Virtualization Changes Everything | GSF 2012 | Session 3-3
© 2009 VMware Inc. All rights reserved
Virtualization Changes Everything! Curtis Brazier
Sr. Program Manager, Federal Cloud
2
Agenda
• About Me
• Virtualization – what is it?
• A little History Lesson
• Where are we today?
• What’s next?
• Why should you care?
• Closing
3
About Curtis
1987 – Control Data Institute
1988 – 1998 – installed, managed and maintained PC/LAN/WAN
1998 – 2003 – Novell, Inc.
2003 – 2006 – RSA and Gemplus
2006 – Present – VMware
4
Virtualization – What is it?
5
By Definition
Virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.
6
A little History Lesson
7
1963 – Term “virtual machine” was introduced
IBM 7044 (M44)
• Experimental
• Multiple images of itself
• Bring down entire system to patch underlying OS
Proved that “close enough” to a virtual machine system wasn’t good enough.
8
1964 – IBM System/360
IBM Cambridge Scientific Center and MIT
• CP-40 ran multiple OS instances
• CMS (Cambridge Monitor System)
• Multiple “client” interfaces
• GA January 1967
[Figure captions, recovered from the mis-encoded embedded text; one digit could not be recovered]
Left: One of the first ads for the System/360, circa 1964. The System/360 was first announced in April of 1964, and delivered to customers in 1965. The System/360 cost IBM $5 billion to develop, which was second in cost only to the Apollo Moon program, during the decade of the 1960s.
Right: Dr. Frederick Brooks – the project manager of the S/360. He has won over [?]0 honors and awards, including the “National Medal of Technology” in 1985. (Gene Amdahl was the chief architect of the S/360.)
Left: OS/360: Concurrent Peripheral Operation, circa 1966 (multi-tasking, input and output queues, concurrent printing, etc).
Right: A System/370-155 operator’s panel from the early-mid 1970s. It was one of the last IBM mainframes to have a panel with plentiful lights, dials, and switches.
9
1972 – the introduction of virtual memory
IBM Announces virtual memory for System/370
2012 – Virtual memory can be overcommitted by ~2:1 (transparent page sharing, balloon drivers, linked clones, etc.)
10
As time goes by… 1970-1990
• 1974 – 8080 Microprocessor – “First True General Purpose Microprocessor”
• 1980 – Ethernet project began between Intel, DEC and Xerox
• 1981-1984 – Ethernet Voice over IP experiments expose weakness in Ethernet interconnection and scale. Concept of vLAN (virtual Local Area Network) and Ethernet Switching came alive.
• 1988 – Sun Version 1.0 – SoftPC and SoftWindows software emulators of x86 hardware.
11
x86 Virtual Machine Monitor – Intro of privileged and non-privileged execution
Embedded paper excerpt (ASPLOS’08), reassembled in reading order:

Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems

Xiaoxin Chen, Tal Garfinkel, E. Christopher Lewis, Pratap Subrahmanyam, Carl A. Waldspurger (VMware, Inc., {mchen,talg,lewis,pratap,carl}@vmware.com); Dan Boneh (Stanford University); Jeffrey Dwoskin (Princeton University); Dan R.K. Ports (MIT)

Abstract

Commodity operating systems entrusted with securing sensitive data are remarkably large and complex, and consequently, frequently prone to compromise. To address this limitation, we introduce a virtual-machine-based system called Overshadow that protects the privacy and integrity of application data, even in the event of a total OS compromise. Overshadow presents an application with a normal view of its resources, but the OS with an encrypted view. This allows the operating system to carry out the complex task of managing an application’s resources, without allowing it to read or modify them. Thus, Overshadow offers a last line of defense for application data.

Overshadow builds on multi-shadowing, a novel mechanism that presents different views of “physical” memory, depending on the context performing the access. This primitive offers an additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processor architectures.

We present the design and implementation of Overshadow and show how its new protection semantics can be integrated with existing systems. Our design has been fully implemented and used to protect a wide range of unmodified legacy applications running on an unmodified Linux operating system. We evaluate the performance of our implementation, demonstrating that this approach is practical.

Categories and Subject Descriptors: D.4.6 [Operating Systems]: Security and Protection
General Terms: Design, Security, Performance
Keywords: Virtual Machine Monitors, VMM, Hypervisors, Operating Systems, Memory Protection, Multi-Shadowing, Cloaking

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. ASPLOS’08, March 1–5, 2008, Seattle, Washington, USA. Copyright © 2008 ACM 978-1-59593-958-6/08/0003...$5.00

1. Introduction

Commodity operating systems are ubiquitous in home, commercial, government, and military settings. Consequently, these systems are tasked with handling all manner of sensitive data, from individual passwords and crypto keys, to databases of social security numbers, to sensitive documents and voice traffic.

Unfortunately, the security provided by commodity operating systems is often inadequate. Trusted OS components include not just the kernel but also device drivers and system services that run with privilege (e.g., daemons that run as root in Linux). These components generally comprise a large body of code, with broad attack surfaces that are frequently vulnerable to exploitable bugs or misconfigurations. Once such privileged code is compromised, an attacker gains complete access to sensitive data on a system. While some facets of security in these systems will continue to improve, we believe competitive pressures to provide richer functionality and retain compatibility with existing applications will keep the complexity of such systems high, and their assurance poor.

To ameliorate this problem, many have attempted to retrofit higher-assurance execution environments onto commodity systems. Previous efforts have explored executing applications handling sensitive data in separate virtual machines [10, 29, 8], using secure co-processors [7], or changing the processor architecture to introduce orthogonal protection mechanisms that protect application data from the OS [6, 13, 16, 19, 27]. Unfortunately, these generally demand major changes in the way that applications are written [7, 8, 16, 18, 28] and used [8, 10], and how OS resources are managed [10, 29]. Such radical departures pose a substantial barrier to adoption.

We offer an alternative in a system called Overshadow. Overshadow protects legacy applications from the commodity operating systems running them. Unlike other approaches, it requires no changes to existing operating systems or applications, nor any additional hardware support. Instead, it works by extending the isolation capabilities of the virtualization layer to allow protection of entities inside a virtual machine.

Overshadow adds this protection through a novel technique called multi-shadowing which leverages the extra level of indirection offered by memory virtualization in a virtual machine monitor (VMM). Conceptually, a typical VMM maintains a one-to-one mapping from guest “physical” addresses to actual machine addresses. Multi-shadowing replaces this with a one-to-many, context-dependent mapping, providing multiple views of guest memory. Overshadow leverages this mechanism to present an application with a cleartext view of its pages, and the OS with an encrypted view, a technique we call cloaking. Encryption-based protection allows resources to remain accessible to the OS, yet secure, permitting it to manage resources without compromising application privacy or integrity.

Cloaking is a low-level primitive that operates on basic memory pages. However, nearly all higher-level application resources – including code, data, files, and even IPC streams – are already managed as memory-mapped objects by modern operating systems, or [...]

[...] mappings, and keeps them consistent with the GVPN-to-GPPN mappings managed by the guest OS [1]. Since the hardware TLB caches direct GVPN-to-MPN mappings, ordinary memory references execute without incurring virtualization overhead.

3.2 Multi-Shadowing

Existing virtualization systems present a single view of guest “physical” memory, faithfully emulating the properties of real hardware. One-to-one GPPN-to-MPN mappings are typically employed, backing each guest physical page with a distinct machine page. Some systems implement many-to-one mappings to support shared memory; e.g., transparent page sharing maps multiple GPPNs copy-on-write to a single MPN [4, 30]. However, existing virtualization systems do not provide flexible support for mapping a single GPPN to multiple MPNs.¹

¹ Some x86 VMMs do statically map a single GPPN to multiple MPNs to emulate the legacy A20 line, for compatibility with real-mode applications. The A20 line forces physical address bit 20 to zero, aliasing adjacent 1MB regions of memory.

Multi-shadowing is a novel mechanism that supports context-dependent, one-to-many GPPN-to-MPN mappings. Conceptually, multiple shadow page tables are used to provide different views of guest physical memory to different shadow contexts. The “context” that determines which view (shadow page table) to use for a particular memory access can be defined in terms of any state accessible to the VMM, such as the current protection ring, page table, instruction pointer, or some other criteria.

Traditional operating systems and processor architectures implement hierarchical protection domains, such as protection rings [25]. Multi-shadowing offers an additional dimension of protection orthogonal to existing hierarchies, enabling a wide range of unconventional protection policies.

3.3 Memory Cloaking

Cloaking combines multi-shadowing with encryption, presenting different views of memory – plaintext and encrypted – to different guest contexts. Our use of encryption is similar to XOM [19, 18], which modified both the processor architecture and operating system to encrypt and isolate application memory. The term “cloaking” has also been used by Intel’s LaGrande Technology (LT) [13], which introduced a different architectural mechanism for creating orthogonal protection domains.

In contrast to XOM and LT, our virtualization-based cloaking does not require any changes to the processor architecture, OS, or applications. In fact, cloaking based on multi-shadowing represents a relatively small change to the core MMU functionality already implemented by a VMM. We initially describe cloaking using a high-level model. Details concerning metadata management and integration with existing systems are presented in later sections.

Single Page, Encrypted/Unencrypted Views. We represent each GPPN using only a single MPN, and dynamically encrypt and decrypt its contents depending on the view currently accessing the page. This works well, since few pages are accessed simultaneously by both the application and the kernel in practice. As an optimization, the system could keep two read-only copies of the page, one encrypted, and one plaintext, for pages that are read concurrently from both views.

When a cloaked page is accessed from outside the shadow context to which it belongs, the VMM first encrypts the page, using a fresh, randomly-generated initialization vector (IV), then takes a secure hash H of this ciphertext. The pair (IV, H) is stored securely for future use. During decryption, the correct hash is first verified. If verification fails, the application is terminated. If it succeeds, the cloaked page is decrypted, and execution proceeds as normal. By checking the hash before decryption, any attempts to corrupt cloaked pages will be detected.

Overshadow currently uses a single secret key K_VMM managed by the VMM to encrypt all pages; see Section 7.7 for details. Encryption uses AES-128 in CBC mode, and hashing uses SHA-256; both are standard constructions. An integrity-only mode could be supported easily, but is not part of the current implementation.

Figure 1. Basic Cloaking Protocol. State transition diagram for maintaining the secrecy and integrity of a single cloaked page. Application reads R_A and writes W_A manipulate plaintext page contents, while kernel reads R_K and writes W_K use an encrypted version of the page. A secure hash H is computed and stored immediately after page encryption, and verified immediately prior to page decryption.

Basic Cloaking Protocol. Consider a single guest “physical” page (GPPN). At any point in time, the page is mapped into only one shadow page table – either a protected application shadow used by a cloaked user-space process, or the system shadow used for all other accesses. When the page is mapped into the application shadow, its contents are ordinary plaintext, and application reads and writes proceed normally.

Figure 1 presents the basic state transition diagram for managing cloaked pages. When the cloaked page is accessed via the system shadow (transition 1), the VMM unmaps the page from the application shadow, encrypts the page, generates an integrity hash, and maps the page into the system shadow. The kernel may then read the encrypted contents, e.g., to swap the page to disk, and may also overwrite its contents, e.g., to swap in a previously-encrypted page from disk.

When the encrypted page is subsequently accessed via the application shadow (transitions 2 or 3), the VMM unmaps the page from the system shadow, verifies its integrity hash, decrypts the page, and maps the page into the application shadow. For an application read (transition 3), the page is mapped read-only and its (IV, H) is retained. If the page is later written by the application (transition 4), the (IV, H) is discarded, and the page protection is changed to read/write. If the page is instead accessed by the kernel (transition 5), the VMM proceeds as in transition 1, except that the hash for the (unmodified) page is not recomputed.

The read-only plaintext state, where the (IV, H) is retained, is required to correctly handle the case where the kernel legitimately caches a copy of the encrypted page contents. For example, this could occur if the kernel swaps a cloaked page to disk, which is later paged in due to an application read, and then swapped out again before the application modifies it. The kernel can optimize the second page-out by noticing that the page is not dirty, and simply unmap the page without reading it, since the on-disk swapped copy is still valid. If the (IV, H) had been discarded, it would not be possible to decrypt the page after it is swapped back in.

Cloaking is compatible with copy-on-write (COW) techniques for sharing identical pages within or between VMs. Plaintext pages can be shared transparently, and page encryption handled like a COW fault.

Virtual DMA. Cloaking is also compatible with virtual devices that access guest memory using DMA. For example, suppose the guest kernel performs disk I/O on a cloaked memory page via a virtual SCSI adapter. For a disk read, the cloaked page contents are already encrypted on disk, and the VMM simply permits the kernel to issue a DMA request to read the page.

For a disk write, the action taken by the VMM depends on the current state of the cloaked page. If the page is already encrypted, the VMM allows the DMA to be performed directly. When the page is in the plaintext read-only state, the VMM first encrypts the page contents with its existing (IV, H) into a separate page that is used for the DMA operation. Similarly, if the page is in the plaintext read-write state, the VMM encrypts its contents into a separate page used for the DMA operation. The cloaked page then transitions to the read-only plaintext state, and is associated with the newly-generated (IV, H). Note that in both plaintext states, the original guest page is still accessible in plaintext form to the application, since a transient encrypted copy is used during the actual DMA.

Figure 2. Overshadow Architecture. The VMM enforces two virtualization barriers (gray lines). One isolates the guest from the host, and the other cryptographically isolates cloaked applications from the guest OS. The shim cooperates with the VMM to interpose on all control flow between the cloaked application and OS.

4. Overshadow Overview

Cloaking is a low-level primitive that protects the privacy and integrity of individual memory pages. Overshadow leverages this basic mechanism to cloak whole applications, cryptographically isolating application resources from the operating system.

Figure 2 provides an overview of the Overshadow architecture. A single VM is depicted, consisting of a guest OS together with multiple applications, one of which is cloaked. The VMM enforces a virtualization barrier between the cloaked application and the OS, similar to the barrier it enforces between the guest OS and host hardware. Overshadow introduces a shim into the address space of the cloaked application, which cooperates with the VMM to mediate all interactions with the OS.

Realizing the Overshadow design goal of whole-application protection for unmodified applications running on unmodified commodity operating systems has proved challenging. In this section, we describe several key challenges, sketch high-level solutions, and explain where more complete technical details can be found in subsequent sections.

Context Identification. The VMM must identify the guest context accessing a cloaked resource precisely and securely, in order to use the shadow page table with the correct GPPN-to-MPN view. Section 5 explains how Overshadow leverages the shim to help identify application contexts, without relying on an untrusted OS.

Secure Control Transfer. Applications must interact with the OS to perform useful work, and need to be adapted for cloaked execution. Overshadow performs this adaptation by injecting a shim into the address space of each cloaked application. The VMM cooperates with the shim to implement a transparent trampoline that interposes on all control transfers between the application and OS. The detailed mechanics of shim-based interposition for interrupts, faults, and system calls are discussed in Section 5.

System Call Adaptation. Most system calls require only simple argument marshalling between cloaked and uncloaked memory. Others, such as file I/O operations, need more complex emulation. For example, read and write system calls are implemented using mmap for encrypted I/O. Section 6 explains how particular system calls are adapted for cloaked execution.

Mapping Cloaked Resources. Overshadow must track the correspondence between application virtual addresses and cloaked resources. The shim is responsible for keeping a complete list of mappings, which is cached by the VMM. The shim resides in the same guest virtual address as the application, and interposes on all calls that modify it, such as mmap and mremap. A more detailed discussion is presented in Section 7.

Managing Protection Metadata. The VMM must maintain protection metadata, such as (IV, H) pairs, for each encrypted page, to ensure privacy and integrity. For active mappings, the VMM maintains an in-memory metadata cache that is not accessible to the guest. Metadata associated with persistent cloaked resources, such as file-backed memory regions, is stored securely within the guest filesystem. Section 7 contains a detailed treatment of Overshadow metadata management.

5. OS Integration with Cloaking

The VMM interposes on transitions between the cloaked user-mode application and the guest kernel, using distinct shadow page tables for each. Privilege-mode transitions include asynchronous interrupts, faults, and signals, and system calls issued by the cloaked application. Mediating these interactions in a secure, backwards-compatible manner requires adapting the protocols used to interact with the operating system, as well as some system calls. This is facilitated by a small shim that is loaded into a cloaked application’s address space on startup.

We describe the shim in the context of our Linux implementation, although we believe this approach could be applied to other operating systems, including Microsoft Windows. While the system call interface varies across kernels, low-level mechanisms for system call vectoring, fault handling, and memory sharing are tied more closely to the processor architecture than to a particular OS.

We begin by discussing the basic operation of the shim, how it helps the VMM manage identity, and its interaction with the kernel and VMM to adapt the application for cloaked execution. Support for handling faults, interrupts, and system calls is presented in detail. A discussion of how particular system calls are mediated is deferred until the next section.
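The Basic Cloaking Protocol of Figure 1 and the Virtual DMA disk-write rule, as an added example that is not part of the paper or of this slide deck: a Python model of one cloaked page that walks transitions 1–5, the clean re-page-out case that the read-only plaintext state exists for, a DMA disk write from the read-write state, and detection of a ciphertext the kernel has corrupted. The paper's AES-128-CBC is swapped for an HMAC-SHA256 keystream XOR so the block runs on the standard library alone; the page size, key and page contents are constructed.

```python
"""Model of Overshadow's basic cloaking protocol (Figure 1) and its virtual-DMA
disk-write rule. AES-128-CBC is replaced by an HMAC-SHA256 keystream XOR (stand-in)."""
import hashlib
import hmac
import os
PAGE_SIZE = 64  # constructed: tiny pages keep the demo readable


def _keystream(key, iv, n):
    """Stand-in cipher keystream, NOT the paper's AES-CBC: HMAC-SHA256(key, iv || ctr)."""
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def xor_crypt(key, iv, data):  # encrypt and decrypt are the same XOR
    return bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))


class IntegrityViolation(Exception):
    """Raised where the VMM would terminate the cloaked application."""


class CloakedPage:
    """One GPPN backed by a single MPN, seen through the application or system shadow."""
    ENC, PT_RO, PT_RW = "encrypted", "plaintext-ro", "plaintext-rw"

    def __init__(self, key_vmm, contents):
        self.key = key_vmm           # the single K_VMM shared by all cloaked pages
        self.data = bytes(contents)  # the one machine page
        self.state = self.PT_RW      # starts mapped in the application shadow
        self.iv_h = None             # (IV, H) metadata; None once the page is dirty

    def _encrypt_fresh(self):  # fresh random IV, ciphertext, H = SHA-256(ciphertext)
        iv = os.urandom(16)
        ct = xor_crypt(self.key, iv, self.data)
        return ct, (iv, hashlib.sha256(ct).digest())

    def _to_system_shadow(self):
        if self.state == self.PT_RW:      # transition 1: encrypt under a new (IV, H)
            self.data, self.iv_h = self._encrypt_fresh()
        elif self.state == self.PT_RO:    # transition 5: page unmodified, so reuse the
            iv, _h = self.iv_h            # retained IV and do not recompute H
            self.data = xor_crypt(self.key, iv, self.data)
        self.state = self.ENC

    def kernel_read(self):  # R_K, e.g. page-out: the kernel only ever sees ciphertext
        self._to_system_shadow()
        return self.data

    def kernel_write(self, new_contents):  # W_K, e.g. page-in of an encrypted copy
        self._to_system_shadow()
        self.data = bytes(new_contents)

    def _to_application_shadow(self):  # transitions 2/3: verify H *before* decrypting
        iv, h = self.iv_h
        if not hmac.compare_digest(hashlib.sha256(self.data).digest(), h):
            raise IntegrityViolation("cloaked page corrupted; terminating application")
        self.data = xor_crypt(self.key, iv, self.data)

    def app_read(self):
        if self.state == self.ENC:        # transition 3: map read-only, keep (IV, H)
            self._to_application_shadow()
            self.state = self.PT_RO
        return self.data

    def app_write(self, new_contents):
        if self.state == self.ENC:        # transition 2
            self._to_application_shadow()
        self.iv_h = None                  # transition 4: dirty page, discard (IV, H)
        self.state = self.PT_RW
        self.data = bytes(new_contents)

    def dma_write_source(self):  # virtual DMA disk write: what the virtual disk receives
        if self.state == self.ENC:
            return self.data              # already ciphertext: DMA directly
        if self.state == self.PT_RO:      # transient copy under the existing (IV, H)
            return xor_crypt(self.key, self.iv_h[0], self.data)
        ct, self.iv_h = self._encrypt_fresh()  # PT_RW: transient copy, new (IV, H),
        self.state = self.PT_RO                # and the page becomes plaintext read-only
        return ct


def run_protocol_checks():
    """Swap cycle, DMA write and tamper detection, following the paper's transitions."""
    secret = b"ssn=123-45-6789".ljust(PAGE_SIZE, b"\0")  # constructed sample page
    page = CloakedPage(os.urandom(16), secret)
    on_disk = page.kernel_read()      # 1: fresh (IV, H); kernel sees only ciphertext
    page.kernel_write(on_disk)        # kernel pages the same ciphertext back in
    first_view = page.app_read()      # 3: hash verified, decrypted, mapped read-only
    page.kernel_read()                # 5: page not dirty, (IV, H) reused
    page.kernel_write(on_disk)        # kernel restores the stale on-disk copy
    swap_ok = on_disk != secret and first_view == secret and page.app_read() == secret
    page.app_write(b"balance=100".ljust(PAGE_SIZE, b"\0"))  # 4: (IV, H) discarded
    dma_bytes = page.dma_write_source()   # transient ciphertext; page is now PT_RO
    dma_ok = dma_bytes != page.app_read() and page.state == CloakedPage.PT_RO
    tampered = bytearray(page.kernel_read())  # 5 again, then the OS flips one bit
    tampered[0] ^= 0x01
    page.kernel_write(bytes(tampered))
    try:
        page.app_read()
        tamper_caught = False
    except IntegrityViolation:
        tamper_caught = True
    return swap_ok, dma_ok, tamper_caught
```

Note that the stale on-disk copy decrypts only because transition 5 kept the original IV; with a fresh IV on every kernel access, the kernel's cached copy would fail the hash check and the application would be killed for a legitimate page-in.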
1998 – VMware files US Patent 6,397,242
12
As time goes by… 1990 - present
• 1998 – VMware files US Patent 6,397,242
• 1999 – VMware introduced VMware Virtual Platform for the Intel IA-32 architecture.
• 2001 – VMware created the first x86 server virtualization product (GSX)
• 2003 – First release of Xen, the first open-source x86 hypervisor
• 2003 – Microsoft acquires Virtual PC
• 2006 – VMware launches Type 1 Hypervisor (ESX)
• 2008 – VMware acquires Trango (ARM chip virtualization)
• 2008 – Microsoft unveils Hyper-V
• 2008 – New end point remote display capabilities (Virtual GPU, PCoIP, Citrix HDX, HTML 5, Web 2.0)
• 2009 – VDI starts to take hold as technology matures
13
Where are we today?
14
Where are we today?
• Virtual infrastructure is the most likely logical extension of physical infrastructure
• 600+ x86 OSes can be virtualized
• A VM can have 8 vCPUs, 1 TB RAM and 8 vNICs
• Hypervisor is now stateless – in-memory/PXE-enabled auto-deploy
• Centralized command and control of geographically dispersed virtual infrastructure available
• DMTF OVF (Open Virtualization Format) standard (VMW, MS, Citrix, Oracle, RSA, others)
  • 1.0 – 2009, 1.1 – 2010, 2.0 in working group
  • First and only virtualization standard
  • Now an ISO standard
  • Defines hypervisor-agnostic workloads (1 or many VMs)
  • Meta-data tagging
15
Putting VM Maturity into Context
• 5.5 vMotions per second – at any given time, more VMs are in motion than planes, which take off about once per second globally.
• 20 million VMs running on VMware vSphere – if they were physical machines they would stretch 2x the length of the Great Wall of China.
• Someone turns on 1 VM every six seconds – that’s faster than the rate of babies born in the U.S.
• Industries (Finance, Healthcare, Telecom, Retail): 10 out of the Top 10, 10 out of Top 10, 5 out of Top 5, 4 out of Top 5
• >1,650 ISV partners; >3,000 apps certified on VMware
16
vApp: Standard Application Package – support all applications
SLA Definitions: Availability = 99.99%, Security = High, Performance = 500 msec
[Diagram: a vApp containing several App/OS stacks; VMware Infrastructure → Virtual Datacenter OS]
An uplifting of a virtualized workload
• VM = Virtualized Hardware Box
• vApp = Virtualized Software Solution
Properties
• Comprised of one or more VMs (may be multi-tier applications)
• Encapsulates resource requirements on the deployment environment
• Distributed in industry standard Open Virtualization Format (OVF)
Built by
• ISVs / Virtual Appliance Vendors
• IT administrators
• SI/VARs
[Diagram: Cloud 1 and Cloud 2, each with a Cloud OS and Management layer, linked by Federation & Choice and Standards]
17
VMware vSphere – Virtual Datacenters (vDC)
18
Automated…
Intelligent Policy Management – Standardized Service Tiers
Virtual Infrastructure: service tiers Gold, Silver, Bronze
SLA definitions for a workload: Availability = 99.99%, DR RTO = 1 hour, Max Latency = 500 ms
Workload requirements to place: Availability 99.99%, DR RTO 1 hour, Back up daily, Storage capacity 1 TB, Performance High I/O, Security High – which tier?

Tier     Availability  DR RTO  Back up  Storage capacity  Performance  Security
Gold     99.99%        1 hour  daily    10 TB             High I/O     High
Silver   99.9%         3 hour  weekly   10 TB             Med I/O      Mid
Bronze   99.0%         none    none     10 TB             low I/O      low

Placement
Provisioning of infra services: • DR plan • Back up • Anti-virus • Firewall
19
Secure and Agile Hybrid Infrastructure
[Diagram: Private Cloud (Virtualization, Operations and Management, Security and Compliance, Cloud Consumption) ↔ Portability ↔ Public & Service Clouds]
• Cross-Cloud Standards – vCloud API, Open Virtualization Format
• Cross-Cloud Management – vCloud Connector
VMware-driven standards and management enable enterprise-class clouds
Externally provided cloud options:
• vCloud Powered – broad array of VMware-compatible clouds for any business need
• Public Clouds – VMware public cloud partners
• vCloud Datacenter – security & performance for enterprises
20
What else is New?
• QoS guarantees for compute, virtual network and virtual storage
• Distributed Power Management – power on only what you need
• Predictive analysis of issues with automated remediation when possible
• Compliance templates that auto-alert and remediate
• Applicable to infrastructure and PaaS applications
• Virtualization-capable and -aware TC and DB services
• Not just hot add of CPU/RAM
• Integrated monitoring for performance issues from app to infrastructure
• Application performance based expansion/contraction of services
• Full control of DB schema, table, clone, etc.
21
What else is new?
• Distributed Virtual Networking
• Edge device – DHCP, NAT, port-level FW, load balancing, IPsec VPN, etc.
• You choose the edge! It’s virtual! How about every vNIC?
• Automated policy enforcement
• Default fail closed
• VXLAN – extended virtual LAN
• vMotion Anywhere enabler
• “Flattens” your L2 geographically dispersed networks
• Reduces network re-config of transient workloads
• In-cache-memory Data as-a-Service
• “Smart Data” – through persistent queries (more on this later)
22
What else is new?
• High Availability for all – not just high-end services
• Zero downtime and automated restart of failed service
• DR to the cloud if you like, as a safety net
• Virtual security evolving quickly (more secure than physical)
• DIACAP and STIG hypervisor hardening
• Hypervisor-based end point anti-virus protection
• Security policy follows virtual workloads
• Dynamic trust zones can be established and enforced
• DLP available
• Projects AppBlast, Octopus, Horizon Mobile
• Agentless Windows/Linux/Web app delivery to HTML5
• Dropbox for the enterprise
• Secure BYOM – virtualization of the ARM chip has begun
23
What’s Next?
24
Bring Your Own Device Begins with Mobile
Mobile Virtualization Bridges Personal & Enterprise Workspaces
Personal
• Unrestricted access to personal data and applications
• Make calls, share pictures
• Personal (‘home’) phone cannot be altered by IT
Enterprise
• Virtual “work” phone – fully encrypted, runs locally
• Fully managed by IT
• Corporate applications and infrastructure support
• Complete separation and isolation
25
February 2012 study on mobility
Take Away: Good Things Come in Small Packages
Mobility on the Rise – Feds anticipate increased use of PC alternatives
[Chart: “Approximately what percentage of employees at your agency use or will use each of the following devices for work-related tasks?”; quote fragment “…stay connected” – IT Manager, Civilian agency]
That means, in the next two years, the Federal workforce* will need:
• 44,430 additional laptops
• 355,440 additional smartphones
• 533,160 additional tablets
*Based on 4,443,000 total Federal employees, http://www.opm.gov/feddata/HistoricalTables/TotalGovernmentSince1962.asp
26
Mobile Application Investments in Federal
Source: 2011 BizTech report, “Federal Mobile Applications: Lessons Learned and Best Practices in Supporting the Mobile and Digital Agenda to Enhance Citizen Services”
[Chart: 39% – “We have not invested in mobile apps to date”; n = 130 (respondents could choose more than one answer)]
The rising adoption of mobile devices is driving demand for mobile applications. Although most of the demand centers on custom software development vs. packaged software products, software vendors should consider their ability to deliver capabilities through multiple devices and with varying delivery models.
27
End User Computing Platform for the Post-PC Era
CONNECT MANAGE SIMPLIFY
Desktop Service
App Catalog Service
Data Service
Secure Universal Access
Users, Desktops, Apps, Data
Policies
End Users
Universal Services Broker
28
Big Data
My Apps, My Files, Native Device Experience
29
Application Modernization Platform goes virtual
Data Services
Other Services
Msg Services
Micro Clouds
Public Clouds
Private Clouds
Deploy and Scale with PaaS
Create Agile Data Fabric
Modernize Applications
30
Back to why you care
31
Virtualization doesn’t change everything – but it does change IT
• Process – Project management methodology and SDLC to leverage virtualization and cloud technology
• People – Staff trained in virtualization and cloud computing
• Technology – Service-based architecture with “cost arbitrage”
32
The Next Breakthrough in Datacenter Economics
[Chart: datacenter cost breakdown, Legacy = 100, across Labor, Software, Hardware and Facilities + Fabric; bar values shown: 67, 17, 7, 5, 4; Telecom shown for comparison]
Source: TMT Value Migration Database, Gartner IT Key Metrics Data 2009; McKinsey
Decrease labor cost through self service, policy-based automation and post-ITIL management
33
Roles will change – End-User Experiences Evolve
Cloud: Flexible, efficient, scalable
End users: Task Workers, Knowledge Workers, Mobile Users, Power Users
IT roles: Infrastructure Administrators, Security & Architects, Service Managers, Software Developers, Library Administrators
34
Lessons Learned in Virtualization at Scale
[Diagram centered on Virtual Infrastructure]
• Multi-Tenancy – Establishing an organizationally driven hierarchy and ensuring logical separation throughout the stack
• Automation – Cloud leverages automation from both automatic and scripted sources
• Security and Control – Maintaining security and compliance when users have access to and control over the environment
• Strategy – Not all clouds are created equal, and not all applications behave the same in the cloud
• Standardization – Software products and versions must be standardized, integrated and deployed on standard infrastructure blocks
• Management – Integrating the management of multiple resource pools, environments, and clients within change processes
• Expertise – Achieving benefits from the cloud requires an evolution of skills and expertise
• Transformation – Cloud requires transformation of both architecture and organization
35
Data as-a-Service A DoD Example
36
Data as a Service
vFabric Mission Enablement
37
Putting it all Together: Mission Enablement
[Diagram: New Mission Apps, SaaS Apps and Existing Analytics on top of a Private DaaS Infrastructure; Existing Data Sources: SOCOM, DISA, NAVSOC, SOF Community; Cloud]
38
Now What?
39
Learn and Benefit from others – Accelerated Project Strategy
[Chart: days per phase of implementation vs. customer approach to services]
• Quick and seamless implementation
• Learning during implementation impacts user satisfaction and puts the entire project at risk
• Lessons learned in early services shorten subsequent phases
40
Just a thought! DOE Hanford Federal Cloud (HFNet)
• Initial projections over the next four years indicate about $12 million in total cost saving, DOE officials said. The savings include:
  • Reducing CO2 emissions by 3 million pounds.
  • Reducing power by 2 million kilowatt hours.
  • 30 percent reduction in the total cost of ownership.
  • 48 percent reduction in operating expenses.
The Energy Department has forged a partnership with Lockheed Martin to increase energy efficiency through data center consolidation and IT enhancements.
The partnership is the first use of a federal Energy Savings Performance Contract to reach sustainability goals through improved IT practices, DOE and Lockheed Martin officials said. ESPC contracts let agencies embark on energy-savings projects without upfront capital costs and without special congressional appropriations.
41
Thank you!
Questions?