The VMware Multi-Cloud Briefing is an online quarterly series, now in its fifth iteration, that brings vision, technology, and customer stories to the table. Since its introduction in the summer of 2020 the series has moved through cloud platform, operations, and application development. Both cloud technology and cloud adoption are advancing at a fast pace, and this April briefing is an opportunity to see what’s new directly from VMware engineering, independent industry experts, and customers.
The latest session opens with Joel Neeb, VP Execution and Transformation, VMware, and former F-15 pilot. Joel talks through the history of aviation and the advancements in the cockpit, from very limited technology to over 300 different instruments. With so many features and capabilities there comes a tipping point where the cockpit cannot practically be managed by a single operator, or where managing it takes more time than it returns in value. Those instruments have since been streamlined into a handful of features, displayed on screens instead of switches and dials, with the computer systems surfacing what matters to the operator at a given moment.
We can learn from this approach, and apply similar models to be able to abstract and simplify multi-cloud complexity across different environments and locations. VMware Cross-Cloud Services can remove complexity, whilst enabling the agility of different cloud providers and the freedom to choose the right target environment for each application. Offering standardisation and consistency at the infrastructure layer allows scale and flexibility. Then, as requirements change and new use cases are uncovered, IT teams and developers can move quickly to accelerate overall business transformation.
VMware Cross-Cloud Services
The session continues with quick fire customer stories around streamlining operations with VMware technology, and a customer interview with S&P Global covering their approach to solving multi-cloud complexity. Later, we’ll also hear a partner perspective from DXC Technology, on how they work with customers to deliver multi-cloud outcomes, and what trends they are seeing across the market.
Next is a technology deep dive, starting out with examining how we’ve arrived at the complexity of running environments across public cloud, private cloud, and the edge. You can then expect to see:
How easy it is to add a new VMware environment to a hyperscaler, using vRealize Automation. In this demo we’ll start with an on-premises hosted environment, and scale out by spinning up new environments in the cloud, with the same management tooling and policies.
How to manage multiple cloud environments from a single tool, using vRealize Operations. In this demo we’ll look at a consistent way of managing and optimising resources, performance, capacity, and costs, with a unified troubleshooting interface.
How to add Kubernetes clusters in different hyperscalers to a common management plane, using Tanzu Mission Control. In this demo we’ll see how you can standardise the management of Kubernetes services, which will most likely complement your existing virtual machine infrastructure. Furthermore, we’ll find out how Tanzu Service Mesh can secure communication between microservices across environments and clouds. Tanzu Service Mesh brings microservices under the same security umbrella and automates features such as mutual TLS (mTLS) between all services, so service-to-service traffic is both encrypted and mutually authenticated without changes to application code.
The final segment is an industry interview with IDC and VMware, talking about what it means for customers to standardise their infrastructure and cloud platforms. There are multiple layers of abstraction and standardisation, covering the likes of management, optimisation, and security. IDC will detail where you can start, and what they see as good first steps.
The April 2022 VMware Multi-Cloud Briefing, and the associated launch blog, are now live and available on YouTube. The video is embedded below. You can watch the current and previous briefings on the VMware Multi-Cloud Briefing page; each video is between 30 and 40 minutes long.
Skyline Advisor Pro is a cloud-based, proactive support technology that helps VMware customers avoid issues before they occur. It automates the capture and analysis of configurations, support bundles, and trend telemetry, and provides granular visibility across the whole estate with predictive and prescriptive recommendations.
As well as proactively avoiding downtime, Skyline also monitors for security risks across the VMware estate and provides remediation guidance. IT staff can spend less time fixing issues or manually searching through security vulnerabilities, and more time improving services and aligning to strategic initiatives. If an issue does occur, Skyline also helps speed up support request resolution, since VMware Global Support Services (GSS) already have visibility into the VMware logs through the Log Assist feature.
Skyline Advisor Pro is set up in the VMware Cloud Services portal. You need a Cloud Services Organisation to activate Skyline, and any other VMware Cloud service. You can create a new org or use an existing one to group your VMware Cloud services together. The Cloud Services Organisation acts as a logical container in which you manage identity and access management, subscriptions, billing, and support. Skyline Advisor Pro is included at no extra cost for VMware customers with Production or Premier support, and for vRealize Cloud Universal and Customer Success 360 customers.
The Skyline Advisor Pro intelligence and user interface are provided and hosted as a cloud service, i.e. Software-as-a-Service (SaaS). The Skyline Collector is a small virtual appliance deployed in the customer’s VMware environment; it establishes the secure connection back to the SaaS control plane. The collector appliance is a standard OVA deployment and allocates 2 vCPU, 8 GB RAM, and 1.1 GB of thin-provisioned disk (87.1 GB if thick provisioned).
Once the collector is deployed, endpoints for vCenter and other products can be added. Skyline Advisor Pro is able to provide proactive intelligence for vSphere, vSAN, NSX, VMware Cloud Foundation, Horizon, vRealize Automation, and vRealize Operations. After registering endpoints, the Skyline collector automatically and securely collates product usage data. Skyline then analyses the data to identify patterns, events, trends, design-compliance, and cross-product interaction.
Collected data is encrypted both at rest and in transit (it is transmitted back to the Skyline platform over TLS 1.2). Access is limited to VMware employees in customer support roles who have undergone full training. Object names and IP addresses are included in the product usage data, but no personally identifiable information is collected. Skyline is GDPR compliant and certified against SOC 2, Cyber Essentials Plus, and other standards. Because inventory details such as object names and addresses do leave your environment, it is worth reviewing the VMware Skyline Data Collection Examples before enabling the collector, so you know exactly what is sent; see also the VMware Cloud Trust Centre and the VMware Skyline Frequently Asked Questions.
Proactive findings and recommendations are presented back to users through the Skyline portal in the VMware Cloud console, or through the vRealize Operations Cloud integration. The availability of the Skyline collector is critical in ensuring visibility into the environment from the Skyline portal. Depending on the size and scale of the environment, you may have multiple collector appliances. You can learn more about the high level architecture in the Skyline Architecture Documentation.
Skyline Advisor Pro Components
What’s New in Skyline Advisor Pro?
Just before VMworld 2021, VMware announced Skyline Advisor Pro. This latest iteration provides a major step forward in user experience from its predecessor, and it’s not just dark mode either. Both functional and operational improvements have been made to the product.
Skyline Advisor Pro significantly accelerates data processing and insights, now surfacing issues and inventory changes within 4 hours; with the previous Skyline this took up to 48 hours. Further environment insights have been added, such as end-of-life notifications and historical insights. The Skyline Advisor Pro API now lets users query findings data from other tools, or trigger events to be sent to collaboration tools or ticketing systems. You can read more about these features in the VMware Skyline Advisor Pro is here blog.
Getting Started With Skyline Advisor Pro
The easiest way to enable Skyline Advisor Pro is to follow the Get Started link on the VMware Skyline product page. This directs you to log into the VMware Cloud Services portal; use the corporate/work account that is linked to an active support subscription. Once logged in you are invited to create or select a Cloud Services Organisation and activate Skyline, and the Skyline administrator role is assigned to your account as part of the process.
The onscreen instructions will allow you to download and link the collector appliance. You can also download the VMware Skyline Collector from the Customer Connect downloads site. When you deploy the OVA to your environment you will be prompted for configuration such as network settings and endpoint registration. For more detailed information see the Skyline Planning and Deployment section of the VMware Skyline Documentation.
After setup is complete the Skyline Advisor Pro panel is added to your available services in the VMware Cloud Services portal:
Skyline Advisor Pro Dashboard
Within the Findings and Recommendations tab you’ll be able to see findings with affected objects, risk, recommendations, and historical data. You can click into each finding for more information, context, and fixes or links to KB articles if applicable.
It isn’t a secret that the overwhelming majority of data hosted by enterprises in the cloud sits with US-owned cloud providers. A 2021 study by the Centre for European Policy Studies found that 92% of the western world’s data is currently stored in the US. In principle that has been fine for organisations based in other countries, since the scale of these cloud providers meant data locality was not a problem, and the security controls and technologies exist to protect the data from unauthorised third parties.
Politically, however, the landscape is changing. The majority of the world’s population is now covered by privacy regulations in line with GDPR. The number of countries implementing data privacy laws has been increasing annually, for both personal and enterprise data. Furthermore, the very definition of personal information is evolving with our online presence, and it’s only going to get more complex over time.
Under the US Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018, US courts can compel US-based providers to hand over data they store or control, not just on US soil but, in principle, anywhere in the world. Separately, in July 2020, the Court of Justice of the European Union (CJEU) ruled, in the case known as Schrems II, that the EU-US Privacy Shield framework for transferring data outside of the EU was invalid.
This isn’t just a European concern either, it’s on the radar across other regions on a global scale. Legal cases and fines are starting to arise for organisations incorrectly interpreting GDPR, and there are still open questions about how legislation will be enforced internationally.
These are not isolated instances, and in conjunction with an increased risk of data breaches and more sophisticated cyber attacks, companies are starting to seriously consider repatriation of data stored overseas. Through the global network of VMware Cloud Provider Partners (VCPP), and the VMware Sovereign Cloud framework, VMware have the means to implement data sovereign solutions locally across any region.
What is VMware Sovereign Cloud?
VMware Sovereign Cloud is a framework of guiding principles and best practices to help partners deliver cloud services that adhere to the data sovereignty requirements of a specific jurisdiction. A sovereign cloud framework does not replace public cloud, nor does it replace industry compliance. In fact the opposite is true, the sovereign cloud framework seeks to augment existing platforms and regulations, with a specific focus on putting the customer in complete control of their data.
This control comes from providing both data residency and data sovereignty, with full jurisdictional control. Data residency relates to where the data is physically and geographically stored and processed. Due to the extreme scale of the main public cloud providers, this is something they are usually able to provide. Often, though, metadata (data about the data) leaks out into other regions, typically the US, so data residency alone is not always sufficient to ensure compliance with data privacy laws. Data sovereignty relates to law: the data is subject to the governance structure, and more importantly the jurisdiction, of the nation where it is processed and stored.
Data still needs to be accessible, and this is a really important point. A sovereign cloud solution needs to not only protect critical data, but also unlock its value. Data can be extracted in a meaningful way, for both private and public sector organisations, whilst providing transparency around architecture and operations.
As an example, both my banking and health records are stored extremely securely in a data centre, with a raft of regulatory and audit processes in place. However, I can access these records on demand from my mobile phone, a device my bank and my healthcare provider have no control over. Equally, there are times when others need to access the same records, either anonymised or with personally identifiable information; for example, if I apply for a credit-based financial service, or if I am referred to a healthcare specialist for a specific condition. Data sovereignty isn’t about locking up data and making it inaccessible.
Clearly, data still needs to be accessible to the right people through an end client, device, or system, whilst maintaining the integrity of the data. It is important therefore, to have an example architecture for how data can be exchanged, or act as a landing platform for data collected from member states and repatriated from other regions. In implementing such an architecture, a national capability for the digital economy can be achieved, whilst securing data with audited security controls, and ensuring compliance with data privacy laws.
High Level Sovereign Cloud Framework
The basis of a VMware Sovereign Cloud is the VMware reference architecture, in the form of VMware Validated Solutions (VVS) and the VMware Cloud Provider Partner (VCPP) stack. There is no need for a dedicated sovereign cloud reference architecture. Instead, an overlay is being introduced to organise the infrastructure into different security classifications and domains. This separation of security domains ensures there is no data leakage, of either primary data or metadata, outside of the required locality and jurisdiction.
The VMware Sovereign Cloud framework uses transparent, standardised, software-defined architectures along with a number of key principles and best practices:
Data sovereignty and jurisdictional control
Control, authority, and operations are fully managed within the jurisdiction of the nation state where that data was collected
Data access and integrity
Cloud infrastructure is resilient across at least 2 data centre locations within the jurisdiction, with secure and private connectivity options
Data security and compliance
Information security management system controls are audited and applied in line with industry-recognised standards
Data independence and mobility
Data and application portability with modern application architectures to prevent lock-in
These key principles deliver benefits such as increased security, improved control, and continuous compliance, whilst future proofing services and unlocking the power of data. National and sovereign digital capabilities can be developed, with national data pooled together to fuel economic innovation and growth.
How Does VMware Sovereign Cloud Work?
The VMware Sovereign Cloud provider sets up an audited and approved cloud architecture for the customer in the relevant locality and jurisdiction. Each sovereign cloud must contain at least two security domains. Security domains are typically built in software, with each IT system or data classification represented by one or more security domains.
Security domains provide a common authentication and authorisation boundary. The perimeter is typically protected by firewalls, access control, and application filters, while services such as micro-segmentation can add optional security inside the domain itself. You can think of a security domain as a logical network connectivity area with a common security posture; domains can be built specifically to house top-secret data, secret data, restricted data, and so on. The two types of security domain are as follows:
Sovereign domain
Used to connect out to other services, similar concept to a DMZ, this security domain features the highest level of security and risk mitigation
Resident domain
Stores and processes data, will only accept connections from its parent sovereign domain or other trusted resident domains in the same jurisdiction, this security domain features the highest level of trust and confidence
Security domains can be used to make secure connections out to other environments, such as the customer’s private cloud or a commercial public cloud provider. The sovereign cloud architecture ensures that when the service is paired with commercial clouds, no data or metadata leaks or escapes the sovereign cloud boundary.
The screenshot below is taken from the VMware Sovereign Cloud Technical Whitepaper, which provides a technical deep dive into the aspects and examples of sovereign cloud architectures and integrations. It shows how a sovereign cloud provider can host an application, whilst still consuming the benefits of public cloud services from AWS, Azure, Google, etc.
In this example, the data is encrypted and replicated between the sovereign-cloud-compliant provider and the public cloud, with the encryption keys held only on the KMS server at the compliant provider, so the public cloud only ever holds ciphertext and a key reference, never the key itself. Other methods can also be used to integrate with third-party tooling, such as anonymising data, or tokenisation: replacing sensitive values with lookup tokens whose mapping back to the real values exists only at the sovereign-cloud-compliant provider.
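The following is an added illustration of the two integration patterns just described, and is not code from the VMware Sovereign Cloud Technical Whitepaper or from any VMware product. It models a sovereign-side KMS whose keys never leave the domain, a replica blob that carries only a key reference, and a token vault that pseudonymises sensitive fields before a record is shared with third-party tooling. The record, field names, and class names are constructed for the example, and the cipher (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) is a standard-library stand-in for AES-GCM so the script runs without extra packages; in a real deployment you would use the provider's KMS and an authenticated cipher.

```python
"""Sovereign-side key retention and tokenisation, modelled stand-alone.
Hypothetical example code; not from the VMware whitepaper."""
import hashlib
import hmac
import json
import secrets


def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one KMS master key
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter mode: keystream block i = HMAC-SHA256(key, nonce || offset_i)
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class SovereignKMS:
    """Key material lives only inside the sovereign/resident domain."""

    def __init__(self):
        self._keys = {}

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(4)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def encrypt(self, key_id: str, plaintext: bytes) -> dict:
        master = self._keys[key_id]
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(_subkey(master, b"enc"), nonce, plaintext)
        tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
        # Only the key *reference* travels with the replica, never the key
        return {"key_id": key_id, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

    def decrypt(self, blob: dict) -> bytes:
        master = self._keys[blob["key_id"]]  # KeyError for any KMS outside the domain
        nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
        expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext integrity check failed")
        return _keystream_xor(_subkey(master, b"enc"), nonce, ct)


class TokenVault:
    """Sovereign-side mapping between random tokens and sensitive values."""

    SENSITIVE_FIELDS = ("national_id", "email")  # constructed for the example

    def __init__(self):
        self._to_token, self._to_value = {}, {}

    def tokenise(self, value: str) -> str:
        if value not in self._to_token:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from the value
            self._to_token[value], self._to_value[token] = token, value
        return self._to_token[value]

    def export_record(self, record: dict) -> dict:
        # Copy that is safe to hand to third-party tooling in a commercial cloud
        return {k: (self.tokenise(v) if k in self.SENSITIVE_FIELDS else v)
                for k, v in record.items()}

    def restore_record(self, record: dict) -> dict:
        # Mapping back is only possible here, where the vault lives
        return {k: (self._to_value[v] if k in self.SENSITIVE_FIELDS else v)
                for k, v in record.items()}


def demo() -> dict:
    """Run both flows and report what each side can see."""
    record = {"national_id": "AB123456C", "email": "a.user@example.org", "balance": 1250}
    kms, vault = SovereignKMS(), TokenVault()

    # Flow 1: encrypted replica; the public cloud holds ciphertext plus key id only
    replica = kms.encrypt(kms.create_key(), json.dumps(record).encode())
    try:
        SovereignKMS().decrypt(replica)  # a KMS in another domain has no such key
        foreign_decrypt = True
    except KeyError:
        foreign_decrypt = False
    round_trip = json.loads(kms.decrypt(replica).decode()) == record

    # Flow 2: tokenised copy for external analytics, mapped back at home
    exported = vault.export_record(record)
    leaked = any(record[f] in json.dumps(exported) for f in TokenVault.SENSITIVE_FIELDS)
    restored = vault.restore_record(exported) == record

    return {"foreign_decrypt": foreign_decrypt, "round_trip": round_trip,
            "plaintext_in_export": leaked, "restored": restored}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the model makes is architectural rather than cryptographic: what crosses the sovereign boundary is a key identifier and a random token, both meaningless without the KMS and vault that stay inside the jurisdiction, and the integrity tag means tampering with the replicated copy is detected when it is read back.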
You can find a local VMware Sovereign Cloud provider, from the likes of Telefonica, UK Cloud, and OVH, on the VMware Cloud Provider Services page. Further reading material that may be of interest around sovereign cloud and the Gaia-X project in Europe is listed below.
Gaia-X is a broader project than sovereign cloud: it attempts to build a federated cloud ecosystem of data, infrastructure, and service providers. The aim is to deliver European digital sovereignty with a future cloud architecture, while controlling how data flows across different legal jurisdictions.
Data assets should be able to move freely between approved providers, with both parties providing tools to assist with the migration process to prevent lock-in. Access permissions and data usage controls will travel with the data as it moves through the ecosystem. As with sovereign cloud, the hyperscalers are not excluded and can still participate, providing data sovereignty remains intact. VMware are contributing to the development of the Gaia-X reference architecture as a day 1 member.