
CLOUD TECHNOLOGY AND SOLUTIONS

Krish Raghunundhun
02-06/11/2015
Email: raghunk@telkomsa.net
Cell: +27 81 765 4733
Lesson 2 – Cloud Computing Architecture and Virtualization

• Cloud Computing Architecture
• Virtualization
• Virtualization Security

On the lighter side of Cloud…
Cloud Computing Architecture

• Cloud Computing Architecture
• Cloud Computing Infrastructure
• Cloud Deployment models
• Cloud Architecture – Layers
• Anatomy of the Cloud
• Building Scalable Architecture
Cloud Computing Architecture (1..2)

• Cloud computing architecture comprises many cloud components, which are loosely coupled.
• We can broadly divide the cloud architecture into two parts:
  – Front End
  – Back End
• The two ends are connected through a network, usually the Internet.
Cloud Computing Architecture (2..2)

• Front End
  – The front end is the client part of the cloud computing system. It consists of the interfaces and applications required to access the cloud computing platform, for example a web browser.
• Back End
  – The back end is the cloud itself. It consists of all the resources required to provide cloud computing services: large-scale data storage, virtual machines, security mechanisms, services, deployment models, servers, etc.
Cloud Computing Infrastructure (1..5)

• Cloud infrastructure consists of servers, storage devices, network, cloud management software, deployment software, and platform virtualization.
Cloud Computing Infrastructure (2..5)

• Hypervisor
  – A hypervisor is firmware or a low-level program that acts as a virtual machine manager. It allows a single physical instance of cloud resources to be shared between several tenants.
• Management Software
  – Helps to maintain and configure the infrastructure.
Cloud Computing Infrastructure (3..5)

• Deployment Software
  – Helps to deploy and integrate the application on the cloud.
• Network
  – The key component of cloud infrastructure. It connects cloud services over the Internet.
  – It is also possible to deliver the network as a utility over the Internet, which means the customer can customize the network route and protocol.
Cloud Computing Infrastructure (4..5)

• Server
  – The server supports resource sharing and offers other services such as resource allocation and de-allocation, monitoring of resources, providing security, etc.
• Storage
  – The cloud keeps multiple replicas of storage. If one of the storage resources fails, the data can be retrieved from another replica, which makes cloud computing more reliable.
Cloud Computing Infrastructure (5..5)

Infrastructural Constraints (figure): Virtualization; Application delivery solution; Transparency; Scalability; Intelligent Security Monitoring; Mega data center; Application delivery solution.
Cloud Deployment models (1..10)

• Public Cloud Model
• Private Cloud Model
• Hybrid Cloud Model
• Community Cloud Model
Public Cloud Model (2..10)

• The Public Cloud allows systems and services to be easily accessible to the general public, e.g., Google, Amazon and Microsoft offer cloud services via the Internet.
Public Cloud Model (3..10)

• Benefits (figure)
Private Cloud Model (4..10)

• The Private Cloud allows systems and services to be accessible within an organization. The Private Cloud is operated only within a single organization; however, it may be managed internally or by a third party.
Private Cloud Model (5..10)

Private Cloud Model (6..10)

• Benefits (figure)
Hybrid Cloud Model (7..10)

• The Hybrid Cloud is a mixture of public and private cloud. Non-critical activities are performed using the public cloud, while the critical activities are performed using the private cloud.

Hybrid Cloud Model (8..10)

• Benefits (figure)
Community Cloud Model (9..10)

• The Community Cloud allows systems and services to be accessible by a group of organizations. It shares the infrastructure between several organizations from a specific community. It may be managed internally or by a third party.

Community Cloud Model (10..10)
Cloud Architecture – Layers (1..7)

• The cloud architecture can be divided into four layers based on the access of the cloud by the user.

Layer 4: Hardware resource layer
Layer 3: Cloud management layer
Layer 2: Network layer
Layer 1: User / client layer
Cloud Architecture (2..7)

Layer 1 (User/Client Layer)

• All the users or clients belong to this layer.
• This is where the client/user initiates the connection to the cloud.
• The client can be any device such as:
  – a thin client,
  – a thick client, or
  – a mobile or any handheld device that supports the basic functionality needed to access a web application.
Cloud Architecture (3..7)

Layer 1 (User/Client Layer)

• Examples
  – Mobile (Android, iPhone, Windows Mobile)
  – Thin client (CherryPal, Zonb, gOS based systems)
  – Thick client/Web browser (Google Chrome, Mozilla Firefox)
Cloud Architecture (4..7)

Layer 2 (Network Layer)

• This layer allows the users to connect to the cloud. The whole cloud infrastructure is dependent on this connection, over which the services are offered to the customers.
• Public cloud
  – Internet
• Private cloud
  – LAN
Cloud Architecture (5..7)

Layer 2 (Network Layer)

• Examples of Infrastructure:
  – Full virtualization (GoGrid, Skytap)
  – Grid computing (Sun Grid)
  – Management (RightScale)
  – Paravirtualization (Amazon Elastic Compute Cloud)
• Examples of Platform:
  – Web application frameworks: Python Django (Google App Engine)
  – Ruby on Rails (Heroku)
  – Web hosting (Mosso)
  – Proprietary (Azure, Force.com)
Cloud Architecture (6..7)

Layer 3 (Cloud Management Layer)

• This layer consists of the software used to manage the cloud.
• That software can be a cloud operating system (OS), software that acts as an interface between the data center (the actual resources) and the user, or management software that allows resources to be managed.
Cloud Architecture (7..7)

Layer 4 (Hardware Resource Layer)

• Layer 4 consists of the provisions for the actual hardware resources.
Anatomy of the Cloud

Anatomy of the Cloud (2..13)

• Cloud anatomy can be simply defined as the structure of the cloud.

(Figure: Application / Platform / Virtualized infrastructure / Virtualization / Server, storage, datacenters)

1. Application: The upper layer is the application layer. In this layer, any applications are executed.
2. Platform: This component consists of platforms that are responsible for the execution of the application.
3. Infrastructure: The infrastructure consists of resources over which the other components work. This provides computational capability to the user.
4. Virtualization: Virtualization is the process of making logical components of resources over the existing physical resources.
5. Physical hardware: The physical hardware is provided by server and storage units.
Network Connectivity in Cloud Computing (3..13)

• Cloud computing is a technique of resource sharing where servers, storage, and other computing infrastructure in multiple locations are connected by networks.
• In the cloud, when an application is submitted for execution, suitable resources that it needs are allocated from this collection of resources; as these resources are connected via the Internet, the users get their required results.
Network Connectivity in Cloud Computing (4..13)

• Public Cloud Access Networking
  – Connectivity is often through the Internet
  – Virtual Private Networks (VPNs)
• Private Cloud Access Networking
  – Technology and approaches are local to the in-house network structure
  – Internet VPN or VPN service from a network operator
• Intracloud Networking for Public Cloud Services
  – Here, the resources of the cloud provider, and thus the cloud service to the customer, are based on resources that are geographically apart from each other but still connected via the Internet.
• Private Intracloud Networking
  – Private intracloud networking is usually supported over connectivity between the major data center sites owned by the company.
Applications on the Cloud (5..13)

• A stand-alone application is developed to run on a single system and does not use the network for its functioning.

(Figure: Web applications / Stand-alone applications / Cloud applications)
Applications on the Cloud (6..13)

• Web applications follow a client-server architecture.
• The client can reside anywhere in the network. It can access the web application through the Internet.

(Figure: Web applications / Stand-alone applications / Cloud applications)
Applications on the Cloud (8..13)

• Cloud Applications
  – Three broad access or service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
  – A cloud application is different from other applications; it has unique features. A cloud application can usually be accessed as a web application, but its properties differ.
Cloud application features (9..13)

(Figure: Cloud Application Features – Multitenancy, Elasticity, Heterogeneous cloud platform, Quantitative measurement, On-demand service)

• Multitenancy: Software can be shared by different users with full independence.

Cloud application features (10..13)

• Elasticity: a system is able to adapt to workload changes by provisioning and de-provisioning resources in an autonomic manner such that at each point in time

Cloud application features (11..13)

• Heterogeneous cloud platform: Any type of application can be deployed in the cloud. The applications that are usually deployed can be accessed by the users using a web browser.

Cloud application features (12..13)

• Quantitative measurement: The user is usually offered services based on certain charges.

Cloud application features (13..13)

• On-demand service: The cloud applications offer service to the user on demand, that is, whenever the user requires it. The cloud service would allow the users to access web applications usually without any restrictions on time, duration, and type of device used.
Use Case Scenarios (1..6)

• End User to Cloud
  – In this scenario, an end user is accessing data or applications in the cloud. Common applications of this type include email hosting and social networking sites.
  – A user of Gmail, Facebook or LinkedIn accesses the application and their data through any browser on any device.
  – The user doesn’t want to keep up with anything more than a password; their data is stored and managed in the cloud.
Use Case Scenarios (2..6)

Requirements
• Identity: The cloud service must authenticate the end user.
• An open client: Access to the cloud service should not require a particular platform or technology.
• Security: Security (including privacy) is a common requirement to all use cases, although the details of those requirements will vary widely from one use case to the next. A full discussion of security in cloud computing is beyond the scope of this paper.
• SLAs: Although service level agreements for end users will usually be much simpler than those for enterprises, cloud
Use Case Scenarios (3..6)

• Enterprise to Cloud to End User
  – In this scenario, an enterprise is using the cloud to deliver data and services to the end user.
  – When the end user interacts with the enterprise, the enterprise accesses the cloud to retrieve data and/or manipulate it, sending the results to the end user. The end user can be someone within the enterprise or an external customer.
Use Case Scenarios (4..6)

Requirements
• Identity: The cloud service must authenticate the end user.
• An open client: Access to the cloud service should not require a particular platform or technology.
• Federated identity: In addition to the basic identity needed by an end user, an enterprise user is likely to have an identity with the enterprise.
• Location awareness: Depending on the kind of data the enterprise is managing on the user's behalf, there might be legal restrictions on the location of the physical server where the data is stored.
Use Case Scenarios (5..6)

• Requirements
  – Identity: The cloud service must authenticate the end user.
  – An open client: Access to the cloud service should not require a particular platform or technology.
  – Federated identity: In addition to the basic identity needed by an end user, an enterprise user is likely to have an identity with the enterprise.
  – Location awareness: Depending on the kind of data the enterprise is managing on the user's behalf, there might be legal restrictions on the location of the physical server where the data is stored.
  – Metering and monitoring: All cloud services must be metered and monitored for cost control, chargebacks and provisioning.
  – Security: Any use case involving an enterprise will have more sophisticated security requirements than one involving a single end user.
Use Case Scenarios (6..6)

• Requirements
  – A Common File Format for VMs: A VM created for one cloud vendor’s platform should be portable to another vendor’s platform.
  – Common APIs for Cloud Storage and Middleware: The enterprise use cases require common APIs for access to cloud storage services, cloud databases, and other cloud middleware services such as message queues.
  – Data and Application Federation: Enterprise applications need to combine data from multiple cloud-based sources, and they need to coordinate the activities of applications running in different clouds.
  – SLAs and Benchmarks: In addition to the basic SLAs required by end users, enterprises who sign contracts based on SLAs will need a standard way of benchmarking performance.
  – Lifecycle Management: Enterprises must be able to manage the lifecycle of applications and documents.
Building Scalable Architecture (1..3)

• The most important factor in infrastructure architecture is the ability to scale.
• Horizontal Scaling vs. Vertical Scaling vs. Automated Elasticity
  – Vertical scaling (scale-up) assumes that organizations make a substantial up-front investment and do not worry about available computing resources until the point when demand is approaching the capacity limit.
  – Horizontal scaling (scale-out) enables organizations to expand their environment in small chunks on demand.
  – Automated elasticity means that a cloud provider continuously monitors a customer’s infrastructure and scales it on demand.
Building Scalable Architecture – Example (2..3)

• Company XYZ plans to purchase servers to host their web applications. They currently serve 5,000 users. XYZ predicts user growth of approximately 1,000 users per month. These are their three choices:
  – 1. Vertical scaling: purchase two powerful servers, $50,000 each. This should provide the capacity to host up to 50,000 users. When these servers reach capacity, XYZ will buy another two servers.
  – 2. Horizontal scaling: purchase two servers, $3,000 each, with the capacity to serve 10,000 users. When XYZ needs to serve more users, they will buy additional servers.
  – 3. Automated Scaling: purchase the required computing resources from a cloud provider to serve 5,000 users, and let the cloud provider auto-scale the capacity.
Building Scalable Architecture – Example (3..3)
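The XYZ comparison on the previous slide can be worked through numerically. The following Python model is an added example, not part of the lecture material: it takes the prices, capacities and growth rate stated on the slide, assumes that horizontal scaling adds servers in $6,000 pairs serving 10,000 users each, and, because the slide gives no pay-per-use price, uses a hypothetical cloud price of $0.20 per user per month. It simulates 24 months of growth and reports total spend, when capacity had to be bought, and the average utilisation of what was bought, which is where the three strategies really differ.

```python
"""Cost-over-time model for the three scaling options on the XYZ example slide.

Constructed example; the slide gives prices and capacities but no cloud
pay-per-use price, so CLOUD_PRICE_PER_USER_MONTH is a hypothetical figure.
"""
from dataclasses import dataclass


@dataclass
class PurchasePlan:
    name: str
    step_cost: int       # dollars spent each time capacity is expanded
    step_capacity: int   # users one purchase step can serve


# Slide figures: two $50,000 servers give 50,000 users of capacity and are
# bought two at a time; two $3,000 servers give 10,000 users of capacity
# (assumed here to be bought as a pair as well).
VERTICAL = PurchasePlan("vertical scaling", step_cost=100_000, step_capacity=50_000)
HORIZONTAL = PurchasePlan("horizontal scaling", step_cost=6_000, step_capacity=10_000)
CLOUD_PRICE_PER_USER_MONTH = 0.20   # hypothetical, not from the slides


def demand(month: int, start_users: int = 5_000, growth_per_month: int = 1_000) -> int:
    """Users XYZ must serve in a given month (5,000 today, +1,000 per month)."""
    return start_users + growth_per_month * month


def simulate_purchases(plan: PurchasePlan, months: int = 24) -> dict:
    """Buy another step whenever demand would exceed installed capacity.

    Returns total spend, the months in which purchases happened, and the
    average utilisation (demand / installed capacity) over the horizon.
    """
    capacity = 0
    total_cost = 0
    purchase_months = []
    utilisation = []
    for month in range(months + 1):
        users = demand(month)
        while users > capacity:              # expand until demand fits
            capacity += plan.step_capacity
            total_cost += plan.step_cost
            purchase_months.append(month)
        utilisation.append(users / capacity)
    return {
        "plan": plan.name,
        "total_cost": total_cost,
        "purchase_months": purchase_months,
        "avg_utilisation": sum(utilisation) / len(utilisation),
    }


def simulate_cloud(price_per_user_month: float = CLOUD_PRICE_PER_USER_MONTH,
                   months: int = 24) -> dict:
    """Automated scaling: capacity tracks demand, so nothing sits idle."""
    total_user_months = sum(demand(m) for m in range(months + 1))
    return {
        "plan": "automated scaling",
        "total_cost": price_per_user_month * total_user_months,
        "purchase_months": [],
        "avg_utilisation": 1.0,
    }


if __name__ == "__main__":
    for result in (simulate_purchases(VERTICAL), simulate_purchases(HORIZONTAL), simulate_cloud()):
        print(f"{result['plan']:<20} ${result['total_cost']:>10,.0f}  "
              f"utilisation {result['avg_utilisation']:.0%}  "
              f"purchases in months {result['purchase_months']}")
```

Over two years the vertical plan spends $100,000 once and runs at about a third of its capacity on average, the horizontal plan spends $18,000 in three steps at roughly 80% utilisation, and the pay-per-use plan's cost scales with the user count; changing the hypothetical cloud price or the growth rate in the constants shows at what point each option becomes the cheapest.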
Managing the Cloud (1..2)

• Cloud management is aimed at efficiently managing the cloud so as to maintain the QoS.
• Cloud management can be divided into two parts:
  1. Managing the infrastructure of the cloud
  2. Managing the cloud application
• Managing the Cloud Infrastructure
  – The infrastructure of the cloud is considered to be the backbone of the cloud.
  – This component is mainly responsible for the QoS factor.
  – The core of cloud management is resource management:
    • resource scheduling, provisioning, and load balancing.
Managing the Cloud (2..2)

• Managing the Cloud Application
  – Shifting or moving applications to the cloud environment brings new complexities.
  – Availability of an application requires inspecting the infrastructure, the services it consumes, and the upkeep of the application.
  – Cloud-based monitoring and management services can collect a multitude of events, analyze them, and identify critical information that requires additional remedial actions like adjusting capacity or provisioning new services.
Architecture Overview (Re-cap)

(Figure: Essential Characteristics / Service Models / Deployment Models)
Cloud Architecture – Examples (1..7)

(Figure: Servers without virtualization versus Virtualized servers)

Cloud Architecture (2..7)

(Figure: Simplified cloud infrastructure)
Google App Engine architecture (3..7)

• Google App Engine (GAE) is a pure PaaS platform that completely abstracts infrastructure services away from developers.
Amazon Elastic Beanstalk architecture (4..7)

• Amazon Elastic Beanstalk (AEB) is a PaaS platform built on top of Amazon’s IaaS infrastructure.
Amazon Web Services cloud (5..7)

• Amazon Elastic Compute Cloud (EC2) is a key web service that provides a facility to create and manage virtual machine instances with operating systems running inside them.
• Amazon Relational Database Service (RDS) provides MySQL and Oracle database services in the cloud.
• Amazon S3 is a redundant and fast cloud storage service that provides public access to files over HTTP.
• Amazon SimpleDB is a very fast, unstructured NoSQL database.
• Amazon Simple Queuing Service (SQS) provides a reliable queuing mechanism with which application developers can queue different tasks for background processing.

Amazon Web Services cloud (6..7)
Salesforce’s platform (7..7)

• Salesforce has both SaaS and PaaS components; however, as with many other technologies, the line between SaaS and PaaS is very thin.
Virtualization

1. Introduction to Virtualization
2. Hypervisor
3. Virtualization Elements

What is Virtualization?

• Virtualization is a way to run multiple operating systems and user applications on the same hardware
  – E.g., run both Windows and Linux on the same laptop
• How is it different from dual-boot?
  – Both OSes run simultaneously
• The OSes are completely isolated from each other
Video 1_Virtually Speaking- What is Virtualization
Video 2_Virtualization Example

Cloud Services Models

Traditional versus Virtualized System (1..3)

Traditional versus Virtualized System (2..3)

Traditional versus Virtualized System (3..3)

After virtualization…
Benefits

• Industries adopt virtualization in their organization because of the following benefits:
  – Better resource utilization
  – Increases ROI
  – Dynamic data center
  – Supports green IT
  – Eases administration
  – Improves disaster recovery
Drawbacks

• Single point of failure
• Demands high-end and powerful infrastructure
• May lead to lower performance
• Requires specialized skill set
Virtualization Opportunities

• Virtualization is the process of abstracting the physical resources into a pool of virtual resources that can be given to any virtual machines (VMs).
• The different resources like memory, processors, storage, and network can be virtualized using proper virtualization technologies.
Approaches to Virtualization (1..5)

• There are three different approaches to virtualization.
  – Full virtualization
  – Paravirtualization
  – Hardware-assisted virtualization
• Before discussing them, it is important to know about protection rings in OSs.
  – Protection rings are used to isolate the OS from untrusted user applications.
  – The OS can be protected with different privilege levels. In the protection ring architecture, the rings are arranged in hierarchical order from ring 0 to ring 3.
  – Ring 0 contains the programs that are most privileged, and ring 3 contains the programs that are least privileged.
Approaches to Virtualization (2..5)

• Depending on the type of virtualization, the hypervisor and guest OS will run at different privilege levels.
• Normally, the hypervisor will run at the most privileged level, ring 0, and the guest OS will run at a less privileged level than the hypervisor.
Full virtualization (3..5)

• The guest OS is completely abstracted from the underlying infrastructure. The virtualization layer or virtual machine manager (VMM) fully decouples the guest OS from the underlying infrastructure.
Paravirtualization (4..5)

• Provides partial simulation of the underlying infrastructure
• Hypercalls: direct communication between OS and hypervisor
Hardware-Assisted Virtualization (5..5)

• OS requests trap directly to the hypervisor without any translation
Hypervisor (1..5)

• The hypervisor mechanism is a fundamental part of virtualization infrastructure that is primarily used to generate virtual server instances of a physical server.
• A hypervisor is generally limited to one physical server and can therefore only create virtual images of that server.
• The virtual infrastructure manager (VIM) provides a range of features for administering multiple hypervisors across physical servers.
Hypervisor (2..5)

(Figure) Virtual servers are created via individual hypervisors on individual physical servers. All three hypervisors are jointly controlled by the same VIM.
Hypervisor Types (3..5)

Two types of hypervisors (4..5)

• Definitions
  – Hypervisor (or VMM – Virtual Machine Monitor) is a software layer that allows several virtual machines to run on a physical machine
  – The physical OS and hardware are called the Host
  – The virtual machine OS and applications are called the Guest

(Figure)
Type 1 (bare-metal): Guest (VM1, VM2) → Hypervisor → Hardware. Examples: VMware ESX, Microsoft Hyper-V, Xen.
Type 2 (hosted): Guest (VM1, VM2) → Hypervisor, running as a process alongside other processes on the Host OS → Hardware. Examples: VMware Workstation, Microsoft Virtual PC, Sun VirtualBox, QEMU, KVM.
Bare-metal or hosted? (5..5)

• Bare-metal
  – Has complete control over hardware
  – Doesn’t have to “fight” an OS
• Hosted
  – Avoid code duplication: need not code a process scheduler or memory management system; the OS already does that
  – Can run native processes alongside VMs
  – Familiar environment: how much CPU and memory does a VM take? Use top! How big is the virtual disk? ls -l
  – Easy management: stop a VM? Sure, just kill it!
• A combination
  – Mostly hosted, but some parts are inside the OS kernel for performance reasons
  – E.g., KVM
Load Balancer (1..3)

• The load balancer mechanism is a runtime agent whose logic is fundamentally based on the premise of employing horizontal scaling to balance a workload across two or more IT resources, to increase performance and capacity beyond what a single IT resource can provide.
• Load balancers can perform a range of specialized runtime workload distribution functions that include:
  – Asymmetric Distribution: larger workloads are issued to IT resources with higher processing capacities
  – Workload Prioritization: workloads are scheduled, queued, discarded, and distributed according to their priority levels
  – Content-Aware Distribution: requests are distributed to different IT resources as dictated by the request content
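The three distribution functions listed above can be seen side by side in a small scheduler. The following Python class is an added illustration written for this lesson, not code from the lecture or from any load balancer product; the backend names, request paths, weights and the 16-entry queue limit are all made up. Asymmetric distribution is modelled by sending each request to the backend with the lowest load relative to its weight, workload prioritization by a priority queue that, when full, discards the least urgent request rather than the newest one, and content-aware distribution by a path-prefix rule that overrides the load-based choice.

```python
"""Toy load balancer showing the three distribution functions from the slide:
asymmetric (capacity-weighted) distribution, workload prioritisation with a
bounded queue that discards the least urgent request, and content-aware routing.
Constructed example; backend names, paths and weights are made up."""
import heapq
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Backend:
    name: str
    weight: int        # relative processing capacity; higher takes more work
    assigned: int = 0  # work units routed so far


@dataclass(order=True)
class Request:
    priority: int                      # lower number = more urgent
    seq: int                           # FIFO tie-break within a priority
    path: str = field(compare=False)
    size: int = field(compare=False)   # work units this request costs


class LoadBalancer:
    def __init__(self, backends, content_rules, max_queue=16):
        self.backends = {b.name: b for b in backends}
        self.content_rules = content_rules      # path prefix -> backend name
        self.dedicated = set(content_rules.values())
        self.queue = []                         # heap ordered by (priority, seq)
        self.max_queue = max_queue
        self.discarded = []
        self._seq = count()

    def submit(self, path, size, priority):
        """Queue a request; when full, keep the more urgent of (new, least urgent queued)."""
        req = Request(priority, next(self._seq), path, size)
        if len(self.queue) >= self.max_queue:
            least_urgent = max(self.queue)
            if req < least_urgent:
                self.queue.remove(least_urgent)
                heapq.heapify(self.queue)
                self.discarded.append(least_urgent)
            else:
                self.discarded.append(req)
                return
        heapq.heappush(self.queue, req)

    def pick_backend(self, req):
        # Content-aware: a matching path prefix overrides the load-based choice.
        for prefix, name in self.content_rules.items():
            if req.path.startswith(prefix):
                return self.backends[name]
        # Asymmetric: send to the general backend with the lowest load per unit of weight.
        pool = [b for b in self.backends.values() if b.name not in self.dedicated]
        return min(pool, key=lambda b: (b.assigned / b.weight, b.name))

    def dispatch(self):
        """Drain the queue in priority order; returns (path, backend) pairs."""
        assignments = []
        while self.queue:
            req = heapq.heappop(self.queue)
            backend = self.pick_backend(req)
            backend.assigned += req.size
            assignments.append((req.path, backend.name))
        return assignments


def run_demo():
    """Constructed scenario: one large and one small general backend, one static-content backend."""
    lb = LoadBalancer(
        backends=[Backend("big", weight=3), Backend("small", weight=1), Backend("static", weight=1)],
        content_rules={"/images/": "static"},
    )
    lb.submit("/api/orders", size=2, priority=0)
    lb.submit("/images/logo.png", size=1, priority=2)
    lb.submit("/api/search", size=2, priority=1)
    lb.submit("/reports/nightly", size=4, priority=3)
    assignments = lb.dispatch()
    loads = {name: b.assigned for name, b in lb.backends.items()}
    return assignments, loads


if __name__ == "__main__":
    for path, backend in run_demo()[0]:
        print(f"{path:<20} -> {backend}")
```

In the demo the heavy nightly report lands on the larger backend even though the small one was chosen for the earlier search request, because the choice is made on load divided by weight rather than on raw request count; the image request bypasses that calculation entirely and goes to the static backend named by the content rule.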
Load Balancer (2..3)

(Figure) A load balancer implemented as a service agent transparently distributes incoming workload request messages across two redundant cloud service implementations, which in turn maximizes performance for the cloud service consumers.
Load Balancer (3..3)

Benefits from load balancing:
• failover: in case of a specific server failure, the load balancer will automatically forward network traffic to other servers;
• performance: because traffic load is distributed between multiple servers, network response time is typically faster;
• scalability: customers can quickly add servers under the load balancer to increase computational capacity without affecting other network/system components.
Virtual Server (1..2)

• The virtual server, also known as a virtual machine (VM), is a form of virtualization software that emulates a physical server and is used by cloud providers to share the same physical server with multiple cloud consumers by providing cloud consumers with individual virtual server instances.

(Figure) The first physical server hosts two virtual servers, while the second physical server hosts one virtual server.
Virtual Server (2..2)

• Cloud consumers that install or lease virtual servers can customize their environments independently from other cloud consumers that may be using virtual servers hosted by the same underlying physical server.

(Figure) A virtual server that hosts a cloud service being accessed by Cloud Service Consumer B, while Cloud Service Consumer A accesses the virtual server directly to perform an administration task.
Virtual CPU

• A virtual CPU (vCPU) or virtual processor is a physical CPU core that is assigned to a virtual machine. It is the amount of processing power that a hypervisor provides to a virtual server.

(Figure) A physical CPU is partitioned between two virtual machines, each with one vCPU. Converting a virtual machine from a single vCPU to multiple vCPUs requires that the guest OS be able to handle more than one CPU. This is known as a symmetric multiprocessor (SMP).
Virtual Disk (1..2)

• A virtual disk (vDisk) is a specialized variation of the cloud storage device mechanism that exists as a single file or a set of files split into smaller parts that represent the virtual server's hard disk.
• A virtual disk is the consolidation of hard drives that are allocated to a virtual server before or after its creation.
• Consider the following virtual disk scenario:
  – A virtual server is created with two hard drives. One has 300 GB and the other has 500 GB.
  – Two virtual disks are created in the virtual server's folder. One has 300 GB and the other has 500 GB.
  – If Microsoft Hyper-V is used, the virtual disks will be stored in the .VHD file format (VHDX on Windows 8). If VMware ESX(i) is used, the hard disks will be stored in the .VMDK file format.
Virtual Disk (2..2)

(Figure) Three virtual servers, each of which has two virtual hard disks. A single-file hard disk is used for VM A, split hard disks on VM B, and a mixture of both on VM C.
Virtual Network

• The virtual network is a combination of virtual switches and their uplinks to a physical network that isolates a network environment. It requires a minimum of one physical uplink and one virtual switch, although it can have more virtual switches.
Virtual Switch (1..2)

• A virtual switch is a logical network switch that operates at the hypervisor level.
• A virtual switch is an emulated switch that is used to provide networking to virtual servers. Virtual switches use their internal virtual ports to connect virtual servers to one another or to the hypervisors.
• Physical network interface cards (NICs) can be attached to virtual switches. The NICs are used by the virtual switches as uplink ports to connect to other virtual switches or physical switches.
Virtual Switch (2..2)

(Figure) Virtual Switches A and B each have eight virtual ports and several physical NICs. The virtual servers are connected to the virtual switches via virtual ports. Communication between Virtual Servers A and B occurs at the virtual switch level; no traffic is sent to the physical NICs. If any of the virtual servers need to communicate with Physical Server A or Virtual Server C, the traffic needs to pass through the physical NICs and the physical switch.
Virtual RAM

• In a virtualized computing environment, physical memory is partitioned into virtualized physical memory. Virtual memory management techniques are used to allocate additional memory to a virtual machine.
• Virtual RAM (vRAM) is the amount of RAM that a hypervisor allocates to a virtual server. A hypervisor has to allocate 2 GB of vRAM to a virtual server that is being created with 2 GB of RAM.

(Figure) An example of vRAM on two virtual servers.
Virtual Infrastructure Manager

• Virtualized IT resource management is often supported by virtualization infrastructure management (VIM) tools that collectively manage virtual IT resources and rely on a centralized management module, otherwise known as a controller, that runs on a dedicated computer.
• The VIM coordinates the server hardware so that virtual server instances can be created from the most expedient underlying physical server.

(Figure) An example of a VIM and a VM image repository within a resource management system.
Virtualization Monitor (1..2)

• The virtualization monitor is a specialized variation of the usage monitor mechanism that provides monitoring functionality specific to virtualization-related usage.
• A variety of virtualization monitors can be used to perform different forms of monitoring. Virtualization monitors are typically implemented as service agents.
Virtualization Monitor (2..2)

1. Hypervisors are installed on the three physical servers.
2. Virtual servers are created by the hypervisors.
3. A shared cloud storage device containing virtual server configuration files is positioned so that all hypervisors have access to it.
4. The hypervisor cluster is enabled on the three physical server hosts via a central VIM, and monitored by the VIM's virtualization monitor function.
Virtualization Security

Cloud vs Virtualization

• Many cloud deployments are built on virtualized platforms
• However, it is not a requirement
  – Some Software as a Service (SaaS) deployments are not virtualized
• NIST does not include virtualization as part of its cloud description
Leveraging Virtualization in the Cloud

• Cloud deployments are all about pooling resources to increase efficiency
• Also reduces cost
• Virtualization is a natural platform for building clouds
  – Hardware abstraction provides the foundation
  – Tear down and setup of software is far quicker and more efficient than hardware
Virtualization Simplified

(Figure) Emulates all required hardware
Host OS versus Bare Metal

• Host OS
  – Boot from operating system
  – Hypervisor loaded as application or service
  – Provides greater flexibility
• Bare metal
  – Minimal boot strap built into hypervisor
  – Typically Linux or BSD derivative
  – Typically more difficult to upgrade
Flexibility of Abstraction

(Figure)
More resources needed: Add 1 CPU; Add 1TB of storage
Less resources needed: Remove 1 CPU; Remove .5TB of storage
Less resources needed: Remove .5TB of storage
What about security

• Code base for hypervisor and boot OS kept as small as possible
  – Creates a smaller attack surface
• VMs run at a lower level of permissions than the hypervisor
  – Inhibits VM escape attacks
  – Escapes have been found in the lab
  – To date, no public escape compromises
The lack of an Air Gap

Which is more secure

Security gains and losses experienced when moving to virtualization
Things to look out for

• VMs have DMA to controllers
  – Video or network cards
  – Better performance but higher risk
• Storage or resource sharing
  – Permits simplified file exchanges between VMs or between VMs and host
  – More flexibility but higher risk
• Guest tools
  – Increased VM access to host resources
Physical vs Logical Partitions

• Physical
  – Physical resource is dedicated to the VM
  – Severely limits flexibility
  – Arguably more secure
• Logical
  – Physical resources are logically segregated
  – Simplifies capacity tuning
  – Arguably less secure
Potential Data Misplacement
Applying Security

• Best practices still apply
• Reduce risk to an acceptable level
• Leverage security layers
  – As much as possible
• New security tools may be required
  – Reworking of old tools
Layers with Virtualization

Cloud Standards
Standards

• The Green Grid brings together end users, technology providers, utility companies, facility architects and policy makers to create a set of standards that would allow for a more efficient utilization of resources.
• Cloud Security Alliance (CSA) lays out the best practices for cloud computing security.
• The Distributed Management Task Force (DMTF) focuses on IaaS (Infrastructure as a Service), and on providing standards that enable IaaS to be a flexible, scalable, high-performance infrastructure.
Standards

• The Institute of Electrical and Electronics Engineers Standards Association works to develop, nurture and advance worldwide
• The National Institute of Standards and Technology is a non-regulatory federal agency that pushes for standards in science and technology.
• Open Cloud Consortium (OCC): the OCC goal is to support the development of standards for cloud computing and frameworks for interoperating between clouds.
Standards

• Open Grid Forum (OGF): the OGF is an open community that focuses on driving the adoption and evolution of distributed computing.
• The Object Management Group (OMG): the OMG is an international group focused on developing enterprise integration standards for a wide range of industries including government, life sciences, and healthcare.
• Storage Networking Industry Association (SNIA): the SNIA is focused on developing storage solution specifications and technologies, global standards, and storage education.
Standards

Complete Quiz 1