UNIT-II

Federation in the cloud – presence in the cloud – Privacy and its Relation to cloud-Based Information
Systems– Security in the cloud – Common Standards in the cloud-End-User Access to the cloud
Computing.Introduction to Cloud Computing.

Federation in the Cloud:

Cloud federation is the practices of interconnecting the cloud computing environments of two
or more service providers for the purpose of load balancing traffic and accommodating spikes in
demand. Cloud federation requires one provider to wholesale or rent computing resources to another
cloud provider. Those resources become a temporary or permanent extension of the buyer's cloud
computing environment, depending on the specific federation agreement between providers.

Cloud federation offers two substantial benefits to cloud providers. First, it allows providers to
earn revenue from computing resources that would otherwise be idle or underutilized. Second, cloud
federation enables cloud providers to expand their geographic footprints and accommodate sudden
spikes in demand without having to build new points-of-presence (POPs).

Cloud Federation refers to the unionization of software, infrastructure and platform services
from disparate networks that can be accessed by a client via the internet. The federation of cloud
resources is facilitated through network gateways that connect public or external clouds, private or
internal clouds (owned by a single entity) and/or community clouds (owned by several cooperating
entities); creating a hybrid cloud computing environment. It is important to note that federated cloud
computing services still rely on the existence of physical data centers.

Cloud federation benefits:

The federation of cloud resources allows clients to optimize enterprise IT service delivery. The
federation of cloud resources allows a client to choose the best cloud services provider, in terms of
flexibility, cost and availability of services, to meet a particular business or technological need within
their organization. Federation across different cloud resource pools allows applications to run in the
most appropriate infrastructure environments. The federation of cloud resources also allows an
enterprise to distribute workloads around the globe, move data between disparate networks and
implement innovative security models for user access to cloud resources.

Cloud federation implementation:

One weakness that exists in the federation of cloud resources is the difficulty in brokering
connectivity between a client and a given external cloud provider, as they each possess their own
unique network addressing scheme. To resolve this issue, cloud providers must grant clients the
permission to specify an addressing scheme for each server the cloud provider has extended to the
internet. This provides customers with the ability to access cloud services without the need for
reconfiguration when using resources from different service providers. Cloud federation can also be
implemented behind a firewall, providing clients with a menu of cloud services provided by one or
more trusted entities.

Cloud computing 22
Presence in the Cloud:
Understanding the power of presence is crucial to unlocking the real potential of the Internet.
Presence data enables organizations to deploy innovative real-time services and achieve significant
revenue opportunities and productivity improvements. At the most fundamental level, understanding
presence is simple: It provides true-or-false answers to queries about the network availability of a
person, device, or application Its purpose is to signal availability for interaction over a network. It is
being used to determine availability for phones, conference rooms, applications, web-based services,
routers, firewalls, servers, appliances, buildings, devices, and other applications. The management of
presence is being extended to capture even more information about availability, or even the attributes
associated with such availability, such as a person's current activity, mood, location (e.g., GPS
coordinates), or preferred communication method (phone, email, IM, etc.). While these presence
extensions are innovative and important, they serve mainly to supplement the basic information about
an entity's network connectivity, which remains the core purpose of presence.

Presence is an enabling technology for peer-to-peer interaction. It first emerged as an aspect of

communication systems, especially IM systems such as ICQ, which allowed users to see the
availability of their friends. The huge role that IM has had in establishing presence is evident with the
protocols available today, such as Instant Messaging and Presence Service (IMPS), Session Initiation
Protocol (SIP) for Instant Messaging and Presence Leveraging Extensions (SIMPLE), the Extensible
Messaging and Presence Protocol (XMPP), first developed in the Jabber open source community and
subsequently ratified as an Internet standard by the IETF.

Implementation of presence follows the software design pattern known as publish-and-subscribe (pub-
sub). This means that a user or application publishes information about its network availability to a
centralized location and that information is broadcast to all entities that are authorized to receive it.
The authorization usually takes the form of a subscription.

Because business organizations require a great deal more control and flexibility over the technologies
they deploy, they needed a presence solution that could provide separation between the presence
service and the communication mechanisms (e.g., IM or VoIP) that presence enables. Any solution
had to be scalable, extensible, and support a distributed architecture with its own presence domain. It
should not overload the network and should support strong security management, system
authentication, and granular subscription authorization.

Presence Protocols
Proprietary, consumer-oriented messaging services do not enable enterprises or institutions to leverage
the power of messaging and presence protocol suite based on SIP and managed by the Internet
Engineering Task Force (IETF). XMPP is the IETF's formalization of the core XML messaging and
presence protocols originally developed by the open source Jabber community in 1999. These
protocols have been in wide use on the Internet for over five years.

The modern, reliable method to determine another entity's capabilities is called service discovery,
wherein applications and devices exchange information about their capabilities directly, without
human involvement. Even though no framework for service discovery has been produced by a
standards development organization such as the IETF, a capabilities extension for SIP/SIMPLE and a
robust, stable service discovery extension for XMPP does exist.

Cloud computing 23
The SIMPLE Working Group is developing the technology to embed capabilities information within
broadcasted presence information. A capability already exists in a widely-deployed XMPP extension.
Together, service discovery and capabilities broadcasts enable users and applications to gain
knowledge about the capabilities of other entities on the network, providing a real-time mechanism for
additional use of presence-enabled systems.

Leveraging Presence

The real challenge today is to figure out how to leverage the power of presence within an organization
or service offering. This requires having the ability to publish presence information from a wide range
of data sources, the ability to receive or embed presence information in just about any platform or
application, and having a robust presence engine to tie ubiquitous publishers and subscribers together.

It is safe to assume that any network-capable entity can establish presence. The requirements for
functioning as a presence publisher are fairly minimal. As a result, SIP software stacks are available
for a wide range of programming languages and it is relatively easy to add native presence publishing
capabilities to most applications and devices. Enabling devices and applications to publish presence
information is only half of the solution, however; delivering the right presence information to the right.

Presence Enabled

What does it mean to be "presence-enabled"? The basic concept is to show availability of an entity in
an appropriate venue. Some modern applications aggregate presence information about all of a
person's various connections. For communication devices such as phones and applications such as IM,
presence information is often built into the device itself. For less communication-centric applications,
such as a document or web page, presence may be gathered by means of a web services API or
channeled through a presence daemon. Providing presence data through as many avenues as possible
is in large measure the responsibility of a presence engine, as described below.

The presence engine acts as a broker for presence publishers and subscribers. A presence broker
provides aggregation of information from many sources, abstraction of that information into open and
flexible formats, and distribution of that information to a wide variety of interested parties. In the
realm of presence, the qualities of aggregation, abstraction, and distribution imply that the ideal
presence broker is trustworthy, open, and intelligent. As presence becomes more prevalent in Internet
communications, presence engines need to provide strong authentication, channel encryption, explicit
authorization and access control policies, high reliability, and the consistent application of aggregation
rules. Being able to operate using multiple protocols such as IMPS, SIMPLE, and XMPP is a basic
requirement in order to distribute presence information as widely as possible. Aggregating information
from a wide variety of sources requires presence rules that enable subscribers to get the right
information at the right time.

The Future of Presence

It will remain to be seen if XMPP is the future of cloud services, but for now it is the dominant
protocol for presence in the space. fixing the polling and scaling problems with XMPP has been
challenging but has been accomplished by providers such as Tivo, and the built-in presence

Cloud computing 24
functionality offers further fascinating possibilities. Presence includes basic availability information,
but it is extensible and can also include abilities.

The Interrelation of Identity, Presence, and Location in the Cloud

Digital identity refers to the traits, attributes, and preferences on which one may receive personalized
services. Identity traits might include government-issued IDs, corporate user accounts, and biometric
information. Two user attributes that may be associated with identity are presence and location. Over
the last few years, there has been an aggressive move toward the convergence of identity, location, and
presence. This is important because a standard framework tying identity to presence and location
creates the ability to develop standards-based services for identity management that incorporate
presence and location. Identity, presence, and location are three characteristics that lie at the core of
some of the most critical emerging technologies in the market today: real-time communications
(including VoIP, IM, and mobile communications), cloud computing, collaboration, and identity-based
security.

Presence is most often associated with real-time communications systems such as IM and describes
the state of a user's interaction with a system, such as which computer they are accessing, whether they
are idle or working, and perhaps also which task they are currently performing (reading a document,
composing email etc.). Location refers to the user's physical location and typically includes latitude,
longitude, and (sometimes) altitude. Authentication and authorization mechanisms generally focus on
determining the "who" of identity, location defines the "where," and presence defines the "what"—all
critical components of the identity-based emerging technologies listed above, including cloud
computing.

Privacy and its Relation to cloud-Based Information Systems:

Information privacy or data privacy is the relationship between collection and dissemination of
data, technology, the public expectation of privacy, and the legal issues surrounding them. The
challenge in data privacy is to share data while protecting personally identifiable information. The
fields of data security and information security design and utilize software, hardware, and human
resources to address this issue. The ability to control what information one reveals about oneself over
the Internet, and who can access that information, has become a growing concern. These concerns
include whether email can be stored or read by third parties without consent, or whether third parties
can track the web sites someone has visited. Another concern is whether web sites which are visited
collect, store, and possibly share personally identifiable information about users. Personally
identifiable information (PII), as used in information security, refers to information that can be used to
uniquely identify, contact, or locate a single person or can be used with other sources to uniquely
identify a single individual.

Privacy is an important business issue focused on ensuring that personal data is protected from
unauthorized and inappropriate collection, use, and disclosure, ultimately preventing the loss of
customer trust and inappropriate fraudulent activity such as identity theft, email spamming, and
phishing. According to the results of the Ponemon Institute and TRUSTe's 2008 Most Trusted
Companies for Privacy Survey, privacy is a key market differentiator in today's cyberworld.
"Consumer perceptions are not superficial, but are in fact the result of diligent and successful

Cloud computing 25
execution of thoughtful privacy strategies," said Dr. Larry Ponemon, chairman and founder of the
Ponemon Institute. "Consumers want to do business with brands they believe they can trust."

Adhering to privacy best practices is simply good business but is typically ensured by legal
requirements. Many countries have enacted laws to protect individuals' right to have their privacy
respected, such as Canada's Personal Information Protection and Electronic Documents Act
(PIPEDA), the European Commission's directive on data privacy, the Swiss Federal Data Protection
Act (DPA), and the Swiss Federal Data Protection Ordinance. In the United States, individuals' right to
privacy is also protected by business-sector regulatory requirements such as the Health Insurance
Portability and Accountability Act (HIPAA), The Gramm-Leach-Bliley Act (GLBA), and the FCC
Customer Proprietary Network Information (CPNI) rules.

Customer information may be "user data" or "personal data." User data is information collected from a
customer, including:

 Any data that is collected directly from a customer; e.g., entered by the customer via an
application's user interface
 Any data about a customer that is gathered indirectly; e.g., metadata in documents
 Any data about a customer's usage behavior; e.g., logs or history
 Any data relating to a customer's system; e.g., system configuration, IP address

Personal data, sometimes also called PII, is any piece of data that can potentially be used to uniquely
identify, contact, or locate a single person or can be used with other sources to uniquely identify a
single individual. Not all customer/user data collected by a company is personal data. Examples of
personal data include:

 Contact information (name, email address, phone, postal address)

 Forms of identification such as Social Security number, driver's license, passport, and
fingerprints
 Demographic information such as age, gender, ethnicity, religious affiliation, sexual
orientation, or criminal record
 Occupational information such as job title, company name, or industry
 Health care information such as plans, providers, history, insurance, or genetic information
 Financial information such as bank and credit/debit card account numbers, purchase history,
and credit records
 Online activity including IP address, cookies, flash cookies, and log-in credentials

A subset of personal data is defined as sensitive and requires a greater level of controlled collection,
use, disclosure, and protection. Sensitive data includes some forms of identification such as Social
Security number, some demographic information, and information that can be used to gain access to
financial accounts, such as credit or debit card numbers and account numbers in combination with any
required security code, access code, or password. Finally, it is important to understand that user data
may also be personal data.

1. Privacy Risks and the Cloud: Cloud computing has significant implications for the privacy of
personal information as well as for the confidentiality of business and governmental information. Any

Cloud computing 26
information stored locally on a computer can be stored in a cloud, including email, word processing
documents, spreadsheets, videos, health records, photographs, tax or other financial information,
business plans, PowerPoint presentations, accounting information, advertising campaigns, sales
numbers, appointment calendars, address books, and more.

The entire contents of a user's storage device may be stored with a single cloud provider or with many
cloud providers. Whenever an individual, a business, a government agency, or other entity shares
information in the cloud, privacy or confidentiality questions may arise.

A user's privacy and confidentiality risks vary significantly with the terms of service and privacy
policy established by the cloud provider. For some types of information and some categories of cloud
computing users, privacy and confidentiality rights, obligations, and status may change when a user
discloses information to a cloud provider. Disclosure and remote storage may have adverse
consequences for the legal status of or protections for personal or business information. The location
of information in the cloud may have significant effects on the privacy and confidentiality protections
of information and on the privacy obligations of those who process or store the information.
Information in the cloud may have more than one legal location at the same time, with differing legal
consequences. Laws could oblige a cloud provider to examine user records for evidence of criminal
activity and other matters. Legal uncertainties make it difficult to assess the status of information in
the cloud as well as the privacy and confidentiality protections available to users.

2. Protecting Privacy Information: The Federal Trade Commission is educating consumers and
businesses about the importance of personal information privacy, including the security of personal
information. Under the FTC Act, the Commission guards against unfairness and deception by
enforcing companies' privacy promises about how they collect, use, and secure consumers' personal
information.

The FTC publishes a guide that is a great educational tool for consumers and businesses alike, titled
"Protecting Personal Information: A Guide for Business." In general, the basics for protecting data
privacy are as follows, whether in a virtualized environment, the cloud, or on a static machine:

 Collection: You should have a valid business purpose for developing applications and
implementing systems that collect, use or transmit personal data.
 Notice: There should be a clear statement to the data owner of a company's or provider's
intended collection, use, retention, disclosure, transfer, and protection of personal data.
 Choice and consent: The data owner must provide clear and unambiguous consent to the
collection, use, retention, disclosure, and protection of personal data.
 Use: Once it is collected, personal data must only be used, including transfers to third parties,
in accordance with the valid business purpose and as stated in the Notice.
 Security: Appropriate security measures must be in place; e.g., encryption, to ensure the
confidentiality, integrity, and authentication of personal data during transfer, storage, and use.
 Access: Personal data must be available to the owner for review and update. Access to
personal data must be restricted to relevant and authorized personnel.
 Retention: A process must be in place to ensure that personal data is only retained for the
period necessary to accomplish the intended business purpose or that which is required by law.

Cloud computing 27
  Disposal: The personal data must be disposed of in a secure and appropriate manner; i.e., using
encryption disk erasure or paper shredders.

Particular attention to the privacy of personal information should be taken in an a SaaS and managed
services environment when (1) transferring personally identifiable information to and from a
customer's system, (2) storing personal information on the customer's system, (3) transferring
anonymous data from the customer's system, (4) installing software on a customer's system, (5) storing
and processing user data at the company, and (6) deploying servers. There should be an emphasis on
notice and consent, data security and integrity, and enterprise control for each of the events above as
appropriate.

3. The Future of Privacy in the Cloud: There has been a good deal of public discussion of the
technical architecture of cloud computing and the business models that could support it; however, the
debate about the legal and policy issues regarding privacy and confidentiality raised by cloud
computing has not kept pace. A report titled "Privacy in the Clouds: Risks to Privacy and
Confidentiality from Cloud Computing," prepared by Robert Gellman for the World Privacy Forum,
provides the following observations on the future of policy and confidentiality in the cloud computing
environment:

 Responses to the privacy and confidentiality risks of cloud computing include better policies
and practices by cloud providers, more vigilance by users, and changes to laws.
 The cloud computing industry could establish standards that would help users to analyze the
difference between cloud providers and to assess the risks that users face.
 Users should pay more attention to the consequences of using a cloud provider and, especially,
to the provider's terms of service.
 For those risks not addressable solely through policies and practices, changes in laws may be
needed.
 Users of cloud providers would benefit from greater transparency about the risks and
consequences of cloud computing, from fairer and more standard terms, and from better legal
protections. The cloud computing industry would also benefit.

Security in the cloud:

Cloud computing security is the set of control-based technologies and policies designed to adhere to
regulatory compliance rules and protect information, data applications and infrastructure associated
with cloud computing use.

Because of the cloud's very nature as a shared resource, identity management, privacy and access
control are of particular concern. With more organizations using cloud computing and associated
cloud providers for data operations, proper security in these and other potentially vulnerable areas
have become a priority for organizations contracting with a cloud computing provider.

Cloud computing security processes should address the security controls the cloud provider will
incorporate to maintain the customer's data security, privacy and compliance with necessary
regulations. The processes will also likely include a business continuity and data backup plan in the
case of a cloud security breach.

Cloud computing 28
Security of the cloud means the traditional security elements that go hand in hand with moving to the
cloud. They come with the cloud infrastructure a company might select; security at the compute,
storage and network service layers. These are maintained as foundational security elements of the
cloud infrastructure itself and provide the customer a baseline of comfort, if you will, that their cloud
is a secure environment from which to run their business.

Security in the cloud refers to the applications, the data and other services a company runs in their
cloud or clouds. These services are generally connected to each other, back into the organization and
most importantly, connected out to multiple end-points. And those end-points are exactly the targets
today‘s evolved cyber threats are looking to exploit. But here‘s the kicker: in today‘s world, it‘s the
responsibility of the customer — not the cloud provider — to ensure those services running in the
cloud are as secure as the cloud infrastructure itself.

Now, don‘t let this scare you. Solutions come in many forms and functions, including Rackspace
Managed Security services. But no matter which solution a company chooses, it‘s critical to
understand there is a difference in approach and responsibility between securing the foundational
elements of your cloud infrastructure (network, storage, compute) and ensuring that your business
services that run in the cloud are protected from advanced cyber threats.

There are three key elements a provider needs to have in place if they‘re going to adequately address
security in the cloud. They must be available around the clock — security isn‘t something that goes to
sleep at night, and it‘s not a nine to five gig. Security in the cloud demands 24x7x365 monitoring for
advanced cyber threats.

There should also be an expectation that the provider is using best of breed technologies. Because
threats are so varied, there is a need to have leading technologies in place which can prevent or detect
a variety of different threats.

But most importantly, the provider must have the expertise and processes in-house that allow them to
rapidly detect and remediate any threats on behalf of the customer, in order to minimize any business
impact that may occur. Rackspace Managed Security, for example, detects breaches through active
cyber hunting: an experienced Rackspace security team monitors and manages your environment
around the clock, using leading technology and advanced analytics to actively search for threats.

We also remediate breaches immediately with pre-approved actions: once detected, our security team
immediately responds to mitigate the threat without wasting precious time seeking approvals, and
dramatically reduce the risk of data loss by minimizing the breach window. Our active security
approach is designed to minimize a threat‘s most precious resource — time in your environment.

Business leaders must ensure their IT teams are protecting their company‘s security posture beyond
just the cloud infrastructure. Public clouds such as AWS and Microsoft Azure will get you a stable and
secure cloud foundation. But even more critical to push beyond security of the cloud, with partners
who can deliver a proactive approach to securing your data and apps from evolving cyber threats in the
cloud.

Cloud computing 29
Cloud security architecture is effective only if the correct defensive implementations are in place. An
efficient cloud security architecture should recognize the issues that will arise with security
management. The security management addresses these issues with security controls. These controls
are put in place to safeguard any weaknesses in the system and reduce the effect of an attack. While
there are many types of controls behind cloud security architecture, they can usually be found in one
of the following categories.

Deterrent controls
These controls are intended to reduce attacks on a cloud system. Much like a warning sign on a fence
or a property, deterrent controls typically reduce the threat level by informing potential attackers that
there will be adverse consequences for them if they proceed. (Some consider them a subset of
preventive controls.)

Preventive controls
Preventive controls strengthen the system against incidents, generally by reducing if not actually
eliminating vulnerabilities. Strong authentication of cloud users, for instance, makes it less likely that
unauthorized users can access cloud systems, and more likely that cloud users are positively identified.

Detective controls
Detective controls are intended to detect and react appropriately to any incidents that occur. In the
event of an attack, a detective control will signal the preventative or corrective controls to address the
issue. System and network security monitoring, including intrusion detection and prevention
arrangements, are typically employed to detect attacks on cloud systems and the supporting
communications infrastructure.

Corrective controls
Corrective controls reduce the consequences of an incident, normally by limiting the damage. They
come into effect during or after an incident. Restoring system backups in order to rebuild a
compromised system is an example of a corrective control.

The main responsibility for protecting corporate data in the cloud lies not with the service provider but
with the cloud customer. ―We are in a cloud security transition period in which focus is shifting from
the provider to the customer,‖ Heiser says. ―Enterprises are learning that huge amounts of time spent
trying to figure out if any particular cloud service provider is ‗secure‘ or not has virtually no payback.‖

To provide organizations with an up-to-date understanding of cloud security concerns so they can
make educated decisions regarding cloud adoption strategies, the Cloud Security Alliance (CSA) has
created the latest version of its Treacherous 12 Top Threats to Cloud Computing Plus:

The report reflects the current consensus among security experts in the CSA community about the
most significant security issues in the cloud. While there are many security concerns in the cloud, CSA
says, this list focuses on 12 specifically related to the shared, on-demand nature of cloud computing.

To identify the top concerns, CSA conducted a survey of industry experts to compile professional
opinions on the greatest security issues within cloud computing.

Cloud computing 30
Here are the top cloud security issues (ranked in order of severity per survey results):

1. Data breaches: A data breach might be the primary objective of a targeted attack or simply the
result of human error, application vulnerabilities, or poor security practices, CSA says. It might
involve any kind of information that was not intended for public release, including personal health
information, financial information, personally identifiable information, trade secrets, and intellectual
property. An organization‘s cloud-based data may have value to different parties for different reasons.
The risk of data breach is not unique to cloud computing, but it consistently ranks as a top concern for
cloud customers.
2. Insufficient identity, credential, and access management: Bad actors masquerading as legitimate
users, operators, or developers can read, modify, and delete data; issue control plane and management
functions; snoop on data in transit or release malicious software that appears to originate from a
legitimate source, CSA says. As a result, insufficient identity, credential, or key management can
enable unauthorized access to data and potentially catastrophic damage to organizations or end users.

3. Insecure interfaces and application programming interfaces (APIs): Cloud providers expose a
set of software user interfaces (UIs) or APIs that customers use to manage and interact with cloud
services. Provisioning, management, and monitoring are all performed with these interfaces, and the
security and availability of general cloud services depends on the security of APIs, CSA says. They
need to be designed to protect against accidental and malicious attempts to circumvent policy.

4. System Vulnerabilities: System vulnerabilities are exploitable bugs in programs that attackers can
use to infiltrate a system to steal data, taking control of the system or disrupting service operations.
Vulnerabilities within the components of the operating system put the security of all services and data
at significant risk, CSA says. With the advent of multi-tenancy in the cloud, systems from various
organizations are placed close to each other and given access to shared memory and resources,
creating a new attack surface.

5. Account hijacking: Account or service hijacking is not new, CSA notes, but cloud services add a
new threat to the landscape. If attackers gain access to a user‘s credentials, they can eavesdrop on
activities and transactions, manipulate data, return falsified information and redirect clients to
illegitimate sites. Account or service instances might become a new base for attackers. With stolen
credentials, attackers can often access critical areas of cloud computing services, allowing them to
compromise the confidentiality, integrity, and availability of those services.

6. Malicious insiders: While the level of threat is open to debate, the fact that insider threat is a real
adversary is not, CSA says. A malicious insider such as a system administrator can access potentially
sensitive information, and can have increasing levels of access to more critical systems and eventually
to data. Systems that depend solely on cloud service providers for security are at greater risk.

7. Advanced persistent threats (APTs): APTs are a parasitical form of cyber-attack that infiltrates
systems to establish a foothold in the IT infrastructure of target companies, from which they steal data.
APTs pursue their goals stealthily over extended periods of time, often adapting to the security
measures intended to defend against them. Once in place, APTs can move laterally through data center
networks and blend in with normal network traffic to achieve their objectives, CSA says.

Cloud computing 31
8. Data loss: Data stored in the cloud can be lost for reasons other than malicious attacks, CSA says.
An accidental deletion by the cloud service provider, or a physical catastrophe such as a fire or
earthquake, can lead to the permanent loss of customer data unless the provider or cloud consumer
takes adequate measures to back up data, following best practices in business continuity and disaster
recovery.

Common Standards in the cloud-End-User Access:

Cloud computing is an information technology (IT) paradigm that enables ubiquitous access to shared
pools of configurable system resources and higher-level services that can be rapidly provisioned with
minimal management effort, often over the Internet. Cloud computing relies on sharing of resources to
achieve coherence and economies of scale, similar to a public utility.

Third-party clouds enable organizations to focus on their core businesses instead of expending
resources on computer infrastructure and maintenance. Advocates note that cloud computing allows
companies to avoid or minimize up-front IT infrastructure costs. Proponents also claim that cloud
computing allows enterprises to get their applications up and running faster, with improved
manageability and less maintenance, and that it enables IT teams to more rapidly adjust resources to
meet fluctuating and unpredictable demand. Cloud providers typically use a "pay-as-you-go" model,
which can lead to unexpected operating expenses if administrators are not familiarized with cloud-
pricing models.

Bitium is a Santa Monica, California-based developer of the cloud service Bitium, which provides
single sign-on and identity management for Software as a Service (SaaS) cloud-based applications.
Bitium allows end users to access all of their cloud software accounts using a single set of login
credentials. The product can integrate with cloud apps using SAML for enhanced security.

Bitium also allows companies to extend their existing directory structured to cloud apps. Bitium can
integrate with Active Directory, LDAP, HRIS, Google Apps and other on-premises directories to
allow for centralized user access and control.

A cloud database is a database that is run on and accessed via the Internet, rather than locally. So,
rather than keep a customer information database at one location, a business may choose to have it
hosted on the Internet so that all its departments or divisions can access and update it. Most database
services offer web-based consoles, which the end user can use to provision and configure database
instances.

One challenge among standardization organizations is determining what areas of cloud computing to
standardize first. In 2005, researchers from the European Union defined three generations of service-
oriented systems. The development of cloud-based systems over time is analogous to the following
classification of the way that service-oriented systems have evolved

 First-generation. The location and negotiation of cloud resources occur at design time. Cloud
resources are provisioned and instantiated following the negotiation process.
 Second-generation. The location and negotiation of cloud resources occur at design time.
Depending on business needs, however, cloud resources are provisioned either at design time
or runtime, and instantiated at runtime. This approach would support, for example, a cloud-

Cloud computing 32
 bursting strategy in which developers design a system for an average load, but the system can
balance its load to a cloud provider when it reaches its full capacity.
 Third generation. In the third generation of cloud-based systems, the location, negotiation,
provisioning, and instantiation of cloud resources occur at runtime.

Reaching this third generation of cloud-based systems will most likely be the focus of future research.
This work will require cloud consumers, cloud providers, and software vendor groups to work together
to define standardized, self-descriptive, machine-readable representations of

 Basic resource characteristics such as size, platform, and API (application programming
interface); and
 More advanced resource characteristics such as pricing and quality attributes values,
negotiation protocols and processes; and billing protocols and processes.

Cloud computing 33