Hybrid Cloud & the Enterprise
This document discusses how enterprises are extending their infrastructure into the cloud using hybrid cloud solutions. It provides examples of how various companies such as Shell, S&P Capital IQ, and Lionsgate are using Amazon Web Services (AWS) to augment their on-premises infrastructure. The presentation discusses how AWS enables hybrid environments through services like Virtual Private Clouds and identity and access management. It also discusses how enterprises can achieve security, control and governance when building hybrid cloud solutions with AWS and enterprise management platforms from partners like BMC.
Extending Hybrid Infrastructure into the Cloud
1. Extending the Enterprise into the Cloud - Hybrid Infrastructure & Security Management
Seoul, Korea, COEX Convention Centre, 24th October 2013
2. Hybrid Cloud & the Enterprise
Anthony Russell, Technology Partner Manager – Amazon Web Services (APAC)
3. How customers are using hybrid infrastructure
• Augment on-premises resources with cloud capacity
• Migrate existing apps & data to the cloud
• Build new apps, sites, services & lines of business
4. Shell uses AWS to Develop Software Faster and Cheaper
(Diagram: Core Development Team augmented with Extra Development Resources, a Contractor Team and a Remote Team)
5. S&P Capital IQ Uses AWS for Big Data Processing
• Provides data to 4200+ top global investment firms
• Launched Hadoop faster, learned Hadoop faster
(Diagram: data in S3 feeding a Hadoop Cluster)
6. Shaw Media uses AWS for Disaster Recovery
Before: primary site only. After: primary site plus an AWS Disaster Recovery Site.
• Saved $1.8 Million in second site costs
• Snapshots for granular rollbacks
7. Lionsgate uses AWS To host SharePoint & SAP
• Amazon VPC
• Avoided data center build out
• 50% lower cost than hosting options
• Saved $1M over 3 years
8. How AWS enables the hybrid environment
(Diagram of the AWS platform stack: Deployment & Administration; Application Services; Compute, Storage, Database, Networking; AWS Global Infrastructure)
9. How you can extend your own on-premise environments into the AWS Cloud?
Your Data Centers → AWS Cloud:
• Active Directory → Users & Access Rules
• VMware Images → VM Import/Export
• Your networks → Virtual Private Network
• Your Data → Cloud Storage
• Your Apps → Your Cloud Apps
10. Extending the power of existing applications with AWS
(Diagram: App 1, App 2, App 3 … App N in Your Data Centers connect into a VPC offering Compute, Hadoop clusters, Analytics, Data Warehouses, Backup, and Storage and archives)
11. Enterprise management & security objectives
1. Secure and robust infrastructure
2. Control access and authorisation
3. Keep track of assets and configuration
4. Governance across everything
12. AWS supports your enterprise Cloud based security objectives
• AWS Direct Connect – private connectivity between AWS and your datacenter
• Amazon VPC – private, isolated section of the AWS Cloud with VPN connectivity
• AWS IAM (Identity & Access Mgmt) – manage users, groups & permissions
• AWS CloudFormation – templates to deploy & manage
(Diagram: Web App, Enterprise App and Database deployed in the VPC)
13. Enterprise management & security objectives
1. Secure and robust infrastructure
2. Control access and authorisation
3. Keep track of assets and configuration
4. Governance across everything
14. AWS offers global reach and high-availability
Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)
15. The AWS platform has strong security foundations
• SOC 1 (SSAE 16 & ISAE 3402) Type II Audit (was SAS70)
• SOC 2 Type 1 Audit
• ISO 27001 Certification
• Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service Provider
• FedRAMP (FISMA), ITAR, FIPS 140-2
• Cloud Security Alliance Questionnaire
• MPAA (best practices for storage, processing, delivery)
(Diagram: Foundation Services – Compute, Storage, Database, Networking; AWS Global Infrastructure – Regions, Availability Zones, Edge Locations)
16. Security is a shared responsibility with AWS
AWS: Facilities, Physical security, Compute infrastructure, Storage infrastructure, Network infrastructure, Virtualization layer (EC2), Hardened service endpoints, Rich IAM capabilities
+ Customer: Network configuration, Security groups, OS firewalls, Operating systems, Applications, Proper service configuration, AuthN & acct management, Authorization policies
= Security scope for customers is reduced
Take advantage of high levels of uniformity and automation to enhance security posture when moving into the cloud
17. AWS Partners help customers deploy & enhance their own controls
AWS foundations: Facilities, Physical security, Compute infrastructure, Storage infrastructure, Network infrastructure, Virtualization layer (EC2), Hardened service endpoints, Rich IAM capabilities
+ AWS Partner Solutions
= Managed, secure hybrid customer solutions
AWS Partners build on AWS strong foundations to complete the enterprise security solution
20. Connect over industry-standard IPSEC VPN
(Diagram: a router in the Data center and a router in the AWS Cloud, connected across the Internet by an IPSec tunnel via statically-routed or dynamically-routed (BGP) VPN)
21. Connect in private with AWS Direct Connect
(Diagram: Data center → AWS Direct Connect Location → AWS Cloud; Amazon Partner Network suppliers can hook up the last leg)
Direct Connect locations: New York, Los Angeles, Washington DC, San Jose, Singapore, Tokyo, London Docklands, Sao Paulo, Sydney
22. Building a secure hybrid environment with the AWS Virtual Private Cloud
23. The AWS Virtual Private Cloud
• VPC spans an AWS region
– Customer chooses what geography their content resides in
• Customer chooses their own private IP address range
• Split the VPC into multiple internal public and private network segments
• Retain full control over routing
(Diagram: VPC A - 10.0.0.0/16 within a Region, with a Router and Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 each in its own Availability Zone)
24. Security Groups and Network Access Control Lists
• AWS Security Groups
– Stateful ingress and egress firewall rules
– Granular – firewalls for every host in the VPC
• Network Access Control Lists
– Stateless network filter controls
– Offer defence in depth over security groups
• Duties can be controlled and segregated
(Diagram: VPC A - 10.0.0.0/16 within a Region, with a Router and Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 each in its own Availability Zone)
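The stateful/stateless distinction on this slide is where VPC designs most often go wrong in practice, so here is an added example (not from the presentation, and not AWS code) that models how a security group and a network ACL each judge the same three packets inside VPC A; the hosts, ports, rule numbers and the deliberately over-permissive security group are constructed for the demonstration.

```python
# Added example, not from the presentation: a small model of how an AWS
# security group (stateful) and a network ACL (stateless) evaluate traffic
# inside VPC A (10.0.0.0/16, subnets 10.0.1.0/24 and 10.0.2.0/24). Hosts,
# ports and rule numbers below are constructed for the demonstration.
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    egress: bool  # True for traffic leaving the protected host/subnet


class SecurityGroup:
    """Stateful, allow-only rules: a reply to a tracked flow is permitted
    even when no rule matches it, as with an EC2 security group."""

    def __init__(self, ingress, egress):
        self.ingress = ingress  # list of (cidr, port)
        self.egress = egress    # left empty below to show the stateful path
        self.flows = set()      # connection-tracking table

    def allows(self, p: Packet) -> bool:
        rules = self.egress if p.egress else self.ingress
        peer = p.dst if p.egress else p.src
        if any(ip_address(peer) in ip_network(c) and p.dport == port
               for c, port in rules):
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.flows


class NetworkAcl:
    """Stateless, numbered allow/deny rules evaluated in ascending order;
    first match wins and the trailing '*' rule is an implicit deny."""

    def __init__(self, entries):
        # entry: (rule_number, egress, cidr, from_port, to_port, action)
        self.entries = sorted(entries)

    def allows(self, p: Packet) -> bool:
        peer = p.dst if p.egress else p.src
        for _, egress, cidr, lo, hi, action in self.entries:
            if (egress == p.egress and ip_address(peer) in ip_network(cidr)
                    and lo <= p.dport <= hi):
                return action == "allow"
        return False


def demo(with_ephemeral_rule: bool) -> dict:
    """Both layers must allow a packet (defence in depth); verdict per packet."""
    # Over-permissive group: SSH was also opened to the whole VPC by mistake.
    web_sg = SecurityGroup(ingress=[("10.0.0.0/16", 443), ("10.0.0.0/16", 22)],
                           egress=[])
    entries = [(100, False, "10.0.0.0/16", 443, 443, "allow"),
               (200, False, "0.0.0.0/0", 22, 22, "deny")]  # subnet-wide SSH block
    if with_ephemeral_rule:
        # Stateless filter: replies to ephemeral client ports need their own rule.
        entries.append((100, True, "10.0.0.0/16", 1024, 65535, "allow"))
    acl = NetworkAcl(entries)
    packets = {
        "request": Packet("10.0.2.5", "10.0.1.10", 51000, 443, egress=False),
        "reply": Packet("10.0.1.10", "10.0.2.5", 443, 51000, egress=True),
        "ssh": Packet("10.0.2.5", "10.0.1.10", 51001, 22, egress=False),
    }
    return {n: web_sg.allows(p) and acl.allows(p) for n, p in packets.items()}
```

Without the egress rule for ports 1024-65535 the HTTPS reply is dropped by the ACL even though the security group would have let it through, while the mistakenly opened SSH port is still blocked subnet-wide by the ACL's deny rule.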
25. External VPC connectivity can be private or public
• Customers are in full control of VPC external connectivity
• Internet connectivity is optional and disabled by default
• Connect privately to on-premise systems over VPN or direct connect
(Diagram: VPC A - 10.0.0.0/16 within a Region, with a Router and Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 in separate Availability Zones; an Internet Gateway connects to the Internet and a Customer Gateway connects to on-premise data centres)
26. Partners build on top of the strong AWS baseline
• Customers remain in control to implement their own security controls on top of the AWS environment
• Trend Deep Security is a leading partner solution for host protection on the AWS environment in addition to intrusion detection & protection services
• BMC integrate on-premise and cloud management and monitoring to provide a single pane of control for your hybrid IT solutions
(Diagram: VPC A - 10.0.0.0/16 within a Region, with a Router and Subnet 10.0.1.0/24 and Subnet 10.0.2.0/24 each in its own Availability Zone)
27. Enterprise management & security objectives
1. Secure and robust infrastructure
2. Control access and authorisation
3. Keep track of assets and configuration
4. Governance across everything
28. Get fine-grained control of the cloud environment
AWS IAM enables you to securely control access to AWS services and resources
• Fine grained control of user permissions, resources and actions
• Configure users, groups, roles
• Several multi factor authentication options
– Hardware token or smartphone apps
• Create a private AWS console URL (http://aws.yourcompany.com)
29. Enterprise management & security objectives
1. Secure and robust infrastructure
2. Control access and authorisation
3. Keep track of assets and configuration
4. Governance across everything
30. Using CloudFormation to deploy AWS configurations
Template (configuration files) → CloudFormation (framework) → Stack (configured AWS services)
Data centre configurations can be treated as version controlled configurations
• Stack creation
• Comprehensive service support
• Stack updates
• Service event aware
• Error detection and rollback
• Customisable
31. Enterprise management & security objectives
1. Secure and robust infrastructure
2. Control access and authorisation
3. Keep track of assets and configuration
4. Governance across everything
32. AWS governance augments existing processes …
Your Data Centers (Your compute, Your configurations, Your network, Your storage, Your On-Premises Apps) } Existing governance processes
VPC (AWS compute, AWS configurations, AWS network, AWS Storage, Your Cloud Apps) } AWS governance enablers
(Diagram: the two environments are linked by Direct Connect)
33. … to give our customers governance over everything
• Governance processes: Roles and responsibilities, Configuration management, Financial controls, Monitoring and reporting
• Secure processing, storage and transmission: Network security, Access control, Identity and authorisation
• Visibility across the complete hybrid environment
(Diagram label: Your Data Centers)
34. Trusted Advisor offers further governance review
• Online service from AWS Support
– Analyzes account for various kinds of issues and possible concerns
– Soon available as an API for integration with your tools or 3rd party solutions
• Four categories:
– Cost savings
– Security
– Fault tolerance
– Performance
35. AWS Partners Complete the Picture
AWS foundations: Facilities, Physical security, Compute infrastructure, Storage infrastructure, Network infrastructure, Virtualization layer (EC2), Hardened service endpoints, Rich IAM capabilities
+ AWS Partner Solutions
= Secure hybrid environments
AWS Partners build on AWS strong foundations to complete the enterprise security solution
38. REVOLUTION ONE
The front end – how services are consumed
• It's Mobile
• It's Social
• Expectations of IT have changed
The Consumerization of IT
39. REVOLUTION TWO
The back end – how services are delivered
• Pay as you use
• Scale up, scale down
• Always on
• Immediately available
Making IT fast, flexible and personal
(Diagram: Physical → Virtual → IaaS / PaaS / SaaS)
40. Cloud is transforming the way we deliver IT
The rise of the IT BROKER
(Diagram: The Business → IT / Cloud Management Platform → Private Cloud, Public Cloud, SaaS, PaaS, IaaS, Legacy Apps)
41. Enterprise Hybrid Cloud is the Future
Reality: Public Clouds, Internal Private Clouds, Virtual Private Clouds, Dedicated Infrastructure
42. Why Enterprises are Embracing Cloud Computing
• Accelerate business
• Accelerate IT velocity
• Improve IT efficiency and effectiveness
• Enable innovation
• Enable alternative sourcing models based on economic, service level and compliance requirements
• Response to demand for “consumerisation”
43. Cloud Spending Is On The Rise In 2013-2014
Public Cloud Spending 2013-2014 (Gartner/IDC):
• 60% of Fortune 1000’s will increase current public cloud spend
• Spend on public cloud services will grow 18% in 2013-2014
• $131B in 2013 - $180B expected by 2015!
44. The cloud-enabled enterprise will be an agile, fierce competitor
Current → Future
• Fixed Costs → ‘Pay by the Drink’
• Cumbersome → Responsive
• Capital Intensive → Capital Light
• High Maintenance and Run Costs → 40%+ Lower Maintenance and Run Costs
• Security Issues → Managed Security
• Business Lagging → Business Leading
• Outdated → New Technologies
The Agile Enterprise
…Cloud is the “on-ramp” to the Agile Enterprise
45. The Goals of a Hybrid IT Environment
• A seamless end-user experience regardless of how a service is provisioned
• Present users with a single unified request portal
• Instantly deploy complete multi-tier applications
• Seamlessly incorporate Public Cloud providers into IT architecture
• Integrate with change and configuration management
• Maintain Security and Compliance across all available resource sets
• Optimize CapEx and OpEx to meet business goals
• While automation is key, the governance, people and process change is most significant
Single Pane of Glass
48. How do I make this work?
How do you empower users with self-service, implement cost effective sourcing strategies while maintaining Control and Governance…
• What is the impact of implementing a Hybrid environment with no change management?
• What is the impact of implementing manual process to control my cloud?
49. Impact of Control & Governance for Cloud
(Table comparing No Control & Governance, Manual Control & Governance, and an Automated Cloud Management Platform across Speed, Cost, Control and Service Quality)
51. BMC and Amazon Web Services join forces to deliver Managed Hybrid computing environments
On Premise Resources + Amazon EC2, Amazon Elastic Block Storage, Amazon Virtual Private Cloud
Unified Management of the Hybrid Cloud:
• Self Service Management
• Service Management
– Seamless provisioning
– Integrated Service Catalogue
• Service Governance and control
• Ongoing performance optimization
• Monitoring and Analytics
55. Single, Unified User Request
BMC Cloud Lifecycle Management – Provide AWS Service Options
56. Automated provisioning of cloud services
Provision complete cloud services with Post Deployment actions – “No one wants an empty iPad”
From hardware… …to fully configured services
• Infrastructure: Physical machines, Virtual machines, Physical or virtual networks, Operating Systems
• Platforms: LAMP/WAMP, IBM Websphere, Microsoft SQL & .NET, Oracle Databases, Tibco
• Applications: Exchange, Sharepoint, COTS, Custom Web Apps, SAP / Oracle / etc
Monitoring, compliance, configuration management
Deliver a broad range of complete cloud services (With PDA)
57. OS/MW/RTE Content available – roadmap
(Table with columns Aug 2013, Nov 2013, Feb 2014 and rows Portal, Web, Mid Tier, DB Tier, Enterprise, Virtual, NXT GEN; entries include Microsoft IIS 7.x, Microsoft IIS 8.x, MYSQL SE/EE, MYSQL CCE, SQL 2K8R2, SQL 2K12, Liferay Portal 6.x, GWS, WAS 7.x, WAS 8.x, JBoss AS 7.1, WildFly 8, 5.6, vFabric tc Server, Oracle 11g, Oracle 11g RAC, RH 5.8, RH 6.2, W2K8R2, W2K12, Apache http 2.4, Gitlab, HANA, Gitorious, WAPP, LAPP, APACHE ZOOKEEPER, ownCloud, Alfresco CMS)
62. Integrated and Automated Change Control
Change Management
1. Simple integration to IT release processes (e.g. standard change request to deploy a new cloud service)
2. Agile, automated change management (e.g. pre-approved change request to increase capacity)
3. “Embedded” change, patch, and incident processes (e.g. drift mgmt, audit logging)
4. Enterprise Governance and Compliance (e.g. IT change policy adherence through automation)
64. BMC Software - AWS Resource Management capability
Amazon Web Services
• Fully Automated provisioning to AWS and support for provision, decommission, extend, start, stop, modify CPU/RAM
• Full support for AWS VPC
• Support for multiple regions and AZs
• Multiple account management for AWS
• Layered software deployments on top of AMIs
• OOTB Content to create unique & “safe” MI’s
• Clone AMIs associated with EBS
• Specify AWS security groups
• Support for Elastic IPs
66. Visibility of current and forecasted cloud capacity
BMC Cloud Operations Management
• Monitor capacity utilization across data centers, private and public cloud infrastructures. Alert on upcoming saturation
• Perform what-if analysis for: expected growth rates, unanticipated usage spikes, changes to existing services
• Provide foundation for continued investment with utilization data by cloud service and users
Prepare for cloud capacity demands and optimize investment decisions
67. Real-time insight on health with cloud panorama
BMC Cloud Operations Management
• Identify performance issues
• Determine impacted users and organizations
• Isolate root cause
• Trigger automated repair
Prioritize and resolve issues based on service levels and business priorities
68. Automated chargeback reporting for the business
BMC Cloud Lifecycle Management records pricing in customer contract
BMC Capacity Optimization:
• measures usage
• reads service contract
• calculates costs
• produces reports by tenant and service level
Accurately measure and charge for cloud resource consumption
70. The Power of BMC - Pearson
50% Reduction in Global Time to Provision
71. With both BMC Software and AWS, IT can deliver the benefits of Cloud
Across both on-premise and AWS cloud services:
• Reduce up-front capital expenditures while managing existing IT
– Reduce operational expenditure by automating repeatable tasks.
– Centralise cost reporting of Hybrid IT environment.
• Provision (IAAS, SAAS, PAAS), configured application stacks automatically
• Ensure reliable cloud service performance for all users and services
• Deliver role-based access through a business-friendly self-service portal in BMC Cloud Lifecycle Management
• Ensure appropriate automated or manual change approval
• Maintain configurations and compliance rules
• Unify operations management for hybrid IT
Unified Management of Hybrid Environments
72. SAFE CHOICE: A Mainstream Business for BMC
BMC Cloud Lifecycle Management Customers: Telco Clouds, Service Provider Clouds, Private Clouds
75. The Global Growth of Cloud Computing
Copyright 2013 Trend Micro Inc.
76. Source: Cloud Readiness Index 2012, Asia Cloud Computing Association
77. Enterprises and the Cloud …
• Security & compliance are top priorities for enterprise-wide adoption of the cloud
• Are cloud security needs that different than on-premise?
– Cloud introduces the concept of shared responsibility for securing their services and applications running in the cloud
• Security is not the only inhibitor …
– Many organizations are reluctant to change status quo
• Fear of the unknown
• Cloud concepts & terminology intimidating
• IT job loss concerns
• Dramatic change from a process & operations perspective …
• Not sure how/where to get started …
79. Consumer of Cloud Services Responsibilities
• Consumers of cloud services are responsible for
– Security of the VMs/Instances (OS & Applications)
– Ensuring SLAs are maintained
– Ultimately it boils down to protecting your instances from compromise, the integrity of the applications and privacy of data in the cloud…
• How do you protect AWS instances?
– Traditional network appliances are not feasible
• On-premise controls rely on physical network access
– Agent based host security controls required
80. Need to Secure the Complete Journey to the Cloud
The AWS Shared Responsibility Model
Customer Domain: Enterprise Applications, Enterprise Operating Systems, OS Security, Application Security, OS Firewalls, Anti-Virus, Integrity Monitoring, Storage Encryption (with the Partner Eco-System)
AWS Domain: Facilities, Physical Security, Physical Infrastructure, Virtualized Infrastructure
82. Security Considerations in the Cloud
Instance Awareness
• Knowing that the instance is IN THE CLOUD
• Understanding where the instance ‘lives’ and what its identity is
• What security policies need to be applied?
83. Security Considerations in the Cloud
Scale & Automation
• Next generation applications will be elastic by nature
• Security also needs to be elastic
• All components, including security, need to work in concert to be effective
84. Security Considerations in the Cloud
Complexity
• Supporting large scale, distributed and even distinct cloud environments
• Provides mitigation to ever-increasing vulnerabilities for applications & operating systems
• Security to ensure confidentiality & integrity of data stored in cloud environment
85. Security Considerations in the Cloud
Data Access & Governance
• How do I ensure my data confidentiality & integrity?
• Adopt necessary technology control to meet data privacy
86. Security Considerations in the Cloud
Security principles don’t change
Security policies don’t change
Implementation & management change
Extend your current security policy to the Cloud
88. Cloud Security: Shared Responsibility
What type of instance security controls are required?
The Need – Preferred Security Control
• Data confidentiality – Encryption
• Block malicious software – Anti-Malware
• Detect & track vulnerabilities – Vulnerability scanning services
• Control server communications – Host-firewalls
• Detect suspicious activity – Intrusion Prevention
• Detect unauthorized changes – File Integrity Monitoring
• Block OS & App vulnerabilities – Patch & Virtual Patching
• Data monitoring & compliance – Data Leakage Prevention
89. Trend Micro Deep Security for AWS
Next Generation Security for Hybrid Datacenter
• Virtual Patching (IDS/IPS), via Deep Packet Inspection – Provide vulnerability shielding to known & zero-day vulnerabilities
• Web Application Protection, via Deep Packet Inspection – Defend against SQL injection attacks, cross-site scripting attacks & other web application vulnerabilities
• Application Control, via Deep Packet Inspection – Increased visibility into, or control over, applications accessing the network
• Anti-Virus – Leading Anti-Malware for Virtualization & Cloud
• Firewall – Reduces attack surface. Prevents DoS & detects reconnaissance scans
• Log Inspection – Optimizes the identification of important security events buried in log entries
• Integrity Monitoring – Monitors critical operating system and application files for unexpected changes
Hybrid Datacenter: Physical, Virtual, Private Cloud, Public Cloud
90. Gartner Server Security Strategy
Gartner capability (from Gartner paper, in decreasing order of importance): Trend Micro Deep Security capabilities
• Security configuration mgmt.: Yes
• Patch mgmt.: Yes (with Virtual Patching)
• Application control: Yes
• File Integrity Monitoring (FIM): Yes
• Antimalware (file servers): Yes
• Deep Packet Inspection based HIPS: Yes
• Antimalware (Windows): Yes
• Behavioural HIPS: Yes
• Application firewalling: Yes
• Traditional host based firewall: Yes
• Device control: -
• Full drive encryption: Yes, with Trend Micro SecureCloud
• Removable device encryption: -
91. Trend Micro Deep Security as a Service*
(Diagram: Deep Security as a Service Manager Service providing protection for AWS instances)
*Available in North America now, APAC in 2014.
93. Which Deep Security version is for you?
Buy Deep Security Software
• Datacenter security requirements
• Hybrid cloud environments
• Prefer to run Deep Security Managers themselves
• Require a solution now
Buy Deep Security as a Service
• AWS only security requirement
• Prefer utility charging model
• Want the convenience of a SaaS
• Available in North America now, APAC in 2014
94. Trend Micro SecureCloud for AWS
Securing and Controlling Sensitive Data in the Cloud
Encryption with Policy-based Key Management for sensitive data such as Credit Card Payment Information, Patient Medical Records, Social Security Numbers and Sensitive Research Results
• Unreadable for unauthorized users
• Control of when and where data is accessed
• Server validation
• Custody of keys
Encrypt throughout your cloud journey — data protection for physical, virtual & cloud environments
95. Trend Micro SecureCloud for AWS
Protection for data in the cloud – automated encryption and key management
Solution that helps you protect the privacy of data in AWS, making sure that only authorized servers can access encryption keys.
Trend Micro’s highly automated data protection approach safely delivers encryption keys to valid devices without the need for you to deploy an entire file system and management infrastructure
Key benefits:
• Policy-Based Key Management
• Enterprise-Controlled Encryption and Key Management
• Standard Protocols and Advanced Encryption
• Authentication
• Logging, Reporting, and Auditing
• Separation of duties
96. Why Trend Micro for AWS?
• Amazon Advanced Technology Partner
• Deep Security is Common Criteria EAL 4+
• #1 in Server Security (2012 IDC – Worldwide Endpoint Security Revenue Share by Vendor, 2011)
• #1 in Virtualization Security (2011 Technavio – Global Virtualization Security Management Solutions)
• #1 in Cloud Security (2012 Technavio – Global Security World Market)
• 1st & only security that extends from enterprise datacenter to cloud
• Optimized for AWS