Virtualization Technology News and Information
VMblog's Expert Interviews: Calif. Dept. of Water and Arkin Talk SDDC Visibility, Operations and Security


The CDWR is one of the largest departments within the California Natural Resources Agency, with about 3500 employees managing the state's entire water delivery system - meaning massive data coordination across federal, state and local government organizations.  Previously, the CDWR had limited data sharing and recovery abilities, which affected security, operational and decision-making processes.  The lack of flexibility impacted critical functions, including environmental impact studies and customer service, and the CDWR required a data center model able to adapt more easily to evolving business and collaboration needs.

With the goal of an IT infrastructure that acted as an enabler (rather than a constraint), the CDWR planned, designed and deployed a flexible data center architecture to optimize their network for applications and cloud access, reduce IT complexity, increase scalability and agility, improve security, and save on overall operational costs. At its core, CDWR employed Arkin's Security and Operations Platform to provide converged visibility, network operations and security planning and operations for the new data center.

VMblog spoke with the CDWR's CTO, Tony Morshed, and Arkin's CEO, Shiv Agarwal, about the project.

VMblog: Tell us about the software-defined data center the CDWR recently deployed.  What is the installation backstory and what's under the hood? 

CDWR: Our infrastructure modernization effectively happened in three stages: the first was virtualization, the second was the unfurling of a multi-tenant/hybrid cloud solution, and the third - the version we're calling 3.0 - is the software-defined architecture we're switching on now. With all three iterations, our goal has been to simplify processes, reduce the time needed to deploy business systems and workloads, automate as much as possible (including firewalling and other security measures), and improve flexibility, scalability, and productivity. We essentially set out to transform the entire agency's shared IT infrastructure from a traditional, physical data center model to a more flexible, scalable and streamlined SDDC. 

To start, we drafted a comprehensive plan to build the next generation 3.0 cloud-based data center based on our existing 2.0 architecture - one that could leverage software defined networking and automation. The end result was a deployment of virtual machines (VMs) in a multi-tenant, highly scalable, and secure environment, with the agency deploying server and network virtualization software from VMware (ESX and NSX) and security software from Palo Alto Networks.

This is where Arkin played a critical role in the deployment: their Security and Operations Platform enabled east/west traffic visibility, contextual analytics and helped layer granular security across the entire software-defined environment.

Arkin: Our Security and Operations Platform addressed key challenges facing the CDWR: One was achieving a clear understanding of their application's East-West network behavior, which in turn helped CDWR plan and model out their security posture and move towards a granular and complete zero-trust security model. Second was to ensure CDWR had seamless cross-silo visibility across our compute, networking and security infrastructure, spanning VMware NSX, Palo Alto Networks firewalls, and Brocade physical networks. Arkin helped CDWR achieve this by acting as a single platform able to tie the different infrastructure and application tiers together with seamless visibility. The results: a risk-free SDDC deployment and a converged operations experience moving forward.

VMblog: If you could, please talk about your key considerations for moving to the cloud, and some of the challenges you faced along the way.  

CDWR: In California, you might think our biggest challenge is nature, but in reality it was creating an architecturally collaborative ecosystem for all of the government agencies, businesses and citizens we partner with and serve. The California Natural Resources Agency manages the state's natural resources, and we are one of the largest departments within that agency (about 3500 employees). Our mandate is to supply and manage water delivery for all of California - while simultaneously collaborating with other federal, state and local government organizations, experts and residents. This requires the management of vast data sets to model the effects of the environment on our water supply, which has been seriously tested in the past few years because of the ongoing drought. Information technology plays a critical role in helping us develop and deliver solutions to mitigate the impacts of our drought issues, and to encourage residents and businesses to meet the State's goals for water use reduction. And then, of course, because we are a public agency, there is always the challenge of budget.

Arkin: Virtualization is rapidly transforming data center computing, and in turn virtualizing the data center network, most commonly in the form of a server-implemented (overlay) virtual network that uses the physical (underlay) network. This new layered network infrastructure required joint configuration and management of the virtual and physical network. Where it gets really tricky is getting the primary vendors - many of whom compete with each other - to "talk." What we provided the CDWR is a common window, a vendor-neutral and joint virtual and physical approach to data center and cloud management that enables the department to co-opt these competing infrastructure vendors.

Another challenge (as well as advantage) was addressing the need for security in the new data center. Because a virtual network design is much more flexible than legacy physical network design (it's all software) it's possible to build a virtual network that directly reflects the connectivity requirements of a given application. This application-specific network design makes it easier to specify and implement application-specific security (VMware refers to this as "micro segmentation"). Our platform enabled the use of micro-segmentation by the CDWR, first by making the existing data center network traffic more visible (understanding what the virtualized network must do), as well as the modeling and deployment of distributed and granular firewall policies to help secure their infrastructure and applications.

VMblog: What does the partnership with Arkin mean?  How will the deployment of their Security and Operations Platform affect data center administrators and productivity?

CDWR: Like many organizations, we came to the table with a mixed datacenter that includes multiple vendors, which forced us to use multiple tool suites. But we did not want to fall into the trap of restructuring an entire architecture only to then have to figure out how everything would work together, or how we would see across all of the layers and applications. By baking Arkin's search-centric security and operations platform into the project from the beginning, we've been able to effectively troubleshoot along the way, which has been an invaluable timesaver to our network and other operational personnel. We effectively cut down hours of post-deployment troubleshooting time, from days to minutes, as well as enabled us to become proactive when it comes to IT operations. Although the Arkin solution is currently 'read only' (monitoring and reporting only), it's like having a single pane of glass to plan, implement and troubleshoot the data center. It's also one device instead of many, so everyone has the same view, which significantly improves collaboration. And, in the future, the possibility of 'read/write' capabilities could position the company as a key player in the self-healing software-defined-datacenter.

Arkin: The integration of Arkin with CDWR's Cloud 3.0 infrastructure boils down to providing operational efficiency, security and administrative simplicity through visibility into the new SDDC, which features both virtual and physical network, compute, and security infrastructure.  Because we are tightly integrated with widely-used VMware, Cisco, Palo Alto Networks, Brocade and HP products, we were a key catalyst in the move to SDDC.

Most importantly, the CDWR saw value in including visibility from the get-go, and not just considering it once the system was in place. Now, when the system is ultimately switched on, there will be no surprises. That's our biggest contribution: providing much-needed visibility and cross-domain analytics for operations teams to ensure the system is productive from day one.

VMblog: What should other agencies - public or otherwise - think about in terms of successfully migrating to an SDDC?

CDWR: Our goal was to achieve and maintain the highest level of overall data center economics and performance. With our 3.0 deployment, we delivered the building blocks for the CDWR's self-service portal - which resulted in significantly increased technology efficiency, agility and capacity. But we know the updates won't end, and in fact we're already looking at stretching into other data centers, like Amazon or Microsoft Azure.

On a more personal note, my team was credited with championing a new style of IT within the agency that promotes the use of technologies that foster efficiency and innovation. Essentially, that was in large part due to our decision to knock down silos and increase agency agility with a modern architecture that supports 5,500 virtual servers, 11 petabytes of data storage, 2,600 applications and 1,254 networked sites. Today, most of my agency's organizations are being given the support needed to transform the business and serve citizens, all to meet the agency's mission of protecting California's natural, historical and cultural resources.

Arkin: A lot of people are saying 2016 is the year software-defined X (anything) becomes de rigueur, and federal, state and local agencies begin making the shift. Add to this the fact that the maintenance of legacy architecture has become cost-prohibitive. But even with a mandate to update and virtualize, a lot of that legacy technology will have to be maintained and co-opted into new systems. The trick is going to be spending just enough to be able to shift to more cost-effective and scalable platforms that will essentially be recycled back into the budget.

The CDWR designed a highly automated and secure data center that can now be managed holistically, and is scalable. Considering the logistical, inter-departmental and budgetary challenges they faced, this is no insignificant feat, and their work is leading the charge on software-defined security for all departments. It was the collaborative effort of a lot of parties and a lot of vendors. But what the CDWR incorporated -- the key element that makes this deployment so efficient -- was foresight. By baking visibility in, they've mitigated the implementation and operations risk associated with any new technology adoption and have eliminated any guesswork in ensuring application security, thus rolling out a software-defined data center that works on day one.


Published Thursday, April 28, 2016 6:31 AM by David Marshall