HP Cloud Reference Architecture Enhanced With Cloud Protection

HP Cloud Protection Highlights

• Its delivery model outlines differences between Private, Virtual Private and Public Clouds
• Its Cloud reference architecture has Demand, Delivery, Supply and Infrastructure layers
• Its Cloud Protection functions are built into the architecture
• Is applying security functions from legacy systems to cover and integrate with the Cloud.
• The Bristol Business Lab hosts multiple visits from governments, 3-star generals and police forces
• The G-Cloud demonstrator separates Infrastructure from Service Provider access and views
• Is working on Forensic VMs ‘Forensic VMs’, where small ‘detectors’ investigate Virtual Machines, checking their memory for signs of infection.
• Security resources include 1,400 staff from the acquisition of Fortify, Arcsight and Tippingpoint and 1,500 in HP Enterprise Security Services

We caught up with HP in the Bristol Labs recently to look at its new Business Lab and discuss Cloud Computing and security. You’ll be interested in the subject if you were one of the many who looked at our review of IBM’s approach some time ago.
We’ve already covered HP’s Cloud Computing strategy by looking at its services for Cloud builders. We’re sure you’ll also want to know how HP ties its reference architecture and security together.

HP’s Classification Of Clouds Is Based On Delivery Models

HP naturally looks at the Cloud Computing market from the point of view of a major systems vendor with strong technical capabilities – if the modern Turing test separates the user from the technology, it’s definitely behind the curtain with the machines. It has a clear view of the different types of Cloud and how customer, management, payment method and workloads differ (see Figure 1). We think it’s worth looking at in some detail. From HP’s point of view:

• Private Clouds are built in a single ‘dedicated’ organisation, with management provided by the customer itself or via a Service Provider (we note here are a number of other companies such as Virtustream who offer to manage Clouds on customer premises in addition to HP); this type of implementation differs only in technology from traditional IT and is paid for and owned as an asset; due to the relative immaturity of Cloud Computing, these are often the types of system set up to run mission Critical workloads
• Virtual Private Clouds (not ‘hybrid’, perhaps because HP talks about ‘Hybrid Delivery’) our outsourced systems belonging to a single or a number of organisations and are managed by the customer or Service Provider; they are paid for either on a utility ‘pay as you go’ basis, or via a monthly outsourced service contract; they typically run High Availability applications; we believe some of government resources are housed in HP data centres on these kinds of contract
• Public Clouds are by nature multi-tenancy (or multiple ‘unrelated’ organisations in HP’s nomenclature), are always hosted by a Service Provider and offer services on a utility ‘pay as you go’ pricing model; typical applications are software development and test, or productivity applications; we note that the current trend towards vertical market ‘Business Process as a Service’ applications are run from such locations and that HP’s own pharmaceutical authentification business in Ghana is one such; salesforce.com is perhaps another

We note that HP’s classification comes from a Cloud builder point of view. For end-users of applications the differences are in where the applications are run from – whether their own organisation, a hosted service (where customised or standard), or from a Cloud service provider.

HP’s Cloud Reference Architecture

Before detailing HP’s Cloud Protection security approach, we should first take a look at its Cloud reference architecture (Figure 2). It’s done some deep thinking about the need to address a number of Cloud platform layers separately. In particular:

• Portals and Service Access sits at the top of the architecture involve allowing users to access the services using a variety of client devices
• Demand is the layer in which the services are offered and subscribed to by the user and includes the service ‘offer’ management, as well as the demand modelling; it also includes the service catalogue and repository for the user to choose from
• Delivery is the layer in which the service delivery modelling and design takes place and contains the service model repository, as well as the monitoring of the service and system health; capacity issues are also dealt with here
• Supply is the layer in which the resource template is designed, containing the resource pool catalogue and repository; the health of the resources as well as the workload management are also contained in this part of the reference architecture
• Infrastructure sits as a layer at the base of the architecture, containing the hardware elements HP sells, including power and cooling, servers, storage systems, network devices, software, information and the physical Cloud; this is where HP’s Converged Infrastructure is based, which packages the various other components into an optimised system

To the right of the diagram HP has included what it calls ‘spanning functions’ – common issues for which policies need to drawn up including governance, management, business processes and security.

Extending The Architecture With Cloud Protection Features

Many claim that Cloud services are inherently insecure in comparison with traditionally delivered applications. However it’s a long time since applications could be built and physically protected against the outside walls of an organisation. Many HP’s ‘Cloud Protection’ features are needed for all corporate computing, irrespective of their underlying architecture, although the Cloud definitely increases the number of attack surfaces for hackers and others to try to exploit. Cloud Protection links with other layers of the architecture (coloured in yellow in Figure 3). In particular:

• It includes user and service management and security and compliance reporting to the ‘Demand’ layer
• Service security and service security health are part of the Delivery layer
• Resource security, configuration and administration as well as resource security health monitoring are included in the Supply layer

Cloud Protection also widens the reference architecture with a number of security functional areas, including Governance, Risk and Compliance, IT Management, Services with Security, Security Management Services, Security Program, Identity Management, Application Security, Information Security, Infrastructure Security and Security Monitoring. These functions are typically shared between legacy and Cloud infrastructure in most organisations – HP is taking on the big challenge ofextending them to cover and integrate with the Cloud.
While reference architectures are not in themselves products, they are used for identifying the areas in which users need to buy software and services. In the security area HP’s model allows partner solutions from Symantec, Microsoft, VMware and Microsoft as partners alongside its own offerings.

HP’s G-Cloud Demonstrator And Forensic VMs Show Its Research Commitment To Cloud Protection

The new Business Lab in Bristol has opened itself up to delegations from large organisations, hosting 57 meetings in 2011 and planning 80 in 2012, including governments, 3-star generals and police forces. In on meeting it translated all discussions into Chinese.
The G-Cloud is a UK government initiative to combine the separate IT resources of various departments, increasing the number of suppliers to the government, reducing the contract length and cost of IT (which we size as £20 billion in total for central and local government).
Presumably HP designed the G-Cloud demonstrator for the recent visit of UK coalition government ministers. As well as showing advanced virtualisation in which virtual systems made up of compute, storage and networking appear as ‘cells’ managed graphically, it has separated the service provider and infrastructure provider functions, hiding the applications run on the system from the latter and the underlying hardware infrastructure from the former. In the demonstration it shows how these 2 functions inter-react alongside end-users and cyber attackers. When attacked the system is able to delete and rebuild cells and application stacks quickly.
Looking further out HP Labs are working on what they call ‘Forensic VMs’. Here multiple small ‘detectors’ investigate Virtual Machines, checking their memory for signs of infection.

Some Conclusions – Cloud Security Is Becoming A Vital Issue

HP has deep resources, adding 1,400 staff from the acquisition of Fortify, Arcsight and Tippingpoint to the 1,500 in HP Enterprise Security Services – and not forgetting the handful of scientists looking into Forensic VMs and the like.
Increasing numbers of applications will be run on Clouds: the European Commission for instance has the objective of making the Cloud ‘active’, rather than just ‘capable’ and the governments delegations visiting HP are not the only ones looking to reduce costs and extend performance.
HP has tied security and Cloud Computing together in an impressive architectural approach, which should prove very helpful for large organisations.
We enjoyed the demonstrations and are impressed at its attention to the non-technical needs of the delegations who pass through the Business Lab.
Over time it should be able to reduce security concerns, unlocking modern architectures for mission critical workloads and in the process increasing its revenues.