Securing the Cloud Native Stack


  • Apcera Confidential

    Hector Tapia, Principal Solutions Consultant

    Securing the Cloud-Native Stack

  • Software as a competitive advantage

    Lots of people talk about these companies and use them as examples of how innovation disrupts the marketplace.

    What do these innovative companies have in common?

    Speed of innovation
    Always-available services
    Web scale
    Device-centric user experiences
    Quick recovery from failures

    Cloud-native application architectures are key to enabling the business model that gave these companies their disruptive character.

  • Why Cloud-Native Application Architectures?

    Speed, Safety, Scale

  • Cloud Native Applications are Architected Differently

    Two common examples of cloud-native applications are twelve-factor applications and microservices.

    Handling Failures: Every integration point will eventually fail one time or another; be prepared to handle all kinds of failures.

    Services: All functionality is published and consumed via web services.

    Horizontal Scalability: Designed for scale out.

    Asynchronous Processing: Break down the task and process requests asynchronously; use messaging to decouple functionality; eventual consistency model.

    Stateless Model: Build stateless services that can be scaled out and load balanced.
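    One concrete way to "be prepared to handle all kinds of failures" at an integration point is a circuit breaker: bound every call with a timeout, stop calling a dependency that keeps failing, and serve a degraded answer instead of cascading the failure. The block below is an added example written for this page, not code from the slides or from Apcera; `CircuitBreaker`, `get_catalog`, `FlakyCatalog`, `FakeClock` and the sample catalog data are constructed for illustration.

```python
"""Circuit breaker with a call timeout and a degraded fallback.

Added example for this page (not Apcera's code). The class, function and
sample dependency names below are invented; FlakyCatalog and FakeClock are
constructed stand-ins for a real upstream service and wall-clock time.
"""
import time
from concurrent.futures import ThreadPoolExecutor
from enum import Enum


class State(Enum):
    CLOSED = "closed"        # calls flow normally
    OPEN = "open"            # dependency is failing: skip calls, fail fast
    HALF_OPEN = "half_open"  # reset timeout elapsed: let one probe call through


class CircuitOpen(Exception):
    """Raised when a call is refused because the circuit is open."""


class CircuitBreaker:
    def __init__(self, name, failure_threshold=3, reset_timeout=30.0,
                 call_timeout=1.0, clock=time.monotonic):
        self.name = name
        self.failure_threshold = failure_threshold
        self.reset_timeout = reset_timeout
        self.call_timeout = call_timeout
        self.clock = clock                 # injectable so tests can advance time
        self.state = State.CLOSED
        self.failures = 0
        self.opened_at = 0.0
        self._pool = ThreadPoolExecutor(max_workers=4)

    def call(self, fn, *args, **kwargs):
        """Run fn through the breaker: bounded by call_timeout, refused while open."""
        if self.state is State.OPEN:
            if self.clock() - self.opened_at < self.reset_timeout:
                raise CircuitOpen(f"{self.name}: circuit open, call skipped")
            self.state = State.HALF_OPEN   # one probe decides whether to close again
        future = self._pool.submit(fn, *args, **kwargs)
        try:
            # A hung dependency is a failure too: never wait longer than call_timeout.
            result = future.result(timeout=self.call_timeout)
        except Exception:
            self._on_failure()
            raise
        self._on_success()
        return result

    def _on_failure(self):
        self.failures += 1
        if self.state is State.HALF_OPEN or self.failures >= self.failure_threshold:
            self.state = State.OPEN
            self.opened_at = self.clock()

    def _on_success(self):
        self.failures = 0
        self.state = State.CLOSED


def get_catalog(breaker, upstream, cached):
    """Serve the catalog from upstream; degrade to the cached copy on any failure."""
    try:
        return breaker.call(upstream)
    except CircuitOpen:
        return cached   # fail fast: the struggling dependency is not even contacted
    except Exception:
        return cached   # error or timeout: degrade rather than cascade the failure


# --- constructed stand-ins used by the demo and the tests -------------------
class FlakyCatalog:
    """Upstream that fails its first `fail_first` calls, then recovers."""
    def __init__(self, fail_first):
        self.fail_first = fail_first
        self.calls = 0

    def __call__(self):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise ConnectionError("catalog service unreachable")
        return ["widget", "gadget"]


class FakeClock:
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def slow_dependency(delay=0.5):
    """Simulates a hung integration point."""
    time.sleep(delay)
    return "late answer"


if __name__ == "__main__":
    clock, upstream = FakeClock(), FlakyCatalog(fail_first=3)
    cb = CircuitBreaker("catalog", failure_threshold=3, reset_timeout=30, clock=clock)
    for _ in range(5):
        print(get_catalog(cb, upstream, ["widget (cached)"]), cb.state.value)
    clock.now = 31          # reset timeout elapsed: next call is a probe
    print(get_catalog(cb, upstream, ["widget (cached)"]), cb.state.value)
```

    The breaker treats a timeout exactly like a thrown error, which is the point of the slide: a dependency that hangs is as much a failure as one that refuses connections, and the caller must not hang with it. Once the breaker is open the dependency is not contacted at all until the reset timeout has passed, so a struggling service gets room to recover instead of being hammered by retries.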

  • The twelve-factor app is a collection of patterns for cloud-native application architectures

    1. Codebase: One codebase tracked in revision control, many deploys
    2. Dependencies: Explicitly declare and isolate dependencies
    3. Config: Store config in the environment
    4. Backing Services: Treat backing services as attached resources
    5. Build, release, run: Strictly separate build and run stages
    6. Processes: Execute the app as one or more stateless processes
    7. Port Binding: Export services via port binding
    8. Concurrency: Scale out via a process model
    9. Disposability: Maximize robustness with fast startup and graceful shutdown
    10. Dev/Prod parity: Keep development, staging, and production as similar as possible
    11. Logs: Treat logs as event streams
    12. Admin processes: Run admin/management tasks as one-off processes
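    Several of these factors have a direct security consequence: config and secrets that live in the environment are never committed to the codebase, a process that fails closed when its configuration is incomplete never runs half-configured, and a log stream must not carry the secrets it was handed. The skeleton below is an added example written for this page, not code from the slides or from Apcera; it implements factors III (config), VII (port binding), IX (disposability) and XI (logs) for a minimal HTTP service. The variable names DATABASE_URL, API_TOKEN, PORT and LOG_LEVEL are assumptions for the example.

```python
"""Twelve-factor service skeleton.

Added example for this page, not code from the slides or from Apcera. It
shows four of the factors in running code: configuration (including secrets)
comes from the environment and is validated before anything starts; the
service exports itself by binding PORT; logs are a JSON event stream on
stdout with secrets redacted; and SIGTERM produces a graceful shutdown.
The variable names DATABASE_URL, API_TOKEN, PORT and LOG_LEVEL are assumed.
"""
import json
import os
import signal
import sys
import threading
import time
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit

REQUIRED = ("DATABASE_URL", "API_TOKEN")   # secrets get no defaults: fail closed


@dataclass(frozen=True)
class Config:
    port: int
    database_url: str
    api_token: str
    log_level: str


def load_config(env):
    """Factor III: build Config from an environment mapping; refuse to start if incomplete."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise RuntimeError("missing required configuration: " + ", ".join(missing))
    port = int(env.get("PORT", "8080"))
    if not 1 <= port <= 65535:
        raise ValueError(f"PORT out of range: {port}")
    return Config(port=port, database_url=env["DATABASE_URL"],
                  api_token=env["API_TOKEN"],
                  log_level=env.get("LOG_LEVEL", "info").lower())


def redact_url(url):
    """Strip the password from a backing-service URL before it reaches a log line."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    if parts.port:
        host += f":{parts.port}"
    netloc = f"{parts.username}:***@{host}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def log_event(event, **fields):
    """Factor XI: one JSON record per event on stdout; the platform collects the stream."""
    record = {"ts": time.time(), "event": event, **fields}
    sys.stdout.write(json.dumps(record) + "\n")
    sys.stdout.flush()
    return record


class Health(BaseHTTPRequestHandler):
    def do_GET(self):
        body = b'{"status":"ok"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):   # route the server's own logs into the event stream
        log_event("http.request", path=self.path)


def serve(cfg):
    """Factors VII and IX: bind PORT, then stop cleanly when the platform sends SIGTERM."""
    server = HTTPServer(("0.0.0.0", cfg.port), Health)
    stop = threading.Event()
    signal.signal(signal.SIGTERM, lambda signum, frame: stop.set())
    signal.signal(signal.SIGINT, lambda signum, frame: stop.set())
    threading.Thread(target=server.serve_forever, daemon=True).start()
    log_event("startup", port=cfg.port, database=redact_url(cfg.database_url))
    stop.wait()
    log_event("shutdown")
    server.shutdown()      # lets in-flight requests finish, then returns
    server.server_close()


if __name__ == "__main__":
    try:
        serve(load_config(os.environ))
    except (RuntimeError, ValueError) as exc:
        log_event("startup.failed", error=str(exc))
        sys.exit(1)
```

    Run it as `DATABASE_URL=postgres://app:s3cret@db.internal:5432/shop API_TOKEN=... PORT=9000 python service.py`; the startup event shows the database URL with the password replaced, and `kill -TERM <pid>` produces a shutdown event rather than an abrupt exit. Because the secrets are read from the process environment, rotating them is a redeploy with new values, with no change to the codebase.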

  • MicroServices

    A way of designing software applications as suites of independently deployable services.

    [Image: Wall-E, copyright Disney/Pixar]

  • How to get Cloud-Native?

    New requirements for Developers and Operations:

    Fast, tested, fail-safe, small changes continuously deployed to production.
    Measure, share visibility and provide user feedback to the business, continuously.
    Small experiments: test assumptions, fail fast and learn!

  • Most build software for innovation and differentiation

    By 2020, 75% of application purchases supporting digital business will be build, not buy. (Forecast Analysis: Enterprise Application Software, Worldwide, 2Q15 Update)

  • But innovation doesn't come without risk: Recent Hack Attacks

  • The Cloud-Native Stack - Taxonomy

    Code: Programming languages, frameworks and libraries that comprise applications

    Workflow / Management: Code deployment pipelines, automation and configuration management frameworks, container and infrastructure management

    Orchestration (Scheduling & Cluster Management): Tools which automatically run and manage jobs, containers and hosts in a cluster

    Service Discovery: Tools enabling an application or service to discover information about its environment and the other components needed to form a larger system

    Container Engine: Specification and execution engine for operating-system-level virtualization, running multiple isolated Linux systems

    Minimal OS: Lightweight operating system that manages the compute resources needed to deploy applications in containers

    Virtual Infrastructure: Emulated physical compute, network and storage resources that are the basis for cloud-based architectures

    Physical Infrastructure: Physical servers, switches, routers and storage arrays that occupy the datacenter

    The slide brackets these layers into two groups: Tools (the upper layers) and Infrastructure (the lower layers).


  • The Cloud-Native Stack - Where does it have to be secured?

    Who: Authentication mechanism; policy changes

    How Much: Resource usage (memory, CPU, IO)

    What: Networking (ingress & egress); service user; data use

    Which: Staging pipelines; package selection

    Where: Execution location; workload deployment and changes

  • Not everybody is ready, not everything is cloud-native

    Cloud-native originated in customer-facing tech companies.

    Customer-Facing Tech                 Traditional Enterprises
    Spend 20%+ of revenue on R&D         Spend 2-4% of revenue on R&D
    Employ highly paid developers        Employ normal people
    Internet-scale                       Enterprise-scale
    Technology is their business         Thousands of apps
                                         Technology seen as a tax

  • There are many places in the new cloud-native architecture where governance is needed

    [Diagram of an example e-commerce deployment: Load Balancer (HTTP/S & TCP); Router; UIs for Order Management, Browse Products, Account Management and Checkout; Customer Profile, Catalog, Order and Payment services; two DBs; ESB / ETL]


    The governance questions the diagram raises:

    What users and IP addresses can come into the cluster?
    What packages can be used to deploy to production?
    What Docker images can be used? What repositories?
    What workload can communicate with other workloads?
    Which workloads can egress? What external services?
    What services can the workload bind to?
    What resources can each workload have? Where can they be scheduled?
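    Those questions, together with the Who / How Much / What / Which / Where breakdown on the earlier "where does it have to be secured" slide, amount to a policy that every deployment request should be checked against before a workload is scheduled. The block below is an added example written for this page, not Apcera's code or policy model: a small evaluator that answers each question for a request and returns the violations, with default deny for anything the policy does not list. `POLICY`, the `Deployment` fields, the registry and host names, and the two sample requests are all constructed.

```python
"""Deployment governance check for a cloud-native cluster.

Added example, not Apcera's code or policy model: a small evaluator that asks
the governance questions from the slide of each deployment request. Who may
deploy and from where, which images and repositories are allowed, what the
workload may talk to and egress to, how much it may consume, and where it may
run. POLICY, the Deployment fields and the sample requests are invented.
"""
import ipaddress
import re
from dataclasses import dataclass

# Images must be pinned by digest so "what was deployed" is unambiguous.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

# Constructed policy. Anything not listed is denied (default deny).
POLICY = {
    "allowed_users": {"alice", "ci-bot"},
    "allowed_ingress_cidrs": ["10.0.0.0/8", "192.168.1.0/24"],
    "allowed_registries": ["registry.example.internal/"],
    "image_must_be_pinned": True,
    "limits": {"cpu_millicores": 2000, "memory_mb": 4096},
    "allowed_links": {              # east-west traffic, per workload
        "checkout-ui": {"order-service", "customer-profile-service"},
        "order-service": {"payment-service", "catalog-service"},
    },
    "allowed_egress": {             # external services, per workload
        "payment-service": {"api.psp.example"},
    },
    "allowed_locations": {          # scheduling zones, "*" is the default
        "payment-service": {"pci-zone"},
        "*": {"general"},
    },
}


@dataclass(frozen=True)
class Deployment:
    name: str
    requester: str          # who
    source_ip: str          # who, and from where the request arrives
    image: str              # which package / image / repository
    cpu_millicores: int     # how much
    memory_mb: int          # how much
    talks_to: tuple         # what: other workloads it needs
    egress_hosts: tuple     # what: external services it needs
    location: str           # where it asks to be scheduled


def evaluate(dep, policy=POLICY):
    """Return the list of violations; an empty list means the deployment is allowed."""
    v = []
    # Who: only known principals, only from approved networks
    if dep.requester not in policy["allowed_users"]:
        v.append(f"who: requester {dep.requester!r} may not deploy")
    ip = ipaddress.ip_address(dep.source_ip)
    if not any(ip in ipaddress.ip_network(c) for c in policy["allowed_ingress_cidrs"]):
        v.append(f"who: source IP {dep.source_ip} is outside the allowed ingress ranges")
    # Which: images only from approved repositories, pinned to a digest
    if not any(dep.image.startswith(r) for r in policy["allowed_registries"]):
        v.append(f"which: image {dep.image!r} is not from an approved repository")
    if policy["image_must_be_pinned"] and not DIGEST_RE.search(dep.image):
        v.append(f"which: image {dep.image!r} is not pinned to a sha256 digest")
    # How much: hard ceilings on resources
    limits = policy["limits"]
    if dep.cpu_millicores > limits["cpu_millicores"]:
        v.append(f"how much: {dep.cpu_millicores}m CPU exceeds limit {limits['cpu_millicores']}m")
    if dep.memory_mb > limits["memory_mb"]:
        v.append(f"how much: {dep.memory_mb}MB memory exceeds limit {limits['memory_mb']}MB")
    # What: east-west links and egress are default deny
    for peer in dep.talks_to:
        if peer not in policy["allowed_links"].get(dep.name, set()):
            v.append(f"what: {dep.name} may not communicate with {peer}")
    for host in dep.egress_hosts:
        if host not in policy["allowed_egress"].get(dep.name, set()):
            v.append(f"what: {dep.name} may not egress to {host}")
    # Where: scheduling is restricted per workload
    zones = policy["allowed_locations"].get(dep.name, policy["allowed_locations"]["*"])
    if dep.location not in zones:
        v.append(f"where: {dep.name} may not be scheduled in {dep.location!r}")
    return v


# Constructed sample requests
GOOD = Deployment(
    name="payment-service", requester="ci-bot", source_ip="10.1.2.3",
    image="registry.example.internal/shop/payment@sha256:" + "a" * 64,
    cpu_millicores=500, memory_mb=1024, talks_to=(),
    egress_hosts=("api.psp.example",), location="pci-zone",
)
BAD = Deployment(
    name="checkout-ui", requester="mallory", source_ip="203.0.113.5",
    image="docker.io/library/nginx:latest",
    cpu_millicores=8000, memory_mb=512, talks_to=("payment-service",),
    egress_hosts=("example.com",), location="pci-zone",
)

if __name__ == "__main__":
    for dep in (GOOD, BAD):
        problems = evaluate(dep)
        print(dep.name, "ALLOWED" if not problems else "DENIED")
        for p in problems:
            print("  -", p)
```

    The evaluator reports every violation rather than stopping at the first, so a denied request tells the requester everything that has to change. Two design choices carry most of the security value: links, egress and scheduling zones are allow-lists keyed by workload name (a workload the policy has never heard of gets the most restrictive defaults), and images are accepted only from an approved repository and only when pinned by digest, so a mutable tag like `latest` cannot quietly change what runs in production.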

  • apcera.com nats.io kurma.io

    docs.apcera.com

    We are hiring!