MPLS 2010: Network Enabled Cloud and Service Models

Network Enabled Cloud and Service Models Monique J. Morrow Cisco mmorrow@cisco.com www.mpls2010.com Insert Company Logo Here

Agenda Service and Deployment Models Factoring the Network Into the Cloud Cloud Management Cloud Security Inter-cloud Standards Summary Insert Company Logo Here

Common Taxonomy Cloud Framework from NIST Essential Measured Rapid Elasticity Characteristics Service On-Demand Broad Network Resource Self Service Access Pooling Service Software as a Infrastructure Platform as a as a Service Models Service (SaaS) Service (PaaS) (IaaS) Deployment Models Public Private Hybrid Community http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html Insert Company Logo Here

Cloud Services Taxonomy SaaS Enabled Applications Software as a CRM/ERP Desktop Apps Service (SaaS) End Users UC Video Other Apps Platform Enabled Applications Platform as a Billing Collaboration Service (PaaS) Developers Apps Dev Workflow Metadata Infrastructure Enabled Services Business Data Infrastructure as a Service (IaaS) System Infrastructure IT Department Hosted Hardware Grid Insert Company Logo Here

Applications in the Cloud Supporting Hybrid: Not One-Size-Fits-All Future Data “Trust” (Verifiable) -  Secure and Private -  Compliant Strategic Today Development and Test Web Apps (some) Media Distribution Service Levels Large Scale Compute/Storage Mission Critical Insert Company Logo Here

Hybrid Cloud for Enterprise Extension Multi-Tenant SP virtual private cloud services IaaS Enterprise - w/security Enterprise Internal Cloud - SLA support Virtualized DC Enterprise Virtualized DC Internet Seamless Extension of the Enterprise DC (IaaS) (elastic compute, storage, network, services) Insert Company Logo Here

Challenge: Tightly Integrating Network Services  One-size-fits-all makes it easier, but at the expense of functionality  More than just VMs on a VLAN!  Scaling becomes a challenge with just 20K VM’s and 100’s of tenants  Requires understanding of NW service abstraction, template-based configuration, tiered network designs Insert Company Logo Here

Network Factored Cloud App Tiers in a Typical DC Branch Branch DC Dept/Customer 1 Dept/Customer 2 Internet MAN/WAN/SP Net Web Tier DMZ App Tier Core Distribution DB Tier Aggregation Storage Tier Dept 2 Dept 1 App 6 App 1 Tiered Network: Access   Storage   SAN/NAS DB 2 DB 1   Access: App tiers reside here   Aggregation, distribution, core SAN Outsource (part of app tiers may reside here) to Cloud   DMZ Insert   Campus core/MAN/WAN edges Company Logo Here

Multi-tenant Cloud DC Need Support for Following, for Example: (Via Support Of API, vDC Configuration Spec A La OVF)   Isolate vDCs not just VM level, but also at network level   Network service or capability insertion (virtual or physical) at various layers on-demand Isolation Dept/Customer 1 Dept/Customer 2  Network QoS  Firewall  VPN Storage Tier  Network QoS  SSL Acceleration App Tier  Load Balancing  Firewall  Network QoS DB Tier  Load Balancing  Firewall  Network QoS Storage Tier  VSAN Insert Company Logo Here

Hybrid Cloud With Intelligent Network - High Level Use Case Additional Capacity Needs – Request Cloud Cloud Resources Data Center Internal Data Center Check Availability, Performance, Determine Optimal Location Cloud VPN Self-provision Network Tenant, Virtual Core Compute, Storage, Cloud Data Center VPN Workloads Deployed Cloud Data Center ‘Pay-as-you-go’ for compute, storage, network Insert Company Logo Here

Changing the Approach Current state Cloud Aware Infrastructure Periodic polling from Real-time publishing of state network mgmt system to from Network Devices – Scales devices does not scale well Management plane driven Network Control plane reduces – Scaling is achieved using the scaling challenges of technologies like clustering management plane Policy Definition and Policy Definition resides in Enforcement happens in Management tool & Management tool - communicates via Service requires update for every Layer APIs to Network Elements new device, flow, model to enforce policy Insert Company Logo Here

Where to Provision the Tenant? Utilizing Network Intelligence   Key for many SP applications Video – where to go that’s closest for particular video segment Mobile – where to go for resources needed for a particular customer Cloud (intra-DC) – workload positioning across pods within a DC Cloud (inter-DC) – workload positioning across DCs within an NGN   Network can provide more than just proximity information View into not only topology but performance data, link costs, etc.   API call provides customer identity, policy, requirements, receives top location(s) of / for resources Insert Company Logo Here

Cloud Management   Not traditional management Cloud User Admin (CUA) vDC Creation and VPN Association   Everything has to be on-demand, on-line and elastic Cloud Service Mgmt MW Cloud Service Component If management layer does not have Service Composition Service Composition on-line, on-demand interfaces, it (Via OVF Spec, for Example) will be not be suitable for Cloud Cloud Provider + + + Corp VPN Admin (CPA)   Static provisioning has to be minimal, if at all Cloud Infra Management Decompose Services and Orchestrate   Autonomic flow-through Provisions + + + Corp VPN provisioning should be the norm   Compute, storage and network Compute Element Storage Element Network Service Network Service managed as a whole, interrelated, Management Management Mgmt L4–7 Mgmt L2–3 VPN not in isolation Corp VPN Provisions On-demand Insert Company Logo Here

Cloud Security Threats and Issues   Where is my data? Geographical location of data Who is accessing it on the physical and virtual servers? Is it segregated from others? Can I recover it?   What is the threat vector for cloud services? Will it be heavily targeted?   How do I identify the weakest link in cloud services security chain?   Would centralization of data bring more security? Federated trust and identity issues   Who would manage risk for my business assets? And, can I comply with regulatory requirements set by (choose your standards body) Insert Company Logo Here

Private Cloud Private Cloud Security  What is a Private Cloud? –  It’s Private ;-) –  You have control of everything –  You decide the security policy –  No need for total seperation of resources (some exceptions apply) –  Need to secure virtual machines and services Insert Company Logo Here

Public Cloud Public Cloud Security  What is a Public Cloud? –  You are sharing a public infrastructure with others –  You do not have control of the infrastructure –  You do not decide the common security policy –  You control access to the leased infrastructure (IaaS/PaaS) –  You control access to your own services (IaaS/PaaS/SaaS) –  You need to work together with the Cloud Provider to establish trust and control  Need to set up a framework for controlling SLA’s and ensure that Security/Monitoring/Compliance/Audit requirements are fulfilled Insert Company Logo Here

Securing Clouds – Approach  As with any security area, organizations should adopt a risk-based approach to moving to the cloud and selecting security options (*) –  Identify the asset for the cloud deployment –  Evaluate the asset –  Map the asset to potential cloud deployment models –  Evaluate potential cloud service models and providers –  Sketch the potential data flow –  Conclusion / Decision * Cloud Security Alliance Whitepaper v2.1 Insert Company Logo Here

What Assets Do We Protect?   Company reputation   Customer trust   Employee loyalty and experience   Intellectual property   Service delivery   Personal data   Credentials   User directory   Cloud service management interface   Network   Physical hardware   Buildings   Logs   Backup or archive data Insert Company Logo Here

Risks  Policy and organizational Lock-in, Loss of governance, Compliance challenges, Cloud service termination or failure, Supply chain failure  Technical Resource exhaustion, Isolation failure, Cloud provider malicious insider, Management interface compromise, Intercepting data in transit, Insecure or ineffective deletion of data, DDoS  Legal Subpoena and e-discovery, Changes of jurisdiction, Data protection risks, Licensing risks  Non cloud Network breaks, Network management, Modifying network traffic, Privilege escalation, Social engineering Insert Company Logo Here

Benefits   Security and the benefits of scale Multiple locations Edge networks Improved timeliness of response: larger to incidents Threat management   Security as a market differentiator   Standardized interfaces for managed security services   Rapid, smart scaling of resources   Audit and evidence-gathering   More timely and effective and efficient updates and defaults   Benefits of resource concentration Insert Company Logo Here

Securing Clouds – Approach  As with any security area, organizations should adopt a risk-based approach to moving to the cloud and selecting security options (*) –  Identify the asset for the cloud deployment –  Evaluate the asset –  Map the asset to potential cloud deployment models –  Evaluate potential cloud service models and providers –  Sketch the potential data flow –  Conclusion / Decision * Cloud Security Alliance Whitepaper v2.1 Insert Company Logo Here

Evaluate the asset  How Important is the asset, what is the harm if the asset became widely public and widely distributed? an employee of our cloud provider accessed the asset? the process or function were manipulated by an outsider? the process or function failed to provide expected results? the information/data were unexpectedly changed? the asset were unavailable for a period of time?  Confidentiality, integrity and availability requirements when (part of) the resource is in the cloud Insert Company Logo Here

Security as a Service — Assessments Regulatory Compliance Audits and Reports Vulnerability Assessment Define Security Policies Global Security Intelligence Center Automate Mitigate risk and eliminate Insert Monitor and measure network compliance Company Distribute security and compliance reports Logo Here

References  NIST Cloud Definition http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc  ENISA Cloud Computing Risk Assessment http://www.enisa.europa.eu/act/rm/files/deliverables/cloud- computing-risk-assessment/at_download/fullReport  Cloud Security Alliance http://cloudsecurityalliance.org/ Insert Company Logo Here

The Inter-Cloud Apps Integrate Services from Multiple Clouds   Naming/Discovery   Trust   Exchange/Peering Apps Integrate Services Dynamic Workload from Multiple Clouds Migration Insert Company Logo Here

Inter-cloud Potential for Disruption Interoperable Server Side Protocols and Formats Proprietary Proprietary Computing, Storage Computing, Storage Client Client SVMP*, SSRP*, SOIP* Proprietary Proprietary Computing, Storage Computing, Storage Client Client *Simple VM Mobility Protocol *Simple Storage Replication Protocol *Simple Other Inter-cloud Protocols As Needed Insert Company Logo Here

Evolution of the Cloud Computing Market from Stand-alone to the Inter-cloud Open Cloud (Federations) Private Cloud Private Cloud Virtual Inter Cloud Private Cloud Stand Alone Data Centers Public Cloud Public Cloud Public Cloud (1) Public Cloud (2) Phase 1 Phase 2 (Present) Phase 3 Phase 4 (2015–2017) Federation/Workload Portability/ Insert Interoperability/Security Company Logo Here

Where Is the Standards Work to be Done? CSA DMTF NIST IEEE OGF ETSI-TC Grid MEF ITU-T And More…. SNIA CCIF OCM OASIS NCOIC IETF OCM LA TMF Insert Company Logo Here

Interoperability Standards Common Interfaces/APIs for Cloud services offered by Cloud SP (CSP)   OCCI for compute, SNIACDMI for storage   Not much for network, such as standard API for Virtual private Cloud (VPC), load-balancing (LB), firewall, QoS, bandwidth and other services Workload mobility/migration with following elements moving between Clouds (End user to CSP to Enterprise to CSP, CSP to CSP)   Virtual DC (vDC) with App, VM and relevant (App, VM, network) Configurations   Both static or live migration considered   OVF for vDC specification  move the OVF spec   Currently lacks features, such as network related   No standard VM (disk) format Insert Company Logo Here

Summary Cloud Computing Represents a Shift in how Application and Data Center Resources Will be Architected and Consumed Sample Areas for Standardization:   Network abstraction, virtualization   Cloud security   Federation and interoperability   Innovation – What disrupts YOU? Insert Company Logo Here

http://blogs.cisco.com	646
http://rtts-demo.lionbridge.com	1
http://translate.googleusercontent.com	1
http://webcache.googleusercontent.com	1

MPLS 2010: Network Enabled Cloud and Service Models

by Cisco Service Provider on Nov 15, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

4 Embeds 649

Statistics

MPLS 2010: Network Enabled Cloud and Service Models — Presentation Transcript