
Cloud Definitions

Cloud computing is typically classified in two ways:
A reference model is an abstract framework for understanding significant relationships
among the entities of some environment, and for the development of consistent
standards or specifications supporting that environment. It is based on a small number
of unifying concepts and may be used as a basis for education and explaining
standards. It is not directly tied to any standards, technologies, or other concrete
implementation details, but it does seek to provide a common semantics that can be
used unambiguously across and between different implementations.
- Organization for the Advancement of Structured Information Standards (OASIS)
Greenfield Deployment Option
It is typically used when an infrastructure does not exist
and an organization has to build the cloud infrastructure
starting from the physical layer.
Brownfield Deployment Option
It is used when some of the infrastructure entities exist,
which can be transformed to cloud infrastructure by
deploying the remaining entities required for the cloud
infrastructure.
Governance is the active distribution of decision-making rights and accountability
among different stakeholders in an organization. It also describes the rules and
procedures for making and monitoring those decisions to determine and achieve
the desired behaviors and results.
A contract negotiated between a provider and a consumer that specifies various
parameters and metrics such as cost, service availability, maintenance schedules,
performance levels, service desk response time, and consumer's and provider's
responsibilities.
A situation where a consumer is unable to move readily from the current provider
to another.
Processor
• An IC that executes software programs by performing arithmetical, logical, and
input/output operations
Random-Access Memory
• A volatile data storage device containing the programs for execution and the data used
by the processor
Read-Only Memory
• A semiconductor memory containing boot, power management, and other device-specific firmware
Motherboard
• A PCB that holds the processor, RAM, ROM, network and I/O ports, and other integrated
components
Chipset
• A collection of microchips on a motherboard to manage specific functions, such as
processor access to RAM and to peripheral ports
Magnetic disk drive
• Stores data on a circular disk with a ferromagnetic coating
• Provides random read/write access
• Most popular storage device with large storage capacity
Solid-state (flash) drive
• Stores data on semiconductor-based memory
• Very low latency per I/O, low power requirements, and very high throughput
Magnetic tape drive
• Stores data on a thin plastic film with a magnetic coating
• Provides only sequential data access
• Low-cost solution for long-term data storage
Optical disc drive
• Stores data on a polycarbonate disc with a reflective coating
• Write Once and Read Many capability: CD, DVD, BD
• Low-cost solution for long-term data storage
A storage technology in which data is written in blocks across multiple disk
drives that are combined into a logical unit called a RAID group.
RAID Technique: Striping (RAID 0)
Striping
A RAID technique to spread data across multiple drives in order to use the
drives in parallel.
RAID Technique: Mirroring (RAID 1)
Mirroring
A RAID technique to store the same data simultaneously on two different
drives, yielding two copies of the data.
RAID Technique: Parity
Parity
A RAID technique to protect striped data from drive failure by performing a
mathematical operation on individual strips and storing the result on a
portion of the RAID group.
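The parity technique defined above, worked through in code as an added example (not from the original slides): data is striped across a group of drives with one XOR parity strip per stripe (RAID 5 style rotating parity), one drive is lost, and it is rebuilt from the survivors. The drive count, strip size and payload are constructed for illustration.

```python
from typing import List, Optional

Drive = List[bytes]  # one drive = its strips in stripe order


def xor_strips(strips: List[bytes]) -> bytes:
    """Bitwise XOR of equal-length strips: the operation that produces the parity
    strip, and the same operation recovers any ONE missing strip from the rest."""
    out = bytearray(len(strips[0]))
    for strip in strips:
        for i, b in enumerate(strip):
            out[i] ^= b
    return bytes(out)


def parity_drive_for(stripe: int, drives: int) -> int:
    """RAID 5 rotates parity across drives so no single drive becomes a parity
    hot spot (RAID 3 would pin it to one dedicated disk instead)."""
    return (drives - 1 - stripe) % drives


def write_raid5(data: bytes, drives: int, strip_size: int) -> List[Drive]:
    """Lay `data` out so each stripe holds drives-1 data strips plus one parity strip."""
    if drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    data_strips = drives - 1
    stripe_bytes = data_strips * strip_size
    padded = data + b"\0" * (-len(data) % stripe_bytes)  # pad to whole stripes
    layout: List[Drive] = [[] for _ in range(drives)]
    for n in range(len(padded) // stripe_bytes):
        chunk = padded[n * stripe_bytes:(n + 1) * stripe_bytes]
        strips = [chunk[i * strip_size:(i + 1) * strip_size] for i in range(data_strips)]
        p = parity_drive_for(n, drives)
        queue = iter(strips)
        for d in range(drives):
            layout[d].append(xor_strips(strips) if d == p else next(queue))
    return layout


def read_raid5(layout: List[Drive], length: int) -> bytes:
    """Reassemble the original bytes, skipping the parity strip of each stripe."""
    drives = len(layout)
    out = bytearray()
    for n in range(len(layout[0])):
        p = parity_drive_for(n, drives)
        out += b"".join(layout[d][n] for d in range(drives) if d != p)
    return bytes(out[:length])


def rebuild_drive(layout: List[Optional[Drive]], failed: int) -> Drive:
    """Recover every strip of `failed` by XORing the same stripe on all survivors.
    Single parity tolerates exactly one lost drive; a second loss needs RAID 6."""
    survivors = [drv for i, drv in enumerate(layout) if i != failed and drv is not None]
    if len(survivors) != len(layout) - 1:
        raise ValueError("single parity can only rebuild one failed drive")
    return [xor_strips([drv[n] for drv in survivors]) for n in range(len(survivors[0]))]


def demo() -> bool:
    """Constructed scenario: write a payload to a 4-drive group, lose drive 2, rebuild it."""
    payload = b"constructed sample block written through a RAID controller"
    group: List[Optional[Drive]] = write_raid5(payload, drives=4, strip_size=8)
    group[2] = None                       # drive 2 fails
    group[2] = rebuild_drive(group, 2)    # rebuilt from parity of the survivors
    return read_raid5(group, len(payload)) == payload
```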
RAID 0
• Striped set with no fault tolerance
RAID 1
• Disk mirroring
RAID 1+0
• Nested RAID (striping and mirroring)
RAID 3
• Striped set with parallel access and a dedicated parity disk
RAID 5
• Striped set with independent disk access and distributed parity
RAID 6
• Striped set with independent disk access and dual distributed parity
SAN vs NAS
Storage Area Network vs Network-Attached Storage
• SAN
- A high-speed, dedicated network of servers and shared storage devices
- Protocols: Fibre Channel (not Fiber), iSCSI
• NAS
- An IP-based, dedicated, high-performance file sharing and storage device
- Protocols: CIFS (Windows), NFS (UNIX)
Storage Area Network (SAN)
A network that interconnects storage systems with compute systems,
enabling the compute systems to access and share the storage systems.
• Based on the protocols they support, SANs can be
classified as:
- Fibre Channel SAN (FC SAN)
- Internet Protocol SAN (IP SAN)
- Fibre Channel over Ethernet SAN (FCoE SAN)
FC SAN
A SAN that uses Fibre Channel (FC) protocol to
transport data, commands, and status information
between compute and storage systems.
IP SAN
A SAN that uses Internet Protocol (IP) for the transport of storage traffic. It
transports block I/O over an IP-based network.
iSCSI Networking
iSCSI
iSCSI encapsulates SCSI commands and data into
IP packets that are transported over an IP-based
network.
FCIP
FCIP is an encapsulation of FC frames into IP packets that are transported
between disparate FC SANs over an IP-based network through an FCIP tunnel.
FCoE SAN
A converged enhanced Ethernet (CEE) network that uses the FCoE protocol to
transport FC data along with regular Ethernet traffic over high-speed Ethernet
links. FCoE encapsulates FC frames into Ethernet frames.
Virtualization
Refers to the logical abstraction of physical resources, such as compute,
network, and storage that enables a single hardware resource to
support multiple concurrent instances of systems or multiple
hardware resources to support single instance of system.
Hypervisor
Software that is installed on a compute system and enables multiple OSs to
run concurrently on a physical compute system.
Resource Pool
A logical abstraction of the aggregated computing resources, such as
processing power, memory capacity, storage, and network bandwidth, that are
managed collectively.
Virtual Machine
A logical compute system that, like a physical compute system, runs an OS
and applications.
Configuration file
• Stores information, such as VM name, BIOS information, guest OS type, and
memory size
Virtual disk file
• Stores the contents of the VM's disk drive
Memory state file
• Stores the memory contents of a VM in a suspended state
Snapshot file
• Stores the VM settings and virtual disk of a VM
Log file
• Keeps a log of the VM's activity and is used in troubleshooting
VM Console
• VM console is an interface to view and manage the VMs on a
compute system or a cluster
VM Template
A master copy of a standardized virtual hardware and software
configuration that is used to create new VMs
Virtual Appliance
Preconfigured virtual machine(s) preinstalled with a guest OS and an
application dedicated to a specific function.
VM Network
A logical network that provides Ethernet connectivity and enables
communication between VMs within a compute system.
VM Network Components
Virtual switch
• A logical OSI Layer 2 Ethernet switch created in a compute system
• Connects VMs locally and also directs VM traffic to a physical network
• Forwards frames to a virtual switch port based on destination address
• A distributed virtual switch can function across multiple physical
compute systems
Virtual NIC
• Connects a VM to a virtual switch and functions like a physical NIC
• Has unique MAC and IP addresses
• Forwards the VM's network I/O in the form of Ethernet frames to the
virtual switch
Uplink NIC
• A physical NIC connected to the uplink port of a virtual switch
• Functions as an ISL between virtual and physical Ethernet switches
• Not addressable from the network
Abstracts the identity and internal functions of storage system(s) and
appears as physical storage to the compute system.
Thin LUN
• Does not require physical storage to be
completely allocated at the time of creation
• Consumes storage as needed from the
underlying storage pool in increments called
thin LUN extents
Thick LUN
• Physical storage is completely allocated at the
time of creation
A software-based logical network that is either a segment of a physical
network or spans across multiple physical networks.
Virtual LAN (VLAN)
A virtual network created on a LAN enabling communication between a group
of nodes with a common set of functional requirements, independent of their
physical location in the network.
A sub-VLAN that segregates the nodes within a standard VLAN, called the
primary VLAN. A PVLAN can be configured as either isolated or community.
Stretched VLAN
A VLAN that spans multiple sites and enables Layer 2 communication
between a group of nodes over a Layer 3 WAN infrastructure, independent of
their physical location.
Virtual Extensible LAN
A logical Layer 2 overlay network built on a Layer 3 network, which uses MAC-in-UDP encapsulation to enable communication between a group of nodes,
independent of their physical location.
Virtual SAN
A logical fabric, created on a physical FC or FCoE SAN, enabling communication
between a group of nodes with a common set of requirements, independent of
their physical location in the fabric.
Includes software tools that are responsible for managing and controlling the
underlying cloud infrastructure and enables provisioning of IT resources for creating
cloud services.
Management
Process of allocating resources effectively to a service instance from a pool of
resources and monitoring the resources that help in maintaining service levels.
Provisioning
It enables presenting a LUN to an application with more
capacity than is physically allocated to it on the storage
system.
A technique of establishing a hierarchy of different storage types for different
categories of data that enables storing the right data automatically to the right tier,
to meet the service level requirements.
A networking technique that prevents regular network traffic on a LAN or VLAN from
being disrupted by a network storm. A network storm occurs due to flooding of
frames on a LAN or VLAN, creating excessive traffic and resulting in degraded
network performance.
Network - Quality of Service (QoS)
Capability of a network to prioritize business-critical and latency-sensitive network
traffic and to provide better service to such traffic over less critical traffic. QoS
enables applications to obtain consistent service levels in terms of network
bandwidth, latency variations, and delay.
Approach: Integrated Services
• Application signals the network to inform network components about
required QoS
• Application can transmit data through the network only after receiving
confirmation from the network
Approach: Differentiated Services
• Priority specifications are inserted into network packets by applications
or by switches or routers
• Network uses the priority specification to classify traffic and then
manage network bandwidth based on the traffic class
IT resources that are packaged by the service providers and are offered to the
consumers.
Menu of services that lists services,
attributes of services, service level
commitments, terms and conditions for
service provisioning, and prices of
services.
Cloud Portal
A cloud portal is a web portal that presents the service catalog and cloud
interfaces, enabling consumers to order and manage cloud services in an on-demand, self-service way. A cloud portal is also accessed by the cloud
administrators to manage cloud infrastructure and the lifecycle of cloud
services.
Cloud Interface Standardization
A process to formulate a norm or a specification for common and repeated use
in regard to development and implementation of cloud interfaces for achieving
uniformity across service providers.
Interface Standards for Portability - OVF
Open Virtualization Format (OVF)
• Open standard for packaging and distribution of virtual
appliances
- Enables packaging services as virtual appliances and facilitates
portability across different cloud platforms
• OVF package includes metadata about VMs such as
- Number of processors, memory space, and network configuration
• Metadata is used by a cloud platform to deploy a service
Interoperability in cloud means the ability to communicate, run software, and transfer data among multiple clouds with a
uniform cloud interface. Interface standardization allows consumers to use their data and applications across multiple
clouds with a common cloud interface.
Automated arrangement, coordination, and management of various system or
component functions in a cloud infrastructure to provide and manage cloud
services.
A source-code-based specification intended to be used by software
components as an interface to communicate with each other. It specifies a set
of component functions that can be called from a software component to
interact with other software components.
A process of generating bills from the resource usage data for cloud services
using predefined billing policies.
A collection of interrelated hardware and/or software components that
constitute a service and work together upon deployment of a service.
An entry in the service catalog that describes a service template combined
with constraints, policies, rules, price, and SLA.
An agreement between the service provider and the service consumer stating
the terms of service usage. The two parties enter into a contract describing
agreements on pricing, SLAs, termination of service, and any specific
configuration options.
BC entails preparing for, responding to, and recovering from service outage that
adversely affects business operations.
Cloud Service Availability
Refers to the ability of a cloud service to perform its agreed function according to
business requirements and customer expectations during its specified time of
operation.
Service availability (%) = (Agreed service time - Downtime) / Agreed service time
(Agreed service time is the period where the service is supposed to be available)
Single Points of Failure
Refers to any individual component or aspect of an infrastructure whose failure can
make the entire system or service unavailable.
Compute Clustering
A technique where at least two compute systems (or nodes) work together and are
viewed as a single compute system to provide high availability and load balancing.
NIC Teaming
A link aggregation technique that groups NICs so that they appear as a single, logical
NIC to the OS or hypervisor.
Backup
An additional copy of production data, created and retained for the sole purpose of
recovering lost or corrupted data.
Data Deduplication
The process of detecting and identifying the unique data segments within a given set
of data to eliminate redundancy.
Replication
Process of creating an exact copy (replica) of the data for ensuring availability of
services.
Information Security
A term that includes a set of practices that protect information and information
systems from unauthorized access, use, information disclosure, disruption,
modification, or destruction.
- US Federal law (Title 38 Part IV, Chapter 57, Subchapter III, USC 5727)
• Confidentiality
Provides required secrecy of information
- Ensures only authorized users have access to data
• Integrity
- Ensures unauthorized changes to data are not allowed
• Availability
Ensures authorized users have reliable and timely access to
resources
• Authentication
- Process to ensure users or assets are who they claim to be by verifying
their identity credentials
- Two methods: single-factor and multi-factor
• Authorization
- Process of determining access rights of a user, device, application, or
process to a service or resource
- For example, a user with administrator's privileges is authorized to
access more services or resources compared to a user with non-administrator (for example, read-only) privileges.
- Authorization should be performed only if authentication is successful
• Auditing
- Process to evaluate the effectiveness of security enforcement
mechanisms
Defense-in-depth
A strategy in which multiple layers of defense are deployed throughout the
infrastructure to help mitigate the risk of security threats in case one layer of
the defense is compromised.
A set of all those components that are critical to the security of the cloud
infrastructure.
Refers to a situation where an existing security threat in a cloud may spread
rapidly and have large impact.
Malicious Insiders
An organization's current or former employee, contractor, or other business
partner who has or had authorized access to an organization's compute
systems, network, or storage.
- Computer Emergency Response Team (CERT)
Loss of Compliance
Occurs when a cloud service provider or cloud broker does not adhere to, and
demonstrate adherence to, external laws and regulations as well as corporate
policies and procedures.
A process of managing consumers' identifiers, and their authentication and
authorization to access cloud resources.
OAuth
An open authorization mechanism that allows a client to access protected resources
from a resource server on behalf of a resource owner.
Kerberos
A network authentication protocol, which provides strong authentication for
client/server applications by using secret-key cryptography. A client and server
can prove their identity to each other across an insecure network connection.
An open standard for authentication in which a service provider uses
authentication services from an OpenID provider.
Firewall
A security mechanism designed to examine data packets traversing a network and compare them to a set of
filtering rules.
A security tool that automates the process of detecting and preventing events
that can compromise the confidentiality, integrity, or availability of IT resources.
Adaptive Security
A mechanism that integrates with the cloud service providers' standalone
mechanisms such as IDPS and firewalls and uses heuristics to learn user
behavior and detect fraudulent activity.
Refers to the assignment of LUNs to specific host bus adapter world-wide
names.
Data Encryption
A cryptographic technique in which data is encoded and made indecipherable to
eavesdroppers or hackers.
A process of deleting data or residual representations (sometimes called
remanence) of data and making it unrecoverable.
Security as a Service
Refers to the provision of security applications and services via the cloud either
to cloud-based infrastructure and software or from the cloud to the customers'
on-premise systems. This will enable enterprises to make use of security
services in new ways, or in ways that would not be cost effective if provisioned
locally.
- Cloud Security Alliance, "Security as a Service" Version 1.0 (2011)
A term encompassing processes that help an organization to ensure that their
acts are ethically correct and in accordance with their risk appetite (the risk
level an organization chooses to accept), internal policies and external
regulations.
Determ ine the purpose, strategy, and operational rules by which companies are
directed and managed.
Risk and Risk Management
Risk is the effect of uncertainty on business objectives. Risk management is a
systematic process of assessing its assets, placing a realistic valuation on each
asset, and creating a risk profile that is rationalized for each information asset
across the business.
Compliance
Act of adhering to, and demonstrating adherence to, external laws and
regulations, corporate policies and procedures, service provider's own
demands, consumers' demands, and/or the demands of participating cloud
providers (in case of hybrid cloud and cloud brokers).
Compliance Management
Ensures that the cloud services, service creation processes, and cloud
infrastructure resources adhere to relevant policies and legal requirements.
Auditing
A process that determines the validity and reliability of information about the
enforcement of controls presented by a provider. Audit also provides an
assessment of the cloud provider's control mechanisms and their ability to
provide the consumers the logs required to verify the mechanisms.
Cloud Service Management
All of the service-related functions that are necessary for the management and
operation of those services required by or proposed to cloud consumers.
- NIST
Service Catalog Management
Goal
Ensure that a service catalog is created and maintained with accurate information on
all of the available services.
Financial Management
Goal
Manage the cloud service provider's budgeting, accounting, and billing requirements.
TCO and ROI
• Investment decisions are usually factored by Total Cost of
Ownership (TCO) and Return On Investment (ROI)
TCO = Σ (t = 1 to Service asset lifetime) [One-time costs + Recurring costs(t)]
ROI = (Gain from investment - Cost of investment) / Cost of investment
• One-time costs - CAPEX
- E.g. procurement and deployment costs of hardware
• Recurring costs - OPEX
- E.g. power, cooling, facility, and administration costs
Supplier Management
Goal
Ensure that all contracts with the suppliers of cloud products, technologies, and
supporting services meet the business requirements of the cloud service provider and
that the suppliers adhere to contractual commitments.
Service Asset and Configuration Management
Goal
Maintain information on configuration items (CIs) and their relationships. CIs are
components such as services, process documents, infrastructure components, people,
and SLAs that need to be managed in order to deliver services.
Change Management
Goal
Standardize change-related procedures in a cloud infrastructure for prompt handling of
all changes with minimal impact on service quality.
Capacity Management
Goal
Ensure that a cloud infrastructure is able to meet the required capacity demands for
cloud services in a cost-effective and timely manner.
Performance Management
Goal
Monitor, measure, analyze, and improve the performance of cloud infrastructure and
services.
Incident Management
Goal
Return cloud services to consumers as quickly as possible when unplanned events,
called ' incidents', cause an interruption to services or degrade service quality.
Problem Management
Goal
Prevent incidents that share common symptoms or, more importantly, root causes
from reoccurring, and to minimize the adverse impact of incidents that cannot be
prevented.
Availability Management
Goal
Ensure that stated availability commitments are consistently met.
Information Security Management
Prevent the occurrence of incidents or activities adversely affecting the confidentiality,
integrity and availability of information in cloud services and all service management
processes.
Protect corporate and consumer data to the extent required to meet the regulatory or
compliance concerns (both internal and external), and at reasonable/acceptable costs.