Securing Enterprise Assets In The Cloud

Copyright CohesiveFT 2009

Cohesive Flexible Technologies

Controlling and Securing Your Assets in the Cloud

Chris Purrington, CohesiveFT

1

Copyright CohesiveFT 2009 2

CohesiveFT - on boarding solutions for public, private and hybrid clouds

Team looks like this

20 Cloud Computing Startups You Should Know

keynote:/PJK%20Workspace/CFT%20Shared%20Source/CFT%20Shared%20-%20DROP%20BOX%20(for%20file%20transfer)/PJK%20Work%20in%20Progress/VC%20Intro%20Pats6%20for%20Webex.key?id=BGSlide-55




CohesiveFT - on boarding solutions for public, private and hybrid clouds

We do this





The cloud is not a panacea for bad design. But moving applications to the cloud can quickly

reduce capital expenditure, speed time to market.





?

? ?

?

? ?

5

??

?

?

??

The first question on everyone’s mind: Is my stuff safe up there?





Security and control remain top concerns





Use “your father’s VPN”





Typical VPN: Remote office access

8





XX

X

XX

Typical VPN: Remote office access

9




confidential 10

Uhhh...no.

Typical VPN does not provide high availability,overlapping address spaces, multi-site routing, etc..

But an overlay network can.




confidential 11

I will be robust and secure usingcloud-to-cloud DR





Cloud A

Do x-cloud fail over...somehow....

12





Cloud A

Somehow...

13





Cloud A

Do this! (somehow)

Cloud B

14




confidential 15

(somehow)When you put your assets in a cloud you

surrender CONTROL of addressing, protocols, topology, and secure communications.

But an overlay network gives back CONTROL.





Speaking of security...

What’s inside this VM?





Speaking of security...

What’s inside this VM?





Speaking of security...What’s inside this VM?

I know, let’s ask him...Picture from: www.sysadminday.com




http://www.sysadminday.com



Speaking of security...What’s inside this VM?

...or him.Picture from: www.sysadminday.com







Server “assembly” costs are THE Enterprise IT cost

20-year journey from single file deployment to homogenous architecture (the “C” program on Unix) to single file deployment on heterogeneous architecture (the VM to everywhere)

As such - assembly error and propagation represents one of the biggest security risks as well

Photo credit: Zach Rosing, May 25, 2007,





Do you have evil clones?

Good clones?

There is going to be a lot of them.

Run the numbers...

10,000,000 - today250,000,000 - 20152,500,000,000 - is not impossible

Photo credit: Paramount





“P2V and SLA are mutually EXCLUSIVE!”

Why? The 3 rules of hardware computing...

1) When you get a physical machine installed and working - NEVER MOVE IT2) When you get the software installed and working - NEVER TOUCH IT3) When you “touch it”, don’t tell anyone.

PHYSICAL TO VIRTUAL........easy.

Ahh...you will use P2V(somehow)





So...I am highlighting 2 issues in securing your assets in the cloud

23

Even if using a cloud...it needs to be YOUR infrastructure in

YOUR control

Working from a “bill of materials” approach is the only way to safely

survive the clone wars





YOUR infrastructure in YOUR control in the clouds

24

Use an “overlay network”that you acquire, configure,

deploy and manage.

Enterprise IT is about checks, balances, and risk mitigation.





An overlay network is a computer network which is built on top of another network.

Nodes in the overlay can be thought of as being connected by virtual or logical links, each of

which corresponds to a path, perhaps through many physical links, in the underlying network.

What is an overlay network?





Use an overlay network

CONTROL:- Your addressing- Your topology- Your protocols- Your secure communications





I have software that REQUIRES multicast for service discovery

This is true of many enterprise software packages (grid computing packages, database clusters, wikis and more).

Even inside the enterprise complexity and lead times prevent shared use of available resources in disparate customer controlled data centers because VLAN reconfiguration would be too expensive.

VPN-Cubed allows you to get the multicast traffic into the overlay network before it is rejected by the underlying network infrastructure. This allows you control of your protocols.





I want to control my own network addresses

I am an early adopter of cloud computing and love the flexibility provided by public cloud like Amazon EC2 but I want to control my own network addresses, not be given some different set of VLAN addresses when I reboot my servers.

VPN-Cubed gives you control of your addressing allowing you to give your cloud servers static addresses that only change when YOU want them to. Local infrastructure control of addressing in the public clouds!





Can’t I use my existing data center NOC?

I have completed some of my “datacenter to cloud” migrations but am now under pressure to use new monitoring and management tools. Can’t I use my existing datacenter NOC (network operations center)?

VPN-Cubed allows you to simply set up an overlay network for the express purpose of connecting cloud VLANS (at EC2 for example) to data center management installations using popular commercial systems like Tivoli, Unicenter, OpenView, as well as leading open source systems like Nagios, Hyperic and GroundWorks.





I want to use EC2 USA and EC2 Europe for both fail over and data privacy issues

I am a cloud early adopter and I want to use both Amazon EC2 USA and Amazon EC2 Europe for both fail over and data privacy issues. How can I securely link the two environments and treat them as one logical network?

VPN-Cubed does this “out of the box” with a pre-packaged solution “VPN-Cubed for EC2” available for self-service clients as well as those needing some professional services support.





Isn’t there a way I can test ISV solutions as if on my local network?

I have an ISV who has a solution which I would like to evaluate but it will be quite disruptive for me to install. Can’t I can test their solution as if it was on my local network?

VPN-Cubed allows your ISV to install their solution as a virtual server in a public cloud like EC2, yet make it available to a DMZ or particular set of VLANs in your corporate environment.

The burden of testing the ISV solution should rest with your vendor with minimal impact or workload on your team.





Cloud AData Center

Customers AddressingCustomer EncryptionCustomer Multicast

Internet, leased or private network

Virtual ServersVPN-Cubed Managerscreate an

overlay network.

VPN-Cubed Managers synchronize state and management information across N managers

VPN-Cubed Overlay Network





-VPN-Cubed for EC2 (Free)

-VPN-Cubed for EC2 (Paid AMIs)

-VPN-Cubed: Datacenter to EC2

-VPN-Cubed: Datacenter to EC2 (IPsec)

-VPN-Cubed: Enterprise Edition

VPN-Cubed Edtions





EC2EU

Peers

EC2USA

Peers OR EC2USA

OR

EC2EU

Peers

VPN-Cubed for EC2 (Free Edition) Build an overlay network controlled by VPN-Cubed Managers in US and/or EU





VPN-Cubed for EC2 (Paid AMIs) Build an overlay network controlled by 4 managers in US and/or EU regions

35

EC2USA

EC2EU

Peers

Peers





VPN-Cubed: Datacenter to EC2 Run an overlay network using Manager pairs in EC2 region and your data center

36

WHAT IS DIFFERENT?The local VPN-Cubed Managers will need to be assembled in a virtual machine format you can support.

You WILL need to allow the Managers in your data center to initiate outbound connections.

You MIGHT want to allow the Managers in EC2 to initiate inbound connections to the local managers, if so you LIKELY will have to make some NAT entries in your network control equipment.

You SHOULD put the VPN-Cubed Managers in a VLAN setup where you are comfortable with what traffic can and cannot traverse to and from your EC2 VLAN.

EC2EUor

EC2USA

Peers

Peers

YourData

Center





VPN-Cubed: Datacenter to EC2 (IPSEC) Overlay network created via Manager pairs in EC2 and your data center equipmentt

37

WHAT IS DIFFERENT?There are no local VPN-Cubed Managers.

Your data center extranet solution (Cisco ASA, Cisco Pix, Juniper Netscreen) will connect to VPN-Cubed Managers in the cloud, front-ended by VPN-Cubed IPSEC Gateways.

You MIGHT want to allow the Managers in the cloud to route traffic to your datacenter, if so you WILL have to make some routing entries in the VPN-Cubed Managers. EC2

EUor

EC2USA

Peers

YourData

Center

IPSECGateways





VPN-Cubed: Enterprise EditionComplex, multi-manager, custom topology captured as a specification

38

Evolution of use cases.As we discover different use cases we retrofit them as specification to automatically drive the user interface for peering and monitoring.

It is in incremental and ongoing process at this point of the market.




YOUR infrastructure in YOUR control in the clouds

39

THIS

Enterprise IT is about checks, balances, and risk mitigation.

or THIS





Bill of Materials

With a BOM approach:

- Identity - Customization- Provenance

This is an EC2 server...right?

Look again...


Bill of Materials

With a BOM approach:

Re-master device:- new cloud- new VM type- new OS

Make clones with unique IDs, unique MAC addresses

It the BOM!






Gives AnyoneTHEIR own

SOFTWARE FACTORY

What does Elastic Server do?





Any developer, SI, ISV, project, team, enterprise

can SOURCE THEIR own component supply chain

can CREATETHEIR own server design center

can MARKET,can MESSAGE,

can DISTRIBUTETHEIR own server product

What does Elastic Server do?




confidential

Elastic Server Platform

Server assembly like hardware

45




confidential

Build from components just like your would from HP or Dell...

46




confidential

Assemble

Allows choice at every level

- Open Source Components

- Commercial Source Components

- Proprietary Source Components

- Multiple Operating Systems

Source

47




confidential

Upload your own or your licensed ISV component

Capture Operating Instructions

AssembleCreate

48




confidential

Deploy

Rapid deployment to virtual and cloud infrastructures

Assembly portals allow precise control of enterprise architecture

Create

49




confidential

Assembly portals allow:- control of your message

- control of your brand

- control of your architecture

- control of your execution context

- control of your customer connection

- support and highlight your ecosystem

- support e-commerce integration

- support usage pattern analysis

MarketMessage

Distribute

50

confidential

Save Bill of Material as a template

- allows “remanufacturing” for patch mgmt

- allows “remanufacturing” for migrations or heterogeneous deployment

Bill of Materials

Rebuild button

Manage

51




confidential

Manage

Each Elastic Server is injected with management components to facilitate enterprise virtualization

Common device control across environments

Manage

52




confidential

Elastic Server Key Themes and Values

53

ES as a meta-packaging system

ES covers the continuum from “vm building” to an online community for teamsourcing/crowdsourcing virtual servers- Appliance Builders

- OSS ISVs

- Traditional ISVs

- Enterprises

ES as a driver of provenance, certification and standards

ES as a tool to integrate developers to the production flow

ES as an e-commerce system for marketing, messaging and distributing virtual servers

ES as a defense against vendor lock in





www.elasticsever.com

blog.elasticserver.comtwitter.com/elasticserver

www.cohesiveft.com

http://www.elasticsever.com

http://www.elasticsever.com

http://www.cohesiveft.com

http://www.cohesiveft.com


Thanks

[email protected]




mailto:[email protected]

mailto:[email protected]

Technology

Securing Enterprise Assets In The Cloud