Unisys Secure Private Cloud Solution


Understanding Unisys Secure Private Cloud
White Paper

The emergence of public cloud computing has created an irreversible trend in IT. But public clouds raise issues regarding regulations with respect to data security and the sheer data size needed for many enterprise applications. Organizations are moving to private clouds to take advantage of cloud capabilities while maintaining control over data.

Unisys Secure Private Cloud (SPC) provides the advantages of cloud computing principles and capabilities within an enterprise's data center. Unlike many private cloud solutions, SPC offers adaptation capabilities so that cloud resources can be managed as another form factor within the data center, using the current management processes and tools. In addition, integration with the Unisys Stealth Solution enables administrators to isolate resources that need to comply with specific privacy regulations.

Table of Contents
- Introduction
- Secure Private Cloud Capabilities
- Secure Private Cloud Concepts
- Multi-Cloud Instances and Rich N-tenant Hierarchy
- Hybrid Cloud Support: Support for Amazon EC2
- Stealth: Defense in Depth for Regulated Data
- Secure Private Cloud Use Cases
- Test/Development Environment
- Enterprise Production Applications
- Enterprise Mission Critical Applications
- High Value Service Provider
- Conclusion
- Additional References

Introduction
According to the Gartner Data Center Conference poll of December 2012, private cloud computing is just past the peak of the hype cycle and deployments are increasing throughout 2013. A significant number of respondents indicate they are putting a private cloud plan together and are considering deploying private clouds by the end of 2014. Management, operational processes and security are still considered to be among the top three challenges in a private cloud computing service among respondents.

Unisys Secure Private Cloud (SPC) enables customers to gain the advantage of cloud computing principles and capabilities within an enterprise's data center. Through its open framework and integration with the Unisys Stealth Solution, SPC offers key differentiation and addresses the key challenges faced by private cloud customers.

Secure Private Cloud Capabilities
Key capabilities of SPC include:
- Service-Oriented Infrastructure: Cloud users can use a web-based portal to commission and manage their own infrastructure resources. This provides agility for the cloud user as well as relieving administrators from repetitive, low-level infrastructure tasks.
- Utility: Infrastructure resources are optimized and highly utilized by sharing resources among all cloud users as appropriate. Utility computing includes utilization monitoring for chargeback/showback.
- Elasticity: As application workloads wax and wane, the utility's resources can be commissioned and decommissioned to accommodate changing requirements.
- Ubiquity: Private cloud resources can be managed as a service wherever internet/intranet access is provided.

Unlike many private cloud solutions, SPC provides adaptability and mission critical security.
- Adaptability: Secure Private Cloud has been architected to provide a cloud framework, with adapters that connect to IT automation software. In this way, resource requests can be integrated with the datacenter's own management processes, including incident, configuration, asset and change management processes. Adaptation to the datacenter's security model, through LDAP/Active Directory integration, facilitates single sign-on, thus allowing cloud resources to be accessed and managed in the same manner as other datacenter resources. Adaptability avoids the "cloud in a corner" syndrome.
- Mission Critical Security: Secure Private Cloud is integrated with the Unisys Stealth technology, which allows cloud administrators to isolate specific resources that require compliance with specific privacy regulations. Stealth provides encryption for all data transmitted among the specific resources that have these requirements. Built to meet requirements of the U.S. Department of Defense to help secure sensitive information, Unisys Stealth achieved the National Security Agency's National Information Assurance Partnership Common Criteria EAL-4+ certification, protecting data-in-motion across any network, whether private or public. As with any Common Criteria evaluation, the EAL rating attests to the depth of evaluation against the product's declared Security Target, so the Target's scope should be checked against the intended deployment.

Secure Private Cloud Concepts
This section provides the fundamental SPC concepts that can be used to form a mental model of how the cloud is architected and managed.

Within the SPC cloud, a tenant is defined as an individual entity that is entitled, through a contract, to provide virtual machine resources for cloud users. These tenants might be the enterprise's external customers, its subsidiaries or its internal departments that require management as separate entities. Depending on the enterprise's needs, SPC can be configured as a single-tenant or a multi-tenant environment.

Tenants can have one or more projects. Projects are used to further subdivide the tenant organization. You can configure projects based on the needs of a tenant environment. For example, you could configure one project for each tenant department or each sub-department, or you could configure projects based on user responsibilities in the organization.

A blueprint defines a class of resources. Cloud users can commission instances of these resources as a service using the Secure Private Cloud Single Pane of Glass. When users commission resources, they provide values for a set of parameters, based on constraints that the administrator or operator configures. Blueprints can be refined to create new blueprints with specific attributes that fit an organization's requirements and constraints. Cloud users request infrastructure as a service through a service catalog that shows the blueprints that are contracted for their project.

The number of resources available to an end user is managed using contracts that provide the number of entitled resources on a blueprint-by-blueprint basis. Contracts are specified at the tenant level and can be further refined at the project level.

The Secure Private Cloud's value to the datacenter lies in its ability to automate infrastructure management by exposing infrastructure as a service.

Multi-Cloud Instances and Rich N-tenant Hierarchy
The description above exposes the basic structure of the Secure Private Cloud. Secure Private Cloud provides additional structure to address enterprise-class scalability and control.

The overall cloud can be partitioned into multiple cloud instances. Each instance can be considered an independent cloud, with all instances managed through the Single Pane of Glass. This addresses scalability in the following ways. Multiple cloud instances can be used to support dispersed geographical locations. Similarly, multiple instances can be used to effectively manage resources that are virtualized on multiple instances of vCenter. Scalability of administration is also enabled: the overall cloud administrator is the super user of the cloud, and as the cloud grows, the cloud administrator can set up multiple cloud instances that are administered by cloud administrators who are super users of their own instance.

In the description so far, the structure is shown as projects that are associated with tenants. A richer structure can be established using folders. Multiple folders can be defined for each tenant, and each folder can, in turn, have sub-folders. An N-level hierarchy, where N is unlimited, can be constructed to create a structure that reflects the enterprise's organization. Folder Administrators can be defined that have exclusive visibility and control of the folder and all sub-folders, projects and resources throughout the folder's sub-tree.
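The tenant, folder, project, blueprint and contract model described above is easiest to reason about as code. The following is an added example written for this page; it is not Unisys code, and the class and function names (Folder, Contract, commission, can_administer, visible_to) and the enforcement rules are assumptions about the product's behaviour, not its API. It models two things the text states: a folder administrator sees and controls only their own sub-tree, and a contract is enforced at every enclosing level, so a project-level refinement cannot grant more than the tenant's entitlement and tenant-wide usage is counted against the tenant contract.

```python
# Toy model of the SPC tenant -> folder (N levels) -> project hierarchy with
# blueprint entitlements carried by contracts. Added illustration for this page,
# not Unisys code; the names and rules below are assumptions, not the product's API.
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List, Optional, Set

class EntitlementError(Exception):
    """A commission request that falls outside the requester's contracts."""

@dataclass
class Contract:
    entitlements: Dict[str, int]  # entitled instance count per blueprint name

@dataclass
class Folder:
    """Hierarchy node: the tenant is the root, a project is a leaf holding VMs.
    Any node may carry a contract and a set of folder administrators."""
    name: str
    parent: Optional["Folder"] = None
    contract: Optional[Contract] = None
    admins: Set[str] = field(default_factory=set)
    children: List["Folder"] = field(default_factory=list)
    vms: List[str] = field(default_factory=list)  # blueprint of each VM commissioned here

    def add(self, name: str, contract: Optional[Contract] = None,
            admins: Iterable[str] = ()) -> "Folder":
        child = Folder(name, parent=self, contract=contract, admins=set(admins))
        self.children.append(child)
        return child

    def lineage(self) -> Iterator["Folder"]:  # this node, then ancestors up to the root
        node: Optional["Folder"] = self
        while node is not None:
            yield node
            node = node.parent

    def subtree(self) -> Iterator["Folder"]:  # this node and every descendant
        yield self
        for child in self.children:
            yield from child.subtree()

    def path(self) -> str:
        return "/".join(n.name for n in reversed(list(self.lineage())))

def can_administer(user: str, folder: Folder) -> bool:
    """A folder administrator controls the folder and its whole sub-tree, so a
    user administers `folder` if named on it or on any ancestor."""
    return any(user in node.admins for node in folder.lineage())

def visible_to(user: str, root: Folder) -> List[str]:
    """Paths the user can see: exactly the sub-trees they administer, nothing else."""
    return [f.path() for f in root.subtree() if can_administer(user, f)]

def usage(folder: Folder, blueprint: str) -> int:
    """Instances of `blueprint` commissioned anywhere in the folder's sub-tree."""
    return sum(f.vms.count(blueprint) for f in folder.subtree())

def catalog(project: Folder) -> Set[str]:
    """Blueprints the service catalog shows for a project: those named in its own
    contract or in the contract of any enclosing folder or the tenant."""
    names: Set[str] = set()
    for node in project.lineage():
        if node.contract:
            names.update(node.contract.entitlements)
    return names

def commission(project: Folder, blueprint: str) -> str:
    """Commission one `blueprint` instance in `project`, enforcing every enclosing
    contract: a project-level refinement caps the project, and the tenant contract
    caps usage summed over the whole tenant sub-tree."""
    if blueprint not in catalog(project):
        raise EntitlementError(f"{blueprint!r} is not in the catalog for {project.path()}")
    for node in project.lineage():
        cap = node.contract.entitlements.get(blueprint) if node.contract else None
        if cap is not None and usage(node, blueprint) >= cap:
            raise EntitlementError(f"contract at {node.path()} allows {cap} x {blueprint!r}")
    project.vms.append(blueprint)
    return f"{project.path()}:{blueprint}#{project.vms.count(blueprint)}"

def build_demo() -> Folder:
    """Constructed sample hierarchy; the names are illustrative only."""
    acme = Folder("acme", contract=Contract({"web-small": 3, "db-medium": 1}),
                  admins={"cloudadmin"})
    eng = acme.add("eng", admins={"alice"})
    eng.add("payments", contract=Contract({"web-small": 2}))  # refines the tenant cap
    eng.add("portal")                                         # inherits the tenant contract
    acme.add("finance", admins={"bob"}).add("ledger")
    return acme

if __name__ == "__main__":
    acme = build_demo()
    payments = acme.children[0].children[0]  # acme/eng/payments
    print(commission(payments, "web-small"), commission(payments, "web-small"))
    print(visible_to("alice", acme))  # the eng sub-tree only; finance is invisible to alice
```

Two design points are worth noting. Entitlement checks walk the lineage rather than stopping at the nearest contract, so a project refinement can only narrow what the tenant contract grants, and usage anywhere in the tenant counts against the tenant-level cap. Administrative visibility is also derived from the lineage, which is what makes a folder administrator's scope exclusive: nothing outside the sub-tree they are named on is returned to them.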
Scoped in this way, a specific organization can work in an autonomous manner.

Hybrid Cloud Support: Support for Amazon EC2
Enterprises today are looking favourably at public cloud to help them build their infrastructure natively on cloud. However, public cloud raises issues related to control and security. According to a study by the Aberdeen Group, public cloud users reported an overall 25 percent of incidents related to audit deficiencies, data loss or data exposure, and unauthorized access. Hybrid cloud gives customers reliability, flexibility and scalability to meet their agility and budgetary requirements.

With Secure Private Cloud release 2.5, user-commissioned virtual machines can now be hosted by a public cloud such as Amazon Web Services (AWS) in addition to the internal on-premise VMware vSphere ESX or ESXi workload virtualization servers. If user-commissioned virtual machines are hosted by a public cloud, the Secure Private Cloud portal can be configured to communicate with the cloud service so that users can use the portal to deploy and manage virtual machines.

[Figure: Automated Provisioning of Internal IT and External Public Clouds]

As depicted in the graphic, customers can expose AWS-specific resources in their service catalog and can commission and decommission Amazon virtual resources.

The Secure Private Cloud environment enables you to take snapshots of your virtual machines at any time. A virtual machine snapshot is a representation of the state of a virtual machine and its data at a given time, and is useful for storing a virtual machine state that you might need to restore as the current processing state in the future.

To help enterprises manage the machine images (templates) available from a public cloud, the Secure Private Cloud manages images so that you can select the ones that you want to use and import them into the cloud environment.

Hybrid Cloud and Rich N-Tenant Hierarchy
Enterprises can organize Amazon resources using SPC's rich N-tenant hierarchy. In this way, an Amazon account can be managed with a multi-level hierarchical structure that reflects the enterprise's organization.

Stealth: Defense in Depth for Regulated Data
The Unisys Stealth technology has been available and integrated within SPC since release 2.2. In functional terms, Unisys Stealth enables the definition of Communities of Interest (COIs): all Stealth-enabled VMs can communicate within their COI using high-grade encryption as well as obfuscation algorithms that render the VMs dark to all resources outside the COI. Within SPC, VMs that are members of the same COI transmit through a software-defined Stealth vLAN. To understand the value of Stealth integration within SPC, consider a use case where isolation of VM functionality, as well as architectural isolation, is required to satisfy a security audit within the cloud.

PCI compliance requires that VMs handling cardholder data be isolated from other VMs that are not at the same trust level. Also, the transmission of cardholder data from one server to another or to the Internet must be encrypted (PCI DSS mandates this for transmission over open, public networks; many datacenter policies extend it to internal links as well). In addition, datacenter security practices often require isolation between the web, application and database tiers in a typical three-tier application pattern.

Mixing VMs with varying trust levels and architectural tiers on the same underlying hardware and network is a practice that requires considerable up-front planning as well as complex processes and configuration. In some cases, isolation using separate host servers, along with firewalls, may remediate non-compliance.

[Figure (a): Isolation using Firewalls and Separate Servers]

Graphic (a) shows a typical approach to isolation of VMs in a three-tiered application. Note the firewalls between the database, application and web tiers. Also note that the physical hosts are not fully utilized.

[Figure (b): Isolation using Stealth Technology]

Graphic (b) shows how VMs that communicate using Stealth encryption can meet the isolation and encryption requirements even though VMs of differing trust levels share hosts. In the Unisys Stealth implementation, fewer servers are required. If another server is needed to scale up web, application or database capacity, it can be commissioned using a Stealth blueprint that determines its membership in the proper Stealth vLAN, and it can be added to the pool of VMs without regard for the specific physical host server. Note that COI isolation is a network-layer control: VMs in different COIs that share a host still share its hypervisor and hardware, so host and hypervisor hardening remain in scope for the audit.

Secure Private Cloud Use Cases
Use cases are defined and driven by various types of users. As such, the concept of a user is a bit more complex in a cloud discussion than it is when discussing a single application. The following users are defined for these use cases:
- Administrators use the cloud management capabilities to define and control tenants, projects, contracts and blueprints.
- Operators are responsible for manual administration of cloud resources that cannot be automated. Cloud operators receive notifications (by e-mail, by Remedy ticket, or by both) when any action occurs in the Secure Private Cloud portal. This includes when resources are commissioned, when operational changes take place, and if any errors occur during the commissioning process.
- Cloud Users commission, decommission and manage their portion of the infrastructure in a service-oriented fashion.

Test/Development Environment
Administration of resources for test and development activities accounts for the majority of IT administrative costs. For every one server in production, four or more servers are managed for test and development. This use case is considered the low-hanging fruit for private cloud deployment. In this use case, the cloud administrator defines the structure of the cloud as well as setting up the service catalog of blueprints. The cloud users are the technicians that are developing and testing their software.

Unisys has deployed SPC throughout the development and service organizations in its Engineering Resource Laboratory (ERL). Ninety-five percent of all resource requests can be satisfied through the service catalog, which provides over 80 different services. When a developer selects a service, the parameters of the blueprint can be selected through the user interface. The other 5% of user requests may require intervention of the cloud operator. The cloud operator also monitors cloud events, identifying error conditions as well as monitoring the level of service that is being experienced by the cloud users.

Although the Test/Development cloud started as a single-tenant cloud, it has evolved to include multiple cloud instances, tenants and organizational folders for a number of reasons. One reason has been to manage test/development activities on a global basis. With the formation of multiple tenants and folders, specific organizations can have their own administrator and work fairly autonomously with respect to the other tenants. Multiple tenants and folders not only imply autonomous management, but also allow each organization to be isolated and contained from the others. The Test/Development cloud uses defined tenants to support self-service infrastructure requests from non-Unisys contractors.

Enterprise Production Applications
The Secure Private Cloud has become the next phase of a continual process/cost improvement regarding the infrastructure needed to support critical Unisys production systems, such as employee travel, benefits, time management, customer relationship management, sales support and others.

About five years ago, Unisys consolidated its dat...