Resource Management (Erl, Naserpour)
How can a cloud consumer safely manage an IT resource without impacting neighboring IT resources?
Problem: When cloud consumers access and manage deployed IT resources that coexist with other IT resources as part of a live production environment, management changes to an IT resource may inadvertently negatively impact others.
Solution: A set of tools and backend controls are provided by the cloud provider to protect the management activity of one cloud consumer from others.
Application: Cloud consumers are given limited access levels and management options, and their management activity is further confined to their respective logical network perimeters.
Mechanisms: Audit Monitor, Cloud Usage Monitor, Logical Network Perimeter, Remote Administration System, Resource Management System
Compound Patterns: Burst In, Burst Out to Private Cloud, Burst Out to Public Cloud, Elastic Environment, Infrastructure-as-a-Service (IaaS), Multitenant Environment, Platform-as-a-Service (PaaS), Private Cloud, Public Cloud, Resilient Environment, Software-as-a-Service (SaaS)
When a cloud consumer carries out management tasks on an IT resource, neighboring IT resources (belonging to the same or different cloud consumer) can be inadvertently impacted.
Figure 1 - In this example, the cloud consumer makes a remote management change to a physical server, which accidentally affects a virtual server hosting a database in another part of the cloud environment. In this scenario, all IT resources belong to the same cloud consumer.
For example, the logical network perimeter established for one cloud consumer may encompass IT resources that are shared with other cloud consumers. This means the same physical server may be hosting virtual servers that belong to different logical network perimeters, so a change at the physical layer (a reboot, a network reconfiguration) has a blast radius that crosses perimeter boundaries even though the consumer only sees its own resources.
A set of tools and backend controls are provided by the cloud provider to specifically limit the access levels and management options of each cloud consumer to the IT resources it is granted access.
This pattern is applied via frontend portal controls and corresponding backend scripts and logic, and is therefore typically combined with the Centralized Remote Administration pattern. The controls established by this pattern essentially confine each cloud consumer’s access to within its designated logical network perimeter and further enforce the levels of access the cloud consumer has to IT resources within the perimeter.
The tools established by this pattern can further include a sandbox environment that allows cloud consumers to safely test and execute management changes before committing the changes to the production environment. The sandbox environment limits the amount of access cloud consumers have to physical resources, and also allows for the monitoring of commands and configuration requests.
The sandbox environment provides two key features:
- An auditing system audits commands and requests before passing them to the actual IT resources. This way, any conflicts or misconfigurations can be detected and the cloud consumer notified before the changes are applied to the production environment.
- Log files are maintained to keep a record of all commands and requests made, whether they were accepted or rejected. This aids troubleshooting and provides an audit trail of management activity.
Figure 2 - Cross-IT resource management tools and logic are used to check (and optionally audit and log) commands before allowing them to be executed.
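The following is an added example (not code from the pattern catalogue or from any cloud provider) of the backend control and pre-commit audit described above: a management-request gateway that confines each cloud consumer's commands to its logical network perimeter, enforces a per-resource access level, checks the blast radius of a disruptive command against neighbouring resources on the same physical host (the Figure 1 scenario), and logs every request. The resource identifiers, command names, access levels and the `Gateway`/`Resource` types are assumptions made for the illustration; the constructed scenario places a database virtual server from another perimeter on the physical server the consumer is about to reboot.

```python
"""Management-request gateway for the Resource Management pattern.

Added example, not code from the pattern catalogue: it models a cloud
provider's backend control that confines each cloud consumer's management
commands to its logical network perimeter, enforces per-resource access
levels, audits the blast radius of a command before it reaches production,
and logs every request. Resource names, command names and access levels
are assumptions made for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Access levels, lowest to highest impact (assumed ordering).
LEVEL_RANK = {"view": 0, "configure": 1, "power": 2}
# Minimum access level each command needs (assumed).
COMMAND_LEVEL = {"describe": "view", "set_tag": "configure",
                 "reboot": "power", "reconfigure_network": "power"}
# Commands that disrupt everything hosted on a physical target (assumed).
DISRUPTIVE = {"reboot", "reconfigure_network"}


@dataclass
class Resource:
    rid: str
    kind: str                    # "physical" or "virtual"
    host: Optional[str] = None   # physical server a virtual server runs on


@dataclass
class Gateway:
    resources: dict[str, Resource]
    perimeters: dict[str, set[str]]      # consumer -> resource ids inside its logical network perimeter
    grants: dict[tuple[str, str], str]   # (consumer, resource id) -> highest access level granted
    log: list[dict] = field(default_factory=list)                 # provider-side audit log
    applied: list[tuple[str, str, str]] = field(default_factory=list)  # stand-in for the real backend

    def neighbours_outside_perimeter(self, consumer: str, host: Resource) -> list[str]:
        """Virtual servers on a physical host that are NOT in the consumer's perimeter."""
        perimeter = self.perimeters.get(consumer, set())
        return [r.rid for r in self.resources.values()
                if r.kind == "virtual" and r.host == host.rid and r.rid not in perimeter]

    def audit(self, consumer: str, command: str, rid: str) -> dict:
        """Check one command without executing it (the sandbox / pre-commit audit)."""
        # 1. Perimeter confinement: the consumer may only address its own resources.
        if rid not in self.perimeters.get(consumer, set()) or rid not in self.resources:
            return {"allowed": False, "reason": "target outside your logical network perimeter"}
        # 2. Access level: the command must not exceed what was granted on that resource.
        needed = COMMAND_LEVEL.get(command)
        if needed is None:
            return {"allowed": False, "reason": f"unknown command {command!r}"}
        granted = self.grants.get((consumer, rid))
        if granted is None or LEVEL_RANK[granted] < LEVEL_RANK[needed]:
            return {"allowed": False, "reason": f"{command} needs {needed!r} access on {rid}"}
        # 3. Blast radius: a disruptive command on a physical server must not reach
        #    virtual servers that belong to other perimeters (Figure 1).
        target = self.resources[rid]
        if command in DISRUPTIVE and target.kind == "physical":
            affected = self.neighbours_outside_perimeter(consumer, target)
            if affected:
                return {"allowed": False, "affected": affected,
                        "reason": f"{command} on {rid} would disrupt {len(affected)} "
                                  "resource(s) outside your perimeter"}
        return {"allowed": True, "reason": "ok"}

    def submit(self, consumer: str, command: str, rid: str, *, dry_run: bool = True) -> dict:
        """Audit, log, and (unless dry_run) apply a management command."""
        result = self.audit(consumer, command, rid)
        self.log.append({"consumer": consumer, "command": command, "target": rid,
                         "dry_run": dry_run, "allowed": result["allowed"],
                         "reason": result["reason"], "affected": result.get("affected", [])})
        if result["allowed"] and not dry_run:
            self.applied.append((consumer, command, rid))
        # The identities of neighbouring perimeters' resources stay in the
        # provider-side log; the consumer only learns how many would be hit.
        return {k: v for k, v in result.items() if k != "affected"}


def demo_environment() -> Gateway:
    """Constructed scenario: phys-01 hosts acme's vm-a and a database server
    vm-db that sits in a different logical network perimeter (globex)."""
    resources = {
        "phys-01": Resource("phys-01", "physical"),
        "vm-a": Resource("vm-a", "virtual", host="phys-01"),
        "vm-db": Resource("vm-db", "virtual", host="phys-01"),
    }
    perimeters = {"acme": {"phys-01", "vm-a"}, "globex": {"vm-db"}}
    grants = {("acme", "phys-01"): "power", ("acme", "vm-a"): "power",
              ("globex", "vm-db"): "configure"}
    return Gateway(resources, perimeters, grants)


if __name__ == "__main__":
    gw = demo_environment()
    for consumer, command, rid in [("acme", "reboot", "vm-a"), ("acme", "reboot", "phys-01"),
                                   ("acme", "describe", "vm-db"), ("globex", "reboot", "vm-db")]:
        print(consumer, command, rid, "->", gw.submit(consumer, command, rid))
```

Rebooting `vm-a` is accepted because the virtual server is inside acme's perimeter and acme holds `power` on it; rebooting `phys-01` is rejected even though acme holds `power` on that physical server, because the audit finds `vm-db` in another perimeter on the same host. The check is keyed on perimeter membership rather than ownership, so it covers both the Figure 1 case (neighbouring resources of the same consumer in another part of the environment) and the multitenant case where the neighbours belong to a different consumer.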
NIST Reference Architecture Mapping
This pattern relates to the highlighted parts of the NIST reference architecture, as follows: