SIOS Cloud Lab'10


Published on

Follow Cloud Lab on Twitter

Cloud Slam Event on Facebook
Quick Links

* Digg Top Stories
* My account
* Products
* Create content
* Log out

Cloud Slam Event Blog

* The "Stealth" Cloud
* Considering Cloud Storage? Make Sure you Get your REST
* Virtually the same ?
* Vivek Kundra Steps Up to Cloud Computing's Next Challenge
* Vivek Kundra Steps Up to Cloud Computing's Next Challenge

Contact Us

General Questions:

Media Relations:


Speaker Engagement:



Media Partners






You are hereForums / Proceedings / CLOUD LAB '10 / CLOUD LAB '10 Presentation Proposals / How Your Mission Critical Applications Can Benefit from Cloud Computing
How Your Mission Critical Applications Can Benefit from Cloud Computing

* View
* Edit

By jimkaskade - Posted on 17 February 2010
To view session recording click HERE

SaaS and Cloud veteran Jim Kaskade presents use-cases where Fortune 1000 companies are using Cloud Computing to significantly reduce IT costs associated with mission-critical applications.

An IT organization's Cloud Computing initiative can typically begin with test, development, and potentially collaboration applications. This presentation will help you understand how to safely leverage the Cloud for other more critical applications, with the highest security, performance, and availability requirements. We also present several hybrid on-premise and off-premise architectures.

See how a financial trading application using IBM websphere and DB2 with the most stringent availability requirements is deployed on Amazon Web Services. We also detail a cloud deployment of an enterprise CRM application, significantly improving application availability while reducing total cost of ownership.

In this session you learn:

* Which applications are best suited for cloud computing services
* Key components needed to perform a successful cloud deployment
* Hybrid and federated on-premise and off-premise cloud architectures
* Approaches to increase (not decrease) availability in the cloud
* How cloud can be the best disaster recovery infrastructure
* Costs of Cloud versus on-premise
* Cloud security – we’re ready for mission-critical!

Published in: Technology
1 Comment
1 Like
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • SIOS was founded over a decade ago and is led by a visionary leader, Nobu Kita. SIOS is one of the largest and well-recognized providers of web application software and data center infrastructure in Japan. We’re publicly traded, and have been aggressively expanding our presence in the US and Europe through acquisitions and partnerships. We’ve recently announced our SIOS Cloud strategy, addressing a growing need for cloud technology from our established Fortune 1000 customers. (just Bing SIOS and Cloud)
  • OK. So lets get back to that disruptive technology I eluded to earlier. Beginning with the following multiple-choice question: “ How Does Your Organization Define ‘Downtime’”?
  • Is your definition of downtime taking last week off with your kids during Spring Break? Actually, this Muliple-choice Answer really defines a use-case where you blame your IT staff for being ON VACATION…..because some significant system error occurred, due to USER ERROR.
  • Answer B is when your IT staff schedules, quote-unquote, “necessary downtime” for maintenance which impacts the availability of your mission-critical application.
  • Answer C is a scenario which occurs due to an unexpected burst of activity resulting in being over capacity, and ultimately a period of downtime. AND then there is Answer D….
  • Ahh….oops…what happened. Can we get Rob back on the stage to take a look at this? [Rob Craft, MSFT Senior Director, Cloud ISV] Answer D is a host of many unpredictable things that may or may not happen. But are you willing to take that chance?
  • Well, the right answer, if you haven’t already figured it out, is “All of the Above”. I think we all can acknowledge that high availability associated with your SugarCRM application and business data is important … but what many have not considered is the cost to the business for an hour, half-day, or day of down-time….or worst-case, some disaster which results in data loss…not just reduced availability. Can you incur: database corruption resulting in loss of a significant amount of contacts A 6-hour outage for a daily workforce of customer service representatives supporting your customers Then there’s also the costs associated with establishing a comfortable level of High Availability and Disaster Recovery….1. Administrative resources, 2. Software, Server and Data center redundancy, 3. Risk of managing the HA/DR Software/Hardware complexities
  • OK. So lets talk about that disruptive technology I eluded to earlier. But first I want to ask the following multiple-choice question: “ How Does Your Organization Define ‘Downtime’”?
  • So since we are talking about availability, I thought it would be important to define exactly what I mean. Below is what has been termed the “Availability Equation”.
  • 525600
  • 525600
  • That’s why SIOS has been successful in protecting over 15,000 mission-critical applications around the world with its award-winning business continuity solutions , AND WHY Sugar chose US to ENABLE “HA For SugarCRM” Now you can achieve 5 nines of availability with installations of SugarCRM Pro and Enterprise applications when they are deployed in-house AND as you transition them into the cloud. Protect your business with: Application & Database Monitoring Automated Failover Real-time Data Replication with Recovery Point Rewind (if you have a database corruption, replicating it won’t help you). Automated Cloud HA/DR Deployment & Management (with an integrated SugarCRM offering) Automated Workload Migration (to reduce manual errors)
  • OK…now I’m going to ask my team to demonstrate a live use-case . Represented in this animation…is a scenario where we have temporarily brought our production SugarCRM application and database server off-line for upgrade testing , and we have migrated the workload to the Cloud .
  • We used HA For SugarCRM to create two identical HA/DR mirrors in two different geographical regions. End-users are currently accessing Sugar over a secure VPN network , with Sugar operating in the US Cloud.
  • Then we force the US Cloud to be unavailable…any one of those downtime scenarios A-D I referenced earlier will work. And with HA For SugarCRM , we automatically detect that event , and dynamically switch end-users to the EU Cloud mirror . ****This slide remains on the screen during the demo (on one side of the stage, while the demo occurs on the other**** Demo points below: Scott, our EVP of Sales for Business Continuity is entering in his contact information into his Sugar account. Lecole behind the scenes is going to initiate a disruption in US Cloud service, and HA For SugarCRM automatically detects, and immediately initiates a graceful failover into the EU Cloud. What you are seeing now is HA For SugarCRM checking to make sure all is in order with the storage volume, the file system, the SugarCRM application and associated database, and finally its dynamically changing the IP so that Sugar users don’t even have to be aware of where the new Sugar workload lives. Now we refresh Sugar and…..whalah!!! Scott’s critical information is there!!! This is when you are supposed to clap!!! Thank You!
  • * Host Operating System: AWS administrators with a business need are required to use their individual cryptographically strong SSH keys to gain access to a bastion host. These bastion hosts are specifically built systems that are designed and configured to protect the management plane of the cloud. Once connected to the bastion, authorized administrators are able to use a privilege escalation command to gain access to an individual host. All such accesses are logged and routinely audited. When an AWS employee no longer has a business need to administer EC2 hosts, their privileges on and access to the bastion hosts are revoked. * Guest Operating System: Virtual instances are completely controlled by the customer. They have full root access and all administrative control over additional accounts, services, and applications. AWS administrators do not have access to customer instances, and cannot log into the guest OS. Customers should disable password-based access to their hosts and utilize token or key-based authentication to gain access to unprivileged accounts. Further, customers should employ a privilege escalation mechanism with logging on a per-user basis. For example, if the guest OS is Linux, utilize SSH with keys to access the virtual instance, enable shell command-line logging, and use the ‘sudo’ utility for privilege escalation. Customers should generate their own key pairs in order to guarantee that they are unique, and not shared with other customers or with AWS. * Firewall: Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny mode and the Amazon EC2 customer must explicitly open any ports to allow inbound traffic. The traffic may be restricted by protocol, by service port, as well as by source IP address (individual IP or CIDR block). API: Calls to launch and terminate instances, change firewall parameters, and perform other functions are all signed by an X.509 certificate or the customer’s Amazon Secret Access Key. Without access to the customer’s Secret Access Key or X.509 certificate, Amazon EC2 API calls cannot be made on their behalf. In addition, API calls can be encrypted in transit with SSL to maintain confidentiality. Amazon recommends always using SSL-protected API endpoints. The Hypervisor Amazon EC2 currently utilizes a highly customized version of the Xen hypervisor, taking advantage of paravirtualization. Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, it is possible to run the guest OS with no elevated access to the CPU. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in strong security separation between the two. Instance Isolation Different instances running on the same physical machine are isolated from each other utilizing the Xen hypervisor. Amazon is an active participant and contributor within the Xen community, which ensures awareness of potential pending issues. In addition, the aforementioned firewall resides within the hypervisor layer, between the physical interface and the instance's virtual interface. All packets must pass through this layer, thus an instance’s neighbors have no additional access to that instance, and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms. Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically wipes every block of storage used by the customer, and guarantees that one customer’s data is never exposed to another. Note that unintentionally leaving data on disk devices is only one possible breach of confidentiality; many others exist, and for this reason AWS recommends that customers further protect their data using appropriate means. One common solution is to run an encrypted filesystem on top of the virtualized disk device.
  • Network Security The AWS network provides significant protection against traditional network security issues and the customer can implement further protection. The following are a few examples: * Distributed Denial Of Service (DDoS) Attacks: AWS API endpoints are hosted on the same Internet-scale, world class infrastructure that supports the retail site. Standard DDoS mitigation techniques such as syn cookies and connection limiting are used. To further mitigate the effect of potential DDoS attacks, Amazon maintains internal bandwidth which exceeds its provider-supplied Internet bandwidth. * Man In the Middle (MITM) Attacks: All of the AWS APIs are available via SSL-protected endpoints which provides server authentication. Amazon EC2 AMIs automatically generate new SSH host keys on first boot and log them to the console. Customers can then use the secure APIs to call the console and access the host keys before logging into the instance for the first time. Customers are encouraged to use the SSL endpoints for all of their interactions with AWS. * IP Spoofing: Amazon EC2 instances cannot send spoofed traffic. The Amazon -controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own. * Port Scanning: Port scans by Amazon EC2 customers are a violation of the Amazon EC2 Acceptable Use Policy (AUP). Violations of the AUP are taken seriously, and every reported violation is investigated. When Port scanning is detected it is stopped and blocked. Port scans of Amazon EC2 instances are generally ineffective because, by default, all inbound ports on Amazon EC2 instances are closed. The customer’s strict management of security groups can further mitigate the threat of port scans. If the customer configures the security group to allow traffic from any source to a specific port, then that specific port will be vulnerable to a port scan. In these cases, the customer must use appropriate security measures to protect listening services that may be essential to their application from being discovered by an unauthorized port scan. For example, a web server must clearly have port 80 (HTTP) open to the world, and the administrator of this server is responsible for ensuring the security of the HTTP server software, such as Apache. * Packet sniffing by other tenants: It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. While customers can place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. This includes two virtual instances that are owned by the same customer, even if they are located on the same physical host. Attacks such as ARP cache poisoning do not work within EC2. While Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to view another’s data, as a standard practice customers should encrypt sensitive traffic.
  • SIOS Cloud Lab'10

    1. 1. © 2010 SIOS Technology Mission Critical Applications Can Benefit from Cloud Presented by: Jim Kaskade SIOS Chief of Cloud CLOUD LAB’10
    2. 2. SIOS Was Founded in 1997 Global Presence with HQ in Japan Provides Data Center Technology Servicing Fortune 1000 IT Needs
    3. 3. Which Cloud Are We Talking About? Cloud-Suited Applications Cloud Availability Cloud Economics Cloud Security
    4. 4. Which Cloud?
    5. 5. Level Of Adoption Of Public Cloud Deployments Importance to Business On-Premise Virtualization Test/Development Backup & Archive HA/DR Burst / Overflow Production Public Cloud
    6. 6. <ul><li>10 Minutes </li></ul><ul><li>of High Availability & </li></ul><ul><li>Disaster Recovery </li></ul>© 2010 SIOS Technology
    7. 7. Test Question #1: How Do You Define “ Downtime”?
    8. 8. Answer: A
    9. 9. Answer: B
    10. 10. Answer: C
    11. 11. Answer: D
    12. 12. Answer: All of the Above “ A majority of firms have little or no idea how much IT downtime could cost their business.” Forrester Research
    13. 13. Test Question #2: How Do You Define “ High Availability”?
    14. 14. Downtime = Time to Detect + Time to Recover Availability = Uptime Update + Downtime
    15. 15. <ul><li>“ My application crashes about once a year. Usually my customers are the first to see the problem. After we are notified, we generally have the problem fixed within the hour” </li></ul>Availability = 365 * 24 * 60 (365 * 24 * 60) + 80 Downtime = 20 minutes + 60 minutes Availability = 0. 999 8478161619236 (3 Nines)
    16. 16. <ul><li>“ My application crashes about once a year. Because it is protected, the problem is detected immediately and is always recovered in under a minute. We generally don’t even know there was a problem due to the automatic recovery.” </li></ul>Availability = 365 * 24 * 60 (365 * 24 * 60) + 1 Downtime = 30 sec + 30 sec Availability = 0. 99999 80974161008 (5 Nines)
    17. 17. High Availability Seconds Days
    18. 18. © 2010 SIOS Technology Using The Cloud For Protecting Your Mission-Critical Applications
    19. 19. <ul><li>Use The Cloud For… </li></ul><ul><li>Application & Database Mirror </li></ul><ul><li>Automated Failover Target </li></ul><ul><li>Real-time Data Replication Target </li></ul><ul><li>Simplified HA/DR Deployment & Management </li></ul><ul><li>Automated Workload Migration </li></ul>
    20. 20. Cloud-based High Availability & Disaster Recovery © 2010 SIOS Technology Cross-cloud HA/DR Federated HA/DR Intra-cloud HA/DR EC2 VM EC2 VM HA + DR HA + DR EC2 VM Enterprise VMware EC2 VM Cloud Provider Server HA + DR Other Cloud
    21. 21. © 2010 SIOS Technology SugarCRM Users Enterprise Data Center Cloud for High Availability
    22. 22. SugarCRM Users © 2010 SIOS Technology Enterprise Data Center Cloud for High Availability Off-Line Upgrade Tests
    23. 23. SugarCRM Users © 2010 SIOS Technology Enterprise Data Center Cloud for High Availability Unavailable Off-Line Upgrade Tests
    24. 24. Cloud for High Availability Enterprise Data Center
    25. 25. Cloud Economics
    26. 26. Traditional Datacenter Cloud
    27. 28. VM
    28. 29. VM
    29. 31. Cloud Security?
    30. 32. <ul><li>Certifications & Accreditations </li></ul><ul><li>Datacenter Security </li></ul><ul><li>Data Security </li></ul><ul><li>Compute Security </li></ul><ul><li>Network Security </li></ul>
    31. 33. <ul><li>SOX </li></ul><ul><li>SAS70 Type II </li></ul><ul><li>HIPPA </li></ul>Certifications & Accreditations
    32. 34. <ul><li>Military grade perimeter control </li></ul><ul><li>Two-factor Auth </li></ul><ul><li>Extensive background checks </li></ul>Data Center Security
    33. 35. <ul><li>Redundant (multiple locations) </li></ul><ul><li>EBS stored in same availability zone </li></ul>Backups
    34. 36. <ul><li>Host OS </li></ul><ul><li>Guest OS (VM) </li></ul><ul><li>Firewall </li></ul><ul><li>API </li></ul><ul><li>Instance isolation </li></ul>EC2 Security
    35. 37. <ul><li>DDoS mitigation </li></ul><ul><li>MIDM </li></ul><ul><li>IP spoofing, port scanning, packet sniff </li></ul>Network Security
    36. 38. Enough?
    37. 39. [email_address] Chief of Cloud Voice: (415) 938-7891 AIM: jimhkaskade Twitter: @jimkaskade Blog: