Reinventing IT & Enabling Hybrid Cloud with Windows Server 2016

0 Copyright 2016 FUJITSU

Fujitsu Forum 2016

#FujitsuForum


Reinventing IT & Enabling Hybrid Cloud withWindows Server 2016

Manfred Helber

Senior Consultant Microsoft Solutions


Windows Server The foundation of hybrid cloud

On-premises datacenter Microsoft Azure Stack


IT is being pulled in two directions

Support business agility and innovation

Provide secure, controlled IT resources

By 2017, 50% of total IT spending will be spent outside of the formal IT organization.


IT stress points

Security threats

Datacenterefficiency

Supporting innovation


Security is a top IT priority

Security threats




Increasing incidents

Multiple motivations

Bigger risk

Why security is a top IT priority


Source: McKinsey, Ponemon Institute, Verizon.

Cyber threats are a material r isk to your business

Impact of lost productivity and growth

Average cost of a data breach (15% YoY increase)

$3.0 Tr i l l ion $4 Mil l ion

Corporate liabilitycoverage.

$500 Mil l ion

“Cyber security is a CEO issue .”- M c K i n s e y


Security threats



Datacenter efficiency


Protect identity

Help secure virtual machines

Protect the OS on-premises or in the cloud

Better security starts at the OS


Challenges in protecting credentials

Ben Mary Jake AdminDomain admin

Typical administrator

Cap

ab

ility

Time

Social engineering leads to credential theft.

Most attacks seek out and leverage administrative credentials (Pass the Hash).

Administrative credentials often provide more privilege than necessary.


Typical administrator

Protect against compromised admin credentials

Ben Mary Jake AdminDomain admin

Just Enough and Just in Time administration

Cap

ab

ility

Time

Credential Guard Prevents Pass-the-Hash and Pass-the-Ticket attacks by protecting stored credentials through virtualization-based security.

Remote Credential Guard Works in conjunction with Credential Guard for RDP sessions to deliver Single Sign-On (SSO), eliminating the need to pass credentials to the RDP host.

Just Enough AdministrationLimits administrative privileges to the bare-minimum required set of actions (limited in space).

Just-in-Time AdministrationProvides privileged access through a workflow that is audited and limited in time.

Capability and time needed


Challenges in protecting the OS

New exploits can attack the OS boot-path all the way up through applications.

Known and unknown threats need to be blocked without impacting legitimate workloads.


Help protect the OS and its applicationsOn-premises or in any cloud

Device GuardEnsure that only permitted binaries can be executed from the moment the OS is booted.

Windows Defender Actively protects from known malware without impacting workloads.

Control Flow Guard Protects against unknown vulnerabilitiesby protecting against classes of memory corruption attacks.


Challenges protecting virtual machines

Virtual machines are easy to modify and copy.

Multiple fabric administrators typically have access.

Any compromised or malicious fabric administrators can access guest virtual machines.


Features to help protect virtual machines

Shielded Virtual Machines Use BitLocker to encrypt the disk and state of virtual machines protecting secrets from compromised admins and malware.

Host Guardian Service Attests to host health releasing the keys required to boot or migrate a Shielded VM only to healthy hosts.

Generation 2 VMsSupports virtualized equivalents of hardware security technologies (e.g., TPMs) enabling BitLocker encryption for Shielded Virtual Machines.

Hyper-V

Virtual machine

Computer room

Building perimeter

Physical machine

Hyper-V

Shielded virtual machine

*

`


Shielded Virtual MachinesWorks with Host Guardian Service

Cloud/Datacenter

Hyper-V Host 1

Hypervisor

Guest VMGuest VM Guest VMHost OS

Hyper-V Host 2

Hypervisor

Guest VMGuest VMHost OS

Hyper-V Host 3

Hypervisor


Key Protection

Host Guardian Service


Cloud/Datacenter

Hyper-V Host 1

Hypervisor

Guest VMGuest VM Guest VMHost OS

Hyper-V Host 2

Hypervisor


Hyper-V Host 3

Hypervisor


Key Protection

Host Guardian Service

healthy

Key release criteria TPM-mode)

1. Known physical machines

2. Trusted Hyper-V instance

3. CI-compliant configuration

Shielded Virtual MachinesWorks with Host Guardian Service


Security threats

Transforming the datacenter




Security threats



Software-define the datacenter


Enterprise-class Virtualization

Software-defined Storage

Software-defined Networking


MANAGEMENTCLOUDDATACENTER

Azure Inspired Compute


Software-defined

Compute

Mission-critical

Industry-leading scale

Linux first-class citizen

DATACENTER

Network

Infrastructure agility

Proven at cloud scale

VXLAN support

Storage

Cloud economics

3x performance at half the cost

Multi-vendor ecosystem


DATACENTER

RAM

per physical server


DATACENTER

Logical Processors

per physical server


DATACENTER

RAM

per VM



Virtual Processors

per VM


Software-defined

Compute

Mission-critical



DATACENTER

Network



VXLAN support

Storage

Cloud economics





Azure Inspired SDN


DATACENTER

Azure Inspired

SDN

Azure Data Plane

Network Controller

Software Load Balancer

Distributed Firewall

VMs & Containers

RDMA Optimized

Micro-segmentation


Software-defined

Compute

Mission-critical



DATACENTER

Network



VXLAN support

Storage

Cloud economics




DATACENTER

Azure Inspired SDS



Azure Inspired

SDS

Storage Spaces Direct

Storage Replica

NVMe

Storage QoS

Hyper-Converged Optimized

RDMA Optimized


Converged solutionOn-premises disaggregated solution

Scale components separately

in this model.

Simultaneous scaling is possible

when compute (Hyper-V) and storage

components (Storage Spaces Direct)

reside on the same cluster.

Hyper-convergedScale compute, storage simultaneously

Storage Software

SMB3

Virtual machines on Hyper-V host

Scale-out file server

Storage Software

Virtual Machines

Scale-out file server

Storage Software

Industry-standard servers with internal drives

No shared storage, no fancy cables – just Ethernet

Let’s cluster them

Software-defined “pool” of storage

We’re ready to create volumes!

Hyper-Converged


Demo:Software-defined storage

© Fujitsu 2016

Storage Spaces Direct (S2D)

Scale-Out

Add new node to cluster

© Fujitsu 2016

Storage Spaces Direct (S2D)

Fault Tolerance

Server Fault ToleranceUp to 2 simultaneous failures

Copies always land in different servers

Accommodates servicing and maintenance

Data resyncs automatically





















Chassis & Rack Fault Tolerance

© Fujitsu 2016

Fault Domain Awareness

Flexible Scenarios

Set up with PowerShell or XML policy

Create flexible, nested topologies

Fault Domains

Clustering now understands

Node, Chassis, Rack, and Site

Failure policies and Spaces Direct data

placement

© Fujitsu 2016

Hyper-converged Storage Spaces Direct


Nano Server installation option - just enough OS

Nano ServerJust enough OS


Increase reliability with cluster enhancements

Cluster OS Rolling Upgrade Upgrade your fabric to Windows Server 2016, without

downtime to workloads running on Hyper-V virtual

machines.

Mixed OS Mode clusterProvides ability for Windows Server 2012 R2 cluster

nodes to operate with Windows Server 2016 nodes.

VM resiliencyDesigned for cloud-scale environments, this helps

preserve VM session state in the event of transient

storage or network disruptions.

Fault domain-aware clusters Enhances key operations during cluster lifecycle such

as failover behavior, placement policies, heartbeating

between nodes, and quorum behavior.


Complete software-defined storage solution

Storage ReplicaCreate affordable business

continuity and disaster recovery

among datacenters.

Storage Quality of ServicePrevent noisy neighbors from

impacting high priority workloads

with a Storage QoS policy.

Storage Spaces DirectUse standard servers with local

storage to build highly available and

scalable software-defined storage.

Site 1 Site 2


Azure-inspired, software-defined networking

Move faster with Network Controller

VXLAN-based virtual networking

Hybrid SDN gateways for cross-cloud deployment

External and internal software load balancing

Reduce costs

Ability to converge RDMA and Ethernet traffic on the same teamed NICs

QoS for predictable performance

Monitoring and automation to reduce OpEx

Enhance network security

Distributed firewall

Network Security Groups for microsegmentation

Routing and mirroring to specialized virtual appliances


Demo:Nano Server


Presentations & Public Speaking

Reinventing IT & Enabling Hybrid Cloud with Windows Server 2016