From the Gaming Scalability event, June 2009 in London (http://gamingscalability.org).
In this talk, Chris Purrington will discuss security challenges for cloud deployments and present VPN-Cubed, a solution for the problem of integrating your existing infrastructure with the cloud. VPN-Cubed is a federated mesh of VPN servers that can be embedded in applications to run as a secure overlay network across multiple locations, allowing your cloud machines to appear to exist on an extension of your local network. This enables you to run applications in the cloud while remaining connected to immobile systems such as databases and management interfaces.
As VP Sales at cloud enabler CohesiveFT, Chris is responsible for worldwide sales. With over 20 years in the software industry, Chris has extensive experience in leading ISVs to success in EMEA, including 9+ years at Application Lifecycle Management company Borland, where he was UK MD and VP UK, Ireland and Africa. Chris is an active member of the London cloud community, organising CloudCamp London and the AWS London User Group. Don't hold it against him, but Chris started his career as a 'bean counter', and is a Fellow of the Chartered Association of Certified Accountants.
1. Cohesive Flexible Technologies
Controlling and Securing Your Assets in the Cloud
Chris Purrington, CohesiveFT
Copyright CohesiveFT 2009 1
2. CohesiveFT - on boarding solutions for
public, private and hybrid clouds
Team looks like this
20 Cloud Computing Startups
You Should Know
3. CohesiveFT - on boarding solutions for
public, private and hybrid clouds
We do this
4. The cloud is not a panacea for bad design.
But moving applications to the cloud can quickly
reduce capital expenditure and speed time to market.
5. The first question on everyone’s mind:
Is my stuff safe up there?
10. Uhhh...no.
Typical VPN does not provide high availability,
overlapping address spaces, multi-site routing, etc.
But an overlay network can.
confidential 10
11. I will be robust and secure using
cloud-to-cloud DR
12. Do cross-cloud fail over...somehow....
(diagram: Cloud A)
13. Somehow...
(diagram: Cloud A)
14. Do this!
(somehow)
(diagram: Cloud A, Cloud B)
15. (somehow)
When you put your assets in a cloud you
surrender CONTROL of addressing, protocols,
topology, and secure communications.
But an overlay network gives back CONTROL.
18. Speaking of security...
What’s inside this VM?
I know, let’s ask him... Picture from: www.sysadminday.com
19. Speaking of security...
What’s inside this VM?
...or him. Picture from: www.sysadminday.com
20. Server “assembly” costs are THE
Enterprise IT cost
20-year journey from single file deployment
on homogeneous architecture (the “C”
program on Unix) to single file deployment
on heterogeneous architecture (the VM to
everywhere)
As such, assembly error and its
propagation represent one of the
biggest security risks as well
Photo credit: Zach Rosing, May 25, 2007
21. Do you have evil clones?
Good clones?
There are going to be a lot of them.
Run the numbers...
Photo credit: Paramount
10,000,000 - today
250,000,000 - 2015
2,500,000,000 - is not impossible
22. “P2V and SLA are
mutually EXCLUSIVE!”
PHYSICAL TO VIRTUAL........easy.
Why? The 3 rules of hardware
computing...
1) When you get a physical machine installed and
working - NEVER MOVE IT
2) When you get the software installed and
working - NEVER TOUCH IT
3) When you “touch it”, don’t tell anyone.
23. So...I am highlighting 2 issues in
securing your assets in the cloud
Even if using a cloud...it needs to be YOUR
infrastructure in YOUR control
Working from a “bill of materials” approach is
the only way to safely survive the clone wars
24. YOUR infrastructure in YOUR control
in the clouds
Use an “overlay network”
that you acquire, configure,
deploy and manage.
Enterprise IT is about checks,
balances, and risk mitigation.
25. What is an overlay network?
An overlay network is a computer network
which is built on top of another network.
Nodes in the overlay can be thought of as being
connected by virtual or logical links, each of
which corresponds to a path, perhaps through
many physical links, in the underlying network.
26. Use an overlay network
CONTROL:
- Your addressing
- Your topology
- Your protocols
- Your secure communications
27. I have software that REQUIRES
multicast for service discovery
This is true of many enterprise software
packages (grid computing packages, database
clusters, wikis and more).
Even inside the enterprise, complexity and lead
times prevent shared use of available resources
in disparate customer-controlled data centers,
because VLAN reconfiguration would be too
expensive.
VPN-Cubed allows you to get the multicast
traffic into the overlay network before it is
rejected by the underlying network
infrastructure. This allows you control of your
protocols.
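The overlay properties claimed on slides 10 and 25 to 27 (high availability through redundant managers, overlapping underlay address spaces, multi-site routing, customer-owned addressing and multicast carried as tunnel traffic) are easier to reason about with a small model in front of you. The following is an added example written for this page, not CohesiveFT's or VPN-Cubed's code: the site names, manager names, addresses, pre-shared keys and the 239.1.1.1 group are all constructed, and an HMAC-SHA256 tag per virtual link stands in for the encryption a real VPN tunnel would provide. Hosts are keyed on their overlay address, so the two hosts that both sit on underlay 10.0.0.5 never collide, and multicast to a group is fanned out as per-hop unicast frames, which is what lets it cross an underlay that would reject it.

```python
"""Toy overlay network: customer-chosen overlay addresses routed across a
mesh of per-site 'manager' nodes, independent of cloud-assigned underlay
addresses.  Example written for this page, not CohesiveFT code."""
import hashlib
import hmac
import ipaddress
from collections import deque

# Constructed topology.  Two US managers give high availability; the partial
# mesh means the datacenter reaches the EU only via a US manager.
SITES = {
    "datacenter": ["dc-mgr"],
    "ec2-usa": ["us-mgr-a", "us-mgr-b"],
    "ec2-eu": ["eu-mgr"],
}
# One pre-shared key per virtual link.  A real deployment carries the link in
# an encrypted VPN tunnel; here the key only authenticates frames (HMAC).
LINKS = {
    frozenset({"dc-mgr", "us-mgr-a"}): b"psk-dc-usa",
    frozenset({"dc-mgr", "us-mgr-b"}): b"psk-dc-usb",
    frozenset({"us-mgr-a", "eu-mgr"}): b"psk-usa-eu",
    frozenset({"us-mgr-b", "eu-mgr"}): b"psk-usb-eu",
}
# The datacenter host and the US host share underlay 10.0.0.5 (overlapping
# address spaces); forwarding keys on the customer-assigned overlay IP.
HOSTS = {
    "172.31.1.10": {"site": "datacenter", "underlay": "10.0.0.5"},
    "172.31.2.10": {"site": "ec2-usa", "underlay": "10.0.0.5"},
    "172.31.3.10": {"site": "ec2-eu", "underlay": "10.0.0.7"},
}
# Multicast groups are fanned out as unicast tunnel frames, so the underlay
# (which drops multicast) never has to carry them.
GROUPS = {"239.1.1.1": ["172.31.1.10", "172.31.2.10", "172.31.3.10"]}

def neighbours(mgr, down):
    """Managers adjacent to mgr over a virtual link, skipping failed ones."""
    out = set()
    for link in LINKS:
        if mgr in link:
            (other,) = link - {mgr}
            if other not in down:
                out.add(other)
    return sorted(out)

def manager_path(src_site, dst_site, down=frozenset()):
    """Breadth-first search from any live manager of src_site to any live
    manager of dst_site.  Returns the manager list, or None if unreachable."""
    starts = [m for m in SITES[src_site] if m not in down]
    targets = {m for m in SITES[dst_site] if m not in down}
    if not starts or not targets:
        return None
    if src_site == dst_site:
        return [starts[0]]            # local delivery, no tunnel hop
    queue = deque([m] for m in starts)
    seen = set(starts)
    while queue:
        path = queue.popleft()
        if path[-1] in targets:
            return path
        for nxt in neighbours(path[-1], down):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def _header(a, b, src_ip, dst_ip):
    return f"{a}>{b}|{src_ip}>{dst_ip}|".encode()

def hop_frame(a, b, src_ip, dst_ip, payload):
    """Encapsulate an overlay packet for link a->b, tagged with that link's key."""
    msg = _header(a, b, src_ip, dst_ip) + payload
    tag = hmac.new(LINKS[frozenset({a, b})], msg, hashlib.sha256).hexdigest()
    return {"from": a, "to": b, "src": src_ip, "dst": dst_ip,
            "payload": payload, "tag": tag}

def check_frame(frame):
    """Receiving manager accepts a frame only if its own link key signs it."""
    key = LINKS.get(frozenset({frame["from"], frame["to"]}))
    if key is None:
        return False
    msg = _header(frame["from"], frame["to"], frame["src"], frame["dst"]) + frame["payload"]
    expect = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expect, frame["tag"])

def deliver(src_ip, dst_ip, payload, down=frozenset()):
    """Map each receiver (one for unicast, every other group member for
    multicast) to its per-hop frames, or to None when no path exists."""
    if ipaddress.ip_address(dst_ip).is_multicast:
        receivers = [h for h in GROUPS.get(dst_ip, []) if h != src_ip]
    else:
        receivers = [dst_ip]
    result = {}
    for rcv in receivers:
        path = manager_path(HOSTS[src_ip]["site"], HOSTS[rcv]["site"], down)
        result[rcv] = None if path is None else [
            hop_frame(a, b, src_ip, rcv, payload) for a, b in zip(path, path[1:])]
    return result
```

With every manager up, `manager_path("datacenter", "ec2-eu")` goes via us-mgr-a; mark us-mgr-a down and the same call fails over to us-mgr-b; mark both US managers down and it returns None, which is the single-site-VPN situation the slide is contrasting with. `deliver("172.31.1.10", "239.1.1.1", b"DISCOVER")` produces one frame for the US member and two chained frames for the EU member, each verifiable only by the manager holding that link's key, so a frame replayed onto a different link or altered in transit fails `check_frame`.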
28. I want to control my own network addresses
I am an early adopter of cloud computing and
love the flexibility provided by public cloud like
Amazon EC2 but I want to control my own
network addresses, not be given some different
set of VLAN addresses when I reboot my
servers.
VPN-Cubed gives you control of your
addressing allowing you to give your cloud
servers static addresses that only change when
YOU want them to. Local infrastructure
control of addressing in the public clouds!
29. Can’t I use my existing data center NOC?
I have completed some of my “datacenter to
cloud” migrations but am now under pressure
to use new monitoring and management tools.
Can’t I use my existing datacenter NOC
(network operations center)?
VPN-Cubed allows you to simply set up an
overlay network for the express purpose of
connecting cloud VLANS (at EC2 for example)
to data center management installations using
popular commercial systems like Tivoli,
Unicenter, OpenView, as well as leading open
source systems like Nagios, Hyperic and
GroundWorks.
30. I want to use EC2 USA and EC2 Europe for both
fail over and data privacy issues
I am a cloud early adopter and I want to use
both Amazon EC2 USA and Amazon EC2
Europe for both fail over and data privacy
issues. How can I securely link the two
environments and treat them as one logical
network?
VPN-Cubed does this “out of the box” with a
pre-packaged solution “VPN-Cubed for EC2”
available for self-service clients as well as those
needing some professional services support.
31. Isn’t there a way I can test ISV solutions
as if on my local network?
I have an ISV who has a solution which I would
like to evaluate but it will be quite disruptive
for me to install. Can’t I test their solution
as if it was on my local network?
VPN-Cubed allows your ISV to install their
solution as a virtual server in a public cloud like
EC2, yet make it available to a DMZ or
particular set of VLANs in your corporate
environment.
The burden of testing the ISV solution should
rest with your vendor with minimal impact or
workload on your team.
32. VPN-Cubed Overlay Network
(diagram: VPN-Cubed Managers in the Data Center and in Cloud A create an
overlay network of Virtual Servers across the Internet, leased or private
network, carrying the customer's addressing, encryption and multicast)
VPN-Cubed Managers synchronize state and
management information across N managers
33. VPN-Cubed Editions
-VPN-Cubed for EC2 (Free)
-VPN-Cubed for EC2 (Paid AMIs)
-VPN-Cubed: Datacenter to EC2
-VPN-Cubed: Datacenter to EC2 (IPsec)
-VPN-Cubed: Enterprise Edition
34. VPN-Cubed for EC2 (Free Edition)
Build an overlay network controlled by VPN-Cubed Managers in US and/or EU
(diagram: Peers attached to Managers in EC2 USA, or in EC2 EU, or in both)
35. VPN-Cubed for EC2 (Paid AMIs)
Build an overlay network controlled by 4 managers in US and/or EU regions
(diagram: Peers attached to Managers in EC2 USA and EC2 EU)
36. VPN-Cubed: Datacenter to EC2
Run an overlay network using Manager pairs in EC2 region and your data center
WHAT IS DIFFERENT?
The local VPN-Cubed Managers will need to be
assembled in a virtual machine format you can
support.
You WILL need to allow the Managers in your
data center to initiate outbound connections.
You MIGHT want to allow the Managers in EC2
to initiate inbound connections to the local
managers, if so you LIKELY will have to make
some NAT entries in your network control
equipment.
You SHOULD put the VPN-Cubed Managers in a
VLAN setup where you are comfortable with
what traffic can and cannot traverse to and from
your EC2 VLAN.
(diagram: Peers in Your Data Center linked to Peers in EC2 EU or EC2 USA)
37. VPN-Cubed: Datacenter to EC2 (IPSEC)
Overlay network created via Manager pairs in EC2 and your data center equipment
WHAT IS DIFFERENT?
There are no local VPN-Cubed Managers.
Your data center extranet solution (Cisco ASA,
Cisco Pix, Juniper Netscreen) will connect to
VPN-Cubed Managers in the cloud, front-ended
by VPN-Cubed IPSEC Gateways.
You MIGHT want to allow the Managers in the
cloud to route traffic to your datacenter, if so you
WILL have to make some routing entries in the
VPN-Cubed Managers.
(diagram: Your Data Center linked over IPSEC to Gateways and Peers in EC2 EU or EC2 USA)
38. VPN-Cubed: Enterprise Edition
Complex, multi-manager, custom topology captured as a specification
Evolution of use cases.
As we discover different use cases we retrofit
them as specification to automatically drive the
user interface for peering and monitoring.
It is an incremental and ongoing process at this
point of the market.
39. YOUR infrastructure in YOUR control
in the clouds
(diagram: THIS or THIS)
Enterprise IT is about checks,
balances, and risk mitigation.
40. With a BOM approach:
- Identity
- Customization
- Provenance
This is an EC2 server... right?
Look again...
(diagram: Bill of Materials)
41. With a BOM approach:
Re-master device:
- new cloud
- new VM type
- new OS
Make clones with unique
IDs, unique MAC
addresses
It's the BOM!
(diagram: Bill of Materials)
43. What does Elastic Server do?
Gives Anyone
THEIR own
SOFTWARE FACTORY
44. What does Elastic Server do?
Any developer, SI, ISV, project, team, enterprise
can SOURCE
THEIR own component supply chain
can CREATE
THEIR own server design center
can MARKET,
can MESSAGE,
can DISTRIBUTE
THEIR own server product
49. Create
Deploy
Rapid deployment to virtual
and cloud infrastructures
Assembly portals allow
precise control of enterprise
architecture
50. Market
Message
Distribute
Assembly portals allow:
- control of your message
- control of your brand
- control of your architecture
- control of your execution context
- control of your customer connection
- support and highlight your ecosystem
- support e-commerce integration
- support usage pattern analysis
51. Manage
Save Bill of Material as a
template
Rebuild button
- allows “remanufacturing” for
patch mgmt
- allows “remanufacturing” for
migrations or heterogeneous
deployment
(diagram: Bill of Materials)
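Slides 20 and 21 name assembly error and its propagation through clones as a top security risk, slides 40 and 41 answer with a bill of materials that gives each image an identity, its customization and the provenance of every component, and slide 51 adds the rebuild button that re-masters the template for patching. The following is an added example written for this page, not Elastic Server's code: the product name, component names, their "contents" and the supplier URIs are constructed so it runs offline, and a real BOM would record digests of the actual packages pulled from each supplier. It shows the three checks a practitioner wants from such a BOM: a clone that matches its template verifies clean, an "evil clone" with a swapped or extra component is flagged, and a re-mastered BOM gets a new template id so stale clones built from the old one are detectable.

```python
"""Bill-of-materials (BOM) checks for assembled server images: verify the
identity, customization and provenance of each component in a clone,
re-master the template for a patch, and stamp clones with unique identities.
Example written for this page, not Elastic Server code."""
import hashlib
import json
import secrets
import uuid

def digest(data):
    return hashlib.sha256(data).hexdigest()

# Constructed component payloads standing in for the real packages.
COMPONENTS = {
    "base-os": b"constructed base image bits",
    "jvm": b"constructed jvm bits",
    "game-app": b"constructed application bits",
    "vpn-agent": b"constructed overlay agent bits",
}
BOM = {
    "product": "example-game-server",
    "version": "1.0",
    "components": [
        {"name": n, "sha256": digest(c), "source": f"supplier://{n}"}  # provenance
        for n, c in COMPONENTS.items()
    ],
    "customization": {"config": "gameserver.yml", "ports": [7777]},
}

def bom_id(bom):
    """Template identity: digest of the canonical JSON form of the BOM."""
    canon = json.dumps(bom, sort_keys=True, separators=(",", ":")).encode()
    return digest(canon)

def verify_image(bom, installed):
    """Compare {component: sha256} observed on an image against the BOM.
    An empty list means the clone is exactly what the template says it is."""
    expected = {c["name"]: c["sha256"] for c in bom["components"]}
    findings = []
    for name, sha in expected.items():
        if name not in installed:
            findings.append(f"missing: {name}")
        elif installed[name] != sha:
            findings.append(f"mismatch: {name}")
    for name in sorted(installed):
        if name not in expected:
            findings.append(f"unlisted: {name}")
    return findings

def remaster(bom, name, new_contents, new_version):
    """Patch one component and re-issue the BOM.  The template id changes, so
    clones built from the old BOM show up as 'mismatch' against the new one."""
    new = json.loads(json.dumps(bom))
    for comp in new["components"]:
        if comp["name"] == name:
            comp["sha256"] = digest(new_contents)
    new["version"] = new_version
    return new

def locally_administered_mac(rand=secrets.token_bytes):
    """Random MAC with the locally-administered bit set, multicast bit clear."""
    b = bytearray(rand(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)

def make_clones(bom, n):
    """n instances of one template: same BOM id, unique instance id and MAC."""
    tid = bom_id(bom)
    return [{"template": tid, "instance_id": str(uuid.uuid4()),
             "mac": locally_administered_mac()} for _ in range(n)]
```

`verify_image` is the check to run against a running clone's package digests before it is allowed onto the overlay; the "unlisted" finding is the one that catches the unplanned extra component, which a version-only comparison would miss. `remaster` changes the BOM id rather than editing it in place, so the template id on each clone record says which build it came from.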
52. Manage
Each Elastic Server is injected
with management
components to facilitate
enterprise virtualization
Common device control across
environments
53. Elastic Server Key Themes and Values
ES as a meta-packaging system
ES covers the continuum from “vm building” to an online community
for teamsourcing/crowdsourcing virtual servers
- Appliance Builders
- OSS ISVs
- Traditional ISVs
- Enterprises
ES as a driver of provenance, certification and standards
ES as a tool to integrate developers to the production flow
ES as an e-commerce system for marketing, messaging and
distributing virtual servers
ES as a defense against vendor lock in