Chapter 2 Literature Review
2.1 Introduction
The aim of this chapter is to provide an overview of the background to the emergence of
cloud computing, a broad discussion of the concept of cloud computing, and the security
issues associated with it. The chapter will start with an introduction to cloud computing and its
characteristics, which will provide an insight into cloud computing and its technology. This
will be followed by an in-depth study of its associated services, i.e. Software, Platform and
Infrastructure (SPI), and the organizations providing these services at present.
Information about the different service level agreements will also be given. Security will then
be discussed, taking into consideration the risk standards established by organizations such as
Cloud computing, a moderately new term, brings together a decade of research on
virtualization, distributed computing, utility computing and, very recently, sectors such as
networking and software services. Vouk (2008) mentioned cloud computing is a next answer
overhead for the end users, far more flexibility than is present today, low cost of
ownership and on-demand services, to name a few. Naone (2007) further discusses that cloud
computing depends to a large extent on the virtualization of resources. The predecessors
of cloud computing have been around for some time, but the technology came into the limelight
in 2007 when giants such as IBM and Google announced their entrance into the arena.
ENISA (2009) describes cloud computing as highly abstract, scalable and elastic where
sources which are shared and thus the money is charged on usage. CSA (2009) describes
resource and infrastructure are separated. CSA further mentions that these separations come
with virtualization and bring flexibility to the business. Some of the important characteristics
On demand
Resource grouping
Efficient elasticity
Measurable
These characteristics of cloud computing will be discussed in detail in the section stating
A number of enabling technologies contribute to Cloud computing. Ressee (2009) discusses some of
the state-of-the-art techniques which are employed to develop this esteemed technology. Each of these
Virtualization technologies mainly partition hardware and thus provide flexible
and scalable computing platforms. Virtual machine techniques, such as VMware and Hyper-V,
Virtualization techniques are the basis of Cloud computing since they render flexible and
services inside the computing Cloud. Computing Clouds therefore should be able to automatically
orchestrate services from different sources and of different types to form a service flow or a workflow
Computing Cloud services are normally exposed as Web services, which follow industry
standards such as Web Service Definition Language (WSDL), Simple Object Access Protocol
(SOAP) and Universal Description, Discovery and Integration (UDDI). The services
Architecture (SOA). A set of Cloud services furthermore could be used in a SOA application
environment, thus making them available on various distributed platforms and could be
Web 2.0 is an emerging technology describing the innovative trends of using World Wide
Web technology and Web design that aim to enhance creativity, information sharing,
collaboration and functionality of the Web. The essential idea behind Web 2.0 is to improve
the interconnectivity and interactivity of Web applications. The new paradigm for developing and
accessing Web applications enables users to access the Web more easily and efficiently. Cloud
computing services are by nature Web applications which render desirable computing services
on demand. It is thus a natural technical evolution that Cloud computing adopts the Web
2.0 technique.
centers), offers storage capacity for users to lease. The data storage could be migrated,
merged, and managed transparently to end users for whatever data formats. Examples are
A distributed data system which provides data sources accessed in a semantic way. Users
could locate data sources in a large distributed environment by the logical name instead of
Users drive into the computing Cloud with data and applications. Some Cloud programming
models should be proposed for users to adapt to the Cloud infrastructure. For simplicity
and easy access to Cloud services, the Cloud programming model, however, should not be too
complex or too innovative for end users. MapReduce is a programming model and an
associated implementation for processing and generating large data sets across the Google
operation to some data records a set of key/value pairs, and then processes a “reduce”
operation to all the values that shared the same key. The Map-Reduce-Merge method evolves
the MapReduce paradigm by adding a “merge” operation. Hadoop is a framework for running
paradigm and provides a distributed file system, the Hadoop Distributed File System.
MapReduce and Hadoop are adopted by recently created international Cloud computing
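
An added example (not from the original chapter, and not Google's or Hadoop's code) of the map, reduce and merge steps described above, run in-process over constructed login records. The record format and all function names are assumptions made for illustration; the merge step here joins the outputs of two map-reduce passes by key.

```python
from collections import defaultdict

# Constructed sample records: "<timestamp> <FAIL|OK> <user> <source-ip>"
AUTH_LOG = [
    "2009-11-02T10:00:01 FAIL alice 10.0.0.5",
    "2009-11-02T10:00:03 FAIL alice 10.0.0.5",
    "2009-11-02T10:00:07 FAIL alice 10.0.0.9",
    "2009-11-02T10:01:00 OK alice 10.0.0.5",
    "2009-11-02T10:02:10 FAIL bob 10.0.0.7",
    "2009-11-02T10:02:15 OK bob 10.0.0.7",
    "2009-11-02T10:05:00 OK bob 10.0.0.7",
    "2009-11-02T10:06:30 OK carol 10.0.0.8",
    "truncated line",  # malformed on purpose: the mapper must skip it
]


def map_status(wanted):
    """Build a mapper that emits (user, 1) for records with the wanted status."""
    def mapper(record):
        parts = record.split()
        if len(parts) != 4:
            return  # skip malformed records instead of aborting the job
        _ts, status, user, _ip = parts
        if status == wanted:
            yield user, 1
    return mapper


def map_reduce(records, mapper, reducer):
    """Run map, group the emitted values by key (shuffle), then reduce."""
    groups = defaultdict(list)
    for record in records:
        for key, value in mapper(record):
            groups[key].append(value)
    return {key: reducer(values) for key, values in groups.items()}


def merge(left, right, merger, default=0):
    """Merge step: join two reduced outputs over the union of their keys."""
    keys = sorted(set(left) | set(right))
    return {k: merger(left.get(k, default), right.get(k, default)) for k in keys}


def login_summary(records):
    """Two map-reduce passes (failures, successes) merged per user."""
    failed = map_reduce(records, map_status("FAIL"), sum)
    succeeded = map_reduce(records, map_status("OK"), sum)
    return merge(failed, succeeded, lambda f, s: {"failed": f, "ok": s})


def mostly_failing(summary):
    """Users whose failed logins outnumber their successful ones."""
    return [user for user, c in summary.items() if c["failed"] > c["ok"]]


if __name__ == "__main__":
    summary = login_summary(AUTH_LOG)
    for user, counts in summary.items():
        print(user, counts)
    print("review:", mostly_failing(summary))
```

In a distributed framework the grouping inside `map_reduce` is the shuffle between worker nodes; here it is a single dictionary so the data flow stays visible.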
With cloud computing, IT professionals can devote more energy to enhancing the value of
using IT for their enterprises and less on the day-to-day challenges of IT. Undoubtedly cloud
computing has brought a revolution in the IT world. The old orthodox method of providing
services has been overtaken with the advent of Cloud Computing. IBM (2009) listed some of
location. More rapid service delivery results from the ability to orchestrate the tasks to
create, configure, provision and add computing power in support of IT and business
services much more quickly than would be possible with today’s computing
faster time to market and horizontal market expansion. Cloud computing can enhance
expanded or contracted without requiring overhauls to the core data centre. The
benefits include lower cost of ownership, which drives higher profitability, enabling
you to more easily reinvest in your infrastructure and answer the question, “How do I
quickly and cost effectively the potential of new, IT-enabled business enhancements
Not only does cloud computing deliver a greater return on IT equipment spending, but
it also promotes more efficient and effective use of technical staff. IT labor costs
Cloud computing also yields significant cost savings in the real estate required for the
data centre as well as power and cooling costs. Thanks to virtualization and the
computing resources i.e. networks, servers, services etc. that can be quickly changed and
The cloud computing model provides an overview of all the characteristics. The model was
developed by NIST; it discusses all the aspects of cloud computing and consists of five
The figure above shows cloud computing and its different sections. The first section
discusses the characteristics as mentioned earlier in section 2.1. The second section mentions
service models such as Software as a Service (SaaS), Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS). The third and last section explains the models which are
deployed in cloud computing, i.e. Public, Private, Hybrid and Community.
Computing network. Mell & Grance (2009) mention that facilities are available over the network
and can be accessed through standard methods that encourage use by diverse thin or thick
platforms such as mobile phones, laptops and PDAs. These features are omnipresent in the
network, and thus the clients requiring these facilities have to pay for the service.
Rapid Elasticity: NIST (2009) mentions that the facilities in cloud computing can be provisioned
rapidly and elastically. In most cases this is done automatically to “quickly scale out
and rapidly released to quickly scale in”. To customers, however, the facilities available often
appear unlimited, and they can purchase any amount they want at any time.
Measured Services: The cloud system automatically controls and enhances resource
utilization by the end user through the use of metering capabilities at different levels and
for the different types of services offered. The services mainly include storage, bandwidth, processing
This implies that the services provided by the cloud system can be monitored, controlled and
accounted for, thus providing transparency for both the service provider and the customer for
On-Demand Self-Service: As mentioned earlier, cloud computing is a pool of services,
and thus customers can pay for the services they want. Mell, P. & Grance, T. (2009)
computing capabilities such as network storage capacity and server time. With this provision,
changes can be made without requiring any human interaction with the service provider.
Resource Pooling: Cloud computing is a pool of services designed to serve
numerous customers using a multi-tenant model, with different physical
and virtual resources dynamically assigned and reassigned according to the requirements of
the customer. NIST (2009) states that one of the most important features of cloud computing is
location independence: the customer normally has no knowledge of
the precise location of the resources provided, but may be able to specify
the location at a higher level of abstraction such as country, state or data centre. The resources
mainly include storage, processing, memory, network bandwidth and virtual machines.
Infrastructure as a service. Software as a Service (SaaS) model has most of the responsibility
for security management. SaaS provides a number of ways to control access to the Web
portal, such as the management of user identities, application level configuration, and the
ability to restrict access to specific IP address ranges or geographies. Cloud models like
Platform as a Service allow clients to assume more responsibilities for managing the
configuration and security for the middleware, database software, and application runtime
environments. The Infrastructure as a Service (IaaS) model transfers even more control, and
responsibility for security, from the cloud provider to the client. In this model, access is
available to the operating system that supports virtual images, networking, and storage.
Each of these services will be discussed in detail below stating the pros and cons of using the
demand, usually via the Internet configurable remotely. Examples include online word
processing and spreadsheets tools, CRM Services and web content delivery services
(Salesforce CRM, Google Docs, etc”). Rittinghouse & Ransome (2010) further describe that the
traditional method of distributing software was to install it on each computer, which
was known as Software as a Product. SaaS, however, is a software distribution model in which
the applications are provided by the service provider over the network. This technology is
becoming a very prominent method of delivery for the technologies that support web services
and service-oriented models. SaaS also comes with a pay-as-you-go subscription method in
which the customers pay for the services they use. It is mostly implemented to offer
business software functionality to enterprise customers at a low cost, which allows them to
gain the same benefits of commercially licensed, fully operated software with the
Carraro & Chong (2010) further mention that SaaS architectures have been differentiated into four
levels of maturity based on three attributes, i.e. configurability, multi-tenant efficiency and
scalability. Each of these levels is distinguished from the previous one by the addition of one of these
attributes.
SaaS Maturity Level 1 - Ad Hoc / Custom: The first level of maturity is not really a maturity
level. Migrating a non-networked application to this level requires minimal development effort,
and the level accordingly offers the least as well. Here each customer has a unique
and customized edition of the application. These applications create an instance on the host’s
SaaS Maturity Level 2 - Configurability: This second level of maturity provides extended
flexibility to the customers. At this level, customers can use a separate instance of the same
application, which enables the vendor to meet the different needs of customers by using this
option. This also permits the vendor to ease the load of maintenance by being able to update a
SaaS Maturity Level 3 - Multitenant Efficiency: As mentioned earlier, in this model each level
adds an attribute to the previous level. Thus this level adds the multi-tenancy feature to the
second level. This level enables vendors to use server resources efficiently without
affecting the quality of service to users. This multi-tenancy feature results in the capability to
serve all the customers of the vendor. However, this level is limited in its ability to provide the
balanced group of applications running on several servers, often in hundreds and thousands.
The capacity of the system can be varied depending upon the demand of the customers
Division of Responsibility mainly focuses on the working relationship between the customers
and the service provider. According to ENISA (2009) “with respect to security incidents,
there needs to be a clear definition and understanding between the customer and the
provider of security-relevant roles and responsibilities”. Thus this helps to understand the
Some of these roles of customer and service provider are stated below:
keeping in view the data collected and as rack, power, cabling, cooling etc.
processes by customers.
Maintaining identity management system Providing security and availability of
Security monitoring
Log collection
2.5.2.1.2 Benefits of SaaS model
Deployment of software in an organization can take years, consume enormous resources,
need a huge amount of investment and sometimes yield unsatisfactory results. The early
decision to give up control is always difficult, but it can lead to better efficiency, lower
risk and a large return on the investment made. Traudt & Konary (2005) mention that a large
number of organizations are moving towards the SaaS model for corporate applications as it
enables them to recognise that all the locations of the business are using the right software
and updated versions. Another advantage of using SaaS is that by using service
providers for the maintenance and management of corporate applications, the organization
reduces its administration and management burden. Apart from these, some of the benefits
to customers are:
Modernized administration
Worldwide accessibility
Cloud computing has developed to comprise platforms for building and running custom
applications. This concept in cloud computing is known as Platform as a Service (PaaS). PaaS
is a result of SaaS applications. PaaS is an important prerequisite for providing a complete
cycle of facilities to support building and delivering web applications and services, mainly
on the Internet. According to Rittinghouse & Ransome (2010) the services offered by
PaaS enable users to focus on innovation rather than on creating complex infrastructure.
Organizations can thus redirect a good amount of their budget to developing
applications that provide value to their business using PaaS, rather than
worrying about infrastructure issues. Grossman (2009) discusses that PaaS offers a faster,
more cost-effective model for developing applications and delivering them to clients. It offers all
eBay, Google, iTunes etc. have been working on the same platform to deliver and develop
services, and it is only because of the cloud that such new capabilities are available in the market via
web browsers. This model is based on a metering system, so users pay for whatever
they use. PaaS mainly offers workflow facilities for application design, application
development, testing, deployment and hosting. It also includes application services such as virtual
offices, team collaboration, database integration, security, scalability, storage, persistence, state
Thus this model is bringing a period of innovation. Developers around the world can now
build powerful applications and easily make them available to users globally with the
advent of PaaS.
In this division of responsibility, the focus will be on the customer and service provider
respect to security incidents, there needs to be a clear definition and understanding between
the customer and the provider of security-relevant roles and responsibilities.” Thus again,
similar to SaaS, there should be clear understanding of the roles between customer and the
service provider.
Security monitoring
Log collection
PaaS has undoubtedly brought a revolution in the application development field. The
conventional approach to building and running applications has been complex, expensive
and risky. Building one's own application for the business never guaranteed success. In order to
Fast result: The earlier issue of setting up the infrastructure for the development of
applications and software no longer exists. With PaaS, the organization can
instantly start developing the programs it wants and get the result.
Lower Cost: Since the entire infrastructure is no longer needed, as it was earlier, the cost of
developing applications has gone down significantly. Moreover they have to pay only for
Easy deployment: The software developed with the help of PaaS can easily be made available
for use through the web. Earlier the designers used to worry about the infrastructure development
Low Risk: Since there is minimal investment in the development of the application, there is very
low risk with the advent of this new method of application development.
Less Maintenance: With all upgrades and maintenance being done by the service
providers, the customers have very little to do in this area. Moreover customers also do not
storage system, platform virtualization infrastructure etc. as a service. IaaS mainly provides
important technology and data centre services to deliver IT services to the customer.
According to ENISA (2009) “IaaS provides virtual machines and other abstract hardware
and operating systems which may be controlled through a service API. Examples include
Amazon EC2 & S3, Terremark Enterprise Cloud, Windows Live SkyDrive and Rackspace
cloud”. Unlike other outsourcing methods, which require a lot of negotiation between
customer and provider, lengthy contracts and considerable thoroughness, IaaS mainly deals with a
model which delivers services that are predefined, standard and specifically designed for
the customers’ requirements. Simple statements of work make it easier for the service
According to Ristol, Wozniak & Slabeva (2009) IaaS service providers manage the shifting
and hosting of the applications on their infrastructure. The customers’ duty is to have the
ownership of these applications while they are free from hosting and infrastructure
categorised under three sections which includes: Equipment, Facilities and Management
systems.
Equipment mainly consists of the computer hardware, which is normally set up as a grid, and the
computer networking devices, mainly routers, firewalls, load balancers etc. Equipment also
consists of:
Enterprise servers: A device which provides an important service across the network. It is mainly
Storage: This is mainly a computer component which records and saves the data for an
organization.
Network: A group of computers and other devices that help in communicating through
Data centre: This mainly comprises computer systems and components such as
telecommunications and the storage devices mentioned earlier. It mainly includes backup
It consists of the device used for monitoring and managing the applications onsite and offsite.
Thus, rather than buying servers, software and network equipment, customers rent
everything from the IaaS service providers and pay for the usage. Usually the
bills are paid monthly like any other utility bill, and the customers
Division of responsibility again concerns the relationship between the customers and
the service providers. Division of responsibility in IaaS thus defines the role of customers, i.e.
how to deal with the infrastructure provided by the supplier, while the role of the service
provider is to manage and maintain the applications and devices present along with meeting
The advent of the IaaS model brought scalability to the IT network. Moreover, the earlier
problems faced by the client, such as installation, maintenance and management of the devices,
disappeared with the arrival of IaaS. Some of the benefits of IaaS listed by Bon (2002) are as
follows:
It provides the latest equipment available, so customers do not have to worry about the
It usually carries minimal risk, as the off-site resources are maintained and managed by
a third party.
It manages and fulfils the demand by the services and the customers.
It offers the services at lower cost, in less time, and with additional features and
capabilities.
2.6 Cloud Deployment Models
There are primarily four cloud computing models. These models are used to provide the hosting
environment and the delivery model that provides the information regarding the cloud-based
service. The four types of models are Public, Managed or Community, Private and Hybrid.
CSA (2009) further explains that the cloud models are independent of the type of services i.e.
The figure above gives a broad description of all the models. The figure provides the
infrastructure and the accessibility and consumption of the model. Management of the models
denotes the physical infrastructure, i.e. servers, computers, network devices etc.
consumers are those who are part of an organization i.e. the employees, partners and
contractors whereas the untrusted partners are those who may be authorized to consume some
or all the services but are not the part of the organization.
Public Model: According to CSA (2009) “this cloud infrastructure is made available to the
general public or a large industry group and is owned by an organization selling cloud
services”. This model is generally owned by a service provider or a third party and is
generally not owned by the consuming organization. As shown in the figure above, this model is
managed, and its infrastructure owned, by the third party. It is also shown as located off
premises and is generally accessed and consumed by untrusted consumers. Thus this model is
used at a very large scale, when there are a number of customers or for the general public.
Although it delivers the best economies of scale, its shared infrastructure brings some
disadvantages as well. Security, configuration and SLA specificity make it less ideal for the
service.
Managed or Community Model: CSA (2009) defined this model as “this cloud infrastructure
is shared by several organizations and supports a specific community that has shared
may be managed by the third party and may exist on premise”. Managed models are very
much restricted to a group or a community. The infrastructure is located on premise and
the service is provided from there. However in this model, the service is accessible to both
Private Model: According to NIST (2009) “this cloud infrastructure is operated solely for an
organization. It may be managed by the organization or a third party and may exist on
premise or off premise”. Thus this type of model is designed for one organization and for
specific applications only. This type of model can be managed either by the organization or by a
third-party supplier. As shown in the figure above, if an organization is managing it then the
infrastructure will also be owned by the organization itself, and the same is the case with a third party.
However the location of the infrastructure does not depend upon the owner of the infrastructure,
so it could be either on premise or off premise in both cases. One of the most important
features of the private model is that unlike other models, services are accessed and consumed
Hybrid Model: According to Grance & Mell (2009), “hybrid model infrastructure is a
composition of two or more clouds (private, community, or public) that remain unique
entities but are bound together by standardized or proprietary technology that enables data
and application portability (e.g., cloud bursting for load-balancing between clouds)”. As
given in the definition, it is a combination of two models which is designed to give more
shown in the figure, it could be both managed and infrastructure owned by either an
organization or the third party. Since it is a combination, the infrastructure could be
either on premise or off premise or both. Regarding the access and consumption, it could be