Week 4 Microsoft Azure


WEEK 4

Microsoft Azure:

Microsoft Azure is a growing collection of integrated cloud services which developers and IT
professionals use to build, deploy and manage applications through a global network of datacenters.

Protect your business with the most trusted cloud

Azure helps to protect assets through a rigorous methodology and focus on security, privacy,
compliance and transparency.

Azure Web Apps

• Highly scalable, self-patching web hosting service.

• Prerequisites

– To complete this demo:
– Install Git
– Install Python

Configure a deployment user using the command

– A deployment user is required for FTP and local Git deployment to a web app.
– az webapp deployment user set --user-name <username> --password <password>

Create an Azure App Service plan

App Service plans define:

– Region (for example: North Europe, East US, or Southeast Asia)
– Instance size (small, medium, or large)
– Scale count (1 to 20 instances)
– SKU (Free, Shared, Basic, Standard, or Premium)

Prepared by Divya B
Configure local Git deployment

App Service supports several ways to deploy content to a web app, such as FTP, local Git, GitHub, Visual
Studio Team Services, and Bitbucket. For this quickstart, you deploy by using local Git. That means you
deploy by using a Git command to push from a local repository to a repository in Azure.

Google Cloud Platform

Google Cloud Platform is a set of services that enables developers to build, test and deploy applications
on Google’s reliable infrastructure.

Google manages your application, database and storage servers so you don’t have to.

• Managed services
• Developer tools and SDKs
• Console and administration

Mix and Match Services

• Virtual machines
• Managed platform
• Blob storage
• Block storage
• NoSQL datastore
• MySQL database
• Big Data analytics

Google Cloud Platform has all the services your application architecture needs.

• Compute
• Storage
• Services

Google Cloud Platform Services – from User end!

• Consider migrating your web application to Google Cloud Platform for better performance using Google App Engine.
• Your application should go wherever your users go: scale your application using Google Cloud Endpoints.
• Integrate Google’s services into your application using Google APIs.

WEEK 5

Service Level Agreement

A formal contract between a Service Provider (SP) and a Service Consumer (SC)

SLA contains Service Level Objectives (SLOs)

– Objectively measurable conditions for the service

– SLA & SLO: basis of selection of cloud provider

Cloud Properties:

• Common infrastructure

– pooled, standardized resources, with benefits generated by statistical multiplexing.

• Location independence

– ubiquitous availability meeting performance requirements, with benefits deriving from latency
reduction and user experience enhancement.

• Online connectivity

– an enabler of the other attributes, ensuring service access. Costs and performance impacts of network
architectures can be quantified using traditional methods.

• Utility pricing

– usage-sensitive or pay-per-use pricing, with benefits applying in environments with variable demand
levels.

• On-demand resources

– scalable, elastic resources provisioned and de-provisioned without delay or costs associated with
change.

MapReduce

– Implement large scale search

– Text processing on massively scalable web data stored using BigTable and the GFS distributed file system

• Example:

– Hadoop: open source implementation of MapReduce (developed at Yahoo!)

– Available on pre-packaged AMIs on Amazon EC2 cloud platform

• Parallel programming abstraction

• Used by many different parallel applications which carry out large-scale computation involving
thousands of processors

• Leverages a common underlying fault-tolerant implementation

• Two phases of MapReduce:

– Map operation

– Reduce operation

• A configurable number of M ‘mapper’ processors and R ‘reducer’ processors are assigned to work on
the problem

• The computation is coordinated by a single master process
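An added example (not part of these notes) of the two-phase model described above: a word count over a constructed three-document corpus, where a master function hands input splits to M mappers, hash-partitions the intermediate pairs to R reducers, and merges their output. The corpus, function names and the choice of M and R are assumptions for illustration.

```python
import re
import zlib
from collections import defaultdict

# Constructed sample corpus: each string stands in for one input split
# (for example one chunk of a file stored in GFS / HDFS).
DOCUMENTS = [
    "the cloud is a pool of shared resources",
    "the cloud scales on demand",
    "shared resources scale in the cloud",
]


def map_words(doc):
    """Map task: emit an intermediate (word, 1) pair for every word in one split."""
    return [(word, 1) for word in re.findall(r"[a-z]+", doc.lower())]


def partition(key, num_reducers):
    """Route an intermediate key to one of the R reducers by hashing it.
    crc32 is deterministic across runs, unlike Python's salted hash()."""
    return zlib.crc32(key.encode()) % num_reducers


def reduce_counts(key, values):
    """Reduce task: fold all values seen for one key into a single result."""
    return key, sum(values)


def run_mapreduce(docs, num_mappers, num_reducers):
    """Master process: hands splits to M mappers, shuffles the intermediate
    pairs into R partitions, runs the reducers and merges their output."""
    shards = [docs[i::num_mappers] for i in range(num_mappers)]
    # Each mapper keeps R output buckets, one per reducer: mapper -> reducer -> key -> values.
    buckets = [[defaultdict(list) for _ in range(num_reducers)] for _ in range(num_mappers)]
    for m, shard in enumerate(shards):
        # Map tasks are pure functions of their split, so the master can simply
        # re-run a task on another node if a mapper fails (fault tolerance).
        for doc in shard:
            for key, value in map_words(doc):
                buckets[m][partition(key, num_reducers)][key].append(value)
    # Shuffle: reducer r gathers bucket r from every mapper, then reduces per key.
    results = {}
    for r in range(num_reducers):
        grouped = defaultdict(list)
        for m in range(num_mappers):
            for key, values in buckets[m][r].items():
                grouped[key].extend(values)
        for key, values in grouped.items():
            out_key, out_value = reduce_counts(key, values)
            results[out_key] = out_value
    return results


if __name__ == "__main__":
    print(run_mapreduce(DOCUMENTS, num_mappers=2, num_reducers=3))
```

The result is independent of M and R because every occurrence of a key is routed to exactly one reducer.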

Resource types

Physical resource

• Computer, disk, database, network, scientific instruments.

Logical resource

• Execution, monitoring, application communication.

Resource Management

The term resource management refers to the operations used to control how the capabilities provided by
Cloud resources and services can be made available to other entities, whether users, applications, or
services, in an efficient manner.

Data Center Power Consumption

• Currently it is estimated that servers consume 0.5% of the world’s total electricity usage.

• Server energy demand doubles every 5-6 years.

• This results in large amounts of CO2 produced by burning fossil fuels.

• Need to reduce the energy used with minimal performance impact.

Green Computing

Advanced scheduling schemas to reduce energy consumption.

• Power aware

• Thermal aware

• Performance/Watt is not following Moore’s law.

Data center designs to reduce Power Usage Effectiveness.

• Cooling systems
• Rack design

VM Management

• Monitor Cloud usage and load.

When load decreases:

– Live migrate VMs to more utilized nodes.
– Shut down unused nodes.

When load increases:

– Use WOL (Wake-on-LAN) to start up waiting nodes.
– Schedule new VMs to the new nodes.

Minimizing VM Instances

• Virtual machines are loaded!

• Lots of unwanted packages.

• Unneeded services.

• Are multi-application oriented, not service oriented.

Clouds are based on a Service Oriented Architecture.

• Need a custom lightweight Linux VM for service oriented science.

• Need to keep VM image as small as possible to reduce network latency.

Resource Management for IaaS

• Infrastructure-as-a-Service (IaaS) is the most popular cloud service.

• In IaaS, cloud providers offer resources that include computers as virtual machines, raw (block)
storage, firewalls, load balancers, and network devices.

• One of the major challenges in IaaS is resource management.

Resource Management Aspects

• Resource provisioning
• Resource allocation
• Resource requirement mapping
• Resource adaptation
• Resource discovery
• Resource brokering
• Resource estimation
• Resource modeling

Resource Management – Challenges (Logical resources)

• Operating system
• Energy
• Network throughput/bandwidth
• Load balancing mechanisms
• Information security
• Delays
• APIs (Application Programming Interfaces)
• Protocols

Resource provisioning approach

Resource Allocation Approaches

Resource Mapping Approaches

Resource Adaptation Approaches

Performance Metrics for Resource Management

• Reliability

• Ease of deployment

• QoS

• Delay

• Control overhead

WEEK 6

CLOUD SECURITY I

Security - Basic Components

Confidentiality

• Keeping data and resources hidden

Integrity

• Data integrity (integrity)
• Origin integrity (authentication)

Availability

• Enabling access to data and resources

Security Attacks

Four types of attack:

1. Interruption

2. Interception

3. Modification

4. Fabrication

Interruption: Attack on availability

Interception: Attack on confidentiality

Modification: Attack on integrity

Fabrication: Attack on authenticity

Classes of Threats

• Disclosure: snooping
• Deception: modification, spoofing, repudiation of origin, denial of receipt
• Disruption: modification
• Usurpation: modification, spoofing, delay, denial of service

Goals of Security

• Prevention: prevent attackers from violating the security policy
• Detection: detect attackers’ violations of the security policy
• Recovery: stop the attack, assess and repair the damage; continue to function correctly even if the attack
succeeds

Passive and Active Attacks

Passive attacks

Obtain information that is being transmitted (eavesdropping).

Two types:

Release of message contents: it may be desirable to prevent the opponent from learning the contents
of the transmission.

Traffic analysis: the opponent can determine the location and identity of the communicating hosts, and
observe the frequency and length of the messages being exchanged.

Passive attacks are very difficult to detect.

Active attacks

• Involve some modification of the data stream or the creation of a false stream.

Four categories:

• Masquerade: one entity pretends to be a different entity.
• Replay: passive capture of a data unit and its subsequent retransmission to produce an
unauthorized effect.
• Modification: some portion of a legitimate message is altered.
• Denial of service: prevents the normal use of communication facilities.
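An added example (not from these notes) tying together the two kinds of integrity above and the active attacks just listed: a receiver that checks a keyed tag (HMAC-SHA256) for data and origin integrity, a freshness window, and a nonce cache so that a captured message cannot be replayed. The key, message format, window size and return strings are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import time


def tag_for(key, body, nonce, ts):
    """Keyed MAC (HMAC-SHA256) over a canonical encoding of (body, nonce, ts).
    An unkeyed hash would only catch accidental corruption: anyone can recompute it,
    so it gives data integrity but not origin integrity."""
    canon = json.dumps([body, nonce, ts], separators=(",", ":"))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


def make_message(key, body, ts=None):
    """Sender side: attach a fresh random nonce, a timestamp and the MAC tag."""
    nonce = os.urandom(16).hex()
    ts = time.time() if ts is None else ts
    return {"body": body, "nonce": nonce, "ts": ts, "tag": tag_for(key, body, nonce, ts)}


class Receiver:
    """Receiver side: rejects modified, fabricated, stale and replayed messages."""

    def __init__(self, key, window=30.0, now=time.time):
        self.key, self.window, self.now = key, window, now
        self.seen = {}  # nonce -> ts: the replay cache

    def verify(self, msg):
        # 1. Tag first: an altered body (modification) or a tag made without the
        #    shared key (fabrication / masquerade) both fail here. Checking it before
        #    touching the cache keeps unauthenticated input from filling the cache.
        expected = tag_for(self.key, msg["body"], msg["nonce"], msg["ts"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "reject:tag"
        # 2. Freshness window: bounds how long a captured message stays usable.
        now = self.now()
        if abs(now - msg["ts"]) > self.window:
            return "reject:stale"
        # 3. Replay cache: a genuine message presented twice is a replay.
        if msg["nonce"] in self.seen:
            return "reject:replay"
        self.seen[msg["nonce"]] = msg["ts"]
        # Nonces older than the window can never pass step 2 again, so drop them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        return "accept"
```

The `now` parameter exists so the freshness check can be exercised with a fixed clock; in production it defaults to the system time.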

Security Services

• Confidentiality (privacy)
• Authentication (who created or sent the data)
• Integrity (has not been altered)
• Non-repudiation (the order is final)
• Access control (prevent misuse of resources)
• Availability (permanence, non-erasure)
– Denial of service attacks
– Virus that deletes files

Role of Security

A security infrastructure provides:

• Confidentiality – protection against loss of privacy
• Integrity – protection against data alteration/corruption
• Availability – protection against denial of service
• Authentication – identification of legitimate users
• Authorization – determination of whether or not an operation is allowed for a certain user
• Non-repudiation – ability to trace what happened, and prevent denial of actions
• Safety – protection against tampering, damage and theft

Types of Attack

• Social engineering/phishing
• Physical break-ins, theft, and curb shopping
• Password attacks

• Buffer overflows
• Command injection
• Denial of service
• Exploitation of faulty application logic
• Snooping
• Packet manipulation or fabrication
• Backdoors

Network Security...

• Determine network security policy
• Implement network security policy
• Reconnaissance
• Vulnerability scanning
• Penetration testing
• Post-attack investigation

• IaaS: entire infrastructure from facilities to hardware

• PaaS: application, middleware, database, messaging supported by IaaS

– Customer-side system administrator manages the same with provider handling platform,
infrastructure security

• SaaS: self-contained operating environment: content, presentation, apps, management

– Service levels, security, governance, compliance, liability, expectations of the customer & provider
are contractually defined

Gartner’s Seven Cloud Computing Security Risks

Security Risks

o Privileged User Access
o Regulatory Compliance & Audit
o Data Location
o Data Segregation
o Recovery
o Investigative Support
o Long-term Viability

Recovery

• “Any offering that does not replicate the data and application infrastructure across multiple sites is
vulnerable to a total failure,” Gartner says. Ask your provider if it has “the ability to do a complete
restoration, and how long it will take.”

• Recovery Point Objective (RPO): The maximum amount of data that will be lost following an
interruption or disaster.

• Recovery Time Objective (RTO): The period of time allowed for recovery i.e., the time that is allowed
to elapse between the disaster and the activation of the secondary site.

Gartner warns: “Cloud services are especially difficult to investigate, because logging and data for
multiple customers may be co-located and may also be spread across an ever-changing set of hosts and
data centers.”

Virtualization

Two types:

– Full virtualization: VMs run on hypervisor that interacts with the hardware
– Para virtualization: VMs interact with the host OS.

Access Control & Identity Management

Identity Management (IDM) – authenticate users and services based on credentials and characteristics

Similar attacks:

• Injection attacks: introduce malicious code to change the course of execution.
• XML Signature Element Wrapping: in this attack, the original body of an XML message is
moved to a newly inserted wrapping element inside the SOAP header, and a new body is
created.
• Cross-Site Scripting (XSS): XSS enables attackers to inject client-side script into Web pages
viewed by other users to bypass access controls.
• Flooding: an attacker sends a huge number of requests to a certain service, causing denial of
service.
• DNS poisoning and phishing: browser-based security issues.

• Metadata (WSDL) spoofing attacks: such an attack involves malicious re-engineering of a Web
Service’s metadata description.

Amazon EC2 Service

Three degrees of freedom: instance-type, region, availability zone

Network Probing

• Identify public servers hosted in EC2 and verify co-residence

• Open-source tools have been used to probe ports (80 and 443)

– nmap: performs TCP connect probes (attempts to complete a 3-way handshake between a source and
target)
– hping: performs TCP SYN traceroutes, which iteratively send TCP SYN packets with increasing TTLs
until no ACK is received
– wget: used to retrieve web pages

• External probe: probe originating from a system outside EC2 and has an EC2 instance as destination

• Internal probe: originates from an EC2 instance, and has destination another EC2 instance

• Given an external IP address, DNS resolution queries are used to determine:

– External name
– Internal IP address

Risk-based Access Control (RAC)

Inter-Domain Role Mapping (IDRM)

Dynamic Detection and Removal of Access Policy Conflicts

• Dynamic detection of conflicts to address the security issue
• Removal of conflicts to address the availability issue

MIGRATION DECIDER

• Makes use of a fuzzy inference engine

• Input :

• Output : Degree of SLA Satisfaction for

• If Degree of SLA Satisfaction < threshold, migrate
