1
Network and Security Reference Architecture
For Driving Workstyle Transformation
Author: Matsuo Sawahashi
Division: GTS Japan, Solutioning, Chief Architect
Mail: matsuos@jp.ibm.com
Chief Architect Reference Architecture Asset Series
2
Introduction
Many companies now use multiple cloud services as a matter of course.
However, the enterprise network was built around the data center, and its topology is still centered on it. The bandwidth of the Internet gateway at the data center runs short, and the access lines from the sites are also saturated by the massive traffic generated by growing use of SaaS such as O365 or Box.
Meanwhile, employees work in various places: the office, outside, and home. Business partners also want to access the enterprise network to do business with the company. Both want to use enterprise applications, whether on-premise or in the cloud, with the same procedure.
To solve the above problems, we need to change our thinking:
- The data center is no longer the center; the network becomes the center.
- The Internet is dangerous, but used well it is cheap, and we can build a network that is resilient against failure or disaster.
- Boundary protection is no longer able to protect enterprises from recent threats, and it does not accommodate diverse usage patterns that cross various boundaries.
So, please read through the deck to understand the solution.
3
Executive Summary
• Background
  • The way people work has diversified and it is becoming common to access from various places such as home and outside the office
  • Interaction with collaborating business partners has become active and the internal and external boundaries have become uncertain
  • Shifting from in-house development to using external services such as SaaS
  • In particular, OA business applications such as O365, Box and Concur are actively being shifted to SaaS
• Issues
  • The limits of a network centered on the data center, as in the current situation
  • Narrow Internet access bandwidth through the data center
  • Waste of having to go through a distant data center to reach the Internet
  • Narrow branch network bandwidth and extensive route and bandwidth changes
  • Internal networks and devices vulnerable to targeted e-mail attacks
  • A standard terminal that does not meet diversified user needs
  • Access control and single sign-on have not been implemented, despite the need for individual authentication to access each cloud service
• Solution
  • Zero Trust Security
    • Secure at the terminal or device level without distinguishing between internal and external, and increase resilience against threats
  • SD-WAN
    • Improve accessibility to cloud services by overlaying a virtualized network without distinguishing between private leased lines and the Internet
    • Respond flexibly to the addition and change of new services by changing bandwidth and routing from one place
  • Cloud Exchange Service
    • Connect immediately to new cloud services by using a cloud exchange service pre-connected to the cloud services
  • ID Federation
    • Prepare an authentication infrastructure capable of linking cloud services and on-premise IDs, enabling single sign-on and access control
4
Current IT State
• Data center centric network structure
• The gateway to the Internet and the cloud is consolidated in the data center
• The boundary at the data center is defended thoroughly, but in return the internal network is considered safe and sufficient security measures are not implemented there
• The branch networks have been changed manually
[Diagram: Data Center, Head Quarters, Branch Office, Service Office, Store, Factory; links labelled WAN and Internet WAN; Cloud Services]
5
Problems under Current IT State
• Increasing use of cloud (not only IaaS but also PaaS and SaaS)
• Bandwidth shortage of the cloud-connected network
• Authentication to the cloud is managed separately from the on-premise environment
• Routing and bandwidth changes occur frequently and cost rises
• Because of the reliance on boundary defense, the internal networks and devices are conversely weak
• Flexibility to change and resistance to attack are lacking, and this becomes a burden whenever a new challenge arises
[Diagram: the same data center centric topology as slide 4 (Data Center, Head Quarters, Branch Office, Service Office, Store, Factory, WAN, Internet WAN, Cloud Services), annotated with: Bottleneck (four places), Increasing Demand, Increasing cost of change work, Vulnerable (two places), Isolated ID Management]
6
Background
• User view
  • The way people work has diversified and it is becoming common to access from various places such as home and outside the office
  • Interaction with collaborating business partners has become active and the internal and external boundaries have become uncertain
• Provider view
  • Shifting from in-house development to using external services such as SaaS
  • In particular, OA business applications such as O365, Box and Concur are actively being shifted to SaaS
7
Business Problem
• Limits of the data center centered network structure
  • The only doorway to the Internet is in the data center
  • Concentration of Internet access at the Internet access gateway
  • Waste of having to go through a distant data center to go out to the Internet
  • Narrow branch network bandwidth and extensive route and bandwidth changes
• Vulnerable internal networks
  • Boundary defense is not effective against targeted e-mail attacks
  • Vulnerable terminal security that relies too much on boundary defense
  • Early virus detection and spread prevention functions are poor
• No integrated authentication system, and insecure authentication
  • Access control and single sign-on have not been implemented, despite the need for individual authentication to access each cloud service
  • Dangerous authentication with ID and password only
8
Use Case List
• If a cloud service is cheaper and more efficient than developing it ourselves, we want to actively use it
• As the use of cloud services expands, we want to connect from the site to the Internet or the cloud via a high-speed, high-capacity network
• We want to use a unified authentication system for both internal and external systems to control who can connect to which system
• We want to minimize the cost and time of changing bandwidth or the route settings of routers and firewalls at the sites when cloud service providers are added or changed
• We want to use internal and external systems with the same procedure from the office, outside, and home
• We want to enable business partners to use the internal and external systems
• On the premise that targeted e-mail attacks cannot be avoided, we want a mechanism that enables early detection and early countermeasures in case of infection
9
IT Requirements
Category | IT Requirement | Priority
Network | Direct access to the public cloud (IaaS / PaaS / SaaS) without going through the DC | Must
Network | Since it is necessary to connect to various public cloud services, use a cloud exchange service to keep the network structure simple instead of providing a separate access route to each cloud service | Must
Network | Be able to optimize cost and performance by using not only leased lines but also the Internet to connect to the cloud and DCs | Must
Network | To flexibly increase and decrease network bandwidth, make it easy to scale out lines by bundling multiple leased lines and the Internet | Must
Network | Make it easy to change network bandwidth and routes through central control | Should
Network | To improve accessibility to the public cloud and avoid loading the existing in-house infrastructure, make an Internet breakout from the sites wherever possible | Could
10
IT Requirements
Category | IT Requirement | Priority
Security | Encryption is required when the Internet is used as the access network | Must
Security | When Internet breakout is used, a packet filtering feature must protect the breakout sites against external attack | Must
Security | Authentication and authorization to applications, not only in on-premise DCs but also on public cloud services, are performed via a unified authentication system | Must
Security | Take the necessary defensive measures without assuming that the internal network is safe, as active use of the Internet and public clouds progresses | Must
Security | For authentication to applications in on-premise DCs as well as in the cloud, multi-factor authentication and device authentication should be applied | Should
Security | Ensure endpoint security rather than boundary defense, so that detection and removal of threats can be performed promptly | Must
Security | Ensure security monitoring (SIEM) and response (CSIRT), so that illegal access and attacks can be detected promptly and measures taken | Must
Security | Ensure log management to detect unauthorized access and attacks | Must
Security | Access to confidential data, including personal information, can be audited: when, who requested what | Must
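The unified authentication, multi-factor authentication, device authentication and audit requirements above can be shown as a single access-decision function that is applied identically whether the request comes from the office, home or the open Internet. The Python below is an added example, not code from the deck or from IBM; the users, devices, resources and group names are constructed placeholders, and a real deployment would take them from the federated IdP and the endpoint inventory.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed sample directory data (hypothetical users, devices and resources).
FEDERATED_USERS = {
    "alice@corp.example":       {"groups": {"employees", "finance"}},
    "partner1@partner.example": {"groups": {"partners"}},
}
# device id -> user the device is enrolled to (the device-authentication source)
ENROLLED_DEVICES = {
    "dev-1001": "alice@corp.example",
    "dev-2001": "partner1@partner.example",
}
# On-premise and cloud applications are described with the same fields; their
# location plays no part in the decision, only sensitivity and allowed groups do.
RESOURCES = {
    "erp.corp.internal": {"location": "on-premise", "confidential": True,  "groups": {"finance"}},
    "o365":              {"location": "saas",       "confidential": False, "groups": {"employees"}},
    "partner-portal":    {"location": "iaas",       "confidential": False, "groups": {"employees", "partners"}},
}

AUDIT_LOG = []  # when / who / what, kept for every attempt on confidential data


@dataclass
class AccessRequest:
    user: str
    device_id: str
    mfa_passed: bool
    resource: str
    network: str  # "office", "home", "internet": recorded for audit, never trusted


@dataclass
class Decision:
    allowed: bool
    reason: str
    audit: dict = field(default_factory=dict)


def evaluate(req: AccessRequest, now: Optional[datetime] = None) -> Decision:
    """Zero-trust style decision: identity, MFA, device enrollment and
    authorization are checked for every request, regardless of source network."""
    now = now or datetime.now(timezone.utc)
    audit = {"when": now.isoformat(), "who": req.user, "what": req.resource,
             "device": req.device_id, "from_network": req.network}
    user = FEDERATED_USERS.get(req.user)
    res = RESOURCES.get(req.resource)
    if user is None or res is None:
        return _finish(Decision(False, "unknown user or resource", audit), res)
    if not req.mfa_passed:
        return _finish(Decision(False, "multi-factor authentication required", audit), res)
    if ENROLLED_DEVICES.get(req.device_id) != req.user:
        return _finish(Decision(False, "device not enrolled to this user", audit), res)
    if not (user["groups"] & res["groups"]):
        return _finish(Decision(False, "user not authorized for this resource", audit), res)
    return _finish(Decision(True, "allowed", audit), res)


def _finish(decision: Decision, res: Optional[dict]) -> Decision:
    """Write every attempt on a confidential resource, denied ones included,
    so that 'when, who requested what' can be answered afterwards."""
    decision.audit["allowed"] = decision.allowed
    decision.audit["reason"] = decision.reason
    if res is not None and res["confidential"]:
        AUDIT_LOG.append(dict(decision.audit))
    return decision


if __name__ == "__main__":
    req = AccessRequest("alice@corp.example", "dev-1001", True, "erp.corp.internal", "home")
    print(evaluate(req))
    print(AUDIT_LOG)
```

The `network` field is deliberately carried only into the audit record: the same request from the office and from home yields the same decision, which is the property the "do not assume the internal network is safe" requirement asks for.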
11
Solution Approach
• Software Defined Overlay Network
  • Cloud Exchange Service
    • Simple connectivity to the public cloud
    • Easy cloud connection bandwidth change
  • Software Defined WAN (SD-WAN)
    • Using bundled multiple leased lines and the Internet
    • Internet breakout feature
    • Center console operation
• Zero Trust Security
  • Endpoint security
  • ID federation for the applications and public cloud services
  • Multi-factor authentication and device authentication
  • Log management and SIEM, CSIRT
  • DB audit
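The SD-WAN items above (bundled leased lines and Internet, local Internet breakout, centrally defined policy) together with the Network and Security requirements on slides 9 and 10 can be shown as the per-flow path selection a site CPE would apply. The Python below is an added example, not the deck's or any SD-WAN vendor's code; the link names, the SaaS breakout allow-list, the private zone names and the loss threshold are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Link:
    name: str
    kind: str          # "leased" or "internet"
    up: bool
    loss_pct: float    # measured packet loss from the CPE's path probes
    latency_ms: float


@dataclass
class Route:
    egress: str          # "breakout" (local Internet) or "overlay" (SD-WAN tunnel to HUB-DC/DC)
    link: Optional[str]  # chosen underlay link, None when nothing usable is left
    encrypted: bool      # True when traffic rides the encrypted SD-WAN overlay
    filtered: bool       # True when the site-side breakout packet filter applies


# Constructed policy data (hypothetical names), pushed from the central console.
BREAKOUT_ALLOWLIST = {"outlook.office365.com", "app.box.com"}  # SaaS allowed to break out locally
PRIVATE_ZONES = {"corp.internal", "hub-dc.example"}             # DC / HUB-DC destinations
MAX_LOSS_PCT = 2.0                                              # above this a link is unusable


def classify(dest: str) -> str:
    if dest in BREAKOUT_ALLOWLIST:
        return "saas"
    if any(dest == z or dest.endswith("." + z) for z in PRIVATE_ZONES):
        return "private"
    return "other"


def healthy(links: List[Link]) -> List[Link]:
    return [l for l in links if l.up and l.loss_pct <= MAX_LOSS_PCT]


def pick(links: List[Link], prefer: str) -> Optional[Link]:
    """Prefer the requested underlay kind, then the lowest latency."""
    cands = healthy(links)
    if not cands:
        return None
    return min(cands, key=lambda l: (l.kind != prefer, l.latency_ms))


def route(dest: str, links: List[Link]) -> Route:
    cls = classify(dest)
    if cls == "saas":
        inet = pick([l for l in links if l.kind == "internet"], "internet")
        if inet is not None:
            # Local breakout: no detour through the DC, but the breakout packet
            # filter is mandatory (security requirement for breakout sites).
            return Route("breakout", inet.name, encrypted=False, filtered=True)
        # Local Internet unusable: fall back to the overlay through the HUB-DC.
    # Private destinations, and anything unclassified, go over the encrypted
    # overlay. The leased line is preferred; an Internet underlay is acceptable
    # because the overlay encrypts it (encryption is required whenever the
    # Internet is the access network).
    link = pick(links, "leased")
    if link is None:
        return Route("overlay", None, encrypted=False, filtered=False)
    return Route("overlay", link.name, encrypted=True, filtered=False)


# Constructed link states for a site with one leased line and one Internet line.
LINKS_OK = [Link("leased-1", "leased", True, 0.0, 20.0), Link("inet-1", "internet", True, 0.3, 35.0)]
LINKS_LEASED_DOWN = [Link("leased-1", "leased", False, 0.0, 20.0), Link("inet-1", "internet", True, 0.3, 35.0)]
LINKS_INET_LOSSY = [Link("leased-1", "leased", True, 0.0, 20.0), Link("inet-1", "internet", True, 8.0, 35.0)]

if __name__ == "__main__":
    for dest in ("app.box.com", "erp.corp.internal", "unknown.example"):
        print(dest, route(dest, LINKS_OK))
```

Unclassified destinations are sent over the overlay rather than broken out; that is a conservative default chosen for the example so that only the allow-listed SaaS bypasses the DC gateway, matching the "breakout as much as possible" requirement being rated Could while the breakout packet filter is a Must.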
12
Architectural Overview
[Diagram: sites (Head Quarters, Branch Office, Service Office, Store, Factory, Home) connected over WAN and Internet through a Software Defined Overlay Network to Cloud Exchange Services, which front the on/off-premise Data Center, IaaS, PaaS and SaaS. Zero Trust Security spans the whole picture: Attack Detection, Protection, Recovery, Patch, SIEM, Action, IDaaS.]
Callouts:
• The DC is considered as a type of cloud service, preventing load concentration on the DC and increasing toughness against disasters
• Protect devices and accesses rather than relying on boundary defenses, and enhance attack tolerance overall
• Realize diversification of workplaces by using the system regardless of where we work
• Utilize the Internet as a route through an encrypted overlay network built by SD-WAN
• High-speed, low-cost cloud access realized by breakout from the site to the Internet
• Simple connection to multi-cloud realized by utilizing a cloud exchange service
• Prepare an authentication infrastructure that enables federation between cloud services and internal IDs, realizing single sign-on and access control
13
Component Model
High level component relationship
[Diagram: component relationship graph. Networking components: Site, SD-WAN Overlay Network, Internet, Leased line, Internet Breakout, Cloud Exchange Service, On-premise DC, Cloud Service. Security components: User, Terminal, Endpoint security, ID Federation System, Application, Log Management, SIEM / CSIRT, DB Audit, Confidential Data. Relationship types shown: Deploy, Use, Authenticate, Connect, Configure, Transfer, Monitor, Audit. Log Management transfers logs to SIEM / CSIRT; DB Audit audits access to Confidential Data.]
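In the component model, Log Management transfers logs to SIEM / CSIRT, which is where the "detect targeted e-mail attacks early" and "detect unauthorized access" requirements are actually met. The Python below is an added example of the kind of correlation rules such monitoring runs over identity-provider and endpoint-security events; it is not code from the deck, and the log lines, field names, thresholds and process names are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the deck): identity-provider (idp) and
# endpoint-security (edr) events as forwarded to the log management system.
SAMPLE_LOGS = """\
2024-04-01T09:00:00Z idp user=alice result=success mfa=yes device=dev-1001 src=203.0.113.5
2024-04-01T09:01:10Z idp user=bob result=failure mfa=no device=dev-1002 src=198.51.100.7
2024-04-01T09:01:20Z idp user=bob result=failure mfa=no device=dev-1002 src=198.51.100.7
2024-04-01T09:01:31Z idp user=bob result=failure mfa=no device=dev-1002 src=198.51.100.7
2024-04-01T09:01:45Z idp user=bob result=success mfa=no device=dev-1002 src=198.51.100.7
2024-04-01T09:20:00Z edr host=dev-1001 event=process_start parent=outlook.exe child=powershell.exe
2024-04-01T09:21:00Z edr host=dev-1003 event=process_start parent=explorer.exe child=powershell.exe
"""

# Constructed rule parameters.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
FAIL_THRESHOLD = 3                 # failures before a following success is suspicious
FAIL_WINDOW = timedelta(minutes=5) # sliding window for counting failures


def parse(line: str) -> dict:
    """'<timestamp> <source> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, source, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def _trim(q: deque, now: datetime) -> None:
    while q and now - q[0] > FAIL_WINDOW:
        q.popleft()


def detect(log_text: str) -> list:
    """Run three rules over the lines in order and return the alerts raised."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        if ev["source"] == "idp":
            user, q = ev["user"], recent_failures[ev["user"]]
            _trim(q, ev["ts"])
            if ev["result"] == "failure":
                q.append(ev["ts"])
            elif ev["result"] == "success":
                # Rule 1: a login that completed without MFA (unified auth policy gap)
                if ev.get("mfa") != "yes":
                    alerts.append({"rule": "login_without_mfa", "severity": "medium",
                                   "user": user, "ts": ev["ts"]})
                # Rule 2: success right after a burst of failures (credential guessing)
                if len(q) >= FAIL_THRESHOLD:
                    alerts.append({"rule": "success_after_repeated_failures", "severity": "high",
                                   "user": user, "ts": ev["ts"]})
                q.clear()
        elif ev["source"] == "edr" and ev.get("event") == "process_start":
            # Rule 3: a mail client spawning a script host, the typical first step of
            # a targeted e-mail attack landing on an endpoint
            if ev["parent"] in MAIL_CLIENTS and ev["child"] in SCRIPT_HOSTS:
                alerts.append({"rule": "script_host_spawned_by_mail_client", "severity": "high",
                               "host": ev["host"], "ts": ev["ts"]})
    return alerts


def summarize(alerts: list) -> dict:
    """Counts per severity, the shape a CSIRT queue would be prioritised on."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(a)
    print(summarize(found))
```

The endpoint rule is the one that matters for the deck's "targeted e-mail attack cannot be avoided" premise: it fires on the endpoint (dev-1001) regardless of whether that device sits inside the office boundary, which is exactly what endpoint security and SIEM are there to provide in place of boundary defense.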
14
Operational Model
High level diagram
[Diagram: HUB-DC West and HUB-DC East, each with a CPE and a Cloud Exchange Service, connect to the Cloud Service Providers (IaaS, PaaS, SaaS). Data Center East, Data Center West and the Sites each have a CPE and are connected over WAN and Internet; the Sites use Internet Breakout. Security components shown: Endpoint Security, SIEM / CSIRT, DB Audit, ID Federation, Log Mgmt.]
CPE (Customer Premise Equipment): here, it refers to a routing device that supports SD-WAN technology.
15
Value Proposition
[Table: Benefit / Solution matrix; each benefit is mapped to one of the benefit categories Flexibility, Availability, Convenience, Safety, Cost Reduction, Speediness and to a solution component.]
Benefits:
• Can promptly implement new installation, change, and cancellation of cloud services safely and inexpensively
• Can diversify our way of working through system use regardless of where we work
• Can make the cross-site network redundant inexpensively
• Can use single sign-on with the same ID for both cloud and on-premise
• Can discover targeted e-mail attacks early, and plan and implement countermeasures
• Can speed up access from the site to cloud services inexpensively
• Can implement the work of changing the bandwidth and the route of the inter-site network
• Can increase the tolerance to data leakage and quickly identify the range of impact when it occurs
• Can make it easier to design a data exchange system with business partners
Solutions: DB Audit, ID Federation, Endpoint Security, Log Management / SIEM / CSIRT, SD-WAN, Cloud Exchange Service
16
Migration Plan
[Gantt chart across First year, Second year, Third year, with Milestone, Networking and Security rows]
Networking:
• Network Requirement Definition and Macro design
• HUB-DC Build
• DC SD-WAN Build
• Sites SD-WAN Build and migration
Security:
• Security Requirement Definition and Macro design
• ID Federation Build
• DB Audit Build
• Endpoint Security Build
• Log mgmt Build
• SIEM Build
• CSIRT Build
• Endpoint Security Sites deployment
Milestones: Network migration start; Migration complete
17
Architectural Decision Examples
Issue: How to connect between on-premise DCs and multi-cloud DCs
Decision: We will develop HUB-DCs leveraging a cloud exchange service with SD-WAN technology
Status: Decided
Category: Infrastructure – Networking
Assumptions:
• Increasing use of multiple cloud services
• Adding, deleting, changing and replacing cloud services frequently
• Changing bandwidth, routing and access control of the network connection to the cloud
• Increasing number of sites using Internet breakout as the use of SaaS such as O365 and Box grows
Options:
1. Use leased lines for each connection (Mesh topology)
2. Develop HUB-DCs with a cloud exchange service (Hub-Spoke topology)
3. Develop HUB-DCs with a cloud exchange service and SD-WAN (Hub-Spoke topology + SD-WAN)
Arguments (Rationale):
Risk:
• SD-WAN is a rapidly growing technology
• We have no experience developing SD-WAN
Implications:
• CPE (Customer Premises Equipment) needs to be deployed at the HUB-DCs to realize SD-WAN
• The HUB-DCs must support the mega cloud services such as IBM Cloud, Azure and AWS
Notes:
Option | Flexibility | Simplicity | Security | Stability | Change Speed
1 | Low | Low | Complex | Low | Low (few months)
2 | Medium | Medium | Complex | Medium | Medium (few weeks)
3 | High | High | Flexible | High | High (few hours)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 

Network and Security Reference Architecture For Driving Workstyle Transformation

  • 3. Executive Summary
    • Background
      • The way people work has diversified, and it is becoming common to access from various places such as home and outside the office
      • Interaction with collaborating business partners has become active, and the internal and external boundaries have become uncertain
      • Shift from in-house development to using external services such as SaaS
      • In particular, OA business applications such as O365, Box and Concur are actively being shifted to SaaS
    • Issues
      • The limits of a network centered on the data center, as in the current situation
      • Narrow Internet access bandwidth through the data center
      • Waste of having to go through a distant data center to reach the Internet
      • Narrow branch network bandwidth and extensive route and bandwidth changes
      • Internal networks and devices vulnerable to targeted e-mail attacks
      • A standard terminal that does not meet diversified user needs
      • Access control and single sign-on have not been implemented, despite the need for individual authentication for each cloud service
    • Solution
      • Zero Trust Security: secure at the terminal or device level without distinguishing between internal and external, and increase resilience against threats
      • SD-WAN: improve accessibility to cloud services by overlaying a virtualized network that does not distinguish between private leased lines and the Internet; respond flexibly to the addition and change of new services by changing bandwidth and routing from one place
      • Cloud Exchange Service: connect immediately to new cloud services by using a cloud exchange service that is pre-connected to them
      • ID Federation: prepare an authentication infrastructure capable of linking cloud services and on-premise IDs, enabling single sign-on and access control
  • 4. Current IT State
    • Data center centric network structure
    • The gateway to the Internet and the cloud is consolidated in the data center
    • Because the boundary is thoroughly defended at the data center, the internal network is considered safe and sufficient security measures are not implemented on it
    • The branch networks have been changed manually
    • [Diagram: Data Center, Head Quarters, Branch Office, Service Office, Store, Factory, WAN, Cloud Services, Internet]
  • 5. Problems under Current IT State
    • Increasing use of cloud (not only IaaS but also PaaS and SaaS)
    • Bandwidth shortage on the cloud-connected network
    • Authentication to the cloud is managed separately from the on-premise environment
    • Routing and bandwidth changes occur frequently and costs rise
    • Because of reliance on boundary defense, the internal networks and devices are conversely weak
    • Flexibility to change and resistance to attack are lacking, and this becomes a burden when taking on new challenges
    • [Diagram: the slide 4 topology annotated with Bottleneck, Increasing Demand, Increasing cost of change work, Vulnerable, Isolated ID Management]
  • 6. Background
    • User view
      • The way people work has diversified, and it is becoming common to access from various places such as home and outside the office
      • Interaction with collaborating business partners has become active, and the internal and external boundaries have become uncertain
    • Provider view
      • Shift from in-house development to using external services such as SaaS
      • In particular, OA business applications such as O365, Box and Concur are actively being shifted to SaaS
  • 7. Business Problem
    • Limit of the data center centered network structure
      • The doorway to the Internet is only in the data center
      • Concentration of access to the Internet at the Internet access gateway
      • Waste of having to go through a distant data center to get out to the Internet
      • Narrow branch network bandwidth and extensive route and bandwidth changes
    • Vulnerable internal networks
      • Boundary defense is not effective against targeted e-mail attacks
      • Vulnerable terminal security that relies too much on boundary defense
      • Early virus detection and spread prevention functions are poor
    • No integrated authentication system, and the existing authentication is insecure
      • Access control and single sign-on have not been implemented, despite the need for individual authentication for each cloud service
      • Dangerous authentication with ID and password only
  • 8. Use Case List
    • If a cloud service is cheaper and more efficient than developing it ourselves, we want to actively use it
    • With the expansion of cloud service use, we want to connect from the site to the Internet or the cloud via a high-speed, high-capacity network
    • We want to use a unified authentication system for both internal and external systems to control who can connect to which system
    • We want to minimize the cost and time of changing bandwidth or route settings on routers and firewalls at the sites when cloud service providers are added or changed
    • We want to use internal and external systems with the same procedure from the office, outside and home
    • We want to let business partners use the internal and external systems
    • On the premise that targeted e-mail attacks cannot be avoided, we want a mechanism that enables early detection and early countermeasures in case of infection
  • 9. IT Requirements (Category, IT Requirement, Priority)
    • Network, Must: Direct access to the public cloud (IaaS / PaaS / SaaS) without going through the DC
    • Network, Must: Since it is necessary to connect to various public cloud services, use a cloud exchange service to keep the network structure simple instead of providing an access route to each cloud service
    • Network, Must: Be able to optimize cost and performance by using not only leased lines but also the Internet to connect to the cloud and the DCs
    • Network, Must: To flexibly increase and decrease network bandwidth, make it easy to scale out lines by bundling multiple leased lines and the Internet
    • Network, Should: Make it easy to change network bandwidth and routes by central control
    • Network, Could: To improve accessibility to the public cloud and avoid putting a burden on the existing infrastructure in the company, it is necessary to be able to make an Internet breakout from the sites as much as possible
  • 10. IT Requirements (Category, IT Requirement, Priority)
    • Security, Must: Encryption is required when the Internet is used as an access network
    • Security, Must: In the case of Internet breakout, a packet filtering feature must be provided at the breakout sites to protect against external attacks
    • Security, Must: Authentication and authorization to the applications, not only on the on-premise DCs but also on the public cloud services, are performed via a unified authentication system
    • Security, Must: Take the necessary defense measures without assuming that the internal network is safe, as active use of the Internet and public clouds progresses
    • Security, Should: For authentication to the applications on the on-premise DCs as well as in the cloud, multi-factor authentication and device authentication should be applied
    • Security, Must: Ensure endpoint security rather than boundary defense so that detection and removal of threats can be performed promptly
    • Security, Must: Ensure security monitoring (SIEM) and action (CSIRT) so that illegal access and attacks can be detected promptly and measures taken
    • Security, Must: Ensure log management to detect unauthorized access and attacks
    • Security, Must: Access to confidential data, including personal information, can be audited: when, who requested what
  • 11. Solution Approach
    • Software Defined Overlay Network
      • Cloud Exchange Service
        • Simple connectivity to the public cloud
        • Easy cloud connection bandwidth change
      • Software Defined WAN (SD-WAN)
        • Using bundled multiple leased lines and the Internet
        • Internet breakout feature
        • Central console operation
    • Zero Trust Security
      • Endpoint security
      • ID federation for the applications and public cloud services
      • Multi-factor authentication and device authentication
      • Log management and SIEM, CSIRT
      • DB audit
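The slide 10 security requirements and the slide 11 Zero Trust components together describe one access decision: the same unified check whether the request comes from inside or outside, with MFA and device authentication, and an audit record of when, who requested what. The following is an added example of that decision and is not the deck's own code; the request fields, the policy order, and the user, device and application inventories are constructed assumptions.

```python
"""Zero-trust access decision with an audit record, as an added example for the
slide 10 security requirements and the slide 11 Zero Trust components. It is
not the deck's own code; the request fields, policy and inventories are
assumptions constructed here."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple
import json

@dataclass
class AccessRequest:
    user: str                 # federated ID, the same for on-premise and cloud apps
    app: str                  # target application, in an on-premise DC or a SaaS
    location: str             # "hq", "branch", "home": recorded, never trusted
    mfa_verified: bool        # second factor completed at the ID federation system
    device_id: Optional[str]  # device identity presented by the endpoint agent
    device_compliant: bool    # endpoint security reports the device as healthy

# Constructed sample inventories (assumption): which federated user may use
# which application, which devices are enrolled, which apps hold personal data.
ENTITLEMENTS = {"alice": {"hr-db", "o365"}, "bob": {"o365"}}
ENROLLED_DEVICES = {"dev-001", "dev-002"}
CONFIDENTIAL_APPS = {"hr-db"}
AUDIT_LOG = []  # stand-in for the log management / SIEM feed

def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate one request. Location is deliberately not a factor: a request
    from the head office gets exactly the checks a request from home gets."""
    if req.user not in ENTITLEMENTS:
        return False, "unknown identity"
    if not req.mfa_verified:
        return False, "mfa required"             # ID and password alone is rejected
    if req.device_id not in ENROLLED_DEVICES:
        return False, "device not authenticated"
    if not req.device_compliant:
        return False, "endpoint not compliant"   # isolate rather than grant
    if req.app not in ENTITLEMENTS[req.user]:
        return False, "not entitled to app"
    return True, "allowed"

def audit_record(req, allowed, reason, when):
    """One record answering 'when, who requested what'; confidential apps are
    flagged so the DB audit trail can be correlated with this access log."""
    return {
        "ts": when.astimezone(timezone.utc).isoformat(),
        "user": req.user, "app": req.app, "location": req.location,
        "device": req.device_id, "allowed": allowed, "reason": reason,
        "confidential": req.app in CONFIDENTIAL_APPS,
    }

def process(req: AccessRequest, when: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide, then always write the audit record: denials are logged too."""
    allowed, reason = decide(req)
    line = json.dumps(audit_record(req, allowed, reason,
                                   when or datetime.now(timezone.utc)), sort_keys=True)
    AUDIT_LOG.append(line)
    return allowed, line

if __name__ == "__main__":
    # Constructed requests: same user and app, only the presented factors differ.
    base = dict(user="alice", app="hr-db", device_id="dev-001", device_compliant=True)
    print(process(AccessRequest(location="hq", mfa_verified=False, **base)))
    print(process(AccessRequest(location="home", mfa_verified=True, **base)))
```

The request from the head office without a second factor is denied while the request from home with MFA on an enrolled, compliant device is allowed, which is the "without distinguishing between internal and external" point of slide 3 made concrete.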
  • 12. Architectural Overview
    • [Diagram: Head Quarters, Branch Office, Service Office, Store, Factory, Home, WAN, Internet, Cloud Exchange Service, On/Off premise Data Center, Cloud Services (IaaS, PaaS, SaaS), IDaaS, Zero Trust Security (Attack Detection, SIEM, Protection, Recovery, Patch, Action)]
    • The DC is considered a type of cloud service, preventing load concentration on the DC and increasing toughness against disasters
    • Protect devices and accesses rather than relying on boundary defense, and enhance attack tolerance overall
    • Realize diversification of workplaces by using the system regardless of where we work
    • Utilize the Internet as a route through an encrypted overlay network built by SD-WAN
    • High-speed, low-cost cloud access realized by breakout from the site to the Internet
    • Simple connection to multiple clouds realized by utilizing a cloud exchange service (Software Defined Overlay Network)
    • Prepare an authentication infrastructure that enables federation between cloud services and internal IDs, realizing single sign-on and access control
  • 13. Component Model (high level component relationship)
    • Networking: SD-WAN Overlay Network, Internet, Leased line, Internet Breakout, Cloud Exchange Service, Site, On-premise DC, Cloud Service
    • Security: ID Federation System, Endpoint security, Log Management, SIEM / CSIRT, DB Audit, Confidential Data
    • Actors and applications: User, Terminal, Application
    • [Diagram: the components above linked by Deploy, Use, Authenticate, Connect, Configure, Transfer, Monitor and Audit relationships]
  • 14. Operational Model (high level diagram)
    • [Diagram: Cloud Service Providers (IaaS, PaaS, SaaS), HUB-DC West and HUB-DC East each with a CPE and a Cloud Exchange Service, Data Center West and Data Center East with CPEs, Sites with CPEs and Internet Breakout, WAN, Internet; ID Federation, Endpoint Security, SIEM / CSIRT, DB Audit and Log Mgmt placed in the data centers]
    • CPE (Customer Premise Equipment): here, it refers to a routing device that supports SD-WAN technology
  • 15. Value Proposition
    • Benefit categories: Flexibility, Availability, Convenience, Safety, Cost Reduction, Speediness
    • Benefits
      • Can promptly implement new installation, change and cancellation of cloud services safely and inexpensively
      • Can diversify our way of working through system use regardless of where we work
      • Can make the cross-site network redundant inexpensively
      • Can use single sign-on with the same ID for both cloud and on-premise
      • Can discover targeted e-mail attacks early, and plan and implement countermeasures
      • Can speed up access from the site to cloud services inexpensively
      • Can implement the work of changing the bandwidth and route of the inter-site network
      • Can increase tolerance to data leakage and quickly identify the range of impact in case of an incident
      • Can make it easier to design a data exchange system with business partners
    • Solutions: DB Audit, ID Federation, Endpoint Security, Log Management / SIEM / CSIRT, SD-WAN, Cloud Exchange Service
  • 16. Migration Plan (first year, second year, third year)
    • Milestones: Network Requirement Definition and Macro design, Security Requirement Definition and Macro design, Network migration start, Migration complete
    • Networking: HUB-DC Build, DC SD-WAN Build, Sites SD-WAN Build and migration
    • Security: ID Federation Build, DB Audit Build, Endpoint Security Build, Log mgmt Build, SIEM Build, CSIRT Build, Endpoint Security Sites deployment
  • 17. Architectural Decision Examples
    • Issue: How to connect between on-premise DCs and multi-cloud DCs
    • Decision: We will develop HUB-DCs leveraging a cloud exchange service with SD-WAN technology
    • Status: Decided
    • Category: Infrastructure – Networking
    • Assumptions
      • Increasing use of multiple cloud services
      • Adding, deleting, changing and replacing cloud services frequently
      • Changing bandwidth, routing and access control of the network connection to the cloud
      • Increasing number of sites using Internet breakout as the use of SaaS such as O365 and Box grows
    • Options
      • 1. Use leased lines for each connection (Mesh topology)
      • 2. Develop HUB-DCs with a cloud exchange service (Hub-Spoke topology)
      • 3. Develop HUB-DCs with a cloud exchange service and SD-WAN (Hub-Spoke topology + SD-WAN)
    • Arguments (Rationale): Option, Flexibility, Simplicity, Security, Stability, Change Speed
      • Option 1: Low, Low, Complex, Low, Low (few months)
      • Option 2: Medium, Medium, Complex, Medium, Medium (few weeks)
      • Option 3: High, High, Flexible, High, High (few hours)
    • Risk
      • SD-WAN would be a rapidly growing technology
      • We have no experience developing SD-WAN
    • Implications
      • CPE (Customer Premises Equipment) needs to be deployed in the HUB-DCs to realize SD-WAN
      • The HUB-DC must support mega cloud services such as IBM Cloud, Azure and AWS
    • Notes: none