3. Humans can document ideas
SEPTEMBER 2014 Page 3
Defining Policy
Humans have ideas (Business, Operations, Legal, Security, Audit & Compliance), and those ideas become Policy.
Systems don't understand human languages, so how does a written policy reach the infrastructure?
5. Virtual Topology
Traditional Barriers
1. Device Canonicalization: lowest common denominator
2. Distributed State Management: hard problem
3. Topology Independence: physical topology requires mapping
6. Virtual Networks
Cloud / OpenStack
ABSTRACTION: Software over Hardware, exposed through an API as Virtual Machines and Virtual Storage
7. OpenStack & Software Defined Data Center
ABSTRACTION
Policy: Automated vs. Manual
8. Congress
Congress Introduction
An Open Policy Framework for Automated IT Infrastructure
Network, Compute, Storage, Security / Identity
9. Congress
An Open Policy Framework for Automated IT Infrastructure
Network, Compute, Storage, Security / Identity

All Data In Tables
• Queries
• Declaration of Policy

Sample tables shown on the slide:

ID    Results   Time
VM1   Infected  01:13:56
VM2   Clean     18:23:05
VM3   Infected  07:13:09
VM4   Clean     20:21:17

VM    Memory  CPU
VM1   32GB    4
VM2   64GB    8
VM3   32GB    12
VM4   128GB   8

Disk   Capacity  Used
Disk1  1TB       501GB
Disk2  2TB       237GB
Disk3  8TB       6.1TB
Disk4  4TB       3.2TB

IP            Port  Protocol
192.168.10.1  80    HTTP
192.168.3.1   20    FTP
192.168.11.2  25    SMTP
192.168.9.9   443   HTTPS

User table (column headers not legible on the slide):
Pete    Finance      30
Tim     Engineering  32
Martin  Finance      33
Pierre  Sales        31

Further table headers visible on the slide without legible rows: VM / Network / Ports; Disk / Name / Owner; Net / Name / Owner; Net / Router / Ports.
10. Use Case Example: 3 People, 3 Ideas, 1 Policy
Application Developer
• My application (2 tier: Web and Database) can be deployed for test or production.
Cloud Operator
• Applications deployed for production must have access to the Internet, must not be
deployed in the DMZ cluster and should scale based on load.
• Applications deployed for test should have 1 VM instance per tier.
• All applications must use VM images signed by an administrator.
Compliance Officer
• No VM from a PCI app may be located on the same hypervisor as a VM from a non-PCI app.
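The "all data in tables, policy as declared rules" idea of slide 9 and the three stakeholders of slide 10 come together in the following added example. It is not Congress's own engine or schema: it is a small Datalog-style evaluator written for this page, with table names (nova:servers, app:pci, glance:image_of, glance:signed, ids:scan, neutron:ports), column layouts and sample rows all constructed here (ids:scan mirrors the ID/Results table on slide 9). It evaluates the compliance officer's PCI co-location rule, the operator's signed-image rule, and an "infected VM still attached to a network" check, producing error rows in the way a Congress error table would.

```python
"""Tiny Datalog-style policy evaluator over tables.

Added example for this page; NOT Congress's engine or real schema. All table
names, column layouts and rows below are constructed for illustration."""


def is_var(term):
    """Variables are capitalised identifiers; everything else is a constant."""
    return isinstance(term, str) and term[:1].isupper()


def match(args, row, binding):
    """Unify one literal's argument list with a table row under `binding`.
    Returns the extended binding, or None if a constant or an already-bound
    variable disagrees with the row."""
    if len(args) != len(row):
        return None
    extended = dict(binding)
    for arg, value in zip(args, row):
        if is_var(arg):
            if extended.setdefault(arg, value) != value:
                return None
        elif arg != value:
            return None
    return extended


def evaluate(rule, tables):
    """Evaluate one non-recursive rule.  rule = (head_args, body) where body is
    a list of (negated, table, args).  Positive literals are joined left to
    right; negated literals are checked afterwards, so (as in safe Datalog)
    every variable they mention must already be bound by a positive literal."""
    head_args, body = rule
    bindings = [{}]
    for negated, table, args in body:
        if negated:
            continue
        bindings = [m for b in bindings for row in tables.get(table, ())
                    if (m := match(args, row, b)) is not None]
    results = set()
    for b in bindings:
        blocked = False
        for negated, table, args in body:
            if not negated:
                continue
            assert all(not is_var(a) or a in b for a in args), "unsafe rule"
            if any(match(args, row, b) is not None for row in tables.get(table, ())):
                blocked = True
                break
        if not blocked:
            results.add(tuple(b[a] if is_var(a) else a for a in head_args))
    return results


# Constructed sample data (assumed layouts; ids:scan mirrors slide 9).
TABLES = {
    "nova:servers":    [("vm1", "host-a", "shop"), ("vm2", "host-a", "blog"),
                        ("vm3", "host-b", "shop"), ("vm4", "host-c", "blog")],
    "app:pci":         [("shop",)],
    "glance:image_of": [("vm1", "img-9"), ("vm2", "img-3"),
                        ("vm3", "img-9"), ("vm4", "img-5")],
    "glance:signed":   [("img-9",), ("img-3",)],
    "ids:scan":        [("vm1", "infected"), ("vm2", "clean"),
                        ("vm3", "infected"), ("vm4", "clean")],
    "neutron:ports":   [("vm1", "net-finance"), ("vm2", "net-eng"),
                        ("vm3", "net-sales"), ("vm4", "net-finance")],
}

# The three policies; the comment above each is an approximation of how the
# same rule would read in Congress Datalog (column layouts assumed).
RULES = {
    # error(vm, other) :- nova:servers(vm, host, app), nova:servers(other, host, app2),
    #                     app:pci(app), not app:pci(app2)
    "pci_colocation": (("VM", "Other"), [
        (False, "nova:servers", ("VM", "Host", "App")),
        (False, "nova:servers", ("Other", "Host", "OtherApp")),
        (False, "app:pci", ("App",)),
        (True,  "app:pci", ("OtherApp",)),
    ]),
    # error(vm) :- glance:image_of(vm, img), not glance:signed(img)
    "unsigned_image": (("VM",), [
        (False, "glance:image_of", ("VM", "Image")),
        (True,  "glance:signed", ("Image",)),
    ]),
    # error(vm, net) :- ids:scan(vm, "infected"), neutron:ports(vm, net)
    "infected_on_network": (("VM", "Net"), [
        (False, "ids:scan", ("VM", "infected")),
        (False, "neutron:ports", ("VM", "Net")),
    ]),
}


def violations(tables=TABLES, rules=RULES):
    """Run every policy rule and return the error rows it derives."""
    return {name: evaluate(rule, tables) for name, rule in rules.items()}


if __name__ == "__main__":
    for name, rows in violations().items():
        print(name, sorted(rows))
```

The point of the shape is that each stakeholder's sentence becomes one rule over tables that different services own (compute, image, IDS, network), and a violation is simply a row that the join produces. Negation is where care is needed: "not app:pci(OtherApp)" is only meaningful once OtherApp is bound by the positive nova:servers literal, which is why the evaluator asserts safety before checking negated literals.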