Vblock Solution for Trusted Multi-Tenancy: Design Guide - VCE

More documents

Recommendations

Info

Secure separation Secure separation refers to the effective segmentation and isolation of tenants and their assets within the multi-tenant environment. Adequate secure separation ensures that the resources of existing tenants remain untouched and the integrity of the applications, workloads, and data remains uncompromised when the service provider provisions new tenants. Each tenant might have access to different amounts of network, compute, and storage resources in the converged stack. The tenant sees only those resources allocated to them. From the standpoint of the service provider, secure separation requires the systematic deployment of various security control mechanisms throughout the infrastructure to ensure the confidentiality, integrity, and availability of tenant data, services, and applications. The logical segmentation and isolation of tenant assets and information is essential for providing confidentiality in a multi-tenant environment. In fact, ensuring the privacy and security of each tenant becomes a key design requirement in the decision to adopt cloud services. Service assurance Service assurance plays a vital role in providing tenants with consistent, enforceable, and reliable service levels. Unlike physical resources, virtual resources are highly scalable and easy to allocate and reallocate on demand. In a multi-tenant virtualized environment, the service provider prioritizes virtual resources to accommodate the growth and changing business needs of tenants. Service level agreements (SLA) define the level of service agreed to by the tenant and service provider. The service assurance element of trusted multi-tenancy provides technologies and methods to ensure that tenants receive the agreed-upon level of service. Various methods are available to deliver consistent SLAs across the network, compute, and storage components of the Vblock System, including: • Quality of service in the Cisco Unified Computing System (UCS) and Cisco Nexus platforms • EMC Symmetrix Quality of Service tools • EMC Unisphere Quality of Service Manager (UQM) • VMware Distributed Resource Scheduler (DRS) Without the correct mix of service assurance features and capabilities, it can be difficult to maintain uptime, throughput, quality of service, and availability SLAs. © 2013 VCE Company, LLC. All Rights Reserved. 10
Security and compliance Security and compliance refers to the confidentiality, integrity, and availability of each tenant’s environment at every layer of the trusted multi-tenancy stack. Trusted multi-tenancy ensures security and compliance using technologies like identity management and access control, encryption and key management, firewalls, malware protection, and intrusion prevention. This is a primary concern for both service provider and tenant. The trusted multi-tenancy solution ensures that all activities performed in the provisioning, configuration, and management of the multi-tenant environment, as well as day-to-day activities and events for individual tenants, are verified and continuously monitored. It is also important that all operational events are recorded and that these records are available as evidence during audits. As regulatory requirements expand, the private cloud environment will become increasingly subject to security and compliance standards, such as Payment Card Industry Data Security Standards (PCI- DSS), HIPAA, Sarbanes-Oxley (SOX), and Gramm-Leach-Bliley Act (GLBA). With the proper tools, achieving and demonstrating compliance is not only possible, but it can often become easier than in a non-virtualized environment. Availability and data protection Resources and data must be available for use by the tenant. High availability means that resources such as network bandwidth, memory, CPU, or data storage are always online and available to users when needed. Redundant systems, configurations, and architecture can minimize or eliminate points of failure that adversely affect availability to the tenant. Data protection is a key ingredient in a resilient architecture. Cloud computing imposes a resource trade-off from high performance. Increasingly robust security and data classification requirements are an essential tool for balancing that equation. Enterprises need to know what data is important and where it is located as prerequisites to making performance cost-benefit decisions, as well as ensuring focus on the most critical areas for data loss prevention procedures. Tenant management and control In every cloud services model there are elements of control that the service provider delegates to the tenant. The tenant’s administrative, management, monitoring, and reporting capabilities need to be restricted to the delegated resources. Reasons for delegating control include convenience, new revenue opportunities, security, compliance, or tenant requirement. In all cases, the goal of the trusted multi-tenancy model is to allow for and simplify the management, visibility, and reporting of this delegation. © 2013 VCE Company, LLC. All Rights Reserved. 11
Page 1 and 2: Vbl oc k Sol uti on for Trus ted M
Page 3 and 4: Contents Introduction .............
Page 5 and 6: Design cons iderations for availabi
Page 7 and 8: Introduction The Vblock Solution fo
Page 9: Trusted multi-tenancy foundational
Page 13 and 14: Technology overview The Vblock Syst
Page 15 and 16: Compute technologies Within the com
Page 17 and 18: EMC FA ST Cache EMC FAST Cache is a
Page 19 and 20: Cisco Data Center Netw ork Manager
Page 21 and 22: Figure 3. Trusted multi-tenancy des
Page 23 and 24: Netw ork layers Access layer Nexus
Page 25 and 26: The logical topology represents the
Page 27 and 28: Traffic flow in the data center is
Page 29 and 30: Figure 7. Management cluster and re
Page 31 and 32: Resource groups A resource group is
Page 33 and 34: vSpher e cluster specifications Eac
Page 35 and 36: Security The RSA Archer eGRC Platfo
Page 37 and 38: Design considerations for managemen
Page 39 and 40: Configuration While UIM/P automates
Page 41 and 42: Figure 13 describes the provisionin
Page 43 and 44: Design considerations for secure se
Page 45 and 46: Figure 14 shows an example of how t
Page 47 and 48: UCS organizations The Cisco UCS org
Page 49 and 50: Figure 18 is an example of a UCS Se
Page 51 and 52: Figure 20 shows that VSAN 10 and VS
Page 53 and 54: A service provider may want to view
Page 55 and 56: Figure 25 shows an example of an in
Page 57 and 58: To deploy an organization or vApp n
Page 59 and 60: Figure 29 shows different quality o
Page 61 and 62:
Figure 31. Organization virtual dat
Page 63 and 64:
Element Role User Action Priv ilege
Page 65 and 66:
VMw are vCloud Director Role-based
Page 67 and 68:
VMw are vCenter Server VMware vCent
Page 69 and 70:
Figure 41 shows how port channel 10
Page 71 and 72:
VMware v Cloud Director cells VMwar
Page 73 and 74:
Design considerations for tenant ma
Page 75 and 76:
For example, in vCloud Director, th
Page 77 and 78:
Key Vblock System metrics When dete
Page 79 and 80:
Design scenarios of VSAN and zoning
Page 81 and 82:
Figure 49 is a graphical representa
Page 83 and 84:
Figure 50 shows a physical data mov
Page 85 and 86:
CIFS stack component CIFS Share ABE
Page 87 and 88:
Support for VLAN tagging in iSCSI V
Page 89 and 90:
Design considerations for service a
Page 91 and 92:
EMC FAST VP storage tiering There a
Page 93 and 94:
When a provider virtual data center
Page 95 and 96:
LUN masking component authorization
Page 97 and 98:
Network encryption The Storage Mana
Page 99 and 100:
Local and remote data protection It
Page 101 and 102:
Design considerations for service p
Page 103 and 104:
The following table lists example V
Page 105 and 106:
Use VLANs to achieve network separa
Page 107 and 108:
The traffic flow types break down i
Page 109 and 110:
The following table describes the h
Page 111 and 112:
Deployment recommenda tions Firewal
Page 113 and 114:
Cisco ACE provides a highly availab
Page 115 and 116:
The IPS deployment in the data cent
Page 117 and 118:
Cisco A CE, Cisco ACE Web Applic at
Page 119 and 120:
Figure 70. Data center access layer
Page 121 and 122:
When a network policy is defined on
Page 123 and 124:
Using a different ERSPAN-id for eac
Page 125 and 126:
A VLAN access control list (VACL) i
Page 127 and 128:
Virtual por t channel A vi rtual po
Page 129 and 130:
Design considerations for service p
Page 131 and 132:
Design considerations for secure se
Page 133 and 134:
Design considerations for security
Page 135 and 136:
RSA enV ision RSA enVision helps th
Page 137 and 138:
Conclusion The six foundational ele
Page 139 and 140:
Next steps To learn more about this
Page 141 and 142:
Acronym LACP LUN MAC NAM NAT NDMP N
Page 143:
ABOUT VCE VCE, formed by Cisco and
show all

Vblock Solution for Trusted Multi-Tenancy: Design Guide - VCE

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?