Cloud Computing for a Smarter Planet - PowerPoint Presentation

Uploaded by tatiana-dople on 2018-12-07

Presentation Transcript

Slide1

Cloud Computing for a Smarter Planet

Dr. Chung-Sheng Li, Director, Commercial Systems; PI, Research Cloud Computing Initiative, IBM Research Division

Outcome Centric Cloud Computing

Slide2

Enterprise Cloud adoption presents unique challenges:
- Integration of cloud and traditional IT
- Migration over time
- Security and compliance issues
- Global business process transformation

In the enterprise, cloud is an evolution, revolution and game changer.

An evolutionary transformation to cloud is typical for enterprises and provides unique challenges.

(Diagram: Traditional IT → Virtualize → Standardize → Shared Resources → Automate → Cloud)

Slide3

(Diagram of the Cloud Framework: Infrastructure; Shared Middleware; Lifecycle and Business Support Services; Integrated Service Management; on top, Process services, Collaboration services, Analytics services, Industry-specific services, ... and existing services, third-party services, partner ecosystems)

Cloud Framework enables the planning, building and delivery of cloud services

Slide4

Cloud Computing in an Outcome Centric World

What is Outcome Centric Computing? Six technology implications:
- Cost Performance → Risk Adjusted Cost Performance
- Workload Heterogeneity → Fine-Grained Resource Provisioning & Runtime Management
- Cloud OS that Enables Elastic Boundaries Between Private & Public Cloud Infrastructure; Single View of the Public/Private Cloud Environment from the Client Side
- Outcome Centric → Situation & Context Awareness → Proactive Cloud
- Perimeter Defense → Fine-Grained Security
- Cloud + Outcome Centric → Content & Community Centric

Slide5

Cloud Computing is becoming the Catalyst for an Outcome Centric World

What is Outcome Driven Business?
- Business activities (goods or services) are compensated based on clearly stated, measurable outcomes (of the client) with predetermined goals, and rewards/penalties for over/under-achievement.
- (Partial or full) transfer of risk from the client to the vendor
- Much tighter integration of the enterprise and IT of the client into an enterprise system

What is Outcome Centric Computing?
- Aligning the computing to mission and business outcome
- Single view of the enterprise system; continuously and consistently deliver the prescribed outcome of the enterprise system with minimal uncertainty
- Standardized boundaries between layers within an enterprise system in terms of goal specification (enterprise → IT), service delivery (IT → enterprise, IT → IT), and reward/penalty for deviation from the specified goals
- Proactively adapt to a changing business environment, including unusual and extreme environments (such as product launch, M&A, disasters, cyber attacks), in order to deliver the optimal outcome while minimizing uncertainty & risk

Slide6

Evolution of the Outcome Driven Business and Outcome Centric Computing

(Timeline chart, 1995 to 2015. Business track: e-business → 3-tier architecture → SOA+BPM → Enterprise Integration → Outcome Driven Enterprise System / Outcome Centric Computing, with Strategic Outsourcing, Crowd Sourcing, Internet advertisement and Outcome centric healthcare as examples, annotated with outcome-based shares of 5%, 20~25%, 40~50%, 50% and >60%. IT infrastructure track: Business Environment; Modeling + Situational awareness; Measure & Capture; Decision & Impact Model; Command & Control; SW, HW, Svces, Policy.)

Slide7

Outcome based Business Model is Becoming Increasingly Prevalent

Example | Measurement of Outcome | Current Status | Future Trend
Strategic Outsourcing | Cost savings, improved productivity | 5% of the overall SO market is outcome based | 40~50% by 2015
Crowd Sourcing / Collaborative Intelligence | Innovation results (e.g. Emergency Response 2.0 on InnoCentive) | Mostly focusing on scientific innovation and R&D in engineering areas | Likely to cannibalize existing SO areas; both mission and time critical areas (such as call centers) will be covered by crowd sourcing
Knowledge/Information Marketplace | Rating of answers to questions | A few marketplaces exist (e.g. NineSigma, InnoCentive, esipfed) | More prevalent marketplaces are likely to emerge in more areas
Internet Advertisement | Profit from advertisement | Already a dominant mechanism among search engines (Google, Yahoo) | Likely to be the prevailing (>60%) mechanism for internet advertisement
Smarter Planet Solutions | Outcome of grid efficiency, resilience, etc. | Still in the embryonic stage for outcome centric solutions | ~25% of smarter planet solutions will be outcome based
Outcome centric Healthcare | Patient health | 20~25% of hospitals participated in CMS trials | ~50% of hospitals will adopt pay for performance by 2015

Slide8

Delivering business outcome is augmenting/replacing the traditional fee-for-service business model

Challenges
- Requires the buyer to have a deep level of trust in the provider: not only its capabilities but also its continual demonstration of partnering.
- Measurable outcomes require a level of visibility that one or both parties may not be willing to provide.
- It may not be possible to measure a provider's exact impact on an outcome.
- The service provider must assume a great deal of risk, since it does not have influence over all aspects that impact its ability to achieve the outcome; the amount of risk increases significantly when the outcome is higher up on the value chain.

Implications
- Outsourcing is now evolving beyond savings through labor arbitrage and focusing on new and different ways to create value, including synergies between functions as key drivers of value.
- Providers' investments in developing vertical solutions, platforms, and other enabling infrastructure increase their ability to impact outcomes.
- The partnering approach to outsourcing relationships will deepen, which will impact trust and collaboration and facilitate the provider's ability to influence outcomes.

"Focusing on clients' end-to-end processes, the discussion moves to outcomes pretty fast when considering the advantage of an outsourcer doing a client's work. Over the next five years, this will become a critical differentiator in the way clients and providers work together," he predicts. (Don Schulman, IBM MBPS)

"In the next few years, I think that outcome-based approaches will accentuate polarization in the market between niche providers and mainstream providers." ... because he believes that buyers can only undertake these sorts of arrangements with larger, more mature, asset-rich providers. (Les Mara, HP BPO)

"90-95 percent of outsourcing arrangements today are still based on time and materials or a fixed fee with only five percent tied to outcome-based pricing. Within the next five years, 40-50 percent of the contracts will be outcome based." (Mohammed Haque, Genpact Enterprise Solution Services)

Source: http://www.outsourcing-journal.com/jan2010-outcome.html

Slide9

Crowd Sourcing & Collective Intelligence is emerging as a methodology for outcome centric innovation management. Examples: InnoCentive & TopCoder

Slide10

Future of Information Retrieval is Becoming Increasingly Outcome Centric: Information Retrieval → Outcome Centric Information/Knowledge Marketplace

Experts-Exchange was the first fee-based knowledge market using a virtual currency. It provided a marketplace where buyers could offer payment to have their questions answered. NineSigma and InnoCentive are web-based open innovation marketplaces: firms post scientific problems and choose rewards. Google Answers was another implementation of this idea. This service allowed its users to offer bounties to expert researchers for answering their questions. The Google site was closed in 2006. Two months later, fifty former Google Answers Researchers launched the paid research/Q&A site Uclue. Mahalo Answers, a product extension of the people-powered search engine Mahalo.com, launched on December 15, 2008. Mahalo Answers users may ask questions for free or provide a monetary reward, or tip, in the form of Mahalo Dollars, the site's proprietary currency.

Free knowledge markets use an alternative model, treating knowledge as a public good. Yahoo Answers, Windows Live QnA, Ask Metafilter, Wikipedia:Reference Desk, StackOverflow, Vark.com, 3form Free Knowledge Exchange, Knowledge iN, and several other websites currently use the free knowledge exchange model. However, none of these offer more than an increase in reputation as payment for researchers, often limiting the quality of the answers. ChaCha.com and Answerly.com both offer subsidized knowledge markets where researchers are paid to generate answers while the service remains free to the question asker.

(Diagram: Buy-Side Centric Information Marketplace, with several Data/Info Providers and Service Providers on one side and several Data/Info Consumers on the other)

Source: wikipedia.org on knowledge market

Example: ESIPFED.org

Slide11

Internet Advertisement Evolved Towards Outcome Centric during the past Decade

(Timeline: pre-2000 cost per thousand impressions; 2000 cost per click; 2001 cost per action; 2002 revenue sharing; 2007 profit sharing)

A PPC (pay per click) auction is a continuous second-price auction for advertising space on search engine results pages:
- The auctioneer, a search engine, sorts all of the bids that participants placed for a certain keyword.
- Positions are re-calculated continuously throughout the day and participants may change their bids at any time.

The profit sharing model has been proved to be superior for both merchants and PPC marketing companies.

Source: http://www.vinnylingham.com/specialreports/profit-sharing.html

Other examples:
- Life Science: gene sequencing → $/genome
- Financial Services: core banking → $/transaction

Slide12
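The second-price keyword auction described above, as an added example in Python (not code from the deck or from any search engine). Each winner pays the bid just below their own, never more than their own bid; the bidder names, bids, slot count, reserve price and the tie-break rule (ties resolved by bidder name) are constructed assumptions.

```python
"""Generalized second-price (GSP) keyword auction, as described on slide 11.

Added example, not code from the original deck. Bidders, bids, slot count and
the reserve price are constructed inputs; the tie-break rule (ties resolved
by bidder name) is an assumption."""
from __future__ import annotations


def gsp_rank(bids: dict[str, float], slots: int, reserve: float = 0.0) -> list[tuple[str, float]]:
    """Rank bidders by bid for `slots` positions. Each winner pays the bid
    just below their own (or the reserve price if nobody is below them), and
    never more than their own bid. Returns (bidder, price) in position order."""
    if slots < 1:
        raise ValueError("need at least one slot")
    eligible = [(name, bid) for name, bid in bids.items() if bid >= reserve]
    # highest bid first; ties broken by name so the ranking is deterministic
    ranked = sorted(eligible, key=lambda kv: (-kv[1], kv[0]))
    positions = []
    for i, (name, bid) in enumerate(ranked[:slots]):
        next_bid = ranked[i + 1][1] if i + 1 < len(ranked) else reserve
        positions.append((name, min(bid, max(next_bid, reserve))))
    return positions


def update_bid(bids: dict[str, float], bidder: str, new_bid: float) -> dict[str, float]:
    """Bids may change at any time; positions are simply recomputed from the new bid set."""
    if new_bid < 0:
        raise ValueError("bids cannot be negative")
    updated = dict(bids)
    updated[bidder] = new_bid
    return updated


if __name__ == "__main__":
    keyword_bids = {"acme": 3.00, "bravo": 2.00, "cobalt": 1.00}  # constructed bids for one keyword
    print(gsp_rank(keyword_bids, slots=2, reserve=0.50))
    print(gsp_rank(update_bid(keyword_bids, "cobalt", 2.50), slots=2, reserve=0.50))
```

Raising cobalt's bid from 1.00 to 2.50 moves it into second position and, because the auction is second-price, also raises what acme pays for first position without acme changing its bid.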

Outcome Centric Computing Optimizes Based on Key Performance & Risk Indicators of the Client

(Diagram of pricing models between Vendor/Provider and Client for an Enterprise System:
- Input based: Time & Materials, e.g. IT service contract charged by hourly rate
- Output based: Fixed price (e.g. project based service); SLA based (managed service, outsource, e.g. IT desktop managed service, HR call center)
- Outcome based: KPIs, e.g. productivity, recruitment, etc.
Outcome Driven Business: the Enterprise System (system, software, services, cloud) is described by an Industry Framework, a Business View (CBM) and a Process & Data Flow View; the Client is measured by KPIs and KRIs. Outcome Centric Computing: outcome based, versus Cost Performance (cost: recurrent, one-time, non-functional; performance: TPC-C, SPEC CPU, etc.))

Slide13

Technology Implication 1: Cost Performance → Risk Adjusted Cost Performance

Slide14

Not All Clouds Were Born Equal (as of June 12, 2011)

(Table comparing four providers; the provider logos did not survive extraction, so the rows below are grouped in extraction order and the row assignment is a reconstruction. Columns: pricing for a small instance, memory/disk, availability, penalties for failing to meet the SLA.)

Provider A | $0.085/VM-hr (Linux), $0.120/VM-hr (Windows); 1.7 GB / 160 GB | 99.95% | service credit up to 10% of the bill
Provider B | $0.19/VM-hr | (not captured) | service credit of 100 times the impacted service feature
Provider C | $0.120/VM-hr | 99.5% | service credit up to 10% for availability < 99.9%, up to 25% for availability < 99%
Provider D | $0.120/VM-hr (Windows); 2.048 GB / 80 GB | (not captured) | (not captured)

Slide15

Evolution from Traditional to Outcome-Centric Service Level Agreement

Traditional SLA:
- Context: who, why, duration
- Service terms: what service is offered, and how it is offered
- Guarantee terms: scope + conditions (e.g., time of day); Service Level Objectives (SLOs); penalties and rewards

Outcome Based SLA:
- Client centric KPIs
- A single price function specifies how much the service provider is paid for each possible client outcome, omitting all details of how the outcomes are achieved

Example: Availability > 99.9%; a service credit of 10% of the monthly bill will be issued if the availability is < 99.9% but > 99%, and 25% if the availability is < 99%

Slide16

Negotiation of Pricing Function between Service Providers & Buyer in an Outcome Centric Pricing Model

Source: John Wilkes, Keynote, SMDB'08

Slide17

Uncertainty (or variance) in the expected outcome results in risk and needs to be accounted for in the pricing. Predictability of outcome is often preferred.

Operational risk examples:
- Unbalanced workload → poor performance, or more resources
- Component failure → poor availability
- Lack of resources → poor performance
- Cyber attacks → downtime + information leakage

Pricing should be derived from value@risk: outcome variance → price variance.

Who takes on the risk if the effort required is unknown?
- Cost-plus prices: the client
- Fixed prices: the service provider

Source: John Wilkes, Keynote, SMDB'08

Slide18
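The outcome-based SLA of slide 15 and the variance argument of slide 17, worked through in Python as an added example (not code from the deck or from John Wilkes' keynote). The credit schedule is the one quoted on slide 15; the monthly fee, the 30-day billing period, and the outage model (Poisson incident count, exponential incident duration) are constructed assumptions standing in for the provider's operational risk. The point it shows: the provider's payment depends only on the client's availability outcome, so the spread of the outage distribution becomes a spread in what the provider is paid, which is what a risk-adjusted price has to cover.

```python
"""Outcome-based SLA as a single price function (slide 15) and the effect of
outcome variance on payment variance (slide 17).

Added example, not code from the original deck. The credit schedule is the one
on slide 15; the fee and the outage model are constructed assumptions."""
from __future__ import annotations
import math
import random
import statistics

MONTH_MINUTES = 30 * 24 * 60  # assumed 30-day billing period: 43,200 minutes


def availability_pct(downtime_minutes: float, period_minutes: int = MONTH_MINUTES) -> float:
    """Availability over the billing period, as a percentage."""
    if not 0 <= downtime_minutes <= period_minutes:
        raise ValueError("downtime must lie within the billing period")
    return 100.0 * (period_minutes - downtime_minutes) / period_minutes


def service_credit_pct(avail_pct: float) -> float:
    """Slide 15 schedule: no credit at 99.9% or better, 10% of the monthly bill
    below 99.9% but above 99%, 25% below that. The slide leaves exactly 99%
    unspecified; it gets the larger credit here (assumption)."""
    if avail_pct >= 99.9:
        return 0.0
    if avail_pct > 99.0:
        return 10.0
    return 25.0


def provider_payment(monthly_fee: float, downtime_minutes: float) -> float:
    """The single price function: fee net of credit, as a function of the outcome only."""
    credit = service_credit_pct(availability_pct(downtime_minutes)) / 100.0
    return monthly_fee * (1.0 - credit)


def _poisson(rng: random.Random, mean: float) -> int:
    """Knuth's method; adequate for the small incident rates used here."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_payments(monthly_fee: float, mean_incidents: float,
                      mean_minutes_per_incident: float,
                      months: int = 10_000, seed: int = 1) -> list[float]:
    """Monthly payments under a constructed outage model: Poisson number of
    incidents per month, exponentially distributed incident durations."""
    rng = random.Random(seed)
    payments = []
    for _ in range(months):
        incidents = _poisson(rng, mean_incidents)
        downtime = sum(rng.expovariate(1.0 / mean_minutes_per_incident)
                       for _ in range(incidents))
        payments.append(provider_payment(monthly_fee, min(downtime, MONTH_MINUTES)))
    return payments


def payment_risk(payments: list[float], monthly_fee: float,
                 confidence: float = 0.95) -> dict[str, float]:
    """Mean and spread of the payment, plus the revenue shortfall the provider
    should expect in the worst (1 - confidence) share of months: a value-at-risk
    style figure that a risk-adjusted price has to absorb."""
    shortfalls = sorted(monthly_fee - p for p in payments)
    idx = min(len(shortfalls) - 1, int(confidence * len(shortfalls)))
    return {
        "mean_payment": statistics.fmean(payments),
        "payment_stdev": statistics.pstdev(payments),
        "shortfall_at_risk": shortfalls[idx],
    }


if __name__ == "__main__":
    fee = 1000.0  # constructed monthly bill
    for rate, minutes in ((0.2, 20.0), (1.0, 40.0), (3.0, 60.0)):
        print(f"incidents/month={rate}, mean duration={minutes} min:",
              payment_risk(simulate_payments(fee, rate, minutes), fee))
```

Increasing the incident rate or the mean incident duration moves the expected payment down and the spread up; the "shortfall at risk" figure is what the provider must price in (or insure) to take on the outcome risk at a fixed price, which is the cost-plus versus fixed-price trade-off the slide describes.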

Marketplace mechanisms (buy-side centric or sell-side centric) that have been used for B2B are likely to become prevalent for price discovery in outcome centric models

(Diagram, buy-side centric: the Service Buyer issues an RFI → Service Providers prepare a response → RFP/RFQ → providers prepare bids → bid evaluation → negotiation → contract. Sell-side centric: the Service Provider publishes offerings to a resource registry and selects a trading mechanism (fixed-price, auction, price discrimination, subscription); the Service Buyer selects an offering → establish contract.)

The buy side is responsible for defining specifications, initiating the RFP process, and evaluating proposed bids from potential vendors.

Providers' capacity is a perishable resource, and providers could leverage various "yield management" techniques to maximize return on available resources.

Slide19

Operational Risk analysis facilitates understanding of the business exposure when mission critical business operations are disrupted by nature or humans

Risk categories: Market Risk, Credit Risk, Operational Risk, Liquidity Risk, Legal/Reputation Risk

Operational risk event type categories (Level 1): Internal Fraud; External Fraud; Employment Practices & Workplace Safety; Clients, Products & Business Practices; Damage to Physical Assets; Business Disruption and System Failures; Execution, Delivery & Process Management

IT-related examples:
- General: over capacity, under capacity
- Application related: failed transactions; loss of data due to virus/intrusion; poor business decision due to poor data quality
- User related
- Failure of communication systems

Source: Federal Reserve and Basel II

Slide20

Enterprise adoption of cloud computing in mission critical areas can be accelerated if the operational risk of cloud computing can be properly contained

Slide21

Technology Implication 2: Workload Heterogeneity → Fine-Grained Resource Provisioning & Runtime Management

Slide22

Resource Provisioning and Runtime Management for Private, Public, and Hybrid Clouds Need to be Optimized in an Outcome Centric World

(Diagram: infrastructure tiers from Data Center Server, Data Center Appliance and LOB Servers, through Dept. & Work Group Server, to Edge Server, Edge Appliance and Edge Devices, with workload heterogeneity ranging from low to high. Smarter Planet platform layers: Modeling & Orchestration Platforms; Capturing & Measurement Platforms; Command & Control Platforms. The data center tiers are marked as candidates for migrating to the cloud.)

Slide23

Case Study – Part 1: Heterogeneous workload is generated from the modeling and orchestration platforms for Smarter Planet Solutions

(Diagram, "Orchestrating the Smarter Planet": the real world (distributed energy, buildings, supply-chains, water systems) is observed by a Capturing / Data & Measurement Platform (devices, sensors, imaging, cell phones; high fidelity, continuous, human assist), which yields high-quality trusted data and observed worlds. A Modeling & Orchestration Platform performs assimilation, interpolation and explanation (point detection → field reconstruction → connecting the dots), multi-modal, multi-domain simulation & prediction (what-if analysis) over potential outcomes, and a decision model (optimum/robust action) under context & constraints (regulation & policies). A Command & Control Platform (centralized; distributed; peer-to-peer) turns the chosen action(s) back into the real world.)

Slide24

Case Study – Part 2: Smart Grid solutions continuously optimize the expected outcome using real-time data assimilation & behavioral models.

(Diagram of the Intelligent Utility Network on the Smarter Planet platforms. Data & Measurement: usage pattern, real-time visibility. Model & Analytics Orchestration: behavioral models, demand models, environmental models. Control: optimal plan & schedule for restoration and re-energizing the grid after a disaster; real-time interaction with ground crew; optimal dynamic load shedding and demand management. Results: making decision choices to optimize outcomes.)

A common orchestration platform optimizes outcomes by applying behavior models to real-time information.

Slide25

Industry solutions and business analytics usually consist of heterogeneous workload emphasizing CPU, memory, I/O and network at different levels

(Chart placing workload types between CPU intensive and I/O or memory intensive:)
- Technical Computing: CPU intensive, or I/O & CPU intensive; CPU+GPU/accelerator
- Business Analytics: I/O & CPU
- OLTP: I/O, latency & throughput
- OLAP: I/O, throughput
- Development & Test Cloud
- Web Server: I/O, latency
- Big Data: I/O, throughput

Slide26

Fine-grained resource provisioning (CPU, memory, storage, bandwidth) and runtime management for private & public clouds will be required in order to optimize the cloud environment for heterogeneous workloads

(Diagram: two management stacks over Computing Resources (HW/SW platforms, clouds). Coarse-grained (image level) workload provisioning & runtime management, with resource provisioning and a runtime scheduler + load balancer, serving batch and request/response workloads. Fine-grained (thread level) workload provisioning & runtime management, with the same components, serving web service, deterministic analytics, probabilistic analytics, and warehouse + decision support workloads.)

Slide27

Technology Implication 3: Cloud OS that Enables Elastic Boundaries Between Private & Public Cloud Infrastructure and a Single View of the Public/Private Cloud Environment from the Client Side

Slide28

Outcome centric management of datacenter resources requires the capability for elastic partitioning of computing resources among on-premise computing clusters, private and public clouds

(Diagram: a Cloud Hypervisor/OS spanning several HW platforms, partitioned into On-Premise Server Clusters, Private Cloud and Public Cloud.)

- Ability to provide sufficient isolation for on-premise server clusters, private cloud, and public cloud
- Capacity of each "domain" can be dynamically adjusted up and/or down to enable the optimal outcome for the business through optimal resource allocation

Slide29

Separation of control functions will occur in cloud computing, resulting in a transformation similar to VoIP

- The effect may be more pronounced for cloud since there is a pressing need to reuse existing data and applications
- The control components (Service Management) of the computing services network are moving to the edge
- Cloud computing enables clients to keep core computing services (data/applications) and outsource other services to the cloud, creating a network of computing services
- Industry players are moving towards a paradigm where the control functions of this computing services network are separated out
- The control components are bundled in an on-premises system to create a Client-Controlled Cloud

Slide30

Service Management is required to connect, manage and secure hybrid clouds in order to enable a single view of resources, runtime, system management & monitoring, security, compliance and governance.

(Diagram: Enterprise Infrastructure & Private Cloud (on-premise business applications & information; private shared services) connected through a Service Management layer (Governance, Management, Integration, Security; application integration, monitoring events, identity and security, workload management) to the Public Cloud (SaaS, IBM Cloud, other public cloud; off-premise shared services; off-premise business applications & information).)

Service management functions:
- Workflow: manage the process for approval of usage
- Provisioning: automate provisioning of resources
- Monitoring: provide visibility of the performance of virtual machines
- Metering and rating: track usage of resources

Slide31

Emerging solution: Client Controlled Cloud (C3) – separation of control components

(Diagram: Cloud Services reached over the Internet from the Client Premises, where the Control Component sits next to the existing applications & data.)

- Control component on the premises of the enterprise
- On-premises control of sharing and composition of services and sharing of information
- Clients declare policies for sharing data and services
- Selection and secure composition of cloud services from a variety of providers
- Clients specify how and when to get more IaaS or PaaS resources
- C3 ensures secure composition of services, thus reducing data security and privacy issues

Slide32

Achieving Outcome Centric Programmatically: Higher Availability on EC2

(Figure reproduced from http://support.rightscale.com/09-Clouds/AWS/02-Amazon_EC2/Designing_Failover_Architectures_on_EC2/00-Best_Practices_for_using_Elastic_IPs_(EIP)_and_Availability_Zones; source: support.rightscale.com)

Slide33

Technology Implication 4: Outcome Centric → Situation & Context Awareness → Proactive Cloud

Slide34

Proactive Platforms: Outcome centric computing requires service management of the cloud to be more situational and context aware of the environment and business requirements.

(Diagram of three stages of platform management, each over a SW/HW Platform:
- Static Management: Policy
- Sense & Response: Monitor → Analyze → Plan & Execute, governed by Policy
- Proactive with Situational Awareness: Platform & Environment → Measure & Capture → Behavior Modeling + Situational awareness → Decision Model → Command & Control, governed by Policy)

Slide35

Proactive platforms suggest the formation of mission and outcome aware lockdown hosts within an outcome centric cloud to serve as a "community health system" (DARPA Mission Oriented Resilient Cloud program)

(Chart: outcome over time. After a catastrophic event (crash, cyber attack, etc.), a conventional system drops well below the theoretical optimum, while a resilient system based on proactive platforms retains the critical functionality (mission oriented or business outcome centric).)

- The objective is to sustain outcome (or mission effectiveness).
- Different outcome components have different functional and nonfunctional needs and will make different tradeoffs at runtime among security, QoS, or even correctness.

Slide36

Increasing use of behavior models of the system platforms and the environment enables situation-aware cloud platforms to be increasingly proactive in responding to potential future events.

(Diagram: Cloud Platforms, Environment, and Users → Measurement & Capture → Assimilation, Interpolation and Explanation (using behavior models) → Simulation & Prediction (what-if analysis based on behavior models) → Decision Model (optimum/robust action) → Command & Control. Inputs to the decision: Business Requirements, IT services, Regulatory Requirements, TCO + Operational Risk.)

Slide37

Proactive platforms maximize business outcome and minimize uncertainty of achieving the expected business outcome

(Chart: outcome and outcome certainty increase from Sense & Response (response automation) through Situation & Context Aware Level 1 (perception), Level 2 (comprehension: data assimilation against world models) and Level 3 (projection: behavior models, predictive analytics) to Proactive Platforms.)

Examples of context & situation:
- What IT services are being enabled?
- Who are the business and IT units, and how are they organized?
- What are the relevant regulatory and contractual requirements for the business process enabled by virtualization?
- What are the technologies and IT processes being used?
- Are there any high-level risk indicators from the past?
- Real-time visibility

Slide38

Technology Implication 5: Perimeter Defense → Fine-Grained Security

Slide39

The Traditional Perimeter Defense Security Model of Enterprises is Changing in Fundamental Ways in an Outcome Centric World for Cloud Computing

(Diagram: risk rises with the degree of interconnectivity as the enterprise moves from the Traditional Enterprise Security Model to the New Enterprise Model. Drivers shown: Organizational Dynamics (outsourcing, mergers and acquisitions, globalization, GIE, business partners, suppliers), Workforce Dynamics (ubiquitous workplace, mobility) and Technology Trends (cloud computing, SaaS, Web 2.0, Smarter Planet). Gifs from https://www.opengroup.org/jericho/Respondingtodp_implementation_080929.pdf)

Slide40

Evolution of Threats, Escalation of Risks

Business level risks:
- Nation-level risks (cybersecurity): sabotage and subversion of the critical infrastructure, espionage and theft of top secret information, cyber warfare (e.g. APT, electricity grid, GhostNet, supply chain)
- Business level risks: fraud, loss of business-critical assets and theft of PII (e.g. payee fraud, theft of credit card numbers)

IT level threats:
- Existing threats: exploit vulnerabilities in servers, endpoints and networks directly or remotely (e.g. malware, DDoS, patch management, unauthenticated access)
- Emerging threats: exploit vulnerabilities created in the infrastructure due to de-perimeterization of business and IT boundaries (e.g. insider threats, Trojan ICs, managed exploit providers)

Evolution of threats (technological, organizational and workforce changes)

IBM Confidential

Slide41

Traditional Malware vs. APT*

Traditional Malware | Advanced Persistent Threat
Opportunistic infection (non-specific target), uncontrolled distribution | Targeted at specific individuals and organizations, controlled distribution
Motives: theft of personal info, disruption (DoS) | Motives: theft of sensitive, high value information
Static code, broadly deployed; once deployed, does not change | Dynamic code, customized for each target & altered after infection
One-shot attack; once detected & remediated, the attack is essentially over | Persistent attack; if detected or defeated, alternate methods are employed
Operational objective: broad distribution scope | Operational objective: remaining undetected

*From Eric J. Meyers, Du Pont

Slide42

Fine-Grained Cloud Security requires closed-loop end-to-end isolation & integrity management

(Diagram: enterprise users reach the data center from the Internet through Access Control and Firewall and IDS/IPS. Threats shown at the network perimeter: port scanning, DoS, anti-spoofing, known vulnerabilities, pattern-based attacks; at the application layer: SQL injection, cross site scripting, cookie poisoning, parameter tampering.)

- Lock down the management domain
- Strong isolation of the guest environment to contain possibly subverted and/or malicious hosts
- Weak isolation of the guest environment entails strong integrity mechanisms

Slide43

Fine-grained containment and monitoring occurs at multiple tiers, each of which provides additional isolation capabilities from both external and internal vulnerabilities.

(Diagram of tiers, bottom to top: Data Center/Network/Cloud Platform (server, client, data center, Internet, SCADA, game console, smart phone, telematics); Middleware Stack (DBMS, app server); SOA, Information; Collaboration & Community (social & business network).)

Slide44

Information security starts with the critical business assets and processes of an enterprise. Current regulations and audit standards (e.g. SOX 404, SAS 70, PCI DSS and HIPAA) have specific requirements on business control/auditing for ensuring information security compliance.

(Diagram: business assets (general ledger and corporate financials; customer data; employee data; service offerings data; product data; source code; eMail archive; IM archive; surveillance; other communication archives, e.g. phone; document archives; intranet web pages; employee directory, e.g. Blue Pages; internal courses) mapped to the regimes governing them: PCI DSS, SAS 70, HIPAA, GAAP, IFRS, SOX 404, COBIT.)

Distributed evaluation of Value@Risk by each business unit and centralized prioritization & policy formulation

Fine-grained security controls applied per asset: classification, data leakage detection, data masking, data loss prevention

Slide45

Deploying Fine-Grained Security: Closing the Loop on Isolation & Integrity Management

(Stack diagram, bottom to top:)
- Hardware (processor) enhancements (platform layer); Core Root of Trust (TCG, TPM)
- Hypervisors: "thin" hypervisors for stronger isolation and verification; existing hypervisors (KVM, PHYP) with "hardening" and extensions to support network isolation, MAC, ...
- Management interface (libvirt)
- Systems Management (centralized isolation & integrity management) driven by high-level security policies: Integrity Management (vTPM, IMA, attestation; configuration audit, verification) and Isolation Management (guests, storage, physical networks; traffic separation; Trusted Network Connect, OpenPTS)

Centralized management of isolation & integrity is assumed. Open questions: How do these concepts extend to the cyberphysical world? How can integrity metadata be distributed?

Slide46
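The verification side of the integrity-management loop on the slide (IMA measurements, attestation, configuration audit), as an added example in Python that is not code from the deck, from OpenPTS or from the kernel. A verifier that receives a guest's IMA measurement log and a TPM quote of PCR 10 has to do three things: replay the extend chain to confirm the log matches the quoted PCR, recompute each template hash to confirm the listed file digest and path are the ones actually extended (otherwise the text columns of the log could be rewritten freely), and check each file digest against an allowlist of known-good versions. The sample log and allowlist are constructed inline. The ima-ng template-hash encoding used here (each field prefixed with a 32-bit little-endian length; the digest field is "<algo>:" plus a NUL byte plus the raw digest; the name field is NUL-terminated) is my reading of the kernel's template code, and the sample log is built with the same encoding, so confirm it against a real /sys/kernel/security/ima/ascii_runtime_measurements before relying on it.

```python
"""Verifier-side checks for an IMA measurement log (slide 45: vTPM, IMA, attestation).

Added example, not code from the original deck, from OpenPTS or from the kernel.
The sample log and allowlist are constructed; the ima-ng template-hash encoding
is an assumption documented in the lead-in."""
from __future__ import annotations
import hashlib
import struct

PCR_INDEX = 10
SHA1_ZERO = bytes(20)             # initial PCR value, and the log's marker for a violation entry
VIOLATION_EXTEND = b"\xff" * 20   # the kernel extends the PCR with 0xff bytes for a violation


def ima_ng_template_hash(file_digest: bytes, algo: str, path: str) -> bytes:
    """Recompute the SHA-1 template hash that binds the file digest to the path (assumed encoding)."""
    d_ng = algo.encode() + b":\0" + file_digest
    n_ng = path.encode() + b"\0"
    h = hashlib.sha1()
    for fld in (d_ng, n_ng):
        h.update(struct.pack("<I", len(fld)))
        h.update(fld)
    return h.digest()


def parse_entry(line: str) -> dict:
    """One ascii_runtime_measurements line: '<pcr> <template-hash> ima-ng <algo>:<hash> <path>'."""
    pcr, tmpl, name, digest_field, path = line.split(maxsplit=4)
    algo, hex_digest = digest_field.split(":", 1)
    return {"pcr": int(pcr), "template": bytes.fromhex(tmpl), "name": name,
            "algo": algo, "digest": bytes.fromhex(hex_digest), "path": path}


def replay_pcr(entries: list[dict], pcr_index: int = PCR_INDEX) -> bytes:
    """Replay the extend chain in log order: PCR = SHA1(PCR || template_hash)."""
    pcr = SHA1_ZERO
    for e in entries:
        if e["pcr"] != pcr_index:
            continue
        ext = VIOLATION_EXTEND if e["template"] == SHA1_ZERO else e["template"]
        pcr = hashlib.sha1(pcr + ext).digest()
    return pcr


def verify_log(log_text: str, attested_pcr: bytes, allowlist: dict[str, str]) -> list[str]:
    """Return findings; an empty list means the log matches the attested PCR and
    every measured file is a known-good version."""
    entries = [parse_entry(ln) for ln in log_text.splitlines() if ln.strip()]
    findings = []
    if replay_pcr(entries) != attested_pcr:
        findings.append("PCR-10 replay does not match the attested value (log truncated, reordered or forged)")
    for e in entries:
        if e["name"] != "ima-ng":
            findings.append(f"{e['path']}: unsupported template {e['name']}")
        elif e["template"] == SHA1_ZERO:
            findings.append(f"{e['path']}: measurement violation (file open for write while measured)")
        elif ima_ng_template_hash(e["digest"], e["algo"], e["path"]) != e["template"]:
            findings.append(f"{e['path']}: template hash does not bind the listed digest and path")
        elif allowlist.get(e["path"]) != e["digest"].hex():
            findings.append(f"{e['path']}: digest not in allowlist (unknown or modified file)")
    return findings


def make_entry(path: str, content: bytes) -> str:
    """Build a log line the way the kernel would for a file with this content (constructed)."""
    digest = hashlib.sha256(content).digest()
    return f"{PCR_INDEX} {ima_ng_template_hash(digest, 'sha256', path).hex()} ima-ng sha256:{digest.hex()} {path}"


# Constructed golden contents; in practice the allowlist comes from the build pipeline.
GOLDEN = {"boot_aggregate": b"constructed boot aggregate", "/usr/sbin/httpd": b"httpd v2",
          "/opt/IBM/WebSphere/bin/startServer.sh": b"startServer v1", "/usr/bin/sudo": b"sudo v1"}
ALLOWLIST = {path: hashlib.sha256(c).hexdigest() for path, c in GOLDEN.items()}

GOOD_LOG = "\n".join(make_entry(p, c) for p, c in GOLDEN.items())
# Same host after /usr/bin/sudo was replaced, plus a violation entry (all-zero hashes).
TAMPERED_LOG = "\n".join(
    [make_entry(p, c) for p, c in GOLDEN.items() if p != "/usr/bin/sudo"]
    + [make_entry("/usr/bin/sudo", b"sudo v1 plus backdoor"),
       f"{PCR_INDEX} {'0' * 40} ima-ng sha256:{'0' * 64} /tmp/scratch"])


def attested_value(log_text: str) -> bytes:
    """What an honest TPM quote of PCR 10 would report for this log (stands in for the quote here)."""
    return replay_pcr([parse_entry(ln) for ln in log_text.splitlines() if ln.strip()])


if __name__ == "__main__":
    print(verify_log(GOOD_LOG, attested_value(GOOD_LOG), ALLOWLIST))
    print(verify_log(TAMPERED_LOG, attested_value(TAMPERED_LOG), ALLOWLIST))
```

In a real deployment the attested value comes from a TPM (or vTPM) quote signed by an attestation key, not from the log itself; the replay only tells you whether the log you were handed is the one the TPM saw. The violation case matters because a file that was open for writing while it was measured has no trustworthy digest, and the kernel signals that by extending with 0xff while recording zeros in the log.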

Example: Provisioning of 3-Tier Web Application Using Host Firewalls

(Diagram: guests grouped into Trusted Virtual Domains on a hypervisor, with enforcement at the hypervisor and at the physical network, and provisioning layers above. Management interfaces provide VM group management: membership, policies, collaborations. Guest-to-domain grouping below is reconstructed from the slide layout.)

- Domain D1 (Apache): Guest 1, Guest 2; port 80 open for public access
- Domain D2 (WAS): Guest 3, Guest 5; closed from public access; open for maintenance
- Domain D3 (DB2): Guest 4; closed from public access

Platform hardening: prevent MAC/IP address spoofing and ARP attacks; block harmful traffic

Connectivity rules: incoming/outgoing traffic allowed from the domain
- Collaboration allows selected traffic between D1 and D2
- Collaboration allows selected traffic between D2 and D3

Trusted Virtual Domain: a group of one or more VM instances; instances can be added/removed. Domains can host VMs of a single user ("private") or multiple users, based on ACLs ("global").

Slide47
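The domain policy above compiled into per-guest hypervisor firewall rules, as an added example in Python (not code from the deck or from any IBM product). It models the three Trusted Virtual Domains, answers "is this flow allowed?" from the domain membership and collaboration rules, and renders the anti-spoofing and default-deny rules the hypervisor would apply to each guest's tap interface. Everything not on the slide is an assumption: guest membership (Guests 1 and 2 in D1, 3 and 5 in D2, 4 in D3), addresses, MACs, tap names, the WAS and DB2 ports (9080 and 50000, the products' defaults), the management network used for maintenance access, and that members of one domain may talk to each other. Collaborations are modelled as directional (client domain to server domain) rather than symmetric.

```python
"""Trusted Virtual Domains for the 3-tier example on slide 46, rendered as
per-guest anti-spoofing and host firewall rules enforced by the hypervisor.

Added example, not code from the original deck. Guest membership, addresses,
tap names, the WAS/DB2 ports and the management network are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

PUBLIC = "public"   # any Internet source
MGMT = "mgmt"       # the management network used for maintenance access (assumed)


@dataclass(frozen=True)
class Guest:
    name: str
    ip: str
    mac: str
    tap: str        # the guest's virtual interface on the hypervisor bridge


@dataclass(frozen=True)
class Domain:
    name: str
    role: str
    guests: tuple
    public_ports: frozenset = frozenset()        # open to the Internet
    maintenance_ports: frozenset = frozenset()   # open from the management network only


@dataclass(frozen=True)
class Collaboration:
    src: str        # client domain
    dst: str        # server domain
    ports: frozenset


@dataclass
class Policy:
    domains: dict
    collaborations: tuple
    mgmt_net: str = "10.0.250.0/24"   # assumed management network

    def domain_of(self, guest_name: str):
        for dom in self.domains.values():
            if any(g.name == guest_name for g in dom.guests):
                return dom
        return None

    def is_allowed(self, src: str, dst_guest: str, port: int) -> bool:
        """TCP traffic from `src` (a guest name, PUBLIC or MGMT) to `dst_guest` on `port`?"""
        dst = self.domain_of(dst_guest)
        if dst is None:
            return False
        if src == PUBLIC:
            return port in dst.public_ports
        if src == MGMT:
            return port in dst.maintenance_ports
        src_dom = self.domain_of(src)
        if src_dom is None:
            return False
        if src_dom.name == dst.name:
            return True   # members of one domain may talk to each other (assumption)
        return any(c.src == src_dom.name and c.dst == dst.name and port in c.ports
                   for c in self.collaborations)

    def render_rules(self, guest_name: str) -> list[str]:
        """Compile the policy into iptables/ebtables rules for the guest's tap interface:
        anti-spoofing first, then default-deny forwarding with only the permitted flows."""
        dom = self.domain_of(guest_name)
        g = next(x for x in dom.guests if x.name == guest_name)
        to_guest = f"iptables -A FORWARD -m physdev --physdev-out {g.tap}"
        rules = [
            f"# {g.name} in {dom.name} ({dom.role}), {g.ip} on {g.tap}",
            # platform hardening: frames from the guest must carry its own MAC and IP
            f"ebtables -A FORWARD -i {g.tap} -s ! {g.mac} -j DROP",
            f"ebtables -A FORWARD -i {g.tap} -p ARP --arp-ip-src ! {g.ip} -j DROP",
            f"iptables -A FORWARD -m physdev --physdev-in {g.tap} ! -s {g.ip} -j DROP",
            # replies to connections the guest opened itself
            f"{to_guest} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        ]
        for port in sorted(dom.public_ports):
            rules.append(f"{to_guest} -p tcp --dport {port} -j ACCEPT")
        for port in sorted(dom.maintenance_ports):
            rules.append(f"{to_guest} -s {self.mgmt_net} -p tcp --dport {port} -j ACCEPT")
        for peer in dom.guests:
            if peer.name != g.name:
                rules.append(f"{to_guest} -s {peer.ip} -j ACCEPT")
        for c in self.collaborations:
            if c.dst != dom.name:
                continue
            for client in self.domains[c.src].guests:
                for port in sorted(c.ports):
                    rules.append(f"{to_guest} -s {client.ip} -p tcp --dport {port} -j ACCEPT")
        rules.append(f"{to_guest} -j DROP")   # closed from everything else
        return rules


def example_policy() -> Policy:
    """The slide's three domains with assumed guests, addresses and ports."""
    d1 = Domain("D1", "Apache", (Guest("Guest 1", "10.0.1.11", "52:54:00:01:00:11", "tap1"),
                                 Guest("Guest 2", "10.0.1.12", "52:54:00:01:00:12", "tap2")),
                public_ports=frozenset({80}))
    d2 = Domain("D2", "WAS", (Guest("Guest 3", "10.0.2.13", "52:54:00:02:00:13", "tap3"),
                              Guest("Guest 5", "10.0.2.15", "52:54:00:02:00:15", "tap5")),
                maintenance_ports=frozenset({22}))
    d3 = Domain("D3", "DB2", (Guest("Guest 4", "10.0.3.14", "52:54:00:03:00:14", "tap4"),))
    return Policy({"D1": d1, "D2": d2, "D3": d3},
                  (Collaboration("D1", "D2", frozenset({9080})),
                   Collaboration("D2", "D3", frozenset({50000}))))


if __name__ == "__main__":
    print("\n".join(example_policy().render_rules("Guest 4")))
```

Rendering the rules for Guest 4 (DB2) shows the property the slide is after: the only sources that can reach it are the WAS guests on the DB2 port, and nothing in D1 or on the Internet appears anywhere in its rule set, so a compromised web tier still has no path to the database except through the application tier.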

Detecting and preventing abuse of authorized access is key to preventing insider attacks.

- Far Field Detection: behavior monitoring of users' activity on systems and networks, together with analysis of user profiles, their business relationships and social networks, can provide early warning indicators (in temporal, spatial and spatio-temporal dimensions) of insider attacks.
- Maintaining provenance of information and processes can improve auditability and accountability and facilitate information sharing without compromising security and privacy.
- Mitigate the explosive growth of insider threats by using behavioral analytics and far-field detection techniques.

(Timeline: Threat/Attack Planning → Far Field Detection → Near Field Detection → Real-Time Detection → INCIDENT (infrastructure compromised; information integrity breached) → Post-Incident Recovery)

Slide48
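One concrete form of the far-field detection described above, as an added example in Python (not code from the deck or from any IBM product): build a per-user baseline from an access log (which hosts, which hours, which assets, how much data), add the organisational context the slide mentions (which business unit the user belongs to and which unit owns each asset), and score later events by how many of those dimensions they depart from. The log lines, the org chart, the asset ownership table, the scoring (one point per dimension) and the alert threshold are all constructed assumptions.

```python
"""Far-field insider detection from access logs (slide 47): per-user baseline in
temporal, spatial and relationship dimensions, then deviation scoring.

Added example, not code from the original deck. Logs, org chart, asset owners,
scoring weights and threshold are constructed assumptions."""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime

# Constructed organisational context: who belongs to which unit, which unit owns which asset.
ORG_UNIT = {"alice": "finance", "bob": "engineering"}
ASSET_OWNER = {"gl-db": "finance", "src-repo": "engineering", "hr-db": "hr"}

# Constructed logs: '<timestamp> <user> <host> <action> <asset> <rows>'.
BASELINE_LOG = """\
2011-06-01T09:12:00 alice ws-fin-07 READ gl-db 120
2011-06-01T14:30:00 alice ws-fin-07 READ gl-db 340
2011-06-02T10:05:00 alice ws-fin-07 READ gl-db 210
2011-06-01T11:00:00 bob ws-eng-21 READ src-repo 15
2011-06-02T16:45:00 bob ws-eng-21 WRITE src-repo 3
"""
NEW_LOG = """\
2011-06-12T02:14:05 alice ws-fin-07 READ hr-db 25000
2011-06-12T10:02:00 alice ws-fin-07 READ gl-db 150
2011-06-12T11:30:00 bob ws-eng-21 READ src-repo 20
2011-06-12T22:10:00 bob ws-fin-07 READ src-repo 18
"""


def parse(log_text: str) -> list[dict]:
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, asset, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                       "action": action, "asset": asset, "rows": int(rows)})
    return events


def build_baseline(events: list[dict]) -> dict:
    """Per user: hosts used, hours of day seen, assets touched, largest row count."""
    base = defaultdict(lambda: {"hosts": set(), "hours": set(), "assets": set(), "max_rows": 0})
    for e in events:
        b = base[e["user"]]
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
        b["assets"].add(e["asset"])
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return base


def score_event(e: dict, baseline: dict, volume_factor: float = 3.0) -> list[str]:
    """One reason per dimension in which the event departs from the user's own
    profile or from the user's business relationships; the score is len()."""
    b = baseline.get(e["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if e["host"] not in b["hosts"]:
        reasons.append("spatial: host not in user's profile")
    if e["ts"].hour not in b["hours"]:
        reasons.append("temporal: outside user's usual hours")
    if e["asset"] not in b["assets"]:
        reasons.append("new asset for this user")
    if ASSET_OWNER.get(e["asset"]) != ORG_UNIT.get(e["user"]):
        reasons.append("relationship: asset owned by another business unit")
    if e["rows"] > volume_factor * b["max_rows"]:
        reasons.append("volume: far above user's historical maximum")
    return reasons


def early_warnings(baseline_text: str, new_text: str, threshold: int = 2) -> list[dict]:
    """Events whose deviation score reaches the threshold, oldest first."""
    baseline = build_baseline(parse(baseline_text))
    flagged = []
    for e in sorted(parse(new_text), key=lambda x: x["ts"]):
        reasons = score_event(e, baseline)
        if len(reasons) >= threshold:
            flagged.append({"ts": e["ts"].isoformat(), "user": e["user"], "asset": e["asset"],
                            "score": len(reasons), "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for warning in early_warnings(BASELINE_LOG, NEW_LOG):
        print(warning)
```

On the constructed data, alice's 02:14 bulk read of the HR database scores in every dimension except host, while bob's late-evening session from a finance workstation scores two (new host, unusual hour) and is worth a look but not an alarm; the threshold is where an analyst tunes the trade-off between early warning and noise. The baseline here is a few days of constructed events; a real deployment needs a baseline window long enough to cover normal variation (month-end, on-call) or the temporal dimension will fire constantly.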

Technology Implication 6: Cloud + Outcome Centric → Content & Community Centric

Slide49

IaaS, PaaS & SaaS empower users and developers to contribute information insights and innovative services through communities. A positive loop is generated which drives the ecosystem growth.

Contribute code

Checkout code

Self motivated contribution

Open source developers’ community

Open source software users

Free, good enough software supported by free community

Open Source Software

Modify & contribute new data

Open Data

Contribute anchor data

Harvest new data

Anchor data provider

Data user community

Access data and provide feedback, limited data export

Data is openly shared through the platform, community contributions generate positive loop.

Data contributor community

Open Service

Contribute anchor service

Harvest new service

Anchor service provider

Access service and provide feedback, but no access to source code

Modify & contribute new service

Service developer community

Service is openly shared through the platform, community contributions generate positive loop.

Open Source Software

Open Data

Open Service

Service user community

Slide50

Information & Behavior Aggregation Through IaaS, PaaS & SaaS Enables Collaborative Intelligence and Facilitates Outcome Driven Business

WHY JOIN THE COMMUNITY

WHY ADD KNOWLEDGE TO

THE COMMUNITY

WHAT’S THE VALUE OUT

OF THE COMMUNITY

Amazon (things you buy)

Make one stop shop there

Express yourself shopping & usage experience

Community knowledge of the merchandise to guide effective shopping for any user

Salesforce Appexchange (things you do)

Subscribe ready made applications to improve time to value

Let other people use your application and gain insights about how to improve it

Exponential growth of applications developed by the community on the platform

Facebook (people you know)

Connect and know more people there

Promote yourself and create larger social network

You meet and get to know more people, and more people get to know you, very quickly

Slide51

Risk/Fraud Cloud, which facilitates aggregation, anonymization and predictive analysis with community participation, will bring new opportunities to banks

Bank

Bank

Share risk data

Share risk data

ORX report

ORX report

Cloud platform for Risk/Fraud Data Aggregation, Anonymization, Predictive Analysis

Application Developer

Community

Applications

(e.g. risk mgmt for car loan)

Analysis report

Bank

Member Banks Community

(e.g. banks in emerging geos)

Risk Data Provider

Loan Origination/ Servicing

Share risk data

Leverage risk insights

(e.g. delinquency)

Bank Clients

Leverage risk data/insights

*A scenario based on ORX

Strong information security with appropriate isolation between banks required
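The two security properties the slide calls for, isolation between member banks and anonymized aggregation, as an added example (not code from the presentation or from ORX): each bank's raw loan-outcome rows stay in a partition that only that bank may read, while the community report contains only cells to which at least k_min distinct banks contributed, so a published delinquency rate cannot be attributed to a single member. Bank names, regions, products, the row schema and the k_min value are constructed assumptions.

```python
"""Risk-data aggregation with per-bank isolation and small-cell suppression (added example)."""
from collections import defaultdict

REQUIRED = ("region", "product", "loans", "delinquent")  # assumed row schema


class RiskCloud:
    def __init__(self, k_min=3):
        self.k_min = k_min                      # minimum distinct contributors per published cell
        self._partitions = defaultdict(list)    # bank -> raw rows; never crosses the bank boundary

    def submit(self, bank, rows):
        for r in rows:
            if any(f not in r for f in REQUIRED) or r["delinquent"] > r["loans"]:
                raise ValueError(f"malformed row from {bank}: {r}")
            self._partitions[bank].append(dict(r))

    def raw_rows(self, requester, bank):
        """Isolation: a bank can read only its own partition."""
        if requester != bank:
            raise PermissionError(f"{requester} may not read {bank}'s data")
        return list(self._partitions[bank])

    def aggregate(self):
        """Community report: per (region, product) cell, suppressed when contributors < k_min."""
        cells = defaultdict(lambda: {"loans": 0, "delinquent": 0, "banks": set()})
        for bank, rows in self._partitions.items():
            for r in rows:
                c = cells[(r["region"], r["product"])]
                c["loans"] += r["loans"]
                c["delinquent"] += r["delinquent"]
                c["banks"].add(bank)
        report = {}
        for key, c in cells.items():
            if len(c["banks"]) < self.k_min:
                continue  # too few contributors: publishing would expose one member's rate
            report[key] = {"contributors": len(c["banks"]),
                           "delinquency_rate": round(c["delinquent"] / c["loans"], 4)}
        return report


def can_read(cloud, requester, bank) -> bool:
    """Report whether the isolation check permits the read instead of raising (demo helper)."""
    try:
        cloud.raw_rows(requester, bank)
        return True
    except PermissionError:
        return False


def build_demo() -> RiskCloud:
    cloud = RiskCloud(k_min=3)
    cloud.submit("bank-a", [
        {"region": "south", "product": "car_loan", "loans": 1000, "delinquent": 40},
        {"region": "north", "product": "mortgage", "loans": 500, "delinquent": 5}])
    cloud.submit("bank-b", [{"region": "south", "product": "car_loan", "loans": 800, "delinquent": 48}])
    cloud.submit("bank-c", [{"region": "south", "product": "car_loan", "loans": 200, "delinquent": 12}])
    cloud.submit("bank-d", [{"region": "north", "product": "mortgage", "loans": 300, "delinquent": 3}])
    return cloud


if __name__ == "__main__":
    demo = build_demo()
    print(demo.aggregate())   # only the south/car_loan cell (3 contributors) is published
    print(can_read(demo, "bank-a", "bank-b"))  # False
```

Contributor-count suppression is the minimum; a report that is republished every period also needs a rule against differencing (a bank leaving a cell between two reports reveals its own numbers), which is why real schemes fix the membership of a cell across reporting periods or add noise.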

Analyst

Community

Slide52

Cloud Computing in an Outcome Centric World drives in vivo Development

in vivo development lifecycle:

Iterative building and a constant cycle of developing, testing and deployment, unlike the traditional linear/waterfall model

No clear distinction among development, staging (usually in a Sandbox concept) and production

in vivo development tools:

Constraint programming: control damage

Performance issues (Ajax and JavaScript)

Community-based development, e.g. Topcoder

New testing methods and tools to support testing in a “live” environment

Concept

Refine

Personal use

in Sandbox

Script it

Discover

existing stuff

Refactor/redesign

Discard

Stable

Expand or

change

Refine

Small group use

INFRASTRUCTURE & SYSTEM MANAGEMENT SERVICES

INFORMATION MANAGEMENT SERVICES

COMPOSITION SERVICES

APPLICATIONS

CONTENT

Cloud Platform

Development Environment

Sandbox Publish

Personal use

Refine

App

Group use

Forms, widgets

Workflow, events

Data

Service composition

Quality assurance

Community dev mgmt

Slide53

Structure Aware Image Lifecycle Management

Scalable outcome: achieved by managing and operating directly on image content and metadata, as opposed to operating on the binaries

Configuration

Operations

Functional

Model

Semantic

Model

file

file

file

file

file

file

file

file

C

B

A

file

file

file

Hash

Reference

Content

Manifest

Derivation

History

Content Store

Image Semantic Metadata

Virtual

Image

Image Content

Approach

Sophisticated store with APIs to directly manipulate images without assembling their disk structure

Semantic-rich metadata: self-describing image using software stack topology and functional metadata

Slide54
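The approach on this slide (hash-referenced content store, manifest, derivation history, semantic metadata), and the provenance point raised on the insider-threat slide, as one added example that is not the presentation's or IBM's code: every file of a virtual image is kept once in a content store keyed by its SHA-256 hash; an image is a manifest (path to hash) plus semantic metadata; deriving a new image edits the manifest directly, so unchanged files are shared and no disk structure is assembled; and each manifest records its parent, giving a derivation history that can be walked and a content reference that can be re-verified. Image names, file paths, package versions and the metadata keys are constructed.

```python
"""Structure-aware image store: content-addressed files, manifests, derivation history (added example)."""
import hashlib
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ImageStore:
    def __init__(self):
        self.blobs = {}   # content store: hash -> bytes
        self.images = {}  # image id -> manifest

    def _put(self, data: bytes) -> str:
        h = sha256(data)
        self.blobs.setdefault(h, data)  # identical content is stored once
        return h

    def _register(self, manifest: dict) -> str:
        # the image id is the hash of the canonical manifest: any change yields a new id
        image_id = sha256(json.dumps(manifest, sort_keys=True).encode())
        self.images[image_id] = manifest
        return image_id

    def import_image(self, name, files: dict, semantic: dict) -> str:
        manifest = {"name": name, "files": {p: self._put(b) for p, b in files.items()},
                    "semantic": dict(semantic), "parent": None, "operation": "import"}
        return self._register(manifest)

    def derive(self, parent_id, name, changes: dict, semantic_update: dict, operation) -> str:
        """New image from a parent by editing its manifest; a None value deletes a path."""
        parent = self.images[parent_id]
        files = dict(parent["files"])
        for path, data in changes.items():
            if data is None:
                files.pop(path, None)
            else:
                files[path] = self._put(data)
        semantic = {**parent["semantic"], **semantic_update}
        return self._register({"name": name, "files": files, "semantic": semantic,
                               "parent": parent_id, "operation": operation})

    def diff(self, a, b) -> set:
        """Paths whose content differs between two images, computed from manifests alone."""
        fa, fb = self.images[a]["files"], self.images[b]["files"]
        return {p for p in set(fa) | set(fb) if fa.get(p) != fb.get(p)}

    def history(self, image_id) -> list:
        """Derivation chain from the image back to its root, newest first."""
        chain = []
        while image_id is not None:
            m = self.images[image_id]
            chain.append((m["name"], m["operation"]))
            image_id = m["parent"]
        return chain

    def verify(self, image_id) -> bool:
        """Every referenced blob exists and still hashes to its reference."""
        return all(h in self.blobs and sha256(self.blobs[h]) == h
                   for h in self.images[image_id]["files"].values())

    def find_by_semantic(self, key, value) -> list:
        """Query metadata instead of mounting images, e.g. to find a package version."""
        return [i for i, m in self.images.items() if m["semantic"].get(key) == value]


def build_demo():
    store = ImageStore()
    base = store.import_image(
        "base-os",
        {"/etc/ssh/sshd_config": b"PermitRootLogin no\n",
         "/usr/lib/libssl.so": b"libssl build 1.0.0"},
        {"stack": "sshd+openssl", "openssl": "1.0.0"})
    patched = store.derive(base, "base-os-patched",
                           {"/usr/lib/libssl.so": b"libssl build 1.0.1"},
                           {"openssl": "1.0.1"}, "patch openssl")
    app = store.derive(base, "app-server",
                       {"/opt/app/run.sh": b"#!/bin/sh\nexec app\n"},
                       {"stack": "sshd+openssl+app"}, "install app")
    return store, base, patched, app


def demo_summary() -> dict:
    store, base, patched, app = build_demo()
    return {"diff": store.diff(base, patched),
            "history": store.history(patched),
            "still_on_1_0_0": len(store.find_by_semantic("openssl", "1.0.0")),
            "blobs": len(store.blobs),
            "verified": all(store.verify(i) for i in (base, patched, app))}


if __name__ == "__main__":
    print(demo_summary())
```

The metadata query is where the lifecycle-management payoff is: finding every image still carrying the old openssl version is a dictionary scan rather than a mount-and-inspect of each image, and because the application image was derived from the unpatched base, it shows up too.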

Virtual Client Landscape: Virtual Desktop & Virtual User Session

Connection Broker

End User

Data Center

Platform

KVM, VMware

CCMP (OSS/BSS)

OS

Apps.

Data

VM1

VM2

OS

Apps.

Data

OS

Apps.

Data

VM3

Platform

KVM, VMware

CCMP (OSS/BSS)

Virtualized Apps.

Data

User 1

Virtualized Apps.

Data

Virtualized Apps.

Data

User 2

User 3

OS

Applications

Centralized Virtual Desktop

Virtual User Session

Slide55

Security for Desktop Cloud

Customer Location / Service Provider Location

DaaS Portal

DaaS Access Fabric (Connection Broker)

Mobile,

iPad

Desktop Users

RDP

DaaS Admin & Business Manager

HTTPS

Account Management

SLA Management

Service Delivery Agents

Servers

Storage

DaaS Data Center 1

Business Support Services

Rating

Reporting

Services Directory

Account Management

Billing

Contract Management

Order Management

SLA Management

Operational Support Services

Metering

Service Provisioning

Monitoring

Reporting

Infrastructure Provisioning

Capacity Planning

Infrastructure Management

Infrastructure Security

1. Standard Desktop Security Configuration

2. Trusted Enforcement of Regulatory and IT Security Policies

3. Proventia Virtual Server Protection

4. DLP including Content Classification and Filtering of Sensitive Information (e.g., Mobile EISM)

5. Multi-Factor Biometric Authentication and Risk-Based Authorization

DaaS platform can provide for trusted and efficient enforcement of security and compliance policies compared to standard clients

Traditional Client

Ties to Cybersecurity Grand Challenge and Mobile Strategic Initiative

- Enterprise Information Security Management

- Multi-Factor Biometric Authentication and Risk-Based Authorization

Slide56

HPC Cloud vs. Traditional HPC

Queue delay is key pain point for users

1000’s of Jobs

Scheduling gymnastics

Long queue times

Constrained usage

HPC Resource

HPC CLOUD

HPC Resource

Customer A

Dynamic partitions

Elastic supply

Industry-standard API’s

Dynamic pricing to control demand

Customer B

Customer C

Traditional HPC Model

HPC Cloud Model

Slide57

HPC Cloud vs. General Purpose Cloud

Integrated (VM, server, storage, and network) systems management with optimized workload and traffic placement capabilities across multiple data center domains (enterprise data center, internet data center, extranet data center, public/private cloud data center)

Unified Switch Fabric (server, storage, HPC, cloud)

Server

Storage

Server Virtualization

(e.g. kvm, xen, VMware..)

Switch Fabric Virtualization

(e.g. FlowVisor)

Storage Virtualization

(e.g. kvm, xen, VMware..)

Single View of Computing Resources

Integrated Management of VM, Server, Storage, and Network

High performance interconnect

Topology/Interconnect aware image placement

Provisioning of large numbers of nodes at a time

High Bandwidth/ High capacity Cluster file system

Batch checkpoint/interrupt capability for background workloads

Support for non-virtualized nodes

Slide58

IBM Engineering Cloud Components

The Engineering Cloud solution offers all of IBM’s capabilities to clients as one convenient service

Engineering Servers

– System x / Power / BG

Integrated, Optimized, Extensible

File System & Storage – GPFS / SONAS / Storage Cloud

Engineering CAD & Design Analysis Applications

Electronics Design

Integration & Transformation

Product Development

Insight, Integration, Innovation & Transformation

Design & Process Management applications

Enterprise Cloud Management

2D Remote Client, Portal Browser

3D Remote Client

Mechanical Design

Integration & Transformation

Requirements Management & HL System Modeling

SW Development

Integration & Transformation

Other Work Loads

Reservoir, Seismic,

Financial Analytics, Digital Media,

Etc.

Engineering Mgt Suite

HPC Mgmt Suite

Engineering Cloud

where solutions will be built to address specific technical & business issues within and across Engineering Domains

Slide59

Summary & Recap

Outcome centric computing: Delivering business outcome is augmenting and/or replacing the traditional fee-for-service business model and has become increasingly prevalent in areas such as strategic outsourcing, smarter planet solutions, crowd sourcing, knowledge marketplaces, internet advertisements, and healthcare.

Risk adjusted cost performance: Outcome centric computing will accelerate adoption of outcome-based pricing models within service level agreements. Risk adjusted cost performance, which captures the variation of outcome, will receive increasing focus as a system level metric.

Fine Grained Resource Provisioning: Both resource provisioning and runtime management for system clusters and private & public clouds will be optimized for the heterogeneous workloads generated by vertically integrated solution platforms that will become increasingly outcome centric.

Emergence of cloud OS: Outcome centric management of datacenter resources requires the capability to elastically partition computing resources among on-premise computing clusters and private and public clouds, resulting in the emergence of a cloud hypervisor/OS (that provides DLPAR-like capabilities).

Proactive Platforms: Outcome centric platforms and system management require the system platform to be more situational and context aware of the environment and business requirements. Increased use of behavior models of the system platforms and the environment enables the HW/SW platforms to be increasingly proactive in responding to potential future events.

Slide60

Thank you!

For more information, please visit:

http://www.ibm.com/cloud

Or contact me at: csli@us.ibm.com