Cloud computing is typically classified in two ways:

Reference Model
A reference model is an abstract framework for understanding significant relationships among the entities of some environment, and for the development of consistent standards or specifications supporting that environment. It is based on a small number of unifying concepts and may be used as a basis for education and explaining standards. It is not directly tied to any standards, technologies, or other concrete implementation details, but it does seek to provide a common semantics that can be used unambiguously across and between different implementations.
- Organization for the Advancement of Structured Information Standards (OASIS)

Greenfield Deployment Option
Typically used when an infrastructure does not exist and an organization has to build the cloud infrastructure starting from the physical layer.

Brownfield Deployment Option
Used when some of the infrastructure entities already exist and can be transformed into cloud infrastructure by deploying the remaining entities required for the cloud infrastructure.

Governance
The active distribution of decision-making rights and accountability among different stakeholders in an organization. It also describes the rules and procedures for making and monitoring those decisions to determine and achieve the desired behaviors and results.

Service Level Agreement (SLA)
A contract negotiated between a provider and a consumer that specifies various parameters and metrics such as cost, service availability, maintenance schedules, performance levels, service desk response time, and the consumer's and provider's responsibilities.

Vendor Lock-in
A situation where a consumer is unable to move readily from the current provider to another.
Compute System Components
• Processor: An IC that executes software programs by performing arithmetical, logical, and input/output operations
• Random-Access Memory (RAM): A volatile data storage device containing the programs for execution and the data used by the processor
• Read-Only Memory (ROM): A semiconductor memory containing boot, power management, and other device-specific firmware
• Motherboard: A PCB that holds the processor, RAM, ROM, network and I/O ports, and other integrated components
• Chipset: A collection of microchips on a motherboard to manage specific functions, such as processor access to RAM and to peripheral ports

Storage Devices
• Magnetic disk drive
- Stores data on a circular disk with a ferromagnetic coating
- Provides random read/write access
- Most popular storage device with large storage capacity
• Solid-state (flash) drive
- Stores data on a semiconductor-based memory
- Very low latency per I/O, low power requirements, and very high throughput
• Magnetic tape drive
- Stores data on a thin plastic film with a magnetic coating
- Provides only sequential data access
- Low-cost solution for long-term data storage
• Optical disc drive
- Stores data on a polycarbonate disc with a reflective coating
- Write Once and Read Many capability: CD, DVD, BD
- Low-cost solution for long-term data storage

RAID
A storage technology in which data is written in blocks across multiple disk drives that are combined into a logical unit called a RAID group.

RAID Technique: Striping (RAID 0)
A RAID technique to spread data across multiple drives in order to use the drives in parallel.

RAID Technique: Mirroring (RAID 1)
A RAID technique to store the same data simultaneously on two different drives, yielding two copies of the data.
[Figure: applications on a compute system accessing drives through a RAID controller]

RAID Technique: Parity
A RAID technique to protect striped data from drive failure by performing a mathematical operation on individual strips and storing the result on a portion of the RAID group.

RAID Levels
• RAID 0: Striped set with no fault tolerance
• RAID 1: Disk mirroring
• RAID 1+0: Nested RAID (striping and mirroring)
• RAID 3: Striped set with parallel access and a dedicated parity disk
• RAID 5: Striped set with independent disk access and distributed parity
• RAID 6: Striped set with independent disk access and dual distributed parity

SAN vs NAS (Storage Area Network vs Network-Attached Storage)
• SAN is a high-speed, dedicated network of servers and shared storage devices
- Protocols: Fibre Channel (not "Fiber"), iSCSI
• NAS is an IP-based, dedicated, high-performance file sharing and storage device
- Protocols: CIFS (Windows), NFS (UNIX)

Storage Area Network (SAN)
A network that interconnects storage systems with compute systems, enabling the compute systems to access and share the storage systems.
• Based on the protocols they support, SANs can be classified as:
- Fibre Channel SAN (FC SAN)
- Internet Protocol SAN (IP SAN)
- Fibre Channel over Ethernet SAN (FCoE SAN)

FC SAN
A SAN that uses the Fibre Channel (FC) protocol to transport data, commands, and status information between compute and storage systems.

IP SAN
A SAN that uses Internet Protocol (IP) for the transport of storage traffic. It transports block I/O over an IP-based network.

iSCSI
iSCSI encapsulates SCSI commands and data into IP packets that are transported over an IP-based network.

FCIP
FCIP is an encapsulation of FC frames into IP packets that are transported between disparate FC SANs over an IP-based network through an FCIP tunnel.
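A worked illustration of the parity technique and the RAID 5 layout defined above. It is an added example, not part of the course notes; it assumes a constructed 4-drive RAID 5 group with 4-byte strips so the XOR arithmetic is visible, rotates the parity strip across drives (distributed parity, as opposed to the dedicated parity disk of RAID 3), rebuilds any single failed drive from the survivors, and flags a stripe whose parity no longer checks.

```python
# Added example: XOR parity on a RAID 5 group (constructed data, not from the notes).
from typing import List

STRIP_SIZE = 4  # bytes per strip; constructed for readability, real arrays use KB-sized strips


def xor_bytes(*chunks: bytes) -> bytes:
    """The 'mathematical operation' of RAID parity: bitwise XOR of equal-length strips."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def parity_drive_for(stripe_index: int, drives: int) -> int:
    """RAID 5 distributed parity: the parity strip moves one drive per stripe.
    (RAID 3 would instead pin parity to one dedicated disk.)"""
    return (drives - 1 - stripe_index) % drives


def stripe_with_parity(data: bytes, drives: int) -> List[List[bytes]]:
    """Stripe data across drives-1 data strips per stripe and add one parity strip.
    Returns a list of stripes; stripe[d] is the strip stored on drive d."""
    data_strips = drives - 1
    stripe_bytes = STRIP_SIZE * data_strips
    padded = data + b"\x00" * (-len(data) % stripe_bytes)  # pad the last stripe
    stripes = []
    for k, offset in enumerate(range(0, len(padded), stripe_bytes)):
        block = padded[offset:offset + stripe_bytes]
        strips = [block[i:i + STRIP_SIZE] for i in range(0, stripe_bytes, STRIP_SIZE)]
        p = parity_drive_for(k, drives)
        stripes.append(strips[:p] + [xor_bytes(*strips)] + strips[p:])
    return stripes


def read_data(stripes: List[List[bytes]], drives: int) -> bytes:
    """Reassemble user data, skipping each stripe's parity strip
    (demo only: the trailing zero padding is stripped)."""
    out = bytearray()
    for k, stripe in enumerate(stripes):
        p = parity_drive_for(k, drives)
        out += b"".join(s for d, s in enumerate(stripe) if d != p)
    return bytes(out).rstrip(b"\x00")


def rebuild_drive(stripes: List[List[bytes]], failed: int) -> List[bytes]:
    """Single-drive failure: each strip on the failed drive equals the XOR of the
    surviving strips, because data strips XOR parity strip == 0 in a consistent stripe."""
    return [xor_bytes(*(s for d, s in enumerate(stripe) if d != failed)) for stripe in stripes]


def stripe_consistent(stripe: List[bytes]) -> bool:
    """Parity check (as done when scrubbing): consistent iff XOR of all strips is zero."""
    return not any(xor_bytes(*stripe))


if __name__ == "__main__":
    DRIVES = 4
    group = stripe_with_parity(b"RAID parity demo", DRIVES)
    lost = 1
    assert rebuild_drive(group, lost) == [st[lost] for st in group]
    print("rebuilt drive", lost, "from parity; data reads back as", read_data(group, DRIVES))
```

Losing a second drive before the rebuild completes leaves a stripe with two unknowns and one XOR equation, which is the gap RAID 6's second (dual) parity closes.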
FCoE SAN
A converged enhanced Ethernet (CEE) network that uses the FCoE protocol to transport FC data along with regular Ethernet traffic over high-speed Ethernet links. FCoE encapsulates FC frames into Ethernet frames.

Virtualization
Refers to the logical abstraction of physical resources, such as compute, network, and storage, that enables a single hardware resource to support multiple concurrent instances of systems, or multiple hardware resources to support a single instance of a system.

Hypervisor
Software that is installed on a compute system and enables multiple OSs to run concurrently on a physical compute system.

Resource Pool
A logical abstraction of the aggregated computing resources, such as processing power, memory capacity, storage, and network bandwidth, that are managed collectively.

Virtual Machine
A logical compute system that, like a physical compute system, runs an OS and applications.

VM Files
• Configuration file: Stores information such as VM name, BIOS information, guest OS type, and memory size
• Virtual disk file: Stores the contents of the VM's disk drive
• Memory state file: Stores the memory contents of a VM in a suspended state
• Snapshot file: Stores the VM settings and virtual disk of a VM
• Log file: Keeps a log of the VM's activity and is used in troubleshooting

VM Console
An interface to view and manage the VMs on a compute system or a cluster.

VM Template
A master copy of a virtual hardware and software configuration that is used to create new VMs.

Virtual Appliance
Preconfigured virtual machine(s) preinstalled with a guest OS and an application dedicated to a specific function.

VM Network
A logical network that provides Ethernet connectivity and enables communication between VMs within a compute system.

VM Network Components
• Virtual switch
- A logical OSI Layer 2 Ethernet switch created in a compute system
- Connects VMs locally and also directs VM traffic to a physical network
- Forwards frames to a virtual switch port based on destination address
- A distributed virtual switch can function across multiple physical compute systems
• Virtual NIC
- Connects a VM to a virtual switch and functions like a physical NIC
- Has unique MAC and IP addresses
- Forwards the VM's network I/O in the form of Ethernet frames to the virtual switch
• Uplink NIC
- A physical NIC connected to the uplink port of a virtual switch
- Functions as an ISL between virtual and physical Ethernet switches
- Not addressable from the network

Abstracts the identity and internal functions of storage system(s) and appears as physical storage to the compute system.

Thin LUN
• Does not require physical storage to be completely allocated at the time of creation
• Consumes storage as needed from the underlying storage pool in increments called thin LUN extents

Thick LUN
• Physical storage is completely allocated at the time of creation

Virtual Network
A software-based logical network that is either a segment of a physical network or spans across multiple physical networks.

Virtual LAN (VLAN)
A virtual network created on a LAN enabling communication between a group of nodes with a common set of functional requirements, independent of their physical location in the network.

Private VLAN (PVLAN)
A sub-VLAN that segregates the nodes within a standard VLAN, called the primary VLAN. A PVLAN can be configured as either isolated or community.

Stretched VLAN
A VLAN that spans multiple sites and enables Layer 2 communication between a group of nodes over a Layer 3 WAN infrastructure, independent of their physical location.

Virtual Extensible LAN (VXLAN)
A logical Layer 2 overlay network built on a Layer 3 network, which uses MAC-in-UDP encapsulation to enable communication between a group of nodes, independent of their physical location.
Virtual SAN
A logical fabric, created on a physical FC or FCoE SAN, enabling communication between a group of nodes with a common set of requirements, independent of their physical location in the fabric.

Includes software tools that are responsible for managing and controlling the underlying cloud infrastructure and enables provisioning of IT resources for creating cloud services.

Management
Process of allocating resources effectively to a service instance from a pool of resources and monitoring the resources that help in maintaining service levels.

Thin Provisioning
Enables presenting a LUN to an application with more capacity than is physically allocated to it on the storage system.

Storage Tiering
A technique of establishing a hierarchy of different storage types for different categories of data that enables storing the right data automatically on the right tier, to meet the service level requirements.

Storm Control
A networking technique that prevents regular network traffic on a LAN or VLAN from being disrupted by a network storm. A network storm occurs due to flooding of frames on a LAN or VLAN, creating excessive traffic and resulting in degraded network performance.

Network Quality of Service (QoS)
Capability of a network to prioritize business-critical and latency-sensitive network traffic and to provide better service to such traffic over less critical traffic. QoS enables applications to obtain consistent service levels in terms of network bandwidth, latency variations, and delay.

QoS Approaches
• Integrated Services
- Application signals the network to inform network components about the required QoS
- Application can transmit data through the network only after receiving confirmation from the network
• Differentiated Services
- Priority specifications are inserted into network packets by applications or by switches or routers
- Network uses the priority specification to classify traffic and then manages network bandwidth based on the traffic class

Cloud Service
IT resources that are packaged by the service providers and offered to the consumers.

Service Catalog
Menu of services that lists services, attributes of services, service level commitments, terms and conditions for service provisioning, and prices of services.

Cloud Portal
A cloud portal is a web portal that presents the service catalog and cloud interfaces, enabling consumers to order and manage cloud services in an on-demand, self-service way. A cloud portal is also accessed by the cloud administrators to manage cloud infrastructure and the lifecycle of cloud services.

Cloud Interface Standardization
A process to formulate a norm or a specification for common and repeated use in regard to development and implementation of cloud interfaces, for achieving uniformity across service providers.

Interface Standards for Portability: OVF
Open Virtualization Format (OVF)
• Open standard for packaging and distribution of virtual appliances
- Enables packaging services as virtual appliances and facilitates portability across different cloud platforms
• OVF package includes metadata about VMs such as
- Number of processors, memory space, and network configuration
• Metadata is used by a cloud platform to deploy a service

Interoperability
In cloud, means the ability to communicate, run software, and transfer data among multiple clouds with a uniform cloud interface. Interface standardization allows consumers to use their data and applications across multiple clouds with a common cloud interface.

Orchestration
Automated arrangement, coordination, and management of various system or component functions in a cloud infrastructure to provide and manage cloud services.

Application Programming Interface (API)
A source-code-based specification intended to be used by software components as an interface to communicate with each other.
It specifies a set of component functions that can be called from a software component to interact with other software components.

Billing
A process of generating bills from the resource usage data for cloud services using predefined billing policies.

Service Template
A collection of interrelated hardware and/or software components that constitute a service and work together upon deployment of a service.

Service Offering
An entry in the service catalog that describes a service template combined with constraints, policies, rules, price, and SLA.

Service Contract
An agreement between the service provider and the service consumer stating the terms of service usage. The two parties enter into a contract describing agreements on pricing, SLAs, termination of service, and any specific configuration options.

Business Continuity (BC)
BC entails preparing for, responding to, and recovering from a service outage that adversely affects business operations.

Cloud Service Availability
Refers to the ability of a cloud service to perform its agreed function according to business requirements and customer expectations during its specified time of operation.

Service availability (%) = (Agreed service time - Downtime) / Agreed service time
(Agreed service time is the period during which the service is supposed to be available.)

Single Point of Failure
Refers to any individual component or aspect of an infrastructure whose failure can make the entire system or service unavailable.

Compute Clustering
A technique where at least two compute systems (or nodes) work together and are viewed as a single compute system to provide high availability and load balancing.

NIC Teaming
A link aggregation technique that groups NICs so that they appear as a single, logical NIC to the OS or hypervisor.

Backup
An additional copy of production data, created and retained for the sole purpose of recovering lost or corrupted data.

Data Deduplication
The process of detecting and identifying the unique data segments within a given set of data to eliminate redundancy.
Replication
Process of creating an exact copy (replica) of the data for ensuring availability of services.

Information Security
A term that includes a set of practices that protect information and information systems from unauthorized access, use, information disclosure, disruption, modification, or destruction.
- US Federal law (Title 38, Part IV, Chapter 57, Subchapter III, USC 5727)

• Confidentiality
- Provides required secrecy of information
- Ensures only authorized users have access to data
• Integrity
- Ensures unauthorized changes to data are not allowed
• Availability
- Ensures authorized users have reliable and timely access to resources
• Authentication
- Process to ensure users or assets are who they claim to be by verifying their identity credentials
- Two methods: single-factor and multi-factor
• Authorization
- Process of determining the access rights of a user, device, application, or process to a service or resource
- For example, a user with administrator's privileges is authorized to access more services or resources compared to a user with non-administrator (for example, read-only) privileges. Authorization should be performed only if authentication is successful
• Auditing
- Process to evaluate the effectiveness of security enforcement mechanisms

Defense-in-depth
A strategy in which multiple layers of defense are deployed throughout the infrastructure to help mitigate the risk of security threats in case one layer of the defense is compromised.

Trusted Computing Base (TCB)
A set of all those components that are critical to the security of the cloud infrastructure.

Velocity of Attack
Refers to a situation where an existing security threat in a cloud may spread rapidly and have a large impact.

Malicious Insiders
An organization's current or former employee, contractor, or other business partner who has or had authorized access to an organization's compute systems, network, or storage.
- Computer Emergency Response Team (CERT)

Loss of Compliance
Occurs when a cloud service provider or cloud broker does not adhere to, and demonstrate adherence to, external laws and regulations as well as corporate policies and procedures.

Identity and Access Management (IAM)
A process of managing consumers' identifiers, and their authentication and authorization to access cloud resources.

OAuth
An open authorization mechanism that allows a client to access protected resources from a resource server on behalf of a resource owner.

Kerberos
A network authentication protocol which provides strong authentication for client/server applications by using secret-key cryptography. A client and server can prove their identity to each other across an insecure network connection.

OpenID
An open standard for authentication in which a service provider uses authentication services from an OpenID provider.

Firewall
A security mechanism designed to examine data packets traversing a network and compare them to a set of filtering rules.

Intrusion Detection and Prevention System (IDPS)
A security tool that automates the process of detecting and preventing events that can compromise the confidentiality, integrity, or availability of IT resources.

Adaptive Security
A mechanism that integrates with the cloud service provider's standalone mechanisms, such as IDPS and firewalls, and uses heuristics to learn user behavior and detect fraudulent activity.

LUN Masking
Refers to the assignment of LUNs to specific host bus adapter world-wide names.

Data Encryption
A cryptographic technique in which data is encoded and made indecipherable to eavesdroppers or hackers.

Data Shredding
A process of deleting data or residual representations (sometimes called remanence) of data and making it unrecoverable.

Security as a Service
Refers to the provision of security applications and services via the cloud, either to cloud-based infrastructure and software or from the cloud to the customers' on-premise systems.
This will enable enterprises to make use of security services in new ways, or in ways that would not be cost effective if provisioned locally.
- Cloud Security Alliance, "Security as a Service" Version 1.0 (2011)

Governance, Risk, and Compliance (GRC)
A term encompassing processes that help an organization ensure that its acts are ethically correct and in accordance with its risk appetite (the risk level an organization chooses to accept), internal policies, and external regulations.

Governance
Determines the purpose, strategy, and operational rules by which companies are directed and managed.

Risk and Risk Management
Risk is the effect of uncertainty on business objectives. Risk management is a systematic process of assessing its assets, placing a realistic valuation on each asset, and creating a risk profile that is rationalized for each information asset across the business.

Compliance
Act of adhering to, and demonstrating adherence to, external laws and regulations, corporate policies and procedures, the service provider's own demands, consumers' demands, and/or the demands of participating cloud providers (in the case of hybrid cloud and cloud brokers).

Compliance Management
Ensures that the cloud services, service creation processes, and cloud infrastructure resources adhere to relevant policies and legal requirements.

Auditing
A process that determines the validity and reliability of information about the enforcement of controls presented by a provider. Audit also provides an assessment of the cloud provider's control mechanisms and their ability to provide the consumers the logs required to verify the mechanisms.

Cloud Service Management
All of the service-related functions that are necessary for the management and operation of those services required by or proposed to cloud consumers.
- NIST

Service Catalog Management
Goal: Ensure that a service catalog is created and maintained with accurate information on all of the available services.
Financial Management
Goal: Manage the cloud service provider's budgeting, accounting, and billing requirements.

TCO and ROI
• Investment decisions are usually factored by Total Cost of Ownership (TCO) and Return On Investment (ROI)

TCO = Σ (t = 1 to service asset lifetime) [One-time costs + Recurring costs(t)]
ROI = (Gain from investment - Cost of investment) / Cost of investment

• One-time costs: CAPEX, e.g. procurement and deployment costs of hardware
• Recurring costs: OPEX, e.g. power, cooling, facility, and administration costs

Supplier Management
Goal: Ensure that all contracts with the suppliers of cloud products, technologies, and supporting services meet the business requirements of the cloud service provider and that the suppliers adhere to contractual commitments.

Service Asset and Configuration Management
Goal: Maintain information on configuration items (CIs) and their relationships. CIs are components such as services, process documents, infrastructure components, people, and SLAs that need to be managed in order to deliver services.

Change Management
Goal: Standardize change-related procedures in a cloud infrastructure for prompt handling of all changes with minimal impact on service quality.

Capacity Management
Goal: Ensure that a cloud infrastructure is able to meet the required capacity demands for cloud services in a cost-effective and timely manner.

Performance Management
Goal: Monitor, measure, analyze, and improve the performance of cloud infrastructure and services.

Incident Management
Goal: Return cloud services to consumers as quickly as possible when unplanned events, called "incidents", cause an interruption to services or degrade service quality.

Problem Management
Goal: Prevent incidents that share common symptoms or, more importantly, root causes from reoccurring, and minimize the adverse impact of incidents that cannot be prevented.

Availability Management
Goal: Ensure that stated availability commitments are consistently met.
Information Security Management
Goal: Prevent the occurrence of incidents or activities adversely affecting the confidentiality, integrity, and availability of information in cloud services and all service management processes. Protect corporate and consumer data to the extent required to meet the regulatory or compliance concerns (both internal and external), and at reasonable/acceptable costs.