Davija-Cs8791 Cloud Computing


Subject Code: CS8791

Subject Name: Cloud Computing

Department: CSE

Regulation: 2017

CS8791 - CLOUD COMPUTING

SYLLABUS

UNIT I INTRODUCTION

Introduction to Cloud Computing – Definition of Cloud – Evolution of Cloud Computing – Underlying Principles of Parallel and Distributed Computing – Cloud Characteristics – Elasticity in Cloud – On-demand Provisioning.

UNIT II CLOUD ENABLING TECHNOLOGIES

Service Oriented Architecture – RESTful Systems – Web Services – Publish-Subscribe Model – Basics of Virtualization – Types of Virtualization – Implementation Levels of Virtualization – Virtualization Structures – Tools and Mechanisms – Virtualization of CPU – Memory – I/O Devices – Virtualization Support and Disaster Recovery.

UNIT III CLOUD ARCHITECTURE, SERVICES AND STORAGE

Layered Cloud Architecture Design – NIST Cloud Computing Reference Architecture – Public, Private and Hybrid Clouds – IaaS – PaaS – SaaS – Architectural Design Challenges – Cloud Storage – Storage-as-a-Service – Advantages of Cloud Storage – Cloud Storage Providers – S3.

UNIT IV RESOURCE MANAGEMENT AND SECURITY IN CLOUD

Inter Cloud Resource Management – Resource Provisioning and Resource Provisioning Methods – Global Exchange of Cloud Resources – Security Overview – Cloud Security Challenges – Software-as-a-Service Security – Security Governance – Virtual Machine Security – IAM – Security Standards.

UNIT V CLOUD TECHNOLOGIES AND ADVANCEMENTS

Hadoop – MapReduce – Virtual Box – Google App Engine – Programming Environment for Google App Engine – Open Stack – Federation in the Cloud – Four Levels of Federation – Federated Services and Applications – Future of Federation.
REFERENCES

1. Kai Hwang, Geoffrey C. Fox, Jack G. Dongarra, "Distributed and Cloud Computing, From Parallel Processing to the Internet of Things", Morgan Kaufmann Publishers, 2012.
2. Rittinghouse, John W., and James F. Ransome, "Cloud Computing: Implementation, Management and Security", CRC Press, 2017.
3. Rajkumar Buyya, Christian Vecchiola, S. Thamarai Selvi, "Mastering Cloud Computing", Tata McGraw Hill, 2013.
4. Toby Velte, Anthony Velte, Robert Elsenpeter, "Cloud Computing - A Practical Approach", Tata McGraw Hill, 2009.
5. George Reese, "Cloud Application Architectures: Building Applications and Infrastructure in the Cloud: Transactional Systems for EC2 and Beyond (Theory in Practice)", O'Reilly, 2009.
6. Fang Liu, Jin Tong, Jian Mao, Robert Bohn, John Messina, Lee Badger and Dawn Leaf, "Recommendations of the National Institute of Standards and Technology", NIST Special Publication 500-292, U.S. Department of Commerce.
7. Oracle VirtualBox official documentation.
8. https://en.wikipedia.org/wiki/VirtualBox
9. https://docs.openstack.org/train/install/
10. https://en.wikipedia.org/wiki/OpenStack
11. https://cacoo.com/examples/network-diagram-software
12. https://www.supraits.com/infrastructure/managed-cloud/hybrid-cloud-3/cloud-computing/
13. https://www.researchgate.net/figure/Components-make-up-of-Cloud-Computing-Solution_fig1_289259494
14. https://www.telegraph.co.uk/technology/connecting-britain/colossus-bletchley-computer-broke-hitler-codes/
15. https://medium.com/penn-engineering/on-eniacs-anniversary-a-nod-to-its-female-computers-267c97a0a17
16. https://arstechnica.com/information-technology/2011/11/the-40th-birthday-of-maybe-the-first-microprocessor/
17. https://newatlas.com/anniversary-of-vannavar-bushs-famous-essay-describing-the-memex-machine/4303/
18. https://wiki.xenproject.org/wiki/Book/HelloXenProject/1-Chapter
19. https://www.safe.com/industry/natural-resources-solutions/
20. https://www.researchgate.net/figure/The-cases-of-over-provisioning-under-provisioning-and-delay-caused-by-under-provisioning_fig5_283948945
21. https://www.researchgate.net/figure/An-Enterprise-Inter-cloud-Architecture-Adapted-from-Dayananda-and-Kumar-2012_fig2_314057960
22. https://www.researchgate.net/figure/The-Hadoop-Master-Slave-Architecture-232-MapReduce-MapReduce-is-a-Hadoop-computational_fig1_274069405
23. https://mindmajix.com/hadoop-mapreduce
24. https://docs.openstack.org/train/install/
25. https://www.researchgate.net/figure/Results-of-IDC-ranking-security-challenges-3Q2009-n263_fig4_224162841
UNIT I INTRODUCTION

Introduction to Cloud Computing – Definition of Cloud – Evolution of Cloud Computing – Underlying Principles of Parallel and Distributed Computing – Cloud Characteristics – Elasticity in Cloud – On-demand Provisioning.

Introduction to Cloud Computing

● Over the last three decades, businesses that use computing resources have learned to face a vast array of buzzwords like grid computing, utility computing, autonomic computing, on-demand computing and so on.

● A new buzzword named cloud computing is presently the state of the art, and it is generating all sorts of confusion about what it actually means.

● In history, the term cloud has been used as a metaphor for the Internet.

Figure 1.1 Illustration of a network diagram

● This usage of the term was originally derived from its common illustration in network diagrams as an outline of a cloud, the symbolic representation used to represent the transport of data across the network to an endpoint location on the other side of the network.

● Figure 1.1 illustrates a network diagram which includes the symbolic representation of the cloud.

● The cloud computing concepts were initiated in 1961, when Professor John McCarthy suggested that computer time-sharing technology might lead to a future where computing power and specific applications might be sold through a utility-type business model.

● This idea became very popular in the late 1960s, but in the mid 1970s the idea vanished away when it became clear that the IT industries of the day were unable to sustain such an innovative computing model. However, since the turn of the millennium, the concept has been restored.

● Utility computing is the provision of computational resources and storage resources as a metered service, similar to those provided by a traditional public utility company. This is not a new idea. This form of computing is growing in popularity, however, as companies have begun to extend the model to a cloud computing paradigm providing virtual servers that IT departments and users can access on demand.

● In the early days, enterprises used the utility computing model primarily for non-mission-critical requirements, but that is quickly changing as trust and reliability issues are resolved.

● Research analysts and technology vendors are inclined to define cloud computing very narrowly, as a new type of utility computing that basically uses virtual servers that have been made available to third parties via the Internet.

● Others aim to describe the term cloud computing using a very broad, all-inclusive application of the virtual computing platform. They contend that anything beyond the network firewall limit is in the cloud.

● A more softened view of cloud computing considers it the delivery of computational resources from a location other than the one from which the end users are computing.

● The cloud sees no borders and thus has made the world a much smaller place. Similarly, the Internet is also global in scope but respects only established communication paths.

● People from everywhere now have access to other people from anywhere else.

● Globalization of computing assets may be the major contribution the cloud has made to date. For this reason, the cloud is the subject of many complex geopolitical issues.

● Cloud computing is viewed as a resource available as a service for virtual data centers. Cloud computing and virtual data centers are different things.

● For example, Amazon's S3 is the Simple Storage Service. This is a data storage service designed for use across the Internet. It is designed to make web-scale computing easier for developers.

● Another example is Google Apps. This provides online access via a web browser to the most common office and business applications used today. The Google server stores all the software and user data.

● Managed service providers (MSPs) offer one of the oldest forms of cloud computing.

● A managed service is an application that is accessible to an organization's IT infrastructure rather than to end users. Examples include virus scanning for email, antispam services such as Postini, desktop management services offered by CenterBeam or Everdream, and application performance monitoring.

● Grid computing is often confused with cloud computing. Grid computing is a form of distributed computing model that implements a virtual supercomputer made up of a cluster of networked or Internetworked computers involved in performing very large tasks.

● Most of the cloud computing deployments in the market today are powered by grid computing implementations and are billed like utilities, but the cloud computing paradigm has evolved a step beyond the grid utility model.

● The majority of cloud computing infrastructure consists of time-tested and highly reliable services built on servers with varying levels of virtualized technologies, which are delivered via large scale data centers operating under various service level agreements that require 99.9999% uptime.

Definition of Cloud

● Cloud computing is a model for delivering IT services in which resources are retrieved from the Internet through web based tools and applications rather than a direct connection to the server.

Figure 1.2 Cloud Computing Paradigm

● In other words, cloud computing is a distributed computing model over a network and means the ability to run a program on many connected components at the same time.

● In the cloud computing environment, real server machines are replaced by virtual machines. Such virtual machines do not physically exist and can therefore be moved around and scaled up or down on the fly without affecting the cloud user, like a natural cloud.

● Cloud refers to software, platform, and infrastructure that are sold as a service. The services are accessed remotely through the Internet.

● The cloud users can simply log on to the network without installing anything. They do not pay for hardware and maintenance. But the service providers pay for physical equipment and maintenance.

● The concept of cloud computing becomes much more understandable when one begins to think about what modern IT environments always require: scalable capacity or additional capabilities added to their infrastructure dynamically, without investing money in the purchase of new infrastructure, all the while without needing to conduct training for new personnel and without the need for licensing new software.

● The cloud model is composed of three components.

Figure 1.3 Cloud Components

○ Clients are simple computers, which might be a laptop, tablet or mobile phone.
○ Categories of clients are mobile clients, thin clients and thick clients.
○ Mobile clients include smartphones and PDAs.
○ Thin clients include servers without internal hardware. Usage of this type of client leads to low hardware cost, low IT cost, less power consumption and less noise.
○ Thick clients include regular computers.
○ Data Center is a collection of servers and it contains the applications requested by clients.
○ Distributed Servers are servers distributed in different geographical locations.

Evolution of Cloud Computing

● It is important to understand the evolution of computing in order to get an appreciation of how IT based environments got into the cloud environment. Looking at the evolution of the computing hardware itself, from the first generation to the fourth generation of computers, shows how the IT industry got from there to here.

● The hardware is a part of the evolutionary process. As hardware evolved, so did the software. As networking evolved, so did the rules for how computers communicate. The development of such rules, or protocols, helped to drive the evolution of Internet software.

● Establishing a common protocol for the Internet led directly to rapid growth in the number of users online.

● Today, enterprises discuss the use of IPv6 (Internet Protocol version 6) to ease addressing concerns and to improve the methods used to communicate over the Internet.

● Usage of web browsers led to a steady migration away from the traditional data center model to a cloud computing based model. Also, the impact of technologies such as server virtualization, parallel processing, vector processing, symmetric multiprocessing, and massively parallel processing fueled radical change in the IT era.

Hardware Evolution

● The first step along the evolutionary path of computers occurred in 1930, when the first binary arithmetic was developed and became the foundation of computer processing technology, terminology, and programming languages.

● Calculating devices date back to at least as early as 1642, when a device that could mechanically add numbers was invented.

● Adding devices evolved from the abacus. This evolution was one of the most significant milestones in the history of computers.

● In 1939, the Berry brothers invented an electronic computer capable of operating on digital aspects. The computations were performed using vacuum tube technology.

● In 1941, the introduction of the Z3 at the German Laboratory for Aviation in Berlin was one of the most significant events in the evolution of computers because the Z3 machine supported both binary arithmetic and floating point computation. Because it was a "Turing complete" device, it is considered to be the very first computer that was fully operational.

First Generation Computers

● The first generation of modern computers is traced to 1943, when the Mark I and Colossus computers were developed for fairly different purposes.

● With financial support from IBM, the Mark I was designed and developed at Harvard University. It was a general purpose electro-mechanical, programmable computer.

● Colossus is an electronic computer built in Britain at the end of 1943. Colossus was the world's first programmable, digital, electronic computing device.

Figure 1.4 Colossus

● In general, first generation computers were built using hard-wired circuits and vacuum tubes.

● Data were stored using paper punch cards.

Second Generation Computers

● Another general-purpose computer of this era was ENIAC (Electronic Numerical Integrator and Computer), which was built in 1946. This was the first Turing complete, digital computer capable of being reprogrammed to solve a full range of computing problems.

● ENIAC was composed of 18,000 thermionic valves, weighed over 60,000 pounds, and consumed 25 kilowatts of electrical power per hour. ENIAC was capable of performing one lakh calculations a second.

Figure 1.5 ENIAC

● Transistorized computers marked the initiation of second generation computers, which dominated in the late 1950s and early 1960s. The computers were used mainly by universities and government agencies.

● The integrated circuit or microchip was developed by Jack St. Claire Kilby, an achievement for which he received the Nobel Prize in Physics in 2000.

Third Generation Computers

● Kilby's invention initiated an explosion in third generation computers. Even though the first integrated circuit was produced in 1958, microchips were not used in programmable computers until 1963.

● In 1971, Intel released the world's first commercial microprocessor, called the Intel 4004.

Figure 1.6 Intel 4004

● The Intel 4004 was the first complete CPU on one chip and became the first commercially available microprocessor. It was made possible by the development of new silicon gate technology that enabled engineers to integrate a much greater number of transistors on a chip that would perform at a much faster speed.

Fourth Generation Computers

● The fourth generation computers that were being developed at this time utilized a microprocessor that put the computer's processing capabilities on a single integrated circuit chip.

● By combining this with random access memory, developed by Intel, fourth generation computers were faster than ever before and had much smaller footprints.

● The first commercially available personal computer was the MITS Altair 8800, released at the end of 1974. What followed was a flurry of other personal computers to market, such as the Apple I and II, the Commodore PET, the VIC-20, the Commodore 64, and eventually the original IBM PC in 1981. The PC era had begun in earnest by the mid-1980s.

● Even though microprocessing power, memory and data storage capacities have increased by many orders of magnitude since the invention of the 4004 processor, the technology for Large Scale Integration (LSI) or Very Large Scale Integration (VLSI) microchips has not changed all that much.

● For this reason, most of today's computers still fall into the category of fourth generation computers.

Internet Software Evolution

● The Internet is named after the evolution of the Internet Protocol, which is the standard communications protocol used by every computer on the Internet.

● Vannevar Bush wrote a visionary description of the potential uses for information technology with his description of an automated library system called MEMEX.

● Bush introduced the concept of the MEMEX in the late 1930s as a microfilm based device in which an individual can store all his books and records.

Figure 1.7 MEMEX Systems

● The second individual who shaped the Internet was Norbert Wiener.

● Wiener was an early pioneer in the study of stochastic and noise processes. Norbert Wiener's work in stochastic and noise processes was relevant to electronic engineering, communication, and control systems.

● SAGE refers to the Semi Automatic Ground Environment. SAGE was the most ambitious computer project; it started in the mid 1950s and became operational by 1963. It remained in continuous operation for over 20 years, until 1983.

● A minicomputer was invented specifically to realize the design of the Interface Message Processor (IMP). This approach provided a system independent interface to the ARPANET.

● The IMP would handle the interface to the ARPANET network. The physical layer, the data link layer, and the network layer protocols used internally on the ARPANET were implemented using the IMP.

● Using this approach, each site would only have to write one interface to the commonly deployed IMP.

● The first networking protocol that was used on the ARPANET was the Network Control Program (NCP). The NCP provided the middle layers of a protocol stack running on an ARPANET connected host computer.

● While the lower-level protocol layers were provided by the IMP host interface, the NCP essentially provided a transport layer consisting of the ARPANET Host-to-Host Protocol (AHHP) and the Initial Connection Protocol (ICP).

● The AHHP defines how to transmit a unidirectional and flow controlled stream of data between two hosts.

● The ICP specifies how to establish a bidirectional pair of data streams between a pair of connected host processes.

● Robert Kahn and Vinton Cerf built on what was learned with NCP to develop the TCP/IP networking protocol commonly used nowadays. TCP/IP quickly became the most widely used network protocol in the world.

● Over time, there evolved four increasingly better versions of TCP/IP (TCP v1, TCP v2, a split into TCP v3 and IP v3, and TCP v4 and IPv4). Now, IPv4 is the standard protocol, but it is in the process of being replaced by IPv6.

● The amazing growth of the Internet throughout the 1990s caused a huge reduction in the number of free IP addresses available under IPv4. IPv4 was never designed to scale to global levels. To increase the available address space, it had to process data packets that were larger.

● After examining a number of proposals, the Internet Engineering Task Force (IETF) settled on IPv6, which was released in early 1995 as RFC 1752. IPv6 is sometimes called the Next Generation Internet Protocol (IPNG) or TCP/IP v6.
Server Virtualization

● Virtualization is a method of running multiple independent virtual operating systems on a single physical computer. This approach maximizes the return on investment for the computer.

● The creation and management of virtual machines has often been called platform virtualization.

● Platform virtualization is performed on a given computer (hardware platform) by software called a control program.

● Parallel processing is performed by the simultaneous execution of multiple program instructions that have been allocated across multiple processors, with the objective of running a program in less time.

● The next advancement in parallel processing was multiprogramming.

● In a multiprogramming system, multiple programs submitted by users are allowed to use the processor for a short time, each taking turns and having exclusive time with the processor in order to execute instructions.

● This approach is called round robin scheduling (RR scheduling). It is one of the oldest, simplest, fairest, and most widely used scheduling algorithms, designed especially for time-sharing systems.
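A small simulation of the round robin scheduling just described, added here as an example (it is not code from the original notes or the referenced textbooks). The job names, arrival times, burst lengths and the time quantum are constructed sample values; each job gets the processor for at most one quantum before going to the back of the queue.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Proc:
    name: str
    arrival: int            # time at which the job was submitted
    burst: int              # total CPU time the job needs
    remaining: int = field(init=False)
    finish: int = field(default=-1, init=False)

    def __post_init__(self):
        self.remaining = self.burst


def round_robin(jobs, quantum):
    """Simulate RR scheduling of (name, arrival, burst) jobs with a fixed time quantum.

    Returns (timeline, stats): timeline is the list of (name, start, end) CPU
    slices in execution order; stats maps each name to its turnaround and
    waiting time. A job preempted at the end of its quantum goes to the back
    of the ready queue, behind any job that arrived while it was running.
    """
    if quantum <= 0:
        raise ValueError("quantum must be positive")
    procs = sorted((Proc(n, a, b) for n, a, b in jobs), key=lambda p: (p.arrival, p.name))
    pending = deque(procs)      # not yet arrived, in arrival order
    ready = deque()             # arrived and waiting for the CPU
    timeline = []
    clock = 0

    def admit(now):
        # Move every job that has arrived by `now` into the ready queue.
        while pending and pending[0].arrival <= now:
            ready.append(pending.popleft())

    admit(clock)
    while ready or pending:
        if not ready:                       # CPU idle: jump to the next arrival
            clock = pending[0].arrival
            admit(clock)
            continue
        p = ready.popleft()
        run = min(quantum, p.remaining)     # exclusive use of the CPU for one slice
        timeline.append((p.name, clock, clock + run))
        clock += run
        p.remaining -= run
        admit(clock)                        # newcomers queue ahead of the preempted job
        if p.remaining > 0:
            ready.append(p)
        else:
            p.finish = clock
    stats = {p.name: {"turnaround": p.finish - p.arrival,
                      "waiting": p.finish - p.arrival - p.burst} for p in procs}
    return timeline, stats


# Constructed sample workload: three user programs sharing one processor.
SAMPLE_JOBS = [("A", 0, 5), ("B", 1, 3), ("C", 2, 4)]

if __name__ == "__main__":
    timeline, stats = round_robin(SAMPLE_JOBS, quantum=2)
    for name, start, end in timeline:
        print(f"t={start:2d}-{end:2d}  {name}")
    for name, s in stats.items():
        print(name, s)
```

With a quantum larger than every burst the same function degenerates to first-come, first-served, which is a quick way to see what the time slicing buys.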

● Vector processing was developed to increase processing performance by operating in a multitasking manner.

● Matrix operations were added to computers to allow a single instruction to manipulate two arrays of numbers performing arithmetic operations. This was valuable in certain types of applications in which data occurred in the form of vectors or matrices.

● The next advancement was the development of symmetric multiprocessing systems (SMP) to address the problem of resource management in master/slave models. In SMP systems, each processor is equally capable and responsible for managing the workflow as it passes through the system.

● Massively parallel processing (MPP) is used in computer architecture circles to refer to a computer system with many independent arithmetic units or entire microprocessors, which run in parallel.

Principles of Parallel and Distributed Computing

● The two fundamental and dominant models of computing environment are sequential and parallel. The sequential computing era began in the 1940s. The parallel and distributed computing era followed it within a decade.

● The four key elements of computing developed during these eras are architectures, compilers, applications, and problem solving environments.

● Every aspect of this era will undergo a three phase process.

○ Research and Development (R&D)
○ Commercialization
○ Commoditization

Parallel vs distributed computing

● The terms parallel computing and distributed computing are often used interchangeably, even though they mean somewhat different things.

● The term parallel implies a tightly coupled system, whereas distributed refers to a wider class of system which includes tightly coupled systems.

● More specifically, the term parallel computing refers to a model in which the computation is divided among several processors sharing the same memory.

● The architecture of a parallel computing system is often characterized by the homogeneity of components.

● In the parallel computing paradigm, each processor is of the same type and has the same capability. The shared memory has a single address space, which is accessible to all the processors.

● Processing of multiple tasks simultaneously on multiple processors is called parallel processing.

● A parallel program consists of multiple active processes or tasks simultaneously solving a given problem.

● A given task is divided into multiple subtasks using a divide and conquer technique, and each subtask is processed on a different Central Processing Unit (CPU).

● Programming on a multiprocessor system using the divide and conquer technique is called parallel programming.

● The term distributed computing encompasses any architecture or system that allows the computation to be broken down into units and executed concurrently on different computing elements, whether these are processors on different nodes, processors on the same computer, or cores within the same processor.

● Therefore, distributed computing includes a wider range of systems and applications than parallel computing and is often considered the more general term.

Elements of parallel computing

● The core elements of parallel processing are CPUs. Based on the number of instruction streams and data streams that can be processed simultaneously, computing systems are classified into four categories proposed by Michael J. Flynn in 1966.
○ Single Instruction Single Data systems (SISD)
○ Single Instruction Multiple Data systems (SIMD)
○ Multiple Instruction Single Data systems (MISD)
○ Multiple Instruction Multiple Data systems (MIMD)

● An SISD computing system is a uniprocessor system capable of executing a single instruction, which operates on a single data stream.

Figure 1.8 SISD

● An SIMD computing system is a multiprocessor system capable of executing the same single instruction on all the CPUs but operating on different data streams.

Figure 1.9 SIMD

● An MISD computing system is a multiprocessor system capable of executing different instructions on different processing elements but all of them operating on the same data stream.

Figure 1.10 MISD

● An MIMD computing system is a multiprocessor system capable of executing multiple instructions on multiple data streams.

Figure 1.11 MIMD

● MIMD systems are broadly categorized into shared memory MIMD and distributed memory MIMD based on the way processing elements are coupled to the main memory.

● In the shared memory MIMD model, all the processing elements are connected to a single global memory and they all have access to it.

● In the distributed memory MIMD model, all processing elements have a local memory. Systems based on this model are also called loosely coupled multiprocessor systems.

● In general, failures in a shared memory MIMD affect the entire system, whereas this is not the case in the distributed model, in which each of the processing elements can be easily isolated.

● A wide variety of parallel programming approaches are available in the computing environment. The most prominent among them are the following:

○ Data parallelism
○ Process parallelism
○ Farmer-and-worker model

● In data parallelism, the divide and conquer methodology is used to split data into multiple sets, and each data set is processed on different processing elements using the same instruction.

● In process parallelism, a given operation has multiple distinct tasks that can be processed on multiple processors.

● In the farmer-and-worker model, a job distribution approach is used in which one processor is configured as master and all other remaining processing elements are designated as slaves. The master assigns jobs to slave processing elements and, on completion, they inform the master, which in turn collects the results.
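The data parallelism and farmer-and-worker bullets above combined in one added example (not code from the original notes): the master splits the input into sets, hands one set per job to a pool of workers that all apply the same word-counting instruction, and merges the partial results the workers report back. Worker threads stand in for the processing elements so the block runs anywhere; the input lines are constructed sample data.

```python
import threading
from collections import Counter
from queue import Queue

STOP = None   # sentinel telling a worker that the master has no more jobs


def split_data(items, n_sets):
    """Data parallelism: divide the input into n_sets contiguous, near-equal sets."""
    if n_sets <= 0:
        raise ValueError("n_sets must be positive")
    size, extra = divmod(len(items), n_sets)
    sets, start = [], 0
    for i in range(n_sets):
        end = start + size + (1 if i < extra else 0)
        sets.append(items[start:end])
        start = end
    return sets


def count_words(chunk):
    """The one 'instruction' every worker applies to its own data set."""
    counts = Counter()
    for line in chunk:
        counts.update(line.lower().split())
    return counts


def worker(worker_id, jobs, results):
    """A worker (slave) processing element: take a job, process it, inform the master."""
    while True:
        job = jobs.get()
        if job is STOP:
            break
        job_id, chunk = job
        results.put((worker_id, job_id, count_words(chunk)))


def farmer(lines, n_workers):
    """The master: split the data, hand out jobs, collect and merge the results.

    Returns (total_counts, assignments) where assignments maps job id -> worker id.
    """
    jobs, results = Queue(), Queue()
    workers = [threading.Thread(target=worker, args=(w, jobs, results), daemon=True)
               for w in range(n_workers)]
    for t in workers:
        t.start()
    sets = split_data(lines, n_workers)
    for job_id, chunk in enumerate(sets):
        jobs.put((job_id, chunk))
    for _ in workers:
        jobs.put(STOP)
    total, assignments = Counter(), {}
    for _ in range(len(sets)):              # one report per job, in completion order
        worker_id, job_id, partial = results.get()
        assignments[job_id] = worker_id
        total.update(partial)
    for t in workers:
        t.join()
    return total, assignments


# Constructed sample input: a few lines of text whose words are to be counted.
SAMPLE_LINES = [
    "the cloud is a metaphor for the internet",
    "utility computing is not a new idea",
    "grid computing is often confused with cloud computing",
    "the cloud sees no borders",
    "cloud computing and virtual data centers are different",
]

if __name__ == "__main__":
    total, assignments = farmer(SAMPLE_LINES, n_workers=3)
    print(total.most_common(3))
    print("job -> worker:", assignments)
```

Replacing the threads with processes (for example `multiprocessing`) keeps the same master/worker protocol and adds real CPU parallelism.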

● Parallelism within an application can be detected at several levels such as large grain (or task level), medium grain (or control level), fine grain (data level), and very fine grain (multiple-instruction issue).

● Speed of computation never increases linearly. It is proportional to the square root of system cost. Therefore, the faster a system becomes, the more expensive it is to increase its speed.

Figure 1.12 Cost versus Speed

● Speed of a parallel computer increases as the logarithm of the number of processors (i.e., y = k log(N)).

Figure 1.13 Number of processors versus Speed

Elements of distributed computing

● A distributed system is a collection of independent computers that appears to its users as a single coherent system.

● A distributed system is the result of the interaction of several components that pass through the entire computing stack from hardware to software.

Figure 1.14 A layered view of a distributed system

● At the very bottom layer, computer and network hardware constitute the physical infrastructure.

● The hardware components are directly managed by the operating system, which provides the basic services for inter process communication (IPC), process scheduling and management, and resource management in terms of the file system and local devices.

● The use of well-known standards at the operating system level and even more at the hardware and network levels allows easy harnessing of heterogeneous components and their organization into a coherent and uniform system.

● The middleware layer leverages such services to build a uniform environment for the development and deployment of distributed applications.

● The top of the distributed system stack is represented by the applications and services designed and developed to use the middleware.

● In distributed computing, architectural styles are mainly used to determine the vocabulary of components and connectors that are used as instances of the style, together with a set of constraints on how they can be combined.

● Architectural styles are classified into two major classes.
○ Software architectural styles
○ System architectural styles

● The first class relates to the logical organization of the software.

● The second class includes all those styles that describe the physical organization of distributed software systems in terms of their major components.

● A component represents a unit of software that encapsulates a function or a feature of the system. Examples of components can be programs, objects, processes, pipes, and filters.

● A connector is a communication mechanism that allows cooperation and coordination among components. Differently from components, connectors are not encapsulated in a single entity, but they are implemented in a distributed manner over many system components.

● Software architectural styles are based on the logical arrangement of software components.

● According to Garlan and Shaw, architectural styles are classified as shown in Table 1.1.

Category                 Most Common Architectural Styles
Data-centered            Repository; Blackboard
Dataflow                 Pipe and filter; Batch sequential
Virtual machine          Rule-based system; Interpreter
Call and return          Top down systems; Object oriented systems; Layered systems
Independent components   Communicating processes; Event system

Table 1.1 Software Architectural Styles

● The repository architectural style is the most relevant reference model in this category. It is characterized by two main components: the central data structure, which represents the current state of the system, and a collection of independent components, which operate on the central data.

● The batch sequential style is characterized by an ordered sequence of separate programs executing one after the other. These programs are chained together by providing as input for the next program the output generated by the last program after its completion, which is most likely in the form of a file.

● The pipe and filter style is a variation of the previous style for expressing the activity of a software system as a sequence of data transformations. Each component of the processing chain is called a filter, and the connection between one filter and the next is represented by a data stream.
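The batch sequential and pipe and filter styles side by side, as an added example (not from the original notes): the same four text-cleaning filters are run either as a chain of generators, where each element flows to the next filter as soon as it is produced, or as separate programs that each run to completion on the full output of the previous one. The filter names and the input lines are constructed for the example.

```python
from itertools import count, islice


# Filters: each consumes one input stream and yields one output stream.
def strip_comments(stream):
    for line in stream:
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def tokenize(stream):
    for line in stream:
        yield from line.split()


def normalize(stream):
    for token in stream:
        yield token.lower()


def unique(stream):
    seen = set()
    for token in stream:
        if token not in seen:
            seen.add(token)
            yield token


def pipeline(source, *filters):
    """Pipe and filter: connect filters by streams, so data moves element by element."""
    stream = iter(source)
    for f in filters:
        stream = f(stream)
    return stream


def batch_sequential(source, *programs):
    """Batch sequential: each program finishes before its whole output (the 'file')
    is handed to the next program."""
    data = list(source)
    for program in programs:
        data = list(program(data))
    return data


def streamed_prefix(n):
    """Only the pipeline can serve results from an endless source: batch_sequential
    would never finish materializing the first 'file'."""
    endless = (f"line {i}" for i in count())
    return list(islice(pipeline(endless, tokenize, normalize, unique), n))


# Constructed sample input with comments, mixed case and repeated words.
SAMPLE_LINES = [
    "Alpha beta  # a trailing comment",
    "# a line that is only a comment",
    "Beta GAMMA",
    "gamma alpha delta",
]

if __name__ == "__main__":
    print(list(pipeline(SAMPLE_LINES, strip_comments, tokenize, normalize, unique)))
    print(batch_sequential(SAMPLE_LINES, strip_comments, tokenize, normalize, unique))
    print(streamed_prefix(3))
```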

● Rule-Based Style architecture is characterized by representing the abstract execution


environment as an inference engine. Programs are expressed in the form of rules or
predicates that hold true.

● The core feature of the interpreter style is the presence of an engine that is used to
interpret a pseudo code expressed in a format acceptable for the interpreter. The
interpretation of the pseudo-programconstitutestheexecutionof theprogramitself.

● Top Down Style is quite representative of systems developed with imperative


programming, which leads to a divide and conquer approach to problem resolution.
● Object Oriented Style encompasses a wide range of systems that have been designed
and implemented by leveraging the abstractions of object oriented programming

● The layered system style allows the design and implementation of software systems in
terms of layers, whichprovidea differentlevel of abstractionof the system.

● Each layer generally operates with at most two layers: the one that provides a lower
abstraction level and the one that provides a higher abstraction layer.

● In the communicating processes architectural style, components are represented by
independent processes that leverage IPC facilities for coordination management.

● In the event systems architectural style, the components of the system are loosely
coupled and connected through events: a component publishes an event, and the
components that registered for that event react to it.

● System architectural styles cover the physical organization of components and processes
over a distributed infrastructure. They provide two fundamental reference styles:
client/server and peer-to-peer.

● The client/server model features two major components: a server and a client. These
two components interact with each other through a network connection using a given
protocol. The communication is unidirectional. The client issues a request to the server,
and after processing the request the server returns a response.

● The important operations in the client-server paradigm are request, accept (client side),
and listen and response (server side).

● The client/server model is suitable in many-to-one scenarios.

● In general, multiple clients are interested in such services and the server must be
appropriately designed to efficiently serve requests coming from different clients. This
consideration has implications on both client design and server design.
● For the client design, there are two models: the thin client model and the fat client model.

● In the thin client model, the load of data processing and transformation is put on the server
side, and the client has a light implementation that is mostly concerned with retrieving
and returning the data it is being asked for, with no considerable further processing.

● In the fat client model, the client component is also responsible for processing and
transforming the data before returning it to the user, whereas the server features a fairly
light implementation that is mostly concerned with the management of access to the data.

● The three major components in the client-server model are presentation, application
logic, and data storage.

● Presentation, application logic, and data maintenance can be seen as conceptual layers,
which are more appropriately called tiers.

● The mapping between the conceptual layers and their physical implementation in
modules and components allows differentiating among several types of architectures,
which go under the name of multi-tiered architectures.

● Two major classes are the two-tier architecture and the three-tier architecture.

● Two-tier architecture partitions the systems into two tiers, which are located one in the
client component and the other on the server. The client is responsible for the
presentation tier by providing a user interface. The server concentrates the application
logic and the data store into a single tier.

● Three-tier architecture separates the presentation of data, the application logic, and the
data storage into three tiers. This architecture is generalized into an N-tier model in case it
is necessary to further divide the stages composing the application logic and storage tiers.

● The peer-to-peer model introduces a symmetric architecture in which all the components,
called peers, play the same role and incorporate both the client and the server capabilities
of the client/server model.

● The most relevant examples of peer-to-peer systems are file sharing applications such as
Gnutella, BitTorrent, and Kazaa.

Models for interprocess communication

● There are several different models in which processes can interact with each other;
these map to different abstractions for IPC. Among the most relevant models are shared
memory, remote procedure call (RPC), and message passing.

● Message passing introduces the concept of a message as the main abstraction of the
model. The entities exchanging information explicitly encode the data to be exchanged in
the form of a message. The structure and the content of a message vary according to the
model. The Message-Passing Interface (MPI) is the reference example of this model;
OpenMP, which is often listed next to it, is instead an example of the shared-memory
model, since its threads communicate through variables in a common address space.

● The remote procedure call paradigm extends the concept of a procedure call beyond the
boundaries of a single process, thus triggering the execution of code in remote
processes. In this case, an underlying client/server architecture is implied. A remote
process hosts a server component, thus allowing client processes to request the invocation
of methods, and returns the result of the execution.

Models for message-based communication

Point-to-point message model

● This model organizes the communication among single components. Each message is
sent from one component to another, and there is a direct addressing to identify the
message receiver. In a point-to-point communication model it is necessary to know the
location of or how to address another component in the system.
Publish-and-subscribe message model

● This model introduces a different strategy, one that is based on notification among
components.

● There are two major roles: the publisher and the subscriber.

● There are two major strategies for dispatching the event to the subscribers:
○ Push strategy. In this case it is the responsibility of the publisher to notify all the
subscribers, for example with a method invocation.
○ Pull strategy. In this case the publisher simply makes the message available for a
specific event, and it is the responsibility of the subscribers to check whether
there are messages on the events for which they are registered.
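The two dispatch strategies side by side, as an added Python example that is not part of the original notes: a small in-memory broker notifies push subscribers by method invocation at publish time and queues events for pull subscribers until they poll. The topic names, the event dictionaries and the per-subscriber backlog limit are constructed for the example; the limit exists because a pull subscriber that never polls would otherwise let the broker's memory grow without bound, which is the usual way a pull-based broker gets exhausted.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List

Event = dict
PushCallback = Callable[[str, Event], None]


class Broker:
    """In-memory broker that supports both dispatch strategies for one topic space."""

    def __init__(self, max_backlog: int = 100) -> None:
        # push strategy: topic -> callbacks invoked by the broker at publish time
        self._push: Dict[str, List[PushCallback]] = defaultdict(list)
        # pull strategy: topic -> subscriber id -> events waiting to be polled
        self._pull: Dict[str, Dict[str, Deque[Event]]] = defaultdict(dict)
        # bound on queued events per pull subscriber, so that a subscriber that
        # never polls cannot grow the broker's memory without limit (assumed value)
        self._max_backlog = max_backlog

    def subscribe_push(self, topic: str, callback: PushCallback) -> None:
        self._push[topic].append(callback)

    def subscribe_pull(self, topic: str, subscriber_id: str) -> None:
        self._pull[topic].setdefault(subscriber_id, deque(maxlen=self._max_backlog))

    def publish(self, topic: str, event: Event) -> int:
        """Dispatch one event; returns how many subscribers were notified or queued."""
        delivered = 0
        for callback in self._push.get(topic, []):
            try:
                callback(topic, event)       # push: the publisher side does the work
                delivered += 1
            except Exception:
                continue                     # one failing subscriber must not block the rest
        for backlog in self._pull.get(topic, {}).values():
            backlog.append(event)            # pull: park it; deque drops the oldest when full
            delivered += 1
        return delivered

    def poll(self, topic: str, subscriber_id: str) -> List[Event]:
        """Pull strategy: the subscriber fetches everything queued since its last poll."""
        backlog = self._pull.get(topic, {}).get(subscriber_id)
        if backlog is None:
            raise KeyError(f"{subscriber_id!r} is not subscribed to {topic!r}")
        events = list(backlog)
        backlog.clear()
        return events


def demo() -> dict:
    """Constructed scenario: one push subscriber and one pull subscriber on 'vm.created'."""
    broker = Broker(max_backlog=2)
    pushed: List[Event] = []
    broker.subscribe_push("vm.created", lambda topic, ev: pushed.append(ev))
    broker.subscribe_pull("vm.created", "auditor")

    delivered = [
        broker.publish("vm.created", {"id": "vm-1"}),
        broker.publish("vm.created", {"id": "vm-2"}),
        broker.publish("vm.created", {"id": "vm-3"}),  # auditor's backlog holds only 2
        broker.publish("vm.deleted", {"id": "vm-1"}),  # no subscriber: dropped
    ]
    return {
        "delivered": delivered,
        "pushed_ids": [ev["id"] for ev in pushed],
        "pulled_ids": [ev["id"] for ev in broker.poll("vm.created", "auditor")],
        "second_poll": broker.poll("vm.created", "auditor"),
    }
```

Running demo() shows the asymmetry of the two strategies: the push subscriber saw all three events as they were published, while the pull subscriber, whose backlog was capped at two, gets only the two most recent ones when it finally polls and nothing on the next poll. An event on a topic nobody registered for is not stored anywhere.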
Request-reply message model

● The request-reply message model identifies all communication models in which, for each
message sent by a process, there is a reply.

● This model is quite popular and provides a different classification that does not focus on
the number of the components involved in the communication but rather on how the
dynamic of the interaction evolves.

Technologies for distributed computing

Remote procedure call

● RPC is the fundamental abstraction enabling the execution of procedures on a client's
request.

● RPC allows extending the concept of a procedure call beyond the boundaries of a
process and a single memory address space.

● The called procedure and the calling procedure may be on the same system or on
different systems in a network.
● An important aspect of RPC is marshaling, which identifies the process of converting
parameters and return values into a form that is more suitable to be transported over a
network through a sequence of bytes. The term unmarshaling refers to the opposite
procedure.
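Marshaling and unmarshaling made concrete, as an added Python example that is not from the original notes: a call (procedure name plus arguments) is encoded into a length-prefixed byte sequence that can cross a network, and decoded again on the server side. The wire format, the size limits and the two sample procedures are assumptions made for this example. The server treats the received bytes as untrusted: every length field is checked against the buffer before it is used, only known type tags and procedure names are accepted, and no generic object serializer (such as Python's pickle) is involved, since unmarshaling an attacker-controlled pickle executes arbitrary code.

```python
import struct
from typing import Any, Callable, Dict, List, Tuple

# Limits for the constructed wire format: any field or argument list beyond
# these is rejected before memory is allocated for it (assumed values).
MAX_FIELD = 4096
MAX_ARGS = 16

# Type tags on the wire: 'i' = signed 64-bit int, 's' = UTF-8 string, 'b' = raw bytes.


def _pack_bytes(data: bytes) -> bytes:
    if len(data) > MAX_FIELD:
        raise ValueError("field too large to marshal")
    return struct.pack("!I", len(data)) + data


def _pack_str(text: str) -> bytes:
    return _pack_bytes(text.encode("utf-8"))


def marshal_call(procedure: str, args: List[Any]) -> bytes:
    """Client side: turn a procedure name and its arguments into a byte sequence."""
    if len(args) > MAX_ARGS:
        raise ValueError("too many arguments")
    out = bytearray(_pack_str(procedure))
    out += struct.pack("!H", len(args))
    for arg in args:
        if isinstance(arg, bool) or not isinstance(arg, (int, str, bytes)):
            raise TypeError(f"unsupported argument type {type(arg).__name__}")
        if isinstance(arg, int):
            out += b"i" + struct.pack("!q", arg)
        elif isinstance(arg, str):
            out += b"s" + _pack_str(arg)
        else:
            out += b"b" + _pack_bytes(arg)
    return bytes(out)


class _Reader:
    """Cursor over an untrusted buffer; every read is bounds-checked."""

    def __init__(self, buf: bytes) -> None:
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated message")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def take_bytes(self) -> bytes:
        (length,) = struct.unpack("!I", self.take(4))
        if length > MAX_FIELD:          # reject a forged length before acting on it
            raise ValueError("field too large")
        return self.take(length)

    def take_str(self) -> str:
        return self.take_bytes().decode("utf-8")


def unmarshal_call(wire: bytes) -> Tuple[str, List[Any]]:
    """Server side: rebuild (procedure, args) from bytes received over the network."""
    reader = _Reader(wire)
    procedure = reader.take_str()
    (count,) = struct.unpack("!H", reader.take(2))
    if count > MAX_ARGS:
        raise ValueError("too many arguments")
    args: List[Any] = []
    for _ in range(count):
        tag = reader.take(1)
        if tag == b"i":
            (value,) = struct.unpack("!q", reader.take(8))
            args.append(value)
        elif tag == b"s":
            args.append(reader.take_str())
        elif tag == b"b":
            args.append(reader.take_bytes())
        else:
            raise ValueError(f"unknown type tag {tag!r}")
    if reader.pos != len(wire):
        raise ValueError("trailing bytes after message")
    return procedure, args


# Assumed server: an explicit allow-list of procedures, never a lookup of an
# arbitrary client-supplied name in a module or class namespace.
PROCEDURES: Dict[str, Callable[..., Any]] = {
    "add": lambda a, b: a + b,
    "upper": lambda s: s.upper(),
}


def serve(wire: bytes) -> bytes:
    """Unmarshal a request, run the named procedure, marshal the result back."""
    procedure, args = unmarshal_call(wire)
    handler = PROCEDURES.get(procedure)
    if handler is None:
        raise LookupError(f"no such procedure: {procedure!r}")
    return marshal_call("result", [handler(*args)])
```

A round trip is marshal_call("add", [2, 40]) on the client, serve(...) on the server and unmarshal_call on the reply, which yields ("result", [42]). A message cut short by one byte, or one whose length prefix claims four gigabytes, is rejected with ValueError before any allocation, which is the property a real RPC runtime's unmarshaler needs as well.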

Distributed object frameworks

● Distributed object frameworks extend object-oriented programming systems by allowing
objects to be distributed across a heterogeneous network and provide facilities so that
they can coherently act as though they were in the same address space.

Service-oriented computing

● Service-oriented computing organizes distributed systems in terms of services, which
represent the major abstraction for building systems.

● Service orientation expresses applications and software systems as aggregations of
services that are coordinated within a service-oriented architecture (SOA).

● SOA is an architectural style supporting service orientation. It organizes a software
system into a collection of interacting services.

● SOA encompasses a set of design principles that structure system development and
provide means for integrating components into a coherent and decentralized system.

● SOA-based computing packages functionalities into a set of interoperable services, which
can be integrated into different software systems belonging to separate business
domains.

● There are two major roles within SOA: the service provider and the service consumer.

Cloud Characteristics

From the various definitions of cloud computing, a certain set of key characteristics
emerges. Figure 1.15 illustrates the key characteristics of the cloud computing paradigm.

On-demand Provisioning

● On-demand provisioning is the single most important characteristic of cloud computing: it
allows users to request or release resources whenever they want.

● These demands are thereafter automatically granted by a cloud provider’s service and
the users are only charged for their usage, i.e., the time they were in possession of the
resources.

● The reactivity of a cloud solution with regard to resource provisioning is indeed of prime
importance, as it is closely related to the cloud's pay-as-you-go business model.

● It is one of the most valuable features of cloud computing, as the user can continuously
monitor the uptime, the computing capabilities and the allotted network storage of the
provisioned servers, and adjust the request accordingly.

Universal Access

● Resources in the cloud need not only be provisioned rapidly but also accessed and
managed universally, using standard Internet protocols, typically via RESTful web
services.

● This enables the users to access their cloud resources using any type of devices,
provided they have an Internet connection.

● Universal access is a key feature behind the cloud’s widespread adoption, not only by
professional actors but also by the general public that is nowadays familiar with cloud
based solutions such as cloud storage or media streaming.
● Capabilities are available over the network and accessed through standard mechanisms
that promote use by heterogeneous thin or thick client platforms such as mobile phones,
tablets, laptops, and workstations.

Figure 1.15 Cloud Characteristics

Enhanced Reliability

● Cloud computing enables users to enhance the reliability of their applications.

● Reliability is already built into many cloud solutions via storage redundancy.

● Cloud providers usually have more than one data center and further reliability can be
achieved by backing data up in different locations.

● This can also be used to ensure service availability, in the case of routine maintenance
operations or the rarer case of a natural disaster.

● The user can achieve further reliability by using the services of different cloud providers.

Measured Services

● Cloud computing refers generally to paid services.

● The customers are entitled to a certain quality of service, guaranteed by the Service
Level Agreement that they should be able to supervise.

● Therefore, cloud providers offer monitoring tools, either using a graphical interface or via
an API.

● These tools also help the providers themselves for billing and management purposes.

Multitenancy

● As with the grid before it, the cloud's resources are shared by different simultaneous
users. In the grid, however, users had to reserve in advance a fixed number of physical
machines for a fixed amount of time.

● In virtualized data centers, a user's provisioned resources no longer correspond to the
physical infrastructure and can be dispatched over multiple physical machines.

● They can also run alongside other users’ provisioned resources thus requiring a lesser
amount of physical resources. Consequently, important energy savings can be made by
shutting down the unused resources or putting them in energy saving mode.

Resource pooling

● The provider's computing resources are pooled to serve multiple consumers using a
multi-tenant model, with different physical and virtual resources dynamically assigned
and reassigned according to consumer demand.

● There is a sense of location independence in that the customer generally has no control
or knowledge over the exact location of the provided resources but may be able to
specify location at a higher level of abstraction (e.g., country, state, or data center).

● Examples of resources include storage, processing, memory, and network bandwidth.

Rapid elasticity and Scalability

● Elasticity is the ability of a system to include and exclude resources like CPU cores,
memory, Virtual Machine and container instances to adapt to the load variation in real
time.

● Elasticity is a dynamic property for cloud computing. There are two types of elasticity.
Horizontal and Vertical.

● Horizontal elasticity consists in adding or removing instances of computing resources
associated with an application.

● Vertical elasticity consists in increasing or decreasing characteristics of computing
resources, such as CPU time, cores, memory, and network bandwidth.

● Other terms, such as scalability and efficiency, are associated with elasticity and are
sometimes used interchangeably with it, but their meaning is different.

● Scalability is the ability of the system to sustain increasing workloads by making use of
additional resources. It is time independent: it is similar to the provisioning state in
elasticity, but time has no effect on the system (it is a static property).

● The following equations summarize the elasticity concept in cloud computing:

Autoscaling = Scalability + Automation
Elasticity = Autoscaling + Optimization
● This means that elasticity is built on top of scalability. It can be considered an
automation of the concept of scalability; however, it also aims to optimize, as well and as
quickly as possible, the resources in use at a given time.

● Capabilities can be elastically provisioned and released, in some cases automatically, to
scale rapidly outward and inward commensurate with demand.

● To the consumer, the capabilities available for provisioning often appear to be unlimited
and can be appropriated in any quantity at any time.
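A horizontal autoscaler that follows the relations above, as an added Python example that is not part of the original notes: scalability is the ability to run more instances, automation is the rule that adds or removes them from a utilisation sample, and the scale-in branch together with the cooldown is the optimization step that makes the result elastic rather than merely scalable. The thresholds, the capacity of one instance and the demand series are constructed for the example. The max_instances cap is deliberate: without it, attacker-generated load turns elasticity into an unbounded bill, so a policy should always bound what automation may provision. A small vertical counterpart is included to show the other form of elasticity, the same decision applied to the size of one instance rather than to the number of instances.

```python
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass
class ScalingPolicy:
    # all values are assumptions for this example
    min_instances: int = 1
    max_instances: int = 4                 # hard ceiling: bounds cost under hostile load
    scale_out_above: float = 0.75          # utilisation above which one instance is added
    scale_in_below: float = 0.25           # utilisation below which one instance is removed
    cooldown_ticks: int = 2                # ticks to wait after a change before acting again
    capacity_per_instance: float = 100.0   # demand units one instance can serve per tick


class HorizontalAutoscaler:
    """Adds or removes whole instances (horizontal elasticity) from demand samples."""

    def __init__(self, policy: ScalingPolicy) -> None:
        self.policy = policy
        self.instances = policy.min_instances
        self._last_change = -policy.cooldown_ticks   # permits a decision at tick 0

    def utilisation(self, demand: float) -> float:
        return demand / (self.instances * self.policy.capacity_per_instance)

    def decide(self, tick: int, demand: float) -> int:
        """Apply the policy to one sample and return the resulting instance count."""
        p = self.policy
        if tick - self._last_change < p.cooldown_ticks:
            return self.instances            # still settling: avoid flapping
        target = self.instances
        if self.utilisation(demand) > p.scale_out_above:
            target = min(p.max_instances, self.instances + 1)
        elif self.utilisation(demand) < p.scale_in_below:
            target = max(p.min_instances, self.instances - 1)
        if target != self.instances:
            self.instances = target
            self._last_change = tick
        return self.instances


def simulate(demand: Sequence[float], policy: ScalingPolicy) -> List[int]:
    """Run the autoscaler over a demand series; returns the instance count after each tick."""
    scaler = HorizontalAutoscaler(policy)
    return [scaler.decide(tick, d) for tick, d in enumerate(demand)]


def resize_vertically(vcpus: int, utilisation: float, policy: ScalingPolicy,
                      sizes: Tuple[int, ...] = (1, 2, 4, 8)) -> int:
    """Vertical elasticity: move one instance to the next larger or smaller size."""
    index = sizes.index(vcpus)
    if utilisation > policy.scale_out_above and index + 1 < len(sizes):
        return sizes[index + 1]
    if utilisation < policy.scale_in_below and index > 0:
        return sizes[index - 1]
    return vcpus


# Constructed demand series: a ramp, a plateau, then a drop
SAMPLE_DEMAND = [50, 90, 200, 300, 300, 300, 100, 20, 20, 20]
```

With the default policy, simulate(SAMPLE_DEMAND, ScalingPolicy()) returns [1, 2, 2, 3, 3, 4, 4, 3, 3, 2]: the fleet grows one instance at a time as the ramp arrives, the repeated counts are cooldown ticks in which the rule deliberately does nothing, and the scale-in steps at the end are the optimization that plain scalability lacks. A constant demand far above capacity never pushes the fleet past max_instances.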

Easy Maintenance

● The servers are easily maintained and the downtime is very low; in some cases there is
no downtime at all.

● Cloud services are updated continuously, gradually making them better. The updates are
more compatible with client devices and perform faster than the older versions, and they
carry the fixes for known bugs.

High Availability

● The capabilities of the cloud can be modified as usage changes and can be extended
considerably: the provider analyzes storage usage and lets the user buy extra cloud storage
when needed for a very small amount, so the service stays available as demand grows.

Security

● Security is one of the most important features of cloud computing. Providers take
snapshots of the stored data so that the data is not lost even if one of the servers gets
damaged.

● The data is held on storage devices under the provider's physical and access controls, so
that it cannot be read or utilized by other tenants when those controls are configured
correctly; the storage service is quick and reliable. These controls do not make the data
immune to compromise, however: the provider secures the physical infrastructure, while
the customer remains responsible for the access permissions, credentials and keys of its
own account.

TWO MARK QUESTIONS

1. Define utility computing.

● Utility computing is the provision of computational resources and storage resources as a
metered service, similar to those provided by a traditional public utility company.
● This is not a new idea.
● This form of computing is growing in popularity, however, as companies have begun to
extend the model to a cloud computing paradigm providing virtual servers that IT
departments and users can access on demand.

2. What is Grid Computing?

● Grid computing is often confused with cloud computing.
● Grid computing is a form of distributed computing that implements a virtual
supercomputer made up of a cluster of networked or internetworked computers working
together to perform very large tasks.

3. Define Cloud computing.

● Cloud computing is a model for delivering IT services in which resources are retrieved
from the Internet through web-based tools and applications rather than through a direct
connection to the server.

4. Define Cloud.

● Cloud refers to software, platform, and infrastructure that are sold as a service. The
services are accessed remotely through the Internet.

● The cloud users can simply log on to the network without installing anything. They do not
pay for hardware and maintenance; the service providers pay for the physical equipment
and its maintenance.
5. What is the purpose of NCP?

● The first networking protocol that was used on the ARPANET was the Network
Control Program (NCP).
● The NCP provided the middle layers of a protocol stack running on an ARPANET
connected host computer.

6. How to increase the performance using multiprogramming?

● In a multiprogramming system, multiple programs submitted by users are allowed to use
the processor for a short time, each taking turns and having exclusive time with the
processor in order to execute instructions.
● This approach is called round robin scheduling.

7. Differentiate between Vector processing and Massive parallel processing

● Vector processing was developed to increase processing performance by applying a
single instruction to a whole vector (array) of data elements at once, instead of one
element at a time.
● Massive parallel processing (MPP) is used in computer architecture circles to refer to a
computer system with many independent arithmetic units or entire microprocessors,
which run in parallel.

8. List the four key elements in parallel and distributed computing.

● The four key elements of computing developed during these eras are architectures,
compilers, applications, and problem solving environments.

9. Differentiate between parallel and distributed computing.

● The terms parallel computing and distributed computing are often used interchangeably,
even though they mean somewhat different things. Parallel implies a tightly coupled
system, whereas distributed refers to a wider class of systems, which includes tightly
coupled systems.
● The term distributed computing encompasses any architecture or system that allows the
computation to be broken down into units and executed concurrently on different
computing elements, whether these are processors on different nodes, processors on the
same computer, or cores within the same processor.

10. Categorize computing systems based on Flynn's classification.

● Single Instruction Single Data systems (SISD)
● Single Instruction Multiple Data systems (SIMD)
● Multiple Instruction Single Data systems (MISD)
● Multiple Instruction Multiple Data systems (MIMD)

11. List the most prominent parallel programming approaches.

● Data parallelism
● Process parallelism
● Farmer-and-worker model

12. What is the farmer and worker model?

● A job distribution approach is used in which one processor is configured as the master
and all other remaining processing elements are designated as slaves.
● The master assigns jobs to slave processing elements and, on completion, they
inform the master, which in turn collects results.

13. Differentiate between component and connector.

● A component represents a unit of software that encapsulates a function or a feature of
the system.
● A connector is a communication mechanism that allows cooperation and coordination
among components.
14. Classify architectural styles according to Garlan and Shaw.

● Data-centered
● Data flow
● Virtual machine
● Call and return
● Independent components

15. What is the repository architectural style?

● The repository architectural style is the most relevant reference model in this
category.
● It is characterized by two main components: the central data structure, which
represents the current state of the system, and a collection of independent
components, which operate on the central data.

16. When does the computing paradigm adopt the client/server model?

● The client/server model is suitable in many-to-one scenarios.
● The client/server model features two major components: a server and a client.
● These two components interact with each other through a network connection using a
given protocol.
● The communication is unidirectional: the client issues the request and the server returns
the response.

17. Differentiate between Thin client and Fat client model.

● In the thin client model, the load of data processing and transformation is put on the
server side, and the client has a light implementation that is mostly concerned with
retrieving and returning the data it is being asked for, with no considerable further
processing.

● In the fat client model, the client component is also responsible for processing and
transforming the data before returning it to the user.
18. Differentiate between two-tier and three-tier architecture.

● Two-tier architecture partitions the system into two tiers, which are located one in the
client component and the other on the server.

● Three-tier architecture separates the presentation of data, the application logic, and the
data storage into three tiers.

19. What is the point-to-point model?

● This model organizes the communication among single components.
● Each message is sent from one component to another, and there is a direct addressing
to identify the message receiver.
● In a point-to-point communication model it is necessary to know the location of, or how
to address, another component in the system.

20. List the strategies for dispatching the event to the subscribers.

● Push strategy. In this case it is the responsibility of the publisher to notify all the
subscribers.
● Pull strategy. In this case the publisher simply makes the message available for a
specific event.

21. What is the request-reply model?

● The request-reply message model identifies all communication models in which, for each
message sent by a process, there is a reply.

● This model is quite popular and provides a different classification that does not focus on
the number of the components involved in the communication but rather on how the
dynamic of the interaction evolves.
22. What is the purpose of distributed object frameworks?

● Distributed object frameworks extend object-oriented programming systems by allowing
objects to be distributed across a heterogeneous network and provide facilities so that
they can coherently act as though they were in the same address space.

23. List the key characteristics of cloud.

● On-demand provisioning
● Universal access
● Enhanced reliability
● Measured services
● Multitenancy
● Resource pooling
● Elasticity
● Scalability
● High availability
● Easy maintenance
● Security
-------------------------------------------------------------------------------------------------------------------------------

UNIT II CLOUD ENABLING TECHNOLOGIES

Service Oriented Architecture – REST and Systems of Systems – Web Services – Publish-
Subscribe Model – Basics of Virtualization – Types of Virtualization – Implementation Levels of
Virtualization – Virtualization Structures – Tools and Mechanisms – Virtualization of CPU – Memory –
I/O Devices – Virtualization Support and Disaster Recovery.

-------------------------------------------------------------------------------------------------------------------------------

Service Oriented Architecture

● A service encapsulates a software component that gives a set of coherent and related
functionalities that can be reused and integrated into larger and more complex
applications.

● The term service is a general abstraction that encompasses several different
implementations using different technologies and protocols.

● Don Box identifies four major characteristics (the four tenets of service orientation) that
together identify a service.

● Boundaries are explicit

○ Service-oriented applications are generally composed of services that are spread
across different domains, trust authorities and execution environments.

● Services are autonomous

○ Services are components that exist to offer functionality.
○ Services are aggregated and coordinated to build more complex systems.
○ Services are not designed to be part of a specific system, but they can be
integrated into several software systems.
○ The notion of autonomy also affects the way services handle failures.

● Services share schema and contracts
○ Services never share class and interface definitions.
○ Unlike object-oriented systems, services are not expressed in terms of classes or
interfaces; they are defined in terms of schemas and contracts.
○ Technologies such as XML and SOAP provide the appropriate tools to support
such features rather than class definitions and interface declarations.

● Service compatibility is determined based on policy

○ Service orientation separates structural compatibility from semantic compatibility.
○ Structural compatibility is based on contracts and schemas and can be validated by
machine-based techniques.
○ Semantic compatibility is expressed in the form of policies that define the
capabilities and requirements for a service.

● Service-oriented architecture is an architectural style supporting service orientation.

● This architectural style organizes a software system into a collection of interacting
services.

● SOA encompasses a set of design principles that structure system development and
provide means for integrating components into a coherent and decentralized system.

● SOA-based computing packages functionalities into a set of interoperable services, which
can be integrated into different software systems belonging to separate business
domains.

● There are two major roles in SOA:

○ Service provider
○ Service consumer

● First, the service provider is the maintainer of the service and the organization that
makes available one or more services for others to use.
● To advertise services, the provider can publish them in a registry along with a service
contract that specifies the nature of the service, how to use the service, the requirements
for the service and the fees charged.

● Second, the service consumer can locate the service metadata in the registry and
develop the required client components to bind and use the service.

● Service providers and consumers can belong to different organizational bodies.

● It is very common in SOA based computing systems that components play the roles of
both service provider and service consumer.

● Services might aggregate information and data retrieved from other services or create
workflows of services to satisfy the request of a given service consumer. This practice is
called service orchestration, which more generally describes the automated arrangement,
coordination and management of more complex computer systems, middleware and
services.

● Another important interaction pattern is service choreography, which is the coordinated
interaction of services without a single point of control.

● SOA provides a reference model for architecting several software systems primarily for
enterprise business applications and systems.

● Interoperability, standards and service contracts play a fundamental role.

● In particular, the following list of guiding principles characterizes SOA platforms:

○ Standardized service contract

■ Services adhere to a given communication agreement, which is specified
through one or more service description documents.
○ Loose coupling

■ Services are designed as self-contained components, maintain
relationships that minimize dependencies and only require being aware of
each other.
■ Service contracts will enforce the required interaction among services.
■ This simplifies the flexible aggregation of services and enables a more
agile design strategy that supports the evolution of the enterprise
business.

○ Abstraction

■ A service is completely defined by service contracts and description
documents.
■ Abstraction hides the logic, which is encapsulated within the service
implementation.
■ The use of service description documents and contracts removes the
need to consider the technical implementation details.
■ It provides a more intuitive framework to define software systems within a
business context.

○ Reusability

■ Designed as components, services can be reused more efficiently, thus
reducing development time and the associated costs.
■ Reusability allows for a more agile design and a cost-effective system
implementation and deployment.

○ Autonomy

■ Services have control over the logic they encapsulate, and from the
service consumer's point of view there is no need to know about their
implementation.

○ Lack of state
■ By providing a stateless interaction pattern, services increase the chance
of being reused and aggregated, particularly in a scenario in which a
single service is used by multiple consumers that belong to different
administrative and business domains.

○ Discoverability

■ Services are defined by description documents that constitute
supplemental metadata through which they can be effectively discovered.
■ Service discovery provides an effective means for utilizing third-party
resources.

○ Composability

■ Using services as building blocks, difficult operations can be
implemented.
■ Service orchestration and choreography provide solid support for
composing services and achieving desired business goals.

● Together with these principles, other resources guide the use of SOA for enterprise
application integration (EAI).

● The SOA Manifesto integrates the previously described principles with general
considerations about the overall goals of a service-oriented approach to enterprise
application software design and what is valued in SOA.

● Modeling frameworks and methodologies, such as the Service-Oriented Modeling
Framework (SOMF) and the reference architectures introduced by the Organization for the
Advancement of Structured Information Standards (OASIS), provide means for
effectively realizing service-oriented architectures.

● SOA can be realized through several technologies.
● The first implementations of SOA have leveraged distributed object programming
technologies such as CORBA and DCOM.

● CORBA has been a suitable platform for realizing SOA systems because it provides
interoperability among different implementations and has been designed as a
specification supporting the development of industrial applications.

● Nowadays, SOA is mostly realized through Web services technology, which provides an
interoperable platform for connecting systems and applications.

Web Services

● Web services are the prominent technology for implementing SOA systems and
applications.

● They leverage Internet technologies and standards for building distributed systems.
Several aspects make Web services the technology of choice for SOA.

○ First, they allow for interoperability across different platforms and programming
languages.
○ Second, they are based on well-known and vendor-independent standards such
as HTTP, SOAP, XML and WSDL.
○ Third, they provide an intuitive and simple way to connect heterogeneous
software systems, enabling the quick composition of services in a distributed
environment.
○ Finally, they provide the features required by enterprise business applications to
be used in an industrial environment.

● They define facilities for enabling service discovery, which allows the system architect to
more efficiently compose SOA applications, and service metering to assess whether a
specific service complies with the contract between the service provider and the service
consumer.
● The concept behind a Web service is very simple.

● Using as a basis the object oriented abstraction, a Web service exposes a set of
operations that can be invoked by leveraging Internet based protocols.

● The semantics for invoking Web service methods is expressed through interoperable
standards such as XML and WSDL, which also provide a complete framework for
expressing simple and complex types in a platform independent manner.

● Web services are made accessible by being hosted in a Web server.

● HTTP is the most popular transport protocol used for interacting with Web services.

Figure 2.1 Reference scenario for Web services (the figure shows a WS client querying a UDDI
registry for the WSDL description of a service, then invoking the Web service, which is hosted in a
Web server alongside the application and carries its own WSDL document)

● Figure 2.1 describes the common use case scenarios for Web services.
● System architects develop a Web service with their technology of choice and deploy it in
compatible Web or application servers.

● The service description document, expressed by means of the Web Services Description
Language (WSDL), can be either uploaded to a global registry or attached as metadata
to the service itself.

● Service consumers can look up and discover services in global catalogs using Universal
Description Discovery and Integration (UDDI).

● The Web service description document allows service consumers to automatically
generate clients for the given service and embed them in their existing application.

● Web services are now extremely popular, so bindings exist for any mainstream
programming language in the form of libraries or development support tools.

● This makes the use of Web services seamless and straightforward with respect to
technologies such as CORBA that require much more integration effort.

● Moreover, being interoperable, Web services constitute a better solution for SOA with
respect to several distributed object frameworks, such as .NET Remoting, Java RMI, and
DCOM/COM+, which limit their applicability to a single platform or environment.

● Besides the main function of enabling remote method invocation by using Web based
and interoperable standards, Web services encompass several technologies that put
together and facilitate the integration of heterogeneous applications and enable service
oriented computing.

● Figure 2.2 shows the Web service technologies stack that lists all the components of the
conceptual framework describing and enabling the Web services abstraction.
● These technologies cover all the aspects that allow Web services to operate in a
distributed environment, from the specific requirements for the networking to the
discovery of services.

Figure 2.2 Web services technologies stack. The layers, from top to bottom, are:
Web Service Flow (WSFL)
Service Discovery (UDDI)
Service Publication (UDDI)
Service Description (WSDL)
XML-based messaging (SOAP)
Network (HTTP, FTP, Email, ...)
Management, Security and QoS are cross-cutting concerns drawn beside the stack, since
they apply to every layer.

● The backbone of all these technologies is XML, which is also one of the causes of Web
services' popularity and ease of use.

● XML based languages are used to manage the low level interaction for Web service method calls (SOAP), for providing metadata about the services (WSDL), for discovering services (UDDI), and other core operations.

● In practice, the core components that enable Web services are SOAP and WSDL.

● Simple Object Access Protocol (SOAP) is an XML based language for exchanging structured information in a platform-independent manner, and constitutes the protocol used for Web service method invocation.

● Within a distributed context leveraging the Internet, SOAP is considered an application layer protocol that leverages the transport level, most commonly HTTP, for IPC.

● SOAP structures the interaction in terms of messages that are XML documents mimicking the structure of a letter, with an envelope, a header, and a body.
● The envelope defines the boundaries of the SOAP message.

● The header is optional and contains relevant information on how to process the message.

POST /StockPrice HTTP/1.1
Host: www.sample.com
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <Size>

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
<soap:Header></soap:Header>
<soap:Body xmlns:m="http://www.sample.com/stock">
<m:GetPrice><m:StockName>DELL</m:StockName></m:GetPrice>
</soap:Body>
</soap:Envelope>

HTTP/1.1 200 OK
Content-Type: application/soap+xml; charset=utf-8
Content-Length: <Size>

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
<soap:Header></soap:Header>
<soap:Body xmlns:m="http://www.sample.com/stock">
<m:GetPriceResponse><m:Price>58.5</m:Price></m:GetPriceResponse>
</soap:Body>
</soap:Envelope>

Figure 2.3 SOAP message: GetPrice request (top) and reply (bottom)
● In addition to that it contains information such as routing and delivery settings,
authentication, transaction contexts and authorization assertions.

● The body contains the actual message to be processed.

● The main uses of SOAP messages are method invocation and result retrieval.

● Figure 2.3 shows an example of a SOAP message used to invoke a Web service method that retrieves the price of a given stock and the corresponding reply.

● Despite the fact that XML documents are easy to produce and process in any platform or programming language, SOAP has often been considered quite inefficient because of the excessive use of markup that XML imposes for organizing the information into a well-formed document.

● Therefore, lightweight alternatives to the SOAP/XML pair have been proposed to support Web services.
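As an added example (not from these notes or the course text), the Python below builds the GetPrice request of Figure 2.3 for any stock name and parses the reply, enforcing the envelope, optional header and single-operation body described above; the stock service namespace is taken from the figure, and the sample reply is constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces of the two messages in Figure 2.3: the SOAP 1.2 working-draft
# envelope and the (constructed) application namespace of the stock service.
SOAP_NS = "http://www.w3.org/2001/12/soap-envelope"
STOCK_NS = "http://www.sample.com/stock"
NS = {"soap": SOAP_NS, "m": STOCK_NS}

# Constructed reply with the shape of the bottom message in Figure 2.3.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2001/12/soap-envelope">
  <soap:Header></soap:Header>
  <soap:Body xmlns:m="http://www.sample.com/stock">
    <m:GetPriceResponse><m:Price>58.5</m:Price></m:GetPriceResponse>
  </soap:Body>
</soap:Envelope>"""


class SoapError(ValueError):
    """Raised when a message does not have the envelope/header/body shape."""


def build_get_price_request(stock_name):
    """Build the GetPrice request of Figure 2.3 (top) for any stock name.

    The envelope is assembled with ElementTree instead of string formatting,
    so a hostile stock name containing '<' or '&' is escaped rather than being
    able to inject extra elements into the body.
    """
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("m", STOCK_NS)
    envelope = ET.Element("{%s}Envelope" % SOAP_NS)
    ET.SubElement(envelope, "{%s}Header" % SOAP_NS)        # optional, left empty
    body = ET.SubElement(envelope, "{%s}Body" % SOAP_NS)
    get_price = ET.SubElement(body, "{%s}GetPrice" % STOCK_NS)
    ET.SubElement(get_price, "{%s}StockName" % STOCK_NS).text = stock_name
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def parse_envelope(raw):
    """Validate the envelope and return (header entries, body payload element).

    The header is optional; the body is mandatory and, for method invocation,
    carries exactly one element naming the operation.
    """
    # A document type declaration has no business in a SOAP message; refusing
    # it before parsing shuts out entity-expansion tricks (or use defusedxml).
    if b"<!DOCTYPE" in raw:
        raise SoapError("DOCTYPE not allowed in SOAP messages")
    root = ET.fromstring(raw)
    if root.tag != "{%s}Envelope" % SOAP_NS:
        raise SoapError("unexpected root element %s" % root.tag)
    header = root.find("soap:Header", NS)
    body = root.find("soap:Body", NS)
    if body is None or len(body) != 1:
        raise SoapError("Body must carry exactly one payload element")
    entries = {} if header is None else {h.tag: (h.text or "") for h in header}
    return entries, body[0]


def parse_get_price_response(raw):
    """Client side: extract the price from a GetPriceResponse (Figure 2.3, bottom)."""
    _, payload = parse_envelope(raw)
    if payload.tag != "{%s}GetPriceResponse" % STOCK_NS:
        raise SoapError("unexpected operation %s" % payload.tag)
    price = payload.findtext("m:Price", namespaces=NS)
    if price is None:
        raise SoapError("GetPriceResponse without Price")
    return float(price)


def requested_stock(raw):
    """Server side: check that a request invokes GetPrice and return the stock name."""
    _, payload = parse_envelope(raw)
    if payload.tag != "{%s}GetPrice" % STOCK_NS:
        raise SoapError("unknown operation %s" % payload.tag)
    name = payload.findtext("m:StockName", namespaces=NS)
    if not name:
        raise SoapError("GetPrice without StockName")
    return name


if __name__ == "__main__":
    print(build_get_price_request("DELL").decode())
    print("price:", parse_get_price_response(SAMPLE_RESPONSE))
```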

REST and Systems of Systems

● The most relevant alternative to the SOAP/XML pair is Representational State Transfer (REST), which provides a model for designing network based software systems utilizing the client / server model and leverages the facilities provided by HTTP for IPC without additional burden.

● In a RESTful system, a client sends a request over HTTP using the standard HTTP methods (PUT, GET, POST, and DELETE) and the server issues a response that includes the representation of the resource.

● By relying on this minimal support, it is possible to provide whatever is needed to replace the basic and most important functionality provided by SOAP, which is method invocation.
● The GET, PUT, POST, and DELETE methods constitute a minimal set of operations for
retrieving, adding, modifying and deleting the data.

● Together with an appropriate URI organization to identify resources, all the atomic
operations required by a Web service are implemented.

● The content of data is still transmitted using XML as part of the HTTP content, but the
additional markup required by SOAP is removed.

● For this reason, REST represents a lightweight alternative to SOAP, which works effectively in contexts where additional aspects beyond those manageable through HTTP are absent.

● RESTful Web services operate in an environment where no additional security beyond the one supported by HTTP is required.

● This is not a great limitation, and RESTful Web services are quite popular and used to deliver functionalities at enterprise scale:

○ Twitter
○ Yahoo! (search APIs, maps, photos, etc.)
○ Flickr
○ Amazon.com
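As an added example that is not part of these notes, the Python below maps the four HTTP methods onto a stock resource at /stock and /stock/{SYMBOL}, so that the SOAP GetPrice call of Figure 2.3 becomes GET /stock/DELL with a JSON representation; the URI layout, status codes and sample quotes are choices made here, not specified by the text.

```python
import json
import re

# URI organization: one collection and one item per stock symbol.
# GET /stock/DELL is the RESTful counterpart of the SOAP GetPrice call of Figure 2.3.
COLLECTION_PATH = "/stock"
ITEM_PATH = re.compile(r"^/stock/([A-Z]{1,6})$")


class StockResourceServer:
    """Toy RESTful service where GET, PUT, POST and DELETE are the only operations.

    The quotes dictionary is the resource state. Every call returns a pair
    (HTTP status code, representation), the representation being JSON text or ''.
    """

    ALLOWED = ("GET", "PUT", "POST", "DELETE")

    def __init__(self, quotes=None):
        self.quotes = dict(quotes or {})

    def handle(self, method, path, body=""):
        if method not in self.ALLOWED:
            return 405, ""                       # outside the minimal set: refused
        if path == COLLECTION_PATH:
            return self._collection(method, body)
        match = ITEM_PATH.match(path)
        if match is None:
            return 404, ""                       # strict URI shape: no '..' or odd names
        return self._item(method, match.group(1), body)

    def _represent(self, name):
        return json.dumps({"stock": name, "price": self.quotes[name]})

    def _collection(self, method, body):
        if method == "GET":                      # retrieve: list the members
            return 200, json.dumps(sorted(self.quotes))
        if method == "POST":                     # add: create a new member
            item = json.loads(body)
            name, price = item["stock"], float(item["price"])
            if not ITEM_PATH.match("/stock/" + name):
                return 400, ""
            if name in self.quotes:
                return 409, ""                   # POST is not idempotent: a repeat conflicts
            self.quotes[name] = price
            return 201, self._represent(name)
        return 405, ""                           # PUT/DELETE on the whole collection: not offered

    def _item(self, method, name, body):
        if method == "GET":                      # retrieve one resource representation
            return (200, self._represent(name)) if name in self.quotes else (404, "")
        if method == "PUT":                      # modify (or create) by full replacement
            self.quotes[name] = float(json.loads(body)["price"])
            return 200, self._represent(name)    # idempotent: repeating leaves the same state
        if method == "DELETE":                   # delete; a repeat finds nothing
            return (204, "") if self.quotes.pop(name, None) is not None else (404, "")
        return 405, ""


if __name__ == "__main__":
    server = StockResourceServer({"DELL": 58.5})     # constructed quote from Figure 2.3
    print(server.handle("GET", "/stock/DELL"))
    print(server.handle("PUT", "/stock/IBM", '{"price": 100}'))
    print(server.handle("DELETE", "/stock/IBM"))
```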

● Web Service Description Language (WSDL) is an XML based language for the description of Web services.

● It is used to define the interface of a Web service in terms of methods to be called and
types and structures of the required parameters and return values.
● In Figure 2.3 we notice that the SOAP messages for invoking the GetPrice method and
receiving the result do not have any information about the type and structure of the
parameters and the return values.

● This information is stored within the WSDL document attached to the Web service.

● Therefore, Web service consumer applications already know which types of parameters
are required and how to interpret results.

● As an XML based language, WSDL allows for the automatic generation of Web service
clients that can be easily embedded into existing applications.

● Moreover, XML is a platform and language independent specification, so clients for web services can be generated for any language that is capable of interpreting XML data.

● This is a fundamental feature that enables Web service interoperability and one of the
reasons that make such technology a solution of choice for SOA.

● Besides those directly supporting Web services, other technologies characterize Web 2.0 and contribute to enriching and empowering Web applications, and therefore SOA based systems.

● These fall under the names of Asynchronous JavaScript and XML (AJAX), JavaScript
Standard Object Notation (JSON) and others.

● AJAX is a conceptual framework based on JavaScript and XML that enables asynchronous behavior in Web applications by leveraging the computing capabilities of modern Web browsers.

● This transforms simple Web pages into complete applications and is used to enrich the user experience.
● AJAX uses XML to exchange data with Web services and applications.

● An alternative to XML is JSON, which allows representing objects and collections of objects in a platform independent manner.

● JSON is often preferred for transmitting data in an AJAX context because, compared to XML, it is a lighter notation and therefore allows transmitting the same amount of information in a more concise form.

Publish-Subscribe Model

● The publish-and-subscribe message model introduces a different message passing strategy, one that is based on notification among components.

● There are two major roles:

○ The publisher and the subscriber

■ The publisher provides facilities for the subscriber to register its interest in a specific topic or event.
■ Specific conditions holding true on the publisher side can trigger the creation of messages that are attached to a specific event.
■ A message will be available to all the subscribers that registered for the corresponding event.

● There are two major strategies for dispatching the event to the subscribers:

○ Push strategy

■ In this case it is the responsibility of the publisher to notify all the subscribers using method invocation.
○ Pull strategy
■ In this case the publisher simply makes available the message for a specific event and it is the responsibility of the subscribers to check whether there are messages on the events that are registered.

● The publish and subscribe model is very suitable for implementing systems based on the one to many communication model and simplifies the implementation of indirect communication patterns.

● It is, in fact, not necessary for the publisher to know the identity of the subscribers to
make the communication happen.
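The two dispatch strategies above, as an added example that is not from these notes: a small Python broker that supports push (callbacks) and pull (polled queues) side by side, plus a publisher whose message is created when a condition holds on its side; the price-drop topic, threshold and quotes are constructed for the illustration.

```python
from collections import defaultdict, deque


class Broker:
    """Publish-subscribe broker supporting both dispatch strategies from the text.

    Push: when an event fires, every registered callback is invoked by the
    publisher side (method invocation). Pull: the broker queues the message
    per subscriber and subscribers poll for it. In neither case does the
    publisher learn who the subscribers are; it only names the topic.
    """

    def __init__(self):
        self._push = defaultdict(list)    # topic -> [callback]
        self._pull = defaultdict(dict)    # topic -> {subscriber_id: deque of messages}
        self.failures = []                # (topic, subscriber, error) for push callbacks

    # subscriber side: register interest in a topic
    def subscribe_push(self, topic, callback):
        self._push[topic].append(callback)

    def subscribe_pull(self, topic, subscriber_id):
        self._pull[topic].setdefault(subscriber_id, deque())

    def poll(self, topic, subscriber_id):
        """Pull strategy: return and drain the messages queued for one subscriber."""
        queue = self._pull[topic].get(subscriber_id)
        if queue is None:
            raise KeyError("%s is not subscribed to %s" % (subscriber_id, topic))
        messages = list(queue)
        queue.clear()
        return messages

    # publisher side: dispatch one event to everyone registered for the topic
    def publish(self, topic, message):
        """Return how many subscribers received the message."""
        delivered = 0
        for callback in list(self._push[topic]):
            try:
                callback(topic, message)          # push: notify by method invocation
                delivered += 1
            except Exception as exc:              # a faulty subscriber must not block the rest
                self.failures.append((topic, callback, repr(exc)))
        for queue in self._pull[topic].values():
            queue.append(message)                 # pull: make it available for polling
            delivered += 1
        return delivered


class PriceMonitor:
    """Publisher: a condition holding true on its side (a price falling through a
    threshold) triggers creation of a message attached to the 'price-drop' event."""

    def __init__(self, broker, threshold):
        self.broker = broker
        self.threshold = threshold
        self.last = None

    def observe(self, stock, price):
        """Feed one quote; returns the number of subscribers notified (0 if no event)."""
        crossed = self.last is not None and self.last >= self.threshold > price
        self.last = price
        if not crossed:
            return 0
        return self.broker.publish("price-drop", {"stock": stock, "price": price})


if __name__ == "__main__":
    broker = Broker()
    broker.subscribe_push("price-drop", lambda t, m: print("pushed:", t, m))
    broker.subscribe_pull("price-drop", "audit-log")
    monitor = PriceMonitor(broker, threshold=60.0)
    monitor.observe("DELL", 61.0)     # constructed quotes; 61 -> 58.5 crosses 60
    monitor.observe("DELL", 58.5)
    print("pulled:", broker.poll("price-drop", "audit-log"))
```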

Basics of Virtualization

● Virtualization technology is one of the fundamental components of cloud computing, especially in regard to infrastructure based services.

● Virtualization allows the creation of a secure, customizable and isolated execution environment for running applications.

● Virtualization is a large umbrella of technologies and concepts that are meant to provide
an abstract environment whether virtual hardware or an operating system to run
applications.

● The term virtualization is often synonymous with hardware virtualization, which plays a
fundamental role in efficiently delivering Infrastructure as a Service (IaaS) solutions for
cloud computing.

● Virtualization technologies have gained renewed interest recently due to the confluence of several phenomena:

○ Increased performance and computing capacity
○ Underutilized hardware and software resources
○ Lack of space
○ Greening initiatives
○ Rise of administrative costs

● Virtualization is a broad concept that refers to the creation of a virtual version of something, whether hardware, a software environment, storage or a network.

● In a virtualized environment, there are three major components:

○ Guest
○ Host
○ Virtualization layer

● The guest represents the system component that interacts with the virtualization layer rather than with the host, as would normally happen.

● The host represents the original environment where the guest is supposed to be managed.

● The virtualization layer is responsible for recreating the same or a different environment where the guest will operate.

Characteristics of virtualized environments

● Increased security

○ The ability to control the execution of a guest in a completely transparent manner opens new possibilities for delivering a secure, controlled execution environment.
○ The virtual machine represents an emulated environment in which the guest is executed.
○ This level of indirection allows the virtual machine manager to control and filter the activity of the guest, thus preventing some harmful operations from being performed.

● Managed execution

○ Virtualization of the execution environment not only allows increased security, but a wider range of features can also be implemented.
○ In particular, sharing, aggregation, emulation, and isolation are the most relevant features.

● Sharing

○ Virtualization allows the creation of a separate computing environment within the same host.
○ In this way it is possible to fully exploit the capabilities of a powerful guest, which would otherwise be underutilized.

● Aggregation

○ Not only is it possible to share physical resource among several guests but
virtualization also allows aggregation, which is the opposite process.
○ A group of separate hosts can be tied together and represented to guests as a
single virtual host.

● Emulation

○ Guest programs are executed within an environment that is controlled by the virtualization layer, which ultimately is a program.
○ This allows for controlling and tuning the environment that is exposed to guests.

● Isolation

○ Virtualization allows providing guests, whether they are operating systems, applications, or other entities, with a completely separate environment in which they are executed.
○ The guest program performs its activity by interacting with an abstraction layer, which provides access to the underlying resources.
○ Benefits of isolation
■ First, it allows multiple guests to run on the same host without interfering with each other.
■ Second, it provides a separation between the host and the guest.

● Another important capability enabled by virtualization is performance tuning.

● This feature is a reality at present, given the considerable advances in hardware and
software supporting virtualization.

● It becomes easier to control the performance of the guest by finely tuning the properties of the resources exposed through the virtual environment.

● This capability provides a means to effectively implement a quality of service (QoS) infrastructure that more easily fulfills the service level agreement (SLA) established for the guest.

● Portability

○ The concept of portability applies in different ways according to the specific type
of virtualization considered.
○ In the case of a hardware virtualization solution, the guest is packaged into a virtual image that, in most cases, can be safely moved and executed on top of different virtual machines.

Types of Virtualization

● Virtualization is mainly used to emulate execution environments, storage and networks.

● Execution virtualization techniques can be divided into two major categories by considering the type of host they require.
● Process level techniques are implemented on top of an existing operating system, which has full control of the hardware.

● System level techniques are implemented directly on hardware and do not require or
require a minimum of support from existing operating system.

● Within these two categories we can list various techniques that offer the guest a different type of virtual computation environment:

○ Bare hardware
○ Operating system resources
○ Low level programming language
○ Application libraries

● Execution virtualization includes all techniques that aim to emulate an execution environment that is separate from the one hosting the virtualization layer.

● All these techniques concentrate their interest on providing support for the execution of
programs, whether these are the operating system, a binary specification of a program
compiled against an abstract machine model or an application.

● Therefore, execution virtualization can be implemented directly on top of the hardware by the operating system, an application and libraries (dynamically or statically) linked to an application image.

● Modern computing systems can be expressed in terms of the reference model described in Figure 2.4.

Figure 2.4 Machine reference model (layers, top to bottom): Applications; API (API calls); Libraries; ABI (system calls); Operating System; ISA (System ISA on the operating system side, User ISA on the application side); Hardware.

● At the bottom layer, the model for the hardware is expressed in terms of the Instruction Set Architecture (ISA), which defines the instruction set for the processor, registers, memory and interrupt management.

● ISA is the interface between hardware and software.

● ISA is important to the operating system (OS) developer (System ISA) and developers of applications that directly manage the underlying hardware (User ISA).

● The application binary interface (ABI) separates the operating system layer from the
applications and libraries, which are managed by the OS.

● ABI covers details such as low level data types, alignment, call conventions and defines a format for executable programs.

● System calls are defined at this level.
● This interface allows portability of applications and libraries across operating systems
that implement the same ABI.

● The highest level of abstraction is represented by the application programming interface (API), which interfaces applications to libraries and the underlying operating system.

● For this purpose, the instruction set exposed by the hardware has been divided into
different security classes that define who can operate with them.

● The first distinction can be made between privileged and nonprivileged instructions.

○ Nonprivileged instructions are those instructions that can be used without interfering with other tasks because they do not access shared resources.
○ This category contains all the floating, fixed-point, and arithmetic instructions.

● Privileged instructions are those that are executed under specific restrictions and are
mostly used for sensitive operations, which expose (behavior-sensitive) or modify
(control-sensitive) the privileged state.

● Some types of architecture feature more than one class of privileged instructions and
implement a finer control of how these instructions can be accessed.

● For instance, a possible implementation features a hierarchy of privileges, illustrated in Figure 2.5 in the form of ring-based security: Ring 0, Ring 1, Ring 2, and Ring 3.

○ Ring 0 is in the most privileged level and Ring 3 in the least privileged level.
○ Ring 0 is used by the kernel of the OS, rings 1 and 2 are used by the OS level services, and Ring 3 is used by the user.
○ Recent systems support only two levels, with Ring 0 for supervisor mode and Ring 3 for user mode.

Figure 2.5 Security rings: Ring 0 (most privileged mode) at the centre, surrounded by Ring 1, Ring 2, and Ring 3 (least privileged mode) on the outside.

● All the current systems support at least two different execution modes: supervisor mode and user mode.

○ The supervisor mode denotes an execution mode in which all the instructions (privileged and non privileged) can be executed without any restriction.
○ This mode, also called master mode or kernel mode, is generally used by the operating system (or the hypervisor) to perform sensitive operations on hardware level resources.
○ In user mode, there are restrictions to control the machine level resources.

● The distinction between user and supervisor mode allows us to understand the role of
the hypervisor and why it is called that.

● Conceptually, the hypervisor runs above the supervisor mode and from here the prefix
“hyper” is used.

● In reality, hypervisors are run in supervisor mode and the division between privileged
and non privileged instructions has posed challenges in designing virtual machine
managers.
Hardware level virtualization

● Hardware level virtualization is a virtualization technique that provides an abstract execution environment in terms of computer hardware on top of which a guest operating system can be run.

● In this model, the guest is represented by the operating system, the host by the physical computer hardware, the virtual machine by its emulation and the virtual machine manager by the hypervisor.

● The hypervisor is generally a program or a combination of software and hardware that allows the abstraction of the underlying physical hardware.

● Hardware level virtualization is also called system virtualization, since it provides ISA to virtual machines, which is the representation of the hardware interface of a system.

● This is to differentiate it from process virtual machines, which expose ABI to virtual
machines.

● A fundamental element of hardware virtualization is the hypervisor, or virtual machine manager (VMM).

● It recreates a hardware environment in which guest operating systems are installed.

● There are two major types of hypervisor: Type I and Type II. Figure 2.6 shows the different types of hypervisors.

○ Type I hypervisors run directly on top of the hardware.
○ Type I hypervisors take the place of the operating system and interact directly with the ISA interface exposed by the underlying hardware, and they emulate this interface in order to allow the management of guest operating systems.
○ This type of hypervisor is also called a native virtual machine since it runs natively on hardware.

○ Type II hypervisors require the support of an operating system to provide virtualization services.
○ This means that they are programs managed by the operating system, which interact with it through the ABI and emulate the ISA of virtual hardware for guest operating systems.
○ This type of hypervisor is also called a hosted virtual machine since it is hosted within an operating system.

Hardware virtualization techniques

● Hardware virtualization provides an abstract execution environment by means of hardware assisted virtualization, full virtualization, paravirtualization and partial virtualization techniques.

Figure 2.6 Hosted virtual machine and native virtual machine. Hosted (Type II), layers top to bottom: Virtual Machine; ISA; Virtual Machine Manager; ABI; Operating System; ISA; Hardware. Native (Type I), layers top to bottom: Virtual Machine; ISA; Virtual Machine Manager; ISA; Hardware.

Hardware assisted virtualization

● Hardware assisted virtualization refers to a scenario in which the hardware provides architectural support for building a virtual machine manager able to run a guest operating system in complete isolation.

● This technique was originally introduced in the IBM System/370.

● At present, examples of hardware assisted virtualization are the extensions to the x86
architecture introduced with Intel-VT (formerly known as Vanderpool) and AMD-V
(formerly known as Pacifica).

● These extensions, which differ between the two vendors, are meant to reduce the
performance penalties experienced by emulating x86 hardware with hypervisors.

● Before the introduction of hardware assisted virtualization, software emulation of x86 hardware was significantly costly from the performance point of view.

● The reason for this is that by design the x86 architecture did not meet the formal requirements introduced by Popek and Goldberg, and early products were using binary translation to trap some sensitive instructions and provide an emulated version.

● Products such as VMware Virtual Platform, introduced in 1999 by VMware, which pioneered the field of x86 virtualization, were based on this technique.

● After 2006, Intel and AMD introduced processor extensions and a wide range of
virtualization solutions took advantage of them: Kernel-based Virtual Machine (KVM),
VirtualBox, Xen, VMware, Hyper-V, Sun xVM, Parallels, and others.
Full virtualization

● Full virtualization refers to the ability to run a program, most likely an operating system,
directly on top of a virtual machine and without any modification, as though it were run
on the raw hardware.

● To make this possible, virtual machine managers are required to provide a complete
emulation of the entire underlying hardware.

● The principal advantage of full virtualization is complete isolation, which leads to enhanced security, ease of emulation of different architectures and coexistence of different systems on the same platform.

● Whereas it is a desired goal for many virtualization solutions, full virtualization poses
important concerns related to performance and technical implementation.

● A key challenge is the interception of privileged instructions such as I/O instructions: since they change the state of the resources exposed by the host, they have to be contained within the virtual machine manager.

● A simple solution to achieve full virtualization is to provide a virtual environment for all
the instructions, thus posing some limits on performance.

● A successful and efficient implementation of full virtualization is obtained with a combination of hardware and software, not allowing potentially harmful instructions to be executed directly on the host.

Paravirtualization

● Paravirtualization is a not-transparent virtualization solution that allows implementing thin virtual machine managers.
● Paravirtualization techniques expose a software interface to the virtual machine that is slightly modified from the host and, as a consequence, guests need to be modified.

● The aim of paravirtualization is to provide the capability to demand the execution of performance critical operations directly on the host, thus preventing performance losses that would otherwise be experienced in managed execution.

● This allows a simpler implementation of virtual machine managers that have to simply
transfer the execution of these operations, which were hard to virtualize, directly to the
host.

● To take advantage of such an opportunity, guest operating systems need to be modified and explicitly ported by remapping the performance critical operations through the virtual machine software interface.

● This is possible when the source code of the operating system is available, and this is the reason that paravirtualization was mostly explored in the open source and academic environment.

● This technique has been successfully used by Xen for providing virtualization solutions for Linux-based operating systems specifically ported to run on Xen hypervisors.

● Operating systems that cannot be ported can still take advantage of paravirtualization by using ad hoc device drivers that remap the execution of critical instructions to the paravirtualization APIs exposed by the hypervisor.

● Xen provides this solution for running Windows based operating systems on x86
architectures.

● Other solutions using paravirtualization include VMWare, Parallels, and some solutions
for embedded and real-time environments such as TRANGO, Wind River, and XtratuM.
Partial virtualization

● Partial virtualization provides a partial emulation of the underlying hardware, thus not allowing the complete execution of the guest operating system in complete isolation.

● Partial virtualization allows many applications to run transparently, but not all the features of the operating system can be supported as happens with full virtualization.

● An example of partial virtualization is address space virtualization used in time sharing systems; this allows multiple applications and users to run concurrently in a separate memory space, but they still share the same hardware resources (disk, processor, and network).

● Historically, partial virtualization has been an important milestone for achieving full virtualization, and it was implemented on the experimental IBM M44/44X.

● Address space virtualization is a common feature of contemporary operating systems.

Operating system level virtualization

● Operating system level virtualization offers the opportunity to create different and
separated execution environments for applications that are managed concurrently.

● Differently from hardware virtualization, there is no virtual machine manager or hypervisor and the virtualization is done within a single operating system where the OS kernel allows for multiple isolated user space instances.

● The kernel is also responsible for sharing the system resources among instances and for limiting the impact of instances on each other.
● A user space instance in general contains a proper view of the file system which is completely isolated, and separate IP addresses, software configurations and access to devices.

● Operating systems supporting this type of virtualization are general-purpose, time-shared operating systems with the capability to provide stronger namespace and resource isolation.

● This virtualization technique can be considered an evolution of the chroot mechanism in Unix systems.

● The chroot operation changes the file system root directory for a process and its children to a specific directory.

● As a result, the process and its children cannot have access to other portions of the file
system than those accessible under the new root directory.

● Because Unix systems also expose devices as parts of the file system, by using this
method it is possible to completely isolate a set of processes.

● Following the same principle, operating system level virtualization aims to provide
separated and multiple execution containers for running applications.

● This technique is an efficient solution for server consolidation scenarios in which multiple application servers share the same technology: operating system, application server framework, and other components.

● Examples of operating system-level virtualization are FreeBSD Jails, IBM Logical Partition (LPAR), Solaris Zones and Containers, Parallels Virtuozzo Containers, OpenVZ, iCore Virtual Accounts, Free Virtual Private Server (FreeVPS), and others.

Programming language-level virtualization

● Programming language level virtualization is mostly used to achieve ease of deployment of applications, managed execution, and portability across different platforms and operating systems.

● It consists of a virtual machine executing the byte code of a program, which is the result of the compilation process.

● Compilers have implemented and used this technology to produce a binary format representing the machine code for an abstract architecture.

● The characteristics of this architecture vary from implementation to implementation.

● Generally these virtual machines constitute a simplification of the underlying hardware instruction set and provide some high level instructions that map some of the features of the languages compiled for them.

● At runtime, the byte code can be either interpreted or compiled on the fly against the
underlying hardware instruction set.

● Programming language level virtualization has a long trail in computer science history and originally was used in 1966 for the implementation of Basic Combined Programming Language (BCPL), a language for writing compilers and one of the ancestors of the C programming language.

● Other important examples of the use of this technology have been the UCSD Pascal and Smalltalk.

● Virtual machine programming languages became popular again with Sun’s introduction of the Java platform in 1996.
● The Java virtual machine was originally designed for the execution of programs written
in the Java language, but other languages such as Python, Pascal, Groovy and Ruby
were made available.

● The ability to support multiple programming languages has been one of the key elements of the Common Language Infrastructure (CLI), which is the specification behind the .NET Framework.

Application level virtualization

● Application level virtualization is a technique allowing applications to be run in runtime environments that do not natively support all the features required by such applications.

● In this scenario, applications are not installed in the expected runtime environment but
are run as though they were.

● In general, these techniques are mostly concerned with partial file systems, libraries, and operating system component emulation.

● Such emulation is performed by a thin layer, a program or an operating system component, that is in charge of executing the application.

● Emulation can also be used to execute program binaries compiled for different hardware architectures.

● In this case, one of the following strategies can be implemented:

○ Interpretation: In this technique every source instruction is interpreted by an emulator for executing native ISA instructions, leading to poor performance. Interpretation has a minimal startup cost but a huge overhead, since each instruction is emulated.
○ Binary translation: In this technique every source instruction is converted to native instructions with equivalent functions. After a block of instructions is translated, it is cached and reused.

● Application virtualization is a good solution in the case of missing libraries in the host
operating system.

● In this case a replacement library can be linked with the application or library calls can
be remapped to existing functions available in the host system.

● Another advantage is that in this case the virtual machine manager is much lighter, since it provides a partial emulation of the runtime environment compared to hardware virtualization.

● Compared to programming level virtualization, which works across all the applications
developed for that virtual machine, application level virtualization works for a specific
environment.

● It supports all the applications that run on top of a specific environment.

● One of the most popular solutions implementing application virtualization is Wine, which is a software application allowing Unix-like operating systems to execute programs written for the Microsoft Windows platform.

● Wine features a software application acting as a container for the guest application and a set of libraries, called Winelib, that developers can use to compile applications to be ported on Unix systems.

● Wine takes its inspiration from a similar product from Sun, Windows Application Binary
Interface (WABI) which implements the Win 16 API specifications on Solaris.
● A similar solution for the Mac OS X environment is CrossOver, which allows running
Windows applications directly on the Mac OS X operating system.

● VMware ThinApp is another product in this area; it allows capturing the setup of an installed application and packaging it into an executable image isolated from the hosting operating system.

Other types of virtualization

● Other than execution virtualization, other types of virtualization provide an abstract environment to interact with.

● These mainly cover storage, networking, and client/server interaction.

Storage virtualization

● Storage virtualization is a system administration practice that allows decoupling the physical organization of the hardware from its logical representation.

● Using this technique, users do not have to be worried about the specific location of their data, which can be identified using a logical path.

● Storage virtualization allows us to harness a wide range of storage facilities and represent them under a single logical file system.

● There are different techniques for storage virtualization, one of the most popular being
network based virtualization by means of storage area networks (SANs).

● SANs use a network accessible device through a large bandwidth connection to provide
storage facilities.
Network virtualization

● Network virtualization combines hardware appliances and specific software for the creation and management of a virtual network.

● Network virtualization can aggregate different physical networks into a single logical network (external network virtualization) or provide network like functionality to an operating system partition (internal network virtualization).

● The result of external network virtualization is generally a virtual LAN (VLAN).

● A VLAN is an aggregation of hosts that communicate with each other as though they
were located under the same broadcasting domain.

● Internalnetwork virtualizationis generallyappliedtogetherwithhardwareand operating


system-level virtualization, in which the guests obtain a virtual network interface to
communicate with.

● Thereareseveraloptionsforimplementinginternalnetworkvirtualization:

○ TheguestcansharethesamenetworkinterfaceofthehostanduseNetwork Address
Translation (NAT) to access the network;
○ Thevirtualmachinemanagercanemulate,andinstallonthehost,anadditional
network device, together with the driver.
○ Theguestcanhaveaprivatenetworkonlywiththeguest.

Desktop virtualization

● Desktop virtualization abstracts the desktop environment available on a personal
computer in order to provide access to it using a client/server approach.

● Desktop virtualization provides the same outcome as hardware virtualization but serves a
different purpose.

● Similarly to hardware virtualization, desktop virtualization makes a different system
accessible as though it were natively installed on the host, but this system is remotely
stored on a different host and accessed through a network connection.

● Moreover, desktop virtualization addresses the problem of making the same desktop
environment accessible from everywhere.

● Although the term desktop virtualization strictly refers to the ability to remotely access a
desktop environment, generally the desktop environment is stored in a remote server or a
data center that provides a high-availability infrastructure and ensures the accessibility and
persistence of the data.

● In this scenario, an infrastructure supporting hardware virtualization is fundamental to
provide access to multiple desktop environments hosted on the same server.

● A specific desktop environment is stored in a virtual machine image that is loaded and
started on demand when a client connects to the desktop environment.

● This is a typical cloud computing scenario in which the user leverages the virtual
infrastructure for performing the daily tasks on his computer.

● The advantages of desktop virtualization are high availability, persistence, accessibility,
and ease of management.

● The basic services for remotely accessing a desktop environment are implemented in
software components such as Windows Remote Services, VNC, and X Server.

● Infrastructures for desktop virtualization based on cloud computing solutions include Sun
Virtual Desktop Infrastructure (VDI), Parallels Virtual Desktop Infrastructure (VDI), Citrix
XenDesktop, and others.

Application server virtualization

● Application server virtualization abstracts a collection of application servers that provide
the same services as a single virtual application server by using load balancing strategies
and providing a high-availability infrastructure for the services hosted in the application
server.

● This is a particular form of virtualization and serves the same purpose as storage
virtualization: providing a better quality of service rather than emulating a different
environment.

Implementation Levels of Virtualization

● Virtualization is a computer architecture technology by which multiple virtual machines
(VMs) are multiplexed in the same hardware machine.

● The purpose of a VM is to enhance resource sharing by many users and improve
computer performance in terms of resource utilization and application flexibility.

● Hardware resources (CPU, memory, I/O devices) or software resources (operating
system and software libraries) can be virtualized in various functional layers.

● The idea is to separate the hardware from the software to yield better system efficiency. For
example, computer users gained access to a much enlarged memory space when the
concept of virtual memory was introduced.

● Similarly, virtualization techniques can be applied to enhance the use of compute
engines, networks and storage.

● With sufficient storage, any computer platform can be installed in another host computer, even if
they use processors with different instruction sets and run with distinct operating systems on
the same hardware.

Levels of virtualization implementation

● A traditional computer runs with a host operating system specially tailored for its
hardware architecture, as shown in Figure 2.7(a).

● After virtualization, different user applications managed by their own operating systems
(guest OS) can run on the same hardware, independent of the host OS. This is often
done by adding additional software, called a virtualization layer, as shown in Figure
2.7(b).

● This virtualization layer is known as the hypervisor or virtual machine monitor (VMM). The
VMs are shown in the upper boxes, where applications run with their own guest OS over the
virtualized CPU, memory, and I/O resources.

● The main function of the software layer for virtualization is to virtualize the physical
hardware of a host machine into virtual resources to be used by the VMs, exclusively.
This can be implemented at various operational levels, as we will discuss shortly.

● The virtualization software creates the abstraction of VMs by interposing a virtualization
layer at various levels of a computer system.

● Common virtualization layers include the instruction set architecture (ISA) level,
hardware level, operating system level, library support level, and application level.

Figure 2.7 (a) Traditional computer; (b) after virtualization.

Instruction set architecture level

● At the ISA level, virtualization is performed by emulating a given ISA with the ISA of the
host machine. For example, MIPS binary code can run on an x86-based host machine
with the help of ISA emulation.

● With this approach, it is possible to run a large amount of legacy binary code written for
various processors on any given new hardware host machine. Instruction set emulation
leads to virtual ISAs created on any hardware machine.

● The basic emulation method is code interpretation. An interpreter program
interprets the source instructions into target instructions one by one.

● One source instruction may require tens or hundreds of native target instructions to
perform its function. This process is relatively slow.

● For better performance, dynamic binary translation is desired. This approach translates
basic blocks of dynamic source instructions to target instructions.

● The basic blocks can also be extended to program traces or super blocks to increase
translation efficiency.

● Instruction set emulation requires binary translation and optimization.
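The interpretation and dynamic binary translation methods above, as an added example that is not part of the lecture notes: a made-up four-register source ISA is first interpreted one instruction at a time, then translated one basic block at a time into host functions held in a translation cache keyed by block start address. The sample program, the ISA and the statistics are constructed for this illustration.

```python
# Added illustration (not from the lecture notes): the same toy program run by
# (1) an interpreter that dispatches one source instruction at a time and
# (2) a dynamic binary translator that turns whole basic blocks into host
# functions and caches them. The 4-register "source ISA" is made up.

MASK32 = 0xFFFFFFFF

# Constructed sample program: sums 5+4+3+2+1 into r1.
SAMPLE_PROGRAM = [
    ("movi", 0, 5),      # 0: r0 = 5          (loop counter)
    ("movi", 1, 0),      # 1: r1 = 0          (accumulator)
    ("add", 1, 1, 0),    # 2: r1 = r1 + r0    <- loop head, a branch target
    ("subi", 0, 0, 1),   # 3: r0 = r0 - 1
    ("jnz", 0, 2),       # 4: if r0 != 0 goto 2
    ("halt",),           # 5
]


def step(instr, regs, pc):
    """Interpreter: execute one source instruction, return the next pc (None = halt)."""
    op = instr[0]
    if op == "movi":
        regs[instr[1]] = instr[2]
    elif op == "add":
        regs[instr[1]] = (regs[instr[2]] + regs[instr[3]]) & MASK32
    elif op == "subi":
        regs[instr[1]] = (regs[instr[2]] - instr[3]) & MASK32
    elif op == "jnz":
        return instr[2] if regs[instr[1]] != 0 else pc + 1
    elif op == "halt":
        return None
    else:
        raise ValueError(f"unknown opcode {op!r}")
    return pc + 1


def interpret(program):
    """Run one instruction at a time; return (registers, instructions executed)."""
    regs, pc, executed = [0, 0, 0, 0], 0, 0
    while pc is not None:
        pc = step(program[pc], regs, pc)
        executed += 1
    return regs, executed


def translate_block(program, start):
    """Translate the basic block starting at `start` (up to and including the next
    control transfer) into one host function. Closures stand in for emitted
    native code: the block runs with no per-instruction dispatch."""
    ops, pc = [], start
    while True:
        instr = program[pc]
        op = instr[0]
        if op == "movi":
            d, imm = instr[1], instr[2]
            ops.append(lambda r, d=d, imm=imm: r.__setitem__(d, imm))
        elif op == "add":
            d, a, b = instr[1:]
            ops.append(lambda r, d=d, a=a, b=b: r.__setitem__(d, (r[a] + r[b]) & MASK32))
        elif op == "subi":
            d, a, imm = instr[1:]
            ops.append(lambda r, d=d, a=a, imm=imm: r.__setitem__(d, (r[a] - imm) & MASK32))
        elif op == "jnz":
            cond, target, fall, body = instr[1], instr[2], pc + 1, tuple(ops)

            def block(r, body=body, cond=cond, target=target, fall=fall):
                for f in body:
                    f(r)
                return target if r[cond] != 0 else fall
            return block
        elif op == "halt":
            body = tuple(ops)

            def block(r, body=body):
                for f in body:
                    f(r)
                return None
            return block
        else:
            raise ValueError(f"unknown opcode {op!r}")
        pc += 1


def run_translated(program):
    """Run through a translation cache; a block is translated on its first execution
    only. Returns (registers, {"translations": n, "block_runs": m})."""
    regs, pc, cache = [0, 0, 0, 0], 0, {}
    stats = {"translations": 0, "block_runs": 0}
    while pc is not None:
        if pc not in cache:
            cache[pc] = translate_block(program, pc)
            stats["translations"] += 1
        stats["block_runs"] += 1
        pc = cache[pc](regs)
    return regs, stats


if __name__ == "__main__":
    print(interpret(SAMPLE_PROGRAM))       # ([0, 15, 0, 0], 18)
    print(run_translated(SAMPLE_PROGRAM))  # ([0, 15, 0, 0], {'translations': 3, 'block_runs': 6})
```

Both paths produce the same register state; the interpreter dispatches 18 times while the translator builds three blocks and runs them six times, which is why block-level translation (and, beyond it, traces and super blocks) pays off on loops.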

Figure 2.8 Virtualization ranging from hardware to applications in five abstraction levels
(top to bottom):

  Application level                          JVM / .NET CLR / Panot
  Library (user-level API) level             WINE / WABI / LxRun / Visual MainWin / vCUDA
  Operating system level                     Jail / VirtualEnv / Ensim's VPS / FVM
  Hardware abstraction layer (HAL) level     VMware / Virtual PC / Xen / L4
  Instruction set architecture (ISA) level   Bochs / Crusoe / QEMU / BIRD / Dynamo

Hardware abstraction level

● Hardware-level virtualization is performed right on top of the bare hardware. On the one hand,
this approach generates a virtual hardware environment for a VM. On the other hand,
the process manages the underlying hardware through virtualization.

● The idea is to virtualize a computer's resources, such as its processors, memory, and I/O
devices.

● The intention is to raise the hardware utilization rate by serving multiple users concurrently.

● The idea was implemented in the IBM VM/370 in the 1960s. The Xen hypervisor has been
applied to virtualize x86-based machines to run Linux or other guest OS applications.

Operating system level

● This refers to an abstraction layer between a traditional OS and user applications. OS-level
virtualization creates isolated containers on a single physical server and the OS instances
to utilize the hardware and software in data centers.

● The containers behave like real servers. OS-level virtualization is commonly used in
creating virtual hosting environments to allocate hardware resources among a large
number of mutually distrusting users.

● It is also used, to a lesser extent, in consolidating server hardware by moving services
on separate hosts into containers or VMs on one server.

● Operating system virtualization inserts a virtualization layer inside an operating system to
partition a machine's physical resources. It enables multiple isolated VMs within a single
operating system kernel.

● This kind of VM is often called a virtual execution environment (VE), Virtual Private
System (VPS), or simply a container.

● Compared to hardware-level virtualization, the benefits of OS extensions are twofold:

○ VMs at the operating system level have minimal startup/shutdown costs, low resource
requirements, and high scalability;
○ For an OS-level VM, it is possible for a VM and its host environment to synchronize state
changes when necessary.

● These benefits can be achieved via two mechanisms of OS-level virtualization:

○ All OS-level VMs on the same physical machine share a single operating system kernel;
○ The virtualization layer can be designed in a way that allows processes in VMs to
access as many resources of the host machine as possible, but never to modify them.

● Because every container shares the host kernel, a kernel vulnerability reachable from inside
one container is reachable from all of them; the isolation boundary is the kernel's
namespace and resource-control code, not a separate kernel as with a hypervisor.

● Virtualization support for the Linux platform

○ OpenVZ is an OS-level tool for Linux that creates isolated virtual environments
(containers) sharing the host kernel; the guests are therefore Linux user spaces, possibly
of different distributions, rather than arbitrary operating systems.

○ OpenVZ is an open source container-based virtualization solution built on Linux.
To support virtualization and isolation of various subsystems, limited resource
management, and checkpointing, OpenVZ modifies the Linux kernel.

Library support level

● Most applications use APIs exported by user-level libraries rather than using lengthy
system calls to the OS. Since most systems provide well-documented APIs, such an
interface becomes another candidate for virtualization.

● Virtualization with library interfaces is possible by controlling the communication link
between applications and the rest of a system through API hooks.

● The software tool WINE has implemented this approach to support Windows applications
on top of UNIX hosts. Another example is vCUDA, which allows applications
executing within VMs to leverage GPU hardware acceleration.

● Library-level virtualization is also known as user-level Application Binary Interface (ABI)
or API emulation.

● This type of virtualization can create execution environments for running alien programs on
a platform rather than creating a VM to run the entire operating system.

● API call interception and remapping are the key functions performed. WABI offers
middleware to convert Windows system calls to Solaris system calls.

● Lxrun is really a system call emulator that enables Linux applications written for x86
hosts to run on UNIX systems.

● Similarly, Wine offers library support for running Windows applications on UNIX hosts:
it reimplements the Win32 API rather than emulating the x86 processor.

● Visual MainWin offers a compiler support system to develop Windows applications using
Visual Studio to run on some UNIX hosts.

● vCUDA for virtualization of general-purpose GPUs: CUDA is a programming model
and library for general-purpose GPUs. It leverages the high performance of GPUs to run
compute-intensive applications on host operating systems. However, it is difficult to run
CUDA applications on hardware-level VMs directly.

● vCUDA virtualizes the CUDA library and can be installed on guest OSes. When CUDA
applications run on a guest OS and issue a call to the CUDA API, vCUDA intercepts the
call and redirects it to the CUDA API running on the host OS.

User application level

● Virtualization at the application level virtualizes an application as a VM.

● On a traditional OS, an application often runs as a process. Therefore, application-level
virtualization is also known as process-level virtualization. The most popular approach is
to deploy high-level language (HLL) VMs.

● In this scenario, the virtualization layer sits as an application program on top of the
operating system, and the layer exports an abstraction of a VM that can run programs
written and compiled to a particular abstract machine definition.

● Any program written in the HLL and compiled for this VM will be able to run on it. The
Microsoft .NET CLR and the Java Virtual Machine (JVM) are two good examples of this class of VM.

● Other forms of application-level virtualization are known as application isolation,
application sandboxing, or application streaming.

● The process involves wrapping the application in a layer that is isolated from the host OS
and other applications. The result is an application that is much easier to distribute and
remove from user workstations.

● An example is the LANDesk application virtualization platform, which deploys software
applications as self-contained executable files in an isolated environment without
requiring installation, system modifications or elevated security privileges.

Relative merits of different approaches

Level of implementation          Higher performance   Application flexibility   Implementation complexity   Application isolation
Instruction set architecture     Very low             Very high                 Moderate                    Moderate
Hardware-level virtualization    Very high            Moderate                  Very high                   High
OS-level virtualization          Very high            Low                       Moderate                    Low
Library support level            Moderate             Low                       Low                         Low
User application level           Low                  Low                       Very high                   Very high

Table 2.1 Relative merits of virtualization at various levels
Virtualization Structures, Tools and Mechanisms

● In general, there are three typical classes of VM architecture.

● The virtualization layer is responsible for converting portions of the real hardware into
virtual hardware.

● Therefore, different operating systems such as Linux and Windows can run on the same
physical machine simultaneously.

● Depending on the position of the virtualization layer, there are several classes of VM
architectures, namely the hypervisor architecture, paravirtualization and host-based
virtualization.

● The hypervisor is also known as the VMM (Virtual Machine Monitor). Both terms refer to
the same virtualization layer.

Hypervisor and Xen architecture

● The hypervisor supports hardware-level virtualization on bare-metal devices like CPU,
memory, disk and network interfaces.

● The hypervisor software sits directly between the physical hardware and the guest OSes.
This virtualization layer is referred to as either the VMM or the hypervisor.

● The hypervisor provides hypercalls for the guest OSes and applications.

● Depending on the functionality, a hypervisor can assume a micro-kernel architecture like
Microsoft Hyper-V.

● It can assume a monolithic hypervisor architecture like VMware ESX for server
virtualization.

● A micro-kernel hypervisor includes only the basic and unchanging functions (such as
physical memory management and processor scheduling).

● The device drivers and other changeable components are outside the hypervisor.

● A monolithic hypervisor implements all the aforementioned functions, including those of
the device drivers. Therefore, the hypervisor code of a micro-kernel hypervisor is smaller
than that of a monolithic hypervisor.

● Essentially, a hypervisor must be able to convert physical devices into virtual resources
dedicated for the deployed VM to use.

Xen architecture

● Xen is an open source hypervisor program developed by Cambridge University.

● Xen is a micro-kernel hypervisor, which separates the policy from the mechanism.

● The Xen hypervisor implements all the mechanisms, leaving the policy to be handled by
Domain 0. Figure 2.9 shows the architecture of the Xen hypervisor.

● Xen does not include any device drivers natively. It just provides a mechanism by which a
guest OS can have direct access to the physical devices.

● As a result, the size of the Xen hypervisor is kept rather small.

● Xen provides a virtual environment located between the hardware and the OS.
Figure 2.9 Xen architecture: Domain 0 (control and I/O) and a guest domain (user
applications), each running its own applications, sit on top of Xen, which sits on the
hardware devices.

● The core components of a Xen system are the hypervisor, kernel, and applications.

● The organization of the three components is important.

● Like other virtualization systems, many guest OSes can run on top of the hypervisor.

● However, not all guest OSes are created equal, and one in particular controls the others.

● The guest OS which has control ability is called Domain 0, and the others are called
Domain U.

● Domain 0 is a privileged guest OS of Xen. It is first loaded when Xen boots, without any
file system drivers being available.

● Domain 0 is designed to access hardware directly and manage devices. Therefore, one of
the responsibilities of Domain 0 is to allocate and map hardware resources for the guest
domains (the Domain U domains).

● For example, Domain 0 typically runs a Linux kernel, and its security level is C2. This
management VM has the privilege to manage the other VMs implemented on the
same host.

● If Domain 0 is compromised, the attacker controls the entire system, since every guest's
memory, disk and network traffic is mapped or forwarded by Domain 0. So, in a VM
system, security policies are needed to harden Domain 0 (minimal services, no untrusted
workloads, restricted management access).

● Domain 0, behaving as a VMM, allows users to create, copy, save, read, modify, share,
migrate and roll back VMs as easily as manipulating a file, which flexibly provides
tremendous benefits for users.

Binary translation with full virtualization

● Depending on implementation technologies, hardware virtualization can be classified into
two categories: full virtualization and host-based virtualization.

● Full virtualization does not need to modify the guest OS. It relies on binary translation to
trap and to virtualize the execution of certain sensitive, non-virtualizable instructions.

● The guest OSes and their applications consist of noncritical and critical instructions.

● In a host-based system, both a host OS and a guest OS are used.

● A virtualization software layer is built between the host OS and the guest OS.

● With full virtualization, noncritical instructions run on the hardware directly while critical
instructions are discovered and replaced with traps into the VMM to be emulated by
software.

● Both the hypervisor and VMM approaches are considered full virtualization.

● The VMM scans the instruction stream and identifies the privileged, control-sensitive and
behavior-sensitive instructions. When these instructions are identified, they are trapped into
the VMM, which emulates the behavior of these instructions.

● The method used in this emulation is called binary translation.

● Full virtualization combines binary translation and direct execution.

● An alternative VM architecture is to install a virtualization layer on top of the host OS.

● This host OS is still responsible for managing the hardware.

● The guest OSes are installed and run on top of the virtualization layer. Dedicated
applications may run on the VMs. Certainly, some other applications can also run with
the host OS directly.

● Host-based architecture has some distinct advantages, as enumerated next.

○ First, the user can install this VM architecture without modifying the host OS.
○ Second, the host-based approach appeals to many host machine configurations.

Paravirtualization with compiler support

● When an x86 processor is virtualized, a virtualization layer is inserted between the hardware
and the OS.

● According to the x86 ring definitions, the virtualization layer should also be installed at
Ring 0, where the guest OS expects to run. Different instructions at Ring 0 may cause some
problems.

● Although paravirtualization reduces the overhead, it has incurred other problems.

○ First, its compatibility and portability may be in doubt, because it must support the
unmodified OS as well.
○ Second, the cost of maintaining paravirtualized OSes is high, because they may
require deep OS kernel modifications.
○ Finally, the performance advantage of paravirtualization varies greatly due to
workload variations.

● Compared with full virtualization, paravirtualization is relatively easy and more practical.
The main problem in full virtualization is its low performance in binary translation.

● KVM is a Linux kernel virtualization module that relies on hardware-assisted virtualization
(Intel VT-x or AMD-V). It has been part of the Linux kernel since version 2.6.20.

● In KVM, memory management and scheduling activities are carried out by the existing
Linux kernel.

● KVM does the rest, which makes it simpler than a hypervisor that controls the
entire machine.

● KVM combines hardware-assisted CPU virtualization with paravirtualized I/O (VirtIO), which
improves performance and supports unmodified guest OSes such as Windows, Linux, Solaris,
and other UNIX variants.

● Unlike the full virtualization architecture, which intercepts and emulates privileged and
sensitive instructions at runtime, paravirtualization handles these instructions at compile
time.

● The guest OS kernel is modified to replace the privileged and sensitive instructions with
hypercalls to the hypervisor or VMM. Xen assumes such a paravirtualization architecture.

● The guest OS running in a guest domain may run at Ring 1 instead of at Ring 0. This
implies that the guest OS may not be able to execute some privileged and sensitive
instructions. The privileged instructions are implemented by hypercalls to the hypervisor.
Virtualization of CPU, Memory and I/O Devices

● To support virtualization, processors such as the x86 employ a special running mode and
instructions known as hardware-assisted virtualization.

● For the x86 architecture, Intel and AMD have proprietary technologies for hardware-
assisted virtualization.

Hardware support for virtualization

● Modern operating systems and processors permit multiple processes to run
simultaneously. If there is no protection mechanism in a processor, all instructions from
different processes will access the hardware directly and cause a system crash.

● All processors have at least two modes, user mode and supervisor mode, to ensure
controlled access to critical hardware.

● Instructions running in supervisor mode are called privileged instructions. Other
instructions are unprivileged instructions.

● In a virtualized environment, it is more difficult to make OSes and applications run
correctly because there are more layers in the machine stack.

● At the time of this writing, many hardware virtualization products were available.

● VMware Workstation is a VM software suite for x86 and x86-64 computers.

● This software suite allows users to set up multiple x86 and x86-64 virtual computers and to
use one or more of these VMs simultaneously with the host operating system.

● VMware Workstation assumes host-based virtualization.

● Xen is a hypervisor for use on IA-32, x86-64, Itanium and PowerPC 970 hosts.

● One or more guest OSes can run on top of the hypervisor.

● KVM is a Linux kernel virtualization infrastructure.

● KVM can support hardware-assisted virtualization and paravirtualization by using
Intel VT-x or AMD-V and the VirtIO framework, respectively.

● The VirtIO framework includes a paravirtual Ethernet card, a disk I/O controller, a
balloon device for adjusting guest memory usage and a VGA graphics interface using
VMware drivers.

CPU virtualization

● A VM is a duplicate of an existing computer system in which a majority of the VM
instructions are executed on the host processor in native mode.

● The unprivileged instructions of VMs run directly on the host machine for higher
efficiency.

● The critical instructions are divided into three categories: privileged instructions, control-
sensitive instructions, and behavior-sensitive instructions.

● Privileged instructions execute in a privileged mode and will be trapped if executed
outside this mode.

● Control-sensitive instructions attempt to change the configuration of resources used.

● Behavior-sensitive instructions have different behaviors depending on the configuration
of resources, including the load and store operations over the virtual memory.

● A CPU architecture is virtualizable if it supports the ability to run the VM's privileged and
unprivileged instructions in the CPU's user mode while the VMM runs in supervisor mode.

● When the VM executes privileged instructions, including the control- and behavior-sensitive
ones, they are trapped into the VMM, which emulates them.

● RISC CPU architectures can be naturally virtualized because all control- and behavior-
sensitive instructions are privileged instructions.

● The x86 CPU architecture was not primarily designed to support virtualization: some
sensitive instructions are unprivileged and execute silently in user mode instead of trapping.
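The instruction classification above, together with the binary-translation scheme described under "Binary translation with full virtualization", as an added example that is not from the lecture notes: a Popek-Goldberg check that reports which sensitive instructions fail to trap, and a translation pass that patches exactly those instructions with explicit entries into the VMM. The two instruction tables are simplified stand-ins (the x86-like one models POPF, SGDT and pushing CS, which are sensitive but unprivileged on pre-VT-x x86); they are not complete descriptions of any ISA.

```python
# Added illustration (not from the lecture notes): the Popek-Goldberg test for
# trap-and-emulate virtualizability and the binary-translation pass a VMM applies
# when the test fails. Both instruction tables are constructed, simplified models.
from dataclasses import dataclass


@dataclass(frozen=True)
class Insn:
    name: str
    privileged: bool          # traps when executed outside supervisor mode
    control_sensitive: bool   # changes the configuration of system resources
    behavior_sensitive: bool  # result depends on privilege level or resource state

    @property
    def sensitive(self):
        return self.control_sensitive or self.behavior_sensitive


# Constructed "RISC-like" table: every sensitive instruction is also privileged.
RISC_LIKE = [
    Insn("add", False, False, False),
    Insn("load", False, False, False),
    Insn("store", False, False, False),
    Insn("set_page_table_base", True, True, False),
    Insn("set_interrupt_mask", True, True, False),
    Insn("read_privilege_level", True, False, True),
]

# Constructed "x86-like" table: POPF silently drops the interrupt-flag change in
# user mode, SGDT reads the GDT register, and pushing CS exposes the current
# privilege level. None of them traps, so a deprivileged guest kernel runs them
# with the wrong semantics and nothing tells the VMM.
X86_LIKE = [
    Insn("mov", False, False, False),
    Insn("add", False, False, False),
    Insn("cli", True, True, False),
    Insn("lgdt", True, True, False),
    Insn("popf", False, True, True),
    Insn("sgdt", False, False, True),
    Insn("push_cs", False, False, True),
]


def non_trapping_sensitive(isa):
    """Names of sensitive instructions that do not trap: what trap-and-emulate misses."""
    return [i.name for i in isa if i.sensitive and not i.privileged]


def is_trap_and_emulate_virtualizable(isa):
    """Popek & Goldberg: the ISA is virtualizable by trap-and-emulate when the set
    of sensitive instructions is a subset of the privileged instructions."""
    return not non_trapping_sensitive(isa)


def binary_translate(block, isa):
    """Full virtualization with binary translation: scan a basic block and replace
    each non-trapping sensitive instruction with an explicit entry into the VMM.
    Everything else is left for direct execution (privileged instructions trap on
    their own). Returns (translated block, number of patched instructions)."""
    table = {i.name: i for i in isa}
    out, patched = [], 0
    for name in block:
        insn = table[name]
        if insn.sensitive and not insn.privileged:
            out.append(f"vmm_emulate({name})")
            patched += 1
        else:
            out.append(name)
    return out, patched


if __name__ == "__main__":
    print(is_trap_and_emulate_virtualizable(RISC_LIKE))   # True
    print(non_trapping_sensitive(X86_LIKE))               # ['popf', 'sgdt', 'push_cs']
    print(binary_translate(["mov", "popf", "add", "cli", "sgdt"], X86_LIKE))
```

Hardware-assisted virtualization (next section) removes the need for the translation pass: with the hypervisor in its own mode below Ring 0, the processor itself traps the whole sensitive set, so `non_trapping_sensitive` becomes empty for x86 as well.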

Hardware-assisted CPU virtualization

● This technique attempts to simplify virtualization because full or paravirtualization is
complicated.

● Intel (VT-x) and AMD (AMD-V) add an additional privilege level to x86 processors, informally
called Ring -1 because it sits below Ring 0.

● Therefore, guest operating systems can still run at Ring 0, unmodified, while the hypervisor
runs at Ring -1.

● All the privileged and sensitive instructions are trapped in the hypervisor automatically.

● This technique removes the difficulty of implementing the binary translation of full
virtualization.

● It also lets the operating system run in VMs without modification.

Memory virtualization

● Virtual memory virtualization is similar to the virtual memory support provided by modern
operating systems.

● In a traditional execution environment, the operating system maintains mappings of
virtual memory to machine memory using page tables, which is a one-stage mapping
from virtual memory to machine memory.

● All modern x86 CPUs include a memory management unit (MMU) and a translation
lookaside buffer (TLB) to optimize virtual memory performance.

● However, in a virtual execution environment, virtual memory virtualization involves
sharing the physical system memory in RAM and dynamically allocating it to the physical
memory of the VMs.

● That means a two-stage mapping process should be maintained by the guest OS and the
VMM, respectively: virtual memory to physical memory and physical memory to machine
memory.

● MMU virtualization should be supported, which is transparent to the guest OS.

● The guest OS continues to control the mapping of virtual addresses to the physical
memory addresses of the VMs.

● But the guest OS cannot directly access the actual machine memory.

● The VMM is responsible for mapping the guest physical memory to the actual machine
memory.

● Since each page table of the guest OSes has a separate page table in the VMM
corresponding to it, the VMM page table is called the shadow page table.

● Nested page tables add another layer of indirection to virtual memory.

● The MMU already handles virtual-to-physical translations as defined by the OS. Then the
physical memory addresses are translated to machine addresses using another set of
page tables defined by the hypervisor.

● VMware uses shadow page tables to perform virtual-memory-to-machine-memory
address translation.

● Processors use TLB hardware to map the virtual memory directly to the machine
memory to avoid the two levels of translation on every access.

● When the guest OS changes the virtual memory to physical memory mapping, the
VMM updates the shadow page tables to enable a direct lookup.

● The AMD Barcelona processor has featured hardware-assisted memory virtualization
since 2007.

● It provides hardware assistance to the two-stage address translation in a virtual
execution environment by using a technology called nested paging.
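The two-stage mapping above, as an added example that is not part of the lecture notes: the guest's page table, the VMM's table, a shadow table composed from the two and refreshed when the guest changes a mapping, and a nested two-dimensional walk. Page numbers and addresses are made up. The point to note is the fault raised when the guest maps a guest-physical page the VMM never gave it: that second-level check is what keeps one VM out of another VM's memory.

```python
# Added illustration (not from the lecture notes) of two-stage address
# translation in a VM. The guest OS maintains GVA -> GPA (guest virtual to
# guest physical), the VMM maintains GPA -> HPA (guest physical to machine), and
# either a VMM-built shadow table or hardware nested paging composes the two.
# Page numbers are constructed for the example; pages are 4 KiB.
PAGE = 4096


class PageFault(Exception):
    """Raised where real hardware would deliver a page fault or an EPT/NPT violation."""


def build_shadow(guest_pt, vmm_pt):
    """Shadow page table: compose GVA->GPA with GPA->HPA ahead of time so the MMU
    and TLB resolve a guest access with one lookup. Guest entries that point at
    guest-physical pages the VMM never allocated get no shadow entry at all."""
    return {gvpn: vmm_pt[gppn] for gvpn, gppn in guest_pt.items() if gppn in vmm_pt}


def guest_writes_pte(guest_pt, vmm_pt, shadow, gvpn, gppn):
    """The VMM traps the guest's page-table write (shadow paging) and refreshes
    the matching shadow entry, or removes it if the target page is not the VM's."""
    guest_pt[gvpn] = gppn
    if gppn in vmm_pt:
        shadow[gvpn] = vmm_pt[gppn]
    else:
        shadow.pop(gvpn, None)


def shadow_translate(shadow, gva):
    """Single-level lookup: guest virtual address -> machine address."""
    vpn, off = divmod(gva, PAGE)
    if vpn not in shadow:
        raise PageFault(f"no shadow entry for GVA {gva:#x}")
    return shadow[vpn] * PAGE + off


def nested_translate(guest_pt, vmm_pt, gva):
    """Nested (two-dimensional) walk performed by hardware on a TLB miss.
    Returns (machine address, number of page-table lookups performed)."""
    vpn, off = divmod(gva, PAGE)
    if vpn not in guest_pt:
        raise PageFault(f"guest page table miss for GVA {gva:#x}")
    gppn = guest_pt[vpn]
    if gppn not in vmm_pt:
        # Second-level table: the guest may point anywhere it likes, but only
        # pages the VMM mapped for this VM translate.
        raise PageFault(f"second-level violation for guest page {gppn:#x}")
    return vmm_pt[gppn] * PAGE + off, 2


def translates(fn, *args):
    """Helper: True if the translation succeeds, False if it faults."""
    try:
        fn(*args)
        return True
    except PageFault:
        return False


if __name__ == "__main__":
    guest_pt = {0x10: 0x3}            # guest maps its virtual page 0x10 to its physical page 3
    vmm_pt = {0x3: 0x7A, 0x4: 0x7B}   # VMM backed this VM with machine pages 0x7A and 0x7B
    shadow = build_shadow(guest_pt, vmm_pt)
    print(hex(shadow_translate(shadow, 0x10123)))            # 0x7a123
    print(nested_translate(guest_pt, vmm_pt, 0x10123))       # (500003, 2)
    guest_writes_pte(guest_pt, vmm_pt, shadow, 0x12, 0x99)   # page 0x99 was never given to this VM
    print(translates(shadow_translate, shadow, 0x12000))     # False
```

With shadow paging the VMM pays at every guest page-table update (the trap in `guest_writes_pte`) so that each access costs one lookup; with nested paging the update is free but a TLB miss costs the two-table walk that `nested_translate` counts.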

I/O virtualization

● I/O virtualization involves managing the routing of I/O requests between virtual devices
and the shared physical hardware.

● There are three ways to implement I/O virtualization: full device emulation,
paravirtualization, and direct I/O.

● Full device emulation is the first approach for I/O virtualization. Generally, this approach
emulates well-known, real-world devices.

● All the functions of a device or bus infrastructure, such as device enumeration,
identification, interrupts, and DMA, are replicated in software.

● This software is located in the VMM and acts as a virtual device.

● The I/O access requests of the guest OS are trapped in the VMM, which interacts with the
I/O devices.

● A single hardware device can be shared by multiple VMs that run concurrently. However,
software emulation runs much slower than the hardware it emulates.

Figure 2.10 Device emulation for I/O virtualization: the guest OS and its guest device
driver sit above the virtualization layer, which holds the virtual hardware, the device
emulation, the I/O stack and the real device driver, above the physical hardware.

● The paravirtualization method of I/O virtualization is typically used in Xen. It is also
known as the split driver model, consisting of a frontend driver and a backend driver.

● The frontend driver runs in Domain U and the backend driver runs in Domain 0.
They interact with each other via a block of shared memory.

● The frontend driver manages the I/O requests of the guest OSes and the backend driver
is responsible for managing the real I/O devices and multiplexing the I/O data of different
VMs.

● Paravirtualized I/O achieves better device performance than full device emulation, but it
comes with a higher CPU overhead.

● Direct I/O virtualization lets the VM access devices directly. It can achieve close-to-
native performance without high CPU costs.

● However, current direct I/O virtualization implementations focus on networking for
mainframes. There are a lot of challenges for commodity hardware devices.

● For example, when a physical device is reclaimed (required by workload migration) for
later reassignment, it may have been set to an arbitrary state (e.g., DMA to some
arbitrary memory locations) that can function incorrectly or even crash the whole system.

● Since software-based I/O virtualization requires a very high overhead of device
emulation, hardware-assisted I/O virtualization is critical.

● Intel VT-d supports the remapping of I/O DMA transfers and device-generated interrupts. The
architecture of VT-d provides the flexibility to support multiple usage models that may
run unmodified, special-purpose, or "virtualization-aware" guest OSes.
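
The reclaim-and-reassign hazard and the DMA remapping that addresses it, as an added example that is not part of the lecture notes: a toy IOMMU with per-domain I/O page tables, plus a constructed scenario in which a device still holding stale DMA programming is moved from one VM to another. Device name, page numbers and the scenario are made up; the structure (device to domain, domain to I/O page table) follows what VT-d provides, but this is not VT-d's actual data structure layout.

```python
# Added illustration (not from the lecture notes) of DMA remapping for direct
# I/O: a device can only reach machine pages mapped in the domain it is
# currently assigned to, whatever address the device itself was programmed with.
# Device id, page numbers and the scenario are constructed for the example.
PAGE = 4096


class DmaFault(Exception):
    """Raised where the IOMMU would block the transfer and log a fault."""


class Iommu:
    def __init__(self):
        self.domains = {}         # domain id -> {I/O virtual page: machine page}
        self.device_domain = {}   # device id -> domain id

    def attach(self, device, domain):
        self.domains.setdefault(domain, {})
        self.device_domain[device] = domain

    def map_page(self, domain, iovpn, mpn):
        self.domains[domain][iovpn] = mpn

    def detach(self, device):
        """Reclaim a device: its translations stop applying at once, regardless of
        whatever state the device's own registers or queues are still in."""
        self.device_domain.pop(device, None)

    def translate(self, device, iova):
        """Remap a device-issued DMA address to a machine address, or fault."""
        if device not in self.device_domain:
            raise DmaFault(f"{device}: not assigned to any domain")
        vpn, off = divmod(iova, PAGE)
        table = self.domains[self.device_domain[device]]
        if vpn not in table:
            raise DmaFault(f"{device}: IOVA {iova:#x} not mapped in its domain")
        return table[vpn] * PAGE + off


def stale_dma_target(use_iommu):
    """Constructed scenario: a NIC assigned to VM A is reclaimed (say, for
    migration) and reassigned to VM B while its old DMA programming still refers
    to VM A's former buffer. Returns the VM whose memory the stale DMA hits, or
    "fault" if the IOMMU blocked it."""
    page_owner = {0x50: "vmA", 0x60: "vmB"}
    iommu = Iommu()
    iommu.attach("nic0", "domA")
    iommu.map_page("domA", 0x1, 0x50)       # VM A's receive buffer at IOVA 0x1000
    stale_iova = 0x1000
    stale_machine_addr = 0x50 * PAGE        # what the device holds without remapping

    # Reclaim: the VMM detaches the device and hands page 0x50 to VM B.
    iommu.detach("nic0")
    page_owner[0x50] = "vmB"
    iommu.attach("nic0", "domB")
    iommu.map_page("domB", 0x2, 0x60)       # VM B's own buffer at IOVA 0x2000

    if use_iommu:
        try:
            addr = iommu.translate("nic0", stale_iova)
        except DmaFault:
            return "fault"
    else:
        addr = stale_machine_addr           # no remapping: the write lands wherever the device says
    return page_owner[addr // PAGE]


if __name__ == "__main__":
    print(stale_dma_target(use_iommu=False))   # vmB  (stale DMA corrupts another VM's memory)
    print(stale_dma_target(use_iommu=True))    # fault
```

Without remapping, the device's leftover state writes into memory that now belongs to VM B, which is the "arbitrary state" problem the text describes; with the IOMMU in the path, the stale transfer hits no mapping in the new domain and is dropped with a fault the VMM can log.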

● Another way to help I/O virtualization is via self-virtualized I/O (SV-IO).

● The key idea of SV-IO is to harness the rich resources of a multicore processor. All tasks
associated with virtualizing an I/O device are encapsulated in SV-IO.

● It provides virtual devices and an associated access API to VMs and a management API
to the VMM.

● SV-IO defines one virtual interface (VIF) for every kind of virtualized I/O device, such as
virtual network interfaces, virtual block devices (disk), virtual camera devices,
Virtualization in multi-core processors

● Virtualizing a multi-core processor is relatively more complicated than virtualizing a uni-
core processor.

● Multi-core virtualization has raised some new challenges to computer architects, compiler
constructors, system designers, and application programmers.

● There are mainly two difficulties: application programs must be parallelized to use all
cores fully, and software must explicitly assign tasks to the cores, which is a very
complex problem.

○ For the first challenge, new programming models, languages, and libraries are
needed to make parallel programming easier.
○ The second challenge has spawned research involving scheduling algorithms
and resource management policies.

● Dynamic heterogeneity is emerging to mix fat CPU cores and thin GPU cores on the
same chip, which further complicates multi-core or many-core resource management.

● The dynamic heterogeneity of hardware infrastructure mainly comes from less reliable
transistors and increased complexity in using the transistors.

Physical versus virtual processor cores

● A multicore virtualization method has been proposed that allows hardware designers to get
an abstraction of the low-level details of the processor cores.

● This technique alleviates the burden and inefficiency of managing hardware resources by
software.

● It is located under the ISA and remains unmodified by the operating system or VMM
(hypervisor).

Figure 2.11 Multicore virtualization method: guest VMs and system software see virtual
cores V0, V1, V3, which the chip maps onto physical cores C0, C1, C3.

● Figure 2.11 illustrates the technique of a software-visible VCPU moving from one core to
another and temporarily suspending execution of a VCPU when there are no appropriate
cores on which it can run.

Virtual hierarchy

● The emerging many-core chip multiprocessors (CMPs) provide a new computing landscape.

● Instead of supporting time-sharing jobs on one or a few cores, we can use the abundant cores in a space-sharing manner, where single-threaded or multithreaded jobs are simultaneously assigned to separate groups of cores for long time intervals.

● To optimize for space-shared workloads, virtual hierarchies are proposed to overlay a coherence and caching hierarchy onto a physical processor.

● A virtual hierarchy is a cache hierarchy that can adapt to fit the workload or mix of workloads.

● The hierarchy's first level locates data blocks close to the cores needing them for faster access, establishes a shared-cache domain and establishes a point of coherence for faster communication.
● When a miss leaves a tile, it first attempts to locate the block (or sharers) within the first level. The first level can also provide isolation between independent workloads. A miss at the L1 cache can invoke the L2 access.

● Space sharing is applied to assign three workloads to three clusters of virtual cores:

○ Namely VM0 and VM3 for the database workload, VM1 and VM2 for the web server workload and VM4–VM7 for the middleware workload.

● Each VM operates in an isolated fashion at the first level. This will minimize both miss access time and performance interference with other workloads or VMs.

● The shared resources of cache capacity, interconnect links, and miss handling are mostly isolated between VMs. The second level maintains a globally shared memory.

● This facilitates dynamically repartitioning resources without costly cache flushes. A virtual hierarchy adapts to space-shared workloads like multiprogramming and server consolidation.

Virtualization Support and Disaster Recovery

● One very distinguishing feature of cloud computing infrastructure is the use of system virtualization and the modification to provisioning tools.

● Virtualization of servers on a shared cluster can consolidate web services.

● In cloud computing, virtualization also means the resources and fundamental infrastructure are virtualized.
● The user will not care about the computing resources that are used for providing the services.

● Cloud users do not need to know and have no way to discover the physical resources that are involved while processing a service request.

● In addition, application developers do not care about some infrastructure issues such as scalability and fault tolerance. Application developers focus on service logic.

Figure 2.12 Virtualized servers, storage, and network for cloud platform construction (infrastructure services: mirror management, user management, system management, account billing and system provisioning; a virtualized infrastructure run by a virtualized integrated manager for load management, resource deployment, security management, resource provisioning and data management; a black-box virtual solution with VM agents beside white-box VM management; virtualized platforms underneath)

● In many cloud computing systems, virtualization software is used to virtualize the hardware.

● System virtualization software is a special kind of software which simulates the execution of hardware and runs even unmodified operating systems.
● Cloud computing systems use virtualization software as the running environment for legacy software such as old operating systems and unusual applications.

Hardware Virtualization

● Virtualization software is also used as the platform for developing new cloud applications that enable developers to use any operating systems and programming environments they like.

● The development environment and deployment environment can now be the same, which eliminates some runtime problems.

● VMs provide flexible runtime services to free users from worrying about the system environment.

● Using VMs in a cloud computing platform ensures extreme flexibility for users. As the computing resources are shared by many users, a method is required to maximize the users' privileges and still keep them separated safely.

● Traditional sharing of cluster resources depends on the user and group mechanism on a system.

○ Such sharing is not flexible.
○ Users cannot customize the system for their special purposes.
○ Operating systems cannot be changed.
○ The separation is not complete.

● An environment that meets one user's requirements often cannot satisfy another user. Virtualization allows us to have full privileges while keeping them separate.
● Users have full access to their own VMs, which are completely separate from other users' VMs.

● Multiple VMs can be mounted on the same physical server. Different VMs may run with different OSes.

● The virtualized resources form a resource pool.

● The virtualization is carried out by special servers dedicated to generating the virtualized resource pool.

● The virtualized infrastructure (black box in the middle) is built with many virtualizing integration managers.

● These managers handle loads, resources, security, data, and provisioning functions.

Figure 2.12 shows two VM platforms.

● Each platform carries out a virtual solution to a user job. All cloud services are managed in the boxes at the top.

Figure 2.13 Conventional disaster recovery scheme versus live migration of VMs (top timeline, physical machine: install hardware, configure hardware, install OS, configure OS, install backup agent, restore configuration, start data recovery; bottom timeline, VM: automatic recovery)
Virtualization Support in Public Clouds

● AWS provides extreme flexibility (VMs) for users to execute their own applications.

● GAE provides limited application-level virtualization for users to build applications only based on the services that are created by Google.

● Microsoft provides programming-level virtualization (.NET virtualization) for users to build their applications.

● The VMware tools apply to workstations, servers, and virtual infrastructure.

● The Microsoft tools are used on PCs and some special servers.

● The XenEnterprise tool applies only to Xen-based servers.

Virtualization for IaaS

● VM technology has increased in ubiquity.

● This has enabled users to create customized environments atop physical infrastructure for cloud computing.

● Use of VMs in clouds has the following distinct benefits:

○ System administrators consolidate workloads of underutilized servers in fewer servers.
○ VMs have the ability to run legacy code without interfering with other APIs.
○ VMs can be used to improve security through creation of sandboxes for running applications with questionable reliability.
○ Virtualized cloud platforms can apply performance isolation, letting providers offer some guarantees and better QoS to customer applications.

VM Cloning for Disaster Recovery

● VM technology requires an advanced disaster recovery scheme.

○ One scheme is to recover one physical machine by another physical machine.
○ The second scheme is to recover one VM by another VM.

● As shown in the top timeline of Figure 2.13, traditional disaster recovery from one physical machine to another is rather slow, complex, and expensive.

● Total recovery time is attributed to the hardware configuration, installing and configuring the OS, installing the backup agents, and the long time to restart the physical machine.

● To recover a VM platform, the installation and configuration times for the OS and backup agents are eliminated.

● Virtualization aids in fast disaster recovery by VM encapsulation.

● The cloning of VMs offers an effective solution.

● The idea is to make a clone VM on a remote server for every running VM on a local server.

● Among all the clone VMs, only one needs to be active.

● The remote VM should be in a suspended mode.
● A cloud control center should be able to activate this clone VM in case of failure of the original VM, taking a snapshot of the VM to enable live migration in a minimal amount of time.

● The migrated VM can run on a shared Internet connection. Only updated data and modified states are sent to the suspended VM to update its state.

● The Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are affected by the number of snapshots taken.

● Security of the VMs should be enforced during live migration of VMs.
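
The VM-cloning scheme above, modelled as an added example that is not from the notes or the textbook: a primary VM ships state deltas to a suspended clone on a remote server and the control center activates the clone on failure, with the result set beside the serial timeline of Figure 2.13. The link, dirty-state and merge rates, the resume time, the conventional step durations, and the rule that staged deltas are merged into the clone image only at activation are all constructed assumptions.

```python
"""Added example, not part of the lecture notes: a small model of the
VM-cloning disaster-recovery scheme, compared with the serial physical-machine
timeline of Figure 2.13.

Assumptions (not stated in the notes): the primary VM ships a delta of its
modified state every `interval` seconds; a delta whose transfer has not
finished when the primary fails is unusable; the remote server stages received
deltas and merges them into the suspended clone image only when the control
center activates it.  All durations, rates and sizes are constructed values.
"""
from dataclasses import dataclass

# Constructed step durations (seconds) for the conventional scheme, in the
# order of the top timeline of Figure 2.13.
CONVENTIONAL_STEPS = {
    "install hardware": 3600,
    "configure hardware": 1800,
    "install OS": 2400,
    "configure OS": 1200,
    "install backup agent": 600,
    "restore configuration": 900,
    "start data recovery": 1800,
}


def conventional_rto(steps=CONVENTIONAL_STEPS):
    """Conventional recovery: every step runs after the previous one."""
    return sum(steps.values())


@dataclass(frozen=True)
class CloneRecovery:
    rpo: float              # seconds of primary-VM state that are lost
    rto: float              # seconds until the activated clone is serving
    snapshots_taken: int    # deltas the primary produced before failing
    snapshots_usable: int   # deltas that fully reached the remote server
    mb_shipped: float       # snapshot traffic sent over the shared link


def clone_recovery(interval, fail_at, dirty_mb_per_s, link_mb_per_s,
                   resume_time, merge_mb_per_s, per_snapshot_mb=0.0):
    """interval        seconds between deltas; the clone is made at t = 0
    fail_at         second at which the primary VM fails
    dirty_mb_per_s  MB of VM state modified per second (sizes each delta)
    link_mb_per_s   bandwidth of the shared link to the remote server
    resume_time     seconds the control center needs to resume the clone
    merge_mb_per_s  rate at which staged deltas are merged into the clone
    per_snapshot_mb fixed cost of every delta (headers, metadata)
    """
    if interval <= 0 or fail_at < 0:
        raise ValueError("interval must be positive and fail_at non-negative")
    delta_mb = dirty_mb_per_s * interval + per_snapshot_mb
    transfer = delta_mb / link_mb_per_s
    if transfer >= interval:
        # The link cannot drain one delta before the next is produced, so the
        # clone would fall further behind with every snapshot.
        raise ValueError("link too slow for this snapshot interval")
    taken = int(fail_at // interval)
    # Delta k is taken at k*interval and has fully arrived `transfer` later.
    # Since transfer < interval, only the newest delta can still be in flight.
    usable = taken
    if taken >= 1 and taken * interval + transfer > fail_at:
        usable = taken - 1          # still in flight at failure: discarded
    rpo = fail_at - usable * interval
    rto = resume_time + usable * delta_mb / merge_mb_per_s
    return CloneRecovery(rpo=rpo, rto=rto, snapshots_taken=taken,
                         snapshots_usable=usable, mb_shipped=taken * delta_mb)


if __name__ == "__main__":
    print(f"conventional RTO: {conventional_rto()} s")
    for interval in (60, 300, 900):
        r = clone_recovery(interval, fail_at=3605, dirty_mb_per_s=0.5,
                           link_mb_per_s=10, resume_time=30, merge_mb_per_s=50,
                           per_snapshot_mb=2)
        print(f"interval {interval:4d} s: RPO {r.rpo:5.0f} s, RTO {r.rto:6.1f} s, "
              f"{r.mb_shipped:7.1f} MB shipped")
```

Shorter intervals shrink the RPO but add per-delta overhead on the link, and a delta that was mid-transfer at the moment of failure never counts toward the recovery point.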

TWO MARK QUESTIONS

1. List the four major characteristics to identify a service.

● Boundaries are explicit.
● Services are autonomous.
● Services share schema and contracts.
● Service compatibility is determined based on policy.

2. Define SOA.

● Service Oriented Architecture is an architectural style supporting service orientation.
● It organizes a software system into a collection of interacting services.
● SOA encompasses a set of design principles that structure system development and provide means for integrating components into a coherent and decentralized system.

3. List the two major roles in SOA.

● The service provider and the service consumer.
● The service provider is the maintainer of the service and the organization that makes available one or more services for others to use.
● The service consumer can locate the service metadata in the registry and develop the required client components to bind and use the service.

4. Characterize SOA platforms within an enterprise context.

● Standardized service contract
● Loose coupling
● Abstraction
● Reusability
● Autonomy
● Lack of state
● Discoverability
5. Define Web services.

● Web services are the prominent technology for implementing SOA systems and applications.
● The concept behind a Web service is very simple.
● Using as a basis the object-oriented abstraction, a Web service exposes a set of operations that can be invoked by leveraging Internet-based protocols.

6. List the aspects that make Web services the technology of choice for SOA.

● First, they allow for interoperability across different platforms and programming languages.
● Second, they are based on well-known and vendor-independent standards such as HTTP, SOAP, XML, and WSDL.
● Third, they provide an intuitive and simple way to connect heterogeneous software systems.
● Finally, they provide the features required by enterprise business applications to be used in an industrial environment.

7. What is the purpose of WSDL and UDDI?

● The service description document, expressed by means of Web Service Definition Language (WSDL), can be either uploaded to a global registry or attached as metadata to the service itself.
● Service consumers can look up and discover services in global catalogs using Universal Description Discovery and Integration (UDDI) or, most likely, directly retrieve the service metadata by interrogating the Web service first.
8. What is SOAP?

● Simple Object Access Protocol (SOAP), an XML-based language for exchanging structured information in a platform-independent manner, constitutes the protocol used for Web service method invocation.

9. Write a short note on RESTful systems.

● Representational State Transfer (REST) provides a model for designing network-based software systems utilizing the client/server model and leverages the facilities provided by HTTP for IPC without additional burden.

10. What is the Publish-and-subscribe message model?

● The publish-and-subscribe message model introduces a different message passing strategy, one that is based on notification among components.
● There are two major roles: the publisher and the subscriber.
● It is very suitable for implementing systems based on the one-to-many communication model.

11. List the merits of Virtualization.

● Virtualization technology is one of the fundamental components of cloud computing, especially in regard to infrastructure-based services.
● Virtualization allows the creation of a secure, customizable, and isolated execution environment for running applications, even if they are untrusted, without affecting other users' applications.

12. List characteristics of virtualized environments.

● Increased security
○ Sharing
○ Aggregation
○ Emulation
○ Isolation
● Performance tuning
● Portability

13. Categorize execution virtualization techniques.

● Process-level techniques are implemented on top of an existing operating system, which has full control of the hardware.
● System-level techniques are implemented directly on hardware and do not require, or require a minimum of, support from an existing operating system.

14. Differentiate between privileged and nonprivileged instructions.

● Nonprivileged instructions are those instructions that can be used without interfering with other tasks because they do not access shared resources.
● Privileged instructions are those that are executed under specific restrictions and are mostly used for sensitive operations, which expose (behavior-sensitive) or modify (control-sensitive) the privileged state.

15. Illustrate ring-based security.

(Figure: Ring 0, the most privileged mode; Ring 1; Ring 2; Ring 3, the least privileged mode.)
16. What is Hardware-level virtualization?

● Hardware-level virtualization is a virtualization technique that provides an abstract execution environment in terms of computer hardware on top of which a guest operating system can be run.

17. Define hypervisor.

● The hypervisor is generally a program or a combination of software and hardware that allows the abstraction of the underlying physical hardware.
● The hypervisor, or virtual machine manager (VMM), is a fundamental element of hardware virtualization.

18. List the types of hypervisor.

● Type I hypervisors run directly on top of the hardware.
● Type II hypervisors require the support of an operating system to provide virtualization services.

19. What is hardware-assisted virtualization?
● This term refers to a scenario in which the hardware provides architectural support for building a virtual machine manager able to run a guest operating system in complete isolation.
● This technique was originally introduced in the IBM System/370.

20. Compare Full virtualization and Paravirtualization.

● Full virtualization refers to the ability to run a program, most likely an operating system, directly on top of a virtual machine and without any modification, as though it were run on the raw hardware.
● Paravirtualization is a not-transparent virtualization solution that allows implementing thin virtual machine managers.
● Paravirtualization techniques expose a software interface to the virtual machine that is slightly modified from the host and, as a consequence, guests need to be modified.

21. How is virtualization implemented in partial virtualization?

● Partial virtualization provides a partial emulation of the underlying hardware, thus not allowing the complete execution of the guest operating system in complete isolation.
● Partial virtualization allows many applications to run transparently, but not all the features of the operating system can be supported, as happens with full virtualization.

22. What is Operating system-level virtualization?

● Operating system-level virtualization offers the opportunity to create different and separated execution environments for applications that are managed concurrently.
● Differently from hardware virtualization, there is no virtual machine manager or hypervisor, and the virtualization is done within a single operating system, where the OS kernel allows for multiple isolated user space instances.

23. What is storage virtualization?

● Storage virtualization is a system administration practice that allows decoupling the physical organization of the hardware from its logical representation.
● Using this technique, users do not have to be worried about the specific location of their data, which can be identified using a logical path.

24. Define Desktop virtualization.

● Desktop virtualization abstracts the desktop environment available on a personal computer in order to provide access to it using a client/server approach.
● Desktop virtualization provides the same outcome as hardware virtualization but serves a different purpose.
25. List the merits of Virtualization at various implementation levels.

Level of Implementation         Higher Performance   Application Flexibility   Implementation Complexity   Application Isolation
Instruction Set Architecture    Very Low             Very High                 Moderate                    Moderate
Hardware-level virtualization   Very High            Moderate                  Very High                   High
OS-level virtualization         Very High            Low                       Moderate                    Low
Library support level           Moderate             Low                       Low                         Low
User application level          Low                  Low                       Very High                   Very High

26. Differentiate between micro-kernel and monolithic hypervisor.

● A micro-kernel hypervisor includes only the basic and unchanging functions (such as physical memory management and processor scheduling).
● A monolithic hypervisor implements all the aforementioned functions, including those of the device drivers.
-------------------------------------------------------------------------------------------------------------------------------

UNIT III CLOUD ARCHITECTURE, SERVICES AND STORAGE

Layered Cloud Architecture Design – NIST Cloud Computing Reference Architecture – Public, Private and Hybrid Clouds - IaaS – PaaS – SaaS – Architectural Design Challenges – Cloud Storage – Storage-as-a-Service – Advantages of Cloud Storage – Cloud Storage Providers – S3.

-------------------------------------------------------------------------------------------------------------------------------

Layered Cloud Architecture Design

● The architecture of a cloud is developed at three layers: infrastructure, platform and application, as demonstrated in Figure 3.1.

● These three development layers are implemented with virtualization and standardization of hardware and software resources provisioned in the cloud.

● The services to public, private and hybrid clouds are conveyed to users through networking support over the Internet and the intranets involved.

● It is clear that the infrastructure layer is deployed first to support IaaS services.

● This infrastructure layer serves as the foundation for building the platform layer of the cloud for supporting PaaS services.

● In turn, the platform layer is a foundation for implementing the application layer for SaaS applications.

● Different types of cloud services demand application of these resources separately.
Figure 3.1 Layered architectural development (Internet at the top; private cloud, public cloud and hybrid cloud; provisioning of resources; Software Layer (SaaS) over Platform Layer (PaaS) over Infrastructure Layer (IaaS))

● The infrastructure layer is built with virtualized compute, storage and network resources.

● The abstraction of these hardware resources is meant to provide the flexibility demanded by users.

● Internally, virtualization realizes automated provisioning of resources and optimizes the infrastructure management process.

● The platform layer is for general-purpose and repeated usage of the collection of software resources.

● This layer provides users with an environment to develop their applications, to test operation flows and to monitor execution results and performance.

● The platform should be able to assure users that they have scalability, dependability, and security protection.
● In a way, the virtualized cloud platform serves as a “system middleware” between the infrastructure and application layers of the cloud.

● The application layer is formed with a collection of all needed software modules for SaaS applications.

● Service applications in this layer include daily office management work such as information retrieval, document processing and calendar and authentication services.

● The application layer is also heavily used by enterprises in business marketing and sales, consumer relationship management (CRM), financial transactions and supply chain management.

● From the provider's perspective, the services at various layers demand different amounts of functionality support and resource management by providers.

● In general, SaaS demands the most work from the provider, PaaS is in the middle, and IaaS demands the least.

● For example, Amazon EC2 provides not only virtualized CPU resources to users but also management of these provisioned resources.

● Services at the application layer demand more work from providers.

● The best example of this is the Salesforce.com CRM service in which the provider supplies not only the hardware at the bottom layer and the software at the top layer but also the platform and software tools for user application development and monitoring.

● In Market-Oriented Cloud Architecture, as consumers rely on cloud providers to meet more of their computing needs, they will require a specific level of QoS to be maintained by their providers, in order to meet their objectives and sustain their operations.
● Market-oriented resource management is necessary to regulate the supply and demand of cloud resources to achieve market equilibrium between supply and demand.

● This cloud is basically built with the following entities:

○ Users or brokers acting on a user's behalf submit service requests from anywhere in the world to the data center and cloud to be processed.
○ The request examiner ensures that there is no overloading of resources whereby many service requests cannot be fulfilled successfully due to limited resources.
○ The Pricing mechanism decides how service requests are charged. For instance, requests can be charged based on submission time (peak/off-peak), pricing rates (fixed/changing), or availability of resources (supply/demand).
○ The VM Monitor mechanism keeps track of the availability of VMs and their resource entitlements.
○ The Accounting mechanism maintains the actual usage of resources by requests so that the final cost can be computed and charged to users.
○ In addition, the maintained historical usage information can be utilized by the Service Request Examiner and Admission Control mechanism to improve resource allocation decisions.
○ The Dispatcher mechanism starts the execution of accepted service requests on allocated VMs.
○ The Service Request Monitor mechanism keeps track of the execution progress of service requests.
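
As an added example that is not from the notes, the entities listed above in working Python: a request examiner with a per-user admission cap (so one tenant cannot exhaust the pool and starve others), a pricing mechanism using the rules the notes name (submission time, a base rate, supply/demand), a VM monitor, accounting, a dispatcher and a service request monitor. The pool size, rates, peak window and the 50% per-user cap are constructed assumptions.

```python
"""Added example, not from the lecture notes: a toy version of the
market-oriented entities listed above (request examiner / admission control,
pricing mechanism, VM monitor, accounting, dispatcher, service request
monitor).  Pool size, rates, peak hours and the per-user cap are constructed;
the pricing rules are the ones the notes name: submission time (peak/off-peak),
a base rate, and availability of resources (supply/demand).
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ServiceRequest:
    user: str
    vcpus: int
    hours: float
    submitted_hour: int       # hour of day (0-23) at which it was submitted


@dataclass
class VMMonitor:
    """Tracks how many vCPUs of the VM pool are still available."""
    total_vcpus: int
    allocated: int = 0

    @property
    def free(self):
        return self.total_vcpus - self.allocated


class PricingMechanism:
    """Price per vCPU-hour: base rate, peak-time surcharge, scarcity surcharge."""

    def __init__(self, base_rate, peak_hours=range(9, 18), peak_factor=1.5,
                 scarcity_threshold=0.2, scarcity_factor=2.0):
        self.base_rate = base_rate
        self.peak_hours = peak_hours
        self.peak_factor = peak_factor
        self.scarcity_threshold = scarcity_threshold   # fraction of free vCPUs
        self.scarcity_factor = scarcity_factor

    def rate(self, request, monitor):
        rate = self.base_rate
        if request.submitted_hour in self.peak_hours:                      # submission time
            rate *= self.peak_factor
        if monitor.free / monitor.total_vcpus < self.scarcity_threshold:   # supply/demand
            rate *= self.scarcity_factor
        return rate


@dataclass
class Accounting:
    """Actual usage per user, so the final cost can be computed and charged."""
    charged: dict = field(default_factory=dict)      # user -> total cost
    vcpu_hours: dict = field(default_factory=dict)   # user -> historical usage

    def record(self, request, cost):
        self.charged[request.user] = self.charged.get(request.user, 0.0) + cost
        self.vcpu_hours[request.user] = (self.vcpu_hours.get(request.user, 0.0)
                                         + request.vcpus * request.hours)


class MarketOrientedCloud:
    def __init__(self, total_vcpus, pricing, max_user_share=0.5):
        self.monitor = VMMonitor(total_vcpus)
        self.pricing = pricing
        self.accounting = Accounting()
        self.max_user_share = max_user_share   # cap on one user's share of the pool
        self.running = []                      # requests the dispatcher has started
        self.rejected = []                     # (request, reason) pairs

    def examine(self, request):
        """Request examiner / admission control: a rejection reason, or None.

        The per-user cap keeps one tenant from exhausting the pool, so that
        other users' requests do not fail for lack of resources.
        """
        if request.vcpus <= 0 or request.hours <= 0:
            return "malformed request"
        if request.vcpus > self.monitor.free:
            return "insufficient free vCPUs"
        in_use = sum(r.vcpus for r in self.running if r.user == request.user)
        if in_use + request.vcpus > self.max_user_share * self.monitor.total_vcpus:
            return "per-user share exceeded"
        return None

    def submit(self, request):
        """Examine, price, allocate, dispatch and account for one request."""
        reason = self.examine(request)
        if reason is not None:
            self.rejected.append((request, reason))
            return None
        rate = self.pricing.rate(request, self.monitor)   # priced on current supply
        cost = rate * request.vcpus * request.hours
        self.monitor.allocated += request.vcpus
        self.running.append(request)                      # the dispatcher starts it
        self.accounting.record(request, cost)
        return cost

    def complete(self, request):
        """Service request monitor: the request finished, so release its VMs."""
        self.running.remove(request)
        self.monitor.allocated -= request.vcpus
```

With a 100-vCPU pool at a base rate of 0.10, a 40-vCPU, 2-hour request submitted at 10:00 is charged 12.0 (peak surcharge), while a 10-vCPU request arriving when only 15 vCPUs remain pays the scarcity surcharge, and a request that would push one user past half the pool is rejected before any VM is allocated.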

NIST Cloud Computing Reference Architecture

● NIST stands for National Institute of Standards and Technology.

● The goal is to achieve effective and secure cloud computing to reduce cost and improve services.

● NIST composed six major work groups specific to cloud computing:
○ Cloud computing target business use cases work group
○ Cloud computing reference architecture and taxonomy work group
○ Cloud computing standards roadmap work group
○ Cloud computing SAJACC (Standards Acceleration to Jumpstart Adoption of Cloud Computing) work group
○ Cloud computing security work group

● Objectives of the NIST Cloud Computing reference architecture:
○ Illustrate and understand the various levels of services
○ To provide a technical reference
○ Categorize and compare services of cloud computing
○ Analysis of security, interoperability and portability

● In general, NIST generates a report for future reference which includes a survey and analysis of existing cloud computing reference models, vendors and federal agencies.

● The conceptual reference architecture shown in Figure 3.2 involves five actors. Each actor is an entity that participates in cloud computing.

● Cloud consumer: A person or an organization that maintains a business relationship with and uses services from cloud providers.

Figure 3.2 Conceptual reference model (actors: Cloud Consumer; Cloud Auditor with security audit, privacy impact audit and performance audit; Cloud Provider with service orchestration (service layer: SaaS, PaaS, IaaS; resource abstraction and control layer; physical resource layer), cloud service management (business support; provisioning and configuring; portability and interoperability) and security and privacy; Cloud Broker with service intermediation, service aggregation and service arbitrage; Cloud Carrier)
● Cloud provider: A person, organization or entity responsible for making a service available to interested parties.

● Cloud auditor: A party that conducts independent assessment of cloud services, information system operation, performance and security of the cloud implementation.

● Cloud broker: An entity that manages the performance and delivery of cloud services and negotiates the relationship between cloud provider and consumer.

● Cloud carrier: An intermediary that provides connectivity and transport of cloud services from cloud providers to consumers.

Figure 3.3 Interaction between actors (Consumer, Auditor, Broker, Provider)

● Figure 3.3 illustrates the common interaction that exists between cloud consumer and provider, whereas the broker is used to provide service to the consumer and the auditor collects the audit information.

● The interaction between the actors may lead to different use case scenarios.

● Figure 3.4 shows one kind of scenario in which the Cloud consumer may request service from a cloud broker instead of contacting the service provider directly. In this case, a cloud broker can create a new service by combining multiple services.
Figure 3.4 Service from Cloud Broker (the Consumer requests from the Broker, which draws on Provider 1 and Provider 2)

● Figure 3.5 illustrates the usage of different kinds of Service Level Agreement (SLA) between consumer, provider and carrier.

Figure 3.5 Multiple SLAs between actors (SLA #1 between Consumer and Provider: maintain the consistent level of service; SLA #2 between Provider and Carrier: specify the capacity and functionality)

● Figure 3.6 shows the scenario where the Cloud auditor conducts an independent assessment of the operation and security of the cloud service implementation.

Figure 3.6 Independent assessments by cloud auditor (Auditor, Consumer, Provider)

● The cloud consumer is a principal stakeholder for the cloud computing service and requires service level agreements to specify the performance requirements fulfilled by a cloud provider.
● The service level agreement covers Quality of Service and Security aspects.

● Consumers have limited rights to access the software applications.

● There are three kinds of cloud consumers: SaaS consumers, PaaS consumers and IaaS consumers.

● SaaS consumers are members who directly access the software application. For example, document management, content management, social networks, financial billing and so on.

● PaaS consumers deploy, test, develop and manage applications hosted in the cloud environment. Database application deployment, development and testing is an example for this kind of consumer.

● IaaS consumers can access the virtual computer, storage and network infrastructure. For example, usage of an Amazon EC2 instance to deploy a web application.

● On the other hand, Cloud Providers have complete rights to access software applications.

● In the Software as a Service model, the cloud provider is allowed to configure, maintain and update the operations of the software application.

● The management process is done by an Integrated Development Environment and Software Development Kit in the Platform as a Service model.

● The Infrastructure as a Service model covers Operating Systems and Networks.

● Normally, the service layer defines the interfaces for cloud consumers to access the computing services.
● The resource abstraction and control layer contains the system components that cloud providers use to provide and manage access to the physical computing resources through software abstraction.

● Resource abstraction covers virtual machine management and virtual storage management.

● The control layer focuses on resource allocation, access control and usage monitoring.

● The physical resource layer includes physical computing resources such as CPU, memory, routers, switches, firewalls and hard disk drives.

● Service orchestration describes the automated arrangement, coordination and management of complex computing systems.

● In cloud service management, business support entails the set of business-related services dealing with consumers and supporting services, which includes content management, contract management, inventory management, accounting service, reporting service and rating service.

● Provisioning of equipment, wiring and transmission is mandatory to set up a new service that provides a specific application to a cloud consumer. Those details are described in Provisioning and Configuring management.

● Portability enforces the ability to work in more than one computing environment without major effort. Similarly, interoperability means the ability of the system to work with other systems.

● The security factor is applicable to enterprise and Government. It may include privacy.
● Privacy applies to a cloud consumer's right to safeguard his information from other consumers or parties.

● The main aim of Security and Privacy in cloud service management is to protect the system from vulnerable customers.

● The cloud auditor performs independent assessments among the services and the cloud broker acts as an intermediate module.

● Service intermediation enhances a given service by improving some specific capability and providing value-added services to cloud consumers.

● Service aggregation provides data integration. The cloud broker combines and integrates multiple services into one or more new services.

● Due to service arbitrage, the cloud broker has the flexibility to choose services from multiple providers.

● The cloud carrier is an intermediary that provides connectivity and transport of cloud services between cloud consumer and cloud provider.

● It provides access to the cloud consumer with the help of network, telecommunication and other access devices, whereas distribution is done with a transport agent.

● A transport agent is a business organization that provides physical transport of storage media.

Cloud Deployment Model
● As identified in the NIST cloud computing definition, a cloud infrastructure may be operated in one of the following deployment models: public cloud, private cloud, community cloud, or hybrid cloud.

● The differences are based on how exclusive the computing resources are made to a Cloud Consumer.

Public Cloud

● A public cloud is one in which the cloud infrastructure and computing resources are made available to the general public over a public network.

● A public cloud is owned by an organization selling cloud services, and serves a diverse pool of clients.

● Figure 3.7 presents a simple view of a public cloud and its customers.

Figure 3.7 Public Cloud

Benefits of choosing a Public Cloud

● One of the main benefits that come with using public cloud services is near unlimited scalability.

● The resources are pretty much offered based on demand, so any changes in activity level can be handled very easily.
● This in turn brings with it cost effectiveness.

● Public cloud allows pooling of a large number of resources; users benefit from the savings of large-scale operations.

● There are many services like Google Drive which are offered for free.

● Finally, the vast network of servers involved in public cloud services means that it can benefit from greater reliability.

● Even if one data center was to fail entirely, the network simply redistributes the load among the remaining centers, making it highly unlikely that the public cloud would ever fail.

● In summary, the benefits of the public cloud are:

○ Easy scalability
○ Cost effectiveness
○ Increased reliability

Disadvantages of choosing a Public Cloud

● There are of course downsides to using public cloud services.

● At the top of the list is the fact that the security of data held within a public cloud is a cause for concern.

● It is often seen as an advantage that the public cloud has no geographical restrictions, making access easy from everywhere, but on the flip side this could mean that the server is in a different country which is governed by an entirely different set of security and/or privacy regulations.
● This could mean that your data is not all that secure, making it unwise to use public cloud services for sensitive data.

Private Cloud

● A private cloud gives a single Cloud Consumer's organization the exclusive access to and usage of the infrastructure and computational resources.

● It may be managed either by the Cloud Consumer organization or by a third party, and may be hosted on the organization's premises (i.e. on-site private clouds) or outsourced to a hosting company (i.e. outsourced private clouds).

● Figure 3.8 presents an on-site private cloud and an outsourced private cloud, respectively.

Figure 3.8 (a) On-site Private Cloud (b) Outsourced Private Cloud

Benefits of choosing a Private Cloud

● The main benefit of choosing a private cloud is the greater level of security offered, making it ideal for business users who need to store and/or process sensitive data.

● A good example is a company dealing with financial information, such as a bank or lender, who is required by law to use secure internal storage to store consumer information.
● With a private cloud this can be achieved while still allowing the organization to benefit from cloud computing.

● Private cloud services also offer some other benefits for business users, including more control over the server, allowing it to be tailored to your own preferences and in-house styles.

● While this can remove some of the scalability options, private cloud providers often offer what is known as cloud bursting, which is when non-sensitive data is switched to a public cloud to free up private cloud space in the event of a significant spike in demand, until such time as the private cloud can be expanded.

● In summary, the main benefits of the private cloud are:

○ Improved security
○ Greater control over the server
○ Flexibility in the form of Cloud Bursting

Disadvantages of choosing a Private Cloud

● The downsides of private cloud services include a higher initial outlay, although in the
long term many business owners find that this balances out and actually becomes more
cost effective than public cloud use.

● It is also more difficult to access the data held in a private cloud from remote locations
due to the increased security measures.

Community Cloud

● A community cloud serves a group of Cloud Consumers which have shared concerns
such as mission objectives, security, privacy and compliance policy, rather than serving
a single organization as does a private cloud.

● Similar to private clouds, a community cloud may be managed by the organizations or by a
third party and may be implemented on customer premises (i.e. on-site community cloud)
or outsourced to a hosting company (i.e. outsourced community cloud).

● Figure 3.9 (a) depicts an on-site community cloud comprised of a number of participant
organizations.

● A cloud consumer can access the local cloud resources, and also the resources of other
participating organizations through the connections between the associated
organizations.

● Figure 3.9 (b) shows an outsourced community cloud, where the server side is
outsourced to a hosting company.

● In this case, an outsourced community cloud builds its infrastructure off premise, and
serves a set of organizations that request and consume cloud services.

Figure 3.9 (a) On-site Community Cloud (b) Outsourced Community Cloud

Benefits of Choosing a Community Cloud

● Ability to easily share and collaborate
● Lower cost

Disadvantages of Choosing a Community Cloud

● Not the right choice for every organization
● Slow adoption to date

Hybrid Cloud

● A hybrid cloud is a composition of two or more clouds (on-site private, on-site
community, off-site private, off-site community or public) that remain as distinct entities
but are bound together by standardized or proprietary technology that enables data and
application portability.

● Figure 3.10 illustrates a simple view of a hybrid cloud that could be built with a set of
clouds in the five deployment model variants.

Figure 3.10 Hybrid Cloud

Cloud Service Model

● The development of cloud computing introduces the concept of Everything as a Service
(XaaS). This is one of the most important elements of cloud computing.

● Cloud services from different providers can be combined to provide a completely
integrated solution covering the whole computing stack of a system.

● IaaS providers can offer the bare metal in terms of virtual machines where PaaS
solutions are deployed.

● When there is no need for a PaaS layer, it is possible to directly customize the virtual
infrastructure with the software stackneeded to run applications.

● This is the case of virtual Web farms: a distributed system composed of Web servers,
database servers and load balancers on top of which prepackaged software is installed to
run Web applications.
● Other solutions provide prepackaged system images that already contain the software
stack required for the most common uses: Web servers, database servers or LAMP
stacks.

● Besides the basic virtual machine management capabilities, additional services can be
provided, generally including the following:

○ SLA resource-based allocation
○ Workload management
○ Support for infrastructure design through advanced Web interfaces
○ Integration of third-party IaaS solutions

● Figure 3.11 provides an overall view of the components forming an Infrastructure as a
Service solution.

● It is possible to distinguish three principal layers:

○ Physical infrastructure
○ Software management infrastructure
○ User interface

Figure 3.11 IaaS reference implementation (layers, top to bottom: Web-based management interface; infrastructure management service with monitoring, reservation, scheduling, provisioning, QoS/billing, VM image and VM pool components; physical infrastructure comprising data center, cluster, desktop and third-party IaaS cloud resources)
● At the top layer the user interface provides access to the services exposed by the
software management infrastructure.

● Such an interface is generally based on Web 2.0 technologies: Web services, RESTful
APIs and mashups.

● Web services and RESTful APIs allow programs to interact with the service without
human intervention, thus providing complete integration within a software system.

● The core features of an IaaS solution are implemented in the infrastructure management
software layer.

● In particular, management of the virtual machines is the most important function
performed by this layer.

● A central role is played by the scheduler, which is in charge of allocating the execution of virtual
machine instances.

● The scheduler interacts with the other components such as:

○ Pricing and billing component
○ Monitoring component
○ Reservation component
○ QoS/SLA management component
○ VM repository component
○ VM pool manager component
○ Provisioning component

● The bottom layer is composed of the physical infrastructure, on top of which the
management layer operates.

● From an architectural point of view, the physical layer also includes the virtual resources
that are rented from external IaaS providers.

● In the case of complete IaaS solutions, all three levels are offered as a service.

● This is generally the case with public cloud vendors such as Amazon, GoGrid, Joyent,
Rightscale, Terremark, Rackspace, ElasticHosts, and Flexiscale, which own large
datacenters and give access to their computing infrastructures using an IaaS approach.

IaaS

● Infrastructure or Hardware as a Service (IaaS/HaaS) solutions are the most popular and
developed market segment of cloud computing.

● They deliver customizable infrastructure on demand.

● The available options within the IaaS offering umbrella range from single servers to
entire infrastructures, including network devices, load balancers, database servers and
Web servers.

● The main technology used to deliver and implement these solutions is hardware
virtualization: one or more virtual machines opportunely configured and interconnected
define the distributed system on top of which applications are installed anddeployed.

● Virtual machines also constitute the atomic components that are deployed and priced
according to the specific features of the virtual hardware: memory, number of processors and
disk storage.

● IaaS/HaaS solutions bring all the benefits of hardware virtualization: workload
partitioning, application isolation, sandboxing and hardware tuning.

● From the perspective of the service provider, IaaS/HaaS allows better exploitation of the IT
infrastructure and provides a more secure environment in which to execute third-party
applications.

● From the perspective of the customer, it reduces the administration and maintenance
cost as well as the capital costs allocated to purchase hardware.

● At the same time, users can take advantage of the full customization offered by
virtualization to deploy their infrastructure in the cloud.

PaaS

● Platform as a Service (PaaS) solutions provide a development and deployment platform
for running applications in the cloud.

● They constitute the middleware on top of which applications are built.

● A general overview of the features characterizing the PaaS approach is given in Figure
3.12.

Figure 3.12 PaaS reference implementation (layers, top to bottom: Web-based management interface and programming API/libraries; PaaS core middleware with elasticity, runtime, resource, QoS/billing, application and user management; physical infrastructure or IaaS comprising data center, cluster, desktop and cloud)

● Application management is the core functionality of the middleware.

● PaaS implementations provide applications with a runtime environment and do not
expose any service for managing the underlying infrastructure.

● They automate the process of deploying applications to the infrastructure, configuring
application components, provisioning and configuring supporting technologies such as
load balancers and databases, and managing system change based on policies set by the user.

● The core middleware is in chargeof managing the resources and scaling applications on
demand or automatically, according to the commitments made with users.

● From a user point of view, the core middleware exposes interfaces that allow
programming and deploying applications on the cloud.

● Some implementations provide a completely Web based interface hosted in the cloud
and offering a variety of services.

● It is possible to find integrated development environments based on 4GL and visual
programming concepts, or rapid prototyping environments where applications are built by
assembling mashups and user-defined components and successively customized.

● Other implementations of the PaaS model provide a complete object model for
representing an application and provide a programming language-based approach.

● Developers generally have the full power of programming languages such as Java,
.NET, Python and Ruby, with some restrictions to provide better scalability and security.

● PaaS solutions can offer middleware for developing applications together with the
infrastructure or simply provide users with the software that is installed on the user
premises.
● In the first case, the PaaS provider also owns large datacenters where applications are
executed.

● In the second case, referred to in this book as Pure PaaS, the middleware constitutes the
core value of the offering.

● PaaS implementations are classified into three wide categories:

○ PaaS-I
○ PaaS-II
○ PaaS-III

● The first category identifies PaaS implementations that completely follow the cloud
computing style for application development and deployment.

○ They offer an integrated development environment hosted within the Web
browser where applications are designed, developed, composed, and deployed.
○ This is the case of Force.com and Longjump. Both deliver as platforms the
combination of middleware and infrastructure.

● The second class is focused on providing a scalable infrastructure for Web applications,
mostly websites.

○ In this case, developers generally use the provider’s APIs, which are built on top
of industrial runtimes, to develop applications.
○ Google App Engine is the most popular product in this category.
○ It provides a scalable runtime based on the Java and Python programming
languages, which have been modified for providing a secure runtime environment
and enriched with additional APIs and components to support scalability.
○ AppScale, an open source implementation of Google App Engine, provides
interface-compatible middleware that has to be installed on a physical
infrastructure.

● The third category consists of all those solutions that provide a cloud programming
platform for any kind of application, not only Web applications.

○ Among these, the most popular is Microsoft Windows Azure, which provides a
comprehensive framework for building service oriented cloud applications on top
of the .NET technology, hosted on Microsoft’s datacenters.
○ Other solutions in the same category, such as Manjrasoft Aneka, Apprenda
SaaSGrid, Appistry Cloud IQ Platform, DataSynapse, and GigaSpaces DataGrid,
provide only middleware with different services.

● Some essential characteristics that identify a PaaS solution:

○ Runtime framework: This framework represents the software stack of the PaaS
model and the most intuitive aspect that comes to people’s minds when they
refer to PaaS solutions.
○ Abstraction: PaaS solutions are distinguished by the higher level of abstraction
that they provide.
○ Automation: PaaS environments automate the process of deploying applications
to the infrastructure, scaling them by provisioning additional resources when
needed.
○ Cloud services: PaaS offerings provide developers and architects with services
and APIs, helping them to simplify the creation and delivery of elastic and highly
available cloud application.

SaaS

● Software as a Service (SaaS) is a software delivery model that provides access to
applications through the Internet as a Web-based service.
● It provides a means tofree users from complex hardware and software management by
offloading such tasks to third parties, which build applications accessible to multiple
users through a Web browser.

● On the provider side, the specific details and features of each customer’s application are
maintained in the infrastructure and made available on demand.

● The SaaS model isappealingfor applications serving a wide range of users andthat can
be adapted to specific needs with little further customization.

● This requirement characterizes SaaS as a one-to-many software delivery model, whereby
an application is shared across multiple users.

● This is the case of CRM and ERP applications that constitute common needs for almost
all enterprises, from small to medium-sized and large business.

● Every enterprise will have the same requirements for the basic features concerning CRM
and ERP, and different needs can be satisfied with further customization.

● SaaS applications are naturally multitenant.

● Multitenancy, which is a feature of SaaS compared to traditional packaged software,
allows providers to centralize and sustain the effort of managing large hardware
infrastructures, maintaining as well as upgrading applications transparently to the users
and optimizing resources by sharing the costs among the large user base.

● On the customer side, such costs constitute a minimal fraction of the usage fee paid for
the software.

● The analysis carried out by the Software Information and Industry Association (SIIA) was
mainly oriented to cover application service providers (ASPs) and all their variations,
which capture the concept of software applications consumed as a service in a broader sense.

● ASPs already had some of the core characteristics of SaaS:

○ The product sold to the customer is application access
○ The application is centrally managed
○ The service delivered is one-to-many
○ The service delivered is an integrated solution delivered on the contract, which means
provided as promised.

● ASPs provided access to packaged software solutions that addressed the needs of a
variety of customers.

● Initially this approach was affordable for service providers, but it later became
inconvenient when the cost of customizations and specializations increased.

● The SaaS approach introduces a more flexible way of delivering application services that are
fully customizable by the user by integrating new services, injecting their own
components and designing the application and information workflows.

● Initially the SaaS model was of interest only for lead users and early adopters.

● The benefits delivered at that stage were the following:

○ Software cost reduction and total cost of ownership (TCO) were paramount
○ Service level improvements
○ Rapid implementation
○ Standalone and configurable applications
○ Rudimentary application and data integration
○ Subscription and pay-as-you-go (PAYG) pricing

● With the advent of cloud computing there has been an increasing acceptance of SaaS
as a viable software delivery model.

● This led to the transition into SaaS 2.0, which does not introduce a new technology but
transforms the way in which SaaS is used.

● In particular, SaaS 2.0 is focused on providing a more robust infrastructure and
application platforms driven by SLAs.

● SaaS 2.0 will focus on the rapid achievement of business objectives.

● Software as a Service based applications can serve different needs. CRM, ERP, and
social networking applications are definitely the most popular ones.

● SalesForce.com is probably the most successful and popular example of a CRM service.

● It provides a wide range of services for applications: customer relationship and human
resource management, enterprise resource planning, and many other features.

● SalesForce.com builds on top of the Force.com platform, which provides a fully featured
environment for building applications.

● In particular, through AppExchange customers can publish, search and integrate new
services and features into their existing applications.

● This makes SalesForce.com applications completely extensible and customizable.

● Similar solutions are offered by NetSuite and RightNow.

● NetSuite is an integrated software business suite featuring financials, CRM, inventory,
and ecommerce functionalities integrated all together.
● RightNow is a customer-experience-centered SaaS application that integrates together
different features, from chat to Web communities, to support the common activity of an
enterprise.

● Another important class of popular SaaS applications comprises social networking
applications such as Facebook and professional networking sites such as LinkedIn.

● Other than providing the basic features of networking, they allow incorporating and
extending their capabilities by integrating third-party applications.

● Office automation applications are also an important representative of SaaS
applications:

○ Google Documents and Zoho Office are examples of Web-based applications that
aim to address all user needs for documents, spreadsheets and presentation
management.
○ These applications offer a Web based interface for creating, managing, and
modifying documents that can be easily shared among users and madeaccessible
from anywhere.

Architectural Design Challenges

Challenge 1: Service Availability and Data Lock-in Problem

● The management of a cloud service by a single company is often the source of single
points of failure.

● To achieve HA, one can consider using multiple cloud providers.

● Even if a company has multiple data centers located in different geographic regions, it
may have common software infrastructure and accounting systems.

● Therefore, using multiple cloud providers may provide more protection from failures.

● Another availability obstacle is distributed denial of service (DDoS) attacks.

● Criminals threaten to cut off the incomes of SaaS providers by making their services
unavailable.

● Some utility computing services offer SaaS providers the opportunity to defend against
DDoS attacks by using quick scale ups.

● Software stacks have improved interoperability among different cloud platforms, but the
APIs themselves are still proprietary. Thus, customers cannot easily extract their data and
programs from one site to run on another.

● The obvious solution is to standardize the APIs so that a SaaS developer can deploy
services and data across multiple cloud providers.

● This would prevent the loss of all data due to the failure of a single company.

● In addition to mitigating data lock-in concerns, standardization of APIs enables a new
usage model in which the same software infrastructure can be used in both public and
private clouds.

● Such an option could enable surge computing, in which the public cloud is used to
capture the extra tasks that cannot be easily run in the datacenter of a private cloud.

Challenge 2: Data Privacy and Security Concerns

● Current cloud offerings are essentially public (rather than private) networks, exposing the
system to more attacks.

● Many obstacles can be overcome immediately with well-understood technologies such as
encrypted storage, virtual LANs, and network middleboxes (e.g., firewalls, packet
filters).

● For example, the end user could encrypt data before placing it in a cloud, so that the
provider only ever holds ciphertext and the key stays with the customer.

● Many nations have laws requiring SaaS providers to keep customer data and copyrighted material
within national boundaries.

● Traditional network attacks include buffer overflows, DoS attacks, spyware, malware,
rootkits, Trojan horses, and worms.

● In a cloud environment, newer attacks may result from hypervisor malware, guest
hopping and hijacking, or VM rootkits.

● Another type of attack is the man-in-the-middle attack on VM migrations.

● In general, passive attacks steal sensitive data or passwords.

● On the other hand, active attacks may manipulate kernel data structures, which will
cause major damage to cloud servers.
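The bullets above say the end user could encrypt data before placing it in a cloud. The following is an added example for these notes, not code from any provider's SDK, showing what that looks like end to end: the customer holds the master key, the provider receives only nonce || ciphertext || tag, and any modification of the stored object (or use of the wrong key) is detected before a single byte is decrypted. It uses only the Python standard library so it runs anywhere: HMAC-SHA256 is used as a PRF in counter mode to produce the keystream, and an encrypt-then-MAC tag covers the nonce and ciphertext. That construction is sound but slow; a real client should use AES-GCM from a vetted library or the provider's client-side encryption SDK. The master key, the derivation labels and the sample record are constructed for the example.

```python
"""Client-side encryption before upload.

Added example for these notes, not code from any cloud provider's SDK. The
customer keeps the master key; the provider stores only nonce || ciphertext ||
tag. Standard library only: HMAC-SHA256 is used as a PRF in counter mode for
the keystream, and an encrypt-then-MAC tag covers the nonce and ciphertext.
Sound, but slow; in production use AES-GCM from a vetted library instead.
"""
from __future__ import annotations

import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _derive(master_key: bytes, label: bytes) -> bytes:
    # Independent confidentiality and integrity keys from one master key.
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF(enc_key, nonce || counter) blocks, truncated to the plaintext length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_object(master_key: bytes, plaintext: bytes, nonce: bytes | None = None) -> bytes:
    """Return the blob to upload: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 16 bytes")
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_object(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt. Raises ValueError on tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive(master_key, b"enc"), _derive(master_key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: object modified or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample: what the customer holds and what it would upload.
MASTER_KEY = hashlib.sha256(b"example master key; never hard-code a real one").digest()
SAMPLE_RECORD = b"account=4711;balance=1250.00;ssn=REDACTED"

if __name__ == "__main__":
    blob = encrypt_object(MASTER_KEY, SAMPLE_RECORD)
    assert b"account" not in blob          # the provider sees nothing recognisable
    print(decrypt_object(MASTER_KEY, blob))
```

Two design points matter more than the cipher choice: the tag is checked with a constant-time comparison before any decryption happens, and a fresh random nonce is drawn per object so two uploads of the same record never produce the same ciphertext. Key management (where the master key lives, how it is rotated) is the part the cloud provider cannot do for you and is the real cost of this approach.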

Challenge 3: Unpredictable Performance and Bottlenecks

● Multiple VMs can share CPUs and main memory in cloud computing, but I/O sharing is
problematic.

● For example, to run 75 EC2 instances with the STREAM benchmark requires a mean
bandwidth of 1,355 MB/second.

● However, for each of the 75 EC2 instances to write 1 GB files to the local disk requires a
mean disk write bandwidth of only 55 MB/second.

● This demonstrates the problem of I/O interference between VMs.

● One solution is to improve I/O architectures and operating systems to efficiently
virtualize interrupts and I/O channels.

● Internet applications continue to become more data-intensive.

● If we assume applications to be pulled apart across the boundaries of clouds, this may
complicate data placement and transport.

● Cloud users and providers have to think about the implications of placement and traffic at
every level of the system, if they want to minimize costs.

● This kind of reasoning can be seen in Amazon’s development of its CloudFront
service.

● Therefore, data transfer bottlenecks must be removed, bottleneck links must be widened and
weak servers should be removed.

Challenge 4: Distributed Storage and Widespread Software Bugs

● The database is always growing in cloud applications.

● The opportunity is to create a storage system that will not only meet this growth but also combine
it with the cloud advantage of scaling arbitrarily up and down on demand.

● This demands the design of efficient distributed SANs.

● Datacenters must meet programmers’ expectations in terms of scalability, data
durability and HA.

● Data consistency checking in SAN-connected datacenters is a major challenge in cloud
computing.

● Large-scale distributed bugs cannot be reproduced, so the debugging must occur at scale
in the production datacenters.

● No datacenter will provide such a convenience. One solution may be a reliance on using
VMs in cloud computing.

● The level of virtualization may make it possible to capture valuable information in ways that are
impossible without using VMs.

● Debugging over simulators is another approach to attacking the problem, if the simulator is well
designed.

Challenge 5: Cloud Scalability, Interoperability, and Standardization

● The pay-as-you-go model applies to storage and network bandwidth; both are counted in terms of
the number of bytes used.

● Computation is different depending on the virtualization level.

● GAE automatically scales in response to load increases or decreases and the users are
charged by the cycles used.

● AWS charges by the hour for the number of VM instances used, even if the machine is idle.

● The opportunity here is to scale quickly up and down in response to load variation, in order to
save money, but without violating SLAs.

● Open Virtualization Format (OVF) describes an open, secure, portable, efficient and
extensible format for the packaging and distribution of VMs.

● It also defines a format for distributing software to be deployed in VMs.

● This VM format does not rely on the use of a specific host platform, virtualization platform
or guest operating system.

● The approach is to address virtual-platform-agnostic packaging with certification and
integrity of packaged software.

● The package supports virtual appliances that span more than one VM.

● OVF also defines a transport mechanism for VM templates, and the format can apply to
different virtualization platforms with different levels of virtualization.

● In terms of cloud standardization, the goal is the ability for virtual appliances to run on any virtual
platform.

● The user also needs to enable VMs to run on heterogeneous hardware platform
hypervisors.

● This requires hypervisor-agnostic VMs.

● The user also needs to realize cross-platform live migration between x86 Intel and AMD
technologies and support legacy hardware for load balancing.

● All these issues are wide open for further research.
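The "certification and integrity of packaged software" that OVF provides rests on the package manifest (the .mf file), which lists a digest for every file in the package and can itself be signed in a companion .cert file. The following added example, not code from these notes or from any OVF tool, checks a package against its manifest using the DMTF manifest line format ALGORITHM(filename)= hexdigest; the package contents are constructed in memory so it runs offline. Note the caveat the code enforces: a manifest on its own only detects corruption, because an attacker who can rewrite disk1.vmdk can rewrite the .mf as well, so a consumer must also verify the .cert signature over the manifest (not shown) before trusting these digests, and must refuse files that the manifest does not list.

```python
"""Verify an OVF package against its manifest (.mf).

Added example for these notes; not code from any OVF tool. Manifest lines
follow the DMTF OVF format: "SHA256(appliance.ovf)= <hex>", one per file
(SHA1 in OVF 1.x, SHA256/SHA512 in OVF 2.x). The sample package is built in
memory; a real one is a directory or a .ova tar archive.
"""
from __future__ import annotations

import hashlib
import re

_MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+?)\)=\s*([0-9a-fA-F]+)\s*$")
_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_manifest(text: str) -> dict[str, tuple[str, str]]:
    """Return {filename: (algorithm, expected_hexdigest)}; reject malformed lines."""
    entries: dict[str, tuple[str, str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _MANIFEST_LINE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        entries[m.group(2)] = (m.group(1), m.group(3).lower())
    return entries


def verify_package(manifest_text: str, files: dict[str, bytes]) -> dict[str, str]:
    """Check every file named in the manifest against its digest.

    Result per file: "ok", "mismatch" or "missing". Files that are in the
    package but not in the manifest are reported as "unlisted": a check that
    only walks the manifest would let an extra disk image through unverified.
    """
    results: dict[str, str] = {}
    for name, (algo, expected) in parse_manifest(manifest_text).items():
        data = files.get(name)
        if data is None:
            results[name] = "missing"
            continue
        actual = _ALGORITHMS[algo](data).hexdigest()
        results[name] = "ok" if actual == expected else "mismatch"
    for name in files:
        results.setdefault(name, "unlisted")
    return results


def package_is_trustworthy(results: dict[str, str]) -> bool:
    """True only if every file is listed, present and matches its digest."""
    return bool(results) and all(status == "ok" for status in results.values())


# Constructed sample package: tiny stand-ins for the descriptor and a disk image.
SAMPLE_FILES = {
    "appliance.ovf": b"<Envelope>...</Envelope>",
    "disk1.vmdk": b"KDMV" + b"\x00" * 16,
}
SAMPLE_MANIFEST = "\n".join(
    f"SHA256({name})= {hashlib.sha256(data).hexdigest()}" for name, data in SAMPLE_FILES.items()
)

if __name__ == "__main__":
    print(verify_package(SAMPLE_MANIFEST, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES, **{"disk1.vmdk": b"KDMV" + b"\xff" * 16})
    print(verify_package(SAMPLE_MANIFEST, tampered))
```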

Challenge 6: Software Licensing and Reputation Sharing
● Many cloud computing providers originally relied on open source software because the
licensing model for commercial software is not ideal for utility computing.

● The primary opportunity is either for open source to remain popular or simply for
commercial software companies to change their licensing structure to better fit cloud
computing.

● One can consider using both pay for use and bulk use licensing schemes to widen the
business coverage.

Cloud Storage

● Cloud storage means storing the data with a cloud service provider rather than on a local system.

● The end user can access the data stored on the cloud using an Internet link.

● Cloud storage has a number of advantages over traditional data storage.

● If the users stored some data on a cloud, they can get at it from any location that has
Internet access.

● Workers do not need to use the same computer to access data nor do they have to carry around
physical storage devices.

● Also, if any organization has branch offices, they can all access the data from the cloud
provider.

● There are hundreds of different cloud storage systems, and some are very specific in
what they do.
● Some are niche-oriented and store just email or digital pictures, while others store any
type of data. Some providers are small, while others are huge and fill an entire
warehouse.

● At the most rudimentary level, a cloud storage system just needs one data server
connected to the Internet.

● A subscriber copies files to the server over the Internet, which then records the data.
When a client wants to retrieve the data, the client accesses the data server with a web
based interfaceand the servertheneithersendsthefiles back to the clientorallowsthe client
to access and manipulate the data itself.

● More typically, however, cloud storage systems utilize dozens or hundreds of data
servers.

● Because servers require maintenance or repair, it is necessary to store the saved dataon
multiple machines, providing redundancy.

● Without that redundancy, cloud storage systems couldnot assure clients that they could
access their information at any given time.

Storage-as-a-Service

● The term Storage as a Service (another Software as a Service, or SaaS, acronym)
means that a third-party provider rents space on their storage to end users who lack the
budget or capital budget to pay for it on their own.

● Figure 3.13 illustrates Storage as a Service, where the data is stored in cloud storage.

● It is also ideal when technical personnel are not available or have inadequate knowledge to
implement and maintain that storage infrastructure.
● Storage service providers are nothing new, but given the complexity of current backup,
replication, and disaster recovery needs, the service has become popular, especially
among small and medium sized businesses.

● The biggest advantage of Storage as a Service is cost savings.

● Storage is rented from the provider using a cost-per-gigabyte-stored or cost-per-data-transferred
model.

● The end user does not have to pay for infrastructure. They simply pay for how much they transfer
and save on the provider’s servers.

Figure 3.13 Storage as a Service

● A customer uses client software to specify the backup set and then transfers data across a
WAN.

● Examples:

○ Google Docs allows users to upload documents, spreadsheets, and presentations to
Google’s data servers. Those files can then be edited using a Google application.
○ Web email providers like Gmail, Hotmail, and Yahoo! Mail store email messages
on their own servers. Users can access their email from computers and other
devices connected to the Internet.
○ Flickr and Picasa host millions of digital photographs. Users can create their own
online photo albums.
○ YouTube hosts millions of user-uploaded video files.
○ Hostmonster and GoDaddy store files and data for many client websites.
○ Facebook and MySpace are social networking sites and allow members to post
pictures and other content. That content is stored on the company’s servers.
○ MediaMax and Strongspace offer storage space for any kind of digital data.

● To secure data, most systems use a combination of the following techniques:

● Encryption: A complex algorithm is used to encode information. To decode the encrypted
files, a user needs the encryption key, so whoever controls that key (customer or provider)
determines who can ultimately read the data.

● Authentication processes: This requires a user to create a name and password.

● Authorization practices: The client lists the people who are authorized to access
information stored on the cloud system. Many corporations have multiple levels of
authorization.

● The other concern is reliability.

● If a cloud storage system is unreliable, it becomes a liability. No one wants to save data
on an unstable system, nor would they trust a company that is financiallyunstable.

● Most cloud storage providers try to address the reliability concern through redundancy,
but the possibility still exists that the system could crash and leave clients with no way to access
their saved data.

Advantages of Cloud Storage

● Cloud storage is becoming an increasingly attractive solution for organizations.

● Cloud storage providers balance server loads and move data among
various datacenters, ensuring that information is stored close to where it is used and is thereby
available quickly.

● Storing data on the cloud is advantageous, because it allows the user to protect the data in case
there’s a disaster.

● Having the data stored off-site can be the difference between closing the door for good or being
down for a few days or weeks.

● Which storage vendor to go with can be a complex issue, and how the end-user
technology interacts with the cloud can be complex.

● For instance, some products are agent-based and the application automatically transfers
information to the cloud via FTP (plain FTP carries credentials and data unencrypted, so an
agent should be configured for SFTP, FTPS or HTTPS instead).

● But others employ a web front end and the user has to select local files on their computer
to transmit.

● Amazon S3 is the best-known storage solution, but other vendors might be better for large
enterprises.

● For instance, those who offer service level agreements and direct access to customer
support are critical for a business moving storage to a service provider.

Cloud Storage Providers

● There are hundreds of cloud storage providers, and more appear every day.

● This is simply a listing of what some of the big players in the game have to offer, and
anyone can use it as a starting guide to determine if their services match the user’s needs.

● Amazon and Nirvanix are the current industry top dogs, but many others are in the field, including
some well-known names.

● Google offers a cloud storage solution called GDrive.

● EMC is readying a storage solution and IBM already has a number of cloud storage
options called Blue Cloud.

S3

● The well-known cloud storage service is Amazon’s Simple Storage Service (S3), which
was launched in 2006.

● Amazon S3 is designed to make web-scale computing easier for developers.

● Amazon S3 provides a simple web services interface that can be used to store and
retrieve any amount of data, at any time, from anywhere on the Web.

● It gives any developer access to the same highly scalable data storage infrastructure that
Amazon uses to run its own global network of web sites.

● The service aims to maximize benefits of scale and to pass those benefits on to
developers.

● Amazon S3 is intentionally built with a minimal feature set that includes the following
functionality:

○ Write, read, and delete objects containing from 1 byte to 5 gigabytes of data each
(the 5 GB figure is the original 2006 limit; single objects can now be far larger when
uploaded in parts). The number of objects that can be stored is unlimited.
○ Each object is stored and retrieved via a unique developer-assigned key.
○ Objects can be made private or public and rights can be assigned to specific
users.
○ Uses standards-based REST and SOAP interfaces designed to work with any
Internet development toolkit.
● Design Requirements: Amazon built S3 to fulfill the following design requirements:

○ Scalable: Amazon S3 can scale in terms of storage, request rate and users to
support an unlimited number of web-scale applications.
○ Reliable: Store data durably with 99.99 percent availability. Amazon says it does not
allow any downtime.
○ Fast: Amazon S3 was designed to be fast enough to support high-performance
applications. Server-side latency must be insignificant relative to Internet latency.
○ Inexpensive: Amazon S3 is built from inexpensive commodity hardware
components.
○ Simple: Building highly scalable, reliable, fast and inexpensive storage is difficult.

● Design Principles: Amazon used the following principles of distributed system design to meet
the Amazon S3 requirements:

○ Decentralization: It uses fully decentralized techniques to remove scaling
bottlenecks and single points of failure.
○ Autonomy: The system is designed such that individual components can make
decisions based on local information.
○ Local responsibility: Each individual component is responsible for achieving its
consistency. This is never the burden of its peers.
○ Controlled concurrency: Operations are designed such that no or limited
concurrency control is required.
○ Failure toleration: The system considers the failure of components to be a normal
mode of operation and continues operation with no or minimal interruption.
○ Controlled parallelism: Abstractions used in the system are of such granularity
that parallelism can be used to improve performance and robustness of recovery
or the introduction of new nodes.
○ Symmetry: Nodes in the system are identical in terms of functionality, and require no or
minimal node-specific configuration to function.
○ Simplicity: The system should be made as simple as possible, but no simpler.

● Amazon keeps its lips pretty tight about how S3 works, but according to Amazon, S3's design aims to provide scalability, high availability, and low latency at commodity costs.

● S3 stores arbitrary objects at up to 5 GB in size, and each is accompanied by up to 2 KB of metadata.

● Objects are organized by buckets.

● Each bucket is owned by an AWS account, and the buckets are identified by a unique, user-assigned key.

● Buckets and objects are created, listed and retrieved using either a REST or SOAP interface.

● Objects can also be retrieved using the HTTP GET interface or via BitTorrent.

● An access control list restricts who can access the data in each bucket.

● Bucket names and keys are formulated so that they can be accessed using HTTP.

● Requests are authorized using an access control list associated with each bucket and object, for instance: http://s3.amazonaws.com/samplebucket/samplekey

● The Amazon AWS Authentication tools allow the bucket owner to create an authenticated URL with a set amount of time that the URL will be valid.

● Bucket items can also be accessed via a BitTorrent feed, enabling S3 to act as a seed for the client.

● Buckets can also be set up to save HTTP log information to another bucket.

● This information can be used for later data mining.
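As an added example (not Amazon's code or signing scheme), the following Python models the access controls listed above: a bucket whose objects live under developer-assigned keys, a per-object ACL that is private by default but can be made public or granted to named users, and an owner-issued URL that stays valid only for a set time. The bucket name, key, user names, secret and timestamps are constructed, and the HMAC query-string signature is a simplified stand-in for the real AWS authentication tools.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlparse, parse_qs

PUBLIC = "*"  # ACL marker meaning "anyone may read this object"


class Bucket:
    """Constructed S3-style bucket: objects keyed by name, each with an ACL."""

    def __init__(self, name, owner, signing_secret):
        self.name = name
        self.owner = owner                # owning account (always allowed)
        self.secret = signing_secret      # known only to the bucket owner
        self.objects = {}                 # key -> (data, set of readers)

    def put(self, key, data, readers=()):
        # Private by default: nobody but the owner reads it until rights are granted.
        self.objects[key] = (data, set(readers))

    def can_read(self, key, principal):
        _, readers = self.objects[key]
        return principal == self.owner or PUBLIC in readers or principal in readers

    def get(self, key, principal):
        if not self.can_read(key, principal):
            raise PermissionError(f"{principal} may not read {key}")
        return self.objects[key][0]

    def _signature(self, key, expires):
        # The signed string binds method, bucket, key and expiry together, so
        # changing any of them in the URL invalidates the signature.
        msg = f"GET\n/{self.name}/{key}\n{expires}".encode()
        return hmac.new(self.secret.encode(), msg, hashlib.sha256).hexdigest()

    def signed_url(self, key, valid_for, now=None):
        """Owner-issued URL that grants a read of `key` for `valid_for` seconds."""
        expires = int(time.time() if now is None else now) + valid_for
        query = urlencode({"Expires": expires, "Signature": self._signature(key, expires)})
        return f"http://s3.amazonaws.com/{self.name}/{key}?{query}"

    def get_via_url(self, url, now=None):
        """Serve a signed URL: check bucket, expiry and signature before the ACL is bypassed."""
        parts = urlparse(url)
        query = parse_qs(parts.query)
        _, bucket, key = parts.path.split("/", 2)
        if bucket != self.name:
            raise PermissionError("URL is for a different bucket")
        expires = int(query["Expires"][0])
        current = int(time.time() if now is None else now)
        if current > expires:
            raise PermissionError("URL has expired")
        if not hmac.compare_digest(self._signature(key, expires), query["Signature"][0]):
            raise PermissionError("signature does not match")
        return self.objects[key][0]
```

A reader who tampers with the key or the Expires value in the URL changes the signed string, so the check fails even though the signature itself is unchanged.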
TWO MARK QUESTIONS

1. Illustrate the architecture of a cloud developed using three layers.

[Figure: layered cloud architecture]
Internet
Private Cloud | Public Cloud | Hybrid Cloud
Provisioning of resources
Software Layer (SaaS)
Platform Layer (PaaS)
Infrastructure Layer (IaaS)

2. What is Market-Oriented Cloud Architecture?

● As consumers rely on cloud providers to meet more of their computing needs, they will require a specific level of QoS to be maintained by their providers, in order to meet their objectives and sustain their operations.
● Market-oriented resource management is necessary to regulate the supply and demand of cloud resources to achieve market equilibrium between supply and demand.

3. List the entities involved in the cloud platform.

● Users or brokers and Request examiner
● Pricing mechanism and VM Monitor mechanism
● Accounting mechanism
● Service Request Examiner and Admission Control mechanism
● Dispatcher mechanism
● Service Request Monitor mechanism
4. List the objectives of the NIST Cloud Computing reference architecture.

● Illustrate and understand the various levels of services
● To provide a technical reference
● Categorize and compare services of cloud computing
● Analysis of security, interoperability and portability

5. Mention the major actors involved in the NIST reference model.

● Cloud consumer
● Cloud provider
● Cloud auditor
● Cloud broker
● Cloud carrier

6. Define service orchestration.

● Service orchestration describes the automated arrangement, coordination and management of complex computing systems.

7. Differentiate between Public cloud and Private Cloud.

● A public cloud is one in which the cloud infrastructure and computing resources are made available to the general public over a public network.
● A public cloud is owned by an organization selling cloud services, and serves a diverse pool of clients.
● A private cloud gives a single Cloud Consumer's organization the exclusive access to and usage of the infrastructure and computational resources.
● It may be managed either by the Cloud Consumer organization or by a third party, and may be hosted on the organization's premises (i.e. on-site private clouds) or outsourced to a hosting company (i.e. outsourced private clouds).

8. Tabulate the merits and demerits of choosing a Community Cloud.

Merits                                      Demerits
- Ability to easily share and collaborate   - Not the right choice for every organization
- Lower cost                                - Slow adoption to date

9. What is IaaS or HaaS?

● Infrastructure or Hardware-as-a-Service (IaaS/HaaS) solutions are the most popular and developed market segment of cloud computing.
● They deliver customizable infrastructure on demand.

10. What is PaaS?

● Platform-as-a-Service (PaaS) solutions provide a development and deployment platform for running applications in the cloud.
● They constitute the middleware on top of which applications are built.

11. Classify PaaS implementations.

● PaaS implementations are classified into three wide categories:
● PaaS-I, PaaS-II, and PaaS-III.

12. What is SaaS?

● Software-as-a-Service (SaaS) is a software delivery model that provides access to applications through the Internet as a Web-based service.
● It provides a means to free users from complex hardware and software management by offloading such tasks to third parties, which build applications accessible to multiple users through a Web browser.

13. What is SaaS 2.0?

● SaaS 2.0 is not a new technology but transforms the way in which SaaS is used.
● In particular, SaaS 2.0 is focused on providing a more robust infrastructure and application platforms driven by SLAs.
● SaaS 2.0 will focus on the rapid achievement of business objectives.

14. List the six architectural design challenges in the cloud.

● Service Availability and Data Lock-in Problem
● Data Privacy and Security Concerns
● Unpredictable Performance and Bottlenecks
● Distributed Storage and Widespread Software Bugs
● Cloud Scalability, Interoperability, and Standardization
● Software Licensing and Reputation Sharing

15. What is cloud storage?

● Cloud storage means storing the data with a cloud service provider rather than on a local system. The end user can access the data stored on the cloud using an Internet link.
● Cloud storage has a number of advantages over traditional data storage.
● If the users store some data on a cloud, they can get at it from any location that has Internet access.

16. What is Storage-as-a-Service?

● The term Storage as a Service means that a third-party provider rents space on their storage to end users who lack the budget or capital budget to pay for it on their own.
● It is also ideal when technical personnel are not available or have inadequate knowledge to implement and maintain that storage infrastructure.

17. List the real-time examples for cloud storage.

● Google Docs allows users to upload documents, spreadsheets, and presentations to Google's data servers.
● Web email providers like Gmail, Hotmail, and Yahoo! Mail store email messages on their own servers.
● Flickr and Picasa host millions of digital photographs. YouTube hosts millions of user-uploaded video files.
● Hostmonster and GoDaddy store files and data for many client websites.
● Facebook and MySpace are social networking sites and allow members to post pictures and other content.
● MediaMax and Strongspace offer storage space for any kind of digital data.

18. How to secure data in cloud storage?

● Most systems use a combination of the following techniques:
○ Encryption
○ Authentication processes
○ Authorization practices

19. List the advantages of cloud storage.

● Storing data on the cloud is advantageous, because it allows you to protect your data in case there's a disaster.
● Having your data stored off-site can be the difference between closing your door for good or being down for a few days or weeks.
● Which storage vendor to go with can be a complex issue, and how the end user technology interacts with the cloud can be complex.

20. What is S3?

● The best-known cloud storage service is Amazon's Simple Storage Service (S3), which launched in 2006.
● Amazon S3 is designed to make web-scale computing easier for developers.
● Amazon S3 provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the Web.
● It gives any developer access to the same highly scalable data storage infrastructure that Amazon uses to run its own global network of web sites.
21. What are the design requirements considered by Amazon to build S3?

● Scalable
● Reliable
● Fast
● Inexpensive
● Simple

22. What are the design principles considered by Amazon to meet the S3 requirements?

● Decentralization
● Autonomy
● Local responsibility
● Controlled concurrency
● Failure toleration
● Controlled parallelism
● Symmetry
● Simplicity

23. How is the data stored in S3?

● S3 stores arbitrary objects at up to 5 GB in size, and each is accompanied by up to 2 KB of metadata.
● Objects are organized by buckets.
● Each bucket is owned by an AWS account, and the buckets are identified by a unique, user-assigned key.
● Buckets and objects are created, listed, and retrieved using either a REST-style or SOAP interface.
-------------------------------------------------------------------------------------------------------------------------------

UNIT IV RESOURCE MANAGEMENT AND SECURITY IN CLOUD

Inter Cloud Resource Management – Resource Provisioning and Resource Provisioning Methods – Global Exchange of Cloud Resources – Security Overview – Cloud Security Challenges – Software-as-a-Service Security – Security Governance – Virtual Machine Security – IAM – Security Standards.

-------------------------------------------------------------------------------------------------------------------------------

Inter Cloud Resource Management

[Figure: layers from top to bottom]
Cloud application (SaaS)
Cloud software environment (PaaS)
Cloud software infrastructure (IaaS, DaaS, CaaS)
Collocation cloud services (LaaS)
Network cloud services (NaaS)
Hardware or Virtualization cloud services (HaaS)

Figure 4.1 A stack of six layers of cloud services

● Figure 4.1 shows six layers of cloud services, ranging from hardware, network, and collocation to infrastructure, platform and software applications.

● The cloud platform provides PaaS, which sits on top of the IaaS infrastructure. The top layer offers SaaS.

● The bottom three layers are more related to physical requirements.

● The bottommost layer provides Hardware as a Service (HaaS).

● The next layer is for interconnecting all the hardware components and it is simply called Network as a Service (NaaS).

● Virtual LANs fall within the scope of NaaS.

● The next layer up offers Location as a Service (LaaS), which provides a collocation service to house, power and secure all the physical hardware as well as network resources.

● Some authors say this layer provides Security as a Service (SaaS).

● The cloud infrastructure layer can be further subdivided as Data as a Service (DaaS) and Communication as a Service (CaaS) in addition to compute and storage in IaaS.

● The three cloud models are viewed differently by different players.

● From the software vendor perspective, application performance on a given cloud platform is most important.

● From the provider perspective, cloud infrastructure performance is the primary concern.

● From the end user's perspective, the quality of services, including security, is the most important.

● CRM offered the first SaaS on the cloud successfully.

● The approach is to widen market coverage by investigating customer behaviors and revealing opportunities by statistical analysis.

● SaaS tools also apply to distributed collaboration, financial and human resources management. These cloud services have been growing rapidly in recent years.

● PaaS is provided by Google, Salesforce.com, Facebook, and so on.

● IaaS is provided by Amazon, Windows Azure, RackRack, and so on.

● Based on the observations of some typical cloud computing instances, such as Google, Microsoft, and Yahoo!, the overall software stack structure of cloud computing software can be viewed as layers.

● Each layer has its own purpose and provides the interface for the upper layers just as the traditional software stack does. However, the lower layers are not completely transparent to the upper layers.

● The platform for running cloud computing services can be either physical servers or virtual servers.

● By using VMs, the platform can be flexible; it means the running services are not bound to specific hardware platforms.

● The software layer on top of the platform is the layer for storing massive amounts of data.

● This layer acts like the file system in a traditional single machine. Other layers running on top of the file system are the layers for executing cloud computing applications.

● The next layers are the components in the software stack.

Runtime Support Services

● As in a cluster environment, there are also some runtime supporting services in the cloud computing environment.

● Cluster monitoring is used to collect the runtime status of the entire cluster.

● The scheduler queues the tasks submitted to the whole cluster and assigns the tasks to the processing nodes according to node availability.

● The distributed scheduler for the cloud application has special characteristics that can support cloud applications, such as scheduling the programs written in MapReduce style.

● The runtime support system keeps the cloud cluster working properly with high efficiency.

● Runtime support is software needed in browser-initiated applications applied by thousands of cloud customers.

● The SaaS model provides the software applications as a service, rather than letting users purchase the software.

● As a result, on the customer side, there is no upfront investment in servers or software licensing.

● On the provider side, costs are rather low, compared with conventional hosting of user applications.

● The customer data is stored in the cloud that is either vendor proprietary or a publicly hosted cloud supporting PaaS and IaaS.

Resource Provisioning

● Providers supply cloud services by signing SLAs with end users.

● The SLAs must commit sufficient resources such as CPU, memory and bandwidth that the user can use for a preset period.

● Underprovisioning of resources will lead to broken SLAs and penalties.

● Overprovisioning of resources will lead to resource underutilization, and consequently, a decrease in revenue for the provider.

● Deploying an autonomous system to efficiently provision resources to users is a challenging problem.

● Efficient VM provisioning depends on the cloud architecture and management of cloud infrastructures.

● Resource provisioning schemes also demand fast discovery of services and data in cloud computing infrastructures.

● In a virtualized cluster of servers, this demands efficient installation of VMs, live VM migration and fast recovery from failures.

● To deploy VMs, users treat them as physical hosts with customized operating systems for specific applications.

● For example, Amazon's EC2 uses Xen as the virtual machine monitor (VMM). The same VMM is used in IBM's Blue Cloud.

● In the EC2 platform, some predefined VM templates are also provided. Users can choose different kinds of VMs from the templates.

● IBM's Blue Cloud does not provide any VM templates.

Resource Provisioning Methods

● Figure 4.2 shows three cases of static cloud resource provisioning policies.

Figure 4.2 Three cases of resource provisioning

● In case (a), overprovisioning with the peak load causes heavy resource waste (shaded area).

● In case (b), underprovisioning (along the capacity line) of resources results in losses by both user and provider in that paid demand by the users (the shaded area above the capacity) is not served and wasted resources still exist for those demanded areas below the provisioned capacity.

● In case (c), the constant provisioning of resources with fixed capacity to a declining user demand could result in even worse resource waste.

● The user may give up the service by canceling the demand, resulting in reduced revenue for the provider.

● Both the user and provider may be losers in resource provisioning without elasticity.

● The demand-driven method provides static resources and has been used in grid computing for many years.

● The event-driven method is based on predicted workload by time.

● The popularity-driven method is based on Internet traffic monitored.

Demand-Driven Resource Provisioning

● This method adds or removes computing instances based on the current utilization level of the allocated resources.

● The demand-driven method automatically allocates two Xeon processors for the user application, when the user was using one Xeon processor more than 60 percent of the time for an extended period.

● In general, when a resource has surpassed a threshold for a certain amount of time, the scheme increases that resource based on demand.

● When a resource is below a threshold for a certain amount of time, that resource could be decreased accordingly.

● Amazon implements such an auto-scale feature in its EC2 platform. This method is easy to implement.

● The scheme does not work out right if the workload changes abruptly.
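As an added example (not from the page or the Hwang text), the following Python puts numbers on the static cases of Figure 4.2 and on the demand-driven rule: scale up after utilization has stayed above a threshold (60 percent, as in the text) for a hold period, scale down after it has stayed below a lower threshold. The hourly demand series, the 30 percent scale-down threshold, the two-period hold and the one-instance step are constructed assumptions.

```python
# Constructed hourly demand in "processor units" over one day, with an abrupt
# spike during hours 12-15 to show how the demand-driven scheme lags.
DEMAND = [1, 1, 1, 2, 2, 3, 3, 3, 4, 4, 4, 4, 9, 9, 9, 9, 4, 3, 3, 2, 2, 1, 1, 1]


def account(demand, capacity_series):
    """Return (wasted, unserved) units for a capacity series against a demand series.

    Wasted is the Figure 4.2 shaded area above demand (paid-for idle capacity);
    unserved is the demand above capacity (broken SLAs and penalties).
    """
    wasted = sum(max(c - d, 0) for c, d in zip(capacity_series, demand))
    unserved = sum(max(d - c, 0) for c, d in zip(capacity_series, demand))
    return wasted, unserved


def static_provisioning(demand, capacity):
    """Fixed capacity for the whole period: cases (a), (b) and (c) of Figure 4.2."""
    return account(demand, [capacity] * len(demand))


def demand_driven(demand, start=1, high=0.60, low=0.30, hold=2, step=1):
    """Demand-driven scaling rule (hypothetical parameters).

    Each period runs with the capacity decided at the end of the previous one,
    so a sudden jump in demand is only answered after `hold` periods, one `step`
    at a time. Returns the capacity in force during each period.
    """
    capacity = start
    above = below = 0          # consecutive periods above/below the thresholds
    history = []
    for d in demand:
        history.append(capacity)
        utilization = d / capacity
        above = above + 1 if utilization > high else 0
        below = below + 1 if utilization < low else 0
        if above >= hold:
            capacity += step   # sustained high utilization: add an instance
            above = 0
        elif below >= hold and capacity > 1:
            capacity -= 1      # sustained low utilization: release an instance
            below = 0
    return history


def compare(demand=DEMAND):
    """Waste/unserved totals for peak-sized, average-sized and demand-driven capacity."""
    return {
        "static_peak": static_provisioning(demand, max(demand)),
        "static_four": static_provisioning(demand, 4),
        "demand_driven": account(demand, demand_driven(demand)),
    }
```

With the constructed series, peak-sized static capacity never under-serves but idles 131 units, while the demand-driven scheme cuts waste to 49 units at the cost of 8 unserved units during the four spike hours, which is the abrupt-change weakness the text describes.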

Event-Driven Resource Provisioning

● This scheme adds or removes machine instances based on a specific time event.

● The scheme works better for seasonal or predicted events such as Christmastime in the West and the Lunar New Year in the East.

● During these events, the number of users grows before the event period and then decreases during the event period.

● This scheme anticipates peak traffic before it happens.

● The method results in a minimal loss of QoS, if the event is predicted correctly.

● Otherwise, wasted resources are even greater due to events that do not follow a fixed pattern.

Popularity-Driven Resource Provisioning

● In this method, the Internet searches for popularity of certain applications and creates the instances by popularity demand.

● The scheme anticipates increased traffic with popularity.

● Again, the scheme has a minimal loss of QoS, if the predicted popularity is correct.

● Resources may be wasted if traffic does not occur as expected.

Global Exchange of Cloud Resources

● In order to support a large number of application service consumers from around the world, cloud infrastructure providers (i.e., IaaS providers) have established data centers in multiple geographical locations to provide redundancy and ensure reliability in case of site failures.

● For example, Amazon has data centers in the United States (e.g., one on the East Coast and another on the West Coast) and Europe.

● However, currently Amazon expects its cloud customers (i.e., SaaS providers) to express a preference regarding where they want their application services to be hosted.

● Amazon does not provide seamless/automatic mechanisms for scaling its hosted services across multiple geographically distributed data centers.

● This approach has many shortcomings.

○ First, it is difficult for cloud customers to determine in advance the best location for hosting their services as they may not know the origin of consumers of their services.
○ Second, SaaS providers may not be able to meet the QoS expectations of their service consumers originating from multiple geographical locations.

● Figure 4.3 shows the high-level components of the Melbourne group's proposed InterCloud architecture.

Figure 4.3 InterCloud architecture

● In addition, no single cloud infrastructure provider will be able to establish its data centers at all possible locations throughout the world.

● As a result, cloud application service (SaaS) providers will have difficulty in meeting QoS expectations for all their consumers.

● The Cloudbus Project at the University of Melbourne has proposed an InterCloud architecture supporting brokering and exchange of cloud resources for scaling applications across multiple clouds.

● By realizing InterCloud architectural principles in mechanisms in their offering,

○ Cloud providers will be able to dynamically expand or resize their provisioning capability based on sudden spikes in workload demands by leasing available computational and storage capabilities from other cloud service providers.
○ Operate as part of a market-driven resource leasing federation, where application service providers such as Salesforce.com host their services based on negotiated SLA contracts driven by competitive market prices.
○ Deliver on-demand, reliable, cost-effective, and QoS-aware services based on virtualization technologies while ensuring high QoS standards and minimizing service costs.

● They need to be able to utilize market-based utility models as the basis for provisioning of virtualized software services and federated hardware infrastructure among users with heterogeneous applications.

● They consist of client brokering and coordinator services that support utility-driven federation of clouds:
○ Application scheduling
○ Resource allocation
○ Migration of workloads

● The architecture cohesively couples the administratively and topologically distributed storage and compute capabilities of clouds as part of a single resource leasing abstraction.

● The Cloud Exchange (CEx) acts as a market maker for bringing together service producers and consumers.

● It aggregates the infrastructure demands from application brokers and evaluates them against the available supply currently published by the cloud coordinators.

● It supports trading of cloud services based on competitive economic models such as commodity markets and auctions.

● An SLA specifies the details of the service to be provided in terms of metrics agreed upon by all parties, and incentives and penalties for meeting and violating the expectations, respectively.

● The availability of a banking system within the market ensures that financial transactions pertaining to SLAs between participants are carried out in a secure and dependable environment.

Security Overview

● Cloud service providers must learn from the managed service provider (MSP) model and ensure that their customers' applications and data are secure if they hope to retain their customer base and competitiveness.

● Today, enterprises are looking toward cloud computing horizons to expand their on-premises infrastructure, but most cannot afford the risk of compromising the security of their applications and data.

● For example, IDC recently conducted a survey (Figure 4.4) of 244 IT executives/CIOs and their line-of-business (LOB) colleagues to gauge their opinions and understand their companies' use of IT cloud services.

● Security ranked first as the greatest challenge or issue of cloud computing.

Figure 4.4 Results of IDC survey

● Moving critical applications and sensitive data to public and shared cloud environments is of great concern for those corporations that are moving beyond their data center's network perimeter defense.

● To alleviate these concerns, a cloud solution provider must ensure that customers will continue to have the same security and privacy controls over their applications and services.

● In addition, the solution provider must give evidence to customers that their organization and customers are secure, that they can meet their service level agreements, and that they can prove compliance to auditors.

Cloud Security Challenges

● Although virtualization and cloud computing can help companies accomplish more by breaking the physical bonds between an IT infrastructure and its users, heightened security threats must be overcome in order to benefit fully from this new computing paradigm.

● Enterprise security is only as good as the least reliable partner, department and vendor.

● With the cloud model, cloud consumers lose control over physical security.

● In a public cloud, the consumers are sharing computing resources with other companies.

● In a shared pool outside the enterprise, users do not have any knowledge or control of where the resources run.

● Storage services provided by one cloud vendor may be incompatible with another vendor's services should you decide to move from one to the other.

● Ensuring the integrity of the data really means that it changes only in response to authorized transactions.

● The immature use of mashup technology (combinations of web services), which is fundamental to cloud applications, is inevitably going to cause unwitting security vulnerabilities in those applications.

● Since access to logs is required for Payment Card Industry Data Security Standard (PCI DSS) compliance and may be requested by auditors and regulators, security managers need to make sure to negotiate access to the provider's logs as part of any service agreement.

● Cloud applications undergo constant feature additions and users must keep up to date with application improvements to be sure they are protected.

● The speed at which applications will change in the cloud will affect both the SDLC and security.

● Security needs to move to the data level, so that enterprises can be sure their data is protected wherever it goes.

● Sensitive data is the domain of the enterprise, not the cloud computing provider.

● One of the key challenges in cloud computing is data-level security.

● Most compliance standards do not envision compliance in a world of cloud computing.

● There is a huge body of standards that apply for IT security and compliance, governing most business interactions, that will, over time, have to be translated to the cloud.

● SaaS makes the process of compliance more complicated, since it may be difficult for a customer to discern where its data resides on a network controlled by its SaaS provider, or a partner of that provider, which raises all sorts of compliance issues of data privacy, segregation, and security.

● Security managers will need to pay particular attention to systems that contain critical data such as corporate financial information or source code during the transition to server virtualization in production environments.

● Outsourcing means losing significant control over data, and while this is not a good idea from a security perspective, the business ease and financial savings will continue to increase the usage of these services.

● Security managers will need to work with their company's legal staff to ensure that appropriate contract terms are in place to protect corporate data and provide for acceptable service level agreements.

● Cloud-based services will result in many mobile IT users accessing business data and services without traversing the corporate network.

● This will increase the need for enterprises to place security controls between mobile users and cloud-based services.

● Although traditional data center security still applies in the cloud environment, physical segregation and hardware-based security cannot protect against attacks between virtual machines on the same server.

● Administrative access is through the Internet rather than the controlled and restricted direct or on-premises connection that is adhered to in the traditional data center model.

● This increases risk and exposure and will require stringent monitoring for changes in system control and access control restriction.

● Proving the security state of a system and identifying the location of an insecure virtual machine will be challenging.

● The co-location of multiple virtual machines increases the attack surface and risk of virtual-machine-to-virtual-machine compromise.

● Localized virtual machines and physical servers use the same operating systems as well as enterprise and web applications in a cloud server environment, increasing the threat of an attacker or malware exploiting vulnerabilities in these systems and applications remotely.

● Virtual machines are vulnerable as they move between the private cloud and the public cloud.

● A fully or partially shared cloud environment is expected to have a greater attack surface and therefore can be considered to be at greater risk than a dedicated resources environment.

● Operating system and application files are on a shared physical infrastructure in a virtualized cloud environment and require system, file, and activity monitoring to provide confidence and auditable proof to enterprise customers that their resources have not been compromised or tampered with.

● In the cloud computing environment, the enterprise subscribes to cloud computing resources, and the responsibility for patching is the subscriber's rather than the cloud computing vendor's.

● The need for patch maintenance vigilance is imperative.

● Data is fluid in cloud computing and may reside in on-premises physical servers, on-premises virtual machines, or off-premises virtual machines running on cloud computing resources, and this will require some rethinking on the part of auditors and practitioners alike.

● To establish zones of trust in the cloud, the virtual machines must be self-defending, effectively moving the perimeter to the virtual machine itself.

● Enterprise perimeter security (i.e., firewalls, demilitarized zones [DMZs], network segmentation, intrusion detection and prevention systems [IDS/IPS], monitoring tools, and the associated security policies) only controls the data that resides and transits behind the perimeter.

● In the cloud computing world, the cloud computing provider is in charge of customer data security and privacy.

Software-as-a-Service Security

● Cloud computing models of the future will likely combine the use of SaaS (and other XaaS's as appropriate), utility computing and Web 2.0 collaboration technologies to leverage the Internet to satisfy their customer needs.

● New business models being developed as a result of the move to cloud computing are creating not only new technologies and business operational processes but also new security requirements and challenges as described previously.

● As the most recent evolutionary step in the cloud service model (Figure 4.5), SaaS will likely remain the dominant cloud service model for the predictable future and the area where the most critical need for security practices and oversight will reside.

● The technology analyst and consulting firm Gartner lists seven security issues which one should discuss with a cloud computing vendor.

● Privileged user access: inquire about who has specialized access to data and about the hiring and management of such administrators.

● Regulatory compliance: make sure that the vendor is willing to undergo external audits and/or security certifications.

● Data location: does the provider allow for any control over the location of data?

● Data segregation: make sure that encryption is available at all stages and that these encryption schemes were designed and tested by experienced professionals.

[Figure: evolution from left to right]
Managed Service Provider -> Infrastructure as a Service -> Platform as a Service -> Software as a Service

Figure 4.5 Evolution of cloud services

● Recovery: find out what will happen to data in the case of a disaster, and how a complete restoration would be performed.

● Investigative support: does the vendor have the ability to investigate any inappropriate or illegal activity?

● Long-term viability: what happens to the data if the company goes out of business, and in what format and by what process would the data be returned?

● To address the security issues listed above, SaaS providers will need to incorporate and enhance security practices used by the managed service providers and develop new ones as the cloud computing environment evolves.

Security Governance

● A security steering committee should be developed whose objective is to focus on providing guidance about security initiatives and alignment with business and IT strategies.

● A charter for the security team is typically one of the first deliverables from the steering committee.

● This charter must clearly define the roles and responsibilities of the security team and other groups involved in performing information security functions.

● Lack of a formalized strategy can lead to an unsustainable operating model and security level as it evolves.

● In addition, lack of attention to security governance can result in key needs of the business not being met, including but not limited to, risk management, security monitoring, application security, and sales support.

● Lack of proper governance and management of duties can also result in potential security risks being left unaddressed and opportunities to improve the business being missed because the security team is not focused on the key security functions and activities that are critical to the business.

VirtualMachineSecurity

● In the cloud environment, physical servers are consolidated to multiple virtual machine
instances on virtualized servers.
● Not only can data center security teams replicate typical security controls for the data
center at large to secure the virtual machines, they can also advise their customers on
how to prepare these machines for migration to a cloud environment when appropriate.

● Firewalls, intrusion detection and prevention, integrity monitoring and log inspection can
all be deployed as software on virtual machines to increase protection as well as
maintain compliance integrity of servers andapplications asvirtual resources movefrom
on-premises to public cloud environments.

● By deploying this traditional line of defense to the virtual machine itself, the user can
enable critical applications and data to be moved to the cloud securely.

● To facilitate the centralized management of a server firewall policy, the security software
loaded onto a virtual machine should include a bidirectional stateful firewall that enables
virtual machine isolation and location awareness, thereby enabling a tightened policy and
the flexibility to move the virtual machine from on-premises to cloud resources.

● Integrity monitoring and log inspection software must be applied at the virtual machine
level.

● This approach to virtual machine security, which connects the machine back to the
mother ship, has some advantages in that the security software can be put into a single
software agent that provides for consistent control and management throughout the
cloud while integrating seamlessly back into existing security infrastructure investments,
providing economies of scale, deployment, and cost savings for both the service provider
and the enterprise.

IAM

● Identity and access management is a critical function for every organization and a
fundamental expectation of SaaS customers is that the principle of least privilege is
granted to their data.
● The principle of least privilege states that only the minimum access necessary to perform
an operation should be granted, and that access should be granted only for the minimum
amount of time necessary.

● However, business and IT groups will need and expect access to systems and
applications.

● The advent of cloud services and services on demand is changing the identity
management landscape.

● Most of the current identity management solutions are focused on the enterprise and
typically are architected to work in a very controlled, static environment.

● User-centric identity management solutions such as federated identity management
make some assumptions about the parties involved and their related services.

● In the cloud environment, where services are offered on demand and they can
continuously evolve, aspects of current models such as trust assumptions, privacy
implications, and operational aspects of authentication and authorization, will be
challenged.

● Meeting these challenges will require a balancing act for SaaS providers as they evaluate
new models and management processes for IAM to provide end-to-end trust and
identity throughout the cloud and the enterprise.

● Another issue will be finding the right balance between usability and security. If a good
balance is not achieved, both business and IT groups may be affected by barriers to
completing their support and maintenance activities efficiently.

Security Standards

● Security standards define the processes, procedures, and practices necessary for
implementing a security program.

● These standards also apply to cloud related IT activities and include specific steps that
should be taken to ensure a secure environment is maintained that provides privacy and
security of confidential information in a cloud environment.

● Security standards are based on a set of key principles intended to protect this type of
trusted environment.

● Messaging standards, especially for security in the cloud, must also include nearly all the
same considerations as any other IT security endeavor.

● Security (SAML, OAuth, OpenID, SSL/TLS): A basic philosophy of security is to have layers
of defense, a concept known as defense in depth.

● This means having overlapping systems designed to provide security even if one system
fails. An example is a firewall working in conjunction with an intrusion-detection system
(IDS).

● Defense in depth provides security because there is no single point of failure and no
single entry vector at which an attack can occur.

● For this reason, a choice between implementing network security in the middle part of a
network (i.e., in the cloud) or at the endpoints is a false dichotomy.

● No single security system is a solution by itself, so it is far better to secure all systems.

● This type of layered security is precisely what we are seeing develop in cloud computing.
● Traditionally, security was implemented at the endpoints, where the user controlled
access.

● An organization had no choice except to put firewalls, IDSs, and antivirus software inside its own
network.

● Today, with the advent of managed security services offered by cloud providers,
additional security can be provided inside the cloud.

Security Assertion Markup Language (SAML)

● SAML is an XML-based standard for communicating authentication, authorization and
attribute information among online partners.

● It allows businesses to securely send assertions between partner organizations regarding
the identity and entitlements of a principal.

● The Organization for the Advancement of Structured Information Standards (OASIS)
Security Services Technical Committee is in charge of defining, enhancing and
maintaining the SAML specifications.

● SAML is built on a number of existing standards, namely, SOAP, HTTP and XML. SAML
relies on HTTP as its communications protocol and specifies the use of SOAP (currently,
version 1.1).

● Most SAML transactions are expressed in a standardized form of XML.

● SAML assertions and protocols are specified using XML schema.
● Both SAML 1.1 and SAML 2.0 use digital signatures (based on the XML Signature
standard) for authentication and message integrity.

● XML encryption is supported in SAML 2.0, though SAML 1.1 does not have encryption
capabilities.

● SAML defines XML-based assertions and protocols, bindings and profiles.

● The term SAML Core refers to the general syntax and semantics of SAML assertions as
well as the protocol used to request and transmit those assertions from one system
entity to another.

● SAML protocol refers to what is transmitted, not how it is transmitted.

● A SAML binding determines how SAML requests and responses map to standard
messaging protocols. An important (synchronous) binding is the SAML SOAP binding.

● SAML standardizes queries for, and responses that contain, user authentication,
entitlements and attribute information in an XML format.

● This format can then be used to request security information about a principal from a
SAML authority.

● A SAML authority, sometimes called the asserting party, is a platform or application
that can relay security information.

● The relying party (or assertion consumer or requesting party) is a partner site that
receives the security information.

● The exchanged information deals with a subject’s authentication status, access
authorization, and attribute information.

● A subject is an entity in a particular domain.

● A person identified by an email address is a subject, as might be a printer.

● SAML assertions are usually transferred from identity providers to service providers.

● Assertions contain statements that service providers use to make access control
decisions.

● Three types of statements are provided by SAML:

○ Authentication statements
○ Attribute statements
○ Authorization decision statements

● SAML assertions contain a packet of security information in this form:

<saml:Assertion A>

<Authentication>
</Authentication>

<Attribute>
</Attribute>

<AuthorizationDecision>
</AuthorizationDecision>

</saml:Assertion>

● The assertion shown above is interpreted as follows:
Assertion A, issued at time T by issuer I, regarding subject S, provided conditions C are valid.

● Authentication statements assert to a service provider that the principal did indeed
authenticate with an identity provider at a particular time using a particular method of
authentication.

● Other information about the authenticated principal (called the authentication context)
may be disclosed in an authentication statement.

● An attribute statement asserts that a subject is associated with certain attributes.

● An attribute is simply a name-value pair.

● An authorization decision statement asserts that a subject is permitted to perform action A on
resource R given evidence E.

● A SAML protocol describes how certain SAML elements (including assertions) are
packaged within SAML request and response elements.

● Generally, a SAML protocol is a simple request–response protocol.

● The most important type of SAML protocol request is a query.

● A service provider makes a query directly to an identity provider over a secure back
channel. For this reason, query messages are typically bound to SOAP.
● Corresponding to the three types of statements, there are three types of SAML queries:

○ Authentication query
○ Attribute query
○ Authorization decision query

● Of these, the attribute query is perhaps most important. The result of an attribute query is a
SAML response containing an assertion, which itself contains an attribute statement.

Open Authentication (OAuth)

● OAuth is an open protocol, initiated by Blaine Cook and Chris Messina, to allow secure
API authorization in a simple, standardized method for various types of web applications.

● Cook and Messina had concluded that there were no open standards for API access
delegation.

● The OAuth discussion group was created in April 2007, for the small group of
implementers to write the draft proposal for an open protocol.

● DeWitt Clinton of Google learned of the OAuth project and expressed interest in
supporting the effort.

● In July 2007, the team drafted an initial specification and it was released in October of the
same year.

● OAuth is a method for publishing and interacting with protected data.

● For developers, OAuth provides users access to their data while protecting account
credentials.

● OAuth allows users to grant access to their information, which is shared by the service
provider and consumers without sharing all of their identity.

● The Core designation is used to stress that this is the baseline, and other extensions and
protocols can build on it.

● By design, OAuth Core 1.0 does not provide many desired features (e.g., automated
discovery of endpoints, language support, support for XML-RPC and SOAP, standard
definition of resource access, OpenID integration, signing algorithms, etc.).

● This intentional lack of feature support is viewed by the authors as a significant benefit.

● The Core deals with fundamental aspects of the protocol, namely, to establish a
mechanism for exchanging a user name and password for a token with defined rights
and to provide tools to protect the token.

● It is important to understand that security and privacy are not guaranteed by the
protocol.

● In fact, OAuth by itself provides no privacy at all and depends on other protocols such as SSL to
accomplish that.

● OAuth can be implemented in a secure manner.

● In fact, the specification includes substantial security considerations that must be taken
into account when working with sensitive data.

● With OAuth, sites use tokens coupled with shared secrets to access resources.

● Secrets, just like passwords, must be protected.
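As an added example (not from the notes), how the tokens and shared secrets above are used in OAuth 1.0: the client signs each request with HMAC-SHA1 over the signature base string defined in RFC 5849 (the IETF publication of OAuth 1.0), keyed by the consumer secret and the token secret, and the server recomputes the signature from the same secrets; only the token and the signature travel, never the secrets. The URL, keys, tokens and secrets below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlparse


def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay unescaped."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & base-URL & normalized parameters (RFC 5849 section 3.4.1)."""
    u = urlparse(url)
    base_url = f"{u.scheme.lower()}://{u.netloc.lower()}{u.path}"
    # query-string parameters are signed together with the oauth_* and body ones
    pairs = list(parse_qsl(u.query, keep_blank_values=True)) + list(params.items())
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both shared secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}"
    mac = hmac.new(key.encode(), signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def oauth_params(consumer_key, token, nonce=None, timestamp=None):
    """Protocol parameters the client adds before signing (constructed values in tests)."""
    return {"oauth_consumer_key": consumer_key,
            "oauth_token": token,
            "oauth_signature_method": "HMAC-SHA1",
            "oauth_timestamp": str(timestamp or int(time.time())),
            "oauth_nonce": nonce or secrets.token_hex(8),
            "oauth_version": "1.0"}


def authorization_header(method, url, params, creds):
    """Client side: the Authorization header carries the token and the signature;
    the consumer secret and token secret in `creds` are never sent."""
    signed = {**params, "oauth_signature": sign(method, url, params,
                                                creds["consumer_secret"], creds["token_secret"])}
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"'
                                for k, v in sorted(signed.items()) if k.startswith("oauth_"))


def verify(method, url, params, consumer_secret, token_secret, presented):
    """Server side: recompute from the shared secrets and compare in constant time."""
    return hmac.compare_digest(sign(method, url, params, consumer_secret, token_secret), presented)
```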

OpenID

● OpenID is an open, decentralized standard for user authentication and access control
that allows users to log onto many services using the same digital identity.

● It is a single-sign-on (SSO) method of access control. As such, it replaces the common
log-in process (i.e., a log-in name and a password) by allowing users to log in once and
gain access to resources across participating systems.

● The original OpenID authentication protocol was developed in May 2005 by Brad
Fitzpatrick, creator of the popular community web site LiveJournal.

● In late June 2005, discussions began between OpenID developers and other developers
from an enterprise software company named NetMesh.

● These discussions led to further collaboration on interoperability between OpenID and
NetMesh’s similar Light-Weight Identity (LID) protocol.

● The direct result of the collaboration was the Yadis discovery protocol, which was
announced on October 24, 2005.

● The Yadis specification provides a general-purpose identifier for a person and any other
entity, which can be used with a variety of services.

● It provides syntax for a resource description document identifying services available
using that identifier and an interpretation of the elements of that document.

● Yadis discovery protocol is used for obtaining a resource description document, given
that identifier.

● Together these enable coexistence and interoperability of a rich variety of services using a
single identifier.

● The identifier uses a standard syntax and a well-established namespace and requires no
additional namespace administration infrastructure.

● An OpenID is in the form of a unique URL and is authenticated by the entity hosting the OpenID
URL.

● The OpenID protocol does not rely on a central authority to authenticate a user’s identity.

● Neither the OpenID protocol nor any web sites requiring identification can mandate that a
specific type of authentication be used; nonstandard forms of authentication such as
smart cards, biometrics, or ordinary passwords are allowed.

● A typical scenario for using OpenID might be something like this:

○ A user visits a web site that displays an OpenID login form.
○ Unlike a typical log-in form, which has fields for user name and password, the
OpenID log-in form has only one field for the OpenID identifier (which is an
OpenID URL).
○ This form is connected to an implementation of an OpenID client library.
○ A user will have previously registered an OpenID identifier with an OpenID
identity provider.
○ The user types this OpenID identifier into the OpenID log-in form.
○ The relying party then requests the web page located at that URL and reads an HTML
link tag to discover the identity provider service URL.

● With OpenID 2.0, the client discovers the identity provider service URL by requesting the XRDS
document (also called the Yadis document) with the content type application/xrds+xml,
which may be available at the target URL but is always available for a target XRI.

● There are two modes by which the relying party can communicate with the identity
provider: checkid_immediate and checkid_setup.

● In checkid_immediate, the relying party requests that the provider not interact with the
user. All communication is relayed through the user’s browser without explicitly notifying the
user.

● In checkid_setup, the user communicates with the provider server directly using the
same web browser as is used to access the relying party site.

● OpenID does not provide its own authentication methods, but if an identity provider uses strong
authentication, OpenID can be used for secure transactions.
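As an added example (not from the notes), the discovery and request-building steps of the scenario above in Python: the relying party reads the link tags from the page at the user's OpenID URL (rel values openid2.provider and openid2.local_id for OpenID 2.0, openid.server and openid.delegate for OpenID 1.x, as the OpenID specifications name them) and then builds the parameters of a checkid_immediate or checkid_setup request. The sample page, the URLs and the relying-party rule that the provider endpoint must be reachable over HTTPS are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

OPENID2_NS = "http://specs.openid.net/auth/2.0"

# Constructed sample of the page a relying party would fetch from a user's
# OpenID URL; the link tags advertise the identity provider for both versions.
SAMPLE_PAGE = """<html><head><title>Alice</title>
<link rel="openid2.provider" href="https://idp.example.org/openid/server">
<link rel="openid2.local_id" href="https://idp.example.org/users/alice">
<link rel="openid.server" href="https://idp.example.org/openid/server">
<link rel="openid.delegate" href="https://idp.example.org/users/alice">
</head><body>Alice's home page</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (rel, href) pairs from <link> tags that appear before <body>."""
    def __init__(self):
        super().__init__()
        self.links, self.in_head = [], True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_head = False
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.links.append((rel, a.get("href")))


def discover(html_text, claimed_id):
    """HTML-based discovery: returns (provider endpoint, local id, version) or None."""
    p = LinkCollector()
    p.feed(html_text)
    rels = {}
    for rel, href in p.links:
        rels.setdefault(rel, href)          # first occurrence wins
    if "openid2.provider" in rels:          # prefer OpenID 2.0, fall back to 1.x
        endpoint, local = rels["openid2.provider"], rels.get("openid2.local_id", claimed_id)
        version = "2.0"
    elif "openid.server" in rels:
        endpoint, local = rels["openid.server"], rels.get("openid.delegate", claimed_id)
        version = "1.1"
    else:
        return None
    # relying-party policy assumed here (not required by OpenID itself):
    # only talk to a provider endpoint reachable over TLS
    if urlparse(endpoint).scheme != "https":
        return None
    return endpoint, local, version


def checkid_request(discovered, claimed_id, return_to, realm, mode):
    """Parameters the relying party sends to the provider through the user's browser."""
    if mode not in ("checkid_immediate", "checkid_setup"):
        raise ValueError("mode must be checkid_immediate or checkid_setup")
    endpoint, local_id, version = discovered
    req = {"openid.mode": mode, "openid.identity": local_id, "openid.return_to": return_to}
    if version == "2.0":
        req.update({"openid.ns": OPENID2_NS, "openid.claimed_id": claimed_id,
                    "openid.realm": realm})
    else:
        req["openid.trust_root"] = realm    # OpenID 1.x name for the realm
    return endpoint, req
```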

● SSL/TLS: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL),
are cryptographically secure protocols designed to provide security and data integrity for
communications over TCP/IP.

● TLS and SSL encrypt the segments of network connections at the transport layer.

● Several versions of the protocols are in general use in web browsers, email, instant
messaging and Voice-over-IP (VoIP).

● TLS is an IETF standard protocol which was last updated in RFC 5246.

● The TLS protocol allows client/server applications to communicate across a network in a
way specifically designed to prevent eavesdropping, tampering, and message forgery.

● TLS provides endpoint authentication and data confidentiality by using cryptography.

● TLS authentication is one-way when only the server is authenticated: the client learns the
server’s identity, but the client itself remains unauthenticated.

● TLS also supports a more secure bilateral connection mode whereby both ends of the
connection can be assured that they are communicating with whom they believe they
are connected.

● This is known as mutual authentication.

● Mutual authentication requires the TLS client side to also maintain a certificate.

● TLS involves three basic phases:

○ Peer negotiation for algorithm support
○ Key exchange and authentication
○ Symmetric cipher encryption and message authentication

TWO MARK QUESTIONS

1. List the runtime supporting services in the cloud computing environment.

● Cluster monitoring is used to collect the runtime status of the entire cluster.
● The scheduler queues the tasks submitted to the whole cluster and assigns the tasks to
the processing nodes according to node availability.
● The distributed scheduler for the cloud application has special characteristics that can
support cloud applications, such as scheduling the programs written in MapReduce
style.

2. Why does intercloud resource management require a runtime support system?

● The runtime support system keeps the cloud cluster working properly with high
efficiency.
● Runtime support is software needed in browser-initiated applications applied by
thousands of cloud customers.

3. Differentiate between overprovisioning and underprovisioning.

● Underprovisioning of resources will lead to broken SLAs and penalties.
● Overprovisioning of resources will lead to resource underutilization, and
consequently, a decrease in revenue for the provider.
● Overprovisioning with the peak load causes heavy resource waste (shaded area).
● Underprovisioning (along the capacity line) of resources results in losses by both
user and provider in that paid demand by the users (the shaded area above the
capacity) is not served and wasted resources still exist for those demanded areas
below the provisioned capacity.

4. List the various resource provisioning methods.

● Demand-driven resource provisioning
● Event-driven resource provisioning
● Popularity-driven resource provisioning
● Global exchange of cloud resources

5. What is demand-driven resource provisioning?

● This method adds or removes computing instances based on the current utilization
level of the allocated resources.
● The demand-driven method automatically allocates two Xeon processors for the user
application when the user was using one Xeon processor more than 60 percent of
the time for an extended period.

6. Write short notes on cloud security.

● Cloud service providers must learn from the managed service provider (MSP) model
and ensure that their customer’s applications and data are secure if they hope to
retain their customer base and competitiveness.
● Security ranked first as the greatest challenge or issue of cloud computing.

7. List the challenges in cloud security.

● Enterprise security is only as good as the least reliable partner, department, or vendor.
● With the cloud model, users lose control over physical security.
● In a public cloud, the users are sharing computing resources with other companies.
● In a shared pool outside the enterprise, users don’t have any knowledge or control of where
the resources run.
● Storage services provided by one cloud vendor may be incompatible with another
vendor’s services should you decide to move from one to the other.
● Ensuring the integrity of the data really means that it changes only in response to
authorized transactions.

8. List the seven security issues with respect to a cloud computing vendor.

● Privileged user access
● Regulatory compliance
● Data location
● Data segregation
● Recovery
● Investigative support
● Long-term viability

9. What is the purpose of security governance?

● A security steering committee should be developed whose objective is to focus on
providing guidance about security initiatives and alignment with business and IT
strategies.
● A charter for the security team is typically one of the first deliverables from the
steering committee.

10. How is virtual machine security performed?

● Firewalls, intrusion detection and prevention, integrity monitoring, and log inspection can
all be deployed as software on virtual machines to increase protection and maintain
compliance integrity of servers and applications as virtual resources move from on-
premises to public cloud environments.
● Integrity monitoring and log inspection software must be applied at the virtual
machine level.

11. Define IAM.

● Identity and access management is a critical function for every organization, and a
fundamental expectation of SaaS customers is that the principle of least privilege is
granted to their data.

12. Why does the cloud require security standards?

● Security standards define the processes, procedures, and practices necessary for
implementing a security program.
● These standards also apply to cloud related IT activities and include specific steps
that should be taken to ensure a secure environment is maintained that provides
privacy and security of confidential information in a cloud environment.

13. What is SAML?

● Security Assertion Markup Language (SAML) is an XML-based standard for
communicating authentication, authorization, and attribute information among online
partners.
● It allows businesses to securely send assertions between partner organizations
regarding the identity and entitlements of a principal.

14. List the types of statements provided by SAML.

● Authentication statements
● Attribute statements
● Authorization decision statements

15. Describe the SAML protocol.

● A SAML protocol describes how certain SAML elements (including assertions) are packaged
within SAML request and response elements.
● SAML protocol is a simple request–response protocol.
● The most important type of SAML protocol request is a query.

16. List the types of SAML queries.

● Authentication query
● Attribute query
● Authorization decision query

17. What is OAuth?

● OAuth (Open authentication) is an open protocol, initiated by Blaine Cook and Chris
Messina, to allow secure API authorization in a simple, standardized method for
various types of web applications.
● OAuth is a method for publishing and interacting with protected data.
● OAuth allows users to grant access to their information, which is shared by the
service provider and consumers without sharing all of their identity.

18. What is the purpose of OpenID?

● OpenID is an open, decentralized standard for user authentication and access control
that allows users to log onto many services using the same digital identity.
● It is a single-sign-on (SSO) method of access control.
● An OpenID is in the form of a unique URL and is authenticated by the entity hosting
the OpenID URL.

19. Why does the cloud environment need SSL/TLS?

● Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer
(SSL), are cryptographically secure protocols designed to provide security and data
integrity for communications over TCP/IP.
● TLS and SSL encrypt the segments of network connections at the transport layer.

20. What is mutual authentication?

● TLS also supports a more secure bilateral connection mode whereby both ends of the
connection can be assured that they are communicating with whom they believe they
are connected. This is known as mutual authentication.
● Mutual authentication requires the TLS client side to also maintain a certificate.
-------------------------------------------------------------------------------------------------------------------------------

UNIT V CLOUD TECHNOLOGIES AND ADVANCEMENTS

Hadoop – MapReduce – Virtual Box -- Google App Engine – Programming Environment for
Google App Engine – Open Stack – Federation in the Cloud – Four Levels of Federation – Federated Services
and Applications – Future of Federation.

-------------------------------------------------------------------------------------------------------------------------------

Hadoop

● Hadoop is an open source implementation of MapReduce coded and released in Java
(rather than C) by Apache.

● The Hadoop implementation of MapReduce uses the Hadoop Distributed File System
(HDFS) as its underlying layer rather than GFS.

● The Hadoop core is divided into two fundamental layers:

○ MapReduce engine
○ HDFS

● The MapReduce engine is the computation engine running on top of HDFS as its data
storage manager.

● HDFS is a distributed file system inspired by GFS that organizes files and stores their
data on a distributed computing system.

● HDFS Architecture: HDFS has a master/slave architecture containing a single
NameNode as the master and a number of DataNodes as workers (slaves).

● To store a file in this architecture, HDFS splits the file into fixed-size blocks (e.g., 64 MB) and
stores them on workers (DataNodes).

● The mapping of blocks to DataNodes is determined by the NameNode.

● The NameNode (master) also manages the file system’s metadata and namespace.

● In such systems, the namespace is the area maintaining the metadata and metadata
refers to all the information stored by a file system that is needed for overall
management of all files.

● For example, the NameNode in the metadata stores all information regarding the location of
input splits/blocks in all DataNodes.

● Each DataNode, usually one per node in a cluster, manages the storage attached to the
node. Each DataNode is responsible for storing and retrieving its file blocks.

● HDFS Features: Distributed file systems have special requirements, such as performance,
scalability, concurrency control, fault tolerance and security requirements, to operate
efficiently.

● However, because HDFS is not a general purpose file system, as it only executes specific
types of applications, it does not need all the requirements of a general distributed file
system.

● One of the main aspects of HDFS is its fault tolerance characteristic. Since Hadoop is
designed to be deployed on low-cost hardware by default, a hardware failure in this
system is considered to be common rather than an exception.

● Hadoop considers the following issues to fulfill reliability requirements of the file system:

○ Block replication: To reliably store data in HDFS, file blocks are replicated in this
system. The replication factor is set by the user and is three by default.
○ Replica placement: The placement of replicas is another factor to fulfill the
desired fault tolerance in HDFS.
○ Heartbeat and Block report messages: Heartbeats and Block reports are periodic
messages sent to the NameNode by each DataNode in a cluster.
○ Applications run on HDFS typically have large data sets, individual files are
broken into large blocks (e.g., 64 MB) to allow HDFS to decrease the amount of
metadata storage required per file.
○ This provides two advantages:

■ The list of blocks per file will shrink as the size of individual blocks
increases.
■ Keeping large amounts of data sequentially within a block provides fast
streaming reads of data.

● HDFS Operation: The control flow of HDFS operations such as write and read can
properly highlight the roles of the NameNode and DataNodes in the managing operations.

○ To read a file in HDFS, a user sends an “open” request to the NameNode to get
the location of file blocks.
○ For each file block, the NameNode returns the address of a set of DataNodes
containing replica information for the requestedfile.
○ The number of addresses depends on the number of block replicas. Upon
receiving such information, the user calls the read function to connect to the
closest DataNode containing the first block of the file.
○ After the first block is streamed from the respective DataNode to the user, the
established connection is terminated and the same process is repeated for all
blocks of the requested file until the whole file is streamed to the user.
○ To write a file in HDFS, a user sends a “create” request to the NameNode to
create a new file in the file system namespace.
○ If the file does not exist, the NameNode notifies the user and allows him to start
writing data to the file by calling the write function.
○ The first block of the file is written to an internal queue termed the data queue
while a data streamer monitors its writing into a DataNode.
○ Since each file block needs to be replicated by a predefined factor, the data
streamer first sends a request to the NameNode to get a list of suitable
DataNodes to store replicas of the first block.
○ The streamer then stores the block in the first allocated DataNode.
○ Afterward, the block is forwarded to the second DataNode by the first DataNode.
○ The process continues until all allocated DataNodes receive a replica of the first
block from the previous DataNode.
○ Once this replication process is finalized, the same process starts for the second
block and continues until all blocks of the file are stored and replicated on the file
system.

MapReduce

● The topmost layer of Hadoop is the MapReduce engine that manages the data flow and
control flow of MapReduce jobs over distributed computing systems.

Figure 5.1 HDFS and MapReduce Architecture

● Figure 5.1 shows the MapReduce engine architecture cooperating with HDFS.

● Similar to HDFS, the MapReduce engine also has a master/slave architecture consisting of a
single JobTracker as the master and a number of TaskTrackers as the slaves
(workers).

● The JobTracker manages the MapReduce job over a cluster and is responsible for
monitoring jobs and assigning tasks to TaskTrackers.

● The TaskTracker manages the execution of the map and/or reduce tasks on a single
computation node in the cluster.

● Each TaskTracker node has a number of simultaneous execution slots, each executing
either a map or a reduce task.

● Slots are defined as the number of simultaneous threads supported by CPUs of the
TaskTracker node.

● For example, a TaskTracker node with N CPUs, each supporting M threads, has M * N
simultaneous execution slots.

● It is worth noting that each data block is processed by one map task running on a single slot.

● Therefore, there is a one-to-one correspondence between map tasks in a TaskTracker and
data blocks in the respective DataNode.

Running a Job in Hadoop

● Three components contribute in running a job in this system:

○ User node
○ JobTracker
○ TaskTrackers

● The data flow starts by calling the runJob(conf) function inside a user program running
on the user node, in which conf is an object containing some tuning parameters for the
MapReduce framework and HDFS.

● The runJob(conf) function and conf are comparable to the MapReduce(Spec, &Results)
function and Spec in the first implementation of MapReduce by Google.

● Figure 5.2 depicts the data flow of running a MapReduce job in Hadoop.

Figure 5.2 Data flow in Hadoop

● Job Submission: Each job is submitted from a user node to the JobTracker node that
might be situated in a different node within the cluster through the following procedure:

○ A user node asks for a new job ID from the JobTracker and computes input file splits.
○ The user node copies some resources, such as the job’s JAR file, configuration
file, and computed input splits, to the JobTracker’s file system.
○ The user node submits the job to the JobTracker by calling the submitJob()
function.
○ Task assignment: The JobTracker creates one map task for each computed input
split by the user node and assigns the map tasks to the execution slots of the
TaskTrackers.
■ The JobTracker considers the localization of the data when assigning the
map tasks to the TaskTrackers.
■ The JobTracker also creates reduce tasks and assigns them to the
TaskTrackers.
■ The number of reduce tasks is predetermined by the user, and there is no
locality consideration in assigning them.

○ Task execution: The control flow to execute a task (either map or reduce) starts inside
the TaskTracker by copying the job JAR file to its file system.
○ Instructions inside the job JAR file are executed after launching a Java Virtual
Machine (JVM) to run its map or reduce task.
○ Task running check: A task running check is performed by receiving periodic
heartbeat messages to the JobTracker from the TaskTrackers.
○ Each heartbeat notifies the JobTracker that the sending TaskTracker is alive, and
whether the sending TaskTracker is ready to run a new task.
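As an added example (not from the notes and not Hadoop's own code), a small Python model of the HDFS and MapReduce flow described in this unit: a file is cut into blocks, each block is written through a replication pipeline to DataNodes chosen by a NameNode, and a job then runs one map task per block on a node holding that block before shuffling by key and reducing. Block size, node names and the word-count map and reduce functions are constructed for the demonstration; the line-aligned block split is a simplification noted in the code.

```python
from collections import defaultdict
from itertools import cycle

BLOCK_SIZE = 64      # characters in this model; HDFS uses large blocks such as 64 MB
REPLICATION = 3      # HDFS default replication factor


class DataNode:
    """Stores blocks and forwards each one down the replication pipeline."""
    def __init__(self, name):
        self.name, self.blocks = name, {}

    def write(self, block_id, data, downstream):
        self.blocks[block_id] = data
        if downstream:                      # hand the block to the next DataNode
            downstream[0].write(block_id, data, downstream[1:])


class NameNode:
    """Holds the namespace: file -> block ids, block id -> replica DataNodes."""
    def __init__(self, datanodes):
        self.datanodes = list(datanodes)
        self.files, self.block_locations = {}, {}
        self._next = cycle(range(len(self.datanodes)))

    def allocate(self, block_id, factor):
        """Choose `factor` distinct DataNodes for a block (round-robin placement)."""
        if factor > len(self.datanodes):
            raise ValueError("replication factor exceeds number of DataNodes")
        start = next(self._next)
        chosen = [self.datanodes[(start + i) % len(self.datanodes)] for i in range(factor)]
        self.block_locations[block_id] = chosen
        return chosen


def split_blocks(text, size=BLOCK_SIZE):
    """Cut text into blocks of at most `size` characters without splitting a line
    (a simplification: HDFS blocks are fixed-size and the input format handles
    records that straddle a block boundary; an oversized line becomes its own block)."""
    blocks, current = [], ""
    for line in text.splitlines(keepends=True):
        if current and len(current) + len(line) > size:
            blocks.append(current)
            current = ""
        current += line
    if current:
        blocks.append(current)
    return blocks


def hdfs_write(namenode, filename, text, factor=REPLICATION):
    """'create' the file, then stream each block through its replica pipeline."""
    ids = []
    for n, chunk in enumerate(split_blocks(text)):
        block_id = f"{filename}#{n}"
        pipeline = namenode.allocate(block_id, factor)
        pipeline[0].write(block_id, chunk, pipeline[1:])
        ids.append(block_id)
    namenode.files[filename] = ids
    return ids


def hdfs_read(namenode, filename):
    """'open' the file: ask the NameNode where each block is, read from the first replica."""
    return "".join(namenode.block_locations[b][0].blocks[b] for b in namenode.files[filename])


def run_job(namenode, filename, map_fn, reduce_fn):
    """One map task per block on a node holding that block, shuffle by key, reduce."""
    intermediate = defaultdict(list)
    for block_id in namenode.files[filename]:
        local_node = namenode.block_locations[block_id][0]
        for key, value in map_fn(local_node.blocks[block_id]):
            intermediate[key].append(value)
    return {key: reduce_fn(key, values) for key, values in intermediate.items()}


def word_map(block):
    return [(word, 1) for word in block.split()]


def sum_reduce(key, values):
    return sum(values)
```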

VirtualBox

● Oracle VM VirtualBox is a cross-platform virtualization application.

● For one thing, it installs on the existing Intel or AMD-based computers, whether they are running
Windows, Mac OS X, Linux, or Oracle Solaris operating systems (OSes).

● Secondly, it extends the capabilities of the existing computer so that it can run multiple OSes,
inside multiple virtual machines, at the same time.

● As an example, the end user can run Windows and Linux on a Mac, run Windows
Server 2016 on a Linux server, run Linux on a Windows PC, and so on, all
alongside the existing applications.

● The user can install and run as many virtual machines as they like.

● The only practical limits are disk space and memory.

● Oracle VM VirtualBox is deceptively simple yet also very powerful.

● It can run everywhere from small embedded systems or desktop class machines all the
way up to datacenter deployments and even Cloud environments.

● VirtualBox was created by Innotek and was later acquired by Sun Microsystems. In 2010,
VirtualBox was acquired by Oracle.

Figure 5.3 Architecture of VirtualBox

● VirtualBox is supported on Windows, macOS, Linux, Solaris and OpenSolaris.

● Figure 5.3 depicts the architecture of VirtualBox.

● The user can independently configure each VM and run it under a choice of software-
based virtualization or hardware assisted virtualization if the underlying host hardware
supports this.

● The host OS and guest OSs and applications can communicate with each other through a
number of mechanisms including a common clipboard and a virtualized network facility.

● Guest VMs can also directly communicate with each other if configured to do so.

● Software-based virtualization was dropped starting with VirtualBox 6.1. In earlier
versions, in the absence of hardware-assisted virtualization, VirtualBox adopted a standard
software-based virtualization approach.

● This mode supports 32-bit guest OSs which run in rings 0 and 3 of the Intel ring architecture.

○ The system reconfigures the guest OS code, which would normally run in ring 0,
to execute in ring 1 on the host hardware.
○ Because this code contains many privileged instructions which cannot runnatively
in ring 1, VirtualBox employs a Code Scanning and Analysis Manager (CSAM) to
scan the ring 0 code recursively before its first execution to identify problematic
instructions and then calls the Patch Manager (PATM) to perform in- situ
patching.
○ This replaces the instruction with a jump to a VM-safe equivalent compiled code
fragment in hypervisor memory.
○ The guest user mode code, running in ring 3, generally runs directly on the host
hardware in ring 3.

● In both cases, VirtualBox uses CSAMand PATMto inspect and patch the offending
instructions whenever a fault occurs.

● VirtualBox also contains a dynamic recompiler, based on QEMU to recompile any real
mode or protected mode code entirely.

● Hardwareassistedvirtualizationisstartingwithversion6.1,VirtualBoxonlysupports.

● VirtualBox supportsbothIntelVT-XandAMD-Vhardwareassistedvirtualization.

● Making use of thesefacilities,VirtualBox can runeach guest VMin itsown separate


address-space.

● TheguestOSring0code runsonthehostatring0inVMXnon-rootmoderatherthanin ring 1.

● Until then, VirtualBox specifically supportedsomeguests (including64bitguests, SMP


guestsand certain proprietary OSs)onlyonhostswith hardware-assistedvirtualization

● Thesystememulatesharddisksinoneofthreediskimageformats:

○ VDI: This format is the VirtualBox-specific VirtualBox Disk Image and stores data
in files bearing a ".vdi" .
○ VMDK: This open format is used by VMware products and stores data in one or
more files bearing ".vmdk" filename extensions. A single virtual hard disk may
span several files.
○ VHD: This format is used byWindows Virtual PCand Hyper-V and it is the native
virtualdiskformatoftheMicrosoftWindowsoperatingsystem.Datainthisformat are
stored in a single file bearing the ".vhd" filename extension.
● A VirtualBoxvirtualmachine can, therefore, usediskspreviouslycreated inVMware or
Microsoft Virtual PC, as well as its own native format.
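Because the filename extension says nothing reliable about what a disk image actually contains, an administrator or forensic examiner identifies the three formats above by their on-disk signatures. The following detector is an added example, not code from VirtualBox or from these notes; the signature values (the VDI text banner and 0xBEDA107F marker at offset 64, the "KDMV" magic of sparse VMDK extents and the "# Disk DescriptorFile" text of VMDK descriptors, and the "conectix" cookie in the 512-byte VHD footer) are taken from the formats' published layouts as the author of this example knows them, and the sample images are constructed header stubs, not real disks.

```python
"""Identify a virtual disk image by its on-disk signature (VDI, VMDK or VHD)."""
import struct

# Signatures as published for each format (assumed here, not taken from the notes):
#   VDI : ASCII banner in the first 64 bytes, then 32-bit LE signature 0xBEDA107F at offset 64
#   VMDK: sparse extents start with the magic "KDMV"; text descriptors with "# Disk DescriptorFile"
#   VHD : 512-byte footer whose first 8 bytes are the cookie "conectix"; dynamic VHDs also
#         carry a copy of that footer at offset 0
VDI_SIGNATURE = 0xBEDA107F
VMDK_MAGIC = b"KDMV"
VMDK_DESCRIPTOR = b"# Disk DescriptorFile"
VHD_COOKIE = b"conectix"


def detect_image_format(data: bytes) -> str:
    """Return 'VDI', 'VMDK', 'VHD' or 'unknown' for the raw bytes of an image file."""
    if (len(data) >= 68
            and struct.unpack_from("<I", data, 64)[0] == VDI_SIGNATURE
            and b"VirtualBox Disk Image" in data[:64]):
        return "VDI"
    if data.startswith(VMDK_MAGIC) or data.startswith(VMDK_DESCRIPTOR):
        return "VMDK"
    if data.startswith(VHD_COOKIE) or (len(data) >= 512 and data[-512:].startswith(VHD_COOKIE)):
        return "VHD"
    return "unknown"


def make_sample(fmt: str) -> bytes:
    """Constructed minimal header stubs for testing; not real, mountable images."""
    if fmt == "VDI":
        banner = b"<<< Oracle VM VirtualBox Disk Image >>>\n".ljust(64, b"\0")
        return banner + struct.pack("<I", VDI_SIGNATURE) + b"\0" * 60
    if fmt == "VMDK":
        return VMDK_MAGIC + struct.pack("<I", 1) + b"\0" * 120   # magic, version 1
    if fmt == "VHD":
        # fixed-size VHD: arbitrary data followed by the 512-byte footer at the very end
        return b"\xff" * 1024 + VHD_COOKIE + b"\0" * 504
    return b"\0" * 1024


if __name__ == "__main__":
    for fmt in ("VDI", "VMDK", "VHD", "raw"):
        print(fmt, "->", detect_image_format(make_sample(fmt)))
```

Checking the signature rather than trusting the extension matters when images are imported from other hypervisors or received from third parties: a file renamed to ".vdi" that is really a VMDK descriptor is caught before it is attached to a VM.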

● VirtualBox can also connect to iSCSI targets and to raw partitions on the host, using either
as virtual hard disks.

● VirtualBox has supported the Open Virtualization Format (OVF).

● By default, VirtualBox provides graphics support through a custom virtual graphics card.

● For an Ethernet network adapter, VirtualBox virtualizes these Network Interface Cards:

○ AMD PCnet PCI II
○ AMD PCnet-Fast III
○ Intel Pro/1000 MT Desktop
○ Intel Pro/1000 MT Server
○ Intel Pro/1000 T Server
○ Paravirtualized network adapter

● For a sound card, VirtualBox virtualizes Intel HD Audio.

● A USB controller is emulated so that any USB devices attached to the host can be seen in
the guest.

● Oracle VM VirtualBox was designed to be modular and flexible.

● When the Oracle VM VirtualBox graphical user interface (GUI) is opened and a VM is
started, at least the following three processes are running:

○ VBoxSVC is the Oracle VM VirtualBox service process which always runs in the
background. This process is started automatically by the first Oracle VM
VirtualBox client process and exits a short time after the last client exits.
○ The first Oracle VM VirtualBox client process can be the GUI, VBoxManage,
VBoxHeadless or the web service, amongst others.
○ The service is responsible for bookkeeping, maintaining the state of all VMs, and for
providing communication between Oracle VM VirtualBox components.

● Oracle VM VirtualBox comes with comprehensive support for third-party developers.

● The Main API of Oracle VM VirtualBox exposes the entire feature set of the virtualization
engine.

● The Main API is made available to C++ clients through COM on Windows hosts or
XPCOM on other hosts. Bridges also exist for SOAP, Java and Python.

GoogleAppEngine

● Google has the world's largest search engine facilities.

● The company has extensive experience in massive data processing that has led to new
insights into data center design and novel programming models that scale to incredible
sizes.

● The Google platform is based on its search engine expertise.

● Google has hundreds of data centers and has installed more than 460,000 servers
worldwide.

● For example, 200 Google data centers are used at one time for a number of cloud
applications.

● Data items are stored as text, images, and video and are replicated to tolerate faults or
failures.

● Google's App Engine (GAE) offers a PaaS platform supporting various cloud and
web applications.

● Google has pioneered cloud development by leveraging the large number of data
centers it operates.

● For example, Google pioneered cloud services in Gmail, Google Docs, and Google
Earth, among other applications.

● These applications can support a large number of users simultaneously with HA.

● Notable technology achievements include the Google File System (GFS), MapReduce,
BigTable, and Chubby.

● In 2008, Google announced the GAE web application platform, which is becoming a
common platform for many small cloud service providers.

● This platform specializes in supporting scalable (elastic) web applications.

● GAE enables users to run their applications on a large number of data centers
associated with Google's search engine operations.

GAE Architecture

● Figure 5.4 shows the major building blocks of the Google cloud platform which has been used to
deliver the cloud services highlighted earlier.

● GFS is used for storing large amounts of data.

● MapReduce is for use in application program development.

● Chubby is used for distributed application lock services.

● BigTable offers a storage service for accessing structured data.

● Users can interact with Google applications via the web interface provided by each
application.

● Third-party application providers can use GAE to build cloud applications for providing
services.

● The applications all run in data centers under tight management by Google engineers.
Inside each data center, there are thousands of servers forming different clusters.

Figure 5.4 Google cloud platform (figure not reproduced; its blocks are the user, the application, the node scheduler and scheduler slaves, jobs, MapReduce, the BigTable server, Chubby, the GFS master and the GFS chunk server nodes)

● Google is one of the larger cloud application providers, although its fundamental service
programs are private and outside people cannot use the Google infrastructure to build their
own services.

● The building blocks of Google's cloud computing application include the Google File
System for storing large amounts of data, the MapReduce programming framework for
application developers, Chubby for distributed application lock services, and BigTable as
a storage service for accessing structured or semi-structured data.

● With these building blocks, Google has built many cloud applications.

● Figure 5.4 shows the overall architecture of the Google cloud infrastructure.

● A typical cluster configuration can run the Google File System, MapReduce jobs and
BigTable servers for structured data.

● Extra services such as Chubby for distributed locks can also run in the clusters.

● GAE runs the user program on Google's infrastructure. As it is a platform running third-
party programs, application developers now do not need to worry about the maintenance of
servers.

● GAE can be thought of as the combination of several software components.

● The frontend is an application framework which is similar to other web application
frameworks such as ASP, J2EE and JSP.

● At the time of this writing, GAE supports Python and Java programming environments.
The applications can run similarly to web application containers.

● The frontend can be used as the dynamic web serving infrastructure which can provide
full support of common technologies.

Functional Modules of GAE

● The GAE platform comprises the following five major components.

● GAE is not an infrastructure platform, but rather an application development
platform for users.
○ The datastore offers object-oriented, distributed, structured data storage services
based on BigTable techniques. The datastore secures data management
operations.
○ The application runtime environment offers a platform for scalable web
programming and execution. It supports two development languages: Python and Java.
○ The software development kit (SDK) is used for local application development.
The SDK allows users to execute test runs of local applications and upload
application code.
○ The administration console is used for easy management of user application
development cycles, instead of for physical resource management.
○ The GAE web service infrastructure provides special interfaces to guarantee
flexible use and management of storage and network resources by GAE.

● Google offers essentially free GAE services to all Gmail account owners.

● The user can register for a GAE account or use a Gmail account name to sign up for the
service.

● The service is free within a quota.

● If the user exceeds the quota, the page instructs how to pay for the service. Then the user can
download the SDK and read the Python or Java guide to get started.

● Note that GAE only accepts the Python, Ruby and Java programming languages.

● The platform does not provide any IaaS services, unlike Amazon, which offers IaaS and
PaaS.

● This model allows the user to deploy user-built applications on top of the cloud
infrastructure that are built using the programming languages and software tools
supported by the provider (e.g., Java, Python).

● Azure does this similarly for .NET. The user does not manage the underlying cloud
infrastructure.

● The cloud provider facilitates support of application development, testing, and operation
support on a well-defined service platform.

GAE Applications

● Best-known GAE applications include the Google Search Engine, Google Docs, Google
Earth and Gmail.

● These applications can support large numbers of users simultaneously.

● Users can interact with Google applications via the web interface provided by each
application.

● Third-party application providers can use GAE to build cloud applications for providing
services.

● The applications are all run in the Google data centers.

● Inside each data center, there might be thousands of server nodes forming different
clusters.

● Each cluster can run multipurpose servers.

● GAE supports many web applications.

● One is a storage service to store application-specific data in the Google infrastructure.

● The data can be persistently stored in the backend storage server while still providing
the facility for queries, sorting and even transactions similar to traditional database
systems.

● GAE also provides Google-specific services, such as the Gmail account service. This can eliminate
the tedious work of building customized user management components in web
applications.

Programming Environment for Google App Engine

● Several web resources (e.g., http://code.google.com/appengine/) and specific books and
articles discuss how to program GAE.

● Figure 5.5 summarizes some key features of the GAE programming model for the two supported
languages: Java and Python.

● A client environment that includes an Eclipse plug-in for Java allows you to debug your
GAE application on your local machine.

● Also, the GWT Google Web Toolkit is available for Java web application developers.
Developers can use this, or any other language using a JVM-based interpreter or
compiler, such as JavaScript or Ruby.

● Python is often used with frameworks such as Django and CherryPy, but Google also
supplies a built-in webapp Python environment.

● There are several powerful constructs for storing and accessing data.

● The data store is a NoSQL data management system for entities that can be, at most, 1
MB in size and are labeled by a set of schema-less properties.

Figure 5.5 Programming Environment of Google App Engine (figure not reproduced; it shows a Python or Java application using the DataStore, Memcache, Blobstore, Google API, URL Fetch, Mail, Users and Admin Console services, with a tunnel server passing through a firewall to the Google Secure Data Connection and a secure intranet hosting Google corporate apps)

● Queries can retrieve entities of a given kind filtered and sorted by the values of the
properties.

● Java offers Java Data Object (JDO) and Java Persistence API (JPA) interfaces
implemented by the open source DataNucleus Access platform, while Python has a
SQL-like query language called GQL.

● The datastore is strongly consistent and uses optimistic concurrency control.

● An update of an entity occurs in a transaction that is retried a fixed number of times if
other processes are trying to update the same entity simultaneously.

● The user application can execute multiple datastore operations in a single transaction which
either all succeed or all fail together.

● The datastore implements transactions across its distributed network using entity
groups.

● A transaction manipulates entities within a single group.

● Entities of the same group are stored together for efficient execution of transactions.

● The user GAE application can assign entities to groups when the entities are created.
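The transaction rules just listed (optimistic concurrency control, a fixed number of retries on contention, all-or-nothing commits, and a transaction confined to one entity group) can be seen working together in a small in-memory model. This is an added example written for these notes, not Google's datastore code or API: the Datastore, Transaction and run_in_transaction names, the per-group version counter used to detect conflicts, and the "Account"/"Ledger" entities are all constructed for the illustration.

```python
"""Optimistic concurrency with entity groups, modelled on the GAE datastore rules above."""
from typing import Callable, Dict, Tuple

Key = Tuple[str, ...]            # key path, e.g. ("Account", "alice", "Ledger", "1")


class Contention(Exception):
    """Another process committed to the same entity group after we read it."""


class CrossGroupError(Exception):
    """A transaction touched entities from two different entity groups."""


class Datastore:
    def __init__(self) -> None:
        self._entities: Dict[Key, dict] = {}
        self._group_version: Dict[Key, int] = {}   # root key -> commit counter

    @staticmethod
    def group_of(key: Key) -> Key:
        # The root entity (first kind/name pair of the key path) names the entity group
        return key[:2]

    def get(self, key: Key) -> dict:
        return dict(self._entities.get(key, {}))

    def version(self, group: Key) -> int:
        return self._group_version.get(group, 0)


class Transaction:
    def __init__(self, ds: Datastore) -> None:
        self.ds = ds
        self.group = None
        self.snapshot_version = 0
        self.writes: Dict[Key, dict] = {}

    def _bind(self, key: Key) -> None:
        group = Datastore.group_of(key)
        if self.group is None:
            self.group = group
            self.snapshot_version = self.ds.version(group)   # optimistic snapshot of the group
        elif group != self.group:
            raise CrossGroupError(f"{key} is outside group {self.group}")

    def get(self, key: Key) -> dict:
        self._bind(key)
        return dict(self.writes.get(key) or self.ds.get(key))

    def put(self, key: Key, props: dict) -> None:
        self._bind(key)
        self.writes[key] = dict(props)

    def commit(self) -> None:
        """All writes land together, or none do if the group changed since our snapshot."""
        if self.group is None:
            return
        if self.ds.version(self.group) != self.snapshot_version:
            raise Contention(self.group)
        self.ds._entities.update(self.writes)
        self.ds._group_version[self.group] = self.snapshot_version + 1


def run_in_transaction(ds: Datastore, body: Callable[[Transaction], object], retries: int = 3):
    """Retry the body a fixed number of times on contention, as the datastore does."""
    for _ in range(retries):
        tx = Transaction(ds)
        result = body(tx)
        try:
            tx.commit()
            return result
        except Contention:
            continue
    raise Contention("gave up after %d attempts" % retries)


def debit_with_interference(ds: Datastore) -> Tuple[int, int]:
    """Constructed scenario: a competing commit sneaks in between our read and our commit."""
    attempts = {"n": 0}

    def body(tx: Transaction):
        attempts["n"] += 1
        acct = tx.get(("Account", "alice"))
        if attempts["n"] == 1:
            # simulate another process updating the same entity group concurrently
            other = Transaction(ds)
            o = other.get(("Account", "alice"))
            o["balance"] += 5
            other.put(("Account", "alice"), o)
            other.commit()
        acct["balance"] -= 10
        tx.put(("Account", "alice"), acct)
        tx.put(("Account", "alice", "Ledger", "1"), {"delta": -10})  # same group as the root
        return acct["balance"]

    return run_in_transaction(ds, body), attempts["n"]


def demo() -> dict:
    ds = Datastore()
    ds._entities[("Account", "alice")] = {"balance": 100}   # constructed seed data
    balance, attempts = debit_with_interference(ds)
    return {"balance": balance, "attempts": attempts,
            "ledger": ds.get(("Account", "alice", "Ledger", "1"))}


def touches_two_groups() -> bool:
    """A single transaction cannot span entity groups."""
    tx = Transaction(Datastore())
    tx.get(("Account", "alice"))
    try:
        tx.put(("Account", "bob"), {"balance": 0})
    except CrossGroupError:
        return True
    return False
```

Running demo() shows the first attempt's commit being rejected because the group version moved, and the second attempt reading the fresh balance (105) before debiting it, so no update is lost and the ledger entry is written in the same commit as the balance.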

● The performance of the datastore can be enhanced by in-memory caching using the
memcache, which can also be used independently of the datastore.

● Recently, Google added the blobstore, which is suitable for large files as its size limit is 2 GB.

● There are several mechanisms for incorporating external resources.

● The Google SDC Secure Data Connection can tunnel through the Internet and link your
intranet to an external GAE application.

● The URL Fetch operation provides the ability for applications to fetch resources and
communicate with other hosts over the Internet using HTTP and HTTPS requests.

● There is a specialized mail mechanism to send e-mail from your GAE application.

● Applications can access resources on the Internet, such as web services or other data,
using GAE's URL fetch service.

● The URL fetch service retrieves web resources using the same high-speed Google
infrastructure that retrieves web pages for many other Google products.

● There are dozens of Google "corporate" facilities including maps, sites, groups, calendar,
docs, and YouTube, among others.

● These support the Google Data API which can be used inside GAE.

● An application can use Google Accounts for user authentication. Google Accounts
handles user account creation and sign-in, and a user that already has a Google account
(such as a Gmail account) can use that account with your app.

● GAE provides the ability to manipulate image data using a dedicated Images service
which can resize, rotate, flip, crop and enhance images. An application can perform tasks
outside of responding to web requests.

● A GAE application is configured to consume resources up to certain limits or quotas. With
quotas, GAE ensures that your application would not exceed your budget and that other
applications running on GAE would not impact the performance of your app.

● In particular, GAE use is free up to certain quotas.

● GFS was built primarily as the fundamental storage service for Google's search engine.

● As the size of the web data that was crawled and saved was quite substantial, Google
needed a distributed file system to redundantly store massive amounts of data on cheap and
unreliable computers.

● In addition, GFS was designed for Google applications, and Google applications were built
for GFS.

● In traditional file system design, such a philosophy is not attractive, as there should be a
clear interface between applications and the file system, such as a POSIX interface.

● GFS typically will hold a large number of huge files, each 100 MB or larger, with files that
are multiple GB in size quite common. Thus, Google has chosen its file data block size to be
64 MB instead of the 4 KB in typical traditional file systems.

● The I/O pattern in the Google application is also special.

● Files are typically written once, and the write operations are often appending data
blocks to the end of files.

● Multiple appending operations might be concurrent.

● BigTable was designed to provide a service for storing and retrieving structured and
semi-structured data.

● BigTable applications include storage of web pages, per-user data, and geographic
locations.

● The scale of such data is incredibly large. There will be billions of URLs, and each URL
can have many versions, with an average page size of about 20 KB per version.

● The user scale is also huge.

● There are hundreds of millions of users and there will be thousands of queries per
second.

● The same scale occurs in the geographic data, which might consume more than 100 TB
of disk space.

● It is not possible to handle such a large scale of structured or semi-structured data using a
commercial database system.

● This is one reason to rebuild the data management system, and the resultant system can be
applied across many projects for a low incremental cost.

● The other motivation for rebuilding the data management system is performance.

● Low-level storage optimizations help increase performance significantly, which is much
harder to do when running on top of a traditional database layer.

● The design and implementation of the BigTable system has the following goals.

○ The applications want asynchronous processes to be continuously updating
different pieces of data and want access to the most current data at all times.
○ The database needs to support very high read/write rates, and the scale might be millions
of operations per second.
○ The application may need to examine data changes over time.

● Thus, BigTable can be viewed as a distributed multilevel map. It provides a fault-tolerant and
persistent database as in a storage service.

● The BigTable system is scalable, which means the system has thousands of servers,
terabytes of in-memory data, petabytes of disk-based data, millions of reads/writes per
second and efficient scans.

● BigTable is a self-managing system (i.e., servers can be added/removed dynamically and
it features automatic load balancing).
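The "distributed multilevel map" view of BigTable, and the design goal of examining data changes over time, can be made concrete with a single-node model of one table: row key, then column, then timestamp, with a bounded number of versions kept per cell and row keys held in sorted order so prefix scans are contiguous. This is an added example, not BigTable code; the VersionedTable name is invented, the reversed-hostname row keys follow BigTable's published web-table convention (assumed here), and the page contents are constructed.

```python
"""BigTable-style multilevel map: row key -> column -> timestamped versions of a value."""
import bisect
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


class VersionedTable:
    """Cells keep several timestamped versions so applications can examine changes over time."""

    def __init__(self, max_versions: int = 3) -> None:
        # row -> column -> list of (timestamp, value), sorted by timestamp ascending
        self._rows: Dict[str, Dict[str, List[Tuple[int, str]]]] = defaultdict(lambda: defaultdict(list))
        self.max_versions = max_versions   # older versions are garbage-collected

    def put(self, row: str, column: str, value: str, timestamp: int) -> None:
        cell = self._rows[row][column]
        stamps = [t for t, _ in cell]
        cell.insert(bisect.bisect_right(stamps, timestamp), (timestamp, value))
        del cell[:-self.max_versions]      # keep only the newest max_versions entries

    def get(self, row: str, column: str, at: Optional[int] = None) -> Optional[str]:
        """Newest value, or the newest version written at or before `at`."""
        cell = self._rows.get(row, {}).get(column, [])
        if at is None:
            return cell[-1][1] if cell else None
        idx = bisect.bisect_right([t for t, _ in cell], at) - 1
        return cell[idx][1] if idx >= 0 else None

    def versions(self, row: str, column: str) -> List[Tuple[int, str]]:
        return list(self._rows.get(row, {}).get(column, []))

    def scan_rows(self, prefix: str) -> List[str]:
        """Row keys are kept in sorted order, so a prefix scan reads a contiguous range."""
        return [r for r in sorted(self._rows) if r.startswith(prefix)]


def demo() -> dict:
    """Constructed data: reversed host names as row keys, several crawls of one page."""
    t = VersionedTable(max_versions=3)
    for ts, html in [(1, "<html>v1"), (2, "<html>v2"), (3, "<html>v3"), (4, "<html>v4")]:
        t.put("com.cnn.www", "contents:", html, ts)
    t.put("com.cnn.www", "anchor:cnnsi.com", "CNN", 9)
    t.put("com.example.www", "contents:", "<html>ex", 5)
    return {
        "latest": t.get("com.cnn.www", "contents:"),
        "as_of_3": t.get("com.cnn.www", "contents:", at=3),
        "too_early": t.get("com.cnn.www", "contents:", at=0),
        "versions": [ts for ts, _ in t.versions("com.cnn.www", "contents:")],
        "cnn_rows": t.scan_rows("com.cnn"),
    }


if __name__ == "__main__":
    print(demo())
```

With max_versions set to 3, the first crawl (timestamp 1) is garbage-collected once the fourth arrives, which is why a read "as of" timestamp 0 returns nothing while a read as of 3 still returns the third version.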

● Chubby, Google's Distributed Lock Service: Chubby is intended to provide a coarse-
grained locking service.

● It can store small files inside Chubby storage, which provides a simple namespace as a file
system tree.

● The files stored in Chubby are quite small compared to the huge files in GFS.

OpenStack

● The OpenStack project is an open source cloud computing platform for all types of
clouds, which aims to be simple to implement, massively scalable and feature rich.

● Developers and cloud computing technologists from around the world create the
OpenStack project.

● OpenStack provides an Infrastructure as a Service (IaaS) solution through a set of
interrelated services.

● Each service offers an application programming interface (API) that facilitates this
integration.

● Depending on their needs, administrators can install some or all services.

● OpenStack began in 2010 as a joint project of Rackspace Hosting and NASA.

● As of 2012, it is managed by the OpenStack Foundation, a non-profit corporate entity
established in September 2013 to promote OpenStack software and its community.

● Now, more than 500 companies have joined the project.

● The OpenStack system consists of several key services that are separately installed.

● These services work together depending on your cloud needs and include the Compute,
Identity, Networking, Image, Block Storage, Object Storage, Telemetry, Orchestration,
and Database services.

● The administrator can install any of these projects separately and configure them
standalone or as connected entities.

● Figure 5.6 shows the relationships among the OpenStack services.

Figure 5.6 Relationship between OpenStack services

● To design, deploy, and configure OpenStack, administrators must understand the logical
architecture.

● OpenStack consists of several independent parts, named the OpenStack services. All
services authenticate through a common Identity service.

● Individual services interact with each other through public APIs, except where privileged
administrator commands are necessary.

● Internally, OpenStack services are composed of several processes.

● All services have at least one API process, which listens for API requests, preprocesses
them and passes them on to other parts of the service.

● With the exception of the Identity service, the actual work is done by distinct processes.

● For communication between the processes of one service, an AMQP message broker is
used.

● The service's state is stored in a database.

● When deploying and configuring the OpenStack cloud, the administrator can choose among
several message broker and database solutions, such as RabbitMQ, MySQL, MariaDB,
and SQLite.

● Users can access OpenStack via the web-based user interface implemented by the
Horizon Dashboard, via command-line clients and by issuing API requests through tools
like browser plug-ins or curl.

● For applications, several SDKs are available. Ultimately, all these access methods issue
REST API calls to the various OpenStack services.

Figure 5.7 Example OpenStack architecture

● The controller node runs the Identity service, Image service, Placement service,
management portions of Compute, management portion of Networking, various
Networking agents, and the Dashboard.

● It also includes supporting services such as an SQL database, message queue, and NTP.

○ Optionally, the controller node runs portions of the Block Storage, Object
Storage, Orchestration, and Telemetry services.

● The controller node requires a minimum of two network interfaces.

● The compute node runs the hypervisor portion of Compute that operates instances. By
default, Compute uses the KVM hypervisor.

● The compute node also runs a Networking service agent that connects instances to
virtual networks and provides firewalling services to instances via security groups.

● The administrator can deploy more than one compute node. Each node requires a minimum
of two network interfaces.

● The optional Block Storage node contains the disks that the Block Storage and Shared
File System services provision for instances.

● For simplicity, service traffic between compute nodes and this node uses the
management network.

● Production environments should implement a separate storage network to increase
performance and security.

● The administrator can deploy more than one block storage node. Each node requires a
minimum of one network interface.

● The optional Object Storage node contains the disks that the Object Storage service uses
for storing accounts, containers, and objects.

● For simplicity, service traffic between compute nodes and this node uses the
management network.

● Production environments should implement a separate storage network to increase
performance and security.

● This service requires two nodes. Each node requires a minimum of one network
interface. The administrator can deploy more than two object storage nodes.

● The provider networks option deploys the OpenStack Networking service in the simplest
way possible, with primarily layer-2 (bridging/switching) services and VLAN segmentation of
networks.

● Essentially, it bridges virtual networks to physical networks and relies on physical
network infrastructure for layer-3 (routing) services.

● Additionally, a DHCP service provides IP address information to instances.

Federation in the Cloud

● One challenge in creating and managing a globally decentralized cloud computing
environment is maintaining consistent connectivity between untrusted components while
remaining fault tolerant.

● A key opportunity for the emerging cloud industry will be in defining a federated cloud
ecosystem by connecting multiple cloud computing providers using a common standard.

● A notable research project being conducted by Microsoft is called the Geneva Framework.
This framework focuses on issues involved in cloud federation.

● Geneva has been described as a claims-based access platform and is said to help simplify
access to applications and other systems.

● The concept allows for multiple providers to interact seamlessly with others, and it
enables developers to incorporate various authentication models that will work with any
corporate identity system, including Active Directory, LDAPv3-based directories,
application-specific databases, and new user-centric identity models such as LiveID,
OpenID, and InfoCard systems.

● It also supports Microsoft's CardSpace and Novell's DigitalMe.

● Federation in the cloud is implemented by the use of the Internet Engineering Task Force (IETF)
standard Extensible Messaging and Presence Protocol (XMPP) and inter-domain
federation using the Jabber Extensible Communications Platform (Jabber XCP).

● This protocol is currently used by a wide range of existing services offered by
providers as diverse as Google Talk, Live Journal, Earthlink, Facebook, ooVoo, Meebo,
Twitter, the U.S. Marine Corps, the Defense Information Systems Agency (DISA), the
U.S. Joint Forces Command (USJFCOM), and the National Weather Service.

● The Session Initiation Protocol (SIP) is the foundation of popular
enterprise messaging systems such as IBM's Lotus Sametime and Microsoft's Live
Communications Server (LCS) and Office Communications Server (OCS).

● Jabber XCP is a highly scalable, extensible, available, and device-agnostic presence
solution built on XMPP, and it supports multiple protocols such as Session Initiation Protocol
for Instant Messaging and Presence Leveraging Extensions (SIMPLE) and Instant
Messaging and Presence Service (IMPS).

● Jabber XCP is a highly programmable platform, which makes it ideal for adding presence and
messaging to existing applications or services and for building next-generation,
presence-based solutions.

● Over the last few years there has been a controversy brewing in web services
architectures.

● Cloud services are being talked up as a fundamental shift in web architecture that
promises to move us from interconnected silos to a collaborative network of services
whose sum is greater than its parts.

● The problem is that the protocols powering current cloud services, SOAP (Simple Object
Access Protocol) and a few other assorted HTTP-based protocols, are all one-way
information exchanges.

● Therefore cloud services are not real time, would not scale, and often cannot clear the
firewall.

● Many believe that those barriers can be overcome by XMPP (also called Jabber) as the
protocol that will fuel the Software as a Service (SaaS) models of tomorrow.

● Google, Apple, AOL, IBM, Live Journal and Jive have all incorporated this protocol into
their cloud-based solutions in the last few years.

● Since the beginning of the Internet era, if the user wanted to synchronize services
between two servers, the most common solution was to have the client "ping" the host at regular
intervals, which is known as polling.

● Polling is how most of us check our email.

● XMPP's profile has been steadily gaining since its inception as the protocol behind the
open source instant messenger (IM) server jabberd in 1998.

● XMPP's advantages include:

○ It is decentralized, meaning anyone may set up an XMPP server.
○ It is based on open standards.
○ It is mature: multiple implementations of clients and servers exist.
○ Robust security is supported via Simple Authentication and Security Layer (SASL) and
Transport Layer Security (TLS).
○ It is flexible and designed to be extended.

● XMPP is a good fit for cloud computing because it allows for easy two-way
communication.

● XMPP eliminates the need for polling and focuses on rich publish-subscribe functionality.

● It is XML-based and easily extensible, perfect for both new IM features and custom
cloud services.

● It is efficient and has been proven to scale to millions of concurrent users on a single
service (such as Google's GTalk). It also has a built-in worldwide federation model.

● Of course, XMPP is not the only pub-sub enabler getting a lot of interest from web
application developers.

● An Amazon EC2-backed server can run Jetty and Cometd from Dojo.

● Unlike XMPP, Comet is based on HTTP and, in conjunction with the Bayeux Protocol, uses
JSON to exchange data.

● Given the current market penetration and extensive use of XMPP and XCP for federation in
the cloud, it is the dominant open protocol in that space.

● The ability to exchange data used for presence, messages, voice, video, files,
notifications, etc., with people, devices and applications gains more power when they can be
shared across organizations and with other service providers.

● Federation differs from peering, which requires a prior agreement between parties
before a server-to-server (S2S) link can be established.

● In the past, peering was more common among traditional telecommunications providers
(because of the high cost of transferring voice traffic).

● In the brave new Internet world, federation has become a de facto standard for most
email systems because they are federated dynamically through Domain Name System
(DNS) settings and server configurations.

Four Levels of Federation

● Federation is the ability for two XMPP servers in different domains to exchange XML
stanzas.

● According to XEP-0238: XMPP Protocol Flows for Inter-Domain Federation, there are at
least four basic types of federation:

● Permissive federation

○ Permissive federation occurs when a server accepts a connection from a peer
network server without verifying its identity using DNS lookups or certificate
checking.
○ The lack of verification or authentication may lead to domain spoofing (the
unauthorized use of a third-party domain name in an email message in order to
pretend to be someone else), which opens the door to widespread spam and
other abuses. With the release of the open source jabberd 1.2 server in October
2000, which included support for the Server Dialback protocol (fully supported in
Jabber XCP), permissive federation met its demise on the XMPP network.

● Verified federation

○ This type of federation occurs when a server accepts a connection from a peer after
the identity of the peer has been verified.
○ It uses information obtained via DNS and by means of domain-specific keys
exchanged beforehand.
○ The connection is not encrypted, but the use of identity verification effectively
prevents domain spoofing.
○ To make this work, federation requires proper DNS setup, and it is still subject to DNS
poisoning attacks.
○ Verified federation has been the default service policy on the open XMPP network since
the release of the open-source jabberd 1.2 server.

● Encrypted federation

○ In this mode, a server accepts a connection from a peer if and only if the peer
supports Transport Layer Security (TLS) as defined for XMPP in Request for
Comments (RFC) 3920.
○ The peer must present a digital certificate.
○ The certificate may be self-signed, but this prevents using mutual authentication.
○ If this is the case, both parties proceed to weakly verify identity using Server Dialback.
○ XEP-0220 defines the Server Dialback protocol, which is used between XMPP servers to
provide identity verification.
○ Server Dialback uses the DNS as the basis for verifying identity.
○ The basic approach is that when a receiving server receives a server-to-server
connection request from an originating server, it does not accept the request until it has
verified a key with an authoritative server for the domain asserted by the
originating server.
○ Although Server Dialback does not provide strong authentication or trusted
federation, and although it is subject to DNS poisoning attacks, it has effectively
prevented most instances of address spoofing on the XMPP network since its
release in 2000.
○ This results in an encrypted connection with weak identity verification.

● Trusted federation

○ In this federation, a server accepts a connection from a peer only under the
stipulation that the peer supports TLS and the peer can present a digital
certificate issued by a root certification authority (CA) that is trusted by the
authenticating server.
○ The list of trusted root CAs may be determined by one or more factors, such as
the operating system, XMPP server software or local service policy.
○ In trusted federation, the use of digital certificates results not only in channel
encryption but also in strong authentication.
○ The use of trusted domain certificates effectively prevents DNS poisoning attacks
but makes federation more difficult, since such certificates have traditionally not
been easy to obtain.
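The four levels above, together with the Server Dialback exchange described under encrypted federation, amount to an admission policy that a receiving server applies to each inbound server-to-server connection. The following is an added example, not code from any XMPP server or from these notes, that does two things: it classifies a connection by the strongest level it satisfies (TLS plus a CA-trusted certificate gives trusted federation; TLS plus any certificate plus a successful dialback gives encrypted; dialback alone gives verified; nothing gives permissive) and it models the dialback round trip in which the receiving server refuses the stream until the originating domain's authoritative server confirms the key. The PeerConnection, AuthoritativeServer and receiving_server_dialback names are invented; the key derivation (HMAC-SHA256 keyed with the SHA-256 of a server secret over "receiving originating stream-id") follows the recommendation in XEP-0185 as the example's author understands it, and the "DNS" lookup is a constructed dictionary standing in for the SRV lookup.

```python
"""Federation policy (XEP-0238 levels) and a Server Dialback key check (XEP-0220 flow)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PERMISSIVE, VERIFIED, ENCRYPTED, TRUSTED = range(4)
LEVEL_NAMES = ["permissive", "verified", "encrypted", "trusted"]


@dataclass
class PeerConnection:
    """What the receiving server learned about an inbound server-to-server connection."""
    domain: str
    tls: bool = False             # peer negotiated TLS
    cert_present: bool = False    # peer presented a certificate (possibly self-signed)
    ca_trusted: bool = False      # certificate chains to a CA in the local trust list
    dialback_ok: bool = False     # identity weakly verified via DNS-based Server Dialback


def federation_level(peer: PeerConnection) -> int:
    """Classify a connection by the strongest level of federation it satisfies."""
    if peer.tls and peer.cert_present and peer.ca_trusted:
        return TRUSTED                      # channel encryption plus strong authentication
    if peer.tls and peer.cert_present and peer.dialback_ok:
        return ENCRYPTED                    # encrypted, identity only weakly verified
    if peer.dialback_ok:
        return VERIFIED                     # plaintext, identity verified via DNS and keys
    return PERMISSIVE                       # nothing verified: open to domain spoofing


def accept(peer: PeerConnection, policy: int = VERIFIED) -> bool:
    """Local service policy: accept only connections at or above the configured level."""
    return federation_level(peer) >= policy


# --- Server Dialback -------------------------------------------------------
# Key derivation follows the XEP-0185 recommendation (assumed here, not from the notes):
# key = HMAC-SHA256(SHA256(secret), "<receiving> <originating> <stream id>")

def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    hmac_key = hashlib.sha256(secret).hexdigest().encode()
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hmac_key, msg, hashlib.sha256).hexdigest()


class AuthoritativeServer:
    """The server DNS names for a domain; it alone knows that domain's dialback secret."""

    def __init__(self, domain: str, secret: bytes) -> None:
        self.domain, self.secret = domain, secret

    def verify(self, receiving: str, stream_id: str, key: str) -> bool:
        # answers <db:verify from=receiving to=originating id=stream_id>key</db:verify>
        expected = dialback_key(self.secret, receiving, self.domain, stream_id)
        return hmac.compare_digest(expected, key)


def receiving_server_dialback(dns: dict, receiving: str, originating: str,
                              stream_id: str, key: str) -> bool:
    """Receiving side: accept the stream only once the authoritative server confirms the key."""
    authoritative = dns.get(originating)     # constructed stand-in for the DNS SRV lookup
    if authoritative is None:
        return False
    return authoritative.verify(receiving, stream_id, key)


def demo() -> dict:
    dns = {"example.org": AuthoritativeServer("example.org", b"example-org-secret")}
    stream_id = secrets.token_hex(8)
    # genuine originating server: <db:result from=example.org to=example.net>key</db:result>
    genuine = dialback_key(b"example-org-secret", "example.net", "example.org", stream_id)
    # a peer asserting example.org without that domain's secret
    wrong = dialback_key(b"some-other-secret", "example.net", "example.org", stream_id)
    return {
        "genuine": receiving_server_dialback(dns, "example.net", "example.org", stream_id, genuine),
        "wrong_secret": receiving_server_dialback(dns, "example.net", "example.org", stream_id, wrong),
        "unknown_domain": receiving_server_dialback(dns, "example.net", "nowhere.test", stream_id, genuine),
    }
```

The limitation the notes point out is visible in the model: the check is only as good as the dns lookup, so a poisoned answer that names the wrong authoritative server defeats it, whereas the trusted level's CA-issued certificate does not depend on that lookup at all.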

Federated Services and Applications

● S2S federation is a good start toward building a real-time communications cloud.

● Clouds typically consist of all the users, devices, services, and applications connected to
the network.

● In order to fully leverage the capabilities of this cloud structure, a participant needs the ability
to find other entities of interest.

● Such entities might be end users, multiuser chat rooms, real-time content feeds, user
directories, data relays, messaging gateways, etc.

● Finding these entities is a process called discovery.

● XMPP uses service discovery (as defined in XEP-0030) to find the aforementioned
entities.

● The discovery protocol enables any network participant to query another entity regarding its
identity, capabilities and associated entities.

● When a participant connects to the network, it queries the authoritative server for its
particular domain about the entities associated with that authoritative server.
● In response to a service discovery query, the authoritative server informs the inquirer
about services hosted there and may also detail services that are available but hosted
elsewhere.

● XMPP includes a method for maintaining personal lists of other entities, known as roster
technology, which enables end users to keep track of various types of entities.

● Usually, these lists consist of other entities the users are interested in or interact
with regularly.

● Most XMPP deployments include custom directories so that internal users of those
services can easily find what they are looking for.
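As an added example (not from the notes), the XEP-0030 discovery request and the two kinds of result described above, built and parsed with Python's standard XML library; the JIDs, stanza ids and sample replies are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed example (not from the course notes): building an XEP-0030
# discovery request and parsing an authoritative server's answer.
DISCO_ITEMS = "http://jabber.org/protocol/disco#items"
DISCO_INFO = "http://jabber.org/protocol/disco#info"

def build_disco_query(sender, target, stanza_id, namespace=DISCO_ITEMS):
    """IQ 'get' asking `target` for its associated entities (disco#items)
    or for its identity and capabilities (disco#info)."""
    iq = ET.Element("iq", {"type": "get", "from": sender,
                           "to": target, "id": stanza_id})
    ET.SubElement(iq, "query", {"xmlns": namespace})
    return ET.tostring(iq, encoding="unicode")

def parse_disco_items(xml_text):
    """Return (jid, name) pairs from a disco#items result; items that
    carry no jid are ignored rather than guessed at."""
    iq = ET.fromstring(xml_text)
    query = iq.find(f"{{{DISCO_ITEMS}}}query")
    if iq.get("type") != "result" or query is None:
        return []
    return [(i.get("jid"), i.get("name", ""))
            for i in query.findall(f"{{{DISCO_ITEMS}}}item") if i.get("jid")]

def parse_disco_info(xml_text):
    """Return ([(category, type)], [feature vars]) from a disco#info result."""
    iq = ET.fromstring(xml_text)
    query = iq.find(f"{{{DISCO_INFO}}}query")
    if iq.get("type") != "result" or query is None:
        return [], []
    idents = [(e.get("category"), e.get("type"))
              for e in query.findall(f"{{{DISCO_INFO}}}identity")]
    feats = [f.get("var") for f in query.findall(f"{{{DISCO_INFO}}}feature")]
    return idents, feats

# Constructed sample answers: a server listing a chat room service it hosts
# and a content-feed service hosted elsewhere, then the chat service's info.
SAMPLE_ITEMS = """<iq type='result' from='example.org' to='user@example.org/pc' id='d1'>
  <query xmlns='http://jabber.org/protocol/disco#items'>
    <item jid='conference.example.org' name='Chatrooms'/>
    <item jid='feeds.example.net' name='Real-time content feeds'/>
    <item name='malformed entry without a jid'/>
  </query>
</iq>"""
SAMPLE_INFO = """<iq type='result' from='conference.example.org' id='d2'>
  <query xmlns='http://jabber.org/protocol/disco#info'>
    <identity category='conference' type='text' name='Chatrooms'/>
    <feature var='http://jabber.org/protocol/disco#info'/>
    <feature var='http://jabber.org/protocol/muc'/>
  </query>
</iq>"""
```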

Future of Federation

● The implementation of federated communications is a precursor to building a seamless
cloud that can interact with people, devices, information feeds, documents, application
interfaces and other entities.

● The power of a federated, presence-enabled communications infrastructure is that it
enables software developers and service providers to build and deploy such applications
without asking permission from a large, centralized communications operator.

● The process of server-to-server federation for the purpose of interdomain
communication has played a large role in the success of XMPP, which relies on a small
set of simple but powerful mechanisms for domain checking and security to generate
verified, encrypted, and trusted connections between any two deployed servers.

● These mechanisms have provided a stable, secure foundation for growth of the XMPP
network and similar real-time technologies.

TWO MARK QUESTIONS

1. What is Hadoop?

● Hadoop is an open source implementation of MapReduce coded and released in
Java (rather than C) by Apache.
● The Hadoop implementation of MapReduce uses the Hadoop Distributed File
System (HDFS) as its underlying layer rather than GFS.

2. List the fundamental layers of the Hadoop core.

● The Hadoop core is divided into two fundamental layers:
○ MapReduce engine
○ HDFS

3. Describe HDFS.

● HDFS is a Hadoop distributed file system inspired by GFS that organizes files and
stores their data on a distributed computing system.
● HDFS has a master/slave architecture containing a single NameNode as the master
and a number of DataNodes as workers (slaves).
● To store a file in this architecture, HDFS splits the file into fixed-size blocks (e.g., 64 MB) and
stores them on workers (DataNodes).
● The mapping of blocks to DataNodes is determined by the NameNode.

4. Is HDFS fault tolerant?

● One of the main aspects of HDFS is its fault tolerance characteristic. Since Hadoop is
designed to be deployed on low-cost hardware by default, a hardware failure in this
system is considered to be common rather than an exception.

5. List the mechanisms by which Hadoop fulfills the reliability requirements of the file system.
● Block replication
● Replica placement
● Heartbeat and Blockreport messages

6. What is the purpose of heartbeat messages?

● A heartbeat is a periodic message sent to the NameNode by each DataNode in a
cluster.

7. List the advantages of HDFS.

● The list of blocks per file will shrink as the size of individual blocks increases, and by
keeping large amounts of data sequentially within a block, HDFS provides fast
streaming reads of data.

8. Define MapReduce.

● The topmost layer of Hadoop is the MapReduce engine that manages the data flow
and control flow of MapReduce jobs over distributed computing systems.
● Similar to HDFS, the MapReduce engine also has a master/slave architecture
consisting of a single JobTracker as the master and a number of TaskTrackers as the
slaves (workers).
● The JobTracker manages the MapReduce job over a cluster and is responsible for
monitoring jobs and assigning tasks to TaskTrackers.
● The TaskTracker manages the execution of the map and/or reduce tasks on a single
computation node in the cluster.

9. List the components that contribute to running a job in the Hadoop system.

● a user node
● a JobTracker
● TaskTrackers

10. What is the use of VirtualBox?

● Oracle VM VirtualBox is a cross-platform virtualization application.
● For one thing, it installs on existing Intel or AMD-based computers, whether they are
running Windows, Mac OS X, Linux, or Oracle Solaris operating systems (OSes).
● Secondly, it extends the capabilities of an existing computer so that it can run multiple OSes,
inside multiple virtual machines, at the same time.

11. Illustrate the architecture of VirtualBox.

12. List the three disk image formats used in VirtualBox:

● VDI: This format is the VirtualBox-specific VirtualBox Disk Image and stores data in files
bearing a “.vdi” filename extension.
● VMDK: This open format is used by VMware products and stores data in one or more
files bearing “.vmdk” filename extensions.
● VHD: This format is used by Windows Virtual PC and Hyper-V, and is the native
virtual disk format of the Microsoft Windows operating system.
13. Describe GAE.

● Google’s App Engine (GAE) offers a PaaS platform supporting various cloud
and web applications.

● This platform specializes in supporting scalable (elastic) web applications.
● GAE enables users to run their applications on a large number of data centers
associated with Google’s search engine operations.

14. Mention the components maintained in a node of the Google cloud platform.

● GFS is used for storing large amounts of data.
● MapReduce is for use in application program development.
● Chubby is used for distributed application lock services.
● BigTable offers a storage service for accessing structured data.

15. List the functional modules of GAE.

● Datastore
● Application runtime environment
● Software development kit (SDK)
● Administration console
● GAE web service infrastructure

16. List the applications of GAE.

● Well-known GAE applications include the Google Search Engine, Google Docs,
Google Earth, and Gmail.
● These applications can support large numbers of users simultaneously.
● Users can interact with Google applications via the web interface provided by each
application.
● Third-party application providers can use GAE to build cloud applications for
providing services.

17. Mention the goals for the design and implementation of the BigTable system.

● The applications want asynchronous processes to be continuously updating different
pieces of data and want access to the most current data at all times.
● The database needs to support very high read/write rates and the scale might be millions
of operations per second.
● The application may need to examine data changes over time.

18. Describe OpenStack.

● The OpenStack project is an open source cloud computing platform for all types of
clouds, which aims to be simple to implement, massively scalable, and feature rich.
● Developers and cloud computing technologists from around the world create the
OpenStack project.
● OpenStack provides an Infrastructure-as-a-Service (IaaS) solution through a set of
interrelated services.

19. List the key services of OpenStack.

● The OpenStack system consists of several key services that are separately installed.
● Compute, Identity, Networking, Image, Block Storage, Object Storage, Telemetry,
Orchestration and Database services.

20. What is the need for a federated cloud ecosystem?

● One challenge in creating and managing a globally decentralized cloud computing
environment is maintaining consistent connectivity between untrusted components
while remaining fault-tolerant.
● A key opportunity for the emerging cloud industry will be in defining a federated cloud
ecosystem by connecting multiple cloud computing providers using a common
standard.
● A notable research project being conducted by Microsoft, called the Geneva
Framework, focuses on issues involved in cloud federation.

21. List the advantages of the Extensible Messaging and Presence Protocol.

● XMPP is decentralized, meaning anyone may set up an XMPP server. It is based
on open standards. It is mature: multiple implementations of clients and servers exist.

22. List the levels of federation.

● Permissive federation
● Verified federation
● Encrypted federation
● Trusted federation

23. What is S2S federation?

● S2S federation is a good start toward building a real-time communications cloud.
Clouds typically consist of all the users, devices, services, and applications connected
to the network.

24. What is the future of federation?

● The power of a federated, presence-enabled communications infrastructure is that it
enables software developers and service providers to build and deploy such
applications without asking permission from a large, centralized communications
operator.
● These mechanisms have provided a stable, secure foundation for growth of the XMPP
network and similar real-time technologies.
MODEL QUESTION PAPER - I

B.E./B.Tech. DEGREE EXAMINATION

Seventh Semester

Computer Science and Engineering

CS8791 – Cloud Computing

(Regulation 2017)

Time: Three hours                                Maximum: 100 marks

Answer ALL questions

PART A – (10 X 2 = 20 marks)

1. Define cloud.
2. List the components of the cloud model.
3. Mention the four characteristics used to identify a service.
4. Differentiate between full virtualization and paravirtualization.
5. What are the advantages of cloud storage?
6. What is Hardware as a Service?
7. What is the purpose of the runtime support service named cluster monitoring?
8. Compare overprovisioning and underprovisioning.
9. Illustrate the architecture of VirtualBox.
10. List the merits of XMPP.

PART B – (5 X 16 = 80 marks)

11. (a) Explain the evolution of cloud computing.
Or
(b) (i) Explain the elements of parallel and distributed computing. (8)
(ii) Explain the elastic nature of cloud computing and on-demand
provisioning. (8)
12. (a) (i) Explain Service Oriented Architecture. (8)
(ii) Explain the Publish-Subscribe model. (8)
Or
(b) Explain the various implementation levels of virtualization.

13. (a) (i) Explain the layered architectural design of cloud computing. (8)
(ii) Explain the cloud deployment models. (8)
Or
(b) Explain the major architectural design challenges in the cloud. (16)

14. (a) (i) Explain intercloud resource management with a neat diagram. (8)
(ii) Explain the resource provisioning methods. (8)
Or
(b) (i) Explain Identity Access Management. (8)
(ii) Explain Virtual Machine Security. (8)

15. (a) Explain HDFS and MapReduce in the Hadoop framework. (16)
Or
(b) (i) Explain the programming environment for Google App Engine. (8)
(ii) Explain the levels of federation. (8)
MODEL QUESTION PAPER - II

B.E./B.Tech. DEGREE EXAMINATION

Seventh Semester

Computer Science and Engineering

CS8791 – Cloud Computing

(Regulation 2017)

Time: Three hours                                Maximum: 100 marks

Answer ALL questions

PART A – (10 X 2 = 20 marks)

1. Differentiate between parallel and distributed computing.
2. List the various models for message-based communication.
3. Define service oriented architecture.
4. Illustrate ring-based security with a neat diagram.
5. Compare public cloud and private cloud.
6. What are the design requirements considered by Amazon to build S3?
7. What is event-driven provisioning?
8. Mention the purpose of security governance.
9. What is the purpose of the TaskTracker and JobTracker in Hadoop?
10. What is the need for a federated cloud ecosystem?

PART B – (5 X 16 = 80 marks)

11. (a) Explain the principles of parallel and distributed computing. (16)
Or
(b) Explain the characteristics of cloud computing. (16)

12. (a) (i) Explain RESTful systems. (8)
(ii) Explain the web service technology stack. (8)
Or
(b) (i) Explain CPU, memory and I/O device virtualization. (8)
(ii) Explain virtualization support and disaster recovery strategies. (8)

13. (a) Explain the NIST reference architecture with a neat diagram. (16)
Or
(b) (i) Explain the cloud service models. (8)
(ii) Explain Storage-as-a-Service. (8)

14. (a) (i) Explain the global exchange of cloud resources. (8)
(ii) Explain the runtime support services in intercloud management. (8)
Or
(b) Explain cloud security and its challenges. Elaborate some standards
specific to cloud security. (16)

15. (a) Explain the functional modules and programming environment of
Google App Engine. (16)
Or
(b) Explain the OpenStack architecture with a neat diagram. (16)
