MPLS 2010: Network Enabled Cloud and Service Models

Network Enabled Cloud and Service Models
Monique J. Morrow
Cisco
mmorrow@cisco.com

www.mpls2010.com

Insert Company
Logo Here

Agenda
Service and Deployment Models

Factoring the Network Into the Cloud

Cloud Management

Cloud Security

Inter-cloud

Standards

Summary
Insert
Company
Logo Here

Common Taxonomy
Cloud Framework from NIST

Essential Measured
Rapid Elasticity
Characteristics Service

On-Demand Broad Network Resource
Self Service Access Pooling

Service Software as a Infrastructure
Platform as a
as a Service
Models Service (SaaS) Service (PaaS)
(IaaS)

Deployment
Models Public Private Hybrid Community

http://www.csrc.nist.gov/groups/SNS/cloud-computing/index.html
Insert
Company
Logo Here

Cloud Services Taxonomy

SaaS Enabled Applications
Software as a CRM/ERP Desktop Apps
Service (SaaS)
End Users
UC Video Other Apps

Platform Enabled Applications
Platform as a Billing Collaboration
Service (PaaS) Developers
Apps Dev Workflow Metadata

Infrastructure Enabled Services
Business Data
Infrastructure as a
Service (IaaS) System Infrastructure
IT Department
Hosted Hardware Grid
Insert
Company
Logo Here

Applications in the Cloud
Supporting Hybrid: Not One-Size-Fits-All

Future

Data “Trust” (Verifiable)
-  Secure and Private
-  Compliant
Strategic

Today

Development and Test
Web Apps (some)
Media Distribution Service
Levels
Large Scale Compute/Storage

Mission
Critical Insert
Company
Logo Here

Hybrid Cloud for Enterprise Extension

Multi-Tenant SP
virtual private cloud services

IaaS
Enterprise
- w/security Enterprise
Internal Cloud - SLA support Virtualized DC

Enterprise
Virtualized DC

Internet

Seamless Extension of the Enterprise DC (IaaS)
(elastic compute, storage, network, services)
Insert
Company
Logo Here

Challenge: Tightly Integrating Network
Services

 One-size-fits-all makes it
easier, but at the expense of
functionality
 More than just VMs on a
VLAN!
 Scaling becomes a challenge
with just 20K VM’s and 100’s
of tenants
 Requires understanding of
NW service abstraction,
template-based
configuration, tiered network
designs

Insert
Company
Logo Here

Network Factored Cloud
App Tiers in a Typical DC Branch Branch
DC
Dept/Customer 1 Dept/Customer 2
Internet MAN/WAN/SP Net

Web Tier

DMZ

App Tier
Core

Distribution
DB Tier

Aggregation

Storage Tier
Dept 2 Dept 1

App 6 App 1

Tiered Network:
Access
  Storage
  SAN/NAS DB 2 DB 1
  Access: App tiers reside here
  Aggregation, distribution, core SAN
Outsource
(part of app tiers may reside here) to Cloud
  DMZ Insert
  Campus core/MAN/WAN edges
Company
Logo Here

Multi-tenant Cloud DC

Need Support for Following, for Example: (Via Support Of API,
vDC Configuration Spec A La OVF)
  Isolate vDCs not just VM level, but also at network level
  Network service or capability insertion (virtual or physical) at various layers on-demand

Isolation

Dept/Customer 1 Dept/Customer 2
 Network QoS
 Firewall
 VPN
Storage Tier

 Network QoS
 SSL Acceleration
App Tier  Load Balancing
 Firewall

 Network QoS
DB Tier  Load Balancing
 Firewall

 Network QoS
Storage Tier  VSAN

Insert
Company
Logo Here

Hybrid Cloud With Intelligent Network - High Level Use Case

Additional Capacity
Needs – Request
Cloud Cloud Resources
Data Center
Internal
Data Center
Check Availability,
Performance,
Determine Optimal
Location
Cloud VPN Self-provision Network
Tenant, Virtual
Core Compute, Storage,
Cloud
Data Center VPN
Workloads
Deployed
Cloud
Data Center

‘Pay-as-you-go’ for compute, storage, network
Insert
Company
Logo Here

Changing the Approach

Current state Cloud Aware Infrastructure
Periodic polling from Real-time publishing of state
network mgmt system to from Network Devices – Scales
devices does not scale well
Management plane driven Network Control plane reduces
– Scaling is achieved using the scaling challenges of
technologies like clustering management plane
Policy Definition and Policy Definition resides in
Enforcement happens in Management tool &
Management tool - communicates via Service
requires update for every Layer APIs to Network Elements
new device, flow, model to enforce policy

Insert
Company
Logo Here

Where to Provision the Tenant?
Utilizing Network Intelligence
  Key for many SP applications
Video – where to go that’s closest for particular video segment
Mobile – where to go for resources needed for a particular customer
Cloud (intra-DC) – workload positioning across pods within a DC
Cloud (inter-DC) – workload positioning across DCs within an NGN

  Network can provide more than just proximity information
View into not only topology but performance data, link costs, etc.

  API call provides customer identity, policy, requirements, receives top
location(s) of / for resources

Insert
Company
Logo Here

Cloud Management

  Not traditional management Cloud User Admin (CUA)
vDC Creation and VPN
Association
  Everything has to be on-demand,
on-line and elastic Cloud Service
Mgmt MW
Cloud Service Component
If management layer does not have Service Composition
Service Composition
on-line, on-demand interfaces, it (Via OVF Spec, for
Example)
will be not be suitable for Cloud Cloud Provider
+ + + Corp VPN

Admin (CPA)
  Static provisioning has
to be minimal, if at all Cloud Infra
Management Decompose Services
and Orchestrate
  Autonomic flow-through Provisions
+ + + Corp VPN
provisioning should be the norm
  Compute, storage and network Compute Element Storage Element Network Service Network Service

managed as a whole, interrelated,
Management Management Mgmt L4–7 Mgmt L2–3 VPN

not in isolation
Corp VPN

Provisions
On-demand

Insert
Company
Logo Here

Cloud Security Threats and Issues
  Where is my data?
Geographical location of data
Who is accessing it on the physical and virtual servers?
Is it segregated from others?
Can I recover it?
  What is the threat vector for cloud services?
Will it be heavily targeted?
  How do I identify the weakest link in cloud
services security chain?
  Would centralization of data bring more security?
Federated trust and identity issues
  Who would manage risk for my business assets?
And, can I comply with regulatory requirements
set by (choose your standards body)
Insert
Company
Logo Here

Private Cloud

Private Cloud Security

 What is a Private Cloud?
–  It’s Private ;-)
–  You have control of everything
–  You decide the security policy
–  No need for total seperation of resources (some
exceptions apply)
–  Need to secure virtual machines and services

Insert
Company
Logo Here

Public Cloud

Public Cloud Security
 What is a Public Cloud?
–  You are sharing a public infrastructure with others
–  You do not have control of the infrastructure
–  You do not decide the common security policy
–  You control access to the leased infrastructure (IaaS/PaaS)
–  You control access to your own services (IaaS/PaaS/SaaS)
–  You need to work together with the Cloud Provider to establish
trust and control

 Need to set up a framework for controlling SLA’s and
ensure that Security/Monitoring/Compliance/Audit
requirements are fulfilled

Insert
Company
Logo Here

Securing Clouds – Approach

 As with any security area, organizations should adopt
a risk-based approach to moving to the cloud and
selecting security options (*)

–  Identify the asset for the cloud deployment
–  Evaluate the asset
–  Map the asset to potential cloud deployment models
–  Evaluate potential cloud service models and providers
–  Sketch the potential data flow
–  Conclusion / Decision

* Cloud Security Alliance Whitepaper v2.1

Insert
Company
Logo Here

What Assets Do We Protect?
  Company reputation
  Customer trust
  Employee loyalty and experience
  Intellectual property
  Service delivery

  Personal data
  Credentials
  User directory

  Cloud service management interface
  Network
  Physical hardware
  Buildings

  Logs
  Backup or archive data
Insert
Company
Logo Here

Risks

 Policy and organizational
Lock-in, Loss of governance, Compliance challenges, Cloud
service termination or failure, Supply chain failure
 Technical
Resource exhaustion, Isolation failure, Cloud provider malicious
insider, Management interface compromise, Intercepting data in
transit, Insecure or ineffective deletion of data, DDoS
 Legal
Subpoena and e-discovery, Changes of jurisdiction, Data protection
risks, Licensing risks
 Non cloud
Network breaks, Network management, Modifying network traffic, Privilege
escalation, Social engineering
Insert
Company
Logo Here

Benefits

  Security and the benefits of scale
Multiple locations
Edge networks
Improved timeliness of response: larger to incidents
Threat management

  Security as a market differentiator
  Standardized interfaces for managed security services
  Rapid, smart scaling of resources
  Audit and evidence-gathering
  More timely and effective and efficient updates and defaults
  Benefits of resource concentration

Insert
Company
Logo Here

Securing Clouds – Approach

 As with any security area, organizations should adopt a
risk-based approach to moving to the cloud and selecting
security options (*)
–  Identify the asset for the cloud deployment
–  Evaluate the asset
–  Map the asset to potential cloud deployment models
–  Evaluate potential cloud service models and providers
–  Sketch the potential data flow
–  Conclusion / Decision

* Cloud Security Alliance Whitepaper v2.1

Insert
Company
Logo Here

Evaluate the asset

 How Important is the asset, what is the harm if
the asset became widely public and widely distributed?
an employee of our cloud provider accessed the asset?
the process or function were manipulated by an outsider?
the process or function failed to provide expected results?
the information/data were unexpectedly changed?
the asset were unavailable for a period of time?

 Confidentiality, integrity and availability requirements
when (part of) the resource is in the cloud

Insert
Company
Logo Here

Security as a Service — Assessments
Regulatory Compliance Audits and Reports

Vulnerability Assessment

Define Security Policies
Global Security Intelligence Center Automate
Mitigate risk and eliminate
Insert
Monitor and measure network compliance
Company
Distribute security and compliance reports Logo Here

References

 NIST Cloud Definition
http://csrc.nist.gov/groups/SNS/cloud-computing/cloud-def-v15.doc

 ENISA Cloud Computing Risk Assessment
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-
computing-risk-assessment/at_download/fullReport

 Cloud Security Alliance
http://cloudsecurityalliance.org/

Insert
Company
Logo Here

The Inter-Cloud

Apps Integrate Services
from Multiple Clouds
  Naming/Discovery
  Trust
  Exchange/Peering

Apps Integrate Services
Dynamic Workload from Multiple Clouds
Migration

Insert
Company
Logo Here

Inter-cloud Potential for Disruption
Interoperable Server
Side Protocols and
Formats
Proprietary Proprietary
Computing, Storage Computing, Storage
Client Client

SVMP*, SSRP*, SOIP*

Proprietary Proprietary
Computing, Storage Computing, Storage
Client Client
*Simple VM Mobility Protocol
*Simple Storage Replication Protocol
*Simple Other Inter-cloud Protocols As Needed Insert
Company
Logo Here

Evolution of the Cloud Computing Market
from Stand-alone to the Inter-cloud

Open Cloud
(Federations)

Private Cloud Private Cloud

Virtual
Inter Cloud
Private Cloud

Stand Alone
Data Centers

Public Cloud Public Cloud Public Cloud (1) Public Cloud (2)

Phase 1 Phase 2 (Present) Phase 3 Phase 4 (2015–2017)

Federation/Workload Portability/
Insert
Interoperability/Security Company
Logo Here

Where Is the Standards Work to be Done?

CSA DMTF
NIST IEEE

OGF
ETSI-TC Grid MEF
ITU-T

And More…. SNIA
CCIF

OCM
OASIS
NCOIC IETF

OCM LA TMF
Insert
Company
Logo Here

Interoperability Standards

Common Interfaces/APIs for Cloud services
offered by Cloud SP (CSP)
  OCCI for compute, SNIACDMI for storage

  Not much for network, such as standard API for Virtual private Cloud
(VPC), load-balancing (LB), firewall, QoS, bandwidth and other services

Workload mobility/migration with following elements moving between
Clouds (End user to CSP to Enterprise to CSP, CSP to CSP)
  Virtual DC (vDC) with App, VM and relevant (App, VM, network) Configurations

  Both static or live migration considered

  OVF for vDC specification  move the OVF spec

  Currently lacks features, such as network related
  No standard VM (disk) format
Insert
Company
Logo Here

Summary

Cloud Computing Represents a Shift in how
Application and Data Center Resources
Will be Architected and Consumed
Sample Areas for Standardization:
  Network abstraction, virtualization

  Cloud security

  Federation and interoperability

  Innovation – What disrupts YOU?

Insert
Company
Logo Here

MPLS 2010: Network Enabled Cloud and Service Models

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to MPLS 2010: Network Enabled Cloud and Service Models

Similar to MPLS 2010: Network Enabled Cloud and Service Models (20)

More from Cisco Service Provider

More from Cisco Service Provider (20)

Recently uploaded

Recently uploaded (20)

MPLS 2010: Network Enabled Cloud and Service Models