White Paper

Cloud in a Vault Powered by NEC Nblock Infrastructure: Providing Secure Infrastructure-as-a-Service

By Tony Palmer, Senior Lab Analyst

October 2012

This ESG White Paper was commissioned by NEC and is distributed under license from ESG.
2012 by The Enterprise Strategy Group, Inc. All Rights Reserved.

White Paper: Cloud in a Vault Powered By NEC Infrastructure

Contents
Executive Summary ...................................................................................................................................... 3
Cloud in a Vault (CiaV) Powered by NECs Nblock Infrastructure ............................................................................ 3 NEC Nblock Integrated IT Infrastructure as the Foundation .................................................................................... 4

Growth of IaaS .............................................................................................................................................. 6 Challenges Remaining ................................................................................................................................... 7 Security Challenges ....................................................................................................................................... 7 Third-party Security Services ........................................................................................................................ 8
Internal Skills Gap ..................................................................................................................................................... 8 Global Skills Gap ....................................................................................................................................................... 9

Security Services Offered with CiaV ........................................................................................................... 10 Cost Savings with CiaV ................................................................................................................................ 10
Capital Expense Savings .......................................................................................................................................... 10 Operating Expense Savings..................................................................................................................................... 11 Strategic SLA Benefits ............................................................................................................................................. 11 Retractability .......................................................................................................................................................... 11

The Bigger Truth ......................................................................................................................................... 12

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

2012 by The Enterprise Strategy Group, Inc. All Rights Reserved.

White Paper: Cloud in a Vault Powered By NEC Infrastructure

Executive Summary
While still not as established as software-as-a-service (SaaS), infrastructure-as-a-service (IaaS) has gained noticeable mindshare in 2012, with 27% of organizations either using or planning to use IaaS, up from 17% in 2011. Many organizations continue to look for alternatives to mitigate the capital and operational expenses associated with traditional IT hardware deployments.1 For the purposes of this white paper, ESG defined IaaS as follows: Iaas is a computing model in which the equipmentincluding servers, storage, and networking componentsused to support an organizations operations is hosted by a service provider and made available to customers over a network, typically the internet. The service provider owns the equipment and is responsible for housing, running, and maintaining it, with the client typically paying on a per-use basis. This white paper concludes:

Acquiring network security through an IaaS offering is a viable strategy for many IT organizations. More than half of the respondents to an ESG survey either currently use or plan to use IaaS. This is a significant increase in visibility and usage for an offering that did not even exist a few years ago. IaaS is a cost-effective approach towards augmenting the network security skill sets. Competent network security personnel do not exist in adequate numbers for the jobs available. These resources are difficult to recruit and train. Significant capital and operating expenses can be saved through use of the right IaaS. The advantages of outsourcing do accrue in the case of IaaS, from the ability to refocus strategy on IT initiatives to the flexibility of optimal tactical resource allocation.

Cloud in a Vault (CiaV) Powered by NECs Nblock Infrastructure

NEC has built a partnership with Cyber Innovation Labs (CIL) to deliver a fully integrated and virtualized server, storage, and networking architecture to the market under the Cloud in a Vault solution based on NECs Nblock integrated IT infrastructure. The Cloud in a Vault solution is hosted in CILs Mount Pleasant, Illinois Data Center which also serves as a disaster recovery facility for NEC. Figure 1. Cloud in a Vault

Source: ESG Research Report, 2012 IT Spending Intentions Survey, January 2012. All other ESG research references and charts in this white paper come from this report, unless otherwise noted.

2012 by The Enterprise Strategy Group, Inc. All Rights Reserved.

White Paper: Cloud in a Vault Powered By NEC Infrastructure

To create a virtual infrastructure, service providers can piece together, test, configure, and deploy different components built by different vendors. This do it yourself (DIY) approach can take advantage of existing hardware and vendor relationships and provide best of breed flexibility. But it may not be best use of time and resources. Reference architectures can simplify the build process and take much of the guesswork and testing out of the equation, but they still require effort from IT and/or system integrators. Also, reference architectures may only operate under documented and certified design specifications. CiaV is a private cloud offering that combines the NEC Nblock integrated IT infrastructure with security, compliance (including PCI, HIPAA, ISO, and HI-TRUST), and monitoring in a hosted environment. CiaV enables organizations to align business projects with infrastructure coststhey can consume infrastructure as needed and incur monthly operational expenses only, without incurring capital expenses for equipment. The CiaV offering provides real market differentiators over other cloud computing offeringsaccountability, real dollar SLAs protection, and retractability (which guarantees that the customer can take possession of the entire infrastructure and their data with 72 hours of notice).

NEC Nblock Integrated IT Infrastructure as the Foundation

IT executives invest in relationships with vendors that they trust and admire. NEC has a long history in IT and a strong reputation to match. Given NECs commitment to their Nblock infrastructure, its reasonable that they would also base an IaaS offering on the same robust storage, network, and server platforms. By combining computing resources, storage capacity, and network bandwidth into consolidated pools that can be dynamically and automatically provisioned as needed, virtualization enables IT to be delivered and consumed by end-users as a service. Figure 2. NEC Nblock Infrastructure

Here are some reasons IT organizations should consider CiaV powered by NEC Nblock infrastructure for IaaS:

NEC Nblock infrastructure offers a hybrid approach to integrated computing for service providers, enabling them to combine various NEC solutions into a single unit using NEC best practices. Since all components are NEC products, they are optimized for tight integration. Additional NEC components can be added or upgraded as requirements change, making the solution more flexible than other integrated stacks. NEC enterprise servers, powered by Intel Xeon E7 Family processors, can accommodate up to 2TB of memory and 160 threads with modular in-box partitioning in a single 7U chassis. Representing the fifth generation enterprise server architecture from NEC, the Express5800/1000 servers provide configuration flexibility, capacity, reliability, and availability. These features and robust performance characteristics

2012 by The Enterprise Strategy Group, Inc. All Rights Reserved.

White Paper: Cloud in a Vault Powered By NEC Infrastructure

exploit the inherent functionality of the Intel Xeon processor series. NEC uses Intels Machine Check Architecture (MCA) to keep the servers running, even in the event of memory module failure.

NEC Fault Tolerant Servers The sixth generation FT series utilizes patented hardware lockstep technology to deliver up to 99.999% continuous uptime and full redundancy in all components. The FT provides availability, virtual CPU performance, and data integrity and preservation in hardware. NEC M-Series SAN Storage Built for reliability, efficiency, scalability, and ease of operation, the NEC MSeries storage provides 8GFC, 10GbE/1GbE iSCSI, and 6G SAS connectivity. M-Series supports enterprise and nearline SAS HDDs and SSDs in the same enclosure for flexible, tiered storage, and scales up to 1152TB with up to 48GB of cache. Enterprise functionality includes snapshots, replication, WORM, thin provisioning and non-disruptive management. MAID technology enables reduced energy consumption as idle disks are powered down. NEC HYDRAstor Grid Storage This third generation scale-out grid storage system is designed to deliver extremely scalable backup and archiving performance, with global deduplication for capacity efficiency and multi-generational hardware compatibility. NEC ProgrammableFlow Software-defined Networking (SDN) Next-generation data networking using open standards and advanced functionality to deliver the scalable, elastic network resources needed for virtualized and cloud environments. The solution leverages OpenFlow technology to deliver policy-based, intelligent data networking to ensure optimal performance and service delivery. It provides simple, centralized network control, and tracks network conditions to optimize performance according to custom policies. 365/24/7 remote monitoring and managed services come directly from NEC. Since NEC provides everything in the infrastructure from soup to nuts, customers have one throat to choke when they need support.

2012 by The Enterprise Strategy Group, Inc. All Rights Reserved.

White Paper: Cloud in a Vault Powered By NEC Infrastructure

Growth of IaaS
ESG asked survey respondents about their current and planned use of IaaS and found that 27% of organizations currently leverage these services in some form, and another 24% plan to do so (see Figure 3). As was the case with SaaS, usage of IaaS has increased noticeably, jumping from 17% in 2011 to 27% in 2012 (see Figure 4). Perhaps more significantly, the number of organizations with no plans or interest in cloud infrastructure services has dropped from 34% at the beginning of 2011 to 19% at the outset of 2012. Clearly a number of organizations feel that IaaS has matured sufficiently to the point that, if theyre not currently using it, its nevertheless a viable option as part of their IT strategy.2 Figure 3. Usage Trends for Infrastructure-as-a-Service (IaaS) Please indicate your organization's usage of or plans for infrastructure-as-a-service (IaaS). (Percent of respondents, N=614)
No use, plans, or interest at this time, 19% Don't know, 2% Currently use, 27%

No use or plans at this time but we are interested, 28%

Do not currently use but we plan to, 24%

Source: Enterprise Strategy Group, 2012.

Figure 4. Usage of Infrastructure-as-a-Service(IaaS) Increases from 2011 to 2012 Usage of infrastructure-as-a-service (IaaS), 2011 vs. 2012. (Percent of respondents)
30% 25% 20% 15% 10% 5% 0%

27%

17%

2011 (N=611)

2012 (N=614)
Source: Enterprise Strategy Group, 2012.

Source: ESG Research Report, Public Cloud Computing Trends, March 2012.

2012 by The Enterprise Strategy Group, Inc. All Rights Reserved.

White Paper: Cloud in a Vault Powered By NEC Infrastructure

The facts are plain to seeIaaS is here to stay:

Year over year spending on IaaS growth is accelerating. According to recent ESG research3, among outsourced offerings, only SaaS is growing more rapidly than IaaS. The marketplace has ratified IaaS as a viable solution. Cost reduction benefits provided by IaaS are manifold. In an age when its already assumed that IT can do more with less every year, the cost reduction benefits inherent in IaaS are hard to ignore. Some other entity owns and operates (and maintains and updates) an infrastructure (i.e., cloud) for a monthly fee, all inclusive. Whats more, if it becomes strategic to do so, it is now eminently possible to take the infrastructure back in house with very little notice. One service provider for an entire platform has numerous intrinsic advantages. Perhaps the single most important advantage of IaaS is having one throat to choke in case anything goes wrong. Any opportunity to avoid the finger-pointing that goes on in many support scenarios is a huge boon to senior managements ability to sleep well at night.

Challenges Remaining
IaaS has things to prove before its universally accepted. One key criterion of success is longevity, and IaaS is a nascent rather than established platform. The exponential expansion of IT into every aspect of modern business has presented plenty of challenges. Here are some crucial features that IaaS must have to become firmly established:

Security is a grave threat to reliability. IT executives are no longer nave about the dangers posed by many well-documented types of security breaches. IaaS vendors need to be at the top of the class in terms of information security, across the board. Scalability is a mountain and no one knows its height. The fact that processing power has doubled every 18 months for three decades has great impact on the expectations of computer users. If an IaaS program lacks documented proof of scalability, it will fail. Resiliency is the antidote to business continuity concerns. Business interruptions strike fear into the hearts of C-level executives. Any IaaS offering that doesnt include resiliency guarantees will not be successful.

Security Challenges
The concept of featuring security features, expertise, and support as the leading edge of an IaaS product produces cloud in a vault solutions. The consensus is that security may be the toughest IT challenge on the horizon. As the notion of the cloud is pervasive, a way to distinguish one from another is to emphasize just how secure its vault is. Here are some aspects of a secure IaaS:

Security-as-a-service is a category of IaaS in which security is central. Compliance is often a component of security-as-a-service. Numerous organizations across countless verticals are required to comply with standards that range from PCI to HIPAA to ISO. Rolling specific compliance auditing into this kind of offering can set it apart from its competition. Reporting on security events provides important transparency. Forensics on threat-handling and other triage of potential security events provides value to IaaS customers. Physical security is an obvious yet vital component. IaaS vendors operate the type of enterprise-class facilities that make physical security a given. With all the other worries on the minds of IT executives, physical security needs to be part and parcel of IaaS. General security services are offered out of the box. A baseline of security services is bundled into IaaS products. Customers can request additional features if they so desire.

Source: ESG Research Report, 2012 IT Spending Intentions Survey, January 2012.

2012 by The Enterprise Strategy Group, Inc. All Rights Reserved.

White Paper: Cloud in a Vault Powered By NEC Infrastructure

Third-party Security Services

Many organizations plan on using third-party security services in 201217% of organizations surveyed by ESG for a recent research report will use professional or managed services extensively this year, while another 45% will use third-party professional or managed services to some extent in order to meet their information security requirements (see Figure 5). ESG also finds it noteworthy that 32% of security management and operations leaders will use third-party professionals or managed services extensively in 2012 as compared to 17% of the overall survey population. Why? ESG suspects that leaders are far more aggressive at finding mundane security tasks to outsource as well as isolating areas where they need external expertise and internal skills may be lagging. 4 Figure 5. Planned Use of Third-party Professional/Managed Services in 2012 Will your organization use third-party professional or managed services to meet its information security requirements in 2012? (Percent of respondents, N=315)

Dont know, 5% Yes, extensively, 17%

No, 33%

Yes, somewhat, 45%

Source: Enterprise Strategy Group, 2012.

Internal Skills Gap

As information security becomes increasingly business-critical, more and more large organizations will be forced to overcome internal skills gaps and hiring challenges with third-party service alternatives. The research data indicates that this is already happening: 16% of enterprises say they will increase their use of third-party managed and/or professional services substantially over the next 24 months, while another 42% will increase their use of third-party managed and/or professional services somewhat (see Figure 6).5

4 5

Source: ESG Research Report, Security Management and Operations: Changes on the Horizon, July 2012. Ibid.

2012 by The Enterprise Strategy Group, Inc. All Rights Reserved.

White Paper: Cloud in a Vault Powered By NEC Infrastructure

Figure 6. How Use of Third-party Professional/Managed Services has Changed How has your organizations use of third-party professional or managed security services changed over the past 24 months? (Percent of respondents, N=196) Dont know / no opinion, 1% Increased Decreased substantially, 16% substantially, 1%

Decreased somewhat, 6%

Remained about the same, 35% Increased somewhat, 42%

Source: Enterprise Strategy Group, 2012.

Global Skills Gap

Why are these organizations consuming more security services? ESGs hypothesis was that security service growth was a result of the growing global shortage of security skills. The data gathered for the survey verifies this theory. Large organizations are increasingly turning to service providers for specialized security skills or to supplement the internal security staff (see Figure 7).6 Figure 7. Reasons for Increasing Use of Third-party Security Services What are the primary reasons for increasing the use of third-party security services at your organization? (Percent of respondents, N=114, multiple responses accepted)
Security service providers can perform certain security tasks better than we can New types of security threats persuaded my organization to seek outside expertise Dont have a large enough security staff to handle all security responsibilities Dont have specific security skills in house so the organization decided to outsource security tasks Security is not core to the business so my organization decided to seek outside expertise My organization experienced a security breach which led us to seek out more security services and expertise Couldnt recruit/hire enough security expertise so we had no choice
0% 10%

39% 34% 29% 28% 27% 24% 20%

20% 30% 40% 50%

Source: Enterprise Strategy Group, 2012.

6

Ibid.

2012 by The Enterprise Strategy Group, Inc. All Rights Reserved.

White Paper: Cloud in a Vault Powered By NEC Infrastructure

10

Given the shortage of security skills, it is not surprising that 62% of enterprises plan on using third-party professional or managed security services in 2012. Additionally, 16% of large organizations say that their use of third-party professional or managed services has increased substantially over the past 24 months while 42% say that their use of third-party professional or managed services has increased somewhat over the same period. Security management and operations leaders are most active here36% say that their use of third-party providers has increased substantially over the past 24 months. The top four security services currently used by organizations are security design (33% of organizations), security/risk management/regulatory compliance assessments (30%), network monitoring (30%), and threat management intelligence (30%). Combined with the security skills shortage, security management complexity and urgency is driving a sharp increase in enterprise use of professional and managed security services in areas such as security architecture design, threat intelligence, and network monitoring.7

Security Services Offered with CiaV

In todays IT world, the provision of security services, whether in-house or by a third party, is a tricky and perilous undertaking. There is a leap of faith required to outsource security services, which requires a deep trust in the vendor partner and the confidence that it will be a true partnership. NEC is the kind of company that has developed the trust of the industry over its long history. CiaV is a private cloud offering that combines the NEC Nblock infrastructure with security and compliance (including PCI, HIPAA, ISO, and HI-TRUST) in a hosted environment. The inclusion of compliance-as-a-service is particularly challenging as there are numerous requirements for each compliance initiative and they are constantly changing. NEC and CIL provide CiaV by combining base services and program services with additional components in the queue. The base services include the physical environment, servers, storage, networking, virtualization (up to the hypervisor), with OS coverage dictated by the customer. Facilities, including the NOC and maintenance, are also part of the base offering. The program services cover general guidance, onsite assessment, compliance-as-a-service, Web application testing, and penetration testing. Additional services to be added cover log management, monitoring and alerting, ASV scanning (11.2 PCI requirement), plus advanced malware and threat protection.

Cost Savings with CiaV

CiaV is positioned to save money in capital and operating expenses for its customers. Its strategic advantage comes in the form of improved service levels: a third party specially trained with the right skills provides security and compliance expertise allowing a refocusing on internal core competencies.

Capital Expense Savings

The savings in capital expenses from CiaV come in these areas:

No upfront investment Opportunity costs One-vendor advantages

With CiaV there is zero capital expense to the customer. Organizations need to factor in the cost for a capital purchase comparable to CiaV. What other strategic initiatives could be addressed with said capital? Because NEC engineers and manufactures every component used in the technology stack, it can deliver it at a price point that cannot be met by multi-vendor offerings. A recent use case was brought to the attention of ESG that illustrates this point well. A customer requested a competitive quote for disaster recovery; the CiaV offering

Ibid.

2012 by The Enterprise Strategy Group, Inc. All Rights Reserved.

White Paper: Cloud in a Vault Powered By NEC Infrastructure

11

(servers, storage, network, and replication appliance) was one-third the price of the storage alone from another vendor.

Operating Expense Savings

The savings in operating expenses from CiaV come in these areas:

Resources Facilities Maintenance

CiaV requires one simple monthly payment. Fostering simplicity in the complex world of IT can be a very good thing. Organizations considering CiaV need to consider the resource costs necessary to support the infrastructure on their own: a 24/7 NOC, engineering and support personnel on staff, plus training to stay current. There are significant costs to operate a data center, including maintenance contracts and services, electricity for power (UPS/CRAC/PDU/emergency systems/security controls/genset/fuel), and cooling. In addition, expenses related to circuit installation and ongoing bandwidth consumption are certainly not optional if you own and manage your own infrastructure. Maintenance contract costs account for as much as 20% of the original capital expenditure annually. Software must be licensed and renewed. Audit and compliance represent additional areas where investments must be made. Failure to comply with PCI, HIPAA, and other standards can have grave financial repercussions. The sheer volume of material management costs money and distracts from more strategic concerns. Whats more, on top of a network operations center, organizations will need a dedicated security team to manage, including 24/7 incident response.

Strategic SLA Benefits

The strategic benefits of improved service levels can have a profound effect on an organization. SLAs translate directly to the bottom line, as businesses who offer their customers SLAs must keep their services and offerings online or pay financial penalties (not to mention risk losing loyal customers). Unless a company is a service provider themselves, providing a CiaV-like service is not their core competency. If a given organization attempts to provide such a service, it will result in higher costs, operational inefficiencies, and greater risks to the business. CiaV offers serious business value in the form of hard dollar SLAs that guarantee uptime service levels will either be met, or the provider will be responsible for losses incurred because of the outage.

Retractability
Organizations that outsource business- or mission-critical applications with highly sensitive data (medical, legal or employee records, for example), must consider the real possibility that they may find themselves in a situation where they must bring those assets back in-house. Migrating tens or hundreds of terabytes of sensitive data from the cloud provider back to the businesss internal data center introiduces a tremendous amount of risk and expense in the form of infrastructure and bandwidth costs as well as the extended time window required to move very large data sets. Retractability is the contractual right of an organization using CiaV to bring the entire infrastructure in-house with 72 hours of notice. This enables organizations to take advantage of the many benefits of outsourcing via a service provider, while retaining control over their outsourced assets. CiaV is the only private cloud service with a 72-hour retractability clause ESG has encountered as of this writing.

2012 by The Enterprise Strategy Group, Inc. All Rights Reserved.

White Paper: Cloud in a Vault Powered By NEC Infrastructure

12

The Bigger Truth

The era of owning and operating your own infrastructure is rapidly coming to an end for many organizations, large and small. There are compelling advantages of focusing on internal strategy and letting third-party expertise provide computing platforms and their support. IaaSas long as its provided by a reputable vendor with a solid list of reference accountslets customers consume infrastructure just like they consume power or bandwidth. As enterprises start to look at infrastructure-as-a-service for their private clouds to reduce costs, the ability to deliver an agile and highly available IaaS solution that meets stringent security requirements for the business will be a differentiator in the market. NECs strong partnership with CIL delivers the kind of solution companies will gravitate to as the need for filling security requirements increases and the ability to fill those requirements in-house diminishes. NEC provides one-stop shopping for all hardware components of an infrastructure stack as well as management software. The common architectural platform enables the NEC Nblock infrastructure to offer the flexibility of a DIY stack with the ease of deployment and management of an integrated computing platform using reference architectures. When a service provider blends NECs products and services with its own program of management, security, and compliance offerings, the results can be compelling. NEC has built a reputation in IT that it is now leveraging to lift significant burdens from its customers and provide them with an alternative to building out and owning multiple production data centers. In addition, NECs experience delivering cloud-based infrastructure services from their own data centers adds to their knowledge; having all support services delivered by NEC doesnt hurt either. Customers looking to the cloud as part of their cost containment strategy will find the CiaV powered by NEC Nblock solution not only fits that need, but also provides a critical component in delivering those services to meet security and compliance requirements.

2012 by The Enterprise Strategy Group, Inc. All Rights Reserved.

20 Asylum Street | Milford, MA 01757 | Tel: 508.482.0188 Fax: 508.482.0218 | www.esg-global.com