Take a systematic and disciplined approach to moving to, or starting in, the cloud:
• Invest in security and compliance
• Acquire cloud development skills
• Architect core infrastructure components for cloud integration: identity, networking, security
• Define criteria for applications and their lifecycle management
• Catalog existing applications (i.e. the first 20)

1. SaaS (Microsoft Dynamics CRM, Windows Intune): taking advantage of productivity workloads provided in the cloud is a first step for many enterprise organizations.

2. Azure PaaS: new development and modern applications move to PaaS. Your PaaS application holds your business logic and code; the platform provides web and mobile back ends, compute and integration, data and advanced analytics, media and content delivery, event streaming and messaging, and app services (build, deploy and manage). New applications are optimized for cloud computing, and the focus is on functionality rather than infrastructure.

3. Azure IaaS: existing applications are moved to IaaS virtual machines in your own virtual network (cloud services, Active Directory and DNS, your line-of-business application) using one of two approaches:
• Lift and shift: existing virtual machines are shifted to the cloud.
• Build in the cloud: applications are prebuilt in Azure and traditional methods are used to back up and restore data.

Microsoft IT's hybrid cloud infrastructure:
• Public cloud SaaS (Office 365, OneDrive, Yammer, Dynamics Online, ...): efficiency increases
• PaaS: new development
• IaaS: IaaS virtual machines for traditional applications
• Private cloud datacenter: core network services remain on premises: Active Directory Domain Services (AD DS), Domain Name System (DNS), Windows Server Update Services, Microsoft System Center 2012 Configuration Manager

Even though a complete migration to the public cloud is the goal, retaining core network services in traditional datacenters for the near future results in a hybrid cloud.
[Chart: Microsoft IT footprint by quarter, Q2 2013 through Q1 2018, from the current state to the future state; series: Azure, Private cloud, Legacy (EOL); y-axis 0 to 37,000, with a 60% marker on the legacy/EOL series.]
Microsoft IT at a glance:
• 180K+ end users
• 29K devices managed with Intune, 400 apps in the company portal
• Presence in over 119 countries
• Migration planned for 73 organizations
• Using big data to secure the app portfolio
• Simplification efforts reducing servers, user PCs and mobile devices in the company at 5% per year

• 120K+ employees
• 1.3K+ line-of-business applications
• 1.2M devices hit the Microsoft network
• 150K devices enrolled in Exchange ActiveSync
• 513 IT-supported site locations
• 80K+ users on CRM Online over the next 24 months
• 7B security monitoring events recorded daily

• All new development and next-generation apps in PaaS
• 170K Windows 8.1 managed devices
• 65% virtualized server environment
• Migration pace of 3K users per month
• 40K active in over 700 external networks
• Online sites growing 4% monthly
• Sales team works 60% mobile
• On-premises apps declining at 25%

• 22% of LOB apps using IaaS or PaaS in a hybrid cloud environment
• 40K managed Windows 10 devices
• 330K System Center managed systems
• 220K users on Office 365 Exchange
• 90K employees participate on Yammer each month
• 270K SharePoint sites in the cloud (97%)
• 7.9M Lync calls per month
[Chart: on-premises footprint by fiscal year, FY13, FY14 and FY15+, y-axis 0 to 300,000.]

Cloud program themes: Rethink our Experience in the Cloud; Create Shared Utility Sites; Custom Workload Migration to Cloud; Understand the Ecosystem; Drive Cloud Adoption; Cloud Services Foundation; Cloud Migration; Post-migration.

Cloud-strategy approach: each application is rated high or low against business and technical factors to decide whether it moves to the cloud now or later.
• Business factors: mission critical, regulatory exposure, security requirement, cross-premises needs
• Technical factors: monitoring, custom app integration, database storage

CLOUD STRATEGY (Cross Discipline Team)
• SaaS: business-led, SaaS architecture
• Hybrid cloud: IaaS lift and shift; leveraging all cloud paradigms
• New development: IaaS and PaaS new deployments
Building on the FY12 destination strategy (FY12-FY13): moving Microsoft IT apps to the cloud across infrastructure (VMs, hardware, connectivity), line of business (LOB) and engineering and operations, using IaaS, PaaS and SaaS. Services in scope: Microsoft Bing, Xbox Live, Windows Live, Office 365, SharePoint Online, Exchange Online, SkyDrive Pro, Dynamics CRM, Yammer, Skype, Windows Intune, Team Foundation Service, and third-party solutions.
The vast majority of Microsoft IT's LOB apps are moving to the cloud:
• 90% of Microsoft IT's 1,100+ production apps meet the requirements to move to IaaS or private cloud environments
• 7% of apps are migrated to the PaaS environment
• 3% will remain on dedicated hardware
Azure services (... as a service):
• Networking and automation: virtual network, availability set, Azure load balancer, auto-scale, Traffic Manager, automation, CDN, site-to-site VPN, point-to-site VPN, ExpressRoute
• Compute services: virtual machines, Azure web sites, web roles, worker roles, Mobile Services, Gallery OS images, VHD data disks
• Data services: blob, table and queue storage, SQL Database, SQL Data Sync, MySQL database, HDInsight (Hadoop), StorSimple cloud integrated storage, Azure Backup, Azure Site Recovery
• App services: Access Control Service, BizTalk Services, Media Services, Service Bus, Notification Hub, Scheduler, Cache, Azure Multi-Factor Authentication, Azure AD, Application Insights, TFS or VS Online + Git, health monitoring
• On premises / private cloud: Windows Server, virtualization (Hyper-V server groups), compute, storage and networking (SAN, Storage Spaces/SMB), provisioning, monitoring, automation and self-service, devices and facilities, physical infrastructure (servers/storage/networking), disaster recovery, dev/test/UAT environments
• IT service management
* Not meant to be a comprehensive list of all services; for a complete list please visit azure.microsoft.com

Azure Security and Compliance
Azure's certification process is ongoing, with annual updates and increasing breadth of coverage. Azure manages compliance with:
• ISO 27001
• SOC 1 / SOC 2
• HIPAA BAA
• DPA / EU-MC (EU Model Clauses)
• UK G-Cloud / IL2
• PCI DSS
• FedRAMP

Secure development, operations, and threat mitigation practices provide a trusted foundation:
• No internet access by default
• Intrusion detection and DoS prevention measures
• Customers can deploy additional DoS/IDS measures within their virtual networks
• Penetration testing
• Private fiber connections to compute, storage and more using ExpressRoute

[Diagram: clients and end users reach Microsoft Azure from the Internet (port 443) or over a peered ExpressRoute circuit through a threat-detection DoS/IDS layer and a cloud access and firewall layer. The customer environment is an isolated virtual network with an application tier, a logic tier and a database tier, each behind its own DoS/IDS layer, alongside Azure Storage and SQL Database. Computers behind the customer's firewalls and remote workers connect over VPN.]

Azure provides a number of options for encryption and data protection.

Azure Virtual Network:
• Enables connection from customer sites and remote workers to Azure Virtual Networks using site-to-site and point-to-site VPNs
• Logical isolation for customer environments and data
• Centralized management via the Service Management API (SMAPI) or the Azure Portal
Heritage of security and compliance (1989 to 2014). Milestones include: First Microsoft Datacenter; Windows C2 evaluation; Active Directory; Trustworthy Computing Initiative; Windows Update; Security Development Lifecycle; Microsoft Security Response Center; Malware Protection Center; Digital Crimes Unit; Defense Messaging System; Federal Desktop Core Configuration; SAS 70; SOC 1; SOC 2; ISO/IEC 27001:2005; FISMA ATO; HIPAA/HITECH; IRS 1075; CJIS; Office 365 for Government; FedRAMP ATO; Operations Security Assurance.

HYBRID CLOUD SAMPLE ARCHITECTURES
Hybrid Cloud Scenarios

Encrypted backup: Windows Backup or System Center Data Protection Manager backs up on-premises data to Microsoft Azure over VPN, with the backup data encrypted.

Recovery and replication: System Center Virtual Machine Manager at Site A and Site B, with Hyper-V Replica between the sites, managed by Microsoft Azure Site Recovery (Recovery Manager and health monitor) through a recovery plan that gives orchestrated recovery in case of an outage.
Hybrid Cloud Scenarios

Three-tier application in Azure: remote users, admins and developers (using the Microsoft Azure SDK) connect over VPN to Tier 1, Tier 2 and Tier 3, each deployed in its own availability set. Services used: Microsoft Azure AD, Azure VPN, load balancing, auto scaling, web sites, virtual machines (VHD), SharePoint, Mobile Services, analytics and reporting, SQL, HDInsight (Hadoop), Azure Storage (blob, table, queue), Notification Hub, CDN and cache, with on-premises users and storage reached through the VPN.
Connected-devices analytics pipeline: ingress nodes collect and decode device data and record it; an analytics node filters, analyzes and aggregates it; the results are consumed through reporting and BI. In Azure, connected devices send to load-balanced, auto-scaled worker roles that write to Azure Storage; a second set of auto-scaled worker roles runs the analytics and feeds analytics and reporting on SQL and Azure Storage.

Hybrid Cloud Scenarios
Enterprise Mobility Suite
• Hybrid identity management
• Mobile device security and management
• Mobile application management
• Strong authentication and access-based information protection

Hybrid identity: Microsoft Azure AD, fed by encrypted synchronization from on-premises Active Directory, serves custom LOB apps, ISV/CSV apps, Microsoft apps and consumer identity providers across PCs and devices and third-party clouds and hosting.

Multi-Factor Authentication (Microsoft Azure AD, the on-premises Multi-Factor Authentication Server, ADFS / SAML):
• Built-in support for .NET, Java, PHP, ...
• SDK for integration
• Strong multi-factor authentication
• Real-time fraud alert
• Reporting, logging and auditing
• Enables compliance with NIST 800-63 Level 3, HIPAA, PCI DSS, and other regulatory requirements
Covers BYOD / personal devices and corporate devices accessing on-premises applications and SQL Server.

Hybrid Cloud Scenarios
Dispersed teams: a management portal supports publish, compare, sync, import/export and register/unregister, with the teams connecting to Microsoft Azure over VPN.

SQL Server backup to Azure: a backup tool for legacy SQL Server, manual console backup, and managed backups (SQL Server 2012 and 2014, console or scripts), with data sent over VPN and encrypted.

SQL Server disaster recovery: an on-premises primary replica with an asynchronous-commit secondary in Microsoft Azure using AlwaysOn Availability Groups, plus periodic snapshots, backup and geo-replication, connected over VPN; the Azure secondary can also power BI apps.

SAP on Microsoft Azure
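The disaster-recovery scenario above (on-premises primary, asynchronous-commit secondary in Azure over the site-to-site VPN) in T-SQL. This is an added example, not code from the slide deck or from Microsoft IT: the instance names (ONPREM-SQL1, ONPREM-SQL2, AZURE-SQL1), the domain, service account, database name and backup share are assumptions, and it presumes the usual prerequisites the deck does not spell out: SQL Server 2012 or 2014 Enterprise, all three instances joined to one Windows Server Failover Cluster that spans the on-premises and Azure subnets, and name resolution and port 5022 allowed through the VPN in both directions.

```sql
-- Added example (not from the deck). AlwaysOn Availability Group with two
-- synchronous on-premises replicas and one asynchronous secondary in an
-- Azure IaaS VM. All names below are assumptions.

-- 1. Run on EACH replica: the endpoint that carries AG traffic. Encryption is
--    REQUIRED so log blocks crossing the VPN stay protected even if the tunnel
--    is misconfigured. Windows authentication assumes all three instances run
--    under domain accounts from the same Active Directory forest.
CREATE ENDPOINT [Hadr_endpoint]
    STATE = STARTED
    AS TCP (LISTENER_PORT = 5022, LISTENER_IP = ALL)
    FOR DATABASE_MIRRORING (
        ROLE = ALL,
        AUTHENTICATION = WINDOWS NEGOTIATE,
        ENCRYPTION = REQUIRED ALGORITHM AES);
GO

-- Least privilege: only the peers' service account may connect to the
-- endpoint. Never grant CONNECT on it to PUBLIC.
GRANT CONNECT ON ENDPOINT::[Hadr_endpoint] TO [CORP\svc_sqlhadr];
GO

-- 2. Run on the primary (ONPREM-SQL1). A database must be in FULL recovery
--    and have a full backup before it can join an AG.
ALTER DATABASE [LobDb] SET RECOVERY FULL;
BACKUP DATABASE [LobDb] TO DISK = N'\\backup\LobDb.bak' WITH INIT;
BACKUP LOG      [LobDb] TO DISK = N'\\backup\LobDb.trn' WITH INIT;
GO

CREATE AVAILABILITY GROUP [AG_LobDb]
WITH (AUTOMATED_BACKUP_PREFERENCE = SECONDARY)
FOR DATABASE [LobDb]
REPLICA ON
    N'ONPREM-SQL1' WITH (
        ENDPOINT_URL      = N'TCP://onprem-sql1.corp.contoso.com:5022',
        AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,
        FAILOVER_MODE     = AUTOMATIC),
    N'ONPREM-SQL2' WITH (
        ENDPOINT_URL      = N'TCP://onprem-sql2.corp.contoso.com:5022',
        AVAILABILITY_MODE = SYNCHRONOUS_COMMIT,
        FAILOVER_MODE     = AUTOMATIC),
    -- The Azure replica: ASYNCHRONOUS so WAN latency never stalls commits
    -- on the primary, MANUAL failover so a VPN blip cannot move the primary
    -- role across the WAN on its own. READ_ONLY lets it serve BI queries.
    N'AZURE-SQL1' WITH (
        ENDPOINT_URL      = N'TCP://azure-sql1.corp.contoso.com:5022',
        AVAILABILITY_MODE = ASYNCHRONOUS_COMMIT,
        FAILOVER_MODE     = MANUAL,
        BACKUP_PRIORITY   = 50,
        SECONDARY_ROLE (ALLOW_CONNECTIONS = READ_ONLY));
GO

-- 3. Run on EACH secondary: join the group, restore full + log WITH
--    NORECOVERY, then attach the database to the group.
ALTER AVAILABILITY GROUP [AG_LobDb] JOIN;
GO
RESTORE DATABASE [LobDb] FROM DISK = N'\\backup\LobDb.bak' WITH NORECOVERY;
RESTORE LOG      [LobDb] FROM DISK = N'\\backup\LobDb.trn' WITH NORECOVERY;
ALTER DATABASE   [LobDb] SET HADR AVAILABILITY GROUP = [AG_LobDb];
GO

-- 4. Check from the primary. The Azure replica reports SYNCHRONIZING (never
--    SYNCHRONIZED, because it is asynchronous); a growing log_send_queue_size
--    means the VPN cannot keep up and the recovery point is drifting.
SELECT ar.replica_server_name,
       ar.availability_mode_desc,
       drs.synchronization_state_desc,
       drs.log_send_queue_size,
       drs.last_commit_time
FROM sys.dm_hadr_database_replica_states AS drs
JOIN sys.availability_replicas AS ar ON ar.replica_id = drs.replica_id;
```

Manual failover to the Azure replica is a forced failover (`ALTER AVAILABILITY GROUP [AG_LobDb] FORCE_FAILOVER_ALLOW_DATA_LOSS`) and loses whatever was still in the send queue, which is why the queue size in step 4 is the number to alert on, not just replica health.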
Microsoft Azure is certified for the following SAP products, with full support from Microsoft and SAP (http://azure.microsoft.com/en-us/campaigns/sap/):

SAP Product | Guest Operating System | RDBMS | Virtual Machine Types
SAP Business Suite | Windows Server | SQL Server | A5
SAP Business All-in-One | Windows Server | SQL Server | A5
SAP NetWeaver Application Server ABAP (1) | Windows Server | SQL Server | A5
SAP HANA Developer Edition (2) (including the HANA Client software, comprising the SQLDBC, ODBO (Windows only), ODBC and JDBC drivers, HANA Studio, and HANA Database) | SUSE Linux | N/A | A7, A8

(1) Only NetWeaver 7.00 and later SAP releases of NetWeaver are supported for deployment in Azure.
(2) Customers can try SAP HANA Developer Edition on Azure using the SAP Cloud Appliance Library.

[Diagram: on-premises SAP servers and a VPN device connect through an Azure VPN gateway to a virtual network hosting SAP virtual machines, each with an operating-system .vhd (C:), a shared-pool .vhd (D:) and a SQL Server .vhd (E:).]

ATM Manufacturer Quickly Creates ATM Management Solution Using Cloud Resources. Headquartered in North Canton, OH, Diebold is a financial self-service, security and services corporation engaged primarily in the sale, manufacture, installation and service of self-service transaction systems, electronic and physical security products, and software and integrated systems for global financial and commercial markets. Diebold is the largest U.S. manufacturer of ATMs. Its top products and services include ATMs and self-service, electronic security, assisted transactions and barrier, managed services, maintenance services, and professional services. It is using Azure for its smart banking initiative.

The Washington Post Builds "Truth Teller" App with Cloud-Based Speech-to-Text Service. One way The Washington Post is driving innovation on the Internet is through Truth Teller, a software-based political fact-checker that uses the Microsoft Azure Media Services Indexer speech-to-text service. With Indexer, The Post can more easily share its political expertise, has saved hundreds of thousands in development costs, and has made search results more useful to website visitors.
SAT is in charge of all of Mexico's tax-related transactions and needed to transform to receive and validate electronic invoices, as well as deploy new portals for taxpayers to manage their electronic bills and electronic billing. An on-premises solution was quoted to take a full year and cost US$1 million, which was too much for SAT at the time. We built in 4 months a solution that manages 2 billion+ documents annually, at 200+ documents/sec, and avoided the large investment associated with setting up redundant datacenters, storage, bandwidth, hardware and software.

NBC provides continuous coverage for live events on mobile devices: reimagining global media and entertainment delivery.

On April 9, 2013, Microsoft Corp. and NBC Sports Group announced they are partnering to use Microsoft Azure Media Services across NBC Sports' digital platforms, including NBCSports.com, NBCOlympics.com and GolfChannel.com.

Goal: deliver more than 1,000 hours of live streaming sports to millions of viewers on multiple devices and operating systems.

"We are pleased to be working once again with Microsoft, and we are confident that Microsoft Azure Media Services will help us provide the most robust streaming experience ever for a Winter Olympics." (Richard Cordella, Senior Vice President & General Manager of Digital Media, NBC Sports Group)

Tactics: uses the Microsoft Azure cloud platform to encode, transcode, and stream live footage from the Olympics (and other high-profile events) to its customers.

Results: 100+ million fans and guests through SOCHI2014.COM on Microsoft Azure
• First in history to provide continuous live streaming footage entirely from the cloud
• The largest-ever audience on an authenticated stream for any sporting event
• Enabled access to all 98 sporting events online through a Microsoft Azure platform that scales up and down to meet actual demand

[Diagram: infrastructure maturity model, from siloed on-premises legacy applications through consolidation, virtualization (clustering, server farms, colocation) and private cloud to public cloud (IaaS, PaaS, SaaS). Dimensions shown: applications (monolithic → modular → service oriented), platforms (segregated → web → container), access and identity (multiple IDs → federation), storage (segregated, MB/GB → data warehouse → massive storage scaling → big data), networking (load balancing → network virtualization, integration and aggregation), availability (ad hoc → managed → dynamic, 0.9999), facilities and servers (monolithic → distributed → resource pooling → commoditization), with metering and a service catalogue in the cloud stages; the current application portfolio spans on-premises silo, leveraged private cloud IaaS and off-premises PaaS/SaaS.]

Cloud engagement model

Objectives / Triggers:
• New application project / business initiative
• Application / workload migration
• Tech refresh
• Workload capacity growth
• App/workload consolidation
• Hosting
• Disaster recovery / backup
• Enhanced SLA
• Storage / archiving
• High availability / disaster recovery
• Lower operational costs
• Cloud cost management

Scenarios / Needs:
• Compute, storage, networking, identity, security, compliance, DevOps
• Applications and services: cloud identity, content delivery, media hosting, databases, BI, web hosting, data archival, infrastructure hosting, e-commerce, HPC
• Service management, self service, SLA, scaling, resiliency, cost evaluation

Architectural Design:
• Discovery of capabilities
• Selection of potential scenarios
• Pilot architecture
• Checklist: identity, security, compliance, networking, DevOps
• Test identity, security, compliance and DevOps considerations
• Validate with data
• Validate scaling and resiliency
• Cloud reference model and standard setting
• Common process, patterns and practices

Build / Deploy:
• Deployment guidance
• Deployment resources and team
• Promotion to production with continuous enablement
• Networking / connectivity
• Build, test, configure, deploy
• Measure consumption
• Monitor / manage
• Scale