Get the Exact Identity Solution You Need - In the Cloud - Overview


  1. Get the Exact IAM Solution You Need In the Cloud: Containerized IAM on Amazon Web Services (Webcast 1 of 3)
  2. Introduction – Warren Strange
     With ForgeRock since 2013
     Responsible for DevOps strategy
     Previously with Sun Microsystems and Oracle
     Founded in Norway in 2010, ForgeRock technology is based on Sun Microsystems' IAM products. We are focused on Digital Identity and Access Management.
     • ForgeRock Access Manager
     • ForgeRock Identity Manager
     • ForgeRock Identity Gateway
     • ForgeRock Directory Services
     Copyright © 2018 ForgeRock. All rights reserved.
  3. Introduction – Steve Giovannetti
     CTO and Founder of Hub City Media
     Identity since 2001
     Focus on containerized solutions for 2 years
     Hub City Media has over 18 years of experience implementing IAM solutions, and particularly specializes in ForgeRock deployments in the cloud and on premise. Equipped with full-time, US-based Professional Services and Managed Support Services teams, we have the ability to partner with clients in any location or time zone.
     Copyright © 2018 HUBCITYMEDIA. All rights reserved.
  4. What is Containerized IAM?
     IAM Infrastructure: Vendor Product > Containerize > Deploy
  5. Containerized IAM in the Industry
     The Containerization Boom
     Deploy Everything
     Reliable, Systematic, Repeatable
  6. Why Containerized IAM? Settling vs. Success (Traditional IDaaS vs. Containerized IAM)
     No need to settle for an OOTB solution; customize to meet all of your needs
     Operationally IDaaS: customization capabilities of an on-premise deployment, operational functionality of an IDaaS
     Consistent software delivery method: as companies modernize their infrastructure, this strategy is preferred
  7. Implications? Support from vendor products; Containerized IAM
  8. Old School Deployment
     Back in the dark ages (before DevOps), there was the Run Book!
     Documented procedures: how to make changes in production
     Deployment cadence: yearly
     Servers: “Pets” (snowflake servers), “mutable”
  9. 2015 – The ForgeRock DevOps Journey Begins
     Demand: clients and partners were looking for increased deployment velocity, lower deployment cost, public cloud IaaS
     The beginning: started looking at scripted deployments using Ansible (frstack project); moderate success; automated complexity, but didn’t fix it
     Conclusions: significant product changes needed to simplify deployment (solve for complexity – don’t automate); move from Java war files to containers; Kubernetes as the orchestration platform
  10. Why Kubernetes?
     • Cloud agnostic: any cloud + bare metal
     • Think of Kubernetes as AWS in a box
     • Broad industry support – CNCF project
     • The “linux” of container management
     • The container orchestration wars are over…
  11. Kubernetes Manifest Describes a “Virtual” ForgeRock Deployment Architecture
     (Diagram: OpenAM / AM, OpenDJ / DS, OpenIDM / IDM and OpenIG / IG components, backed by a persistent volume (PV) on SSD)
     The manifest describes components and their relationships; persistent volumes abstract storage.
     The same manifest works on any cloud! AWS, Azure, Google, VMware, etc.
     Manifest excerpts from the slide, with the YAML nesting restored (the Service excerpt gains the metadata/spec keys it needs to be a valid object):

         kind: Deployment
         spec:
           replicas: 1
           template:
             metadata:
               name: openig
               labels:
                 name: openig
             spec:
               containers:
               - name: openig
                 image: forgerock/openig
               volumes:
               - name: keystore          # keystore mounted from a Kubernetes Secret, not baked into the image
                 secret:
                   secretName: openig

         kind: Service
         metadata:
           name: opendj
         spec:
           ports:
           - port: 389                   # LDAP port exposed inside the cluster
             name: ldap
             targetPort: 389
  12. Deployment Landscape
     On-premise: deploy a war file; bring your own infrastructure; maximum flexibility; “build it your way”; higher operational complexity / cost
     IDaaS: limited flexibility; infrastructure is fixed; lower operational costs; fastest deployment
     Containerized: hybrid deployment on Kubernetes; flexibility less than custom, greater than SaaS; lower operational costs through automation; faster deployment; semi-opinionated infrastructure (bring your own cloud)
  13. Key DevOps Focus Areas
     Core engineering to make products “12Factor” like
     Prefer stateless vs. stateful
     Kubernetes / container friendly
     Support Infrastructure as Code (a.k.a. configuration as an artifact)
     Support for immutable deployment: no snowflake servers
     (Image caption: The 12 factors circa 200 BC)
  14. ForgeRock DevOps: the cool stuff; where most of the effort is
  15. Current DevOps Enhancements
     ForgeRock Access Manager:
     Import / export configuration as JSON
     Autonomous servers; AM servers are “cattle” – no server identity
     Stateless sessions – improved horizontal scalability
     Platform:
     Commons configuration – template JSON configuration using common expressions; use environment variables, system properties (12-factor practice)
     Evaluation Docker images available on Bintray: docker pull forgerock-docker-public.bintray.io/forgerock/opendj:6.0.0
     Sample Helm charts / Kubernetes manifests
  16. ForgeOps Repository
     The ForgeOps repository provides demonstration Dockerfiles and Kubernetes / Helm artifacts
     ● You will need to modify these files for your environment
     Open Source – https://github.com/ForgeRock
     DevOps Reference Examples – https://github.com/ForgeRock/forgeops
     Yes – ForgeRock supports our products running in Docker / Kubernetes! (*)
     (*) ForgeRock provides commercial support for the platform (AM, DS, IDM, IG). We expect our partners / clients to have Kubernetes experience!
  17. DevOps Guide: Read the Fine Manual! Now with task flowcharts!
     https://backstage.forgerock.com/docs/
     DevOps Guide: https://backstage.forgerock.com/docs/platform/6/devops-quick-start-guide/
  18. Power of AWS with Containerization
     Maturity: market leader in cloud; widely used
     Breadth of services: unparalleled in the cloud vendor market
     Flexibility: can be spread throughout organization
  19. Containerized IAM on AWS – The Journey
     Automated infrastructure build: VPC, networking, monitoring, CI/CD system, Kubernetes
     Automated ForgeRock product project configuration: Kubernetes namespace / product dependencies
     Integrated monitoring and management: CloudWatch alerts and monitors – Elasticsearch
     Continuous integration / deployment templates
  20. Infrastructure Build
     (Diagram: Jenkins host, three Kubernetes masters, three Kubernetes nodes)
     1. CF VPC creation script
        • Creates VPC
        • AZs and subnets
        • NAT gateways
        • S3 endpoint
        • Customer gateway
        • VPN gateway
        • Internet gateway
        • Routing tables
        • CloudWatch
        • Elasticsearch
        • Route53
     2. CF Jenkins host creation
        • Kicks off kops script
     3. Kops script
        • Creates master nodes
        • Creates Kubernetes nodes
  21. Product Configuration
     (Diagram: Jenkins, Kubernetes cluster with three masters and three DS instances, multi-AZ RDS, IDM namespace, AM namespace)
     ForgeRock IDM
     1. Create dependencies: RDS Multi-AZ
     2. Create namespace
     3. Create deployment: images / pods; ELBs – Multi-AZ
     ForgeRock AM
     1. Create dependencies: DJ
     2. Create namespace
     3. Create deployment: images / pods; ELBs – Multi-AZ
  22. HCM – Client Use Case
     Requirements: multiple legacy vendor products; high costs to manage and modernize; initiative to go IDaaS; no single IDaaS vendor to satisfy all needs
     Complexity: implement ANY use case; no constrictions; client controlled
     Cost: extremely cost effective in comparison to other options
  23. Client Use Case
     ForgeRock Platform: custom, multi-phase IDM, AM, DS, IDG implementation
     Hub City Media: Governance (IDG); HCM Tier 3 Support; Managed Cloud Services on AWS
     $2.61 per user per month
  24. Containerized IAM on AWS – Roadmap
     1.0 GA – May 2017: released to internal team; automated infrastructure; product / namespace config; monitoring; Jenkins templates. Client go live – July 2017
     1.1 – Fall 2018 and 1.2 – Winter 2018 (items as listed on the slide): internal dev cutover; Dockerize Jenkins; add’l deployment strategies; containerization of DS; improved encryption for secrets; Google Cloud Platform; Stackdriver integration; Kube Federation; AMI configuration tooling; improved monitoring
  25. Final Words: other cloud providers; the future of software deployment; considerations for the future / documentation
  26. Questions and Answers
  27. Webcast Series: Possibilities; Architecture – August 15, 2018, 2:00pm–3:00pm EST; DevOps – September 12, 2018, 2:00pm–3:00pm EST. Thank you for joining us!
  28. Thank you!
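As an added example (not code from the deck, ForgeRock or Hub City Media), a resolver for the `&{property|default}` placeholder syntax that slide 15 and the speaker notes call commons configuration: the JSON template ships unchanged in the image, values arrive from environment variables at start-up, and a secret with no default fails closed instead of starting with an empty password. The environment-variable naming (dots to underscores, upper case) and the sample property names are assumptions.

```python
import json
import re

# Placeholder syntax of ForgeRock commons configuration: &{property.name|default}.
# Mapping a property name to an environment variable (dots to underscores, upper
# case) is an assumption made for this example.
PLACEHOLDER = re.compile(r"&\{([A-Za-z0-9_.]+)(?:\|([^}]*))?\}")

def env_name(prop):
    """Environment variable assumed to carry the property (e.g. a.b -> A_B)."""
    return prop.replace(".", "_").upper()

def resolve_string(value, environ):
    """Substitute every placeholder in one string; fail closed if a value is missing."""
    def repl(match):
        prop, default = match.group(1), match.group(2)
        if env_name(prop) in environ:      # the environment wins over the default
            return environ[env_name(prop)]
        if default is not None:            # a default is only acceptable for non-secrets
            return default
        raise KeyError("no value for %s (set %s)" % (prop, env_name(prop)))
    return PLACEHOLDER.sub(repl, value)

def resolve(obj, environ):
    """Walk a parsed JSON document and resolve placeholders in every string."""
    if isinstance(obj, dict):
        return {k: resolve(v, environ) for k, v in obj.items()}
    if isinstance(obj, list):
        return [resolve(v, environ) for v in obj]
    if isinstance(obj, str):
        return resolve_string(obj, environ)
    return obj

# Constructed sample stanza (property names illustrative, not ForgeRock's real keys); it ships unchanged in the image.
TEMPLATE = json.loads("""{
  "userStore": {
    "host": "&{am.stores.user.host|ds.default.svc.cluster.local}",
    "port": "&{am.stores.user.port|1636}",
    "bindDn": "&{am.stores.user.binddn|uid=admin}",
    "bindPassword": "&{am.stores.user.password}"
  }
}""")

def render(environ):
    """Produce the per-environment config from the one template baked into the image."""
    return resolve(TEMPLATE, environ)

if __name__ == "__main__":
    print(json.dumps(render({"AM_STORES_USER_PASSWORD": "constructed-secret"}), indent=2))
```

Because the password placeholder carries no default, a pod whose Secret was not mounted fails at start-up, which is the failure mode you want for an immutable image that is promoted unchanged from dev to production.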

Editor's Notes

  • Founded in 1999 - 18 years implementing and maintaining broad spectrum of IAM solutions
    All Employees located in NJ Headquarters
    80+ Advisory and MSS Employees solely focused on IAM
    No Contractors - Full-time employees only
    U.S. Citizens
    Nationwide IAM Clients
    Dedicated Service Center
    Highly Specialized Support Engineers
    24 x 7 x 365 Resource Availability
    Individually Tailored Support Solutions
  • Definition: Taking a vendor product, containerizing it and deploying it as your IAM infrastructure (e.g. taking FR products and assets and deploying FR as a set of Docker images into a Kubernetes cluster)
  • BULLET 1:
    Containerization as a deployment technology is booming right now
    It’s the way clients are starting to deploy software as a practice

    BULLET 2:
    Identity infrastructure isn’t different – everything can be deployed this way (applications, systems that support these apps –same characteristics)
    Repeatable builds
    Trend of deploying software reliably, systematically using a containerized approach

  • Three options for deploying your IAM infrastructure: IDaaS, deploy traditionally, containerized

    So WHY containerized IAM?

    1. Get EXACTLY the system that you want – can be customized and there’s no need to settle for OOTB functionality
    2. Operational characteristics of an IDaaS (customization capabilities of an on-premise deployment, operational functionality of an IDaaS)
    3. Docker / Kubernetes – Extension of what is already being done on the app / dev side – Deploy whole infrastructure this way (needs to be supported by a third party or supported by you) *as companies modernize their infrastructure, they want to use this strategy; consistent software delivery methodology
  • Implications

    Vendor products need to support containerization (not every one can be done this way)
    Need to change thinking about how applications are deployed (DevOps mentality) or third party;
    What do you need to get here? – transition to Warren
  • Back in the dark ages, before DevOps, there was the Run Book!

    Documented procedures on how to make changes in production
    Deployment cadence: yearly
    Servers were “Pets” (Snowflake servers) and “Mutable”.
  • Demand from customers and partners for increased deployment velocity, lower deployment cost, public cloud IaaS

    Began by looking at scripted deployments using Ansible (frstack project)
    Moderate success
    Automated the complexity. Didn’t fix it

    Conclusions:
    Significant product changes needed to simplify deployment
    Solve for complexity - don’t automate it
    Move from java war files to containers as the delivery vehicle
    Kubernetes as the orchestration platform


  • Cloud agnostic. Any Cloud + Bare Metal
    Think of Kubernetes as AWS in a box
    Broad Industry Support - CNCF project
    The “linux” of container management
    The container orchestration wars are over…
  • Core engineering required to make products “12Factor” like
    Prefer Stateless vs. Stateful
    Kubernetes/Container friendly
    Support Infrastructure as Code (a.k.a. configuration as an artifact)
    Support for Immutable deployment models (no snowflake servers)
  • Kubernetes is not magic pixie dust. It enables ease of use, but does not guarantee it
  • ForgeRock Access Manager
    Import / Export configuration as json
    Autonomous servers. AM servers are “Cattle” - no server identity.
    Stateless sessions - improved horizontal scalability

    Platform
    Commons configuration - Template json configuration using common expressions. Use environment variables, system properties (12 factor practice)
    Evaluation docker images available on bintray
    docker pull forgerock-docker-public.bintray.io/forgerock/opendj:6.0.0
    Sample Helm charts / Kubernetes manifests
  • What makes AWS an ideal environment to deploy a containerized model?

    1. Maturity; widely used by most organizations; market leader in cloud

    2. Breadth of services available is unparalleled in the cloud vendor market;

    3. Can be spread throughout organization

    Downside – good environment to run containerized solutions – up until recently, not much native support for Docker and Kubernetes – but clusters can be built on top of their platform
  • REQUIREMENTS / ISSUES
    Multiple legacy vendor products deployed as a result of failed migrations
    Spending a lot of money managing and modernizing their platform
    Wanted to go to an IDaaS solution
    No single IDaaS vendor that would satisfy their needs – proposed to deploy FR in the cloud, in a containerized deployment in a public cloud environment using both FR and HCM products – satisfy all use cases for the client (AM, Gov, etc.)

    COMPLEXITY
    Can implement any use case required by the client
    Not constrained by a lowest common denominator IDaaS solution
    Nothing off the table
    Client controlled – not dependent on vendor

    COST

  • Break down on a per user basis (what did they spend previously?)
    Custom solution below what Okta can provide

    Fully customized – all software – cloud – multiple stages of implementation (IDM, AM, DS, Governance)

    Price with PS Per user per month – FR products, gold support from fr, PS, Governance Stack, HCM Tier 3 support, Three phase project implementing OpenIDM, OpenAccess and subsequent phases, Managed CloudService on AWS (average)
  • We’ve focused on AWS today, but this solution can work on many other cloud providers.
    That being said, AWS is a strong provider to utilize

    This is the future of how software will be deployed. The individual tech vendor may change, but the concept of containerization and orchestration is the way to get internet scale

    It’s definitely worth moving this direction, especially if you are building something that requires these characteristics
  • Note for following two webcasts and quick summaries

    #2- Deeper dive into the architecture behind running containerized IAM on AWS and what your team needs for a successful deployment
    #3- The benefits and challenges of running containerized Identity systems in the cloud and what it’s like to run and operate

    You can sign up for them now. The links to registration are here and will also be sent out in the follow up email.
