VMware Cloud Computing

Security Within the Cloud


Dave Wright, Senior Director, Technical Services, EMEA, March 2010

Confidential
2009 VMware Inc. All rights reserved

Preparing for the Tectonic Shift

The evolution from mainframe to cloud, as charted on the slide:

Mainframe
+ Secure
+ Centralized mgmt
- Limited access
- Inflexible
- Costly

Client/Server
+ Distributed CPU utilization
+ Added flexibility
- Complex / costly to deploy & manage
- Limited efficiency
- Not secure

Web
+ Simple to deploy and manage
+ Broader access
+ Scale
- Limited flexibility
- Not secure
- Not efficient

Cloud
+ Frictionless deployment
+ Simplified mgmt thru abstraction
+ On-demand scale
+ Unparalleled flexibility
+ Secure
+ Highly efficient

"Cloud is not a destination, but a way of doing computing."
Paul Maritz, President & CEO, VMware


Virtualization & Cloud = Top Priorities for CIOs

CIO Technology     2010 Priority   2009 Priority
Virtualization
Cloud Computing
(the only ranking legible from the chart is 14)

Source: Gartner CIO study, Q4 2009

Cloud Computing Characteristics

Cloud Computing is not a destination, but a way of doing computing.

Efficiency thru Utilization and Automation
- Pooling: from machines to on-demand, highly elastic resource pools
- Zero-touch Infrastructure: policy-driven automation of provisioning, deployment and management

Agility with Control
- Self-Service: easy access with policy-based provisioning and deployment
- Control: application-aware infrastructure with built-in availability, scalability, security and performance guarantees

Freedom of Choice
- Open & Interoperable: application mobility between clouds, based on open standards
- Leverage Existing Investments: benefits of cloud computing brought to existing applications and datacenters


Cloud Brings Benefits to Both Sides


Flexible Cloud Deployment Models = Choice

Enterprises <-> Cloud Service Providers

Private Cloud: operated solely for an organization, typically within the firewall
- Low total cost of ownership
- Greater control over security, compliance, QoS
- Easier integration
- Support existing applications

Public Cloud: accessible over the Internet for general consumption
- Low acquisition costs
- Less administrative burden
- On-demand capacity
- Limited offerings

Hybrid Cloud: composition of 2 or more interoperable clouds, enabling data and application portability

VMware focus: to deliver the best of both worlds


VMware vSphere 4 Enables: The Software Mainframe

The Cloud: The Giant Computer
- 32 hosts
- 2,048 processor cores
- 1,280 virtual machines
- 3 Million IOPs
- 32TB of RAM
- 16PB of storage


Increased Scalability to handle all workloads

Resource   95% of Applications   VMware Infrastructure 3   VMware vSphere 4
CPU        1 to 2 CPUs           4 vCPUs                   8 vCPUs
Memory     < 4 GB per VM         64 GB per VM              256 GB per VM
Network    < 300 Kb/s            9 Gb/s                    30 Gb/s
IOPS       < 10,000              100,000                   350,000

[Chart: % of Applications against Applications Performance Requirements, from the 95% of applications at the low end to HPC at the high end]


VMware Cloud Infrastructure & Services

SaaS
- Core IT Services via Virtual Appliances: Zimbra, File/Print, Directory

PaaS
- SpringSource: Programming Model for the Cloud

IaaS
- Redwood: Common Service Model for Infrastructure Clouds
- vCenter: Policy-based Management & Automation
- vSphere: Computing Platform for Cloud
- View: Desktop via Cloud Infrastructure

Deployment targets
- Enterprise: Private Cloud
- vCloud Partners: VMware Virtualized Public Cloud
- Proprietary Clouds: Public Cloud

Key Challenges Of Cloud Computing


VMware vCloud Security Strategy


Security and Network solutions

- VMs and vApps: Web, Finance, Compliance, View
- Zones, Edge, VMsafe
- vCloud APIs
- VDC vService; vSphere Security & Network vServices
- VMware vSphere: Compute | Storage | Network, Cluster, vShield Manager, vCenter Server

Current VMsafe Program Partnerships


Secure Networking

Installation: Organization -> vDC 1 (vApp), vDC 2 (vApp)

Network
- A VLAN or Portgroup, plus gateway, netmask, and IP range, named and associated to a container
- A single network can be shared between multiple organizations with soft restrictions set on IP address usage
- The same network can be named differently in each container: on the slide, "foo" and "bar" (isolated), "WSnet" (fenced) and "WSnet", "Private" and "Public" mapped onto VLAN 1 and VLAN 2
- Portgroups mapped into the installation: VLAN 1, VLAN 2 (same color on the slide means the same layer 2 network)

Network Device (ND)
- Virtual appliance that isolates networks with router, NAT, and firewall functionality
- Created and configured at attachment time: create an isolated vDC, deploy fenced
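The slide's point is that a network name inside a container says nothing about isolation: two containers whose networks are backed by the same portgroup sit on one layer-2 segment, and unless a Network Device fences one of them, only the "soft" IP-range split keeps tenants apart. The following is an added example, not VMware's code or vCloud's data model; the ContainerNetwork fields, the sample installation and the two checks are assumptions built to illustrate what an operator would audit.

```python
"""Checks on vCloud-style container networks backed by installation portgroups.

Added example, not VMware's code. The ContainerNetwork fields, the sample
data and the two checks are assumptions built to illustrate the slide: the
same portgroup is the same layer-2 network whatever each container calls it,
and only a Network Device (fencing) or the soft IP-range restriction keeps
tenants that share one apart."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class ContainerNetwork:
    org: str         # organization (tenant) that owns the container
    container: str   # vDC or vApp the network is attached to
    name: str        # name the network has inside that container
    portgroup: str   # installation-level VLAN/portgroup backing it
    ip_range: str    # CIDR this container uses on the portgroup
    fenced: bool     # True when a Network Device (router/NAT/firewall) fronts it

    @property
    def label(self):
        return f"{self.org}/{self.container}"


def shared_segments(networks):
    """Group networks by backing portgroup: every group with more than one
    member is one layer-2 network shared under different names."""
    by_pg = {}
    for net in networks:
        by_pg.setdefault(net.portgroup, []).append(net)
    return {pg: nets for pg, nets in by_pg.items() if len(nets) > 1}


def cross_org_exposure(networks):
    """Pairs of networks from different orgs on one shared segment where
    neither side is fenced, so only the soft IP-range split separates the
    tenants at layer 2."""
    findings = []
    for pg, nets in shared_segments(networks).items():
        for a, b in combinations(nets, 2):
            if a.org != b.org and not (a.fenced or b.fenced):
                findings.append((pg, a.label, b.label))
    return findings


def overlapping_ranges(networks):
    """Unfenced networks on one segment whose IP ranges overlap, i.e. the
    soft restriction on IP usage is violated. Fenced networks are skipped:
    reusing a range behind NAT is exactly what fencing is for."""
    findings = []
    for pg, nets in shared_segments(networks).items():
        open_nets = [n for n in nets if not n.fenced]
        for a, b in combinations(open_nets, 2):
            if ipaddress.ip_network(a.ip_range).overlaps(ipaddress.ip_network(b.ip_range)):
                findings.append((pg, a.label, b.label))
    return findings


# Constructed sample installation, using the names shown on the slide.
SAMPLE = [
    ContainerNetwork("coke", "vdc1", "Private", "VLAN 1", "10.0.1.0/24", False),
    ContainerNetwork("coke", "vdc3", "foo", "VLAN 1", "10.0.1.128/25", False),
    ContainerNetwork("pepsi", "vdc1", "Public", "VLAN 1", "10.0.2.0/24", False),
    ContainerNetwork("coke", "vdc2", "WSnet", "VLAN 2", "192.168.0.0/24", True),
    ContainerNetwork("pepsi", "vdc2", "WSnet", "VLAN 2", "192.168.0.0/24", True),
]

if __name__ == "__main__":
    for pg, nets in shared_segments(SAMPLE).items():
        print(pg, "is shared by:", ", ".join(f"{n.label} as '{n.name}'" for n in nets))
    print("cross-org, unfenced:", cross_org_exposure(SAMPLE))
    print("overlapping ranges:", overlapping_ranges(SAMPLE))
```

In the constructed sample, VLAN 2 is shared by two organizations that both call it "WSnet" and reuse the same 192.168.0.0/24 range, which is harmless because both are fenced behind a Network Device; VLAN 1 is the case to look at, since Coke and Pepsi share it unfenced, and two Coke containers have overlapping ranges on it.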


User Security

Organizations and Multi-Tenancy (Org 1: Coke, Org 2: Pepsi, Org 3: Dr Pepper)
- Users only get access to resources that are associated with their organizations
- Authentication off of central or tenant-specific LDAP

Roles and Rights
- The system comes with built-in roles that range from root to view-only users
- Custom roles can be defined, by those with the rights to do so, from a set of over 50 rights
- If a user has multiple roles he/she gets the union of rights
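The access model on this slide has two independent gates: tenancy (the resource must belong to the user's organization) and rights (the union over every role the user holds, with custom roles drawn from a fixed vocabulary by someone entitled to define them). The following is an added example, not VMware's code; the right names, the built-in roles and the sample users are assumptions, the real product having over 50 rights and its own role names.

```python
"""Organization-scoped role-based access control of the kind the slide
describes: users see only their organization's resources, roles are sets of
rights, custom roles are built from a fixed rights vocabulary by someone who
holds the right to define roles, and a user with several roles gets the
union of their rights.

Added example, not VMware's code. The right names, the built-in roles and
the sample users are assumptions."""
from dataclasses import dataclass

# Constructed rights vocabulary (assumption; the product has over 50).
ALL_RIGHTS = frozenset({
    "vapp.view", "vapp.deploy", "vapp.delete",
    "org.manage", "user.manage", "role.define",
})

# Constructed built-in roles, from root down to view-only (assumption).
BUILT_IN_ROLES = {
    "root": set(ALL_RIGHTS),
    "vapp_author": {"vapp.view", "vapp.deploy"},
    "view_only": {"vapp.view"},
}


@dataclass(frozen=True)
class User:
    name: str
    org: str       # tenant the user authenticated into (central or tenant LDAP)
    roles: tuple   # role names; a user may hold several


@dataclass(frozen=True)
class Resource:
    ident: str
    org: str       # organization the resource is associated with


class Authorizer:
    def __init__(self):
        # Copy so custom roles never mutate the built-in table.
        self.roles = {name: set(rights) for name, rights in BUILT_IN_ROLES.items()}

    def effective_rights(self, user):
        """Union of the rights of every role the user holds."""
        rights = set()
        for role in user.roles:
            if role not in self.roles:
                raise ValueError(f"unknown role {role!r} on user {user.name}")
            rights |= self.roles[role]
        return frozenset(rights)

    def define_role(self, actor, name, rights):
        """Creating a custom role needs the defining right, and the role may
        only be assembled from rights the system actually knows."""
        if "role.define" not in self.effective_rights(actor):
            raise PermissionError(f"{actor.name} may not define roles")
        unknown = set(rights) - ALL_RIGHTS
        if unknown:
            raise ValueError(f"unknown rights: {sorted(unknown)}")
        self.roles[name] = set(rights)

    def can(self, user, right, resource):
        """Access requires both tenancy (same organization) and the right;
        holding the right in another tenant's scope grants nothing."""
        if resource.org != user.org:
            return False
        return right in self.effective_rights(user)


if __name__ == "__main__":
    az = Authorizer()
    alice = User("alice", "coke", ("vapp_author", "view_only"))
    print("alice rights:", sorted(az.effective_rights(alice)))
    print("alice deploys coke vApp:", az.can(alice, "vapp.deploy", Resource("web-01", "coke")))
    print("alice deploys pepsi vApp:", az.can(alice, "vapp.deploy", Resource("web-02", "pepsi")))
```

The tenancy check is deliberately evaluated before the rights check, so a user with broad rights in one organization still gets a plain deny on another organization's resources rather than an answer that depends on role contents.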


Image Transfer

Flow: Client -> vCloud cell (vDC service, Transfer Server) -> Transfer session -> Spooling FS -> Datastore, with a Message Bus between the components

- All state in DB to handle failures in the cell
- OVF validated at multiple points
- Object complete before it is sent to the Datastore

Pragmatic Path to Cloud Computing

Drivers: Cost Efficiency, Quality of Service, Business Agility
Stages: IT Production -> Business Production -> IT as a Service

[Chart values shown on the slide: 85%, 70%, 30%, 15%]

How?
