Hello everyone and thank you for coming. My name is Kim Hindart and I work at City Network Hosting. And my name is Tobias and I also work at City Network Hosting. Who are we at City Network? We started as a small Swedish company based in Karlskrona, Sweden, in 2002, and then it was mainly web hosting, and that's pretty much our legacy. Nowadays we're running data centers at 30 different locations. In 2009 we started our service called City Cloud, and in 2014 we switched to run that completely on OpenStack, and today, I think, more than half of our revenue is based on OpenStack. Shortly, a bit about what we've done at City Network. We made a switch to be more focused on enterprise solutions. That's why we took a lot of ISO certifications. And I'm here to talk a bit about a case we encountered. You might get this question a lot. People tend to say if you're in the health care industry you can't utilize public cloud. If you're government you can't utilize public cloud. If you're in bank and finance you can't use public clouds. And these industries are very interested in scalability, flexibility and efficiency as well, not to mention the cost efficiency they can get from it. So they are very interested, but a lot of people, industry experts, say you can't use public clouds, that's not allowed with your regulations. And that was something we actually encountered at a similar seminar exactly a year ago. So we thought: challenge accepted. Let's build a cloud where you can actually have a public cloud that is compliant with all rules and regulations. So we built a compliant ISO-certified service. We're focused on bank and finance, health care and government. The case that we encountered was an insurance company, one of the largest insurance companies in Sweden. They have patient records as well as insurance records, so we got the big favor of being regulated both by the bank and finance authorities and by the health care authorities.
Since we have patient data in it as well. And we provide a complete pay-as-you-go IaaS, but it is completely compliant. We can just quickly go through: we are certified for bank and finance. Now, we are a Swedish company, so we are under Swedish authorities, but it's comparable to different standards all over; the process of doing this is very much similar. If you're in Europe, if you're in Asia, or if you have a similar kind of authorities, you have pretty much similar control mechanisms. Patient privacy is protected by law in all these countries, so the process is quite similar there as well. OK. A quick show and introduction on what we actually provide the customer. Yes. I will start off by describing our infrastructure, or the infrastructure of one single data center. Was that direction? Sorry. This is an overview of our infrastructure in one data center. On all nodes we are running Red Hat Enterprise at the bottom, and we are on the Kilo release, RDO distribution, for all the OpenStack modules. We have the compute nodes that are running Nova and KVM as hypervisor, and the network nodes running Neutron, the non-distributed version of Neutron. We have the control nodes that run all the other APIs that we are providing, among them Keystone. When it comes to Keystone we are using version 3, and we are using a separate Keystone for every single data center for security reasons, because if one data center is compromised we don't want to risk that another data center will be compromised, since they share tokens. For storage we are using NFS, which has extremely good performance. But even though the performance is very good, we are looking into other solutions as well, Ceph for example, since we see that we can get problems with the scaling and distribution with NFS. We have chosen not to use Horizon as cloud management platform, so we have built our own. The reasons for that were flexibility:
we would like to do whatever the customer needs to have, and ease of use. We sometimes feel that Horizon is a little bit too techy to use, for a lot of our customers at least. So yes, I will try to do a short demonstration of this management platform. Let's hope that the network connection works here. OK, so the purpose of this demo is just to get some servers up and load balanced. So let's start by creating a network, and please be a little bit patient if we have some latency to Sweden here. OK, I choose data center. We choose Stockholm. Here we have made it a little bit simpler than in Horizon. We have chosen to summarize everything in one package, create network, so we create the router and subnet and all those things automatically for the user. But the advanced options are here if you have that expertise. As I said, some latency. The polar bears are in the way. Thanks. Then we have our network and we move forward to just create security groups that have the correct security for our servers from the beginning, and make sure that we edit in the same data center. That was quicker. And we move on to adding a new rule, because I was thinking that we were going to show a web page, so we have to allow some web traffic. We have some pre-configured rules here that I'm using. Now the polar bears are in the way again. OK, so now we have our network and security group and rules. So let's start creating the servers. We choose which data center to put them in. Even here we have summarized the whole flow of creating a server from Horizon into one interface and have made some things a little bit simpler. And we also think that is really important for our customers: since we are running a fully pay-as-you-go kind of cloud, it's important to have the cost visible for the customer all the time. We boot from an image and we choose Ubuntu for this case.
And here we have implemented a packages feature that uses cloud-init to post-install these packages, and we choose LEMP here. We have also created a little flexible flavor chooser that on demand creates a flavor if the flavor is not there when we create the server. OK, so let's make sure that we have the correct network, and add the correct security group, and do some shortcuts here. Show them a bit how the cost changes, I think. Yeah, that's correct. When we update here, it's automatically updated in the box, so that they always have a view of how much their servers are going to cost them. OK, so did I hit it? OK, so in a couple of seconds we will have three Ubuntu VMs running here. OK, they are on the way up. So let's move on to creating the load balancer, which is using Load Balancer as a Service. And we also think that we have made this a little bit easier than it is in Horizon. Here we have some advanced options as well if we would like to change anything. Just make sure that we put it on the correct network here and that we are assigning a new floating IP to the load balancer. And when the load balancer is created, in probably a couple of seconds, we will just add the servers that we created on that network so they will be in the load balancer. So let's put them in here to be in the pool and save that list. And hopefully that IP will answer with some kind of web page. Oh yeah, it did. Thanks. So I hope that was a short demo and I hope it shows that it's possible to do things otherwise than Horizon does it. And this was important for us also, since we are running separate Keystones for each data center and have multiple locations in one interface. So yeah, thanks. OK, and well, you might think that's not something new. Other people, other companies, of course do public cloud as well. But what we did was that we made a guarantee to our end customers that this is compliant, fully compliant, with all laws and regulations they face.
There is a bit of trickiness to making this, actually. We are right now betting our entire company on the fact that we can provide a fully compliant IaaS. That's, I think, something that bigger companies have an issue with, because there are a few things you actually need to think about when making this compliant IaaS promise to your end customers. It's not you that needs to be compliant as a provider. You need to ensure that you follow the rules that apply to them. To say this: we as a public IaaS provider have rules and regulations that rule us. But they are not nearly as tough as the rules and regulations that rule an insurance company. But we need to act as if we were an insurance company in order to provide this compliance. Otherwise it wouldn't work. This is why there are a bit of tricky issues, been in the media for instance. This is a phrase I usually say: jail trumps fines. And what do I mean with this? You need to have a certain type of organization. Where the data is stored matters, because with a search warrant the local police can confiscate data. And the local police doesn't really care if the data is from a customer abroad. They can confiscate it. But that's not all. You need to have the legal jurisdiction of the owners as well. Because, back to the fact: jail trumps fines. So local law that can put you in jail will always grant access to things abroad, even if you have an agreement. Microsoft has shown that this is a tricky part, because a court in the US said you need to provide us with all information you have in Europe. And Microsoft said, but we have a separate company in Europe. And the court said, but you are the ruling body of that company. You need to provide us that information or we hold you in contempt and put you in jail. This is a tricky part. And of course, it's not a worry; the risk is very minimal that this happens. But still it's not within the rules to take this risk for these types of companies.
You have the same with the legal jurisdiction of administrators. We had a Swedish bank who outsourced administration to South Africa, and the South African government said, we have a search warrant, give us access to the bank records. And the people said, but we work for a Swedish company, and they said, we don't care. Give us access or we put you in jail. And then jail trumps fines. So, losing your job or losing your freedom? You will choose losing your job over your freedom. So that's pretty much the fact we have. Then we have another issue that makes it hard for big companies, and that's accountability. If a nurse or a medical professional looks at your hospital records just for curiosity, when they don't have a specific need to look at your record, a medical reason to do it, they will be severely fined or go to jail personally. They are personally accountable for looking at medical records that are not relevant for them. This is a fact: they face a personal risk by breaking confidentiality rules regarding your hospital records. If I am an outsourced IT administrator, all I risk personally is that my boss will yell at me, because it's my company that takes all the risk, not me personally. And this is why health care says that it's impossible to use public cloud. This is why we need to sign a waiver that all employees at City Network will face the same personal risk concerning confidentiality as an employed professional at the client we serve. Otherwise it wouldn't work. We need to have the same risk and liabilities as if we were full-time employed. You can imagine that going to Amazon and Microsoft and saying we want you to take this would be a bit tricky. Lawyers would fight them some time for this, but that's the way. Luckily I am at the top end of the boat. I'm just a security officer. It will be the other one. No.
Then there is, of course, something more you need to think about when you make this compliant. And this is the basics of information security: confidentiality, integrity and availability, which all cloud providers do. This is pretty much why you want to use cloud. What you add on top of it is pretty much a lot of logging, because you need to have this non-repudiation, this authenticity. You need to be able to provide audit logs, a forensically sound record, because when it comes to bank and finance, all rules regarding this require that you can prove who actually said what to which individual, what was promised. So what we need to think about from the infrastructure perspective is of course that no one has been in and manipulated the records; it's just a sound record. So when the application says we told this customer this and he acted like that on financial advice, then they can dispute it, and from my infrastructure perspective we didn't make a man-in-the-middle possible. That's what my infrastructure needs to do. So from the OpenStack perspective it's pretty much debug equals true on everything and send it to a remote log server. So we got this question from them: is it possible to provide true multi-tenancy? Because our business model with pay-as-you-go wouldn't be possible if you can't share the hardware between customers. Then it's difficult; it won't be very cost effective. We can of course price it very high, but then we would be insanely more pricey than Amazon and the other ones. And that's not what they're looking for either. They're looking for similar pricing models. So do we really need physical isolation for all these high compliance industries? The answer is in the rules: no. It is nowhere in the rules, and I've looked at a lot of rules all over the world.
I usually say that chief security officer means I'm a rare tech guy who's not allowed to do any tech stuff anymore. I'm just allowed to read the rules and regulations from all over the world. But there are no rules and regulations that say that you absolutely need to have your own physical hardware for information. It needs to be separated and it needs to be controlled so no unauthorized people can access it. So what do you think? Is it possible to trust the logical separation enough to do it? Would you do it? Well, I usually say my biggest argument is it's always a matter of risk. No system is foolproof, and actually the laws and regulations tend to understand this. You cannot build a foolproof system. It's always a risk. Everything can be hacked. Everything can be broken. But if we look at the difference in the risk between a logically separated and a physically separated thing, we know that it decreases. KVM is getting better and better on security. OpenStack is getting better and better on security. Any members of the OpenStack security team here? No one. OK, they're doing a good job. They're actually getting a lot better. All hypervisors are getting better. The thing is, the cost of having your own hardware is increasing compared to using cloud. So we have one trend that's steadily increasing and one trend that's steadily decreasing. The most important thing is to use the money, in a security sense, in the right way. I usually compare it to injuries in traffic. The most important thing for reducing injuries in traffic is not better roads, and it's not airbags, seatbelts and safer cars. It's the driver's license. How do you reduce personal injuries in traffic? The best way is educating the drivers, by far. It's similar. You gain a lot. It costs really, really much to have separate hardware, and you don't gain that much less risk. You reduce the risk a lot more by putting that money into educating your staff not to keep their passwords under the keyboard.
That's something, but like I said, we are open for that debate actually, because it's not been tested in court yet. So that will be interesting. If you look at what the attack vectors are that you need to be aware of, that's actually something that differs if you have separate hardware, and the thing you're afraid of is, of course, the hypervisor breakout, the rogue VM, a VM that we don't control that can access other VMs on the machine. You can, of course, attack both the connections between other virtual machines and the other virtual machines themselves, and you can, if you gain access from a virtual machine to the hypervisor. Because we are an infrastructure provider, we don't know what the customers are doing here. So we can't fully understand what the customers are doing on their own machines, and that's how it's supposed to be. But that doesn't prevent it; that's why we need to really rely on the security of the hypervisor in order to sleep well at night, pretty much. But the thing is, what we have done with our high security is to reduce risks by having it semi-private. We don't take anyone in just as long as they pay with a credit card. We have a public cloud that's totally public where we do that. But we try to be a bit industry specific. So we tend to group insurance companies together, banking together, because then they share a risk and they have a common goal: not to post web pages that are abusive and run a lot of DDoS attacks and these things. And they tend to know that they don't want to hack each other, because that would be an arms race they wouldn't like. So we want to group them; they share a risk. That's how you minimize it. And then we rely heavily on Red Hat and KVM, knowing that they have a secure setup. And this is what we use for auditability as well. We use the Red Hat templates for audits.
So they provide today a very good way of knowing that you reach a good certification, and some way that you actually control this. So it's just a matter of adding extra logging and remote syslog and keeping track that you actually log what you need to. Yeah, thank you. Any questions?

So essentially, what did you have to do beyond vanilla OpenStack in order to be able to make that commitment to be compliant and go to jail if it breaks, beyond segregating your Keystone repositories?

Actually, that's the interesting part: vanilla OpenStack is good enough. OpenStack is good enough today. So that's good. The security groups are doing auditability. They're doing published security vulnerabilities. They're doing penetration testing. So we rely on the community growing, and we don't see any trend that it will decrease in people. So no, it's good enough. What you need to do is on the organization side.

Sure. So you're sleeping well at night and you think OpenStack has your back?

I'm sleeping really well at night. Ask our CEO. You might say it's a different thing, but no, I'm actually quite safe. I think we are in good hands. I think it's recording.

Did you do something about patches or something like this? The continuous integration for all the regulations that you have to do for vulnerabilities or something like this?

Yes, actually you need to look at the operating system on the hardware itself. So that has to be in a specific control mode. Then we rely a lot on the documentation that Red Hat provides us. We're using Red Hat Enterprise all over, and we follow the scheme and regulatory commitment. Because the thing is that banks and these companies use this operating system themselves in their own infrastructure. So if we follow the same schedule and same processes that they do with that, well, it's the same. Red Hat, just running OpenStack, is still a Red Hat machine.
So the regulations are on the hardware and the software operating system of the machine itself, not that much on OpenStack itself. Anyone else?

Do any of your customers have requirements on you to encrypt their data while it's stored in the cloud? And if so, how do you do it?

Yeah, actually, we encrypt all traffic. So that's done on the network level of course, and we ensure that encryption. Then it's pretty much up to the customer. At the OS level, we leave it up to the customer. We only provide the infrastructure. So then it's up to the customer to decide: is this data regulated or not, so that you need the encryption? But all APIs are open, so they can put up Firewall as a Service; we have a firewall image. They can put up a VPN if they want to. But yeah, it's the customers themselves that need to decide. But all traffic between our data centers on the layer two level is encrypted by us.

Yeah, half and half. At least one big, or the biggest, insurance company, at least they trusted us enough with this. We are ISO certified, so we have third-party audits checking that we actually live up to all the security standards we say we provide. Then of course you need to trust someone. Your outsourcing partner is still a matter of trust in the end, a bit. So this is very young and this is very untested. But I think a lot of it is having great flexibility, all these things that they're talking about here at OpenStack, and hospitals and banks are crying because they can't take that advantage. I think that motivates them as well.

How do you handle efficient packing of virtual machines into the physical hosts? Or do you maintain a certain ratio when they request a new instance?

A good monitoring process, actually. Yeah, that's actually how it is. And some flavors are just matched with some nodes. So it's quite simply as easy as that.

I apologize, I was not here in the beginning of the presentation.
Can you summarize which security appliances you are using, and are you offering all of them to your customers as a service which they can purchase from you?

What we're actually offering is not so much appliances. We're offering compliance with banking, health care and government. And then it's up to us to have secure appliances ourselves. So the customers, they have no say in hardware. We decide hardware.

But you mentioned that you can offer them a firewall as a service?

Yes, and there are different ways: we have one firewall service that's called Clavister, and we can offer the APIs in OpenStack, like Brocade. Yeah, so that's it.

And the rest of the appliances are stuff that you use to be compliant? But can you mention specifically?

We use a lot of hardware from Dell and we use Cisco. So that's a lot of what we build our infrastructure on. Thank you. Just to say, with hardware, actually, when we looked at this, all the big vendors have good certifications, good documentation, and that's what you need to be able to provide. And no one was a lot worse or a lot better than the other. They were good. The big vendors of hardware and servers today, there are quite few of them nowadays. They have good documentation, so you can provide that. They usually certify this with third parties as well. So that's good. Because like I said, we try to build our data center similar to how the customer would build their own internal data center, and then we can get by the compliance rules. And of course, if you come up with more questions, we will be in the mingle at the marketplace, I guess, later on. So, take a card here and contact us whenever you want. Thank you very much. Thank you.