Mapping and Auditing Your DevOps Systems

Transcription

1 Mapping and Auditing Your DevOps Systems David Cuthbertson, CEO Square Mile Systems Ltd

2 Personal Background Personal Experience Industry Groups and Frameworks Network Troubleshooting Cabling and Network Installations Managed Services Voice/Data Infrastructure Management Practices Skills Awareness Mapping Methods Naming Labelling Change Process Baselining Toolsets Visualization Group Manager Data Center Engineering Data Center Operations Management

3 About Square Mile Systems We develop technology to make infrastructure management easier AssetGen infrastructure database Visio utilities (free) for data centre / application / services documentation Provide methods and processes for site audits, documentation assessment, remediation (compliance) and managing complex infrastructure changes Help organizations implement best practices around change management and control in physical and logical infrastructures Supporting ITIL, ISO, ISA, TIA, BICSI, NIST, COBIT and others Typical drivers - data centre migration, identifying vulnerabilities, CMDB analysis, transformation projects and automated Visio diagramming.

4 Different Teams, Different Focus Customers Users Business Processes Departmental, Company System Architecture Applications Development Service Management Services End user, infrastructure, supplier Applications PC, server, mainframe, SOA Networks LAN/SAN Mid-range Servers Virtual Infrastructure PCs, Network, Servers, Storage, DBMS Hardware Infrastructure PCs, Network, Servers, UPS, Storage, etc Desktops IMAC Data Centre Fixed Infrastructure (Cabling, Power, Cabinets, Buildings)

5 Example - The NIST Cybersecurity Framework Function Unique Identifier ID Function Identify Category Unique Identifier ID.AM ID.BE ID.GV ID.RA ID.RM Category Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Sub- Cat Unique Identifier ID.AM-1 ID.AM-2 Physical Inventory Software Inventory Sub-Category PR Protect PR.AC PR.AT PR.DS PR.IP PR.MA Access Control Awareness and Training Data Security Information Protection Processes and Procedures Maintenance ID.AM-3 ID.AM-4 ID.AM-5 Communication and Data Flows External Information Systems Priority Resource and Classification DE Detect PR.PT DE.AE DE.CM DE.DP RS.RP Protective Technology Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning ID.AM-6 Roles and Responsibilities 1. Baseline your infrastructure RS Respond RS.CO RS.AN RS.MI Communications Analysis Mitigation 2. Manage the risks RS.IM Improvements RC Recover RC.RP RC.IM RC.CO Recovery Planning Improvements Communications 3. Maintain the knowledge

6 Asset Management Sub-Category Sub- Cat Unique Sub-Category Identifier ISA :2009 Security For Industrial Automation and Control Establishing a security system ID.AM-1 ID.AM-2 Physical Inventory Software Inventory ISA :2013 Security For Industrial Automation and Control System Security Requirements and Security Levels ID.AM-3 Communication and Data Flows ISO/IEC 27001:2013 Information Security Management System ID.AM-4 External Information Systems CCS Council on Cyber Security- Security Controls ID.AM-5 Priority Resource and Classification COBIT 5 Information Assurance ID.AM-6 Roles and Responsibilities NIST SP Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations

7 Standards Sections ID.AM-1Physical Inventory Standard COBIT 5 Informative Reference BAI09.01, BAI09.02 Detail All IT assets inventoried, managed and maintained CCS CSC 1 Only authorized hardware is permitted on the network ISO/IEC 27001:2013 ISO/IEC 27001:2013 NIST SP Rev. 4 A A CM-8 Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained Assets maintained in the inventory shall be owned Updated and accurate IS component inventory and configurations contained in centralized database with detection of unauthorized components.

8 Mapping Systems Reason 1 Help communicate entities, dependencies and differences Container Container App 1 App 2 App 3 App 4 bins / libs bins / libs bins / libs bins / libs App 1 App 2 App 3 App 4 Guest OS Guest OS Guest OS Guest OS bins / libs bins / libs bins / libs bins / libs Hypervisor Host OS Server Host OS Server

9 Mapping Systems Reason 2 If you don t understand your environment and applications you must expect pain cost, delay, risk, delivery failure. Mapping systems is often part of mature management processes where better systems reduce delays and risks.

10 Change Is Constant Projects Operations Management Security Regulators Do it faster Zoning / Partitioning Consolidate / Optimize Reduce costs Use of Partners Change Records Capacity Reporting No Downtime! Data Loss Prevention Application and Infrastructure Management Practice and processes have to evolve constantly!

11 Mapping Systems Many Methods 1. Physical location, position and space 2. Physical connections and paths LAN, WAN, SAN, power 3. Logical connections and paths LAN, WAN, SAN, power, radio, data flows, firewall rules/endpoints 4. Dependency impacts change and risk communication 5. Environment management Prod, dev, test, pre-prod, DR 6. Application development, requirements and versioning 7. Customer data mapping PCI, GDPR, breach management 8. Batch process mapping

12 Mapping Systems Entities (with attributes) Relationships (with attributes) Container Can be achieved using spreadsheets, databases, diagrams and specialist systems - ALM

13 Mapping Systems Container (with attributes) Entities (with attributes) Relationships (with attributes) The mapping method will depend on the requirement

14 Even With A Few Servers Complex

15 ITIL Version 3 Configuration Mgmt System Presentation Layer Portal Change& Release View Asset Mgmt View Config Life-cycle View Technical Config View Quality Mgmt View Service Desk View Business Impact View Compliance View (Cobit) Search, Browse, Store, Retrieve,, Publish, Subscribe, Collaborate Knowledge Processing Layer Information Integration Layer Data & Information Sources & Tools Query & Analysis Reporting Performance Mgmt Modelling Monitoring Project Doc Filestore Project Software Customer/User Service Application Infrastructure mapping Service Portfolio Service Package Integrated Asset & Config Definitive Media Library Federated CMDBs Discovery Asset Mgmt & Audit Tools Software Config Mgmt Service Change Service Release Common Process Scheme Meta Data Reconciliation Synchronisation Extract, Load Mining Data Integration Platform Config Mgmt Enterprise Apps

16 Some Methods Of Mapping Systems Physical Peer to Peer Hierarchical ISA PAYMENT REQUEST HANDLING SW-BHAM-13 SW-BHAM-14 SW-BHAM-19 WORKFLOW CLIENT ISA PAYMENT TRANSACT BACS-IP FW-BHAM01 FW-BHAM02 FW-BHAM04VPN WORKFLOW PAYLOG AUDITTRACK BACPAY SW-BHAM-11 SW-BHAM-12 RTR-BHAM-07 RTR-BHAM-08 ORACLE FWS_03 SQ L FWS_04 RTR-BHAM-03 RTR-BHAM-04 CITRIX SERVER UK_VWBIRM001 UK_VWBIRM002 UK_VWBIRM004 BT-NTU2 BT-NTU3 VT-NTU1 VT-NTU2 SVR-BHAM UK_BIRM_BLADE_01 UK_BIRM_BLADE-02

17 More Methods Of Mapping Systems Architecture Blocks Entity Relationships Excel / Visio

18 Mapping Servers / Application Customer Billing Funds Transfer ERP Logistics Internet Portal VM Ware Power Building Cabling

19 The Logical Dependency View The router has one link to the switch Easy to Understand! 19

20 A B A B A B A B The Physical Connection View Data Hall 1 Comms A Data Hall 2 Equipment Racks MDF Inter Room ODF Wing Loft Inter Room ODF MDF Equipment Racks 7750(SR12) MDA2 MDA MDA10SFP MDA10SFP 1 9 test 1 9 MDA10SFP MDA10GLW/LR Empty CFM1 CFM2 Empty MDA10GLW/LR Empty F02 PPF-336/F02-U47 E22 PPF-336-E22- U40 to I02 I02 PPF-336/I02-U47 to F02 PPF-336-I02-U38 to E20 PPF-336-I02-U40 to E22 PPF-326-I02-U39 to E23 I15 PPF-336/I15-U47 to ODF12 ODF12 ODF01 E15 E10 PPF-300/ODF12- U42 to 336/I15 PPF-300/ODF01- U47 PPF-326-E15- U47 to 300 ODF01 PPF-326-E10- U46 to K23 PPF-326-E10- U45 to H06 PPF-326-E10- U44 to Q02 PPF-326-E10- U43 to Q03 PPF-326-E10- U42 to K24 H06 K23 K24 PPF-326-H06- U45 to E10 PPF-326-K23- U46 to E10 PPF-326-K24- U42 to E (SR12) MDA2 MDA MDA10SFP MDA10SFP 1 9 test 1 9 MDA10SFP MDA10GLW/LR Empty CFM1 CFM2 Empty MDA10GLW/LR Empty E23 PPF-326-E10- U41 to N04 PPF-336-E23- U39 to I02 N04 PPF-326-N04- U41 to E10 E26 Q02 PPF-326-E20- U38 to E10 PPF-326-Q02- U44 to E10 Q03 PPF-326-Q03- U43 to E10 20

21 Mapping An Enterprise Application Logistics CRM Finance of tables used 2.2M relationships within the SAP system UK_APPS01 UK_APPS03 TXOMGGC UK_IIS05 UK_IIS08

22 Shared Infrastructure and Applications Logistics CRM Finance Partner Controls Dispatch Control Web Ordering Funds Transfer Credit Scoring HR Systems UK_APPS01 UK_APPS03 TXOMGGC UK_IIS05 UK_IIS08

23 SAP Servers With 100 Servers plus

24 Service Focused View - 1 Service Top Down Service focused What supports this service? Host Hardware/Virtual (133)

25 Component Focused View Services (33) What is the potential Impact on services? Host Component focused Bottom Up

26 Steps To Successful Mapping? 1. Define the data requirements and outputs 2. Capture data 3. Analyse / visualise / report as required one set of data produce multiple perspectives 4. Maintain It doesn t work like this in practice!

27 Our Approach 1. Assume all data is inconsistent in naming and accuracy 2. Assume there are no mapping / visual standards 3. Build 2-3 prototypes - most complex applications/services 4. Then do bulk capture and improve dependencies - two spreadsheets

28 Thank You Improving Infrastructure change and risk planning Half day workshops 1 st /2 nd March (With Networks Centre) Poulton, Glos and Horsham, West Sussex Websites: videos, downloads