Virtualization Changes Everything | GSF 2012 | Session 3-3


Virtualization Changes Everything. By definition, virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others. Find out how virtualization has changed over the years, where we are today, what to expect in the future, and why you should care about it.

Transcript of Virtualization Changes Everything | GSF 2012 | Session 3-3

Page 1: Virtualization Changes Everything | GSF 2012 | Session 3-3

© 2009 VMware Inc. All rights reserved

Virtualization Changes Everything! Curtis Brazier

Sr. Program Manager, Federal Cloud

[email protected]

Page 2

Agenda

•  About Me
•  Virtualization – what is it?
•  A little History Lesson
•  Where are we today?
•  What’s next?
•  Why should you care?
•  Closing

Page 3

About Curtis

1987 – Control Data Institute

1988 – 1998 – installed, managed and maintained PC/LAN/WAN

1998 – 2003 – Novell, Inc.

2003 – 2006 – RSA and Gemplus

2006 – Present – VMware

Page 4

Virtualization – What is it?

Page 5

By Definition

Virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.

Page 6

A little History Lesson

Page 7

1963 – Term “virtual machine” was introduced

IBM 7044 (M44)
•  Experimental
•  Multiple images of itself
•  Bring down entire system to patch underlying OS

Proved that “close enough” to a virtual machine system wasn’t good enough.

Page 8

1964 – IBM System/360

IBM Cambridge Scientific Center and MIT

•  CP-40 ran multiple OS instances

•  CMS (Cambridge Monitor System)

•  Multiple “client” interfaces

•  GA January 1967

Notes on the slide images:

Left: One of the first ads for the System/360, circa 1964. The System/360 was first announced in April of 1964, and delivered to customers in 1965. The System/360 cost IBM $5 billion to develop, which was second in cost only to the Apollo Moon program, during the decade of the 1960s.

Right: Dr. Frederick Brooks – the project manager of the S/360. He has won over 20 honors and awards, including the “National Medal of Technology” in 1985. (Gene Amdahl was the chief architect of the S/360.)

Left: OS/360: Concurrent Peripheral Operation, circa 1966 (multi-tasking, input and output queues, concurrent printing, etc).

Right: A System/370-155 operator’s panel from the early/mid 1970s. It was one of the last IBM mainframes to have a panel with plentiful lights, dials, and switches.

Page 9

1972 – the introduction of virtual memory

IBM announces virtual memory for System/370

2012 – Virtual memory can be overcommitted by ~2:1 (transparent page sharing, balloon drivers, linked clones, etc.)

Page 10

As time goes by… 1970-1990

•  1974 – 8080 microprocessor – “First True General Purpose Microprocessor”
•  1980 – Ethernet project began between Intel, DEC and Xerox
•  1981-1984 – Ethernet Voice over IP experiments expose weakness in Ethernet interconnection and scale. Concept of vLAN (virtual Local Area Network) and Ethernet switching came alive.
•  1988 – Sun Version 1.0 – SoftPC and SoftWindows software emulators of x86 hardware.

Page 11

x86 Virtual Machine Monitor – Intro of privileged and non-privileged execution

[Slide image: pages of the Overshadow paper (Chen et al., ASPLOS’08). The text extracted from the image is reflowed below in the paper’s reading order; the excerpt starts and stops mid-page.]

Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems

Xiaoxin Chen, Tal Garfinkel, E. Christopher Lewis, Pratap Subrahmanyam, Carl A. Waldspurger (VMware, Inc.); Dan Boneh (Stanford University); Jeffrey Dwoskin (Princeton University); Dan R. K. Ports (MIT)

{mchen,talg,lewis,pratap,carl}@vmware.com, [email protected], [email protected], [email protected]

Abstract

Commodity operating systems entrusted with securing sensitive data are remarkably large and complex, and consequently, frequently prone to compromise. To address this limitation, we introduce a virtual-machine-based system called Overshadow that protects the privacy and integrity of application data, even in the event of a total OS compromise. Overshadow presents an application with a normal view of its resources, but the OS with an encrypted view. This allows the operating system to carry out the complex task of managing an application’s resources, without allowing it to read or modify them. Thus, Overshadow offers a last line of defense for application data.

Overshadow builds on multi-shadowing, a novel mechanism that presents different views of “physical” memory, depending on the context performing the access. This primitive offers an additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processor architectures.

We present the design and implementation of Overshadow and show how its new protection semantics can be integrated with existing systems. Our design has been fully implemented and used to protect a wide range of unmodified legacy applications running on an unmodified Linux operating system. We evaluate the performance of our implementation, demonstrating that this approach is practical.

Categories and Subject Descriptors: D.4.6 [Operating Systems]: Security and Protection

General Terms: Design, Security, Performance

Keywords: Virtual Machine Monitors, VMM, Hypervisors, Operating Systems, Memory Protection, Multi-Shadowing, Cloaking

1. Introduction

Commodity operating systems are ubiquitous in home, commercial, government, and military settings. Consequently, these systems are tasked with handling all manner of sensitive data, from individual passwords and crypto keys, to databases of social security numbers, to sensitive documents and voice traffic.

Unfortunately, the security provided by commodity operating systems is often inadequate. Trusted OS components include not just the kernel but also device drivers and system services that run with privilege (e.g., daemons that run as root in Linux). These components generally comprise a large body of code, with broad attack surfaces that are frequently vulnerable to exploitable bugs or misconfigurations. Once such privileged code is compromised, an attacker gains complete access to sensitive data on a system. While some facets of security in these systems will continue to improve, we believe competitive pressures to provide richer functionality and retain compatibility with existing applications will keep the complexity of such systems high, and their assurance poor.

To ameliorate this problem, many have attempted to retrofit higher-assurance execution environments onto commodity systems. Previous efforts have explored executing applications handling sensitive data in separate virtual machines [10, 29, 8], using secure co-processors [7], or changing the processor architecture to introduce orthogonal protection mechanisms that protect application data from the OS [6, 13, 16, 19, 27]. Unfortunately, these generally demand major changes in the way that applications are written [7, 8, 16, 18, 28] and used [8, 10], and how OS resources are managed [10, 29]. Such radical departures pose a substantial barrier to adoption.

We offer an alternative in a system called Overshadow. Overshadow protects legacy applications from the commodity operating systems running them. Unlike other approaches, it requires no changes to existing operating systems or applications, nor any additional hardware support. Instead, it works by extending the isolation capabilities of the virtualization layer to allow protection of entities inside a virtual machine.

Overshadow adds this protection through a novel technique called multi-shadowing which leverages the extra level of indirection offered by memory virtualization in a virtual machine monitor (VMM). Conceptually, a typical VMM maintains a one-to-one mapping from guest “physical” addresses to actual machine addresses. Multi-shadowing replaces this with a one-to-many, context-dependent mapping, providing multiple views of guest memory. Overshadow leverages this mechanism to present an application with a cleartext view of its pages, and the OS with an encrypted view, a technique we call cloaking. Encryption-based protection allows resources to remain accessible to the OS, yet secure, permitting it to manage resources without compromising application privacy or integrity.

Cloaking is a low-level primitive that operates on basic memory pages. However, nearly all higher-level application resources – including code, data, files, and even IPC streams – are already managed as memory-mapped objects by modern operating systems, or

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. ASPLOS’08, March 1–5, 2008, Seattle, Washington, USA. Copyright © 2008 ACM 978-1-59593-958-6/08/0003… $5.00

mappings, and keeps them consistent with the GVPN-to-GPPN mappings managed by the guest OS [1]. Since the hardware TLB caches direct GVPN-to-MPN mappings, ordinary memory references execute without incurring virtualization overhead.

3.2 Multi-Shadowing

Existing virtualization systems present a single view of guest “physical” memory, faithfully emulating the properties of real hardware. One-to-one GPPN-to-MPN mappings are typically employed, backing each guest physical page with a distinct machine page. Some systems implement many-to-one mappings to support shared memory; e.g., transparent page sharing maps multiple GPPNs copy-on-write to a single MPN [4, 30]. However, existing virtualization systems do not provide flexible support for mapping a single GPPN to multiple MPNs.¹

Multi-shadowing is a novel mechanism that supports context-dependent, one-to-many GPPN-to-MPN mappings. Conceptually, multiple shadow page tables are used to provide different views of guest physical memory to different shadow contexts. The “context” that determines which view (shadow page table) to use for a particular memory access can be defined in terms of any state accessible to the VMM, such as the current protection ring, page table, instruction pointer, or some other criteria.

Traditional operating systems and processor architectures implement hierarchical protection domains, such as protection rings [25]. Multi-shadowing offers an additional dimension of protection orthogonal to existing hierarchies, enabling a wide range of unconventional protection policies.

3.3 Memory Cloaking

Cloaking combines multi-shadowing with encryption, presenting different views of memory – plaintext and encrypted – to different guest contexts. Our use of encryption is similar to XOM [19, 18], which modified both the processor architecture and operating system to encrypt and isolate application memory. The term “cloaking” has also been used by Intel’s LaGrande Technology (LT) [13], which introduced a different architectural mechanism for creating orthogonal protection domains.

In contrast to XOM and LT, our virtualization-based cloaking does not require any changes to the processor architecture, OS, or applications. In fact, cloaking based on multi-shadowing represents a relatively small change to the core MMU functionality already implemented by a VMM. We initially describe cloaking using a high-level model. Details concerning metadata management and integration with existing systems are presented in later sections.

Single Page, Encrypted/Unencrypted Views. We represent each GPPN using only a single MPN, and dynamically encrypt and decrypt its contents depending on the view currently accessing the page. This works well, since few pages are accessed simultaneously by both the application and the kernel in practice. As an optimization, the system could keep two read-only copies of the page, one encrypted, and one plaintext, for pages that are read concurrently from both views.

When a cloaked page is accessed from outside the shadow context to which it belongs, the VMM first encrypts the page, using a fresh, randomly-generated initialization vector (IV), then takes a secure hash H of this ciphertext. The pair (IV, H) is stored securely for future use. During decryption, the correct hash is first verified. If verification fails, the application is terminated. If it succeeds, the cloaked page is decrypted, and execution proceeds as normal. By checking the hash before decryption, any attempts to corrupt cloaked pages will be detected.

¹ Some x86 VMMs do statically map a single GPPN to multiple MPNs to emulate the legacy A20 line, for compatibility with real-mode applications. The A20 line forces physical address bit 20 to zero, aliasing adjacent 1MB regions of memory.

Figure 1. Basic Cloaking Protocol. State transition diagram for maintaining the secrecy and integrity of a single cloaked page. Application reads RA and writes WA manipulate plaintext page contents, while kernel reads RK and writes WK use an encrypted version of the page. A secure hash H is computed and stored immediately after page encryption, and verified immediately prior to page decryption.

Overshadow currently uses a single secret key KVMM managed by the VMM to encrypt all pages; see Section 7.7 for details. Encryption uses AES-128 in CBC mode, and hashing uses SHA-256; both are standard constructions. An integrity-only mode could be supported easily, but is not part of the current implementation.

Basic Cloaking Protocol. Consider a single guest “physical” page (GPPN). At any point in time, the page is mapped into only one shadow page table – either a protected application shadow used by a cloaked user-space process, or the system shadow used for all other accesses. When the page is mapped into the application shadow, its contents are ordinary plaintext, and application reads and writes proceed normally.

Figure 1 presents the basic state transition diagram for managing cloaked pages. When the cloaked page is accessed via the system shadow (transition 1), the VMM unmaps the page from the application shadow, encrypts the page, generates an integrity hash, and maps the page into the system shadow. The kernel may then read the encrypted contents, e.g., to swap the page to disk, and may also overwrite its contents, e.g., to swap in a previously-encrypted page from disk.

When the encrypted page is subsequently accessed via the application shadow (transitions 2 or 3), the VMM unmaps the page from the system shadow, verifies its integrity hash, decrypts the page, and maps the page into the application shadow. For an application read (transition 3), the page is mapped read-only and its (IV, H) is retained. If the page is later written by the application (transition 4), the (IV, H) is discarded, and the page protection is changed to read/write. If the page is instead accessed by the kernel (transition 5), the VMM proceeds as in transition 1, except that the hash for the (unmodified) page is not recomputed.

The read-only plaintext state, where the (IV, H) is retained, is required to correctly handle the case where the kernel legitimately caches a copy of the encrypted page contents. For example, this could occur if the kernel swaps a cloaked page to disk, which is later paged in due to an application read, and then swapped out again before the application modifies it. The kernel can optimize the second page-out by noticing that the page is not dirty, and simply unmap the page without reading it, since the on-disk swapped copy is still valid. If the (IV, H) had been discarded, it would not be possible to decrypt the page after it is swapped back in.

Cloaking is compatible with copy-on-write (COW) techniques for sharing identical pages within or between VMs. Plaintext pages can be shared transparently, and page encryption handled like a COW fault.

Virtual DMA. Cloaking is also compatible with virtual devices that access guest memory using DMA. For example, suppose the guest kernel performs disk I/O on a cloaked memory page via a virtual SCSI adapter. For a disk read, the cloaked page contents are already encrypted on disk, and the VMM simply permits the kernel to issue a DMA request to read the page.

For a disk write, the action taken by the VMM depends on the current state of the cloaked page. If the page is already encrypted, the VMM allows the DMA to be performed directly. When the page is in the plaintext read-only state, the VMM first encrypts the page contents with its existing (IV, H) into a separate page that is used for the DMA operation. Similarly, if the page is in the plaintext read-write state, the VMM encrypts its contents into a separate page used for the DMA operation. The cloaked page then transitions to the read-only plaintext state, and is associated with the newly-generated (IV, H). Note that in both plaintext states, the original guest page is still accessible in plaintext form to the application, since a transient encrypted copy is used during the actual DMA.

4. Overshadow Overview

Cloaking is a low-level primitive that protects the privacy and integrity of individual memory pages. Overshadow leverages this basic mechanism to cloak whole applications, cryptographically isolating application resources from the operating system.

Figure 2 provides an overview of the Overshadow architecture. A single VM is depicted, consisting of a guest OS together with multiple applications, one of which is cloaked. The VMM enforces a virtualization barrier between the cloaked application and the OS, similar to the barrier it enforces between the guest OS and host hardware. Overshadow introduces a shim into the address space of the cloaked application, which cooperates with the VMM to mediate all interactions with the OS.

Figure 2. Overshadow Architecture. The VMM enforces two virtualization barriers (gray lines). One isolates the guest from the host, and the other cryptographically isolates cloaked applications from the guest OS. The shim cooperates with the VMM to interpose on all control flow between the cloaked application and OS.

Realizing the Overshadow design goal of whole-application protection for unmodified applications running on unmodified commodity operating systems has proved challenging. In this section, we describe several key challenges, sketch high-level solutions, and explain where more complete technical details can be found in subsequent sections.

Context Identification. The VMM must identify the guest context accessing a cloaked resource precisely and securely, in order to use the shadow page table with the correct GPPN-to-MPN view. Section 5 explains how Overshadow leverages the shim to help identify application contexts, without relying on an untrusted OS.

Secure Control Transfer. Applications must interact with the OS to perform useful work, and need to be adapted for cloaked execution. Overshadow performs this adaptation by injecting a shim into the address space of each cloaked application. The VMM cooperates with the shim to implement a transparent trampoline that interposes on all control transfers between the application and OS. The detailed mechanics of shim-based interposition for interrupts, faults, and system calls are discussed in Section 5.

System Call Adaptation. Most system calls require only simple argument marshalling between cloaked and uncloaked memory. Others, such as file I/O operations, need more complex emulation. For example, read and write system calls are implemented using mmap for encrypted I/O. Section 6 explains how particular system calls are adapted for cloaked execution.

Mapping Cloaked Resources. Overshadow must track the correspondence between application virtual addresses and cloaked resources. The shim is responsible for keeping a complete list of mappings, which is cached by the VMM. The shim resides in the same guest virtual address as the application, and interposes on all calls that modify it, such as mmap and mremap. A more detailed discussion is presented in Section 7.

Managing Protection Metadata. The VMM must maintain protection metadata, such as (IV, H) pairs, for each encrypted page, to ensure privacy and integrity. For active mappings, the VMM maintains an in-memory metadata cache that is not accessible to the guest. Metadata associated with persistent cloaked resources, such as file-backed memory regions, is stored securely within the guest filesystem. Section 7 contains a detailed treatment of Overshadow metadata management.

5. OS Integration with Cloaking

The VMM interposes on transitions between the cloaked user-mode application and the guest kernel, using distinct shadow page tables for each. Privilege-mode transitions include asynchronous interrupts, faults, and signals, and system calls issued by the cloaked application. Mediating these interactions in a secure, backwards-compatible manner requires adapting the protocols used to interact with the operating system, as well as some system calls. This is facilitated by a small shim that is loaded into a cloaked application’s address space on startup.

We describe the shim in the context of our Linux implementation, although we believe this approach could be applied to other operating systems, including Microsoft Windows. While the system call interface varies across kernels, low-level mechanisms for system call vectoring, fault handling, and memory sharing are tied more closely to the processor architecture than to a particular OS.

We begin by discussing the basic operation of the shim, how it helps the VMM manage identity, and its interaction with the kernel and VMM to adapt the application for cloaked execution. Support for handling faults, interrupts, and system calls is presented in detail. A discussion of how particular system calls are mediated is deferred until the next section.

1998 – VMware files US Patent 6,397,242
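The Overshadow excerpt reproduced on this slide describes the basic cloaking protocol of its Figure 1: a page is encrypted under a fresh IV whenever the kernel’s system shadow touches it, H = SHA-256(ciphertext) is stored with the IV, and H is verified before any decryption back into the application shadow. The following simulation is an added example, not code from the paper, from VMware, or from the talk. It models the single-MPN design and the five transitions in the text, including the read-only plaintext state that keeps (IV, H) so a kernel-cached swap copy stays decryptable, and shows that kernel-side corruption of the ciphertext is caught before decryption. Assumptions: pages are 64 bytes rather than 4 KiB, and HMAC-SHA256 driven in counter mode stands in for the paper’s AES-128-CBC so the example needs only the Python standard library; the class and method names are this example’s own.

```python
import hashlib
import hmac
import secrets

PAGE_SIZE = 64  # constructed: tiny pages keep the demo readable; real pages are 4 KiB


class IntegrityViolation(Exception):
    """H does not match the ciphertext: the VMM terminates the cloaked application."""


def _keystream(key, iv, length):
    # HMAC-SHA256 in a counter construction stands in for the paper's AES-128-CBC
    # (assumption for a stdlib-only demo; the protocol does not depend on the cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_page(key, iv, data):
    """Encrypt or decrypt one page under (key, iv); XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))


class CloakedPage:
    """One guest physical page (GPPN) backed by a single machine page (MPN)."""
    PLAINTEXT_RW = "plaintext-rw"  # application shadow, read/write, no (IV, H)
    PLAINTEXT_RO = "plaintext-ro"  # application shadow, read-only, (IV, H) retained
    ENCRYPTED = "encrypted"        # system shadow: the kernel sees ciphertext only

    def __init__(self, key, contents):
        assert len(contents) == PAGE_SIZE
        self.key = key                  # K_VMM: held by the VMM, never mapped into the guest
        self.mpn = bytearray(contents)  # the single MPN behind this GPPN
        self.state = self.PLAINTEXT_RW
        self.iv = self.h = None
        self.hash_computations = 0      # lets the demo show that transition 5 does not re-hash

    def _to_system_shadow(self):
        if self.state == self.PLAINTEXT_RW:
            # Transition 1: fresh random IV, encrypt in place, H = SHA-256(ciphertext).
            self.iv = secrets.token_bytes(16)
            self.mpn[:] = xor_page(self.key, self.iv, self.mpn)
            self.h = hashlib.sha256(self.mpn).digest()
            self.hash_computations += 1
        elif self.state == self.PLAINTEXT_RO:
            # Transition 5: the page is unmodified since decryption, so the retained IV
            # reproduces the identical ciphertext and the stored H is still valid.
            self.mpn[:] = xor_page(self.key, self.iv, self.mpn)
        self.state = self.ENCRYPTED

    def _to_application_shadow(self):
        if self.state == self.ENCRYPTED:
            # Transitions 2/3: verify H before decrypting; corruption by anything holding
            # the system shadow (a compromised kernel included) is detected here.
            if not hmac.compare_digest(hashlib.sha256(self.mpn).digest(), self.h):
                raise IntegrityViolation("cloaked page failed integrity check")
            self.mpn[:] = xor_page(self.key, self.iv, self.mpn)
            self.state = self.PLAINTEXT_RO

    def app_read(self):
        self._to_application_shadow()   # transition 3 (no-op if already plaintext)
        return bytes(self.mpn)

    def app_write(self, data):
        self._to_application_shadow()   # transition 2 (no-op if already plaintext)
        self.iv = self.h = None         # transition 4: (IV, H) discarded, page read/write
        self.state = self.PLAINTEXT_RW
        self.mpn[:] = data

    def kernel_read(self):
        self._to_system_shadow()        # transition 1 or 5
        return bytes(self.mpn)          # e.g. the kernel swaps this copy to disk

    def kernel_write(self, data):
        self._to_system_shadow()
        self.mpn[:] = data              # e.g. the kernel swaps a saved copy back in


def run_scenario():
    """Drive one page through the protocol and return what each step observed."""
    key = secrets.token_bytes(16)  # K_VMM (constructed)
    secret = b"constructed: secret application data".ljust(PAGE_SIZE, b"\0")
    page = CloakedPage(key, secret)

    swap_out = page.kernel_read()             # 1: kernel gets ciphertext
    read_back = page.app_read()               # 3: verified + decrypted, now read-only
    swap_out_again = page.kernel_read()       # 5: same IV -> same bytes, no new hash
    page.kernel_write(swap_out)               # kernel restores the copy it cached earlier
    restored = page.app_read()                # succeeds only because (IV, H) was retained
    hashes_before_rewrite = page.hash_computations

    page.app_write(b"constructed: updated data".ljust(PAGE_SIZE, b"\0"))  # 4
    fresh = page.kernel_read()                # 1 again: new IV and new H
    tampered = bytearray(fresh)
    tampered[0] ^= 0xFF                       # kernel-side corruption of the ciphertext
    page.kernel_write(bytes(tampered))
    try:
        page.app_read()
        tamper_detected = False
    except IntegrityViolation:
        tamper_detected = True

    return {
        "kernel_sees_plaintext": swap_out == secret,
        "read_back_ok": read_back == secret,
        "second_swap_identical": swap_out_again == swap_out,
        "restored_from_cache": restored == secret,
        "hashes_before_rewrite": hashes_before_rewrite,
        "hashes_after_rewrite": page.hash_computations,
        "rewrite_changed_ciphertext": fresh != swap_out,
        "tamper_detected": tamper_detected,
    }
```

Calling run_scenario() walks the page through transitions 1, 3, 5, a swap-in of the cached copy, 4, and 1 again; the returned dictionary records that the kernel never observes plaintext, that the second swap-out reuses the stored (IV, H) without re-hashing, that the cached swap copy still decrypts, that an application write forces a new IV, and that a corrupted ciphertext is rejected before decryption.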

Page 12

As time goes by… 1990 - present

•  1998 – VMware files US Patent 6,397,242
•  1999 – VMware introduced VMware Virtual Platform for the Intel IA-32 architecture.
•  2001 – VMware created the first x86 server virtualization product (GSX)
•  2003 – First release of first open-source x86 hypervisor, Xen
•  2003 – Microsoft acquires Virtual PC
•  2006 – VMware launches Type 1 Hypervisor (ESX)
•  2008 – VMware acquires Trango (ARM chip virtualization)
•  2008 – Microsoft unveils Hyper-V
•  2008 – New end point remote display capabilities (Virtual GPU, PCoIP, Citrix HDX, HTML 5, Web 2.0)
•  2009 – VDI starts to take hold as technology matures

Page 13

Where are we today?

Page 14

Where are we today?

•  Virtual infrastructure is most likely a logical extension of physical infrastructure
•  600+ x86 OSes can be virtualized
•  A VM can have 8 vCPUs, 1 TB RAM and 8 vNICs
•  Hypervisor is now stateless – in-memory/PXE-enabled auto-deploy
•  Centralized command and control of geographically dispersed virtual infrastructure available
•  DMTF OVF (Open Virtualization Format) standard (VMW, MS, Citrix, Oracle, RSA, others)
   •  1.0 – 2009, 1.1 – 2010, 2.0 in working group
   •  First and only virtualization standard
   •  Now ISO standard
   •  Defines hypervisor-agnostic workloads (1 or many VMs)
   •  Meta-data tagging

Page 15

Putting VM Maturity into Context

•  5.5 vMotions per second – at any given time, more VMs are in motion than planes, which take off about once per second globally.
•  20 million VMs running on VMware vSphere – if they were physical machines they would stretch 2x the length of the Great Wall of China.
•  Someone turns on 1 VM every six seconds – that’s faster than the rate of babies born in the U.S.
•  Industry adoption – Finance: 10 out of the Top 10; Healthcare: 10 out of Top 10; Telecom: 5 out of Top 5; Retail: 4 out of Top 5
•  >1,650 ISV partners; >3,000 apps certified on VMware

Page 16

Support all applications – vApp: Standard Application Package

An uplifting of a virtualized workload
•  VM = Virtualized Hardware Box
•  vApp = Virtualized Software Solution

Properties
•  Comprised of one or more VMs (may be multi-tier applications)
•  Encapsulates resource requirements on the deployment environment
•  Distributed in industry standard Open Virtualization Format (OVF)

Built by
•  ISVs / Virtual Appliance Vendors
•  IT administrators
•  SI/VARs

[Diagram: a vApp made of several App/OS stacks with attached SLA definitions (Availability = 99.99%, Security = High, Performance = 500 msec); VMware Infrastructure → Virtual Datacenter OS; Cloud 1 and Cloud 2, each with a Cloud OS and Management, joined by Federation & Choice and Standards]

Page 17

VMware vSphere – Virtual Datacenters (vDC)

Page 18

Automated… Intelligent Policy Management – Standardized Service Tiers

Virtual Infrastructure service tiers

SLA attribute       Gold        Silver      Bronze
Availability        99.99%      99.9%       99.0%
DR RTO              1 hour      3 hour      none
Back up             daily       weekly      none
Storage capacity    10 TB       10 TB       10 TB
Performance         High I/O    Med I/O     low I/O
Security            High        Mid         low

Example workload SLA definitions: Availability = 99.99%, DR RTO = 1 hour, Back up = daily, Storage capacity = 1 TB, Performance = High I/O, Security = High (Max Latency = 500 ms)

Placement – provisioning of infra services: DR plan, back up, anti-virus, firewall
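The slide above names the placement step but not how a workload’s SLA definitions are matched against the tiers. The following routine is an added example (not VMware code and not from the talk): it encodes the three tiers with the slide’s values, compares each requirement on its own scale, and places the workload in the cheapest tier that satisfies all of them, refusing placement (fail closed) when no tier qualifies. The attribute names, the ordinal scales for backup/performance/security, and the rule that Bronze is cheaper than Silver is cheaper than Gold are this example’s assumptions.

```python
# Tier definitions with the slide's values; None means the tier offers no DR / no backup.
TIERS = {
    "Gold":   {"availability": 99.99, "dr_rto_hours": 1,    "backup": "daily",
               "storage_tb": 10, "performance": "high", "security": "high"},
    "Silver": {"availability": 99.9,  "dr_rto_hours": 3,    "backup": "weekly",
               "storage_tb": 10, "performance": "med",  "security": "mid"},
    "Bronze": {"availability": 99.0,  "dr_rto_hours": None, "backup": None,
               "storage_tb": 10, "performance": "low",  "security": "low"},
}
# Cheapest tier first (assumption): placement takes the first tier meeting every requirement.
TIER_ORDER = ["Bronze", "Silver", "Gold"]

# Ordinal scales for the qualitative attributes (higher index = stronger); assumed.
BACKUP_RANK = {None: 0, "weekly": 1, "daily": 2}
PERFORMANCE_RANK = {"low": 0, "med": 1, "high": 2}
SECURITY_RANK = {"low": 0, "mid": 1, "high": 2}


def unmet_requirements(tier, req):
    """Names of the SLA attributes on which `tier` falls short of the workload's `req`."""
    unmet = []
    if tier["availability"] < req["availability"]:
        unmet.append("availability")
    # A finite RTO requirement can never be met by a tier without DR (None);
    # a workload that needs no DR (req None) is satisfied by any tier.
    if req["dr_rto_hours"] is not None and (
        tier["dr_rto_hours"] is None or tier["dr_rto_hours"] > req["dr_rto_hours"]
    ):
        unmet.append("dr_rto_hours")
    if BACKUP_RANK[tier["backup"]] < BACKUP_RANK[req["backup"]]:
        unmet.append("backup")
    if tier["storage_tb"] < req["storage_tb"]:
        unmet.append("storage_tb")
    if PERFORMANCE_RANK[tier["performance"]] < PERFORMANCE_RANK[req["performance"]]:
        unmet.append("performance")
    if SECURITY_RANK[tier["security"]] < SECURITY_RANK[req["security"]]:
        unmet.append("security")
    return unmet


def place_workload(req):
    """Cheapest tier that meets every requirement, or None when no tier does (fail closed)."""
    for name in TIER_ORDER:
        if not unmet_requirements(TIERS[name], req):
            return name
    return None


# The workload from the slide's SLA definitions (constructed dict, values from the slide).
SLIDE_WORKLOAD = {"availability": 99.99, "dr_rto_hours": 1, "backup": "daily",
                  "storage_tb": 1, "performance": "high", "security": "high"}
```

place_workload(SLIDE_WORKLOAD) returns "Gold"; unmet_requirements(TIERS["Bronze"], SLIDE_WORKLOAD) explains why the cheaper tiers were rejected, which is the information an operator wants when a placement policy says no.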

Page 19

Secure and Agile Hybrid Infrastructure

VMware driven standards and management enable enterprise class clouds

Private Cloud
•  Virtualization
•  Operations and Management
•  Security and Compliance
•  Cloud Consumption

Portability to Public & Service Clouds
•  Cross-cloud standards: vCloud API, Open Virtualization Format
•  Cross-cloud management: vCloud Connector

Externally provided cloud options
•  vCloud Powered – broad array of VMware-compatible clouds for any business need
•  Public Clouds – VMware public cloud partners
•  vCloud Datacenter – security & performance for enterprises

Page 20

What else is New?

•  QoS guarantees for compute, virtual network and virtual storage
•  Distributed Power Management – power on only what you need
•  Predictive analysis of issues with automated remediation when possible
•  Compliance templates that auto alert and remediate
•  Applicable to infrastructure and PaaS applications
•  Virtualization capable and aware TC and DB services
•  Not just hot add of CPU/RAM
•  Integrated monitoring for performance issues from app to infrastructure
•  Application performance based expansion/contraction of services
•  Full control of DB schema, table, clone, etc.

Page 21

What else is new?

•  Distributed Virtual Networking
   •  Edge device – DHCP, NAT, port-level FW, load balancing, IPSEC VPN, etc.
   •  You choose the edge! It’s virtual! How about every vNIC?
   •  Automated policy enforcement
   •  Default fail closed
•  VXLAN – extended virtual LAN
   •  vMotion Anywhere enabler
   •  “flattens” your L2 geographically dispersed networks
   •  Reduces network re-config of transient workloads
•  In-cache-memory Data-as-a-Service
   •  “Smart Data” – through persistent queries (more on this later)

Page 22

What else is new?

•  High Availability for all – not just high end services
   •  Zero downtime and automated restart of failed service
   •  DR to the cloud if you like as a safety net
•  Virtual security evolving quickly (more secure than physical)
   •  DIACAP and STIG hypervisor hardening
   •  Hypervisor based end point anti-virus protection
   •  Security policy follows virtual workloads
   •  Dynamic trust zones can be established and enforced
   •  DLP available
•  Projects AppBlast, Octopus, Horizon Mobile
   •  Agentless Windows/Linux/Web app delivery to HTML5
   •  Dropbox for the enterprise
   •  Secure BYOM – virtualization of the ARM chip has begun

Page 23

What’s Next?

Page 24

Bring Your Own Device Begins with Mobile – Mobile Virtualization Bridges Personal & Enterprise Workspaces

Personal
•  Unrestricted access to personal data and applications
•  Make calls, share pictures
•  Personal (‘home’) phone cannot be altered by IT

Enterprise
•  Virtual “work” phone – fully encrypted, runs locally
•  Fully managed by IT
•  Corporate applications and infrastructure support
•  Complete separation and isolation

Page 25

February 2012 study on mobility

Take Away: Good Things Come in Small Packages

Mobility on the Rise – Feds anticipate increased use of PC alternatives

[Chart: “Approximately what percentage of employees at your agency use or will use each of the following devices for work-related tasks?”]

“… stay connected” – IT Manager, Civilian agency

That means, in the next two years, the Federal workforce* will need:
•  44,430 additional laptops
•  355,440 additional smartphones
•  533,160 additional tablets

*Based on 4,443,000 total Federal employees, http://www.opm.gov/feddata/HistoricalTables/TotalGovernmentSince1962.asp

Page 26

Mobile Application Investments in Federal

Source: 2011 BizTech report, “Federal Mobile Applications: Lessons Learned and Best Practices in Supporting the Mobile and Digital Agenda to Enhance Citizen Services”

[Chart: “We have not invested in mobile apps to date” – 39%; n = 130 (respondents could choose more than one answer)]

The rising adoption of mobile devices is driving demand for mobile applications. Although most of the demand centers on custom software development vs. packaged software products, software vendors should consider their ability to deliver capabilities through multiple devices and with varying delivery models.

Page 27

End User Computing Platform for the Post-PC Era

Connect – Manage – Simplify

[Diagram: End Users → Secure Universal Access → Universal Services Broker (Users, Desktops, Apps, Data; Policies) → Desktop Service, App Catalog Service, Data Service]

Page 28: Virtualization Changes Everything | GSF 2012 | Session 3-3


Big Data

My Apps, My Files, Native Device Experience

Page 29: Virtualization Changes Everything | GSF 2012 | Session 3-3


Application Modernization Platform goes virtual

Diagram: Data Services, Msg Services and Other Services spanning Micro Clouds, Private Clouds and Public Clouds.

•  Deploy and Scale with PaaS

•  Create Agile Data Fabric

•  Modernize Applications

Page 30: Virtualization Changes Everything | GSF 2012 | Session 3-3


Back to why you care

Page 31: Virtualization Changes Everything | GSF 2012 | Session 3-3


Virtualization doesn’t change everything – but it does change IT

Process: project management methodology and SDLC that leverage virtualization and cloud technology

People: staff trained in virtualization and cloud computing

Technology: service-based architecture with “cost arbitrage”

Page 32: Virtualization Changes Everything | GSF 2012 | Session 3-3


The Next Breakthrough in Datacenter Economics

Chart: legacy datacenter cost breakdown (Legacy indexed to 100) across Labor, Software, Hardware, Facilities + Fabric and Telecom; segment values shown: 67, 17, 5, 4, 7.

Source: TMT Value Migration Database, Gartner IT Key Metrics Data 2009; McKinsey

Decrease labor cost through self service, policy based automation and post-ITIL management

Page 33: Virtualization Changes Everything | GSF 2012 | Session 3-3


Roles will change - End-User Experiences Evolve

Cloud: Flexible, efficient, scalable

•  Task Workers

•  Knowledge Workers

•  Mobile Users

•  Power Users

•  Infrastructure Administrators

•  Security & Architects

•  Service Managers

•  Software Developers

•  Library Administrators

Page 34: Virtualization Changes Everything | GSF 2012 | Session 3-3


Lessons Learned in Virtualization at Scale

Multi-Tenancy: establishing an organizationally driven hierarchy and ensuring logical separation throughout the stack

Automation: cloud leverages automation from both automatic and scripted sources

Security and Control: maintaining security and compliance when users have access to and control over the environment

Strategy: not all clouds are created equal – and not all applications behave the same in the cloud

Standardization: software products and versions must be standardized, integrated and deployed on standard infrastructure blocks

Management: integrating the management of multiple resource pools, environments, and clients within change processes

Expertise: achieving benefits from the cloud requires an evolution of skills and expertise

Transformation: cloud requires transformation of both architecture and organization

Virtual Infrastructure
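The multi-tenancy, security-and-control and standardization lessons above are easier to see in code than on a slide. The following is an added example, not code from this deck or from any VMware product: it models a hypothetical org -> vdc -> vm hierarchy in which a principal may only act inside its own organisation's subtree, routes interactive and scripted requests through one audited entry point, and gates every deploy behind a compliance policy (standard image catalog, disk encryption, owner tag). All names (org-a, vdc-1, the image catalog, the roles and policy rules) are invented for the illustration.

```python
"""Tenant-scoped authorization plus a policy gate for automated requests.

Added example, not from the GSF 2012 deck or any VMware product. Everything
here (tenants, roles, image catalog, policy rules) is a constructed model.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed inventory: resource ids are paths whose first segment is the tenant.
INVENTORY = {
    "org-a/vdc-1/vm-web": {"image": "rhel6-std-2012.02", "encrypted": True},
    "org-a/vdc-1/vm-db": {"image": "rhel6-std-2012.02", "encrypted": True},
    "org-b/vdc-7/vm-app": {"image": "win2008r2-std-2012.01", "encrypted": False},
}

# Constructed standard image catalog (the "standardized, integrated" lesson).
STANDARD_IMAGES = {"rhel6-std-2012.02", "win2008r2-std-2012.01"}

# Action -> minimum role; roles are meaningful only inside the holder's tenant.
REQUIRED_ROLE = {
    "vm.read": "vdc-user",
    "vm.deploy": "vdc-admin",
    "vdc.delete": "org-admin",
}
ROLE_RANK = {"vdc-user": 1, "vdc-admin": 2, "org-admin": 3}


@dataclass(frozen=True)
class Principal:
    name: str
    tenant: str   # organisation the principal belongs to
    role: str     # highest role held, valid only inside `tenant`


def tenant_of(resource: str) -> str:
    """The owning tenant is the first path segment of the resource id."""
    return resource.split("/", 1)[0]


def authorize(p: Principal, action: str, resource: str) -> tuple[bool, str]:
    """Logical separation is checked first, then the role: a cross-tenant
    request is refused before any tenant data is consulted, so even an
    org-admin of another organisation learns nothing."""
    if tenant_of(resource) != p.tenant:
        return False, f"cross-tenant: {p.tenant} may not touch {tenant_of(resource)}"
    needed = REQUIRED_ROLE.get(action)
    if needed is None:
        return False, f"unknown action {action!r}"
    if ROLE_RANK[p.role] < ROLE_RANK[needed]:
        return False, f"role {p.role} below required {needed} for {action}"
    return True, "ok"


def policy_violations(spec: dict) -> list[str]:
    """Compliance gate applied to every deploy request, scripted or not."""
    problems = []
    if spec.get("image") not in STANDARD_IMAGES:
        problems.append(f"image {spec.get('image')!r} not in standard catalog")
    if not spec.get("encrypted", False):
        problems.append("disk encryption must be enabled")
    if not spec.get("owner"):
        problems.append("owner tag missing (required for chargeback/audit)")
    return problems


def handle(p: Principal, action: str, resource: str, spec: dict | None = None,
           audit: list | None = None) -> bool:
    """Single entry point for interactive users and automation alike; every
    decision, allowed or denied, is appended to `audit`."""
    allowed, reason = authorize(p, action, resource)
    if allowed and action == "vm.deploy":
        violations = policy_violations(spec or {})
        if violations:
            allowed, reason = False, "; ".join(violations)
    if audit is not None:
        audit.append({"who": p.name, "action": action, "resource": resource,
                      "allowed": allowed, "reason": reason})
    if allowed and action == "vm.deploy":
        INVENTORY[resource] = dict(spec)
    return allowed


if __name__ == "__main__":
    log = []
    alice = Principal("alice", "org-a", "vdc-admin")
    bob = Principal("bob", "org-b", "org-admin")
    # bob is an org-admin, but only for org-b: separation beats privilege.
    print(handle(bob, "vm.read", "org-a/vdc-1/vm-db", audit=log))  # False
    # A script in alice's org that forgets encryption is stopped by the gate.
    print(handle(alice, "vm.deploy", "org-a/vdc-1/vm-api",
                 {"image": "rhel6-std-2012.02", "encrypted": False,
                  "owner": "alice"}, log))  # False
    print(handle(alice, "vm.deploy", "org-a/vdc-1/vm-api",
                 {"image": "rhel6-std-2012.02", "encrypted": True,
                  "owner": "alice"}, log))  # True
    for entry in log:
        print(entry)
```

The ordering inside `authorize` is the point: tenant separation is decided from the resource path alone, before roles or inventory are consulted, so privilege in one organisation never leaks into another; and because scripted automation goes through the same `handle` as a human operator, the compliance gate and the audit trail cannot be bypassed by "doing it in a script".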

Page 35: Virtualization Changes Everything | GSF 2012 | Session 3-3


Data as-a-Service A DoD Example

Page 36: Virtualization Changes Everything | GSF 2012 | Session 3-3


Data as a Service

vFabric Mission Enablement

Page 37: Virtualization Changes Everything | GSF 2012 | Session 3-3


Putting it all Together: Mission Enablement

Diagram layers: New Mission Apps, SaaS Apps, Existing Analytics; Private DaaS Infrastructure (Cloud); Existing Data Sources: SOCOM, DISA, NAVSOC, SOF Community.

Page 38: Virtualization Changes Everything | GSF 2012 | Session 3-3


Now What?

Page 39: Virtualization Changes Everything | GSF 2012 | Session 3-3


Learn and Benefit from others - Accelerated Project Strategy

Chart: days per phase of implementation, by customer approach to services.

§  Quick and seamless implementation

•  Learning during implementation impacts user satisfaction and puts the entire project at risk

•  Lessons learned in early services shorten subsequent phases

Page 40: Virtualization Changes Everything | GSF 2012 | Session 3-3


Just a thought! DoE Hanford Federal Cloud (HFNet)

§  Initial projections over the next four years indicate about $12 million in total cost saving, DOE officials said.

•  The savings include:

•  Reducing CO2 emissions by 3 million pounds.

•  Reducing power by 2 million kilowatt hours.

•  30 percent reduction in the total cost of ownership.

•  48 percent reduction in operating expenses.

The Energy Department has forged a partnership with Lockheed Martin to increase energy efficiency through data center consolidation and IT enhancements.

The partnership is the first use of a federal Energy Savings Performance Contract to reach sustainability goals through improved IT practices, DOE and Lockheed Martin officials said. ESPC contracts let agencies embark on energy-savings projects without upfront capital costs and without special congressional appropriations.

Page 41: Virtualization Changes Everything | GSF 2012 | Session 3-3


Thank you!

Questions?