
Unit III

Virtualization: Introduction - Approaches in Virtualization - Hypervisors - Types of Virtualization - Multi-core Technology - Memory and Storage Technology.
Security in Cloud: Introduction - Security Aspects - Platform-Related Security - Audit and Compliance.
Virtualization
• Virtualization allows a single physical instance of a resource or an application to be shared among multiple customers and organizations at the same time.
• This includes making a single physical resource (such as a server, an operating system, an application or a storage device) appear to function as multiple virtual resources.
• It can also include making multiple physical resources (such as storage devices or servers) appear as a single virtual resource.
• It is a technique for separating a service from the physical delivery of that service.
• With virtualization, multiple operating systems and applications can run on the same machine and the same hardware at the same time, increasing the utilization and flexibility of the hardware.
Continued..
• The creation of many virtual resources from one physical resource.
• The creation of one virtual resource from one or more physical resources.
• A technique for dividing computer resources logically.
• Virtualization helps us create software-based (virtual) versions of a computer resource.
• It allows organizations to partition a single physical computer or server into several virtual machines (VMs).
• Each VM can then operate independently and run different operating systems or applications while sharing the resources of a single computer.
• The physical machine on which a virtual machine is built is known as the host machine; the virtual machine itself is referred to as the guest machine.
Key terms

– Hypervisor
• A hypervisor is the software layer that creates and coordinates VMs.
• It serves as an interface between each VM and the underlying physical hardware, ensuring that each VM gets access to the physical resources it needs to execute while remaining isolated from the other VMs.
• A bare-metal (Type 1) hypervisor is itself the privileged software running on the actual hardware; a hosted (Type 2) hypervisor runs as a process under a conventional host OS, and each VM then appears to that OS as a running process.
– Virtual Machine (VM)
• It is a virtual computer that runs under a hypervisor
• They normally comprise several files containing the VM’s
configuration, the storage for the virtual hard drive, and
some snapshots of the VM that preserve its state at a
particular point in time
– Container
• A container is a light-weight isolated environment that shares the running host OS kernel instead of booting its own OS under a hypervisor; isolation comes from kernel features (on Linux, namespaces and control groups), so the shared kernel is the trust boundary rather than virtualized hardware.
– Virtualization Software 
• It is a software that aids in implementing virtualization
on any computer.
– Virtual Network 
• Virtual Network is a logically separate network within
servers that can be extended to other servers or across
multiple servers. 
Benefits of virtualization 
• Resource efficiency
• previously each application server required its own dedicated physical server and CPU
• server virtualization runs several applications, each on its own VM with its own OS, on a single physical computer
• Easier management
• replacing physical computers with software-defined VMs makes them easier to manage
• automated deployment and configuration tools enable administrators to define collections of virtual machines and applications as services, in software templates
• Minimal downtime
• OS and application crashes cause downtime and disrupt user productivity
• administrators can run redundant VMs side by side and fail over between them; running multiple redundant physical servers is far more expensive
• Faster provisioning
• buying, installing, and configuring hardware for each application is time-consuming
• provided that the hardware is already in place, provisioning virtual machines to run all your applications is significantly faster
• Vendor neutrality
• open-source virtualization favours a vendor-agnostic hardware configuration
• this gives greater flexibility to experiment, while also helping to improve software and features, enhance scalability, and establish simplified, industry-standardized integrations
Types of Virtualization
• Desktop virtualization
• Network virtualization
• Storage virtualization
• Data virtualization
• Application virtualization
• Data center virtualization
• CPU virtualization
• GPU virtualization
• Linux virtualization
• Cloud virtualization
• Desktop virtualization
• Desktop virtualization lets us deploy simulated desktop
environments to many physical machines at once
• desktop virtualization allows admins to perform mass
configurations, updates, and security checks on all virtual
desktops.
• There are two types of desktop virtualization
• Virtual desktop infrastructure (VDI)
– runs multiple desktops in VMs on a central server and streams them to
users who log in on thin client devices.
– VDI lets an organization give its users access to a variety of OSes from any device, without installing those OSes on the device itself
• Local desktop virtualization
– runs a hypervisor on a local computer, enabling the user to run one or
more additional OSs on that computer and switch from one OS to
another as needed without changing anything about the primary OS.
• Network virtualization
• create a “view” of the network that an administrator
can use to manage the network from a single console
• The network administrator can modify and control
these elements without touching the underlying
physical components -which simplifies network
management
• software-defined networking (SDN)
– virtualizes hardware that controls network traffic routing
• network function virtualization (NFV)
– Virtualizes one or more hardware appliances that provide a
specific network function
• Storage virtualization
– pools all the storage devices on the network, whether they are installed in individual servers or are standalone storage units
– masses all blocks of storage into a single shared pool from which capacity can be assigned to any VM on the network as needed
• Data virtualization
– data exists in multiple file formats and in multiple locations, ranging from the cloud to on-premises hardware and software systems
– data virtualization lets any application access all of that data irrespective of source, format or location
– data virtualization tools create a software layer between the applications accessing the data and the systems storing it
• Application virtualization
– runs application software without installing it directly on
the user’s OS
– Local application virtualization
• The entire application runs on the endpoint device but runs in a
runtime environment instead of on the native hardware.
– Application streaming
• The application lives on a server which sends small components
of the software to run on the end user's device when needed.
– Server-based application virtualization 
• The application runs entirely on a server that sends only its user
interface to the client device.
• Data centre virtualization
– enables an administrator to divide a single physical data center into multiple virtual data centers for different clients
• CPU virtualization
– CPU virtualization is what makes hypervisors and virtual machines possible
– it allows a single CPU to be divided into multiple virtual CPUs for use by multiple VMs
• GPU virtualization
– a graphics processing unit (GPU) is a special multi-core processor that improves overall computing performance by taking over heavy-duty graphic or mathematical processing
– GPU virtualization lets multiple VMs use all or some of a single GPU's processing power for faster video, artificial intelligence (AI), and other graphic- or math-intensive applications
• Linux virtualization
– Linux includes its own hypervisor, the Kernel-based Virtual Machine (KVM)
– as an open-source OS, Linux is highly customizable
• Cloud virtualization
– by virtualizing servers, storage, and other physical data center resources, cloud computing providers can offer a range of services to customers
– Infrastructure as a service (IaaS)
• virtualized server, storage, and network resources that you configure based on your own requirements
– Platform as a service (PaaS)
• virtualized development tools, databases, and other cloud-based services you can use to build your own cloud-based applications and solutions
– Software as a service (SaaS)
• software applications you use in the cloud; SaaS is the cloud-based service most abstracted from the hardware
Virtualization methods
• Full virtualization
• allows multiple unmodified guest operating systems to execute independently on one host
• the virtual machine completely isolates the guest OS from the hypervisor and the hardware; the guest is not aware that it is virtualized
• the guest runs its unprivileged instructions directly on the CPU, but privileged (sensitive) instructions are intercepted by the hypervisor and either emulated or binary-translated
• that interception makes it slower and lower performing than paravirtualization, which is the price paid for running the guest OS unmodified
• Examples:
– Microsoft (Virtual PC) and Parallels products.
• A host OS (or the hypervisor) runs directly on the hardware
• Each guest OS runs inside a virtual machine
• The guest OS is not concerned with the presence of a hypervisor
• Each virtual machine and its guest operating system operate as an independent computer
• Advantages
– No modification to the guest operating system is required.
• Limitations
– Complex
– Slower due to emulation (trap-and-emulate or binary translation)
– Installation of new device drivers is difficult.
Full virtualization
• Paravirtualization
• allows multiple guest operating systems to run on a host while communicating explicitly with the hypervisor to improve performance
• paravirtualization uses a modified guest operating system: privileged operations in the guest kernel are replaced by explicit hypercalls to the hypervisor
• the hypervisor services those hypercalls and passes the guest's remaining unprivileged instructions straight through to the CPU and the other real or virtual interfaces
• every privileged call is routed through the hypervisor
• the guest is therefore only partially isolated from the hypervisor and the hardware
• it avoids trap-and-emulate overhead and so offers higher performance and is faster
• Examples: Xen and VMware
• The hypervisor is installed on the device
• Guest OSes are installed into that environment
• This virtualization method modifies the guest operating system to communicate with the hypervisor
• Advantages
– Easier (no need to trap or translate privileged instructions)
– Enhanced performance
– No emulation overhead
• Limitations
– Requires modification to the guest operating system, so unmodified or closed-source OSes cannot be run this way
Paravirtualization
• Hardware-Assisted Virtualization
• similar to full virtualization and paravirtualization in terms of operation, except that it requires hardware support
• the underlying hardware provides special CPU instructions and execution modes to aid virtualization: the hypervisor runs in a privileged "root" mode, and the unmodified guest OS runs in a deprivileged guest mode in which sensitive instructions trap to the hypervisor without binary translation
• used to create virtual versions of physical desktops and operating systems
• it uses a virtual machine monitor (VMM), called a hypervisor, to provide abstracted hardware to multiple guest operating systems, which can then share the physical hardware resources more efficiently
• Examples: Intel VT-x and AMD-V processor extensions
• Advantages:
– better performance and lower costs
– very low hypervisor overhead
• Limitations:
– hardware support required (and the feature must be enabled in the system firmware)
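Whether a machine can run a hardware-assisted hypervisor, and whether the code asking is itself inside a guest, can be read off the CPU feature flags. The example below is added here and is not from the slides: on Linux the kernel exposes the CPUID bits as the `flags` line of /proc/cpuinfo, where `vmx` marks Intel VT-x, `svm` marks AMD-V, `ept`/`npt` mark second-level address translation, and the synthetic `hypervisor` flag (CPUID leaf 1, ECX bit 31) is set by a hypervisor to tell the guest it is virtualized. The two cpuinfo dumps are constructed for the demo; the `VirtSupport` type and function names are the example's own.

```python
"""Added example: read hardware-virtualization support and guest status from
CPU feature flags in /proc/cpuinfo format (Linux). Sample dumps are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class VirtSupport:
    vendor: str
    hw_assist: Optional[str]   # "vmx" (Intel VT-x), "svm" (AMD-V) or None
    slat: bool                 # EPT (Intel) / NPT (AMD) second-level paging
    in_guest: bool             # 'hypervisor' flag: we are running inside a VM

    def can_run_type1_or_kvm(self) -> bool:
        """KVM, ESXi and Hyper-V all refuse to start without VT-x or AMD-V."""
        return self.hw_assist is not None


def _first_processor_fields(text: str) -> Dict[str, str]:
    """Parse 'key : value' lines of the first processor block only."""
    block = text.strip().split("\n\n")[0]
    fields: Dict[str, str] = {}
    for line in block.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_cpuinfo(text: str) -> VirtSupport:
    fields = _first_processor_fields(text)
    flags: Set[str] = set(fields.get("flags", "").split())
    hw = "vmx" if "vmx" in flags else ("svm" if "svm" in flags else None)
    return VirtSupport(
        vendor=fields.get("vendor_id", "unknown"),
        hw_assist=hw,
        slat=bool(flags & {"ept", "npt"}),
        # Note: with nested virtualization enabled a guest may show vmx/svm
        # *and* hypervisor at the same time; the two checks are independent.
        in_guest="hypervisor" in flags,
    )


def read_live() -> Optional[VirtSupport]:
    """Convenience for a real Linux box; returns None where /proc/cpuinfo is absent."""
    try:
        with open("/proc/cpuinfo", encoding="utf-8") as fh:
            return parse_cpuinfo(fh.read())
    except OSError:
        return None


# Constructed sample: a bare-metal Intel host with VT-x and EPT.
BARE_METAL = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Example Xeon (constructed)\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm vmx ept vpid\n"
)

# Constructed sample: a KVM guest on AMD hardware without nested virtualization.
KVM_GUEST = (
    "processor\t: 0\n"
    "vendor_id\t: AuthenticAMD\n"
    "model name\t: Example EPYC (constructed)\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov "
    "pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm hypervisor\n"
)

if __name__ == "__main__":
    for label, dump in (("bare metal", BARE_METAL), ("guest", KVM_GUEST)):
        print(label, parse_cpuinfo(dump))
    live = read_live()
    if live is not None:
        print("this machine", live)
```

The same parser run against a real host tells you whether `/dev/kvm` can work (needs `vmx` or `svm`) and whether your "bare-metal" box is in fact a VM, which matters when you are deciding where a Type 1 hypervisor can actually be deployed.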
• Software virtualization
• In the hypervisor sense, software-only virtualization uses binary translation and other emulation techniques to run unmodified operating systems without hardware assistance.
• The term is also used for application-level virtualization: installation mechanisms differ from application to application, programs require certain helper applications or frameworks, and these can conflict with applications already installed.
• Like other forms of virtualization it abstracts a resource, but here the resource is the software installation procedure itself: the installation is captured as a virtual software installation that runs without touching the host's real installation state.
• Examples:
– VMware products and VirtualBox
Cloud Computing and Virtualization
• Advantages of VMs
– Portability. VMs allow users to move systems to other computing environments easily.
– Speed. Creating a VM is much faster than installing a new OS on a physical server. VMs can also be cloned, OS included.
– Security. VMs help provide an extra layer of security because they can be scanned for malware from outside the guest. They also enable users to take snapshots of their current states. If an issue arises, users can review those snapshots to trace it and restore the VM to a previous version.
• Disadvantages of VMs
– Infected VMs. It can be risky to create VMs on weak host hardware. An improperly structured host system may spread its OS bugs to its VMs.
– Server sprawl. The ability to create virtual machines can quickly lead to a crowded network. It is best to monitor the creation of VMs to preserve computational resources.
– Complexity. System failures can be challenging to pinpoint in infrastructure with multiple local area networks (LANs).
Virtualization Tools
– software that can be used to achieve various kinds of virtualization
– popular virtualization platforms and tools
• VMware Workstation Player
• VirtualBox
• Citrix Hypervisor
• Microsoft Hyper-V
Protection rings
– isolate the OS from untrusted user applications.
– the OS can be protected with different privilege levels
– in the protection ring architecture the rings are arranged in hierarchical order from ring 0 (most privileged) to ring 3 (least privileged).
– this restricts the misuse of resources and malicious behaviour by untrusted user-level programs.
– with classic software-only virtualization the hypervisor takes ring 0 and the guest OS kernel is deprivileged to a less privileged ring, so that its privileged instructions trap to the hypervisor; with hardware assistance (Intel VT-x, AMD-V) the hypervisor runs in a separate root mode and the guest kernel keeps its ring 0 inside the VM, but still with less real privilege than the hypervisor.
Protection rings in OS
• ring 0
– programs that are most privileged
– highly trusted OS (kernel) instructions
– unrestricted access to physical resources
• ring 3
– programs that are least privileged
– untrusted user applications
– restricted access to physical resources
• ring 1 and ring 2
– traditionally allotted to device drivers; most modern OSes use only ring 0 and ring 3
Hypervisor
• Hypervisor software facilitates virtualization.
• A hypervisor can sit on top of an operating system (hosted), or it can be installed directly onto the hardware (bare metal).
• Hypervisors take physical resources and divide them up so that virtual environments can use them.
• With a bare-metal hypervisor the hypervisor itself is the privileged software running on the actual hardware; with a hosted hypervisor a conventional OS runs on the hardware and each virtual machine is a running process of that OS.
Types of Hypervisors
• Hypervisors are available in two categories
– Type 1
– Type 2
• Type 1 Hypervisors (Bare Metal)
• A Type 1 hypervisor is installed directly on top of the physical machine.
• Generally considered more secure than Type 2 hypervisors, because no general-purpose host OS sits underneath them.
• lower latency, and the most used in the market
• They most commonly appear in virtual server scenarios
Examples:
• VMware ESXi, Microsoft Hyper-V, and the open-source Kernel-based Virtual Machine (KVM) built into the Linux kernel.
Advantages of Type-1 hypervisor
• Great performance
– They are not constrained by the limitations that come with a host OS, so they can provide great performance.
• Highly secure
– Since they run directly on the physical hardware without any underlying OS, they are not exposed to the flaws and vulnerabilities that are often endemic to general-purpose OSes. The attack surface is reduced to the hypervisor itself, which is why hypervisor patching and guest isolation still matter.
• Type 2 Hypervisors (Hosted)
– there is a layer of host OS that sits between the
physical server and the hypervisor.
– For this reason, we call these hypervisors “hosted
hypervisors”
– more latency compared to Type 1
– Most commonly used on endpoint devices to run
alternative operating systems
– include Oracle VirtualBox or VMware
Workstation
• Requirements
– A physical server
– An OS installed on that server hardware (Windows, Linux, macOS)
– A Type-2 hypervisor on that OS
– Virtual machine instances / guest VMs
Advantages of Type-2 hypervisor
• Simple management
– They essentially act as
management consoles.
– There is no need to install a
separate software package
to manage the virtual
machines running on type-2
hypervisors.
• Useful for testing purposes
– They are convenient for
testing any new software or
research projects.
Differences
– Definition: a Type 1 hypervisor runs on bare metal; a Type 2 hypervisor runs on an existing OS
– Virtualization: both present virtual hardware to their guests, but Type 1 uses its own device drivers and scheduler while Type 2 relies on the host OS for device access and scheduling
– Security: Type 1 is more secure (smaller trusted computing base, no general-purpose host OS underneath); Type 2 is less secure because it inherits every weakness of its host OS
– Latency: lower for Type 1, higher for Type 2
– Resource saving: more effective for Type 1, less effective for Type 2
– Cost: higher for Type 1, lower for Type 2
– Remote console required: yes for Type 1 (there is no local desktop), no for Type 2


Suitability
• Type-1 hypervisors
– enterprise development environments, or large
organizations that need to deploy hundreds of
VMs

• Type-2 hypervisors
– personal use, smaller deployments, or multiple-
environment test requirements
Security Issues and Recommendations
• The hypervisor creates the virtual environment in the data center.
• An attack on the hypervisor generally compromises it through malicious code written by an attacker, and a compromised hypervisor means every VM it hosts is compromised too.
• A bare-metal hypervisor (Type 1) is harder to attack because it is deployed directly on the hardware: there is no host OS whose vulnerabilities can serve as a stepping stone.
• Hosted hypervisors (Type 2) are more vulnerable to attack because they run on top of a host OS and inherit its weaknesses.
Security Issues and Recommendations
• There are two possible paths for attacking the hypervisor
• through the host OS
• through the guest OS
• Attack through the host OS
– Attacks from the host OS are performed by exploiting vulnerabilities of the host OS.
– A Type 2 hypervisor is itself just an application running on top of the host OS, so a compromised host OS gives the attacker the hypervisor as well.
Attack through the host OS
• Attack through the guest OS:
– The hypervisor can also be compromised by a malicious script or program running in a compromised guest OS.
– The guest OS communicates with the hypervisor to obtain virtual resources, so malicious code in a guest has an interface (hypercalls, emulated devices, shared memory) through which a hypervisor bug can be reached and exploited.
– If the hypervisor is compromised from a guest OS or a malicious VM, the attacker inherits the hypervisor's high privilege over the hardware.
– This type of attack is possible with both Type 1 and Type 2 hypervisors.
– The attacker can then:
• gain unauthorized access to the other VMs that share the physical hardware
• consume the hardware resources fully to launch resource exhaustion (denial-of-service) attacks, etc.
Attack through the guest OS
Common virtualization attacks
• The attacker can do the following malicious activities:
– Denial of service attack
• A successful DoS attack against the hypervisor can lead to its shutdown, taking every hosted VM down with it.
– VM jumping (VM escape)
• If a security hole exists in the hypervisor and is found, a user logged into one VM can hop over to another VM and gain access to it, to look at information or acquire it.
– Host traffic interception
• Vulnerabilities in the hypervisor can allow tracking of system calls and paging files, and monitoring of the memory and disk activity of other guests.
Virtualization to Cloud Computing
• virtualization is not cloud computing
– Type of service
– Service delivery
– Service provisioning
– Service orchestration
– Elasticity
– Targeted audience
Cloud Computing vs Virtualization
– Cloud computing refers to the delivery of computing services such as servers, storage, networking, and intelligence via the Internet (the cloud); virtualization is a technology that lets you use a single physical hardware system to create many virtual environments or dedicated resources.
– Cloud computing delivers a range of resources to groups of users for a variety of objectives; virtualization delivers packaged resources to specified consumers for a specific purpose.
– Cloud computing is scalable to a large extent and very flexible; virtualization on its own has low scalability and is less flexible than cloud computing.
– Cloud computing entails the use of several machines in the event of disaster recovery; virtualization is reliant on a single physical machine.
– Cloud computing has a greater total cost than virtualization; virtualization has a lower total cost than cloud computing.
– Cloud computing provides effectively unlimited (elastic) storage space; in virtualization storage space depends on the physical server's capacity.
– Cloud pricing is a pay-as-you-go model in which consumption is the metric on which billing is done; virtualization pricing is totally dependent on infrastructure costs.
• Recommendations to avoid hypervisor attacks
• Most of the attacks on the hypervisor come through the
– host OS
– guest OS
• Keeping the hypervisor secured
– Update the hypervisor software and the host OS regularly.
– Disconnect unused physical resources (pass-through devices, ports, NICs) from the host system or hypervisor.
– Apply least privilege to the hypervisor and the guest OS to avoid attacks through unauthorized access.
– Deploy monitoring tools in the hypervisor to detect/prevent malicious activities.
– Enforce strong guest isolation.
– Employ mandatory access control policies (for example SELinux/sVirt or AppArmor labelling of each guest's processes and disk files).
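The recommendations above can be checked mechanically against a guest definition. The following is an added example, not from the slides and not libvirt's own tooling: it audits a libvirt/KVM domain XML for four of the points listed (mandatory access control via a `<seclabel>`, unused physical resources passed through with `<hostdev>`, a VNC/SPICE console listening on all interfaces without a password, and a host directory shared into the guest). The element and attribute names are standard libvirt domain XML; the two domain definitions, the check names and the `audit_domain` function are constructed for the demo.

```python
"""Added example: audit a libvirt domain definition against the hypervisor
hardening recommendations. Domain XML samples are constructed."""
import xml.etree.ElementTree as ET
from typing import List

MAC_MODELS = {"selinux", "apparmor"}          # sVirt back-ends libvirt supports
WILDCARD_LISTEN = {"0.0.0.0", "::"}


def audit_domain(xml_text: str) -> List[str]:
    """Return a list of findings (empty list == nothing to fix)."""
    root = ET.fromstring(xml_text)
    name = root.findtext("name", default="?")
    findings: List[str] = []

    # 1. Mandatory access control: without a seclabel the qemu process and its
    #    disk images carry no per-guest label, so a VM escape lands in the
    #    generic hypervisor context instead of a confined one.
    models = {s.get("model") for s in root.findall("seclabel")}
    if not models & MAC_MODELS:
        findings.append(f"{name}: no MAC seclabel (SELinux/AppArmor sVirt) on the domain")

    # 2. Unused physical resources: every <hostdev> hands the guest a real
    #    PCI/USB device, widening its reach into the hardware.
    for hd in root.findall("./devices/hostdev"):
        findings.append(f"{name}: {hd.get('type')} host device passed through; confirm it is still needed")

    # 3. Exposed consoles: VNC/SPICE bound to all interfaces with no password
    #    gives anyone on the management network the guest's screen and keyboard.
    for g in root.findall("./devices/graphics"):
        listen = g.get("listen")
        if listen is None:
            child = g.find("listen")
            listen = child.get("address") if child is not None else None
        if listen in WILDCARD_LISTEN and not g.get("passwd"):
            findings.append(f"{name}: {g.get('type')} console listens on {listen} without a password")

    # 4. Guest isolation: a host directory mounted into the guest is a direct
    #    channel out of the VM; flag it for review.
    for fs in root.findall("./devices/filesystem"):
        src = fs.find("source")
        shared = src.get("dir") if src is not None else "?"
        findings.append(f"{name}: host directory {shared} shared into the guest; verify it is needed and read-only")
    return findings


# Constructed: a tenant VM defined with the defaults an admin might leave in place.
WEAK_DOMAIN = """
<domain type='kvm'>
  <name>tenant-a-web</name>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'/>
    <hostdev mode='subsystem' type='usb'>
      <source><vendor id='0x1234'/><product id='0x5678'/></source>
    </hostdev>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/'/><target dir='hostroot'/>
    </filesystem>
  </devices>
</domain>
"""

# Constructed: the same guest after applying the recommendations.
HARDENED_DOMAIN = """
<domain type='kvm'>
  <name>tenant-a-web</name>
  <devices>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1' passwd='example-only'/>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
</domain>
"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_DOMAIN), ("hardened", HARDENED_DOMAIN)):
        print(label, audit_domain(xml) or "OK")
```

On a real host the same function can be fed the output of `virsh dumpxml <domain>`; the checks are deliberately conservative (a passthrough device or shared directory is reported for review, not declared wrong), because whether it is needed is a business decision the XML cannot answer.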
Cloud Storage Requirements
• Scalability
– The storage system should support the scalability of the user’s data
• High availability
– The degree of availability of the storage solutions deployed in cloud
should be very high.
• High bandwidth
– cloud storage system should support the required fast data transfer rate
• Constant performance
– performance should be consistent throughout the contract period.
• Load balancing (LB)
– To achieve effective resource usage, the storage systems deployed in the cloud should be intelligent enough to support automatic LB of the users' data.
• Virtualization Support
– In storage virtualization, multiple network storage
devices are combined into a single storage unit
– Storage virtualization involves the pooling of
physical storage from various network storage
devices into a single logical storage device and that
is managed from a centralized console.
– Storage virtualization helps in achieving the easy
and efficient backup, archiving, and recovery
processes.
Storage as a Service (STaaS)
• Cloud storage can be internal to the organization or it can be external storage.
• STaaS is a cloud business model in which a service provider rents space in its storage infrastructure to various cloud users.
• STaaS can give significant cost savings in hardware and maintenance.
• The STaaS provider agrees in the service-level agreement (SLA) to rent storage space on a cost-per-gigabyte-stored and cost-per-data-transfer basis.
• STaaS also helps with backup, disaster recovery, business continuity, and availability.
• STaaS provides the capability to access the data stored in the cloud from anywhere.
Trends and Technologies in Cloud Storage
• Memory and storage technologies have been developing at a rapid pace, and the emerging technologies enable the cloud to have a reliable, secure, and scalable storage system:
– Hybrid HDDs with magnetic and flash memory, the flash acting as a second-level cache
– Developments in RAID technology such as RAID 6, RAID triple parity, and erasure coding plus RAIN (redundant arrays of independent nodes)
– Converging of block, file, and content data in a single storage subsystem
– Embedded deduplication and primary storage reduction in the storage units
– DRAM-based SSDs and flash-based drives, which improve server utilization, consume much less energy, are less sensitive to vibration, etc.
– File virtualization or clustered NAS, which supports a single namespace to view all files, scales near linearly by adding nodes, and gives better availability, performance, and LB.
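RAID 6 is the simplest instance of the erasure coding named in the list above: besides the XOR parity P of RAID 5 it keeps a second parity Q computed in the finite field GF(2^8), so any two members of a stripe can be lost and rebuilt. The block below is an added example, not from the slides, written to show the arithmetic rather than any vendor's implementation; it uses generator 2 and the primitive polynomial 0x11d (the field the Linux md raid6 driver also uses) and rebuilds a lost data block once from P and once from Q (the "data block and P both lost" case). Block contents and function names are constructed for the demo; the two-data-blocks-lost case needs both P and Q together and is not shown.

```python
"""Added example: RAID 6 style P+Q dual parity over GF(2^8) with single-block
rebuild from P and from Q. Data blocks are constructed in the demo."""
from typing import List, Optional

PRIM = 0x11D                      # x^8 + x^4 + x^3 + x^2 + 1
GF_EXP = [0] * 512                # doubled so exp[a+b] never needs a modulo
GF_LOG = [0] * 256

_x = 1
for _i in range(255):
    GF_EXP[_i] = _x
    GF_LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= PRIM
for _i in range(255, 512):
    GF_EXP[_i] = GF_EXP[_i - 255]


def gf_mul(a: int, b: int) -> int:
    if a == 0 or b == 0:
        return 0
    return GF_EXP[GF_LOG[a] + GF_LOG[b]]


def gf_div(a: int, b: int) -> int:
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(2^8)")
    if a == 0:
        return 0
    return GF_EXP[(GF_LOG[a] - GF_LOG[b]) % 255]


def xor_blocks(blocks: List[bytes]) -> bytes:
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def parity_p(data: List[bytes]) -> bytes:
    """P = D_0 xor D_1 xor ... (plain RAID 5 parity)."""
    return xor_blocks(data)


def parity_q(data: List[bytes]) -> bytes:
    """Q = sum over i of g^i * D_i, computed byte-wise in GF(2^8), g = 2."""
    q = bytearray(len(data[0]))
    for idx, blk in enumerate(data):
        coeff = GF_EXP[idx]                        # g^idx
        for i, b in enumerate(blk):
            q[i] ^= gf_mul(coeff, b)
    return bytes(q)


def rebuild_with_p(data: List[Optional[bytes]], p: bytes, lost: int) -> bytes:
    """One data block lost, P intact: XOR the survivors with P."""
    survivors = [blk for i, blk in enumerate(data) if i != lost and blk is not None]
    return xor_blocks(survivors + [p])


def rebuild_with_q(data: List[Optional[bytes]], q: bytes, lost: int) -> bytes:
    """One data block and P lost: D_lost = (Q xor sum_{i != lost} g^i D_i) / g^lost."""
    out = bytearray(len(q))
    for i in range(len(q)):
        acc = q[i]
        for idx, blk in enumerate(data):
            if idx != lost and blk is not None:
                acc ^= gf_mul(GF_EXP[idx], blk[i])
        out[i] = gf_div(acc, GF_EXP[lost])
    return bytes(out)


if __name__ == "__main__":
    # Constructed stripe: four 8-byte data blocks.
    stripe = [b"tenant-a", b"tenant-b", b"tenant-c", b"tenant-d"]
    p, q = parity_p(stripe), parity_q(stripe)
    degraded = [None if i == 2 else d for i, d in enumerate(stripe)]
    print(rebuild_with_p(degraded, p, 2), rebuild_with_q(degraded, q, 2))
```

The point worth noticing for capacity planning is that Q costs a field multiplication per byte per block, which is why RAID 6 write performance lags RAID 5 and why storage controllers and the md driver carry SIMD implementations of exactly this loop.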
Security in Cloud Computing
• Businesses are increasing Cloud adoption
• Cloud in Information Technology
– To make cloud more user friendly for computing
– Time and finance
• Businesses with time-sensitive data are quick to grab this opportunity
and harness the efficiency of the cloud.
– People and association
• Now it is easier to communicate and work with people located in
different areas, sometimes different countries.
• Teams now consist of members distributed across large geographic
areas
• Working together – through online meetings
– Replacing hardware
• Companies no longer need to purchase hardware and systems that need installation and maintenance.
• Cloud data centers reallocate these resources to clients; the company pays only for what it uses and avoids buying machines that will not be useful in the long run.
• Cloud service providers (CSPs) also have the ability to optimize their systems to reduce waste.
– Energy efficient
• A study reports that clients of Salesforce produced 95% less carbon
compared to companies with systems in their premises.
– Study from Accenture, Microsoft, and WSP Environment and
Energy
• A  2010 study from Accenture, Microsoft, and WSP Environment and
Energy reported a huge impact of the cloud on CO2 emissions.
– Going green
• while efficiency is increasing, the energy source is also
varying.
• An analysis of Greenpeace showed that out of the 10
leading tech companies—Akamai, Amazon, Apple,
Facebook, Google, HP, IBM, Microsoft, Twitter, and
Yahoo!—Akamai and Yahoo! are the most environment
friendly and Apple the least.
– The future of the cloud and the environment
• Cloud technologies are quickly taking off, and it is a
chance for companies and businesses to think of creative
ways of harnessing its power while saving the
environment
Security Threats
• Abuse and nefarious use of cloud computing
• Insecure interfaces & API’s
• Unknown risk profile
• Malicious insiders
• Shared technology issues
• Data loss or leakage
• Account or service hijacking
Threat Mitigation
• Abuse and nefarious use of cloud computing
– Stricter initial registration and validation processes.
– Enhanced credit card fraud monitoring and coordination.
– Comprehensive introspection of customer network traffic.
– Monitoring public blacklists for one's own network blocks.
• Insecure interfaces and APIs
– Analyze the security model of cloud provider interfaces.
– Ensure strong authentication and access controls are implemented in concert with encrypted transmission.
– Understand the dependency chain associated with the API.
• Unknown risk profile
– Disclosure of applicable logs and data.
– Partial/full disclosure of infrastructure details.
– Monitoring and alerting on necessary information.
• Malicious insiders
– Enforce strict supply chain management and conduct a comprehensive supplier assessment.
– Specify human resource requirements as part of legal contracts.
– Require transparency into overall information security and management practices, as well as compliance reporting.
– Determine security breach notification processes.
• Shared technology issues
– Implement security best practices for installation and configuration.
– Monitor the environment for unauthorized changes/activity.
– Promote strong authentication and access control for administrative access and operations.
– Enforce service level agreements for patching and vulnerability remediation.
– Conduct vulnerability scanning and configuration audits.
• Data loss or leakage
– Implement strong API access control.
– Encrypt and protect the integrity of data in transit.
– Analyze data protection at both design and run time.
– Implement strong key generation, storage and management, and destruction practices.
– Contractually demand that providers wipe persistent media before it is released into the pool.
– Contractually specify provider backup and retention strategies.
• Account or service hijacking
– Prohibit the sharing of account credentials between users and services.
– Leverage strong two-factor authentication techniques where possible.
– Employ proactive monitoring to detect unauthorized activity.
– Understand cloud provider security policies and SLAs.
Cloud General Challenges
• Vendors and service providers recover their costs by establishing an ongoing revenue stream.
• Major issues
– Threshold policy
• a threshold policy is worked out in a pilot study before moving the program to the production environment
• it checks how unused resources are to be deallocated and turned over to other work
– Interoperability issues
• interoperability of applications between two cloud computing vendors
• the need to reformat data or change the logic in applications
• Hidden costs
– the provider's pricing does not reveal what the hidden costs are
– companies that are far from the location of the cloud provider could experience latency, particularly when there is heavy traffic
• Unexpected behavior
– tests need to be made to expose any unexpected results of validation or of releasing unused resources
– the problem must be fixed before running the application in the cloud
Security Aspects
• security-related areas in cloud computing
– reliable, distributed applications based on the Internet, such as e-commerce systems, rely heavily on the trust path among the involved parties
– cloud-based consumer and business applications are driving the need for a next generation of data centers that must be massively scalable, efficient, agile, reliable, and secure
– network-based CSPs leverage virtualization technologies to allocate the right levels of virtualized compute, network, and storage resources to applications based on business demand
Data Security
• Here the data do not reside within the organization's own territory, so many challenges arise. The security challenges are
– The need to protect confidential business, government or regulatory data
– Cloud service models with multiple tenants sharing the same infrastructure
– Data mobility and legal issues relative to such government rules as the
European Union (EU) Data Privacy Directive
– Lack of standards about how CSPs securely recycle disk space and erase
existing data
– Auditing, reporting, and compliance concerns
– Loss of visibility to key security and operational intelligence that no longer is
available to feed enterprise IT security intelligence and risk management
– A new type of insider who does not even work for your company but may
have control and visibility into your data
• The issues that must be addressed
– Breach notification and data residency
• all data do not require equal protection
• integrate the data intended for cloud storage and identify any
compliance requirements in relation to data breach
– Data management at rest
• Businesses should find out if
• Multitenant storage is being used, and if it is, find out what
separation mechanism is being used between tenants
• Mechanisms such as tagging are used to prevent data being
replicated to specific countries or regions
– Data protection in motion
• secure communication protocols: Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer (SSL), for browser and API access, with server certificate validation and TLS 1.2 or newer
• virtual private network (VPN)-based connections for system access, giving protected access to the services
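Requiring TLS is only half of "protection in motion"; the client must also verify whom it is talking to. The block below is an added example, not from the slides: it shows the weak client configuration that is commonly pasted in to silence certificate errors next to the hardened one, and an `audit_context` helper that reports what is wrong with a given `ssl.SSLContext`. Only the Python standard library is used and no connection is opened, so it runs offline; the function names are the example's own.

```python
"""Added example: weak vs hardened TLS client configuration, with an audit
helper. Standard library only; no network access."""
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    """Anti-pattern: accepts any certificate for any name over any TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE                # any cert accepted: trivially MITM-able
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # lets TLS 1.0/1.1 negotiate
    return ctx


def hardened_client_context(ca_file: str = None) -> ssl.SSLContext:
    """Verify the chain against trusted CAs, check the hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for a context; an empty list means it passes these checks."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still negotiable; set minimum_version to TLSVersion.TLSv1_2")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or "OK")
    # Usage against a real server would be, for example:
    #   with socket.create_connection((host, 443)) as sock:
    #       with hardened_client_context().wrap_socket(sock, server_hostname=host) as tls:
    #           print(tls.version(), tls.getpeercert()["subject"])
```

The order of the two assignments in `weak_client_context` is not cosmetic: Python refuses to set `verify_mode = CERT_NONE` while `check_hostname` is still true, which is exactly the guard the weak version defeats. For the VPN case the same `hardened_client_context` can additionally load a client certificate with `load_cert_chain` to get mutual authentication.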
Data Center Security
• Data Center
• Data are stored in outside territory of the user in a
location which is unknown (virtual data center) to the
user.
• two cornerstones of the data center
– Network
– Storage
• Lack of performance and availability
– With a physical machine running a network application, that application has access to the full resources of the network card; in a VM the card is shared among all guests on the host.
– This can lead to overall network performance issues, reduced bandwidth, and increased latency, and the application might not be able to deal with all these issues.
• Lack of application awareness
– One of the limitations of hypervisor- and kernel-based virtualization solutions is that they only virtualize the operating system (OS).
– OS virtualization does not virtualize, nor is it even aware of, the applications that are running on the OS.
– Likewise the applications do not realize that they are using virtual hardware on top of a hypervisor.
• Additional, unanticipated costs
– Two of the primary drivers for virtualization are cost reduction and data center consolidation.
– Once virtualization hardware and software are acquired, operational expenses can still grow.
– There can be additional growth requirements for the application and storage networks.
• Unused virtualization features
– New virtual platforms include advanced networking technologies like software switching and support for virtual local area network (VLAN) segmentation.
– These new platforms may have problems integrating with existing application and storage networks, requiring a redesign of the data center.
– Network storage is a requirement for virtual platforms that implement live machine migration.
• Overflowing storage network
– Although converting physical machines to VMs is an asset for building dynamic data centers, hard drives become extremely large flat-file virtual disk images.
• Congested storage network
– increase in data traversing the storage network
– VM disk files can overrun physical storage
– it is a challenge to prevent flooding of the storage network when planning a large VM migration or move
Continued..
• Management complexity
– VMs report latency and response times that differ from those of
physical machines.
– The addition of two new components that need to be managed
• The hypervisor and the host system; neither of these devices exists
in the physical server world, so they are not part of existing data center
management solutions.
• Managing these devices and insight into these performance differences
are critical.
– Managing VMs, application network, and storage network together
• Many VM platforms include built-in management tools, some of them
highly sophisticated, such as VMware’s Virtual Server.
Access Control
• Data are stored in the data center, so access to
these critical data is a major concern.
• The cloud grants access according to the access rights
assigned to each user.
• Gartner recommends that businesses require
the CSP to support IP subnet access restriction
policies, so that enterprises can restrict end
user access to known ranges of IP addresses
and devices.
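The IP subnet access restriction policy described above, as an added example (not from the slides): a default-deny check of a request's source address against an enterprise's list of known ranges. The policy table, tenant names and addresses are constructed sample data.

```python
"""IP subnet access restriction policy (added example, not from the slides).

Models the Gartner recommendation above: the provider checks every request
against the enterprise's list of known address ranges and rejects the rest.
Policy contents and the addresses below are constructed sample data using
documentation ranges (RFC 5737 / RFC 3849)."""
import ipaddress

# Constructed sample policy: enterprise -> CIDR ranges its users may use.
ACCESS_POLICY = {
    "acme-corp": ["203.0.113.0/24", "2001:db8:1::/48"],
    "globex": ["198.51.100.0/25"],
}


def compile_policy(policy):
    """Parse CIDR strings once so a malformed range fails at load time,
    not at the moment a request is being evaluated."""
    return {
        tenant: [ipaddress.ip_network(cidr, strict=True) for cidr in cidrs]
        for tenant, cidrs in policy.items()
    }


def evaluate_request(tenant, source_ip, compiled):
    """Return (allowed, reason). Default deny: an unknown tenant, an
    unparseable address, or an address outside every permitted range
    is rejected, and the reason is suitable for an audit log entry."""
    ranges = compiled.get(tenant)
    if not ranges:
        return False, "no access policy for tenant"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "unparseable source address"
    for net in ranges:
        if addr in net:               # IPv4/IPv6 mismatch is simply False
            return True, "matched %s" % net
    return False, "source address outside all permitted ranges"


def is_access_allowed(tenant, source_ip, compiled):
    return evaluate_request(tenant, source_ip, compiled)[0]
```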
Continued..
• The enterprise should demand that the
encryption provider offers
– adequate user access and
– administrative controls,
– stronger authentication alternatives (e.g., two-factor
authentication),
– management of access permissions,
– separation of administrative duties (security,
network, maintenance)
Virtualization Security
• Virtualization mainly focuses on three different areas:
– Virtual networks
• Resources are pooled into a network and the network bandwidth is split
up into multiple channels, each of which is independent of the others
– Storage virtualization
• Combines the physical storage from multiple network storage devices
• The combined storage is viewed as a set of distinct single storage devices
– Server virtualization
• Individual server devices are masked from the users
• Virtual servers are presented as individual servers, while resource
sharing and maintenance complexity are managed in a balanced way
Continued..
• The critical areas during virtualization are as follows
– A new threat
• Virtualization alters the relationship between the OS and hardware
• This challenges traditional security perspectives
• There are several important security concerns you need to address
when considering the use of virtualization for cloud computing
• If the hypervisor is vulnerable to exploit, it will become a primary
target.
• A hypervisor does not undergo frequent change and does not run
third-party applications.
• The hypervisor is completely transparent to network traffic, with the
exception of traffic to/from a dedicated hypervisor management
interface
Continued..
– Storage concerns
• Concerns arise from the nature of allocating and deallocating
resources such as the local storage associated with VMs.
• During the deployment and operation of a VM, data are
written into physical memory.
• If it is not cleared before those resources are
reallocated to the next VM, there is a potential for
exposure.
• Good security practice is to verify that a released resource
was cleared before it is reused
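The clear-before-reuse check from the storage concerns above, as an added example (not from the slides): a small in-memory block pool stands in for the memory or local storage a hypervisor hands to VMs, with a scrubbing release path, an allocation path that refuses to hand over a dirty block, and an audit hook that lists free blocks still holding a previous tenant's data. The BlockPool class and tenant names are constructed.

```python
"""Scrub-on-release check for reusable storage blocks (added example, not
from the slides). An in-memory block pool stands in for the local storage a
hypervisor hands to VMs: releasing a block must overwrite it, and allocation
verifies a block is clear before giving it to the next tenant."""

BLOCK_SIZE = 64  # constructed block size

class BlockPool:
    def __init__(self, block_count):
        self._blocks = [bytearray(BLOCK_SIZE) for _ in range(block_count)]
        self._free = list(range(block_count))
        self._owner = {}        # block index -> tenant holding it
        self.remediated = 0     # dirty blocks caught at allocation time

    def _check_owner(self, tenant, idx):
        if self._owner.get(idx) != tenant:
            raise PermissionError("block not owned by this tenant")

    def allocate(self, tenant):
        # Hand out a free block, scrubbing first if release left data behind.
        if not self._free:
            raise MemoryError("pool exhausted")
        idx = self._free.pop()
        if not self.is_cleared(idx):
            self.remediated += 1    # release path failed: count it, fix it
            self._scrub(idx)
        self._owner[idx] = tenant
        return idx

    def write(self, tenant, idx, data):
        self._check_owner(tenant, idx)
        self._blocks[idx][:len(data)] = data

    def release(self, tenant, idx, scrub=True):
        # Return a block to the pool; scrub=False models the unsafe path.
        self._check_owner(tenant, idx)
        del self._owner[idx]
        if scrub:
            self._scrub(idx)
        self._free.append(idx)

    def is_cleared(self, idx):
        return not any(self._blocks[idx])

    def dirty_free_blocks(self):
        # Audit hook: free blocks still holding a previous tenant's data.
        return [idx for idx in self._free if not self.is_cleared(idx)]

    def _scrub(self, idx):
        self._blocks[idx][:] = bytes(BLOCK_SIZE)
```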
Continued..
– Traffic management
• One approach to managing traffic flows between VMs is to use VLANs
to isolate traffic between one customer's VMs and
another customer's VMs.
• Larger clouds require scaling VLAN-like capabilities beyond their
current limits
• These capabilities will also need to be tied in with network
management and hypervisors.
Network Security
• The network is the backbone of the cloud, and many
challenges are encountered in it.
• Some of the challenges
– Application performance
• Tenants should be able to specify bandwidth requirements
for applications hosted in the cloud, ensuring similar
performance to on-premise deployments.
• Guaranteed bandwidth between server instances is needed to satisfy
user transactions
• Insufficient bandwidth between these servers will impose
significant latency
Continued..
– Flexible deployment of appliances
• Enterprises deploy a wide variety of security appliances in their data centers
• These are often employed alongside other appliances that perform
load balancing, caching, and application acceleration
• Enterprise applications should continue to be able to flexibly exploit
the functionality of these appliances when deployed in the cloud
– Policy enforcement complexities
• Traffic isolation and access control for end users are among the
multiple forwarding policies that should be enforced.
• Changing requirements, different protocols (e.g., Virtual Router
Redundancy Protocol [VRRP]), and different flavors of L2 spanning
tree protocols, along with vendor-specific protocols, make it
extremely challenging to build, operate, and interconnect a cloud
network at scale.
Continued..
– Topology-dependent complexity
• The network topology of data centers is usually tuned to match a
predefined traffic requirement.
– Application rewriting
• Applications should run out of the box as much as possible, in
particular for IP addresses and network-dependent failover
mechanisms
• Applications may need to be rewritten or reconfigured before
deployment in the cloud to address several network-related
limitations.
• Two key issues are
– (1) lack of a broadcast domain abstraction in the cloud network
– (2) cloud-assigned IP addresses for virtual servers
Continued..
– Location dependency
• Network appliances and servers are typically tied to a statically configured
physical network, which implicitly creates a location-dependent constraint
• VMs cannot be easily and smoothly migrated across the network.
– Multilayer network complexity
• A typical three-layer data center network includes a TOR (Top of Rack)
layer connecting the servers in a rack, an aggregation layer, and a core
layer, which provides connectivity to/from the Internet edge
• The multilayer architecture imposes significant complexities in defining
boundaries
• There may be situations where an organization needs to be able to work
with multiple cloud providers
• Cloud interoperability and the ability to share various types of information
between clouds then become important
Platform-Related Security
• Security Issues in Cloud Service Models
– Three delivery models:
• SaaS, PaaS, and IaaS
• Software-as-a-Service Security Issues
– Network security
– Resource locality
– Cloud standards
– Data segregation
– Data access
– Data breaches
– Backup
– Identity management (IdM) and sign-on process
Continued..
• Platform-as-a-Service Security Issues
– User privacy must be protected in a public, shared
cloud
• Infrastructure-as-a-Service Security Issues
– Hypervisor security
– Multitenancy
– Identity management and access control (IdAM)
– Network security
Continued..
• Platform-as-a-Service Security Issues
– The infrastructure belongs to the CSP; the various security
challenges of this architecture are caused mainly by the
spread of user objects over the hosts of the cloud
– Network access and service measurement bring
together concerns about secure communications and
access control
– User privacy must be protected in a public, shared cloud
– Service continuity is another concern
– Fault-tolerant, reliable systems are required.
Continued..
• Infrastructure-as-a-Service Security Issues
• Traditional problems faced
– Hypervisor security
– Multitenancy
– Identity management and access control
– Network security
Audit and Compliance
• Top security concerns
– Data protection and regulatory compliance
– Stakeholders stress the need to prevent data breaches
– Data leaks in sensitive areas such as the financial and
governmental domains and the web community
– The cloud provider should provide encryption to
protect the stored personal data against
unauthorized access, copying, leakage, or processing
Issues of Cloud Computing
• Companies have no control over their data
• A company doesn't know in which country its data
reside at any given point in time
• Disaster Recovery
• Privacy and Integrity
Continued..
• Disaster Recovery
– Backup as a Service and Disaster Recovery as a Service are now
available online through the cloud for every level of user, through
the Internet or via more secure dedicated access methods.
– Advantages
• No huge costs for capital investment or infrastructure management or
black boxes.
• Backups are physically stored in a different location from the original
source of your data.
• Remote backup does not require user intervention or periodic manual
backups.
• Unlimited data retention - You can get as much or as little data storage
space as you need.
• Backups are automatic and smart - They occur continuously and
efficiently back up your files only as the data change.
Continued..
• Privacy and Integrity
– Complexity of risk assessment in a cloud
environment
• Every responsible person shall have transparent
policies with regard to the processing of personal data
• Stakeholders need to specify requirements for cloud
computing that meet the expected level of security and
privacy.
Continued..
• Emergence of new business models and their
implications for consumer privacy
• A report by the Federal Trade Commission (FTC), "Protecting
consumer privacy in an era of rapid change", analyzes the
implications for consumer privacy of technological advances
in the IT sphere.
• According to the FTC, users are able to collect, store,
manipulate, and share vast amounts of consumer data
for very little cost.
• These advances have led to an explosion of new business models
Pillars of Cloud Security
• Granular, policy-based IAM and authentication
controls across complex infrastructures
• Zero-trust cloud network security controls
across logically isolated networks and micro-
segments
• Enforcement of virtual server protection
policies and processes such as change
management and software updates
Continued..
• Safeguarding all applications (and especially
cloud-native distributed apps) with a next-
generation web application firewall
• Enhanced data protection
• Threat intelligence that detects and
remediates known and unknown threats in
real time