Use IaaS for PaaS

Exploring IaaS delivery services available to PaaS developers

Some Infrastructure as a Service (IaaS) providers are not willing to offer the Layer 4-7 services that enterprises need when they migrate applications requiring complex load balancing and firewalls from their private data centers into a public IaaS. Providers that do offer Layer 4-7 services take prudent, proactive steps to give Platform as a Service (PaaS) developers a wider range of IaaS delivery services (for example, a disaster recovery service). Learn which delivery services the PaaS can use and which layers of multi-defense mechanisms should be considered to better protect the IaaS from cloud abuse.

Judith M. Myerson, Systems Engineer and Architect

Judith M. Myerson is a systems architect and engineer. Her areas of interest include middleware technologies, enterprise-wide systems, database technologies, application development, network management, security, RFID technologies, and project management. She is the author of RFID in the Supply Chain and the editor of Enterprise Systems Integration, Second Edition Handbook.



10 May 2013


On a cloud island, the PaaS developers regularly blog with the IaaS network specialists about the different ways the developers can use the IaaS virtual machines. One day, a developer cannot run and test an application. He groans when he discovers, too late, that the capacity of the virtual machine is insufficient to cope with a sudden increase in the volume of data the application must process to meet ever-growing compliance requirements.

The PaaS developer has no control over the virtual machines, so he immediately tweets the IaaS specialist, asking for a call about increasing the capacity of the virtual machine. In response, the IaaS specialist adds the capacity the developer needs and apologizes for not having threshold policies and a capacity-for-demand policy in place.

The IaaS specialist sets up a web meeting with all developers. The agenda includes:

  • How developers can use the IaaS for different services (other than testing)
  • Threshold policies that can be negotiated with the IaaS
  • Establishing a capacity-for-demand policy
  • Layer 4-7 cloud networking services offered by IaaS

This article explores the IaaS provider delivery services that are available to PaaS developers. It also examines which of those delivery services the PaaS can use and which layers of multi-defense mechanisms should be considered to better protect the IaaS from cloud abuse.

Layer 4-7 cloud networking

Layer 4-7 cloud networking services (load balancing, application firewalls, WAN optimization) are one way of scaling an application's capacity across virtual machines, but such services were scarce in the 2012 IaaS market. Many enterprises could not mirror the Layer 4-7 services they use in their private data centers in a public IaaS because of load balancing compatibility issues. If the applications required complex load balancing and proprietary firewalls, the enterprise could not migrate them.

Layer 4-7 refers to the upper layers of the OSI network model: layer 4 is the transport layer (TCP and UDP ports) and layer 7 is the application layer (the protocol payload itself, such as an HTTP request). A device that inspects layer 4 sees only addresses and ports, so it can infer that a flow to TCP port 80 is probably HTTP traffic (web traffic); a device that inspects layer 7 reads the request itself and can determine what the HTTP request is for (the method, the path and the host) and route or filter on it. Two caveats apply. A port-based identification is only a guess, because any protocol can be carried on port 80. And an encrypted (TLS) flow is opaque at layer 7 unless the service terminates TLS, which also means the service holds the application's private keys.
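The difference between the two inspection depths, as an added example that is not code from the original article. The flows below are constructed test data (hypothetical destination ports and first payload bytes, not captured traffic), and the backend pool names and the routing rule are assumptions made for illustration. A port-based rule classifies every flow, but only the layer 7 parser can say what the request is for, and it returns nothing for a TLS flow or for non-HTTP bytes sent to port 80.

```python
"""Layer 4 versus layer 7 inspection of the same traffic (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample flows: (destination TCP port, first payload bytes).
SAMPLE_FLOWS: List[Tuple[int, bytes]] = [
    (80,   b"GET /schedules/arrivals?port=NYC HTTP/1.1\r\nHost: ships.example\r\n\r\n"),
    (80,   b"POST /hr/payroll HTTP/1.1\r\nHost: hr.example\r\nContent-Length: 0\r\n\r\n"),
    (8080, b"GET /health HTTP/1.1\r\nHost: iaas-dashboard.example\r\n\r\n"),
    (443,  b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),  # TLS ClientHello: opaque at layer 7
    (80,   b"\x00\x01\x02garbage\xff"),                        # port 80, but not HTTP at all
]


@dataclass
class Classification:
    layer4_guess: str                 # what a port-based (layer 4) rule concludes
    layer7_method: Optional[str]      # None when the payload is not clear-text HTTP
    layer7_path: Optional[str]
    layer7_host: Optional[str]


def classify_layer4(dst_port: int) -> str:
    """Layer 4 sees ports only: it can guess the protocol, never the request."""
    return {80: "http", 8080: "http", 443: "https"}.get(dst_port, "unknown")


def parse_layer7_http(payload: bytes) -> Optional[Tuple[str, str, Optional[str]]]:
    """Layer 7 inspection: parse the HTTP request line and the Host header.

    Returns (method, path, host), or None when the bytes are not a clear-text
    HTTP request (binary data, TLS, or a malformed request line).
    """
    try:
        head, _, _ = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
        method, path, version = lines[0].split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/") or not method.isalpha() or not path.startswith("/"):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return method, path, host


def classify(dst_port: int, payload: bytes) -> Classification:
    layer4 = classify_layer4(dst_port)
    layer7 = parse_layer7_http(payload)
    if layer7 is None:
        return Classification(layer4, None, None, None)
    return Classification(layer4, *layer7)


def classify_all(flows: List[Tuple[int, bytes]] = SAMPLE_FLOWS) -> List[Classification]:
    return [classify(port, payload) for port, payload in flows]


def route_pool(c: Classification) -> str:
    """A layer 7 load-balancing rule: choose the backend pool from the request path.

    A layer 4 balancer cannot make this decision because it only has the port,
    so opaque flows fall back to port-based routing.
    """
    if c.layer7_path is None:
        return "layer4-only"
    if c.layer7_path.startswith("/hr/"):
        return "hr-pool"
    if c.layer7_path.startswith("/schedules"):
        return "schedules-pool"
    return "default-pool"


if __name__ == "__main__":
    for c in classify_all():
        print(c.layer4_guess, c.layer7_method, c.layer7_path, "->", route_pool(c))
```

Run it as a script to see that the two non-HTTP flows get a layer 4 guess but no layer 7 fields; this is exactly the gap a port-only load balancer cannot close for path-based routing.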

Many IaaS providers sell Layer 4-7 cloud networking services, but these services tend to be limited and sometimes proprietary, and the load balancing they provide is often not adequate for enterprise applications.

2013 has brought growth in virtual application delivery controllers (ADCs) and WAN optimization controllers. Many enterprises can take advantage of these controllers to replicate their Layer 4-7 services in an IaaS provider's cloud. Even so, your enterprise might discover that some IaaS providers are not willing to give you Layer 4-7 services. Providers that do offer Layer 4-7 services can also offer PaaS developers a wider range of IaaS delivery services. (See IaaS provider service delivery model for more detail.)


Users of the cloud service model

In addition to working with IaaS specialists, the PaaS developers work with the SaaS users. Users of the model, either individually or by group, can use the cloud to:

  • Get SaaS on demand.
  • Build applications with the PaaS.
  • Work with IaaS virtual machines.

Get SaaS on demand

When getting SaaS on demand, the SaaS end user has the least control and the provider has the most control.

End user control
The only control end users have, whether they are private individuals, businesses (small or medium) or government agencies, is to access the SaaS application from a partition on a mobile device. Examples of SaaS applications include ship arrival and departure schedules, customer relationship management, human resources, and spreadsheets.

The end users use company-approved social media tools to communicate with one another, and with the PaaS developers, about a SaaS application built on the PaaS.

SaaS provider control
At a minimum, the provider manages access control by limiting the number of authorized users who can concurrently access the application from a mobile device or a virtual desktop, as set forth in the user threshold policy (see Resources). The provider also limits the number of authorized users who can access each virtual desktop instance, as set forth in the virtual desktop threshold. The provider controls the operating systems, servers, and network infrastructure needed to run the SaaS application. The virtual desktop and load balancing thresholds are new threshold policies conceived by the author.
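How the user threshold and the virtual desktop threshold described above, together with the capacity-for-demand policy from the opening story, can be enforced, as an added example that is not code from the original article. The policy limits, the desktop instance names, the session ids and the scale-up rule are assumptions chosen for illustration; a real provider would read them from the negotiated threshold policy. The checks run before a session is recorded, so a refused login never consumes capacity, and the scaling decision is kept out of the login path so that a burst of logins cannot drive the VM count.

```python
"""Threshold policy enforcement for a SaaS application and its virtual desktops (added example)."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class ThresholdPolicy:
    max_concurrent_users: int      # user threshold: concurrent sessions for the application
    max_users_per_desktop: int     # virtual desktop threshold: sessions per desktop instance
    scale_up_utilisation: float    # capacity-for-demand: add a VM at or above this load
    max_vms: int                   # hard cap negotiated with the IaaS specialist (assumed)


@dataclass
class AppState:
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> desktop instance
    vm_count: int = 1
    utilisation: float = 0.0       # fraction of VM capacity in use, 0.0 to 1.0


@dataclass
class Decision:
    allowed: bool
    reason: str


def desktop_load(state: AppState) -> Dict[str, int]:
    """Count live sessions per virtual desktop instance."""
    counts: Dict[str, int] = {}
    for desktop in state.sessions.values():
        counts[desktop] = counts.get(desktop, 0) + 1
    return counts


def admit_session(policy: ThresholdPolicy, state: AppState,
                  session_id: str, desktop: str) -> Decision:
    """Apply the user and virtual desktop thresholds to a login attempt.

    A replayed session id is refused before any threshold is consulted, and
    the session is only recorded once every threshold check has passed.
    """
    if session_id in state.sessions:
        return Decision(False, "duplicate session id")
    if len(state.sessions) >= policy.max_concurrent_users:
        return Decision(False, "user threshold reached")
    if desktop_load(state).get(desktop, 0) >= policy.max_users_per_desktop:
        return Decision(False, f"virtual desktop threshold reached for {desktop}")
    state.sessions[session_id] = desktop
    return Decision(True, "admitted")


def end_session(state: AppState, session_id: str) -> bool:
    """Release a session so its slot can be reused; False if it was not live."""
    return state.sessions.pop(session_id, None) is not None


def capacity_for_demand(policy: ThresholdPolicy, state: AppState) -> int:
    """Capacity-for-demand policy: add one VM when load reaches the scale-up
    threshold, never beyond the negotiated maximum. Returns the VM count.
    Meant to be called from a monitoring loop, not from the login path."""
    if state.utilisation >= policy.scale_up_utilisation and state.vm_count < policy.max_vms:
        state.vm_count += 1
    return state.vm_count


if __name__ == "__main__":
    policy = ThresholdPolicy(max_concurrent_users=3, max_users_per_desktop=2,
                             scale_up_utilisation=0.8, max_vms=2)
    state = AppState()
    for sid, vd in [("s1", "vd-a"), ("s2", "vd-a"), ("s3", "vd-a"), ("s3", "vd-b"), ("s4", "vd-b")]:
        print(sid, vd, admit_session(policy, state, sid, vd))
    state.utilisation = 0.85
    print("VMs after demand spike:", capacity_for_demand(policy, state))
```

Scale-down is deliberately not modelled; a policy that releases capacity as aggressively as it adds it tends to oscillate under bursty demand and is a separate negotiation with the IaaS specialist.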

Build SaaS applications with PaaS

When building SaaS applications with PaaS, the PaaS developer has more control and the provider has less control.

Developer control
The developer controls and protects all the applications found in a full business life cycle created with the PaaS. For example, the developer builds, deploys, tests, and runs a custom ship arrival and departure management application. The developer controls the applications migrated from the enterprise's internal data center. The developer can set the user and virtual desktop threshold levels.

The developer uses company-approved social media tools to communicate with SaaS end users, IaaS specialists, other developers, and the provider.

PaaS provider control
At a minimum, the provider controls operating systems, servers, and network infrastructure needed to run the SaaS application, develop new enterprise applications, or test the scalability of the existing applications in the cloud.

The provider also controls what social media tools to download to the developer's mobile device. The provider sets the resource, data requests, social media, and load balancing threshold levels.

Work with IaaS virtual machines

When working with IaaS virtual machines, the IaaS infrastructure or network specialist has the most control.

Network specialist control
The infrastructure or network specialist:
  • Controls the operating systems, network equipment, and deployed applications at the virtual machine level
  • Can scale up or scale down virtual servers or blocks of storage
  • Uses social media tools to communicate with other IaaS infrastructure specialists, PaaS developers, and the provider

The infrastructure specialist can set the user, load balancing, and virtual desktop threshold levels.

IaaS provider control
At a minimum, the provider controls the infrastructure of traditional computing resources underlying virtual machines and which mobile applications are needed to access the IaaS. The provider controls what social media tools to use in a collaborative environment. The provider sets the user, resource, data requests, social media, and load balancing threshold levels.

IaaS provider service delivery model

The IaaS provider supplies IaaS infrastructure specialists or network specialists with IaaS delivery services that the PaaS developers can use. Services include:

  • Disaster recovery
  • Failover service
  • Compute as a service
  • Storage as a service
  • Data center as a service
  • Virtual desktop infrastructure
  • High I/O cloudburst
  • Testing environment

The rest of this section reviews, for each IaaS service, what tasks the IaaS infrastructure specialists should do and how the PaaS developers can use the service.

Disaster recovery service

The IaaS infrastructure specialist uses this service to:

  • Consolidate multiple disparate disaster recovery systems into a single virtualized instance.
  • Share the same instance across multiple IT applications.

PaaS developers can negotiate with the IaaS infrastructure specialist on:

  • A separate disaster recovery plan for their application development projects
  • Threshold policies to recover resources: User, data requests, resource, social media, load balancing, and virtual desktop

Failover service

The infrastructure specialist uses the failover service to set up a plan for all virtual machines to fail over to healthy servers underlying the IaaS, locally and remotely.

The PaaS developers may negotiate with the infrastructure specialist to:

  • Run a special application the PaaS has developed to fail over to healthy virtual machines.
  • Set threshold levels to fail over: User, data requests, resource, social media, load balancing, and virtual desktop.

Compute as a service

The infrastructure specialist ensures that the pay-as-you-go service provides adequate capacity on demand for two types of PaaS applications:

  • Enterprise decision support systems that require large data sets
  • Seasonal or short-term application projects

PaaS developers can choose compute as a service when they need to build, run, test, and deploy applications. They may negotiate with the infrastructure specialist on threshold policies.

Storage as a service

The infrastructure specialist ensures specific virtual machines can be:

  • Used as storage as a service to meet requirements for compliance and data protection
  • Expanded to store the exponential growth of unstructured data from the enterprise applications

PaaS developers can use storage as a service to store test data for use with large-scale applications under development. They may negotiate with the infrastructure specialist to set resource, load balancing, and data requests threshold levels.

Data center as a service

The infrastructure specialist can set up the IaaS as the data center as a service for PaaS developers with compute-intensive data center capacity requirements. PaaS developers may negotiate with the infrastructure specialist to set resource, load balancing, and data requests threshold levels.

Virtual desktop infrastructure

The infrastructure specialist sets up an infrastructure of virtual desktops by:

  • Installing a desktop operating system within a virtual machine running on a server
  • Designating which physical desktop and mobile devices can run virtual desktops

The PaaS developers may negotiate with the infrastructure specialist on:

  • Limiting the number of virtual desktops they can use, as set forth in the virtual desktop threshold
  • Establishing configuration criteria for each virtual desktop
  • Setting resource, load balancing, and virtual desktop threshold levels

High I/O cloudburst

The infrastructure specialist helps the enterprise developers combine the corporate infrastructure with the cloud. The IaaS provider's Layer 4-7 services give the IaaS specialist the means to ensure that the enterprise creates a flexible, highly scalable application hosting environment with the PaaS.

The PaaS developers use the IaaS to cloudburst the applications that:

  • Impose seasonal resource demands that the enterprise's internal data center cannot handle
  • Need additional capacity for peaks of demand without impacting the virtual machine resources

Testing environment

The infrastructure specialist establishes configurations of development or testing environments and ensures that the testing environment responds quickly to planned and unplanned (short term) testing requests from the PaaS developers.

The PaaS developers use the IaaS to:

  • Reduce underutilized capacity and equipment.
  • Support all software testing phases.
  • Perform scalability tests.

Risk mitigation plan

This section describes five practical steps for mitigating risks. Following these steps makes your job easier when restoring the PaaS after an IaaS disaster. Repeat the steps whenever the threat priority changes, because safeguard requirements and costs change with it.

Identify assets

When you perform risk assessment for the first time, identify the components of the IaaS and PaaS. Your assessment should include the IaaS disaster recovery service plan, virtual operating system, servers, desktops, and any associated security policies. Other assets to identify should cover:

  • IaaS provider's delivery services, including disaster recovery, failover service, and storage as a service
  • Contact information on authorized SaaS users, PaaS developers, and IaaS infrastructure specialists
  • An enterprise server that is used to control mobile computers (physical or virtual) remotely, either individually or by group
  • Company-approved social media tools as near real-time communication among the mobile computer, tablet, device, and virtual desktop users
  • Threshold policies: User, data request, resource, social media, load balancing, and virtual desktop
  • Type of Service Level Agreements (SLA): External, internal, or internalized (see Resources)
  • A map showing the complex SLA relationships among the IaaS specialists, PaaS developers, and infrastructure vendors

Analyze critical information

Identify critical information on mobile devices or virtual desktops that PaaS developers use to:

  • Build, run, test, and deploy applications.
  • Check the health of the IaaS.
  • Communicate via social media tools.

The criticality of corporate data downloaded to the PaaS is usually high, and includes the company's accounting records and C-level executives' contact information.

Analyze vulnerabilities

Make a list of vulnerabilities that could be exploited on mobile devices, virtual desktops, and virtual machines. Rate each vulnerability qualitatively as high, medium, or low. For example, the threat to PaaS applications via a mobile device arises, at a minimum, from five vulnerabilities:

  • Device password is not set.
  • The social media threshold policy is not applied.
  • Remote data wiping is not enabled.
  • Data encryption is not turned on.
  • Performance monitoring is inadequate.

Each vulnerability is rated high. By exploiting them, an attacker can get into the device without a password or biometric authentication (fingerprint or iris scan) and read unencrypted information downloaded from the IaaS health dashboard; with remote wiping disabled, a lost or stolen device stays exposed.

If the vulnerability priority changes or new vulnerabilities emerge for the same threat, you must repeat this step. For example, assume that a different type of PaaS vulnerability emerges as a result of changes in mobile technology or in users' perceptions of the networking infrastructure underlying the IaaS. You must reevaluate and mitigate risks, beginning again at Identify assets.

Assess risks

Assess the likelihood that an attacker takes advantage of each vulnerability and the business impact in terms of lost corporate revenue and reputation; the risk is the combination of the two, not the likelihood alone. Express likelihood as a value between 0 and 1. As the value approaches 1, exploitation of the vulnerability becomes almost certain. A value of 0 means no chance of exploitation, which is not realistic for cloud abuse or cloud shutdown. The lower the likelihood (and the impact), the better your chance of mitigating the risk of cloud abuse with cost-effective safeguards.
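The vulnerability analysis and risk assessment of the two steps above, carried through for the five mobile device vulnerabilities, as an added example that is not code from the original article. The likelihood and impact values, the device records and the access threshold are constructed assumptions for illustration; the article rates all five simply as high and gives no numbers. The check fails closed: a control that is absent from a device's record is treated as missing, so an unknown device is ranked as the worst case rather than waved through.

```python
"""Device posture check and risk scoring for the mobile devices PaaS developers use (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Control name -> (likelihood of exploitation when the control is missing, 0..1,
#                  business impact on a 1..5 scale). All values are assumptions.
CONTROLS: Dict[str, Tuple[float, int]] = {
    "device_password_set":             (0.9, 5),  # anyone holding the device gets in
    "data_encryption_on":              (0.7, 5),  # dashboard data readable from storage
    "remote_wipe_enabled":             (0.6, 4),  # a lost device stays exposed
    "social_media_threshold_applied":  (0.4, 3),
    "performance_monitoring_adequate": (0.3, 2),
}


@dataclass
class Finding:
    control: str
    likelihood: float
    impact: int

    @property
    def risk(self) -> float:
        """Risk as likelihood x impact: 0.0 (none) up to 5.0 (certain and severe)."""
        return self.likelihood * self.impact


def assess(device: Dict[str, bool]) -> List[Finding]:
    """Return one finding per missing control, highest risk first.

    A control absent from the record counts as missing (fail closed).
    """
    findings = [Finding(name, likelihood, impact)
                for name, (likelihood, impact) in CONTROLS.items()
                if not device.get(name, False)]
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def combined_likelihood(findings: List[Finding]) -> float:
    """Chance that at least one missing control is exploited, treating the
    exploitation events as independent (an assumption of this example)."""
    p_none = 1.0
    for f in findings:
        p_none *= 1.0 - f.likelihood
    return 1.0 - p_none


def may_open_dashboard(device: Dict[str, bool], max_risk: float = 3.0) -> bool:
    """Gate access to the IaaS health dashboard on the single worst finding.

    max_risk is an assumed policy value: any one finding at or above it blocks access.
    """
    findings = assess(device)
    return not findings or findings[0].risk < max_risk


if __name__ == "__main__":
    # Constructed device records, not real inventory data.
    devices = {
        "tablet-ok":     {name: True for name in CONTROLS},
        "phone-no-lock": {name: name != "device_password_set" for name in CONTROLS},
        "unknown":       {},
    }
    for label, record in devices.items():
        findings = assess(record)
        print(label, "open dashboard:", may_open_dashboard(record),
              "combined likelihood: %.2f" % combined_likelihood(findings),
              [(f.control, round(f.risk, 2)) for f in findings])
```

Ranking by likelihood x impact rather than by a flat "high" rating is what lets you spend first on the safeguard that removes the most risk; here that is the device lock, not performance monitoring.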

Fix the problem

Even the best available information assurance products for cloud services have inherent weaknesses. Technologically sophisticated adversaries will find vulnerabilities they can exploit in these products, and the exploitable vulnerabilities they find in one product might not exist in another.

To fix the problem, set up countermeasures by deploying layers of multi-defense mechanisms between the adversaries and their targets, the IaaS and the PaaS. Each cost-effective mechanism must present a distinct obstacle to the adversaries. This improves the chance of detecting them while reducing their chance of successfully penetrating the IaaS provider's delivery services.

Here are five tips that, at a minimum, set up layers of defenses.

For the passive class of attack:

  • First line of defense: Network layer encryption
  • Second line of defense: Social media, load balancing, and virtual desktop thresholds

For the insider class of attack:

  • First line of defense: Physical and personnel security
  • Second line of defense: Audit, access control, and associated security policies

For the exploitation class of attack:

  • First line of defense: Physical and personnel security
  • Second line of defense: Technical surveillance countermeasures for cloud services and social media tools

For the distribution class of attack:

  • First line of defense: Trusted software distribution
  • Second line of defense: Runtime integrity and protected storage controls

For the active class of attack:

  • First line of defense: Defend the enclave boundaries (for example, outside firewalls).
  • Second line of defense: Defend the provider's data center (for example, inside firewalls) and/or fail over virtual machines to healthy, secure data centers within the borders of the United States.

In reality, there are more classes of attacks against IaaS delivery services, social media tools, and cloud services. There are also more lines of defense for each class. Each line of defense can be further broken down into lower level lines of defense with relationships of varying complexity among them. For more detail, see the National Security Agency's "Defense in Depth" article (Resources).


Conclusion

This article highlighted why you should consider best practices for developing IaaS provider delivery services that PaaS developers can use. Make sure the IaaS provider can offer Layer 4-7 services compatible with the ones your enterprise relies on before migrating applications to the cloud. The three most important IaaS delivery services are disaster recovery, failover service, and the cloudburst service. Load balancing and virtual desktop thresholds are new and have been added to the list of existing threshold terminology. We need to build a team of developers, managers, business analysts, and system engineers and make it easier for that team to provide IaaS delivery services to PaaS developers.

Resources

Learn

