Presented at MPLS 2010, Oct 24-27, Washington D.C.
Monique Morrow, Cisco Distinguished Consulting Engineer, discussed the role of the network as the base for cloud computing, contrasting XaaS models delivered across a private backbone with cloud-based services offered over the Internet.
She also presented the potential evolution of cloud computing into private, hybrid and inter-cloud forms.
Service level management and security are also highlighted themes in this presentation.
An overview of the various standards organizations and forums that may be specific to cloud computing and the emerging inter-cloud was also provided.
Discussion and takeaway: the value of these models to your business.
MPLS 2010: Network Enabled Cloud and Service Models
1. Network Enabled Cloud and Service Models
Monique J. Morrow
Cisco
mmorrow@cisco.com
www.mpls2010.com
Insert Company
Logo Here
2. Agenda
Service and Deployment Models
Factoring the Network Into the Cloud
Cloud Management
Cloud Security
Inter-cloud
Standards
Summary
3. Common Taxonomy
Cloud Framework from NIST
Essential Characteristics: On-Demand Self Service, Broad Network Access, Resource Pooling, Rapid Elasticity, Measured Service
Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
Deployment Models: Public, Private, Hybrid, Community
http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html
4. Cloud Services Taxonomy
Software as a Service (SaaS): SaaS Enabled Applications (CRM/ERP, Desktop Apps, UC, Video, Other Apps); consumed by End Users
Platform as a Service (PaaS): Platform Enabled Applications (Billing, Collaboration, Apps Dev, Workflow, Metadata); consumed by Developers
Infrastructure as a Service (IaaS): Infrastructure Enabled Services (Business Data, System Infrastructure, Hosted Hardware, Grid); consumed by the IT Department
5. Applications in the Cloud
Supporting Hybrid: Not One-Size-Fits-All
(Chart: workloads plotted by service level, from Development and Test up to Mission Critical, against time, Today vs Future)
Today: Development and Test, Web Apps (some), Media Distribution, Large Scale Compute/Storage
Future (Strategic, Mission Critical): requires verifiable data "Trust"
- Secure and Private
- Compliant
7. Hybrid Cloud for Enterprise Extension
(Diagram: the Enterprise Internal Cloud / Virtualized DC connects over the Internet to a Multi-Tenant SP offering virtual private cloud services (IaaS) with security and SLA support)
Seamless Extension of the Enterprise DC (IaaS)
(elastic compute, storage, network, services)
8. Challenge: Tightly Integrating Network Services
One-size-fits-all makes it easier, but at the expense of functionality
More than just VMs on a VLAN!
Scaling becomes a challenge with just 20K VMs and 100s of tenants
Requires understanding of NW service abstraction, template-based configuration, tiered network designs
9. Network Factored Cloud
(Diagram: application tiers of a typical DC mapped onto a tiered network; the recoverable labels follow)
App tiers in a typical DC: Web Tier (in the DMZ), App Tier, DB Tier (DB 1, DB 2), Storage Tier (SAN/NAS)
Tiered Network: Access (app tiers reside here); Aggregation, Distribution, Core, SAN; DMZ; Campus core/MAN/WAN edges
Branches and departments/customers (Dept/Customer 1, Dept/Customer 2; Dept 1 with App 1 and DB 1, Dept 2 with App 6 and DB 2) reach the DC over the Internet and the MAN/WAN/SP Net
Outsource to Cloud: part of the app tiers may reside in the cloud
10. Multi-tenant Cloud DC
Need support for the following, for example (via support of an API and a vDC configuration spec a la OVF):
Isolate vDCs not just at the VM level, but also at the network level
Network service or capability insertion (virtual or physical) at various layers on-demand
(Diagram: isolation between Dept/Customer 1 and Dept/Customer 2, with services inserted per tier: front (web) tier: Firewall, VPN, SSL Acceleration, Network QoS; App Tier: Load Balancing, Firewall, Network QoS; DB Tier: Load Balancing, Firewall, Network QoS; Storage Tier: VSAN, Network QoS)
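The template-based, network-level isolation the slide asks for can be made concrete with a small policy generator. The following is an added example written for this page, not Cisco's code or anything from the presentation; the tenant names, tier names, rule format and the VDC_TEMPLATE structure are all hypothetical. It expands one template into explicit per-tenant permit/deny rules (so a tenant's web tier can reach its own app tier but nothing in another tenant's vDC), lists the services inserted in front of each tier, and includes a check that flags any permit crossing tenants or exposing a non-ingress tier to the outside:

```python
"""Template-based network isolation for a multi-tenant cloud DC.
Added example for this page (not from the presentation or Cisco). Tenant
names, tier names, the rule format and VDC_TEMPLATE are hypothetical."""
from dataclasses import dataclass
from itertools import product

# One template, rendered per tenant. Tier names and per-tier services follow
# the slide's diagram; the allowed-flow list is this example's assumption.
VDC_TEMPLATE = {
    "tiers": ["web", "app", "db", "storage"],
    "services": {                      # inserted in front of each tier, on demand
        "web": ["firewall", "vpn", "ssl-acceleration", "qos"],
        "app": ["load-balancer", "firewall", "qos"],
        "db": ["load-balancer", "firewall", "qos"],
        "storage": ["vsan", "qos"],
    },
    "allowed_flows": [("web", "app"), ("app", "db"), ("db", "storage")],
    "ingress_tier": "web",             # the only tier reachable from outside
}

@dataclass(frozen=True)
class Rule:
    tenant: str
    src: str        # "<tenant>/<tier>" or "external"
    dst: str        # "<tenant>/<tier>"
    action: str     # "permit" or "deny"

def segment(tenant, tier):
    return f"{tenant}/{tier}"

def tenant_of(seg):
    """Owner of a segment name; None for traffic from outside the DC."""
    return seg.split("/", 1)[0] if "/" in seg else None

def render_vdc(tenant, template=VDC_TEMPLATE):
    """Expand the template into explicit rules for one tenant's vDC.
    Cross-tenant pairs get no rule at all, so they fall to the default deny."""
    segs = {tier: segment(tenant, tier) for tier in template["tiers"]}
    permitted = {(segs[a], segs[b]) for a, b in template["allowed_flows"]}
    permitted.add(("external", segs[template["ingress_tier"]]))
    rules = [Rule(tenant, s, d, "permit") for s, d in sorted(permitted)]
    # Explicit denies for every other pair touching this vDC, so a missing
    # permit never depends on a platform default being set the right way.
    for s, d in product(["external", *segs.values()], segs.values()):
        if s != d and (s, d) not in permitted:
            rules.append(Rule(tenant, s, d, "deny"))
    return rules

def is_allowed(rules, src, dst):
    """First-match evaluation; no match means deny."""
    for r in rules:
        if r.src == src and r.dst == dst:
            return r.action == "permit"
    return False

def verify_isolation(rules, template=VDC_TEMPLATE):
    """Flag permits that cross tenant boundaries or expose a non-ingress tier."""
    problems = []
    for r in rules:
        if r.action != "permit":
            continue
        st, dt = tenant_of(r.src), tenant_of(r.dst)
        if st is not None and st != dt:
            problems.append(f"cross-tenant permit {r.src} -> {r.dst}")
        elif st is None and r.dst.split("/", 1)[1] != template["ingress_tier"]:
            problems.append(f"external reaches non-ingress tier {r.dst}")
    return problems

def services_for(tier, template=VDC_TEMPLATE):
    """Services inserted in front of a tier (virtual or physical, per the template)."""
    return list(template["services"][tier])

if __name__ == "__main__":
    rules = render_vdc("acme") + render_vdc("globex")
    print(len(rules), "rules; acme/web->acme/app:", is_allowed(rules, "acme/web", "acme/app"))
    print("violations:", verify_isolation(rules + [Rule("acme", "acme/app", "globex/db", "permit")]))
```

The check matters more than the generator: a rule set grows to thousands of entries at the scale the previous slide mentions, and a single hand-added "shared monitoring" permit across tenants is exactly the isolation failure listed later under technical risks. Running verify_isolation on every rendered rule set before it is pushed keeps the template the only source of cross-tier policy.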
11. Hybrid Cloud With Intelligent Network - High Level Use Case
(Diagram: internal data center, core network with a Cloud VPN, and several cloud data centers; the flow reads as follows)
- The internal data center has additional capacity needs and requests cloud resources
- Check availability and performance, determine the optimal location among the cloud data centers
- Self-provision the network (Cloud VPN across the core), the tenant, and virtual compute and storage
- Workloads are deployed in the chosen cloud data center
‘Pay-as-you-go’ for compute, storage, network
12. Changing the Approach
Current state vs Cloud Aware Infrastructure
Current state: periodic polling from the network management system to devices does not scale well
Cloud aware: real-time publishing of state from network devices scales
Current state: management plane driven; scaling is achieved using technologies like clustering
Cloud aware: the network control plane reduces the scaling challenges of the management plane
Current state: policy definition and enforcement happen in the management tool, which requires an update for every new device, flow or model
Cloud aware: policy definition resides in the management tool and communicates via service layer APIs to network elements to enforce policy
13. Where to Provision the Tenant?
Utilizing Network Intelligence
Key for many SP applications
Video – where to go that’s closest for a particular video segment
Mobile – where to go for resources needed for a particular customer
Cloud (intra-DC) – workload positioning across pods within a DC
Cloud (inter-DC) – workload positioning across DCs within an NGN
Network can provide more than just proximity information
View into not only topology but performance data, link costs, etc.
API call provides customer identity, policy, requirements and receives top location(s) of / for resources
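The placement API described on this slide (identity, policy and requirements in; ranked locations out) is sketched below as an added example, not the presentation's or Cisco's code. The sites, their performance and link-cost figures, and the policy fields are constructed for illustration. Data residency (the "where is my data?" question raised later under cloud security) is treated as a hard constraint that a cheaper or closer site can never outweigh; only among eligible sites does the weighted network score decide:

```python
"""Network-aware workload placement: tenant identity, policy and requirements
in, ranked locations out. Added example for this page (not Cisco code); sites,
metrics and policy fields are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    name: str
    jurisdiction: str       # country where the data would physically reside
    free_vcpus: int
    free_storage_gb: int
    rtt_ms: float           # measured RTT from the tenant's edge (performance data)
    link_cost: float        # relative transport cost of the path, 0..1
    utilization: float      # current pod/DC load, 0..1

@dataclass(frozen=True)
class Request:
    tenant: str
    vcpus: int
    storage_gb: int
    allowed_jurisdictions: frozenset   # data-residency policy for this tenant
    max_rtt_ms: float
    top_n: int = 2

# Constructed sample topology/performance view (not measurements of any real network).
SITES = [
    Site("dc-fra", "DE", free_vcpus=400, free_storage_gb=50_000, rtt_ms=12, link_cost=0.4, utilization=0.7),
    Site("dc-ams", "NL", free_vcpus=200, free_storage_gb=20_000, rtt_ms=18, link_cost=0.3, utilization=0.4),
    Site("dc-dub", "IE", free_vcpus=50, free_storage_gb=5_000, rtt_ms=25, link_cost=0.3, utilization=0.2),
    Site("dc-iad", "US", free_vcpus=2000, free_storage_gb=100_000, rtt_ms=95, link_cost=0.2, utilization=0.3),
]

def eligible(site, req):
    """Hard constraints: residency policy, capacity, latency bound. A site that
    fails any of these is never returned, however good its score."""
    return (site.jurisdiction in req.allowed_jurisdictions
            and site.free_vcpus >= req.vcpus
            and site.free_storage_gb >= req.storage_gb
            and site.rtt_ms <= req.max_rtt_ms)

def score(site, req, weights=(0.5, 0.3, 0.2)):
    """Lower is better: RTT relative to the tenant's bound, link cost, load."""
    w_rtt, w_cost, w_util = weights
    return (w_rtt * site.rtt_ms / req.max_rtt_ms
            + w_cost * site.link_cost
            + w_util * site.utilization)

def place(req, sites=SITES):
    """Top-N site names for the request, best first; empty if policy cannot be met."""
    ranked = sorted((s for s in sites if eligible(s, req)),
                    key=lambda s: (score(s, req), s.name))
    return [s.name for s in ranked[:req.top_n]]

if __name__ == "__main__":
    eu = Request("acme", vcpus=100, storage_gb=10_000,
                 allowed_jurisdictions=frozenset({"DE", "NL", "IE"}), max_rtt_ms=50)
    # dc-ams ranks ahead of dc-fra: slightly farther, but a cheaper path and less loaded
    print(place(eu))
```

Keeping policy out of the score is the design choice worth copying: when the API returns an empty list, the tenant learns that its residency or latency policy cannot be satisfied anywhere, rather than being silently placed in the wrong jurisdiction because that site happened to score well.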
15. Cloud Management
Not traditional management
Everything has to be on-demand, on-line and elastic
If the management layer does not have on-line, on-demand interfaces, it will not be suitable for Cloud
Static provisioning has to be minimal, if at all
Autonomic flow-through provisioning should be the norm
Compute, storage and network managed as a whole, interrelated, not in isolation
(Diagram: the Cloud User Admin (CUA) requests vDC creation and VPN association; Cloud Service Management middleware (Cloud Service Component, Service Composition via the OVF spec, for example) and the Cloud Provider Admin (CPA) hand off to Cloud Infra Management, which decomposes services and orchestrates Compute Element Management, Storage Element Management, Network Service Mgmt L4–7 and Network Service Mgmt L2–3 VPN; the Corp VPN is provisioned on-demand)
17. Cloud Security Threats and Issues
Where is my data?
Geographical location of data
Who is accessing it on the physical and virtual servers?
Is it segregated from others?
Can I recover it?
What is the threat vector for cloud services?
Will it be heavily targeted?
How do I identify the weakest link in the cloud services security chain?
Would centralization of data bring more security?
Federated trust and identity issues
Who would manage risk for my business assets?
And, can I comply with regulatory requirements set by (choose your standards body)?
18. Private Cloud
Private Cloud Security
What is a Private Cloud?
– It’s Private ;-)
– You have control of everything
– You decide the security policy
– No need for total separation of resources (some exceptions apply)
– Need to secure virtual machines and services
19. Public Cloud
Public Cloud Security
What is a Public Cloud?
– You are sharing a public infrastructure with others
– You do not have control of the infrastructure
– You do not decide the common security policy
– You control access to the leased infrastructure (IaaS/PaaS)
– You control access to your own services (IaaS/PaaS/SaaS)
– You need to work together with the Cloud Provider to establish trust and control
Need to set up a framework for controlling SLAs and ensure that Security/Monitoring/Compliance/Audit requirements are fulfilled
20. Securing Clouds – Approach
As with any security area, organizations should adopt a risk-based approach to moving to the cloud and selecting security options (*)
– Identify the asset for the cloud deployment
– Evaluate the asset
– Map the asset to potential cloud deployment models
– Evaluate potential cloud service models and providers
– Sketch the potential data flow
– Conclusion / Decision
* Cloud Security Alliance Whitepaper v2.1
21. What Assets Do We Protect?
Company reputation
Customer trust
Employee loyalty and experience
Intellectual property
Service delivery
Personal data
Credentials
User directory
Cloud service management interface
Network
Physical hardware
Buildings
Logs
Backup or archive data
22. Risks
Policy and organizational: Lock-in, Loss of governance, Compliance challenges, Cloud service termination or failure, Supply chain failure
Technical: Resource exhaustion, Isolation failure, Cloud provider malicious insider, Management interface compromise, Intercepting data in transit, Insecure or ineffective deletion of data, DDoS
Legal: Subpoena and e-discovery, Changes of jurisdiction, Data protection risks, Licensing risks
Not specific to the cloud: Network breaks, Network management, Modifying network traffic, Privilege escalation, Social engineering
23. Benefits
Security and the benefits of scale: multiple locations, edge networks, improved timeliness of response to incidents, threat management
Security as a market differentiator
Standardized interfaces for managed security services
Rapid, smart scaling of resources
Audit and evidence-gathering
More timely, effective and efficient updates and defaults
Benefits of resource concentration
25. Evaluate the asset
How important is the asset? What is the harm if:
- the asset became widely public and widely distributed?
- an employee of our cloud provider accessed the asset?
- the process or function were manipulated by an outsider?
- the process or function failed to provide expected results?
- the information/data were unexpectedly changed?
- the asset were unavailable for a period of time?
Confidentiality, integrity and availability requirements when (part of) the resource is in the cloud
26. Security as a Service — Assessments
Regulatory Compliance Audits and Reports
Vulnerability Assessment
Define Security Policies
Global Security Intelligence Center
Automate
Mitigate risk and eliminate
Monitor and measure network compliance
Distribute security and compliance reports
27. References
NIST Cloud Definition
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc
ENISA Cloud Computing Risk Assessment
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport
Cloud Security Alliance
http://cloudsecurityalliance.org/
29. The Inter-Cloud
Apps integrate services from multiple clouds
Naming/Discovery
Trust
Exchange/Peering
Dynamic Workload Migration
30. Inter-cloud Potential for Disruption
(Diagram: proprietary computing and storage clouds, each with its own clients, joined by interoperable server-side protocols and formats: SVMP*, SSRP*, SOIP*)
*Simple VM Mobility Protocol
*Simple Storage Replication Protocol
*Simple Other Inter-cloud Protocols As Needed
31. Evolution of the Cloud Computing Market from Stand-alone to the Inter-cloud
(Diagram: four phases along an axis of Federation / Workload Portability / Interoperability / Security)
Phase 1, Phase 2 (Present), Phase 3, Phase 4 (2015–2017)
Stages shown, in order: Stand Alone Data Centers; Private Cloud and Public Cloud; Virtual Private Cloud, Public Cloud (1) and Public Cloud (2); Open Cloud (Federations); Inter Cloud
33. Where Is the Standards Work to be Done?
CSA, DMTF, NIST, IEEE, OGF, ETSI-TC Grid, MEF, ITU-T, SNIA, CCIF, OCM, OASIS, NCOIC, IETF, OCM LA, TMF, and more…
34. Interoperability Standards
Common interfaces/APIs for Cloud services offered by a Cloud SP (CSP)
OCCI for compute, SNIA CDMI for storage
Not much for network, such as a standard API for Virtual Private Cloud (VPC), load-balancing (LB), firewall, QoS, bandwidth and other services
Workload mobility/migration with the following elements moving between clouds (End user to CSP, Enterprise to CSP, CSP to CSP)
Virtual DC (vDC) with App, VM and relevant (App, VM, network) configurations
Both static and live migration considered
OVF for vDC specification; the vDC moves as an OVF package
Currently lacks features, such as network-related ones
No standard VM (disk) format
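What OVF does and does not carry when a vDC moves between clouds can be seen by parsing one. The following is an added example, not part of the presentation; the OVF envelope is constructed (two VMs, two disks, two declared networks, and one deliberate error), the SUPPORTED_DISK_FORMATS set stands in for whatever the receiving cloud accepts, and the helper names are this example's own. The parser pulls out disks (with their vendor-specific format URI, which is the "no standard VM (disk) format" point in practice), the logical networks, and each VM's NICs and disks, then runs the checks an importing cloud needs: dangling network references, unknown disks, and unsupported disk formats.

```python
"""Parse an OVF package and run the checks an importing cloud needs.
Added example for this page (not from the presentation). The envelope below is
constructed; SUPPORTED_DISK_FORMATS stands in for the receiving cloud's policy."""
import xml.etree.ElementTree as ET

NS = {
    "ovf": "http://schemas.dmtf.org/ovf/envelope/1",
    "rasd": "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData",
}
OVF = "{%s}" % NS["ovf"]                 # prefix for namespaced attributes
RT_ETHERNET, RT_DISK = "10", "17"        # CIM ResourceType codes used by OVF items
DISK_PREFIX = "ovf:/disk/"               # how an Item's HostResource names a Disk
# Hypothetical: the formats this particular cloud can import.
SUPPORTED_DISK_FORMATS = {"http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized"}

# Constructed sample: a two-tier vDC. db1 has a NIC on a network that is never
# declared, and its disk uses a format the receiving cloud does not support.
SAMPLE_OVF = """<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
 xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
 xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData">
 <References>
  <File ovf:id="file-web" ovf:href="web.vmdk" ovf:size="1048576"/>
  <File ovf:id="file-db" ovf:href="db.qcow2" ovf:size="2097152"/>
 </References>
 <DiskSection><Info>Virtual disks</Info>
  <Disk ovf:diskId="disk-web" ovf:fileRef="file-web" ovf:capacity="8589934592"
   ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized"/>
  <Disk ovf:diskId="disk-db" ovf:fileRef="file-db" ovf:capacity="34359738368"
   ovf:format="http://www.gnome.org/~markmc/qcow-image-format.html"/>
 </DiskSection>
 <NetworkSection><Info>Logical networks</Info>
  <Network ovf:name="web-net"><Description>Web tier</Description></Network>
  <Network ovf:name="db-net"><Description>DB tier</Description></Network>
 </NetworkSection>
 <VirtualSystemCollection ovf:id="acme-vdc"><Info>Two-tier vDC</Info>
  <VirtualSystem ovf:id="web1"><Info>Web server</Info>
   <VirtualHardwareSection><Info>Hardware</Info>
    <Item><rasd:InstanceID>1</rasd:InstanceID><rasd:ResourceType>10</rasd:ResourceType>
     <rasd:Connection>web-net</rasd:Connection></Item>
    <Item><rasd:InstanceID>2</rasd:InstanceID><rasd:ResourceType>17</rasd:ResourceType>
     <rasd:HostResource>ovf:/disk/disk-web</rasd:HostResource></Item>
   </VirtualHardwareSection>
  </VirtualSystem>
  <VirtualSystem ovf:id="db1"><Info>Database</Info>
   <VirtualHardwareSection><Info>Hardware</Info>
    <Item><rasd:InstanceID>1</rasd:InstanceID><rasd:ResourceType>10</rasd:ResourceType>
     <rasd:Connection>db-net</rasd:Connection></Item>
    <Item><rasd:InstanceID>2</rasd:InstanceID><rasd:ResourceType>10</rasd:ResourceType>
     <rasd:Connection>mgmt-net</rasd:Connection></Item>
    <Item><rasd:InstanceID>3</rasd:InstanceID><rasd:ResourceType>17</rasd:ResourceType>
     <rasd:HostResource>ovf:/disk/disk-db</rasd:HostResource></Item>
   </VirtualHardwareSection>
  </VirtualSystem>
 </VirtualSystemCollection>
</Envelope>
"""

def parse_ovf(xml_text):
    """Return disks, declared networks and per-VM NIC/disk references."""
    # A package from a peer cloud is untrusted input; in production parse it
    # with defusedxml (same API) rather than the stdlib parser.
    root = ET.fromstring(xml_text)
    disks = {d.get(OVF + "diskId"): {"file": d.get(OVF + "fileRef"),
                                     "capacity": int(d.get(OVF + "capacity")),
                                     "format": d.get(OVF + "format")}
             for d in root.findall("ovf:DiskSection/ovf:Disk", NS)}
    networks = {n.get(OVF + "name"): n.findtext("ovf:Description", "", NS)
                for n in root.findall("ovf:NetworkSection/ovf:Network", NS)}
    vms = {}
    for vs in root.iter(OVF + "VirtualSystem"):      # also those inside a collection
        nics, vm_disks = [], []
        for item in vs.findall("ovf:VirtualHardwareSection/ovf:Item", NS):
            rtype = item.findtext("rasd:ResourceType", "", NS)
            if rtype == RT_ETHERNET:
                nics.append(item.findtext("rasd:Connection", "", NS))
            elif rtype == RT_DISK:
                ref = item.findtext("rasd:HostResource", "", NS)
                vm_disks.append(ref[len(DISK_PREFIX):] if ref.startswith(DISK_PREFIX) else ref)
        vms[vs.get(OVF + "id")] = {"nics": nics, "disks": vm_disks}
    return {"disks": disks, "networks": networks, "vms": vms}

def import_checks(pkg, supported=SUPPORTED_DISK_FORMATS):
    """Errors that block bringing the vDC up on this cloud."""
    problems = []
    for vm, info in pkg["vms"].items():
        problems += [f"{vm}: NIC on undeclared network {n!r}" for n in info["nics"] if n not in pkg["networks"]]
        problems += [f"{vm}: references unknown disk {d!r}" for d in info["disks"] if d not in pkg["disks"]]
    for fmt in sorted({d["format"] for d in pkg["disks"].values()} - set(supported)):
        problems.append(f"disk format not supported by this cloud: {fmt}")
    return problems

if __name__ == "__main__":
    package = parse_ovf(SAMPLE_OVF)
    print(package["vms"])
    print(import_checks(package))
```

Note what the package does not contain: OVF names the logical networks and says which NIC attaches to which, but the VLAN, firewall, load-balancer and QoS policy the source cloud applied to those networks is not in it, so the importer has to re-attach that from its own per-tier template. That gap is the "network-related" shortcoming the slide refers to.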
36. Summary
Cloud Computing represents a shift in how application and data center resources will be architected and consumed
Sample Areas for Standardization:
Network abstraction, virtualization
Cloud security
Federation and interoperability
Innovation – What disrupts YOU?