Chapter 10: Virtualization and Cloud Security
Level of Control in the Hosting Models
One way to examine the differences between the cloud models and on-premises computing is to look at who controls what aspect of the model. In Figure 10-1, you can see that the level of control over the systems goes from complete self-control in on-premises computing to complete vendor control in XaaS.
Platform as a Service (PaaS)
Platform as a Service (PaaS) is a marketing term used to describe the offering of a computing platform in the cloud. Multiple sets of software working together to provide services, such as database services, can be delivered via the cloud as a platform. PaaS offerings generally focus on security and scalability, both of which are characteristics that fit with cloud and platform needs.
Services Integration
Services integration is the connection of infrastructure and software elements to provide specific services to a business entity. Connecting processing, storage, databases, web, communications, and other functions into an integrated comprehensive solution is the goal of most IT organizations.
Software as a Service (SaaS)
Software as a Service (SaaS) is the offering of software to end users from within the cloud. Rather than installing software on client machines, SaaS acts as software on demand, where the software runs from the cloud. This has a couple of advantages: updates can be seamless to end users, and integration between components can be enhanced. Common examples of SaaS are products offered via the Web as subscription services, such as Microsoft Office 365 and Adobe Creative Suite.
Software-Defined Networking (SDN)
Software-defined networking (SDN) is a network architecture in which the control plane and the data plane are separated. This allows networking hardware to be placed under programmatic control, even while it is processing data. Traditional network architectures have the data plane and the control plane coexisting on the same device, and one result is reduced flexibility in changing the network.
Virtual Machine (VM) Sprawl Avoidance
Sprawl is the uncontrolled spreading and disorganization caused by lack of an organizational structure when many similar elements require management. An organization needs to implement VM sprawl avoidance through policy. It can avoid VM sprawl through naming conventions and proper storage architectures so that the files are in the correct directory/folder, making finding the correct VM easy and efficient.
On-Premises vs. Off-Premises
Systems can exist in a wide array of places—from on-premises, to hosted, to in the cloud. On-premises means the system resides locally in the building of the organization. Whether it's a virtual machine (VM), storage, or even a service, if the solution is locally hosted and maintained, it is referred to as "on-premises." Off-premises or hosted services refer to having the services hosted somewhere else, commonly in a shared environment. Using a third party for hosted services provides you with a set cost based on the amount of those services you use.
Cloud Models
There are many different cloud deployment models. Clouds can be created by many entities, both internal and external to an organization. Many commercial cloud services are available from a variety of firms, ranging from Google and Amazon to smaller, local providers. Internally, an organization's own services can replicate the advantages of cloud computing while improving the utility of limited resources.
Serverless Architecture
A serverless architecture simplifies a lot of things and adds significant capabilities. By specifying the resources needed in terms of processing power, the cloud provider can spin up the necessary resources. Because you are in essence renting from a large pool of resources, this gives you the ability to have surge capacity, where for a period of time you increase capacity to handle some specific upturn in usage.
Type I
Type I hypervisors run directly on the system hardware. They are referred to as native, bare-metal, or embedded hypervisors in typical vendor literature. Type I hypervisors are designed for speed and efficiency, as they do not have to operate through another OS layer. Examples of Type I hypervisors include KVM (Kernel-based Virtual Machine, a Linux implementation), Xen (Citrix Linux implementation), Microsoft Windows Server Hyper-V (a headless version of the Windows OS core), and VMware's vSphere/ESXi platforms.
Type II
Type II hypervisors run on top of a host operating system. In the beginning of the virtualization movement, Type II hypervisors were most popular. Administrators could buy the VM software and install it on a server they already had running.
Containers
Virtualization enables multiple OS instances to coexist on a single hardware platform. The concept of containers is similar, but rather than having multiple independent OSs, a container holds the portions of an OS that it needs separate from the kernel.
TIP: Containers are a form of operating system virtualization. They are a packaged-up combination of code and dependencies that help applications run quickly in different computing environments.
Virtualization
Virtualization technology is used to enable a computer to have more than one OS present and, in many cases, operating at the same time. Virtualization is an abstraction of the OS layer, creating the ability to host multiple OSs on a single piece of hardware. To enable virtualization, a hypervisor is employed. A hypervisor is a low-level program that allows multiple operating systems to run concurrently on a single host computer.
TIP: A hypervisor is the interface between a virtual machine and the host machine hardware. Hypervisors comprise the layer that enables virtualization. Two types of hypervisors exist: Type I and Type II.
VM Escape Protection
When multiple VMs are operating on a single hardware platform, one concern is VM escape, where software, either malware or an attacker, escapes from one VM to the underlying OS. Once the VM escape occurs, the attacker can attack the underlying OS or resurface in a different VM.
Anything as a Service (XaaS)
With the growth of cloud services, applications, storage, and processing, the scale provided by cloud vendors has opened up new offerings that are collectively called Anything as a Service (XaaS). The wrapping of the previously mentioned SaaS and IaaS components into a particular service (say, Disaster Recovery as a Service) creates a new marketable item.
Transit Gateway
A transit gateway is a network connection that is used to interconnect virtual private clouds (VPCs) and on-premises networks. Using transit gateways, organizations can define and control communication between resources on the cloud provider's network and their own infrastructure. Transit gateways are unique to each provider and are commonly implemented to support the administration of the provider's cloud environment.
Public Cloud
A public cloud refers to a cloud service that is rendered over a system open for public use. In most cases, there is little operational difference between public and private cloud architectures, but the security ramifications can be substantial.
Fog Computing
Cloud computing has been described by pundits as using someone else's computer. If this is the case, then fog computing is using someone else's computers. Fog computing is a distributed form of cloud computing, in which the workload is performed on a distributed, decentralized architecture.
Cloud Service Providers
Cloud service providers (CSPs) come in many sizes and shapes, with a myriad of different offerings, price points, and service levels. There are the mega-cloud providers, Amazon, Google, Microsoft, and Oracle, which have virtually no limit to the size they can scale to when needed. There are smaller firms, with some offering reselling from the larger clouds and others hosting their own data centers. Each of these has a business offering, and the challenge is determining which offering best fits the needs of your project or company.
Edge Computing
Edge computing refers to computing performed at the edge of a network. Edge computing has been driven by network vendors that have processing power on the network and wish to open new markets rather than relying solely on existing ones.
Software-Defined Visibility (SDV)
For a network device to operate on data, it must see the data flow. Firewalls can't manage data they don't see, so firewalls are physically positioned throughout the network in line with the system's physical architecture. Just as software-defined networking has changed how networks are managed, software-defined visibility (SDV) is an extension of this infrastructure as code idea for the network visibility problem.
Private Cloud
If your organization is highly sensitive to sharing resources, you may wish to use a private cloud. Private clouds are essentially reserved resources used only by your organization—your own little cloud within the cloud. This setup will be considerably more expensive, but it should also carry less exposure and should enable your organization to better define the security, processing, and handling of data and so on that occurs within your cloud.
Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) is a marketing term used to describe cloud-based systems that are delivered as a virtual solution for computing. Rather than firms needing to build data centers, IaaS allows them to contract for utility computing as needed. IaaS is specifically marketed on a pay-per-use basis, scalable directly with need.
Infrastructure as Code
Infrastructure as code is the use of machine-readable definition files as well as code to manage and provision computer systems. By making the process of management programmable, there are significant scalability and flexibility advantages.
Resource Policies
Management of cloud resources and services is done via resource policies. Each cloud service provider has a different manner of allowing you to interact with their menu of services, but in the end, you are specifying the resource policies you wish applied to your account.
Microservices/API
An application programming interface (API) is a means for specifying how one interacts with a piece of software. Let's use a web service as an example: if it uses the representational state transfer (REST) API, then the defined interface is a set of four actions expressed in HTTP:
• GET Get a single item or a collection.
• POST Add an item to a collection.
• PUT Edit an item that already exists in a collection.
• DELETE Delete an item in a collection.
Microservices is a different architectural style. Rather than defining the inputs and outputs, microservices divide a system into a series of small modules that can be coupled together to produce a complete system.
Community Cloud
A community cloud system is one where several organizations with a common interest share a cloud environment for the specific purposes of the shared endeavor. For example, local public entities and key local firms may share a community cloud dedicated to serving the interests of community initiatives. This can be an attractive cost-sharing mechanism for specific data-sharing initiatives.
Hybrid
A hybrid cloud structure is one where elements from private, public, and community cloud structures are combined. When considering a hybrid structure, you need to remain cognizant that, operationally, these differing environments are not actually joined together but rather are used together. For example, sensitive information can be stored in a private cloud and issue-related information can be stored in the community cloud, yet all of this information is accessed by an application. This makes the overall system a hybrid cloud system.
Managed Service Provider (MSP) / Managed Security Service Provider (MSSP)
A managed service provider (MSP) is a company that remotely manages a customer's IT infrastructure. A managed security service provider (MSSP) does the same thing as a third party that manages security services. For each of these services, the devil is in the details. The scope of the engagement, as spelled out in the details of the contract, defines what is being provided by the third party, and nothing else.
Thin Client
A thin client is a lightweight computer, with limited resources, whose primary purpose is to communicate with another machine. Thin clients can be very economical when they are used to connect to more powerful systems.