ITC Quiz 4

Common types of cloud IaaS

see slide 10

Types of PaaS

• IaaS-centric PaaS • SaaS-centric PaaS • Generic PaaS

Typical Capabilities offered by IaaS

Data Center, Physical Hardware, Compute Instances, Image catalog, Storage, LAN, WAN Connectivity, Control plane and self-service interfaces, IAM, Support,

Shadow IT

If you don't support SaaS, users may bypass IT purchasing protocol and procure on their own

IaaS

Infrastructure as a Service. a cloud computing service where the service provider is responsible for everything below the operating system (OS) layer i.e., compute, storage and networking resources, and the subscriber is responsible for managing the operating system and everything above it, such as middleware, data and applications.

IaaS - Potential issues and concerns

Network dependence • Compatibility with legacy security vulnerabilities • Virtual machine sprawl • Verifying authenticity of an IaaS cloud provider web site • Robustness of VM-level isolation • Data erase practices • Browser based risks

SaaS-centric PaaS

Offers clear focus on productivity and simplicity which are mostly restricted and tailored to a specific SaaS solution

SaaS

"Software deployed as a hosted service and accessed over the Internet." [Microsoft] • With SaaS, a provider licenses an application to customers as a service on demand, through a subscription, in a "pay-as-yougo" model

SaaS Scope of control

Cloud provider is responsible for deploying, configuring, updating, and managing the operation of the application. This includes managing the hardware, database services, user authentication services, identity management, account management, etc. Eg. Outlook Web App • Consumer only possesses control over the application-specific resources. Eg. Create, send, store emails

Actors in IaaS

Cloud service provider • It is the entity that delivers the service; it may be the subscriber's internal IT organization, or it may be via an external service provider Subscriber/client • It is the entity that receives the service • A subscriber may be an entire business, a business unit, a team, or (rarely) an individual • A subscriber may have multiple "end users" — individuals that are using the service

IaaS - Cluster Manager

Cluster Manager is responsible for the operation of a collection of computers that are connected via high speed local area networks • A computer cluster may contain hundreds or thousands of computers. A Cluster Manager receives resource allocation commands and queries from the Cloud Manager, and calculates whether part or all of a command can be satisfied using the resources of the computers in the cluster • A Cluster Manager queries the Computer Managers for the computers in the cluster to determine resource availability, and returns messages to the Cloud Manager on whether part, or all, of a request can be satisfied in a cluster • A Cluster Manager then instructs the Computer Managers to perform resource allocation, and reconfigures the virtual network infrastructure to give the consumer uniform access • It is connected to Persistent Local Storage (PLS) and manages it. Virtual machines need persistent disk-like storage to preserve their work while virtual machines are de-allocated and later reallocated

Security and Privacy with Public SaaS

Control user accounts and authentication to most effectively reduce SaaS failure. Develop and enforce policies for SaaS requirements analysis, assessment and risk responsibility. Ensure that contingency plans have been developed for the failure or shutdown of your critical SaaS services. Investigate the use of cloud access security brokers to track enterprise and department use of SaaS

IaaS - Data center

• Usually the service provider will host the infrastructure in its data center. The provider may own or lease its data center, or it may use a colocation facility • Regardless of the mode of ownership, the provider is responsible for ensuring that the physical environment meets the service delivery commitments

IaaS - WAN connectivity

• When the offering is hosted in the provider's data center, the provider is responsible for connecting the offering to the subscriber's chosen telecommunications provider, so that the subscriber can obtain private connectivity • If the offering is hosted in the subscriber's data center, the subscriber is normally responsible for the WAN

IaaS - Storage

A compute instance needs access to files or block storage; at minimum, it requires a boot volume with an operating system. Eg. AWS Elastic Block Store • This type of storage is distinct from what is commonly known as "cloud storage," which is object-based, API-accessible storage. Eg. Box

Pass Model - Management

A management layer allows control over the deployed applications and the configuration settings of the platform. The management layer includes the abilities to deploy and manage the lifecycle of the applications. This encompasses pushing, starting, and stopping of applications. • The provisioning of all native services and add-ons is initiated from the management tier.

IaaS - Support

A provider will normally offer customer support for billing and administrative tasks as part of the offering • It may also offer "community" support, where customers can ask questions in the support forums • A provider may offer more options for technical support for additional cost

IaaS - Compute Instances

An instance can be a virtual machine or a bare-metal server • If virtual machines, the service provider is responsible for operating the virtualization management and hypervisor layer

When is PaaS a good choice?

Application Time to Market is a key pressure for development teams - the ability to quickly move an application from concept to production should take as little time as possible • Considerable over-provisioned infrastructure - data center consolidation efforts can be the catalyst to begin to adopt PaaS techniques • Difficulty aligning application utilization with stakeholders - across a large application portfolio, PaaS will provide better metrics support for usage and chargeback • High operational costs - the net reduction of administrators for a set of applications has a measurable impact on the bottom line. • High degree of custom craftsmanship per application environment - when the loss of a single administrator has catastrophic consequences for application maintenance, it may be time to consider PaaS. PaaS encourages repeatable, formalized processes for administration using centralized management tools

Who are the consumers of PaaS?

Application developers, who design and implement an application's software. • Application testers, who run applications in various (possibly cloud-based) testing environments. • Application deployers, who publish completed (or updated) applications into the cloud, and manage possible conflicts arising from multiple versions of an application. • Application administrators, who configure, tune, and monitor application performance on a platform. • Application end users, who subscribe to the applications deployed on a PaaS cloud.

SaaS service offerings use cases - Business logic

Applications in this area connect businesses with their suppliers, employees, investors, and customers. Examples include invoicing, funds transfer, inventory management, and customer relationship management

SaaS service offerings use cases - Learning management system

Applications in this area focus on administration, documentation, tracking, reporting and delivery of education courses or training programs. Examples include computer based trainings, and self-paced learning tutorials

SaaS service offerings use cases -Collaboration

Applications in this area help teams of people work together, either within or between organizations. Examples include calendar systems, email, screen sharing, collaborative document authoring, conference management, and online gaming

SaaS service offerings use cases - Office productivity

Applications in this area implement the applications that typify office environments such as word processors, spreadsheet programs, presentation programs, and file storage

SaaS service offerings use cases - Software tools

Applications in this area solve security or compatibility problems and support new software development. Examples include format conversion tools, security scanning and analysis, compliance checking, and Web development

Where (public) SaaS may not make sense

Applications where extremely fast processing of real time data is required. Example includes flight control systems or factory robot controls • Applications which involve bulk consumer data. It may not be feasible to transfer large data in real time over wide area networks to a SaaS provider • Applications where legislation or other regulation does not permit data being hosted externally • 'Critical' applications

PaaS application lifecycle

Build Applications -> Land First release -> Maintain App -> Land releases->End of Life

PaaS - Application development and deployment

Developers code their applications using common programming languages and development frameworks, such as PHP, Java*, and .NET*. • With PaaS, application developers do not need an installation kit, don't have to order and configure servers or virtual machines, and don't have to copy files from one server to another. • The application is pushed to the cloud from a command-line interface or directly from an interactive development environment (IDE) using a plug-in. • The application is analyzed by PaaS and then hosted in the runtime container, which matches the application's resource requirements. The platform also provides elastic scaling, high availability, automatic configuration, load balancing, and management tools.

SaaS Integration architecture

Integrating a SaaS application into your environment will create data dependencies that require data to be synchronized and moved between the SaaS application and one or more in-house applications • "Bootstrapping" the SaaS application with preexisting data from an onpremise source • Configuring a SaaS application to depend on data produced by an on-premise source for part of its functionality • Configuring an on-premise application to depend on data produced by a SaaS application for part of its functionality • An integration broker is used to manage data movement and system integration.

IaaS - Cloud Manager

It is responsible for user accounts and high-level allocation of resources within the overall cloud • It is the public access point to the cloud - subscribers sign up and login to their account, manage their resources, and access data stored in the cloud • When a subscriber requests to rent a number of resources, the Cloud Manager determines if the cloud has enough free resources to satisfy the request, and if so, which Cluster Manager (or Managers) have some or all the resources • If the request can be satisfied, the Cloud Manager commits to the allocation of the resources at the participating Cluster Managers, and must coordinate the setup of virtual networking so that the consumer can uniformly access all resources • It enforces any cloud-global policies governing resource requests • It is connected to Data Object Storage (DOS). DOS stores data; it needs to be accessible from VMs/instances in the cloud as well as from external systems (eg. Box). Cloud Manager manages and tracks the access to DOS

Maturity model of the service-centric IT - Level 3

Level 3 is about service-portfolio optimization. The service portfolio is enhanced with additional options coming from SaaS providers, allowing the enterprise to further optimize its IT strategy and cost allocation decisions

Recommendations for IaaS systems

Multi-tenancy - When an IaaS cloud provider provides computing resources in the form of Virtual Machines (VMs), ensure that the provider has mechanisms in place to protect VMs from attacks (a) from other VMs on the same physical host (b) from the physical host as well as (c) from network originated attacks • Data Protection - Analyze the IaaS provider's data protection mechanisms, data location configuration and processing technologies, and assess whether they will meet the confidentiality, compliance, integrity and availability needs of the organization that will be using the provider's infrastructure • Secure Data Deletion - Require that a cloud provider offer a mechanism for reliably deleting data on a consumer's request • Administrative Access - When renting computing resources from an IaaS cloud provider in the form of virtual machines or physical servers, ensure that a limited set of trained/trusted users alone are provided administrative access to those resources. • VM Migration - Formulate a strategy for future migration of Virtual Machines and their associated storage among alternate cloud providers • Virtualization Best Practices - Follow best practices for the administration of conventional systems and networks, and for use of virtualization (refer to NIST 800-125)

SaaS provider/consumer interaction dynamics

Same application could be accessed by multiple clients; however the cloud provider usually provisions unique execution environment to each customer even for the same application • This ensures logical isolation of resources between clients

IaaS - Cloud architecture considerations

The operation of an IaaS cloud is a cyclical process of consumer requests flowing in and down through the hierarchy, and responses flowing back up to consumers • When physical hardware wears out or fails, the cloud's structure and algorithms must allow for its replacement without wide-scale service interruptions. The underlying mobility of virtual machines is an important tool for accommodating the inevitable need for hardware replacement • In addition, providers generally use virtualization to transparently add new capacity in the form of additional computers within clusters or additional clusters to accommodate growth in demand for cloud services

PaaS Model - Platform:

The platform is the main deliverable of a PaaS offering and includes the application hosting environment delivered as a service. • Two stacks of components are decisive: The runtime stack and the service stack. Both stacks can be combined via bindings. • The runtime stack includes the basic runtimes offered by the PaaS, i.e. the programming languages that applications can be written in. • The services stack is divided into native and add-on services. Native services are hosted and operated by the PaaS vendor typically co-located to the PaaS environment inside the same infrastructure. Add-ons are provisioned from within the PaaS with the add-on provider and are directly billed as additional part of platform fees.

PaaS - Scope of control

The provider operates and controls the lowest layers - hardware (encompassing compute, storage, and network) and the operating system. • At the middleware layer, the provider makes programming and utility interfaces available to the consumer; these interfaces provide the execution environment within which consumer applications run and provide access to needed resources such as CPU cycles, memory, etc. • Consumer makes use of the interfaces and develops, implements and deploys applications.

IaaS - Control plane and self-service interfaces

The provider provides self-service interfaces to the subscriber in the form of a Web-based portal, and an API • The subscriber can then use the API to implement additional automation

IaaS - Physical Hardware

The service provider will own and operate all the hardware associated with the offering • Hardware includes servers, storage arrays and network devices • In some cases (private cloud IaaS offering), the subscriber can choose as well as own hardware

IaaS - LAN

There must be a LAN between compute instances, as well as a LAN between compute instances and any network-attached storage devices • The provider is responsible for LAN operations • Many providers offer higher-level networking functions as well, such as loadbalancing, network security, and DNS

Characteristics of SaaS

Web access to commercial software • Software is managed from a central location • Software delivered in a "one to many" model - multitenancy • Users not required to handle software upgrades and patches • Application Programming Interfaces (APIs) allow for integration between different pieces of software

IaaS providers

see slide 20

Integrating IaaS Services

see slide 9

SaaS Challenges

• Browser based risks • Network dependence • Lack of portability between SaaS clouds • Configurable, but less scope for customization

Where SaaS makes sense

• "Vanilla" offerings where the solution is largely undifferentiated. Most firms may use the same software because is is a fundamental requirement for doing business, but does not itself confer an competitive advantage • Applications where there is significant interplay between the organization and the outside world • Applications that have a significant need for web or mobile access • Software that is only to be used for a short term need • Software where demand spikes significantly

PaaS

• A Platform-as-a-Service (PaaS) cloud provides a toolkit for conveniently developing, deploying, and administering application software and that can potentially be accessed from any point in the Internet. • PaaS clouds will typically provide a set of software building blocks and a set of development tools such as programming languages and supporting run-time environments that facilitate the construction of high-quality, scalable applications.

IaaS - Image catalog

• An image catalog contains, at minimum OS images that are supplied by the provider — for instance, Linux and Windows images • More advanced image catalogs may contain images that are supplied by the subscriber or third parties; images may include other software in addition to the OS

Maturity model of the service-centric IT - Level 1

• At level 1, the enterprise user needs are rudimentarily addressed by a collection of siloed applications

Maturity model of the service-centric IT - Level 2

• At level 2, the enterprise user needs are better addressed through a service portfolio, each consisting of related applications offering a more complete set of functionalities

Maturity model of the service-centric IT - Level 4

• At level 4, in-the-cloud and on-premise services are seamlessly integrated, offering a platform for composing applications closely aligned with business tasks

IaaS - Computer Manager

• Computer Manager is responsible for managing VMs running on individual computers. • In response to queries from its Cluster Manger, a Computer Manager returns status information including how many virtual machines are running and how many can still be started • In response to commands issued from its Cluster Manager, a Computer Manager uses the command interface of its hypervisor to start, stop, suspend, and reconfigure virtual machines, and to set the local virtual network configuration • It ensures that virtual machines running on behalf of different consumers must appear to be isolated from one another

SaaS readiness

• Considerations • Technical considerations • Financial considerations • Political considerations • Legal considerations

IaaS - Common Use Cases

• Development environments: • SaaS hosting • Consumer-facing hosting • Business-to-business (B2B) hosting • Batch computing • General business applications • Enterprise applications • Disaster recovery (DR)

Benefits of PaaS

• Enhanced agility • Reduced complexity • Greater standardization and extensibility • Improved resource utilization

SaaS efficiency

• Favoring efficiency • The SaaS application concurrently serves multiple clients and saves data in a combined database • The separation of clients should be accounted for during the design and engineering of the application itself • Less secure; more efficient

SaaS Isolation

• Favoring isolation • Each client has a separate running copy of the application and a separate data store • The separation between clients is provided by the operating system • More secure; less efficient

PaaS Recommendations for vendor selection

• Generic interface - evaluate whether the application infrastructure interfaces provided in that platform are generic enough to support portability and interoperability of the application. • Standard languages and tools • Standard data access protocols (eg. SQL) • Data protection - analyze the PaaS provider's data protection mechanisms • Security - ensure that a PaaS application can be configured to run in a secure manner and can be integrated with existing enterprise security frameworks such as IAM.

Benefits of SaaS

• High adoption rate • Lower initial costs • Reduced administration • Painless upgrades • Seamless scalability

PaaS Model

• Infrastructure • Platform • Management

SaaS Integration broker

• Integrates in-house applications and SaaS applications • Pipeline architecture • Add and remove modules that perform specific integration operations • Essential part of the Enterprise Application Integration (EAI) framework • Integration Platform as a Service (iPaaS) • Cloud services enabling development, execution and governance of integration flows connecting any combination of on premises and cloud-based processes, services, applications and data • Example vendors - Dell Boomi, MuleSoft

PaaS Concerns

• Lack of portability between PaaS clouds • Browser based risks • Network dependence • Isolation of execution environments for different consumers

Logical IaaS Cloud Architecture

• Layered and abstract model Three level hierarchy • Cloud Manager • Cluster Manager • Compute Manager

Generic PaaS

• Offers application platform that consists of a set of language runtimes, frameworks, services, and other components an application can be programmed to

IaaS-centric PaaS

• Offers streamlined deployment of applications on top of the IaaS stack while still retaining full control over the underlying infrastructure

IaaS Benefits

• Savings in up-front costs • Flexibility and on demand capacity • Faster time to market • High availability, DR and BC

SaaS Recommendations for vendor selection

• Security - confidentiality, integrity, availability • Meet compliance requirements • Integration with on premise systems • Customization • Cross platform compatibility across operating systems and browsers • Mobile compatibility • Disaster recovery and data backup • Data deletion policy • Well defined and clear service level agreement • Upgrades and patch management

PaaS Model - Infrastructure:

• The PaaS infrastructure tier abstracts the physical infrastructure and adds another layer on top of IaaS capabilities or directly abstracts the bare hardware. • A PaaS vendor typically offers several deployment regions or at least the appropriate region for the application's customer base. This is an essential for the following reasons: • Speed of access • Legal issues • Data security regulations

Paas - The provider's responsibilities

• The cloud provider maintains an (1) inventory of applications (2) a set of development tools, and (3) a set of execution environments • The development tools might include programming languages, compilers, interfaces, testing tools, and mechanisms to deploy an application once it's finished • An execution environment can be a physical computer, a virtual machine, storage resources, and programs that can service client requests

IaaS - IAM

• The provider will provide mechanisms for logging into the Web-based portal, and authenticating against the API • The access permissions are usually controlled via role-based access control (RBAC)