Tim Hearn, Director, UK Government and Public Services, VMware
In my last blog post, I addressed the cost-saving benefits of server virtualization for the UK public sector, and the journey that still needs to be taken towards it. While the sector has made significant steps to virtualize servers and drive down the cost of computing, the next step it needs to look at, in order to achieve further cost savings and make the journey towards ‘Cloud First’ as smooth and efficient as possible, is a much deeper dive into data centre environments at the network, security and storage level.
Network & Security Virtualization – Software-Defined Networks
Traditional networks are built from layers and layers of boxes and wires, configured in a fixed environment and mostly by hand. This approach worked well when users and applications were static and siloed, and when information flowed solely from users at desktops to a server in a data centre. It was based on the classic Cisco three-layer network model, which was an ideal fit at the time but is no longer fit for purpose, as traffic now moves East/West rather than North/South.
When server virtualization came along to transform server environments into software instances, and Web 2.0 fundamentally changed the structure of data centre applications, traffic profiles in data centres completely changed. Previously the majority of traffic (roughly 80%) ran in and out of the data centre (known as north/south), whereas most traffic (around 80%) now runs within data centres between virtual machines (known as east/west). These changes caused two main problems for the network:
1. The north/south traditional network design became overly complicated (with too many boxes and wires), and incorrectly dimensioned
2. Servers and application instances could now be configured in minutes, yet any corresponding network change could take 90 days or more. This meant that the limitations of the hardware network negated the transformed productivity of the software-defined server and application environments
As a result, in public sector networks there were numerous instances where fast, agile new services which departments had created, sat in long change management queues with the network team, waiting for new VLANs, firewall rules, and router interfaces to be defined, tested and deployed.
Software-Defined Networks (SDN) have come about to address these issues, but in many cases the solutions have been created by hardware companies and do not radically address the underlying complexity of layers of boxes, wires and configurations. In essence, providers end up with software-defined hardware rather than the SDN they so desperately desire.
VMware has boldly approached this challenge as a pure software solution by developing NSX. By applying to the network the same logic we used to virtualize compute, and attaching software rules for networking and security to the application, we can ensure that wherever the application resides, its tailored network and security policy and profile travel with it. These rules are created once, relating to the application, and can then be provisioned in seconds along with the compute, so no elongated change management process or manual reconfiguration is required.
Enabling a move to hybrid cloud
This approach is fundamental to creating hybrid cloud environments in the public sector, as one of the key inhibitors to cloud services is the perceived security risk of moving workloads from the private to the public or semi-public cloud. As outlined by my colleague Andy Tait in his recent blog, 85% of UK public sector organisations are now using public cloud in their IT services portfolio, with more than a third (34 percent) citing affordability as their reason for doing so. So it’s critical that the public sector addresses any issues around cloud services.
By applying network and security configuration to the application, its network, firewall and load balancing policy moves with it from a private to public environment, providing a consistent set of network and security services which are independent of physical location. VMware calls this approach micro-segmentation, and many public sector network and security staff have quickly grasped the importance of VMware NSX in their hybrid cloud and cloud strategies.
Micro-segmentation acts as the network and security services’ wrapper for data centre workloads, increasing the security of the application workload as it moves around. This is a hugely significant development, for it removes the need for multiple physical firewall platforms (often supplied by different vendors) within the data centre. Given this is probably THE most complex and cumbersome part of the data centre, this helps to simplify network security hugely for public sector organisations.
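To make concrete what it means for policy to travel with the workload, here is a small added example (written for this post, not VMware's or NSX's own code) that models the two approaches side by side: a policy engine keyed on workload identity tags, as micro-segmentation does, and a traditional ACL keyed on IP addresses. The workloads, tags, addresses and rules are all constructed for illustration. The app tier is then migrated to a public cloud with a new address, and the same flow is evaluated before and after.

```python
"""Identity-based (micro-segmentation style) policy vs. address-based ACL.

Constructed example: workloads, tags and addresses are invented, and the
policy engine is a simplified model, not the NSX distributed firewall.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    location: str            # "private" or "public" cloud
    tags: FrozenSet[str]     # identity, e.g. {"app:payments", "tier:web"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: FrozenSet[str]      # every tag a source workload must carry
    dst: FrozenSet[str]      # every tag a destination workload must carry
    port: int
    action: str              # "allow" or "deny"


class DistributedFirewall:
    """Evaluates rules against workload identity (tags), never addresses."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = rules
        self.default = default

    @staticmethod
    def _in_group(group: FrozenSet[str], w: Workload) -> bool:
        return group <= w.tags  # workload is in the group if it carries all tags

    def decide(self, src: Workload, dst: Workload, port: int) -> str:
        for r in self.rules:  # first matching rule wins
            if r.port == port and self._in_group(r.src, src) and self._in_group(r.dst, dst):
                return r.action
        return self.default


class AddressAcl:
    """Traditional ACL; entries are (src_ip, dst_ip, port, action)."""

    def __init__(self, entries: List[Tuple[str, str, int, str]], default: str = "deny"):
        self.entries = entries
        self.default = default

    def decide(self, src: Workload, dst: Workload, port: int) -> str:
        for s, d, p, action in self.entries:
            if (s, d, p) == (src.ip, dst.ip, port):
                return action
        return self.default


def migrate(w: Workload, new_ip: str, new_location: str) -> Workload:
    """Move a workload; its tags (and therefore its policy) travel with it."""
    return Workload(w.name, new_ip, new_location, w.tags)


# Constructed three-tier application: web -> app on 8443, app -> db on 5432.
WEB = Workload("web01", "10.0.1.10", "private", frozenset({"app:payments", "tier:web"}))
APP = Workload("app01", "10.0.2.10", "private", frozenset({"app:payments", "tier:app"}))
DB = Workload("db01", "10.0.3.10", "private", frozenset({"app:payments", "tier:db"}))

# Policy written once, in terms of the application, not of where it runs.
POLICY = DistributedFirewall([
    Rule("web-to-app", frozenset({"app:payments", "tier:web"}),
         frozenset({"app:payments", "tier:app"}), 8443, "allow"),
    Rule("app-to-db", frozenset({"app:payments", "tier:app"}),
         frozenset({"app:payments", "tier:db"}), 5432, "allow"),
])

# Equivalent intent expressed the traditional way, pinned to addresses.
LEGACY = AddressAcl([
    ("10.0.1.10", "10.0.2.10", 8443, "allow"),
    ("10.0.2.10", "10.0.3.10", 5432, "allow"),
])


def compare_after_migration() -> dict:
    """Decisions for the web->app flow before and after the app tier moves
    to a public cloud and is given a new address."""
    app_moved = migrate(APP, "172.16.5.20", "public")
    return {
        "identity_before": POLICY.decide(WEB, APP, 8443),
        "identity_after": POLICY.decide(WEB, app_moved, 8443),
        "identity_web_to_db": POLICY.decide(WEB, DB, 5432),    # never permitted
        "address_before": LEGACY.decide(WEB, APP, 8443),
        "address_after": LEGACY.decide(WEB, app_moved, 8443),  # stale entry, flow breaks
    }


if __name__ == "__main__":
    for key, verdict in compare_after_migration().items():
        print(f"{key:20} {verdict}")
```

The identity-based policy gives the same answer before and after the move, and still refuses the web tier direct access to the database, because the rules bind to what the workload is rather than where it sits. The address-based ACL silently stops matching once the address changes, which is exactly the situation that lands a service in a change management queue waiting for a new rule. A default of "deny" is used for both engines; with a default of "allow" the stale ACL would fail open instead of closed, which is the worse outcome.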
VMware has carried out work on a number of government projects alongside CESG, the Information Security arm of GCHQ, which shows that a robust next generation firewall capability at the network perimeter, such as that provided by Palo Alto or Juniper, integrated with a VMware NSX solution, is the right firewall architecture for a public sector hybrid cloud environment. Not only does it protect workloads within the data centre, but it is also significantly simpler and cheaper.
The clear message here is that deploying multiple layers of physical devices ultimately inhibits the ability of a public sector network to move to a cloud environment. By moving from a hardware to a Software-Defined network and security model, however, organisations can achieve a more straightforward, secure and less costly solution.
Storage Virtualisation – Software-Defined Storage
The amount of storage in flash and magnetic disks that gets shipped with each server today is an order of magnitude greater than five years ago, and in most cases this storage is vastly under-utilised. Storage in servers is cheap and can be added incrementally at low cost.
VMware has used its virtualization principles to extend its capabilities and manage all of the flash and magnetic storage across the server farm as one distributed, shared data store, something we call vSAN. The same management layer that handles compute virtualization now also manages and optimises the storage within the servers, so storage becomes an integrated extension of compute virtualization rather than a new standalone solution. This means that access to storage is optimised in terms of performance, availability and utilisation, and public sector customers get the most value from the storage they have already bought as part of the server investment.
In the nineties, VMware radically changed the cost structure and productivity of public sector server environments through the virtualization of compute, and as a result we have saved the UK government tens of millions of pounds. What really excites us is that now we can save much more if we can encourage and maximise the use of virtualization across the public sector.
Amongst CTOs and across the GDS, SOCITM, HSCIC, and JISC, as well as other organisations which drive standards and strategy for public services, the ubiquity of virtualization across a Software-Defined Data Center has to be a high priority. By doing this, we can help the government achieve the service improvements and financial savings objectives which it has set out in its digital, ‘Cloud First’ strategy.