DevOps, DevSecOps, and varmour

Similar documents
Conclusion.

Cisco Intelligent Automation for Cloud

Red Hat Open Shift Container Platform

DevOps Journey. adoption after organizational and process changes. Some of the key aspects to be considered are:

BMC - Business Service Management Platform

How to build and deliver an Intelligent Orchestration Platform

ORACLE CLOUD MANAGEMENT PACK FOR MIDDLEWARE

HyperCloud. IT s Cloud Dilemma

RELEASING HIGH-QUALITY APPLICATIONS AND INFRASTRUCTURE FASTER WHITE PAPER OCTOBER 2017

Application Lifecycle Management (ALM) Octane

Five DevOps CM Practices

I D C M A R K E T S P O T L I G H T. S i l o s a n d Promote Business Ag i l i t y

Dell Advanced Infrastructure Manager (AIM) Automating and standardizing cross-domain IT processes

Understanding the Business Value of Docker Enterprise Edition

Microsoft FastTrack For Azure Service Level Description

SOLUTION BRIEF CA MANAGEMENT CLOUD FOR MOBILITY. Overview of CA Management Cloud for Mobility

MANAGING SERVICES WITH RED HAT CLOUDFORMS AND ANSIBLE

Learn How To Implement Cloud on System z. Delivering and optimizing private cloud on System z with Integrated Service Management

IBM ICE (Innovation Centre for Education) Welcome to: Unit 1 Overview of delivery models in Cloud Computing. Copyright IBM Corporation

Automation Testing and the DevOps Pipeline presented by Randy Spiess (Jan 18)

Accenture Architecture Services. DevOps: Delivering at the speed of today s business

HPE ITSM Automation and Containers Accelerating Deployment and Time to Value February 23, 2017

Using IBM UrbanCode Deploy to automate the migration and deployment of on-premise WebSphere application and configuration to IBM Bluemix

Accelerating Your DevOps Journey

"Charting the Course... MOC A: Architecting Microsoft Azure Solutions. Course Summary

AUTOMATED TESTING: THE GLUE THAT HOLDS DEVOPS TOGETHER

Oracle Cloud Blueprint and Roadmap Service. 1 Copyright 2012, Oracle and/or its affiliates. All rights reserved.

What s New in SRM 6.1 December 15, 2017

Enabling digitization at the pace of business. Achieve connected DevOps tool chain through Release Orchestration

API Gateway Digital access to meaningful banking content

Avoid the Hype and Find Real Value in Devops and PaaS ABDUL KHALIQ GAFFAR

Cloud Management Market Survey and Analysis: A New Business Imperative Emerges

NFV Orchestrator powered by VMware

Extreme Workflow Composer

Oracle Enterprise Data Management Cloud

BRINGING THE MODERN SOFTWARE FACTORY TO LIFE

D5.1 Inter-Layer Cloud Stack Adaptation Summary

Benefits of Deploying Oracle E-Business Suite on Oracle Cloud At Customer O R A C L E W H I T E P A P E R D E C E M B E R 2017

White paper Accelerating the Digital Transformation With Atos alien4cloud and Cloudify

Dell EMC XC and Nutanix: Overview and Demo of One-Click Simplicity for Infrastructure Upgrades, Capacity Expansion and How To Search

Embedded Analytics: Turning Data-Driven Apps into Actionable Insights

Course 20535A: Architecting Microsoft Azure Solutions

INTEGRATING SECURITY WITH DEVOPS TOOLCHAINS

UForge AppCenter 3.8. Introduction March Copyright 2018 FUJITSU LIMITED

Application-centric Infrastructure Performance Management (IPM)

DevOps: Accelerating Application Delivery. DevOps on IBM i: Barriers, Techniques, and Benefits to the Business

ONAP Architecture Overview

So#ware-Defined Security Services Working Group Ini;a;ve

HP Cloud Maps for rapid provisioning of infrastructure and applications

Infrastructure Efficiency Yields Significant Cost Savings

Steve Bryant-Brown Technology Mayank Nayar Program Manager, Azure Site Recovery. Will Rowley Cloud

Richard Seroter Integration MVP. Moving to Cloud-Native Integration

Cloud Automation a beginner s guide

Network Automation: Do I Need Expensive Vendor Tools To Do Meaningful Automation? NANOG 72 February 20, 2018

Bringing a New Level of Simplicity to ITSM System Administration

HokuApps. Create a new class of enterprise apps STEPS TO ENSURE YOUR LEGACY SYSTEM MODERNIZATION PROJECT GENERATES. hokuapps.com

DevOps. Bringing agility all the way up to Production

OpenShift Dedicated: An Inmarsat Story

The AWS Mission. Enable businesses and developers to use web services to build scalable, sophisticated applications.

Enabling FinTechs for Success through Business-Driven Cloud Security

Effectively Managing Amazon Web Services in Hybrid IT Environments

DATASHEET COLLABNET TEAMFORGE

Multi-Containers Orchestration with Live Migration and High-Availability for Microservices

Take a Tour of Native Hybrid Cloud & Neutrino. Modern, cloud native platforms

MICROSERVICES. Prabavathy Arumugam Software AG. All rights reserved. For internal use only

Split Primer. split.io/primer. Who is Split?

NSO in an ETSI NFV Context Carl Moberg Technical Director, Tail-f Engineering January 7, 2015

PERSPECTIVE. Microservices A New Application Paradigm. Abstract

Why You Should Take a Holistic Approach

Cisco ONE Enterprise Cloud Suite Automates Infrastructure, Cloud, and Application Lifecycles

Secure information access is critical & more complex than ever

Welcome to this IBM Rational podcast, What's. New in the Cloud, Rational Application Developer and

Architecting the Future with IT Infrastructure for the Cognitive Era. 26 April, 2017 Arif Kaleem Executive Architect Technical Sales Manager, MEP

IBM BPM on zenterprise

Faizer Feroz Director Enterprise Applications Herbalife. Scott Haaland Product Strategy Director Service Integration Product Management

IT Service Management for DevOps

An Overview of the AWS Cloud Adoption Framework

Cisco ONE Enterprise Cloud Suite

Zero to Federated at the Speed of Jenkins. A Case Study of Success in DevOps

Optimize the Performance of Your Cloud Infrastructure

DevOps Guide: How to Use APM to Enhance Performance Testing

Building a Hosted Statistical Computing Environment: Is it Possible?

THE DEVOPS MATURITY CURVE. Justin Vaughan-Brown CA Technologies

Introducing the Next Generation of ALM March 22, Copyright 2016 Vivit Worldwide

Welcome to this IBM Rational podcast, Leverage. IBM's PureApplication System to Jump-Start DevOps. I'm

A 7 step strategy for successful DevOps in the Evolving Enterprise

Microsoft moves IT infrastructure management to the cloud with Azure

WorkloadWisdom Storage performance analytics for comprehensive workload insight

COMPUTE CLOUD SERVICE. Move to Your Private Data Center in the Cloud Zero CapEx. Predictable OpEx. Full Control.

Achieve Competitive Advantage with IBM DevOps

WHITE PAPER. CA Nimsoft APIs. keys to effective service management. agility made possible

Azure Infrastructure for SAP

Your Enterprise Cloud-Native App Platform: An Introduction to Pivotal Cloud Foundry Richard August 31, 2017 #CNA3430BU CONFIDENTIAL

How Cisco IT Developed a Self-Service Model for Build and Deploy

Creating an integrated plug-and-play supply chain with serverless computing

Five-Star End-User Experiences Require Unified Digital Experience Management

FlashStack For Oracle RAC

InterConnect. InterConnect

Dell EMC Consulting Ingo Strutz

Viewpoint Transition to the cloud

Transcription:

WHITE PAPTER DevOps, DevSecOps, and varmour DevOps and DevSecOps Supporting DevSecOps with New Tools varmour DSS Distributed Security System varmour in 4 Common DevOps Scenarios 1. Rolling out a New Application 2. Promoting Applications from Dev/QA to Prod 3. Expansion of Original Application 4. Quarantine of Workloads

DevOps and DevSecOps DevOps has become a well established practice within many organizations. It aims to improve the efficiency of the software development and delivery process through increased collaboration between teams, as well as automating the many stages of the process. The increased collaboration and use of automation helps the teams move faster in delivery and results in several changes to typical application development, testing, release, operations, and maintenance. The increased pace of operations results in much more frequent releases, using a diverse set of tools at each stage of the process such as source code management, platform builds, infrastructure monitoring, and orchestration engines. As DevOps introduces several changes to the application development workflows, infrastructure, and culture at an organization, traditional security practices start becoming impediments to achieving the desired goals. A security program practices, culture, and tooling built around the traditional software development model of relatively staggered, waterfall product releases and relatively immutable internal infrastructure will not be able to keep pace with the accelerated pace of DevOps changes, be they new applications, new code releases, or elastic infrastructure. Enter DevSecOps. Similar to the mindset change that resulted in DevOps, DevSecOps is a rethinking of the role that security plays in the IT life-cycle. Specifically, the key tenets for security in a DevSecOps culture include elements such as: Everyone is responsible for security. The cooperation between Dev and Ops teams now includes Security as well. This means, for example, that security controls are built being keenly aware of specific application requirements, and that the infrastructure where the application runs will be highly elastic. Security as Code. This means that the contributions from the security organization be they compensating controls, security reviews, tactical information about threats, or security response processes have to be offered and deployed as code, to be integrated into the DevOps pipeline and final product.

Supporting DevSecOps with New Tools As DevSecOps introduces a new approach to deploying security to a multitude of environments, there are new requirements for the security tooling used. Poor support for any of these DevOps requirements translates directly into poor outcomes in terms of security coverage, agility, or adoption of adequate security controls. The key requirements are: Be designed for a modern infrastructure The modern data center or cloud infrastructure is not static: workloads are added and deleted programmatically, new code updates are pushed out multiple times per week or even per day, workloads move between hypervisors, and so on. A security design based on the traditional perimeter model will not be able to keep up with this level of dynamics: as an example, as workloads move between environments, a traditional security solution built on a perimeter mindset will have difficulty maintaining the state of connection. Be a software only architecture, not relying on hardware components In order to support the agility and elasticity of the modern environment, security controls have to be deployable as software, able to be quickly scaled up or down, or be reconfigured to support changes in the environment. A security architecture design that relies on hardware components will fare poorly on all these categories. Support orchestration via a robust and open API Lastly, it is critical that the tooling support easy configuration and orchestration via a robust API. The new application development and operations pipelines include significant amount of automation, orchestration, and use of standard design patterns. Any security component that cannot be completely deployed, configured, and managed programmatically will introduce unacceptable levels of friction to the DevOps cycle.

varmour DSS Distributed Security System IT leaders are transforming their data center architectures at unprecedented rates to harness the value of speed, moving from a reactive, inflexible organization to one that is a more proactive, agile part of the business that can respond quickly to changing business requirements. Research indicates that 86% of workloads will be processed by cloud data centers by 2019. Cloud services are based on simplicity, scale and economics. These same tenets should hold true for security. With that in mind, varmour created the varmour DSS Distributed Security System. varmour DSS provides application aware the micro-segmentation, coupled with advanced security analytics of networks, applications, and users. With its patented software, varmour DSS moves security controls down next to each asset, wrapping fine grained protection around each workload, regardless of where the workload resides. varmour DSS is an all software solution, independent from underlying infrastructure, with distinct components that work as a unified security system. These components are: varmour Fabric, composed of two types of elements: Director. The Director is varmour s central point of orchestration (REST API) and management (via WebUI or CLI). It offers a highly available and scalable controller for the rest of the varmour Fabric. Enforcement Points. varmour Enforcement Points ( EP s and EPi s) are distributed security processing nodes, offering L2-L7 visibility and access control to network traffic to/from the workloads. The Enforcement Points offer attractive performance, scalability, and availability characteristics that make them suitable for the elastic nature of virtualized and cloud workloads. varmour Analytics. varmour Analytics provides application-layer visibility into east-west-type traffic flows, which in some cases constitutes 80% or more of the total traffic in virtualized data centers and cloud deployments. It also provides analytics/insight capabilities related to common patterns associated with more sophisticated attacks against data center / cloud resources.

varmour can help DevOps build security awareness into all stages of application design and deployment with its key features: Being a software-only component, designed from the ground up to support modern environments, varmour DSS has unmatched performance, scalability, and sizing characteristics than traditional perimeter approaches. By being application-aware, it can perform more granular inspection of traffic, which results in stronger protection and better definition of policy that can be aligned with development or operations requirements. Finally, varmour has a robust, REST based API that allows for full automation and orchestration of all aspects of operations and management, from policy creation, software configuration, and ongoing monitoring. For more information about varmour DSS, please refer to https://www.varmour.com/product/how-it-works

varmour DSS in 4 Common DevOps Scenarios One of the key characteristics of DevOps type deployments is that even though they share some broad design and operations patterns, each one is actually quite unique. Each organization that has embraced DevOps does it in a slightly different manner: similar but different workflows, deliverables in each stage, tooling being used, and others. The security tooling has to be flexible enough to meet these demands. This section illustrates how varmour DSS can fit into these patterns, without specific requirements on tooling. Customers may use whichever tools they best see fit for the DevOps workflow, and rely on varmour s open API for integrating the security policies provided by varmour DSS. 1. Rolling Out a New Application 2. Promoting Applications from Dev/QA to Prod 3. Expansion of Original Application 4. Quarantine of Workloads

1. Rolling Out a New Application In this scenario, as a new application is being built, the Dev team works alongside Security and Ops to define what the network security requirements will be. These requirements are then coded into the playbook for the deployment. Depending on the tooling used, this can be an Ansible Playbook, a Puppet/Chef Recipe, or a Docker Dockerfile. In any case, the customer can use varmour s API to orchestrate that new policy into the varmour Director. In the example below, a typical workflow might be: 1. The Development and Operations teams define the application requirements into the tooling used for orchestration, maybe a Playbook or a Recipe. 2. The workload management component, such as Puppet, Chef, or Ansible, uses the varmour REST API to create the appropriate security policy. 3. varmour Director creates the policy and makes it available to the Enforcement Points on the environment. 4. (Not shown in diagram) As the workload manager creates the actual workloads, security policies are already available to be applied. WORKLOAD MANAGER 2 4 DIRECTOR 3 1 DEVELOPMENT TEAM WORKLOADS SECURITY POLICY

2. Promoting Applications from Dev/QA to Prod There are many ways for a DevOps-focused organization to organize its processes for promoting workloads from dev/qa to production. One common approach is called the Blue-Green Deployment : two identical workloads exist, Blue and Green, and traffic is directed to the one defined Prod. After all work for the new release is done on the other environment, the traffic is redirected to the new environment. If there is an issue in the new environment, the workload can be easily redirected back. varmour DSS can easily support this by automating the application of security policies to workloads given their status ( dev/qa versus prod ). As the release management process instructs the external router to switch between Blue/Green, that information can be passed to varmour as well, and Production security policies (such as more stringent access control rules) can easily be applied. 1 t=0 RELEASE MANAGEMENT BLUE GREEN WEB WEB APP APP DB DB SECURITY POLICY (includes Micro-seg) 2 1 DIRECTOR From Dev to QA: Allow All From Dev to Prod: Deny All

Sample workflow is as follows: At t = 0 the external router is pointing to blue as the production system. At t = 1, release management instructs both external router and varmour to treat green as production. At t = 2, varmour updates the security policies, be they broader zone-based segmentation or micro-segmentation policies on specific workloads. At that point, production-level security controls are already applied to the chosen environment. There s several ways varmour can be notified of the change in dev/prod state, including: Changing tags on workloads. As the organization chooses to promote a subset of the workload from QA to Prod, all that it needs to do is tag the workload as such on the System of Record (CMDB, IPAM, VM tags,...). varmour DSS detects the change in information related to the workloads and automatically applies the new security policies. Directly changing address group and/or information on varmour. The REST API includes full support for managing address groups and policies.

3. Expansion of Original Application DevOps environments are generally elastic: new workloads are created and removed based on near real-time demand. This combines the efficacy of elastic infrastructures such as private, public, or hybrid clouds, with the efficiency of controlling operational costs. In this scenario, an existing workload needs to be expanded (new instances added). As the new workload is instantiated, varmour Director is able to read workload metadata and automatically assign the appropriate address group membership to new workloads. This can be done leveraging information from VM tags, IPAM systems, CMDB repositories, ticketing systems, or other sources of data. SOURCE OF RECORD (SOR) CMDB IPAM VCENTER... 2a DIRECTOR 2a WORKLOAD MANAGER 2 3 1 SECURITY POLICY RESOURCE MANAGER 4 WEB APP DB WEB APP In the example above: 1. The Resource Manager, typically an orchestration layer, detects the need for additional instances. 2. The Workload Manager, possibly a tool such as Puppet, Chef, or Ansible, instructs varmour that additional workloads will be created, either directly (via REST API) or through leveraging the Source of Record system and the ongoing varmour connection (option 2a above). 3. The Workload manager creates the new workloads. 4. varmour automatically applies policy to the workload as defined.

4. Quarantine of Workloads One common design pattern on the operations side of DevSecOps is the use of quarantine effectively blocking all communications to and from a workload. This is easily achievable using varmour DSS. The typical scenario here is that the Security Monitoring tooling or even the Application Performance Management component of the DevOps environment has determined that a particular workload should now be blocked off from the rest of the environment. This might be a response to a host or application-level security incident, or just that the software component on the application is not producing the right results and should not affect the rest of the environment. At that point, any component can leverage the varmour API to instruct varmour DSS to effectively block all communications to/from that workload. This can be achieved in a number of ways, including: Adding the workload to a predefined blacklist of quarantined workloads. Changing the workload information in Source of Record (IPAM, CMDB,...) to indicate it should be quarantined. SOURCE OF RECORD (SOR) CMDB IPAM VCENTER... 2a DIRECTOR 2b SECURITY POLICY 3 2a APP PERF. MONITORING SECURITY MONITORING WEB 1 APP DB

Sample workflow is as follows: 1. Performance or Security Monitoring is monitoring individual workloads. 2. The need for a quarantine is detected. Two key approaches are possible: a. Tag the workload as to be quarantined in SoR, and varmour can pick up the change. b. Directly instruct the Director to place a workload in quarantine via dedicated policy or address group membership. 3. varmour applies policy to the workloads to enforce quarantine, keeping the workload in an operational state, but preventing further potential damage.

Conclusion As a 100% software-based security solution, varmour DSS enables the agility required by DevSecOps processes to build security into new workloads and their supporting applications, as well as ongoing policy updates, and quarantine capabilities. Learn more at www.varmour.com. For more information about the broader tenets of Dev[Sec]Ops, you can refer to http://www.devsecops.org/.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback