Ian Evans, Cloud Solutions Architect at Quality Technology Services (QTS)
17 years of systems, network and infrastructure planning experience spanning multiple industries including Healthcare, Oil
and Gas, Hospitality and the Federal Government. In my current role as a Cloud Solutions Architect at QTS, I use a deep
understanding of cloud backbone systems, processes, management tools, and techniques to help customers construct,
modify, operate, and maintain geographically disperse cloud architectures that meet unique customer needs.
Prior to joining QTS, I have held multiple architect and product/account management positions at Verizon Enterprise
Solutions, RedHat, Amazon Web Services and Systems Technology Forum, Ltd. I am also an active member and contributor
within the Openstack Foundation.
My primary areas of interest are around newer container based technologies which aim to improve application deployment
time for customers.
3. THE CLOUD LANDSCAPE
According to a recent Rightscale survey, 94% of respondents said they are using Cloud.
74% of respondents said they have a multi-cloud strategy (Private and Public).
Respondents noted greater flexibility, faster provisioning and higher availability as the top motivating factors for a move
into the cloud.
Cloud security, compliance and cloud management were among the top 5 challenges in regards to cloud maturity.
AWS still dominates the public cloud landscape with VMWare vCHS, Rackspace, Google App Engine and Azure IaaS in the
Openstack is now considered production ready and is being experimented with heavily in the private cloud space.
4. CURRENT TRENDS
IaaS is becoming less important and the emphasis continues around improving the application deployment model. SaaS and
PaaS will be primary focus for organizations through 2016. Public cloud SaaS is expected to grow from $39B in 2014 to $298B
The performance differentiation between public cloud-driven IaaS and baremetal IaaS is rapidly diminishing. Some public
cloud providers are making huge gains in this area. We can expect to see public cloud adoption rates continue to increase with
most of these adoptions having some aspect of hybrid connectivity as well.
Cloud Management Products (CMP) and Unified Threat Management Appliances (UTM) will be a major focus for
organizations. Customers continue to demand better tools to manage their diverse cloud workloads and security within a
single pane of glass.
There will be continued Software Defined Networking (SDN) adoption into hybrid cloud environments. Now that compute
and storage are fairly well orchestrated and interconnected, customers would like the same type of functionality with their
networks. SDN platforms such as Opendaylight, MidoNet and Cumulus are all set to make a huge impact on public, private
and hybrid workloads in 2016.
Cybersecurity will be a top priority in 2016. In addition to initiatives to protect customer/consumer data, there will be more
regulations coming which will require organizations to meet stricter security guidelines.
Integrated Authentication Management (IAM) adoption will increase. ReasearchAndMarkets reports projected IAM growth
at 25.7% CAGR from 2015 levels.
Hardware Unified Fabrics will continue to decline as cloud software orchestration mechanisms continue to improve.
Customers will see significant cost savings in addition to better control over their hardware supply chain by adopting whitebox
solutions. We expect to see projects like Open Compute (OCP) rise significantly in 2016.
Containers will continue to gain popularity due to ease of provisioning applications and baremetal-like performance.
5. COMMON PITFALLS
Involving too many vendors in your overall cloud solution. As more vendors are added, maintaining a good security posture
becomes increasingly difficult. This also makes orchestrating workloads harder (e.g. too many panes of glass).
Relying too heavily on public cloud providers to provide application and data security through your service chain. Using
technologies like Unified Threat Management (UTM) and Cloud Management Portals (CMP) help mitigate risk by ensuring
unified security for networks, storage and application stacks.
Misunderstanding the current cloud deployment models:
Example: Common Hypervisor environments are well understood, but has any thought been put into implementing an
orchestrated container based system?
Example: Using a hardware based orchestration system rather than focusing on software driven orchestration on
Example: Relying to heavily on the IaaS deployment model. Most successful deployments look at IaaS as a commodity
resource and put emphasis on the application deployment model (e.g. SaaS and PaaS).
Example: Thinking application workloads cannot be easily spread over multiple providers to ensure better uptime and
resilience. This is a key area for CMP's as they ensure proper abstraction over multiple clouds which eases deployment
and management in multi-cloud environments.
Openstack is a free open-source platform for cloud computing created by NASA and Rackspace. It consists of compute pools,
software orchestrated networking, automated billing and block/object storage. All components within the Openstack ecosystem
can be orchestrated via the Openstack Horizon Dashboard or through the Openstack API.
The platform is community built, rather than having a sole organization responsible for development cycles. This methodology
speeds development, improves release cycles and fosters greater innovation into the product line.
The Openstack community has built the product with the goal of being able to create common compute, network and
storage pools that can be deployed across multiple private, public and hybrid clouds at any given time.
Openstack is very mature and production ready. Rackspace has been running it for years. RedHat, Mirantis, Ubuntu, Dell, HP
and Cisco all have Openstack private cloud offerings now as well. Walmart just deployed Openstack on a larger scale to drive
their eCommerce business.
There are many different CMP's that support Openstack's complete feature set. As an example, Scalr has commercial and open
source offerings that plug directly into Openstack API.
Native container support (Magnum) has been added into Openstack. Container technologies such as Kubernetes and Docker
can now be fully orchestrated using Heat. This is an extremely important addition as it allows both bare metal (CoreOS, Atomic)
and virtual deployment (Containers running inside of KVM) of containers.
The project is still maturing when it comes to building in a more robust network stack. As SDN controllers become more
integrated with Neutron, we will see this situation improve.
Openstack helps organizations lower cost and decouple proprietary infrastructure from their cloud strategy.
9. HYBRID CLOUD ADOPTION
In a recent survey, The New Era of Hosted Services noted 68% of all enterprises will be using Hybrid Cloud by the next two years.
Hybid cloud adoption will continue to increase as organization demand better cost, scalability, business continuity and compliance
out of their resources.
Hybrid Cloud continues to offer more architectural flexibility for many organizations. There is still massive demand for dedicated
infrastructure to meet specific compliance, security and performance requirements.
Multi-tenant public cloud infrastructure has many uses, however things like sustained IOPS performance are sometimes times better
suited in dedicated hosted environments.
Hybrid clouds allow a wider use of Operating Systems, specifically legacy systems (e.g. AIX) that cannot run in public cloud. By
adopting a hybrid approach these systems can be used and connected to more advanced services.
Source: The New Era of Hosted Services
✔ Federate your resources in a cost effective manner by spanning
private and public clouds.
✔ Connect legacy services with public cloud resources and
✔ Unify private and public clouds with on-prem baremetal
resources with a cloud based CMP.
✔ Provide cost effective bursting for on-prem resources.
✔ Establish a cost effective disaster recovery using lower cost
highly-available public cloud infrastructure.
✔ Pick and choose a variety of pricing models, SLA's and legal
✔ Meet specific compliance requirements by choosing providers
that have already completed the compliance/security legwork.
✔ Build a dynamic infrastructure meeting exact performance
10. HYBRID CLOUD MANAGEMENT
Dealing with multiple clouds and legacy infrastructure is a very complex task. A good Cloud Management Product (CMP) addresses these
Lack of abstraction: CMP's provide layers of abstraction over multiple clouds to achieve a proper policy based provisioning model. As
an example, an organization might want to select the cheapest object storage for specific archival requirements. The CMP would then
reach out via API make that selection automatically for the customer.
Unified network orchestration: SDN's can now be integrated into CMP's to provide unified network management across hybrid cloud
environments. Through technologies like Openflow, CMP's can make calls directly to SDN frameworks, switches, VPN's and route
Improved utilization of DevOps resources: CMP's can use common automation and orchestration languages to allow a more
seamless DevOps experience. With a CMP doing the DevOps orchestration, you can ensure better availability, accountability,
performance, security and compliance.
Better control and visibility over cloud finance: CMP's can control and monitor on-demand infrastructure, perform show-
back/charge-back and conduct expenditure forecasting/analysis. Policies within the CMP can be established to perform workflows
based on specific criteria. As an example: A report on instance activity can be generated showing development instances that were
accidentally left running.
Lack of focus around the application: A CMP will allow DevOps and System Administrators to spend more time focusing on
applications rather than getting tied up in the complexities of provisioning IaaS.
Lifecycle limitations: In order to ensure workflows are complete, the CMP needs visibility into every aspect of the organizations cloud
footprint. A good CMP will connect common compute, network and storage resources to form deployable application stacks.
13. CLOUD SECURITY AND COMPLIANCE MANDATES
Depending on the sensitivity of information (low or moderate), federal agencies must meet some strict guidelines:
FISMA: The Federal Information Security Modernization Act mandates organizations follow NIST (800-53A) recommendations based
on specific impact levels. Systems usually go through an Authority to Operate (ATO) and require continuous monitoring to ensure
DoD: DoD workloads hosted on Cloud Services must comply with DoD security standards which are additive to FedRAMP and address
DoD specific security requirements. The higher the Impact Level (IL) the greater number of additive controls that must be met.
FedRAMP: This mandate follows the governments “Cloud First” initiative, giving preference to cloud-based technologies over on-
prem counterparts. The Security Authorization of Information Systems in Cloud Computing memo also mandates federal agencies use
FedRAMP ready clouds.
Because the process to achieve FedRAMP status is so difficult and time consuming, many of the newer cloud technologies and
services may not be immediately available.
Agencies that wish to use services outside the already established FedRAMP boundary can cross-connect hybrid cloud
infrastructure ONLY once they have received a P-ATO (Preliminary Authority to Operate) or ATO (Authority to Operate).
The Joint Authorization Board (JAB) will review the cloud and issue a recommendation for a P-ATO or ATO.
Other federal mandates include: FIPS 140-2, CJIS, DoD SRG, FERPA, VPAT and ITAR.
In the commercial space, there are many different mandates that also need to be met:
HIPAA: Designed to protect healthcare related information.
SOC/SSAE/ISAE: Designed to protect consumer data. This mandate consists of various safeguards including auditing of data,
accounting practices, confidentiality, integrity and privacy.
PCI DSS: Designed to safeguard branded credit card transactions.
Other commercial mandates include: GxP, ISO 27001 and GLBA.
14. SECURING HYBRID CLOUD WORKLOADS
Securing individual cloud assets with multiple tools can be very time consuming and introduce gaps in the overall cloud
security posture. Here are some tips to improve Hybrid Cloud security:
Use a CMP or or Hybrid Overlay Appliance to ensure all network changes are made consistently throughout your entire
cloud ecosystem. The CMP will also facilitate logging for compliance purposes though common API's.
Start to experiment with SDN controllers and find one that can orchestrate your existing and cloud connected networks.
Most modern switches support some level of Openflow or sFlow API control. The OpenDaylight Project is a great place to
start and offers good Hybrid connectivity right out of the box.
Deploy a Unified Threat Management Appliance (UTM) with remote data collectors to actively monitor traffic, events and
correlate everything into a central logging facility. UTM's also has these features:
Multi-factor Authentication (FreeIPA, YubiKey, RSA, CAC, AD Integration, etc).
Software and hardware vulnerability assessment tools. UTM's can be deployed in each location to ensure uniform
software updates throughout the organizations cloud footprint.
Dynamic Firewall Policies. The UTM will respond to API calls from a CMP to configure firewalls. Once a policy is
created, it can be deployed on public and private clouds simultaneously.
File Integrity Monitoring. The UTM scans server and application deployments to ensure unauthorized changes are
not being made. File Integrity Monitoring can be coupled with a firewall policy allowing the UTM to issue isolation
commands in the event of a breach.
Cloud Intrusion Detection/Prevention. Each UTM can monitor incoming/outgoing traffic, port access and other
anomalies and report back into the CMP logging facility.
16. HOW CAN A UTM HELP YOUR HYBRID CLOUD
AZ B Subnet
SSL VPN'sSSL VPN's
CLOUD MANAGEMENT PORTAL
AZ A Subnet
Private Cloud Site Subnet A
Private Cloud Site Subnet B
Secure UTM Ecosystem
✔ DDOS Mitigation
✔ Traffic Inspection/IDS/IPS
✔ Web/Email Protection
✔ Secure VPN
The Hybrid Cloud market is growing rapidly and so are the security and compliance requirements.
A good security model should consist of a CMP and some sort of UTM design. This will ensure better management, rapid
provisioning, improved monitoring/logging and strengthen security across all of your clouds.
Technologies like Openstack have opened new possibilities in the multi-tenant Hybrid Cloud ecosystem.
Container based systems should be considered to ease the burden on DevOps and reduce overall application provisioning
SDN technologies are finally production ready and will be making headway in 2016. By adopting SDN, organizations will have
greater control over their network resources, provisioning, security, etc.
Cyber attacks will become more complex, requiring improved security posture throughout the cloud ecosystem. UTM's
coupled with SDN and CMP will help reduce attack surface and improve security awareness.
More importance will be given to the application provisioning process than standing up traditional IaaS silos. Organizations
are looking for ways to continually improve their DevOps processes.
Cheaper non-proprietary commodity hardware adoption rates will increase as the need to reduce OPEX and CAPEX becomes
more important for most organizations.
Integrated Authentication Management (IAM) will be a top priority for organizations as they add additional hybrid cloud
resources to their footprint.
The increase in government/industry regulations will necessitate a more proactive security approach.