Towards a Federated Cloud Ecosystem

Towards a Federated Cloud
Ecosystem
Clovis Chapman, Dell Cloud R&D
Clovis_Chapman@dell.com

1

NIST Definition

“Cloud computing is a model for enabling convenient, on-demand
network access to a shared pool of configurable computing
resources (e.g. networks, servers, storage, applications and services)
that can be rapidly provisioned and released with minimal
management effort or service provider interaction. “

2 Cloud Research and Development Center

NIST Definition of Cloud Computing

Broad network Measured On-demand
Rapid elasticity
access Access self service
Essential
Characteristics
Resource Pooling

Software as a Platform as a Infrastructure as
Service Models
Service (SaaS) Service (PaaS) a Service (IaaS)

Com- Deployment
Public Private Hybrid munity Models


Elastic Resource Provisioning

Under-provisioning
Traditional IT provisioning
 Risks of overprovisioning (under-utilisation) or under-
provisioning (saturation).
 Real world estimates of server utilisation 5% to 20%
 Upfront capital expense and slow capacity adjustment
Over-provisioning

Fully Cloud hosted solution
Resource Capacity

 Usage-based pricing
 Risk of misestimating workload shifted from service
provider to cloud provider

Hybrid Solution
 “Cloud bursting”
 Leverage existing assets: performance and cost
management

Usage Capacity Forecast
Time


Enterprise Cloud Requirements

Commodity Clouds VS Data Center

Designed for: Designed for:
• Self-service oriented • Proprietary, customised environment
• Low prices - inexpensive entry point • Organisation level scale
• Volume operations • Single tenant with full control
• Ecosystem of applications and tenants • Dedicated support

Applications: Applications:
• Design for failure • Resilience: N+1
• Horizontal scaling • Vertical scaling
• Weak SLAs that do not cover all resource types • Dedicated resources
• Shared network and data • 4 or 5 nine availability
Examples: Amazon AWS and EC2 (IaaS)
/Google AppEngine (PaaS)

Enterprise
Cloud


Key Challenges

• Scalability
– Developing/Re-engineering applications to scale
– Means of exploiting application structural information for elasticity

• Resource Utilisation
– Capacity planning: Balancing overprovisioning/performance
– Infrastructure to monitor, supervise and control

• Vendor lock-in
– Strong divergences in (proprietary) interfaces: image formats, APIs etc.
– Requires re-developing applications


Key Challenges

• Quality of Service and Service Level Agreements
– Performance stability and homogeneity of shared resources (disk, network, etc)
– Relationship between application level SLAs and Cloud SLAs
– “4 or 5 nine” SLAs: increased amounts of redundancy

• Security
– Modeling overall security profile
– Data protection, privacy

• Compliance, Governance, Regulation
– It auditing: “The process of collecting and evaluating evidence to determine whether a
computer system (information system) safegaurds assets, maintains data integrity, achieves
organisation goals effectively and consumes resources effectively.”
– Need audit tracking for business processes that may span multiple providers


Services delivery model

 License model (per server)
 Managed by the customer:
• Infrastructure and deployment costs
Software as • Upgrade costs/training …
product

 Pay per use subscription model
Public  Managed by the service provider:
SaaS
Cloud • Cost of remote access
Software as
service

 Composite Services
Public  Focused on the business process:
Cloud Public • Multiple service providers involved
SaaS
SaaS
Cloud Business • Potential combination of local and
cloud resources
Services

Private data center


Identity and Access Management

• Identity Provisioning
– Secure and timely management of on-boarding (provisioning) and off-boarding (de-provisioning) of users in the cloud.
– Extending enterprise user management processes to the cloud.
– Existing standards: SPML, WS-provisioning, SCIM

• Authentication
– Organizations must address authentication-related challenges such as credential management, strong authentication,
delegated authentication, and managing trust across all types of cloud services

• Access Control
– The requirements for user profiles and access control policy vary, depending on whether the user is acting on their own
behalf (such as a consumer) or as a member of an organization (such as an employer, university, hospital, or other
enterprise).
– The access control requirements in SPI environments include establishing trusted user profile and policy information,
using it to control access within the cloud service, and sdoing this in an auditable way
– Existing standards: XACML

• Identity Federation
– Federated Identity Management plays a vital role in enabling organizations to authenticate their users of cloud services
using the organization’s chosen identity provider
– Existing standards: SAML Based WS-Trust & SSO, OpenID, OAuth


Example: N-tier Architecture

Mobile Browser API access

Load balancing

Web
Servers

Application
Cloudbursting Servers

Data Access layer
Public Cloud Other
LDAP SaaS
User Store


Key Enablers

• Open-source Cloud platforms:
– Technology transfer instrument across domains and communities,
– Encourage wider interoperability between solutions – open APIs, etc.
– Increased degree of transparency
› Visibility into roadmap/objectives
› Increased predictability for end-user service delivery

• Cloud Computing Standards
– Interoperability across products and organisational boundaries
– Portability across vendors
– Concerns: Landscape is still changing / Numerous emerging standards


Open Source Cloud Middleware

• Example Infrastructure-as-a-Service clouds:

Since 2010 – Apache Licence
Who: Started by NASA and Rackspace, now a multi-vendor consortium
(including Dell)
What: Collection of software for building private and public clouds –
compute, storage and server library

Who: DSA Research Group at Complutense University of Madrid | Open
Nebula Community
What: Dynamic management of virtual infrastructures within and across
sites, with support for hybrid integration with public clouds

Who: Cloud.com | Citrix
What: Java based framework for managing networks of Virtual Machines


Open Source Cloud Middleware

• Example Platform-as-a-Service Open Source:

Who: VMWare
What: Open source (free) cloud computing platform as a service (PaaS)
software - provides support for various services (e.g. MySQL, MongoDB,
etc.)


OpenStack Architecture

Centralized Services

Nova Compute
Dashboard Queue
Network Worker

API Scheduler DB
Compute Worker

Manager
Authentication
Driver
Image Service
(Glance)

Hypervisor

Swift_Proxy

Swift_Object

Swift_Acct
Zones
Swift_Container


OVF | CIMI Standard /
Proprietary
Interfaces
Service Management Interface
Private
Cloud

SaaS

PaaS

DaaS
SCIM Security

Management

Hybrid
Cloud
IaaS
…


Example: Open Virtualisation Format

• DMTF standard backed by VMWare
and XenSource which aims to offer a
packaging mechanism in a portable
and platform neutral way

• The OVF descriptor is an XML-based
document composed of three main
parts:
– Description of the ﬁles included in the
overall service (disks, ISO images,
etc.),
– Meta-data for all virtual machines
included
– Description of the different virtual
machine systems.

Develop Package Distribute Install Manage Retire


SCIM

• Simple Cloud Identity Management (?)
• Focus on Identity Provisioning and facilitating federation
• Features:
– Emerging open standard
– REST API
– Platform neutral schema.
– SAML binding.
– Emphasis on simplicity and interoperability: operation across organisational boundaries

• Started Q1 2011, Involves Ping, UnboundID, Salesforce, Cisco, …


SCIM Specification Set

REST API SAML Binding Future Binding
CRUD Methods Attribute Mapping
Endpoint URI/Attributes
Response Codes

Core Schema
User, Groups, Enterprise Extensions

REST API
Resource Endpoint HTTP Operations
User /Users GET, POST, PUT, PATCH, DELETE
Group /Groups GET, POST, PUT, PATCH, DELETE
Service Provider /ServiceProviderConfigs GET
Configuration
Schema /Schemas GET

Bulk /Bulk POST


SCIM Use Case: User Provisioning

Cloud Service User

Register

HTTP Create
SaaS (Identity)
User
application
Store

201 OK
SCIM
Consumer SCIM
Service
Provider

User Store
(LDAP,
DB, etc)
User
Store


SCIM Use Case: User Provisioning

Cloud Service User HTTP POST /Users application/json
{
Register
"schemas": ["urn:scim:schemas:core:1.0"],
"id":"2819c223-413861904646",
"userName":“clovis_chapman",
HTTP Create
(Identity)
"externalId":“clovis",
SaaS
"name":{ User
application
Store
"formatted":“Clovis Chapman”,
201 OK
"familyName":“Chapman“,
SCIM },
Consumer SCIM
"emails":[
Service
Provider
{ "value":"bjensen@example.com" },
{ "value":"babs@jensen.org" }
User Store ]}
(LDAP,
DB, etc) …
} User
Store


SCIM Use Case: SSO - Just In Time Provisioning

Enterprise
SaaS IDP

Login

SSO Redirect

SAML Response

SAML Attribute Query

SCIM User Identity

Create
User


Conclusions

• Cloud ecosystem is growing:
– Applications can involve various SaaS, PaaS and IaaS offerings
– Enabling complex workflows requires interoperability between both service and infrastructure
providers – current silos must be removed.
– Standards and Open Source offerings are key to encouraging adoption.

• References:
– OpenStack - http://openstack.org/
– OpenNebula - http://opennebula.org/
– SCIM Standard Specification: http://www.simplecloud.info/
– DMTF OVF: http://dmtf.org/standards/ovf


Towards a Federated Cloud Ecosystem

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Towards a Federated Cloud Ecosystem (20)

Recently uploaded (20)

Towards a Federated Cloud Ecosystem