DevOps, Architecture, and Security in a Cloud

Similar documents
Agile & DevOps Security & Audit

MQ on Cloud (AWS) Suganya Rane Digital Automation, Integration & Cloud Solutions. MQ Technical Conference v

Building a Secure, Approved AMI Factory Process Using Amazon EC2 Systems Manager (SSM), AWS Marketplace, and AWS Service Catalog

Bitnami Stacksmith. What is Stacksmith?

Cloud Security at Scale via DevSecOps

Visit California Digital Solutions, Drupal Development Website Experience. ITRS Case Study.

CI in the cloud. Case Talend & Nordcloud Ilja Summala, Group CTO, Nordcloud Anubhav Sharma, Senior Software Architect, Talend Deutschland

Customer Challenges SOLUTION BENEFITS

Tackling Tax-time Woes with a Robust and Secure Compliance Solution

Berlin.

Application & Data Modernization enabling your Digital Transformation. Dennis Lauwers European Technical Leader Hybrid Cloud

The AWS Mission. Enable businesses and developers to use web services to build scalable, sophisticated applications.

Scalr empowers enterprises to safely and rapidly deploy to the cloud by addressing the four major problem areas:

Infrastructure Management

Leveraging the benefits of the cloud with transparency and control

SKF Digitalization. Building a Digital Platform for an Enterprise Company. Jens Greiner Global Manager IoT Development

The Oracle DevOps Portfolio

IBM Case Manager on Cloud

AWS MSP Partner Program Validation Checklist v3.2 Mapping

Financial Services Industry in AWS

Comprehensive Cost and Security Management for C2S Environments

DevOps architecture overview

Hybrid Container Orchestration for a UK based Insurance Solutions Software Provider Company ATTENTION. ALWAYS.

AMSTERDAM. 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

Continuous Integration and Delivery. Services Catalog

Leveraging the benefits of the cloud with transparency and control

Meeting the New Standard for AWS Managed Services

Definition. Are we doing them the right way? right things? Cloud Governance Framework 26-nov-17 2

AWS Case Study Building a Bridge for India s Skills Gap, Right Across the Cloud. Abstract

Hybrid Cloud Adoption: Transforming to Hybrid Cloud with DevOps, Microservices, Containers and APIs

IT Strategic Plan Portland Community College 2017 Office of the CIO

2013 AWS Worldwide Public Sector Summit Washington, D.C.

Container Native Application Development

webmethods Migration Case Study

JOURNEY TO AS A SERVICE

MS Integrating On-Premises Core Infrastructure with Microsoft Azure

Wandel der IT im Kontext Digitalisierung

Microsoft FastTrack For Azure Service Level Description

EBOOK: Cloudwick Powering the Digital Enterprise

Enabling Self-Service for Data Scientists with AWS Service Catalog

BARCELONA. 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved

Implementing Microsoft Azure Infrastructure Solutions

Mit Werkzeugen den DevOps Konflikt auflösen

Oracle Cloud for the Enterprise John Mishriky Director, NAS Strategy & Business Development

IMPLEMENTING MICROSOFT AZURE INFRASTRUCTURE SOLUTIONS

IT Strategic Plan Portland Community College 2017 Office of the CIO

Software Product Development Company Reduces Go-To-Market time by 52% through Nitor s DevOps Implementation

CloudShell Pro. Self-Service Sandbox Environments for Physical, Virtual, and Hybrid-Cloud D ATA SHEET. The Need for Cloud Sandboxing

Implementing Microsoft Azure Infrastructure Solutions 20533B; 5 Days, Instructor-led

HEALTHCARE CASE STUDY

Nuances of managed services in a cloud economy

DevOps Solution for today and tomorrow!

A CONTAINER-PLATFORM APPROACH TO DIGITAL TRANSFORMATION AND DEVOPS. Diógenes Rettor Principal Product Manager, OpenShift

Oracle Cloud Blueprint and Roadmap Service. 1 Copyright 2012, Oracle and/or its affiliates. All rights reserved.

Enterprise DevOps with Plutora

AppAgile Cloud DevOps Journey with Docker and PaaS

Migration To the Cloud Using AWS

Module: Building the Cloud Infrastructure

How to build and deliver an Intelligent Orchestration Platform

AWS Life Sciences Competency Consulting Partner Validation Checklist

Software Development

3.30pm. A sneak peek at Veeam 2018 releases Veeam for VMware Cloud on AWS technical deep dive Veeam Availability Console Update pm. 2.

"Web Age Speaks!" Webinar Series. Introduction to DevOps

Making the most of your SRE Toolbox

Integrating Configuration Management Into Your Release Automation Strategy

A guide to ZNetLive Support Services for

Architecting Microsoft Azure Solutions

Jenkins. The coded business. open source

Container Crash Course. Bob Familiar Director, National Practice BlueMetal, An Insight Company

Enterprise cloud control plane planning

What s new on Azure? Jan Willem Groenenberg

UForge AppCenter 3.8. Introduction March Copyright 2018 FUJITSU LIMITED

Development Operations in the Cloud: A Use Case and Best Practices

Demand & Requirements Management Software Development QA & Test Management IT Operations & DevOps Change Management Agile, SAFe, Waterfall Support

Realizing the Value of Cloud

Koen van den Biggelaar Senior Manager, Solutions Architecture Amazon Web Services

Service Description Cloud Expert Services

Exam C Foundations of IBM DevOps V1

ANS Frameworks Overview. Further detailed information on Frameworks can be found in the internal FAQ available on SharePoint and in Teams

Course 20535A: Architecting Microsoft Azure Solutions

SOFTWAREONE PYRACLOUD PLATFORM

SaaS Under the hood. Craig Taylor (Director - Cloud Transition & Enablement) Daniel Sultana (Director - Cloud Services & Experience) 10 May 2018

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved.

The innovation engine for the digitized world The New Style of IT

Applicazioni Cloud native

NTT DATA Service Description

IBM Cloud Operating Environment

Architecting Microsoft Azure Solutions

Building a Data Lake on AWS EBOOK: BUILDING A DATA LAKE ON AWS 1

Managed Cloud / Microsoft Azure

Mastering the Microservices, Fast Data & Hybrid Cloud Trifecta

CUSTOMER PROFILE. Care Analytics - TEAM International Copyright 2017 All rights reserved.

Oh No, DevOps is Tough to Implement!

Quality Application Development with ALM Octane November 21, 2017

The Hybrid Enterprise: Working Across On-premises, IaaS, PaaS and SaaS

Intelligence, Automation, and Control for Enterprise DevOps

Puppet Enterprise. The shortest path to better software. Greg Larkin Professional Services

An End-to-End Platform for Global DevOps

HP Operations Orchestration 10.00

On the Radar: nclouds' nops solves cloud change management challenges

Transcription:

DevOps, Architecture, and Security in a Cloud Greg Shevchenko Paul Dudeck, UPMC Enterprises DevOps, Architecture, and and Security Security in a Cloud in a Cloud 2017 UPMC UPMC Enterprises Enterprises 1

UPMC at a Glance $14 billion integrated global health enterprise More than 25 academic, community, and regional hospitals UPMC Health Plan: 3.1 million members; network of 125+ hospitals, 11,500+ physicians Affiliated with the University of Pittsburgh 317,100 inpatient admissions, 200,000 surgeries performed annually 3.9 million outpatient visits, 870,000 emergency visits 650 transplants annually Pennsylvania s largest employer: 65,000 employees 2

UPMC (Clinical) Data Sources Inventory UPMC at a Glance 3

Introduction to UPMC Enterprises UPMC Enterprises roles in UPMC: Health care innovation and development center Partnerships with existing and emerging companies Delivering new models of care to UPMC UPMCE s four focus areas: Translational science Improving outcomes Infrastructure and efficiencies Consumer 4

UPMC Enterprises: Portfolio & Strategic Partners Member management software and services for health plans Oncology diagnostics and precision medicine Reducing avoidable hospitalizations from nursing homes Value-based care and IDFS development Automated clinical interpretation of genomes Clinical decision support and data acquisition Comprehensive HIM and revenue cycle services Health care supply chain Supply chain efficiency Medication adherence on behalf of health plans Cost management 3D computational pathology Risk adjustment transformation Neurocognitive/concussion assessment Clinical pathways decision support for cancer Centralized control over decentralized payments Online mental health wellness tool Remote patient monitoring 5

SATURN 2017 Project Voltron at UPMC Enterprises 6

Initial State in Jan 2016 Baseline: Extensive experience in SCRUM process Architecture standards consistently maintained by the Architecture team Infrastructure dependencies on UPMC ISD Successful completion of POC projects in AWS and Azure Pilot projects built in AWS Growing expertise in Docker Some knowledge of Kubernetes Use of Jenkins, Artifactory, GitHub, SVN Variety of collaboration tools including MS SharePoint, 2 Wikis Issue tracking in JIRA and MS SharePoint Operations performed by development teams Client Services team focused on pilot software implementations inside UPMC and externally Client Services team has no representation in sprint planning and stand-up meetings 7

DevOps Initiative Planning Phase Main emphasis on the transition of operations to Client Services team to increase the velocity of the development teams and start migration towards DevOps model Formulated collaboration between operations, architecture, and software engineering Initial plan included 5 areas: Application Infrastructure Management Infrastructure Monitoring Application Lifecycle Management Cloud Infrastructure Optimization Information Management, Security, and Governance 4 levels of task priorities Proposed services, required tools and solutions, mapped technical and soft skills Gap analysis Planning phase took 4 iterations and approximately 4 weeks 8

DevOps Initiative Planning Phase Top priorities in Application Infrastructure Management: Infrastructure planning Configuration management tools Template development, testing, deployment Provisioning and decommissioning processes Managing infrastructure in environments including storage, databases, middleware components, networks and VPN gateways User accounts, roles, privileges, and key management Collecting operational data and its visualization Dashboards and reports describing daily operations, workloads, and environment status Environment migration, promotion processes and procedures 9

DevOps Initiative Planning Phase Top priorities in Infrastructure Monitoring: Service monitoring and SLA enforcement Event management and intrusion detection Maintenance of a knowledge base Incident management and change management Security management in application environments 10

DevOps Initiative Planning Phase Top priorities in Application Lifecycle Management: Assistance in change management and code deployment Help in definition of application security and compliance Top priority in Information Management and Governance: Perform data transition to the cloud, propagation to higher environments, secure data distribution to end-users Maintain data access roles and policies Manage HIPAA log files Report discrepancies between security standards and their implementation and uphold BAA requirements No cloud infrastructure optimization goals 11

Proposed Roles and Responsibilities Project: DevOPS and Infrastructure Automation PROCEDURE Automated Infrastructure Provisioning DEPARTMENT Client Services UPDATED 5/9/2016 Entity 1 2 DESCRIPTION Infrastructure/Compute environment in AWS (EC2, Docker containers) Infrastructure/Storage (S3, Glacier) and Content Delivery (data import/export, data migration) Cloud Infrastructure Engineer Architect Dev Engineer QA Engineer TPM CS Mgmt A/R C/I/R I I A C/I R I I 3 Infrastructure/Database (RDS) A C/I R I I 4 5 6 7 8 Infrastructure/Networking (private and public networks, VPN, DNS, ELB) DP & OPS/Dev Tools( Artifactory, Git, EMMI?, testing and automated testing frameworks, deployment tools) DP & OPS/Management Tools( configuration and deployment management, CloudWatch, CloudTrail, automation tools) DP & OPS/Security and Identitiy( directory services, KMS, identity management) DP & OPS/Application Svcs (SNS, Queue services, search service) A/R C/I I I I C/I A/R C C/I I A/R C/I I C/I A/R C/I R C/I I I I C/I A/R C C/I I 9 Platform Services (ALL) I C/I A/R C C/I I 10 DevOps tool support I C/I C/I C I A/R 12

SATURN 2017 Development and DevOps collaboration 13

Development Process 1. Project initiation and resource planning 2. Planning user stories in sprint 0 3. Development, unit tests, container build in subsequent sprints; code versioning and sharing via locally installed GitHub and Artifactory 4. Container deployment in Dev/Test 5. Automated functional and integration testing using Cucumber, Protractor + Jasmine framework, Supertest API testing 6. Container deployment in QA (optional), manual user acceptance testing 7. Automated minimal viable product deployment in Stage; automated volume testing using scripts, JMeter, Locus 8. Release deployment in Production 14

Automated Deployments Configuration management based on CloudFormation and bootstrap scripts for propagation of infrastructure components Custom build scripts for building Kubernetes clusters Jenkins jobs for building Docker container images for continuous integration ECR as a container repository Docker container deployments at scale on Kubernetes clusters Minor footprint of Elastic Container Service Key quality attributes for selection of container management tool: Non-functional requirements: elasticity, load balancer triggers, triggers based on utilization of VM resources, local high availability, support for multi zone deployment, disaster recovery, cloud portability, software maintenance, support services, deployment process, cluster performance Functional requirements: port management, health checks, storage management, integration with AWS AIM roles and policies, service recovery, load balancing, management UI 15

Client Services Contribution Infrastructure as Code 1. Participating in the infrastructure resource planning 2. Building infrastructure offerings and their maintenance in Service Catalog 3. Automated deployment 4. Support services to UPMCE development teams as well as portfolio companies Managing accounts, roles, and policies Event management Monitoring resource utilization with CloudWatch metrics during volume testing 24x7 monitoring of application and infrastructure Incident response and change management Managing non-production costs by parking unused compute instances 16

Event and Incident Monitoring Monitoring all AWS administrative events i.e. building EC2 instances, managed services, network and security groups changes via CloudTrail Application and managed services log files stored in S3 buckets with restricted access for further processing Filtering major application events in CloudWatch sending error notifications via SMS to 1 st level support Reporting on resource utilization with CloudWatch dashboards and charts as well as ELK stack Regular updates of knowledge base maintained as private pages in Confluence Work in progress: outsourcing the analysis of security related events 17

Security Considerations AIM user accounts, roles, access policies on all resources Weekly account reports and reviews Network security and access controls in compliance with AWS best practices based on NIST SP 800-53 and SP 800-171 standards Bastion servers for accessing resources on private subnets with SSH tunneling User access keys and 2048 bit RSA keys to log in to EC2 instances Centralized key management in KMS Encrypted EBS volume, S3 buckets with server side encryption Limited access to queue, CloudWatch, CloudTrail, and database services AWS Shield services deployed on public endpoints TLS encryption enabled on data in transit Endpoint protection on EC2 instances HIPAA log files being processed daily 18

Example of supported environment 19

Challenges Vulnerability analysis and penetration test on Docker containers deployed on Kubernetes clusters and CoreOS Single sign on in heterogeneous cloud-based environment integrating multiple open source and vendor products Some cloud services are not HIPAA compliant that pushed our development toward PaaS based solutions and increased the scripting work Organization culture and concerns about data privacy demanded additional efforts to secure data, applications, and services Event correlation, alerting, and incident response 20

Benefits of new DevOps practices Configuration management practices reduced operator s errors, operational and infrastructure costs up to 60% Configuration management practices make it easy to replicate the production environment in Stage Automated deployments reduced infrastructure provisioning and application deployment time Rationalized collaboration and change management tools reduced the support costs by 5% Improved continuity planning, capacity planning, and services availability in the cloud Delineation of application development and operations increased the developers productivity 21

SATURN 2017 Current State and Roadmap for 2017 22

Current State Strong commitment to agile processes GitHub is single code repository for source code Artifactory is a repository for 3 rd party and reusable libraries ECR includes all container images that can be deployed in Stage and PROD All documentation and articles are maintained in Confluence Wiki JIRA is used for all types of Requests For Change including user access requests, configuration changes, new development, enrollment of service candidates in Service Catalog, code progression, and issue tracking 24x7 monitoring is based on CloudWatch metrics and alerts Slack is a standard collaboration tool with SSO based on AD accounts 23

Current State Client Services team : Provides continuous delivery of infrastructure components tightly integrated with the technology stack Maintains Service Catalog and develops new offerings in collaboration with development teams Facilitates continuous deployment of applications by automating container and services deployment in Stage and Prod environments Maintains user accounts, roles, policies, and data access rules Participates in capacity planning as consultants Conducts environment optimization reviews based on automated metrics collection and analysis of resource utilization Generates reports and decommissions unused resources Coordinates building VPN gateways with UPMC ISD Provides automated deployments of Kubernetes clusters and Docker container Facilitates all data governance processes and internal audits, meeting with stakeholders, and coordinate meetings with AWS and MS solution architects 24

Roadmap for 2017 Improve security by introducing Web Application Firewall in all application environments Harden our security posture for container defense by implementation of a product similar to TwistLock Complete PoC project and implement log analytics Conduct penetration testing and automate it Turn on AWS Inspector to capture user errors in configuration of roles, privileges, security groups, and other service configurations Collect requirements for establishing dedicated network connections to UPMC data centers via AWS Direct Connect Complete evaluation of WSO2 Identity server as SSO solution integrated with Health and Insurance Services Explore Terraform as alternative tool for composing infrastructure resources independently from cloud providers Introduce new cloud service provider in order to be more platform agnostic 25

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback