider security groups
Identity and Access Management (IAM)
Multi-Factor Authentication (MFA)
Breaking the Glass
Access Control: Authentication and Authorization
User authentication and group-based system access authorization
User and group management can be done using your cloud vendor's Identity and Access Management (IAM) or similar service
The minimum acceptable strength of user passwords and other credentials as well as their expiration policies can also be enforced by an IAM service
Identity federation between your corporate directory (Active Directory, LDAP, etc.) and cloud services, if supported, will let you re-use existing corporate identities to grant secure access to cloud resources without the need to create new cloud-based identities
Multi-Factor Authentication (MFA) is becoming a common practice
Use of OAuth, JWT, and API Management functions
Application specifics: Atlas, Ranger, other 3rd-Party or Open Source
Data at Rest: Our Data and Cloud Security
Encryption of data at-rest
• Prevents loss on security breach
• AES128/256 is the standard
Encryption of data in-transit
• Prevents disclosure due to man-in-the-middle attacks
Strong authentication between system components (one-way or two-way)
Required purging of application caches
Compliance with government regulations (HIPAA, Patriot Act, etc.)
Location of data
• Organizations may be subject to regulations that specific data be stored in their own origin country data centers
Data at Rest: Security Examples
All data at rest (data written and committed to disk) in Google Compute Engine is encrypted using the AES-128-CBC algorithm
AWS offers no encryption for its virtual (EBS) volumes; the users can implement an encrypted file system on top of their Amazon EBS volumes
AWS's S3 object storage uses AES-256
Network Security: Provider Responsibility
The Shared Responsibility Contract vests the control of the Cloud network service and exposed public API endpoints in Cloud vendors, making them responsible for protecting their clients against the following attacks:
Distributed Denial of Service (DDoS) attacks
• Standard DDoS mitigation techniques are: SYN cookies and connection throttling
Man-in-the-Middle attacks
• Cloud public API endpoints should be protected by SSL requiring server authentication
IP Spoofing
• Cloud-hosted instances must be incapable of sending spoofed IP traffic
Port Scanning
• Client applications that perform port scanning must be viewed as a violation of the Cloud User Policy resulting in investigation and closing of the account
Network Security: Shared Responsibility
Organizational network access control options:
VLAN (or VPC)
Intrusion detection and prevention
Group virtual machines by domain (layer)
Separate management, guest and public networks
IaaS clouds offer virtual firewalls as security groups (or similar concepts) that include a number of rules for regulating open ports (mapped to available services, e.g. SSH or POP3) and source IP address(es); those rules can be applied to your virtual server instances deployed in different application tiers
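The client-side half of the shared responsibility above is getting those security group rules right per tier. The following is an added example written for this page, not course material and not any vendor's API: it audits a constructed, simplified rule format (group, protocol, port range, source) for the mistakes the slide warns about, such as management or database ports reachable from the whole Internet instead of from the upstream tier's group.

```python
"""Audit IaaS security-group ingress rules for risky exposure.

Added example written for this page; it is not course material and not any
vendor's API. The rule shape (group, protocol, port range, source) is a
constructed simplification of what providers such as AWS expose as security
groups; the sample rules below are likewise constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Tuple

# Management services: never acceptable from the whole Internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM"}
# Backend stores: expected only from the application tier's group reference.
DATABASE_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 27017: "MongoDB"}


@dataclass(frozen=True)
class IngressRule:
    group: str       # security group the rule belongs to, e.g. "sg-web"
    protocol: str    # "tcp", "udp", or "-1" meaning every protocol
    from_port: int   # -1 (with to_port -1) means every port
    to_port: int
    source: str      # a CIDR, or a reference to another group such as "sg-app"


def is_group_reference(source: str) -> bool:
    return source.startswith("sg-")


def is_world_reachable(source: str) -> bool:
    """True when the source is a default route: 0.0.0.0/0 or ::/0."""
    if is_group_reference(source):
        return False  # tier-to-tier traffic, never the Internet
    return ip_network(source, strict=False).prefixlen == 0


def rule_covers(rule: IngressRule, port: int) -> bool:
    return rule.from_port == -1 or rule.from_port <= port <= rule.to_port


def audit(rules: List[IngressRule]) -> List[Tuple[str, str, str]]:
    """Return one (severity, group, message) finding per risky rule."""
    findings = []
    for r in rules:
        world = is_world_reachable(r.source)
        if r.protocol == "-1" or r.from_port == -1:
            sev = "HIGH" if world else "MEDIUM"
            findings.append((sev, r.group, f"all traffic allowed from {r.source}"))
            continue
        for port, svc in MANAGEMENT_PORTS.items():
            if world and rule_covers(r, port):
                findings.append(("HIGH", r.group, f"{svc}/{port} open to {r.source}"))
        for port, svc in DATABASE_PORTS.items():
            if rule_covers(r, port) and not is_group_reference(r.source):
                sev = "HIGH" if world else "MEDIUM"
                findings.append((sev, r.group,
                                 f"{svc}/{port} reachable from {r.source} instead of an app-tier group"))
        if r.to_port - r.from_port >= 1000:
            findings.append(("MEDIUM", r.group,
                             f"wide port range {r.from_port}-{r.to_port} from {r.source}"))
    return findings


# Constructed three-tier example: web -> app -> db, with two mistakes mixed in.
SAMPLE_RULES = [
    IngressRule("sg-web", "tcp", 443, 443, "0.0.0.0/0"),     # public HTTPS: expected
    IngressRule("sg-web", "tcp", 22, 22, "0.0.0.0/0"),       # SSH to the world: finding
    IngressRule("sg-web", "tcp", 22, 22, "203.0.113.0/24"),  # SSH from a bastion range
    IngressRule("sg-app", "tcp", 8080, 8080, "sg-web"),      # only the web tier reaches app
    IngressRule("sg-db", "tcp", 5432, 5432, "sg-app"),       # only the app tier reaches db
    IngressRule("sg-db", "tcp", 5432, 5432, "0.0.0.0/0"),    # database to the world: finding
    IngressRule("sg-db", "-1", -1, -1, "10.0.0.0/8"),        # everything from the VPC: finding
]

if __name__ == "__main__":
    for sev, group, msg in audit(SAMPLE_RULES):
        print(f"{sev:6} {group:7} {msg}")
```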
Operational Security
Cloud models aid in reducing the scope of needed operational activities, leaving Ops to deal with:
• IaaS: server lifecycle management (start / pause / stop / remove), resource provisioning, app code uploading, system monitoring and the like
• PaaS: app code uploading, system monitoring
Ops should disable unnecessary user accounts and services (on IaaS)
Use only key-based SSH session authentication
Some cloud vendors offer mechanisms for embedding authentication keys into virtual machine images (VMI), meaning that only the owner (Ops) of those credentials can launch virtual servers based on those VMIs
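As an added example (not from the course material), the check below verifies that an IaaS server's sshd_config actually enforces the key-only posture recommended above. It parses OpenSSH's sshd_config syntax and compares the effective settings against a baseline; the baseline itself and the default values it assumes for absent directives are taken from the sshd_config(5) documentation for recent OpenSSH releases, which is an assumption to re-check for the version you run.

```python
"""Audit an sshd_config for the key-only authentication posture recommended above."""

# OpenSSH 8.7 renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication
# and keeps the old name as a synonym, so both spellings are folded together.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# directive -> (acceptable values, value OpenSSH applies when the directive is absent)
# Assumption: defaults as documented in sshd_config(5) for recent OpenSSH releases.
REQUIRED = {
    "pubkeyauthentication": ({"yes"}, "yes"),
    "passwordauthentication": ({"no"}, "yes"),
    "kbdinteractiveauthentication": ({"no"}, "yes"),
    "permitrootlogin": ({"no", "prohibit-password"}, "prohibit-password"),
}


def parse_sshd_config(text):
    """Return {directive: value} for global directives.

    sshd_config rules applied here: '#' starts a comment, the FIRST occurrence of a
    directive wins, names are case-insensitive, 'Key value' and 'Key=value' are both
    accepted, and everything after the first 'Match' line is conditional, so ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        key = ALIASES.get(key, key)
        if key == "match":
            break
        if key not in settings:
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_sshd_config(text):
    """Return findings as strings; an empty list means key-only auth is enforced."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (wanted, default) in REQUIRED.items():
        actual = settings.get(key, default)
        origin = "explicitly set" if key in settings else "OpenSSH default, directive absent"
        if actual.lower() not in wanted:
            findings.append(f"{key} is {actual!r} ({origin}); expected one of {sorted(wanted)}")
    return findings


# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no     <- commented out, so the default (yes) still applies
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

The weak sample illustrates the two mistakes that most often survive a manual review: a directive that is commented out (so the permissive default silently applies) and a root-login setting that is explicitly too loose. Feeding the file of a real server to `audit_sshd_config` (for example via `sshd -T` output, which already resolves defaults) works the same way.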
Zero Trust Security
Zero trust is a security model in which no user, interface or application is automatically "trusted".
In physical implementations of zero trust security, traffic flows through a centralized security device, limiting scalability.
Virtual or cloud-based environments allow for scalability due to their underlying implementations of software-defined networking.
Micro-segmentation
Creation of isolated virtual networks that run parallel to one another.
Creation of zero trust zones with micro-segmentation with software-defined networking.
The micro-segmentation approach to network segmentation is said to improve usability and security by establishing "zero trust" zones where more granular access controls can be enforced.
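To make the zero trust zones of the two slides above concrete, here is an added example (not part of the course material) of the policy an SDN controller would enforce between micro-segments: every flow is denied unless it is on an explicit allow list, including traffic between two hosts inside the same segment. The zone CIDRs, ports and allowed flows are constructed sample values.

```python
"""Evaluate traffic against a default-deny micro-segmentation policy."""
import ipaddress
from dataclasses import dataclass

# Constructed segments: each zone is a CIDR that a software-defined network would
# isolate; the addresses are sample values for this example.
ZONES = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
    "mgmt": ipaddress.ip_network("10.0.9.0/24"),
}

# The only permitted flows (source zone, destination zone, protocol, port).
# Nothing else passes, not even between two hosts in the same zone: location on
# the network grants no trust by itself.
ALLOWED_FLOWS = {
    ("web", "app", "tcp", 8080),
    ("app", "db", "tcp", 5432),
    ("mgmt", "web", "tcp", 22),
    ("mgmt", "app", "tcp", 22),
    ("mgmt", "db", "tcp", 22),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def zone_of(ip):
    """Name of the segment containing ip, or None if it is outside every segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow):
    """Return ('allow' | 'deny', reason). Anything not explicitly allowed is denied."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint outside every known segment"
    if (src_zone, dst_zone, flow.proto, flow.port) in ALLOWED_FLOWS:
        return "allow", f"{src_zone}->{dst_zone} {flow.proto}/{flow.port} is on the allow list"
    return "deny", f"no policy permits {src_zone}->{dst_zone} {flow.proto}/{flow.port}"


def denied_flows(flows):
    """Filter a batch of observed flows down to the ones the policy rejects.

    Each rejected flow is worth an alert: in a segmented network a denied attempt
    from one workload to another is a strong lateral-movement signal.
    """
    rejected = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            rejected.append((flow, reason))
    return rejected


# Constructed sample of observed flows.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 8080),    # web -> app on the app port: allowed
    Flow("10.0.2.20", "10.0.3.30", "tcp", 5432),    # app -> db on the db port: allowed
    Flow("10.0.1.10", "10.0.3.30", "tcp", 5432),    # web -> db directly: denied
    Flow("10.0.2.20", "10.0.2.21", "tcp", 22),      # app host to app host: denied (same zone)
    Flow("192.168.50.5", "10.0.2.20", "tcp", 8080), # unknown source: denied
]

if __name__ == "__main__":
    for flow, reason in denied_flows(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {reason}")
```

The design point is that the allow list is the whole policy: adding a zone adds no implicit permissions, and the deny branch is where logging and alerting belong, because a denied east-west flow inside a segment is exactly the event that a flat network would never have surfaced.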
DevOps Security Concerns
Enterprise areas of XaaS usage include
For all intents and purposes, hardening your application environment is very much like hardening any Windows or Unix server (applies mostly to IaaS)
Cloud applications must be properly partitioned to minimize the breadth of the exposure when some parts of your application are compromised
On IaaS platforms, we evaluate Mandatory Access Control (MAC) systems (e.g. AppArmor) to minimize access scopes
Organizations regularly use HoneyPot technology to identify unknown intruder penetration of the application infrastructure
Cloud Security Alliance (CSA)
CSA was formed in 2008 and is now on the 4th iteration of its Cloud Security Guidance and GRC Stack documents: https://cloudsecurityalliance.org/download/security-guidance-v4
The CSA GRC Stack is comprised of four separate initiatives: CloudAudit, CCM, CAIQ and Cloud Trust Protocol (CTP). The CCM and CAIQ are the two documents that are the most directly useful for companies trying to assess a given cloud provider's controls and risk model.
CAIQ questions are used to establish the security of your internal and external cloud providers. The questions are categorized by control group and then mapped to major compliance and regulatory standards like COBIT, HIPAA, PCI and FedRAMP. These are referred to as vertical standards.
Down on the Farm: Pigs and Chickens
• Committed – InfoSec & Leadership
• Involved – Everyone else dedicated to the security of the organization in the move to Cloud as-a-Service and Cloud-native applications
• Neither – 1/3rd quartile, hackers, Kylo Ren
Discussion
How is cloud security being discussed for the organization?
Are there knowledge stores that outline security and risk in Cloud?
How is InfoSec part of the pipelines for cloud-native application modernization in the organization?
What horizontal and vertical standards has your organization considered or implemented?
Summary
Cloud and InfoSec
Access Control
Application Security
Information and Data Security
Network Security
Operational Security
DevOps Security Concerns
United States: 744 Yorkway Place, Jenkintown, PA, 19046. Toll Free 1 877 517 6540. Email [email protected]
Canada: 821A Bloor Street West, Toronto, Ontario, M6G 1M1. Toll Free 1 866 206 4644. Email [email protected]
Cloud Security and Risk
Cloud-native Application Modernization: Making the move to Cloud
Lesson Objectives
Cloud adoption steps
Cloud-native
Designing cloud applications
Microservices
Automation & DevOps
Moving to the Cloud
While Cloud computing (using a Cloud vendor's data centers) is, in many aspects, similar to what you do on-premise, there are nuances that may make the process of moving to the cloud costly, if not frustrating
• Moving to Cloud computing is a paradigm shift
• It is also an opportunity to undertake application modernization initiatives
You need to educate yourself about Cloud's intricacies, learn and adopt best practices for designing and implementing Cloud applications, and, of course, make the right technological choices
Down the road, it is all about making your business successful, and your technological choices must be aligned with the business objectives of your organization
Cloud Kickstart
There are certain steps you need to follow in order to make moving to the Cloud as painless as possible
It is not possible to touch on all the steps each organization, line of business or team would need to consider, but here are some of the more common first broad directions:
• Create a Cloud app from scratch (green field)
• Migrate an existing on-premise app (brown field)
What are your priorities for Cloud-native application modernization?
What Cloud service models (IaaS, PaaS, or SaaS) are you already using to accelerate business value?
What are your vendors and channel partners doing with Cloud?
What are the current capabilities in the organization, and have you created a Kaizen skills map?
Considering Business Drivers for Cloud Adoption
Your business drivers, to some extent, dictate the choice of the Cloud service model, which will help you narrow down the search area
If business agility (time to market, fast upgrade cycles) is the most important factor, you need to go with either PaaS or SaaS
• This choice needs to be balanced against the complexity of the application you want to create or move to the cloud
• PaaS and SaaS can dramatically simplify the scope of your SysAdmin tasks, while doing so at a huge expense of flexibility and availability of technological options at your disposal
• PaaS and SaaS platforms can also satisfy your business' critical dependency on automatic scalability or cloud bursting for scale
If your business processes to be moved to the Cloud are complex ones with a large number of dependencies, your choice should, most likely, be IaaS
• IaaS has the capabilities to support new business drivers that may emerge as your Cloud presence solidifies and evolves
• It is possible to connect parts of your application deployed in PaaS and/or SaaS with those in IaaS
Deep Thoughts on Cloud from Scott Adams
[cartoon slide: image not reproduced]
Cloud Adoption and the Stages of Virtualization Maturity
Moving to the Cloud is a major strategic decision which requires a staged approach
According to Gartner Research, most organizations tend to go through a typical staged process on the way to the cloud (some steps may be skipped):
Stage 1 – On-prem server virtualization (server consolidation (count reduction) and better resource management leading to capital savings, trying out DR through virtualization for business continuity)
Stage 2 – On-prem distributed virtualization (automation of deployment)
Stage 3 – Private Cloud (cloud payment model, elasticity, usage metering)
Stage 4 – Hybrid (respond well during peak loads)
Stage 5 – Public Cloud (shift from fixed costs (capital expenses) to variable costs (operational expenses))
Accelerating Business Value through Cloud Adoption
Stage 1: Server Virtualization
• Consolidation
• Capital expense
Stage 2: Distributed Virtualization
• Flexibility and speed
• Operational expense, automation
• Less downtime
Stage 3: Private Cloud
• Self-serve agility
• Standardization
• IT as a business
• Usage metering
Stage 4: Hybrid Cloud
• Cost for peak loads
• Flexibility for peak loads
Stage 5: Public Cloud
• Capital expense elimination
• Increased flexibility (up and down)
Agile Cloud Provisioning
There are evolving Cloud standards for platform, service, and infrastructure
Organizations can adopt vendor-specific or vendor-agnostic views of Cloud, e.g. "We use AWS", or "We use a solution that makes us provider agnostic"
To avoid the vendor lock-in situation (for both IaaS and PaaS deployments):
• Try to use as much of the open and accepted standards as possible to achieve and maintain system interoperability. For example, for web services use Basic Profile 1.0 compliant web services or RESTful services (wherever practical, favor them over WS-*)
• Wrap the native platform API in a generic and portable API, using dependency injection to plug in the platform-specific implementation
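The second bullet is easiest to see in code. The following is an added example, not code from the course, of a portable storage API with the platform-specific implementation injected: application code depends only on the `BlobStore` contract, and a single composition root decides which implementation is wired in. `FakeVendorSdk` is a constructed stand-in for a vendor SDK (not any real library), included only so the adapter has a foreign call shape to translate.

```python
"""Portable storage API with the vendor-specific implementation injected."""
from abc import ABC, abstractmethod


class BlobStore(ABC):
    """The contract application code is written against; no vendor types leak through."""

    @abstractmethod
    def put(self, key: str, data: bytes) -> None: ...

    @abstractmethod
    def get(self, key: str) -> bytes: ...

    @abstractmethod
    def keys(self, prefix: str = "") -> list: ...


class InMemoryStore(BlobStore):
    """Implementation used in tests and local development."""

    def __init__(self):
        self._objects = {}

    def put(self, key, data):
        self._objects[key] = bytes(data)

    def get(self, key):
        return self._objects[key]

    def keys(self, prefix=""):
        return [k for k in self._objects if k.startswith(prefix)]


class FakeVendorSdk:
    """Constructed stand-in for a cloud object-storage SDK (not any real library).

    It has its own vocabulary (buckets, object names, upload/download) so that the
    adapter below has something to translate.
    """

    def __init__(self):
        self._buckets = {}

    def upload_object(self, bucket, object_name, payload):
        self._buckets.setdefault(bucket, {})[object_name] = payload

    def download_object(self, bucket, object_name):
        return self._buckets[bucket][object_name]

    def list_object_names(self, bucket, name_prefix):
        return [n for n in self._buckets.get(bucket, {}) if n.startswith(name_prefix)]


class VendorStoreAdapter(BlobStore):
    """The single place that knows the vendor API; also the natural place to keep the
    vendor credentials and bucket configuration, out of application code."""

    def __init__(self, sdk, bucket):
        self._sdk = sdk
        self._bucket = bucket

    def put(self, key, data):
        self._sdk.upload_object(self._bucket, key, bytes(data))

    def get(self, key):
        return self._sdk.download_object(self._bucket, key)

    def keys(self, prefix=""):
        return self._sdk.list_object_names(self._bucket, prefix)


class ReportService:
    """Application logic: receives a BlobStore, never constructs one itself."""

    PREFIX = "reports/"

    def __init__(self, store: BlobStore):
        self._store = store

    def save_report(self, name, lines):
        self._store.put(f"{self.PREFIX}{name}.txt", "\n".join(lines).encode("utf-8"))

    def read_report(self, name):
        return self._store.get(f"{self.PREFIX}{name}.txt").decode("utf-8").splitlines()

    def report_names(self):
        return sorted(k[len(self.PREFIX):-len(".txt")] for k in self._store.keys(self.PREFIX))


def build_service(provider):
    """Composition root: the only function that decides which implementation to wire in."""
    if provider == "local":
        return ReportService(InMemoryStore())
    if provider == "vendor":
        return ReportService(VendorStoreAdapter(FakeVendorSdk(), bucket="reports-bucket"))
    raise ValueError(f"unknown provider {provider!r}")


if __name__ == "__main__":
    for provider in ("local", "vendor"):
        svc = build_service(provider)
        svc.save_report("q1", ["revenue up", "costs flat"])
        print(provider, svc.report_names(), svc.read_report("q1"))
```

Swapping providers changes one line in `build_service` and nothing in `ReportService`; the adapter is also the one module a security review needs to read to know where credentials, bucket names and vendor-specific access settings live.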
Twelve-factor App Methodology
The good people who worked on the Heroku PaaS platform summarized their development and deployment experience in the Twelve-factor app methodology for building Software-as-a-Service apps: https://12factor.net/
The methodology provides guidelines for creating apps (whether you target PaaS or IaaS) that:
• "Use declarative formats for setup automation, to minimize time and cost for new developers joining the project;
• Have a clean contract with the underlying operating system, offering maximum portability between execution environments;
• Are suitable for deployment on modern cloud platforms, obviating the need for servers and systems administration;
• Minimize divergence between development and production, enabling continuous deployment for maximum agility;
• And can scale up without significant changes to tooling, architecture, or development practices."
Twelve-factor principles
1. Codebase
2. Dependencies
3. Config
4. Backing services
5. Build, Release, Run
6. Processes
7. Port binding
8. Concurrency
9. Disposability
10. Dev/prod parity
11. Logs
12. Admin Processes
Twelve-factor - Codebase
One codebase per service, component or application, tracked in revision control; many deploys to meet the organizational guidance for Continuous Integration & Delivery (CI/CD)
The Twelve-factor App recommends one codebase per app. In a microservices architecture, the correct approach is one codebase per service.
This codebase should be in version control, either distributed, e.g. git, or centralized, e.g. SVN.
[Figure: one codebase feeding several deploys: production, staging, developer 1, developer 2]
Twelve-factor - Dependencies
Explicitly declare and isolate dependencies
Regardless of which platform your application is running on, use the dependency manager included with your language or framework.
Do not assume that the tool, library or application your code depends on will be there.
How you install operating system or platform dependencies depends on the platform:
• In non-containerized environments, use a configuration management tool (Chef, Puppet, Salt, Ansible) to install system dependencies.
• In a containerized environment, do this in the Dockerfile.
Data is King
The same rules apply to on-prem or Cloud apps; keep them in mind when moving your applications to the cloud:
• Data is king
• Data outlives applications
• Applications outlive integrations
You need to account for variability in your system integration needs when designing your Cloud-native applications
Monolithic vs. Microservice
A monolithic application puts all its functionality into a single process…
…and scales by replicating the monolith on multiple servers.
A microservices architecture puts each element of functionality into a separate service…
…and scales by distributing these services across servers, replicating as needed.
Qualities of Microservices
Componentization via Services
Organized around Business Capabilities
Products not Projects
Smart endpoints and dumb pipes
Decentralized Governance
Decentralized Data Management
Infrastructure Automation
Design for failure
Evolutionary Design
Cloud Native Applications
[Figure: an On-Premise deployment (Database (Oracle), Web App 1, Web App 2, Microservice 1, Microservice 2, Microservice 3) alongside a Microsoft Azure deployment (Database (RDS), Microservice 1, Microservice 2, Microservice 3)]
Cloud Native = Challenges Solved
Increase velocity of software deployments: agile delivery of new cloud applications in days versus weeks, and platform upgrades performed in minutes.
Enabling predictability of cloud platform software through all stages of deployments.
Sustainability and supportability to deliver upgrades or cloud infrastructure changes by using the same Continuous Integration / Continuous Delivery (CI/CD) process for all types of deployments.
Reliability in reduction of impact on existing network workloads when patching, updating, or adding applications and platforms.
Provide operational maturity with dashboard visibility into the health of every component, scalability and the ability for self-healing
Cloud Native + Agile + DevOps = Challenges Solved
Key Components of Successful Microservices Teams
"A3 & C"
Shared Accountability for service consistency
Automation of cattle
Architecture patterns
Culture of Containerization
Other key areas include DevOps, collaboration, gold master example, and standards
Designing for Failure
Microservices architecture based components are designed for failure.
Any service can fail, anytime
The client application has to respond as gracefully as possible
It's important to be able to detect the failures quickly and, if possible, automatically restore service
Microservices applications put a lot of emphasis on real-time monitoring
Netflix Simian Army induces failures of services during the working day to test the application's resilience and monitoring
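One standard way to give the client application the graceful response the slide asks for is a circuit breaker. The block below is an added example (not from the course or from Netflix's libraries): after a run of consecutive failures the breaker stops calling the dependency and fails fast, then lets one trial call through after a cooling-off period; the client answers with a degraded result instead of an error. The inventory service, clock and thresholds are constructed for the example.

```python
"""Circuit breaker with a fallback, so a failing dependency degrades service gracefully."""
import time


class CircuitOpenError(Exception):
    """Raised when the breaker refuses a call without trying the dependency."""


class CircuitBreaker:
    """Closed: calls pass through and consecutive failures are counted.
    Open: calls fail fast until reset_timeout seconds have elapsed.
    Half-open: one trial call is allowed; success closes, failure re-opens."""

    def __init__(self, failure_threshold=3, reset_timeout=30.0, clock=time.monotonic):
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self._clock = clock            # injected so the demonstration can control time
        self.state = "closed"
        self.consecutive_failures = 0
        self._opened_at = None

    def call(self, fn, *args, **kwargs):
        if self.state == "open":
            if self._clock() - self._opened_at >= self.reset_timeout:
                self.state = "half-open"
            else:
                raise CircuitOpenError("dependency marked unavailable; failing fast")
        try:
            result = fn(*args, **kwargs)
        except Exception:
            self._on_failure()
            raise
        self._on_success()
        return result

    def _on_failure(self):
        self.consecutive_failures += 1
        if self.state == "half-open" or self.consecutive_failures >= self.failure_threshold:
            self.state = "open"
            self._opened_at = self._clock()

    def _on_success(self):
        self.consecutive_failures = 0
        self.state = "closed"


class FakeClock:
    """Controllable clock for a deterministic demonstration."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FlakyInventoryService:
    """Constructed dependency that can be switched between healthy and failing."""

    def __init__(self):
        self.healthy = True
        self.calls = 0

    def stock_level(self, sku):
        self.calls += 1
        if not self.healthy:
            raise ConnectionError("inventory service timed out")
        return 12


def lookup_stock(breaker, inventory, sku):
    """What the client application does: try the dependency through the breaker and
    answer with a degraded-but-useful result instead of an error page."""
    try:
        return f"{breaker.call(inventory.stock_level, sku)} in stock"
    except (CircuitOpenError, ConnectionError):
        return "availability unknown, try again shortly"


if __name__ == "__main__":
    clock, inventory = FakeClock(), FlakyInventoryService()
    breaker = CircuitBreaker(failure_threshold=2, reset_timeout=10, clock=clock.now)
    inventory.healthy = False
    for _ in range(4):
        print(lookup_stock(breaker, inventory, "sku-1"), "| state:", breaker.state)
    clock.advance(11)
    inventory.healthy = True
    print(lookup_stock(breaker, inventory, "sku-1"), "| state:", breaker.state)
```

State transitions are also the natural thing to emit as telemetry: a breaker opening is the quickest signal that a downstream service has failed, long before user complaints or aggregated error rates show it.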
Microservices In a Nutshell
Shift Left. Microservices go hand-in-hand with Agile software development methodologies and DevOps.
Competitive Advantage. Clean, well managed services improve agility and velocity.
Technology Enabled Business. Time to market and value is enabled by a componentized application, built on the principle of MVP.
Gold Master. Every organization needs their reference architecture and working examples to simplify consistent adoption across the enterprise.
Data Management Considerations
Microservice applications are decomposed into components – smaller independent service applications.
Components are loosely coupled, and that includes the backing store
Management Lift for Microservices
In some cases, you may satisfy your operational needs by using Apache ZooKeeper (https://zookeeper.apache.org), which offers services for highly reliable distributed coordination, centralized configuration management, and distributed synchronization
Netflix Open Source Software (OSS) Center (https://netflix.github.io/) provides a complete set of Java-based infrastructure components that can be used to support microservices
You may also want to consider moving to a whole new deployment and execution platform, e.g. Cloud Foundry PaaS (https://www.cloudfoundry.org/) or a model like AT&T Integrated Cloud Platform (AIC) built on OpenStack
Service Fabric Application Modernization
Take a traditional monolithic application:
Lift and Shift - Use containers or guest executables to host existing code in Service Fabric.
Modernization - New microservices added alongside existing containerized code.
Innovate - Break the monolith into microservices purely based on need.
Transformed into microservices - the transformation of existing monolithic applications or building new greenfield applications.
Microservice Best Practices
Base Image – Place your log aggregation, security, and patterns in a base Docker image that you use to contain your microservices
Conversation ID – Generate unique ids in the client application that flow through the orchestrated use of microservices and components of the application for traceability and correlation
Version – Use API versioning in services to allow for identifying the correct service routing and to account for changes over time and the use of blue-green, multiple coexistence, and canary release strategies
Log Aggregation – Microservices don't maintain historical logs like application servers, so we have to constantly flow that information to external log streams like ELK, ELF, Splunk, Big Data, or other tools
Resiliency – Service failure is inevitable over time; ensure you provide telemetry and error handling to notify users, developers, and operations
Service Identification – The User-Agent header is an excellent location to store the name, or logical id, of the service being invoked, e.g. User-Agent: EmployeeSearchService
Reference Architecture – Gold master example of company/portfolio/client service implementation
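The Conversation ID, Version, Log Aggregation and Service Identification practices above fit together in one request-handling path. The following is an added example, not code from the course: a handler resolves the conversation id once (reusing the caller's when it is well-formed, minting one otherwise), emits JSON log lines carrying it for an external log stream, and forwards it downstream together with a User-Agent naming the service and a versioned path. The header name `X-Conversation-Id` and the `v2` version are assumptions; `EmployeeSearchService` is the name from the slide.

```python
"""Conversation id propagation and service identification headers for a microservice."""
import json
import re
import uuid

# Header and version are assumptions for this example; the service name is from the slide.
CONVERSATION_HEADER = "X-Conversation-Id"
SERVICE_NAME = "EmployeeSearchService"
API_VERSION = "v2"

# Only accept ids that look like the UUIDs we mint ourselves; anything else is
# discarded so that caller-supplied text cannot pollute aggregated log streams.
CONVERSATION_ID_PATTERN = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def new_conversation_id():
    return str(uuid.uuid4())


def resolve_conversation_id(incoming_headers):
    """Reuse the caller's id when well-formed (mid-flow hop), otherwise start a new one."""
    lowered = {k.lower(): v for k, v in incoming_headers.items()}
    candidate = lowered.get(CONVERSATION_HEADER.lower(), "").strip().lower()
    return candidate if CONVERSATION_ID_PATTERN.match(candidate) else new_conversation_id()


def outbound_headers(conversation_id):
    """Headers this service puts on every downstream call: the id for correlation and
    User-Agent carrying the logical service name for identification."""
    return {
        CONVERSATION_HEADER: conversation_id,
        "User-Agent": SERVICE_NAME,
        "Accept": "application/json",
    }


def versioned_path(resource):
    """Route downstream calls to an explicit API version so blue-green or canary
    deployments of the callee can coexist."""
    return f"/{API_VERSION}/{resource.lstrip('/')}"


def log_event(conversation_id, event, **fields):
    """One JSON line per event, ready for an external log stream (the service keeps nothing)."""
    record = {"service": SERVICE_NAME, "conversation_id": conversation_id, "event": event}
    record.update(fields)
    return json.dumps(record, sort_keys=True)


def handle_search(incoming_headers, query):
    """Request handler skeleton: resolve the id once, log with it, forward it downstream."""
    conversation_id = resolve_conversation_id(incoming_headers)
    lines = [log_event(conversation_id, "search.received", query=query)]
    downstream = {
        "path": versioned_path("employees"),
        "headers": outbound_headers(conversation_id),
    }
    lines.append(log_event(conversation_id, "search.forwarded", path=downstream["path"]))
    return conversation_id, downstream, lines


if __name__ == "__main__":
    # Constructed incoming request from an upstream hop that already has an id.
    incoming = {"x-conversation-id": "123e4567-e89b-12d3-a456-426614174000"}
    cid, downstream, lines = handle_search(incoming, "smith")
    print(cid, downstream)
    for line in lines:
        print(line)
```

Validating the inbound id before reusing it is the part most implementations skip: a correlation header is attacker-controlled input that ends up verbatim in every log store and dashboard that indexes it, so accepting only the format you generate yourself keeps log injection out of the aggregation pipeline.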
Discussion
Does the organization have experiences to share in cloud-native application modernization?
Are teams using Twelve-factor, or another approach, as the basis for Agile SDLC modernization?
Who holds the gold master for Microservices and Cloud-native in the various platforms and technologies used by the organization?
Summary
Cloud adoption steps
Cloud-native
Designing cloud applications
Microservices
Automation & DevOps
Cloud-native Application Modernization
Thank you