#CompTIA Security+ 501 exam Chapter06 Understanding Cloud Models and Virtualization
Posted by Superadmin on November 16 2018 15:16:57

Understanding Cloud Models and Virtualization

 

In this chapter, we will learn about the deployment and security issues of virtualization. We will get acquainted with the deployment and storage environments of the cloud models, and we will look at different scenarios to understand when to use on-premises, hosted, and cloud environments.

We will cover the following exam objectives in this chapter:

Cloud computing

 

The demand for cloud services has risen in recent years as the workforce has become more mobile; a cloud solution is very cost-effective and maintains high availability of systems. Before you decide to move to a cloud service provider (CSP), you need to be sure that you can trust them: you are handing your data and a large part of your security over to a third party, so check their certifications, contract and SLA before you sign.

 

This module will look at different cloud models, coupled with cloud storage and how machines in the cloud are created. There are many good reasons why cloud computing has become popular:

Example: A company that delivers training courses at different locations. When they move to the cloud, they roll out one image and the CSP clones it, so they no longer need to reimage each laptop. This week they are delivering Word 2016, so the cloud machines need only an i5 processor with 4 GB of RAM for 2 days; they go to a CSP and lease that hardware specification.

The next week, in another location, they will deliver Skype for Business. There is still no need to reimage the laptops, but they now lease quad-core i7 processors with striped disk sets and 64 GB of RAM. The course is now 5 days, so it is longer and more expensive. The image is uploaded and the cloud machines are upgraded, resulting in a much higher cost as they are using more resources, but they do not need to purchase the additional hardware, so the setup is still more cost-effective.

 

Example: A company opening a new site would normally need to invest $50,000 in IT equipment, so it has turned to a cloud model for the new site instead. It will lease the offices until sufficient sales have been made to invest in purchasing a property. All of the employees will have laptops and high-speed fiber broadband.

The network infrastructure will be cloud-based, so there is no need to purchase physical servers, which would have eaten into their cashflow. Cashflow is maintained even though new equipment has been provided.

Example: A company whose hardware refresh would cost $250,000 finds that moving to the cloud would cost $60,000 a year. However, it does not need to find the whole $250,000 in one lump sum, and the CSP updates its hardware perpetually so that the hardware never becomes obsolete.

It also helps the company maintain a better cashflow, as no capital expenditure is required. Even if the annual cost works out slightly higher over the life of the hardware, it can be justified, as there are no maintenance fees and no disaster recovery site to pay for, making it very cost-effective. The CSP deals with hardware maintenance and disaster recovery as part of the cloud plan; the company remains responsible for its own data and configuration.

Exam tip:
Private cloud = single tenant. Public cloud = multitenant.
Community cloud = same industry.

 

 

Implementing different cloud deployment models

 

We will first look at the different cloud models and their characteristics. The most common cloud model is the public cloud, so let's start with that:

Figure 1: Public cloud

Figure 1 shows an apartment block: none of the tenants owns their apartment, and the same is true of the tenants in a public cloud.

Example: A small company does not want to invest $50,000 in IT systems, so it purchases a cloud package from a cloud provider that also hosts other companies on the same infrastructure. This is similar to renting one apartment in a block from a landlord: you lease but do not own the flat. This is a multitenant environment, where the cloud provider runs multiple companies' workloads on the same physical hosts; the only thing separating you from the other tenants is the provider's hypervisor and network isolation, so you are trusting the provider to keep that boundary intact.

Figure 2: Private cloud

Example: An insurance company wants its sales staff on a cloud environment where they can access resources from anywhere, whether at home, at a customer's site, or in a hotel room. The problem is that the company does not wish to share resources with other cloud tenants. Therefore, it purchases the hardware and its IT team hosts its own private cloud. The benefit is that the sales team can access any resource they need at any time of day or night, without sharing infrastructure with anyone else.

This is known as single-tenant: like owning your own home, the company buys and runs the equipment itself.

Figure 3: Community cloud

In the preceding diagram, you can see lawyers on the left-hand side and a group of medical people, doctors and nurses, on the right-hand side. The lawyers cannot share the same software package as the medical people, since they have different requirements. Therefore, Community Cloud 1 is for the lawyers, who have jointly designed and financed the perfect legal application, hosted in the cloud and private to them. Community Cloud 2 is for the medical group, perhaps two hospitals, who have designed and shared the cost of the perfect medical software package, which is hosted by the CSP.

Three of the largest pawnbroking companies enter into a business venture where they get together and design the perfect application to enable their companies to be more efficient and save labor costs over time. The cloud provider creates this application and hosts it. This saves them the costs of purchasing new hardware. The cloud provider will also back up the data each night and guarantee a 99.99% availability of the systems. This is known as a community cloud as the application is no good to anyone who is not a pawnbroker.

Figure 4: Hybrid cloud

In the bottom left-hand corner, we have a brick factory. This represents on-premises, where the company owns a brick-and-mortar building housing its own IT. In the top left are servers in the cloud; a hybrid cloud uses both. The cloud access security broker (CASB) sits between the on-premises users and the cloud services and enforces the company's policies on that traffic, for example authentication, visibility of which cloud services are being used, and data loss prevention.

 

 

Cloud service models

 

There are different types of cloud service, and these are very heavily tested in the Security+ exam, so we will show screenshots of the types of offering. We will first look at infrastructure as a service (IaaS), the model over which you have the most control:

 

Figure 5: Microsoft's IaaS offering (July 2018)

Exam tip:
IaaS is where you install the operating system and patch it. This is the model over which you have the most control, and therefore the most responsibility: the CSP looks after the hardware and hypervisor, and everything from the operating system upward is yours to secure.

 

Figure 6: Goldmine—SaaS

Figure 7: Salesforce—SaaS

Figure 8: Microsoft Office 365—SaaS

Figure 9: Okta security as a service (SECaaS) for Google Apps

The preceding diagram shows Okta providing secure web authentication into Google Apps.

 

 

Disk resiliency and redundancy

 

We are going to look at different disk setups—some of which can provide fault tolerance or redundancy, meaning that if a disk fails, then the data is still available. RAID 0 is used for faster disk access, but provides neither fault tolerance nor redundancy. Let's first look at the different RAID setups, as these will be heavily tested.

 

 

Redundant array of independent disks

 

There is a need for the disk setup on servers to provide redundancy; this is where if one disk fails, the data is still available. We have already looked at failover clustering in Chapter 5, Understanding Network Components, where two servers share a quorum disk—the single point of failure in that scenario would be the shared disk. We are going to look at different Redundant Array of Independent Disks (RAID) levels and their characteristics:

Figure 10: RAID 0

This is known as a stripe set, as the data is written across Disks 1-3 in stripes (typically 64 KB). Should one disk fail, all of the data is lost, so RAID 0 provides neither fault tolerance nor redundancy. The benefit of RAID 0 is faster read and write access, so it may be used for data that is easily recreated, such as a proxy server's cache.

Figure 11: RAID 1

You can see from the preceding mirror set that the disk on the left has the original data and the disk on the right is a copy of that data. Should Disk 1 fail, you would "break the mirror" and then Disk 2 would provide the copy of the data for those who need access to it. At a later stage, we will add another disk and then reestablish the mirror set.

Figure 12: RAID 5

RAID 5 can suffer a single-disk failure and still allow access to the data, as the parity data can recreate the missing chunk on the fly, but access will be slower than normal while the set is degraded. This gives the IT team time to replace the failed disk; until the rebuild completes, a second failure means data loss.

Example: The preceding diagram represents a RAID 5 set, using a mathematical equation to stand for the disk set so that you can see the impact of losing one disk and then losing two:

Figure 13: RAID 5 as a mathematical equation

Each of the disks has a numerical value. For example, if Disk 3 fails, the equation becomes (7 + ? = 10) and the answer is 3, so the missing value can be recreated. If we then lose a second disk, Disk 1, the equation becomes (? + ? = 10), which cannot be solved: with two disks missing, single parity cannot recreate the missing data.

Figure 14: RAID 6

A RAID 5 set can afford to lose one disk and still be available. The advantage of RAID 6 is that it can lose two disks and still be available, as it has double parity; it needs a minimum of four disks.

Figure 15: RAID 10

From this diagram, you can see a RAID 1 mirror on the left, which is then striped (RAID 1+0). This allows you to lose two disks, provided they are in different mirror pairs; losing both disks of the same pair loses the data.
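The book illustrates RAID 5 parity with ordinary addition (7 + 3 = 10). Real controllers use XOR, which has the same property: any one missing chunk in a stripe can be recreated from the others, but two missing chunks cannot. The following is an added example, not code from the book or from any RAID implementation; it works through the RAID 5 equation above and the RAID 10 mirror-pair rule. The 8-byte chunk size, the parity-last layout and the sample data are assumptions for illustration (real RAID 5 rotates the parity chunk across the disks).

```python
"""RAID 5 parity as XOR and RAID 10 mirror-pair survival (added example, not from the book)."""
from typing import List, Optional, Sequence

Chunk = Optional[bytes]  # None stands for the chunk on a failed disk


def xor_chunks(chunks: Sequence[bytes]) -> bytes:
    """XOR equal-length chunks together: this is the parity operation."""
    if not chunks:
        raise ValueError("need at least one chunk")
    size = len(chunks[0])
    if any(len(c) != size for c in chunks):
        raise ValueError("all chunks in a stripe must be the same size")
    out = bytearray(size)
    for chunk in chunks:
        for i, byte in enumerate(chunk):
            out[i] ^= byte
    return bytes(out)


def build_raid5_stripe(data: Sequence[bytes]) -> List[bytes]:
    """Data chunks plus one parity chunk: one stripe as written to N+1 disks
    (parity is placed last here as a simplification)."""
    if len(data) < 2:
        raise ValueError("RAID 5 needs at least two data disks (three disks in total)")
    return list(data) + [xor_chunks(data)]


def failed_disks(stripe: Sequence[Chunk]) -> List[int]:
    """Indices of the disks whose chunk is missing."""
    return [i for i, c in enumerate(stripe) if c is None]


def can_rebuild_raid5(stripe: Sequence[Chunk]) -> bool:
    """Single parity tolerates exactly one missing disk; two means data loss."""
    return len(failed_disks(stripe)) <= 1


def read_raid5_chunk(stripe: Sequence[Chunk], disk: int) -> bytes:
    """Serve a read in degraded mode: if `disk` has failed, XOR every surviving
    chunk together to recreate it. This extra work is why a degraded RAID 5 set
    is slower than normal."""
    chunk = stripe[disk]
    if chunk is not None:
        return chunk
    if not can_rebuild_raid5(stripe):
        raise RuntimeError(f"{len(failed_disks(stripe))} disks failed: stripe is unrecoverable")
    return xor_chunks([c for c in stripe if c is not None])


def rebuild_raid5(stripe: Sequence[Chunk]) -> List[bytes]:
    """Recreate the missing chunk, as the controller does onto a replacement disk."""
    return [read_raid5_chunk(stripe, i) for i in range(len(stripe))]


def raid10_available(n_disks: int, failed: Sequence[int]) -> bool:
    """RAID 10 mirrors disks in pairs (0,1), (2,3), ... and stripes across the pairs.
    Data survives any number of failures as long as no pair loses both members."""
    if n_disks < 4 or n_disks % 2:
        raise ValueError("RAID 10 needs an even number of disks, at least four")
    failed_set = set(failed)
    if any(d < 0 or d >= n_disks for d in failed_set):
        raise ValueError("failed disk index out of range")
    # Each pair survives if at least one of its two members is not in the failed set.
    return all({2 * p, 2 * p + 1} - failed_set for p in range(n_disks // 2))


if __name__ == "__main__":
    # Constructed sample data: one 8-byte chunk per data disk, three data disks.
    stripe = build_raid5_stripe([b"disk1-da", b"disk2-da", b"disk3-da"])
    degraded = list(stripe)
    degraded[2] = None                                   # Disk 3 fails
    print("read from failed disk:", read_raid5_chunk(degraded, 2) == stripe[2])  # True
    degraded[0] = None                                   # Disk 1 fails as well
    print("two failures recoverable?", can_rebuild_raid5(degraded))              # False
    print("RAID 10, disks 0 and 2 lost:", raid10_available(4, [0, 2]))             # True
    print("RAID 10, disks 0 and 1 lost:", raid10_available(4, [0, 1]))             # False
```

Note that XOR of every chunk in a healthy stripe, parity included, is all zeros; that is the check a controller's background scrub performs to detect silent corruption before a disk failure turns it into lost data.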

 

 

Storage area network

 

A storage area network (SAN) is a dedicated, high-speed network that connects servers to storage arrays holding a large number of fast disks, such as solid-state drives (SSDs); it is kept separate from the LAN. A SAN typically has host bus adapters (HBAs) (https://searchstorage.techtarget.com/definition/host-bus-adapter) in the servers and dedicated switches (https://searchnetworking.techtarget.com/definition/switch) linking them to the storage arrays. The disks are set up with some form of redundancy, such as RAID 5 and upward, so that the storage itself is redundant:

Figure 16: Storage area network

Each switch and storage system on the SAN must be interconnected, and the physical interconnections must support bandwidth levels that can handle peak data activity. There are two common connection types: Fibre Channel, using HBAs and Fibre Channel switches, and iSCSI, which carries SCSI commands over ordinary Ethernet.

The servers that use SAN storage can be diskless and use the SAN storage as if they had local disks installed, so the connection must be fast enough that the server does not suffer performance issues. Example: Server 1 is a virtual host and needs another 200 TB of storage to host more virtual machines. It connects to the SAN using Ethernet and Ethernet switches; this connection is known as an iSCSI connector:

Figure 17: SAN—iSCSI Connector

The SAN allocates 200 TB and identifies it with a logical unit number (LUN); storage presented this way is the iSCSI target. Server 1, which has been allocated the space, is the iSCSI initiator. Server 1 is diskless but still sets up the space in disk management as if it were a physical disk. To prevent latency, the connection between Server 1 and the SAN must be fast. Because iSCSI rides on ordinary Ethernet, the storage traffic should be kept on its own VLAN and the target should require the initiator to authenticate (iSCSI supports CHAP); otherwise any host that can reach the target's network could attempt to attach the LUN and read the data on it.

 

 

Understanding cloud storage concepts

 

It is quite common to use cloud storage to hold your data, such as iCloud from Apple, Google Drive from Google, OneDrive from Microsoft, or Dropbox from Dropbox, Inc. The consumer versions give you a limited amount of storage and then offer a business version or additional space for a monthly subscription fee. Let's look at the following image:

Figure 18: Cloud storage

In this diagram, you can see on the left-hand side a datacenter with a vast number of storage servers in a configuration called a server farm. The datacenter is a secure location where your data resides; where data residency rules apply, the data must stay within your chosen geographic region. The datacenter has a backup datacenter to provide redundancy. The storage servers themselves are likely to be diskless, drawing their storage from a SAN.

 

 

Exploring virtual networks

 

A virtual network is very similar to a physical network in many ways, but for the Security+ exam, we must know the concepts of virtualization. To host a virtual environment, we install a hypervisor on the computer that will hold the virtual machines. There are two types of hypervisor: a Type 1 hypervisor runs directly on the hardware (bare metal), whereas a Type 2 hypervisor runs as an application on top of a conventional operating system, such as VMware Workstation or Oracle VirtualBox.

Exam tip: Type 1 hypervisors are installed on bare-metal machines; examples are VMware ESXi, Microsoft Hyper-V, and Xen.

The main server in a virtual environment is called a host and the virtual machines are called guests. This is very similar to a party where the person holding the party is a host and the people attending the party are called guests. There are various different components to virtualization:

Figure 19: Virtualization

Now, we will look at each of the components:

Example: Server 1 is a virtual host, already has 50 guest machines, and is running out of physical disk space, but there is a requirement for Server 1 to host another 20 guest machines. There is enough memory and there are enough processing cores, but there is a lack of disk space. The solution would be to create a LUN on the SAN, giving Server 1 another 10 TB of disk space that it can allocate to the new virtual machines. Server 1 then connects to the SAN and configures the disk space allocated in disk management.

Figure 20: Virtual host with two guest machines

Figure 21: Virtual switch—Internal Network 1 with VLAN 2

Figure 22: Snapshot of Server 2016

Exam tip:
iSCSI runs over Ethernet, so when SAN traffic is separated onto its own VLAN, the connector in use is iSCSI.

 

 

Virtual desktop infrastructure

 

A virtual desktop infrastructure (VDI) is a pool of virtual desktops for groups of users who share the same needs, such as a sales team whose members need the same applications and utilities on their desktops.

When the salespeople use their desktops, their settings are copied elsewhere; if a desktop becomes corrupt, another desktop is taken from the pool and the settings are placed on the new desktop.

Example: A company has 50 users who access their desktops remotely, as they are hosted in a virtual environment. There are another 100 virtual machines set up and waiting to be allocated to users. When a user works on their virtual machine, all of their desktop settings are copied onto another disk. If the virtual machine they are using fails, a new virtual machine is taken from the pool and their settings are applied, so their desktop is recovered within a few minutes.

 

 

VDE

 

When users use a virtual machine as their desktop, it can be set up in one of two ways: permanent (persistent), where each user keeps a dedicated desktop and changes survive between sessions, or nonpermanent (non-persistent), where the desktop is rebuilt from a clean image at each logon and anything not saved elsewhere is discarded. A non-persistent desktop has a security advantage: malware that lands on it does not survive the next logon.

 

 

Heating, ventilation, and air-conditioning

 

The servers for both cloud and virtualization, the storage servers and virtual hosts, are located in server farms that are in data centers. If these servers get too hot, the devices will fail. Therefore, in a data center, we have hot and cold aisles:

Figure 23: HVAC

The cold aisle is where the cold air comes in; it faces the front of the servers. The rears of the servers face each other and push hot air into the hot aisle, from where it is drawn away through a chimney or return duct. This way, the temperature is regulated, which ensures the availability of the IT systems.

 

 

Network environments

 

Let's look at some of the network environments.

 

 

On-premises

 

On-premises is where your company's network is inside a physical building that you own; you then have physical firewalls, routers and switches. Each person has a physical machine, the software is normally held on local disks, and the IT team is on-site. You have total control over, and total responsibility for, your resources.

 

 

Hosted services

 

Hosted services are technology services offered to you or your company by a provider that runs the physical servers delivering that service somewhere else. Access to the service is usually provided through a direct network connection that may or may not run via the internet. The hosted services provider takes on responsibility for the servers and, typically, for backup, to the extent set out in the contract and SLA, so read those before relying on them.

 

 

Cloud-hosting services

 

Cloud-hosting services provide hosting on virtual servers, which draw their computing resources from high-end physical servers that obtain their storage from a SAN. Access to resources is either via a leased line or over the internet. The cloud provider has full responsibility for the hardware and the availability of the IT systems; what you remain responsible for (your data, identities and configuration, and the operating system in IaaS) depends on the service model:

 

 

 

Practical exercise – is the cloud cost-effective?

 

In this exercise, you are going to go to Amazon Web Services, which provides a calculator to estimate how much you could save by moving your infrastructure into the cloud. The instructions were accurate at the time of printing, but treat them as a guideline, as Amazon may change its website.

Search Google for "Amazon Web Services pricing", or go to the Amazon Web Services site and select the Pricing tab. Then perform the following steps:

  1. Select Pricing: AWS Pricing: Calculate My Cloud Savings.

  2. Press Calculate TCO.

  3. How much did you save? Was it cost-effective?

  4. Now search for another cloud provider and use their calculator to see which is more cost-effective.

 

 

Review questions

 

  1. In a cloud environment, what is elasticity?

  2. In which cloud environment would I install the software and then have to update the patches?

  3. Which cloud model is Office 365?

  4. What is the major benefit of using a public cloud?

  5. What is a cloud single-tenant model?

  6. What is a cloud multitenant model?

  7. Describe how a community cloud operates.

  8. What are the limitations imposed on a CSP regarding data storage?

  9. Who is responsible for the disaster recovery of hardware in a cloud environment?

  10. What is a cloud access security broker (CASB)?

  11. What model is it if you own the premises and all of the IT infrastructure resides there?

  12. What is a hybrid cloud model?

  13. What is distributive allocation?

  14. What type of model deals with identity management?

  15. What RAID model has a minimum of three disks? How many disks can it afford to lose?

  16. What are the two RAID models that have a minimum of four disks?

  17. What is the difference between RAID 5 and RAID 6?

  18. Where will a diskless virtual host access its storage?

  19. If a SAN is connected over Ethernet switches and its traffic is carried on a VLAN, what connector is in use?

  20. What type of disks does a SAN use?

  21. Name a Type 1 hypervisor.

  22. What type of hypervisor can be installed on bare-metal machines?

  23. What is the machine that holds a number of virtual machines called?

  24. What is a guest and what is it called if you isolate it?

  25. In a virtual environment, what is sandboxing and how does it relate to a chroot jail?

  26. Which is faster for data recovery: a snapshot or a backup tape?

  27. Why does HVAC provide availability for a datacenter?

  28. Which cloud model is it if you decide to use Salesforce?

  29. What do you call the cloud model where people from the same industry share resources and the cost of the cloud model?

  30. What is an example of cloud storage for a personal user?

 

 

Answer and explanations

 

  1. Elasticity allows you to increase and decrease cloud resources as you need them.

  2. Infrastructure as a service (IaaS) requires you to install the operating systems and patch the machines. The CSP provides and maintains the physical hardware, network and hypervisor; everything from the operating system upward is your responsibility.

  3. Office 365 is a software as a service (SaaS) that provides email, Skype, and Office applications.

  4. The major benefit of a public cloud is that there is no capital expenditure.

  5. A private cloud is a single-tenant setup where you own the hardware.

  6. Public cloud is multitenant.

  7. A community cloud is where people from the same industry, such as a group of lawyers, design and share the cost of a bespoke application and its hosting, making it cost-effective.

  8. Where data residency requirements apply, a CSP must keep the data within the agreed region; it cannot even move backup data to another region for resilience.

  9. The CSP is responsible for recovering from hardware failures.

  10. The CASB ensures that the policies between the on-premises and the cloud are enforced.

  11. On-premises is where you own the building and work solely from there.

  12. A hybrid cloud is where a company is using a mixture of on-premises and cloud.

  13. Distributive allocation is where the load is spread evenly across a number of resources, ensuring no one resource is overutilized. An example of this is using a load balancer.

  14. Security as a service (SECaaS) provides secure identity management.

  15. RAID 5 has a minimum of three disks and you can afford to lose one disk without losing data.

  16. RAID 6 and RAID 10 both have a minimum of four disks.

  17. RAID 5 has single parity and can lose one disk, where RAID 6 has double parity and can lose two disks.

  18. A diskless virtual host will get its disk space from a SAN.

  19. SAN traffic carried over Ethernet switches and a VLAN uses an iSCSI connector.

  20. A SAN will use fast disks, such as SSDs.

  21. Hyper-V, VMware ESXi, and Xen are all Type 1 hypervisors.

  22. Type 1 hypervisors are installed on bare-metal machines.

  23. A host holds a number of virtual machines; it needs fast disks, memory, and CPU cores.

  24. A guest is a virtual machine, for example a Windows 10 virtual machine. Running it isolated from the rest of the environment is known as sandboxing; containers provide a lighter-weight form of isolation at the operating-system level.

  25. Sandboxing is where you isolate an application for patching, testing, or because it is dangerous. A chroot jail sandboxes a process in a Linux environment by restricting its view of the filesystem; on its own it is not a strong security boundary, as a process running as root can escape it, so it is normally combined with dropping privileges.

  26. A snapshot is faster at recovering than any other backup solution, but it usually lives on the same storage as the virtual machine, so it is not a substitute for a backup held elsewhere.

  27. HVAC keeps the servers cool by importing cold air and exporting hot air. If a server's CPU overheats, it will cause the server to crash.

  28. Salesforce is an online customer relationship management (CRM) package; this is software as a service (SaaS).

  29. A community cloud is where people from the same industry share resources.

  30. Cloud storage for personal users could be iCloud, Google Drive, Microsoft OneDrive, or Dropbox.