Expert Reference Series of White Papers. Understanding NIST s Cloud Computing Reference Architecture: Part II

Transcription

1 Expert Reference Series of White Papers Understanding NIST s Cloud Computing Reference Architecture: Part II info@globalknowledge.net

2 Understanding NIST s Cloud Computing Reference Architecture: Part II Vince Lo Faso, Global Knowledge Instructor, Cloud Essentials Professional, ITIL Expert Introduction In 2010 the Federal CIO, Vivek Kundra, laid out a bold strategy for US federal agencies to adopt a cloud-first policy. 1 A cloud-first strategy encourages federal agencies to evaluate current delivery of IT services and assess if all, or a part of, such IT services can be deployed through a cloud-computing model. To support this initiative, the National Institute of Standards and Technology (NIST) was mandated to provide the technical leadership and the development of standards for the adoption and implementation of cloud computing for federal agencies. One of the key documents produced by the NIST workgroups is the Cloud Computing Reference Architecture. 2 The Reference Architecture provides a vendor-neutral cloud framework that serves as a reference model for discussion and clarification of cloud principles and operations. Understanding this reference model helps all cloud participants to better understand the scope of their roles and responsibilities. This white paper examines the NIST Cloud Computing Reference Architecture in a two-part series. The first part covers the cloud players and their roles and responsibilities. The second part, which is the subject of this white paper, focuses on the Reference Architecture components, activities, and functions. Together these white papers explain the NIST Reference Architecture in greater detail so all stakeholders can better discuss the requirements, standards, and operation of cloud-computing environments. Overview of Reference Architecture Model The NIST Reference Architecture model (see figure 1) defines five key cloud players: cloud consumer, cloud provider, cloud carrier, cloud broker, and cloud auditor. Each cloud player (called "actors" by NIST) can be an individual or an organization that "participates in a transaction or process and/or performs tasks in cloud computing." 3 Copyright 2014 Global Knowledge Training LLC. All rights reserved. 2

3 Figure 1: NIST Cloud Reference Architecture 4 Three cloud players have explicit processes and activities that they need to perform in order to ensure successful cloud service delivery. The activities related to the cloud provider as well as cloud broker and cloud auditor activities are later in this white paper. Cloud Provider Function Service Orchestration Through Service Orchestration, a cloud provider operates the underlying cloud-service infrastructure that supports its customers. NIST defined service orchestration as the composition of system components to support the Cloud Providers activities in arrangement, coordination and management of computing resources in order to provide cloud services to Cloud Consumers. 5 These activities are broken out into three areas and are discussed below. Service Layer The Service Layer is where the cloud provider defines the interface between the cloud consumer and the cloud services of the cloud provider. The interface points are grouped according to the three service models (SaaS, PaaS, and IaaS). A cloud provider may define interface points in all three service models or just a subset. Figure 2: Service Layers in Service Orchestration 6 Copyright 2014 Global Knowledge Training LLC. All rights reserved. 3

4 The layering of the service models in figure 2 indicates the dependencies between the cloud services. In some cases a provider may implement a high-level service model (i.e., SaaS) by using the interface points defined in the lower layers. For example, SaaS may be built by using components from the PaaS layer, and run operationally by using resource components from the IaaS layer (i.e. virtual servers, cloud storage, virtual firewalls, etc.). A realworld example of this is Google's cloud offerings. They offer a variety of SaaS products (Gmail, Google Search, Google Maps, Google Apps, etc.) by using PaaS components (Google App Engine) and are run operationally on Google's cloud IaaS (Google Cloud Platform). In figure 2, the angling of the service models represents when a cloud provider chooses to provide a service layer without the support of the lower-layer interface points. For example, salesforace.com provides both SaaS and PaaS products. The SaaS layer is built by using the well-defined interface components from the PaaS. However, in this case, there is no IaaS layer offered. They run SaaS directly on the resource abstraction layer (hypervisor/virtual storage) with no explicit IaaS components. Resource Abstraction and Control Layer This layer consists of two distinct but related areas: resource abstraction and control layer. The Resource Abstraction Layer primarily deals with virtualization. The Virtualization Essentials course defines the concept of virtualization as "a set of techniques for hiding hardware resources behind software abstractions to simplify the way other software or end users interact with those resources." This definition highlights the fact that the abstraction layer transforms the hardware resources into software objects, which make it is easier to manipulate. The manipulation of the software-abstracted resources enables greater functionality and easier configuration. This is what enables the cloud elasticity and automation. The hypervisor and storage area networks (SAN) are two examples of this concept. The Control Layer provides the resources management capabilities that allow dynamic resource allocation, scaling, dynamic reconfiguration, and dynamic access control. Commercial products such as vcloud from VMware, and open source projects such as OpenStack are prime examples. Physical Resource Layer The Physical Resource Layer covers all of the traditional hardware resources that underpin the IT infrastructure. This layer consists of physical servers (CPU, memory, bus architecture), disks and storage arrays, network wiring, switches, and routers. This layer also covers the physical data center facility components such as heating, ventilation, air conditioning (HVAC), electrical power, backup generators, and fuel; physical control of data centers by IT staff and contractors; and cabling to outside cloud carriers, phone communication, etc. Cloud Provider Function Cloud Service Management Cloud Service Management is a set of processes and activities a cloud provider must perform in order to satisfactorily deliver cloud service to consumers. These apply equally to a public cloud provider and a private cloud provider. NIST groups these processes and activities into three board areas: Business Support, Provisioning and Configuration, and Portability and Interoperability. See figure 2. Copyright 2014 Global Knowledge Training LLC. All rights reserved. 4

5 Figure 3: NIST - Cloud Service Management 7 Business Support The Business Support processes are business-oriented and focus on the business operations of a cloud provider as they relate to the delivery of cloud services to cloud consumers. There are six key functions. Customer Management: This area covers the activities necessary to manage and maintain the relationship with the cloud consumer. It deals with items such as customer accounts, complaints and issues, customer contact information, history of customer interactions, etc. In a traditional customer-vendor relationship these functions would be performed by a sales team. In a cloud environment, this activity is driven primarily by the customer. As per NIST's cloud definition, these traditional interactions through a sales representative should be minimal or nonexistent. All or most business contact should be conducted via a self-service portal, putting as much control as possible into the hands of the consumer. Contract Management: This process focuses on the management of contracts between the cloud provider and consumer. This is implemented via Service Level Agreements (SLAs). Consumers generally pick the level of SLA that meets their requirements and budget. Inventory Management: This process manages the definitive set of cloud services offered to cloud consumers. It establishes a service catalog and is the primary interface for the consumer to engage with the cloud provider. Accounting and Billing: This function handles the financial transactions between the provider and consumer. It generates the invoices, sends them to the consumer, and collects the revenue. This function supports the pay-as-you-go model as per NIST's cloud definition. Copyright 2014 Global Knowledge Training LLC. All rights reserved. 5

6 Reporting and Auditing: This function monitors, tracks, and logs activities performed by the consumer, usually through the management console. This helps to document what cloud resources the consumer requests, who requested it, and when. Pricing and Rating: This process establishes the price points and tiering for the cloud services of the cloud provider. It ensures that the cloud provider is competitive by monitoring the competition's pricing and making adjustments as required. The cloud provider usually offers discounts or credits to the consumer based on volume usage. Provisioning and Configuration The Provisioning and Configuration area deals with process activities that the cloud provider must execute as part of its internal operations. The more mature the provider's capabilities are in this area, the more effective and efficient the provider's deliver of cloud service will be. Rapid Provisioning: A cloud provider must be able to quickly respond to varying workload demands. This includes scaling up as well as scaling down. This must be fully automated and requires a scriptable, virtualized infrastructure. Resource Changing: To support rapid elasticity, the provider must implement changes to its underlying resources effectively and speedily, primarily through automation. These changes include replacing broken components, upgrading components, adding greater capacity, and reconfiguring existing components. Monitoring and Reporting: Ongoing monitoring of the provider's operations and cloud infrastructure is critical to ensure effective and optimal quality of service. The handling and resolution of events and incidents is ongoing 24 x 7 x 365. SLA Management: The cloud provider must ensure that it is meeting its contractual obligations to its customers. Ongoing management of SLA targets and operational level targets are performed to maintain a high quality of service. Portability and Interoperability In order for cloud providers to attract customers, they must make it as easy as possible to migrate existing data or software to the cloud. In addition to alleviating customers' concerns about vendor lock-in, cloud providers must provide a mechanism that permits cloud consumers to move easily from one cloud provider's environment to another, or to migrate cloud services across several cloud providers to deploy a complex cloud solution. Cloud consumers will not engage with cloud providers that build their cloud platform on closed, proprietary, nonstandard conforming technologies and standards. Cloud consumers need to have a viable exit strategy and are more willing to engage with a cloud provider that makes it easier to execute an exit strategy. Therefore it is advantageous for cloud providers to offer maximum interoperability and portability. Data Portability: A cloud provider must provide a mechanism to move large amounts of data into and out of the provider's cloud environment. For example, in a SaaS environment, the cloud consumer must be able to upload, in bulk, existing HR records into a HR SaaS application. The consumer must also be able to export in bulk from the HR SaaS application back to their own data center. Failure to provide easy and reliable transfer mechanisms will discourage the adoption of cloud services. Copyright 2014 Global Knowledge Training LLC. All rights reserved. 6

7 Service Interoperability: When a cloud provider adheres to well-known and accepted technology standards, it is easier for consumers to develop and deploy cloud solutions that span across more than one cloud provider's environment. For a cloud consumer, service interoperability delivers greater disaster recovery resiliency by removing a single point of failure (i.e. the cloud provider) and greater resource capacity by spreading the workload across several providers' IaaS resources. System Portability: This capability enables a consumer to move or migrate infrastructure resources, like virtual machines and applications, easily from one cloud provider to another. As in data portability, this enables a smoother exit strategy that protects a consumer from an unexpected, long-term disruption of a cloud provider's services. Cloud Provider Function Security In Part I of this two-part white paper series, we introduced the concept of Shared Security Model and the impact to both the cloud consumer and cloud provider. In this section we focus on only the cloud provider's perspective. The traditional confidentiality-integrity-availability (CIA) areas of security still need to be addressed in each of the three service layers (IaaS, PaaS, SaaS). For example, an IaaS provider needs to ensure that the hypervisor is secure and well-configured. In a multi-tenant hypervisor environment, the provider must ensure that one virtual machine cannot be hacked to acquire permission to another tenant's virtual machine. Other areas that a cloud provider must demonstrate and exercise mature capabilities include: Authentication: Provide a multi-factor authentication by augmenting username/password credentials with a hardware or software RSA token. Identity management: Provide an effective identify management solution to manage the consumer usernames and/or integrate to an in-house system such as Microsoft Active Directory. Security monitoring: Provider must have a strong Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools to track and identify any potential security issue. Incident response: A well-structured security process to deal with breaches with strong communication channels is necessary to minimize the impact of any security incident. Cloud Provider Function Privacy A cloud provider must ensure that consumer data stored in the cloud environment is protected and private to the consumer. If the cloud provider collects data about the consumer, or the consumer's activities and behavior patterns, then they must ensure that the collected data is fully protected and remains private, and cannot be accessed by anyone other than the consumer. For a global or international cloud provider this matter is further complicated due to national privacy laws. A case in point is the European Union Data Protection Directive which states "the data protection rules are applicable not only when the controller is established within the EU, but whenever the controller uses equipment situated within the EU in order to process data. (art. 4) Controllers from outside the EU, processing data in the EU, will have to follow data protection regulation." 8 A cloud provider must explicitly guarantee that a consumer's data remains in a well-defined geographical location with explicit acknowledgement of the consumer. Copyright 2014 Global Knowledge Training LLC. All rights reserved. 7

8 Cloud Broker Functions A cloud broker is an optional cloud player in the delivery of cloud services. NIST defines a cloud broker as an entity that acts as an intermediary between the consumer and provider. A cloud broker is involved in a cloud service delivery when a consumer chooses not to directly manage or operate the usage of a cloud service. A cloud broker can function in one or more of the following scenarios. Service Intermediation Service Intermediation is when a broker performs value-add service on behalf of the consumer. For example, in figure 4, the cloud broker performs some administrative or management function on behalf of the consumer for a particular cloud service. This value-add service may include activities such as invoice management, invoice and usage reconciliation, and end-user account management, etc. Figure 4 - Cloud Broker Service Intermediation Service Aggregation Service Aggregation is when a broker integrates two or more cloud services to provide a complex cloud solution to the consumer. Figure 5 illustrates a cloud service that is composed of three different cloud provider's services. Figure 5: Cloud Broker Service Aggregation Figure 6 illustrates a more complex cloud solution composed from several cloud services, each one delivered through a unique cloud provider. Figure 6: Cloud Broker Complex Service Aggregation Copyright 2014 Global Knowledge Training LLC. All rights reserved. 8

9 Service Arbitrage Service Arbitrage is when a broker dynamically selects the best cloud service provider in real time. Figure 7 illustrates a broker checking for the best cloud service, for example online storage, from three cloud providers. Figure 7: Cloud Broker Service Arbitrage Cloud Auditor Functions A cloud auditor is an optional cloud provider in the delivery of cloud services. They provide an independent evaluation of a cloud provider's capabilities in terms of security, SLA performance, or adherence to industry standards. A cloud auditor is usually requested by a cloud consumer to evaluate a cloud provider. In some cases, a cloud provider uses a cloud auditor to publically demonstrate their adherence to industry standards, such as SOX compliance, HIPPA, and PCI. Depending on the business industry and regulatory environment, a cloud consumer must have audited compliance records before they can utilize a cloud service. Security Audit In a security audit, a cloud auditor evaluates whether there are sufficient security controls in place and whether the cloud provider demonstrates adherence to best practice security processes. For example, a cloud auditor may validate whether or not a cloud provider is compliant to security standard ISO Privacy Impact Audit A privacy audit by a cloud auditor can provide assurance that personal information (PI) and personally identifiable information (PII) are protected by a cloud provider. Performance Audit Cloud providers are obliged to deliver the quality of service as agreed to in the SLA. A performance audit by a cloud auditor can independently verify whether or not such targets are consistently met. By using an independent third party, performance claims by either the cloud provider or cloud consumer can be more objectively verified. Conclusion In this second part of the Cloud Reference Architecture series, we reviewed the key processes and activities a cloud provider must perform to ensure high-quality, effective cloud services. The activities of two optional cloud players, cloud broker and cloud auditor, were reviewed as their services are necessary in some business circumstances for the delivery of cloud services. Copyright 2014 Global Knowledge Training LLC. All rights reserved. 9

10 Bibliography 1. Federal Cloud Computing Strategy, OMB, February 8, NIST Special Publication NIST Special Publication NIST Special Publication NIST Special Publication NIST Special Publication NIST Special Publication Learn More Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge through training. Cloud Essentials Cloud and Virtualization Essentials Cloud: Roadmap to Success Cloud Challenge Business Simulation Visit or call COURSES ( ) to speak with a Global Knowledge training advisor. About the Author Vince Lo Faso is the Managing Director of Cloud Service Management at Navigo Technologies, LLC. He is an IT Service and Cloud Management professional with more than 24 years of IT industry experience. He is ITIL V3 Expert certified; Cloud Essentials Professional (CEP) certified; and AWS Partner Business and Technical Professional accredited. Vince holds a master s degree in computer science and has spoken as conferences such as VMworld User Conference, HP Universe, and local user groups. In addition to having worked as a consultant and practice manager for several HP VARs, Vince Lo Faso has held IT positions with Kraft Canada, Sprint Paranet, and Concordia University. Copyright 2014 Global Knowledge Training LLC. All rights reserved. 10