Cloud Final One Pager
data into a protected and unreadable format; 2 common forms: symmetric and asymmetric. Encryption technology relies on a standardized algorithm called a cipher to transform original plaintext data into encrypted data referred to as ciphertext; when encryption is applied to plaintext data, the data is paired with a string of characters called an encryption key, a secret message that is established by and shared among authorized parties; the encryption key is used to decrypt the ciphertext back into its original plaintext format. The encryption mechanism can help counter the traffic eavesdropping, malicious intermediary, insufficient authorization and overlapping trust boundaries security threats.
Symmetric encryption: uses the same key for both encryption and decryption, both of which are performed by authorized parties that use the one shared key; also known as secret key cryptography.
Asymmetric encryption: uses 2 different keys, a private key and a public key; also known as public key cryptography; the private key is known only to the owner and the public key is commonly available (encryption key = public key, decryption key = private key).
Hashing: used when a one-way, non-reversible form of data protection is required (e.g. password storage); often used to create a hash code or message digest from a message, which is of fixed length and smaller than the original message.
Message digest: a cryptographic hash value, a string of digits created by a one-way hashing formula; designed to protect the integrity of a piece of data or media by detecting changes and alterations to any part of a message.
Hashing and clouds: hashing is applied to protect the integrity of a message that may be intercepted and altered by a malicious service; a firewall can be configured to determine that the message has been altered, enabling it to reject the message before it can proceed to the cloud service.
Digital signatures: a means of providing data authenticity and integrity through authentication and non-repudiation; provides evidence that the message received is the same as the one created by its rightful sender; helps mitigate the malicious intermediary, insufficient authorization and overlapping trust boundaries security threats.
Public Key Infrastructure (PKI): used for managing the issuance of asymmetric keys; a system of protocols, data formats, rules and practices that enable large-scale systems to securely use public key cryptography; used to counter the insufficient authorization threat.
Identity and Access Management (IAM): controls and tracks user identities and access privileges for IT resources, environments and systems; comprised of four main components: authentication, authorization, user management, credential management.
Single Sign-On (SSO): enables one cloud service consumer to be authenticated by a security broker, which establishes a security context that is persisted while the cloud service consumer accesses other cloud services or cloud-based IT resources; the cloud service consumer provides the security broker with login credentials, and the security broker responds with an authentication token upon successful authentication; the token contains cloud service consumer identity information that is used to automatically authenticate the cloud service consumer across cloud services.
SSO security broker: useful when a cloud service consumer needs to access cloud services residing on different clouds; credentials received by the security broker are propagated to ready-made environments across two different clouds; the security broker is responsible for selecting the appropriate security procedure with which to contact each cloud.
Cloud-based security groups: the cloud-based resource segmentation process creates cloud-based security groups that are determined through security policies; networks are segmented into logical cloud-based security groups that form logical network perimeters; each cloud-based IT resource is assigned to at least one logical cloud-based security group; each logical cloud-based security group is assigned specific rules that govern the communication between the security groups.
Logical cloud-based security groups: multiple virtual servers running on the same physical server can become members of different logical cloud-based security groups.
Hardened virtual server images: a hardened virtual server image is a template for virtual server instance creation that has been subjected to a security (hardening) process: close unused ports, disable unused services, disable guest accounts, limit root accounts, uninstall redundant and unused software, establish memory quotas.
Data collection: finding, labeling, recording and mining forensic data from a cloud is difficult; information resides in many different locations and may be offshore; data collection from a cloud provider may violate privacy laws protecting other customers; access to forensic data and logs varies according to the cloud model: (1) IaaS: easy access to data for forensics (2) PaaS: less flexible access through the cloud API (3) SaaS: almost no access from the client side.
Technical issues with elastic, static and live forensics: time synchronization is very difficult when data resides in multiple locations, machines or data centers; log format unification is difficult; recovering deleted data is almost impossible.
Evidence segmentation: very difficult to identify only the data belonging to a particular suspect; separating log files per client is a huge management overhead; weak registration allows criminals to use the cloud almost anonymously; good tools do not exist yet, but this is an area of opportunity.
Investigating virtual machines: clients don't use physical hardware directly but rather virtualized hardware and VMs; the evidence may be spread across the client's machines; even clients cannot locate the physical position of a piece of data at any time.
Legal issues: multi-jurisdiction and multi-tenancy; SLAs still do not include support for cloud forensics.
Pros for forensics in the cloud: cost-effective forensics as a service; data abundance: many replicas of a data object exist in a cloud, so deletion does not remove all traces of the data; performance: faster data processing even for smaller law enforcement agencies and reduced total cost of investigation.
Problems: creating a framework for a regulatory-compliant cloud, i.e. a cloud that allows for some level of forensic scrutiny as required by regulations such as SOX, HIPAA, GLB; creating a privacy-preserving forensic audit.
Roadmap for detecting cloud security: CSA guidelines (14 steps), vendor's reputation and clients, Federal Information Security Management Act (FISMA) compliance, NIST 800-53, SAS 70 certification, ISO 27001 certification.
NIST Risk Management Framework: (1) Categorize information systems: define critical/sensitive information systems according to the potential worst-case adverse impact to mission/business (2) Select security controls: select baseline security controls, apply tailoring guidance and supplement controls as needed based on risk assessment (3) Implement security controls: implement security controls within the enterprise architecture using sound systems engineering practices, apply security configuration settings (4) Assess security controls: determine security control effectiveness (5) Authorize information system: determine risk to organizational operations and assets (6) Monitor security controls: continuously track changes to the information system that may affect security controls and reassess control effectiveness.
FIPS standards: (1) Hardware, software and networking: systematic change management, phased update deployment, safe storage decommissioning, automated monitoring and self-audit, advanced network protection (2) Physical: data centers in nondescript facilities, physical access strictly controlled, must pass 2FA at least twice for floor access, physical access logged and audited (3) Certifications and accreditations: SAS 70 Type II, ISO 27001, PCI, FISMA, DIACAP, HIPAA, FIPS 140-2.
FISMA boundaries: establishes security guidelines that federal agencies, or those entities which have outsourced agency business, must adhere to; requires specific documented policies and procedures and defined processes to be in place to meet the rigorous requirements of NIST 800-53.
Cloud Security Alliance (CSA): a member-driven organization chartered with promoting the use of best practices for providing security assurance within cloud computing; a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing and to provide education on the uses of clouds to help secure all other forms of computing; led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.
Security guidance for critical areas of focus in cloud computing: architectural framework; governance and enterprise risk management; legal and electronic discovery; compliance and audit; information lifecycle management; portability and interoperability; traditional security, business continuity and disaster recovery; data center operations; incident response, notification and remediation; application security; encryption and key management; identity and access management; virtualization.
Internet threats: data integrity: the contents of a packet can be accidentally or deliberately modified; identity spoofing: the origin of an IP packet can be forged; replay attack: unauthorized data can be retransmitted; loss of privacy: the contents of a packet can be examined in transit.
Packet encapsulation: the data is sent down the protocol stack, and each layer adds to the data by prepending headers.
IP security: there is a range of application-specific security mechanisms (S/MIME, PGP, Kerberos, SSL/HTTP), but there are still security concerns that cut across protocol layers.
Services, mechanisms, algorithms: a protocol provides one or more services; services are built from mechanisms; mechanisms are implemented using algorithms (Services: e.g. SSL as a security protocol; Mechanisms: signatures, encryption, hashing; Algorithms: signatures DSA, RSA; encryption RSA, DES; hashing SHA-1, MD5).
Security protocol layers: the further down the stack you go, the more transparent the protection is; the further up you go, the easier it is to deploy.
PPP Encryption Control Protocol (ECP): responsible for negotiating and managing the use of encryption on a PPP link.
IPsec: a framework of open standards developed by the Internet Engineering Task Force (IETF) which creates secure, authenticated, reliable communications over IP networks; provides security functions at the IP level; applicable to both IPv4 and IPv6; available in Windows, Linux and Cisco routers.
IPsec provides authentication, confidentiality and key management; available over a LAN, across public and private WANs, and for the Internet.
Goals of IPsec: verify sources of IP packets (authentication); prevent replaying of old packets; protect integrity and/or confidentiality of packets (data integrity / data encryption).
IPsec services: (1) Integrity: assurance that received traffic has not been modified; integrity includes anti-replay defenses (2) Data origin authentication: assurance that traffic is sent by legitimate party(s) (3) Confidentiality: encryption, assurance that users' traffic is not examined by non-authorized parties (4) Access control: prevention of unauthorized use of a resource.
IPsec architecture: provides security in 3 situations: host to host, host to gateway and gateway to gateway.
IPsec operates in 2 modes: transport mode (for end to end) and tunnel mode (for VPN).
Outbound/inbound IPsec processing: the inbound and the outbound IPsec processing are independent.
Host-to-host mode: protects data at the application layer, transport layer and IP layer.
Transport mode: encrypts and optionally authenticates IP data; traffic analysis remains possible; ESP host-to-host traffic.
Tunnel mode: encrypts the entire IP packet and adds a new header for the next hop; no routers on the way can examine the inner IP header; good for VPN and gateway-to-gateway security.
Authentication Header (AH): provides integrity, data origin authentication and protection against replay attacks; 32-bit monotonically increasing sequence number to avoid replay attacks; uses a cryptographically strong hash to protect integrity (96-bit), uses symmetric cryptography, HMAC-SHA-96 or HMAC-MD5-96; provides source authentication and protection against source spoofing; protects against DoS; NO confidentiality protection.
Encapsulating Security Payload (ESP): provides confidentiality (encryption), integrity, data origin authentication and protection against replay attacks; both protocols may be used alone or in combination with each other; encryption occurs before authentication; authentication is applied to the data in the IPsec header as well as the data contained as payload; provides all that AH offers in addition to confidentiality; uses symmetric key encryption, 32-bit sequence number, uses integrity check algorithms; data confidentiality by symmetric-key encryption of the packet with triple DES or AES.
RFCs: Internet Key Exchange (IKE): RFC 2409; AH: RFC 2402; ESP: RFC 2406; IP Payload Compression (IPComp): RFC 3173, reduces the size of data transmitted over slow or congested networks, therefore increasing the speed of such networks without losing data.
IKE: negotiates security policies; establishes secure sessions (security associations, SA); an SA is asymmetric: one SA for inbound and one for outbound; key exchange, key management; can be used outside IPsec; SADB: a database for SAs.
IKE operates in 2 phases: (1) negotiate and establish an auxiliary end-to-end secure channel, only established once (2) negotiate and establish custom secure channels, occurs multiple times; both phases use Diffie-Hellman key exchange to establish a shared key.
IKE Phase 1: establishes a secure channel between 2 endpoints; provides source authentication, data integrity, confidentiality and protection against replay attacks; four different ways to authenticate: digital signatures, 2 forms of authentication with public key encryption, preshared key; IKE uses public key encryption.
IPsec Phase 2: endpoints are identified by <IP, port> or by packet
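Added illustration (not from the original notes, and not a real IPsec stack): a simplified AH-style sender and receiver in Python showing the two checks described in the AH notes above, the HMAC-SHA-96 integrity check value and the 32-bit sequence-number anti-replay window, and also the message-digest integrity check from the hashing notes, where a gateway rejects an altered message before it reaches the service. The SPI, key and payloads are constructed; mutable IP header fields are left out of the ICV for brevity.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12            # HMAC-SHA-96: the SHA-1 HMAC truncated to 96 bits (12 bytes)
WINDOW = 64             # anti-replay window width in packets (RFC 4302 minimum is 32)
MAX_SEQ = 2**32 - 1     # 32-bit sequence number; the SA must be replaced before it wraps
HDR = struct.Struct("!II")  # SPI and sequence number, network byte order

# Constructed demo key; a real SA key comes from IKE, never hard-coded.
DEMO_KEY = b"\x11" * 20


def compute_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Integrity check value over the immutable fields (SPI, seq) and the payload."""
    return hmac.new(key, HDR.pack(spi, seq) + payload, hashlib.sha1).digest()[:ICV_LEN]


class OutboundSA:
    """Sender side: stamps each packet with the next sequence number and its ICV."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi, self.next_seq = key, spi, 1  # first packet uses seq 1

    def protect(self, payload: bytes) -> bytes:
        if self.next_seq > MAX_SEQ:
            raise RuntimeError("sequence number exhausted: rekey the SA")
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        return HDR.pack(self.spi, seq) + compute_icv(self.key, self.spi, seq, payload) + payload


class InboundSA:
    """Receiver side: sliding anti-replay window plus constant-time ICV verification."""

    def __init__(self, key: bytes, spi: int):
        self.key, self.spi = key, spi
        self.highest = 0   # highest sequence number accepted so far (right edge of window)
        self.bitmap = 0    # bit i set => seq (highest - i) has already been accepted

    def receive(self, packet: bytes):
        """Returns (accepted, payload) on success or (False, reason) on rejection."""
        if len(packet) < HDR.size + ICV_LEN:
            return False, "truncated"
        spi, seq = HDR.unpack_from(packet)
        got_icv = packet[HDR.size:HDR.size + ICV_LEN]
        payload = packet[HDR.size + ICV_LEN:]
        if spi != self.spi:
            return False, "unknown SPI"
        if seq == 0:
            return False, "sequence number 0 is never valid"
        # 1. Cheap replay check against the window before spending an HMAC.
        if seq <= self.highest:
            back = self.highest - seq
            if back >= WINDOW:
                return False, "too old: left of the window"
            if (self.bitmap >> back) & 1:
                return False, "replayed"
        # 2. Integrity check, compared in constant time.
        if not hmac.compare_digest(got_icv, compute_icv(self.key, spi, seq, payload)):
            return False, "bad ICV"
        # 3. Only a packet that passed the ICV check may advance the window; otherwise
        #    a forged high sequence number could push still-valid packets out of it.
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return True, payload
```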
Building IaaS environments: the virtual server and the cloud storage device mechanisms represent the 2 most fundamental IT resources that are delivered as part of a standard rapid provisioning architecture within IaaS; configurations include: OS, primary memory capacity, processing capacity, virtualized storage capacity.
Data centers: IaaS-based IT can be provided from multiple geographically diverse data centers; benefits include resiliency and a lower chance of a single point of failure, connection through high-speed networks with low latency, load balancing, backup and replication, improved reliability and availability; multiple data centers spread over a greater area reduce network latency; data centers in different countries make access to IT resources more convenient for cloud consumers that are constrained by legal and regulatory requirements.
When an IaaS environment is used to provide cloud consumers with virtualized network environments, each cloud consumer is segregated into a tenant environment that isolates IT resources from the rest of the cloud through the Internet; VLANs and network access control software collaboratively realize the corresponding logical network perimeters.
Scalability and reliability with IaaS: cloud providers auto-provision virtual servers via dynamic vertical scaling, performed through the VIM; manual scaling requires the cloud consumer to interact with a usage and administration program to explicitly request IT resource scaling; replicated IT resources can be arranged in a high-availability configuration that forms a failover system for implementation via the standard VIM; an alternative is a high-availability / high-performance resource cluster created at the physical or virtual server level, or both together.
Monitoring with IaaS platforms: (1) virtual server lifecycle: recording and tracking uptime and the allocation of IT resources for pay-per-use monitors and time-based billing (2) data storage: tracking and assigning the allocation of storage capacity to cloud storage devices on virtual servers for pay-per-use monitoring, and recording storage usage for billing (3) network traffic: for pay-per-use monitors that measure inbound and outbound network usage and SLA monitors that track QoS metrics such as response time and network losses (4) failure conditions: for SLA monitors that track IT resource and QoS metrics to provide warnings in times of failure (5) event triggers: for audit monitors that appraise and evaluate the regulatory compliance of selected IT resources; monitoring architectures within IaaS environments typically involve service agents that communicate directly with backend management systems.
IaaS security: encryption, hashing, digital signatures and PKI for overall protection of data transmission; IAM and SSO for accessing services and interface security systems that rely on user identification and authorization; cloud-based security groups for isolating virtual environments through hypervisors and network segments via network management software; hardened virtual server images for internally and externally available virtual server environments; cloud usage monitors to track provisioned virtual IT resources to detect abnormal usage patterns.
PaaS environments: need application development and deployment platforms in order to accommodate different programming models, languages and frameworks; a separate ready-made environment is usually created for each programming stack that contains the necessary software to run applications specifically developed for the platform; offer a resource management system that is customized for the PaaS so that cloud consumers can create and control customized virtual server images with ready-made environments.
PaaS scalability and reliability: addressed via dynamic scalability and workload distribution that rely on the use of native automated scaling listeners and load balancers; the resource pooling architecture is used to provision resource pools made available to multiple cloud consumers.
Failover system: the reliability of ready-made environments and hosted cloud services and applications can be supported with standard failover systems.
PaaS security: by default does not have any new cloud security controls beyond those for IaaS.
SaaS: implements cloud services that are based on multitenant environments that enable and regulate concurrent cloud consumer access.
SaaS models: (1) service load balancing: for workload distribution across redundant SaaS-based cloud services (2) dynamic failure detection and recovery: to establish a system that can automatically resolve some failure conditions without disruption in service to the SaaS (3) storage maintenance window: to allow for planned maintenance outages that do not impact the SaaS (4) elastic resource capacity / elastic network capacity: to establish inherent elasticity within the SaaS-based cloud service architecture that enables it to automatically accommodate a range of runtime scalability requirements (5) cloud balancing: to instill broad resiliency within the SaaS, which can be important for cloud services subjected to extreme concurrent usage volumes.
SaaS cloud usage monitors: (1) tenant subscription period: metric used by pay-per-use monitors to record and track application usage for time-based billing; incorporates application licensing and leasing periods that extend beyond the hourly period of IaaS and PaaS (2) application usage: metric based on user or security group, used with pay-per-use monitors for billing (3) tenant application functional module: metric used by pay-per-use monitors for function-based billing; cloud services can have different functional tiers according to whether the cloud consumer is a free-tier or paid subscriber.
SaaS security: distinct business processing logic will then add layers of additional cloud security or technologies.
IaaS environments: accessed by remote terminal applications (1) remote desktop for Windows-based environments provides a GUI (2) SSH client for Mac and others to allow for secure channel connections to text-based shell accounts; cloud consumers have a high degree of control over how and to what extent IT resources are provisioned as part of their IaaS environment.
PaaS: the IDE can offer a range of tools and programming resources such as software and class libraries, frameworks, APIs and various runtime capabilities that emulate the intended cloud-based deployment; these features allow developers to create, test and run application code within the cloud while using the IDE; compiled applications are then bundled and uploaded to the cloud and deployed via the ready-made environment; PaaS also allows applications to use cloud storage devices as independent data storing systems for holding development-specific data, such as a repository that is available outside of the cloud environment; both SQL and NoSQL are supported; PaaS environments provide less administrative control than IaaS but still offer a significant range of management features.
SaaS: accompanied by refined APIs designed to be part of a larger solution (e.g. Google Maps incorporated into a website); cloud consumers are relieved of the responsibilities and administration for the hosting environment; there are options for customization of runtime usage, security configuration, availability, usage costs, managing user accounts and access, SLA, automated options.
AWS: IaaS; consists of compute and storage servers interconnected by high-speed networks; data centers in each region and availability zone; regions do not share resources and communicate through the Internet.
AWS instances: an instance is a virtual server with specific resources (CPU cycles, memory, storage, communication I/O bandwidth); the user chooses the region and availability zone; the instance is provided with a DNS name mapped to a private IP (for internal communication within the EC2 network) and a public IP (for communication outside the internal AWS network); NAT maps external IPs to internal ones; the public IP is assigned for the lifetime of the instance; can request an elastic IP (a static public IP allocated to an instance from the available pool of the zone); the elastic IP is not released when the instance is stopped or terminated, it must be manually released.
DTGOV: network virtualization is used with logical network topologies; the VIM is positioned as the central tool for controlling the IaaS; dynamic scaling is added using the VIM.
Steps to run an application: (1) retrieve the user input from the front end (2) retrieve the VM image from the repository (3) locate a system and request the hypervisor running on that system to set up a VM (4) invoke the DHCP and IP bridging software to set up MAC and IP for the VM.
AWS management console: the easiest way to manage services; SDK libraries and toolkits are provided for programming languages; raw REST requests.
AWS services: Elastic Compute Cloud (EC2) (OSes), Simple Queue Service (SQS) (multiple EC2 instances), Simple Storage Service (S3) (Elastic Block Store (EBS) and storage), CloudWatch (performance monitoring), Auto Scaling (elastic resource management), Virtual Private Cloud (allows direct migration of parallel applications).
EC2 instance is characterized by: Virtual Computers (VC), the virtual systems running the instance; Compute Units (CU), the measure of computing power of each system; memory; I/O capabilities.
Instance types: standard: StdM (micro), StdS (small), StdL (large); high memory instances HMXL; high CPU instances HcpuXL; cluster computing Cl4XL.
S3: can handle a large number of objects ranging in size from 1 byte to 5 TB, stored in buckets with a developer-assigned key; a bucket is stored in a region; read, write, delete, but does not support copy, rename or move; object names are global; maintains the name, modification time, access control list and up to 4 KB of metadata per object; objects can be made public; computes the MD5 of every object written and returns it as an ETag.
Elastic Block Store (EBS): provides consistent block-level storage volumes for use with EC2 instances; used for databases, file systems and applications with raw data devices; a volume appears to an application as a raw, unformatted and reliable physical disk of 1 GB - 1 TB; an instance may mount many volumes but a volume cannot be shared among multiple instances; supports snapshots; volumes are grouped together in availability zones.
SimpleDB: non-relational datastore; supports query functions traditionally provided by relational databases; for high-performance web applications; creates multiple geographically distributed copies of each data item; automatically manages the infrastructure provisioning, hardware and software maintenance, replication and indexing of data items, and performance tuning.
Simple Queue Service (SQS): hosted message queues accessed through standard SOAP; supports automated workflow; EC2 instances can coordinate by sending and receiving SQS messages; a received message is locked during processing; if processing fails, the lock expires and the message is available again; queue sharing can be restricted by IP and time of day.
CloudWatch: monitoring used by application developers and system administrators to collect and track metrics; monitors 7 or 8 metrics; when launching an AMI the user can start CloudWatch and specify the type of monitoring: basic (free, collects every 5 min) or detailed monitoring (charged, data every minute).
Route 53: low-latency DNS service used to manage a user's public DNS records.
Elastic MapReduce (EMR): supports processing of large amounts of data using a hosted Hadoop running on EC2.
Simple Workflow Service (SWF): supports workflow management; allows scheduling, management of dependencies and coordination of multiple EC2 instances.
ElastiCache: enables web applications to retrieve data from a managed in-memory caching system rather than a much slower disk-based database.
DynamoDB: scalable and low-latency fully managed NoSQL database service.
CloudFront: web service for content delivery.
Elastic Load Balancer: automatically distributes incoming requests across multiple instances of the application.
Elastic Beanstalk: handles automatic deployment, capacity provisioning, load balancing, auto scaling and application monitoring; interacts with EC2, S3, SNS, Elastic Load Balancing and Auto Scaling; (1) deploy a new application or roll back (2) access to the results from CloudWatch (3) email notification when the application status changes (4) access to server log files without needing to log in to the application server; available using Java, PHP or .NET.
CloudFormation: allows the creation of a stack describing the infrastructure for an application.
SaaS by Google: Gmail, Google Docs, Google Calendar, Google Groups, Picasa (edit images), Google Maps.
PaaS by Google: App Engine: development platform hosted on the cloud (Python, Java, GQL); Google Co-op: allows users to create customized search engines based on a set of categories; Google Drive; Google Base: allows users to load structured data from different sources into a central repository.
PaaS and SaaS by Microsoft: Windows Azure: OS with 3 components: compute, storage, fabric controller (deploys, manages and monitors applications); SQL Azure: cloud SQL Server; Azure AppFabric (formerly .NET): a collection of services for cloud applications.
AWS security requirements users can control: what content is stored, which AWS services are used with the content, in what country the content is stored, the format and structure of that content and whether it is masked or encrypted, who has access to that content and how those access rights are granted, managed or revoked.
AWS shared responsibility model: AWS customers retain control over their data; the shared responsibility is fundamental to understanding the respective roles of the customer and AWS in the context of the cloud security principles; AWS operates, manages and controls the components from the host OS and virtualization layer down to the physical security of the facilities in which the service operates; customers are responsible for updates, patching and firewall configuration; host-based firewalls or IPS/IDS can enhance security while using AWS.
AWS global security infrastructure best practices and IT security standards include: FISMA, NIST, PCI Level 1, ISO 9001, 27001, 27017, 27018, SOC 1, FIPS 140-2.
AWS data center availability: no data center is cold; built in clusters; in case of a failure, automated processes move customer data traffic away from the affected area; core applications are deployed in an N+1 configuration so that in the event of a data center failure there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
AWS transmission protection: connect to AWS access points using HTTP(S) with the SSL cryptographic protocol.
AWS passwords: individual IAM account passwords can be up to 128 characters; MFA is used.
Access keys: AWS requires that all API requests be signed and include a digital signature.
Key pairs: EC2 uses public key cryptography to encrypt and decrypt login information: the public key to encrypt and the private key to decrypt.
AWS Direct Connect security: an 802.1q VLAN dedicated connection can be partitioned into multiple virtual instances.
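Added example (written for these notes, not AWS's own code or SDK) of what "all API requests be signed" means in practice: a minimal Python implementation of the published AWS Signature Version 4 scheme, with the client-side signing of a request and the service-side verification that recomputes the signature from the caller's stored secret. The access key ID, secret and the IAM ListUsers request are constructed sample values; the secret never travels with the request, and any change to a signed part (query, date header, payload) invalidates the signature.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"

# Constructed sample credentials and request (not real AWS keys).
SAMPLE_ACCESS_KEY_ID = "AKIAEXAMPLE00000"
SAMPLE_SECRET = "example-secret-access-key-not-real"
SAMPLE_HEADERS = {"Host": "iam.amazonaws.com", "X-Amz-Date": "20150830T123600Z",
                  "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
SAMPLE_QUERY = {"Action": "ListUsers", "Version": "2010-05-08"}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _canonical(method, path, query, headers, payload):
    """Canonical request: sorted URI-encoded query, lowercased sorted headers,
    and the SHA-256 of the payload instead of the payload itself."""
    h = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    cq = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(query.items()))
    ch = "".join(f"{k}:{h[k]}\n" for k in sorted(h))
    signed = ";".join(sorted(h))
    creq = "\n".join([method, path, cq, ch, signed, _sha256_hex(payload)])
    return creq, signed, h["x-amz-date"]


def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Per-day, per-region, per-service key derived by a chain of HMACs; the
    long-term secret is never applied to request data directly."""
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def compute_signature(secret, method, path, query, headers, payload, region, service):
    creq, signed, amz_date = _canonical(method, path, query, headers, payload)
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode())])
    key = derive_signing_key(secret, date, region, service)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest(), signed, scope


def sign_request(access_key_id, secret, method, path, query, headers, payload, region, service):
    """Client side: returns the Authorization header value to send with the request."""
    sig, signed, scope = compute_signature(secret, method, path, query, headers, payload, region, service)
    return f"{ALGORITHM} Credential={access_key_id}/{scope}, SignedHeaders={signed}, Signature={sig}"


def verify_request(authorization, secrets, method, path, query, headers, payload, region, service):
    """Service side: look up the caller's secret by access key ID, recompute the
    signature over the request as received, and compare in constant time."""
    try:
        parts = dict(p.strip().split("=", 1) for p in authorization.split(" ", 1)[1].split(","))
        access_key_id = parts["Credential"].split("/")[0]
    except (KeyError, ValueError, IndexError):
        return False
    secret = secrets.get(access_key_id)
    if secret is None:
        return False
    expected, _, _ = compute_signature(secret, method, path, query, headers, payload, region, service)
    return hmac.compare_digest(expected, parts.get("Signature", ""))
```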
Pricing structure for clouds: based on utility-centric pay-per-usage models that allow organizations to avoid up-front infrastructure costs.
Up-front costs: associated with the initial investment that organizations need to make in order to fund the IT resources they intend to use, by purchase or leasing.
On-going costs: represent the expenses required by an organization to run and maintain IT resources, on-premise or cloud-based.
Additional costs: to support and extend a financial analysis beyond the calculation and comparison of standard up-front and on-going cost metrics, several other more specialized business cost metrics can be taken into account: (1) cost of capital: a value that represents the cost incurred by raising required funds (2) sunk cost: an organization will often have existing IT resources that are already paid for and operational (3) integration costs: integration testing is a form of testing required to measure the effort required to make IT resources compatible and interoperable within a foreign environment such as a new cloud platform (4) locked-in cost: cloud environments can impose portability limitations.
Cloud usage cost metrics: a set of usage cost metrics for calculating costs associated with cloud resource usage measurements: (1) network usage: inbound and outbound network traffic as well as intra-cloud network traffic (2) server usage: virtual server allocation and resource reservation (3) cloud storage device: storage capacity allocation (4) cloud service: subscription duration, number of nominated users, number of transactions of cloud services and cloud-based applications; for each usage metric a description, measurement unit and frequency is provided.
Network usage: defined as the amount of data that is transferred over a network connection; network usage is typically calculated using separately measured inbound network usage traffic and outbound network usage traffic metrics in relation to cloud services or other IT resources (inbound network, outbound network, intra-cloud WAN usage metrics).
Network-related cost metrics are determined by the following: (1) static IP usage: IP allocation time (2) network load balancing: the amount of load-balanced network traffic in bytes (3) virtual firewall: the amount of firewall-processed network traffic per allocation time.
Server usage: allocation of virtual servers is measured using common pay-per-use metrics; IaaS and PaaS environments tend to provision virtual servers with a range of performance attributes that are generally determined by CPU and RAM consumption and the amount of available dedicated allocated storage.
Cloud storage device usage: charged by the amount of space allocated within a predefined period (on-demand storage allocation metric), in short-term increments such as on an hourly basis; another common cost metric for cloud storage is I/O data transferred, which measures the amount of transferred input and output data.
Cloud service usage: in SaaS environments measured using the following 3 metrics: application subscription duration metric, number of nominated users metric, number of transactions users metric.
Cost management considerations: (1) cloud service design and development: during this stage the vanilla pricing models and cost templates are typically defined by the organization delivering the cloud service (2) cloud service deployment: prior to and during the deployment of a cloud service, the backend architecture for usage measurement and billing-related data collection is determined and implemented, including the positioning of pay-per-use monitor and billing management system mechanisms.
Cloud service contracting: this phase consists of negotiation between the cloud consumer and cloud provider with the goal of reaching a mutual agreement on rates based on usage cost metrics.
Cloud service offering: this stage entails the concrete offering of a cloud service pricing model through cost templates and any available customization options.
Cloud service provisioning: cloud service usage and instance creation thresholds may be imposed by the cloud provider or set by the cloud consumer.
Cloud service operation: the phase where active usage of the cloud service produces usage cost metric data.
Cloud service decommissioning: when a cloud service is temporarily or permanently deactivated, statistical cost data may be archived.
Cloud service lifecycle: (1) cloud service design, implementation, deployment; pricing model design (2) cloud service offering (3) cloud service contracting; price negotiation (4) cloud service provisioning (5) cloud service operation; runtime costs (6) cloud service decommissioning.
Pricing models: defined using templates that specify unit costs for fine-grained resource usage according to usage cost metrics; factors that influence a pricing model: (1) market competition and regulatory requirements (2) overhead incurred during design, development, deployment and operation of cloud services and IT resources (3) opportunities to reduce expenses via IT resource sharing and data center optimization.
A pricing model: (1) cost metrics and associated prices: these are costs that are dependent on the type of IT resource allocation, such as on-demand vs reserved allocation (2) fixed and variable rate definitions: fixed rates are based on resource allocation and define the usage quotas included in the fixed price, while variable rates are aligned with actual resource usage (3) volume discounts: more IT resources are consumed as the degree of IT resource scaling progressively increases, thereby possibly qualifying a cloud consumer for higher discounts (4) cost and price customization options: the variable is associated with
payment options and schedules | price template: for cloud consumers that are appraising cloud providers and negotiating rates since they can vary depending on the adopted cloud delivery model EX. (1) IaaS: pricing is usually based on IT
resource allocation and usage, includes the amount of transferred network data, number of virtual servers, and allocation storage capacity (2) PaaS: defines pricing for network data transferred, virtual servers, storage, pricing is based on
software configurations, deployment tools, and licensing fees (3) SaaS: this model is solely concerned with application software usage, pricing is determined by the number of app modules in the subscription, the number of nominated
cloud service consumers and the number of transactions | negotiation: cloud provider pricing is often open to negotiation, can be executed online via the cloud providers website by submitting estimated usage volumes alone with proposed
discount | Payment Options: after completing each measurement period the cloud providers billing management system calculates the amount owed by a cloud consumer, two payment options prepayment and post payment | cost
archiving: tracking historical billing information; both cloud providers and cloud consumers can generate reports that help identify usage and financial trends
| SLA: the focal point of negotiations, contract terms, legal obligations and runtime metrics; SLAs include pricing models and payment terms, set cloud consumer expectations and are integral to how organizations build business automation around the use of cloud-based IT resources; human-readable documents that describe QoS guarantees and limitations
| Measurable QoS: (1) availability: uptime, outages, service duration (2) reliability: minimum time between failures, guaranteed rate of successful responses (3) performance: capacity, response time and delivery time (4) scalability: capacity fluctuation and responsiveness guarantees (5) resiliency: mean time to switchover and recovery
| Service quality metrics must be: (1) quantifiable: the unit of measurement is clearly set, absolute and appropriate, so that the metric can be based on quantitative measurements (2) repeatable: the method of measuring the metric needs to yield identical results when repeated under identical conditions (3) comparable: the unit of measurement used by a metric needs to be standardized and consistent; a service quantity metric cannot measure smaller quantities of data in bits and larger quantities in bytes (4) easily obtainable: the metric needs to be based on a non-proprietary, common form of measurement that can be easily obtained and understood by cloud consumers
| Availability rate metric: the overall availability of an IT resource is usually expressed as a percentage of uptime
| Outage duration metric: used to define both maximum and average continuous outage service level targets
| Mean time between failures (MTBF) metric: expected time between consecutive service failures = sum of normal operational period durations / number of failures |
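The availability rate, outage duration and MTBF metrics above are simple to state but easy to get wrong against real incident data (outages that straddle the measurement period, overlapping incidents counted twice). The following is an added example, not part of the original notes: it computes the three metrics from a constructed list of outage windows and checks them against service level targets. The outage records, the one-month measurement period and the target values are all assumptions for illustration.

```python
"""SLA metric calculator (added example; the outage data and targets are constructed)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime


@dataclass(frozen=True)
class SlaReport:
    availability_pct: float  # uptime / measurement period, as a percentage
    max_outage_min: float    # longest continuous outage in the period (minutes)
    avg_outage_min: float    # mean continuous outage length (minutes)
    mtbf_hours: float        # sum of normal operational periods / number of failures
    failures: int            # number of distinct outages in the period


def _clip(o: Outage, period_start: datetime, period_end: datetime) -> Outage | None:
    # Only the part of an outage that falls inside the measurement period counts.
    s, e = max(o.start, period_start), min(o.end, period_end)
    return Outage(s, e) if s < e else None


def sla_report(outages: list[Outage], period_start: datetime, period_end: datetime) -> SlaReport:
    period = period_end - period_start
    if period <= timedelta(0):
        raise ValueError("measurement period must be non-empty")
    clipped = [c for c in (_clip(o, period_start, period_end) for o in outages) if c]
    clipped.sort(key=lambda o: o.start)
    # Merge overlapping windows so concurrent incidents are one outage, not two.
    merged: list[Outage] = []
    for o in clipped:
        if merged and o.start <= merged[-1].end:
            merged[-1] = Outage(merged[-1].start, max(merged[-1].end, o.end))
        else:
            merged.append(o)
    downtime = sum((o.end - o.start for o in merged), timedelta(0))
    uptime = period - downtime                      # sum of normal operational periods
    failures = len(merged)
    durations = [(o.end - o.start).total_seconds() / 60 for o in merged]
    mtbf = uptime.total_seconds() / 3600 / failures if failures else float("inf")
    return SlaReport(
        availability_pct=uptime / period * 100,
        max_outage_min=max(durations, default=0.0),
        avg_outage_min=sum(durations) / failures if failures else 0.0,
        mtbf_hours=mtbf,
        failures=failures,
    )


def sla_breaches(r: SlaReport, availability_target_pct: float,
                 max_outage_target_min: float, avg_outage_target_min: float) -> list[str]:
    """Names of the service level targets the period missed (empty list = SLA met)."""
    breaches = []
    if r.availability_pct < availability_target_pct:
        breaches.append("availability")
    if r.max_outage_min > max_outage_target_min:
        breaches.append("max outage")
    if r.avg_outage_min > avg_outage_target_min:
        breaches.append("avg outage")
    return breaches


# Constructed sample: one calendar month and four incident records, including an
# outage that began before the period and two that overlap each other.
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 2, 1)
SAMPLE_OUTAGES = [
    Outage(datetime(2023, 12, 31, 23, 0), datetime(2024, 1, 1, 0, 10)),   # clipped to 10 min
    Outage(datetime(2024, 1, 3, 2, 0), datetime(2024, 1, 3, 2, 30)),      # 30 min
    Outage(datetime(2024, 1, 10, 14, 0), datetime(2024, 1, 10, 14, 45)),  # overlaps next
    Outage(datetime(2024, 1, 10, 14, 30), datetime(2024, 1, 10, 15, 0)),  # merged: 60 min
]

if __name__ == "__main__":
    report = sla_report(SAMPLE_OUTAGES, PERIOD_START, PERIOD_END)
    print(report)
    print("breaches:", sla_breaches(report, 99.9, 45.0, 30.0))
```

With the constructed data, 100 minutes of downtime in a 44,640-minute month gives an availability rate of about 99.776%, which already misses a 99.9% target even though each individual outage is short; the MTBF comes out at roughly 247 hours from three failures.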
Reliability rate metric: overall reliability is more complicated to measure and is usually defined by a reliability rate, which measures the effect of non-fatal errors and failures that occur during uptime periods
| Server capacity metrics: measured in number of CPUs, CPU GHz and RAM size in GB | Web application capacity metric: rate per minute