Appendix A. Cloud Computing Mechanisms Glossary


Technology mechanisms represent well-defined IT artifacts that are established within an IT industry and commonly distinct to a certain computing model or platform. The technology-centric nature of cloud computing requires the establishment of a formal level of mechanisms to be able to explore how a given pattern can be applied differently via alternative combinations of mechanism implementations. This not only standardizes proven practices and solutions in a design pattern format, it further adds standardization to pattern application options. It is for this reason that the following mechanisms have been defined and are formally associated with design pattern profiles.

Additional content from select Cloud Certified Professional (CCP) course modules has been assembled into an expanded version of Appendix A that has been made available by Arcitura Education via the InformIT Web site. This content examines each mechanism in closer detail and provides supplementary diagrams. To download this version, register the book at www.informit.com/title/9780133858563. (To register your book, click the Register Your Product link on this page. You are prompted to sign in or create an account. When asked for the ISBN, enter 9780133858563. This is the print book ISBN and must be entered even if you have a digital copy of the book. The expanded version of the appendix can then be accessed by clicking the Access Bonus Content link in the Registered Products section of your account page.) The content from the expanded version of Appendix A is also available at www.cloudpatterns.org.

Application Delivery Controller (ADC)

The application delivery controller (ADC) combines, in one device, security functions such as application layer security, distributed denial-of-service (DDoS) protection, advanced routing strategies, and server health monitoring with basic application acceleration and server load balancing. It is typically placed in a data center between the firewall and one or more application servers in the DMZ.

Attestation Service

An attestation service is responsible for assessing the integrity of cloud compute nodes through techniques introduced by the trusted computing technology and trusted platform modules (TPMs). Remote attestation services are critical for implementing secure compute platforms in the cloud. They check whether a platform is launched with known-good firmware and software components, communicating the security trust level or trustworthiness of a platform to users and supporting visibility and auditability.

Attribute Authority

The attribute authority, also known as an attribute store, is a directory or database in which systems can create, read, update, and delete (CRUD) consumer attributes. It is a trusted source of consumer attributes to support making attribute-based access control (ABAC) decisions. The attribute authority is considered an identity provider (IdP) that provides user attributes to an attribute consumer. Attributes are encoded into signed tokens, such as Security Assertion Markup Language (SAML) tokens, for consumers to submit to providers to support determination of access privileges.

Attribute-Based Access Control (ABAC) System

Attribute-based access control (ABAC) is a logical access control model used by relying parties that controls access to objects. Attributes may be considered characteristics of anything that may be defined and to which a value may be assigned. In its most basic form, ABAC relies on the evaluation of the attributes of the consumer and the resource and a formal relationship or access control rule defining the allowable operations for consumer/resource attribute and environment condition combinations.
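As an added illustration (not code from the book), the following Go program implements the evaluation the entry describes: a deny-by-default decision over consumer (subject), resource and environment attributes, with rules that list the allowable operations. The attribute names, the two sample rules and the `$category.key` reference syntax are constructed for this example.

```go
package main

import "strings"

// Attributes is a flat name->value map describing a consumer, a resource, or the environment.
type Attributes map[string]string

// Request is one access attempt: the three attribute sets the ABAC entry names, plus the operation.
type Request struct {
	Attrs  map[string]Attributes // keyed by category: "subject", "resource", "environment"
	Action string
}

// Condition requires the attribute Category.Key to equal Value. A Value beginning with "$" (for example
// "$resource.owner") refers to another attribute, expressing relationships such as "same department".
type Condition struct {
	Category, Key, Value string
}

// Rule permits the listed actions when every one of its conditions holds.
type Rule struct {
	Name       string
	Actions    []string
	Conditions []Condition
}

func (r Request) lookup(category, key string) (string, bool) {
	v, ok := r.Attrs[category][key] // indexing a nil inner map is safe and yields ok == false
	return v, ok
}

func (c Condition) holds(req Request) bool {
	actual, ok := req.lookup(c.Category, c.Key)
	if !ok {
		return false // a missing attribute never satisfies a condition
	}
	want := c.Value
	if strings.HasPrefix(want, "$") {
		parts := strings.SplitN(want[1:], ".", 2)
		if len(parts) != 2 {
			return false
		}
		if want, ok = req.lookup(parts[0], parts[1]); !ok {
			return false
		}
	}
	return actual == want
}

// Decide is deny-by-default: the request is permitted only when some rule lists the action and
// all of that rule's conditions hold. The matching rule's name is returned for the audit trail.
func Decide(rules []Rule, req Request) (bool, string) {
	for _, rule := range rules {
		if !contains(rule.Actions, req.Action) {
			continue
		}
		satisfied := true
		for _, c := range rule.Conditions {
			if !c.holds(req) {
				satisfied = false
				break
			}
		}
		if satisfied {
			return true, rule.Name
		}
	}
	return false, "default-deny"
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// SamplePolicy is a constructed policy: owners manage their own documents anywhere, any time;
// colleagues in the same department may read internal documents, but only from the corporate
// network during business hours (the environment conditions).
var SamplePolicy = []Rule{
	{
		Name:       "owner-full-access",
		Actions:    []string{"read", "write", "delete"},
		Conditions: []Condition{{"subject", "id", "$resource.owner"}},
	},
	{
		Name:    "department-read-internal",
		Actions: []string{"read"},
		Conditions: []Condition{
			{"subject", "dept", "$resource.dept"},
			{"resource", "classification", "internal"},
			{"environment", "network", "corporate"},
			{"environment", "hours", "business"},
		},
	},
}
```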

Audit Monitor

The audit monitor mechanism is used to collect audit tracking data for networks and IT resources in support of, or dictated by, regulatory and contractual obligations.

Authentication Gateway Service (AGS)

The authentication gateway service (AGS) provides proxy/brokered authentication for applications unable to natively support PKI authentication. Brokered authentication allows for a more secure and standard authentication method utilizing hardware-based credentials. The service can also provide username/password authentication. Once a consumer’s credential is verified via a directory or PKI service, the AGS can be configured to query other data sources, such as identity attribute services, and pass this data on to the application. Once passed to the application, attributes can be utilized in support of capabilities such as attribute-based access control (ABAC).

Automated Scaling Listener

The automated scaling listener mechanism is a service agent that monitors and tracks communications between cloud service consumers and cloud services for dynamic scaling purposes. Automated scaling listeners are deployed within the cloud, typically near the firewall, from where they automatically track workload status information.

Automatically Defined Perimeter (ADP) Controller

The automatically defined perimeter (ADP) controller uses secure channels to control ADP participating hosts. ADP hosts can either initiate connections or accept connections managed by interactions with the ADP controller. This architecture separates the control plane from the data plane, enabling greater security and scalability. All endpoints attempting to access a given infrastructure must be authenticated and authorized prior to entrance. The ADP relies on authentication and access control mechanisms. It mitigates many network-based attacks such as scanning, distributed denial-of-service (DDoS), injection attacks, OS and application vulnerability exploits, man-in-the-middle (MITM), cross-site scripting (XSS), cross-site request forgery (CSRF), pass-the-hash (PTH) and other attacks.

Billing Management System

The billing management system mechanism is dedicated to the collection and processing of usage data as it pertains to cloud provider accounting and cloud consumer billing. Specifically, the billing management system relies on pay-per-use monitors to gather runtime usage data that is stored in a repository that the system components then draw from for billing reporting and invoicing purposes.

Certificate

A certificate is a data file that binds the identity of an entity to a public key, and contains the user’s identification and a signature from an issuing authority. It is also referred to as a digital certificate, X.509 certificate, or a public key certificate. Certificates are issued from a public key infrastructure (PKI), which provides a registration authority to determine the identity of the certificate holder or subject to a required level of assurance, and a certification authority to issue the certificate. The PKI also contains a repository of the issued certificates and the certificate revocation list (CRL).

Certificate Authority (CA)

The certificate authority is the public key infrastructure (PKI) entity that digitally signs certificates and certificate revocation lists (CRLs). The CA generates some certificate information but is primarily responsible for collecting information from authorized sources and entering that information into a certificate before signing. The CA digitally signs and issues a subscriber’s certificate when authorized by the appropriate trusted person, called a registration authority.

Certificate Revocation List (CRL)

The certificate revocation list (CRL) is a signed list that is published and maintained by each certification authority (CA) and lists all of its revoked certificates that are still within their validity dates. When a CA revokes a certificate, the CA administrator (CAA) prepares a new CRL and posts it to the directory server. The CRL has additional fields, including the reason for revocation and the date and time of the next update. When a consumer requests access to a resource, the resource can allow or deny access based on whether that consumer’s certificate appears in its issuer’s CRL.

Certificate Trust Store

The certificate trust store provides a mechanism for trusting self-signed root certificates from internal and other organizations. It is essentially a container for certificate trust lists. Provisioning certificate stores with only the certificate issuers trusted by the organization is critical. The stores must also be locked down so that they cannot be updated without a secure process. Relying parties must consult their certificate trust store to determine if a particular submitted certificate is trusted.

Certificate Validation Service (CVS)

A certificate validation service (CVS) validates certificates either by performing revocation checking with the Online Certificate Status Protocol (OCSP) or by delegating all aspects of validation checking to a server with the Server-based Certificate Validation Protocol (SCVP). Complete certificate validation requires that the certificate is issued from a trusted source, which means building a validated chain of intermediate certificates up to a trusted root and checking all of the digital signatures along it. The certificate must also be within its validity period, used within its appropriate usage, and not revoked.
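To show the checks that the Certificate, Certificate Authority, CRL, Certificate Trust Store and CVS entries describe working together, the following Go program (an added example, not code from the book or from any product it mentions) builds a constructed root CA, two server certificates and a CRL with only the standard library, then validates a certificate by chain, validity period, usage and revocation status. It assumes Go 1.19 or later for `CheckSignatureFrom`, and exercises the CRL path rather than OCSP or SCVP.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// check aborts fixture construction on error (the sample PKI is test data, not production code).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert generates a P-256 key and signs tmpl with parentKey; when parent is nil the
// certificate is self-signed with its own key, which is how the root is created.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildSamplePKI constructs the fixture: a trust store holding one root CA, a good server
// certificate, a revoked one, and the root's CRL listing the revoked serial.
func BuildSamplePKI(now time.Time) (trust *x509.CertPool, good, revoked *x509.Certificate, crl *x509.RevocationList) {
	root, rootKey := newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: the root signs its own CRL
	}, nil, nil)
	leaf := func(serial int64, name string) *x509.Certificate {
		c, _ := newCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: name},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(90 * 24 * time.Hour),
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, root, rootKey)
		return c
	}
	good, revoked = leaf(2, "app.example.test"), leaf(3, "old.example.test")
	// The CRL names the revoked serial and the thisUpdate/nextUpdate window a relying party must honour.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)},
		},
	}, root, rootKey)
	check(err)
	crl, err = x509.ParseRevocationList(crlDER)
	check(err)
	trust = x509.NewCertPool()
	trust.AddCert(root)
	return trust, good, revoked, crl
}

// ValidateServerCert applies the checks the CVS entry lists: a signature-verified chain up to a
// trusted root, validity period at now, server-authentication usage, and absence from a current,
// correctly signed CRL of the issuer. Every failure, including a stale CRL, is a hard deny.
func ValidateServerCert(cert *x509.Certificate, trust *x509.CertPool, crl *x509.RevocationList, now time.Time) error {
	opts := x509.VerifyOptions{Roots: trust, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	chains, err := cert.Verify(opts)
	if err != nil {
		return err // untrusted issuer, bad signature, outside validity period or wrong usage
	}
	issuer := chains[0][1] // the leaf's direct issuer in the first validated chain
	if err := crl.CheckSignatureFrom(issuer); err != nil { // also requires the issuer's CRLSign usage
		return err
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return errors.New("crl: stale; refusing to decide on outdated revocation data")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("revoked: serial is listed in the issuer's CRL")
		}
	}
	return nil
}
```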

Cloud Consumer Gateway (CCG)

The cloud consumer gateway (CCG) is a secure network router anchored on the cloud consumer side of a cloud provider connection. The CCG is a hardware or software-based appliance located on the customer premises that serves as a bridge between local networks and remote cloud-based networks. Optimally, gateway encryption is managed by the cloud consumer and is required by many industry compliance regulations.

Cloud Storage Data Placement Auditor

The cloud storage data placement auditor mechanism is used to govern and control where datasets can be stored. This mechanism can be used to enforce policies on where each dataset can or cannot be stored and perform frequent checks and audits of each dataset’s storage location to ensure the appropriate cloud storage device is used according to the requirements established in the service contract.

Cloud Storage Device

The cloud storage device mechanism represents storage devices that are designed specifically for cloud-based provisioning. Instances of these devices can be virtualized, similar to how physical servers can spawn virtual server images. They are commonly able to provide fixed-increment capacity allocation in support of the pay-per-use mechanism. Cloud storage devices can be exposed for remote access via cloud storage services.

Cloud Storage Device Performance Monitor

The cloud storage device performance monitor mechanism is used to ensure pre-defined levels of performance are met using a policy-driven model of storage allocation. The cloud storage device performance monitor mechanism can perform further functions, such as automatically checking the current location of datasets against the pre-defined required performance metrics in order to ensure datasets always reside in a cloud storage device that matches their requirements. It can send an alert if data resides in a cloud storage device that does not meet the cloud consumer’s requirements.

Cloud Storage Management Portal

The cloud storage management portal mechanism gives cloud consumers and cloud service consumers access to interact with and control data stored in a cloud environment. This mechanism can be implemented to store data in the cloud in different formats, including structured or unstructured datasets. It can also be implemented to store data in different types of cloud storage devices and to allow cloud consumers to access data regardless of its type and underlying cloud storage device type.

Cloud Usage Monitor

The cloud usage monitor mechanism is a lightweight and autonomous software program responsible for collecting and processing IT resource usage data.

Cloud Workload Scheduler

The cloud workload scheduler automates, monitors, and controls the workflow throughout the cloud infrastructure. This automation usually manages hundreds of thousands of workloads per day from a single point of control. A workload is a process or set of processes that can be componentized, individually operated upon, and produce a product, with the abstraction being above the network, hardware, and operating system layers but requiring security at each layer.

Cloud-based Security Groups

The process of resource segmentation creates cloud-based security group mechanisms that are determined through security policies. Networks are segmented into logical cloud-based security groups that form logical network perimeters. Each cloud-based IT resource is assigned to at least one logical cloud-based security group, which is assigned specific rules that govern the communication between security groups.

Cryptographic Key Management System (CKMS)

The cryptographic key management system (CKMS) consists of policies, procedures, components, and devices that are used to protect, manage, and distribute cryptographic keys and certain specific information, called metadata. A CKMS includes all devices or sub-systems that can access an unencrypted key or its metadata. Encrypted keys and their cryptographically protected metadata can be handled by computers and transmitted through communications systems and stored in media that are not considered to be part of a CKMS.

Digital Signature

The digital signature mechanism is a means of providing data authenticity and integrity through authentication and non-repudiation. A message is assigned a digital signature prior to transmission, which is then rendered invalid if the message experiences any subsequent unauthorized modifications. A digital signature provides the evidence that the message received is the same as the one created by its rightful sender.

Domain Name Service (DNS)

The domain name service (DNS) is an Internet service that translates domain names into IP addresses. Since domain names are alphabetic, the corresponding IP addresses are determined by a DNS lookup. The DNS is a network of servers that maps Internet domain names to their numeric IP addresses. Information from all the domain name servers across the Internet is gathered together and housed at the central DNS registry, from which it is then distributed on the Internet.

Encryption

The encryption mechanism is a digital coding system dedicated to preserving the confidentiality of data. It is used for encoding plaintext data into a protected and unreadable format.

Endpoint Threat Detection and Response (ETDR)

Endpoint security refers to the protection of an organization’s network when accessed via remote devices such as laptops or other wireless and mobile devices. Endpoint threat detection and response (ETDR) focuses on the endpoint as opposed to the network and on threats as opposed to only malware; it formally declares incidents, and its collection of tools is used primarily for both detection and incident response.

Enterprise Mobility Management (EMM) System

EMM is a comprehensive approach to securing mobile devices such as smartphones and tablets. EMM typically involves some combination of mobile device management (MDM), mobile application management (MAM), and mobile information management (MIM).

Failover System

The failover system mechanism is used to increase the reliability and availability of IT resources by using established clustering technology to provide redundant implementations. A failover system is configured to automatically switch over to a redundant or standby IT resource instance whenever the currently active IT resource becomes unavailable.

Geotag

A geotag is a data receptacle in a trusted platform module (TPM) that holds geolocation attributes and provides the mechanism for geolocation capability. Geolocation tagging is initiated by a cloud administrator when the server is first provisioned in the data center. This allows a cloud consumer to specify the location(s) where a workload should be placed, and to verify whether virtual servers and workloads are running in the correct geographic location. The geographic location determination capability supports many industry regulatory compliance requirements.

Hardened Virtual Server Image

The hardened virtual server image is a template for virtual server instance creation that has been subjected to a hardening process. This generally results in a virtual server template that is significantly more secure than the original standard image. Hardened virtual server images help counter the denial of service, insufficient authorization, and overlapping trust boundary threats.

Hardware-Based VM Discovery System

The hardware-based VM discovery system operates in the physical hardware and provides the capability to locate hypervisors in memory and to analyze nested virtualization setups, showing the relationships among those machines. It also provides a transparent mechanism to recognize and support the address space of the virtual machines.

Hardware Security Module (HSM)

The hardware security module (HSM) is a dedicated hardware cryptographic processor that is designed for the protection of the encryption key lifecycle. HSMs provide the capability to securely manage, process, and store encryption keys inside a hardened tamper-resistant device that is also resistant to bus probing. HSMs normally have features that provide tamper evidence, such as logging and alerting, and tamper resistance, such as deleting keys upon tamper detection. HSMs are mission critical as they manage the cryptography that is foundational for security, and are typically clustered for high availability.

Honeypot

Honeypots are decoy systems implemented to gather information on an attacker. They are hosts that have no authorized users other than the honeypot administrators because they serve no business function. Honeypots collect data on threats, and any activity directed at them is considered suspicious. Honeypots can be set up inside a firewall, outside it, in the DMZ of a firewall design, or in all three locations. They are most often deployed inside of a firewall for control purposes. Honeypots are variants of standard intrusion detection and prevention systems (IDPSs) but with a greater focus on information gathering and deception.

Host-Based Security System (HBSS)

The host-based security system (HBSS) is automated and standardized security software used to provide host-oriented security on servers, desktops, and laptops rather than at the boundary, such as on routers and switches, to protect against both internal and external threats. HBSS is a suite of security applications that protect at the host server level. It contains security systems such as a host intrusion prevention system (HIPS), a firewall, and virus scanning. It protects multiple weak points simultaneously, especially at the client. HBSS provides detailed reporting capabilities, real-time asset status, central configuration management, and defense-in-depth protection against the latest cyber threats.

Hypervisor

The hypervisor mechanism is a fundamental part of virtualization infrastructure that is primarily used to generate virtual server instances of a physical server. A hypervisor is generally limited to one physical server and can therefore only create virtual images of that server. Similarly, a hypervisor can only assign the virtual servers it generates to resource pools that reside on the same underlying physical server.

Identity and Access Management (IAM)

The identity and access management (IAM) mechanism encompasses the components and policies necessary to control and track user identities and access privileges for IT resources, environments, and systems. IAM mechanisms exist as systems comprised of four main components: authentication, authorization, user management, and credential management.

Intrusion Detection and Prevention System (IDPS)

Intrusion detection and prevention systems (IDPS) automate the process of monitoring the events occurring in a computer system or network, and attempt to identify possible incidents, log information about them, stop them, and report them to security administrators. They are typically used to record information related to observed events, notify security administrators of important observed events, and automatically generate reports, with remediation actions performed manually after human review of the report. Many IDPSs can also be configured to respond to a detected threat using a variety of techniques, including changing security configurations or blocking the attack.

Live VM Migration

Live VM migration can be used to migrate virtual servers from one location to another without service interruption if both the source and destination locations are using a compatible hypervisor brand and version. Live migration moves running virtual machines from one physical server to another without impacting virtual machine availability. This is done by pre-copying the memory of the migrating virtual machine to the destination server. An administrator or orchestrator that initiates the live migration must determine which computer to use as the destination for the live migration, considering the security requirements. The guest operating system of the migrating virtual machine is not aware that the migration is happening, so no special configuration for the guest operating system is needed. Networking must be managed.

Load Balancer

The load balancer mechanism is a runtime agent with logic fundamentally based on the premise of employing horizontal scaling to balance a workload across two or more IT resources to increase performance and capacity beyond what a single IT resource can provide. Beyond simple division of labor algorithms, load balancers can perform a range of specialized runtime workload distribution functions that include asymmetric distribution, workload prioritization, and content-aware distribution.

Logical Network Perimeter

A logical network perimeter establishes a virtual network boundary that can encompass and isolate a group of related cloud-based IT resources that may be physically distributed. It is defined as the isolation of a network environment from the rest of a communications network.

LUN Masking

The LUN masking mechanism is used to configure required security policies to present the storage LUNs to only those systems and cloud storage devices that require access via the interfaces and configuration options provided by physical storage vendors.

Malware Hash

Malware hashes are used by virus protection systems to identify viruses. They are hash values computed over code that is unique to the virus. Malware authors have learned to customize viruses for each infected machine, which produces a different hash per infection and challenges anti-virus systems.

Multi-Device Broker

The multi-device broker mechanism is used to facilitate runtime data transformation so as to make a cloud service accessible to a wider range of cloud service consumer programs and devices.

Network Forensics Monitor

The network forensics monitor captures, records, and analyzes network events in order to discover the source of security attacks or other problem incidents. Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis. Network forensics monitors aid in acquiring and analyzing evidence.

Orchestration Engine

Orchestration is the automated coordination and management of computer resources and services. Orchestration provides for deployment and execution of interdependent workflows completely on external resources. A cloud orchestration engine manages complex cross-domain workflows, involving systems, enterprises and firewalls, and processes including handling exceptions.

Pay-Per-Use Monitor

The pay-per-use monitor mechanism measures cloud-based IT resource usage in accordance with predefined pricing parameters and generates usage logs for fee calculations and billing purposes. The data collected by the pay-per-use monitor is processed by a billing management system.

Physical Uplink

A physical uplink is used by virtual servers to communicate with the virtual and physical servers that are hosted outside of their virtual switch. This path must be guaranteed to be redundant and reliable at all times.

Platform Trust Policy

The platform trust policy is a security assurance policy for a platform, such as its secure launch control policy restricting applications to only execute on platforms that meet a specified trust assurance level. Compliance and auditing mechanisms must demonstrate that critical, personal, or sensitive data has only been processed on platforms that meet trust requirements.

Public Key Infrastructure (PKI)

The public key infrastructure (PKI) mechanism exists as a system of protocols, data formats, rules, and practices that enable large-scale systems to securely use public key cryptography. This system is used to associate public keys with their corresponding key owners while enabling the verification of key validity. A PKI enables the use of encryption and digital signature services across a wide variety of security services and applications.

RAID-level Identifier

The RAID-level identifier mechanism is used to provide RAID-level information on cloud storage devices. If cloud storage device vendors provide APIs or SDKs, this mechanism can be implemented automatically for integration into the management portal mechanism. If no API or SDK is provided, the cloud storage administrator should manually populate the information using available features or options.

Ready-Made Environment

The ready-made environment mechanism is a defining component of the PaaS cloud delivery model that represents a pre-defined, cloud-based platform comprised of a set of already installed IT resources, ready to be used and customized by a cloud consumer. These environments are utilized by cloud consumers to remotely develop and deploy their own services and applications within a cloud. Typical ready-made environments include pre-installed IT resources, such as databases, middleware, development tools, and governance tools.

Remote Administration System

The remote administration system mechanism provides tools and user interfaces for external cloud resource administrators to configure and administer cloud-based IT resources. A remote administration system can establish a portal for access to administration and management features of various underlying systems.

Resource Cluster

The resource cluster mechanism is used to group multiple IT resource instances so that they can be operated as a single IT resource. This increases the combined computing capacity, load balancing, and availability of the clustered IT resources.

Resource Management System

The resource management system mechanism helps coordinate IT resources in response to management actions performed by both cloud consumers and cloud providers.

Resource Replication

Resource replication is defined as the creation of multiple instances of the same IT resource, and is typically performed when an IT resource’s availability and performance need to be enhanced. Virtualization technology is used to implement the resource replication mechanism to replicate cloud-based IT resources.

Sandbox

A sandbox is a testing environment that isolates untested or unknown code. Sandboxing protects operational systems and their data from unknown code that may have arrived on the network from unknown external sources. It can provide threat intelligence by analyzing code behavior, and can be used in conjunction with rogue executables captured in a honeypot.

Secure Token Service (STS)

A secure token service (STS) issues security tokens as a result of consumer requests for single sign-on (SSO) tokens. The STS authenticates the consumer and issues a security token that contains consumer claims and is protected from manipulation by a digital signature. Examples of issued tokens include Kerberos tickets and SAML tokens.

Security Information and Event Management (SIEM) System

SIEM combines security information management (SIM) and security event management (SEM) functions into one security management system. SIEM collects relevant data about an enterprise’s security posture in multiple locations and analyzes all the data from a single point of view, providing the capability to spot trends and patterns that may be the result of malicious activity.

Single Sign-On (SSO)

The single sign-on (SSO) mechanism enables one cloud service consumer to be authenticated by a security broker, which establishes a security context that is persisted while the cloud service consumer accesses other cloud services or cloud-based IT resources. Otherwise, the cloud service consumer would need to re-authenticate itself with every subsequent request.

SLA Management System

The SLA management system mechanism represents a range of commercially available cloud management products that provide features pertaining to the administration, collection, storage, reporting, and runtime notification of SLA data.

SLA Monitor

The SLA monitor mechanism is used to specifically observe the runtime performance of cloud services to ensure that they are fulfilling the contractual QoS requirements that are published in SLAs. The data collected by the SLA monitor is processed by an SLA management system to be aggregated into SLA reporting metrics. This system can proactively repair or failover cloud services when exception conditions occur, such as when the SLA monitor reports a cloud service as “down.”

State Management Database

A state management database is a storage device that is used to temporarily persist state data for software programs. As an alternative to caching state data in memory, software programs can offload state data to the database in order to reduce the amount of runtime memory they consume. As a result, the software programs and the surrounding infrastructure are more scalable.

Storage Path Masking

The storage path masking mechanism is used to discover the available paths to a cloud storage device or physical storage device in a similar way to the multipathing mechanism. This mechanism can be used to establish concurrent communication over multiple pathways, and to hide some or all paths to a cloud or physical storage device from systems or applications.

Sub-LUN Migration

A logical unit number (LUN) is a unique identifier used to designate an individual hard disk device, or a collection of them, for addressing by a protocol associated with a SCSI, iSCSI, fibre channel (FC), or similar interface. A sub-LUN is a finer-grained subdivision of a LUN. Sub-LUN migration automates the process of moving data to optimum storage devices by, for example, detecting data that has a high access rate and temporarily moving it to faster storage. When requests for the data drop off, it is moved back to the disk location where the original copy is stored.

Threat Intelligence System

A threat intelligence system provides evidence-based threat knowledge, including context, mechanisms, indicators, implications, and actionable advice for use in countering threats. Threat intelligence can provide information about an emerging threat to an asset that can be used to inform decisions as to how the subject will respond to that threat. Common forms of threat intelligence data include security threats, threat actors, exploits, malware, vulnerabilities, and compromise indicators.

Traffic Filter

Traffic filtering is a method used to provide network security by filtering network traffic based on many types of criteria. Traffic filters are used as distributed denial-of-service (DDoS) protection devices that provide ingress filtering, rate limiting, reverse address lookup, and network traffic monitoring. Inbound filters are employed by routers to limit traffic towards a network to authorized traffic only, and to specify rules and policies that govern a specific port, service, server, or network. Inbound filters are implemented in network hardening and security planning to manage the traffic flow and allow only secure and trusted networks, hosts, or autonomous systems to access the protected network.

Traffic Monitor

Network traffic monitoring is the process of reviewing, analyzing, and managing network traffic for any abnormality or process that can affect network performance, availability, and/or security. The traffic monitor allows categorization of a network’s bandwidth usage. It provides network administrators with real-time data as well as long-term usage trends for all network devices.

Trusted Platform Module (TPM)

A trusted platform module (TPM) is a tamper-resistant integrated circuit built into some computer motherboards that can perform cryptographic operations, such as key generation, and protect small amounts of sensitive information, such as passwords and cryptographic keys. The TPM securely stores artifacts used to authenticate the platform, including passwords, certificates, and encryption keys. The TPM is also used to store platform measurements that help ensure that the platform remains trustworthy. Authentication and attestation are necessary steps to attain trust to a policy-specified level of assurance.
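As an added illustration that is not part of the book, the following Python simulates how the platform measurements a TPM stores support attestation: each boot component's digest is folded into a platform configuration register (PCR) by extending it, and a verifier replays the event log and compares the result against known-good values. The boot log, digests, and golden values are constructed for the example, and the TPM's signature over the quoted PCRs is assumed to have been verified already.

```python
import hashlib

# Constructed measured-boot event log (example values, not from a real platform):
# each entry is (PCR index, component name, SHA-256 digest of the component).
BOOT_LOG = [
    (0, "firmware", hashlib.sha256(b"firmware-image-v1").hexdigest()),
    (4, "bootloader", hashlib.sha256(b"bootloader-v2").hexdigest()),
    (4, "kernel", hashlib.sha256(b"kernel-5.x").hexdigest()),
]

def extend(pcr_value: bytes, digest_hex: str) -> bytes:
    """PCR extend: new = H(old || measurement). Order matters, so a tampered
    or reordered component changes every later value of that PCR."""
    return hashlib.sha256(pcr_value + bytes.fromhex(digest_hex)).digest()

def replay_log(log):
    """Replay an event log into per-PCR values, starting from all-zero PCRs
    (assumed initial state for the registers used here)."""
    pcrs = {}
    for index, _name, digest in log:
        pcrs[index] = extend(pcrs.get(index, bytes(32)), digest)
    return pcrs

def verify_quote(log, quoted_pcrs, golden_pcrs):
    """Verifier-side attestation check: the replayed log must reproduce what
    the TPM quoted, and the quoted values must match the policy's golden
    values. Returns (ok, reason)."""
    if replay_log(log) != quoted_pcrs:
        return False, "event log does not reproduce quoted PCRs"
    bad = [i for i, v in golden_pcrs.items() if quoted_pcrs.get(i) != v]
    if bad:
        return False, f"PCR(s) {bad} differ from golden values"
    return True, "platform measurements match policy"

# Golden values derived from a trusted build of the same components.
GOLDEN = replay_log(BOOT_LOG)

def tampered_log():
    """Same log with a modified kernel image: only its digest changes,
    which is enough to change the final value of PCR 4."""
    log = list(BOOT_LOG)
    log[2] = (4, "kernel", hashlib.sha256(b"kernel-5.x-modified").hexdigest())
    return log
```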

Virtual Appliance

A virtual appliance typically comes in the open virtualization format (OVF) and is either a pre-installed and configured virtual server image or a pre-installed virtual server that can be imported and used immediately.

Virtual CPU (vCPU)

Virtual CPU (vCPU) is the amount of processing power that a hypervisor provides to a virtual server. Four to eight vCPUs can usually be allocated to each physical core to accommodate varying workloads.

Virtual Disk (vDisk)

A virtual disk (vDisk) is a specialized variation of the cloud storage device mechanism that exists as a single file or a set of files split into smaller parts that represent the virtual server’s hard disk. A virtual disk is the consolidation of hard drives that are allocated to a virtual server before or after its creation.

Virtual Firewall

The virtual firewall is software running in a virtual server that controls and filters communication to, from, and between virtual servers. It is a network firewall service or appliance running within a VM that provides the protection and monitoring functions of a physical network firewall.

Virtual Infrastructure Manager (VIM)

The virtual infrastructure manager (VIM) coordinates the server hardware so that virtual server instances can be created from the most expedient underlying physical server. The VIM is a commercial product that can be used to manage a range of virtual IT resources across multiple physical servers.

Virtual Network

The virtual network is a combination of virtual switches and their uplinks to a physical network that isolates a network environment. The virtual network requires a minimum of one physical uplink and one virtual switch, although it can have more virtual switches.

Virtual Private Cloud (VPC)

The virtual private cloud (VPC) is the segmentation of a public cloud service provider’s multitenant environment to support private cloud computing. The VPC provides secure data transfer between an organization’s on-premise and public cloud provider, ensuring isolated boundaries from every other customer’s data both in transit and inside the cloud provider’s network.

Virtual Private Network (VPN)

The virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide consumers with secure connections to their organization’s network. The VPN ensures privacy through security procedures and tunneling protocols, including the Layer Two Tunneling Protocol (L2TP). Data is encrypted at the sending end for transmission and decrypted at the receiving end.

Virtual RAM (vRAM)

Virtual RAM (vRAM) is the amount of RAM that a hypervisor allocates to a virtual server. When a virtual server is created with a certain amount of RAM, a hypervisor must allocate the same amount of vRAM to that virtual server.

Virtual Server

The virtual server, also known as a virtual machine (VM), is a form of virtualization software that emulates a physical server and is used by cloud providers to share the same physical server with multiple cloud consumers by providing each cloud consumer with an individual virtual server instance.

Virtual Server Snapshot

Snapshotting a virtual server is a method of creating a full restore point for the virtual server, including the virtual server’s applications, hardware settings, and operating system.

Virtual Server State Manager

The virtual server state manager enables the virtual server to be paused and saved in any state. This can be performed in the middle of any action, such as copying files or installing the operating system. Virtual server state managers are supported by all hypervisors.

Virtual Switch

A virtual switch is a logical network switch that operates at the hypervisor level. Network interface cards (NICs) are emulated into a single virtual switch.

Virtualization Agent

The virtualization agent mechanism is an agent that is installed inside the virtual server. It typically provides load-enhanced drivers for the virtual server that add various types of common functionality, synchronizes the virtual server’s date and time with the host, and secures communication between the virtual server and the hypervisor.

Virtualization Monitor

The virtualization monitor is a specialized variation of the usage monitor mechanism that provides monitoring functionality specific to virtualization-related usage. A variety of virtualization monitors can be used to perform different forms of monitoring. Virtualization monitors are typically implemented as service agents.

VPN Cloud Hub

The VPN cloud hub provides secure communication between distributed data centers using a hub-and-spoke model with VPC architecture. It enables connection to organizational data centers, whether on-premise or in the cloud, in order to function as part of a single, private network. These networks can use IPsec or TLS in hardware or software.
