Delivering Policy & Trust to the Hybrid Cloud

June 10, 2015

Derek Collison, Founder and CEO, Apcera

Upload: apcera

Post on 16-Aug-2015

What is Policy?

A JOKE Really In today’s increasingly complex world

A Tale of “4” Worlds

• Non-Existent

• Manual and Disconnected

• Semi-Automated, with Loose or No Enforcement

• Security Focused Only - The world of NO!

What should it look like?

What it should look like

• Systemic - Complete - Pervasive

• Enforceable

• Changeable - Adaptable - Pluggable

• Understandable - Approachable

• Auditable

Why do we need it?

Risk

Governance

Compliance

Risk

Governance Compliance?

We need TRUST!

Do you Trust?

• Your systems?

• Your processes?

• Your people?

They trusted me! WHY??

Do you Trust?

• Your systems? YES!

• Your processes? YES!

• Your people? Uh.. NO.. (But we don’t care)

Why Now?

Three Things Three major things!

MicroServices

DevOps

Hybrid Cloud

Increasing COMPLEXITY!

Complexity - Dawn of MicroServices

• Want to build faster? Build LESS!

• Services will WIN the Hybrid CLOUD!

• Systems will NEVER be simpler than TODAY!

Things Will Never Be Simpler Than Today

Data: Always growing and changing (44X in 2020 from 2014 level)

APIs: We are living in the “API Economy” — constantly growing, constantly evolving

Services: Always growing and adding new capabilities

Policy in the Hybrid Cloud

Hybrid Cloud

Private Cloud

Public Cloud

Year of Hybrid

Delivering Policy and Trust for the Hybrid Cloud

Connecting all clouds, with a single, policy-driven system

Let’s go under the Hood

This could be complex

• RBAC vs ABAC vs ACL/DAC

• XACML vs Datalog

• PCI, SOX, HIPAA, ISO 27001, FISMA

KISS Principle

Keep it Simple

I like Simple

Let’s start

• What are we describing?

• What do we want to control?

System Datamodel

Simplified System Datamodel

• Packages (bag of bits)

• Jobs -> Instances

• Links -> Channels

Basic Policy Realms

Simplified System Datamodel

• Packages (bag of bits)
  • What’s allowed? How do we find vulnerabilities?

• Jobs -> Instances
  • CPU, Memory, Disk, Network?, Placement

• Links -> Channels
  • Access, QoS, SLAs

What Else?

Also Needed

• Additional Realms
  • Identity, Authorization, Audit, etc.
  • Policy itself - the system Turing test

• Simple Policy Language

• Namespaces

Example

Architecture

Bi-Directional Graph

Secure Message Bus

Distributed Policy Evaluation & Enforcement

What really Matters?

Service Access

Change Mgmt

Service Access Example

APCERA CONFIDENTIAL

Service Access in a Hybrid World

Private Cloud

RDS

Service Access in a Hybrid World

Private Cloud

HTTP

RDS

State of the Policy World

The Policy World Today

• People and Paper based

• BMC, CA, IBM
  • Legacy

• OpenStack Congress
  • OpenStack centric in a Hybrid World

Summary

A single, policy-driven, system — a connective fabric — that sits above all clouds, private and public

Purpose built for the Hybrid Cloud

Reduces complexity and invites change, all while enabling enterprise-wide governance and maximum agility

“System of Trust”

The Right Approach to Policy

Thank You!

Questions?