Cloud Seeding

Editor's Notes

• #2: Good Morning and thank you for taking your time to be here today… NEWS For the next 40 minutes or so, I would like you to consider that you have tuned into a your favorite local weather station. The accuracy of this forecast or presentation may vary depending on where you live. And I think it is safe to say, in the context of the CSAsummit, that today it will be mostly “cloudy”.  We will review traditional IT/Network Infrastructure, that if implemented right, can enable successful hybrid cloud initiatives. With the short time we have, I hope the “sound bytes” presented stir your interest and inspire further discussion and reading in the area of cloud computing.
• #3: This presentation represents my opinions and thoughts and not that of my employer… Slides are available on the CSAcolorado.org website…or contact me… Lets have a conversation…please do ask questions during the presentation. Many of the themes in this presentation are backed up by third party references—not just joe’s opinions.
• #4: “Cloud Seeding…” == nuggets of information…I hope you are able to refer back to this presentation… Information in this presentation is a combination of my own experiences, attending conferences, experience shared by my peers, general white paper, blog reading and webinars. Hopefully will have saved you some time collecting this information… All this ties back to the quest for great craft beer.  SnowFROC (Front Range OWASP Conference) is Denver's premier application security conference and is taking place Thursday March 8th 2018. The location of this event is The Cable Center on the University of Denver campus near I-25 and University. 
• #5: Let’s talk Hybrids; Operational challenges when implementing Hybrid Cloud is the focus of this presentation, yet not exclusively…some aspects do touch on PaaS and SaaS Traditional Companies: Unless your company was born in the cloud, we are all dealing with Hybrid environments.
• #6: Sold for a fee-inclusive price of $483,400 at the Bonhams Amelia Island sale on Thursday, March 10, 2016… This presentation is mainly from the perspective of established enterprises. Comments tend to focus on Hybrid cloud initiatives. There are new manufacturing techniques that enable us to build better hybrid cars and clouds… 1912 Cadillac was the first car manufacturer to offer electric starter in their cars.. Wiki: First clouds… AWS EC 2006 Azure 2010 Nasa Nebula 2008 – open source
• #7: Usually silver iodide “smoke” is dispensed from planes. What industries care about cloud seeding…other than ski resorts…Energy Companies and Water Districts Statistics show that Cloud Seeding improves snow production ~5-10% ; Cloud seeding is still more theory than fact. Dr Jeff French has a project to change that…last week. SNOWIE project University of WY Dr. Jeff French ATMOSPHERIC SCIENCE http://www.9news.com/weather/this-project-could-answer-if-changing-the-weather-through-technology-is-possible/488620797 As snow and rain need a nucleus of dust to be productive; digital clouds need “networks” of some flavor to be productive. I will be inserting “Cloud Seeds” or quotes and information I hope you will find useful in these slides. Source Google: Science. According to the World Meteorological Organization's International Cloud Atlas, over 100 types of clouds exist! But although there are so many variations, each one can be divided into one of ten basic types depending on its general shape and height in the sky. Dust” is necessary to create rain/snow…ice begin forming when water vapor condenses on micrometer-sized particles of dust floating in the atmosphere. The dust particles grow to millimeter-sized droplets, which are heavy enough to begin falling. As they fall, the droplets accumulate more and more moisture, until they become the large snowflakes or raindrops that we see here on the ground.
• #8: Prototyping tends to move quickly, but moving Clouds initiatives to production operations can be frustrating. Successful cloud initiative are challenging to get right. Weather forecasters have tools and experience to help with accuracy in forecasting. As the tools improve , like weather satellites etc…the weather forecast accuracy has improved. As Cloud management and orchestration tools improve it should help forecasting successful cloud initiatives.
• #9: Ask the audience for show of hands… Scale 1-5 who has a 5, who had 3 or 4 and I wont ask how the rest went. What worked and what still needs work…? No two cloud initiatives are the same, even within a company. They likely have different compliance and regulatory issues to deal with.
• #10: This slide is somewhat data or oversimplified…there really is no dotted line… ;-) One theme, consider if we still need traditional skill sets like network architecture to enable cloud. Add multi-cloud to the hybrid definition… Add on prem private cloud provided by Azure and others… Rarely is it an either or; normally both. The key tends to be--what data is involved, governance, compliance and regulatory restrictions.
• #11: Cloud projects tend to come from two direction… How do Cloud initiatives get started? Top down: $$$$$ TCO; project that suggested moving 100+ apps to the cloud. After vetting the apps for cloud about two dozen were actually candidates for the cloud and performance issue limited which could move out of the 25. Some with true agile environments might chuckle at the 18month time frame… ;-)
• #12: This is typically new techniques and applications vs. legacy apps… Bottom up: pressures form the business to move quickly to market with new products and mobile products; later we will dive into the network architecture that will enable Cloud Center and CAM—from CenturyLink Want to use CliQr aka Cisco Cloud Center or CAM Cloud App Manager -- CTL PaaS DevOps; look mom no OS to manage ;-) SAP Hana PaaS & other SaaS gateways or API connectors
• #13: No matter which direction the cloud initiatives come from, like most IT projects, things tend to be over simplified…$$$ savings??
• #14: Example of a contrasting view that cloud can save you $; Like VMware, if not managed correctly, cloud “sprawl” will create budget overruns. Corp Governance to keep costs in check vs. allowing for development creativity… http://lumecloud.com/ as an example of an AWS competitor’s view on cloud; not going to go into these hidden costs in this presentation but a tickler/seed for further reading
• #15: The first request that IT/Network operations will receive from folks is simply build us a VPN… The VPN is straight forward enough to create… Opening Pandora's box if you do not have supporting infrastructure deployed. We need the supporting IT infrastructure to make sure we are meeting InfoSec and Governance policies regarding Data, Access, Logging etc… Are the DevOps teams following tradition DMZ governance and policies?
• #16: Dev-Sec-Ops ? Few things to consider… How much can we enable our development teams to take on? No matter who is tasked with providing or managing the security at your company, cloud security is a Shared Security Model. SIEM security information and event management  DevOps owning Security? Still a struggle for the industry as it is still not part of a developers DNA. Many traditional development teams do not make network, firewall or load balancing infrastructure decisions… IT, Network and Security architects are still needed to design the cloud enclave or DMZ--or you need really expensive talented highbrow SecDevOps folks
• #17: Remember “We have been here before…”; be methodical in approaching your cloud projects and initiatives and you will likely save yourself from struggling with pitfalls.
• #18: Point out that this is a well known and standard applications…and it is still a challenge, what about portability… Using SharePoint today…what is involved if you move to Google tomorrow… How do we improve our operations teams, so they and the infrastructure are ready for cloud?
• #19: On the topic of planning…if it were easy, there would not be CSBs Hybrid Cloud for established IT shops is not trivial…there is a lot to learn and a lot to be gained by a successful cloud deployment. Security and Visibility need to have parity with traditional corporate governance, compliance, policies and controls. Traditional MSPs like AT&T just announced Cloud Services Broker offerings in Q4 2017.
• #20: XaaS folks have some other typs of “aaS”? Anyone using FedRAMP? Can you share? PCI: Payment Card Industry; SPI == SaaS PaaS IaaS, LAMP == Linux Apache Mysql, Php; HIPAA; Health Insurance Portability and Accountability Act Platform, Infrastructure; Platform as a Service -- Azure, Software as a Service – SalesForce; Infrastructure as a Service -- AWS, Environment as a Service – IBM SkyTap; EaaS == Enterprise as a Service; IDaaS; BDaaS BigData as a Services; LaaS: Lab as Service; Just because the cloud has a compliance rating like PCI does not mean your app does…you still own that part of PCI. Capped apps? DevOps considerations? Hadoop? LAMP? Big Data, AI etc… Governance & Compliance considerations, PCI, HIPAA, FedRAMP etc
• #21: Top cloud providers from Forbes hot off the press…MS#1 and IBM#3 IBM highly successful emphasis on transforming its vast array of software expertise and technology from the on-premises world to the cloud. … helping big global corporations convert legacy systems to cloud or cloud-enabled environments
• #22: Think of this in some ways as if you were opening your own new private datacenter…that is a well known activity.
• #23: Product can also be discontinued… Clouds are changing at an unprecedented rate; offering new products and techniques to solve complex IT challenges. What happens when a CSP discontinues a product?
• #24: Do you select the apps you want to move to the cloud before you select a cloud??? Network latency is often overlooked… “Answer: The First…” from an infrastructure perspective, you need to have your ducks in a row, security parity between on cloud and private on prem etc… Data is king of the cloud… If you don’t do a good job of vetting your apps for the cloud…next slide General Data Protection Requirements How is your data going to get to the cloud, SSH, SFTP, TLS, IPSEC VPN or dedicated circuit? How are you going to create your corporate standard system images in the cloud? Can it be automated or how much can be automated? Consider PaaS or SaaS…? What if some apps live in one cloud or even another cloud, but no master account to help control “cloud sprawl”? CliQr is good at managing the apps but not he cloud infrastructure. How does moving to the cloud impact your current operations processes, like change control? How do you grant access to cloud resources private/public? Corporate vs. Customer How will you keep track and audit data that is in the cloud?
• #25: What happens if you don’t get the planning right…based on this stat, this is more common than we would like All apps don’t fit in the cloud…this is not because the cloud didn’t work but the apps were not vetted well. Also, things like cloud licensing structures and response times to on prem my be counter productive to cloud.
• #26: The goal is to shed light to increase the success of hybrid cloud projects… Data point 70% …Forbes Likely moving to a 60% Cloud 40% on premise private Hybrid Cloud…these numbers may vary based on where you live ;-)
• #27: Two major approaches to cloud are to extend the data center and enable the edge…you might do some of both. Fog ( Cisco ) IoT related streaming data
• #28: VPN connectivity is a good place to start extend the datacenter to the cloud…if you have supporting infrastructure… Companies have done a good job of providing for services in an on premise DMZ…I would encourage your next DMZ to be in the cloud. Stretch or drag the DMZ from a network perspective to a cloud provider. Parity: Purchase DDoS protections from your ISP for your traditional DMZ and IGW…does Cloud DDoS offer parity? How and can they be integrated? Does it matter?
• #29: Read this slide…excellent points!
• #30: So what does “dedicated” connectivity look like… This is fine for “private”…but will you consume “public” same as folks outside the organization.
• #31: Leverage DIA and traditional infrastructure… Still need tradition infrastructure or networks for the SD-WAN overlay…SD-WAN includes VPN/DIA SD-WAN Generic white box hardware Layer 7 routing decisions Services chaining, LB or FW IPSEC is its first language
• #32: Be mindful, networks can be a source of problems;
• #33: Still need IT/Network operations to build the initial underlying infrastructure… Wait, I don’t need network admins anymore its all in the cloud…you mean my app team gets to manage the FW in the cloud via DevOps? Yikes? European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe. The Agency is located in Greece with its seat in Heraklion Crete and an operational office in Athens. Update (7/13/2017): Since this post was published, IPv6 supported has been extended and now supports 15 Regions and Multiple AWS Services.
• #34: How do we enable the business to be more agile…Setup an environment to enable DevOps and get out of the way. ;-) Two major approaches to cloud are to extend the data center and enable the edge…you might do some of both. Fog ( Cisco ) IoT related streaming data Building blocks & Visibility – think back to enabling the DMZ Authentication Security Logs IT processes, trouble tickets, trouble shooting, change control etc… Governance –translate our on premise processes to the cloud…?
• #35: “Be the Cloud…” Everyone should get started building a “hello mom…” app in the cloud. This will highlight all the governance, compliance and InfoSec challenges that need to be dealt with before you have a Top down move 100+ apps initiative. SaaS in “your” DMZ…get back into the application proxy business…CASB,(cloud access security brokers) We are all good at exposing things to our customers via a traditional DMZ…websites and apps… CASB tries to fill the gap to empowering seem less hybrid cloud environments—changing quickly… Key architecture…compare web proxy and xml proxy for exposing “internal” APIs Consider exposing APIs, securely in your DMZ…API proxy, API or XML gateways and API connectors….owned, enable, empower the DevOps initiatives. Why? Consider the time to create a network path between you and your partner…VPN, dedicated circuit, FW changes…change control. Now consider if the DevOps team had a proxy…say XML gateway of sorts to securely expose data apps outside the traditional datacenter…you may be your own consumer of this… Use SIEM logs as another example.
• #36: How Hybrid Clouds Connect to Your Network; Understanding and Mitigating the Risks of VPN-to-Cloud and Cloud Application Gateways – Michael Beesley https://go.skyportsystems.net/2017-09-21-webinar-uws-2lp.html
• #37: Lastly, clouds are evolving and are very dynamic. New features are added quarterly…
• #38: Cloud technology is changing so fast I am not sure traditional books are the best place to get current information. If anyone has some good Cloud book titles to share please to send them along… Underscore the VPN-less architecture of API gateways in the DMZ.
• #39: Tarball  Docker  Kubernetes; Kubernetes allow for infrastructure scheme designs…like load balancers and firewall rules. The next level of Orchestration…. Anyone using Cisco ACI in their datacenter today? Note the Cisco Announcement above… Cisco ACI = Application Centric Infrastructure https://blogs.cisco.com/news/aci-anywhere
• #40: Who needs a car like this…? Who wants a car like this…? SUV NetFlix is the “cloud” supercar…most companies will never need this car…but by being diligent and methodical in analyzing your needs your hybrid/car/cloud will be productive. Most companies will end up with a more practical form of car/cloud such as a truck/van or SUV. The dust particles that the moisture formed on were delivered in the rain drops to your car. Car tip, don’t try and save water, and wash your car while it has rain drops on it…as it will scratch the paint finish ;-) Always rinse the car first and always use a high quality soap…never use dish soap to wash you car as it will remove the wax.
• #41: If you are not yet involved with the CSA, I was sitting where you were a year ago… Colorado CSA CCSK study groups…mention Mohamed Malki CCSK was a bit more on policy side vs. technical or implementation guide.