October 06, 2011

Cloud Pilot Architecture

By: Dan O’Donnell, VP of Business Development at Network Critical

Many Service Providers (SP) are considering plans to provide cloud computing services. This new business model allows SPs to increase ARPU, add to their service offerings, differentiate themselves from their competitors, increase their customer base and become a strategic partner to their large business customers. This move makes perfect business sense and much of the infrastructure is already in place. However, as these Service Providers moves from a model of information transit to comprehensive information management there are many new issues to be addressed.

In the information transit model, the Service Provider SLA includes such guarantees as acceptable delay, network availability, bandwidth allocation and QoS parameters. In the new cloud model, the Service Provider becomes an Information Manger as well. Customer data is now resident on SP servers and located in SP data centers. Access must be managed and secured; the data must be protected and partitioned accurately and absolutely. The provider of cloud services is now responsible for the protection of their customer’s data, not only the transit of that information.

There are high level business process models being discussed in the TM Forum today as well as a wide variety of high level business model issues that need to be addressed. However, time to market will be a key determinant of who will be the leaders and who will be the laggards in this new frontier. In addition to understanding the business practices surrounding this new opportunity, it is important for SP’s to get their feet wet sooner rather than later. It is necessary to find some willing and friendly customers to pilot cloud models and to patiently work through the inevitable hitches and snags that will be present in any new service. When company data is involved, however, it is important that the access to this content is protected and the information flow is understood.

Fortunately, there are many excellent tools available today that can help manage, analyze and protect network data flows. There are three key areas of information flow that need to be closely managed:

1. Ingress information – Access from outside the cloud must be managed and secured to prevent attacks and malicious programs. Specialized tools for this fall into the IPS/IDS category.
2. Egress information – Attacks do not always come from external sources. Many SP and client company employees will have access to the network, the servers and company information for a variety of reasons. These authorized users include, SP service and support technicians, network engineers and managers are a just few. Any one of this group has the potential to maliciously or accidentally compromise confidential and proprietary data. There are tools to prevent data leakage that fall into the appliance group called DLP.
3. Network Forensics – It is important to understand application performance, network performance and overall data flow. There are many sniffers and probes available to analyze and report on network activity and performance. These are the base line appliances necessary for management of any network.

There are other tools to manage such issues as regulatory compliance, consumer experience management, network performance and others. By simply focusing on the three tools above, we can cover attacks from outside the firewall, breaches from inside the firewall, and overall comprehensive network analysis.

There are two primary ways for these tools to connect to network links. First is to directly connect each appliance inline on the link. This is where you connect the tool between the router and the switch directly in the path of the data flow. This allows all the data to flow through the tool. The tool can then analyze the data and perform protective functions when is sees anomalies or rule violations.

However, there are two problems with this method. First, is simply that the more potential points of failure you insert into a link, the higher your probability of failure becomes. Second is that these appliances are very intelligent, software intensive products. With any stacked software product, and with embedded hard drives, “stuff happens.” Further, as rules need to be updated or new versions are released, the product must be taken off-line for updates and reboots. The constant scheduling of network downtime is unacceptable in many of today’s 7/24/365 networks.

The solution is to connect a hardware based tap inline on the network link.Being hardware based products with no software operating system, taps are inherently very reliable. Beyond this, taps have fail-safe technology built in that will maintain the network link even in the event of a power failure to the device.

When you have a tap inserted into a network link you have many options available for connecting appliances or network tools. Depending on the function of the tool, it may need to see the data real time as it flows through the network or it may need to only look at a mirror copy of the data out of band. In either case, the ports needed to connect all these appliances are available using a network tap.

Taps can aggregate the information from many links to a single tool. This provides efficiency and potentially huge savings in the procurement of the necessary network appliances. The use of regeneration features in a tap allow for the same data on a link to be sent to many different appliances. Finally, by using filtering and distribution techniques, the tap can provide only the pertinent information to each tool as needed. This enhances the speed and efficiency of operation for the network tools.

The new leaders in cloud services will jump in quickly with pilots and beta customers to develop and test real product and service offerings. These market leaders will have the advantage of experience, brand awareness and an early customer base as competitive offerings start to crowd the market. In order to become an early leader in this market, the time to develop cloud services and plan for a reliable and secure network infrastructure is right now.

About The Contributor:
Extreme Marketing Team

See My Other Posts