The rapid transition of critical data into the cloud and the use of SaaS for business processes mean that organizations need to have a solid approach to manage the business risks of cloud. We have worked closely with customers and Cisco’s own IT department to identify some initial steps that organizations can put in place to mitigate the risks of cloud services with IT governance.
Revise how your company data classification system applies to cloud services.
Businesses typically have already established a tiered classification system including private, confidential, public, etc. This system needs to be revised to detail what and how information should be shared in the cloud. These policies also need to take into account any regulatory or compliance requirements.
Communicate an employee policy specific to cloud service usage.
Recently, I was speaking with a large healthcare provider about what policies they had that outlined what employees could share in the cloud. The customer’s IT group believed that a general company code of conduct safeguarded them. However, as the conversation progressed they realized that their current policies were not explicit as to how this applied to cloud.
Employee policies need to clearly outline what can and cannot be shared with approved corporate cloud vendors. For example, even though a vendor like Salesforce.com or Box.com might be approved, an organization may not want certain confidential information to be shared with an outside vendor. Additionally, these policies also need to address personal use of cloud services (file sharing services, for-free email accounts, etc.). These policies need to be communicated to employees periodically, along with how their actions might be monitored to ensure compliance.
Discover and determine the risk profile of shadow IT.
1) Assess and onboard critical cloud applications.
2) Block risky cloud applications with secure web gateways or data loss prevention solutions.
3) Monitor applications and as-a-service usage with alerts for unusual activity.
Establish a data security assessment process for new cloud services.
A vital way to ensure that business data is kept safe is to have a thorough risk assessment process as cloud vendors and services are brought on-board. This process should take into account the following five elements:
Initiation – Establish what elements of your business a vendor will be involved in and what data will be shared with the vendor. Will they handle confidential/private information or only public data?
Data encryption and integration – Test the encryption of data as it passes from the organization to the vendor as well as how the data will be stored at the vendor’s data center. Understand how a vendor would integrate with your systems (creating single sign-on, pulling corporate data, etc.).
Vendor data security policies – Can the vendor uphold the policies for protecting your corporate data based on the classification system defined above, and do so the same way or better than your IT department would? Evaluate the vendor’s disaster recovery plan, compliance and regulatory processes, and identity and access controls.
Vendor stability and proprietary policies – According to Gartner, 1 out of 4 cloud service providers will be out of business in two years. This is largely due to financial instability or acquisitions. Businesses need to ensure that vendors they choose to work with are financially stable. Find out how the vendor would handle your data in the event of a business closure or acquisition. Additionally, do they use a proprietary technology approach that might lock you into using them? Insist that vendors use an open source approach that would help you transition to a new vendor if an SLA was not met or if the vendor was acquired or went out of business.
Ongoing vendor monitoring – Establish a process to regularly review vendors (annually for those dealing with business critical processes, less regularly for those with less impact).
These are some initial steps to managing the business risks of cloud. However, businesses that are looking to reap the benefits of cloud and avoid risk must put in place a lifecycle approach to manage cloud services.
Cisco has a broad base of data center customers with a diverse set of requirements and we meet their needs with Nexus -- the most comprehensive switching portfolio in the industry. This week, we are making announcements for both the Nexus 9000 series and the Nexus 3000 series that provide design and deployment flexibility for our commercial, enterprise, service provider, as well as cloud customers. Key points of the announcement include:
ACI (Application Centric Infrastructure) is shipping this month;
Additional linecard and chassis options provide customer choice and flexibility;
100G linecards for the Nexus 9500 will be available in Q4CY14 and will offer the highest density in the industry; and
New starter kits and bundles help customers ease transitions.
The Nexus 9000 Series
ACI is shipping this month
The Nexus 9000 series can operate in standard NX-OS mode or in ACI mode. In either case the Nexus 9000 portfolio delivers the value of the “5 P’s” of Power efficiency, Price, Port density, Performance, and Programmability. NX-OS mode provides customers with the value of the NX-OS operating system used by tens of thousands of customers in data centers around the world. ACI mode adds to NX-OS capabilities by providing an application driven policy model, integration of hardware and software, and centralized visibility, among other things. ACI requires a controller and switch software. Both are shipping this month. It is important to note that the pricing for this solution is simple and predictable. There is a perpetual license for each leaf switch. Other pricing approaches in the industry are monthly and are based on varying elements like number of VM’s. Comparing the two approaches is somewhat like comparing a cell phone bill that is either flat rate or usage based. Personally, I like the simplicity and predictability of flat rate. See The Future of Networking, as well as SDN and Beyond for additional details on new ACI announcements and how they can take you beyond SDN.
Additional linecard and chassis options underscore flexibility
We’ll consider how flexibility is delivered for both modular and fixed platforms. For modular switching, the Nexus 9500 modular chassis family offers different line card options that can be mixed in the same chassis and allow customers to “dial up” or “dial down” their design based upon the price, performance, feature set, and scale they want to achieve. There are basically 3 different ‘flavors’, all of which are now shipping:
The Nexus 9500 X9400 set of 1/10G and 40G line cards are based on merchant silicon and provide industry-leading price and performance compared to other merchant silicon switches. These provide a very cost effective solution ideal for traditional modular data center designs.
The Nexus 9500 X9500 set of 1/10G and 40G line cards are sometimes referred to as “merchant plus” because they have custom Cisco ASICs, in addition to merchant silicon, and are ideal for customers that need performance together with additional buffering and VXLAN routing capabilities. The X9500 line cards can be used in future ACI designs as well.
The Nexus 9500 X9600 set of 40G line cards provide performance without compromise even for small packet sizes.
The Nexus 9300 series offers ACI capabilities (à la the X9500 linecards in item 2 above) in a fixed form factor. For customers interested in a merchant only fixed form factor, we offer the Nexus 3000 family. This week, we announced the new Nexus 3164, which provides 64 ports of 40G and is a great solution for 40G access or space constrained aggregation.
We are also announcing 100G linecards that we believe will deliver industry leading port density of up to 128 ports of 100G in a single chassis. 100G for both the X9400 and X9600 series will be available for the Nexus 9500 in Q4CY14. Cisco will offer an 8 port 100G X9400 line card and a 12 port 100G X9600 line card.
New starter kits and bundles ease transitions
There are numerous packages available to ease transitions -- from 1G to 10G, 10G to 40G, or from traditional networks to ACI. There are 2 bundles I want to quickly call out. The first provides a smooth transition for customers with older End of Row Catalyst 6500’s in their data centers. It occupies the same rack space and uses the same cabling as they currently have, but provides 10X the performance. The second is basically an ACI starter kit, providing the APIC, spine switches and leaf switches, even optical cables – everything required to set up and get started with an ACI pod.
In summary, Cisco is continuing its rapid pace of innovation and execution around ACI and data center switching overall. Ultimately, this means customers gain choice, flexibility and true innovation to support their business needs.
In part one of this series we covered the internals of HDDs, and in part two we went over the internals of SSDs. In part three we continue reviewing storage concepts to refresh or learn the right lingo.
Let’s start by understanding “Redundant Array of Independent Disks” (RAID). There are RAID levels like RAID0 and RAID1 that are easy to understand and others like RAID5 and RAID6, which many sysadmins misunderstand.
Redundant Array of Independent Disks (RAID)
In the past RAID was also referred to as a “Redundant Array of Inexpensive Disks”. At the end of the day
ACI goes beyond SDN to help customers deliver business outcomes and not just network device programmability. That’s part of the reason over 175 customers signed up to trial the APIC during the hardware beta. Now Cisco ACI will start shipping to Data Centers worldwide on July 31! (See Soni’s blog)
From when we first announced the Vision for an Application Centric Infrastructure at Cisco Live Orlando in 2013, it’s been extremely exciting to see customers and ecosystem partners support this new operational model for centrally configuring, automating and operating network and security infrastructure.
The application model for abstracting network infrastructure requirements and policies really does address the operational needs of the infrastructure and application teams. That was by design, as Insieme’s engineering team worked with the leading cloud infrastructure customers of the world and our Cisco IT organization to incorporate their operational and application needs. In fact, IDC published a powerful report to confirm the ACI related 3 year OpEx savings forecast at Cisco’s IT Elastic Infrastructure Services (CITEIS), one of the largest data center environments in the world. Read the IDC Business Value Brief on Cisco ACI to learn more.
With the production APIC, customers can now begin running production applications on ACI. For insights into why our customers are deploying ACI, we spoke with the leaders of two world-class IT companies that are aggressively rolling out ACI within their own corporate IT.
Symantec IT is an early adopter of ACI and Sean Doherty (VP of Alliances Offerings, Symantec) spoke recently with Shashi Kiran (Senior Director, Cisco) about automating their IT infrastructure with ACI. About the Symantec IT environment, Sean said, “Some applications have been through the Physical to Virtual cycle and others are placed on clouds. We are looking to move those into a more modern agile environment. The ACI is providing the infrastructure to build out that new environment…”. Sean added that ACI helps in significantly accelerating the detection and remediation of security issues with business critical applications. Check out this YouTube video interview for the full story.
Representing another user adopting ACI, NetApp’s CTO Jay Kidd spoke recently about the ACI project in their global development lab. He said this is a large scale deployment covering 2300 racks of equipment wired end-to-end with 40G capacity with Nexus 9000. Talking about the lab, Jay stated, “One of the beauties of the (Nexus) 9K is the ability to gracefully transition and combine 10Gig and 40Gig together in the same infrastructure. Then with ACI, being able to build up these profiles for the applications or the test scenarios for those applications, store them, provision them dynamically. Anything we can do to make it easier for our developers to use this DevOps private cloud, we think will speed up the time to market and ACI is big part of that”. The Lab can spin up thousands of Virtual Machines per hour with an aggregate capacity of running well in excess of a million VMs at a given time. You can listen to Jay’s eloquent explanation on YouTube here.
Our Cisco sales teams have a great way to help Cisco customers to begin their own ACI deployments with the new ACI Starter Bundles. An ACI Starter Bundle (Fig 1) has everything you need to create an ACI POD including a resilient cluster of three APICs, two fixed or modular spine switches, eight 40G optics, and two or four leaf switches depending on which of the four bundles are selected.
Figure 1 ACI Starter Bundles include an APIC Cluster with 3 APICs and 8 40G AOC optics
#1 Two Fixed Spine Switches, Four Leaf Switches with 192 Ports
#2 Two Fixed Spine Switches, Four Leaf Switches with 384 Ports
#3 Two Modular Spine Switches, Two Leaf Switches with 96 Ports
#4 Two Modular Spine Switches, Two Leaf Switches with 192 Ports
Cisco customers can use ACI Starter Bundles 1 or 2 as a policy appliance for flexible, granular network virtualization and secure isolation in conjunction with their existing base of Nexus 2000 to Nexus 7000. (Fig. 2)
Figure 2 ACI Starter Bundles #1 or #2
ACI Starter Bundles #1 or #2 can also be used to scale out a UCS converged infrastructure solution such as NetApp FlexPod and VCE VBlock. (Fig. 3)
Figure 3 Scale out UCS Converged Infrastructure Solutions
ACI Starter Bundles #3 or #4 can be used as a starting point to scale out private clouds with secure multi-tenancy since they are based upon the more expandable modular chassis. (Fig. 4)
When used in conjunction with the just released Application Virtual Switch, AVS, the APIC provides centralized policy based control and automation for any application composed of any number of server tiers containing any number of virtual or physical servers. These ACI starter bundles enable customers to begin ACI deployments for testing or production operations. The simple fixed price licensing for a set of leaf ports, 48 or 96, means there is no penalty for running lots of VMs per server vs. bare metal servers. (Fig 5) Customers can predict the cost of running their software defined network infrastructure.
Figure 5 No per VM Tax with ACI licensing
Contact your Cisco account manager to learn how the cost of an ACI POD is less than the cost of those dedicated x86 hardware gateways required with leading pure software overlay approaches. ACI delivers more scale, security, and performance at a fixed predictable cost with documented TCO benefits.
Many of our ecosystem partners announced at Cisco Live that they would be shipping their ACI Device Packages when Cisco’s APIC enters FCS. The following joint solutions have passed rigorous interoperability testing conducted jointly by the vendor’s and Cisco’s engineering teams in our own ACI testing lab. These partners demonstrate ACI’s open ecosystem for service integration, investment protection for existing ADC networks, and the benefits of a centralized control point for L2-L3 network and L4-L7 service policy coordination and automation.
Cisco ASA security and Cisco ACI solution: Customers can now deploy Cisco ACI with Cisco ASA and its ACI Device Package to provide automated, policy-based security provisioning, management, and security policy updates, for firewall, intrusion prevention, and more.
Citrix NetScaler and Cisco ACI joint solution: Customers can use the APIC to coordinate the Citrix NetScaler’s ADC unique application insights for optimized service delivery with ACI’s network automation and obtain end-to-end telemetry and visibility for service-aware applications and tenants.
Embrane and Cisco ACI joint solution: With the APIC and Embrane’s ACI Device Package, ESM automates the deployment and lifecycle management of Embrane’s network virtual services as well as those from Cisco ASA, Sourcefire, and Citrix.
F5 Synthesis and Cisco ACI joint solution: Customers can accelerate application deployment by automating insertion of SSL offload and L4-L7 SLB services using F5’s ACI Device Package and the Cisco APIC.
In August, we are publishing interviews with the analysts, the leading practitioners that are hands-on with ACI, in an exciting ACI special edition of Unleashing IT. I’ll share the link for you here in a few weeks.
Today, we had some great news to share on Data Center and Cloud Networks. The Cisco ACI solution portfolio was orderable on July 1 and starts shipping July 31. This includes the four ACI starter bundles detailed above. For details on today’s exciting new Nexus switches announcement, please visit this blog -- Nexus Flexibility Eases Transitions.
(This is part 5 of a 7-part series sharing insights from Cisco partners about the Future of Cloud.)
“A lot of things go into building out a cloud practice that most people don’t realize until they get into it. Because we have been a systems integrator, we know the on-premises environment very well. That gives us an advantage over some cloud providers who may be more like service providers. They just don’t understand the integration piece.”
Integration is an important part of a successful migration to cloud, according to Ludwig. Cisco has a whole ecosystem that has built applications to integrate with on-premises equipment. When moving to cloud, all of these integrations still have to work. “That was something we did a lot of research on, to make sure that all of the third party companies that we work with on-premises are going to work in the cloud.”
For NWN, the value of the Cisco partner ecosystem cannot be underestimated. Regarding which partners to work with, Ludwig said, “We certainly look to Cisco for guidance. We don’t want to pick a partner and then find out something doesn’t work right.
“It’s very helpful knowing that if they’re part of the ecosystem, we know that they are going to be a good partner. That they are going to be around. That they know how to work with the Cisco team and technology.”
You can also learn more about how providers are addressing the need for enterprise class services in the latest edition of Unleashing IT.