White Paper

Secure Multi-Tenancy
with NetApp, Cisco, and VMware
By Mark Bowker and Terri McClure

April, 2010

This ESG White Paper was commissioned by NetApp and is distributed under license from ESG.
© 2010, Enterprise Strategy Group, Inc. All Rights Reserved

White Paper: Secure Multi-Tenancy with NetApp, Cisco, and VMware

Contents
A Secure, Virtualized Data Center
    A New Consumption Model
    NetApp, Cisco, and VMware Secure Multi-Tenancy
Aligning Top IT Priorities with Secure Multi-Tenancy
    Challenges and Priorities
Converged, Secure Infrastructure with NetApp, Cisco, and VMware
    Cisco
    NetApp
    VMware
    What Matters in a Converged Environment?
    Priority Alignment between Top IT and Business Initiatives
The Bigger Truth

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at (508) 482-0188.


A Secure, Virtualized Data Center


The transformation of the enterprise data center is well underway thanks largely to virtualization technologies. While initial efforts focused on the efficiency and cost savings of consolidating individual servers, advancements in the network, storage, and server layers are unleashing the power of virtualization for the data center and, indeed, the business as a whole. This virtualization platform involves complete abstraction across all infrastructure, creating a cohesive fabric of IT capacity that is supplied to the business as needed.

But, as is often the case, great changes bring with them new problems: formerly separate applications and business processes are now sharing the same hardware. How do you keep them secure, private, and confidential? As applications are migrated to a virtualized platform, they must still adhere to security, compliance, and audit policies generated by corporate and industry overseers. Virtualization promises great improvements in resource utilization along with consolidation and operational efficiency, but it must not compromise the security of applications and data.

In the physical data center, segmenting applications is simple: each application has its own dedicated equipment. However, servers and storage devices are chronically underutilized (with typical utilization rates of 5%-10% for server CPU and 30%-40% for storage) and resources are held captive and unable to be shared. Operational overhead is excessive as devices and applications must be managed individually and it is extremely difficult to respond quickly to the changing needs of the business because adding an application requires a series of procurement and configuration tasks that take time. In essence, the physical data center lacks agility.

When applications share infrastructure, both security and separation must be guaranteed from the server layer through the network and storage layers. Secure multi-tenancy guarantees the logical separation of virtual resources in a shared physical infrastructure, which includes ensuring that there is no logical crossover of virtual machines sharing a physical server. Organizations in every industry need to isolate various kinds of data, whether that involves maintaining HR, finance, and customer records; separation of data by internal business unit; keeping patient records safe; isolating student enrollment details from commercial research; separating production data from test and QA; and on and on. Service providers that host applications, data, and compute capacity for multiple customers on shared infrastructure have an obvious need to ensure secure isolation. For some application owners, a lack of confidence in IT's ability to keep data secure and isolated has prevented them from taking advantage of the virtualization/consolidation paradigm.

A New Consumption Model


Advancements in virtualization and infrastructure consolidation are changing how technology is consumed. Typically, infrastructure is bought as piece parts (servers, network switches, cables, storage devices, disks, etc.) and the pieces are then bolted together. IT is charged with figuring out how the pieces work, training staff to use them properly, and provisioning them to support applications or business processes. Changes in the consumption model have given rise to capacity that is purchased in pre-integrated units that include compute, network, and storage resources. These units accelerate time to market and make it easier to keep up with rapid growth as capacity can be served up much faster. This model also streamlines IT operations by eliminating the need to pull together disparate resources and integrate them in real time. As organizations add virtualization investments, they rely more and more on reference architectures and application blueprints built for these infrastructure bundles.

NetApp, Cisco, and VMware Secure Multi-Tenancy


Three industry leaders have extended their long-term partnerships to offer an integrated, tested, and fully validated infrastructure solution that includes server, storage, and networking hardware and software. Individually, their technologies are among the industry's best; together, they offer unique synergies that simplify the deployment and management of infrastructure and applications. Their unified solution operates as a service-oriented architecture and guarantees application isolation with proven, integrated technologies that deliver end-to-end security to protect digital assets in flight and at rest. Close collaboration has resulted in a secure multi-tenancy solution with reference architectures, a Cisco Validated Design, and coordinated support.

Aligning Top IT Priorities with Secure Multi-Tenancy


According to recent ESG research, increased use of server virtualization is topping the IT priority list (see Figure 1).[1] Virtualization is driving up consolidation and efficiency, but organizations are also aware that they need to virtualize in a secure fashion, as shown by information security initiatives being a top IT priority.

Figure 1. Most Important IT Priorities in 2010

What are your organization's most important IT priorities over the next 12-18 months? (Percent of respondents, N=515, ten responses accepted)

Increase use of server virtualization: 33%
Information security initiatives: 28%
Improve data backup and recovery: 27%
Upgrade network infrastructure: 27%
Manage data growth: 25%
Major application deployments or upgrades: 24%
Data center consolidation: 23%
Business continuity/disaster recovery programs: 21%
Large-scale desktop/laptop PC refresh: 20%
Regulatory compliance initiatives: 19%
Desktop virtualization: 18%
Major database deployments or upgrades: 18%
Mobile workforce enablement: 17%
Improve collaboration capabilities: 17%
Deploy unified communications / voice-over-IP (VoIP): 16%
Enterprise content management / document management: 16%
Green initiatives: 16%
Business intelligence/data warehouse initiatives: 14%
Deploy unified computing solution: 13%
Implement IT governance framework (e.g., ITIL, COBIT, ISO 27001, etc.): 13%
Increase use of IT outsourcing: 12%
Increase use of "cloud computing" services: 12%
New data center construction: 10%
Applications delivered via software-as-a-service (SaaS) model: 9%

Source: Enterprise Strategy Group, 2010.

Recognizing the value of virtualization, organizations are looking to expand on their early success. Consolidation, data protection, business continuity, and improved operational processes are all top of mind for these organizations as both the reasons to virtualize and to meet application delivery requirements. The good news for customers is that NetApp, Cisco, and VMware all have existing solutions that deliver in these areas. When these solutions are integrated into one unit, customers benefit from simplified access and accelerated deployment with large-scale solutions that will further their virtualization objectives.

[1] Source: ESG Research Report, 2010 IT Spending Intentions Survey, January 2010. Unless otherwise cited, all statistics come from this report.


As Figure 2 demonstrates, consolidation remains a primary reason for server virtualization: 48% of organizations cited consolidating more physical servers onto virtualization platforms as a top initiative. In addition, 37% put improving backup and recovery of virtual machines near the top of the list. Consolidation is efficient, but it can complicate backup. Most backup/recovery applications were built for a single host, not multiple virtual machines, on one piece of hardware. Strides have been made, but virtual machine backup and recovery remain challenging. Also, 36% of organizations say they want to expand the number of applications running on virtual machines, indicating that they are pleased with the results so far and want to broaden deployment to increase the benefits. Tier 1 applications are next on the list, though they are viewed with some trepidation.

Figure 2. Top Server Virtualization Initiatives in 2010

Which of the following would you consider to be your organization's top server virtualization initiatives for 2010? (Percent of respondents, N=345, five responses accepted)

Consolidate more physical servers onto virtualization platforms: 48%
Improve backup and recovery of virtual machines: 37%
Expand number of applications running on virtual machines: 36%
Make use of virtual machine replication for disaster recovery: 32%
Increase security of virtual server environment: 23%
Improve operational processes for managing virtual environments: 21%
Move more applications from test/development to production environment: 21%
Deploy a storage virtualization solution to support virtual server environment: 18%
Implement virtual machine mobility / HA (high availability) functionality: 18%
Integrate virtual environments into existing management software frameworks: 15%
Purchase third-party management software for virtual environments: 9%
Evaluate alternative hypervisor solutions/vendors: 8%

Source: Enterprise Strategy Group, 2010.


Challenges and Priorities


As they increase their investments in virtualization, IT operations and application owners note a number of challenges and priorities that they want to address. During consolidation, meeting compliance mandates and retaining the ability to prove out security and compliance measures across the infrastructure become extremely important. This is essential not only for regulatory compliance and corporate governance, but also for building confidence with application owners. Without this confidence, application owners may continue to resist virtualizing.

When workloads are running on segregated physical servers, security is easy to ensure and demonstrate; it is more challenging when workloads share a common pool of resources. A consolidation effort should therefore include the business security and compliance teams in order to identify potential areas of risk. As they become engaged in the process and understand the real and perceived risks of virtualization, resistance subsides.

Another reason for concern among application owners and risk managers is a lack of end-to-end visibility for deployment, change management, and auditing. When the application resides on its own hardware, identifying changes and compliance details is fairly simple. When multiple applications reside on the same host, applications can play hide and seek with the infrastructure and specific application attributes are not as easy to recognize.

Optimizing service levels for a geographically dispersed global workforce is part of IT's job, and easier done on application-specific hardware than in a shared environment. Application owners and users must continue to get the performance and availability they require regardless of the deployment. If they do not, the effort is doomed to failure.

In a recent survey, ESG asked respondents what business initiatives would have the greatest impact on their organizations' IT spending decisions over the next 12 to 18 months. Comparing responses from a similar survey in 2009, it's clear that cost reduction is no longer the sole business priority. While it remains among the most important, it has decreased in relative ranking since 2009 while other initiatives have taken its place, notably business process improvement, security and risk management, compliance, and business intelligence. This is a clear indication that organizations are ready to return to a focus on improving business efficiency, not solely cost reduction, and makes this type of solution timely (see Figure 3).


Figure 3. Business Initiatives Expected to Have the Greatest Impact on Spending Decisions

Which of the following business initiatives do you believe will have the greatest impact on your organization's IT spending decisions over the next 12-18 months? (Percent of respondents)

[Bar chart comparing 2009 (N=492) and 2010 (N=515) responses for: cost reduction initiatives; business process improvement initiatives; security/risk management initiatives; regulatory compliance; business growth via mergers, acquisitions, or organic expansion; improved business intelligence and delivery of real-time business information; green initiatives related to energy efficiency and/or reducing company-wide environmental impact; research and development innovation/improvement; international expansion; new collaborative tools and business processes utilizing Web 2.0 technologies such as blogs, wikis, social networking services, etc.]

Source: Enterprise Strategy Group, 2010.


Converged, Secure Infrastructure with NetApp, Cisco, and VMware


At this point, it should be clear that IT wants to improve service levels to the business and reduce costs by consolidating server infrastructure, maximizing asset utilization, and automating routine tasks. As organizations look to expand server virtualization in the coming year, one challenge will be to take this strategy to critical business applications such as Tier 1 Windows workloads, Oracle, SAP upgrades, etc. For many, the easy applications have already been virtualized and the strategy has proven useful. Now comes the more difficult task of convincing Tier 1 application owners to take the plunge, bringing security to the top of the requirements list.

The converged, secure infrastructure offered by NetApp, Cisco, and VMware goes a long way towards delivering secure multi-tenancy that enables an organization to partition shared infrastructure however necessary. Customers or application owners can be assured that data and data access are completely isolated and secure while workload performance is maintained. Each partner contributes proven technology that delivers security and isolation, resulting in a single integrated architecture that securely isolates digital assets in flight and at rest from end to end: at a high level, virtual machines (VMs) are securely isolated from other VMs with VMware's vShield zoning technology. These VMs are connected to storage systems using a segmented and secured Cisco Nexus network. They are connected to NetApp storage arrays, each of which is securely isolated from other units using NetApp MultiStore technology.

Cisco
Cisco's contribution includes the Unified Computing architecture, unified fabric, and the Nexus series of data center class switches. The Unified Computing System (UCS) seamlessly integrates with Cisco's Nexus series of switches. Because applications can be deployed in minutes, the UCS provides flexibility and agility for the business. The Unified Computing architecture combines compute, network, and storage access, as well as virtualization, into a scalable, modular system that is centrally managed by the Cisco UCS manager, keeping both acquisition and management costs low.

Cisco's unified fabric consolidates network traffic into a single, general purpose, high-performance, highly available 10 Gb Ethernet network. Instead of having to run parallel networks for data, storage, server clustering, and management, this unified fabric simplifies network infrastructure and reduces costs. Its intelligence enables it to deliver a higher level of performance while guaranteeing both isolation and security of user and data traffic.

The Cisco Nexus 1000V Series switches provide intelligent software switching for VMware vSphere environments. These virtual switches operate inside the VMware ESX hypervisor and support VN-Link server virtualization technology, which provides policy-based virtual machine connectivity and mobile VM security and network policy. In addition, Nexus 2000, 5000, and 7000 Series data center switches deliver advanced capabilities with end-to-end security for all network traffic. Cisco TrustSec creates role-based security including secure access control, a converged policy framework, and pervasive integrity and confidentiality.

NetApp
In the storage layer, NetApp unified storage with MultiStore technology is the security foundation. MultiStore, introduced several years ago as a pioneering solution for securing shared storage, allows IT to create completely isolated logical partitions on a NetApp storage system. These discrete administrative domains, called virtual storage controllers, make a single physical storage controller look like many logical controllers. Each virtual storage controller can be individually managed with its own performance and policy characteristics. MultiStore scales easily and non-disruptively migrates virtual storage controllers across physical resources to aid in both scalability and high-availability. By virtualizing storage controllers, MultiStore enables rapid provisioning and the ability to deploy virtual storage controllers based on workload requirements even as they change. The result is complete security in a shared environment that does not hinder growth or inhibit adjustment.


VMware
VMware vSphere provides the platform for infrastructure virtualization, offering centralized tools for monitoring and management across the virtual infrastructure, including role-based access and privileges, audit trail of configuration changes and reports, and real-time performance monitoring and analysis. The vCenter server manages all physical hosts and virtual machines centrally for better control and simpler, less costly management in a dynamic, multi-tenant environment.

The vNetwork Distributed Switch maintains a network runtime state for virtual machines as they move between hosts, providing a framework for monitoring and maintaining virtual machine security during movement between physical machines. The switch also extends familiar network features and controls to virtual networks and enables integration with the Cisco Nexus 1000V. In-line monitoring and centralized firewall services add to the system's high security.

VMware's vShield Zones takes advantage of ESX host proximity and virtual network visibility to create security zones. These virtual appliances reside on each vSphere host and use virtual inventory details regarding vNICs, portgroups, clusters, and zones to simplify firewall rule management and trusted zone provisioning. Logical zones span all physical resources of the virtual server layer, maintaining the levels of trust, privacy, and confidentiality needed in a multi-tenant environment. With vShield Zones, administrators have better visibility into network activity and have the ability to provide and enforce the required levels of isolation and compliance for each tenant in a shared infrastructure.

What Matters in a Converged Environment?


Pulling together a converged infrastructure brings up numerous concerns, the first being risk mitigation across the infrastructure stack. The same types of protection required with a silo-based architecture matter even more here. Data must be recoverable in case of disaster and it must be protected and isolated. Network security is paramount as the network is virtualized. Security must be built into the solution at every level. Combining components from these companies has enhanced DR and data protection, and new features have been highlighted to demonstrate risk mitigation. In addition, NetApp, Cisco, and VMware offer cooperative services to help customers design, deploy, and operate these secure multi-tenancy environments. Real world blueprints and best practices, including a Cisco Validated Design, reduce the risk of disruption during implementation.

The virtualization paradigm is based on efficiency: making better use of the resources you have by doing more with less and by consolidating management. Here, best-of-breed partnering contributes to the efficiency of the solution. Each company has years of experience building infrastructure solutions and together they essentially define the term best-of-breed partnering. All three are industry leaders in their own right, so joining together is extremely efficient for the customer. Their joint services also offer greater efficiency, eliminating silo-based support by infrastructure layer in favor of cooperative support.

Finally, a converged infrastructure can provide the kind of business agility that can be extremely beneficial. With infrastructure services bundled from the server, to the network, to the storage, organizations can leverage a new deployment model that can allow a business to grow and change without the friction and delays from which standard deployment methods often suffer. Rather than planning lengthy projects and downtime to launch a new application, a converged infrastructure can help a company implement decisions quickly and see results faster. For most organizations, this type of operating agility is much more important than the cost of equipment, making it an extremely valuable commodity.

Priority Alignment between Top IT and Business Initiatives


Secure, converged infrastructure demonstrates an alignment of priorities between IT and business initiatives. As internal IT departments start to deliver infrastructure as a service (IaaS), business managers and IT are in agreement on requirements: consolidation of services, operations, resources, and infrastructure that create an efficient and easy to deploy environment, resulting in lower costs across business lines and application owners.


Consolidation and sharing of services creates efficiency, which never goes out of style regardless of economic climate. This type of service-oriented architecture helps IT deliver on budgeting and cost control initiatives as well. It reduces the costs of both equipment and management as resources are shared and managed centrally. In addition, it enables usage tracking and the ability to implement departmental chargeback if desired, creating an activity-based cost structure. This also delivers a deeper understanding for business managers in terms of exactly what infrastructure services cost per application or activity, knowledge that can be used going forward to streamline activities. With 54% of respondents to a recent ESG survey reporting operational cost reduction as a top business initiative, this is an important feature.

Security has historically been an important IT initiative, but with converged infrastructure, business managers often take a keener interest. Adequate safeguards must be built in and enterprise-wide policies adhered to, as always. This is more important as concerns arise about separation and isolation between internal departments.

Service Providers

Secure multi-tenancy is extremely valuable for third party infrastructure service providers. In a service provider's data center, multiple companies will share data services on the same infrastructure; multi-tenant security across the infrastructure stack becomes absolutely critical. The full confidence that a system such as the solution offered by NetApp, Cisco, and VMware provides through complete isolation and security is paramount. This converged infrastructure allows service providers to make right-sized capital expenditures rather than building for the worst case scenario.

Efficient management and automation are top priorities for service providers building an IaaS offering as their business model depends on delivering services while keeping costs down. Deployment speed and the ability to fulfill requests quickly are equally important. Capacity-on-demand must be immediately deliverable where multiple workloads owned by different companies share the same infrastructure; one customer's needs cannot interfere with another customer's ability to grow. The business depends on guaranteeing performance, availability, and security to customers as well as auditability for compliance. Application owners must be able to count on service levels and consumption of resources must be transparent. The NetApp/Cisco/VMware solution offers all of that.

NetApp storage delivers efficient capacity utilization, with MultiStore creating secure logical partitions for data segmentation. By adding logical resources encapsulated in virtual storage controllers, MultiStore enables cost-effective scaling both horizontally and vertically. Different storage systems are not needed to accommodate different protocols as NetApp offers unified block and file storage connectivity in a single system. High availability and disaster recovery are built-in; RAID-DP (double parity) protects against dual disk failure while Snapshot capabilities protect against accidental deletion or corruption of data with fast restore and rollback. SnapMirror provides data replication for offsite backup and archiving. SnapDrive technology extends control of Snapshot and SnapMirror capabilities to each individual tenant's host administrators as well.

Storage availability becomes particularly important in a consolidated/shared environment as applications and operations rely on fewer physical resources. Losing access to a single physical storage system could take down a number of virtual machines and associated applications. High-availability configurations can minimize disruption and reduce risk of downtime from operator errors while active-active controller configurations enable failover in case of lost access to a storage controller or to prevent downtime for maintenance and upgrades.

VMware and Cisco add their own security and high-availability features, many of which have been discussed. In addition, they are working towards the ability to federate between local data centers and service providers, increasing the value of provider services for business owners. Further convergence of the network infrastructure, particularly with Fibre Channel over Ethernet, will continue to streamline and simplify network access. This secure multi-tenancy solution lets service providers offer rapid provisioning as well as decommissioning of resources to customers, making them valuable partners in IT delivery.


The Bigger Truth


The secure multi-tenancy solution offered by NetApp, Cisco, and VMware is built on close alliances with tight integration of shared server, network, and storage services. By working together, they can ease acquisition and speed deployment for customers. Vertical integration is delivered via a proven model; certainly NetApp, Cisco, and VMware are well seasoned in their collective ability to provide full featured products and solutions. This bundle delivers financial, operational, and strategic value that includes cooperative services, reference architectures, and blueprints for fast deployment.

Consolidation and efficiency efforts have proven that less is best. More machinery doesn't mean better service. In fact, it may make your business inflexible and it usually means greater cost. But it is important to remember that redundancy is critical for high availability across the stack. You may be streamlining everything, but you still have to keep your services available, and that means redundancy must be part of the picture.

Virtualization is making infrastructure layers more tightly coupled and changing the way they are managed. Significant benefits can be achieved for the business through process re-engineering while ensuring the virtualized infrastructure supports the security, risk, and compliance aspects required by the business. What this solution offers is an intelligent allocation of resources based on consolidation efficiency, rather than relying on a bulky silo of compute, network, and storage resources purpose-built for each application. By pre-integrating resources, the solution delivers infrastructure services elegantly and efficiently.

Security within each layer, compliance features, and auditability are bottom-line requirements in any infrastructure, and even more so as they are converged. Along with its end-to-end security, this solution's modular design makes it fast and easy to deploy for existing applications as well as for new ones. It offers a solution-focused answer to infrastructure services, whether they are being delivered by IT departments to internal customers or by service providers to different companies.


20 Asylum Street | Milford, MA 01757 | Tel:508.482.0188 Fax: 508.482.0218 | www.enterprisestrategygroup.com
