How Can Automation Make Your Cloud More Secure?

Hi! David Mortman here. I’m enStratus’s Chief Security Architect and I’ll be periodically blogging here to cover issues related to security and the cloud. One of the themes I’ll be hitting a lot over the coming months is the power of automation and how that makes your organization not only more efficient but also more secure.

Case in point, multiple studies have shown that one of the biggest contributors to downtime at companies is human error (Visual Ops, Visual Ops Security by Gene Kim et al.).  Automation can remove much of the human element from this equation and especially in the case of repeatable actions, ensures that those tasks are done the same way every time. This is hugely helpful during the audit process for compliance regimes. 

Similarly, as we’ve learned from the Verizon DBIR, one of the biggest contributors to security breaches over the years is the failure by organizations to change or revoke access to resources after individuals change or leave jobs. This is yet another place where automatic processes can be very helpful.

Once you have automation in place, you can start doing some really interesting things very efficiently. For example, deployment of patches becomes even simpler, as does the provisioning (and de-provisioning) of users across machines. You can also start automating the handling of encryption keys or other sensitive data. This means that you can now reduce the number of employees who need access to that sort of data even more. And, as an added bonus, all of these actions are logged by default which also helps with audit and compliance concerns be it from customers, partners or regulators.

More on the power of automation in a later post.

 

David Mortman is the enStratus Chief Security Architect and has been doing Information Security for well over 15 years. Most recently, he was the Director of Security and Operations at C3. Previously, David was the CISO at Siebel Systems and the Manager of Global Security at Network Associates. David speaks regularly at Blackhat, Defcon and RSA amongst other conferences. Additionally, he blogs at emergentchaos.com,  newschoolsecurity.com  and securosis.com. David sits on a variety of advisory boards such as Qualys and Igie. He holds a B.S. in Chemistry from the University of Chicago and bakes, cooks and juggles in his spare time.

 

 

Extend LDAP/AD Into Your Cloud Management

Whether you have a public, private, or hybrid cloud, a best-practice includes extending your LDAP or Active Directory (AD) into your cloud management security. This allows you to build on your existing security policies and improve the efficiencies of your cloud infrastructure user management.

1. Delegated Authority: This enables you to set up users in enStratus without the need to set up users and passwords. Here are a couple common tasks that would benefit from directory services integration.

• Add a user to LDAP - enStratus will discover the user and add that user an all group memberships for that user to enStratus.

• Terminate user from LDAP - enStratus will deactivate the user in the enStratus directory as well as remove any Windows and Unix accounts for that user on VMs in the cloud.

2. Automated Management: Remotely manage users and group membership

3. Access Controls: Granular, role-based permissioning managed within enStratus across one or more clouds

Leverage Directory Services to extend security and access controls into private and public clouds

These capabilities will save you time and keep your security policies consistent across clouds.

If you would like to learn more, you can request a copy of our User Management for Private and Public Clouds document.

From Where Should You Govern Your Cloud?

More and more enterprises are moving forward with private/public cloud proof-of-concepts and production deployments.  As the cloud migration ramps, cloud governance is becoming more of a focus. 

Recent CRN and ZDNet articles gave some great points to consider about cloud governance.

• Central authorization  
• ID and access controls
• Policy enforcement and monitoring
• Service level reporting
• Automation and auditing

One new question facing organizations moving to the cloud is how do you deliver this governance and from where?

As the diagram below shows, there are three options to deliver a cloud governance solution.  

1) SaaS solution running in the cloud being managed

In this model, you are running all or part of your cloud governance solution in the cloud that you are governing. This is how several enStratus competitors deliver their solution. In terms of access controls, service levels, disaster recovery and other issues, the risk level seems a little like letting the fox guard the henhouse.

2) SaaS solution running outside the cloud being managed

This model has become popular for companies governing public cloud deployments. This is one option available from enStratus. Governing your public cloud from a SaaS solution hosted outside the cloud provides a better framework for key management, encryption, and auditing.

3) An on-premise deployed cloud management solution

Deploying a completely on-premise version of cloud management software is the preferred option for enterprises with very sensitive data in the public cloud or organizations that have a private cloud. The benefit includes leveraging your policies and procedures and directly integrating with internal infrastructure and management systems. This is also a model delivered by enStratus. This is the best option for organizations with compliance requirements or that are very risk averse.

The key to selecting one of these models is understanding your cloud strategy, governance needs and risk tolerance. 

Cloud OS or Cloud Management Software?

As with any emerging market comes terminology confusion.  The term “Cloud Management” is a great recent example. We want to take a few minutes to help define this important term.

You will hear people refer to various solutions as Cloud Management Software – from Cloud Operating Systems to tools that allow you to manage multiple SaaS solutions.

In the IaaS space, Cloud Management Software sits on top of various public and private clouds and provides the following capabilities:

1)   Allows users to provision, manage and control various public clouds and private cloud platforms

2)   Helps manage users, security, and automation across infrastructures

3)   Protect from single cloud vendor lock-in to allow cross-cloud operations and migration

4)   Manage your service level requirements

5)   Audit and report for compliance

The diagram below shows our perspective of the relationship Cloud OS solutions.

 

VMware has a great definition of a Cloud OS.

“A cloud operating system is a new category of software that is specifically designed to holistically manage large collections of infrastructure – CPUs, storage, networking – as a seamless, flexible and dynamic operating environment.  Analogous to the operating system that manages the complexity of an individual machine, the cloud operating system manages the complexity of a datacenter.”

We hope that this helps clarify the difference.

 

Cross-Cloud Management Today

Over the past few months, more and more organizations have moved toward leveraging multiple cloud providers.  Whether it’s a private/public hybrid model or multiple public providers, this is definitely a trend.

Our vision has always been that organizations will use multiple cloud providers and need one management, governance and automation solution for all of them. 

Security, Provisioning and Financial Controls

Many of our customers have been starting VMs in multiple cloud providers like AWS, Rackspace, Eucalyptus and Cloud.com.  With our granular access controls, enStratus provides you the ability to grant access to each person or group with the access they require for the appropriate clouds.

In addition our financial controls allow you to track spending across clouds including soft and hard spending caps across all the clouds you manage with enStratus.

Cross-cloud dependencies, cloud-bursting, cross-cloud DR, and cross-cloud auto-scaling

Though managing multiple independent clouds from inside enStratus is cool, enStratus also enables you to create managed applications that operate across multiple clouds. For example, you can configure an application to operate entirely within your private data center up to a certain capacity threshold and have enStratus burst part, or all of it, into a public cloud beyond that capacity. The image below shows an example of how to set the bursting to the secondary cloud after 5 servers.

For truly distributed application architectures, enStratus has the capability to automate cross-cloud auto-scaling. enStratus will make sure traffic for your distributed application is balanced evenly across multiple clouds and provide you redundancy even in the face of the complete failure of one of your cloud providers. Even if you don’t want the redundancy, enStratus will optionally backup to a DR cloud.

  

Manage Your Private/Hybrid Clouds from Your Own Data Center

Most companies got their first exposure to cloud computing through public cloud options such as any of the many public clouds supported by enStratus.  When operating a public cloud, it makes a lot of sense to leverage a SaaS tool like the enStratus SaaS solution. You simply visit https://cloud.enstratus.com/page/1/register.jsp, sign up, and immediately begin using enStratus to manage your cloud. No software installation needed.

Running a private cloud? Leverage enStratus on-premise!

Most enterprises these days are looking beyond the public cloud to hybrid and private cloud computing. While our SaaS solution is perfectly capable of managing private and hybrid clouds, we think it makes sense to have an on-premise management tool when managing on-premise clouds. The systems you are deploying in a private cloud are obviously important enough to keep within your data center, so it makes no sense to allow a third-party control that infrastructure from beyond your firewalls.

Same Features, On-premise. The enStratus on-premise solution provides the same exact features as our SaaS offerings, operating in your data center instead of ours. It’s a simple installation and you can plug it into your SSO infrastructure (including SAML 2.0 and OpenID). You can then point enStratus at your private and public clouds.

enStratus is simply the only enterprise cloud infrastructure capable of on-premise deployment for managing public and private clouds.

Most Cloud Platforms, including VMware vCloud. No other cloud management offering provides the same freedom of choice among a cloud platforms and public clouds as enStratus. We natively support vCloud, Nimbula, OpenStack, Eucalyptus, and Cloud.com. In addition, you can leverage all of the public compute clouds we support (AWS, Bluelock, CloudSigma, GoGrid, Rackspace, Terremark) and all of the public storage clouds (AWS, AT&T, Azure, Google, Rackspace) from within your data center.

Operate across clouds: Cross-cloud dependencies, cloud-bursting, cross-cloud DR, and cross-cloud auto-scaling

Though managing multiple independent clouds from inside enStratus is cool, enStratus also enables you to create managed applications that operate across multiple clouds. For example, you can configure an application to operate entirely within your private data center up to a certain capacity threshold and have enStratus burst part or all of it into a public cloud beyond that capacity.

For truly distributed application architectures, enStratus has the capability to automate cross-cloud auto-scaling. enStratus will make sure traffic for your distributed application is balanced evenly across multiple clouds and provide you redundancy even in the face of the complete failure of one of your cloud providers. Even if you don’t want the redundancy, enStratus will optionally backup to a DR cloud.

 

The New Oracle RDS Instances

Yesterday, Amazon launched a new feature for their RDS (Relational Database Services) product that adds Oracle database as a service offerings to their existing MySQL offerings. We've always believed that RDS is one of the more valuable AWS offerings, and you can now leverage Oracle RDS instances in enStratus.

Provisioning an Oracle instance works much the same as provisioning MySQL instances has worked:

You can select either the included license option (selected above) or a "bring your own license" option, depending on whether you are leveraging an existing enterprise Oracle license and the AWS "bring your own license" program.

enStratus then instructs AWS to provision your new Oracle instance and it shows up in your enStratus console:

We'll have an update for a pretty Oracle icon in our next formal release!

At this point, you can leverage all of your normal Oracle tools to interact with your Oracle instance, as well as control network access through enStratus.

Life gets more interesting, however, when you include your Oracle RDS instance in an enStratus automated deployment. Applications managed by enStratus can be configured to point to a data source in your Oracle RDS instance. enStratus will automatically configure those applications to talk to Oracle and configure the network rules for the communications to occur.

To leverage RDS services, you must first sign up for RDS with AWS. enStratus will automatically detect that you have signed up and a "Relational Databases" menu item will appear under your "Platform" top level menu.

 

Extending Cloud Automation with Chef

Earlier this month, we released an important integration with Opscode's Chef, the open source configuration management and integration framework used by thousands of organizations. 

Automation of cloud infrastructure has been a focus of enStratus since our inception.  enStratus can help you scale easily, recover automatically, backup and burst between clouds with confidence.  

In working with our friends at Opscode, we now allow you to take automation to the next level, supporting larger and more complex configurations. When an enStratus customer selects Chef as a configuration management option, a Chef client is automatically installed on new instances brought up by enStratus.

From there, all the power of Chef is available to you. Chef works by allowing you to write recipes that describe how you want a part of your server (such as Apache, MySQL, or Hadoop) to be configured. These recipes describe a series of resources that should be in a particular state – for example, packages that should be installed, services that should be running, or files that should be written. Chef then makes sure that each resource is properly configured, only taking corrective action when it’s necessary. The result is a safe, flexible mechanism for making sure your servers are always running exactly how you want them to be.

In doing so, customers can save time and money by automating new and more complex processes. It also helps companies meet compliance requirements by ensuring policies and procedures are met.

Our latest integration with Chef includes the following capabilities: 

• Easily configure a connection to an Ospcode (or Chef Server) account with enStratus Configuration Mangement

• Automatically perform a Chef run with a custom Chef run list during the start-up of a new server. This allows for the automatic installation and configuration of applications on your server with Chef cookbooks.

• Configuring a Chef run list without having to log on to your server. Just past the run list into the enStratus console and launch the server, everything else will be taken care of by enStratus. 

Figure 1: Configuration Management Page

 

Figure 2:  Configuration Management Tab of the Launch Server- This is where you paste a Chef run list when launching a server. 

 

The enStratus development team is working on deeper integration with Chef to extend the configuration management capabilities. We appreciate your feedback and input to the process. Please let us know what else you would like to see, or if you have any questions. 

 

Deploying a Redundant Cloud Infrastructure

If the latest events in the AWS EC2 cloud east region have taught cloud architects and administrators anything, it is that the requirement for redundancy and disaster recovery cannot be overstated. enStratus enables cloud architects to span architecture across different regions in the same cloud and even across clouds altogether.

Since the AWS East region is the most widely used cloud region, many companies found themselves in a situation where their entire infrastructure was provisioned in that region. Even with redundancy across availability zones, the outage was devastating enough to bring down multiple availability zones, taking with it large portions of applications running there.

 

Using Multiple Regions

enStratus automation features offer an elegant and intuitive process to plan for eventualities such as region failure in a cloud. Using the deployment manager, architects can add another region as needed or balance their application across regions as a matter of procedure. 

When the EC2 East region outage hit, many companies found themselves scrambling to bring up applications in the EC2 West or other region.

The prospect of trying to move data that was "locked" in the East region was very problematic for administrators because in many cases backups were stored in S3 in that same region. enStratus allows for disaster recovery storage in multiple regions and/or multiple clouds. 

 

Backup Management

enStratus disaster recovery options automate the process of exporting backups off-site. What off-site means to the architect is open to a number of configurable options
including private storage such as swift or walrus.

Backups can be encrypted and moved at predetermined intervals, ensuring data is secure in transit and there when you need it.

Also, the enStratus application is hosted outside the cloud by enStratus or on-premise by our customers to ensure cloud governance and reliability.

This past week was a trying week for cloud workers, but tools like enStratus exist to plan for and maintain continuity of operations independent of the cloud used.

Check out our Webinar that we hosted May 4th to learn more: How To Deliver Cloud Infrastructure Redundancy.

 

 

Cloud Computing and the Business Model

Everyday we talk with companies that are evaluating cloud computing capabilities to reduce costs, be more flexible, leverage new technologies or deliver scale. More and more enterprises are looking to cloud computing and are starting proof-of-concepts and migrating real applications to leverage these benefits.

There is a deeper question forming about how business models are impacted by cloud computing and vice-a-versa. Most of the cloud talk to date has been focused around the technical challenges, opportunities and questions. However, not enough has been focused around the business model transformation of the cloud.  

For several years now, software vendors have grappled with business model questions and monetization issues as they transition to a SaaS delivery approach. Now with the barrage of cloud services, Systems Integrators, Hardware Vendors and other types of technology firms also have the same types of challenges.

These points are highlighted nicely in the new Accenture Report titled Where the Cloud Meets Reality: Operationally Enabling the Growth of New Business Models. We recently discussed this new Accenture Report with one of its authors, Tim Jellison, and we agree with the business model topics identified in the report.

The Accenture Report identifies ten different business models (ie Licensed Software, PaaS, Appliance Model) and discusses how organizations should address and plan for the operational model changes and how to get started.

There is no question that the XaaS market is growing rapidly.  The Accenture Report highlights a Gartner study that shows by 2014, enterprises will speind close to $35B annually on SaaS, PaaSm IaaS and other XaaS models combined.  That is up over 300% over 2010.

Explosive growth and disruptive technologies brings more than revenue opportunities to companies like enStratus. It brings questions that finance, technology, operations, legal, marketing and sales leaders need to address.

This is probably the start of the business model conversation, but it is a conversation that has to happen on many fronts.