Sunday 24 April 2022

Security Resilience in EMEA

What makes a successful cybersecurity program and how can organizations improve their resilience in a world that seems increasingly unpredictable? How do we know what actually works and what doesn’t in order to maximize success?

These are the types of burning questions guiding Cisco’s Security Outcomes Study series. In the second edition of the study, Cisco conducted an independent, double-blind survey of over 5,100 IT professionals in 27 countries. This article highlights data from the latest volume to focus on security resilience in the region spanning Europe, Middle East and Africa (EMEA).

The study focuses on a dozen outcomes that contribute to overall security program success. Four of them in particular are crucial for building resilience:

◉ Keeping up with the business (Security should enable, not impede)

◉ Avoiding major incidents (…And their business impacts)

◉ Maintaining business continuity (…Even when disaster strikes)

◉ Retaining talented personnel (You can’t stay on top when top staff won’t stay)

Assessing Security Resilience in EMEA

We calculated an overall resilience score for each surveyed organization based on their ratings for the outcomes listed above. The chart below compares that score across the three global regions. Organizations in the Americas scored a scant 1.7% better than the global average, while EMEA organizations landed about 2% below that mark. And the width of the gray error bars further diminishes those differences. Overall, we simply don’t see huge discrepancies in security resilience at the regional level.

Regional comparison of mean security resilience score

When examining resilience at the country level, however, differences begin to emerge. The next chart shows the proportion of organizations in each country reportedly “excelling” in each of the four outcomes related to security resilience. In other words, about 48% of firms in Saudi Arabia say their security program is doing a great job keeping up with the business. About 37% excel at maintaining business continuity, and so on. So, pick your country of interest and trace its success level across each outcome.

Country-level comparison of reported success levels for security resilience outcomes

Interested in comparing countries in the EMEA region across all 12 security outcomes beyond those shown here for resilience? Download the EMEA spinoff of the Security Outcomes Study, Volume 1.

Perhaps the most interesting aspect of this chart is the comparison it provides among countries. The reported success rates by security professionals in the countries at the top are roughly twice that of those on the bottom. And for the most part, each country maintains its relative position across all outcomes.

The obvious question here is what lies behind these apparent differences in security resilience among countries? Is Saudi Arabia really that much more resilient than Germany? Might German organizations have a more realistic grasp of what it means to be resilient and know there’s a lot of work left to do? Perhaps it’s somewhere between those possibilities or something else altogether.

Whatever the reason, the key takeaway here is that success rates for all countries indicate that organizations aren’t as successful as they’d like to be in the area of security resilience.

Improving Security Resilience in EMEA


How can organizations in the EMEA region improve those outcomes, thereby making their firms more resilient? That’s an excellent question and one we were eager to explore in the Security Outcomes Study. The study revealed five security practices—affectionately referred to as the Fab Five—that boost security program success more than any others. If you’d like a lot more information about the Fab Five and how to maximize their effectiveness, the latest edition of the Security Outcomes Study is the place to go.

The Fab Five: Highly effective practices for achieving security program outcomes

Before we examine how these practices improve resilience, let’s first check how well each country has implemented each of the Fab Five. The chart below mimics the one above for outcomes and is interpreted similarly. Once again, we see Saudi Arabia reporting the strongest implementation of these practices and Germany reporting the lowest. Countries shift around quite a bit beyond that.

Country-level comparison of reported success levels for five leading security practices

As with the outcomes chart, reasons behind these country-level differences are difficult to pinpoint. We suspect there’s a mix of maturity, cultural, and organizational factors at play. But hey, if you have thoughts, we’d love to hear them. Use #SecurityOutcomes on LinkedIn or Twitter to get our attention.

Remember that security resilience score we shared above for the regions? Great, because it’s coming back into play in this next chart. We wanted to test whether practicing the Fab Five actually improved resilience among EMEA organizations participating in our study. As seen in the chart below, that’s a definitive “Yes!”

Organizations that don’t do any of these practices well ranked in the bottom 25% for resilience, whereas those strong in all five reversed that standing and rose into the top 25%!

Effect of implementing five leading security practices on overall resilience score

Resilience has always been critical for cybersecurity. However, the last several years have really driven home the point that organizational defenders must be ready for anything. We hope this analysis demonstrates two things: 1) Organizations in the EMEA region have room for improving security resilience, and 2) It is actually possible to do so.

Source: cisco.com

Saturday 23 April 2022

Cisco Extends Service Discovery to WAN Using Bonjour and Adds App on Cisco DNA Center


Bring Your Own Device (BYOD) is now common in enterprises, especially in vertical industries like education and healthcare. So service discovery―the ability to automatically detect devices and services on networks and to set policies to safeguard networks―has become vital.  

There are many service-discovery protocols and techniques available that have been used for various use cases. Bonjour uses Multicast Domain Name System (mDNS) as its underlying mechanism to discover the services nearby. Apple developed Bonjour in 2002 to replace AppleTalk. Due to its open standards design and wide adoption, Bonjour/mDNS was integrated with Microsoft Windows 10, Google Android devices, and with Cisco Webex, making it a de facto standard. 

Bonjour was designed for use in a single network (a single subnet or a single VLAN), such as a home network, where consumer devices like Apple TVs and printers can be discovered by MacBooks, iPhones, and iPads.

With many devices making their way into enterprises, Cisco has extended Bonjour functionality beyond single Layer 2 broadcast domains, to scale and avoid bottlenecks across services-rich enterprise networks and to optimize network bandwidth in the core and access layers. Additionally, Cisco Digital Network Architecture (DNA) Service for Bonjour on Cisco DNA Center also introduces a new dashboard application that shows service discovery gateways connected to the controller and the service instances. It allows network administrators to control which services can be shared across specific network segments. 

Local Area Bonjour

Casting an image or a video stream from an iPhone to a TV requires the iPhone to discover the TV using mDNS so that it can send the file or stream to be cast on the screen. This deployment is called Local Area Bonjour. As shown in Figure 1, a switch can have multiple virtual LANs (VLANs), and by design each VLAN maps to a different subnet. If a service querier (e.g., an iPhone) is in VLAN A and a service provider (e.g., an Apple TV) is in VLAN B, which is a typical enterprise scenario, the querier will be unable to discover the service, because its multicast query will not reach the service provider.

Figure 1. Local Area Bonjour

Cisco introduced the Service Discovery Gateway feature, which enables mDNS to operate across Layer 2 boundaries or different subnets. An mDNS gateway provides transport for service discovery across Layer 2 boundaries by filtering, caching, and extending services from one Layer 2 domain (subnet) to another. Before this feature, mDNS was limited in scope to a single subnet because it uses link-local scoped multicast addresses.

Wide Area Bonjour 


Wide Area Bonjour extends the model to service providers and service queriers that sit behind different service discovery gateways (for example, in different wiring closets) and need to discover each other (Figure 2). The mDNS gateways connect to and synchronize their services with Cisco DNA Center, which shares a service when another gateway requests it.

Figure 2: Wide Area Bonjour

Cisco’s mDNS gateway solution helps cache services and respond to service queriers on request, enabling the network administrator to configure service policies to control the sharing of services across subnets.  

With Wide Area Bonjour, network administrators no longer need to bridge these VLANs across network segments, so no service flooding is necessary, which reduces multicast traffic in the core network. This saves a lot of network bandwidth in both the core and access layers, leaving it available for other types of traffic while the network still handles service discovery.

The Cisco Wide Area Bonjour solution eliminates the single Layer 2 domain constraint and expands the scope to enterprise-grade, traditional wired and wireless networks, including overlay networks such as Cisco Software-Defined Access (SD-Access) and industry-standard Border Gateway Protocol (BGP) Ethernet VPN (EVPN) with Virtual Extensible LAN (VXLAN). The Cisco Catalyst 9000 series LAN switches and wireless LAN controllers follow the industry standard, RFC 6762-based mDNS specification to support interoperability with various compatible wired and wireless consumer products in enterprise networks. 
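As an added example (not Cisco's code and not part of the original post), the following Python model shows how a service discovery gateway of the kind described above can cache mDNS PTR advertisements learned in one VLAN and answer queries from another VLAN only when a service policy permits that service type to cross the boundary. Packets are built and parsed in RFC 6762 / RFC 1035 wire format; the VLAN numbers, service types, instance names and the policy table are constructed sample data.

```python
"""
Minimal model of an mDNS service-discovery gateway with per-segment policy.
Added example, not Cisco's implementation: advertisements (PTR records) are
cached per source VLAN, and a query from another VLAN is answered from the
cache only if the policy allows that service type between the two VLANs.
"""
import struct

MDNS_GROUP = ("224.0.0.251", 5353)  # link-local multicast: routers never forward it
TYPE_PTR = 12
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode()
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def build_ptr_response(service_type: str, instance: str, ttl: int = 4500) -> bytes:
    """One unsolicited mDNS response carrying a single PTR record."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)  # QR=1, AA=1, one answer
    rdata = encode_name(f"{instance}.{service_type}")
    rr = encode_name(service_type) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(rdata)) + rdata
    return header + rr


def build_ptr_query(service_type: str) -> bytes:
    """Standard mDNS PTR query for a service type such as _airplay._tcp.local."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service_type) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def parse_ptr_records(packet: bytes):
    """Return (service_type, instance_name) pairs from the answer section."""
    _, _, qd, an, _, _ = struct.unpack_from("!HHHHHH", packet, 0)
    pos = 12
    for _ in range(qd):  # skip any questions
        _, pos = decode_name(packet, pos)
        pos += 4
    records = []
    for _ in range(an):
        owner, pos = decode_name(packet, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, pos)
        pos += 10  # rclass may carry the mDNS cache-flush bit; it is ignored here
        if rtype == TYPE_PTR:
            target, _ = decode_name(packet, pos)
            records.append((owner, target))
        pos += rdlen
    return records


class ServiceDiscoveryGateway:
    """Caches advertisements per source VLAN; answers cross-VLAN queries by policy."""

    def __init__(self, policy):
        # policy: {(querier_vlan, provider_vlan): {allowed service types}} (constructed)
        self.policy = policy
        self.cache = {}  # (vlan, service_type) -> set of instance names

    def ingest(self, vlan: int, packet: bytes) -> None:
        for owner, target in parse_ptr_records(packet):
            self.cache.setdefault((vlan, owner), set()).add(target)

    def answer(self, querier_vlan: int, query: bytes):
        _, _, qd, _, _, _ = struct.unpack_from("!HHHHHH", query, 0)
        pos, results = 12, []
        for _ in range(qd):
            qname, pos = decode_name(query, pos)
            qtype, _ = struct.unpack_from("!HH", query, pos)
            pos += 4
            if qtype != TYPE_PTR:
                continue
            for (vlan, stype), instances in self.cache.items():
                allowed = self.policy.get((querier_vlan, vlan), set())
                if stype == qname and (vlan == querier_vlan or stype in allowed):
                    results.extend(sorted(instances))
        return results


def demo():
    # VLAN 10 (clients) may discover AirPlay from VLAN 20 (devices), nothing else.
    gw = ServiceDiscoveryGateway({(10, 20): {"_airplay._tcp.local."}})
    gw.ingest(20, build_ptr_response("_airplay._tcp.local.", "Lobby TV"))
    gw.ingest(20, build_ptr_response("_ssh._tcp.local.", "lab-server"))
    return {
        "airplay": gw.answer(10, build_ptr_query("_airplay._tcp.local.")),
        "ssh": gw.answer(10, build_ptr_query("_ssh._tcp.local.")),
    }
```

The policy table is the security control: an SSH advertisement from the device VLAN is cached but never exposed to the client VLAN, while AirPlay is. A real gateway would also apply TTL expiry and the cache-flush bit, which this model leaves out.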

The Cisco DNA Service for Bonjour  


Cisco has now integrated Bonjour service discovery features into Cisco DNA Center. The new Cisco DNA Service for Bonjour features a software-defined, controller-based solution that includes a dashboard that shows the service discovery gateways connected to the controller and the number of service instances in a Wide Area Bonjour topology (Figure 3). It allows network administrators to control which services can be shared across which network segment.

Figure 3. Wide Area Bonjour Application on Cisco DNA Center

The new Cisco DNA Service for Bonjour enables end-to-end, service-oriented enterprise networks that retain all the key benefits of zero-configuration mDNS technology. With services and feature-rich user devices proliferating on enterprise networks, Cisco DNA Service for Bonjour can help improve the ability of IT and end users to access, manage, share, print, and synchronize data regardless of network boundaries. The solution's integration and security features give IT organizations control of access security, role- and location-based discovery, and management of devices across the enterprise network.

Source: cisco.com

Thursday 21 April 2022

Cisco UCS Unified Fabric now 100Gb end-to-end for X-Series


Since 2009, Cisco UCS Unified Fabric has been one of the key differentiators between UCS servers and the rest of the industry. Unified Fabric is the combination of data, storage, and management traffic on a single cable. This greatly simplifies your server and networking infrastructure and provides both CapEx (adapters, cables, switches) and OpEx (warranty, power and cooling, management) savings. Cisco's Unified Fabric is a single cable that connects the UCS X-Series chassis to the Fabric Interconnects.

In a redundant deployment, you reduce the number of cables and switches 5:2, from five (two each for data and storage plus one for management) down to two.

12+ years ago, Cisco UCS first shipped with 10Gb when the rest of the industry’s standard was 1Gb. In March, we announced we were leapfrogging the industry again by making 100Gb standard for UCS X-Series vs. 25Gb for other vendors.

The Cisco UCS X-Series Unified Fabric consists of three components: VICs, IFMs, and 6500 Series Fabric Interconnects.

Cisco UCS Virtual Interface Card (VIC) 15000 Series

VICs (Virtual Interface Cards) are more than a NIC or an ordinary converged network adapter (CNA – Ethernet + storage). Other vendors offer NICs or CNAs, but none offer the full functionality of a VIC. The two key differentiators are the inclusion of management traffic and the number of virtual adapter interfaces.

Cisco UCS servers are configured via policies and templates. The VIC receives the configuration from Cisco Intersight and pushes it to the server. This removes the need for a separate server management network.

Virtual adapter interfaces come in two flavors: data and storage. These virtual adapter interfaces extend the network fabric directly to both servers and virtual machines via end-to-end network virtualization, so a single connectivity mechanism can connect both physical and virtual servers with the same level of visibility and control. Each interface can have its own quality of service (QoS) settings, guaranteeing bandwidth and thus providing an optimal user experience. Cisco VICs support more virtual adapter interfaces than any other NIC or CNA, giving you the ability to tune and shape traffic to every application.

I’ll leave it to the data sheet to call out all the hardware features like low latency and kernel bypass for performance optimizations among others.

Cisco UCS VIC 15231 mLOM, 2×100 Gbps

Cisco UCS 9108 100G Intelligent Fabric Module (IFM)


An IFM is the connection point between the X9508 Chassis (and its servers) and the Fabric Interconnect, either the 6400 or 6500 series. Our 2nd-gen IFM raises the speed from 25Gb to 100Gb. Like its predecessor, each IFM has eight ports, and they are always deployed in redundant pairs. The amount of bandwidth is determined by the number of ports used. If you want to future-proof but don't need the full 800Gb per IFM, you simply use fewer ports and bring the remaining ports into service as your needs increase.

Cisco UCS 9108 100G Intelligent Fabric Module

Cisco UCS 6536 Fabric Interconnect


The 36-port Cisco UCS 6536 Fabric Interconnect supports Cisco UCS X-Series, UCS B-Series, and UCS C-Series servers. It offers line-rate, low-latency, lossless 1/10/25/40/100 Gigabit Ethernet, Fibre Channel, NVMe over Fabric (NVMe/FC, NVMe/TCP, NVMe over RoCEv2), and Fibre Channel over Ethernet (FCoE) functions. The total switching capacity is 7.42 Tbps.

Of the 36 ports, the FI has 32 40/100-Gb Ethernet and 4 unified ports that support 40/100-Gb Ethernet ports or 16 Fibre Channel ports after breakout at 8/16/32-Gb FC speeds. The switch also supports two ports at 1-Gb speed using QSA, and all 36 ports can breakout for 10- or 25-Gb Ethernet connectivity and support FCoE.

Cisco UCS 6536 Fabric Interconnect

Putting Unified Fabric all together


As the adage goes, a picture is worth 1,000 words. To save you reading 1k words, here is a diagram showing Cisco Unified Fabric and the entire UCS portfolio.

Diagram: Cisco Unified Fabric across the UCS portfolio

What can 5th Gen Unified Fabric do for you?


Unified Fabric will simplify your infrastructure and save you money. The architecture means there are fewer components to procure, install, power, and maintain: less money spent upfront and less time and money spent over their life. This increases your business agility and lets you focus on adding value to your business rather than keeping the lights on.

Then add in the performance benefits that a 100Gb line-rate, low-latency, end-to-end solution provides for your applications and user experience. You will have increased the reliability, efficiency, and scalability of the network.

Source: cisco.com

Wednesday 20 April 2022

An always-on strategy to find extraordinary talent for CX Centers Americas


Cisco is widely recognized for helping companies transform. To give our customers a solid foundation to achieve their digital transformations, we have improved our workplace, services, supply chain and security. Ours is a journey to drive workforce innovation, as part of our own digital transformation.

Recruiting extraordinary talent is essential to fuel our constant evolution. Within Cisco's CX Centers Americas, our highly specialized Technical Consulting Engineers (TCEs) are our competitive advantage. The TCEs in CX Centers solve our customers' biggest challenges. We do this through our technical expertise, a customer experience to count on, and innovation that puts intelligence at our customers' fingertips. And we are constantly looking for new members to join our team.

CX Centers Americas Approach to Hiring the Best

We partner with Cisco’s Emerging Talent Recruiting and CX Academy (CXA) to bring the best talent to CX Centers. Our vision is to deliver an extraordinary customer experience. Our TCEs make that happen. We provide them with the tools and knowledge to excel in their jobs. Our training builds a solid foundation that allows them to have both technical skills and be customer obsessed.

Since our TCEs come from all walks of life, we want to make the best of their talent journey. We have designed two streams of engagement based on the population of the person interested in joining us: emerging talent and professional hires.


Emerging Talent


TCE (Technical Consulting Engineer) Graduate Program: After being recruited from universities and undergoing an interview process, new employees go through a six-month onboarding training supported by CX Academy. The TCE Graduate program runs two times a year, following typical university graduation dates. During their first six months at Cisco, we train the new hires from the macro to the micro level. New TCEs rotate through four different teams within a technology group before being placed on one of the teams to begin their team-specific training. Candidates are also exposed to other experts and leaders through activities including Executive Fireside Chats, Living Cisco’s Principles, Coaching Sessions, and more. We accept around 80 new hires annually with this program.

“CXA provided a challenging and collaborative learning environment that allowed me to expand my soft skills and develop acquired technical skills in the field of networking. I learned how to be a successful TAC engineer thanks to the work that my mentors, my trainers and my cohort put in to develop training materials that allowed me to capture the relevant content.”
—Mariana, TAC (Technical Assistance Center) engineer, TAC Collaboration Team in Richardson, TX.

Co-Op / Intern Program: After undergoing interviews, students are welcomed to the Co-Op for six months on a full-time basis, 40 hours/week. The Co-Op program runs twice a year in the US with ~20 co-ops per cohort. 70% convert to the full-time Technical Consulting Engineer role post-graduation. Students start by learning the fundamentals of the TCE role, spending the first three months of the program supporting simple cases and slowly increasing the number and difficulty of cases taken, all under the supervision of a mentor. At the mid-point of the program, the Co-Ops join the Technical Assistance Center (TAC) teams to learn one of the teams' technologies and begin to support cases in the queue. Pre-COVID, Co-Ops spent the beginning of their experience in CX Labs, learning the basics of the hardware used to recreate cases.

The internship is a three-month summer experience, currently for returning Co-Ops only, in which they will return to the Technical Assistance Center (TAC) team they had previously supported.

At the end of the experience and depending on performance, the Co-Op will receive an offer to return as a future Co-Op, Intern, or receive a full-time TCE offer.

“Being a TCE Co-op was the best professional experience I have ever had and prepared me for taking on the role of a full-time engineer. Everyone I talked to and learned from offered help and wanted to see me succeed in my role.”
—Anthony, TCE (Technical Consulting Engineer) Co-op

Pre-Apprenticeship and Apprenticeship: The Apprenticeship program is the same as the Co-Op program; the difference is the population we source from. These programs are especially designed for those coming from any walk of life. Candidates could be in the process of earning an associate degree, switching careers, or exiting the military. We have partnered with Wake Tech Community College in North Carolina and Collin College in Texas to source candidates who are currently enrolled in a Cisco Certified Network Associate (CCNA) certification course. If these institutions have students who are interested in a TCE Apprenticeship, they join the pre-Apprenticeship to receive professional development sessions hosted by Cisco. After attending at least 80% of the professional development sessions and achieving the CCNA certification, candidates are eligible to apply and interview for the TCE Apprenticeship. The end goal for pre-apprentices is to become TCE apprentices and ultimately TCEs.

The apprenticeship pilot started in the Fall of 2021 and is planning to run twice a year. We started with five apprentices, all officially registered as apprentices with the state of North Carolina. There are also currently 30 pre-apprentices, with plans to enter apprenticeships, which started in March.

PEX (Practical Experience Program): PEX is a rotational program that provides individual contributors with their first opportunity to manage people. The program is designed to give aspiring leaders practical, hands-on people management experience. Managers are responsible for a cohort of 5-10 new hires for the first 6 months of the 12-month CX Academy program. Responsibilities include onboarding new hires, mentoring and coaching them throughout the program, managing their performance, collaborating effectively with local and global team members, building relationships with stakeholders, and owning the planning and delivery of projects.

Professional Hire


This track is for experienced professionals. It was created to standardize the experience of the new employee and includes a diverse range of activities for the new employee, the hiring manager, and the mentor to make the best of all recruiting steps for the first 90 days (about 3 months).

Source: cisco.com

Tuesday 19 April 2022

Transforming Customer Experience with Cisco AI Chatbots

Chatbots are a rising support model. With the advent of artificial intelligence and machine learning, chatbots can often resolve issues faster and more accurately than human support agents. According to Business Insider, 40% of internet users worldwide prefer interacting with chatbots instead of human agents virtually. By 2024, Insider Intelligence predicts that spending on chatbots worldwide for consumer retail alone will reach $142 billion—compared to $2.8 billion in 2019. It is now common to find chatbots on retail, healthcare, and corporate websites and mobile apps. Chatbots can be designed to provide different types of expertise and functionality. When properly trained, they are very good at answering specific queries. They automate common tasks, reduce time to service, and increase efficiency and customer satisfaction.

If a person cannot tell whether a response is coming from a machine or a human, then a bot has passed the Turing Test. The biggest challenge for chatbots has been understanding the nuances of human language, especially technical jargon.  With advancements in machine learning and deep learning with transformative algorithms like Bidirectional Encoder Representations from Transformers (BERT), chatbots now sometimes perform better than many humans in understanding written intent.  It’s also easier than ever to create chatbots, with minimal programming necessary. Simply provide examples of interactions and a bot learns for itself how to respond.  

The Cisco Networking Chatbot   

The Cisco Enterprise Networking team foresaw a need for a chatbot to streamline support work and make it more efficient. The Cisco Networking Bot (cnBOT) is designed to empower internal support personnel, customers, guests, and partners by providing digitized Cisco product information in an intuitive way. cnBOT has experienced overwhelming growth, with thousands of users and tens of thousands of queries.

The cnBOT is available on the web, on product support pages, via the cnBOT Webex Team Space, and via the Cocoa Bot interface. cnBOT is also supported by analytical modules and helps generate leads for product sales and migration services.   

The cnBOT (Figure 1) is a cloud-ready product that uses microservices built with scalability in mind. Its features can be prototyped quickly and independently, and its distributed processing architecture gives it high reliability. As a cloud-native application, the cnBOT has built-in resiliency.

Figure 1. Cisco Networking BOT Features
 
For an example of the cnBOT in action, a request for information about Cisco Catalyst 9000 Series software compatibility generates a link to the matrix shown in Figure 2 and other related links. 

Figure 2. Cisco Networking Chatbot Use Case: Cisco Catalyst 9000 Compatibility

Another example of the cnBOT in action is in response to a query about migrating from the Cisco Prime Infrastructure (PI) to Cisco DNA Center. A high-level migration task list is displayed (Figure 3) with a prompt at the end to do a self-guided migration. 

Figure 3. Cisco Networking Chatbot Use Case: Migration from Cisco Prime to Cisco DNA Center

Future Development 


The cnBOT started as an idea to facilitate Tier 2 workflow automation, reduce time to get critical information and provide a tighter integration loop with stakeholders — although the opportunity and scope can be much broader. Diverse use cases and different audiences can be served by the cnBOT.  We are working with multiple groups at Cisco to integrate their workflows into the cnBOT and looking for ways the chatbot can provide services through other bots at Cisco, including the CX Cloud bot, so customers can be provided with seamless support experiences regardless of the questions they ask.    

The cnBOT can be used for other types of communication, including voice input and output, like Apple's Siri. It can also provide collaboration services such as push notifications. Further investment will enable research into how customers use the product and how to mitigate pain points in their interactions. Longer term, we anticipate developing many additional services for the cnBOT, including a standardized platform for easy integration.

Chatbots are here to stay and will get smarter. Bots in gaming have beaten some of the best human players in the world with just a few hours of training. Machines are getting much better at understanding human language (sometimes better and faster than humans). More interactions with bots await us all, bringing greater efficiency and faster service that improves customer confidence in Cisco products and services.

Source: cisco.com

Sunday 17 April 2022

New Software Architecture Enables Session-Aware Networking to Massively Scale Authentication and Access Policy Control

As enterprise networks become more complex, the demands and challenges to secure them are increasing. Increased mobility, wireless networks, and Bring Your Own Device (BYOD) initiatives have broadened the attack surface. Access security must be capable of scaling to accommodate the increased access demands of myriad devices.

Session Aware Networking (SANet) is a framework and set of features that provide authentication, access control, and user-specific policies. The SANet re-architecture has evolved it from a single-core Cisco IOS XE application into a horizontally scalable application that adopts Cisco's database-centric programming model: device state is now maintained in the database, and the application makes use of the multicore capabilities of the device platforms.

The decoupling of SANet features from the IOS XE daemon allows for much greater authentication scalability and flexibility in addressing various business requirements.

Scaling Access Security

SANet is the session management software on IOS XE-based devices and plays a vital role in Identity Based Networking Services (IBNS). Enterprise wired and wireless networking products that run IOS XE use SANet to handle session management (Figure 1). Having the same control plane software for session management across all Cisco enterprise product families that run IOS XE enables two things:

◉ Higher feature velocity and availability across all the products

◉ A uniform control plane across all Cisco products that enables the deployment of security policies at multiple locations in the network with ease

Figure 1. SANet Architecture and Features

Following the principles of the IOS XE database-centric programming model and horizontally scalable architecture, SANet was designed to address the expanding scalability requirements of wired and wireless networks. For example, wireless LAN controllers may have higher scalability requirements than fixed-port switches. SANet offers a more consistent way to configure features across technologies, along with easy deployment and customization of features. Having a single solution for these diverse requirements simplifies operations through standardization.

The database-centric programming model, along with the IOS XE infrastructure, provides access to other capabilities such as compiler-integrated patching, integrated telemetry, and unified software tracing, to name a few. It also benefits from any future enhancements to the complete IOS XE stack, such as process restartability and multi-tenancy.

Multiple Authentication Methods and Comprehensive Policy Control


SANet provides an extensive list of authentication mechanisms and a robust policy framework that can apply policies defined locally or on an external server. Session insights or attributes are sent during authentication or accounting to a configured external server, like Cisco Identity Services Engine (ISE) or third-party servers, to make network policies flexible, consistent across the network, and easy to manage.

Authentication methods available with SANet include 802.1X, Web Authentication, and MAC Authentication Bypass (MAB). These methods can be combined to address various business requirements. For example, MAB followed by Web-based authentication may be used for solutions that demand diverse types and combinations of session policies. Security policies such as an Access Control List (ACL) applied initially to a user session can change as more user identity details are learned. Or a policy may be applied to a guest user to limit the time that the user is allowed to stay connected to the network.

Source: cisco.com

Saturday 16 April 2022

Intersight Workload Optimizer: How to Tame the Public Cloud

In this installment, we’re going to focus on public cloud optimization, which differs slightly from its on-premises counterpart. In an on-premises data center, infrastructure is generally finite in scale and fixed in cost. By the time a new physical server hits the floor, the capital has been spent and has taken a hit on your business’s bottom line. In this context, on-premises optimization means maximizing utilization of the sunk cost of capital infrastructure (while still assuring performance of the workload, of course).

In the public cloud, however, infrastructure is effectively infinite. Resources are generally far more elastic and often paid for out of an operating expenditure budget rather than a capital budget. In this case, cloud optimization means minimizing cloud spend, and the burden of maximizing hardware utilization falls to the cloud provider. Minimizing cloud spend proves to be a daunting exercise for cloud administrators given the public cloud’s vast array of instance sizes and types (over 400 in Amazon Web Services alone, as shown in Figure 1), all with slightly different resource profiles and costs, and with new options and pricing changing almost daily. At scale, selecting the ideal instance type, size, term, etc. for every workload at every moment in order to assure performance and minimize spend is arguably an impossible task for a human, but it is an ideal use case for the IWO decision engine.

Figure 1: Amazon Web Services instance types

Taking action in the public cloud


So let’s take a look at the types of real-time actions IWO offers for public cloud optimization. In Figure 2, starting on the Cloud tab of the main Supply Chain screen, we see a number of widgets on the right with actionable information – Pending Actions, Top Accounts, Necessary Investments, Potential Savings, etc.

Figure 2: Supply Chain view of the Public Cloud and Pending Actions widget

Clicking on “Show All” in the Top Accounts widget, we see a list of all our public cloud accounts and subscriptions in a hierarchical table, as shown in Figure 3.

Figure 3: Public cloud account details table

Clicking on one of the green action buttons on the right, we see the current pending actions for a specific account, as shown in Figure 4. There we see a number of storage volume actions highlighted, some relating to performance needs, others to recouping savings from over-provisioning (i.e., you can move to a cheaper tier of storage and still assure performance).

Figure 4: Action Center table with details on specific pending storage actions for a given account

In this specific example, a keen-eyed reader might notice something curious about the two performance actions at the top of the list: even though the actions are being taken to provide more IOPS (moving from 160 to 3000 IOPS) to assure performance, the cost impact is actually lower. That’s right – these actions are providing more performance for less cost! While maybe not entirely common, this example shows just how quirky the plethora of options in the public cloud can be, and how difficult it is for humans to avoid leaving money on the table. This example is also non-disruptive and reversible, as noted in the table, and can be executed immediately with the click of a button. (What’s not to like?)

Clicking on the Scale Virtual Machines tab in the Action Center list, we see the current pending actions to rightsize our VMs, as shown in Figure 5.

Figure 5: Action Center table with details on specific pending VM actions for a given account

Clicking on the details button in the first row takes us to the Action Details window providing us clear data behind the decision, as well as the expected outcome of the action from both a performance and a cost perspective, as shown in Figure 6. We can also conveniently run the action with a single button click, right from the dashboard interface.

Figure 6: Action Details for a specific VM scaling action

This detailed information is available for every action IWO recommends, across all workloads in all cloud accounts. Choosing the right action, with even just a handful of workloads, is difficult for a human. Getting it right across many tens, hundreds, or thousands of workloads spread across multiple accounts in multiple clouds in real time is a problem that IWO is uniquely positioned to solve.

Reserved instances: rent or lease?


To further complicate matters for a cloud administrator, you have the option of consuming instances in an on-demand fashion — i.e., pay as you use — or via Reserved Instances (RIs), which you pay for in advance for a fixed term (usually a year or more). RIs can be incredibly attractive, as they are typically heavily discounted compared to their on-demand counterparts, but they are not without their pitfalls.

The fundamental challenge of consuming RIs is that you will pay for the RI whether you use it or not. In this respect, RIs become more like the sunk cost of a physical server on-premises than the intermittent cost of an on-demand cloud instance. One can think of on-demand instances as being well-suited for temporary or highly variable workloads, analogous to a car-less city dweller renting a car: usually cost-effective for an occasional weekend trip, but cost-prohibitive for long-term use. RIs are akin to leasing a car: often the right economic choice for longer-term, more predictable usage patterns (say, commuting an hour to work each day).

When faced with a myriad of instance options and terms, you are generally forced down one of two paths: 1) only purchase RIs for workloads that are deemed static and consume on-demand instances for everything else (hoping, of course, that static workloads really do remain that way); or 2) pick a handful of RI instance types — e.g., small, medium, and large — and shoehorn all workloads, static or variable, into the closest fit. Both methods leave a lot to be desired.

In the first case, it’s not at all uncommon for static workloads to have their demand change over time as app use grows or new functionality comes online. In these cases, the workload will need to be relocated to a new instance type, and the administrator will have an empty hole to fill in the form of the old, already paid-for RI (see examples in Figure 7).

Figure 7: Changes in workload demand can trigger numerous cascading decisions for RI consumption

What should be done with that hole? What’s the best workload to move into it? And if that workload is coming from its own RI, the problem simply cascades downstream. The unpredictability of such headaches often negates the potential cost savings of RIs.

In the second scenario, limiting the RI choices almost by definition means mismatching workloads to instance types, negatively affecting workload performance, cost savings, or both. In either case, human beings, even with complicated spreadsheets and scripts, will invariably get the answer wrong: the scale of the problem is too large, and everything keeps changing all the time, so the analysis done last week is likely to be invalid this week.

Thankfully, IWO was developed to understand both on-demand instances and RIs in detail through native API target integrations with popular public cloud providers like AWS and Azure. IWO constantly receives real-time data on consumption, pricing, and instance options directly from the cloud providers, and combines that data with knowledge of applicable customer-specific pricing and enterprise agreements to determine the best actions available at any given point in time.

Figure 8: Detailed inventory information and purchase actions for RIs

Not only does IWO technology understand current and historical workload requirements and an organization’s current RI inventory (see above), but it can also intelligently recommend the optimal consumption of existing RI inventory and additional RI purchases to minimize future spending. In Figure 9, we have a Pending Action to buy 13 RIs, which would take the RI coverage up to the horizontal black line in the chart. Most of the area under the blue and turquoise curves, representing the workload resource requirements, would be covered by RIs – everything below the black line. The peaks above the black line would be covered by on-demand purchases. While you could purchase enough RIs to cover all the area under the curve, this is not the most cost-effective option for meeting workload demand.

Figure 9: Details supporting a specific RI purchase action
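As an added illustration of the reasoning behind Figure 9 (this is example code written for this page, not IWO’s decision engine or any Cisco code), the Python below picks the RI count for a constructed one-week hourly demand curve and shows why covering the whole curve with RIs costs more than covering only the steady part. The demand profile and the two hourly rates are assumptions made up for the example, not real cloud prices.

```python
from typing import Sequence, Tuple

# Constructed one-week hourly demand (instances of one type needed each hour):
# quiet nights, a business-hours plateau and a short evening peak, repeated daily.
DAY = [8] * 8 + [14] * 10 + [24] * 3 + [10] * 3
DEMAND = DAY * 7
OD_RATE = 0.10   # illustrative on-demand price per instance-hour (placeholder)
RI_RATE = 0.06   # illustrative effective RI price per instance-hour (placeholder)


def total_cost(demand: Sequence[int], ris: int, ri_rate: float, od_rate: float) -> float:
    """Cost of running the period with `ris` reserved instances.

    RIs are paid for every hour whether used or not (the sunk cost the post
    describes); any demand above the RI line is met with on-demand instances.
    """
    hours = len(demand)
    on_demand_hours = sum(max(0, d - ris) for d in demand)
    return ris * ri_rate * hours + on_demand_hours * od_rate


def optimal_ri_count(demand, ri_rate, od_rate) -> Tuple[int, float]:
    """Brute force: try every RI count from 0 (all on-demand) up to peak
    demand (everything reserved) and keep the cheapest."""
    best = min(range(max(demand) + 1),
               key=lambda n: total_cost(demand, n, ri_rate, od_rate))
    return best, total_cost(demand, best, ri_rate, od_rate)


def ri_count_by_breakeven(demand, ri_rate, od_rate) -> int:
    """Same answer by reasoning: the n-th RI only pays off when demand reaches
    n for more than ri_rate/od_rate of the hours, so stop at the first tier
    whose utilisation drops below that break-even point."""
    hours, threshold, n = len(demand), ri_rate / od_rate, 0
    while n < max(demand) and sum(d > n for d in demand) / hours > threshold:
        n += 1
    return n


def coverage(demand, ris) -> float:
    """Share of instance-hours under the demand curve that the RI line covers."""
    return sum(min(d, ris) for d in demand) / sum(demand)


if __name__ == "__main__":
    n, cost = optimal_ri_count(DEMAND, RI_RATE, OD_RATE)
    print(f"buy {n} RIs: {cost:.2f} total, {coverage(DEMAND, n):.0%} of demand covered")
    print(f"all on-demand: {total_cost(DEMAND, 0, RI_RATE, OD_RATE):.2f}")
    print(f"reserve the peak too: {total_cost(DEMAND, max(DEMAND), RI_RATE, OD_RATE):.2f}")
```

With these assumed numbers the cheapest plan reserves 10 instances, leaving the evening peak and part of the daytime plateau to on-demand, and both all-on-demand and full-coverage plans cost noticeably more.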

Continuing with our car analogy, in addition to knowing whether it’s better to rent or lease a car in any given circumstance, IWO can even suggest a car lease (RI purchase) that can be used as a vehicle for ride-sharing. IWO can fluidly move on-demand workloads in and out of a given RI to achieve the lowest possible cost while still assuring performance.

In short, IWO has the ability to understand the optimal combination of RI purchases and on-demand spending across your entire public cloud estate, in real-time.

Cloud Migration Planning


Finally, because IWO uses the same underlying decision engine for both the on-premises and public cloud environments, it can bridge the gap between them. The process of migrating VM workloads from on-prem to the public cloud can be simulated in IWO’s planning module and will allow the selection of specific VMs or VM groups to generate the optimal purchase actions required to run them, as shown in Figure 10.

Figure 10: On-prem to public cloud workload migration planning results

These plan results offer two options: Lift & Shift and Optimized, depicted in the blue and green columns, respectively. Lift & Shift shows the recommended instances to buy, and their costs, assuming no changes to the size of the existing VMs. Optimized allows for VM right-sizing in the process of moving to the cloud, which often results in a lower overall cost if current VMs are oversized relative to their workload needs. Software licensing (e.g., bring-your-own vs. buy from the cloud) and RI profile customizations are also available to further fine-tune the plan results.

Have your cake and eat it too


IWO has the unique ability to apply the same market abstraction and analysis to both on-premises and public cloud workloads, in real-time, enabling it to add value far beyond any cloud-specific or hypervisor-specific, point-in-time tools that may be available. Besides being multi-vendor, multi-cloud, and real-time by design, IWO does not force you to choose between performance assurance and cost/resource optimization.

Source: cisco.com