This chart summarizes the features of the IBM SmartCloud Enterprise offering. The list on the right summarizes the elements of the offering: There are nine 32- and 64-bit configuration options that let you pick the virtual machine (VM) instance sizes that best fit your needs. These can be configured with either a Linux operating system (Red Hat or Novell SUSE) or Microsoft Windows Server 2003 or 2008. There are dozens of preconfigured and tested software images that you can use as the basis for building and saving customized private images to suit your needs. Private images can be shared by users within an account. With the persistent storage option, you can order extra blocks of persistent storage to attach to a virtual machine instance for longer-term storage of content. Small (256 gigabyte [GB]), medium (512 GB) and large (2048 GB) blocks are available. The offering provides a virtual private network option that isolates your instances on a private virtual LAN (VLAN).
In addition, servers can be configured with up to four IP addresses, which lets you build more robust systems, implement fallback strategies, and segment your system into layers (security zones) with restricted network access. (VPN: virtual private network; VLAN: virtual local area network.)

IBM standard and add-on support services consist of:
Standard services: technical support for all services, available through the web portal and the online Cloud Service forum pages after login; around-the-clock monitoring and management of the IBM cloud infrastructure, including security activities for the IBM SmartCloud Enterprise infrastructure to govern access to and use of the services, and scheduled maintenance for the IBM SmartCloud delivery centers and base infrastructure.
Fee-based add-on services: remote on-boarding support to help account managers and end users learn how to navigate and use the self-service web portal; Premium support (around-the-clock telephone support with a web-based service request ticketing system); Advanced Premium support, which extends Premium support with customer severity-level-driven response times and a service level agreement with credits if response times are not met; and add-on operating system assistance on top of Premium support for Linux as well as Microsoft Windows Server.

From a payment perspective, all of the standard features are available on a pay-as-you-go model. Virtual servers, selected software images, persistent storage and static IP addresses are charged by the hour. Persistent storage charges cover storage blocks as well as the storage of private images. Virtual private network options are charged per month. Use of certain software images requires a prepaid license. Operating system charges are included in the virtual server hourly charge.
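The multiple-address, security-zone layout described above can be enforced on the instance itself with a host firewall. The following POSIX shell script is an added example, not part of the IBM deck and not an IBM tool: it generates an iptables ruleset for an instance that holds one public address and one private VLAN address, so that only the application port (443) is reachable from the Internet while SSH (22) and the database port (5432) are reachable only from the private VLAN. The addresses, the VLAN range and the port numbers are hypothetical placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the IBM deck): a two-zone iptables ruleset for an
# instance with a public address and a private VLAN address.
# All values below are hypothetical; override them via the environment.
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"      # Internet-facing address (documentation range)
PRIVATE_IP="${PRIVATE_IP:-10.10.0.5}"       # address on the private VLAN
VLAN_CIDR="${VLAN_CIDR:-10.10.0.0/24}"      # the private VLAN itself
APP_PORT="${APP_PORT:-443}"                 # the only port exposed to the Internet

# zone_rules prints the ruleset in iptables-restore format instead of applying
# it, so it can be reviewed and tested before it touches a live instance.
# The INPUT policy is DROP: anything not explicitly accepted below is refused.
zone_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# public zone: only the application port is reachable on the public address
-A INPUT -d $PUBLIC_IP -p tcp --dport $APP_PORT -j ACCEPT
# private zone: administration and database only from the VLAN, only on the VLAN address
-A INPUT -d $PRIVATE_IP -s $VLAN_CIDR -p tcp --dport 22 -j ACCEPT
-A INPUT -d $PRIVATE_IP -s $VLAN_CIDR -p tcp --dport 5432 -j ACCEPT
COMMIT
EOF
}

# public_ports lists every TCP port that an ACCEPT rule opens on the public
# address; a reviewer expects exactly the application port here.
public_ports() {
  zone_rules | grep -F -- "-d $PUBLIC_IP" | grep -F -- "-j ACCEPT" \
    | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p'
}

# check_rules fails (exit 1) if a private-zone port is accepted on the public
# address, which would collapse the two zones into one.
check_rules() {
  for port in 22 5432; do
    if zone_rules | grep -F -- "-d $PUBLIC_IP" | grep -F -- "--dport $port" \
         | grep -Fq -- "-j ACCEPT"; then
      echo "public address exposes private-zone port $port" >&2
      return 1
    fi
  done
  return 0
}

# Apply only when explicitly asked to and running as root; otherwise print
# the ruleset so it can be inspected.
if [ "${1:-}" = "apply" ] && [ "$(id -u)" = "0" ]; then
  check_rules || exit 1
  zone_rules | iptables-restore
else
  zone_rules
fi
```

Run the script without arguments to print the ruleset, and as root with `apply` to load it through `iptables-restore`. Because the INPUT chain defaults to DROP, the private-zone services are unreachable on the public address even without an explicit DROP rule; `check_rules` exists so that a later edit which accidentally accepts port 22 or 5432 on the public address is caught before the rules are loaded.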
IBM provides network bandwidth for inbound and outbound data transfers between the IBM SmartCloud delivery centers and the Internet for you to access and use the services. IBM tracks and measures the amount of data transferred, and data transfer is charged on a GB-transferred basis. Reserved capacity packages consist of pools of resources from which customers can provision as required. They carry a monthly charge but also offer preferred (discounted) rates on the virtual servers provisioned. Premium support is charged as a 5 percent uplift on other service charges, billed monthly, excluding pay-as-you-go software charges; the monthly minimum charge is US$75 in the US (price current as of March 28, 2011). Advanced Premium support is charged as a 10 percent uplift on other service charges, billed monthly, excluding pay-as-you-go software charges; the monthly minimum charge is US$1,000 (price current as of March 28, 2011). Add-on operating system support is charged as a fixed per-hour uplift on instance hourly charges. The uplift varies by operating system and instance size.
Abbreviations used in the table: CPU, central processing unit; RAID, redundant array of independent disks; GB, gigabyte; TB, terabyte; ext3, the third extended file system, commonly used by the Linux kernel. The table illustrates the virtual machine instance types, storage and other options available with IBM SmartCloud Enterprise. Notes: The storage provided with an instance is divided into a root segment (60 gigabytes) plus additional segments of the amount shown. Users may choose to provision an instance with just the root segment to shorten provisioning time. Virtual machine instance storage is erased when an instance is de-provisioned (deleted), so blocks of persistent storage and object storage should be used for data that must outlive the instance. Persistent and object storage are both RAID protected; instance storage is not. Although images can be built on one virtual machine configuration and migrated to a configuration of a different size, each image supports only a limited set of virtual machine types and sizes. While small Linux virtual machines (Copper and Bronze) generally provision in approximately eight minutes or less, larger instances take longer, depending on the storage size and operating system chosen.
The offering includes a set of images that may be used as a starting point for building the server configurations you require. These images consist of operating system images (Linux, either SUSE or Red Hat, and Windows Server 2003 and 2008) with or without additional preinstalled IBM and third-party software. IBM software includes products from IBM Lotus®, IBM WebSphere®, IBM Information Management, IBM Tivoli® and IBM Rational®. IBM software is available under several licensing options, including bringing your own license for software you already hold a valid license for, and paying for use by the hour. The catalog also includes software from a number of IBM Business Partners such as Alphinat, Aviarc, BeyondTrust, CohesiveFT, Corent, Grid Robotics, Kaavo, NetEnrich, OpenCrowd, Pragma Systems, Servoy, SugarCRM and Zeus. A software bundle is software that is installed and/or configured in a running instance of an image. The bundle includes installation files, configuration files, a parameter specification, and a description of the prerequisites the bundle requires. With a library of software bundles and a library of fixed images, you can compose a custom image with multiple software bundles. For image providers, software bundles can also reduce the operational cost and management challenge of providing and maintaining every possible combination of their base images preinstalled with multiple software bundles. You can provide your own software bundles that can be installed on multiple images. IBM offers flexibility regarding software licensing, as follows: Bring your own license: Clients who own a software license for the specified software can use the preinstalled software on the cloud at no additional charge. Charges for running this software amount to the charges for running the selected virtual server configuration with a standalone operating system.
Pay by the hour: Clients who do not own a software license can use preinstalled software for a per-instance, per-hour usage charge. Charges for running this software amount to the charges for running the selected virtual server configuration with a standalone operating system plus a per-hour software charge. Bring your own software and license: Clients who own the software and associated license for the required software can use their own software to build and save their own private images in IBM SmartCloud Enterprise. Charges for running this software amount to the charges for running the selected virtual server configuration with a standalone operating system. Clients who want to test pre-releases of software may do so by choosing one of the available pre-release images. Pre-release images may only be used for test and other nonproductive use. Pre-release images are available at no charge and may be withdrawn without notice; once withdrawn, customers must stop using them and any images derived from them. Charges for running pre-release software amount to the charges for running the selected virtual server configuration with a standalone operating system. Independent software vendor developers can use "development use only" (DUO) software in IBM SmartCloud Enterprise for development, test, proof of concept and sales demos at no charge. DUO images are only available to an independent software vendor (ISV) or system integrator (SI) whose core business is solely the delivery of commercially available, network-delivered applications or software as a service (SaaS) applications for end users in the marketplace. Charges for running this software amount to the charges for running the selected virtual server configuration with a standalone operating system.
For a current list of IBM middleware images and the configurations supported, please visit the IBM SmartCloud Enterprise website at: http://www.ibm.com/smartcloud/solutions/enterprise Note that all images have been built to fit a limited range of virtual machine sizes and types, licensing options and operating systems. For example, a particular IBM DB2® image may have been built to run on 32-bit configurations with SUSE Linux and be available only on "bring your own license" terms. That DB2 software may not be available under Red Hat Enterprise Linux (RHEL) or on 64-bit configurations.
This chart shows how quickly you can set up your virtualized server environment using IBM SmartCloud Enterprise. The normal provisioning flow has three steps once the user has logged into the IBM SmartCloud Enterprise portal and selected the Instances tab on the control panel: The user selects a data center location and an image for the required server from an image catalog, either a 'public' catalog of IBM-standard images, a 'shared' catalog of images the account manages, or a private user catalog. The user selects the virtual machine configuration, network connectivity, security keys and storage required for the server, based on the user's needs. The user accepts the "Terms and Conditions" and thereby orders the provisioning of the server instance. The status of the order can be viewed in the control panel. After a few minutes, typically 6 to 7 minutes for a small Linux server and two to three times longer for a large Windows server, the server is ready for use. Per-hour charges start when the server is ready for use (becomes 'Active'). Once the server instance has been provided, the user can access, customize and use the server as if it were located in an in-house data center. Once the user has customized the instance as required (for example, by installing and configuring an application), the user can save the customized version of the instance as a private image for future reuse. When the server is no longer needed, the user de-provisions the instance, which stops the charges for the use of the server. Most of these functions can also be performed through the built-in application programming interfaces (APIs). The graphic on the slide shows the three steps required to set up and deploy a service with IBM SmartCloud Enterprise. It consists of three screen shots from the portal: the first showing where you select an image, the second showing where to configure it, and the third indicating that the application is provisioned. Above the third box is a picture of a hand holding a stopwatch, indicating that the three steps can be accomplished quickly.
IBM SmartCloud Enterprise lets you remotely access a scalable, virtualized server environment in a multitenant, self-service mode on a pay-per-use basis, leveraging standardized assets owned and managed by IBM. When you access IBM SmartCloud Enterprise, you can realize several benefits, including:
Reduced costs, by virtually eliminating capital outlays and significantly reducing operational and labor expenses
Faster setup and shorter cycle times, enabling improved time to market
Improved quality, by helping to reduce development and testing errors from faulty configurations
Enhanced teaming and collaboration, for greater efficiency of your distributed IT teams
Improved governance and enhanced security
The graphic on the center-left of the slide illustrates "Today's data center," showing a group of servers associated with a building. The servers are enclosed in a box with three figures in the corners: a clock, a security guard and a certification badge. An arrow points from this graphic to another on the right, which depicts "Tomorrow's cloud environment." This graphic shows a group of servers inside the figure of a cloud, overlaid by numerous question marks. These servers are associated with a map of the world. When you are considering a new technology such as cloud, there are always challenges and dependencies that need to be addressed. This chart summarizes many of the concerns that enterprises have expressed. On the left is the well-known, established environment which, while well understood, stable and security rich, is costly, slow to change and labor intensive. On the right is the cloud environment with the value proposition we have discussed, but with a lot of uncertainties. It is not the intention of this session to answer all of these questions, only to recognize that these challenges exist and that IBM can provide answers to them. It is also fair to say that not all the answers will satisfy the needs of all enterprise workloads. There are workloads (understood as IT usage scenarios, whether for developers, testers or end users) for which the cloud is not suited and which are best kept in the enterprise data center, behind the enterprise firewall. There are also workloads that fit well into a cloud context, for example the majority of development and test activities and many production workloads with less sensitive data (for example, web servers with static content). The challenge is therefore to identify the workloads for which the cloud is effective.
Clients generally ask: "Is IBM SmartCloud Enterprise secure?" "Will IBM guarantee the security of my data?" "Are my applications and data protected against other tenants, IBM cloud administrators and developers, and external attackers?"
IBM provides expertise around the unique challenges associated with cloud computing. New considerations come into play around traditional security activities when a cloud initiative is being evaluated. For example, when looking at application security, an organization must assess the impact on security and privacy of shared images and multi-tenancy. Clients must review their security policies and procedures to understand what modifications might be necessary to accommodate a cloud strategy. Virtualization brings new challenges to system security, and the open nature of public clouds increases the risk from unknown, potentially hostile attackers on the network.
Key Point: From a governance, risk and compliance perspective, organizations require visibility into the security posture of their cloud. This includes broad-based visibility into change, image and incident management, as well as incident reporting for tenants and tenant-specific log and audit data. Visibility can be especially critical for compliance. The Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act (HIPAA), European privacy laws, and many other regulations require comprehensive auditing capabilities. Since a public cloud is largely a black box to the subscriber, potential cloud subscribers may not be able to demonstrate compliance. (A private or hybrid cloud, on the other hand, can be configured to meet those requirements.) In addition, providers are sometimes required to support third-party audits, and their clients can be directed to support e-discovery and forensic investigations when a breach is suspected. This adds even more importance to maintaining proper visibility into the cloud. In general, organizations often cite the need for flexible service level agreements (SLAs) that can be adapted to their specific situation, building on their experience with strategic outsourcing and traditional managed services.
Key Point: Organizations need to make sure that authorized users across their enterprise and supply chain have access to the data and tools they need, when they need them, while blocking unauthorized access. Cloud environments usually support a large and diverse community of users, so these controls are even more critical. In addition, clouds introduce a new tier of privileged users: administrators working for the cloud provider. Privileged-user monitoring, including logging of their activities, becomes an important requirement. This monitoring should include physical monitoring and background checking. Identity federation and rapid onboarding capabilities must be available to coordinate authentication and authorization with the enterprise back-end or third-party systems. A standards-based single sign-on capability is required to simplify user logons for both internally hosted applications and the cloud, allowing users to leverage cloud services easily and quickly.
Key Point: Most organizations cite data protection as their most important security issue. Typical concerns include the way in which data is stored and accessed, compliance and audit requirements, and business issues involving the cost of data breaches, notification requirements, and damage to brand value. All sensitive or regulated data needs to be properly segregated on the cloud storage infrastructure, including archived data. Encrypting data in transit to the cloud and data at rest in the service provider's data center, and managing the associated encryption keys, is critical to protecting data privacy and meeting compliance mandates. The encryption of mobile media and the ability to securely share those encryption keys between the cloud service provider and the consumer is an important and often overlooked need. Because moving large volumes of data quickly and cheaply over the Internet is still not practical in many situations, many organizations must send mobile media, such as an archive tape, to the cloud provider. It is critical that the data is encrypted and that only the cloud provider and the consumer have access to the encryption keys. Significant restrictions regarding data location can arise with cloud computing, depending on an organization's location, the type of data it handles, and the nature of its business. Several member states of the European Union (EU), for example, expressly forbid the nonpublic personal information of their citizens from leaving their borders. Additionally, a cloud deployment can raise export-law issues relative to encrypted information, and the deployment can potentially expose intellectual property to serious threats. The organization's legal counsel must perform a thorough review of all these requirements prior to cloud deployment, making sure the organization can maintain control over the geographic location of its data in the provider's infrastructure.
In areas where users and data have explicitly identified and differing risk classes (such as the public sector and financial services), organizations need to maintain cloud-wide data classification. The classification of the data governs who has access, how that data is encrypted and archived, and which technologies are used to prevent data loss.
Key Point: Clients typically consider cloud application security requirements in terms of image security. All of the usual application security requirements still apply to applications in the cloud, but they also carry over to the images that host those applications. The cloud provider needs to follow and support a secure development process. In addition, cloud users demand support for image provenance and for licensing and usage control. Suspension and destruction of images must be performed carefully, ensuring that sensitive data contained in those images is not exposed. Defining, verifying and maintaining the security posture of images with respect to client-specific security policies is an important requirement, especially in highly regulated industries. Organizations need to ensure that the web services they publish into the cloud are secure, compliant, and meet their business policies. Leveraging secure-development best practices is a key requirement.
Key Point: In a shared cloud environment, clients want assurance that all tenant domains are properly isolated and that no possibility exists for data or transactions to leak from one tenant domain into the next. To help achieve this, clients need the ability to configure trusted virtual domains or policy-based security zones. As data moves further from the client's control, clients expect capabilities such as intrusion detection and prevention systems to be built into the environment. The concern is not only intrusions into a client's trusted virtual domain, but also the potential for data leakage and for extrusion, that is, the misuse of a client's domain to mount attacks on third parties. Moving data to external service providers raises additional concerns about internal and Internet-based denial of service (DoS) or distributed denial of service (DDoS) attacks. In a shared environment, all parties must agree on their responsibilities to review data and must perform these reviews on a regular basis. The organization must take the lead in contract management for any risk assessments or control deployments that it does not perform directly. Where image catalogs are provided by the cloud provider, clients want these images to be secure and properly protected from corruption and abuse; many clients expect these images to be cryptographically signed and protected.
Key Point: Finally, the cloud's infrastructure, including servers, routers, storage devices, power supplies, and other components that support operations, should be physically secure. Safeguards include adequate control and monitoring of physical access using biometric access control measures and closed-circuit television (CCTV) monitoring. Providers need to clearly explain how physical access is managed to the servers that host client workloads and support client data.
Abbreviations: IPS, intrusion prevention system; IP, Internet Protocol (address); API, application programming interface. This slide shows three key concerns and how IBM SmartCloud Enterprise can address them. Numerous third-party studies have documented that the key concerns enterprises have with cloud computing revolve around security, reliability and control. These three themes categorize most of the challenges discussed previously, and they have therefore been key considerations in the way IBM has built the IBM SmartCloud Enterprise offering. The chart lists some of the specific things IBM does and provides to help address enterprise concerns. 'Anti-collocation' is a feature introduced in April 2011 that enables clients to specify that two virtual machine instances must reside on different physical nodes, to safeguard against the failure of a physical node in the cloud. 'Virtual IP addressing' is a technique whereby two or more virtual machine instances, set up as a primary server plus one or more secondary backup servers, can serve the same 'virtual' IP address, thereby increasing the resiliency of the overall configuration.
For more information, please visit http://www.ibm.com/smartcloud/solutions/enterprise
IBM SmartCloud Enterprise: A Secure Infrastructure for Test and Development
Piotr Pietrzak, IBM Forum 2012 – Estonia, Tallinn, October 9, 2012