cloud computing lecture notes, Lecture notes of Computer science

Lecture notes for cloud computing
Typology: Lecture notes
2018/2019
Uploaded on 04/01/2019 by melvinia
Cloud Authentication
Cloud authentication
Users must be identified to use cloud services. There are several ways to provide authentications
services, depending on the situation.
Organizations can keep their internal computing resources separate from cloud-based services.
Users provide one username and password for internal resources, and a different username and
password for cloud-based resources. This is simple to set up and manage, but it does require the
user to remember at least two different username and password combinations, and for which
services they are needed. For example, an organization can have its users use their on-premises
Active Directory (AD) account for on-premises resources and provide a separate Office 365
account for online Office resources.
Most users are more comfortable using just one set of username and password credentials. This
is a common way to access internal resources – each resource is identified in AD and the user is
given access to it. They only need the one set of AD credentials to gain access to any AD
resource. Organizations can extend this to trusted non-AD resources by configuring Single Sign
On (SSO), making identification and authentication transparent for the user.
SSO makes use of a federated authentication mechanism that helps verify the user’s identity. You
might be familiar with using your Facebook or Google+ account to authenticate yourself to
another, seemingly unrelated website - you can use these types of credentials to log in to lots of
different web pages and services. This is a type of federation: you trust Facebook to identify and
authenticate you, and if the web service provider also trusts Facebook to identify and
authenticate you, they don’t require their own authentication system, but instead relies on the
third-party (in this case Facebook).
Microsoft-based Enterprise level organizations use Active Directory Federation Services
(ADFS), and smaller organizations might simply use a Microsoft account. In this way,
organizations can enable SSO for their on-premises resources and their cloud-based resources.
SSO is easier for users and can be more secure because organizations can add multi-factor
authentication, such as verification by text or phone call, or even fingerprint.
Privacy Management
When you post information on social-networking sites, you should recognize that the data is
being stored on one or more servers that can be located anywhere. Whether you’re posting
personal information to Facebook or updating your business links on LinkedIn, this data is stored
somewhere. Equally, if an organization uses cloud services, the storage and location of their data
becomes more important due to data privacy, legal, or regulatory demands.
An organization considering storing data in the cloud must understand the legal and regulatory
requirements for their data, as well as their customer’s expectations for privacy, and whether the
services offered by a cloud service provider meet those requirements.
Questions to be considered by an organization considering storing data in the cloud include:
In which country/region will the data be stored?
How long will the data be stored for?
pf3
pf4
pf5
pf8
pf9
pfa

Partial preview of the text

Download cloud computing lecture notes and more Lecture notes Computer science in PDF only on Docsity!

Cloud Authentication

Cloud authentication

Users must be identified to use cloud services. There are several ways to provide authentication services, depending on the situation.

Organizations can keep their internal computing resources separate from cloud-based services. Users provide one username and password for internal resources, and a different username and password for cloud-based resources. This is simple to set up and manage, but it requires the user to remember at least two different username and password combinations, and which services each is needed for. For example, an organization can have its users sign in with their on-premises Active Directory (AD) account for on-premises resources and give them a separate Office 365 account for online Office resources.

Most users are more comfortable using just one set of username and password credentials. This is a common way to access internal resources – each resource is identified in AD and the user is given access to it. They only need the one set of AD credentials to gain access to any AD resource. Organizations can extend this to trusted non-AD resources by configuring Single Sign-On (SSO), making identification and authentication transparent for the user.

SSO makes use of a federated authentication mechanism that helps verify the user’s identity. You might be familiar with using your Facebook or Google+ account to authenticate yourself to another, seemingly unrelated website - you can use these types of credentials to log in to lots of different web pages and services. This is a type of federation: you trust Facebook to identify and authenticate you, and if the web service provider also trusts Facebook to identify and authenticate you, it doesn’t require its own authentication system, but instead relies on the third party (in this case Facebook).

Microsoft-based enterprise-level organizations use Active Directory Federation Services (ADFS), and smaller organizations might simply use a Microsoft account. In this way, organizations can enable SSO for both their on-premises resources and their cloud-based resources.

SSO is easier for users and can be more secure because organizations can add multi-factor authentication, such as verification by text or phone call, or even fingerprint.
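As an added illustration of the trust relationship described above (example code written for these notes, not taken from Microsoft, ADFS or any federation product), the following Go program shows what the relying party, the web service that trusts the identity provider, actually checks before accepting a federated login. The shared HMAC key, the claim names and the method labels such as "sms" and "fingerprint" are assumptions for the example; real federations use SAML or OpenID Connect tokens signed with an asymmetric key, but the checks are the same: the signature proves the token came from the trusted provider, the issuer and audience checks stop a token minted for another service from being replayed here, the expiry bounds how long a stolen token stays useful, and the methods claim is where the relying party enforces the multi-factor requirement the notes mention.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion holds the claims the identity provider (IdP) vouches for. The claim
// names are an assumption for this example; SAML and OpenID Connect define their own.
type Assertion struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience string   `json:"aud"` // which service the token was minted for
	Expires  int64    `json:"exp"` // Unix seconds
	Methods  []string `json:"amr"` // authentication methods the IdP used
}

// RelyingParty is a web service that trusts one IdP and keeps no password database.
// Its only secret is a key shared with the IdP (assumed here for brevity; production
// IdPs normally sign with an asymmetric key so the service holds only a public key).
type RelyingParty struct {
	TrustedIssuer string
	ServiceID     string
	IdPKey        []byte
	RequireMFA    bool
}

func sign(key []byte, payload string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return mac.Sum(nil)
}

// Issue builds "payload.signature" the way the IdP would, so the example runs offline.
func Issue(key []byte, a Assertion) string {
	body, _ := json.Marshal(a)
	payload := base64.RawURLEncoding.EncodeToString(body)
	return payload + "." + base64.RawURLEncoding.EncodeToString(sign(key, payload))
}

var (
	ErrBadSignature = errors.New("signature does not verify against the IdP key")
	ErrIssuer       = errors.New("token issued by an untrusted issuer")
	ErrAudience     = errors.New("token issued for a different service")
	ErrExpired      = errors.New("token has expired")
	ErrNoMFA        = errors.New("multi-factor authentication required but not performed")
)

// Verify runs the checks a relying party must make before accepting a federated
// identity: signature first, then issuer, audience, expiry, and the MFA policy.
func (rp *RelyingParty) Verify(token string) (*Assertion, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, ErrBadSignature
	}
	got, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !hmac.Equal(got, sign(rp.IdPKey, parts[0])) { // constant-time compare
		return nil, ErrBadSignature
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	var a Assertion
	if err != nil || json.Unmarshal(body, &a) != nil {
		return nil, ErrBadSignature
	}
	switch {
	case a.Issuer != rp.TrustedIssuer:
		return nil, ErrIssuer
	case a.Audience != rp.ServiceID:
		return nil, ErrAudience
	case !time.Now().Before(time.Unix(a.Expires, 0)):
		return nil, ErrExpired
	case rp.RequireMFA && !hasSecondFactor(a.Methods):
		return nil, ErrNoMFA
	}
	return &a, nil
}

// hasSecondFactor reports whether the IdP recorded a factor beyond the password
// (the text, phone-call or fingerprint verification the notes mention).
func hasSecondFactor(methods []string) bool {
	for _, m := range methods {
		if m == "sms" || m == "call" || m == "otp" || m == "fingerprint" {
			return true
		}
	}
	return false
}

func main() {
	key := []byte("constructed-shared-key-for-demo-only")
	rp := &RelyingParty{TrustedIssuer: "https://idp.example.test", ServiceID: "payroll-app", IdPKey: key, RequireMFA: true}
	token := Issue(key, Assertion{Issuer: rp.TrustedIssuer, Subject: "alice", Audience: rp.ServiceID,
		Expires: time.Now().Add(time.Hour).Unix(), Methods: []string{"pwd", "sms"}})
	a, err := rp.Verify(token)
	fmt.Println(a, err)
}
```

The relying party stores no passwords at all, so a compromise of this service exposes no user credentials; that is the property that makes federation attractive. With a shared HMAC key the service could still mint tokens itself, which is why production deployments prefer an asymmetric signature: the service then holds only the provider's public key and can verify but not forge.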

Privacy Management

When you post information on social-networking sites, you should recognize that the data is being stored on one or more servers that can be located anywhere. Whether you’re posting personal information to Facebook or updating your business links on LinkedIn, this data is stored somewhere. Equally, if an organization uses cloud services, the storage and location of their data becomes more important due to data privacy, legal, or regulatory demands.

An organization considering storing data in the cloud must understand the legal and regulatory requirements for its data, as well as its customers’ expectations for privacy, and whether the services offered by a cloud service provider meet those requirements.

Questions an organization should ask before storing data in the cloud include:

  • In which country/region will the data be stored?
  • How long will the data be stored for?
  • Does the service provider guarantee locations of not just primary data, but also backup data?
  • Could the service provider be forced to allow access to customers’ data through legal channels?

When data falls under regulatory or compliance restrictions, the choice of cloud deployment (whether private, public, or hybrid) relies on trusting that the provider is fully able to support the customer’s requirements.

It is possible for an organization to implement additional security controls that meet regulatory or legal requirements even when the underlying public Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) does not fully meet those same requirements. But the range of additional controls an organization can add is limited and cannot close all the gaps in some public cloud services, and the effort involved in monitoring and maintaining additional security controls may be prohibitive.

Global organizations need to ensure that any services deployed to the cloud are used according to laws and regulations in place for the employees, foreign subsidiaries, and customers. Data protection laws are different across the world, and organizations must be aware of the laws that pertain to employees in all their locations.

The primary location of the data and any backup locations must be known to ensure these laws and regulations are followed. Often, the backup locations need to be determined. For example, Amazon.com Inc. has large datacenters in both the United States and Ireland, which could cause problems if they were used as backup centers for certain types of data.

The data protection laws of the European Union (EU) member states, as well as other regions, are extremely complex and have a number of definitive requirements. The transfer of personal data outside these regions needs to be handled in specific ways. For instance, the EU requires that the collector of the data, or data controller, must inform individuals when the data will be sent and processed in a region outside of the EU. The data controller and end processor must also have contracts approved by the Data Protection Authority in advance. The United States and EU have a reciprocal agreement, and the U.S. recipient only has to self-certify its data procedures by registering with the U.S. Department of Commerce.

Privacy management is a major consideration for global organizations, or those with a global customer base, when identifying appropriate cloud services and cloud service providers.

Compliance Management

Compliance is primarily about tracking and monitoring access to data; that is, ensuring proper controls over who has access to assets, what level of access they have, and how those levels are maintained. Compliance with legal regulations is a requirement for most organizations and is proven through successful audits. Cloud computing often makes it difficult for organizations to ensure they are complying with industry and government regulations, especially if they, or their customers, span multiple global regions with differing regulations.

If the organization operates in the United States, Canada, or the European Union, they’re subject to numerous regulatory requirements. These laws might relate to where the data is stored or transferred, including how well this data is protected from a confidentiality aspect. Some laws apply to specific markets, such as the United States’ Health Insurance Portability and Accountability Act (HIPAA) for the health-care industry. However, organizations often store health-related information about individual employees, which means those organizations might

  • Use the SaaS provider’s encryption: since major SaaS providers include options to encrypt sensitive information, organizations that trust the provider can use its encryption.
  • Add your own encryption: data can be encrypted before sending it to the SaaS application, which requires an extra step for the end users.
  • Use an encryption proxy: an encryption proxy encrypts and decrypts the data transferred to and from the provider. This proxy intercepts all communication with the SaaS application and encrypts and decrypts sensitive data. This can add a layer of security to the data without the end user being aware of it. Any change in the SaaS might cause problems with this technique.
  • Select the storage location: some cloud service providers allow organizations to choose where their data will be located, either electing to keep it on-premises or in a specific data center. This might also be mandated by the regulatory requirements of some countries/regions, which prohibit storing sensitive data in foreign locations that don’t come under their jurisdiction.
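The second and third options above (encrypting before the data leaves the organization, or doing so in a proxy that sits between users and the SaaS application) rest on the same mechanism. The following Go program is an added example written for these notes, not code from any SaaS provider or proxy product: it encrypts only the sensitive fields of a record with a key the organization keeps, using AES-GCM from Go's standard library, and binds each field's name into the authenticated data so that a ciphertext the provider stores under one field cannot be handed back as the value of another. The record layout, the field names and the key are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Record is a constructed stand-in for what an organization hands to a SaaS
// application (an HR system, say). Only some of its fields are sensitive.
type Record map[string]string

// FieldCipher holds the organization's own key. The SaaS provider never sees it,
// so provider staff, a breach at the provider, or a legal request served on the
// provider yield only ciphertext for the protected fields.
type FieldCipher struct {
	aead      cipher.AEAD
	protected map[string]bool
}

func NewFieldCipher(key []byte, protectedFields ...string) (*FieldCipher, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	fc := &FieldCipher{aead: aead, protected: map[string]bool{}}
	for _, f := range protectedFields {
		fc.protected[f] = true
	}
	return fc, nil
}

// Seal encrypts the protected fields on the way out. The field name is bound in
// as associated data, so a ciphertext stored under "ssn" cannot later be
// presented back as the value of "salary".
func (fc *FieldCipher) Seal(in Record) (Record, error) {
	out := Record{}
	for k, v := range in {
		if !fc.protected[k] {
			out[k] = v
			continue
		}
		nonce := make([]byte, fc.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := fc.aead.Seal(nonce, nonce, []byte(v), []byte(k)) // nonce || ciphertext || tag
		out[k] = "enc:" + base64.RawStdEncoding.EncodeToString(ct)
	}
	return out, nil
}

var ErrTampered = errors.New("protected field failed authentication")

// Open decrypts on the way back. Any modification at the provider, a value
// moved between fields, or a plaintext smuggled into a protected field fails.
func (fc *FieldCipher) Open(in Record) (Record, error) {
	out := Record{}
	for k, v := range in {
		if !fc.protected[k] {
			out[k] = v
			continue
		}
		if len(v) < 4 || v[:4] != "enc:" {
			return nil, ErrTampered
		}
		ct, err := base64.RawStdEncoding.DecodeString(v[4:])
		ns := fc.aead.NonceSize()
		if err != nil || len(ct) < ns {
			return nil, ErrTampered
		}
		pt, err := fc.aead.Open(nil, ct[:ns], ct[ns:], []byte(k))
		if err != nil {
			return nil, ErrTampered
		}
		out[k] = string(pt)
	}
	return out, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key, demo only
	fc, _ := NewFieldCipher(key, "ssn", "salary")
	sealed, _ := fc.Seal(Record{"name": "A. Example", "ssn": "000-00-0000", "salary": "50000"})
	fmt.Println("stored at provider:", sealed)
	opened, _ := fc.Open(sealed)
	fmt.Println("read back:", opened)
}
```

This is also where the caveat in the third bullet bites: the provider can only search, sort or validate the fields it receives in the clear, so any SaaS feature that relies on reading a protected field stops working, and a change to the SaaS data model means updating the list of protected fields in the proxy.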

It is imperative to have strong access control mechanisms in addition to encryption; this can help negate insider attacks. It is also strongly advised that organizations use encryption for all forms of cloud computing – public, private, and hybrid. Given the increase in insider-led data breaches, encryption and access controls should be equally extended to private clouds.

Service Improvement and Roadmap

Organizations accept a level of risk when they move to the cloud. In transferring all or part of their IT infrastructure to a cloud service provider, an organization must trust the service provider to provide the services it requires now, and to develop new services in the future to stay current in the marketplace.

Most cloud service providers maintain a roadmap that shows their current state and what future service features they plan to develop. It is a way to advertise the planned innovations for their platform and to reassure the customer that they have made the right choice of provider. A good roadmap is a competitive advantage over other cloud providers, but it is also important to note that sharing this information can give competitors insight into a cloud service provider’s planned development route. Timing the publication of the roadmap is key to making sure it does not give competitors an advantage in innovating their own platforms, while still demonstrating that the cloud service provider has the ability to deliver what customers want.

A good cloud platform company will publish its roadmap online for its customers to see. Some examples:

  • Office 365 roadmap
  • Azure roadmap
  • What’s new with AWS

Organizations can use the roadmap to help them decide what features they will use in the future and to help them begin planning for these features now. Usually organizations do not have constant innovation at their fingertips with their own on-premises resources and platforms, and they have to go through the long and expensive process of planning and procuring hardware to innovate; however, using the cloud makes it really easy to adopt new features.

Service Health and Maintenance

For a cloud service provider, a regular, scheduled maintenance cycle for all services provides the opportunity to ensure that all services are working efficiently and supplying the best possible experience for its customers. It offers the chance to back up, move and reconfigure services, and add any new features that are ready for release. Service health and maintenance plans should include the monitoring of services to ensure that any potential issues are found and managed before they become a problem.

The proper communication of this maintenance cycle and its value to the customers is of paramount importance. Unexpected outages or unexplained unavailability can be a major problem for customers, so a good cloud service provider will give them ample opportunity to plan by providing reminders of regularly scheduled maintenance, easily accessible dashboards that show current service health, and other communication mechanisms.

A cloud service customer has a responsibility to be aware of regular maintenance schedules and plan around them. They can use the opportunity to explore new features or perform their own maintenance tasks.

Organizations that use hybrid cloud environments are both cloud service provider and cloud service customer. They must perform regularly scheduled maintenance to ensure the best possible performance for the private cloud elements of their IT services, and also plan for those service outages as a client.

Service Level Agreements

A service level agreement (SLA) defines the expectations of the cloud service provider and its customer, detailing acceptable service uptime, availability, and performance levels. The SLA forms part of the contract between the two parties.

A typical SLA contains the following components:

Type of service to be provided

It specifies the type of service to be provided and any additional details about the service. Some elements of this component (and examples of each) include:

  • Availability - 99.99% during work days, 99.9% for nights/weekends
  • Performance - maximum response times
  • Security / privacy of the data - encrypting all stored and transmitted data
  • Disaster Recovery expectations - worst-case recovery commitment
  • Location of the data - consistent with local legislation
  • Access to the data - data retrievable from provider in readable format
  • Portability of the data - ability to move data to a different provider
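To make the availability figures in the first bullet concrete, here is an added Go example (constructed for these notes, not a provider's SLA calculator) that measures a month against the two tiers listed above. It assumes work-day hours of Monday to Friday, 08:00 to 18:00 UTC, and the two outages are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Outage is a constructed incident record covering [Start, End).
type Outage struct{ Start, End time.Time }

// Window distinguishes the two SLA tiers from the notes.
type Window int

const (
	WorkDay      Window = iota // assumption: Mon-Fri 08:00-18:00 UTC
	NightWeekend               // everything else
)

// Target is the committed availability per window, as listed in the notes.
var Target = map[Window]float64{WorkDay: 99.99, NightWeekend: 99.9}

// classify decides which tier a given minute falls into.
func classify(t time.Time) Window {
	if wd := t.Weekday(); wd == time.Saturday || wd == time.Sunday {
		return NightWeekend
	}
	if h := t.Hour(); h >= 8 && h < 18 {
		return WorkDay
	}
	return NightWeekend
}

// Report holds measured minutes per window.
type Report struct {
	Total, Down map[Window]int
}

// Availability is the percentage of minutes in the window with no outage.
func (r Report) Availability(w Window) float64 {
	if r.Total[w] == 0 {
		return 100
	}
	return 100 * float64(r.Total[w]-r.Down[w]) / float64(r.Total[w])
}

// Met reports whether the measured availability reached the committed target.
func (r Report) Met(w Window) bool { return r.Availability(w) >= Target[w] }

// Measure walks the reporting period minute by minute, attributing each minute
// to a tier and counting it as down if any outage covers it.
func Measure(from, to time.Time, outages []Outage) Report {
	r := Report{Total: map[Window]int{}, Down: map[Window]int{}}
	for t := from; t.Before(to); t = t.Add(time.Minute) {
		w := classify(t)
		r.Total[w]++
		for _, o := range outages {
			if !t.Before(o.Start) && t.Before(o.End) {
				r.Down[w]++
				break
			}
		}
	}
	return r
}

func main() {
	from := time.Date(2019, time.March, 1, 0, 0, 0, 0, time.UTC)
	to := time.Date(2019, time.April, 1, 0, 0, 0, 0, time.UTC)
	outages := []Outage{ // constructed incidents
		{time.Date(2019, time.March, 5, 10, 0, 0, 0, time.UTC), time.Date(2019, time.March, 5, 10, 7, 0, 0, time.UTC)},  // Tuesday morning, 7 min
		{time.Date(2019, time.March, 10, 2, 0, 0, 0, time.UTC), time.Date(2019, time.March, 10, 3, 30, 0, 0, time.UTC)}, // Sunday night, 90 min
	}
	r := Measure(from, to, outages)
	for _, w := range []Window{WorkDay, NightWeekend} {
		fmt.Printf("window %d: %.4f%% (target %.2f%%, met=%v)\n", w, r.Availability(w), Target[w], r.Met(w))
	}
}
```

Running it over March 2019 shows why the tier matters: 99.99% of the roughly 12,600 work-day minutes in that month leaves about 1.3 minutes of permitted downtime, so a seven-minute incident on a Tuesday morning already breaches the commitment, while the 99.9% night/weekend tier permits about 32 minutes, which the 90-minute Sunday outage also exceeds.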

Monitoring process and service level reporting

Organizations can run websites in Azure Web Apps or a SQL database in Azure SQL Databases. Both of these scenarios are examples of PaaS because Microsoft Azure has taken the place of a traditional platform. Instead of the individual user or company maintaining platform software and updates, Microsoft takes care of it in the background.

Azure SaaS services

Users can also set up and access the Microsoft Azure Operations Management suite, which enables organizations to select and run the management tools they need through Microsoft Azure so that no local infrastructure is required. These tools are an example of SaaS; in fact, they’re an example of a SaaS running on a PaaS. Microsoft Azure provides numerous services which fall into IaaS, PaaS or SaaS contexts, and these services are constantly being added to and evolving.

Microsoft Azure can also be used with other Microsoft solutions to extend an organization's current datacenter into a hybrid cloud that expands that organization’s capacity capabilities.

Azure Data Centers and Services

Azure services are hosted in Microsoft-managed data centers. The data centers are in multiple geographic areas around the globe. At the time of this writing, Azure is generally available in 42 regions around the world, with plans announced for 6 additional regions. But not all Azure services are available from every region.

Azure Portal

The Microsoft Azure portal enables organizations to build, manage, and monitor everything from simple web apps to complex cloud applications in one place. It brings together different cloud resources into a customizable console called a Hub, which can be managed and controlled. It contains resources such as web applications, databases, virtual machines, virtual networks, storage, and more. For software development teams, the portal provides a hub and storage solution so that the entire development lifecycle can be managed from the portal.

Role-based access is built into the portal so that organizations can control exactly who is able to access and manage different portal features. It also features templates so that organizations can perform common actions quickly with just a few adjustments. The Azure Portal is popular with users because it is easy to use and offers control and ready-made tools.

Azure Resource Manager

The infrastructure for an application is typically made up of many components – maybe a virtual machine, storage account, and virtual network, or a web app, database, database server, and 3rd party services. These components are typically not viewed as separate entities; instead, they’re viewed as related and interdependent parts of a single entity.

Organizations want to deploy, manage, and monitor these entities, or resources, as a group. Azure Resource Manager enables an organization to work with the resources in their solution as a group. They can deploy, update, or delete all the resources for their solution in a single, coordinated operation. They use a template for deployment and that template can work for different environments such as testing, staging, and production. Resource Manager provides security, auditing, and tagging features to help organizations manage their resources after deployment.

Resource Manager provides organizations with several benefits, including the ability to:

  • Deploy, manage, and monitor all the resources for their solution as a group, rather than handling these resources individually.
  • Deploy their solution repeatedly throughout the development lifecycle and have confidence their resources are deployed in a consistent state.
  • Manage their infrastructure through declarative templates rather than scripts.
  • Define the dependencies between resources so they are deployed in the correct order.
  • Apply access control to all services in their resource group because Role-Based Access Control (RBAC) is natively integrated into the management platform.
  • Apply tags to resources to logically organize all the resources in their subscription.
  • Clarify their billing by viewing costs for a group of resources sharing the same tag.
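Two of the benefits above, ordering by declared dependencies and grouping costs by tag, can be shown in code. The following Go program is an added example for these notes, not Azure Resource Manager's implementation and not the ARM template schema: it takes a constructed list of resources with the dependencies and tags each declares, computes a deployment order in which every resource follows the resources it depends on (rejecting cycles and undeclared dependencies, which a deployment tool must catch before it touches anything), and sums constructed monthly costs per tag value.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Resource mirrors the parts of a declarative template that matter for ordering
// and billing. The field names are an assumption for this example.
type Resource struct {
	Name      string
	DependsOn []string
	Tags      map[string]string
	CostUSD   float64 // constructed monthly cost, for the tag roll-up
}

var ErrCycle = errors.New("template has a dependency cycle")

// DeployOrder returns the resource names in an order where every resource appears
// after all of its dependencies (Kahn's algorithm). Ties are broken alphabetically
// so repeated deployments are reproducible, matching the "consistent state" goal.
func DeployOrder(rs []Resource) ([]string, error) {
	known := map[string]bool{}
	for _, r := range rs {
		known[r.Name] = true
	}
	indeg := map[string]int{}      // unresolved dependencies per resource
	dependents := map[string][]string{} // who is waiting on a given resource
	for _, r := range rs {
		indeg[r.Name] = len(r.DependsOn)
		for _, d := range r.DependsOn {
			if !known[d] {
				return nil, fmt.Errorf("dependency %q of %q is not declared in the template", d, r.Name)
			}
			dependents[d] = append(dependents[d], r.Name)
		}
	}
	var ready []string
	for n, d := range indeg {
		if d == 0 {
			ready = append(ready, n)
		}
	}
	var order []string
	for len(ready) > 0 {
		sort.Strings(ready)
		n := ready[0]
		ready = ready[1:]
		order = append(order, n)
		for _, m := range dependents[n] {
			indeg[m]--
			if indeg[m] == 0 {
				ready = append(ready, m)
			}
		}
	}
	if len(order) != len(indeg) { // something never became ready: a cycle
		return nil, ErrCycle
	}
	return order, nil
}

// CostByTag sums cost per value of one tag key, the billing view the notes
// describe. Resources without the tag land under "(untagged)".
func CostByTag(rs []Resource, key string) map[string]float64 {
	out := map[string]float64{}
	for _, r := range rs {
		v, ok := r.Tags[key]
		if !ok {
			v = "(untagged)"
		}
		out[v] += r.CostUSD
	}
	return out
}

func main() {
	tpl := []Resource{ // constructed template
		{Name: "webapp", DependsOn: []string{"appplan", "sqldb"}, Tags: map[string]string{"costcenter": "sales"}},
		{Name: "appplan", Tags: map[string]string{"costcenter": "sales"}, CostUSD: 73},
		{Name: "sqldb", DependsOn: []string{"sqlserver"}, Tags: map[string]string{"costcenter": "sales"}, CostUSD: 15},
		{Name: "sqlserver", Tags: map[string]string{"costcenter": "shared"}},
		{Name: "storage", CostUSD: 2},
	}
	order, err := DeployOrder(tpl)
	fmt.Println(order, err) // [appplan sqlserver sqldb storage webapp] <nil>
	fmt.Println(CostByTag(tpl, "costcenter"))
}
```

Breaking ties alphabetically is what makes repeated deployments land in the same order; without it, the order of independent resources would depend on map iteration and differ from run to run. The undeclared-dependency check is the cheap, early failure that saves a half-deployed environment later.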

Web Apps

Azure Web Apps is a service for hosting web applications, REST APIs, and mobile backends.

Web applications

A web application is any application that uses a web browser as a client or node and can request information from a server. A web application can be as simple as a message board or small survey on a website, or as complex as a multi-feature word processing tool like Microsoft Word on Office 365. The terms “web application” and “website” are commonly used to refer to the same thing because so many websites feature one or more web applications, and so many web applications are a part of what people traditionally think of as websites.

REST APIs

An Application Programming Interface (API) allows one piece of software to talk to another. REST APIs work the same way as a website: you make a call from a client to a server, and you get data back over the HTTP protocol. However, REST APIs differ from websites because instead of showing you a webpage like the ones we are all used to seeing, the REST API returns its information as structured data for a program to consume rather than as a rendered page. You can use REST APIs to find map coordinates from Bing maps, or to find specific locations or objects in Instagram photos (such as “cats” or “New York”).

Mobile backends

Mobile backend as a service (mobile BaaS) is a cloud service that provides mobile apps with access to the servers, storage, and other resources that they need to run properly. Mobile BaaS makes creating and launching apps much easier because it takes care of all the network setup so that developers can keep their focus on coding and uploading their app. Therefore, they don’t have to worry about backend infrastructure, since the mobile BaaS takes care of all that.

With the Azure Web Apps service, organizations can develop their web applications, REST APIs, and mobile back ends in their favorite language (such as .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python), and they can run and scale apps with ease on Windows or Linux Virtual Machines (VMs).

The Azure Web Apps also adds the power of Microsoft Azure to an organization’s application (for example, security, load balancing, autoscaling, and automated management). Additional features include DevOps capabilities, which help users manage active applications by enabling