Header Ads

A very short intro to Cloud Computing .


The term “Cloud” has become some sort of a buzz word these days. We can thank Amazon because they were the first to use the word “cloud” in 2006 when they launched their Elastic Cloud Compute (EC2) services. The “cloud” is composed of various technologies which are combined to form a unified end product. To understand what the cloud is, you have to understand the underlining technologies which are virtualization, clustering and grid computing.

Virtualization
The first thing you need to know about the cloud or cloud computing is virtualization. This is a logical representation of a computer in software. By decoupling the physical hardware from the operating system, virtualization provides more operational flexibility and increases the utilization rate of the underlying physical hardware. To put it rather plainly, virtualization is the act of creating a virtual version of something. This is normally done by the use of some software to create a virtual machine that acts like a real computer with an operating system. A practical example is running a virtual machine of the Ubuntu Linux operating system on a windows host machine. Let’s expound more on this by considering the figure below.



Let me briefly explain the client to server relationship. In networking there are basically two models; peer to peer and server to client. In a peer to peer network, computers can communicate and share resources directly with each other. In a client to server network, resources are stored a central system called the server which other systems called client have to access to get the resources they require. Going back to our diagram, we see a classical server model and a virtualized server model. In the classical server model which is what is obtainable without virtualization, we can see that there is only one operating system running multiple applications. While on the virtualization model, the physical server holds the host operating system that is hosting several virtual machines. Each virtual machine has its own operating system and applications.

To see how virtualization helps in conserving resources, consider the scenario below. Imagine four organizations, let’s call them A, B, C, D. They each have a web server that they use to host their company’s website. In fig. a, we see how much each server is being utilized. Notice that none of the servers is used to its full capacity. In fig b, we see one server running a virtualization software that creates four virtual machine that act as each organizations web server. This helps to conserve resources and save costs.



Clustering
As the name implies, clustering has to do with grouping. To be more technical, this is the grouping of interconnected independent resources working as a single system. The main catch in clustering is that the servers being used must have identical hardware. To illustrate consider the figure below.



A typical Clustering technique works by having a front end server called a dispatcher. The dispatcher receives the requests from clients and forwards it to the cluster servers. The dispatcher holds the IP address for the cluster servers, this address is referred to as the cluster address. Clustering makes a service run by multiple servers seem like just one server is running it. Another technique is to set up the servers inside the clusters as independent servers and have the dispatcher distribute jobs between them.

Grid computing
This is a group of computers that work together without the need to be in the same physical location or have the same hardware specifications. The major components that make up grid computing are servers, networks, grid middleware and grid application. The speed, redundancy and overall efficiency of the network is very important when running grid computing. If you connect the servers using a slow and unreliable network the grid will not work. Then the servers must all run a grid-specific middleware that allows all the components to interact properly and communicate effectively. Finally, the grid applications must be written specifically for the grid computing model to be able to harness the benefits of this model.

Cloud Architecture
Basically, the cloud is based on multiple physical servers working as a single unit. The diagram below illustrates the different layers of cloud computing.



The lowest layer contains the servers’ hardware like processor, modules and storage. On top of the hardware layer runs an abstraction layer. The abstraction layer spans over multiple physical machines and is responsible for creating virtual machines and determine how these machines operate. In some cases, the host operating system is mixed with the abstraction layer. An example of this is the popular cloud-dedicated operating system Eucalyptus. In other cases, a hypervisor runs the abstraction layer. A hypervisor is a software, hardware or firmware that creates and runs virtual machines. Popular example includes virtual box and VMware. The cloud servers’ hardware and the abstraction layer are normally referred to as cloud infrastructure. Above this are three more layers; IaaS, PasS, and SaaS. The main thing to note about these layers is that they tell you how involved the client is in the service being provided. Let us consider each of these layer.

Infrastructure-as-a-service (IaaS)
This is the lowest level of service that can be provided to a client. It is similar to renting hardware from a service provider and allowing the provider to manage the hardware. But in this case the client is provided access to virtualized infrastructure and doesn’t have access to the physical hardware. This model requires the client to handle everything from the operating system up to the applications. The IaaS virtual infrastructure is provided on demand through an application programming interface or web interface. In summary IaaS takes away the burden of buying and maintaining hardware and pushes this responsibility to the cloud provider.

Platform-as-a-Service (PaaS)
Here the Operating System and all platform related tool are already installed for the client. These already installed components are managed by the cloud provider. The client has the liberty to install additional tool to aid with their application development, configuration and deployment. This model is similar to traditional web hosting services where you rent space on a server with development platform already preinstalled.  The major difference between this model and traditional web hosting is that the latter requires manual intervention when demand increases or decreases while the former is automatic and does not require any human intervention.

Software-as-a-service (SaaS)
This model focuses on the application level and doesn’t burden the user with infrastructure or platform issues. Applications are provided through interfaces such as web browsers or even mobile app. Microsoft office 365 is a good example of this. An organization can use office 365 via office.com without bothering about hardware maintenance, security or operating system management. The client is given control of certain aspects of the software configuration. The client can now focus solely on using the application to achieve business goals.

How is the Cloud deployed?
The various layers considered thus far have two major ways of deployment; public cloud and private cloud. A public cloud is a cloud service provided to the general public. The public cloud can either be dedicated or shared. In a dedicated public could, the cloud infrastructure is used by only one client while in a shared public cloud the infrastructure is used by multiple clients. A private cloud is a cloud service used by a single organization or its multiple business units. Private clouds can be self-hosted, hosted, or private cloud appliance. In self-hosted private cloud, the cloud infrastructure is located at the organization’s premises and everything about it is designed and managed by the owner organization. In hosted private cloud, the cloud solution is designed by the organization while hosted and managed by another organization. Finally, in private cloud appliance the cloud environment is designed by a service provider and hosted internally in the organization. There also exist two less popular methods of cloud deployment that you are not likely to come across but are worth mentioning. A community cloud is owned, managed, and operated by a specific community of client organizations that have a common goal. A hybrid cloud is a mix of two or more cloud infrastructures (public, private, and community) that are tied together using technologies that enable application and data portability.
The benefits of using the cloud include cost savings, scalability, reliability, flexibility, better hardware utilization and reduced management efforts.

Cloud Security
Cloud computing does come with its own unique challenges as per security concerns. Having multiple layers means an attack could be carried out at the hypervisor level, platform level or software level. Below are two popular attacks and mitigation techniques.

Distributed Denial of Service Attacks
This is an attack that targets the availability of a system and is launched from numerous locations at the same time. A hacker can implant malicious code in numerous unprotected servers and computing devices. This malicious code hijacks resources on the host system to turn it into a bot and at attack time receives instructions from the attacker to initiate an attack. Sometimes the attacker does not have to give orders as bots can work on a specific action time that has already been written into their code. The idea behind launching from multiple locations is to make the attack hard to detect.



The purpose of a DDoS attack is to prevent legitimate users from having access to system resources and can be carried out via flooding, amplification, malformed packets, or exploiting a vulnerability in a networking protocol. A recent example of an amplification attack was the 1.3 terabits per second attack on github using memcached severs. To mitigate DDoS attacks some researchers have proposed the use of software defined network technology.   Software defined networking applications improve application security, performance, availability and prevention of current DDoS attacks by programming the SDN which has a flexible control structure to collect and monitor data. This enables attack detection and allows for fast specific attack reaction.

Attacks on Hypervisor
As already stated, a hypervisor is the abstraction layer software that sits between the hardware and the VMs that comprise the cloud. There are two types of hypervisors namely type-1 and type-2. In type-1 hypervisors also called bare metal, the hypervisor run directly on the host’s hardware to control the hardware and to manage guest operating systems. See the figure below.



All guest operating systems then run on a level above the hypervisor. This model represents the classic implementation of virtual machine architectures. Modern hypervisors based on this model include Citrix XenServer, VMware ESX/ESXi, and Microsoft Hyper-V. The most common commercial hypervisors are based on a monolithic architecture below. The underlying hypervisor services all virtual sandboxes, each running a guest operating system. The hypervisor runs as part of the native monolithic operating system, side by side with the device drivers, file system, and network stack, completely in kernel space.

In type-2 or hosted hypervisor, the hypervisors run just above a host operating system kernel such as Linux, Windows, and others as in the figure below.



The hypervisor layer is a distinct second software level and the guest operating systems run at the third level above the hardware. The host operating system has direct access to the server’s hardware like host CPU, memory, and I/O devices and is responsible for managing basic OS services. The hypervisor creates virtual machine environments and coordinates calls to CPU, memory, disk, network, and other resources through the host OS. Modern hypervisors based on this model include KVM and VirtualBox.

In his blog “Yes, Hypervisors Are Vulnerable,” Neil MacDonald, observes the following about hypervisor and the vulnerabilities associated with it:
• The virtualization platform (hypervisor/VMM) is a software written by human beings and will contain vulnerabilities. Microsoft, VMware, Citrix, and others, all of them will and have had vulnerabilities.
• Some of these vulnerabilities will result in a breakdown in isolation that the virtualization platform was supposed to enforce.
Bad guys will target this layer with attacks. The benefits of a compromise of this layer are simply too great.
• While there have been a few disclosed attacks, it is just a matter of time before a widespread publicly disclosed enterprise breach is tied back to a hypervisor vulnerability.

Neil’s comments might not be too farfetched as there exists research that alludes to the possibility of implementing malware with virtual machines. The study involved the use of a type of malware called a virtual machine-based rootkit (VMBR), installing a virtual machine monitor underneath an existing operating system and hoisting the original operating system into a virtual machine. Also there are reports that show a vulnerability exists where an attacker can escape from a guest virtual machine to affect other virtual machines or the hypervisor itself.

General Cloud safety recommendations
  • Install and maintain a firewall configuration.

A firewall should be placed between each external network interface and between each security zone within the cloud. Firewall rules should be written to block unwanted traffic and close all unused ports.
  • Do not use default security parameters

Never use vendor supplied default passwords, usernames or other security parameters. These will be known to other cloud users and also a search on the internet will reveal default passwords. Always change all default security parameters.
  • Ensure that no unnecessary functions or processes are active

When unnecessary functions or processes are running, it is most likely they will have open ports on the firewall side. Such unnecessary process broadens the range of threats and expose you to more vulnerabilities.
  • Ensure patch management

Security vulnerabilities are detected every day; hence it is imperative to keep all systems patched in a timely manner. Patched should be installed both at the host and guest machine layers.
  • Protect encryption keys from misuse or disclosure
  • Promptly revoke access for terminated users.
  • Research into standardized SLAs and liability provisions could lead to greater accountability.


References
  1. Mohammed, M. A. (2016). Elements of Cloud Computing Security, A Survey of Key Practicalities. Springer.
  2.  Kizza, M. J. (2017). Guide to Computer Network Security, Fourth Edition. Springer




No comments

Powered by Blogger.