Wednesday, February 25, 2015

Blueprint: The Role of Policy in the Hybrid Cloud

by Harsh Karmarkar, Director, Solutions Consultants, Alliances & Channels at Apcera

Enterprises today are looking to hybrid cloud to achieve a range of goals: to cut costs; enable a more flexible workforce; offer better customer service; and achieve greater scale. But in an era of “Big Data”, escalating security concerns, and an ever more fragmented set of technology functions being moved to the cloud, fulfilling those goals requires an IT management approach that offers holistic visibility into all resources being used, both on- and off-premise—and a way to consistently govern their use.

This is where policy comes in. But all too often, enterprises are trying to apply traditional, domain-specific policy approaches to a hybrid IT landscape that is defined by an inordinate amount of complexity—and which stubbornly resists being tamed by cobbled-together point solutions.

Defining Policy

Policy in general has been a catch-all term, and one with many definitions. Policy is seen as covering everything from defining explicit corporate rules for employee interactions with customers, to ensuring compliance with legal and regulatory constraints like HIPAA, to defining basic firewall rules—and everything in-between.

As a result, traditional policy approaches unfortunately often define rules through sweeping documents, or are specific to a granular domain. So what happens is that every network utility and access control system, and every subsystem and service, has its own set of implemented policies that may or may not conform to the overarching enterprise business goals, and which may not talk to each other, let alone be holistically manageable by IT.

Fortunately, there is an increasing acceptance of the fact that existing policy approaches are inadequate, and that the more there can be a consistent language and construct for the identity and location of both users and data, the easier it is to have an overarching view of what the data is, where it is and who’s looking at it.

Ultimately, the goal of any holistic policy approach must be to implement the rules that have been put in place by the business itself and by regulatory bodies for governing data and data access. That policy engine should use an automated rules framework to fulfill those rules, by allowing or disallowing any given action at any given time by any given employee on any given system, across both cloud-based and on-prem IT environments.

Challenges of a Hybrid Architecture

The hybrid cloud has mostly been the playground of development and testing—but that’s beginning to change. Now that many enterprises are moving into hybrid production environments, and the data perimeter is being extended into third-party domains, there’s concern about how to understand what’s being housed where, how to safeguard sensitive data and how to maintain performance in a complex environment, without adding overhead to the process.

Generally speaking, enterprises have been taking two approaches for managing the hybrid IT environment.

For one, IT can clearly separate within their management systems what’s on-premise and what’s not, and build a few links to gain elastic scale and the ability to move workloads around. But more often than not, there’s no unified tooling or governance, so it results in two management structures, a lack of overall visibility and unevenly applied operational rules.

The other approach is to treat all of the data and functions as though they were on-premise. But that gives administrators less control over the remote environment, and if organizations have sensitive information housed remotely, data sovereignty issues can arise.

Policy in both cases can lend value.

Best Practices for Hybrid Implementations

A key place to begin building a policy framework is to ask what, ultimately, are the business goals that policy should enable? Is it effective resource allocation? Is it achieving certain performance or SLA-related benchmarks? Does the enterprise need a geographic view of, say, software licensing term compliance? Is cyber security the main focus? Or is it all of the above and more?

From there, the policy engine must have a grammar that dovetails with the business’ operational language. For instance, an enterprise may define security levels by color. But to third parties, what’s contained in, say, the purple or orange zones is completely unfamiliar. So policy engines for hybrid architectures have to map how enterprises internally view their assets and information to any third-party widely accepted language and processes.

Today’s approaches are also often defined by what employees can’t do. But that blacklist approach is not very extensible in terms of adapting to evolving enterprise realities. For instance, accessing social media may have been a prohibited activity two years ago—but now tweeting and updating Facebook may be critical for an employee to do his or her job.

IT administrators can instead take a whitelist approach, which explicitly allows each and every approved activity. This ensures that people are only performing actions that IT understands and can manage. Often, the evaluation of one policy rule drives the next policy decision within the situation’s specific context. So, the idea of identity—a sense of who has the right to do what—becomes critically important.

Approaching policy this way may take a bit more time up front to set up, but it helps optimize the IT environment in the long run.
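The whitelist model described above, as an added example that is not Apcera's or the author's code: a default-deny evaluator in which each rule may record facts (here, the resource's security level) in a shared context that later rules consume, placed beside the blacklist check it replaces. Identities, resources, levels and grants are constructed.

```python
# Added example, not Apcera's or the author's code: a default-deny allow-list
# evaluator where each rule may record facts in a shared context that later
# rules consume. Identities, resources, levels and grants are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    identity: str   # who is acting
    action: str     # what they want to do
    resource: str   # on which resource
    location: str   # where it is hosted: "onprem" or "cloud"

# Constructed directory data.
RESOURCE_LEVEL = {"crm-db": "restricted", "wiki": "internal", "twitter": "public"}
ROLE_OF = {"alice": "analyst", "bob": "marketing"}
# Explicit (role, action, level) grants; anything not listed is denied.
GRANTS = {
    ("analyst", "read", "restricted"),
    ("analyst", "read", "internal"),
    ("marketing", "read", "internal"),
}

# Each rule returns True (explicit allow), False (explicit deny) or None (no
# opinion) and may add facts to ctx for the rules that run after it.
def classify(req: Request, ctx: dict) -> Optional[bool]:
    """Establish the resource's security level; no verdict of its own."""
    ctx["level"] = RESOURCE_LEVEL.get(req.resource, "unknown")
    return None

def sovereignty(req: Request, ctx: dict) -> Optional[bool]:
    """Restricted data may not be touched while hosted off-premise."""
    if ctx["level"] == "restricted" and req.location == "cloud":
        return False
    return None

def role_grant(req: Request, ctx: dict) -> Optional[bool]:
    """Allow only when an explicit grant matches (role, action, level)."""
    role = ROLE_OF.get(req.identity)
    return True if (role, req.action, ctx["level"]) in GRANTS else None

POLICY = [classify, sovereignty, role_grant]   # order matters: context flows forward

def evaluate(req: Request, rules: list) -> tuple:
    """Default deny: an explicit deny wins, an explicit allow is required."""
    ctx: dict = {}
    verdicts = [rule(req, ctx) for rule in rules]
    if False in verdicts:
        return False, ctx
    return (True in verdicts), ctx

def deny_list_check(req: Request, blocked: set) -> bool:
    """The blacklist model: whatever is not blocked is allowed, so an activity
    nobody has considered yet (e.g. a new "post" action) passes silently."""
    return req.action not in blocked
```

A request such as `Request("bob", "post", "twitter", "cloud")` passes `deny_list_check` with any blocklist that does not name "post", but fails `evaluate` until a `("marketing", "post", "public")` grant is added, which is the fail-closed property that lets the policy evolve deliberately.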

Another basic implementation issue has to do with how policy is enforced. Many enterprises use a centralized engine that evaluates policy compliance, which is then enforced in a distributed way, out in a remote cluster. But whenever there is distributed enforcement and centralized evaluation, it allows for gaps in rules application and inconsistencies.

A better approach is to ensure that every actor within the system is governed locally by the set of policies that can specifically affect him or her. So, the policy engine for both the evaluation and enforcement of compliance is distributed to all of the agents in the system, both in on-premise and remote environments.

That means that there’s no queue for a central engine to make decisions. So whether the infrastructure has 10 actors or 10,000, scaling doesn’t result in a bigger drain on the central IT management structure.

This type of implementation is a fundamentally different approach to architecting the policy brain than what we typically see emerging in the hybrid cloud. But for forward-thinking enterprises, taking steps now to accommodate the complexities of unstructured data, multiple user types and a hodgepodge of domains will give them the ability to programmatically control what an app or workload does, without requiring the IT staff to write code or resort to other manual practices. Thus, they will find themselves delivering better customer service, driving efficiencies and safeguarding operations across the board, for now and in the future.

About the Author

Harsh Karmarkar leads the Alliances pre-sales team for Apcera.

About Apcera

Based in San Francisco, California, Apcera has deployed the world's first policy-driven platform for global 2000 companies. Continuum, Apcera's flagship product, is a PaaS++ that deploys, orchestrates and governs a diverse set of workloads, on premise and in the cloud. In September 2014, Ericsson purchased a majority interest in Apcera, though Apcera remains an independent company.

#MWC15: Innovating with Hybrid Cloud OS - @Apcera

Mobile World Congress will showcase lots of innovation in radio access technologies, says Derek Collison, founder and CEO of Apcera. But once the flood of data arrives on the network, how do you trust it, and how do you know which cloud services can tap into it? Apcera is introducing its Hybrid Cloud Operating System as a trusted platform to run anywhere.

Ericsson's 5G Radio Test Bed Tops 5 Gbps

An Ericsson 5G radio test bed has topped 5 Gbps throughput. The company will demonstrate fundamental 5G technologies at next week's Mobile World Congress, including 5G-LTE Dual Connectivity and 5G Multipoint Connectivity. Ericsson's 5G radio test bed features 5G devices and 5G radio base stations operating in the high-frequency 15 GHz band.

  • 5G-LTE Dual Connectivity: The 5G mobile device moves between LTE and 5G radio access coverage areas, establishing simultaneous connections with both networks before seamlessly handing over. 5G-LTE Dual Connectivity will enable 5G networks to provide multi-standard and multi-band support in both devices and radio access.
  • 5G Multipoint Connectivity: The 5G mobile device connects to two 5G base stations simultaneously, improving bit rate performance through multiple downlink streams, as well as signal strength and resilience. 5G Multipoint Connectivity will be key to supporting multi-layer networks consisting of both macro and small cell coverage.

"The Ericsson 5G radio test bed is where innovation meets implementation. It certainly is a reflection of our commitment to 5G technology leadership but it's also where we test and expand the limits of how mobility will transform society," says Arun Bansal, Senior Vice President, Head of Business Unit Radio, Ericsson.

Ciena Debuts New Wavelogic Chipsets and Coherent Select Architecture

Ciena announced significant additions to its portfolio, including two new chipsets to power its next-gen optical transport systems, along with a new 100G photonic architecture. These innovations are aimed at solving the web-scale dynamics caused by cloud computing, network virtualization and openness.

The two new Ciena WaveLogic 3 coherent optical chipsets, the WaveLogic 3 Extreme and WaveLogic 3 Nano, are designed for the massive bandwidth requirements of web-scale networks.

WaveLogic 3 Extreme -- a new coherent optical chipset that incorporates four programmable coherent modulation formats: QPSK, BPSK, second-generation 16QAM coherent modulation for high-bandwidth metro/regional applications, and a new patent-pending 8D-2QAM modulation for extreme long-distance submarine applications. 16QAM enables 200G wavelengths in the same amount of spectrum as current 100G links (50 GHz). The new 8D-2QAM modulation format enables enhanced 100G performance. When combined with flexible grid technology, capacity increases of 85% have been realized on trans-Pacific links when compared to today’s BPSK modulation format. The WaveLogic 3 Extreme is currently available and has already been deployed in a regional scenario with Verizon and in multiple submarine scenarios announced last month.

WaveLogic 3 Nano -- the next generation of Ciena's WaveLogic 3 technology for metro and data center applications. WaveLogic 3 Nano targets 100G metro density by reducing the footprint and power consumption of the coherent 100G design. Innovations include shrinking the electro-optics to enable lower power consumption, taking advantage of new ASIC integration technologies, and tailoring the chipset’s chromatic dispersion compensation characteristics for metro distances. The new WaveLogic 3 Nano chipset is being implemented across Ciena’s portfolio of converged packet-optical and packet networking products, including the 6500 and 5430 converged packet optical platforms. It doubles the capacity of metro and regional networks and, combined with Flexible Grid technology, has enabled up to 85% greater capacity in submarine networks.

Coherent Select photonic architecture -- a flexible metro architecture for high-capacity user-to-content connectivity. By combining software with the native receiver tunability of WaveLogic chipsets, Coherent Select enables service providers to cost-effectively bring 100G closer to the metro. Ciena sees this as a third alternative next to passive fixed optical filters or ROADM architecture. Ciena's Coherent Select consists of a wavelength broadcast and select architecture which leverages WaveLogic coherent receivers to tune to the frequency (wavelength) of interest. Ciena said this also retains much of the operational benefits associated with ROADMs, including automatic real-time power balancing, full photonic topology visualization, and remote wavelength reconfiguration with colorless, directionless and flexible grid capabilities.

In addition, Ciena expanded its Packet Portfolio with the additions of the 3904 and 3905 Service Delivery Switches aimed at both indoor and outdoor small cell mobile backhaul. The 3905 is an environmentally hardened Ethernet platform that can be deployed in a variety of mounting options. The 3905, as well as its indoor variant 3904, is purpose-built to provide next-gen Gigabit Ethernet (GbE) connectivity from the small cell to the macro tower or Mobile Telephone Switching Office (MTSO). Both feature an advanced Ethernet control plane, sophisticated VLAN encapsulation and tagging, hierarchical QoS for strict SLAs, carrier-grade Ethernet OAM capabilities, flexible power options including Power over Ethernet Plus, a WiFi console port, automated and error-free Zero Touch Provisioning, and MEF Carrier Ethernet 2.0 compliance.

“Networks are now facing the realities of the ‘web-scale effect.’ Cloud services, on-demand networking and virtualization are becoming more ubiquitous and businesses expect connect, compute and storage services to be available 24/7. With Ciena’s new coherent chipsets, metro architecture and backhaul solutions, our customers can arm their networks with the bandwidth, efficiency and agility that is required in today’s web-scale world,” stated Steve Alexander, Senior Vice President and CTO, Ciena.

Mavenir Intros VoWiFi Calling for MSOs

Mavenir Systems introduced an NFV-based Voice over Wi-Fi (VoWi-Fi) solution for cable operators.

Mavenir’s offering includes session control, application/messaging servers, access/border gateways, subscriber management/activation systems, and clients. It integrates with an operator’s existing IMS core network or can be deployed as a greenfield network to offer voice, video, and messaging applications using Wi-Fi access. Mavenir is engaged with multiple cable operators to plan VoWi-Fi as a part of their MVNO strategies or as a standalone offering paired with the standard video and content distribution offer. The solution is based on Mavenir’s mOne Convergence platform, including the IP Multimedia Subsystem (IMS) Core and Application Servers and cross-platform mobile clients.

“We believe that VoWiFi changes the competitive landscape for cable operators,” said Pardeep Kohli, President and Chief Executive Officer, Mavenir Systems. “Mavenir’s converged IMS solution provides cable operators the benefit of seamless mobility between Wi-Fi and cellular networks, as well as proven interoperability and a native user experience on the latest Wi-Fi Calling enabled devices, such as Apple’s iPhone 6.”

IDT, NVIDIA and Orange Silicon Valley Develop

Integrated Device Technology (IDT), NVIDIA and Orange Silicon Valley are developing a supercomputing platform that uses clusters of low-power NVIDIA Tegra K1 mobile processors with IDT’s RapidIO interconnect and timing technology to analyze 4G to 5G base station bandwidth data in real time.

Specifically, the Supercomputing at the Edge platform uses IDT’s 20 Gbps interconnect technology to connect a low-latency cluster of NVIDIA Tegra K1 mobile processors. It’s suitable for micro base station deployment along with larger computing clusters in the C-RAN, a new cellular network architecture. Each processing card connects up to 4 GPU units with RapidIO low-latency NIC and switching products on board. The companies said the platform can support up to 12 teraflops per 1U RapidIO server blade.

Allot to Acquire Optenet, a Security-as-a-Service Solution Provider

Allot Communications agreed to acquire the operations of Optenet, a global IT security company providing high-performance Security-as-a-Service (SECaaS) solutions to service providers and large enterprises worldwide, for approximately $6.5 million in cash plus a deferred payment of approximately $5.5 million to be paid over two years following closing.

Optenet is a pioneer and global leader in enabling SECaaS. The company is based in Madrid, Spain and was founded in 1997.

Allot said Optenet's products complement its existing security offerings, especially in the market of DDoS protection and anti-malware. The acquisition is based on an existing successful partnership that has already resulted in ten service provider customer wins, half of which are large tier-1 mobile operators.

"Our acquisition of Optenet will help Allot become a leading player in the consumer Security-as-a-Service market," said Andrei Elefant, President & CEO of Allot Communications. "We have been working with Optenet since 2013 and during that time we have won more than 10 service provider customers together, half of which are large tier one operators. In addition to bringing value to stockholders, this strategic move augments our position in the security market, strengthens our network operator value-added services approach, and complements our cloud and enterprise vision."

Telstra Selects Metaswitch to Interconnect International Voice Network

Telstra has selected Metaswitch Networks to upgrade and enhance its TDM and IP voice network in response to the company’s growth throughout Asia-Pacific, Europe and the Americas.

Telstra’s Global Enterprise and Services (GES) business provides telecommunications services and solutions to carriers and multinational enterprises globally. It is a leading carrier in Asia-Pacific and facilitates access to more than 2,000 points of presence (PoPs) in 230 countries and territories.

Metaswitch products now used in the network include the MetaSphere Call Feature Server (CFS), the Metaswitch Universal Media Gateway and Perimeta Session Border Controller.

According to Stuart Warwick, SVP of support services, Metaswitch completed the cutover of Telstra’s international voice network at the end of 2014, just six months after the contract was signed. He highlighted that “during the project, Metaswitch replaced TDM network elements with IP interconnect solutions in Sydney, Hong Kong, London and New Jersey, completing the work during one of the busiest times on Telstra’s network.”

Dell'Oro: Microwave Transmission Outlook

Jimmy Yu, Vice President of Optical Transport Research at Dell'Oro Group, discusses key trends in the microwave market, including geographic variations in backhaul, the growth in packet microwave, and the impact of small cells. The video also discusses the use of new spectrum bands for small cell backhaul.

ADVA Posts Q4 Revenue of EUR 87 Million, up Nearly 14% YoY

ADVA Optical Networking reported Q4 2014 revenue of EUR 86.7 million, in the upper half of guidance between EUR 83 million and EUR 88 million. The figure is up a significant 13.8% vs. Q4 2013 at EUR 76.2 million and slightly down 0.4% vs. Q3 2014 at EUR 87.1 million. The IFRS operating income in Q4 2014 was EUR 5.1 million, up significantly from EUR 1.9 million in Q4 2013.

"We are extremely pleased with our 2014 revenues which are at a record high of EUR 339.2 million, up a sound 9.2% compared to 2013. Q4 2014 revenues at EUR 86.7 million are in the upper half of guidance. This marks the fourth consecutive quarter with year-on-year growth. In addition, our pro forma gross margin at 36.6% in Q4 2014 improved from 35.3% in Q3 2014," stated Ulrich Dopfer, chief financial officer of ADVA Optical Networking.