Cloud Bound



This white paper is the first in a series describing EMC IT’s initiative to move towards a private cloud-based infrastructure. It describes EMC’s IT computing strategy, how the strategy evolved, and the three steps in transitioning to the cloud. Happy reading!!!



Issue 1
Cloud Bound: Journey to the Private Cloud
Featuring research from Gartner
Contents
• Cloud Bound: EMC Whitepaper – EMC IT’s Journey to the Private Cloud: A Practitioner’s Guide
• Gartner Research: From Secure Virtualization to Secure Private Clouds (page 12)

Executive summary
EMC is transforming its IT operations to improve its customer focus, create business transformation, and deliver operational efficiencies. To achieve these goals, EMC IT has embraced the private cloud approach to IT infrastructure. EMC IT defines the private cloud as the next-generation IT infrastructure comprising both internal and external clouds that enables efficiency, control, and choice for the internal IT organization. By transitioning to a private cloud-based IT infrastructure, and using the advanced capabilities that such an infrastructure provides, EMC IT’s ultimate goal is to enable end-to-end, on-demand self-service provisioning of IT services to its customers – the business units at EMC.

EMC IT has been concentrating first on its internal infrastructure to prepare for the transition to the cloud – and virtualization is at the core of this effort in shaping the new infrastructure. EMC IT has defined six key programs, introduced in this white paper, that are focused on the various components of the enterprise data center. Each initiative’s goal is to move EMC further along on its vision to build integrated infrastructures for virtualization at scale. Separate papers describing each initiative in detail are currently being developed to provide more information on EMC IT’s respective strategies in moving toward a cloud-based IT infrastructure. In parallel, EMC IT is developing policies and governance mechanisms for managing the new IT services paradigm. EMC IT has also designed frameworks for preparing the organization at various levels to achieve the transition to the private cloud.

EMC IT’s structured approach helps accelerate its journey to the private cloud by enabling the organization to get started with cloud initiatives versus waiting for complete solutions to emerge. By building solutions using existing technologies – in line with global trends – EMC IT hopes to adapt them to new technologies when they become available. All told, EMC’s journey from 2004 through 2009 resulted in savings of $104.5 million, including an estimated $88.3 million in capital equipment cost avoidance and $16.2 million of operating cost reduction due to increased data center power, cooling, and space efficiency. In addition, EMC expects to increase its storage utilization rate from 68 percent to 80 percent and avoid the purchase of more than 1.5 petabytes of storage over five years.

Cloud Bound is published by EMC. Editorial supplied by EMC is independent of Gartner analysis. All Gartner research is © 2011 by Gartner, Inc. All rights reserved. All Gartner materials are used with Gartner’s permission. The use or publication of Gartner research does not indicate Gartner’s endorsement of EMC’s products and/or strategies. Reproduction or distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on its website,
Introduction
This white paper includes the following sections:
• “An introduction to EMC IT” on page 3
• “EMC IT’s cloud computing strategy: a key to realizing IT priorities” on page 4
• “Making the transition to the private cloud” on page 4

This white paper is the first in a series describing EMC IT’s initiative to move toward a private cloud-based IT infrastructure. It describes EMC IT’s cloud computing strategy, how the strategy evolved, and the three steps in transitioning to the cloud. The paper also introduces the six key programs and the use case that helped EMC move toward an integrated infrastructure for virtualization.

Audience
This white paper is intended for IT program managers, IT architects, and IT management.

An introduction to EMC IT
EMC, the world’s leading developer and provider of information infrastructure technology and solutions, has a large, internal IT organization that supports the business operations of its global workforce. EMC IT supports nearly 50,000 users across over 80 countries and in excess of 400 business applications. Like all IT organizations, EMC IT faces the challenge of balancing cost, risk, and agility in its operations. The functionality, interoperability, and performance requirements of its internal customers must be satisfied – without compromising the security and manageability of IT systems and processes. EMC IT must also justify all of its investments with strong, metrics-based business cases that demonstrate return on investment (ROI) and total cost of ownership (TCO) before receiving management approvals.

Principles and priorities
EMC IT’s vision is based on three guiding principles: operational efficiency, business transformation, and customer focus. Making that vision a reality requires attention to the following priorities:
• Reduce operational costs – Helping business units lower the overall cost of operations by reducing IT operational costs.
• Improve agility of IT delivery – Increasing the flexibility of IT systems and processes to meet the changing needs of business units in the shortest possible time.
• Drive workforce productivity – Increasing global employee productivity through innovative applications, and investing in communication and collaboration technologies such as social computing and telepresence.
• Architect for the future – Making IT investments toward architecting the desired future state – as well as future-proofing solutions so they accommodate future requirements.
• Implement IT-proven solutions – Enabling the development of the highest-quality EMC products by serving as a live production testbed for EMC technology and driving customer orientation through use of the technology being developed. EMC IT also publishes documents internally that describe the challenges faced in using new EMC technology and how users have overcome these challenges.

EMC IT believes a key component of satisfying its priorities is the private cloud.

FIGURE 1: EMC’s guiding principles and top IT priorities. Guiding principles: Operational Efficiency, Business Transformation, Customer Focus. Top IT priorities: 1 Reduce operational costs; 2 Improve agility of IT delivery; 3 Drive workforce productivity; 4 Architect for the future; 5 Implement EMC “IT Proven” solutions. Source: EMC

In line with its vision of enabling the customer’s journey to the private cloud, EMC has launched the industry’s first Cloud Architect Certification Program. It is ideal to address cloud requirements when planning an extensive virtualized environment, to avoid potentially costly rework. For that reason, forming a team of experienced architects is a priority on the journey to the cloud. You can now build your team of trusted advisors with the Certified Cloud Architect (EMCCA) and Data Center Architect (EMCDCA) certification programs. Please find more information on http:/
EMC IT’s cloud computing strategy: a key to realizing IT priorities
EMC IT has embarked on a bold mission to move to a private cloud-based infrastructure. EMC defines the private cloud as the next-generation IT infrastructure that provides all of the benefits of cloud-based IT systems (for example, quality of service (QoS), performance, scalability, security, and management) even as it retains complete control of the IT infrastructure. A private cloud may use internal resources (internal cloud), external resources (external cloud, delivered via service providers in the public cloud), or a combination of both, as shown in Figure 2.

Cloud computing enables EMC to create an elastic, agile environment that provides business units with the ability to scale their IT resource requirements based on actual needs. Resource utilization is improved by provisioning the infrastructure for normal rather than peak loads with greater agility. By using the services of external cloud service providers and third parties, cloud-based IT can transform fixed costs into variable costs. This model also offers the benefits of increased choice, self-provisioning, and utility-based chargeback models as well as the benefits of next-generation security, compliance, and service delivery management.

EMC IT believes cloud computing has a few differentiating characteristics:
• IT is built differently using pooled architectures with defined service catalogs for each IT service and the ability to partition/move workloads to where they can best run.
• IT is run differently by using low- and zero-touch modes for IT operations, provisioning, and management.
• IT is consumed differently where end consumers of IT services can benefit from on-demand provisioning of IT, based on immediate requirements, and from multiple IT service providers.
• IT is governed differently from QoS for services to security as new sets of rules and roles emerge.

Transitioning to a cloud-based model provides the IT organization with the benefits of flexibility, efficiency, and dynamic, on-demand resource allocation. However, the IT organization may need to divest some of the control and choice of IT components to a third-party provider of cloud services, if external service providers are involved. It is in this context that EMC’s governance model in the cloud environment becomes more significant.

EMC believes that the capabilities of the private cloud will first evolve in the internal cloud and then federate out into the external and partner clouds. The private cloud has to integrate with the public cloud, and thereby EMC IT’s cloud strategy includes private as well as public cloud.

EMC IT’s evolution in the journey to the private cloud
The internal data center is at the core of EMC’s vision of the private cloud. Virtualization is a key enabling technology of the private cloud. Virtualization is the ability to increase the utilization of physical resources through techniques such as pooling and multiplexing. The evolution to the cloud begins by using virtualization effectively across all components of the data center infrastructure, namely systems, storage, network, security, monitoring and management, the application stack – all the way up to the desktop. Figure 3 illustrates this evolution, which involves redefining the IT organization’s mandate from being a provider of stand-alone components to being a provider of fully integrated, tested, validated, and ready-to-grow infrastructure and application packages that contain best-in-class components for a data center. The platform adopted by EMC IT is based on the x86 architecture, with 100 percent virtualization leveraging VMware vSphere™. The end goal of EMC IT’s transition to the private cloud is to achieve the ability to offer IT as a service to internal customers – the business units at EMC – with options for self-provisioning through a portal interface.

FIGURE 2: EMC IT’s cloud strategy. Source: EMC
In this model, IT is more than a supplier – IT becomes a business partner – and both IT and the business benefit. With access to IT as a service, the business benefits from the following:
• Simplicity of self-service access
• Alignment of costs with utility with a pay-for-use utility model
• Agility for faster time-to-market and the flexibility to change
• A user-centric, outcome-based approach to supporting business goals

The benefits for IT include efficiency through automation of tasks to do more faster; elasticity to acquire, deploy, change, or release on-demand; greater visibility into costs and control over service levels for better responsiveness; and greater control over the IT environment.

EMC IT is starting to offer services at various levels:
• Infrastructure as a Service (IaaS) offers EMC business units the ability to provision IT infrastructure components such as network, storage, compute, and operating systems as a service.
• Platform as a Service (PaaS) provides the application and information frameworks on top of application server, web server, and database components as a service to business units from which to develop the solutions.
• Software as a Service (SaaS) provides applications and tools in a services model for business enablement.

The next step in the journey is the ability to achieve federation of data and resources between data centers, beginning with internal virtual data centers and going on to federation between internal and external clouds. The aim is to equip the IT organization with the capabilities to move data and resources between internal and third-party data centers to achieve the real benefits of elastic IT provisioning. EMC IT recommends that to manage the progression shown in the previous figure, it is necessary to set up a roadmap, as shown in Figure 4, that further develops the components of the transition.

EMC IT’s roadmap of the transition to the private cloud

Planning the transition to the cloud
EMC believes that in order to transform the IT organization, it isn’t enough to just concentrate on changing the technology aspects. An IT transformation initiative must address five perspectives:
• Technology
• Business capabilities and experience
• People
• Operations
• IT policies/process/governance

Moreover, it is essential not to just consider these elements in isolation but to assess and plan for the complex interactions among them. In line with the components of an IT transformation initiative, EMC believes there are essentially three stages of adoption for organizations that are considering a private cloud strategy at the enterprise level and are at various stages. They are as follows:
• The IT Production stage, which targets dev/test/IT applications for virtualization to achieve cost efficiencies. Key capabilities leveraged include shared resource pools and elastic capacity.
• The Business Production stage, which enables business applications, including mission-critical applications with an emphasis on high QoS. Key capabilities leveraged include a zero-touch infrastructure and increased control combined with service assurance.
• The IT-as-a-Service stage, which emphasizes business agility. Key capabilities include service definition, service catalog, self-service, and chargeback.

FIGURE 3: EMC IT’s evolution in the journey to the private cloud. Source: EMC
FIGURE 4: EMC IT’s roadmap of the transition to the private cloud. Source: EMC

Each stage is characterized by business drivers and triggers, level of sponsorship for virtualization, types of applications virtualized, percentage of the x86 server infrastructure virtualized, and the IT competencies acquired along the journey. Success is measured by tracking business value realized (the value path). Examples include the areas of ongoing financial and productivity results achieved along the journey to the cloud, such as Capex and Opex savings and improved business agility.

When considering these three stages of adoption, it is important to plan the transition in measured steps as follows.

Step 1: Build the foundation
As a first step, EMC has been working on building the foundations at the technical level. This involves reaching out to technology practitioners in the IT organization to share information on basic cloud enabling technologies, their operations, and their integration methodologies. As virtualization is a key enabler of the transition to a cloud-based infrastructure, it is critical that IT practitioners learn and understand the impact of applying virtualization. Given the rapid pace of technology developments and extensions in the areas of virtualization and cloud computing, it is important that these discussions cover the current state of technology as well as trends, scenarios, and alternatives that might emerge in this vibrant segment of the IT landscape.

It is also critical to encourage technologists to look beyond individual pieces of the technology and look toward an integrated view of how the various components work together. This involves a number of domain-crossing discussions that bring together experts from different fields such as storage, network, backup, and server among others. This requires investments in hiring and cultivating specialists who can provide an overall solution view of cloud-based IT offerings and ensure the dissemination of information, reference architectures, and product and solution documentation to the technology audience.

Step 2: Accelerate change
The next step in this process, from EMC IT’s experience, consists of bringing discussions to the operations level with the delivery audience – those people focused on delivering IT services to the business. These discussions should focus on the two clear agendas of IT operations personnel:
• Leveraging new technologies to better meet key performance indicators used to measure IT effectiveness
• Making organizational and process changes, including the policy and governance mechanisms needed, to fully leverage the capabilities of the new technologies

Changes in technology can provide only limited benefits to businesses unless accompanied by process and organizational change. Therefore, challenging standard operating procedures, default assumptions around service levels and IT provisioning, and even the way IT is accounted and paid for, are essential to these discussions. These conversations may also result in the development of new operational roles, metrics, and service delivery models patterned around the concept of delivering IT as a service. However, during discussions at this level, EMC has found that it is critical to recognize the close links between people and processes, and pay careful attention to the complex interplays between operations, processes, and organizational change.

Step 3: Focus on the advantages of service management
Business units may not fully understand the advantages in migrating to a private cloud-based IT infrastructure beyond IT cost reduction. Therefore, EMC IT discovered that it is critical to educate business leaders about the additional value that EMC IT can create for them by leveraging the benefits of the cloud infrastructure. Discussions with business units must focus on the enhanced service management benefits the new infrastructure offers, such as:
• Introducing new services that can drive value to business units (for example, truly elastic IT provisioning, choice of service providers, and utility chargeback models)
• Reducing the cycle time for businesses through self-service IT provisioning, choice of multiple providers, and service level agreement-based IT service delivery
• Providing customers, clients, and employees with better user experiences through optimized IT infrastructures

EMC IT recognizes that an important transformational initiative of this nature brings with it the need for organizational change as well as a change in behavior from its employees. Continuous education and communication are crucial to getting the organization ready for this journey.

Building EMC’s private cloud infrastructure
At the heart of EMC’s transition to the private cloud is EMC IT’s “Virtualize Everything” strategy, which focuses on virtualizing all elements of a data center: systems, storage, network, security, monitoring and management, application stack (applications, databases, middleware), and even the desktop.

EMC IT identified six key programs along with a use case (virtual desktop), referenced in Figure 5 and described next, to make the transition to a private cloud-based IT organization.

1. Server virtualization and consolidation
With the goals of improving the utilization of IT resources in data centers and reducing the footprint of physical machines, EMC IT embarked on a server virtualization and consolidation exercise across all of its enterprise data centers. By 2008, EMC had consolidated 1,250 servers into just 250 machines, a transition that has reduced space requirements by 60 percent and power and cooling costs by 70 percent. By ensuring that all new solutions are VMware-compliant, and by following an aggressive plan to consolidate 1,600 additional servers to 40 servers over 2009-2010, EMC expects to save $13 million in costs and save an additional $10 million over the next five years, as well as dramatically reduce its carbon footprint and improve CPU and memory utilization rates. EMC’s vision is also in line with its commitment to the Virtual Computing Environment (VCE) coalition’s Vblock™ vision for building integrated infrastructures for virtualization at scale.

FIGURE 5: Key programs leading to private cloud. Source: EMC
2. Optimized storage and network
EMC is a world leader in information infrastructure. By leveraging EMC’s own experience and comprehensive product portfolio in the storage and information lifecycle management (ILM) space, EMC IT is working on further optimizing information storage for a cloud-based storage design. With technologies such as Fully Automated Storage Tiering (FAST), Virtual Provisioning™, and tiering, EMC IT separates information based on its criticality to the business. EMC IT has moved to a five-tier configuration from a two-tier storage model and has also increased the utilization of its storage infrastructure by 19 percent. EMC expects to increase its storage utilization rate from 68 percent to 80 percent, thereby avoiding the purchase of more than 1.5 petabytes of storage over five years. EMC IT expects to achieve the goal of 100 percent virtualized storage by 2011. EMC VPLEX™ is a key enabling technology that will enable EMC IT to virtualize and move workloads and associated information around data centers, and across internal and external clouds.

On the network side, EMC is leveraging its alliances with VMware and Cisco. Using technologies like IP-based storage and Fibre Channel over Ethernet (FCoE), EMC is focused on reducing cabling while increasing the speed and efficiency of data transfer.

3. Backup, recovery, and archiving
By using best-in-class EMC solutions such as Avamar®, Data Domain®, and NetWorker® for replication, backup, recovery, and archiving, EMC facilitates complete and highly effective information management from a virtual cloud-based infrastructure. In addition, data deduplication capabilities increase the efficiency of EMC’s growing backup-to-disk policy. Key benefits include reducing overall backup by 50 percent; decreasing backup time by 75 percent; using Avamar data deduplication capabilities to back up remote users; and increasing remote backup and recovery success rates from 38 percent to 98 percent.

4. Security
EMC’s private cloud vision involves the ability for IT managers to freely move and federate data and resources across internal and external clouds. Therefore, it is critical to enhance security to support multi-tenancy; data leakage protection; governance, risk, and compliance (GRC); and carrier security requirements. EMC collaborates with divisions such as RSA and Archer to virtualize security components and develop governance, risk, and compliance tools to monitor and manage the challenges related to transitioning IT to a private cloud-based infrastructure.

5. Management and automation
As private cloud-based IT management becomes a reality, it is imperative to track IT resources and information using an integrated tool suite. EMC’s Ionix™ suite of management software provides a single-pane-of-glass view of all of the IT resources across the virtualized data center. Using the advanced integrated IT management capabilities of Ionix tools such as Ionix Unified Infrastructure Manager (UIM) and Server Configuration Manager (SCM), and virtualization management tools from the VMware family such as VMware vCenter™ and vCloud™, EMC IT is working on solutions to accelerate self-provisioning of IT services, reduce time-to-market, and support innovative chargeback models.

6. Applications and cloud experience
EMC’s vision for the virtualized data center and the transition to the private cloud is to enable its IT organization to offer platforms and applications as services (for example, IaaS, SaaS, and PaaS). EMC is moving application servers, databases, and middleware to a virtualized platform, with the goal to provide them as on-demand infrastructure services to business units for their development activities. And EMC IT has been on the path to providing database grids on Oracle and Microsoft SQL Server to enable virtualized functionality. EMC IT also views the cloud model as a mechanism to support the movement of currently business-supported applications such as vApps into a controlled IT-supported model. EMC is working on enabling infrastructures based on vCloud to provide IT in a self-service model to its business units. In addition, EMC IT is looking to leverage Atmos® as an internal platform for offering compute and storage solutions as a public cloud service to its customers.

Virtual desktop infrastructure – an implementation use case
Using the power of VMware’s Virtual Desktop Infrastructure (VDI), EMC is working on desktop virtualization approaches to simplify and lower the cost of IT management, increase IT security, optimize information storage, and provision IT resources based on the needs, requirements, and profiles of its workers. The goal of EMC IT is to provision the user and not the device, hence the implementation of VDI will provide the ability for IT to enable different devices used by the end user. This would include the usual company-issued desktop or laptop but extend to a bring-your-own-device (BYOPC or BYOD) model in addition to thin clients and mobile devices.

EMC plans to have 100 percent virtualized desktops by 2012, resulting in improved and simplified security, lower client TCO, rapid deployment, reduced support costs, and user-based virtualization.

Making the transition to the private cloud
Before transitioning existing IT resources to a private cloud-based infrastructure, EMC IT performs the following key activities.

Ensure basic enabling technologies work
The first activity is to ensure that the basic enabling technologies work, as advertised, in EMC’s own IT environment. This requires rigorous testing of all infrastructure components within the virtualized data center – compute, storage, network, and orchestration – to ensure that their performance is in line with requirements and established benchmarks. Next, EMC IT configures and tests all software components for the required performance levels. Focused attention on security requirements and issues
relating to federation between locations is critical during this phase.

Create use cases and assess capabilities across requirements
The second general activity involves creating a high-level framework of use cases within the business and assessing the current capabilities across those requirements. The objective of identifying the use cases is to match the business needs to the appropriate cloud model for providing IT services. The high-level use cases are based on parameters such as time-to-market, demand predictability and IT elasticity, integration needs, network bandwidth and latency, security, risk and compliance, and business impact. The requirements across each of these parameters are dynamic and vary significantly across applications, affecting the choice of internal and external cloud resources required.

Define policy and governance mechanisms
The third activity is to define policy and governance mechanisms to manage and operate the private cloud-enabled IT organization. It is essential to define robust mechanisms to handle critical issues around technical characteristics such as security, bandwidth, and integration, followed by performance, which encompasses service delivery aspects such as IT management.

EMC IT’s private cloud policy and governance framework
The transition of IT to the private cloud directly impacts the revenue, operational and business costs, and risks faced by the organization, as described next:
• Impact to revenue – The transition to the private cloud helps IT organizations provide improved services to business units. These IT services help business units find new customers, enhance quality while lowering the cost of goods and services delivered, and sell more successfully to existing customers.
• Impact to costs – Transitioning the entire IT infrastructure to the private cloud calls for large organizational investments upfront, resulting in significant savings at the end of the transition. Therefore, it is essential to make adequate budgetary provisions initially to receive rewards later.
• Impact to risks – A private cloud infrastructure uses both internal and external cloud infrastructures. This calls for new approaches to manage the business and information risks for the organization. Therefore, it is essential to establish a governance body (involving people from business, finance, legal, and IT disciplines from within the company) for evaluating the migration of IT to a private cloud-based infrastructure.

EMC IT has developed a high-level policy and governance framework to move applications, platforms, and infrastructures to the external and public cloud. EMC has defined lead criteria that decide the policies and governance frameworks for an application:
• Application classification – Classifying applications as mission-critical (directly affecting customer service delivery, or affecting EMC’s revenue or its reputation), business-critical (critical to the operations of a business unit), or business supporting (a supporting application)
• Security – The information security requirements necessary for the application enablement
• Risk and compliance – A profile of the risks of incidents, from outages to information leaks, and the required compliance requirements
• Connectivity – Bandwidth and performance requirements for globally distributed applications and users
• Integration – The requirements to ensure that tightly coupled applications can work together
• Performance – Service delivery requirements such as availability, service level agreements, and IT service management
• Time-to-market – Rapid provisioning requirements
• Demand elasticity – Ability to deal with changes in the requirements of business units, as well as scale-up and scale-down needs

EMC IT has created a set of business use cases, such as those mentioned in Figure 6, for various profiles of services requested by business units with policies and small-scale governance functions for each use case.

The transition to the private cloud will enable EMC IT with a transparent method for tracking the usage of IT resources by business unit. This empowers EMC IT with the capability of constructing new chargeback models.

Conclusion
EMC’s cloud computing strategy is designed to completely transform its IT organization and operations. Such a transformation means making changes in the way IT is built, run, consumed, and governed at the company. The goal of this strategic initiative is to make EMC IT a customer-centric provider of end-to-end IT solutions to meet the business needs of EMC business units.

Leveraging the power of the private cloud, EMC IT is introducing innovative services such as on-demand IT infrastructure provisioning and self-service options for IT service. To facilitate this transition, EMC IT has concentrated its efforts on the definition of a clear strategy for internal cloud implemented through six programs, which focus on transitioning its IT infrastructure to the virtualized data center model. This initiative is in line with EMC’s vision for the Virtual Computing Environment, which it shares with its partners VMware and Cisco.

To prepare the organization for a new paradigm of IT operations, EMC IT is also educating stakeholders at various levels on the new IT service paradigms, as well as developing a strong policy and governance framework for managing the new IT infrastructure. Working closely with partners and product divisions, EMC IT is concentrating
on maximizing the business benefits of technology that can move its existing IT infrastructure to the private cloud.

FIGURE 6 A high-level abstraction of EMC IT's policy and governance model for external cloud usage. Source: EMC

EMC's structured approach helps accelerate its journey to the private cloud. It provides the company with the opportunity to begin cloud initiatives without waiting for complete standards to emerge, even as it moves from the Business Production stage to the IT-as-a-Service stage (Figure 7). This enables EMC IT to more easily leverage these solutions as technologies evolve.

Looking forward, EMC expects to increase the storage utilization rate from 68 percent to 80 percent and avoid the purchase of more than 1.5 petabytes of storage over five years. All told, EMC's journey from 2004 through … resulted in savings of $104.5 million, including an estimated $88.3 million in capital equipment cost avoidance and $16.2 million of operating cost reduction due to increased data center power, cooling, and space efficiency.

By having "risk versus reward" conversations with stakeholders at each level, EMC IT has been successful in accelerating the adoption of private cloud-based technologies within the company. This approach enables EMC to better structure discussions with partners and external IT cloud service providers. EMC IT is able to provide vendors with the granular details of candidate workloads and the solution requirements they seek.

References
Read the following for more information:

• EMC IT's Journey to the Private Cloud blog at

• EMC IT, A Blueprint for Data Center Efficiency white paper

• The following can be found on Chuck's Blog, an EMC insider's perspective on information, technology, and customer challenges:

• "Not All Clouds Are Private Clouds"

• "Private Clouds and the Fixed to Variable Discussion"

• "Private Cloud – The TOS Model"

• "Private Cloud Adoption Models"

• "Good Governance Equals Good IT?"

• Announcement of the VCE coalition

• Vblock Infrastructure Packages
FIGURE 7 EMC IT's progression to the private cloud-based infrastructure. Source: EMC

EMC's Cloud Optimiser Model
• A model developed by EMC and McKinsey.
• Assesses their environment and provides recommendations on the optimal use of Cloud in their environment
  – Includes Private, Public and Hybrid Cloud
• The Cloud Optimizer places application workloads based on three "filters":
  – Economic
  – Trust
  – Feasibility

• Learn more about these EMC offerings on
• EMC Atmos
• EMC Symmetrix Virtual Provisioning
• EMC FAST
• EMC Ionix
• VCE Cloud Computing Strategy Service

Take the next step.
To learn how EMC products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller – or visit us at

EMC Corporation
Hopkinton, Mass. 01748-9103
1-508-435-1000 (in North America 1-866-464-7381)

Abstract
This white paper is the first in a series of EMC IT Proven papers describing EMC IT's initiative to move toward a private cloud-based IT infrastructure. EMC IT defines the private cloud as the next-generation IT infrastructure comprising both internal and external clouds that enables efficiency, control, and choice for the internal IT organization.

Please click here to access a copy of the white paper.
From the Gartner Files: From Secure Virtualization to Secure Private Clouds

As enterprises move beyond virtualizing their data centers to build private cloud-computing infrastructures, security must evolve to support this. While the fundamental principles of information security don't change, how enterprises provision and deliver security services must change. This research outlines the foundational capabilities that will be required from enterprise security infrastructure to secure private cloud computing.

Key Findings

• Policies tied to physical attributes, security policy enforcement points embedded within physical appliances, and the usage of air gaps for security will inhibit private cloud adoption.

• Virtualization of security controls is an important step in enabling secure private clouds, but other capabilities are required.

• Context enablement, including application, identity and content awareness, will be critical to supporting secure private cloud computing.

• Securing a private cloud can't be just about technology, or it will fail. Changes to processes and a shift in mind-set will also be required.

• The need for security must not be overlooked or "bolted on" later during the transition to private cloud computing.

Recommendations

• Change your mind-set about information security to think of it as a set of adaptive services that are delivered via programmable infrastructure and controlled by contextual policies based on logical attributes to create adaptive zones of trust, using a separately configurable control plane.

• Pressure incumbent security vendors to deliver their security controls in a virtualized form to more easily address secure private cloud-computing requirements.

• In evaluations, heavily weight the ability to use a consistent way of expressing security policy across physical, virtualized and private cloud-computing environments as compared to using different vendors and solutions to address each separately.

• Maintain separation of duties between security policy enforcement and IT operations in the transition to virtualized data centers and then to private cloud-computing environments.

• Begin the transformation to context-aware and adaptive security infrastructure now as you upgrade and replace legacy static security infrastructure, such as network and application firewalls, intrusion detection systems (IDSs)/intrusion prevention systems (IPSs) and Web security platforms.

STRATEGIC PLANNING ASSUMPTIONS

By 2015, 40% of the security controls used within enterprise data centers will be virtualized, up from less than 5% in 2010.

By 2015, 70% of enterprises will allow server workloads of different trust levels to share the same physical hardware within their own data center, except where explicitly prohibited by a regulatory or auditor compliance concern.

ANALYSIS

Gartner defines "cloud computing" (including both private and public clouds) as a style of computing where scalable and elastic IT-enabled capabilities are delivered as a service to customers using Internet technologies. Often, the term "cloud" is used as a shorthand to talk about the attributes that enterprises believe cloud-based computing architectures will offer. Consumers of cloud-based services want usage-based consumption of the services via standard Internet technologies and self-service interfaces. Providers of cloud-based services want the ability to deliver scalable, shareable, automated and elastic services. We discuss these attributes in "Five Refining Attributes of Public and Private Cloud Computing."

At its core, private cloud computing is built on the same concepts, and clients indicate their desire to bring these same attributes into the enterprise data center. Here, the IT department becomes the cloud service provider to deliver IT as an elastic service to multiple internal customers. While the focus may shift slightly (for example, self-service provisioning for IT customers is more important, chargeback capabilities are typically less so), the desired attributes are the same. For most organizations, virtualization will provide the foundation and the steppingstone for the evolution to private cloud computing. However, the need for security must not be overlooked or "bolted on" later during the transition to private cloud computing.

Private Clouds: Same Security Needs, New Capabilities Required

Whether securing physical data centers, virtualized data centers or private clouds, the fundamental tenets of information security don't change – ensuring the confidentiality, integrity, authenticity, access, and audit of our information and workloads. These objectives translate into traditional security controls and policy enforcement points (PEPs) – for example, firewalling, IPS, IDS, encryption, digital signatures, authentication and authorization. However, there will be significant changes required in how security is delivered. Whether supporting private cloud computing, public cloud computing, or both, security must become adaptive to support a paradigm where workloads are decoupled from the physical hardware underneath and dynamically allocated to a fabric of computing resources. Policies tied to physical attributes, such as the server, Internet Protocol (IP) address, Media Access Control (MAC) address or where physical host separation is used to provide isolation, break down with private cloud computing. For many organizations, the virtualization of security controls will provide the foundation to secure private cloud infrastructures, but
alone, it will not be enough to create a secure private cloud.

To support secure private cloud computing, security must be an integral, but separately configurable, part of the private cloud fabric, designed as a set of on-demand, elastic and programmable services, configured by policies tied to logical attributes to create adaptive trust zones capable of separating multiple tenants (see Figure 1).

Ideally, the security models used to support private clouds would enable multidimensional hybrid environments – spanning physical to virtual workloads within the same data center and spanning between on-premises and public cloud-based computing environments. In this research, we outline six necessary attributes of private cloud security infrastructure and describe how security must change to support the construction of secure private clouds.

FIGURE 1 Evolving to Secure Private Clouds. Axes: Static to Dynamic (horizontal), Noncontextual to Contextual (vertical). Starting point: Physical, Single tenant, Static context, Policies tied to physical, Predetermined policies. Target: Virtual, Multitenant, Runtime context, Policies tied to logical, Adaptive policies. Source: Gartner (October 2010)

Although it is possible this type of adaptive security protection could be accomplished solely with physical security infrastructure and complex virtual LAN (VLAN) overlays, we believe most enterprises will use a combination of physical and virtualized security controls to extend security policy into private cloud structures. There are a variety of reasons for this, including addressing the loss of visibility of inter-VM traffic within a virtualized data center, as well as the input/output overhead if traffic is routed out to physical hardware for security policy enforcement. Virtualized security controls can place policy enforcement within the physical host, closer to the workload and information it is protecting when and where it is needed, enabling dynamic data center infrastructures as well as the potential to leverage alternative computing sourcing options.

By 2015, 40% of the security controls used within enterprise data centers will be virtualized, up from less than 5% in 2010.

A Set of On-Demand and Elastic Services

Rather than security being delivered as a set of siloed security product offerings embodied within physical appliances, it needs to be delivered as a set of services available "on demand" to protect workloads and information when and where they are needed. These services need to be integrated into the private cloud provisioning and management processes (not bolted on as an afterthought) and be made available to any type of workload – server or desktop (see Note 1). As workloads are provisioned, moved, modified, cloned and ultimately retired, the appropriate security policy would be associated with the workload throughout its life cycle.

The transition from security as a set of products to delivering security as a set of services is a significant mind-set shift for information security professionals. Virtualized security controls will help to enable this shift. In contrast to physical security controls, which scale up using larger and larger hardware-based appliances, virtualized security PEPs running within security VMs will support the simultaneous need to scale out with a larger number of security VMs running in parallel closer to the workloads and information they protect, and taking advantage of the high-availability and load-balancing capabilities available to all VMs.

Physical appliances will continue to be used for high-bandwidth applications at the physical boundaries of organizations. Virtualized security controls will be used throughout the private cloud fabric for inter-VM inspection and at logical boundaries to create zones of trust for workloads of different trust levels. Ideally, physical and virtual security controls will intelligently coordinate their inspection to avoid redundant inspection.

Note 1. Workloads
Workloads, in this sense, are the set of applications and services that support a given process, which may span more than one VM and one physical machine. This includes server and desktop workloads.

Programmable Infrastructure

The security infrastructure that supplies the security services discussed in the prior section must become "programmable" – meaning that the services are exposed for programmatic access (see Note 2). By definition, private and public cloud-computing infrastructure is consumable using Internet-based standards. In the case of programmable security infrastructure, the services are typically exposed using RESTful
APIs, which are programming language and framework independent.

Note 2. Programmatic API Access
These APIs will become a target for attack. To reduce the threat of attacks, the best practice will remain the isolation and separation of security and management control traffic to a separate physical network.

By exposing security services via APIs, the security policy enforcement point infrastructure becomes programmable from policy administration and policy decision points (such as operational and security management consoles or from other security intelligence systems such as security information and event management systems). There are multiple benefits to this shift in capability. This enables significantly higher levels of automation than are possible with traditional security infrastructure. As new workloads are introduced into the private cloud, security infrastructure can be automatically configured via "self-service interfaces" (where the "user" is a provisioning system, not an end user) to protect the new workload based on predefined security policies without requiring manual programming of the security controls.

This shift will enable information security professionals to focus their attention on managing policies, not programming infrastructure. Programmable security infrastructure can be modified in real time so that security services can adapt to workloads as they move dynamically within a private cloud or adapt as a workload's behavior changes. Longer term, as application infrastructure evolves within private clouds, applications will come prepackaged with models of deployment, topology, management and security policies for policy-driven automation. Policies consumed by management consoles and other security policy administration points will ultimately drive the configuration and programming of the security and management plane, not of the information technology professionals. By enabling security professionals to focus on policies, this capability has the added benefit of reducing the chance for human error in the programming of the security infrastructure underneath.

Policies That Are Based on Logical, Not Physical, Attributes and Are Capable of Incorporating Runtime Context Into Real-Time Security Decisions

The nature of the security policies that drive the automated configuration of the programmable infrastructure needs to change as well. As we move to virtualized data centers and then to private cloud infrastructure, increasingly, security policies need to be tied to logical, not physical, attributes. The decoupling and abstraction of the entire IT stack and movement to private and public cloud-computing models mean that workloads and information (even entire data centers, with the notion of a virtual data center) will no longer be tied to specific devices, fixed IP or MAC addresses, breaking static security policies based on physical attributes.

Security policies need to shift "up the stack" to logical attributes, such as the identity, group or role of the VM being protected; the identity, group or role of the application; the identity, group or role of the users; and the sensitivity of the workload and information being processed. The shift to identity, application and content awareness is part of a broader shift in information security to become context aware and adaptive.

To enable faster and more-accurate assessments of whether a given action should be allowed or denied, we must incorporate more real-time context information at the time a security decision is made. Context is not limited to identity, application and content awareness. It will expand to include environmental context (such as the time of day and geographic location of the server), trust of the device, integrity of the virtualization platform underneath, reputation of the VM being loaded, behavior the user or VM is exhibiting, and so on. Context should also include virtualization awareness so that, as a workload is live migrated or cloned, the associated security automatically moves with the workload throughout its life cycle, without requiring manual intervention.

There are multiple benefits to decoupling security policies from the workloads and information they protect. Powerful compound security policies can be delivered independent of network topology, avoiding complexity in VLAN configurations and network-cabling infrastructure. Also, by moving up the stack, security policies can be expressed in more business-friendly terms. For example, identifying which users and groups should access which applications is a straightforward policy to compose and attest to by the business process, information and application owners. Finally, by incorporating runtime context into security decisions, organizations can implement adaptive security policy based on the behavior of the user or of the workload (for example, if a workload is behaving oddly, place a stronger auditing control on it or limit its network access).

Adaptive Trust Zones That Are Capable of High-Assurance Separation of Differing Trust Levels

Instead of administering security policies on a VM-by-VM basis, security policies based on logical attributes as described in the previous section will be used to create zones of trust – logical groups of workloads with similar security requirements and levels of trust (for
example, all Payment Card Industry [PCI]-related workloads are assigned a specified level of security policy). As the policies are linked to groups of VMs and not physical infrastructure, the zones adapt throughout the life cycle of the VM as individual VMs move and as new workloads are introduced and assigned to the trust zone.

In today's virtualized data center, workloads of different trust levels are not typically combined onto the same physical server. However, this breaks the fluidity of private cloud-computing models. Increasingly, this capability will be desired for higher levels of efficiency and effectiveness of the resource fabric being shared. Leveraging emerging root of trust measurements for hypervisors and embedded hypervisors, secure private clouds need to be able to support workloads of different trust levels on the same physical hardware, without requiring the use of separate physical servers.

By 2015, 70% of enterprises will allow server workloads of different trust levels to share the same physical hardware within their own data center, except where explicitly prohibited by a regulatory or auditor compliance concern.

Adaptive trust zones will become the basis for trust, audit and compliance policies. Security policies will vary between trust zones, and security controls will be placed at the logical perimeters between key trust boundaries. For example, a trust zone of PCI-related workloads may require encryption of all data between virtual machines within the trust zone. It may also be restricted to access from only users associated with the PCI group; it may have all inter-VM traffic monitored with an intrusion detection system; and it may be separated from all other trust zones with stateful firewall inspection, as required by PCI. In contrast, a trust zone of virtual desktop infrastructure (VDI)-related workloads may be treated as untrusted with firewalling and in-line IPS-based inspection of all traffic to and from the zone, as well as blocking of any direct peer-to-peer traffic within the zone.

Trust zones may be nested so that what was a single, physical data center can now be managed and secured as multiple, virtual data centers, each composed of multiple logical, not physical, perimeters around trust zones. Security policy may then be applied as needed within and between zones. In most cases, multiple trust zones will be allowed to reside on a single physical host, with the enterprise able to define how much separation is sufficient for security and compliance purposes. For example, storage and backup can be isolated, and network traffic can be separated using IPS and firewalling enforcement, as internal or external compliance policies dictate.

Private cloud infrastructure will require security services that are designed to provide high-assurance separation of workloads of different trust levels as a core capability. This is exactly the same type of separation capability required by public cloud providers to separate and isolate tenants from different organizations. For enterprises building private clouds, the concepts are identical – although instead of tenants from different organizations, they will routinely be responsible for separating workloads of different trust levels, including different business units and divisions sharing the same underlying physical infrastructure.

Separately Configurable Security Policy Management and Control

Security must not be weakened as it is virtualized and incorporated into cloud-based computing infrastructures. The security controls and policies discussed previously must not be able to be arbitrarily disabled by operational staff and should fail open or closed as enterprise policies dictate. Strong separation of duties/concerns between IT operations and security needs to be enforceable within a private cloud infrastructure, just as within physical infrastructure and virtualized infrastructure today.

This separation occurs at multiple levels. If software controls are virtualized, we should not lose the separation of duties we had in the physical world. This requires that virtualization and private cloud-computing platform vendors provide the ability to separate security policy formation and the operation of security VMs from management policy formation and the operation of the other data center VMs. Typically, this will be enabled by integrating and controlling access to security operations at a granular level, using role-based access control within the management system controlled by integration with organizational and group information located in enterprise directories (typically Active Directory or an LDAP-enabled repository) along with delegated administration capabilities. Likewise, all security policy changes and operations to security VMs must be fully audited in tamper-resistant logs that are inaccessible to security administrators.

A security policy manager will enable the orchestration and definition of security policies and the assignment of policies to the logical attributes of the workloads and groups of workloads, as described previously, with an emphasis on policy integrity and testing. As a given, VMs may be assigned multiple security policies and may be members of more than one trust zone. The policy management system should support multiple, overlapping security policies to be assigned and be able to identify the resultant least-privilege policy and provide for policy resolution in the event of a conflict. Ideally, the system will support proactive modeling of "what if" scenarios before policy changes are implemented.

"Federatable" Security Policy and Identity

Private clouds will be deployed incrementally, not all at once. Private clouds will be carved out of existing data centers, where only a portion has been converted to a private cloud model. In addition, many enterprises will have a percentage of workloads that haven't been virtualized for years to come.
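To make the policy model described above concrete, here is an added illustration (not Gartner's or EMC's code): workloads carry logical attributes, trust zones are predicates over those attributes with a policy attached, overlapping zone policies resolve to the least-privilege combination, runtime context tightens the result, and a "what if" function models a proposed zone before it is deployed. All zone names, control fields, workload names and addresses are constructed assumptions.

```python
"""Adaptive trust zones with least-privilege policy resolution (constructed example).

A workload in several zones receives the most restrictive combination of their
controls; live migration changes only physical attributes, so policy follows it.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Workload:
    name: str
    app_role: str                 # logical attribute, e.g. "payment-api"
    sensitivity: str              # logical attribute, e.g. "pci"
    owner_groups: FrozenSet[str]  # logical attribute
    host: str                     # physical attribute: must not influence policy
    ip: str                       # physical attribute: must not influence policy


@dataclass(frozen=True)
class Policy:
    """One field per control; on conflict the stricter value of each field wins."""
    encrypt_inter_vm: bool = False
    ids_monitor: bool = False
    inline_ips: bool = False
    stateful_fw: bool = False
    block_peer_to_peer: bool = False
    allowed_user_groups: Optional[FrozenSet[str]] = None  # None means unrestricted
    audit_level: int = 0                                  # 0 normal .. 2 forensic
    network_access: str = "normal"                        # normal < restricted < quarantined


NETWORK_RANK = {"normal": 0, "restricted": 1, "quarantined": 2}


def least_privilege(a: Policy, b: Policy) -> Policy:
    """Merge two overlapping policies, keeping the more restrictive setting per control."""
    if a.allowed_user_groups is None:
        groups = b.allowed_user_groups
    elif b.allowed_user_groups is None:
        groups = a.allowed_user_groups
    else:
        groups = a.allowed_user_groups & b.allowed_user_groups  # both zones must allow a group
    return Policy(
        encrypt_inter_vm=a.encrypt_inter_vm or b.encrypt_inter_vm,
        ids_monitor=a.ids_monitor or b.ids_monitor,
        inline_ips=a.inline_ips or b.inline_ips,
        stateful_fw=a.stateful_fw or b.stateful_fw,
        block_peer_to_peer=a.block_peer_to_peer or b.block_peer_to_peer,
        allowed_user_groups=groups,
        audit_level=max(a.audit_level, b.audit_level),
        network_access=max(a.network_access, b.network_access, key=NETWORK_RANK.__getitem__),
    )


@dataclass(frozen=True)
class TrustZone:
    name: str
    member: Callable[[Workload], bool]  # predicate over logical attributes only
    policy: Policy


def effective_policy(w: Workload, zones: List[TrustZone], anomalous: bool = False) -> Policy:
    """Resolve every applicable zone policy to one least-privilege policy, then apply context."""
    result = Policy()
    for z in zones:
        if z.member(w):
            result = least_privilege(result, z.policy)
    if anomalous:  # runtime context: an oddly behaving workload gets more audit, less network
        result = least_privilege(result, Policy(audit_level=2, network_access="restricted"))
    return result


def migrate(w: Workload, host: str, ip: str) -> Workload:
    """Live migration changes only physical attributes; zone membership follows the workload."""
    return replace(w, host=host, ip=ip)


def what_if(workloads: List[Workload], zones: List[TrustZone], proposed: TrustZone) -> Dict[str, List[str]]:
    """Model a proposed zone before deploying it: which controls would change, per workload."""
    changes: Dict[str, List[str]] = {}
    for w in workloads:
        before, after = effective_policy(w, zones), effective_policy(w, zones + [proposed])
        diff = [f for f in Policy.__dataclass_fields__ if getattr(before, f) != getattr(after, f)]
        if diff:
            changes[w.name] = diff
    return changes


# Constructed zones modelled on the PCI and VDI examples in the text above.
PCI_ZONE = TrustZone("pci", lambda w: w.sensitivity == "pci", Policy(
    encrypt_inter_vm=True, ids_monitor=True, stateful_fw=True,
    allowed_user_groups=frozenset({"pci-ops"})))
VDI_ZONE = TrustZone("vdi", lambda w: w.app_role == "vdi", Policy(
    stateful_fw=True, inline_ips=True, block_peer_to_peer=True))
FINANCE_ZONE = TrustZone("finance", lambda w: "finance" in w.owner_groups, Policy(
    ids_monitor=True, allowed_user_groups=frozenset({"pci-ops", "finance-admins"})))
ZONES = [PCI_ZONE, VDI_ZONE, FINANCE_ZONE]

# Two constructed workloads of different trust levels sharing one physical host.
PAYMENT_API = Workload("pay-api-01", "payment-api", "pci", frozenset({"finance"}), "host-a", "10.0.1.5")
VDI_DESKTOP = Workload("vdi-desk-07", "vdi", "internal", frozenset({"hr"}), "host-a", "10.0.1.6")
```

The payment workload belongs to both the PCI and finance zones, so its allowed user groups are the intersection of the two and every "require" control from either zone is kept; moving it to another host or address leaves the effective policy unchanged.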
Ideally, private cloud security infrastructure would be able to exchange and share policies with other data center security infrastructure – virtualized and physical. There are no clear standards for the sharing of security policy. Spanning physical to virtualized infrastructure will require using the same vendor the enterprise has chosen to provide security in both environments, or using different vendors in each environment. Ideally, security controls placed across physical and virtualized infrastructure will be able to intelligently cooperate for workload inspection – for example, data going to and from the data center inspected by hardware-based physical security appliances.

Organizations will also begin experimentation with public cloud infrastructure as a service (IaaS) providers, creating hybrid private/public cloud-computing environments. Ideally, security policies designed to protect workloads when on premises would also be able to be federated (along with user identity-related information) to public cloud providers. There are no established standards for this either. However, the VMware vCloud API is a start, as is work within the Distributed Management Task Force (DMTF) to extend Open Virtualization Format (OVF) to express security policy. Absent clear standards and APIs, capabilities for extending enterprise security policy will remain fragmented, relying on a combination of controls bundled within workloads, virtual private network-based extension of network security policies, remote console-based policy management, remote API-based programming of service provider policies, and written commitments for security service.

Gartner RAS Core Research Note, G00208507, Neil MacDonald, Thomas J. Bittman, 12 October 2010