Coding Secure Infrastructure in the Cloud using the PIE framework

1. Coding Secure Infrastructure in the Cloud using the PIE framework Peco Karayanev James Wickett

2. @wickett • Operations and Security for software delivered on the cloud • National Instruments, R&D • Certs: CISSP, GSEC, GCFW, CCSK • Tags: OWASP, Cloud, DevOps, Ruby • Blogger at theagileadmin.com • I do stuff for LASCON (http://lascon.org) • Twitter: @wickett

3. @bproverb • Peco Karayanev • OpNet, Senior Applications Engineer • Tags: APM, Java, DevOps, Big Data • Blogger at theagileadmin.com • Twitter: @bproverb

4. About OPNET Technologies, Inc. Corporate Overview • Founded in 1986 • Publicly traded (NASDAQ: OPNT) • HQ in Bethesda, MD • 600 employees • Worldwide presence through direct offices and channel partners Best-in-Class Solutions and Services • Application Performance Management • Network Performance Management Strong Financial Track Record • Long history of profitability • Annual revenue: $140M • 25% of revenue re-invested in R&D test Broad Customer Base • Corporate Enterprises • Government Agencies • Network Service Providers OPNET Confidential – Not for release to third parties 4 © 2011 OPNET Technologies, Inc. All rights reserved. OPNET and OPNET product names are trademarks of OPNET Technologies, Inc. Rev. 04-01-2011

5. National Instruments • 30 years old; 5000+ employees around the world, half in Austin, mostly engineers; $873M in 2010 • Hardware and software for data acquisition, embedded design, instrument control, and test • LabVIEW is our graphical dataﬂow programming language used by scientists and engineers in many ﬁelds

6. From toys to black holes

7. Cloud @ NI We built a DevOps team to rapidly deliver new SaaS products and product functionality using cloud hosting and services (IaaS, PaaS, SaaS) as the platform and operations, using model driven automation, as a key differentiating element. With this approach we have delivered multiple major products to market quickly with a very small stafﬁng and ﬁnancial outlay.

8. NI’s Cloud Products • LabVIEW Web UI Builder • FPGA Compile Cloud • more to come...

9. ni.com/uibuilder

10. FPGA Compile Cloud • LabVIEW FPGA compiles take hours and consume extensive system resources; compilers are getting larger and more complex • Implemented on Amazon - EC2, Java/Linux,C#/.NET/Windows, and LabVIEW FPGA • Also an on premise product, the “Compile Farm”

11. Our design tools are primitive

12. Our operation tools are primitive

13. Our system engineering challenges are greater < year 2000 the modern era

14. If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea - Antoine Jean-Baptiste Marie Roger de Saint Exupéry

15. The vision

16. What is Rugged?

17. Adversity fueled innovation • NASA in Space • Military hard drives • ATMs in Europe

18. The Internets is Mean • Latency • Distribution • Anonymity • Varied protocols • People

19. Systems are complex • “How Complex Systems Fail” • Failure at multiple layers • Synonyms in other industries • Defense in Depth

20. Software needs to meet adversity

21. Intro to Rugged by analogy

22. Current Software

23. Rugged Software

25. Rugged Software

27. Rugged Software

29. Rugged Software

31. Rugged Software

33. Rugged Software

34. Rugged Software Manifesto

35. I am rugged... and more importantly, my code is rugged.

36. I recognize that software has become a foundation of our modern world.

37. I recognize the awesome responsibility that comes with this foundational role.

38. I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

39. I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

40. I recognize these things - and I choose to be rugged.

41. I am rugged because I refuse to be a source of vulnerability or weakness.

42. I am rugged because I assure my code will support its mission.

43. I am rugged because my code can face these challenges and persist in spite of them.

44. I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.

45. Qualities of Rugged Software • Availability - Speed and performance • Longevity, Long-standing, persistent - Time • Scalable, Portable • Maintainable and Defensible - Topology Map • Resilient in the face of failures • Reliable - Time, Load

46. Security vs. Rugged • Absence of • Verification of Events quality • Cost • Benefit • Negative • Positive • FUD • Known values • Toxic • Affirming

47. DevOps

48. It’s not our problem anymore

49. DevOps is not just making the wall shorter before after

50. -Alex Honor, dev2ops

51. Programmable Infrastructure Environment

52. The PIE vision

53. People that built PIE Peco Karayanev crazy to dream up PIE and foolish to try to build it Ernest Mueller godfather and proponent of DevOps in PIE James Wickett chief evangelist of PIE Michael Truchard ensuring PIE is as much for dev as it is for ops William Hackett evolving PIE from hackery to legit software. Karthik Gaekwad reminding PIE to KISS Kar Meng Chow ensuring PIE is a tool for daily ops Mohd Hafiz Ramly boldly taking PIE to new heights John Hill herding the PIE cats

54. What is PIE? • a a framework to define, provision, monitor, and control cloud-based systems • written in Java, uses SSH as transport, currently supports Amazon AWS (Linux and Windows) and MS Azure • takes an XML-based model from source control and creates a full running system • to define, provision, monitor, and control cloud-based systems

55. What do we like about PIE? • Collaborative system design and development • Automation for building, provisioning and controlling cloud systems • From source to running multi- tier cloud system in minutes • Infrastructure as code

56. What do we use PIE for • Provisioning cloud instances • Creating new environments • Deploying & configuring software • Deploying & configuring applications • Backups • Log aggregation • Auto-scaling roles based on demand • Running tests • Continuous integration • Release workflows • Auditing cloud resource usage • Integrating with revision control & software build

57. can we do better?

58. Security features and use cases • Increase the visibility and auditability of the system • Track dependencies and what code is deployed where • Diff versions of the system and see changes • Role based auth for operators • No manual steps • Passwords able to be changed with a few PIE commands • Keys out of the model • Ports and user/pass changes • App Config • Audit / Running state vs. model diff

59. Architecture o Document based Architecture Definition Language o Command orchestration,dispatch and execution engine o Runtime Registry o Command Line Interface

60. ADL (Architecture Definition Language) • Structural model of the system described in XML documents. • 4 Level Hierarchy - System,SubSystem,Role,Service

61. ADL (continued) Each entity is defined in XML and holds meta-data about resources and commands.

62. Command Execution & Orchestration • The execution engine can dispatch and execute commands to remote machines. • More complex workflows can be created from simple commands. • Commands can be overloaded in different model components.

63. Runtime Registry & Name Service • The Runtime registry tracks the state and dependencies • The Name service keeps a namespace for instances.

64. Command Line Interface Example full command line invocation: Target Query string explained:

65. Demo • On Azure o Provision an environment. o Deploy an app and test. o Update the model and turn off port 80. o Redeploy and test the app. o De-provision the environment.

66. Rugged DevOps Results • repeatable – no manual errors • reviewable – model in source control • rapid – bring up, install, conﬁgure, and test dozens of systems in a morning • resilient – automated reconﬁguration to swap servers (throw away infrastructure) • rugged by design devops by culture

67. Roadmap • Open Source • More security workflows • Azure data management workflows • Add support for external keystores • ADL and model usability features • Port AWS functionality to 2.0 version • New shiny distributed orchestration engine • Add user auth through LDAP or other repos • IDE to simplify design • More powerful script engine

68. PIE now and future (now) (28 years later)

69. Recommended Reading

70. Want the slides? send me a tweet @wickett

Coding Secure Infrastructure in the Cloud using the PIE framework

Du liest eine Vorschau.

Hier ansehen

Coding Secure Infrastructure in the Cloud using the PIE framework

Weitere Verwandte Inhalte

Diashows für Sie (20)

Andere mochten auch (10)

Ähnlich wie Coding Secure Infrastructure in the Cloud using the PIE framework (20)

Weitere von James Wickett (20)

Aktuellste (20)