CREATING A CLOUD STRONGHOLD: Strategies and Methods to Manage and Secure Your Cloud
Ted Brunell, Principal Solution Architect, DoD Programs
tbrunell@redhat.com, @DoDCloudGuy
AGENDA
- Overview of Current Security Risks
- Security in the Hybrid Cloud
- Governance in Hybrid Clouds
- Ansible
- CloudForms

"Hybrid cloud computing refers to policy-based and coordinated service provisioning, use and management across a mixture of internal and external cloud services." - Gartner IT Glossary
TOP IT SECURITY RISKS
What is the greatest security risk to your organization?
(chart; source: TechValidate survey of 385 users of IT Security)
BUSINESS CONCERNS ON SECURITY
What is the top business concern for your organization related to security?
(chart; source: TechValidate survey of 373 users of IT Security)
OTHER INTERESTING STATS
(chart slide)
THE THREAT
- DoS / Termination of Guest: activity within an individual guest or host that impairs the host's ability to run virtual machines effectively
- Memory Corruption / Leakage: the ability to corrupt or read guest memory from outside the constraints of the virtual machine
- Guest to Host Escape: executing code outside the constraints of a guest virtual machine, directly on the host hypervisor on which it's running
SECURITY IN THE HYBRID CLOUD
Look at the whole picture and integrate existing management systems
SECURITY IN THE HYBRID CLOUD
Look at the whole picture and integrate existing management systems:
- Security cannot exist solely at the platform level, but it should still exist there
- Deploy diverse tools that can interoperate
- Design for diverse and distributed environments
- Work with existing physical and virtual resources
- Implement tools based on requirements and capabilities
- Be able to handle emerging technologies, threats and vulnerabilities
TAKING ADVANTAGE OF APIs
(diagram slide)
GOVERNANCE IN HYBRID CLOUDS
Governance is a set of policies applied to cloud computing services with the goal of securing applications and data.
- Policy enforcement and remediation through the use of APIs
- Segmentation of users and resources: tenants, and groups within tenants
- Hardware classification
- Configuration tracking, auditing and drift analysis
- Enforced quotas
- Shadow IT discovery
- View relationships between resources and workloads
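Three of these bullets (drift analysis, shadow IT discovery, enforced quotas) are the same pattern: pull inventory through the provider API, compare it with what governance says should be there, and turn the difference into an alert or a remediation. The Python below is an added example, not CloudForms code. Both inventories and the quota table are constructed; the field names (flavor, sg, vcpus) are assumptions standing in for whatever the provider API actually returns.

```python
"""Governance checks over a hybrid-cloud inventory: configuration drift,
shadow-IT discovery and quota enforcement.

Added example with constructed data. BASELINE stands in for what the
CMDB / service catalog recorded at provisioning time, DISCOVERED for what a
provider inventory API (vCenter, OpenStack, AWS, ...) returned on the next
discovery run, QUOTAS for per-tenant limits. Field names are assumptions."""

# Fields treated as "configuration" for drift purposes.
TRACKED = ("flavor", "sg")

BASELINE = {
    "web-01": {"tenant": "finance", "flavor": "m1.small", "sg": ["web"]},
    "db-01": {"tenant": "finance", "flavor": "m1.large", "sg": ["db"]},
    "ci-01": {"tenant": "eng", "flavor": "m1.medium", "sg": ["ci"]},
}

DISCOVERED = {
    "web-01": {"tenant": "finance", "flavor": "m1.small", "sg": ["web", "any-any"], "vcpus": 1},
    "db-01": {"tenant": "finance", "flavor": "m1.xlarge", "sg": ["db"], "vcpus": 8},
    "ci-01": {"tenant": "eng", "flavor": "m1.medium", "sg": ["ci"], "vcpus": 2},
    "test-99": {"tenant": "eng", "flavor": "m1.large", "sg": ["default"], "vcpus": 4},
}

QUOTAS = {"finance": {"vcpus": 8}, "eng": {"vcpus": 4}}


def _norm(value):
    """Compare list-valued fields (security groups) order-insensitively."""
    return tuple(sorted(value)) if isinstance(value, list) else value


def find_drift(baseline, discovered):
    """Return {instance: [(field, expected, actual), ...]} for instances whose
    tracked fields differ from the recorded baseline."""
    drift = {}
    for name, expected in baseline.items():
        actual = discovered.get(name)
        if actual is None:
            continue  # instances that vanished are a lifecycle finding, not drift
        diffs = [(f, expected[f], actual[f])
                 for f in TRACKED if _norm(expected[f]) != _norm(actual[f])]
        if diffs:
            drift[name] = diffs
    return drift


def find_shadow_it(baseline, discovered):
    """Instances running on the provider that no catalog record explains."""
    return sorted(set(discovered) - set(baseline))


def check_quotas(discovered, quotas, resource="vcpus"):
    """Return {tenant: (used, limit)} for tenants over their limit."""
    used = {}
    for inst in discovered.values():
        used[inst["tenant"]] = used.get(inst["tenant"], 0) + inst[resource]
    return {t: (used.get(t, 0), q[resource])
            for t, q in quotas.items() if used.get(t, 0) > q[resource]}


def govern(baseline, discovered, quotas):
    """Turn findings into (action, target, reason) tuples. The policy is
    illustrative: a widened network exposure is remediated automatically,
    everything else raises an alert for a human."""
    actions = []
    for name, diffs in find_drift(baseline, discovered).items():
        for field, expected, actual in diffs:
            if field == "sg":
                extra = sorted(set(actual) - set(expected))
                actions.append(("remediate", name, f"detach security groups {extra}"))
            else:
                actions.append(("alert", name, f"{field} drifted {expected!r} -> {actual!r}"))
    for name in find_shadow_it(baseline, discovered):
        actions.append(("alert", name, "not in catalog: tag for review"))
    for tenant, (used, limit) in check_quotas(discovered, quotas).items():
        actions.append(("alert", tenant, f"vcpus {used} exceeds quota {limit}"))
    return actions


if __name__ == "__main__":
    for action in govern(BASELINE, DISCOVERED, QUOTAS):
        print(*action)
```

The split between "remediate" and "alert" is the part worth thinking about in a real deployment: automatic remediation is safe only for changes that are idempotent and reversible (detaching a security group that the catalog never granted), while a flavor change or an unknown instance may be a legitimate emergency change and should go to a person first.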
ANSIBLE
WHAT IS ANSIBLE
It's a simple automation language that can describe an IT application infrastructure in Ansible Playbooks.
It's an automation engine that runs Ansible Playbooks.
Ansible Tower is an enterprise framework for controlling, securing and managing your Ansible automation, with a UI and a RESTful API.
WHAT IS ANSIBLE
SIMPLE
- Human readable automation
- No special coding skills needed
- Tasks executed in order
- Get productive quickly
POWERFUL
- App deployment
- Configuration management
- Workflow orchestration
- Orchestrate the app lifecycle
AGENTLESS
- Agentless architecture
- Uses OpenSSH & WinRM
- No agents to exploit or update
- More efficient & more secure
PLAYBOOK EXAMPLE

```yaml
---
- name: install and start apache
  hosts: all
  vars:
    http_port: 80
    max_clients: 200
  remote_user: root      # the slide's original; in practice log in unprivileged and use become: yes
  tasks:
    - name: install httpd
      yum:
        name: httpd      # "pkg=" on the slide is an old alias for name
        state: latest

    - name: write the apache config file
      template:
        src: /srv/httpd.j2
        dest: /etc/httpd.conf

    - name: start httpd
      service:
        name: httpd
        state: started   # "running" on the slide is a deprecated alias for started
```
CONFIG MANAGEMENT
Centralizing configuration file management and deployment is a common use case for Ansible, and it's how many power users are first introduced to the Ansible automation platform.
APP DEPLOYMENT
When you define your application with Ansible and manage the deployment with Tower, teams are able to manage the entire application lifecycle from development to production.
PROVISIONING
Your apps have to live somewhere. Whether you're PXE booting and kickstarting bare-metal servers or VMs, or creating virtual or cloud instances from templates, Ansible and Ansible Tower help streamline the process.
CONTINUOUS DELIVERY
Creating a CI/CD pipeline requires buy-in from numerous teams. You can't do it without a simple automation platform that everyone in your organization can use. Ansible Playbooks keep your applications properly deployed (and managed) throughout their entire lifecycle.
SECURITY & COMPLIANCE
When you define your security policy in Ansible, scanning and remediation of site-wide security policy can be integrated into other automated processes; instead of being an afterthought, it'll be integral to everything that is deployed.
ORCHESTRATION
Configurations alone don't define your environment. You need to define how multiple configurations interact and ensure the disparate pieces can be managed as a whole. Out of complexity and chaos, Ansible brings order.
ENTERPRISE IMPACT
TEAM IMPACT
+ Save time and be more productive
+ Overcome complexity
+ Eliminate repetitive tasks
+ More resources for innovation
ENTERPRISE IMPACT
+ Fewer mistakes & errors
+ Increase accountability and compliance
+ Improve collaboration and job satisfaction
+ A culture of success
CLOUDFORMS
CLOUDFORMS DELIVERS SERVICES ACROSS HYBRID ENVIRONMENTS
- SERVICE AUTOMATION: Streamline complex service delivery processes, saving time and money.
- POLICY & COMPLIANCE: Draws on continuous monitoring and deep insights to raise alerts or remediate issues.
- OPERATIONAL VISIBILITY: Complete lifecycle and operational management that allows IT to remain in control.
- UNIFIED HYBRID MANAGEMENT: Deploy across virtualization, private cloud, public cloud and container-based environments.
AN EVOLUTIONARY PATH TO HYBRID CLOUD
Capabilities: Service Automation, Policy & Compliance, Operational Visibility, Unified Hybrid Management
Platforms managed:
- Containers: Red Hat Atomic, OpenShift by Red Hat
- Virtualization: VMware, Microsoft Hyper-V, Red Hat Virtualization
- Private cloud: Red Hat OpenStack Platform
- Public cloud: Amazon Web Services, Windows Azure, Google Cloud Platform
- Software defined networking
CLOUDFORMS FEATURES
- Agentless, virtual appliance
- Web-based, self-service, admin and operations
- Multi-tenant and multi-location
- Non-invasive, easy maintenance
- Access from any browser
- Securely share infrastructure
- Pluggable API framework
- Horizontally scalable, load-balanced
- Role-based access control and entity tagging
- Easy to integrate and extensible to other platforms
- Highly scalable, highly available with failover and fallback
- Segment user access and drive compliance, control and reporting
ADVANCED VIRTUALIZATION MANAGEMENT
(section divider; same capability and platform map as above)
SELF-SERVICE DELIVERY
- Create service delivery catalogs so users can choose the services they need to deploy.
- Shopping cart functionality allows multiple services to be requested at one time.
- Service requests can be routed for approval.
AUTOMATED PROVISIONING
- Automatically deploys and configures requested services on any infrastructure platform.
- Automation steps can be codified in Ansible playbooks or natively in CloudForms.
- Integration with external IT systems allows CloudForms to automate all process steps.
TRANSFORMATION TO PRIVATE CLOUD
(section divider; same capability and platform map as above)
LIFECYCLE MANAGEMENT
- Ongoing tracking of virtual instances ensures continual visibility.
- Complete operational control over virtual instances, including power operations and virtual console access.
- Automated lifecycle policies for scheduled retirement and archiving.
ROOT CAUSE ANALYSIS
- View instance performance and resource usage over time to pinpoint when a problem started.
- Quickly compare system state against a known good state or other systems.
- Navigate across relationships and drill down through infrastructure layers to identify underlying causes.
PERFORMANCE AND CAPACITY MANAGEMENT
- Continuous data gathering for both greenfield and brownfield deployments.
- Resource utilization tracking and right-size recommendations.
- Projection and what-if tools aid in future planning.
PERFORMANCE AND CAPACITY MANAGEMENT
(section divider; same capability and platform map as above)
POLICY ENFORCEMENT
- Continuous discovery and deep SmartState inspection of virtual instances.
- Policy violations can raise alerts or be remediated automatically.
- Policy can be applied uniformly or based on virtual instance criteria.
QUOTAS AND CHARGEBACK
- Rate schedules per platform and per tenant, with multi-tiered and multi-currency support.
- Quotas are set by user, role and tenant and apply to compute, memory and storage resources.
- Monitor resource usage and report by workload or tenant.
CONTAINER AND CLOUD NATIVE WORKLOADS
(section divider; same capability and platform map as above)
VIRTUALIZATION MANAGEMENT
- Provision from a clone of an existing VM instance or template.
- View VM genealogy and track VM drift from established configurations.
- Execute VM power operations and retire VM instances.
CLOUD MANAGEMENT
- View virtual instance inventory and manage across regions and availability zones.
- Provision virtual instances, storage and networking.
- Monitor and respond to events.
CONTAINER MANAGEMENT
- View connections from the container all the way down through the underlying infrastructure in one interface.
- Apply automation rules and enforce policies for deployed containers.
- Scan containers for known vulnerabilities with OpenSCAP.
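The policy-enforcement slide above and the OpenSCAP bullet here describe one loop: scan, decide, then alert or remediate. The Python below is an added example (not CloudForms or OpenSCAP code) that consumes an XCCDF result of the kind `oscap xccdf eval --results` writes and turns failed rules into actions. The TestResult document is constructed and heavily abridged; the rule identifiers follow the SCAP Security Guide naming pattern but are illustrative; REMEDIABLE is a hypothetical allow-list of rules whose fixes are trusted to run unattended.

```python
"""Turn an OpenSCAP (XCCDF 1.2) scan result into policy actions.

Added example with a constructed, abridged TestResult. Rule ids follow the
SCAP Security Guide pattern but are illustrative only; REMEDIABLE is a
hypothetical allow-list of rules safe to fix without a human in the loop."""

import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

XCCDF_RESULT = """
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_org.open-scap_testresult_example"
            start-time="2017-06-01T10:00:00" end-time="2017-06-01T10:01:00">
  <target>web-01.example.internal</target>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet-server_removed" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" severity="low">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_encrypt_partitions" severity="high">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" severity="high">
    <result>notselected</result>
  </rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.000000">25.000000</score>
</TestResult>
"""

# Rules whose fix is idempotent and low-risk enough to apply unattended.
REMEDIABLE = {
    "xccdf_org.ssgproject.content_rule_package_telnet-server_removed",
    "xccdf_org.ssgproject.content_rule_sshd_disable_root_login",
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def parse_results(xml_text):
    """Return one dict per rule-result. Real results usually wrap TestResult
    inside a Benchmark or ARF document, so locate it rather than assume root."""
    root = ET.fromstring(xml_text)
    tr = root if root.tag.endswith("TestResult") else root.find(".//x:TestResult", NS)
    target = tr.findtext("x:target", namespaces=NS)
    return [{
        "target": target,
        "rule": rr.get("idref"),
        "severity": rr.get("severity", "unknown"),
        "result": rr.findtext("x:result", namespaces=NS),
    } for rr in tr.findall("x:rule-result", NS)]


def short_name(rule_id):
    """xccdf_org.ssgproject.content_rule_foo -> foo"""
    return rule_id.rsplit("_rule_", 1)[-1]


def compliance_ratio(rules):
    """Fraction of evaluated rules that did not fail. notapplicable /
    notselected rules are excluded; 'fixed' means OpenSCAP already remediated."""
    evaluated = [r for r in rules if r["result"] in ("pass", "fail", "fixed")]
    if not evaluated:
        return 1.0
    return sum(r["result"] != "fail" for r in evaluated) / len(evaluated)


def policy_actions(rules, min_alert_severity="medium"):
    """Failed rules on the allow-list are remediated; other failures at or
    above the alert threshold raise an alert; everything else is ignored."""
    actions = []
    for r in rules:
        if r["result"] != "fail":
            continue
        if r["rule"] in REMEDIABLE:
            actions.append(("remediate", r["target"], short_name(r["rule"])))
        elif SEVERITY_RANK.get(r["severity"], 0) >= SEVERITY_RANK[min_alert_severity]:
            actions.append(("alert", r["target"], f"{short_name(r['rule'])} ({r['severity']})"))
    return actions


if __name__ == "__main__":
    rules = parse_results(XCCDF_RESULT)
    print(f"compliance: {compliance_ratio(rules):.0%}")
    for action in policy_actions(rules):
        print(*action)
```

Two details matter when this runs against real scans: notapplicable and notselected results must be dropped before computing any compliance figure or the score is meaningless, and the remediation allow-list should be deliberately short. Removing a package or flipping a sshd option is reversible; switching SELinux to enforcing on a box that was never labelled for it is not, which is why selinux_state only raises an alert here.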
OPS HAS CHANGED. The next I.T. is never static. Collaboration is now a requirement. Security is non-negotiable. The platform is hybrid. Digital innovation is the goal. HOW YOU MANAGE OPS HAS TO CHANGE, TOO.
THANK YOU plus.google.com/+redhat facebook.com/redhatinc linkedin.com/company/red-hat twitter.com/redhatnews youtube.com/user/redhatvideos