cloud-computing-unit-4

Unit 4 covers resource management and security in cloud computing, emphasizing the importance of efficient resource allocation and management to meet performance objectives. It discusses various aspects such as inter-cloud resource management, backup auditing, provisioning types, and the significance of automating provisioning processes. Additionally, it highlights key security measures and planning necessary for protecting cloud infrastructure and data, including identity management, encryption, and understanding service models.

Uploaded by

shivam25012003
Cloud Computing UNIT 4

UNIT 4
(Resource management and security)
Resource management is the process of allocating computing, storage, networking
and energy resources to a set of applications in order to meet performance
objectives and requirements of the infrastructure providers and the cloud users.

Resource management basically deals with the selection, allotment, scheduling
and deployment of resources, and so on.

Resource management is a core function required for any cloud system,
and inefficient resource management has a direct negative effect on
performance and cost, while it can also indirectly affect system functionality,
becoming too expensive or ineffective due to poor performance.

Cloud resource management requires complex policies and decisions for multi-
objective optimization. Effective resource management is extremely challenging
due to the scale of the cloud infrastructure and to the unpredictable interactions of
the system with a large population of users.

Inter Cloud resource management

Resource management across multiple clouds is known as inter-cloud resource
management.

These resources are built to perform resource discovery, matching, selection,
composition, negotiation, scheduling and monitoring operations.

The cloud provider performs a number of tasks to ensure efficient use of cloud
resources.

Audit System Backups

Backups must be audited in a timely manner by restoring randomly selected
files of different users, to ensure that they can be restored. Backups can be
performed in the following ways:
• Backing up files by the company, from on-site computers to the disks that
reside within the cloud.
• Backing up files by the cloud provider.
It is necessary to know whether the cloud provider has encrypted the data and who
has access to that data; if the backup is kept at different locations, the user
must know the details of those locations.
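The restore audit described above can be automated. The following is an added Python example, not part of the original notes: it records SHA-256 hashes at backup time, then test-restores a random sample of each user's files and compares them. The `restore_file` callback, the directory layout and the sample data are assumptions made for illustration.

```python
import hashlib
import random
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash in chunks so large backup files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_root):
    """At backup time, record {user: {relative path: sha256}} from live data."""
    manifest = {}
    for user_dir in sorted(p for p in Path(source_root).iterdir() if p.is_dir()):
        manifest[user_dir.name] = {
            f.relative_to(user_dir).as_posix(): sha256_file(f)
            for f in sorted(user_dir.rglob("*")) if f.is_file()
        }
    return manifest


def audit_backup(manifest, restore_file, per_user=2, seed=None):
    """Test-restore a random sample of each user's files and compare hashes."""
    # restore_file(user, rel_path, dest) is a hypothetical callback: it copies one
    # file out of the backup into dest and returns False if the backup lacks it.
    rng = random.Random(seed)
    findings = []
    with tempfile.TemporaryDirectory() as scratch:
        for user, files in sorted(manifest.items()):
            sample = rng.sample(sorted(files), min(per_user, len(files)))
            for n, rel in enumerate(sample):
                dest = Path(scratch) / f"{user}_{n}"
                if not restore_file(user, rel, dest):
                    findings.append((user, rel, "missing from backup"))
                elif sha256_file(dest) != files[rel]:
                    findings.append((user, rel, "hash mismatch"))
    return sorted(findings)


def demo():
    """Constructed data: two users; the backup has one corrupt and one lost file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "live", Path(tmp) / "backup"
        for user, name, body in [("alice", "a.txt", b"payroll"),
                                 ("alice", "b.txt", b"notes"), ("bob", "c.txt", b"contracts")]:
            (src / user).mkdir(parents=True, exist_ok=True)
            (src / user / name).write_bytes(body)
        manifest = build_manifest(src)
        shutil.copytree(src, bak)
        (bak / "alice" / "b.txt").write_bytes(b"n0tes")  # silent corruption
        (bak / "bob" / "c.txt").unlink()                 # lost from the backup

        def restore_file(user, rel, dest):
            stored = bak / user / rel
            if not stored.is_file():
                return False
            shutil.copyfile(stored, dest)
            return True
        return audit_backup(manifest, restore_file, per_user=10, seed=1)
```

An empty findings list means every sampled file restored with the hash recorded at backup time; any entry is a backup that would not have restored correctly.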
Data Flow of the System

The managers are responsible for developing a diagram describing a detailed
process flow. This process flow describes the movement of data belonging to an
organization throughout the cloud solution.
Vendor Lock-In Awareness and Solutions

The managers must know the procedure to exit from services of a particular cloud
provider. The procedures must be defined to enable the cloud managers to export
data of an organization from their system to another cloud provider.
Knowing Provider’s Security Procedures

The managers should know the security plans of the provider for the following
services:
• Multitenant use

• E-commerce processing
• Employee screening
• Encryption policy
Monitoring Capacity Planning and Scaling Capabilities

The managers must understand capacity planning in order to verify whether the
cloud provider can meet the future capacity requirements of the business.
The managers must also manage the scaling capabilities to ensure that services
can be scaled up or down as per user need.
Monitor Audit Log Use

In order to identify errors in the system, managers must audit the logs on a regular
basis.
Solution Testing and Validation

When the cloud provider offers a solution, it is essential to test it in order to ensure
that it gives the correct result and it is error-free. This is necessary for a system to
be robust and reliable.

Resource Provisioning
In general, Provisioning means making something available, or “providing”.
The allocation of resources and services from a cloud provider to a customer is
known as resource provisioning in cloud computing, sometimes called cloud
provisioning. Resource provisioning is the process of choosing, deploying, and
managing software (like load balancers and database server management
systems) and hardware resources (including CPU, storage, and networks) to
assure application performance.
To utilize the resources effectively without violating the SLA while achieving
the QoS requirements, Static Provisioning/Dynamic Provisioning and
Static/Dynamic Allocation of resources must be established based on the
application needs. Resource over- and under-provisioning must be prevented.
Power usage is another significant restriction. Care should be taken with VM
placement to reduce power consumption and dissipation. There should be
techniques to avoid excess power consumption.
Therefore, the ultimate objective of a cloud user is to rent resources at the lowest
possible cost, while the objective of a cloud service provider is to maximize
profit by effectively distributing resources.
Provisioning covers a variety of processes, which include:
• Server Provisioning
• User Provisioning
• Network Provisioning
• Device Provisioning
• Internet Access Provisioning
1. Server provisioning: It is the process of giving a server in a network the
resources it will need to operate, which depends completely on the job
that particular server is doing. So it is important to gather information about a
server’s intended use before provisioning. There are many kinds of servers,
categorized according to their uses; each of them has unique provisioning
requirements, and the choice of the server itself will be driven by the intended
use. For example, there are file servers, policy servers, mail servers, and
application servers, just to name a few. Server provisioning includes processes
such as adjusting control panels, installing operating systems and other
software, or even replicating the set-up of other servers. Generally, server
provisioning is a process that constructs a new machine, bringing it up to speed
and defining the system’s desired state.
2. User Provisioning: User provisioning is identity management that monitors
authorization and authentication of privileges and rights in a business or
information technology infrastructure. This technology is involved in modifying,
disabling, creating, and deleting user accounts and profiles. In a business setup,
this is important as it automates administrative workforce activities, off-
boarding, and on-boarding activities.
3. Network Provisioning: Network provisioning is mainly concerned with
setting up a network in an information technology environment so that devices,
servers, and authorized users can gain access to it. Network provisioning is
becoming more widespread in corporations, and it focuses on limiting access to a
system to only specified users. The procedure begins when the network is first
set up and users are granted access to specific devices and servers. It is
paramount that security and connectivity are given priority in this provisioning
so as to safeguard identity and device management.
4. Device Provisioning: This technology is mostly used when you’re deploying
your IoT network. In this, a device is configured, secured, customized, and
certified, after which a user is allocated these devices. This enables improved
device management, flexibility, and device sharing.
5. Internet-access Provisioning: This simply means granting internet access to
individuals and devices on a network. Although it may appear straightforward,
there is a lot more to it: it necessitates the installation of firewalls, virus
protection, cyber security tools, and editing software, among other things.
Furthermore, everything will need to be correctly configured, which could take
some time. This is especially true for larger networks, which will necessitate a
higher level of protection.

How to Automate Provisioning:-

In traditional information technology infrastructure, provisioning was handled
manually, which included configuring hardware to the desired settings and
setting up physical servers. A lot has changed, as now the infrastructure is
defined by containers, software, and virtualization. You can automate
provisioning through infrastructure as code. In this way, one does not need to
manually provision and manage servers, storage, and operating systems each
time an application is developed or deployed. Developers need only execute a
script to have their infrastructure ready, which eases the majority of provisioning
work. It also means you can divide your infrastructure into modular components
that can then be combined in different ways through automation. This gives you
a template to follow for provisioning through automation tools such as Ansible.
Importance of Automating Provisioning:

• Assured compliance: through automated provisioning and various other
access policies, you can control who’s granted access to which tools and
applications, and trace the account activity.
• Easily scalable: because change is a constant in any organization,
automated provisioning allows you to scale your infrastructure at the pace of
your business.
• Optimized transparency across users: automated provisioning grants users
access to tools and applications based on their roles and permission levels
inside the organization.
• It also saves money, as automation cuts onboarding and operational costs.
It saves IT and human resources departments time, which translates to money
saved.
• With “Track and Audit”, you will get an audit trail of how access roles
are being created, who was granted access, and what they received access to.
• Automation improves the productivity of HR and IT resources during
on-boarding and provisioning services as it reduces the labor involved in
traditional provisioning.
Provisioning is an important aspect of a business and IT infrastructure because it
enables the organization and allocation of resources efficiently for maximum
profit and productivity. It is essential to provision your resources accordingly as
this will determine the success of your business.

Importance of Cloud Provisioning:

• Scalability: Being able to actively scale up and down with flux in demand
for resources is one of the major points of cloud computing
• Speed: Users can quickly spin up multiple machines as per their usage
without the need for an IT Administrator
• Savings: Pay as you go model allows for enormous cost savings for users,
it is facilitated by provisioning or removing resources according to the
demand

Challenges of Cloud Provisioning:

• Complex management: Cloud providers have to use various different
tools and techniques to actively monitor the usage of resources.
• Policy enforcement: Organisations have to ensure that users are not able
to access the resources they shouldn’t.
• Cost: With automated provisioning, costs may go very high if proper
checks are not put in place. Alerts about reaching the cost threshold are
required.

Tools for Cloud Provisioning:

• Google Cloud Deployment Manager
• IBM Cloud Orchestrator
• AWS CloudFormation
• Microsoft Azure Resource Manager
Types of Cloud Provisioning:

• Static Provisioning or Advance Provisioning: Static provisioning can be
used successfully for applications with known and typically constant
demands or workloads. In this instance, the cloud provider allots the
customer a set number of resources. The client can thereafter utilize
these resources as required. The client is in charge of making sure the
resources aren’t overutilized. This is an excellent choice for applications with
stable and predictable needs or workloads. For instance, a customer might
want to use a database server with a set quantity of CPU, RAM, and storage.
When a consumer contracts with a service provider for services, the supplier
makes the necessary preparations before the service can begin. Either a
one-time cost or a monthly fee is applied to the client.
Resources are pre-allocated to customers by cloud service providers. This
means that before consuming resources, a cloud user must select how much
capacity they need in a static sense. Static provisioning may result in issues
with over- or under-provisioning.
• Dynamic provisioning or On-demand provisioning: With dynamic
provisioning, the provider adds resources as needed and subtracts them as
they are no longer required. It follows a pay-per-use model, i.e. the clients are
billed only for the exact resources they use. Consumers must pay for each use
of the resources that the cloud service provider allots to them as needed and
when necessary. The pay-as-you-go model is another name for this.
“Dynamic provisioning” techniques allow VMs to be moved on-the-fly to
new computing nodes within the cloud, in situations where demand by
applications may change or vary. This is a suitable choice for programs with
erratic and shifting demands or workloads. For instance, a customer might
want to use a web server with a configurable quantity of CPU, memory, and
storage. In this scenario, the client can utilize the resources as required and
only pay for what is really used. The client is in charge of ensuring that the
resources are not oversubscribed; otherwise, fees can skyrocket.
• Self-service provisioning or user self-provisioning: In user self-
provisioning, sometimes referred to as cloud self-service, the customer uses a
web form to acquire resources from the cloud provider, sets up a customer
account, and pays with a credit card. Shortly after, resources are made
accessible for consumer use.

Security Overview
Cloud security is a collection of security measures designed to protect
cloud-based infrastructure, applications, and data. These measures ensure user
and device authentication, data and resource access control, and data privacy
protection.

Security in cloud computing is a major concern. Data in the cloud should be
stored in encrypted form. To restrict clients from accessing the shared data
directly, proxy and brokerage services should be employed.
5 Key Areas of Cloud Security
• Identity and Access Management.
• Securing Data in the Cloud.
• Securing the Operating System.
• Protecting the Network Layer.
• Managing Security Monitoring, Alerting, Audit Trail, and Incident Response.

Security Management in the Cloud:-

Security management in the cloud is a set of strategies designed to allow a
business to use cloud applications and networks to their greatest potential while
limiting potential threats and vulnerabilities. This is often done with several
independent tactics:

• Identifying and assessing cloud services. First, you need to spend time
identifying which cloud products and services are being used in your organization,
and which ones might be considered in the future. Then, you’ll need to assess and
audit those items, analyzing their security and potential vulnerabilities.

• Auditing and adjusting native security settings. Within each application,
you’ll have full control of your own privacy and security settings. It’s on your
cloud security team to understand which settings are available, and take full
advantage of them to grant your organization the highest possible level of security.

• Encrypting data. In many cases, you’ll need to take extra efforts to prevent
data loss and preserve data integrity by encrypting your data and securing your
connections. It’s your responsibility to allow legitimate network traffic and block
suspicious traffic.

• Managing devices. Cloud applications allow you to reduce the amount of
physical infrastructure you maintain, but you and your employees will still be
accessing data and services with specific devices. You’ll need some way to manage
and monitor those devices to ensure only authorized devices can access your data.

• Managing users. Similarly, you’ll need to consider user-level controls.
Establish varying levels of user permissions, to restrict access to your most
valuable or sensitive information, and change user permissions as necessary to
allow secure access.

• Reporting. It’s also important to monitor cloud activity from a high level,
and report on that activity so you can better understand your risks and ongoing
operations.

Security Planning
Before deploying a particular resource to the cloud, one should analyze several
aspects of the resource, such as:
• Select the resource that needs to move to the cloud and analyze its sensitivity
to risk.
• Consider cloud service models such as IaaS, PaaS, and SaaS. These models
require the customer to be responsible for security at different levels of service.
• Consider the cloud type to be used, such as public, private,
community or hybrid.
• Understand the cloud service provider's system for data storage and its
transfer into and out of the cloud.
The risk in cloud deployment mainly depends upon the service models and cloud
types.
Understanding Security of Cloud
Security Boundaries

A particular service model defines the boundary between the responsibilities of
the service provider and the customer. The Cloud Security Alliance (CSA) stack
model defines the boundaries between each service model and shows how different
functional units relate to each other. The following diagram shows the CSA stack
model:

Key Points to CSA Model

• IaaS is the most basic level of service, with PaaS and SaaS the next two levels
above it.
• Moving upwards, each service inherits the capabilities and security concerns of the
model beneath.
• IaaS provides the infrastructure, PaaS provides platform development environment, and
SaaS provides operating environment.
• IaaS has the least level of integrated functionalities and integrated security while SaaS
has the most.
• This model describes the security boundaries at which cloud service provider's
responsibilities end and the customer's responsibilities begin.
• Any security mechanism below the security boundary must be built into the system and
should be maintained by the customer.
Although each service model has its own security mechanisms, the security needs also depend
upon where these services are located: in a private, public, hybrid or community cloud.
Understanding Data Security
Since all the data is transferred over the Internet, data security is of major concern in the cloud.
Here are key mechanisms for protecting data.

• Access Control
• Auditing
• Authentication
• Authorization
All of the service models should incorporate security mechanisms operating in all of the
above-mentioned areas.
Isolated Access to Data
Since data stored in the cloud can be accessed from anywhere, we must have a mechanism to
isolate data and protect it from direct access by clients.
Brokered Cloud Storage Access is an approach for isolating storage in the cloud. In this
approach, two services are created:
• A broker with full access to storage but no access to client.
• A proxy with no access to storage but access to both client and broker.
Working Of Brokered Cloud Storage Access System
When the client issues a request to access data:
• The client data request goes to the external service interface of the proxy.
• The proxy forwards the request to the broker.
• The broker requests the data from the cloud storage system.
• The cloud storage system returns the data to the broker.
• The broker returns the data to the proxy.
• Finally the proxy sends the data to the client.
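The request flow above, as an added Python example that is not part of the original notes. The three classes are in-process stand-ins for what would be separate services; the HMAC tag between proxy and broker, the tokens, the ACL and the object names are assumptions chosen to show the proxy applying authentication, authorization and auditing without ever holding the storage credential.

```python
import hashlib
import hmac
import secrets


class CloudStorage:
    """Stand-in for the cloud storage system; it accepts only the broker's key."""
    def __init__(self, storage_key, objects):
        self._key, self._objects = storage_key, dict(objects)
    def get(self, credential, name):
        if not hmac.compare_digest(credential, self._key):
            raise PermissionError("storage: bad credential")
        return self._objects[name]


def request_tag(secret, user, name):
    """MAC that lets the broker verify a request was issued by the proxy."""
    return hmac.new(secret, f"{user}\n{name}".encode(), hashlib.sha256).digest()


class Broker:
    """Full access to storage, no client-facing interface: it answers the proxy only."""
    def __init__(self, storage, storage_key, proxy_secret):
        self._storage, self._key, self._secret = storage, storage_key, proxy_secret
    def fetch(self, user, name, tag):
        if not hmac.compare_digest(tag, request_tag(self._secret, user, name)):
            raise PermissionError("broker: request not issued by the proxy")
        return self._storage.get(self._key, name)


class Proxy:
    """Faces clients and the broker; it is never given the storage credential."""
    def __init__(self, broker_fetch, proxy_secret, tokens, acl):
        self._fetch, self._secret = broker_fetch, proxy_secret
        self._tokens, self._acl, self.audit = tokens, acl, []
    def handle(self, token, name):
        user = self._tokens.get(token)                                   # authentication
        allowed = user is not None and name in self._acl.get(user, ())   # authorization
        self.audit.append((user, name, "allow" if allowed else "deny"))  # auditing
        if not allowed:
            raise PermissionError("proxy: access denied")
        return self._fetch(user, name, request_tag(self._secret, user, name))


def demo():
    """Constructed objects, tokens and ACL; every name here is illustrative."""
    storage_key, proxy_secret = secrets.token_bytes(32), secrets.token_bytes(32)
    storage = CloudStorage(storage_key, {"alice/report.txt": b"Q3 figures",
                                         "bob/plan.txt": b"roadmap"})
    broker = Broker(storage, storage_key, proxy_secret)
    proxy = Proxy(broker.fetch, proxy_secret, {"tok-alice": "alice"},
                  {"alice": {"alice/report.txt"}})
    out = {"own_object": proxy.handle("tok-alice", "alice/report.txt")}
    attempts = {
        "other_users_object": lambda: proxy.handle("tok-alice", "bob/plan.txt"),
        "client_to_broker": lambda: broker.fetch("alice", "bob/plan.txt", bytes(32)),
        "client_to_storage": lambda: storage.get(b"guess", "bob/plan.txt"),
    }
    for label, call in attempts.items():
        try:
            out[label] = call()
        except PermissionError as exc:
            out[label] = str(exc)
    return out, proxy.audit
```

Only the first request is served; the other three are refused at the proxy, the broker and the storage system respectively, and the proxy's audit list records both client requests it saw.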
All of the above steps are shown in the following diagram:
Encryption
Encryption helps to protect data from being compromised. It protects data that is being
transferred as well as data stored in the cloud. Although encryption helps to protect data from
any unauthorized access, it does not prevent data loss.
