Isolation of users/VMs from each other.
How can the cloud provider provide this?
School of Computing Science and Engineering
Course Code : CSCV4022 Course Name: Cloud Security
Program Name: B.Tech (Spl) Program Code:
G.Nagarajan
Assistant Professor
Galgotias University, Greater Noida, UP
What is a virtual machine?
• A virtual machine (VM) is a software-based computer that exists within another computer’s operating system, often used for the purposes of testing, backing up data, or running SaaS applications.
• A virtual machine is a virtual representation, or emulation, of a physical computer. It is often referred to as a guest, while the physical machine it runs on is referred to as the host.
• To fully grasp how VMs work, it’s important to first understand how computer software and hardware are typically integrated by an operating system.
What is an operating system?
• Traditional computers are built out of physical hardware, including hard disk drives, processor chips, RAM, etc. In order to utilize this hardware, computers rely on a type of software known as an operating system (OS). Some common examples of OSes are Mac OS X, Microsoft Windows, Linux, and Android.
• The OS is what manages the computer’s hardware in ways that are useful to the user.
• For example, if the user wants to access the Internet, the OS directs the network interface card to make the connection.
• If the user wants to download a file, the OS will partition space on the hard drive for that file. The OS also runs and manages other pieces of software. For example, it can run a web browser and provide the browser with enough random access memory (RAM) to operate smoothly.
Can you have two or more operating systems on one computer?
• Some users want to be able to run multiple operating systems simultaneously on one computer, either for testing or for one of the other reasons listed later.
• This can be achieved through a process called virtualization. In virtualization, a piece of software behaves as if it were an independent computer.
• This piece of software is called a virtual machine, also known as a ‘guest’ computer. (The computer on which the VM is running is called the ‘host’.) The guest has an OS as well as its own virtual hardware.
• Virtualization makes it possible to create multiple virtual machines, each with its own operating system (OS) and applications, on a single physical machine. A VM cannot interact directly with the physical computer.
• Instead, it needs a lightweight software layer called a hypervisor to coordinate between it and the underlying physical hardware. The hypervisor allocates physical computing resources, such as processors, memory, and storage, to each VM. It keeps each VM separate from the others so they don’t interfere with each other.
• With virtualization, one computer can run two or more operating systems. The number of VMs that can run on one host is limited only by the host’s available resources. The user can run the OS of a VM in a window like any other program, or they can run it in fullscreen so that it looks and feels like a genuine host OS.
Popular reasons people run virtual machines include:
1. Testing - Software developers often want to be able to test their applications in different environments. They can use virtual machines to run their applications in various OSes on one computer.
2. Running software designed for other OSes - Although certain software applications are only available for a single platform, a VM can run software designed for a different OS. For example, a Mac user who wants to run software designed for Windows can run a Windows VM on their Mac host.
3. Running outdated software - Some pieces of older software can’t be run in modern OSes. Users who want to run these applications can run an old OS on a virtual machine.
How does cloud computing use virtual machines?
• Several cloud providers offer virtual machines to their customers. These virtual machines typically live on powerful servers that can act as a host to multiple VMs and can be used for a variety of purposes that wouldn’t be practical with a locally hosted VM. These include:
1. Running SaaS applications - Software-as-a-Service is a cloud-based method of providing software to users. SaaS users subscribe to an application rather than purchasing it once and installing it. These applications are generally served to the user over the Internet. Often, it is virtual machines in the cloud that are doing the computation for SaaS applications as well as delivering them to users. If the cloud provider has a geographically distributed network edge, then the application will run closer to the user, resulting in faster performance.
2. Backing up data - Cloud-based VM services are very popular for backing up data, because the data can be accessed from anywhere. Plus, cloud VMs provide better redundancy, require less maintenance, and generally scale better than physical data centers. (For example, it’s generally fairly easy to buy an extra gigabyte of storage space from a cloud VM provider, but much more difficult to build a new local data server for that extra gigabyte of data.)
3. Hosting services like email and access management - Hosting these services on cloud VMs is generally faster and more cost-effective, and helps minimize maintenance and offload security concerns as well.
Isolation of VM
• Temporal isolation or performance isolation among virtual machines (VMs) refers to the capability of isolating the temporal behavior (or limiting the temporal interference) of multiple VMs from each other, despite them running on the same physical host and sharing a set of physical resources such as processors, memory, and disks.
• In fact, an entire operating system (OS), along with the applications running within it, can be run in a virtual machine (VM). However, when multiple VMs concurrently run on the same physical host, they share the available physical resources, including CPU(s), network adapter(s), disk(s) and memory.
• This adds a level of unpredictability to the performance that may be exhibited by each individual VM, as compared to what is expected.
• For example, a VM with a temporary compute-intensive peak might disturb the other running VMs, causing a significant and undesirable temporary drop in their performance.
• In a world of computing that is shifting towards cloud computing paradigms, where resources (computing, storage, networking) may be remotely rented in virtualized form under precise service-level agreements, it would be highly desirable that the performance of the virtualized resources be as stable and predictable as possible.
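The interference described above, and the kind of per-VM reservation a hypervisor scheduler uses to prevent it, as an added simulation that is not part of the slides; the host capacity, the demand trace and the VM indices are constructed values, and the equal-reservation policy is one simple illustration of performance isolation, not any particular hypervisor's algorithm.

```python
"""Tick-by-tick CPU sharing on one host: a work-conserving split (no
isolation) against an equal per-VM reservation (performance isolation).
Added example, not from the slides; all numbers are constructed."""

CAPACITY = 100.0  # CPU units the host can hand out per scheduling tick (constructed)


def allocate_work_conserving(demands, capacity=CAPACITY):
    """No isolation: capacity is split in proportion to demand, so a VM that
    suddenly demands far more takes capacity away from steady neighbours."""
    total = sum(demands)
    if total <= capacity:
        return list(demands)
    return [capacity * d / total for d in demands]


def allocate_with_reservation(demands, capacity=CAPACITY):
    """Performance isolation: every VM is guaranteed an equal reservation
    (capacity / number of VMs). Only the part of a reservation its owner does
    not use is redistributed to VMs that want more, so a burst in one VM can
    never push a neighbour below its reservation."""
    reserve = capacity / len(demands)
    alloc = [min(d, reserve) for d in demands]
    spare = capacity - sum(alloc)
    unmet = [d - a for d, a in zip(demands, alloc)]
    if spare > 0 and sum(unmet) > 0:
        give = min(spare, sum(unmet))
        alloc = [a + give * u / sum(unmet) for a, u in zip(alloc, unmet)]
    return alloc


def run(trace, allocator, capacity=CAPACITY):
    """Apply an allocator tick by tick; returns per-VM allocation per tick."""
    return [allocator(tick, capacity) for tick in trace]


def worst_case_ratio(trace, allocator, vm_index, capacity=CAPACITY):
    """Lowest fraction of its own demand that VM `vm_index` ever received;
    1.0 means the VM was never slowed down by its neighbours."""
    ratios = [alloc[vm_index] / tick[vm_index]
              for tick, alloc in zip(trace, run(trace, allocator, capacity))
              if tick[vm_index] > 0]
    return min(ratios)


# Constructed demand trace: three VMs, one row per tick. VM 0 and VM 1 are
# steady tenants; VM 2 has a compute-intensive peak in ticks 2 and 3.
TRACE = [
    [30, 30, 30],
    [30, 30, 30],
    [30, 30, 300],
    [30, 30, 300],
    [30, 30, 30],
]

if __name__ == "__main__":
    for name, alloc in (("work-conserving", allocate_work_conserving),
                        ("reservation", allocate_with_reservation)):
        print("%-16s worst case for VM 0: %.2f of its demand"
              % (name, worst_case_ratio(TRACE, alloc, 0)))
```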
Example: Isolation in the Azure Public Cloud
Azure allows you to run applications and virtual machines (VMs) on shared physical infrastructure. One of the prime economic motivations for running applications in a cloud environment is the ability to distribute the cost of shared resources among multiple customers.
This practice of multi-tenancy improves efficiency by multiplexing resources among disparate customers at low cost. Unfortunately, it also introduces the risk that the physical servers and other infrastructure resources running your sensitive applications and VMs are shared with an arbitrary and potentially malicious user.
Tenant Level Isolation
• One of the primary benefits of cloud computing is the concept of a shared, common infrastructure serving numerous customers simultaneously, leading to economies of scale. This concept is called multi-tenancy.
• Microsoft works continuously to ensure that the multi-tenant architecture of Microsoft Cloud Azure supports security, confidentiality, privacy, integrity, and availability standards.
• In the cloud-enabled workplace, a tenant can be defined as a client or organization that owns and manages a specific instance of that cloud service. With the identity platform provided by Microsoft Azure, a tenant is simply a dedicated instance of Azure Active Directory (Azure AD) that your organization receives and owns when it signs up for a Microsoft cloud service.
• Each Azure AD directory is distinct and separate from other Azure AD directories. Just as a corporate office building is a secure asset specific to only your organization, an Azure AD directory was also designed to be a secure asset for use by only your organization.
• The Azure AD architecture isolates customer data and identity information from co-mingling. This means that users and administrators of one Azure AD directory cannot accidentally or maliciously access data in another directory.
VLAN Isolation
There are three VLANs in each cluster:
• The main VLAN – interconnects untrusted customer nodes
• The FC VLAN – contains trusted FCs (fabric controllers) and supporting systems
• The device VLAN – contains trusted network and other infrastructure devices
Communication is permitted from the FC VLAN to the main VLAN, but cannot be initiated from the main VLAN to the FC VLAN. Communication is also blocked from the main VLAN to the device VLAN. This assures that even if a node running customer code is compromised, it cannot attack nodes on either the FC or device VLANs.
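The three-VLAN policy above, written as a small stateful reachability check and run over a few constructed packets, as an added example that is not Microsoft's code or configuration. The VLAN names are the slide's; the node names, the packet format and the intra-VLAN and FC/device rules (marked as assumptions in the code) are not stated on the slide. The check distinguishes a main-VLAN node initiating a connection (denied) from the same node replying on a connection the FC VLAN opened (allowed), which is what "cannot be initiated from the main VLAN" requires.

```python
"""Cluster VLAN reachability policy: FC -> main may be initiated, main -> FC
and main -> device may not. Added example, not Microsoft's code; node names
and packets are constructed for illustration."""
from dataclasses import dataclass, field

# VLAN membership of cluster nodes (constructed names).
NODE_VLAN = {
    "cust-node-1": "main",
    "cust-node-2": "main",
    "fc-primary": "fc",
    "fc-replica": "fc",
    "tor-switch-1": "device",
}

# Directions in which a connection may be INITIATED. Everything not listed is
# denied (default deny), which is what makes a compromised customer node unable
# to reach the FC or device VLANs.
ALLOWED_INITIATIONS = {
    ("fc", "main"),        # stated on the slide: FC VLAN -> main VLAN
    ("main", "main"),      # assumption: customer nodes interconnect on main
    ("fc", "fc"),          # assumption: trusted FCs talk to each other
    ("device", "device"),  # assumption: infrastructure devices talk to each other
    ("fc", "device"),      # assumption: trusted FCs manage infrastructure devices
    ("device", "fc"),      # assumption: devices report back to FCs
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool  # True when this packet opens a new connection


@dataclass
class ClusterFirewall:
    """Stateful filter: remembers connections opened in a permitted direction
    so that reply traffic from the main VLAN to the FC VLAN is still allowed."""
    established: set = field(default_factory=set)

    def decide(self, pkt):
        src_vlan, dst_vlan = NODE_VLAN[pkt.src], NODE_VLAN[pkt.dst]
        if pkt.syn:
            if (src_vlan, dst_vlan) in ALLOWED_INITIATIONS:
                self.established.add((pkt.src, pkt.dst))
                return "allow"
            return "deny"
        # Non-initiating packet: allowed only if it belongs to a connection that
        # was opened in a permitted direction (either side of that connection).
        if (pkt.src, pkt.dst) in self.established or (pkt.dst, pkt.src) in self.established:
            return "allow"
        return "deny"


def audit(packets):
    """Run packets through a fresh firewall; returns the decision for each."""
    fw = ClusterFirewall()
    return [fw.decide(p) for p in packets]


# Constructed packet sequence with the expected decision for each.
SAMPLE = [
    Packet("fc-primary", "cust-node-1", syn=True),    # FC -> main initiation: allow
    Packet("cust-node-1", "fc-primary", syn=False),   # reply on that connection: allow
    Packet("cust-node-2", "fc-primary", syn=True),    # main -> FC initiation: deny
    Packet("cust-node-2", "fc-primary", syn=False),   # non-SYN with no matching state: deny
    Packet("cust-node-1", "tor-switch-1", syn=True),  # main -> device: deny
    Packet("cust-node-1", "cust-node-2", syn=True),   # main -> main: allow (assumption)
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, audit(SAMPLE)):
        print(f"{pkt.src:>12} -> {pkt.dst:<12} syn={pkt.syn!s:<5} {verdict}")
```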
Virtualization System Security Issues
Virtualization security threats
1. Hypervisor security (the hypervisor is a piece of software) - if an attacker gains control of it, the VMs running on it have zero security
2. VM identity security - hide the IP address
3. VM server security - the responsibility of the CSP
4. Securing host resources - the resources a paying cloud user relies on must be secured
5. Virtualization software security -
CSP security responsibility
1. Identifies and hides the VM or host (hides the identity of the host: IP, name, location)
2. The CSP is responsible for VM security
3. The CSP is responsible for SaaS and PaaS security
4. Protects host resources from unauthorized access
References
• https://www.cloudflare.com/learning/cloud/what-is-a-virtual-machine/
• https://docs.microsoft.com/en-us/azure/security/fundamentals/isolation-choices
Thank You