Understanding Services and Applications by

Type
• Learning about different service types
• Creating clouds with Infrastructure as a Service
• Working with Software as a Service
• Developing applications on a Platform as a Service
• Securing cloud transactions with Identity as a
Service
• cloud computing applications as being composed of a set of
layers include Infrastructure, Platform, and Software.

• Depending on the type and level of service being offered, a

c lient c an build on these layers to c reate c loud-based
applications.
You can broadly partition cloud
computing into four layers that form
a cloud computing ecosystem, as
shown in Figure .
The Application layer forms the basis
for Software as a Service (SaaS),
while the Platform layer forms the
basis for Platform as a Service
(PaaS).
Infrastructure as a Service (IaaS)
creates utility computing model
Defining Infrastructure as a Service (IaaS)
• IaaS may be seen to be an incredibly disruptive technology, one
that can help turn a small business into a large business nearly
overnight.
• IaaS startups increased
• Infrastructure as a Service (IaaS) is a cloud computing service
model in which hardware is virtualized in the cloud.
• In this particular model, the service vendor owns the equipment:
servers, storage, network infrastructure, and so forth.
• The developer/customer/clients creates virtual hardware on
which to develop applications and services.
The developer interacts with the IaaS model to create
• virtual private servers,
• virtual private storage,
• virtual private networks, and so on,
and then populates these virtual systems with the applications
and services it needs to complete its solution.
IaaS customers access resources and services through a wide area network
(WAN), such as the internet, and can use the cloud provider's services to
install the remaining elements of an application stack.
For example,
• the user can log in to the IaaS platform to create virtual machines
(VMs);
• install operating systems in each VM;
• deploy middleware, such as databases;
• create storage buckets for workloads and backups;
• and install the enterprise workload into that VM.
Customers can then use the provider's services
• to track costs,
• monitor performance,
• balance network traffic,
• troubleshoot application issues and manage disaster recovery.
 IaaS workloads
• The notion of a workload is central to Cloud Computing, Essentially, a
workload is a discrete capability or amount of work you'd like to run on a
Cloud instance.

• virtualized client in an IaaS deployment is called a workload

• A workload simulates the ability of a certain type of real or physical server

to do an amount of work.

• The work done can be measured by the number of Transactions Per

Minute (TPM) or a similar metric against a certain type of system.

• In addition to throughput, a workload has certain other attributes such as

Disk I/Os measured in Input/Output Per Second IOPS, the amount of RAM
consumed under load in MB, network throughput and latency, and so forth.
• Workload can also refer to the amount of work (or load) that software
imposes on the underlying computing resources.

• Broadly stated, an application's workload is related to the amount of time

and computing resources required to perform a specif ic task or produce
an output from inputs provided.

• A light workload accomplishes its intended tasks or performance goals

using relatively little computing resources, such as processors, CPU
(central processing unit) clock cycles, storage I/O (input/output) and so on.

• A heavy workload demands significant amounts of computing resources.

• A workload's tasks vary widely depending on the complexity and intended
purpose of the application.

• For example, a web server application might gauge load by the number of
webpages the server delivers per second,

• while other applications might gauge load by the number of transactions

accomplished per second with a specif ic number of concurrent network
users.

• Standardized metrics used to measure and report on an application's

performance or load are collectively referred to as benchmark.
• In a hosted application environment, a client’s application runs
on a dedicated server inside a server rack or perhaps as a
standalone server in a room full of servers.

• In cloud computing, a provisioned server called an instance is

reserv ed by a c ustom er, and the nec essary am ount of
computing resources needed to achieve that type of physical
server is allocated to the client’s needs
Figure shows how three
virtual private server
instances are partitioned in
an IaaS stack.
The three workloads require
three different sizes of
computers: small, medium,
and large
• A client would reserve a machine equivalent required to run each of these
workloads.
• The IaaS infrastructure runs these server instances in the data center
drawing services from a pool of virtualized machines, RAID storage, and
network interface capacity.
• These three layers are expressions of physical systems that are partitioned
as logical units.
• The classic example of an IaaS service model is Amazon.com’s Amazon
Web Services (AWS).

• AWS has sev e ral d ata c e nte rs i n whi c h se rv e rs run o n to p o f a

virtualization platform (Xen) and may be partitioned into logical compute
units of various sizes.

• Developers can then apply system images containing different operating

systems and applications or create their own system images.

• Storage may be partitions, databases may be created, and a range of

services such a messaging and notif ic ation can be called upon to make
distributed application work correctly.
Pods, aggregation, and silos
• Workloads support a certain number of users, at which point you exceed
the load that the instance sizing allows.
• When you reach the limit of the largest virtual machine instance possible,
you must make a copy or clone of the instance to support additional users.
• A group of users within a particular instance is called a pod.
• Pods are managed by a Cloud Control System (CCS). In AWS, the CCS is
the AWS Management Console
• Sizing limitations for pods need to be accounted for if you are building a
large cloud-based application.
• Pods are aggregated into pools within an IaaS region or site called an
availability zone.
• In very large cloud computing networks, when systems fail, they fail on a
pod-by-pod basis, and often on a zone-by-zone basis.
• A failover system between zones gives IaaS private clouds a very high
degree of availability.
• Figure shows how pods are aggregated and virtualized in IaaS across
zones.
• When a cloud computing infrastructure isolates user clouds from each
other so the management system is incapable of interoperating with other
private clouds, it creates an information silo, or simply a silo.
• Silos are the cloud computing equivalent of compute islands: They are
processing domains that are sealed off from the outside.
• cloud silo is a computer server with one application and that isn’t designed
to interact with other applications or software packages.
• It’s a standalone application on a server. So why is it in the cloud?
• Well, you can have any kind of application in the cloud. Perhaps that
application is an essential application for your business but you don’t have
the computing resources at your location to host it there so you host it
elsewhere and access it from your computers over the Internet.
• The reason companies host single applications on a web server in a data
center at a location other than their own business is because it is cheaper to
host those applications elsewhere.
• And the application can be accessed from computers worldwide so if you
have several of fices that use the same application then a cloud silo could be
an essential computing resource.
• Silos just aren’t as flexible as open systems and are subject to vendor lock-in.
Defining Platform as a Service (PaaS)
• The Platform as a Service model describes a software environment in which a
developer can create customized solutions within the context of the development
tools that the platform provides.
• Platforms can be based on specif ic types of development languages, application
frameworks, or other constructs
• A PaaS offering provides the tools and development environment to deploy
applications on another vendor’s application.
• PaaS tool is a fully integrated development environment(IDE) ; that is, all the tools
and services are part of the PaaS service.
• PaaS systems must offer a way to create user interfaces, and thus support
standards such as HTLM, JavaScript, or other rich media technologies.
• Google App engine
• Salesforce.com------force.com
• The dif fic ulty with PaaS is that it locks the developer (and the customer) into a
solution that is dependent upon the platform vendor.
• An application written in Python against Google’s API using the Google App Engine
is likely to work only in that environment.
• There is considerable vendor lock-in associated with a PaaS solution
Defining Software as a Service (SaaS)

• SaaS provides the complete infrastructure, software, and solution stack as the
service offering.
• A good way to think about SaaS is that it is the cloud-based equivalent of shrink-
wrapped software.
• Shrink-Wrap Software means Software that has not been customized and that is
generally commercially available in consumer retail stores, from the Software
licensors
• software on CD-ROMs that are boxed and shrink-wrapped and
sold in stores.
Shrink-Wrap Software means
• software that is generally commercially available,
• non-customized software in executable code
• or hosted form :
(a) through or in consumer retail stores;
(b) from the software licensors or their distributors, sales agents,
representatives
or other persons, including value-added and other resellers or original
equipment
manufacturers; or
(c) from the Internet pursuant to “shrink wrap” or “click through” licenses;
• Software-as–a-Service (SaaS) model allows to provide software application as a
service to the end users.
• Software as a Service (SaaS) may be described as software that is deployed on a
hosted service and can be accessed globally over the Internet, most often in a
browser.
• With the exception of the user interaction with the software, all other aspects of
the service are abstracted away.
• SaaS applications come in all shapes and sizes, and include custom software
such as
 Billing and invoicing systems,
 Customer Relationship Management (CRM) applications,
 Help Desk applications,
 Human Resource (HR) solutions, as well as
 myriad online versions of familiar applications
• Examples of SaaS software for end-users are Google Gmail and Calendar,
QuickBooks online, Zoho Office Suite, and others that are equally well known.

• Some of the SaaS applications are not customizable such as Microsoft Of fic e
Suite. But SaaS provides us Application Programming Interface (API), which
allows the developer to develop a customized application.
• Many people believe that SaaS software is not customizable, and in many
SaaS applications it can be.

• For user-centric applications such as an of fic e suite, that is mostly true;

those suites allow you to set only options or preferences.

• However, many other SaaS solutions expose Application Programming

Interfaces (API) to developers to allow them to create custom composite
applications.

• These APIs may alter the security model used, the data schema, workf low
characteristics, and other fundamental features of the service’s expression
as experienced by the user.

• Examples of an SaaS platform with an exposed API are Salesforce.com

and Quicken.com.
• So SaaS does not necessarily mean that the software is static or
monolithic
All Software as a Service (SaaS) applications
share the following characteristics:
1.The software is available over the Internet globally through a browser on
demand.
2. The typical license is subscription-based or usage-based and is billed on a
recurring basis. In a small number of cases a f lat fee may be changed, often
coupled with a maintenance fee.
3. The software and the service are monitored and maintained by the vendor,
regardless of where all the different software components are running.
There may be executable client-side code, but the user isn’t responsible for
maintaining that code or its interaction with the service.
4. Reduced distribution and maintenance costs and minimal end-user
system costs generally make SaaS applications cheaper to use than their
shrink-wrapped versions.
5. Such applications feature automated upgrades, updates, and patch
management and much faster rollout of changes.
6. SaaS applications often have a much lower barrier to entry than their
locally installed competitors, a known recurring cost, and they scale on
demand (a property of cloud computing in general).
7. All users have the same version of the software so each user’s software is
compatible with another’s.
8. SaaS supports multiple users and provides a shared data model through a
single-instance, multi-tenancy model.
The alternative of software virtualization of individual instances also exists,
but is less common.
Open SaaS and SOA
• Open SaaS uses those SaaS applications, which are developed
using open source programming language.
• These SaaS applications can run on any open source operating
system and database.
• Open SaaS has several benefits listed below:
• No License Required
• Low Deployment Cost
• Less Vendor Lock-in
• More portable applications
• More Robust Solution
A modern implement of SaaS using an Enterprise Service
Bus and architected with SOA components
Enterprise Service Bus (ESB) is a software architecture which connects all
the services together over a bus like infrastructure.
It acts as communication center in the SOA by allowing, linking multiple
systems, applications and data and connects multiple systems with no
disruption.
• The Service Oriented Architecture is an architectural design which
includes collection of services in a network which communicate with
each other.

• The complication of each service is not noticeable to other service.

• The service is a kind of operation which is well def ined, self contained
that provides separate functionality such as checking customer
account details, printing bank statements etc and does not depend on
the sate of other services.
Issues
• There are several issues associated with SaaS, some of them
are listed below:
• Browser based risks
• Network dependence
• Lack of portability between SaaS clouds
Browser based risks
• If the customer visits malicious website and browser becomes
infected, the subsequent access to SaaS application might
compromise the customer's data.
• To avoid such risks, the customer can use multiple browsers
and dedicate a specif ic browser to access SaaS applications or
can use virtual desktop while accessing the SaaS applications.
Network dependence
The SaaS application can be delivered only when network is
continuously available. Also network should be reliable but the
network reliability cannot be guaranteed either by cloud provider
or by the customer.
Lack of portability between SaaS clouds
Transferring workloads from one SaaS cloud to another is not so
easy because work f low, business logics, user interfaces, support
scripts can be provider specific.
Salesforce.com and CRM SaaS
Perhaps the best-known example of Software as a Service (SaaS)
is the Customer Relationship Management software offered by
Salesforce.com whose solution offers
• sales,
• service,
• support,
• marketing,
• analytical analysis
• collaboration through a platform called Chatter.
Salesforce.com was founded in 1999 by a group of Oracle
executives and early adopters of many of the technologies that
are becoming cloud computing staples.
• Salesforce.com extended its SaaS offering to allow developers to
create add-on applications, essentially turning the SaaS service into a
Platform as a Service (PaaS) offering called the Force.com Platform.
• Applications built on Force.com are in the form of the Java variant
called Apex using an XML syntax for creating user interfaces in
HTML, Ajax, and Flex.
• Nearly a thousand applications now exist for this platform from
hundreds of vendors.
Figure 4.5 shows Salesforce.com’s home page.
Defining Identity as a Service (IDaaS)

• The establishment and proof of an identity is a central network

function.
• An identity service is one that stores the information associated
with a digital entity in a form that can be queried and managed
for use in electronic transactions.
• Identity services have as their core functions: a data store, a
query engine, and a policy engine that maintains data integrity.
An identity can belong to a person and may include the
following:

Things you are: Biological characteristics such as age, race,

gender, appearance, and so forth
Things you know: Biography, personal data such as social
security numbers, PINs, where you went to school, and so on
Things you have: A pattern of blood vessels in your eye, your
f ingerprints, a bank account you can access, a security key you
were given, objects and possessions, and more
Things you relate to: Your family and friends, a software license,
beliefs and values, activities and endeavors, personal selections
and choices, habits and practices, an iGoogle account, and
more.
To establish your identity on a network, you might be asked to
provide a name and password, which is called a single-factor
authentication method.
• More secure authentication requires the use of at least two-factor
authentication; for example, not only name and password (things you
know) but also a transient token number provided by a hardware key
(something you have).

• To get to multifactor authentication, you might have a system that

examines a biometric factor such as a f ingerprint or retinal blood
vessel pattern—both of which are essentially unique things you are.

• Multifactor authentication requires the outside use of a network

security or trust service.
The manner in which Microsoft validates your installation of Windows and
Of fic e is called Windows Product Activation and creates an identif ic ation
index or prof ile of your system, which is instructive. During activation, the
following unique data items are retrieved:
• A 25-character software product key and product ID
• The uniquely assigned Global Unique Identifier or GUID
• PC manufacturer
• CPU type and serial number
• BIOS checksum
• Network adapter and its MAC address
• Display adapter
• SCSCI and IDE adapters
• RAM amount
• Hard drive and volume serial number
• Optical drive
• Region and language settings and user locale
Networked identity service classes

To validate Web sites, transactions, transaction participants, clients, and

network services—various forms of identity services—have been deployed
on networks.

Ticket or token providing services, certif ic ate servers, and other trust
mechanisms all provide identity services that can be pushed out of private
networks and into the cloud.
Identity as a Service (IDaaS) may include any
of the following:
• Authentication services (identity verification)
• Directory services
• Federated identity
• Identity governance
• Identity and profile management
• Policies, roles, and enforcement
• Provisioning (external policy administration)
• Registration
• Risk and event monitoring, including audits
• Single sign-on services (pass-through authentication)
Identity system codes of conduct

Certain codes of conduct must be observed legally, and if not legally at the
moment, then certainly on a moral basis. In working with IDaaS software,
evaluate IDaaS applications on the following basis:
User control for consent: Users control their identity and must consent to the
use of their information.

Minimal Disclosure: The minimal amount of information should be disclosed

for an intended use.

Justif ia ble access: Only parties who have a justif ie d use of the information
contained in a digital identity and have a trusted identity relationship with the
owner of the information may be given access to that information.

Directional Exposure: An ID system must support bidirectional identif ication for

a public entity so that it is discoverable and a unidirectional identifier for private
entities, thus protecting the private ID.
Interoperability: A cloud computing ID system must interoperate with other
identity services from other identity providers.

Unambiguous human identif ication: An IDaaS application must provide an

unambiguous mechanism for allowing a human to interact with a system while
protecting that user against an identity attack.

Consistency of Service: An IDaaS service must be simple to use, consistent

across all its uses, and able to operate in different contexts using different
technologies.
IDaaS interoperability
XACML (Extensible Access Control Markup Language): def ines attribute
based access control policy language and describes how to evaluate
access requests according to rules defined in policies.
SAML: Security Assertion Markup Language
SPML: Service provisioning Markup Language
XDAS: Extensible Distributed Audit Service.
IDaaS interoperability
Identity as a Service provides an easy mechanism for integrating identity services into
individual applications with minimal development effort, by allowing the identif ication logic
and storage of an identity's attributes to be maintained externally.

Therefore, cloud computing IDaaS applications must rely on a set of developing industry
standards to provide interoperability. The following are among the more important of these
services:

User centric authentication: (usually in the form of information cards): The OpenID and
CardSpace specifications support this type of data object.

The XACML Policy Language: This is a general-purpose authorization policy language that
allows a distributed ID system to write and enforce custom policy expressions. XACML can
work with SAML; when SAML presents a request for ID authorization, XACML checks the ID
request against its policies and either allows or denies the request.
The SPML Provisioning Language: This is an XML request/response
language that is used to integrate and interoperate service provisioning
requests. SPML is a standard of OASIS's Provision Services Technical
Committee (PSTC) that conforms to the SOA architecture.

The XDA S A ud it Syste m: The D istribute d A ud it Se rv ic e prov id e s

accountability for users accessing a system, and the detection of security
policy violations when attempts are made to access the system by
unauthorized users or by users accessing the system in an unauthorized way.
Figure 4.6 shows how these different standards form an identity service
framework.
FIGURE 4.6

Open standards that support an IDaaS infrastructure for cloud computing