Ia 2

Uploaded by Susith Kannan

PART B

4. Explain in detail about IAM architecture(UNIT 5)

Identity and Access Management (IAM) is administered by the root user (administrator) of the organization's cloud account; the root identity should be used only for account setup, with day-to-day work done through IAM users and roles. A user represents one person (or one application) within the organization, and users can be collected into groups so that all members of a group receive the same privileges on the services; the permissions are attached to the group once rather than repeated for every user.

Shared Responsibility Model for Identity Access Management

Cloud Service Provider (CSP)
- Infrastructure (global security of the network, facilities and hardware)
- Configuration and vulnerability analysis of the IAM service itself
- Compliance validation (third-party audits and certifications of the platform)
Customer
- Users, groups, roles and policies: their management and monitoring
- Use the IAM tools to apply appropriate, least-privilege permissions
- Analyze access patterns and regularly review and remove unused permissions
The Architecture of Identity Access Management
User Management:- Activities that control and manage identities over their whole life cycle (creation, change, suspension, deletion).
Authentication Management:- Activities that control and manage the process of establishing which user (or service) is trying to access a service, i.e. verifying the presented credentials before any access decision is made.
Authorization Management:- Activities that control and manage the process of deciding which services an authenticated identity may use, according to the policies defined by the organization's administrator.
Access Management:- The run-time enforcement point: it handles each request from a user who wants to reach a resource within the organization and applies the authentication and authorization decisions above to it.
Data Management and Provisioning:- Identity data and the authorizations attached to it are propagated to the IT resources (directories, applications, databases) through automated or manual provisioning processes.
Monitoring and Auditing:- Based on the defined policies, users' access to resources within the organization is monitored, audited and reported, so that misuse and policy drift can be detected.
Operational Activities of IAM:- Provisioning onboards a new user onto the organization's systems and applications and grants the access to services and data that the user's role requires. Deprovisioning is the exact reverse: the user's identity is deleted or deactivated and every privilege attached to it is revoked. Incomplete deprovisioning (orphaned accounts, API keys or tokens left behind) is a common source of unauthorized access.
Credential and Attribute Management:- Credentials are bound to an individual user and are verified during authentication. This covers allotting usernames, static or dynamic passwords (one-time codes, hardware tokens), handling password expiry and rotation, managing the encryption of stored credentials, and maintaining the user's access policies and attributes.
Entitlement Management:- Also known as authorization policy management: the provisioning and de-provisioning of the privileges a user holds on databases, applications and systems. Only the privileges required by the user's role are granted (least privilege), which limits the damage a compromised or misused account can do.
Identity Federation Management:- Manages identity relationships that extend beyond the organization's own network, i.e. between different organizations. A federation is a set of organizations that agree to exchange identity and attribute information about their users (typically with standards such as SAML or OpenID Connect) so that collaboration and transactions can take place without duplicating accounts.
Centralization of Authentication and Authorization:- A central authentication and authorization service is built so that individual applications do not need to implement their own login and permission logic. This avoids inconsistent, home-grown security code and promotes a loosely coupled architecture in which applications delegate identity decisions to the shared service.
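The following is an added example, not part of the original notes and not any cloud provider's IAM code. It is a toy policy evaluator that exercises the pieces described above: provisioning and deprovisioning of users, group-based entitlements, a per-user explicit deny, default deny for unknown identities, and an audit log of every decision. The policy format, user names, action names and resource paths are hypothetical and constructed for the example.

```python
# Added example (not from the notes): a toy IAM-style policy evaluator.
# Policy shape, user names and resources are hypothetical; the rules
# (default deny, explicit deny beats allow, group membership, deprovisioning
# revokes everything, audit log) are the ones the architecture describes.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Statement:
    effect: str        # "Allow" or "Deny"
    actions: list      # e.g. ["storage:Get*"]; fnmatch-style wildcards
    resources: list    # e.g. ["reports/*"]

    def matches(self, action: str, resource: str) -> bool:
        return (any(fnmatchcase(action, a) for a in self.actions)
                and any(fnmatchcase(resource, r) for r in self.resources))


@dataclass
class Directory:
    users: dict = field(default_factory=dict)           # user -> set of groups
    group_policies: dict = field(default_factory=dict)  # group -> [Statement]
    user_policies: dict = field(default_factory=dict)   # user -> [Statement]
    audit_log: list = field(default_factory=list)

    # Provisioning: create the identity and attach it to its groups.
    def onboard(self, user, groups):
        self.users[user] = set(groups)
        self.audit_log.append(("onboard", user, tuple(sorted(groups))))

    # Deprovisioning: remove the identity and every privilege bound to it.
    def deprovision(self, user):
        self.users.pop(user, None)
        self.user_policies.pop(user, None)
        self.audit_log.append(("deprovision", user))

    def statements_for(self, user):
        stmts = list(self.user_policies.get(user, []))
        for group in self.users.get(user, ()):
            stmts.extend(self.group_policies.get(group, []))
        return stmts

    # Access management: one decision per request, written to the audit log.
    def is_allowed(self, user, action, resource) -> bool:
        if user not in self.users:             # unknown or deprovisioned identity
            self.audit_log.append(("deny", user, action, resource, "no-identity"))
            return False
        decision = False                       # default deny
        for stmt in self.statements_for(user):
            if not stmt.matches(action, resource):
                continue
            if stmt.effect == "Deny":          # an explicit deny always wins
                decision = False
                break
            decision = True
        self.audit_log.append(("allow" if decision else "deny", user, action, resource))
        return decision


def demo() -> dict:
    """Constructed scenario: two groups, one per-user deny, one offboarding."""
    d = Directory()
    d.group_policies["analysts"] = [Statement("Allow", ["storage:Get*", "storage:List*"], ["reports/*"])]
    d.group_policies["admins"] = [Statement("Allow", ["*"], ["*"])]
    d.onboard("alice", ["analysts"])
    d.onboard("eve", ["analysts"])
    d.onboard("bob", ["admins"])
    # Entitlement management: eve keeps her group rights but loses one file.
    d.user_policies["eve"] = [Statement("Deny", ["storage:*"], ["reports/salary.csv"])]
    results = {
        "alice_read": d.is_allowed("alice", "storage:GetObject", "reports/q1.csv"),
        "alice_delete": d.is_allowed("alice", "storage:DeleteObject", "reports/q1.csv"),
        "eve_read_q1": d.is_allowed("eve", "storage:GetObject", "reports/q1.csv"),
        "eve_read_salary": d.is_allowed("eve", "storage:GetObject", "reports/salary.csv"),
        "bob_delete": d.is_allowed("bob", "storage:DeleteObject", "reports/q1.csv"),
    }
    d.deprovision("bob")
    results["bob_after_offboarding"] = d.is_allowed("bob", "storage:DeleteObject", "reports/q1.csv")
    results["audit_entries"] = len(d.audit_log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The evaluation order matters: a matching Deny ends evaluation immediately, so adding a deny to a user can never be undone by any group Allow, which is how a single-file restriction on eve coexists with her analyst rights. Deprovisioning removes the identity itself, so the decision for bob falls through to default deny without consulting any policy.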

UNIT 4
1. How could you use Google App Engine to create a website that helps people learn about protecting
the environment and taking care of animals?

GOOGLE APPLICATION ENGINE (GAE)

Google App Engine is a PaaS cloud that provides a complete web service environment (platform).
GAE provides a web application development platform for users.
All required hardware, operating systems and software are provided to clients.
Clients develop their own applications, while App Engine runs the applications on Google's servers.
GAE makes it easy to develop a web application, because server provisioning, patching, scaling and load balancing are handled by Google.
When launched, App Engine supported only the Python and Java programming languages; later runtimes added Go, PHP, Node.js and Ruby.
The Google App Engine (GAE) provides a powerful distributed data storage service (the Datastore).

GOOGLE CLOUD INFRASTRUCTURE

Google has built its cloud offering on a large number of data centers.
E.g.: Google established cloud services such as Gmail and Google Docs.

These applications can support a large number of users simultaneously with High Availability (HA).

In 2008, Google announced the GAE web application platform. GAE enables users to run their applications across Google's many data centers.

The Google App Engine environment includes the following features:

Dynamic web serving
Persistent storage with queries, sorting, and transactions
Automatic scaling and load balancing
An Application Programming Interface (API) for authenticating users

FUNCTIONAL MODULES OF GAE

Secure Data Connector (SDC): when a user wants to get data from a resource inside the company network, he/she first sends an authorized data request to Google Apps.
Google Apps forwards the request to the tunnel server.
The tunnel server validates the identity of the request.
If the identity is valid, the tunnel protocol allows the SDC to set up the connection, authenticate, and encrypt the data that flows across the Internet.
The SDC also validates whether the user is authorized to access the specified resource, so a valid identity alone is not enough to reach the data.
Application runtime environment: offers a platform for web programming and execution. It originally supported two development languages, Python and Java.
Software Development Kit (SDK): used for local application development. The SDK allows users to execute test runs of applications locally and to upload application code.
Administration console: used for easy management of the application development cycle (versions, logs, quotas and access).
GAE web service infrastructure: provides special guarantees for flexible use and management of the storage and network resources used by GAE applications.
Google offers GAE to all Google account owners with a free daily quota; usage above the quota is billed.
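As an added example (not from the notes and not Google's code), here is a dependency-free WSGI application of the kind the App Engine Python 3 standard runtime serves, answering the question above with the site's dynamic web serving plus the one check a practitioner would insist on: every value taken from the request is HTML-escaped before it is reflected into a page. The page content, routes and search feature are hypothetical; the app.yaml lines in the comment are an assumption about deployment and are not shown in the notes.

```python
# Added example (not from the notes): a dependency-free WSGI app of the kind
# App Engine's Python 3 standard runtime serves. Pages and routes are
# hypothetical content for the environment / animal-care site. Deployment
# needs an app.yaml (an assumption here, not in the notes), for example:
#   runtime: python39
#   entrypoint: gunicorn -b :$PORT main:app
# followed by `gcloud app deploy`; App Engine then scales the `app` callable.
import html
from urllib.parse import parse_qs

PAGES = {
    "/": ("Protecting the Environment",
          "Reduce waste, save energy and protect natural habitats."),
    "/animals": ("Caring for Animals",
                 "Adopt rather than buy, vaccinate pets and report cruelty."),
}

SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
]


def render(title: str, body: str) -> str:
    # Everything that reaches the page goes through html.escape, so a query
    # such as q=<script> is displayed as text, not executed (reflected XSS).
    return (f"<!doctype html><html><head><title>{html.escape(title)}</title></head>"
            f"<body><h1>{html.escape(title)}</h1><p>{html.escape(body)}</p></body></html>")


def app(environ, start_response):
    path = environ.get("PATH_INFO", "/")
    if path in PAGES:
        status, page = "200 OK", render(*PAGES[path])
    elif path == "/search":
        q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
        hits = [title for title, _ in PAGES.values() if q.lower() in title.lower()]
        status, page = "200 OK", render(f"Results for {q}", ", ".join(hits) or "no matches")
    else:
        status, page = "404 Not Found", render("Page not found", path)
    data = page.encode("utf-8")
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Content-Length", str(len(data)))] + SECURITY_HEADERS
    start_response(status, headers)
    return [data]


def call(path: str, query: str = ""):
    """Invoke the app in-process with a minimal WSGI environ (for local testing)."""
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app({"PATH_INFO": path, "QUERY_STRING": query,
                         "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body.decode("utf-8")


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Run it locally with `python main.py` and open http://127.0.0.1:8080/search?q=animals; the same `app` object is what the App Engine entrypoint hands to gunicorn, so nothing changes between local testing and deployment except the scaling and load balancing that the platform adds.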
PART C
1.Compare and contrast the Docker containers to virtual machines and also describe the docker
architecture and its components.
Docker vs Virtual Machines
A virtual machine runs a complete guest operating system on top of a hypervisor, so each VM carries its own kernel, libraries and binaries and is isolated from its neighbours by the hypervisor. A Docker container shares the host's kernel and is isolated with kernel namespaces and cgroups; it packages only the application, its libraries and its runtime. Containers therefore start in seconds and use far less memory and disk than VMs, but the shared kernel is a single attack surface: a kernel bug reachable from inside a container can affect the host and every other container, whereas an attacker in a VM has to cross the hypervisor boundary.
Docker is a software platform that allows you to build, test, and deploy applications quickly. Docker packages software into standardized units called containers that have everything the software needs to run, including libraries, system tools, code, and runtime. Using Docker, you can quickly deploy and scale applications into any environment.
Docker Architecture and Components
Docker Engine is the core of Docker and follows a client-server architecture. It consists of three components:

1. **Server (dockerd)**: the long-running daemon that builds and manages Docker images, containers, networks and volumes. It normally runs as root, so anyone who can reach its socket (by default /var/run/docker.sock) effectively has root on the host.
2. **REST API**: the interface through which programs and the CLI instruct the daemon what to do, over the local Unix socket or, if enabled, over TCP (which must then be protected with TLS client certificates).
3. **Command Line Interface (CLI)**: the `docker` command used to enter Docker commands; it is itself a client of the REST API.

**Docker Client**: interacts with Docker through commands and sends them to the Docker daemon, which may be local or remote.

**Docker Registries**: where Docker images are stored and pulled from, including public registries (like Docker Hub) and private registries. Images should be pulled from trusted repositories, and preferably by digest, because whatever a registry serves is executed on the host.

**Docker Objects**:
- **Images**: read-only templates with instructions for creating containers. An image is a stack of read-only layers; a container adds a thin writable layer on top, and the image layers themselves are never modified.
- **Containers**: running instances of Docker images, holding the application and its environment.
- **Volumes**: store persistent data used by containers, managed through the Docker CLI or API, so that data outlives the container's writable layer.
- **Networking**: allows communication between otherwise isolated containers.

**Sample command to run an Ubuntu Docker container**:


```
docker run -i -t ubuntu /bin/bash
```
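The following is an added example, not from the notes and not Docker's own code: a small model of how images and containers relate. It shows the read-only image layers, the private writable layer that each container gets, copy-on-write with whiteout markers for deletions, and how committing a container freezes its writable layer into a new image layer whose lower layers keep the same content-addressed IDs. Layer contents and paths are constructed for the example.

```python
# Added example (not from the notes, not Docker's code): a toy model of Docker
# image layers and container writable layers. Paths and file contents are
# constructed. Modelled behaviour: image layers are read-only, each container
# writes only to its own top layer (copy-on-write; deletions become whiteout
# markers), and a commit freezes that top layer into a new read-only layer.
import hashlib
import json

WHITEOUT = None   # marker meaning "this path is deleted in this layer"


def layer_digest(layer: dict) -> str:
    """Content-addressed layer ID, the way registries identify layers."""
    canonical = json.dumps(layer, sort_keys=True).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()[:12]


class Image:
    def __init__(self, layers):
        # Bottom-to-top stack of read-only layers; copied so nobody can mutate them.
        self.layers = tuple(dict(layer) for layer in layers)

    def ids(self):
        return [layer_digest(layer) for layer in self.layers]


class Container:
    def __init__(self, image: Image):
        self.image = image
        self.rw = {}   # this container's private writable layer

    def _stack(self):
        # Union view, newest layer first
        return [self.rw] + list(reversed(self.image.layers))

    def read(self, path):
        for layer in self._stack():
            if path in layer:
                return layer[path]     # None here means a whiteout hides the file
        return None

    def write(self, path, data):
        self.rw[path] = data           # copy-on-write: image layers are untouched

    def delete(self, path):
        self.rw[path] = WHITEOUT       # hides the lower-layer file for this container only

    def listing(self):
        seen = {}
        for layer in reversed(self._stack()):   # apply layers bottom-up
            seen.update(layer)
        return sorted(p for p, v in seen.items() if v is not WHITEOUT)

    def commit(self) -> Image:
        """Like `docker commit`: freeze the writable layer as a new read-only layer."""
        return Image(list(self.image.layers) + [dict(self.rw)])


def demo() -> dict:
    base = Image([
        {"/etc/passwd": "root:x:0:0:root:/root:/bin/bash"},   # constructed base layer
        {"/app/main.py": "print('hello')"},                    # constructed app layer
    ])
    c1, c2 = Container(base), Container(base)   # two containers from one image
    c1.write("/app/config.json", '{"debug": true}')
    c1.delete("/etc/passwd")
    derived = c1.commit()
    c3 = Container(derived)
    return {
        "c1_sees_config": c1.read("/app/config.json") is not None,
        "c2_sees_config": c2.read("/app/config.json") is not None,
        "c1_sees_passwd": c1.read("/etc/passwd") is not None,
        "c2_sees_passwd": c2.read("/etc/passwd") is not None,
        "base_unchanged": "/app/config.json" not in base.layers[1],
        "c3_files": c3.listing(),
        "derived_layer_count": len(derived.layers),
        "base_ids_shared": derived.ids()[:2] == base.ids(),
    }
```

The two containers c1 and c2 share every byte of the image but see none of each other's writes, which is why the image can be cached once per host while the writable layer is discarded with the container; anything that must survive belongs in a volume, not in the container's top layer.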

**Network Drivers in Docker**:

1. **Bridge**: the default network driver for standalone containers; containers on the same bridge can reach each other, and ports are exposed to the outside only when explicitly published to the host.
2. **Host**: removes network isolation between the container and the Docker host; the container uses the host's network stack and ports directly.
3. **Overlay**: connects multiple Docker daemons and enables swarm services to communicate with each other across hosts.
4. **None**: disables all networking for the container.
5. **macvlan**: assigns a MAC address to each container so that it appears as a physical device on the network; traffic is delivered to the container by MAC address, which suits legacy applications that expect to sit directly on the physical network.

2 MARKS

1.Google App Engine is a PaaS cloud that provides a complete Web service environment(Platform)
GAE provides Web application development platform for users.
All required hardware, operating systems and software are provided
to clients.
Clients can develop their own applications, while App Engine runs
the applications on Google’s servers.
GAE helps to easily develop an Web Application
When launched, App Engine supported only the Java and Python programming languages; later runtimes added Go, PHP, Node.js and Ruby.
The Google App Engine (GAE) provides a powerful distributed data
storage service.

2. Azure is a cloud computing platform and an online portal that allows you to access and manage cloud services and resources provided by Microsoft. These services and resources include storing your data and transforming it, depending on your requirements. To get access to these resources and services, all you need is an active internet connection and the ability to connect to the Azure portal. It is free to start and follows a pay-per-use model, which means you pay only for the services you opt for. Azure supports multiple programming languages, including Java, Node.js, and C#.

3. AWS EC2 (Elastic Compute Cloud)

Amazon EC2 is a web service provided by the AWS cloud that offers secure, resizable and scalable compute capacity in the form of virtual machines (instances). Instances are launched from images that are pre-configured with an operating system and, optionally, required software. AWS manages the underlying infrastructure, so you just launch and terminate EC2 instances whenever you want, and you can scale the number or size of instances up and down depending on the incoming traffic. The other advantage of EC2 is that you pay only for what you use, i.e. a pay-as-you-go model.

4. OpenStack is an open-source cloud computing platform that provides a range of services for building and managing public and private clouds. Its key services include:
1. Nova: Compute service for managing virtual machines.
2. Swift: Object storage for unstructured data.
3. Cinder: Block storage for attaching volumes to VMs.
4. Neutron: Networking service for creating and managing networks.
5. Keystone: Identity service for authentication and authorization.
6. Glance: Image service for managing virtual machine images.
7. Horizon: Web-based dashboard for managing OpenStack resources.
8. Heat: Orchestration service for automating infrastructure deployment.
5. Eucalyptus, an open-source software platform for building private and hybrid clouds with an AWS-compatible API, offers three modes of network components:
1. Managed Mode: Eucalyptus manages a local network of instances, handling tasks such as security groups, elastic IP addresses and IP address assignment, and isolating VMs of different security groups from one another.
2. System Mode: Eucalyptus assigns a MAC address to each instance and attaches its network interface to the physical network via the Node Controller's bridge; IP addresses come from the site's existing DHCP server. System Mode lacks features like elastic IP addresses, security groups, and VM isolation.
3. Static Mode: Eucalyptus assigns IP addresses to instances from an administrator-defined map of MAC addresses to IP addresses, but like System Mode it lacks elastic IPs, security groups, and VM isolation.
6. A virtualization attack targets vulnerabilities in the virtualization infrastructure, aiming to compromise virtual machines, the hypervisor, or the underlying hardware. The main classes are:
1. Escape attacks: code running inside a guest VM breaks out of the VM boundary, usually through a bug in the hypervisor or in an emulated device, and runs on the host or hypervisor.
2. VM-to-VM attacks: one guest attacks another guest on the same host, for example through the shared virtual network or through side channels in shared caches and memory.
3. Hypervisor attacks: the hypervisor itself is exploited or its management interface is abused; because it controls every guest, a compromise exposes all VMs on the host.
4. Resource exhaustion attacks: a guest consumes CPU, memory, disk or network capacity so that co-located VMs are starved (a denial of service).
5. Data interception attacks: traffic on the virtual network, or data in VM memory and disk images, is sniffed or read by an attacker with access to the host or the virtual switch.

7.Guest hopping, also known as VM jumping, is a type of cyber attack where a malicious actor moves from one virtual
machine to another within the same virtualized environment. This attack exploits vulnerabilities in the virtualization
infrastructure, allowing the attacker to gain unauthorized access to multiple virtual machines and potentially compromise the
hypervisor.
The process typically involves the following steps
Identification
Initial Access
Lateral Movement
Complete Access

8. The five components of data security in cloud storage are:

1. Encryption: data is encrypted at rest on the provider's storage and in transit (TLS) between client and provider.
2. Client-side Encryption: data is encrypted on the client before upload, so the provider only ever stores ciphertext.
3. Zero-Knowledge Encryption: the provider never holds the encryption keys (they are derived on the client from the user's passphrase), so it cannot read the data even if breached or compelled; the trade-off is that a lost passphrase means the data is unrecoverable.
4. Two-Factor Authentication (2FA): a second factor is required at login, so a stolen password alone does not give access.
5. Content Control and Ransom Protection: access controls and sharing restrictions prevent unauthorized access, while file versioning and anomaly detection allow recovery when ransomware encrypts synced files.

9. The principle of IAM (Identity and Access Management) is about controlling access to resources based on user identities. It
involves authentication to verify users' identities, authorization to grant or deny access, and ensuring the principle of least
privilege to limit access to only what is necessary for each user.

10. Data Security and Storage in Cloud Computing: Data security and storage in cloud computing involve
safeguarding data stored in the cloud from unauthorized access, breaches, and loss. This includes encryption, access
controls, backups, disaster recovery plans, and compliance with data protection regulations.
11. Containers vs. Virtual Machines: Containers and virtual machines (VMs) both enable software to run in isolated
environments, but they differ in their architecture and resource utilization. VMs virtualize the entire hardware stack,
including the operating system, enabling multiple OS instances to run on a single physical server. Containers, on the
other hand, virtualize the operating system and share the host OS kernel, resulting in lightweight and faster
deployment compared to VMs.
12. Purpose of Docker Hub: Docker Hub is a cloud-based registry service provided by Docker, Inc. It serves as a
centralized repository for Docker images, enabling developers to share, distribute, and collaborate on containerized
applications. Docker Hub hosts official images, community-contributed images, and private repositories for
organizations, making it easier to build and deploy containerized applications.
13. Storage Virtualization: Storage virtualization is the process of abstracting physical storage resources and presenting
them as logical storage pools to users or applications. This allows for centralized management, scalability, and
flexibility in allocating storage resources across different storage devices or systems. Storage virtualization helps
optimize storage utilization, improve performance, and simplify storage management tasks.
14. Issues in Migration Process: Some common issues in the migration process to cloud computing include:
 Data security and compliance concerns
 Compatibility and interoperability with existing systems
 Data transfer and migration complexities
 Downtime and disruption to business operations
 Performance and latency considerations
 Cost management and budgeting
 Staff training and skill gaps
 Vendor lock-in and dependency
 Regulatory and legal issues, especially regarding data privacy and jurisdiction.
