mirror of
https://github.com/jackyzha0/quartz.git
synced 2025-12-27 23:04:05 -06:00
134 lines
4.0 KiB
Markdown
134 lines
4.0 KiB
Markdown
---
|
|
title: "16-cloud-security"
|
|
aliases:
|
|
tags:
|
|
- comp210
|
|
- lecture
|
|
---
|
|
|
|
- what is cloud computing
|
|
- what is service virtualisation
|
|
- security issues
|
|
|
|
# what is cloud
|
|
- largely a marketing term
|
|
- vague - doesn't mean much
|
|
- slowly replacing the word 'web'
|
|
|
|
implies
|
|
- large cluster of networked servers acting as hosts
|
|
- usually virtualised
|
|
- large number of users
|
|
- complexity of infrastructure hidden from devs
|
|
- and users
|
|
|
|
## cloud platforms
|
|
### SaaS
|
|
- provider has an actual product
|
|
- they host it (or delegate the hosting)
|
|
- customer doesn't need to host anything
|
|
- thin client
|
|
- usually web based
|
|
- maybe also mobile app
|
|
|
|
examples
|
|
- customer realtions (salesforce)
|
|
- accounting (xero)
|
|
- PoS (vend)
|
|
- dropbox, gmail, google docs
|
|
|
|
### PaaS
|
|
- provides a solution stack
|
|
- tools, environment, services, libraries to run a system
|
|
- storage services / libaries / tools
|
|
- email libraries
|
|
- web app libraries
|
|
- admin tools: deployment, scaling, logs, billing, quotas etc
|
|
- extensible
|
|
- devs can add their own libraries
|
|
|
|
examples
|
|
- google app engine
|
|
- elastic beanstalk
|
|
- azure cloud services
|
|
- heroku
|
|
|
|
### IaaS
|
|
- virtual hosting
|
|
- allows custome to run own VM
|
|
- linux or wiindows server
|
|
- customer can install whatever on the VM
|
|
- barebones or canned VM images are available
|
|
- customer can provide own images
|
|
- virtual networking
|
|
- public facing IP addresses mapped to virtual network interfaces for load balancing, and fault tolerance
|
|
- virtual storage
|
|
- file storage
|
|
- exampkes
|
|
- amazon S3
|
|
- google cloud storage
|
|
- azure storage
|
|
- hot storage for frequently access data
|
|
- higher performance, higher cost
|
|
- cold for infrequent access
|
|
|
|
## primary selling points
|
|
- agility/elasticity
|
|
- scalable as needed
|
|
- reduced cost
|
|
- multitenancy
|
|
- economies of scale
|
|
- usage based billing
|
|
- reliability
|
|
- massive redundancy
|
|
- low capital expenditure
|
|
- greener
|
|
- low power hardware, virtualisation, centralisation of cooling, environmental cooling, sharing of resources, on demand activation
|
|
|
|
## potential problems
|
|
- Saas
|
|
- need to train staff
|
|
- importing and exporting data may be difficult
|
|
- dependent on provider health
|
|
- vulnerable to price changes
|
|
- provider may be aquired by another company with different goals
|
|
- Paas
|
|
- use of common APIs libraries and services mitigate the lock-in problem
|
|
- avoid using vendor specific APIs, or wrap them with facades
|
|
- IaaS
|
|
- mitigated by sticking to the standard services (MySQL & nginx for example) and standard libs
|
|
- avoid vendor specific interfaces to proprietary services
|
|
|
|
# Cloud Security
|
|
- large orgs can spend more money on security than small ones
|
|
- find flaws in the full stack
|
|
- however only covers their infrastructure
|
|
- your application can have its own security flaws
|
|
- virtualisation segregates apps from each other
|
|
- a flaw in the application of another organisation should not be able to be exploited in a way that puts your application at risk
|
|
- need to trust provider admins
|
|
- need to trust governments of host countries
|
|
|
|
# Virtualisation
|
|
- when a real computer runs virtual machines
|
|
- virtual computers where the hardware is virtual (implemented entirely in software)
|
|
- software that provides the virtual hardware is called hypervisor
|
|
- can run linux, windows —nesting operating systems
|
|
- os on real computer is called the host os
|
|
- os running on VM is called the guest os
|
|
- a single host can run many guests (limited by memory usually)
|
|
|
|
|
|
|
|
## virtualisation within cloud computing
|
|
- makes it easy for providers to run several services on a single physical server
|
|
- efficient use of hardware
|
|
- no idle servers
|
|
- move services from busy server to idle servers to balance load
|
|
- standardised virtual hardware exposed to guest OS simplifies guest configuration
|
|
- guests are segregated
|
|
- deployed using machine image
|
|
- file containing a bit for bit copy of what a real hard drive would contain if it contained
|
|
- an OS (usually linux)
|
|
- a deployment environment (web server, database server, libraries, etc)
|
|
- the service application/executables |