Post on 17-May-2015
Copyright CohesiveFT 2009
Cohesive Flexible Technologies
Controlling and Securing Your Assets in the Cloud
Chris Purrington, CohesiveFT
CohesiveFT - onboarding solutions for public, private and hybrid clouds
Team looks like this
20 Cloud Computing Startups You Should Know
We do this
The cloud is not a panacea for bad design. But moving applications to the cloud can quickly reduce capital expenditure and speed time to market.
The first question on everyone’s mind: Is my stuff safe up there?
Security and control remain top concerns
Use “your father’s VPN”
Typical VPN: Remote office access
Uhhh...no.
Typical VPN does not provide high availability, overlapping address spaces, multi-site routing, etc.
But an overlay network can.
I will be robust and secure using cloud-to-cloud DR
(Diagram: Cloud A and Cloud B. “Do x-cloud fail over... somehow...” “Do this! (somehow)”)
When you put your assets in a cloud you surrender CONTROL of addressing, protocols, topology, and secure communications.
But an overlay network gives back CONTROL.
Speaking of security... What’s inside this VM?
I know, let’s ask him... or him. (Picture from: www.sysadminday.com)
Server “assembly” costs are THE Enterprise IT cost
A 20-year journey from single-file deployment on a homogeneous architecture (the “C” program on Unix) to single-file deployment on heterogeneous architectures (the VM to everywhere).
As such, assembly errors and their propagation represent one of the biggest security risks as well.
Photo credit: Zach Rosing, May 25, 2007
Do you have evil clones? Good clones?
There are going to be a lot of them. Run the numbers...
- 10,000,000 today
- 250,000,000 in 2015
- 2,500,000,000 is not impossible
Photo credit: Paramount
Ahh... you will use P2V (somehow)
“P2V and SLA are mutually EXCLUSIVE!”
Why? The 3 rules of hardware computing...
1) When you get a physical machine installed and working - NEVER MOVE IT
2) When you get the software installed and working - NEVER TOUCH IT
3) When you “touch it”, don’t tell anyone.
PHYSICAL TO VIRTUAL........ easy.
So... I am highlighting two issues in securing your assets in the cloud:
- Even if using a cloud... it needs to be YOUR infrastructure in YOUR control
- Working from a “bill of materials” approach is the only way to safely survive the clone wars
YOUR infrastructure in YOUR control in the clouds
Use an “overlay network” that you acquire, configure, deploy and manage.
Enterprise IT is about checks, balances, and risk mitigation.
What is an overlay network?
An overlay network is a computer network which is built on top of another network. Nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network.
Use an overlay network
CONTROL:
- Your addressing
- Your topology
- Your protocols
- Your secure communications
I have software that REQUIRES multicast for service discovery
This is true of many enterprise software packages (grid computing packages, database clusters, wikis and more).
Even inside the enterprise, complexity and lead times prevent shared use of available resources across disparate customer-controlled data centers, because VLAN reconfiguration would be too expensive.
VPN-Cubed allows you to get the multicast traffic into the overlay network before it is rejected by the underlying network infrastructure. This allows you control of your protocols.
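The overlay definition above and this multicast case describe one mechanism: a logical link between overlay nodes rides a unicast path through the underlying network, and traffic the underlay would refuse (here a multicast service-discovery announcement) is wrapped before the underlay ever sees it. The Python below is an added illustration of that mechanism, not CohesiveFT or VPN-Cubed code. The underlay model, the manager and member names, the addresses (RFC 1918 space for the customer's overlay, the 203.0.113.0/24 documentation range for the provider) and the JSON envelope are all assumptions made for the example.

```python
"""Added example (not CohesiveFT or VPN-Cubed code): how an overlay network
carries traffic that the underlying network would reject.

The underlay below is a constructed model of a provider network that forwards
only unicast traffic inside its own address range and drops everything else,
multicast included.  Overlay managers wrap packets from their members in a
unicast envelope addressed manager-to-manager, so the underlay sees only
traffic it is willing to forward.  Names, addresses and the envelope layout
are assumptions for this example.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


class Underlay:
    """Provider network: delivers unicast inside its prefix, drops the rest."""

    def __init__(self, prefix: str):
        self.prefix = ipaddress.ip_network(prefix)
        self.dropped: List[Packet] = []

    def deliver(self, pkt: Packet, endpoints: Dict[str, "OverlayManager"]) -> Optional[Packet]:
        dst = ipaddress.ip_address(pkt.dst)
        if dst.is_multicast or dst not in self.prefix or pkt.dst not in endpoints:
            self.dropped.append(pkt)
            return None
        return endpoints[pkt.dst].receive(pkt)


class OverlayManager:
    """One overlay manager: a unicast underlay address plus the overlay
    addresses it serves.  A logical overlay link between two managers is
    realised as a unicast path through the underlay."""

    def __init__(self, name: str, underlay_addr: str, members: List[str]):
        self.name = name
        self.underlay_addr = underlay_addr
        self.members = set(members)            # customer-chosen overlay addresses
        self.inbox: List[tuple] = []           # (overlay_dst, payload) handed to members

    def encapsulate(self, inner: Packet, peer: "OverlayManager") -> Packet:
        # Outer header is manager-to-manager unicast; the inner packet is the payload.
        envelope = json.dumps({"src": inner.src, "dst": inner.dst,
                               "payload": inner.payload.hex()}).encode()
        return Packet(self.underlay_addr, peer.underlay_addr, envelope)

    def receive(self, outer: Packet) -> Packet:
        inner = json.loads(outer.payload)
        dst = ipaddress.ip_address(inner["dst"])
        # Multicast fans out to every local member; unicast goes only to its owner.
        targets = self.members if dst.is_multicast else {inner["dst"]} & self.members
        for member in sorted(targets):
            self.inbox.append((member, bytes.fromhex(inner["payload"])))
        return outer


def send_over_overlay(pkt: Packet, src_mgr: OverlayManager, peers: List[OverlayManager],
                      underlay: Underlay, endpoints: Dict[str, OverlayManager]) -> int:
    """Encapsulate `pkt` once per peer manager and push it through the underlay.
    Returns how many peers the underlay actually delivered to."""
    delivered = 0
    for peer in peers:
        if underlay.deliver(src_mgr.encapsulate(pkt, peer), endpoints) is not None:
            delivered += 1
    return delivered


def demo() -> dict:
    underlay = Underlay("203.0.113.0/24")          # constructed provider range
    east = OverlayManager("east", "203.0.113.10", ["10.0.1.1", "10.0.1.2"])
    west = OverlayManager("west", "203.0.113.20", ["10.0.2.1"])
    endpoints = {east.underlay_addr: east, west.underlay_addr: west}

    # Constructed service-discovery announcement to an admin-scoped multicast group.
    disco = Packet("10.0.1.1", "239.1.1.1", b"SERVICE db-cluster-node-1")

    raw_result = underlay.deliver(disco, endpoints)           # the underlay refuses it
    reached = send_over_overlay(disco, east, [west], underlay, endpoints)
    return {
        "raw_delivered": raw_result is not None,              # False
        "overlay_peers_reached": reached,                     # 1
        "west_inbox": west.inbox,
        "underlay_drops": len(underlay.dropped),              # 1
    }


if __name__ == "__main__":
    print(demo())
```

The point the toy makes is the one the slide makes: the provider network never has to support multicast, because what it forwards is ordinary manager-to-manager unicast, and the group semantics are applied by the overlay manager at the far end. The same property is what lets the overlay keep its own addressing independent of what the provider hands out.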
I want to control my own network addresses
I am an early adopter of cloud computing and love the flexibility provided by a public cloud like Amazon EC2, but I want to control my own network addresses, not be given some different set of VLAN addresses when I reboot my servers.
VPN-Cubed gives you control of your addressing, allowing you to give your cloud servers static addresses that only change when YOU want them to. Local infrastructure control of addressing in the public clouds!
Can’t I use my existing data center NOC?
I have completed some of my “datacenter to cloud” migrations but am now under pressure to use new monitoring and management tools. Can’t I use my existing datacenter NOC (network operations center)?
VPN-Cubed allows you to simply set up an overlay network for the express purpose of connecting cloud VLANs (at EC2, for example) to data center management installations using popular commercial systems like Tivoli, Unicenter and OpenView, as well as leading open source systems like Nagios, Hyperic and GroundWorks.
I want to use EC2 USA and EC2 Europe for both fail over and data privacy issues
I am a cloud early adopter and I want to use both Amazon EC2 USA and Amazon EC2 Europe for both fail over and data privacy issues. How can I securely link the two environments and treat them as one logical network?
VPN-Cubed does this “out of the box” with a pre-packaged solution “VPN-Cubed for EC2” available for self-service clients as well as those needing some professional services support.
Isn’t there a way I can test ISV solutions as if on my local network?
I have an ISV who has a solution which I would like to evaluate, but it will be quite disruptive for me to install. Can’t I test their solution as if it were on my local network?
VPN-Cubed allows your ISV to install their solution as a virtual server in a public cloud like EC2, yet make it available to a DMZ or particular set of VLANs in your corporate environment.
The burden of testing the ISV solution should rest with your vendor with minimal impact or workload on your team.
VPN-Cubed Overlay Network (diagram): Cloud A and your Data Center, connected over the Internet or a leased or private network. Customer addressing, customer encryption, customer multicast. Virtual Servers and VPN-Cubed Managers create an overlay network. VPN-Cubed Managers synchronize state and management information across N managers.
VPN-Cubed Editions
- VPN-Cubed for EC2 (Free)
- VPN-Cubed for EC2 (Paid AMIs)
- VPN-Cubed: Datacenter to EC2
- VPN-Cubed: Datacenter to EC2 (IPsec)
- VPN-Cubed: Enterprise Edition
VPN-Cubed for EC2 (Free Edition): Build an overlay network controlled by VPN-Cubed Managers in US and/or EU.
(Diagram: peers in EC2 EU, or in EC2 USA, or in both.)
VPN-Cubed for EC2 (Paid AMIs): Build an overlay network controlled by 4 managers in US and/or EU regions.
(Diagram: peers in EC2 USA and EC2 EU.)
VPN-Cubed: Datacenter to EC2: Run an overlay network using Manager pairs in an EC2 region and your data center.
WHAT IS DIFFERENT?
The local VPN-Cubed Managers will need to be assembled in a virtual machine format you can support.
You WILL need to allow the Managers in your data center to initiate outbound connections.
You MIGHT want to allow the Managers in EC2 to initiate inbound connections to the local managers; if so, you LIKELY will have to make some NAT entries in your network control equipment.
You SHOULD put the VPN-Cubed Managers in a VLAN setup where you are comfortable with what traffic can and cannot traverse to and from your EC2 VLAN.
(Diagram: peers in EC2 EU or EC2 USA, and peers in your Data Center.)
VPN-Cubed: Datacenter to EC2 (IPsec): Overlay network created via Manager pairs in EC2 and your data center equipment.
WHAT IS DIFFERENT?
There are no local VPN-Cubed Managers.
Your data center extranet solution (Cisco ASA, Cisco PIX, Juniper NetScreen) will connect to VPN-Cubed Managers in the cloud, front-ended by VPN-Cubed IPsec Gateways.
You MIGHT want to allow the Managers in the cloud to route traffic to your datacenter; if so, you WILL have to make some routing entries in the VPN-Cubed Managers.
(Diagram: peers in EC2 EU or EC2 USA behind IPsec Gateways, and your Data Center.)
VPN-Cubed: Enterprise Edition: Complex, multi-manager, custom topology captured as a specification.
Evolution of use cases. As we discover different use cases we retrofit them as specifications to automatically drive the user interface for peering and monitoring.
It is an incremental and ongoing process at this point in the market.
YOUR infrastructure in YOUR control in the clouds
THIS... or THIS
Enterprise IT is about checks, balances, and risk mitigation.
Bill of Materials
With a BOM approach:
- Identity
- Customization
- Provenance
This is an EC2 server... right?
Look again...
Bill of Materials
With a BOM approach:
Re-master the device:
- new cloud
- new VM type
- new OS
Make clones with unique IDs, unique MAC addresses.
It’s the BOM!
What does Elastic Server do?
Gives anyone THEIR own SOFTWARE FACTORY
Any developer, SI, ISV, project, team, enterprise
can SOURCE THEIR own component supply chain
can CREATE THEIR own server design center
can MARKET, can MESSAGE, can DISTRIBUTE THEIR own server product
Elastic Server Platform
Server assembly like hardware: build from components just like you would from HP or Dell...
Source
Allows choice at every level:
- Open Source Components
- Commercial Source Components
- Proprietary Source Components
- Multiple Operating Systems
Assemble
Upload your own or your licensed ISV component.
Capture Operating Instructions.
Create / Deploy
Rapid deployment to virtual and cloud infrastructures.
Assembly portals allow precise control of enterprise architecture.
Market / Message / Distribute
Assembly portals allow:
- control of your message
- control of your brand
- control of your architecture
- control of your execution context
- control of your customer connection
- support and highlight your ecosystem
- support e-commerce integration
- support usage pattern analysis
Manage
Save the Bill of Materials as a template:
- allows “remanufacturing” for patch mgmt
- allows “remanufacturing” for migrations or heterogeneous deployment
(Diagram: Bill of Materials with a Rebuild button.)
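The Bill of Materials slides earlier on this page ask for identity, customization and provenance, re-mastering one BOM for a new cloud, VM type or OS, and clones with unique IDs and MAC addresses; this slide saves the BOM as a template to remanufacture for patching and migration. The Python below is an added illustration of that approach, not Elastic Server or CohesiveFT code: a component list pinned by version and digest, an HMAC tag over the rendered manifest so provenance is checked before anything is cloned, a locally administered unique MAC per clone, and a patch that changes the template and rebuilds rather than touching a running server. Component names, versions, digests and the signing key are constructed for the example.

```python
"""Added example (not Elastic Server or CohesiveFT code): a bill of materials
as the unit of identity, customization and provenance for a server image.

A BOM template pins every component to a version and a content digest.
Rendering it for a target (cloud, VM type, OS) gives a manifest; the build
system tags the manifest with an HMAC so its provenance can be verified before
clones are stamped out, and each clone gets a unique ID and a unique, locally
administered MAC address.  Patching changes the template and rebuilds rather
than touching a running server.  Component names, versions, digests and the
signing key below are constructed for this example.
"""
import hashlib
import hmac
import json
import secrets
import uuid
from copy import deepcopy


def _digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


# Constructed BOM template: what goes into the server, pinned by version and digest.
TEMPLATE = {
    "name": "app-server",
    "components": [
        {"name": "base-os", "version": "1.0",   "sha256": _digest(b"base-os-1.0")},
        {"name": "jvm",     "version": "6u12",  "sha256": _digest(b"jvm-6u12")},
        {"name": "app",     "version": "2.3.1", "sha256": _digest(b"app-2.3.1")},
    ],
}

# Constructed build-system signing key; in practice held by the build service only.
BUILD_KEY = b"example-build-signing-key"


def render(template: dict, *, cloud: str, vm_type: str, os_name: str) -> dict:
    """Re-master the same BOM for a target; the component list is unchanged."""
    manifest = deepcopy(template)
    manifest["target"] = {"cloud": cloud, "vm_type": vm_type, "os": os_name}
    return manifest


def canonical(manifest: dict) -> bytes:
    """Stable byte form so digests and tags do not depend on dict ordering."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign(manifest: dict, key: bytes = BUILD_KEY) -> str:
    """Provenance tag: HMAC-SHA256 over the canonical manifest."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify(manifest: dict, tag: str, key: bytes = BUILD_KEY) -> bool:
    return hmac.compare_digest(sign(manifest, key), tag)


def random_mac() -> str:
    """Random MAC with the locally-administered bit set and the multicast bit
    clear, so clones never collide with vendor-assigned or group addresses."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{o:02x}" for o in octets)


def clone(manifest: dict, tag: str, count: int) -> list:
    """Stamp out `count` servers from one verified manifest.  Every clone shares
    the manifest digest (same build) but has its own ID and MAC."""
    if not verify(manifest, tag):
        raise ValueError("manifest does not match its provenance tag")
    build_id = _digest(canonical(manifest))
    return [{"id": str(uuid.uuid4()), "mac": random_mac(), "build": build_id}
            for _ in range(count)]


def patch(template: dict, component: str, version: str, sha256: str) -> dict:
    """Remanufacturing: replace one pinned component in the template.  The
    rebuilt manifest gets a new digest and needs a new tag."""
    patched = deepcopy(template)
    for comp in patched["components"]:
        if comp["name"] == component:
            comp["version"], comp["sha256"] = version, sha256
            return patched
    raise KeyError(component)


def demo() -> dict:
    target = dict(cloud="ec2-us", vm_type="m1.small", os_name="linux")
    manifest = render(TEMPLATE, **target)
    tag = sign(manifest)
    fleet = clone(manifest, tag, 3)
    # Same BOM re-mastered for another cloud and VM type.
    other = render(TEMPLATE, cloud="ec2-eu", vm_type="c1.medium", os_name="linux")
    # Patched BOM rebuilt for the original target; the old tag no longer verifies.
    patched = render(patch(TEMPLATE, "app", "2.3.2", _digest(b"app-2.3.2")), **target)
    return {"manifest": manifest, "tag": tag, "fleet": fleet,
            "other": other, "patched": patched}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two properties matter for the "clone wars" the deck describes. First, every clone carries the digest of the manifest it was built from, so an image that does not match a tagged BOM (an "evil clone") is refused before it is stamped out, and any server in the fleet can be traced back to exactly what went into it. Second, patching produces a new manifest and a new tag rather than an in-place change, which is what makes rebuild-from-BOM a substitute for "never touch it".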
Manage
Each Elastic Server is injected with management components to facilitate enterprise virtualization.
Common device control across environments.
Elastic Server Key Themes and Values
ES as a meta-packaging system
ES covers the continuum from “vm building” to an online community for teamsourcing/crowdsourcing virtual servers:
- Appliance Builders
- OSS ISVs
- Traditional ISVs
- Enterprises
ES as a driver of provenance, certification and standards
ES as a tool to integrate developers into the production flow
ES as an e-commerce system for marketing, messaging and distributing virtual servers
ES as a defense against vendor lock-in
www.elasticsever.com
blog.elasticserver.com
twitter.com/elasticserver
www.cohesiveft.com
Thanks
chris.purrington@cohesiveft.com