Securing Enterprise Assets In The Cloud


From the Gaming Scalability event, June 2009 in London.

In this talk, Chris Purrington will discuss security challenges for cloud deployments and present VPN-Cubed, a solution for the problem of integrating your existing infrastructure with the cloud. VPN-Cubed is a federated mesh of VPN servers that can be embedded in applications to run as a secure overlay network across multiple locations, allowing your cloud machines to appear to exist on an extension of your local network. This enables you to run applications in the cloud while remaining connected to immobile systems such as databases and management interfaces.

As VP Sales at cloud enabler CohesiveFT, Chris is responsible for worldwide sales. With over 20 years in the software industry, Chris has extensive experience in leading ISVs to success in EMEA; this includes 9+ years at Application Lifecycle Management company Borland, where he was UK MD and VP UK, Ireland and Africa. Chris is an active member of the London cloud community, organising CloudCamp London and the AWS London User Group. Don't hold it against him, but Chris started his career as a 'bean counter', and is a Fellow of the Chartered Association of Certified Accountants.


  1. Cohesive Flexible Technologies. Controlling and Securing Your Assets in the Cloud. Chris Purrington, CohesiveFT. Copyright CohesiveFT 2009
  2. CohesiveFT: on-boarding solutions for public, private and hybrid clouds. Team looks like this (“20 Cloud Computing Startups You Should Know”).
  3. CohesiveFT: on-boarding solutions for public, private and hybrid clouds. We do this.
  4. The cloud is not a panacea for bad design. But moving applications to the cloud can quickly reduce capital expenditure and speed time to market.
  5. The first question on everyone’s mind: Is my stuff safe up there?
  6. Security and control remain top concerns.
  7. Use “your father’s VPN”.
  8. Typical VPN: remote office access.
  9. Typical VPN: remote office access (same diagram, with several links marked X).
  10. A typical VPN does not provide high availability, overlapping address spaces, multi-site routing, etc. But an overlay network can. confidential
  11. I will be robust and secure using cloud-to-cloud DR.
  12. Do cross-cloud failover... somehow... (Cloud A)
  13. Somehow... (Cloud A)
  14. Do this! (somehow) (Cloud A, Cloud B)
  15. When you put your assets in a cloud you surrender CONTROL of addressing, protocols, topology, and secure communications. But an overlay network gives back CONTROL.
  16. Speaking of security... What’s inside this VM?
  17. Speaking of security... What’s inside this VM?
  18. Speaking of security... What’s inside this VM? I know, let’s ask him...
  19. Speaking of security... What’s inside this VM? ...or him.
  20. Server “assembly” costs are THE enterprise IT cost: a 20-year journey from single-file deployment on a homogeneous architecture (the “C” program on Unix) to single-file deployment on heterogeneous architecture (the VM, to everywhere). As such, assembly error and its propagation represent one of the biggest security risks as well. Photo credit: Zach Rosing, May 25, 2007.
  21. Do you have evil clones? Good clones? There are going to be a lot of them. Run the numbers: 10,000,000 today; 250,000,000 by 2015; 2,500,000,000 is not impossible. Photo credit: Paramount.
  22. “P2V and SLA are mutually EXCLUSIVE!” Why? The 3 rules of hardware computing: 1) When you get a physical machine installed and working, NEVER MOVE IT. 2) When you get the software installed and working, NEVER TOUCH IT. 3) When you “touch it”, don’t tell anyone. Physical to virtual... easy.
  23. So... I am highlighting 2 issues in securing your assets in the cloud: even when you use a cloud, it needs to be YOUR infrastructure in YOUR control; and working from a “bill of materials” approach is the only way to safely survive the clone wars.
  24. YOUR infrastructure in YOUR control in the clouds. Use an “overlay network” that you acquire, configure, deploy and manage. Enterprise IT is about checks, balances, and risk mitigation.
  25. What is an overlay network? An overlay network is a computer network which is built on top of another network. Nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.
  26. Use an overlay network. CONTROL: your addressing, your topology, your protocols, your secure communications.
  27. I have software that REQUIRES multicast for service discovery. This is true of many enterprise software packages (grid computing packages, database clusters, wikis and more). Even inside the enterprise, complexity and lead times prevent shared use of available resources in disparate customer-controlled data centers because VLAN reconfiguration would be too expensive. VPN-Cubed allows you to get the multicast traffic into the overlay network before it is rejected by the underlying network infrastructure. This gives you control of your protocols.
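What "getting the multicast traffic into the overlay" has to do on each node, as an added example that is not VPN-Cubed's code: the node captures a datagram addressed to a service-discovery group that the cloud's underlying network would drop, wraps it in a unicast frame for its overlay peers, and the receiving node unwraps it and re-emits it on its local segment. The frame carries an HMAC and a sequence number so that a frame injected or replayed from the underlay is rejected rather than re-emitted into the customer's network, and only groups the overlay was configured to carry are relayed. The key, group address, port and discovery payload are constructed for the example; the payload is authenticated but not encrypted here (Python's standard library has no AEAD cipher), whereas a production overlay encrypts it as well.

```python
"""Relay multicast discovery datagrams across a unicast overlay (added example).

Not VPN-Cubed's code. An overlay node captures a datagram destined for a
multicast group that the underlying cloud network would drop, wraps it in a
unicast frame for each peer, and the peer unwraps it and re-emits it locally.
Frames are authenticated with an HMAC and carry a sequence number so frames
injected or replayed from the underlay are rejected. Key, groups, port and
payload used below are constructed.
"""
import hashlib
import hmac
import socket
import struct

MAGIC = b"OVL1"
# magic | sequence number | IPv4 group | UDP port | payload length
HEADER = struct.Struct("!4sI4sHH")
TAG_LEN = hashlib.sha256().digest_size


def is_multicast(group: bytes) -> bool:
    """IPv4 multicast is 224.0.0.0/4, i.e. first octet 224..239."""
    return 224 <= group[0] <= 239


class OverlayRelay:
    """One overlay node. Both ends share the key and the allowed-group list."""

    def __init__(self, key: bytes, allowed_groups):
        self.key = key
        self.allowed = {socket.inet_aton(g) for g in allowed_groups}
        for g in self.allowed:
            if not is_multicast(g):
                raise ValueError("allowed_groups must be multicast addresses")
        self.tx_seq = 0      # next sequence number this node sends
        self.rx_last = -1    # highest sequence number accepted so far

    def encapsulate(self, group: str, port: int, payload: bytes) -> bytes:
        """Wrap a captured multicast datagram in an authenticated unicast frame."""
        gaddr = socket.inet_aton(group)
        if gaddr not in self.allowed:
            raise PermissionError(f"group {group} is not carried by this overlay")
        if len(payload) > 0xFFFF:
            raise ValueError("payload too large for the 16-bit length field")
        body = HEADER.pack(MAGIC, self.tx_seq, gaddr, port, len(payload)) + payload
        self.tx_seq += 1
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def decapsulate(self, frame: bytes):
        """Verify a frame from a peer; return (group, port, payload) to re-emit."""
        if len(frame) < HEADER.size + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):       # constant-time compare
            raise ValueError("authentication failed: frame is not from an overlay peer")
        magic, seq, gaddr, port, length = HEADER.unpack_from(body)
        if magic != MAGIC:
            raise ValueError("not an overlay frame")
        if seq <= self.rx_last:
            raise ValueError(f"replayed or reordered frame (seq {seq})")
        payload = body[HEADER.size:]
        if len(payload) != length:
            raise ValueError("length field does not match payload")
        if gaddr not in self.allowed:
            raise PermissionError("group is not carried by this overlay")
        self.rx_last = seq
        return socket.inet_ntoa(gaddr), port, payload


def relay_once(sender: OverlayRelay, receiver: OverlayRelay, group, port, payload):
    """Carry one datagram from one overlay node to another and return what the
    receiver would re-emit onto its local multicast group."""
    return receiver.decapsulate(sender.encapsulate(group, port, payload))


if __name__ == "__main__":
    key = b"constructed-shared-overlay-key"
    groups = ["239.192.0.1"]                               # constructed discovery group
    dc_node, cloud_node = OverlayRelay(key, groups), OverlayRelay(key, groups)
    announce = b"HELLO cluster-a member=10.10.0.11:7800"   # constructed payload
    print(relay_once(dc_node, cloud_node, "239.192.0.1", 7800, announce))
```

The strictly increasing sequence check is the simplest anti-replay rule and also drops frames that merely arrived out of order; a production overlay uses a sliding window like IPsec's so reordering within the window is tolerated while replays are still refused. The allowed-group list matters as much as the HMAC: it is what stops a compromised cloud node from using the tunnel to push arbitrary multicast (routing protocol hellos, for instance) into the data center segment.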
  28. I want to control my own network addresses. I am an early adopter of cloud computing and love the flexibility provided by a public cloud like Amazon EC2, but I want to control my own network addresses, not be given a different set of VLAN addresses when I reboot my servers. VPN-Cubed gives you control of your addressing, allowing you to give your cloud servers static addresses that only change when YOU want them to. Local infrastructure control of addressing in the public clouds!
  29. Can’t I use my existing data center NOC? I have completed some of my “datacenter to cloud” migrations but am now under pressure to use new monitoring and management tools. Can’t I use my existing datacenter NOC (network operations center)? VPN-Cubed allows you to simply set up an overlay network for the express purpose of connecting cloud VLANs (at EC2, for example) to data center management installations using popular commercial systems like Tivoli, Unicenter and OpenView, as well as leading open source systems like Nagios, Hyperic and GroundWork.
  30. I want to use EC2 USA and EC2 Europe for both failover and data privacy. I am a cloud early adopter and I want to use both Amazon EC2 USA and Amazon EC2 Europe, for failover and for data privacy reasons. How can I securely link the two environments and treat them as one logical network? VPN-Cubed does this “out of the box” with a pre-packaged solution, “VPN-Cubed for EC2”, available for self-service clients as well as those needing some professional services support.
  31. Isn’t there a way I can test ISV solutions as if on my local network? I have an ISV who has a solution which I would like to evaluate, but it will be quite disruptive for me to install. Can’t I test their solution as if it were on my local network? VPN-Cubed allows your ISV to install their solution as a virtual server in a public cloud like EC2, yet make it available to a DMZ or a particular set of VLANs in your corporate environment. The burden of testing the ISV solution should rest with your vendor, with minimal impact or workload on your team.
  32. VPN-Cubed Overlay Network: customer addressing, customer encryption, customer multicast. VPN-Cubed Managers (virtual servers) create an overlay network across the Internet, leased or private network, spanning your data center and Cloud A. The VPN-Cubed Managers synchronize state and management information across all N managers.
  33. VPN-Cubed Editions: VPN-Cubed for EC2 (Free); VPN-Cubed for EC2 (Paid AMIs); VPN-Cubed: Datacenter to EC2; VPN-Cubed: Datacenter to EC2 (IPsec); VPN-Cubed: Enterprise Edition.
  34. VPN-Cubed for EC2 (Free Edition): build an overlay network controlled by VPN-Cubed Managers in US and/or EU. (Diagram: peers attached to managers in EC2 USA and/or EC2 EU.)
  35. VPN-Cubed for EC2 (Paid AMIs): build an overlay network controlled by 4 managers in US and/or EU regions. (Diagram: peers attached to managers in EC2 USA and EC2 EU.)
  36. VPN-Cubed: Datacenter to EC2. Run an overlay network using Manager pairs in an EC2 region and in your data center. WHAT IS DIFFERENT? The local VPN-Cubed Managers will need to be assembled in a virtual machine format you can support. You WILL need to allow the Managers in your data center to initiate outbound connections. You MIGHT want to allow the Managers in EC2 to initiate inbound connections to the local managers; if so, you LIKELY will have to make some NAT entries in your network control equipment. You SHOULD put the VPN-Cubed Managers in a VLAN setup where you are comfortable with what traffic can and cannot traverse to and from your EC2 VLAN. (Diagram: peers in your data center and in EC2 EU or EC2 USA.)
  37. VPN-Cubed: Datacenter to EC2 (IPSEC). Overlay network created via Manager pairs in EC2 and your data center equipment. WHAT IS DIFFERENT? There are no local VPN-Cubed Managers. Your data center extranet solution (Cisco ASA, Cisco PIX, Juniper NetScreen) will connect to the VPN-Cubed Managers in the cloud, front-ended by VPN-Cubed IPSEC Gateways. You MIGHT want to allow the Managers in the cloud to route traffic to your datacenter; if so, you WILL have to make some routing entries in the VPN-Cubed Managers. (Diagram: your data center, IPSEC gateways, and peers in EC2 EU or EC2 USA.)
  38. VPN-Cubed: Enterprise Edition. Complex, multi-manager, custom topology captured as a specification. Evolution of use cases: as we discover different use cases we retrofit them as specifications to automatically drive the user interface for peering and monitoring. It is an incremental and ongoing process at this point of the market.
  39. YOUR infrastructure in YOUR control in the clouds: THIS or THIS. Enterprise IT is about checks, balances, and risk mitigation.
  40. With a BOM (Bill of Materials) approach: identity, customization, provenance. This is an EC2 server... right? Look again...
  41. With a BOM approach: re-master the device for a new cloud, a new VM type, a new OS. Make clones with unique IDs and unique MAC addresses. It’s the BOM!
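The three BOM properties named on these slides, identity, customization and provenance, as an added example that is not Elastic Server's code: a BOM pins every component of an assembled image by SHA-256, clones share the BOM but each gets a fresh instance id and a random locally-administered MAC, re-mastering swaps components for a new cloud, VM type or OS and emits a new BOM, and verifying an image against its BOM flags modified, missing or unexpected components, which is how a drifted or "evil" clone (slide 21) is caught before the assembly error propagates (slide 20). Component names, versions and byte strings are constructed stand-ins for real packages, and the cloud and VM-type labels are likewise made up.

```python
"""Bill of materials for an assembled server image, plus cloning (added example).

Not Elastic Server's code. Every component is pinned by digest in the BOM;
clones share the BOM but carry their own identity; re-mastering produces a
new BOM for a new target; verification reports any drift from the BOM.
Component names, versions and blobs below are constructed stand-ins.
"""
import hashlib
import secrets
import uuid

# Constructed stand-ins for the packages an image is assembled from.
COMPONENTS = {
    "os/base": b"ubuntu-8.04-jeos (constructed)",
    "runtime/java": b"sun-jdk-6u14 (constructed)",
    "app/tomcat": b"tomcat-6.0.20 (constructed)",
    "lib/openssl": b"openssl-0.9.8k (constructed)",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_bom(components: dict, cloud: str, vm_type: str) -> dict:
    """Record the target plus a digest for every component: the provenance record."""
    return {
        "target": {"cloud": cloud, "vm_type": vm_type},
        "components": {name: sha256(blob) for name, blob in components.items()},
    }


def new_identity() -> dict:
    """Fresh instance id and a random locally-administered unicast MAC
    (bit 1 of the first octet set, bit 0 clear) so clones never collide."""
    mac = bytearray(secrets.token_bytes(6))
    mac[0] = (mac[0] | 0x02) & 0xFE
    return {"instance_id": str(uuid.uuid4()),
            "mac": ":".join(f"{b:02x}" for b in mac)}


def assemble(components: dict) -> dict:
    """Assemble an image from components and give it its own identity."""
    return {"components": dict(components), **new_identity()}


def clone(image: dict) -> dict:
    """Same bill of materials, new identity."""
    return {"components": dict(image["components"]), **new_identity()}


def remaster(components: dict, replacements: dict, cloud: str, vm_type: str):
    """Re-master for a new cloud / VM type / OS: swap the named components and
    return (new component set, new BOM). The old BOM stays valid for the
    images already built from it."""
    updated = dict(components)
    updated.update(replacements)
    return updated, build_bom(updated, cloud, vm_type)


def verify_image(bom: dict, image: dict) -> list:
    """Compare an image with its BOM. An empty list means the image is exactly
    what the BOM says; otherwise each finding is (kind, component)."""
    want, have = bom["components"], image["components"]
    findings = []
    for name in sorted(set(want) | set(have)):
        if name not in have:
            findings.append(("missing", name))
        elif name not in want:
            findings.append(("unexpected", name))
        elif sha256(have[name]) != want[name]:
            findings.append(("modified", name))
    return findings


def is_locally_administered_unicast(mac: str) -> bool:
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


if __name__ == "__main__":
    bom = build_bom(COMPONENTS, "ec2-us", "m1.small")
    golden = assemble(COMPONENTS)
    clones = [clone(golden) for _ in range(3)]
    # one clone drifts: its OpenSSL no longer matches the BOM
    clones[1]["components"]["lib/openssl"] = b"openssl-0.9.8k (constructed, backdoored)"
    for c in clones:
        print(c["instance_id"], c["mac"], verify_image(bom, c) or "OK")
```

The check runs at clone time and again on a rebuild, so the "rebuild button" on the later Manage slide is also the remediation path: rather than patching a drifted clone in place (rule 2 of slide 22), re-manufacture it from the BOM and verify the result.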
  43. What does Elastic Server do? Gives anyone THEIR own SOFTWARE FACTORY.
  44. What does Elastic Server do? Any developer, SI, ISV, project, team or enterprise can SOURCE THEIR own component supply chain, can CREATE THEIR own server design center, and can MARKET, MESSAGE and DISTRIBUTE THEIR own server product.
  45. Server assembly like hardware: the Elastic Server Platform.
  46. Build from components just like you would from HP or Dell...
  47. Source / Assemble: allows choice at every level: open source components, commercial source components, proprietary source components, multiple operating systems.
  48. Assemble / Create: upload your own or your licensed ISV component; capture operating instructions.
  49. Create / Deploy: rapid deployment to virtual and cloud infrastructures. Assembly portals allow precise control of enterprise architecture.
  50. Market / Message / Distribute: assembly portals allow control of your message, control of your brand, control of your architecture, control of your execution context and control of your customer connection; they support and highlight your ecosystem, support e-commerce integration and support usage pattern analysis.
  51. Manage: save the Bill of Materials as a template. The Rebuild button allows “remanufacturing” for patch management, and for migrations or heterogeneous deployment.
  52. Manage: each Elastic Server is injected with management components to facilitate enterprise virtualization. Common device control across environments.
  53. Elastic Server key themes and values: ES as a meta-packaging system; ES covers the continuum from “VM building” to an online community for teamsourcing/crowdsourcing virtual servers (appliance builders, OSS ISVs, traditional ISVs, enterprises); ES as a driver of provenance, certification and standards; ES as a tool to integrate developers into the production flow; ES as an e-commerce system for marketing, messaging and distributing virtual servers; ES as a defense against vendor lock-in.
  55. Thanks