
Page 1: Cloud Computing Primer 04.ppt [Read-Only] - AAPM Chapter (chapter.aapm.org/pennohio/2014/HAMILTON_Computing...)

Computing in the Cloud

An amalgamation of ruminations, considerations, facts and findings culled from far and near on the history, workings and the good and bad sides of computing with our new best frenemy, the cloud.

by Herb Hamilton, BSEE, Systems Manager, Radiation Oncology, University Hospitals Seidman Cancer Center, Cleveland, Ohio

What is it?

Some History

Why is it?

Where is it?

Who runs it?

When to use it?

Some Risk Considerations - What, me worry?

Some Thoughts about Implementation - Don’t worry be happy!

The Cloud

Page 2

What is the Cloud?

• Most of us call it the Internet
  – email
  – banking
  – shopping
  – information
  – social networking sites
  – remote access to the workplace
  – government

1950's Computing History Highlights

• Hardware
  – mainframes
  – expensive hardwired systems
  – first transistors used in a computer
  – many types of memory: delay line, magnetic tape, magnetic core, magnetic drum, card punches

• Software
  – assembly languages, FORTRAN, ALGOL
  – system specific programs

• Network
  – isolated centralized systems

• People
  – Grace Hopper writes the first compiler, "A-0", which can call numbered routines from storage and load them for execution. Go UNIVAC! She also popularized the story of the first literal computer "bug": a moth found in a relay of the Harvard Mark II in 1947 and taped into that machine's log book.

• A Grace Hopper quote: "You manage things, you lead people. We went overboard on management and forgot about leadership. It might help if we ran the MBAs out of Washington."

Page 3

1960's Computing History Highlights

• Hardware
  – IBM System/360
  – PDP-8, the first relatively inexpensive 12-bit minicomputer
  – flip chips
  – magnetic core memory is standard
  – Fairchild creates the first (8-bit) MOS ALU and accumulator chip

• Software
  – COBOL (OK, late 1959), LISP (late 1950s onward), BASIC, ASCII; B (1969-70), the direct ancestor of C (1972)
  – still system specific programs
  – Multics, "Multiplexed Information and Computing Service", delivers multiuser timesharing on mainframe computers
  – one of the first computer games, "Spacewar!", written for the PDP-1 at MIT

• Network
  – RS-232-C
  – acoustic coupled modems
  – Arpanet has 4 nodes at the end of 1969

• People
  – Ted Nelson coins the terms hypertext and hypermedia in a model he developed for creating and using linked text

The first Arpanet node went online in September 1969 at UCLA; by the end of 1969 there were four nodes on the "ARPA NETWORK", as shown in the right-hand schematic above: University of California Los Angeles (UCLA), University of California Santa Barbara (UCSB), University of Utah and the Stanford Research Institute (SRI). (Source: "Casting the Net", pages 55-56. See also The Computer Museum's Timeline.)

Arpanet, grandfather of the internet

Images and caption excerpted from http://personalpages.manchester.ac.uk/staff/m.dodge/cybergeography/atlas/historical.html

Page 4

ARPANET grew rapidly as more sites were connected. The map above shows the situation in September 1971. (Sources: "Casting the Net", page 64; CCR, page 93)

Image and caption excerpted from http://personalpages.manchester.ac.uk/staff/m.dodge/cybergeography/atlas/historical.html

Arpanet, grandfather of the internet

Arpanet, grandfather of the internet

For more information on this map see the Map of the Month article "ARPANET, October 1980" in Mappa.Mundi Magazine

IMP = Interface Message Processor, TIP = Terminal Interface Processor

Image and caption excerpted from http://personalpages.manchester.ac.uk/staff/m.dodge/cybergeography/atlas/historical.html

Page 5

1970's Computing History Highlights

• Hardware
  – (4 to 16 bit) microprocessors, discrete logic chips, RAM chips
  – PDP-11, VAX
  – VT-100 terminal
  – Cray-1
  – the 'personal computer' is born

• Software
  – UNIX, RT-11, CP/M
  – Pascal, SQL, Smalltalk (object oriented)
  – generally still specialized programs

• Network
  – Arpanet grows
  – Usenet established in 1979
  – the first MUD (Multi-User Dungeon) goes online in '79

• People
  – Steve Wozniak and Steve Jobs start Apple
  – Bill Gates and Paul Allen start Micro-soft to license Altair BASIC for the Altair 8800 kit PC, based on the Intel 8080 microprocessor

1980's Computing History Highlights

• Hardware
  – 32 bit microprocessors, VLSI chips
  – Apple Macintosh brings the mouse and GUI to the masses!
  – Personal computers and workstations become common, the IBM PC

• Software
  – C++, MATLAB, Perl, MS-DOS
  – commodity programs take off - word processing, graphics, games

• Network
  – Ethernet and Token Ring become dominant, Novell NetWare
  – the (text-based dialup) public internet is born!
    • AOL, FidoNet, FREEnet, newsgroups
  – NSFnet absorbs the civilian part of ARPAnet while the military forms MILnet
  – Sun Microsystems - "The network is the computer", NFS

• People
  – William Gibson coins the word cyberspace (in the 1982 story "Burning Chrome") and popularizes it in his 1984 novel Neuromancer

Page 6

NSFnet, father of the internet

Image from http://cla.calpoly.edu/~lcall/354/internet.html

1990's Computing History Highlights

• Hardware
  – the Pentium processor
  – Network Attached Storage and Storage Area Networks mature
  – Virtualization

• Software
  – Visual Basic, Python, Ruby, Java, JavaScript, PHP, XML
  – The World Wide Web is launched by researchers at CERN
  – the WWW becomes mainstream, graphical and commercialized
    • National Center for Supercomputing Applications Mosaic
    • It may be spelled N E T S C A P E, but it is pronounced Mozilla
  – Salesforce.com introduces SaaS for their CRM product

• Networks
  – Ethernet wins the networking wars
  – Internet Corporation for Assigned Names and Numbers (ICANN)

• People
  – Linus Torvalds releases Linux
  – a Compaq marketing executive named George Favaloro and a young technologist named Sean O'Sullivan coin the term "cloud computing" and envision "cloud computing-enabled applications"

Page 7

New Millennium Computing History Highlights

• Hardware
  – Multi-core processors become the standard in commodity PCs
  – data centers spread around the world
  – virtualization becomes more widespread

• Software
  – XML extends into more spheres - MS file formats go XML
  – more companies contribute to Linux
  – Apple joins the UNIX club with OS X

• Network
  – Microsoft .NET
  – Active Directory debuts in Windows 2000 Server
  – Sun's ZFS - the last file system we may ever need!
  – wide expansion of available network based services
  – IPv6 - 128 bit addresses!

• People?
  – US government decides we need to standardize cloud terminology, NIST begins the process

What is the Cloud?

As defined by NIST SP500-291 v2 (July 2013), which adopts the definition from NIST SP800-145:

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

This cloud model is composed of five essential characteristics, three service models, and four deployment models.”

Page 8

The Five Characteristics of a Cloud

1. On demand self service

Consumers can provision resources themselves, as needed, without requiring human interaction with the provider

2. Broad network access

Resources are available over the network and accessed through standard mechanisms by a variety of client devices (phones, tablets, laptops, workstations)

3. Resource pooling

The provider's resources are pooled to serve multiple consumers (multi-tenancy), with physical and virtual resources assigned and reassigned on demand; the consumer generally has no control over or knowledge of the exact physical location of the resources

4. Rapid elasticity

The resources available can be scaled up or down as needed, and to the consumer often appear unlimited

5. Measured/metered service

Resource utilization can be monitored, reported and controlled, providing transparency for both the provider and the consumer

The Three Cloud Service Models

1. Software as a Service (SaaS)

Consumers use the provider's applications through an interface (typically a browser or a program interface), but do not control or manage any of the underlying cloud infrastructure, beyond possibly limited user-specific application settings

2. Platform as a Service (PaaS)

Consumers can deploy created or acquired applications, built with languages, libraries and tools the provider supports, to the cloud; they still do not manage or control the underlying infrastructure, but do control the deployed applications and their configuration settings

3. Infrastructure as a Service (IaaS)

Consumers can provision processing, storage, networks and other basic computing resources and run arbitrary software on them; they control the operating systems, storage and deployed applications, and possibly a limited set of networking components (e.g., host firewalls), but still do not manage or control the underlying cloud infrastructure

Page 9

Differences in Scope and Control between the Cloud Service Models

Image from NIST publication SP800-144, page 5

Virtualized Infrastructure

• Servers
  – multiple independent virtual servers run on one physical server controlled by hypervisor software

• Storage
  – Network attached storage and storage area network devices with a layer of management software allowing for provisioning as needed

• Network
  – multiple independent virtual networks and virtual network devices co-exist on a single physical network's hardware

• Desktop
  – multiple independent desktops are provided to client devices from servers

• Application
  – applications (possibly on virtual servers) are provisioned to run on (possibly virtualized) desktop clients over a (possibly virtualized) network

Page 10

Virtual Infrastructure Overview

Image from http://digitalinnovators.wordpress.com/2011/09/13/re-network-model-of-the-future/

Hardware Full Virtualization Architecture Comparison

Bare metal (the hypervisor runs directly on the hardware):

  Application    Application    ...
  Guest OS       Guest OS       ...
  Hypervisor
  Hardware

Hosted (the hypervisor runs as a process on a host OS, alongside ordinary host applications):

  Application    Application    ...
  Guest OS       Guest OS       ...
  Hypervisor                        Application   Application   ...
  Host OS
  Hardware

From NIST SP800-125 final, Guide To Security For Full Virtualization Technologies, pages 2-3

Page 11

Virtual Network Architecture Example

Images from http://www-phare.lip6.fr/projet-horizon/WP2.html

The Four Cloud Deployment Models

1. Private Cloud

Infrastructure is provisioned for exclusive use by a single organization. It may be owned, managed and operated by the organization, a third party or a combination of the two. It may be located on or off premises.

2. Community Cloud

Infrastructure is provisioned for the exclusive use of a community of users from various organizations with shared concerns. It may be owned, managed and operated by any sub-group of the community, a third party or a combination of the two. It may be located on or off premises.

3. Public Cloud

Infrastructure is provisioned for use by the general public. It may be owned, managed and operated (for example) by a business, academic or governmental organization, or any combination thereof. It is located on the premises of the cloud provider.

4. Hybrid Cloud

Infrastructure is any mixture of private, community and public cloud models, which remain unique entities, but are bound together by technology enabling data and application portability and interaction.

Page 12

Why do we have the Cloud?

• To take advantage of economies of scale

• To (try to) move liability to a third party

• To move capital costs to operational costs

• To make it easier to deploy IT solutions without directly purchasing hardware and software

• To enable worldwide access to data without the need to directly own or manage all the applications and hardware needed for the storage and access

Excerpted from a number of websites - google “reasons to use the cloud”

Where is the cloud?

• Consumer cloud access is all around you
  – on your cell phone
  – on your desktop computer, iPad and laptop
  – in your car
  – on the street
  – soon your house will talk to the cloud on its own
  – Google Glass

Page 13

Providers have data centers around the world

From http://www.wired.com/wiredenterprise/2012/10/ff-inside-google-data-center/

From http://techcrunch.com/2008/04/11/where-are-all-the-google-data-centers/

Who runs the Cloud?

• In general it's a mixture of public and private institutions
  – Companies provide infrastructure and host content
    • service providers
    • carriers provide the interconnections and sometimes services
  – Governments and groups regulate infrastructure and content
    • Infrastructure regulation examples
      – ICANN
      – national infrastructure such as power and radio spectrum
    • Content regulation examples
      – intellectual property laws/copyright
      – the great firewall of China
      – HIPAA
      – limiting/banning of "harmful" content

Page 14

Who runs the Cloud?

• NIST defines five major actors (which do not really address the regulatory side of things)

– Consumers use services from Providers

– Providers supply services

– Brokers manage use and delivery of cloud services and negotiate relationships between Consumers and Providers

– Auditors conduct independent assessment of services, operations, performance and security

– Carriers provide connectivity and transport of services

Image from NIST publication SP500-291, page 12

NIST defined Cloud Actors

Page 15

A Provider in the Cloud

Image from NIST SP500-299, Cloud Computing Security Reference Architecture (draft v1.0, 2013-05-15), page 29

When to use the Cloud

• When it simplifies regulatory compliance

• When it reduces cost

• When it simplifies management

• When it improves access

Page 16

Some Potential Risks to Cloud Use

• Security

• Legal

• Functional Issues

• Vendor Lock-in

• Loss of Knowledge to the Consumer

• Public Perception

Some Potential Security Risks

• Most cloud environments are directly reachable from the Internet

• Larger infrastructure attack surface

• Trust in the provider - insider access

• Provider subcontractors

• Multi-tenant provider environment - other customers share the same hardware

• Decreased client protection - BYOD!

• Data protection and sanitization - what happens to your data on storage the provider retires or reassigns?

Page 17

Some Potential Legal Risks

• Confidentiality

• Liability/Indemnity

• Breach of Contract

• Trade secret protection/copyright

• Insolvency (of any involved party…)

• Electronic discovery
  – would you know if your data was subpoenaed?

• Compliance with the law
  – where in the world is your data really located?

Some Potential Functional Issues

• Governance

• Data segregation and isolation

• Encryption of data in transit, in use and at rest

• Change

• Testing

• Performance levels

• Problem resolution

• Uptime

• Data backup and recovery

• Business continuity

• Possible need to impose geographical restrictions

• Change of provider - ending the relationship

Page 18

Vendor Lock-in

• Software

• Database

• Hardware

• Contractual

SaaS Lock-in

• Provider supplied APIs
  – This is SaaS; at most, expect APIs that let you read database fields directly, and even that is not always the case

• Provider supplied database structures
  – Provider may (should?) supply help with export (at a cost!)

• Provider customized software/applications
  – Consumer will need to replace applications/retrain

• Hardware/Infrastructure
  – Consumer has no control over the 'hardware' environment

Page 19

PaaS Lock-in

• Provider supplied APIs
  – Different Providers provide different APIs and databases

• Consumer designed databases
  – It is the Consumer's responsibility to export their data

• Consumer developed software and APIs
  – Consumer will need to rewrite applications and APIs

• Hardware/Infrastructure
  – Consumer (still) has no control over the 'hardware' environment

IaaS Lock-in

• Provider supplied APIs
  – Different Providers provide different APIs and databases

• Consumer designed databases
  – It is the Consumer's responsibility to export their data

• Consumer developed software and APIs
  – Consumer will need to rewrite applications and APIs

• Hardware/Infrastructure
  – The Consumer will need to replicate their environment on a potentially different set of underlying hardware with incompatible configuration commands and allowed configurations

Page 20

Loss of Knowledge by the Consumer

Reliance on outside sources to supply cloud based services can result in the loss of technical expertise in the enterprise, as cost cutting measures reduce the number of highly trained technical staff with the ability to assemble, configure and directly manage the hardware and underlying infrastructure of the cloud.

Not everyone can be a manager; someone must actually be able to understand and do the work.

Eventually the Eloi will be eaten.

Public Perception

• The way you are perceived by the public, for better or worse, becomes tied to your cloud provider’s reputation.

• For example, vendors using Amazon.com’s cloud for marketing/sales gain visibility as Amazon is one of the largest cloud retailers.

• Similarly, everyone has opinions of eBay, Google, Apple and Microsoft be it good or bad. All have extensive cloud presence.

Page 21

Some Thoughts on Implementation

• The cloud is not the answer to everything!
  – Some tasks will still be best served by traditional solutions

• The cloud can take many forms.
  – Pick the mixture of cloud types and traditional solutions that works best for you.

• Get help!
  – Moving to the cloud can be complex, with many regulatory, legal and governance requirements. If in doubt, get competent advice. Make sure you have solid, detailed, unambiguous written contracts which cover every conceivable situation.

• Retain control of your workloads.
  – Select a provider that offers high levels of visibility and control over your cloud workloads, through real-time dashboards and simple user interfaces. Try to maintain independent metering of your resource consumption.

Page 22

A Legal Checklist

• Protection of information
  – privacy
  – security
  – confidentiality
  – records management requirements
  – audit
  – compensation for data loss/misuse
  – subcontractors

• Liability
  – limitations on liability
  – indemnity

• Dispute resolution
  – choice of law

• Performance management
  – service levels
  – response times
  – flexibility of service
  – business continuity and disaster recovery

• Ending the arrangement
  – termination for convenience and early termination fees
  – termination for default
  – provider's right to terminate
  – legal advice on termination
  – disengagement/transition of services

Based on http://www.finance.gov.au/files/2012/02/Cloud-Legal-Better-Practice-Guide-FINAL.doc

A Legal Checklist (cont'd)

• Other legal issues
  – introduction of harmful code
  – change of control and assignment/novation
  – change of terms at discretion of the provider
  – application of foreign laws and transborder data transfer
  – further issues:
    • information disclosure obligations - provider data breach!
    • intellectual property ownership
    • publicity in respect of agreement
    • use of branding and logos
    • responsibility for end-users
    • export controls
    • requirement to take updates

• Managing the agreement
  – ensure that agreement terms are appropriate and reasonable
  – understand the terms of the agreement and keep a copy handy
  – enforce the service level arrangements
  – be prepared to audit the provider
  – within reasonable limits, maintain a good relationship with the provider
  – if things go wrong, be aware of contractual rights and obligations
  – seek legal advice if difficult issues arise

Based on http://www.finance.gov.au/files/2012/02/Cloud-Legal-Better-Practice-Guide-FINAL.doc

Page 23

Functional issues which should be explicitly specified in the Service Level Agreement

• Uptime requirements

• Governance/access controls

• Performance levels

• Performance and utilization monitoring

• Data segregation and isolation

• Data encryption requirements - who holds the keys?

• Change control

• Testing/modification

• Problem resolution

• Data backup and recovery

• Business continuity
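The "who holds the keys?" item above (and the encryption item under Functional Issues) is the one SLA line that can be answered in code rather than in a contract. The following is an added example, not code from the presentation or from any provider: client-side envelope encryption using only Go's standard library (AES-256-GCM). The consumer keeps a key-encryption key (KEK) that never reaches the provider; each object gets its own random data key (DEK), stored only in wrapped form; and the object ID is bound into the authenticated data so a stored blob cannot be silently swapped for another object's. The object name, the sample record and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// StoredObject is all the (hypothetical) provider keeps for one object: no plaintext
// and no usable key, since the per-object DEK is present only sealed under the consumer's KEK.
type StoredObject struct {
	ObjectID   string // bound into the AAD, so blobs cannot be swapped between objects
	DataNonce  []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag included
	WrapNonce  []byte
	WrappedDEK []byte // DEK sealed under the KEK with AES-256-GCM
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext (plus aad) under key with a fresh random nonce.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open is the inverse of seal; it fails if key, nonce, aad or ct differ in any bit.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt runs on the consumer side before upload; kek is the consumer's 32-byte KEK.
func Encrypt(kek []byte, objectID string, plaintext []byte) (*StoredObject, error) {
	dek := make([]byte, 32) // fresh data key per object
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	dataNonce, ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil {
		return nil, err
	}
	return &StoredObject{objectID, dataNonce, ct, wrapNonce, wrapped}, nil
}

// Decrypt also runs on the consumer side. Without the KEK (provider, subcontractor,
// another tenant) the result is an error, never partial plaintext.
func Decrypt(kek []byte, obj *StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, []byte(obj.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key: wrong KEK or altered metadata")
	}
	pt, err := open(dek, obj.DataNonce, obj.Ciphertext, []byte(obj.ObjectID))
	if err != nil {
		return nil, fmt.Errorf("ciphertext failed authentication: altered or mismatched object")
	}
	return pt, nil
}

// RotateKEK re-wraps only the 32-byte DEK under a new KEK; the bulk ciphertext is
// untouched, which keeps rotation and KEK revocation cheap even for large stores.
func RotateKEK(oldKEK, newKEK []byte, obj *StoredObject) error {
	dek, err := open(oldKEK, obj.WrapNonce, obj.WrappedDEK, []byte(obj.ObjectID))
	if err != nil {
		return fmt.Errorf("cannot unwrap data key with old KEK")
	}
	nonce, wrapped, err := seal(newKEK, dek, []byte(obj.ObjectID))
	if err != nil {
		return err
	}
	obj.WrapNonce, obj.WrappedDEK = nonce, wrapped
	return nil
}

func main() {
	kek := make([]byte, 32) // in practice held in an HSM or on-premises KMS the provider cannot reach
	rand.Read(kek)
	obj, _ := Encrypt(kek, "planning-ct/case-0001", []byte("constructed sample: 2 Gy x 30 fractions"))
	pt, err := Decrypt(kek, obj)
	fmt.Printf("consumer: %q %v\n", pt, err)
	_, err = Decrypt(make([]byte, 32), obj) // the provider, or anyone else without the KEK
	fmt.Println("provider:", err)
}
```

The design point for the SLA discussion: if the provider holds the KEK (provider-managed encryption), every item on the security-risk list (insider access, subcontractors, co-tenants, subpoenas served on the provider) still reaches plaintext; if the consumer holds it, those parties see only the StoredObject fields, and leaving the provider or rotating keys is a re-wrap of 32 bytes per object rather than a re-encryption of the whole store. The price is that the consumer now owns key backup and availability: lose the KEK and the data is gone.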

Page 24

Some References

• NIST SP800-145, The NIST Definition of Cloud Computing

• NIST SP800-144, Guidelines on Security and Privacy in Public Cloud Computing

• NIST SP800-125 (final), Guide to Security for Full Virtualization Technologies

• NIST SP500-299, Cloud Computing Security Reference Architecture (draft v1.0, 2013-05-15)

• NIST SP500-292, Cloud Computing Reference Architecture

• http://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

• http://www.isaca.org/Groups/Professional-English/cloud-computing/GroupDocuments/DLA_Cloud%20computing%20legal%20issues.pdf

• IBM sponsored executive briefing by Frost & Sullivan (stratecast.com), "Why Choice and Control are Critical to a Successful Cloud Strategy"

• http://personalpages.manchester.ac.uk/staff/m.dodge/cybergeography/atlas/historical.html

• http://www.nsf.gov/discoveries/disc_summ.jsp?cntn_id=100662&org=ACI

• https://www.arin.net/

• http://www.computerhistory.org

• http://www.multicians.org

• http://www.lexology.com/library/detail.aspx?g=4b3e2c88-747a-4f07-abd9-74a43f1f35f3

• http://www.computerweekly.com/opinion/Cloud-computing-the-legal-risks

• http://www.finance.gov.au/files/2012/02/Cloud-Legal-Better-Practice-Guide-FINAL.doc

• http://www.scottandscottllp.com/main/uploadedFiles/resources/Articles/ScottChapter.pdf

• http://www.slideshare.net/wenwenqi/internet-content-regulation-in-2010

• http://en.wikipedia.org/wiki/Digital_Equipment_Corporation

• http://en.wikipedia.org/wiki/Programming_language

• http://www.cpu-world.com/CPUs/CPU.html

• http://www.technologyreview.com/news/425970/who-coined-cloud-computing/

• http://en.wikipedia.org/wiki/History_of_programming_languages

• http://cloud-standards.org

• http://ted.hyperland.com/

• http://alexmckenzie.weebly.com/index.html

• http://hub.jhu.edu/2014/04/16/cloud-storage-security-flaw#

• http://www.govinfosecurity.com/nist-to-drop-crypto-algorithm-from-guidance-a-6770