Cisco Intercloud Fabric for Provider White Paper
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
What You Will Learn
This white paper describes the security features of the Cisco Intercloud Fabric™ solution and how it helps users
create a secure hybrid cloud infrastructure.
For most organizations, security is a critical concern when using public clouds. Cisco Intercloud Fabric provides
users with the same level of security in the public cloud they have in their own data center. The solution lets users
build secure hybrid clouds that extend their existing data center infrastructure to public clouds as needed and on
demand, take advantage of flexible capacity, and achieve lower costs and faster delivery of resources.
Introduction
Hybrid clouds are quickly becoming the new normal. The National Institute of Standards and Technology (NIST)
defines a hybrid cloud as a composition of two or more distinct cloud infrastructures (private, community, or public)
that remain unique entities but are bound together by standardized or proprietary technology that enables data and
application portability (e.g., cloud bursting for load balancing between clouds).
Cisco Intercloud Fabric enables customers to build highly secure hybrid clouds and transparently extend their
private cloud to public cloud environments, while keeping the same level of security across both environments.
Cisco Intercloud Fabric provides complete end-to-end security between public and private clouds, using the
following capabilities:
● Secure site-to-site communication
● Cisco Intercloud Fabric secure shell
  ◦ Trusted cloud VMs
  ◦ Encrypted VM-to-VM communication
  ◦ Controlled cloud VM access through cloud security groups
● Role-based access control (RBAC) on cloud resources
● Zone-based firewall using Cisco Intercloud Fabric firewall (Cisco® Virtual Security Gateway [VSG])
Secure Site-to-Site Communication
Cisco Intercloud Fabric creates a cryptographically isolated and encrypted tunnel to securely communicate
between private and public clouds (Figure 1). It uses two VMs, a Cisco Intercloud™ Extender VM in the enterprise
cloud and a Cisco Intercloud Switch VM in the public cloud, to create a secure tunnel between the two VMs as
endpoints. This helps ensure that all network communications between private and public cloud sites are secure
and encrypted.
The tunnel can be configured as a Datagram Transport Layer Security (DTLS), Transport Layer Security (TLS), or
Hypertext Transfer Protocol Secure (HTTPS) tunnel, depending on the customer's choice of UDP, TCP, or HTTP as
the tunnel data transport protocol.
Key and certificate management is performed by the Cisco Intercloud Fabric Director software running in the
private cloud. It is also possible to periodically refresh the keys from the director.