Building Hybrid Clouds
Manjunath Kanale Mahabhaleshwar, Enterprise Architect, Intel IT
20 August 2013

Agenda
- Definition
- Cloud Direction
- Maturity
- Demand Drivers
- Journey
- IaaS (Infrastructure as a Service)
- Securing Cloud services
- Recap
What the Cloud Means to Intel IT
Delivering a highly available computing environment where secure services and data are delivered on-demand to authenticated devices and users, utilizing a shared, elastic infrastructure that concurrently supports multiple tenants.

Attributes
- On-demand self-service
- Broad network access
- Rapid elasticity
- Measured service
- Resource pooling
- Shared multiple tenants

Service Models
- Software as a Service: on-demand packaged software
- Platform as a Service: on-demand software development and hosting
- Infrastructure as a Service: on-demand compute infrastructure

Delivery Models
- Public, Private, or Hybrid

Hybrid Cloud: the cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability.
Intel IT Cloud Strategic Direction
- Deliver the necessary changes in how we expose applications/data to improve end user productivity
- Drive the transformation to a large-scale automated Hybrid Cloud infrastructure
- Accelerate the transformation of the Enterprise IT industry to Cloud
Intel and Industry Cloud Maturity
Timeline: 2010 Intel Cloud 1.0; 2011 Intel Cloud 1.5; 2012 Intel Cloud 2.0; 2013 Intel Cloud 2.5; 2014 Intel Cloud 3.0

Progression by role (earliest to latest):
- End User: Simple SaaS (e.g. exp reports); Complex SaaS (e.g. B2B); Hybrid SaaS
- App Dev: Legacy Apps; then Cloud Aware Apps alongside Legacy Apps
- App Owner: Simple Compute IaaS; Complex Compute IaaS; Private PaaS; Hybrid PaaS; Federated and Open Cloud
- IT Ops: Compute, Storage, and Network; Full Private IaaS; Hybrid IaaS
- Consumers / Industry: Minimal Industry Solutions; Early Industry Solutions; Open Industry Materializes; Industry Normalizing; Industry Normalized?

In 2013 hybrid applications are the norm, enabling low latency, lowest cost, improved security, and seamless data sharing between services for end user productivity.
1 Intel IT future state goals, subject to change, as of June 2011
Demand Drivers Comparison (Traditional Drivers vs. Cloud Aware Drivers)
1. Velocity
   - Traditional: incremental velocity increase; <3 hrs is good enough; 70-day app release; bureaucracy is normal
   - Cloud Aware: significant velocity increase; grow/shrink 20x in hours/minutes; need to release apps in days/weeks; no patience for bureaucracy
2. Automation
   - Traditional: more lifecycle automation; reduce downtime costs; reduce ops labor time
   - Cloud Aware: all components need automation; expect APIs for all IT services; manual is not an option
3. Reliability
   - Traditional: incremental reliability increase; 99.7%; downtimes are normal and expected
   - Cloud Aware: significant reliability increase; 99.99%; consumers expect always-on
4. Growth
   - Traditional: growth is linear; linear employee growth; linear data growth
   - Cloud Aware: growth is potentially exponential; consumers can grow without warning; massive increase in connected devices
5. Cost of Platform
   - Traditional: cost of platform can impact profit
   - Cloud Aware: cost of platform acceptable
Traditional IT: incremental improvements. Cloud Aware: requires exponential improvements.
Challenges
- Building applications to take advantage of the Hybrid cloud
- Security: policy and management; strong auditing and reporting
- Capacity: utilization/performance analytics; significant multi-tenant sharing (flatten out peaks/valleys of usage); most software developers are oblivious to the hardware below them
- Manageability/Automation: homogeneous resources are easier to manage at scale; most IT shops are trying to simplify
- Workforce planning: support and manage cloud integration infrastructure; software development changes

Intel's Cloud Journey
Today:
- Large Private Cloud, Limited Public Cloud
- 76%+ Virtualized
- Under 1 Hour to Deploy Infrastructure
- Small number of SaaS apps in use
Tomorrow:
- Hybrid Cloud
- 80% of New Services in the Cloud
- Land Applications in Minutes
- Automation: Lower Cost with Less Resources
- Open Cloud for Bursting Capacity
- SaaS for non-differentiated apps
Infrastructure as a Service
IaaS: What is it?
- Developers/App Owners consuming all Infrastructure as Web Services
- Infrastructure exposed as APIs and UI to enable on-demand self-service
- Supporting everything from discovery and ordering to deletion of Infrastructure services

Layers: Physical Infrastructure (Compute, Storage, Network) -> Infrastructure as a Service -> Monitoring as a Service -> Interfaces
- Interfaces: GUI (Graphical User Interface), API (Application Programming Interface)
- Manageability: Watcher (e.g. Nagios*), Decider (internal), Actor (e.g. Puppet*), Collector (tbd)
- Cloud Operating Environment: Dashboard, Service Catalog, Compute, OS Images, Block Storage, Object Storage, Network

From innovative idea to production service in less than a day.
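The Watcher / Decider / Actor loop above is the autonomic core of the slide's manageability layer. The following is an added illustration (not Intel IT's code) of how a Decider can sit between a monitoring source and a configuration tool while staying safe: it confirms a fault before acting, rate-limits actions per host, and escalates to a human after a fixed number of automated attempts. The event tuples, thresholds, and the `remediate`/`escalate` task names are assumptions made for the example.

```python
# Watcher -> Decider -> Actor loop (added example, not Intel IT code).
# Watcher events are constructed Nagios-style state changes; the Actor only
# records the task it would hand to a tool such as Puppet, it runs nothing.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed Watcher output: (timestamp_s, host, service, state)
WATCHER_EVENTS = [
    (100, "web01", "http", "CRITICAL"),
    (130, "web01", "http", "CRITICAL"),   # 2nd in a row: confirmed
    (160, "web01", "http", "CRITICAL"),   # inside cooldown: ignored
    (170, "web02", "http", "WARNING"),    # not critical: streak reset
    (200, "web01", "http", "CRITICAL"),   # still inside cooldown
    (900, "web01", "http", "CRITICAL"),   # cooldown over: 2nd remediation
    (1600, "web01", "http", "CRITICAL"),  # action budget spent: escalate
]

@dataclass
class Decider:
    """Turns Watcher events into Actor tasks; rails stop a flapping check from
    triggering an unbounded stream of configuration runs."""
    confirm_after: int = 2     # consecutive CRITICALs before acting
    cooldown: int = 600        # seconds between actions per host/service
    max_actions: int = 2       # beyond this, hand off to a human
    streak: dict = field(default_factory=lambda: defaultdict(int))
    last_action: dict = field(default_factory=dict)
    actions_taken: dict = field(default_factory=lambda: defaultdict(int))

    def decide(self, ts, host, service, state):
        key = (host, service)
        if state != "CRITICAL":
            self.streak[key] = 0            # recovery clears the streak
            return None
        self.streak[key] += 1
        if self.streak[key] < self.confirm_after:
            return None                     # one bad poll is not proof
        if ts - self.last_action.get(key, -self.cooldown) < self.cooldown:
            return None                     # already acted recently
        self.last_action[key] = ts
        if self.actions_taken[key] >= self.max_actions:
            return ("escalate", host, service)
        self.actions_taken[key] += 1
        return ("remediate", host, service)

def run_loop(events, decider=None):
    """Actor side: collect the tasks the Decider emits, in order."""
    decider = decider or Decider()
    return [t for t in (decider.decide(*e) for e in events) if t]
```

Every Decider decision is derived from state it keeps itself, so the same loop can be replayed against a log of Watcher events to audit what automation did and why.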
Intel IT Hybrid Cloud
Topology: Intel Site A (PODs), Intel Site B (PODs), and an External Provider (PODs), connected by fully meshed VPN tunnels, with global load balancing (GLB) in front of the Internet.

Focus areas and key aspects:
- Technical: Active/Active application design (software designed for failure); unified monitoring, manageability and authentication
- Operational: IT service broker handling cloud on-boarding, internal and external; IT handling basic IaaS container levels externally and covering all IaaS internally
- Business: single contract with Intel IT funding and showback to BUs; liability/indemnification at acceptable levels for the associated risk

Intel IT Open Cloud - Details
Hosting environment components: Compute Nodes (Tenant 1..x); Cloud Controller Services (Volume Controller, Network Controller, Scheduler, Databases, API); Hosting Services (Domain Controllers, DNS, Automation, Security Services); Network Fabric; Load Balancers; Storage Nodes; Remote Desktop Service; Internet access via ICC VPN tunnel into the Intel DMZ/Enclave environment; Centralized Monitoring and Management (Patch Management, Package Repository, Rialto-l Monitoring, ICC Firewalls).

Key technologies:
- Cloud: OpenStack Essex
- Monitoring: Nagios
- Configuration: Puppet
- Hosts: Intel Xeon 5600 blades
- Network: 10 GbE
- Storage: scale-out on 2U
- Integration with Support Desk and other Ops capabilities

Running cutting-edge Web Services on a predominantly open source cloud.
Securing the Cloud Services
Cloud Security Control Stack (IaaS / PaaS / SaaS)
Security management functions: Identity & Access management; Configuration management; Resource provisioning; Capacity management; Release management; Service Availability.

Stack layers (top to bottom):
- Application security (Application)
- Platform security (Software platform, Operating system)
- Infrastructure security (Hypervisor, Hardware, Storage, Network)
- Data protection
- Physical security (Data Center Facility)
Responsibility shifts by service model: the agency (tenant) is responsible for more of the stack under IaaS, the CSP for more of it under SaaS, with PaaS in between.

2 Separate Risk Areas
- Provider Risk Posture
- Tenant Risk Posture
Risks and controls for the service model (what the CSP provides) and for the tenant usage must be measured separately. Determine the acceptable level of risk to Intel, then adjust controls at the CSP and tenant level to reach that goal.

IT Cloud Security Goals
Assign Provider and Tenant different classes of risk based on the controls they can provide; to get a complete picture, combine Provider Risk Posture and Tenant Risk Posture.

Tiers (usage example / required CSP controls / required tenant controls):
- Bronze: Minimum Enterprise requirement / Cloud security provider poses minimal / Tenant's application has minimum security controls
- Silver: Business Important / CSP implements validated methods plus added controls (e.g., DDoS protection, code audits, certifications) / Tenant's application has additional controls
- Gold: Business or Mission Critical, or High data classification / CSP has implemented Enterprise requirements / Tenant's application has well documented security implementation and controls
- Platinum: Foundational Security services / CSP raises the bar, provides high assurance / Tenant's application has maximum security controls
Cloud Service Provider Controls
- Governance: Training; Regulatory Controls; Investigations; E-D; Audits
- Secured Datacenters: Data Location
- Secured Brokers and Support Applications: tools, automation and accounts are hardened, with logically isolated privileged accounts; Code Auditing
- Data Protection: control of VM images and data; Encryption; DLP
- Monitoring: Security Monitoring and Alerting; Security Logging (including infrastructure and management components); Intrusion Detection (network, host, management, intra-host)
- Hardened Management and Control Infrastructure: Privileged Access Control; Bastion Chokepoints; Multi-factor access control
Cloud Service Providers not only need specific controls; the controls must integrate with our enterprise controls.

Tenant Controls
- Governance: Cloud Security Training; Regulatory Controls; Investigations; E-D; Audits; Data Location
- Secured Brokers and Support Applications: tools, automation and accounts are hardened, with logically isolated privileged accounts; Code Auditing
- Data Protection: control of VM images and data; Encryption; DLP
- Identity management: Lifecycle; Logging; Multi-factor authentication; Privilege of services and automation
- Application layer:
  - Intrusion Detection: detect malicious activity at the application layer (WAF, mod_security)
  - Granular access control
  - Control over privileged activity
  - Isolation (logical or physical): Security Groups, VLANs, VPC, else
  - Application and Platform hardening: SDLC, pre-launch code audits, pen test
Tenants need to take some ownership of their own security controls and not rely on the provider.
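Isolation via security groups is listed above as a tenant-owned control, and on an OpenStack-based cloud it is the tenant, not the provider, who leaves a management port open. The following is an added example (not Intel IT or OpenStack code) of a small audit a tenant can run over its own rules before launch: it flags management ports reachable from the whole Internet, rules that open very wide port ranges, and any-protocol rules from the Internet. The rule field names and all groups below are assumptions constructed for the example.

```python
# Tenant security-group audit (added example, not Intel IT or OpenStack code).
# Rule dictionaries use assumed field names that mirror what an OpenStack-style
# security group exposes; all groups and rules below are constructed.
import ipaddress

# Management ports that belong behind a bastion, never open to the Internet.
MGMT_PORTS = {22, 3389, 5900}
WIDE_RANGE = 1024          # more ports than this in one rule is a smell

SECURITY_GROUPS = {
    "web": [
        {"dir": "ingress", "proto": "tcp", "from": 80, "to": 80, "cidr": "0.0.0.0/0"},
        {"dir": "ingress", "proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"},
        {"dir": "ingress", "proto": "any", "from": 0, "to": 0, "cidr": "0.0.0.0/0"},
    ],
    "db": [
        {"dir": "ingress", "proto": "tcp", "from": 3306, "to": 3306, "cidr": "10.1.0.0/16"},
        {"dir": "ingress", "proto": "tcp", "from": 1, "to": 65535, "cidr": "10.0.0.0/8"},
    ],
    "bastion": [
        {"dir": "ingress", "proto": "tcp", "from": 22, "to": 22, "cidr": "10.2.3.0/24"},
        {"dir": "egress", "proto": "tcp", "from": 1, "to": 65535, "cidr": "10.0.0.0/8"},
    ],
}

def audit_rule(group, rule):
    """Return (group, finding, cidr, detail) tuples for one ingress rule."""
    findings = []
    if rule["dir"] != "ingress":
        return findings                     # egress is out of scope here
    net = ipaddress.ip_network(rule["cidr"], strict=False)
    ports = range(rule["from"], rule["to"] + 1)
    world = net.prefixlen == 0              # 0.0.0.0/0 or ::/0
    if world and any(p in ports for p in MGMT_PORTS):
        hit = min(p for p in MGMT_PORTS if p in ports)
        findings.append((group, "mgmt-port-open-to-internet", rule["cidr"], hit))
    if world and rule["proto"] not in ("tcp", "udp", "icmp"):
        findings.append((group, "all-protocols-from-internet", rule["cidr"], rule["proto"]))
    if len(ports) > WIDE_RANGE:
        span = f"{rule['from']}-{rule['to']}"
        findings.append((group, "wide-port-range", rule["cidr"], span))
    return findings

def audit(groups):
    """Audit every rule of every group; an empty list means no gaps found."""
    return [f for g, rules in groups.items() for r in rules for f in audit_rule(g, r)]
```

Wiring this into the pre-launch code audit step keeps the isolation control with the tenant, where the slide places it.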
Recap and Summary
Wrap Up
- Our direction: Federated, Interoperable and Open Cloud
- Transforming the Data Center to Open APIs
- Exposing specialized hardware through Open APIs
- True autonomics possible, making the Decider brilliant
- Build more and more Cloud aware applications
- Enterprise IT will change massively in the next 2-5 years

Resources for You
- Engage with ODCA: learn about usage models; use the RFP Tool; www.opendatacenteralliance.org (over 300 global IT leaders representing over $100B in annual IT spend)
- Learn more about IT@Intel best practices: www.intel.com/it
- Please check the APM (Application Performance Management) poster
Please contact me if anything is required: Manjunath.k.mahabhaleshwar@intel.com
Rules of Cloud Aware Apps: Software Developer Changes
http://www.opendatacenteralliance.org/docs/devcloudcapapp.pdf
- Shift to stateless cloud services
- Assume and design for failure at all layers
- Scale horizontally: scaling up always has a break point; scaling horizontally ensures greater scalability (close to infinite if you remove app bottlenecks)
- Eventual consistency at the data layer
- Shift to a DevOps or NoOps model: set rules/automation for desired effects, utilize APIs, continue to assume failure; developers involved in creating automation/remediation for production
- Developer and IT partnered to create agile and highly available services: never wait on IT, never wait on other software developers; the IT infrastructure team should seem invisible
- Implement true Web services for consumption

What's Ahead for Cloud at Intel?
- Past (2009): Traditional Office & Enterprise; Design Grid
- Current (2013): Distinct Clouds: Office/Enterprise/Services, Design, Public
- Future Goals: Federated Clouds, Public
Goals: 80% effective asset utilization; velocity for service provisioning; zero business impact.
Steps along the way:
- Pervasive virtualization (75%); enterprise app virtualization; secure virtualization; larger pools in fewer data centers
- On-demand self-service the norm; innovative idea to production in under a day; provision VMs within minutes; external cloud for burst demand; automated sourcing decisions
- Application design for failure; reduce MTTR; increase availability; automated, end-to-end service-managed Cloud