Recent Blog Posts

8 Ways to Secure Your Cloud Infrastructure


Clouding Around – A mini-blog series on the Cloud with Arif Mohamed

Part 1: 8 Ways to Secure Your Cloud Infrastructure

 

Cloud security remains a top concern for businesses. Fortunately, today’s data center managers have an arsenal of weapons at their disposal to secure their private cloud infrastructure.

Here are eight things you can use to secure your private cloud.

 

1. AES-NI Data Encryption

End-to-end encryption can be transformational for the private cloud, securing data at all levels through enterprise-class encryption. The latest Intel processors feature Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI), a set of new instructions that enhance performance by speeding up the execution of encryption algorithms.

 

The instructions are built into Intel® Xeon server processors as well as client platforms including mobile devices.

 

When encryption software utilises them, the AES-NI instructions dramatically accelerate encryption and decryption – by up to 10 times compared with software-only AES.

 

This speedy encryption means that it is possible to incorporate encryption across the data centre without significantly impacting infrastructure performance.

 

2. Security Protocols

By incorporating a range of security protocols and secure connections, you will build a more secure private cloud.

 

As well as encrypting data, clouds can also use cryptographic protocols to secure browser access to the customer portal, and to transfer encrypted data.

 

For example, the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols are used to assure safe communications over networks, including the Internet. Both are widely used for applications such as secure web browsing through HTTPS, as well as email, IM and VoIP.

 

They are also critical for cloud computing, enabling applications to communicate over the network and throughout the cloud while preventing undetected tampering that modifies content, or eavesdropping on content as it’s transferred.

 

3. OpenSSL, RSAX and Function Stitching

Intel works closely with OpenSSL, a popular open source multiplatform security library. OpenSSL is certified to FIPS 140-2, a computer security standard developed by the National Institute of Standards and Technology Cryptographic Module Validation Program.

 

It can be used to secure web transactions through services such as Gmail, e-commerce platforms and Facebook, to safeguard connections on Intel architecture.

 

Two OpenSSL functions that Intel has contributed to are RSAX and function stitching.

 

The first is a unique implementation of the popular RSA 1024-bit algorithm, and produces significantly better performance than previous OpenSSL implementations. RSAX can accelerate the time it takes to initiate an SSL session – up to 1.5 times. This provides a better user experience and increases the number of simultaneous sessions your server can handle.

 

As for function stitching: bulk data buffers use two algorithms for encryption and authentication, but rather than encrypting and authenticating data serially, function stitching interleaves instructions from these two algorithms. By executing them simultaneously, it improves the utilisation of execution resources and boosts performance.

 

Function stitching can result in up to 4.8 times performance improvement for secure web servers when combined with RSAX and Intel AES-NI.

 

4. Data Loss Prevention (DLP)

Data protection is rooted in the encryption and secure transfer of data. Data loss prevention (DLP) is a complementary approach focused on detecting and preventing the leakage of sensitive information, either by malicious intent or inadvertent mistake.

 

DLP solutions can profile content against rules and capture violations or index and analyse data to develop new rules. IT can establish policies that govern how data is used in the organisation and by whom. By doing this they can clarify security practices, identify potential fraud and avert accidental or unauthorised malicious transfer of information.

 

An example of this technology is McAfee Total Protection for Data Loss Prevention. This software can be used to support an organisation’s governance policies.

 

5. Authentication

Protecting your platform begins with managing the users who access your cloud. This is a large undertaking because of the array of external and internal applications, and the continual churn of employees.

Ideally, authentication is strengthened by rooting it in hardware. With Intel Identity Protection Technology (Intel IPT), Intel has built tamper-resistant, two-factor authentication directly into PCs based on third-generation Intel Core vPro processors, as well as Ultrabook devices.

 

Intel IPT offers token generation built into the hardware, eliminating the need for a separate physical token. Third-party software applications work in tandem with the hardware, strengthening the authentication process.

 

Through Intel IPT technology, businesses can secure their access points by using one-time passwords or public key infrastructure.

 

6. API-level Controls

Another way in which you can secure your cloud infrastructure is by enforcing API-level controls. The API gateway layer is where security policy enforcement and cloud service orchestration and integration take place. An increased need to expose application services to third parties and mobile applications is driving the need for controlled, compliant application service governance.

 

With API-level controls, you gain a measure of protection for your departmental and edge system infrastructure, and reduce the risk of content-borne attacks on applications.

 

Intel Expressway Service Gateway is an example of a scalable software appliance that provides enforcement points and authenticates API requests against existing enterprise identity and access management systems.

 

7. Trusted Servers and Compute Pools

Because of cloud computing’s reliance on virtualisation, it is essential to establish trust in the cloud. This can be achieved by creating trusted servers and compute pools. Intel Trusted Execution Technology (TXT) builds trust into each server, at the server level, by establishing a root of trust that helps assure system integrity within each system.

 

The technology checks hypervisor integrity at launch by measuring the code of the hypervisor and comparing it to a known good value. Launch can be blocked if the measurements do not match.
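The launch check described above, sketched as an added example (not Intel's code and not part of the original post). It assumes a TPM-style hash-extend register and SHA-256, neither of which the post specifies, and uses constructed byte strings in place of real boot components; all names are hypothetical.

```python
import hashlib
import hmac

# Constructed stand-ins for the components measured at launch (assumption:
# a real platform measures the actual firmware module and hypervisor image).
GOOD_CHAIN = [
    ("launch_module", b"constructed-launch-module-v1"),
    ("hypervisor", b"constructed-hypervisor-image-v1"),
]


def extend(register, component):
    """Hash-extend: new = SHA-256(old || SHA-256(component)).

    The register can only be extended, never set, so the final value
    depends on every component and on the order they were measured in.
    """
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()


def measure_chain(components):
    """Measure each component in launch order, starting from an all-zero register."""
    register = bytes(32)
    for _name, blob in components:
        register = extend(register, blob)
    return register


def launch_decision(components, known_good):
    """Return 'launch' only if the measurement matches a known good value."""
    measured = measure_chain(components)
    matches = any(hmac.compare_digest(measured, good) for good in known_good)
    return "launch" if matches else "block"


def trusted_pool(hosts, known_good):
    """Names of hosts whose measured launch matches, i.e. the trusted compute pool."""
    return sorted(
        name for name, comps in hosts.items()
        if launch_decision(comps, known_good) == "launch"
    )


# The known good value is recorded once from a reference build.
KNOWN_GOOD = {measure_chain(GOOD_CHAIN)}

# Constructed fleet: one clean host, one with a single changed byte in the
# hypervisor image, one that measured the same components in a different order.
TAMPERED = [GOOD_CHAIN[0], ("hypervisor", b"constructed-hypervisor-image-v2")]
REORDERED = list(reversed(GOOD_CHAIN))
HOSTS = {"host-a": GOOD_CHAIN, "host-b": TAMPERED, "host-c": REORDERED}

if __name__ == "__main__":
    for host, comps in HOSTS.items():
        print(host, measure_chain(comps).hex()[:16], launch_decision(comps, KNOWN_GOOD))
    print("trusted pool:", trusted_pool(HOSTS, KNOWN_GOOD))
```

Only the host whose full measurement chain matches is admitted to the pool; a changed byte or a changed order both produce a different final value.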

 

8. Secure Architecture Based on TXT

It’s possible to create a secure cloud architecture based on TXT technology, which is embedded in the hardware of Intel Xeon processor-based servers. Intel TXT works with the layers of the security stack to protect infrastructure, establish trust and verify adherence to security standards.

 

As mentioned, it works with the hypervisor layer, and also the cloud orchestration layer, the security policy management layer and the Security Information and Event Management (SIEM), and Governance, Risk Management and Compliance (GRC) layer.

 

Conclusion

Cloud security has come a long way. It’s now possible, through the variety of tools and technologies outlined above, to adequately secure both your data and your users. In so doing, you will establish security and trust in the cloud and gain from the agility, efficiency and cost savings that cloud computing brings.

 

- Arif


Transforming the Workplace: Putting Theory into Practice

This is the final post in my blog series about transforming the workplace. Be sure to read part 1, part 2, part 3, and part 4.


It’s a new year, and for most, it’s a great time for change. And while this often means new fitness programs, new diets, or other personal goals, what if we made a resolution to change the way we work?


This blog series has been exploring the changing workplace, its inevitable challenges, and how technology is key to transformation. At the end of last year, I talked about making it all work by applying an integrated strategy across culture, IT, and facilities. Here, in this final installment, I want to talk about how Intel implemented real change that resulted in happier employees and, truly, a better way to work. 


SMAC: Intel IT’s Phased Approach


As with any resolution, personal or professional, taking a methodical approach with measurable benefits is key to winning the race. Intel IT took a proactive, phased journey to enabling the SMAC stack—and it’s one that is continually progressing as technologies change.

  • Social – As Intel employees became more mobile, social tools quickly expanded to connect the dispersed global workforce to facilitate people working together in the same “virtual room.” Even better, employees are happier because they can easily connect with coworkers. 


 

  • Mobile – With an early start in mobile starting about 17 years ago, Intel IT now supports 90K employees at 143 sites in 62 countries, so supporting a seamless collaboration experience for all employees and refining the mobile app experience are top priorities. 



  • Analytics and cloud – With a start in data management and BI, Intel IT is now moving ahead with advanced predictive analytics, machine learning, and data visualization. Cloud efforts continue to evolve as well, including a mail cloud and personal cloud storage that let employees get what they need, when they need it, on any device.

 


Facilities: The Way We Work


So what about the actual workspace? After all, you can have all the exercise equipment you want, but if you don’t have the right spot to use it, you probably won’t exercise. In other words, poor or less-than-apt conditions can be counterproductive.


When Intel realized its many cubicle spaces were rather underutilized due to employees congregating in meeting rooms and other spaces to simply work together, they sought to strike a balance between collaboration space and personal working space. This manifested in The Way We Work program, based on the premise that any employee will work better in an environment tuned to the way they work. The program’s guiding principles address work style, preferences, company identity, and space.

  • Optimized workspaces foster mobility, collaboration, teamwork, and problem solving. Private phone-booth rooms become virtual offices with network connectivity and HD audio and video.


  • Inviting spaces are modern and make work a place where you want to be; they capture the look and feel of the future, and showcase Intel innovation and technologies.


  • Space efficiency makes optimal use of real estate, including repurposing existing square footage to help offset costs.

Intel takes it a step further, extending these guiding principles to its work groups, or “communities.” Each community is assessed to determine the particular needs for individual work areas, team areas, collaboration rooms, and private phone booths.


The changing workplace marks the end of the “one size fits all” office, but it also reflects a growing union between IT and facilities. For example, the conference room table you sit at today is just a piece of furniture, but in the near term it may come with a touch-screen interface and network connectivity. At this point, is it a piece of furniture or a piece of IT equipment?


There are exciting changes on the horizon. If we resolve to embrace the innovation, we can find a better way to work.

 

Intel’s Vision on Workplace Transformation


Finally, be sure to read the paper that expands on Intel’s vision of workplace transformation. It captures the topic of this blog series in even greater detail.

Has your organization moved on to a better way to work? Please join the conversation and share your experience. And be sure to click over to the Intel IT Center to find resources on the latest IT topics.


Until the next time …


Jim Henrys, Principal Strategist


21st Century Nursing Brings Anytime, Anywhere Care

In my days as a practicing registered nurse, technology felt like something that just got in the way of doing the real job of looking after patients. The perception of technology held by my fellow RNs was that it was forced on them by an IT department and that ultimately it was more hassle than it was worth.

 

Today, things have changed. Nurses are truly embracing technology and, in many cases, I’d say that they are pioneers of its use across the healthcare sector. Just one example is the benefits offered by the flexibility of using tablets and two-in-ones for patient care settings outside of the norm of a hospital or clinic.

 

A couple of years ago we put together a video here at Intel showing a nurse transcribing hand-written notes from a home visit on what would now be deemed to be a bulky laptop. Suffice to say that in just a short space of time mobile solutions have come so far. Writing notes on paper while with the patient then heading back to the office to input them into the appropriate clinical systems on a desktop is, thankfully, a thing of the past.

 

Real-time note-taking

Nurses now capture notes in real-time on a mobile device during a homecare visit in a way that the patient is comfortable with and finds unobtrusive. Where nurses used to hold a pen and paper they now hold a tablet, phablet or two-in-one which helps maintain that all-important, trust-building eye contact with the patient.

 

All of this is possible because of advances in the computing power of mobile devices. To put this into perspective, it’s likely that the tablet carried by a nurse today has more computing power than the desktop of just a couple of years ago. Combine that performance with the anywhere-anytime, security-enhanced access to clinical applications via the cloud and you have nurses who do their jobs more efficiently and reduce the number of errors resulting from duplicating steps to document patient information.

 

Educating patients

We want to see patients engaging more in taking good care of themselves too. Mobile devices are helping patients better understand their condition, whether that be through showing x-rays or illustrating responses to treatment in graphical forms. Education is a crucial part of the modern nurse’s role and I’m happy to say that this part of the job is much easier today than it was when I was practicing.

 

We’ve only scratched the surface though, as when we look ahead to the opportunities presented by wearable technologies which can send information to a care team instantaneously, we start to see the true benefits of virtual care. As the population grows and people live longer, this virtual care will become increasingly important, if not essential.

 

Your future

I’d love to hear how you are using today’s technologies in your role – how are mobile devices helping you care for your patients more efficiently and effectively? What is the one feature that you couldn’t live without? And what capabilities do you need moving forward?

 

Leave a comment below or tweet me via @intelhealth – let’s keep the conversation going so that we can build the future of nursing together.


Reaching one million database transactions per second… Aerospike + Intel SSD


 

 

We’ve known the innovators at Aerospike for a few years now, and today we are announcing more than 1 million transactions per second (TPS) on a single server with Aerospike’s NoSQL database. That might not seem like such a big deal, until you realize we are not using DRAM for this, as you’ve seen on some previous posts about Aerospike doing 1 million TPS. We are trading out DRAM for NVM (non-volatile memory) in the classic form of NAND memory. NAND to database fanatics like us is hot, because you store so much more. NoSQL innovators have learned how to utilize NVM with breathtaking performance and new data architectures. NVM is plenty fast when your specification is 1 millisecond per row “get”. In fact it’s the perfect trade-off: fast, lower cost, and non-volatile. The best thing is the price. Did I tell you about the price yet?

 

NVM today and even more so tomorrow is a small fraction of the price of DRAM. Better still you are not constrained by say 256GB, or some sweet spot of memory pricing that always leaves you a bit short of goal. Terabyte class servers with NVM give you so much more headroom to grow your business and not reconstruct and upgrade your world in months.  How does 6 + Terabytes of NVM database memory on a single box sound?


Here at Intel, we say: be bold, go deep into the Terabyte class of database server!

 

So how did we do this? Well our friends at Aerospike make it possible with a special file system (often called a database storage engine), that keeps the hash to the data in DRAM (a very small amount of DRAM, we set it to 64 GB), and the actual 1k or greater (key,value) row is kept in a large and growth capable “namespace” on 4 PCIe SSDs. Aerospike likes Intel SSD for their block level response consistency, because when you replace DRAM and concurrently run at this level of process threading, consistency becomes paramount. In fact we like to target 99% consistency of reads under 1 millisecond, during our tests. Here are the core performance results.

 

95% read Database Results (Aerospike’s asmonitor and Linux iostat)


asmonitor data

| Record Size | Number of client threads | Total TPS | Percent below 1ms (Reads) | Percent below 1ms (Writes) | Std Dev of Read Latency (ms) | Std Dev of Write Latency (ms) | Database size |
|---|---|---|---|---|---|---|---|
| 1k | 576 | 1,124,875 | 97.16 | 99.9 | 0.79 | 0.35 | 100G |
| 2k | 448 | 875,446 | 97.33 | 99.57 | 0.63 | 0.18 | 200G |
| 4k | 384 | 581,272 | 97.22 | 99.85 | 0.63 | 0.05 | 400G |
| 1k with replication | 512 | 1,003,471 | 96.11 | 99.98 | 0.87 | 0.30 | 200G |

 

 

iostat data

| Record Size | Read MB/sec | Write MB/sec | Avg queue depth on SSD | Average drive latency | CPU % busy |
|---|---|---|---|---|---|
| 1k | 418 | 29 | 31 | 0.11 | 93 |
| 2k | 547 | 43 | 27 | 0.13 | 81 |
| 4k | 653 | 52 | 20 | 0.16 | 52 |
| 1k (replication) | 396 | 51 | 30 | 0.13 | 94 |

 

Notes:

1. Data is averaged and summarized across 2 hours of warmed up runs. Many runs executed for consistency.

2. 4k test was network constrained, hence the lower CPU attained during this test.

 

We ran our tests on 1k, 2k and 4k row sizes, and 1k again with asynch replication turned on. We kept the data row-wise small, which is common for operational databases that manage cookies, user profiles and trade/bidding information in an operational row structure. The Aerospike database does have a binning process that can give you columns, but so many usages exist for strings, so we configured for no-bin (i.e. 1 column). This configuration will give you the highest performance for Aerospike.

 

The databases we built were from 100GB to 400GB, but as we made the database bigger we did not see any drop in performance. We used a small database to maintain some agility in building and re-working this effort over and over. Our scalability problems came about as we scaled the row sizes, and that was at the network level, no longer a balancing act between the SSD and threading levels on the CPU. We simply need more network infrastructure to go to larger row sizes. Taking a server beyond 20Gbit of networking per server at a 4k row size was a wall for us. Supporting nodes that are producing 40Gbit and higher throughput rates can become an expensive undertaking. This network throughput and cost factor will affect your expense thresholds and be a decision factor on truly how dense an Aerospike cluster you wish to attain.

 

Configuration and Key Results

We used Intel’s best 18-core Xeon v3 family servers, which support 72 CPU hardware threads per machine. Aerospike is very highly threaded and can use lots of cores and threads per server; with htop we were recording over 100 active threads per monitoring sample, loading the CPU queues nicely. As for balance with the SSDs and their queue depths, we found that our range of 95% to 100% consistency under 1 ms database record retrieval was best achieved at queue depths of under 32 on these Intel NVMe (non-volatile memory express) SSDs. The numbers in the asmonitor data table show that we were actually getting mostly 97% of all transactions running under 1 millisecond. A very high achievement.

 

Configuration details are below, for those attempting to replicate this work. All components and software are available on the market today. Try the Aerospike Community Edition free for download here.

 

AEROSPIKE DATABASE CONFIGURATION

 

| Description | Details |
|---|---|
| Edition | Community Edition |
| Version | 3.3.40 |
| Bin | Single Bin |
| Number of nodes | Two |
| Replication Factor | One (*Two used with 1k rows and replication) |
| RAM Size | 64 GB |
| Devices | Two P3700 PCIe Devices per node (4 total) |
| Write block Size | 128k |

AEROSPIKE BENCHMARK TOOL CONFIGURATION

Example command used to load the database:

./run_benchmarks -h 172.16.5.32 -p 3000 -n test -k 100000000 -l 23 -b 1 -o S:2048 -w I -z 64

Example command used to run the benchmark from client:

./run_benchmarks -h 172.16.5.32 -p 3000 -n test -k 100000000 -l 23 -b 1 -o S:2048 -w RU,95 -z 64 -g 125000

Flags of Aerospike Client:

-u    Full usage
-b    set the number of Aerospike bins (Default is 1)
-h    set the Aerospike host node
-p    set the port on which to connect to Aerospike
-n    set the Aerospike namespace
-s    set the Aerospike set name
-k    set the number of keys the client is dealing with
-S    set the starting value of the working set of keys
-w    set the desired workload (I – Linear ‘insert’| RU, – Read-Update with 80% reads & 20% writes)
-T    set read and write transaction timeout in milliseconds
-z    set the number of threads the client will use to generate load
-o    set the type of object(s) to use in Aerospike transactions (I – Integer| S: – String | B: – Java blob)
-D    Run benchmarks in Debug mode

 

| System | Details |
|---|---|
| Dell R730xd Server System | One primary (dual system with replication testing); Dual CPU socket, rack mountable server system; Dell A03 Board, Product Name: 0599V5 |
| CPU Model used | 2 each – Intel(R) Xeon(R) CPU E5-2699 v3 @ 2.30GHz max frequency: 4Ghz; 18 cores, 36 logical processors per CPU; 36 cores, 72 logical processors total |
| DDR4 DRAM Memory | 128GB installed |
| BIOS Version | Dell* 1.0.4 , 8/28/2014 |
| Network Adapters | Intel® Ethernet Converged 10G X520 – DA2 (dual port PCIe add-in card); 1 – embedded 1G network adapter for management; 2 – 10GB port for workload |
| Storage Adapters | None |
| Internal Drives and Volumes | / (root) OS system – Intel SSD for Data Center Family S3500 – 480GB Capacity; /dev/nvme0n1 Intel SSD for Data Center Family P3700 – 1.6TB Capacity, x4 PCIe AIC; /dev/nvme1n1 Intel SSD for Data Center Family P3700 – 1.6TB Capacity, x4 PCIe AIC; /dev/nvme2n1 Intel SSD for Data Center Family P3700 – 1.6TB Capacity, x4 PCIe AIC; /dev/nvme3n1 Intel SSD for Data Center Family P3700 – 1.6TB Capacity, x4 PCIe AIC; 6.4TB of raw capacity for Aerospike database namespaces |
| Operating System, kernel & NVMe driver | Red Hat Enterprise Linux Server Version 6.5; Linux kernel version changed to 3.16.3; nvme block driver version 0.9 (vermagic: 3.16.3) |

Note: Intel PCIe drives use the Non-Volatile Memory Express (NVMe) storage standard for non-volatile memory; this requires an NVMe SSD software driver in your Linux kernel. The currently recommended kernel for work such as these benchmark results is 3.19 based.

 

PCIe NVMe Intel drives latest firmware update and tool

Intel embeds its most stable maintenance release support software for Intel SSDs into a tool we call Intel Solid State Drive Data Center Tool. Our latest release just landed, and it is important that you use the MR2 release included in the latest version 2.2.0 to achieve these kinds of results for small blocks. Intel’s firmware for the Intel SSD for Data Center PCIe family gets tested worldwide by hundreds of labs, many of them directly touched by software companies such as Aerospike. No other SSD manufacturer is as connected both in the platform and in the software vendor collaboration space as Intel is, guaranteeing you the solutions-level scalability you see in this blog. Intel’s SSD products are truly platform connected and end user software inspired.

https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=23931

 

Conclusion

The world of deep servers that dish out row-based Terabytes has arrived, and feeding a Hadoop cluster or vice-versa from these kinds of ultra-fast NoSQL clusters is gaining traction. These are TPS numbers never heard of in the Relational SQL world from a single server. NoSQL has gained traction as purpose built, fast, and excellent for use cases such as trading, session and profile management. Now you see this web scale friendly architecture move into the realm of immense data depth per node. If you are thinking 256GB of DRAM per node is your only option for critical memory scale, think again; those days are behind us now.

 

Come see Holly Watson, and Frank Ober at Strata + Hadoop World at the Intel Booth #415. We’d love to talk to you more about our NVMe SSD’s and how open industry standards are changing the future of databases and the hardware you run them on.

 

Special thanks to Swetha Rajendiran of Intel and Young Paik of Aerospike for their commitment and efforts in building and producing these test results with me.
