This document discusses securing enterprise assets in the cloud. It highlights two key issues: 1) Infrastructure in the cloud still needs to be under the enterprise's own control and 2) Working from a "bill of materials" approach is the only way to safely manage virtual machines and servers in the cloud. The document advocates using an "overlay network" that is acquired, configured, deployed and managed by the enterprise to maintain control over addressing, topology, protocols and secure communications in public clouds.
Securing Enterprise Assets In The Cloud
1. Cohesive Flexible Technologies
Securing Enterprise Assets in the Cloud
Chris Purrington, CohesiveFT
Copyright CohesiveFT 2009 1
2. CohesiveFT - on boarding solutions for public, private and hybrid clouds
Team looks like this
3. CohesiveFT - on boarding solutions for public, private and hybrid clouds
We do this
4. The cloud is not a panacea for bad design.
But moving applications to the cloud can quickly reduce capital expenditure and speed time to market.
5. The first question on everyone’s mind:
Is my stuff safe up there?
17. Speaking of security...
What’s inside this VM?
I know, let’s ask him... Picture from: www.sysadminday.com
18. Speaking of security...
What’s inside this VM?
...or him. Picture from: www.sysadminday.com
19. Server “assembly” costs are THE Enterprise IT cost
20-year journey from single file deployment on a homogeneous architecture (the “C” program on Unix) to single file deployment on heterogeneous architecture (the VM to everywhere).
As such, assembly error and its propagation represent one of the biggest security risks as well.
Photo credit: Zach Rosing, May 25, 2007,
20. Do you have evil clones? Good clones?
There are going to be a lot of them. Run the numbers...
10,000,000 - today
250,000,000 - 2015
2,500,000,000 - is not impossible
Photo credit: Paramount
21. Repeat after me:
“P2V and SLA are mutually EXCLUSIVE!”
PHYSICAL TO VIRTUAL........easy.
Why? The 3 rules of hardware computing...
1) When you get a physical machine installed and working - NEVER MOVE IT
2) When you get the software installed and working - NEVER TOUCH IT
3) When you “touch it”, don’t tell anyone.
22. So...I am highlighting 2 issues in securing your assets in the cloud
Even if using a cloud...it needs to be YOUR infrastructure in YOUR control
Working from a “bill of materials” approach is the only way to safely survive the clone wars
23. YOUR infrastructure in YOUR control in the clouds
Use an “overlay network” that you acquire, configure, deploy and manage.
Enterprise IT is about checks, balances, and risk mitigation.
24. Use an overlay network
CONTROL:
- Your addressing
- Your topology
- Your protocols
- Your secure communications
25. I have software that REQUIRES multicast for service discovery
This is true of many enterprise software packages (grid computing packages, database clusters, wikis and more).
Even inside the enterprise, complexity and lead times prevent shared use of available resources in disparate customer-controlled data centers, because VLAN reconfiguration would be too expensive.
VPN-Cubed allows you to get the multicast traffic into the overlay network before it is rejected by the underlying network infrastructure. This gives you control of your protocols.
26. I want to control my own network addresses
I am an early adopter of cloud computing and love the flexibility provided by a public cloud like Amazon EC2, but I want to control my own network addresses, not be given some different set of VLAN addresses when I reboot my servers.
VPN-Cubed gives you control of your addressing, allowing you to give your cloud servers static addresses that only change when YOU want them to. Local infrastructure control of addressing in the public clouds!
27. Can’t I use my existing data center NOC?
I have completed some of my “datacenter to cloud” migrations but am now under pressure to use new monitoring and management tools. Can’t I use my existing datacenter NOC (network operations center)?
VPN-Cubed allows you to simply set up an overlay network for the express purpose of connecting cloud VLANs (at EC2 for example) to data center management installations using popular commercial systems like Tivoli, Unicenter and OpenView, as well as leading open source systems like Nagios, Hyperic and GroundWorks.
28. I want to use EC2 USA and EC2 Europe for both failover and data privacy issues
I am a cloud early adopter and I want to use both Amazon EC2 USA and Amazon EC2 Europe for both failover and data privacy issues. How can I securely link the two environments and treat them as one logical network?
VPN-Cubed does this “out of the box” with a pre-packaged solution, “VPN-Cubed for EC2”, available for self-service clients as well as those needing some professional services support.
29. Isn’t there a way I can test ISV solutions as if on my local network?
I have an ISV who has a solution which I would like to evaluate, but it will be quite disruptive for me to install. Can’t I test their solution as if it was on my local network?
VPN-Cubed allows your ISV to install their solution as a virtual server in a public cloud like EC2, yet make it available to a DMZ or a particular set of VLANs in your corporate environment.
The burden of testing the ISV solution should rest with your vendor, with minimal impact or workload on your team.
30. YOUR infrastructure in YOUR control in the clouds
Enterprise IT is about checks, balances, and risk mitigation.
31. With a BOM approach:
- Identity
- Customization
- Provenance
This is an EC2 server... right?
Look again... (Bill of Materials)
32. With a BOM approach:
Bill of Materials
Re-master device:
- new cloud
- new VM type
- new OS
Make clones with unique IDs, unique MAC addresses
It’s the BOM!
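Slides 31 and 32 describe the BOM approach as identity, customization and provenance. The following Python sketch is added here to show what that looks like as data; it is not CohesiveFT's code, and the image name, component names, versions and digests are constructed for the example: a bill of materials with per-component digests, a clone stamped with its own ID and a locally-administered MAC, and a check that reports drift between what runs on a clone and what its BOM says should be there.

```python
import hashlib
import json
import uuid

def component_digest(label: str) -> str:
    # Placeholder digests for this constructed BOM; a real BOM carries package hashes.
    return hashlib.sha256(label.encode()).hexdigest()

# Constructed bill of materials for one master image: every component and its digest.
IMAGE_BOM = {
    "image_name": "app-server-master",
    "components": [
        {"name": "os", "version": "1.0", "sha256": component_digest("os:1.0")},
        {"name": "runtime", "version": "2.1", "sha256": component_digest("runtime:2.1")},
        {"name": "app", "version": "3.4", "sha256": component_digest("app:3.4")},
    ],
}

def bom_fingerprint(bom: dict) -> str:
    """Provenance: one stable digest over the canonical (sorted, compact) BOM."""
    canonical = json.dumps(bom, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def unique_mac(clone_id: uuid.UUID) -> str:
    """Identity: derive a locally-administered, unicast MAC from the clone's UUID."""
    b = bytearray(clone_id.bytes[:6])
    b[0] = (b[0] | 0x02) & 0xFE  # set the locally-administered bit, clear the multicast bit
    return ":".join(f"{x:02x}" for x in b)

def make_clone(bom: dict, cloud: str, vm_type: str) -> dict:
    """Customization: re-master for a target cloud/VM type and stamp a fresh identity."""
    clone_id = uuid.uuid4()
    return {"clone_id": str(clone_id), "mac": unique_mac(clone_id), "cloud": cloud,
            "vm_type": vm_type, "bom_fingerprint": bom_fingerprint(bom)}

def verify_clone(clone: dict, bom: dict, observed: dict) -> list:
    """Compare components observed on a running clone with its BOM; return drift findings."""
    findings = []
    if clone["bom_fingerprint"] != bom_fingerprint(bom):
        findings.append("bom fingerprint mismatch: image lineage unknown")
    expected = {c["name"]: c["sha256"] for c in bom["components"]}
    for name, digest in expected.items():
        if observed.get(name) != digest:
            findings.append(f"component drift: {name}")
    for name in observed:
        if name not in expected:
            findings.append(f"undocumented component: {name}")
    return findings
```

Two clones made from the same BOM share a fingerprint (same lineage) but never share an ID or MAC, and an extra or altered component on a running clone shows up as a finding instead of silently propagating to the next clone.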
33. <a little overlay network demo>
or
<a little BOM demo>
or
<let’s take some questions>