Security Management in the Cloud - IaaS Availability Management

Managing your IaaS virtual infrastructure in the cloud depends on five factors:

• Availability of a CSP network, host, storage, and support application infrastructure. This factor depends on the following:

  • CSP data center architecture, including a geographically diverse and fault-tolerance architecture.

  • Reliability, diversity, and redundancy of Internet connectivity used by the customer and the CSP.

  • Reliability and redundancy architecture of the hardware and software components used for delivering compute and storage services.

  • Availability management process and procedures, including business continuity processes established by the CSP.

  • Web console or API service availability. The web console and API are required to manage the life cycle of the virtual servers. When those services become unavailable, customers are unable to provision, start, stop, and deprovision virtual servers.

  • SLA. Because this factor varies across CSPs, the SLA should be reviewed and reconciled, including exclusion clauses.

• Availability of your virtual servers and the attached storage (persistent and ephemeral) for compute services (e.g., Amazon Web Services’ S3^[52] and Amazon Elastic Block Store).

  ^[52] Amazon Simple Storage Service (S3). See http://aws.amazon.com/s3/ for more information.

• Availability of virtual storage that your users and virtual server depend on for storage service. This includes both synchronous and asynchronous storage access use cases. Synchronous storage access use cases demand low data access latency and continuous availability, whereas asynchronous use cases are more tolerant to latency and availability. Examples for synchronous storage use cases include database transactions, video streaming, and user authentication. Inconsistency or disruptions to storage in synchronous storage has a higher impact on overall server and application availability. A common example of an asynchronous use case is a cloud-based storage service for backing up your computer over the Internet.

• Availability of your network connectivity to the Internet or virtual network connectivity to IaaS services. In some cases, this can involve virtual private network (VPN) connectivity between your internal private data center and the public IaaS cloud (e.g., hybrid clouds).

• Availability of network services, including a DNS, routing services, and authentication services required to connect to the IaaS service.

IaaS Health Monitoring

The following options are available to IaaS customers for managing the health of their service:

• Service health dashboard published by the CSP.

• CCID (this database is generally community-supported, and may not reflect all CSPs and all incidents that have occurred).

• CSP customer mailing list that notifies customers of occurring and recently occurred outages.

• Internal or third-party-based service monitoring tools (e.g., Nagios) that periodically check the health of your IaaS virtual server. For example, Amazon Web Services (AWS) is offering a cloud monitoring service called CloudWatch. This web service provides monitoring for AWS cloud resources, including Amazon’s Elastic Compute Cloud (EC2). It also provides customers with visibility into resource utilization, operational performance, and overall demand patterns, including metrics such as CPU utilization, disk reads and writes, and network traffic.

• Web console or API that publishes the current health status of your virtual servers and network.

Similar to SaaS service monitoring, customers who are hosting applications on an IaaS platform should take additional steps to monitor the health of the hosted application. For example, if you are hosting an e-commerce application on your Amazon EC2 virtual cloud, you should monitor the health of both the e-commerce application and the virtual server instances.