US9444789B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9444789-B2 |
| Application number | US-201414470497-A |
| Country | US |
| Kind code | B2 |
| Filing date | Aug 27, 2014 |
| Priority date | May 16, 2012 |
| Publication date | Sep 13, 2016 |
| Grant date | Sep 13, 2016 |
Official abstract text for this publication.
An example method includes receiving a request for a cloud capability set during an Internet Key Exchange negotiation associated with a virtual private network (VPN) tunnel between a subscriber and a cloud, wherein the cloud capability set comprises one or more cloud capabilities, mapping the request to one or more cryptographic modules that can support the cloud capability set, and offloading the VPN tunnel to the one or more cryptographic modules. The request can be an Internet Security Association and Key Management Protocol (ISAKMP) packet listing the one or more cloud capabilities in a private payload. The method may further include splitting the VPN tunnel between the cryptographic modules if no single cryptographic module can support substantially all the cloud capabilities in the cloud capability set. In some embodiments, the request is compared with a service catalog comprising authorized cloud capabilities.
Opening claim text (preview).
What is claimed is:
1. A method, comprising: receiving, at an Internet Key Exchange (IKE) processing node in a cloud, a request for a cloud capability set comprising cloud capabilities associated with at least one of a plurality of service tiers, each service tier in the plurality of service tiers being associated with a different cloud capability set, the cloud capability set being selectable at a self-service portal of a cloud orchestration framework, the request being associated with a virtual private network (VPN) tunnel between a subscriber and the IKE processing node; selecting particular cryptographic modules from a plurality of cryptographic modules located in the cloud based on the request, wherein different cryptographic modules support different cloud capability sets, wherein the particular cryptographic modules support the requested cloud capability set; offloading, by the IKE processing node, the VPN tunnel to the particular cryptographic modules in the cloud; and configuring, by an orchestration engine in the cloud, network resources in the cloud to channel services according to the at least one service tier through the particular cryptographic modules.
2. The method of claim 1, further comprising: receiving, at the IKE processing node, a service catalog from the orchestration engine, the service catalog indicating available cloud capability sets associated with the subscriber according to a Service Level Agreement (SLA) with the subscriber; identifying the requested cloud capability set in the service catalog; and provisioning the requested cloud capability set across the particular cryptographic modules.
3. The method of claim 2, further comprising: denying the request if the requested cloud capability set is not included in the available cloud capability sets for the subscriber.
4. The method of claim 2, wherein the service catalog is provided by a business service management portal in the cloud.
5. The method of claim 2, wherein the service catalog includes an application programming interface (API) to facilitate generating the request for cloud capabilities.
6. The method of claim 2, wherein different subscribers are associated with different service level catalogs.
7. The method of claim 1, wherein some cloud capabilities overlap between more than one service tier.
8. The method of claim 1, wherein the cloud capabilities are differentiated into the plurality of service tiers according to criteria, including at least one selected from a group consisting of demand, infrastructure cost, and arbitrary differentiation.
9. The method of claim 1, where each service tier is associated with a different price for the subscriber.
10. The method of claim 1, wherein services offered in the cloud are differentiated into pre-defined service tiers.
11. The method of claim 10, wherein each service tier includes different support features including virtual machine resources, storage features, application tiers, stateful services, bandwidth control, quality of service (QoS) agreements, and services.
12. The method of claim 10, wherein each service tier is based in a separate virtual local area network (VLAN) in the cloud.
13. Non-transitory tangible media that includes instructions for execution, which when executed by a processor of a network element, is operable to perform operations comprising: receiving, at an IKE processing node in a cloud, a request for a cloud capability set comprising cloud capabilities associated with at least one of a plurality of service tiers, each service tier in the plurality of service tiers being associated with a different cloud capability set, the cloud capability set being selectable at a self-service portal of a cloud orchestration framework, the request being associated with a VPN tunnel between a subscriber and the IKE processing node; selecting particular cryptographic modules from a plurality of cryptographic modules located in the cloud based on the request, wherein different cryptographic modules support different cloud capability sets, wherein the particular cryptographic modules support the requested cloud capability set; offloading, by the IKE processing node, the VPN tunnel to the particular cryptographic modules in the cloud; and configuring, by an orchestration engine in the cloud, network resources in the cloud to channel services according to the at least one service tier through the particular cryptographic modules.
14. The media of claim 13, further comprising: receiving, at the IKE processing node, a service catalog from the orchestration engine, the service catalog indicating available cloud capability sets associated with the subscriber according to a Service Level Agreement (SLA) with the subscriber; identifying the requested cloud capability set in the service catalog; and provisioning the requested cloud capability set across the particular cryptographic modules.
15. The media of claim 13, wherein some cloud capabilities overlap between more than one service tier.
16. The media of claim 13, wherein services offered in the cloud are differentiated into pre-defined service tiers.
17. An apparatus located in a cloud, comprising: a memory element for storing data; and a processor, wherein the processor executes instructions associated with the data, wherein the processor and the memory element cooperate, such that the apparatus is configured for: receiving a request for a cloud capability set comprising cloud capabilities associated with at least one of a plurality of service tiers, each service tier in the plurality of service tiers being associated with a different cloud capability set, the cloud capability set being selectable at a self-service portal of a cloud orchestration framework, the request being associated with a VPN tunnel between a subscriber and the IKE processing node; and selecting particular cryptographic modules from a plurality of cryptographic modules located in the cloud based on the request, wherein different cryptographic modules support different cloud capability sets, wherein the particular cryptographic modules support the requested cloud capability set; offloading the VPN tunnel to the particular cryptographic modules in the cloud, wherein an orchestration engine in the cloud configures network resources in the cloud to channel services according to the at least one service tier through the particular cryptographic modules.
18. The apparatus of claim 17, further configured for: receiving a service catalog from the orchestration engine, the service catalog indicating available cloud capability sets associated with the subscriber according to a Service Level Agreement (SLA) with the subscriber; identifying the requested cloud capability set in the service catalog; and provisioning the requested cloud capability set across the particular cryptographic modules.
19. The apparatus of claim 17, wherein some cloud capabilities overlap between more than one service tier.
20. The apparatus of claim 17, wherein services offered in the cloud are differentiated into pre-defined service tiers.
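The flow described in the abstract and in claims 1 to 3 (capability request in a private ISAKMP payload, check against the subscriber's service catalog, denial, module selection, and splitting across modules) can be sketched as follows. This is an added example, not code from the patent: the function names, capability and module names, and the comma-separated ASCII body encoding are assumptions; only the 4-byte generic payload header and the private-use type range 128-255 come from ISAKMP (RFC 2408).

```python
import struct

PRIVATE_USE_MIN = 128  # ISAKMP payload types 128-255 are reserved for private use
# Constructed sample data: capability and module names are hypothetical.
CATALOG = {"firewall", "ips", "wan-opt"}
MODULES = {"crypto-a": {"firewall", "ips"}, "crypto-b": {"wan-opt", "dlp"}}

def build_payload(caps):
    """Build a constructed test payload: generic header + assumed ASCII body."""
    body = ",".join(caps).encode("ascii")
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

def parse_capability_payload(buf, payload_type):
    """Validate the generic payload header, then decode the assumed body format."""
    if not PRIVATE_USE_MIN <= payload_type <= 255:
        raise ValueError("not a private-use payload type")
    if len(buf) < 4:
        raise ValueError("truncated generic payload header")
    _next_payload, _reserved, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):  # never trust the peer's length field
        raise ValueError("payload length field out of bounds")
    caps = {c for c in buf[4:length].decode("ascii").split(",") if c}
    if not caps:
        raise ValueError("empty capability set")
    return caps

def select_modules(requested, catalog, modules):
    """Return {module: capabilities it serves}, or None when the request is denied."""
    if not requested <= catalog:        # deny anything outside the subscriber's catalog
        return None
    for name in sorted(modules):
        if requested <= modules[name]:  # a single module covers the whole set: no split
            return {name: set(requested)}
    plan, remaining = {}, set(requested)
    while remaining:                    # greedy split of the tunnel across modules
        name = max(sorted(modules), key=lambda m: len(modules[m] & remaining))
        gained = modules[name] & remaining
        if not gained:
            return None                 # authorized, but no module supports it
        plan[name] = gained
        remaining -= gained
    return plan

if __name__ == "__main__":
    caps = parse_capability_payload(build_payload(["firewall", "wan-opt"]), 200)
    print(select_modules(caps, CATALOG, MODULES))
```

The catalog check runs before any module lookup, so a capability that a module happens to support (`dlp` here) is still refused when the subscriber's catalog does not list it.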
Electricity · mapped topic
Configuration setting · CPC title
Virtual private networks · CPC title
Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these (network architectures or network communication protocols for key exchange in a packet data network H04L63/061) · CPC title
for accessing one among a plurality of replicated servers · CPC title