Chapter #15: Architecture and Design
CIS 3500

Chapter Objectives
- Explore virtualization concepts
- Become familiar with cloud concepts

Hypervisor
- Virtualization and cloud services are becoming common enterprise tools to manage costs, capacity, and resources
- Virtualization technology enables one computer to run more than one OS at the same time
- It is an abstraction of the OS layer
- To enable virtualization, a hypervisor is employed
- Hypervisors are low-level programs that allow multiple operating systems to run on a single host computer
- The hypervisor is an additional layer, and with it comes additional complexity and risk
- It uses a thin layer of code to allocate resources in real time; it controls I/O and memory management, separating software from hardware
- Host machine and host OS; guest machine and guest OS
- Type I and Type II hypervisors
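A practical check that follows from the host/guest distinction above is to tell, from inside a system, whether it is a guest and which hypervisor it sits on. The following is an added example, not code from the lecture slides: it reads the two signals a Linux guest normally exposes, the "hypervisor" flag in /proc/cpuinfo (CPUID leaf 1, ECX bit 31) and the DMI sys_vendor / product_name strings under /sys/class/dmi/id/. The inputs are passed in as strings and the sample /proc/cpuinfo dumps and DMI values are constructed for this example, not captured from a real machine.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example (not from the slides): decide whether this Linux system is a
// guest, and under which hypervisor, from the CPUID hypervisor flag and the
// DMI vendor/product strings. Inputs are strings so captured files can be
// analysed offline.

// GuestInfo is the result of a detection run.
type GuestInfo struct {
	HypervisorFlag bool   // CPUID says a hypervisor is present (any type)
	Vendor         string // best-effort vendor from DMI; "" if none matched
}

// IsGuest is true when either signal indicates virtualization.
func (g GuestInfo) IsGuest() bool { return g.HypervisorFlag || g.Vendor != "" }

// dmiSignatures lists substrings of sys_vendor ("V") or product_name ("P")
// and the hypervisor that typically sets them. Hyper-V is matched on
// product_name only, because "Microsoft Corporation" as sys_vendor also
// appears on physical Microsoft hardware.
var dmiSignatures = []struct{ field, needle, hypervisor string }{
	{"V", "QEMU", "KVM/QEMU"},
	{"V", "Xen", "Xen"},
	{"P", "HVM domU", "Xen"},
	{"V", "VMware", "VMware"},
	{"P", "VirtualBox", "VirtualBox"},
	{"V", "innotek", "VirtualBox"},
	{"P", "Virtual Machine", "Hyper-V"},
}

// hasHypervisorFlag scans the "flags" lines of a /proc/cpuinfo dump.
func hasHypervisorFlag(cpuinfo string) bool {
	for _, line := range strings.Split(cpuinfo, "\n") {
		if !strings.HasPrefix(strings.TrimSpace(line), "flags") {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			continue
		}
		for _, f := range strings.Fields(parts[1]) {
			if f == "hypervisor" {
				return true
			}
		}
	}
	return false
}

// Detect combines the CPUID flag with the DMI strings.
func Detect(cpuinfo, sysVendor, productName string) GuestInfo {
	info := GuestInfo{HypervisorFlag: hasHypervisorFlag(cpuinfo)}
	for _, sig := range dmiSignatures {
		haystack := sysVendor
		if sig.field == "P" {
			haystack = productName
		}
		if strings.Contains(haystack, sig.needle) {
			info.Vendor = sig.hypervisor
			break
		}
	}
	return info
}

// Constructed inputs (not captured from real machines): a KVM guest and a
// physical host. Only the "flags" line matters to the detector.
const SampleKVMCPUInfo = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu vme de pse tsc msr sse sse2 hypervisor lahf_lm\n"
const SampleBareCPUInfo = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu vme de pse tsc msr sse sse2 lahf_lm vmx\n"

func main() {
	for _, c := range []struct{ label, cpuinfo, vendor, product string }{
		{"kvm-guest", SampleKVMCPUInfo, "QEMU", "Standard PC (Q35 + ICH9, 2009)"},
		{"bare-metal", SampleBareCPUInfo, "Dell Inc.", "PowerEdge R740"},
	} {
		g := Detect(c.cpuinfo, c.vendor, c.product)
		fmt.Printf("%-10s guest=%v flag=%v vendor=%q\n", c.label, g.IsGuest(), g.HypervisorFlag, g.Vendor)
	}
}
```

Both signals are under the hypervisor's control: a hypervisor can mask the CPUID flag and rewrite the DMI tables, so the check is best-effort and a negative result never proves bare metal. The flag, when present, is the more reliable of the two; the DMI strings mainly tell you which vendor.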
Type I
- Type I hypervisors run directly on the system hardware
- Also called native, bare-metal, or embedded hypervisors
- They are designed for speed and efficiency: no additional OS layer
- Examples: KVM (Kernel-based Virtual Machine, a Linux implementation), Xen (the Citrix Linux implementation), Microsoft Windows Server Hyper-V (Windows OS core), VMware's vSphere/ESXi platforms
- They come with management tools

Type II
- Type II hypervisors run on top of a host operating system
- Examples: Oracle's VirtualBox and VMware's VMware Player
- These are designed for limited numbers of VMs, typically running in a desktop or small server environment

Application Cells/Containers
- A hypervisor enables multiple OS instances to coexist; the concept of application cells/containers is similar
- A container holds only the portions of an OS that it needs, but containers get separate memory, CPU, and storage allocations so they do not interact with each other
- Multiple instances of an application, or different applications, share a host OS with virtually no overhead
- It is the evolution of the VM concept to the application space
- This eliminates the differences between development, test, and production environments
- Caveat: containers share the host kernel, so the isolation between them is weaker than between VMs; a kernel compromise affects every container on that host

VM Sprawl Avoidance
- You can lose track of a VM
- VMs basically are files that contain a copy of a working machine's disk and memory structures
- Creating a new VM is a simple process
- As the number of VMs grows over time, sprawl can set in
- It can be avoided through naming conventions and proper storage architectures
- VMware can manage, locate, and use resources when required
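The sprawl controls named above (naming conventions, approved storage locations) only work if something checks them. The following is an added example, not code from the slides or from any vendor tool: an audit over a VM inventory that flags names outside the convention, VMs with no recorded owner, VMs on datastores outside the approved storage architecture, and VMs that have sat powered off long enough to be forgotten. The naming convention, the approved datastore list, the 90-day staleness threshold, and the inventory records are all hypothetical; in practice the records would come from the hypervisor's management API.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Added example (not from the slides): audit a VM inventory for the sprawl
// symptoms a naming convention and storage design are meant to prevent.

// VM is one inventory record; fields mirror what a management API exports.
type VM struct {
	Name        string
	Owner       string    // "" when no owner tag is set
	Datastore   string
	PoweredOn   bool
	LastPowerOn time.Time // zero if the VM was never powered on
	Created     time.Time
}

// Finding is one violated rule for one VM.
type Finding struct {
	VM     string
	Reason string
}

// Hypothetical convention: <env>-<app>-<role>-<nn>, e.g. prd-billing-web-01.
var nameRe = regexp.MustCompile(`^(prd|stg|dev|tst)-[a-z0-9]+-[a-z]+-[0-9]{2}$`)

// Hypothetical approved datastores; anything else is outside the storage design.
var approvedDatastores = map[string]bool{"ds-prod-01": true, "ds-dev-01": true}

// A VM powered off longer than this is flagged as stale (hypothetical threshold).
const staleAfter = 90 * 24 * time.Hour

// Audit returns one finding per violated rule, per VM.
func Audit(vms []VM, now time.Time) []Finding {
	var out []Finding
	for _, vm := range vms {
		if !nameRe.MatchString(vm.Name) {
			out = append(out, Finding{vm.Name, "name violates convention"})
		}
		if vm.Owner == "" {
			out = append(out, Finding{vm.Name, "no owner recorded"})
		}
		if !approvedDatastores[vm.Datastore] {
			out = append(out, Finding{vm.Name, "unapproved datastore " + vm.Datastore})
		}
		if !vm.PoweredOn {
			since := vm.LastPowerOn
			if since.IsZero() {
				since = vm.Created // never booted: age counts from creation
			}
			if off := now.Sub(since); off > staleAfter {
				out = append(out, Finding{vm.Name, fmt.Sprintf("powered off for %d days", int(off.Hours()/24))})
			}
		}
	}
	return out
}

// CountByVM summarises findings per VM, which is what an owner report needs.
func CountByVM(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.VM]++
	}
	return counts
}

// SampleNow is a fixed clock so the example is deterministic.
var SampleNow = time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)

// SampleInventory is constructed data, not an export from any real environment.
func SampleInventory() []VM {
	day := 24 * time.Hour
	return []VM{
		{"prd-billing-web-01", "finance-platform", "ds-prod-01", true, SampleNow.Add(-2 * day), SampleNow.Add(-400 * day)},
		{"stg-crm-api-01", "crm-team", "ds-dev-01", true, SampleNow.Add(-1 * day), SampleNow.Add(-30 * day)},
		{"dev-crm-db-02", "crm-team", "ds-dev-01", false, time.Time{}, SampleNow.Add(-120 * day)},
		{"test-copy-of-web", "", "ds-local-scratch", false, SampleNow.Add(-200 * day), SampleNow.Add(-210 * day)},
	}
}

func main() {
	findings := Audit(SampleInventory(), SampleNow)
	for _, f := range findings {
		fmt.Printf("%-20s %s\n", f.VM, f.Reason)
	}
	fmt.Println("per-VM:", CountByVM(findings))
}
```

On the sample inventory the ad-hoc "test-copy-of-web" VM collects four findings (bad name, no owner, scratch datastore, 200 days off) and "dev-crm-db-02" one (created 120 days ago, never booted); the two production-style VMs are clean. Running this on a schedule and routing findings to the recorded owner is the operational half of sprawl avoidance.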
VM Escape Protection
- One concern is VM escape, where code running in one VM breaks out to the underlying hypervisor or host OS
- VMs share the same RAM, the same processors, and so forth
- Large-scale VM environments have specific modules designed to detect escape and provide VM escape protection to other modules
- A successful escape exposes every guest on that host, so the hypervisor must be patched like any other privileged component

Cloud Storage
- Cloud storage: computer storage provided over a network
- One of its characteristics is transparency to the end user
- This improves usability, performance, scalability, flexibility, security, and reliability
- Security is a particular challenge: how to allow data to be stored outside your enterprise and yet remain in control
- The common answer is encryption
- Encryption only keeps the data under enterprise control if the enterprise, not the provider, holds the keys
- Examples: Apple iCloud, Microsoft OneDrive, and Dropbox

Cloud Deployment Models
- Cloud deployment models: internal and external
- Big scale from Google and Amazon
- The promise of cloud computing is improved utility
- Service models: Platform as a Service, Software as a Service, and Infrastructure as a Service

SaaS
- Software as a Service (SaaS) is the offering of software to end users from within the cloud
- SaaS acts as software on demand and runs from the cloud
- Advantages: updates can be seamless to end users, and integration between components can be enhanced
- Examples: Microsoft Office 365 and Adobe Creative Suite
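The cloud storage slide says the common answer to keeping control of data stored outside the enterprise is encryption. What that means in practice is client-side encryption: the object is encrypted before upload, the provider only ever stores ciphertext, and the key stays with the enterprise. The following is an added example, not code from the slides or from any storage provider's SDK, using AES-256-GCM from Go's standard library. Binding the object name in as associated data means a ciphertext the provider (or an intruder) copied under a different name fails to decrypt, and the GCM tag turns any modification of the stored bytes into a decryption error. The object names and document contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example (not from the slides): client-side encryption before upload.
// The enterprise keeps the key; the provider only ever stores Object.

// Object is the only thing handed to the storage provider.
type Object struct {
	Nonce      []byte
	Ciphertext []byte // includes the 16-byte GCM tag
}

// NewKey returns a fresh 256-bit AES key. In production it lives in a key
// manager or HSM under enterprise control, never alongside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for storage under objectName. The name is bound in
// as associated data so the ciphertext cannot be moved under another name.
func Seal(key []byte, objectName string, plaintext []byte) (Object, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Object{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // 96-bit random nonce, fresh per object
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Object{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(objectName))
	return Object{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts an object fetched back from the provider. Any change to the
// nonce, the ciphertext, or the name yields an error instead of plaintext.
func Open(key []byte, objectName string, obj Object) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, obj.Nonce, obj.Ciphertext, []byte(objectName))
}

func main() {
	key, _ := NewKey()
	doc := []byte("Q2 board pack - confidential") // constructed sample content
	obj, _ := Seal(key, "reports/q2-board.pdf", doc)
	fmt.Printf("stored at provider: %d bytes of ciphertext; key stays on-premises\n", len(obj.Ciphertext))

	back, err := Open(key, "reports/q2-board.pdf", obj)
	fmt.Println("round trip:", string(back), err)

	obj.Ciphertext[0] ^= 0x01 // simulate the provider, or an attacker, flipping a bit
	_, err = Open(key, "reports/q2-board.pdf", obj)
	fmt.Println("tampered object:", err)
}
```

The design choice worth noting is where the key lives. Provider-managed encryption at rest protects against a stolen disk but not against the provider's own access or a compromised provider account; holding the key yourself, as above, is what makes "stored outside the enterprise, yet under control" true. The cost is that losing the key loses the data, so the key manager needs backup and access control of its own.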
PaaS
- Platform as a Service (PaaS): a computing platform in the cloud
- Multiple sets of software can be delivered on it
- PaaS offerings generally focus on security and scalability

IaaS
- Infrastructure as a Service (IaaS) is a virtual solution for computing
- Rather than building data centers, IaaS allows firms to contract for utility computing as needed
- IaaS is specifically on a pay-per-use basis, scalable directly with need
- You can even rent supercomputers

Private
- Private clouds are essentially reserved resources used only by the organization: your own little cloud within the cloud
- This service will be more expensive, but it should also carry less exposure
- Better-defined security, processing, and handling of data

Public
- A public cloud is rendered over a system that is open for public use
- There is little operational difference between public and private cloud architectures
- The security ramifications can be substantial
- Services separate users with security restrictions, but the depth and level of these restrictions will be significantly less in a public cloud
Community
- A community cloud is a system for several organizations with a common interest
- They share a cloud environment for that specific purpose
- Community initiatives
- A cost-sharing mechanism for specific data-sharing initiatives

Hybrid
- A hybrid cloud combines elements from private, public, and community cloud structures
- They can be used together: sensitive information can be stored in the private cloud, and issue-related information in the community cloud

On-Premise vs Hosted vs Cloud
- On-premises: the system resides locally; VMs, storage, or even services are locally hosted and maintained
- Advantage: the organization has total control and high connectivity
- Disadvantage: requires local resources and is not as easy to scale
- Hosted services: the services are hosted somewhere else, with a set cost based on the amount you use
- Advantage: costs, especially when scale is included

VDI/VDE
- Virtual desktop infrastructure (VDI) and virtual desktop environment (VDE): hosting of a desktop environment on a central server
- VDI: all the components needed to set up the environment
- VDE: what the user sees, the actual user environment
- The user's machine and all of its data are persisted in the server environment
- Users can use a wide range of machines, even mobile phones, to access their desktop and perform their work
- Tremendous security advantages, because all data resides on servers inside the enterprise, in the data center
Cloud Access Security Broker
- Cloud access security brokers (CASBs): security policy enforcement points placed between cloud service providers and their customers, to maintain and enforce security policies
- CASBs belong to the broader category of managed security service providers (MSSPs)
- CASB vendors provide a range of security services designed to protect cloud infrastructure and data

Security as a Service
- Security as a Service: outsourcing security functions
- Advantages: scale, costs, and speed
- Security is a complex, wide-ranging cornucopia of technical specialties, all working together to provide appropriate risk reductions
- Technically savvy security pros, experienced management, specialized hardware and software, fairly complex operations: any or all of this can be outsourced
- Specializations in network security, web application security, e-mail security, incident response services, infrastructure updates

There is no 100 percent secure system, and there is nothing that is foolproof! Stay Alert!
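To make the CASB slide concrete: at its core a CASB is a policy decision point that sees each request between a user and a cloud application and decides whether it passes. The following is an added example, not code from the slides or from any CASB product: an ordered rule list evaluated first-match, with deny rules ahead of the allow so a broad allow cannot shadow them, and default deny for anything nothing matches. The app names, data labels, rules, and sample requests are all hypothetical; a real CASB would take the same attributes from the identity provider, the device-management agent, and the application's own data classification.

```go
package main

import "fmt"

// Added example (not from the slides): the decision logic of a CASB, a policy
// enforcement point between users and cloud applications.

// Request carries the attributes a CASB typically has when it decides.
type Request struct {
	User      string
	App       string // cloud app being reached, e.g. "m365", "dropbox"
	Action    string // "view", "download", "upload", "share_external"
	Managed   bool   // request comes from an enterprise-managed device
	DataLabel string // classification: "public", "internal", "confidential"
}

// Decision records the outcome and which rule produced it, for the audit log.
type Decision struct {
	Allow bool
	Rule  string
}

// Rule is one entry of the ordered policy.
type Rule struct {
	Name  string
	Match func(Request) bool
	Allow bool
}

// sanctioned is the hypothetical list of approved cloud apps.
var sanctioned = map[string]bool{"m365": true, "salesforce": true}

// policy is evaluated top to bottom; denies come first so they cannot be
// shadowed by the broader allow at the end.
var policy = []Rule{
	{"deny-unsanctioned-app", func(r Request) bool { return !sanctioned[r.App] }, false},
	{"deny-external-share-confidential", func(r Request) bool {
		return r.Action == "share_external" && r.DataLabel == "confidential"
	}, false},
	{"deny-download-unmanaged", func(r Request) bool {
		return r.Action == "download" && !r.Managed && r.DataLabel != "public"
	}, false},
	{"allow-sanctioned", func(r Request) bool { return sanctioned[r.App] }, true},
}

// Evaluate returns the first matching rule's decision; nothing matching is denied.
func Evaluate(r Request) Decision {
	for _, rule := range policy {
		if rule.Match(r) {
			return Decision{rule.Allow, rule.Name}
		}
	}
	return Decision{false, "default-deny"}
}

// SampleRequests is constructed traffic, not a capture from any environment.
var SampleRequests = []Request{
	{"alice", "m365", "view", true, "confidential"},
	{"alice", "m365", "download", false, "internal"},
	{"bob", "m365", "share_external", true, "confidential"},
	{"bob", "dropbox", "upload", true, "internal"},
	{"carol", "salesforce", "download", false, "public"},
}

func main() {
	for _, r := range SampleRequests {
		d := Evaluate(r)
		fmt.Printf("user=%s app=%s action=%s managed=%v label=%s -> allow=%v rule=%s\n",
			r.User, r.App, r.Action, r.Managed, r.DataLabel, d.Allow, d.Rule)
	}
}
```

On the sample traffic, viewing a confidential document from a managed device is allowed, downloading internal data to an unmanaged device is blocked, sharing a confidential document externally is blocked, any use of the unsanctioned app is blocked regardless of device, and downloading public data to an unmanaged device is allowed. Recording the rule name with every decision is what makes the resulting log useful to the incident-response function that a Security as a Service arrangement might also outsource.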