Gaining security and operational efficiency in the data center


1 Gaining security and operational efficiency in the data center
Laurent PETROQUE, Pre-Sales Manager, F5 France

2 In five years, more than three quarters (76%) of respondents expect hybrid cloud to be at the core of their strategy, overtaking private and public cloud. The majority of respondents (55%) expect hybrid cloud or multi-cloud providers to emerge within 2 to 3 years to compete with current cloud solutions.
Initial uptake of IaaS providers was slow for large enterprises, largely due to security and data protection concerns. This led to the popularity of a hybrid cloud model that lets organisations select which apps and services are suitable for cloud providers while still maintaining control of what data would go where.
Source: 2013 Future of Cloud Computing Survey, North Bridge / Gigaom

3 Responding to change
Now take that environment and consider how easy it is to scale your application – not just more application servers but additional ADCs, firewalls or WAFs. How quickly can you respond to change? Increases in users, the number of services, backend application servers or increased security profiles all add to the complexity of scaling an application. All the while, application and business owners expect an increase in performance and availability over time!

4 Availability, Security, Access Control
Migrating to the cloud
Eligible applications: applications not subject to strict data protection rules; virtualized applications that support migration from their current infrastructure; less critical applications and services that are less subject to restrictive SLAs.
Diagram labels: Devices Data Center Load Balancing, Availability, Security, Access Control DEMAND Competition for finite computing resources Physical Virtual Applications
Not all applications are suitable for migration to cloud providers. Many organizations have issues related to governance and data protection. Applications suitable for IaaS providers are often identified by the following criteria: applications that don’t fall under strict data protection policies; non-legacy applications that are able to migrate from existing infrastructure, which typically means virtualized applications; non-mission-critical applications and services that aren’t governed by tight SLAs.

5 Consistency across all applications and services
Diagram labels: Data Center Agility Workload Prioritization Automation/Orchestration Customer Scenarios Any Device Internal and External Services Centralized Management Consistent Delivery Cloud Migration Replicated Policy Core Functionality IaaS Acceleration Context Services Reporting iApps Extensibility Integration Availability Any Location Cloud Providers Professional Services and Support
On the left we have the many different device types and numerous connectivity methods to deal with, each with unique behavior and requirements. On the right we have the different applications and services that we want to deliver from different locations and providers. To ensure a consistent user experience, which requires consistent performance, availability and security services (we call these application delivery services), we must ensure that these application delivery services exist everywhere the application can exist, both in the private data center and in the cloud environment. The work done by application architects and network architects mustn't be sacrificed as part of the journey to the cloud.

6 Cloud policy management
Application services: modeled, integrated, orchestrated, accelerated, secured
Diagram labels: Cloud Portal Cloud Management Provider Portal Cloud Portal App Lifecycle Management Cloud Connectors Third-Party Cloud Orchestrators (VMware vCloud Director) Tenant Portal Public Cloud (Amazon Web Services) Cloud Management REST API Data Center 1 Data Center 2 Data Center 3 Data Center 4
A lot of this capability hinges on policy management. Whether you are using physical BIG-IPs or Virtual Editions, both run F5’s TMOS, and the speed at which application services can be deployed within a private DC or an IaaS provider hinges on the ability to define reusable policies that can follow applications wherever they run. These policies need to be deployed in minutes, not hours or days. F5’s BIG-IQ management platform is the solution: it handles both individual F5 device requirements, including flexible licensing models, and F5 cloud delivery requirements, meaning the delivery of application service templates as tested and managed within private datacenters. It ensures consistent delivery.

7 Cloud migration architecture
Diagram labels: On-Premises Infrastructure Global load balancing Infrastructure monitoring Advanced reporting Administrators Business Unit Application Manager Load balancing Custom business logic Application health SSL management DNS Line of Business Applications Business Unit Application Manager Application User Cloud Administrator Cloud Management Beta User Automated Application Delivery Network Health/performance monitoring vADC deployment Load balancing Custom business logic Application health SSL management Line of Business Applications Application Strategic Point of Control Cloud Hosting Provider
With this capability, the ability to rapidly deploy application-specific delivery and security policies in minutes, comes the application delivery flexibility required to migrate applications to cloud providers without sacrificing application availability, performance and security. It delivers replication of: optimized connectivity, consistent application delivery services, and security policy.
Here we have an architecture diagram. At the top of this diagram, you can see the private data centre with its DNS services and its application services: things like SSL management, load balancing and application health monitoring. Within that private DC we also have the cloud management services. This cloud management takes the configuration, all the tested and validated application delivery services, and deploys them to an F5 Virtual Edition running in the cloud provider. This isn’t just a case of spinning up a Virtual Edition; it's also about deploying all of the configuration required to ensure the application behind it is running fast, highly available and secure. This type of hybrid deployment has been very popular for development teams, QA testing and those kinds of business functions, where there is a demand for compute resource but there is no sensitive data. This is an excellent way of freeing up private DC resources.

8 Globally optimizing the application service
Direct users to the best data center. Continuous verification of the application service. Application service routing based on business logic. Enables IP geolocation and repudiation. Secure the DNS infrastructure.
Diagram labels: DMZ Data Center On Premise Clients Internet LDNS DMZ Cloud
GTM directs traffic to the best available data center – if one isn’t available, all traffic is redirected to the next best available DC.
RelayHealth, a SaaS platform connecting patients, providers, pharmacies, payers, and financial institutions, operates two major data centers, one in Atlanta and one in Sacramento, plus several smaller ones. It manages 12 billion financial and clinical transactions a year. Load balancing was handled by host software on each server. Some servers had none, requiring developers to write custom software. This approach led to many variations of application delivery software all trying to operate within the same data center, resulting in intermittent downtime and slow response times.
75% of enterprises have experienced a major disaster or business disruption. Are you prepared? Nearly 75% of all U.S. businesses have experienced a business interruption. NOTE: If desired/necessary, can enumerate: 72% of the time suffered from power outages; 52% of the time dealt with hardware problems; 46% of the time suffered telecommunications failures; 43% of the time dealt with software problems. Source:
Because things happen! Floods, fires, 9/11, DDoS – even the target of WikiLeaks’ Anonymous DNS DDoS attack! (See DNS Express section.) What would happen if a catastrophic event hit your data center? How would users be redirected to their applications in another datacenter? How long would it take to redirect them? How much business would it cost in the meantime?

9 Protecting applications from DoS/DDoS
Cloud-hosted DoS/DDoS protection service Defense.net SaaS Internet Data Center Public Cloud

10 Web Application Firewall - WAF: identify, virtually patch, and block vulnerabilities
Audit applications with: Cenzic Hailstorm, QualysGuard Web App. Scanning, IBM Rational AppScan, WhiteHat Sentinel. Configure a protection policy with BIG-IP ASM. Block attacks on web applications.
Diagram labels: Hacker Data Center BIG-IP Application Security Manager Clients Internet Web 2.0 Apps Private Cloud Apps BIG-IP Application Security Manager
The scanner scans applications to identify vulnerabilities and directly configures BIG-IP ASM policies to implement a virtual patch that blocks web app attacks. BIG-IP ASM is now importing vulnerabilities, not patches; it effectively becomes a vulnerability management tool along with being a WAF. The net effect is enabling very rapid response, particularly in the instance where you're waiting for the third-party vendor to patch the vulnerability.

11 Globally managing user access and identity
Authentication, authorization, and SSO for all applications, everywhere (on-prem or cloud)
Diagram labels: Secure Web Gateway (URL Filtering / Internet App Control) Web Apps Internet Cloud based web security Cloud Apps Web Access management Internet Public Cloud Remote Access & Application Access Web Access Management Enterprise Apps Cloud based IAM Public Cloud Hybrid Cloud Cloud, SaaS, and Partner Apps Identity Federation SAML Private/Public Cloud Directory Services

12 Having an anti-fraud protection architecture
Diagram labels: Local alert server and/or SIEM Online Customers A Man-in-the-Browser Attacks Copied Pages and Phishing Web Fraud Protection Online Customers B Network Firewall Application C Security Operations Center Account Automated Transactions and Transaction integrity Amount Transfer Funds Online Customers
Highlight the multi-tenancy of the F5 SOC, web GUI, reports,… Reference architecture: fraud detection and protection components are stored and configured on BIG-IP.
Scenarios: Malware detection and protection, Anti-phishing, Transaction analysis A B C

13 Centralized administration
Diagram labels: SSL DDoS DDoS Traffic Management Centralized administration SSO LTE LTE Acceleration Centralized administration WAF Anti-fraud ADC Data Center Hybrid Cloud Public Cloud ADC
Whether you are managing a local datacenter, applications in a public or private cloud, or some hybrid model, your applications and the services they require should work seamlessly. The vision behind BIG-IQ is to allow automated, programmatic provisioning of applications and services to support applications, wherever they reside. (Click) Your network provides applications, sometimes hundreds of different applications, and the services they require. Need to add a service to an existing application, say traffic management or security? BIG-IQ can do that. Want to add a service? BIG-IQ can do that too. Want to move an application from one data center to another, or to a cloud? That should be simple to do as well. BIG-IQ provides the orchestration behind Software Defined Application Services; it is the glue that holds Synthesis together.

14 What does this mean for IT?
More innovation. Better alignment. Cost reduction.

15 And what does this mean for the business?
Faster go-to-market. Stronger customer engagement. Better application ROI.

16 Solutions for an Application World.

