JT's Cloud Service Infrastructure as a Service (IaaS) Service Description

Contents

1. Executive Summary
  1.1. Positioning and Context
  1.2. Market Drivers for Public Cloud Computing
2. Service Summary
  2.1. Infrastructure-as-a-Service Concept Overview
  2.2. Differentiator
  2.3. Key Benefits
  2.4. Further Information URLs
3. Feature Highlights
  3.1. Ease of Access and Use
  3.2. Enterprise Security & Compliance
  3.3. Enterprise Performance
  3.4. Enterprise Controls
  3.5. Commercial Model
  3.6. Delivery Model
4. IT Cloud Service Details
  4.1. JT IaaS Infrastructure Components
  4.2. JT IaaS Infrastructure Services

1. Executive Summary

Infrastructure-as-a-Service (IaaS) from JT is an enterprise-class cloud service provided via the Internet in a scalable, pay-per-usage model, built using industry-leading hardware and software (referred to as the JT Cloud offering). The platform is fully automated and orchestrated via purpose-built software, and comprises servers, storage and network elements coupled with virtualisation and operating system software. The Channel Island cloud platforms are hosted in secure JT owned and managed data centres located in Guernsey and Jersey, with access to two additional platforms situated in London and Amsterdam.

1.1. Positioning and Context

Several service models exist for cloud computing (see figure above), including Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). Cloud IaaS can also be segmented by its accessibility. These key segments are public or private clouds. The cloud service from JT addresses the Public Cloud segment, offering Infrastructure as a Service including numerous operating systems, SQL and Microsoft SharePoint.

1.2. Market Drivers for Cloud Computing

Today organisations of all sizes are facing challenges unlike any they've experienced before. Globalisation is changing the business landscape, increasing the pressure to expedite time to market with new products and services, while keeping costs down. In addition, constant technology change has resulted in ad-hoc infrastructure build, creating complex IT infrastructures that prevent IT organisations from functioning as service providers to the business. Cloud technology solves this issue and enables IT to be delivered as a service, on demand, and with elastic scalability at a cost-effective price point.

Cloud computing is a style of computing that provides on-demand, self-service access to servers, applications and software development platforms. JT's IaaS is based on the standard cloud-computing model, which makes infrastructure resources available to businesses over the Internet. Public cloud services are offered on a pay-per-usage scheme with scalability and security to ensure IT services are not compromised.

2. Service Summary

2.1. Infrastructure-as-a-Service Concept Overview

The JT IaaS Cloud service provides JT customers with a secure and segmented hosting environment with server, storage, and network elements that are logically isolated from other customers running on the same infrastructure. With JT's Infrastructure-as-a-Service, customers can:

- Deploy virtual servers onto their own Layer 2 cloud networks using OS images provided by JT or by the customers.
- Deploy as many network segments as they require, allowing servers to remain isolated from each other.
- Independently customise the firewall and load balancing capabilities of each network.
- Manage both the cloud networks and servers through an online interface or a REST-based Application Programme Interface (API).
- Control their users using role-based permissions.

JT's IaaS service is deployed in JT owned, operated and approved data centres and is available under a variety of usage-based pricing plans.

Additionally, the Cloud IaaS service from JT is enterprise-class grade, built using industry-leading hardware and software. The service is accessible anytime via the Internet from anywhere in the world based on an SLA of 99.95% uptime and is fully automated and orchestrated via purpose-built software. It comprises servers, storage, and network, coupled with virtualisation technology and operating system software.

2.2. Differentiator

The JT Cloud IaaS service is a comprehensive set of services and solutions designed to help organisations make the transition to the cloud. JT, in conjunction with our partners, has the solution breadth required to solve the cloud migration problem that, to date, has left organisations with inadequate and incomplete cloud implementations.

2.3. Key Benefits

JT's Cloud IaaS is a pre-integrated and fully managed platform which significantly expedites new product and service introduction to the market and reduces operational risks associated with building a private cloud in-house.

Additional benefits include:

- Pay by the hour and only for what's used, with no additional commitment.
- Rich online community to share and collaborate with peers.
- Web interface plus a complete set of APIs.
- Industry standard technology, including VMware, Cisco and EMC.

2.4. Further Information URLs

www.jtglobal.com/cloud

3. Feature Highlights

3.1. Ease of Access and Use

- Pay by the hour and only for those resources used (e.g. Random Access Memory (RAM), Central Processing Unit (CPU), Storage and bandwidth) or purchase a monthly plan at a discount
- Web-based administrative interface plus a complete set of APIs
- Global import and export for client server images
- Rich online community to share and collaborate with peers

3.2. Enterprise Security & Compliance

- Virtual private clouds with user-determined public Internet connectivity
- Unique customisable firewalls for security
- Virtual Private Network (VPN) administration of all servers
- Unique username/password for each administrator
- Role-based permissions controlling the activities of each administrator
- Audit logs of all environmental changes made by administrators

3.3. Enterprise Performance

- Multi-tier architecture
- Anti-affinity for extra redundancy
- Industry standard technology, including VMware Hypervisor and Cisco networking
- Network and Server uptime SLA

3.4. Enterprise Controls

- Centralised control and billing
- In-depth usage reporting by asset
- Audit log reporting by user and department
- 24x7x365 phone support with ticketing/status tracking

3.5. Commercial Model

Customers pay for the resources (RAM, CPU, etc.) that they use on an hourly basis. Additionally, there are monthly pre-paid plans available where customers can pay in advance each month for a set of resources and receive a discount. The pricing elements that are used to compute charges for customers include:

- CPU Hours
- RAM Hours
- Storage Hours
- Cloud Networks (per Hour)
- Additional Public IP addresses (per Hour)
- Outbound Bandwidth (GB)
- Sub-Administrator (per Hour)
- Software units (per Hour)

3.6. Delivery Model

JT provides comprehensive, on-going management of the entire JT Cloud infrastructure. This includes responsibility for maintaining the underlying operating systems, VMware software, OS images, network, and storage devices. Management processes address the key elements of implementation, change control, monitoring, patching, and lifecycle management so that cloud availability and performance can be maintained.

Customers will have their account created through a JT Global Enterprise sales representative. Once the customer has login credentials, they can start using the system (creating networks, deploying servers, etc.). They are billed for their usage once a month.

JT has implemented a multi-tiered service delivery model for delivering Cloud services. There is also a Cloud Community portal that offers access to a comprehensive knowledge base of Cloud solutions, tips and support related articles, which can act as first port of call for customer queries.

JT, in conjunction with its partners, will be responsible for supporting clients via the JT Service Management Center (SMC). The JT SMC is staffed 24x7x365 to provide support.

4. IT Cloud Service Details

The JT IaaS offering comprises the following:

- Infrastructure Components
  - Cloud Networks
  - Cloud Servers
  - Storage for Cloud Servers
  - Open APIs
- Infrastructure Services
  - Public IaaS Infrastructure
  - Public IaaS Management
  - Public IaaS Security
  - Public IaaS Cloud Support
  - Public IaaS Service Level Guarantee

4.1. Infrastructure Components

4.1.1. Cloud Networks

Unlike competing solutions that use flat network architectures, JT's IaaS deploys all cloud servers on customer-specific Layer 2 network VLANs using a Cisco-based switching fabric. Customers can deploy as many of these network segments as they require, allowing servers to remain isolated from each other from a network perspective. Each network includes firewall and load balancing capabilities and can be independently customised based on specific needs. Customers can build multi-tier network architectures to separate data tiers from front-end web tiers, thereby providing an additional layer of firewall rules to protect sensitive data.

Cloud Networks are deployed and managed either through the Administrative User Interface or through corresponding functions of the Open API. Each Cloud Network has its own private IP address space that isolates the customer's Cloud Servers from the public Internet. Cloud Servers are assigned private IPs when they are deployed and only become accessible to the public Internet when administrators specifically enable such access through a Network Address Translation (NAT) or Virtual IP Address (VIP). With this approach, Cloud Servers are completely isolated from the public Internet unless the Network Administrator establishes connectivity to them.

4.1.2. Cloud Servers

JT's Cloud IaaS deploys virtual servers using VMware's industry-leading vSphere virtualisation platform, and supports popular operating systems including RedHat Linux, Microsoft Windows, CentOS, and Ubuntu. While most competing services force a selection from a list of pre-defined server types, the cloud solution provides granular control over the configuration of a customer's virtual servers, including the number of virtual CPUs, the amount of RAM, and the amount of local tiered storage allocated to the virtual server. Furthermore, servers are deployed and managed either through the Administrative UI or through corresponding functions of the Open API.

Additional features include:

- Licensing for the underlying Operating System is included with the service, allowing automated patch updates through Red Hat Network and Microsoft Windows Update Services.
- Full server management capabilities including start, shutdown, reboot, power off, restart, delete, add local storage, or change CPU/RAM.
- Static private IP addresses are assigned to all servers and accessible via VPN, and are mapped to static public IP addresses only as required.
- Role-based administration control over which administrators can manage servers, networks, images, and reports.
- Cloning ability to duplicate virtual servers to create customer images which can be used to deploy copies of a server configuration.
- Capability to import/export server images worldwide which can be used to transfer virtual machines to and from a customer's own infrastructure.
- Anti-Affinity capability to isolate virtual machines on separate physical infrastructure for extra redundancy.

4.1.3. Open APIs

Open APIs provide customers with easy-to-use REST-based APIs, designed to allow seamless control over all aspects of a customer's Cloud Servers and Cloud Networks.

The Open API mirrors almost all functions available through the Administrative UI, including:

- Full management capabilities over servers including start, shutdown, reboot, power off, restart, delete, add local storage, or change CPU/RAM.
- Ability to clone a server to create a customer image (virtual copy).
- Creation, deletion, and control of networks (including ACL rules, NAT, VIP, and public IP addresses).
- Creation, deletion, and management of Cloud Files accounts.
- Import and Export of Customer Images as well as ability to copy Customer Images between different locations.

4.1.4. Routable Private IP Addressing

Routable private IP addressing provides customers with the ability to establish secure communications between Cloud Servers located on different Cloud Networks through routable Private Internet Protocol (IP) addresses. Private IP addresses within the Cloud are routable, allowing Cloud Servers on different Cloud Networks to communicate with each other, subject to the firewall rules of each Cloud Network. This functionality allows customers to establish secure communications on different VLANs in the environment without exposing public IP addresses to the public Internet.

4.2. Infrastructure Services

The infrastructure is designed to be a reliable, high-availability platform. It incorporates N+1 redundancy into the network, compute, and storage layers to ensure a resilient solution capable of recovering from a component failure.

4.2.1. OS License Management

JT provides the operating system licensing entitlements for all JT Cloud Server deployments from OS Images within the Cloud infrastructure as part of the service and at no additional charge. These operating system licenses include Microsoft Windows Server, SharePoint and RedHat Enterprise Linux.

4.2.2. Management

JT, through its partner Dimension Data, maintains and monitors its entire cloud infrastructure, including the underlying VMware software, OS images, network, and storage devices. The management processes address the key elements of implementation, change control, monitoring, patching, and lifecycle management so that cloud availability and performance can be maintained. These processes are audited yearly through the SSAE-16 attestation, which is based on an in-depth series of documented controls covering the operational management of the JT Cloud infrastructure.

Multipoint monitoring systems scrutinise key system parameters, system availability, network, and the overall customer experience 24x7x365 to ensure the highest possible uptime and performance. Nimsoft Monitoring Software is leveraged to provide comprehensive monitoring coverage of the Cloud including the underlying network, VMware vCenter and ESX hosts. Should issues be detected by monitoring, the 24x7x365 Cloud Support team coordinates the response.

4.2.3. Security

Security in a Cloud environment requires a multi-pronged approach. In IaaS service offerings, much of the overall security burden rests with the customer, as the customer is responsible for their network configurations and maintenance of the underlying virtual servers. However, JT plays an important role in securing both the overall infrastructure and the cloud management software layer.

4.2.4. Customer Security Features

The JT Cloud service is designed to provide customers with the flexibility to configure the environment to their needs. A full definition of the requirements of securing a cloud environment is beyond the scope of this document; much depends on the customer's application design and underlying requirements. However, it's important to point out some of the unique features described in the product sections above:

- Cloud Servers are deployed with private IP addresses that isolate them from the public Internet. Connectivity with the public Internet occurs only when a customer maps public IP addresses on the Cloud Network to the Cloud Server using VIP or NAT functions. The VIP functionality is particularly powerful, allowing customers to isolate allowed traffic to specific public IP ports.
- The service includes Client-to-Site VPN connectivity that allows the customer's administrators to access the private IP addresses of the Cloud Servers through a secure, encrypted tunnel. This solution avoids the most common security problems associated with Cloud deployments where direct access to the Cloud Server through SSH/RDC occurs over public IP networks, leaving the sessions open to potential brute-force or sniffing attacks.
- Customers have full control over the login credentials on the Cloud Servers themselves, and can configure their own user-authentication environments on these servers.
- Private IP addresses are routable between Cloud Networks, allowing customers to configure multi-tier network architectures with a separate Layer 2 VLAN for each layer. This allows each application tier to be isolated by separate firewall policies, allowing customers to lock down traffic to the specific ports and servers expected by their design.
- The private IP address space is also routable between different cloud locations, with traffic flowing across a secure site-to-site VPN tunnel. This allows Cloud Servers in different data centres to securely communicate with each other.
- The Cloud Management software allows customers to assign role-based permissions to different administrators on their account, ensuring users only have the capabilities assigned to them. The system also provides audit logging of all administrative actions taken through the Cloud Management Admin UI or API.
- Fully licensed Operating Systems for servers deployed from our OS Images provide customers access to the latest security patches from our vendors.

4.2.5. Infrastructure Security Features

JT takes an extensive, in-depth approach to securing the public cloud environment itself. At the infrastructure and multi-tenant application layers, JT is guided by a Dimension Data defense-in-depth security strategy, in which a series of security layers are implemented so that no single solution is relied upon to provide security.

4.2.5.1. Data Centre Security

- Highly secure 24x7x365 monitored hosting centre.
- 24x7x365 Live Monitored CCTV Internal and External Surveillance covering all critical areas including all entrances and exits, customer racks and Data Centre infrastructure.
- External security gates and internal doors fitted with Host-based Intrusion Detection System HID Card + Pin access system. A 4 digit pin code is required which is changed on a weekly basis. HID cards are assigned with limited access to customer based areas only.
- 3GS intruder detection system which forms part of the HID card access system. Intrusion detection is monitored 24x7 by a dedicated UK call centre which is in operation 365 days a year. The Intruder alarm system also forms part of our internal Building Management System which controls the data centre Mechanical and Electrical (M&E) systems; it is monitored 24x7x365 by fully trained dedicated staff.
- Syncro AS (EU: EN54-2:1997 and EN54-4:1997) Fire Alarm System. The Fire Alarm system is monitored by a call centre which is in operation 365 days a year. The Fire Alarm system also forms part of our internal Business Management System which is monitored 24x7x365 by fully trained dedicated staff.
- VESDA (Very Early Smoke Detection Apparatus) monitors the Data Centre environment. VESDA is an air sampling device which uses a class 1 laser to detect up to 1 part per million.
- FM-200 waterless automated fire suppression system able to discharge in less than 10 seconds and suppress a fire immediately.
- All visitors to the JT Data Centres, including customers, JT Staff and contractors, are subject to constant CCTV monitoring.
- Access to customer racks by internal customer staff, JT staff or sub-contractors has to be approved by the customer in writing.
- Our approved security contractor provides on-site guarding for maximum security. Our Data Centres are subject to two external evening patrols by our security contractor guards, 365 days a year and an additional two visits on weekends and Bank Holidays during the day time.
- All incoming mains power supplies, internal power switching equipment, UPS, generators and computer room air conditioning units are fully maintained by our approved contractor and monitored by our dedicated building management system and fully trained Data Centre certified members of staff 24x7x365.

4.2.5.2. Cloud Management Software Security

- JT's Cloud software enforces multi-tenant security across all Cloud functions and also supports role-based permissions, allowing customers to define which functions can be managed by which users within their organisation.
- A fully managed Intrusion Detection System (IDS) utilising signature, protocol and anomaly-based inspection methods provides around-the-clock monitoring of the Cloud Management software. This includes both a Network Intrusion Detection System (NIDS) and a Host-based Intrusion Detection System (HIDS) to ensure our multi-tenancy controls are not compromised.
- No customer passwords are stored in clear text in any code or on any system.

4.2.5.3. Infrastructure Security

The entire Cloud Platform network (including customer's Cloud Networks) is defended using Networks Peakflow solution for edge-to-edge security, visibility and carrier-class threat management and remediation.

JT's Cloud Management software and infrastructure is protected by additional security layers including:

- Intrusion detection and threat identification using Alert Logic's Threat Manager and ActiveWatch services, which provide 24x7x365 monitoring, detection and response to network incidents affecting the Cloud Management layer.
- Host-Based Intrusion Detection agents to monitor OS and application-level issues affecting the Cloud Management layer.
- JT and/or its partners also regularly review vendor and third party security bulletins and patch updates to identify and recommend patches necessary for the infrastructure systems. This approach ensures both the infrastructure and OS images remain up-to-date with the latest security fixes from the underlying vendors.
- Dimension Data's Security Incident Response Team (SIRT) handles reports of security incidents. The SIRT will escalate the incident to law enforcement and/or executive management as prescribed in security policies.
- 24x7x365 Firewall and VPN support and maintenance.

4.2.5.4.1. Change Control Process and Procedures

The objective of the change management process is to ensure the proper planning and co-ordination of the implementation of all changes to the form, fit, or function of a given system, device, or configuration. This in turn allows the coordination and planning of changes in order to provide a stable production environment, minimising the impact of necessary changes and ensuring adherence to Service Level Agreements.

The purpose of change management is to ensure the contemplated change is fully planned, documented and tested and that all affected parties understand and approve of the change prior to implementation. Change management also includes the establishment of standard and emergency maintenance windows, as well as authorisation levels and processes.

4.2.6. Cloud Support

JT's monitoring systems report to a central aggregation engine that drives JT Cloud customer care and technical support for all emergencies or after-hours client-to-JT support. The Service Management Center has the tools, technology, and administrative expertise to effectively support customer environments, including:

- 24x7x365 staffing with experienced technicians.
- Level 1 industry expertise to resolve Severity 1 and Severity 2 issues immediately.
- In-depth domain knowledge.
- Escalation management expertise.