On a cloud island, the PaaS developers regularly blog with the IaaS network specialists about the different ways developers can use the IaaS virtual machines. One day, a developer could not run and test an application. He groaned when he discovered, too late, that the capacity of a virtual machine was insufficient to cope with a sudden increase in the volume of big data needed to meet ever-growing compliance requirements.
The PaaS developer has no control over the virtual machines, so he immediately tweets the IaaS specialist, asking for a call about increasing the capacity of the virtual machine. The IaaS specialist provides the capacity the developer needs and apologizes for not having threshold policies and a capacity for demand policy in place.
The IaaS specialist sets up a web meeting with all developers. The agenda includes:
- How developers can use the IaaS for different services (other than testing)
- Threshold policies that can be negotiated with the IaaS
- Establishing a capacity for demand policy
- Layer 4-7 cloud networking services offered by IaaS
This article explores the IaaS provider delivery services that are available to PaaS developers. It also examines the delivery services the PaaS can use and what layers of multi-defense mechanisms should be considered to better protect the IaaS from cloud abuse.
Layer 4-7 cloud networking
Layer 4-7 cloud networking services are one way of increasing the capacity of virtual machines, but such services were scarce in the 2012 IaaS market. Many enterprises could not replicate in a public IaaS the Layer 4-7 services they use in their private data centers, because of load balancing compatibility issues. Applications that require complex load balancing and proprietary firewalls could not be migrated.
Many IaaS providers sell Layer 4-7 cloud networking services, but these services tend to be limited and sometimes proprietary, and the providers cannot offer adequate load balancing capabilities.
2013 has brought growth in virtual application delivery controllers (ADCs) and WAN optimization controllers. Many enterprises can use these controllers to replicate their Layer 4-7 services in an IaaS provider's cloud. Your enterprise might discover, however, that some IaaS providers are not always willing to give you Layer 4-7 services. Providers who do offer Layer 4-7 services can offer PaaS developers a wider range of IaaS delivery services. (See IaaS provider service delivery model for more detail.)
Users of the cloud service model
In addition to working with IaaS specialists, the PaaS works with the SaaS users. The model users, either individually or by group, can use the cloud to:
- Get SaaS on demand.
- Build applications with the PaaS.
- Work with IaaS virtual machines.
Get SaaS on demand
When getting SaaS on demand, the SaaS end user has the least control and the provider has the most control.
- End user control
- The only control end users have, whether they are private individuals, businesses (small or medium), or government agencies, is to access the SaaS application from a partition on a mobile device. Examples of SaaS applications include ship arrival and departure schedules, customer relationship management, human resources, and spreadsheets.
End users use company-approved social media tools to communicate with one another and with the PaaS developers of a SaaS application built on the PaaS.
- SaaS provider control
- At a minimum, the provider manages access controls by limiting the number of authorized users who can concurrently access the application from a mobile device or a virtual desktop, as set forth in the user threshold policy (see Resources). The provider limits the number of authorized users who can have access to each virtual desktop instance, as set forth in the virtual desktop threshold. The provider controls the operating systems, servers, and network infrastructure needed to run the SaaS application. The virtual desktop and load balancing thresholds are new threshold policies for the user, as conceived by the author.
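As an added example (not code from the article), the following shows how the user, virtual desktop and load balancing thresholds described above could be enforced when a session is admitted, with a warning level that requests capacity before the hard limit turns users away. The policy names follow the article; the numeric limits, the VM and desktop identifiers, and the decision and alert names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class ThresholdPolicy:
    name: str             # "user", "virtual desktop" or "load balancing", as in the article
    limit: int            # a session that would push the count above this is refused
    warn_fraction: float  # fraction of the limit at which more capacity is requested

    def evaluate(self, count_after: int) -> str:
        # Classify the count the resource would reach if the session were admitted.
        if count_after > self.limit:
            return "deny"
        if count_after >= self.warn_fraction * self.limit:
            return "warn"
        return "ok"

@dataclass
class ThresholdMonitor:
    """Admits SaaS user sessions to virtual desktops hosted on IaaS virtual machines."""
    user_policy: ThresholdPolicy     # concurrent authorized users, application wide
    desktop_policy: ThresholdPolicy  # users per virtual desktop instance
    lb_policy: ThresholdPolicy       # sessions per virtual machine before rebalancing
    placements: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)  # vm -> desktop -> users
    audit: List[dict] = field(default_factory=list)  # every decision, for later review

    def _vm_sessions(self, vm_id: str) -> int:
        return sum(len(users) for users in self.placements.get(vm_id, {}).values())

    def admit(self, user: str, vm_id: str, desktop_id: str) -> dict:
        """Decide whether one more user may join desktop_id on vm_id."""
        # A denial names the blocking policies; an allow may still carry alerts for policies
        # at their warning level, which is the cue to request capacity before users are refused.
        if any(user in users for vm in self.placements.values() for users in vm.values()):
            raise ValueError(f"{user} already has a session")
        desktop = self.placements.setdefault(vm_id, {}).setdefault(desktop_id, set())
        total = sum(self._vm_sessions(v) for v in self.placements)
        checks = {
            self.user_policy.name: self.user_policy.evaluate(total + 1),
            self.desktop_policy.name: self.desktop_policy.evaluate(len(desktop) + 1),
            self.lb_policy.name: self.lb_policy.evaluate(self._vm_sessions(vm_id) + 1),
        }
        blocked_by = [name for name, state in checks.items() if state == "deny"]
        alerts = [name for name, state in checks.items() if state == "warn"]
        decision = "deny" if blocked_by else "allow"
        if decision == "allow":
            desktop.add(user)
        record = {"user": user, "vm": vm_id, "desktop": desktop_id,
                  "decision": decision, "blocked_by": blocked_by, "alerts": alerts}
        self.audit.append(record)
        return record

    def release(self, user: str) -> bool:
        # End a user's session; returns False if the user had none.
        for desktops in self.placements.values():
            for users in desktops.values():
                if user in users:
                    users.discard(user)
                    return True
        return False
```

The audit list is what the IaaS specialist would review when negotiating new threshold levels: repeated warnings on one policy show where capacity should be added before the limit is reached.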
Build SaaS applications with PaaS
When building SaaS applications with PaaS, the PaaS developer has more control and the provider has less control.
- Developer control
- The developer controls and protects all the applications in a full business life cycle created with the PaaS. For example, the developer builds and runs a custom ship arrival and departure management application. The developer controls the applications migrated from the enterprise's internal data center. The developer can set the user and virtual desktop
The developer uses company-approved social media tools to communicate with SaaS end users, IaaS specialists, other developers, and the provider.
- PaaS provider control
- At a minimum, the provider controls the operating systems, servers, and network infrastructure needed to run the SaaS application, develop new enterprise applications, or test the scalability of existing applications in the cloud.
The provider also controls what social media tools to download to the developer's mobile device. The provider sets the resource, data requests, social media, and load balancing threshold levels.
Work with IaaS virtual machines
When working with IaaS virtual machines, the IaaS infrastructure or network specialist has the most control.
- Network specialist control
- The infrastructure or network specialist:
- Controls the operating systems, network equipment, and deployed applications at the virtual machine level
- Can scale virtual servers or blocks of storage up or down
- Uses social media tools to communicate with other IaaS infrastructure specialists, PaaS developers, and the provider
The infrastructure specialist can set the user, load balancing, and virtual desktop threshold levels.
- IaaS provider control
- At a minimum, the provider controls the infrastructure of traditional computing resources underlying virtual machines and which mobile applications are needed to access the IaaS. The provider controls what social media tools to use in a collaborative environment. The provider sets the user, resource, data requests, social media, and load balancing threshold levels.
IaaS provider service delivery model
The IaaS provider provides IaaS infrastructure specialists or network specialists with IaaS delivery services that the PaaS developers can use. Services include:
- Disaster recovery
- Failover service
- Compute as a service
- Storage as a service
- Data center as a service
- Virtual desktop infrastructure
- High input/output cloudburst
- Testing environment
The rest of this section reviews, for each IaaS service, what tasks the IaaS infrastructure specialists should do and how the PaaS developers can use the service.
Disaster recovery service
The IaaS infrastructure specialist uses this service to:
- Consolidate multiple disparate disaster recovery systems into a single virtualized instance.
- Share the same instance across multiple IT applications.
PaaS developers can negotiate with the IaaS infrastructure specialist on:
- A separate disaster recovery plan for their application development projects
- Threshold policies to recover resources: User, data requests, resource, social media, load balancing, and virtual desktop
Failover service
The infrastructure specialist uses the failover service to set up a plan for all virtual machines to fail over to healthy servers underlying the IaaS, locally and remotely.
The PaaS developers may negotiate with the infrastructure specialist to:
- Run a special application the PaaS has developed to fail over to healthy virtual machines.
- Set threshold levels to fail over: User, data requests, resource, social media, load balancing, and virtual desktop.
Compute as a service
The infrastructure specialist ensures that the pay-as-you-go service provides adequate capacity on demand for two types of PaaS applications:
- Enterprise decision support systems that require large data sets
- Seasonal or short-term application projects
PaaS developers can choose compute as a service when they need to build, run, test, and deploy applications. They may negotiate with the infrastructure specialist on threshold policies.
Storage as a service
The infrastructure specialist ensures specific virtual machines can be:
- Used as storage as a service to meet requirements for compliance and data protection
- Expanded to store the exponential growth of unstructured data from the enterprise applications
PaaS developers can use storage as a service to store test data for use with large-scale applications under development. They may negotiate with the infrastructure specialist to set resource, load balancing, and data requests threshold levels.
Data center as a service
The infrastructure specialist can set up the IaaS as the data center as a service for PaaS developers with compute-intensive data center capacity requirements. PaaS developers may negotiate with the infrastructure specialist to set resource, load balancing, and data requests threshold levels.
Virtual desktop infrastructure
The infrastructure specialist sets up an infrastructure of virtual desktops by:
- Installing a desktop operating system within a virtual machine running on a server
- Designating which physical desktop and mobile devices can run virtual desktops
The PaaS developers may negotiate with the infrastructure specialist on:
- Limiting the number of virtual desktops they can use, as set forth in the virtual desktop threshold
- Establishing configuration criteria for each virtual desktop
- Setting resource, load balancing, and virtual desktop threshold levels
High input/output cloudburst
The infrastructure specialist helps enterprise developers combine corporate infrastructure with the cloud. The IaaS provider's Layer 4-7 services help the IaaS specialist ensure that the enterprise can create a flexible, highly scalable application hosting environment with the PaaS.
The PaaS developers use the IaaS to cloudburst the applications that:
- Impose seasonal resource demands that the enterprise's internal data center cannot handle
- Need additional capacity for peaks of demand without impacting the virtual machine resources
Testing environment
The infrastructure specialist establishes configurations of development or testing environments and ensures that the testing environment responds quickly to planned and unplanned (short-term) testing requests from the PaaS developers.
The PaaS developers use the IaaS to:
- Reduce underutilized capacity and equipment.
- Support all software testing phases.
- Perform scalability tests.
Risk mitigation plan
This section describes five practical steps for mitigating risks. Following these steps can make your job easier when restoring the PaaS from an IaaS disaster. Repeat the steps if the threat priority changes. When the priority changes, safeguard requirements and costs also change.
Identify assets
When you perform risk assessment for the first time, identify the components of the IaaS and PaaS. Your assessment should include the IaaS disaster recovery service plan, virtual operating system, servers, desktops, and any associated security policies. Other assets to identify should cover:
- IaaS provider's delivery services, including disaster recovery, failover service, and storage as a service
- Contact information on authorized SaaS users, PaaS developers, and IaaS infrastructure specialists
- An enterprise server that is used to control mobile computers (physical or virtual) remotely, either individually or by group
- Company-approved social media tools used for near real-time communication among mobile computer, tablet, device, and virtual desktop users
- Threshold policies: User, data request, resource, social media, load balancing, and virtual desktop
- Type of Service Level Agreements (SLA): External, internal, or internalized (see Resources)
- A map showing the complex SLA relationships among the IaaS specialists, PaaS developers, and infrastructure vendors
Analyze critical information
Identify critical information on mobile devices or virtual desktops that PaaS developers use to:
- Build, run, test, and deploy applications.
- Check the health of the IaaS.
- Communicate via social media tools.
The criticality of corporate data downloaded to the PaaS is usually high, and includes the company's accounting records and C-level executives' contact information.
Identify vulnerabilities
Make a list of vulnerabilities that could be exploited on mobile devices, virtual desktops, and virtual machines. Rate each vulnerability qualitatively as high, medium, or low. For example, the threat to PaaS applications via a mobile device has, at a minimum, five vulnerabilities:
- Device password is not set.
- Social media is not applied.
- Remote data wiping is not enabled.
- Data encryption is not turned on.
- Performance monitoring is inadequate.
Each vulnerability is rated as high. By exploiting them, a hacker can get into the device without a password or biometric authentication (fingerprint or iris scan) and read unencrypted information downloaded from the IaaS health dashboard.
If the vulnerability priority changes or new vulnerabilities emerge for the same threat, you must repeat this step. For example, assume that a different type of PaaS vulnerability emerges as a result of changes in mobile technology or in users' perceptions of networking infrastructure underlying the IaaS. You must reevaluate and mitigate risks, beginning at Identify assets.
Assess risks
Assess the likelihood, or risk, of a hacker taking advantage of a vulnerability, and the business impact in terms of lost corporate revenue and reputation. The likelihood is a value between 0 and 1. As it approaches 1, there is a very high chance that the vulnerability will be exploited; a value of 0 means no risk, which is unlikely for cloud abuse or cloud shutdown. The lower the likelihood, the better your chance of mitigating the risks of cloud abuse with cost-effective safeguards.
Fix the problem
Even the best available Information Assurance products for cloud services have inherent weaknesses. Technologically sophisticated adversaries will find vulnerabilities they can exploit in these products. Exploitable vulnerabilities that adversaries find in one product might not exist in another product.
To fix the problem, set up a countermeasure by deploying layers of multi-defense mechanisms between the adversaries and their targets: the IaaS and the PaaS. Each cost-effective mechanism must present a unique obstacle to the adversaries. This makes the adversaries easier to detect while reducing their chances of successfully penetrating the IaaS provider's delivery services.
Here are five tips that, at a minimum, set up layers of defenses.
For the passive class of attack:
- First line of defense: Network layer encryption
- Second line of defense: Social media, load balancing, and virtual desktop thresholds
For the insider class of attack:
- First line of defense: Physical and personnel security
- Second line of defense: Audit, access control, and associated security policies
For the exploitation class of attack:
- First line of defense: Physical and personnel security
- Second line of defense: Technical surveillance countermeasures for cloud services and social media tools
For the distribution class of attack:
- First line of defense: Trusted software distribution
- Second line of defense: Runtime integrity and protected storage controls
For the active class of attack:
- First line of defense: Defend the enclave boundaries (for example, outside firewalls).
- Second line of defense: Defend the provider's data center (for example, inside firewalls) and/or fail over virtual machines to healthy, secure data centers within the borders of the United States.
In reality, there are more classes of attacks against IaaS delivery services, social media tools, and cloud services. There are also more lines of defense for each class. Each line of defense can be further broken down into lower level lines of defense with relationships of varying complexity among them. For more detail, see the National Security Agency's "Defense in Depth" article (Resources).
This article highlighted why you should consider best practices for developing IaaS provider delivery services that PaaS developers can use. Make sure the IaaS provider can offer compatible Layer 4-7 services so that your enterprise can migrate applications to the cloud. The three most important IaaS delivery services are disaster recovery, failover service, and cloudburst service. Load balancing and virtual desktop thresholds are new and have been added to the list of threshold terms. We need to build a team of developers, managers, business analysts, and system engineers and make it easier for that team to provide IaaS delivery services to PaaS developers.
Resources
For more information about risk mitigation, read these articles by the
- "Craft security policy for mobile devices" (developerWorks, October 2011): The four variables that shape a cloud mobile security policy.
- "Cloud computing versus grid computing: Service types, similarities and differences, and things to consider" (developerWorks, March 2009): Explore security issues and choices for Web development in the cloud.
- "Change app behavior: From in house to the cloud" (developerWorks, March 2011): Proactive vs. reactive ways of making application changes when you migrate them to the cloud.
- "Cloud services: Mitigate risks, maintain availability" (developerWorks, March 2011): Cloud service security and how to mitigate risks to cloud services to ensure high uptime availability.
- "Craft a cloud performance metrics policy" (developerWorks, September 2011): Three proactive steps to ensure cloud performance: monitoring, testing, and policy-building.
- "Craft a SaaS-oriented web application vulnerability mitigation policy" (developerWorks, June 2012): Establish a SaaS-oriented web application vulnerability mitigation policy that anticipates application trouble spots and contains several pre-configured solutions to repair them.
- "Mitigate risks of cloud resource exhaustion outages" (developerWorks, February 2013): Use service level agreements and other proactive tools to avoid cloud outages.
For more information about threshold policies, read these articles by
- "Balance workload in a cloud environment: Use threshold policies to dynamically balance workload demands" (developerWorks, January 2011): Learn what a threshold policy is and how it can help balance workload demands dynamically in a cloud environment.
- "Cloud computing versus grid computing: Service types, similarities and differences, and things to consider" (developerWorks, March 2009): Explore some of the security issues and choices for web development in the cloud.
- "Build proactive threshold policies on the cloud" (developerWorks, May 2011): Discover the impact of purpose, scope, background, consumer control, actions, and constraints.
- "Build and employ a threshold criteria for critical cloud components" (developerWorks, February 2013): Cloud-specific threshold criteria and scenarios of what proactive actions can be taken when failures happen.
- Defense in Depth (National Security Agency): A practical strategy for achieving Information Assurance in today's highly networked environments.
- More on cloud networking:
- Networking outlook: Controllers, Layer 4-7 will roil SDN 2013 market (SearchNetworking, Jan 2013): What's in store for software defined networking in 2013.
- Layer 4-7 cloud networking still scarce in IaaS market (SearchNetworking, Aug 2012): Layer 4-7 network services remain a technical and operational headache.