
Chapter 2 Literature Review

2.1 Introduction

The aim of this chapter is to provide background on the emergence of cloud computing, a broad
discussion of the concept of cloud computing, and the security issues associated with it. The
chapter starts with an introduction to cloud computing and its characteristics, which gives an
insight into cloud computing and its technology. This is followed by an in-depth study of its
associated services, i.e. Software, Platform and Infrastructure (SPI), and the organizations
currently providing these services. Information about the different service level agreements is
also given. Security is then discussed, taking into consideration the risk standards established
by organizations such as the European Network and Information Security Agency (ENISA), the
National Institute of Standards and Technology (NIST) and the Cloud Security Alliance (CSA).

2.2 Cloud Computing

Cloud computing, a relatively new term, brings together a decade of research on virtualization,
distributed computing, utility computing and, more recently, sectors such as networking and
software services. Vouk (2008) describes cloud computing as the next step in the development of
on-demand information technology services and products. It basically implies a service-oriented
architecture, less information technology overhead for end users, far more flexibility than is
available today, low cost of ownership and on-demand services, to name a few. Naone (2007) adds
that cloud computing depends to a large extent on the virtualization of resources. The
predecessors of cloud computing have been around for some time, but the technology came into the
limelight in 2007 when giants such as IBM and Google announced their entrance into the arena.
ENISA (2009) describes cloud computing as highly abstracted, scalable and elastic, with shared
resources that are charged for according to usage. CSA (2009) describes it as a growing
technology in which different sectors such as applications, information resources and
infrastructure are separated. CSA further mentions that this separation comes with
virtualization and brings flexibility to the business. Some of the important characteristics of
cloud computing mentioned are:

• On demand

• Wide network access

• Resource grouping

• Efficient elasticity

• Measurable

These characteristics are discussed in detail in the section on cloud computing characteristics.

2.3 Technology behind Cloud Computing

A number of enabling technologies contribute to Cloud computing. Ressee (2009) discusses some of
the state-of-the-art techniques which are employed to develop this technology. Each of these
technologies is discussed below in detail.

2.3.1 Virtualization technology:

Virtualization technologies mainly partition hardware and thus provide flexible and scalable
computing platforms. Virtual machine techniques, such as VMware and Hyper-V, offer virtualized
IT infrastructures on demand. Virtual network advances, such as VPN, give users a customized
network environment in which to access Cloud resources. Virtualization techniques are the basis
of Cloud computing since they deliver flexible and scalable hardware services.

2.3.2 Orchestration of service flow and workflow:


Computing Clouds offer a complete set of service templates on demand, which can be composed of
services inside the computing Cloud. Computing Clouds should therefore be able to automatically
orchestrate services from different sources and of different types to form a service flow or a
workflow transparently and dynamically for users.

2.3.3 Web service and Service Oriented Architecture (SOA):

Computing Cloud services are normally exposed as Web services, which follow industry standards
such as Web Service Definition Language (WSDL), Simple Object Access Protocol (SOAP) and
Universal Description, Discovery and Integration (UDDI). The organization and orchestration of
services inside Clouds can be managed in a Service Oriented Architecture (SOA). A set of Cloud
services can furthermore be used in a SOA application environment, which makes them available
on various distributed platforms and accessible across the Internet.

2.3.4 Web 2.0:

Web 2.0 is an emerging technology describing the innovative trends of using World Wide Web
technology and Web design that aim to enhance creativity, information sharing, collaboration
and functionality of the Web. The essential idea behind Web 2.0 is to improve the
interconnectivity and interactivity of Web applications. The new paradigm for developing and
accessing Web applications enables users to access the Web more easily and efficiently. Cloud
computing services are by nature Web applications which deliver desirable computing services on
demand. It is thus a natural technical evolution that Cloud computing adopts the Web 2.0
technique.

2.3.5 World-wide distributed storage system:

A Cloud storage model should foresee:

• A network storage system, backed by distributed storage providers (e.g., data centers), which
offers storage capacity for users to lease. The data storage can be migrated, merged and
managed transparently to end users, whatever the data format. Examples are Google File System
and Amazon S3.

• A distributed data system which provides data sources that are accessed in a semantic way.
Users can locate data sources in a large distributed environment by logical name instead of
physical location. Virtual Data System (VDS) is a good reference.

2.3.6 Programming model:

Users come to the computing Cloud with data and applications. Cloud programming models should
therefore be proposed so that users can adapt to the Cloud infrastructure. For simplicity and
easy access to Cloud services, however, the Cloud programming model should not be too complex
or too innovative for end users. MapReduce is a programming model and an associated
implementation for processing and generating large data sets across Google's worldwide
infrastructure. The MapReduce model first applies a “map” operation to some data records, a set
of key/value pairs, and then applies a “reduce” operation to all the values that share the same
key. The Map-Reduce-Merge method evolves the MapReduce paradigm by adding a “merge” operation.
Hadoop is a framework for running applications on large clusters built of commodity hardware. It
implements the MapReduce paradigm and provides a distributed file system, the Hadoop Distributed
File System. MapReduce and Hadoop have been adopted by the recently created international Cloud
computing project of Yahoo!, Intel and HP.
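
The map, reduce and merge operations described above, sketched in plain Python as an added example (not code from the original chapter and not Hadoop's API). The log format, sample records and function names are constructed for illustration, and the merge step is shown as a simple key join of two reduced outputs, which is an assumption about how that operation is used.

```python
from collections import defaultdict

# Constructed sample input (not from the original chapter): authentication
# events already divided into splits, as if stored on two different nodes.
# Assumed line format: "<timestamp> <OK|FAIL> user=<name> src=<ip>".
AUTH_LOG_SPLITS = [
    [
        "2024-05-01T09:00:01Z FAIL user=alice src=203.0.113.5",
        "2024-05-01T09:00:02Z FAIL user=bob src=203.0.113.5",
        "2024-05-01T09:00:07Z OK user=carol src=198.51.100.7",
    ],
    [
        "2024-05-01T09:00:09Z FAIL user=alice src=203.0.113.5",
        "2024-05-01T09:00:11Z OK user=alice src=203.0.113.5",
        "2024-05-01T09:00:15Z FAIL user=dave src=192.0.2.44",
        "truncated line",  # malformed record: the mapper must skip it
    ],
]


def make_mapper(outcome):
    """Build a map function that emits (source_ip, 1) for one outcome."""
    def mapper(record):
        fields = record.split()
        if len(fields) < 3 or fields[1] != outcome:
            return []  # wrong outcome or malformed: emit nothing
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        src = attrs.get("src")
        return [(src, 1)] if src else []
    return mapper


def shuffle(pairs):
    """Group intermediate values by key, as happens between the two phases."""
    groups = defaultdict(list)
    for key, value in pairs:
        groups[key].append(value)
    return groups


def sum_reducer(key, values):
    """Reduce: collapse all values that share one key into a single count."""
    return key, sum(values)


def map_reduce(splits, mapper, reducer):
    """Run map over every split independently, then shuffle and reduce."""
    intermediate = []
    for split in splits:  # each split could be processed on its own node
        for record in split:
            intermediate.extend(mapper(record))
    return dict(reducer(k, v) for k, v in shuffle(intermediate).items())


def merge(failures, successes):
    """Merge: join two reduced outputs on their shared key (source IP)."""
    return {
        src: (failures.get(src, 0), successes.get(src, 0))
        for src in sorted(set(failures) | set(successes))
    }


def suspicious_sources(merged, min_failures=3):
    """Sources with repeated failures and at least one successful login."""
    return [src for src, (bad, ok) in merged.items()
            if bad >= min_failures and ok > 0]


if __name__ == "__main__":
    failed = map_reduce(AUTH_LOG_SPLITS, make_mapper("FAIL"), sum_reducer)
    passed = map_reduce(AUTH_LOG_SPLITS, make_mapper("OK"), sum_reducer)
    joined = merge(failed, passed)
    print(joined)
    print(suspicious_sources(joined))
```
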

2.4 Benefits of Cloud Computing

With cloud computing, IT professionals can devote more energy to enhancing the value of using IT
for their enterprises and less to the day-to-day challenges of IT. Cloud computing has
undoubtedly brought a revolution to the IT world: the traditional method of providing services
has been overtaken by its advent. IBM (2009) listed some of the benefits of deploying cloud
computing in a business:

• Cloud computing liberates organizations to deliver IT services as never before. Cloud enables
the dynamic availability of IT applications and infrastructure, regardless of location. More
rapid service delivery results from the ability to orchestrate the tasks to create, configure,
provision and add computing power in support of IT and business services much more quickly than
would be possible with today’s computing infrastructure. Enhanced service delivery reinforces
efforts for customer retention, faster time to market and horizontal market expansion. Cloud
computing can enhance SOA, information management and service management initiatives, which
also support your service delivery initiatives.

• Cloud computing also promotes IT optimization so that IT resources are configured for maximum
cost-benefit. This is possible because cloud computing supports massive scalability to meet
periods of demand while avoiding extended periods of under-utilized IT capacity. With the click
of a mouse, services can be quickly expanded or contracted without requiring overhauls to the
core data centre. The benefits include lower cost of ownership, which drives higher
profitability, enabling you to more easily reinvest in your infrastructure and answer the
question, “How do I do more with fewer resources?”

• Cloud computing fosters business innovation by enabling organizations to explore quickly and
cost effectively the potential of new, IT-enabled business enhancements that can grow with
unprecedented scale.

• Not only does cloud computing deliver a greater return on IT equipment spending, but it also
promotes more efficient and effective use of technical staff. IT labor costs alone represent as
much as 70 percent of an IT operating budget. With its highly autonomic character, cloud
computing eliminates much of the time traditionally required to requisition and provision IT
resources.

• Cloud computing also yields significant cost savings in the real estate required for the data
centre as well as power and cooling costs. Thanks to virtualization and the cloud’s capability
of tapping resources (either through a private cloud or tapping publicly available cloud
resources).

2.5 Cloud computing model

Cloud computing is a model which enables convenient, on-demand network access to computing
resources, i.e. networks, servers, services etc., that can be quickly changed and released with
minimum management effort.

The cloud computing model provides an overview of all its characteristics. The model, developed
by NIST, discusses all aspects of cloud computing and consists of five essential
characteristics, different service models and deployment models.

Source: http://csrc.nist.gov/groups/SNS/cloud-computing/index.html

The figure above shows the cloud computing model and its different sections. The first section
covers the characteristics, as mentioned earlier in section 2.1. The second section lists the
service models: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as
a Service (IaaS). The third and last section explains the models which are deployed in cloud
computing, i.e. Public, Private, Hybrid and Community.

2.5.1 Essential Characteristics:

Broad Network Access: This is one of the important characteristics provided by a cloud computing
network. Mell & Grance (2009) mention that facilities are available over the network and can be
accessed through standard mechanisms that encourage use by diverse thin or thick platforms such
as mobile phones, laptops and PDAs. These features are omnipresent in the network, and the
clients requiring these facilities have to pay for the service.

Rapid Elasticity: NIST (2009) mentions that the facilities in cloud computing can be provisioned
rapidly and elastically. In most cases this is done automatically, to “quickly scale out and
rapidly released to quickly scale in”. To customers, the facilities available often appear
unlimited, and they can be purchased in any amount and at any time.

Measured Services: A cloud system automatically controls and enhances resource utilization by
the end user by applying metering capabilities at different levels and for the different types
of services offered. The services mainly include storage, bandwidth, processing and active user
accounts.

This implies that the services provided by a cloud system can be monitored, controlled and
accounted for, which provides transparency for both the service provider and the customer about
the services received.

On-Demand Self Service: As mentioned earlier, cloud computing is a pool of services, and
customers can pay for the services they want. Mell & Grance (2009) describe how on-demand self
service enables a customer to unilaterally provision computing capabilities such as network
storage capacity and server time. With this provision, changes can be made without requiring any
human interaction with the service provider.

Resource Pooling: Cloud computing is a pool of services designed to serve numerous customers
using a multi-tenant model, with different physical and virtual resources dynamically assigned
and reassigned according to the requirements of the customer. NIST (2009) states that one of the
most important features of cloud computing is location independence: the customer normally has
no knowledge of the precise location of the resources provided, but may be able to specify the
location at a higher level of abstraction such as country, state or data centre. The resources
mainly include storage, processing, memory, network bandwidth and virtual machines.

2.5.2 Service Models


The service models are broadly divided into Software as a Service, Platform as a Service and
Infrastructure as a Service. In the Software as a Service (SaaS) model, most of the
responsibility for security management lies with the cloud provider. SaaS provides a number of
ways to control access to the Web portal, such as the management of user identities,
application-level configuration, and the ability to restrict access to specific IP address
ranges or geographies. Cloud models like Platform as a Service allow clients to assume more
responsibility for managing the configuration and security of the middleware, database software
and application runtime environments. The Infrastructure as a Service (IaaS) model transfers
even more control, and responsibility for security, from the cloud provider to the client. In
this model, access is available to the operating system that supports virtual images, networking
and storage.

Each of these services is discussed in detail below, stating the pros and cons of using the
services for the business.

2.5.2.1 Software as a Service (SaaS):

According to ENISA (2009), “Software offered by a third party provider, available on demand,
usually via the Internet configurable remotely. Examples include online word processing and
spreadsheets tools, CRM Services and web content delivery services (Salesforce CRM, Google Docs,
etc.)”. Rittinghouse & Ransome (2010) further describe that the traditional method of
distributing software was to install it on each computer, which was known as Software as a
Product. SaaS, however, is a software distribution model in which applications are provided by
the service provider over the network. It is becoming a very prominent delivery method for
technologies that support web services and service-oriented models. SaaS also comes with a
pay-as-you-go subscription method in which customers pay for the services they take. It is
mostly implemented to offer business software functionality to enterprise customers at a low
cost, which allows them to gain the same benefits as commercially licensed, fully operated
software without the complication of installing, managing, licensing and high initial cost.

Carraro & Chong (2010) further mention that SaaS architectures are differentiated into four
levels of maturity based on three attributes, i.e. configurability, multi-tenant efficiency and
scalability. Each level is distinguished from the previous one by the addition of one of these
attributes.

SaaS Maturity Level 1 – Ad Hoc / Custom: The first level of maturity is not really a maturity
level. Migrating a non-networked application to this level requires minimal development effort,
and the level accordingly offers the least. Each customer has a unique, customized edition of
the application. The application creates an instance on the host’s server every time it runs.

SaaS Maturity Level 2 – Configurability: The second level of maturity provides extended
flexibility to customers. At this level, customers can use separate instances of the same
application, which enables the vendor to meet the different needs of customers. It also permits
the vendor to ease the maintenance load by being able to update a common database.

SaaS Maturity Level 3 – Multitenant Efficiency: As mentioned earlier, each level in this model
adds an attribute to the previous level. This level thus adds multi-tenancy to the second level.
It enables vendors to use server resources efficiently without affecting the quality of service
to users. Multi-tenancy results in the capability to serve all the customers of the vendor.
However, this level is limited in its ability to serve a massive number of users.

SaaS Maturity Level 4 – Scalable: This level of maturity adds scalability to the model using a
“multi-tiered architecture”. This architecture is capable of supporting a load-balanced group of
applications running on several servers, often in the hundreds and thousands. The capacity of
the system can be varied depending upon customer demand without any alteration to the
application software architecture.

2.5.2.1.1 Division of Responsibility in SaaS

The division of responsibility mainly focuses on the working relationship between the customers
and the service provider. According to ENISA (2009), “with respect to security incidents, there
needs to be a clear definition and understanding between the customer and the provider of
security-relevant roles and responsibilities”. This helps in understanding the roles and
responsibilities of both customers and the service provider.

Some of these roles of the customer and the service provider are stated below:

| Customer | Service Provider |
|----------|------------------|
| Agreement with the data protection law, keeping in view the data collected and processed by customers. | Provides physical infrastructure support such as rack, power, cabling, cooling etc. |
| Maintaining identity management system | Providing security and availability of infrastructure i.e. servers, storage etc. |
| Managing identity management system | Operating system management |
| Managing authentication | Security configurations such as Firewall rules |
| | Security monitoring |
| | Log collection |

2.5.2.1.2 Benefits of SaaS model

Deploying software in an organization can take years, consume enormous resources, need a huge
amount of investment and sometimes yield unsatisfactory results. The early decision to give up
control is always difficult, but it can lead to better efficiency, lower risk and a large return
on the investment made. Traudt & Konary (2005) mention that a large number of organizations are
moving towards the SaaS model for corporate applications as it helps them ensure that all
locations of the business are using the right software and up-to-date versions. Another
advantage of using SaaS is that, by relying on service providers for the maintenance and
management of corporate applications, the organization reduces its administration and management
burden. Apart from these, some of the benefits to customers are:

• Modernized administration

• Automated update and management of applications

• Worldwide accessibility

• Attuned services across the enterprise

2.5.2.2 Platform as a Service (PaaS)

Cloud computing has developed to include platforms for building and running custom applications.
This concept is known as Platform as a Service (PaaS). PaaS is a result of SaaS applications.
PaaS is an important prerequisite for providing the complete cycle of facilities that support
building and delivering web applications and services, mainly on the Internet. According to
Rittinghouse & Ransome (2010), the services offered by PaaS let users focus on innovation rather
than on creating complex infrastructure. Organizations can thus redirect a good amount of their
budget to developing applications that provide value to their business using PaaS, rather than
worrying about infrastructure issues. Grossman (2009) discusses how PaaS offers a faster, more
cost-effective model for developing applications and delivering them to clients. It offers all
the infrastructure required to run an application on the Internet. Companies such as amazon.com,
eBay, Google, iTunes etc. have been working on the same platform to develop and deliver
services, and it is only because of the cloud that such new capabilities are available in the
market via web browsers. This model is based on a metering system, so users pay for whatever
they use. PaaS mainly offers workflow facilities for application design, application
development, testing, deployment and hosting. It also includes application services such as
virtual offices, team collaboration, database integration, security, scalability, storage,
persistence, state management, dashboard instrumentation, etc.

Thus this model is bringing a period of innovation. Now the developers around the world can

build powerful applications and can easily make them available for users globally with the

advent of PaaS.

2.5.2.2.1 Division of responsibility in PaaS

Here the division of responsibility focuses on the relationship between the customer and the
service provider in a PaaS environment. As already mentioned, according to ENISA (2009), “with
respect to security incidents, there needs to be a clear definition and understanding between
the customer and the provider of security-relevant roles and responsibilities.” Thus, as with
SaaS, there should be a clear understanding of the roles of the customer and the service
provider.

| Customer | Service Provider |
|----------|------------------|
| Maintaining identity management system | Provides physical infrastructure support such as rack, power, cabling, cooling etc. |
| Managing identity management system | Providing security and availability of infrastructure i.e. servers, storage etc. |
| Managing authentication platform | Operating system management |
| | Security configurations such as Firewall rules |
| | Security monitoring |
| | Log collection |

2.5.2.2.2 Benefits of PaaS model

PaaS has undoubtedly brought a revolution to the application development field. The conventional
approach of building and running applications has been complex, expensive and risky. Building
one's own application for the business never guaranteed success. PaaS came into existence to
overcome these issues.

Some of the benefits of PaaS are listed below:

Fast result: The earlier issue of setting up the infrastructure for the development of
applications and software no longer exists. With PaaS, the organization can instantly start
developing the programs it wants and get results.

Lower Cost: Since the entire infrastructure is no longer needed, as it was earlier, the cost of
developing applications has gone down significantly. Moreover, organizations pay only for what
they use.

Easy deployment: Software developed with the help of PaaS can easily be made available for use
through the web. Earlier, designers used to worry about infrastructure development, but with
the deployment of PaaS they concentrate only on development.

Low Risk: Since there is minimal investment in the development of an application, there is very
low risk with this new method of application development.

Less Maintenance: With all upgrades and maintenance done by the service providers, customers
have very little to do in this area. Moreover, customers do not have to worry about unused
servers or any damage.

2.5.2.3 Infrastructure as a Service

Infrastructure as a Service is, in general, the delivery of computer infrastructure, mainly
storage systems, platform virtualization infrastructure etc., as a service. IaaS mainly provides
important technology and data centre services to deliver IT services to the customer. According
to ENISA (2009), “IaaS provides virtual machines and other abstract hardware and operating
systems which may be controlled through a service API. Examples include Amazon EC2 & S3,
Terremark Enterprise Cloud, Windows Live Skydrive and Rackspace cloud”. Unlike other outsourcing
methods, which require a lot of negotiation between customer and provider, lengthy contracts and
extensive diligence, IaaS mainly deals with a model which delivers services that are predefined,
standard and specifically designed for the customers’ requirements. Simple statements of work
make it easier for the service provider to tailor a solution to the customers’
application-oriented demands.

According to Ristol, Wozniak & Slabeva (2009), IaaS service providers manage the shifting and
hosting of applications on their infrastructure. The customers’ duty is to retain ownership of
these applications, while they are freed from hosting and infrastructure management. The
components of the provider-owned implementations are mainly categorised under three sections:
Equipment, Facilities and Management systems.

Equipment mainly consists of the computer hardware, which is normally set up as a grid, and the
computer networking devices, mainly routers, firewalls, load balancers etc. Equipment also
consists of:

Enterprise servers: Devices which provide important services across the network, either to
private users within an organization or to public users via the Internet.

Storage: This is mainly a computer component which records and saves data for an organization.

Network: A group of computers and other devices that communicate through channels, enabling
communication among the different users.

Security devices: These devices help to provide security to the network and the organization.
They mainly comprise firewalls for the network.

Facility mainly consists of:

Data centre: This mainly comprises computer systems and components such as the telecommunication
and storage devices mentioned earlier. It mainly includes backup power supplies, data
communication etc.

Management systems consist of the devices used for monitoring and managing the applications
onsite and offsite.

Thus, rather than buying servers, software, network and equipment, customers rent everything
from IaaS service providers and pay for usage. The bills are usually charged monthly, like any
other utility bill, and customers pay only for what they use.

2.5.2.3.1 Division of responsibility in IaaS

The division of responsibility again concerns the relationship between the customers and the
service providers. In IaaS, it defines the role of customers, i.e. how to deal with the
infrastructure provided by the supplier, while the role of the service provider is to manage and
maintain the applications and devices present and to meet the requirements of the customer.

| Customer | Service Provider |
|----------|------------------|
| Maintaining identity management system | Providing security and availability of infrastructure i.e. servers, storage etc. |
| Managing identity management system | Providing physical security to infrastructure and the availability of the applications. |
| Managing authentication | Host systems |
| Managing the Operating system (OS) for guest and any hardening procedure. | |
| Configuring the security platform for guest i.e. firewall rules, Intrusion prevention system or intrusion detection system etc. | |
| Security monitoring | |

2.5.2.3.2 Benefits of IaaS model

The advent of the IaaS model brought scalability to the IT network. Moreover, problems earlier
faced by clients, such as the installation, maintenance and management of devices, disappeared
with the arrival of IaaS. Some of the benefits of IaaS listed by Bon (2002) are as follows:

• A preconfigured environment which is ready for customers to use. The environment is based on
the Information Technology Infrastructure Library (ITIL), which is a framework for providing the
best IT infrastructure in the computing sector.

• It provides the latest equipment available, so customers do not have to worry about the
ongoing changes in the IT sector every day.

• It provides a secured, protected and insulated platform that is mostly monitored to avoid any
kind of security hassles.

• It usually has minimal risk, as the off-site resources are maintained and managed by a third
party.

• It manages and fulfils the demand by the services and the customers.

• It offers the services at lower cost, in less time, with additional features and
capabilities.

2.6 Cloud deployment Models

There are primarily four cloud computing models. These models are used to provide the hosting
environment and the delivery model that provides information regarding the cloud-based service.
The four types of models are Public, Managed or Community, Private and Hybrid. CSA (2009)
further explains that the cloud models are independent of the type of service, i.e. it could be
SaaS, PaaS or IaaS.

Source: CSA (2009)

The figure above gives a broad description of all the models. It provides information such as
the management of the model, the owner of the infrastructure, the location of the infrastructure
and the accessibility and consumption of the model. Management of the models refers to the
security, operations and compliance of the infrastructure, whereas Infrastructure denotes the
physical infrastructure, i.e. servers, computers, network devices etc. Infrastructure location
is both physical and relative to an organization's management. Trusted consumers are those who
are part of an organization, i.e. the employees, partners and contractors, whereas untrusted
consumers are those who may be authorized to consume some or all of the services but are not
part of the organization.

Each of these models will be discussed below:

Public Model: According to CSA (2009), “this cloud infrastructure is made available to the
general public or a large industry group and is owned by an organization selling cloud
services”. This model is generally owned by a service provider or third party and is generally
not owned by the consuming organization. As shown in the figure above, this model is managed,
and the infrastructure is owned, by the third party. It is also located off premises and is
generally accessed and consumed by untrusted consumers. This model is thus used at a very large
scale, when there are a large number of customers or the service is offered to the general
public. Though it delivers the best economies of scale, its shared infrastructure brings some
disadvantages as well. Security, configuration and SLA specificity make it less ideal for the
service.

Managed or Community Model: CSA (2009) defines this model as “this cloud infrastructure is
shared by several organizations and supports a specific community that has shared concerns
(e.g., mission, security requirements, policy, and compliance considerations). It may be managed
by the third party and may exist on premise”. Managed models are very much restricted to a group
or community. The infrastructure is located on premise, and the service is provided from there.
However, in this model the service is accessible to both trusted and untrusted customers.

Private Model: According to NIST (2009), “this cloud infrastructure is operated solely for an
organization. It may be managed by the organization or a third party and may exist on premise or
off premise”. This type of model is thus designed for one organization and for specific
applications only. It can be managed either by the organization or by a third-party supplier. As
shown in the figure above, if the organization manages the model then the infrastructure is also
owned by the organization itself, and the same holds for a third party. However, the location of
the infrastructure does not depend upon its owner, so it can be either on premise or off premise
in both cases. One of the most important features of the private model is that, unlike other
models, services are accessed and consumed by trusted customers only.

Hybrid Model: According to Grance & Mell (2009), “hybrid model infrastructure is a composition
of two or more clouds (private, community, or public) that remain unique entities but are bound
together by standardized or proprietary technology that enables data and application portability
(e.g., cloud bursting for load-balancing between clouds)”. As given in the definition, it is a
combination of two models, designed to give more scalability and reliability to the
infrastructure since it combines two services. As shown in the figure, it can be managed, and
the infrastructure owned, by either an organization or a third party. Since it is a combination,
the infrastructure can be on premise, off premise or both. Regarding access and consumption, it
can serve a combination of both trusted and untrusted customers.
