Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing IaaS in the cloud

Published byRoy Lyons Modified over 5 years ago

Similar presentations

Presentation on theme: "Securing IaaS in the cloud"— Presentation transcript:

1 Securing IaaS in the cloud
Ansible Alliance Securing IaaS in the cloud Lake Laberge, Yukon Territory, Canada. Shutterstock Greg Cormier, Kevin Dutton, Alex Imray-Papineau

2 Background DFO started their cloud journey in 2017
By volume of data, mostly unclassified data related to science A number of systems at the Protected B level DFO’s cloud strategy is multi-cloud DFO chose Azure as their first cloud service provider to focus efforts, and AWS is the second rolling out in 2019

3 The Problem Cloud requires skills in various domains which are generally maintained by other teams (SSC) Some of these areas are well known to Cloud Service Providers As a result, they offer tailored solutions specific to their cloud offering Infrastructure as a Service (IaaS) has the biggest burden of responsibility for the customer How do we handle IaaS management? - Networking, Storage, Backups, Patching, automation

4 Our first attempt at a solution…
Provider specific tools Azure Update Management Azure Automation DSC (Desired State Config) Fairly good integration into the Azure ecosystem Portal integration was good

5 Were we ready to do this all over again in AWS?
… reality sets in We had to deal with powered-off VM’s Failed updates often caused issues and broke things The solution didn’t feel production ready All of the efforts, and any of the attempted problem solving or customization would take more work Were we ready to do this all over again in AWS?

6 Problem Redefined How do we handle IaaS management, in a cloud service provider agnostic manner? How do we get, at a glance, the status of all our infrastructure in the cloud?

7 “Ansible is an open-source software provisioning, configuration management, and application-deployment tool.”

8 Ansible Lets us maintain the state of a VM
Ansible is agent-less – it talks directly to an operating system (whether it is on the cloud or not) Linux - SSH to talk to the target Windows - WinRM (SSH under development) Playbooks are a YAML file that describes what to do Ansible handles multiple executions of the same playbook against hosts for most modules Ansible provides a simple way to enforce common software installations, or common settings, across multiple hosts

9 Example Windows Playbooks
- name: Install all security, critical, and rollup updates win_updates: category_names: - SecurityUpdates - CriticalUpdates - UpdateRollups - name: Restart a service win_service: name: spooler state: restarted

10 Example Linux Playbooks
- name: Upgrade all Linux packages to the latest version apt: name: "*" state: latest - name: Ensure the httpd service is running service: name: httpd state: started become: true

11 Example Execution - name: This is a hello-world example
hosts: tasks: - name: Create a file called '/tmp/testfile.txt' with the content 'hello world'. copy: content: hello world dest: /tmp/testfile.txt

12

13 AWX adds a web-based user interface, job scheduling, inventory management, reporting, workflow automation, credential sharing, and tooling to enable delegation. AWX is the open source project behind Red Hat Ansible Tower.

14 AWX AWX lets us take simple Ansible playbooks, and apply the management at a much larger scale It supports various sources for the inventory, including Azure, AWS, GCP, VMWare vCenter It can use code repositories as the source for the playbooks, to allow simple updates and deployments We can define schedules to run different playbooks as required - Best of all, it’s the GUI!

15

16 AWX at DFO Hourly compliance playbooks based on the ULL profile
Nightly patching playbooks, with Azure Automation integration for powering on shutdown VM’s We can apply this to any VM, whether it’s on Azure or on AWS, and have a single pane to view the status of our security and patching tasks.

17 Back to Security Ansible let’s us easily define the blueprints on what configurations or changes an OS needs We decided to use this to define our security blueprint Using an existing list of settings from TBS, we converted these to Ansible Playbooks

18

19 Ansible Alliance https://github.com/dfocloud/ansible-alliance
We’re looking for departments to help contribute towards a PBMM hardening profile We can change the implementation of various controls over time as the OS matures For security, the more eyes, the better! Combine our IT expertise for various aspects of hardening

20 Demo and Questions

Download ppt "Securing IaaS in the cloud"

Similar presentations

Lower costs and improve predictability Automation Enable service owners to focus on work that adds business value Reduce error-prone manual activities.

Lower costs and improve predictability Automation Enable service owners to focus on work that adds business value Reduce error-prone manual activities.
Integrate into existing systems with PowerShell integration modules Extend by building PS modules to enable integrating into other systems Optimize.

Integrate into existing systems with PowerShell integration modules Extend by building PS modules to enable integrating into other systems Optimize.
Deployment and Configuration Management Solution

Deployment and Configuration Management Solution
Monitor Linux OS health & performance Monitor log files Monitor JEE app servers Monitor line-of-business applications Monitor databases and web.

Monitor Linux OS health & performance Monitor log files Monitor JEE app servers Monitor line-of-business applications Monitor databases and web.
Worker Role Web Role Web Role VM Role Control Abstraction (i.e. Less IT & Less Plumbing Code) Admin Web / Worker Role VM Role Web / Worker Role.

Worker Role Web Role Web Role VM Role Control Abstraction (i.e. Less IT & Less Plumbing Code) Admin Web / Worker Role VM Role Web / Worker Role.
Automate Microsoft Azure Ross Sponholtz Mark Ghazai.

Automate Microsoft Azure Ross Sponholtz Mark Ghazai.
STIG Compliance and Remediation with Ansible April 2015.

STIG Compliance and Remediation with Ansible April 2015.
Windows Azure Conference 2014 Running Docker on Windows Azure.

Windows Azure Conference 2014 Running Docker on Windows Azure.
Cloud as a Service Chetan Shinde Column Software Technologies Pvt. Ltd.

Cloud as a Service Chetan Shinde Column Software Technologies Pvt. Ltd.
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.

NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
Automating Operational and Management Tasks in Microsoft Operations Management Suite and Azure

Automating Operational and Management Tasks in Microsoft Operations Management Suite and Azure
1 PUPPET AND DSC. INTRODUCTION AND USAGE IN CONTINUOUS DELIVERY PROCESS. VIKTAR VEDMICH PAVEL PESETSKIY AUGUST 1, 2015.

1 PUPPET AND DSC. INTRODUCTION AND USAGE IN CONTINUOUS DELIVERY PROCESS. VIKTAR VEDMICH PAVEL PESETSKIY AUGUST 1, 2015.
Microsoft Management Seminar Series SMS 2003 Change Management.

Microsoft Management Seminar Series SMS 2003 Change Management.
20409A 7: Installing and Configuring System Center 2012 R2 Virtual Machine Manager Module 7 Installing and Configuring System Center 2012 R2 Virtual.

20409A 7: Installing and Configuring System Center 2012 R2 Virtual Machine Manager Module 7 Installing and Configuring System Center 2012 R2 Virtual.
Infrastructure as code. “Enable the reconstruction of the business from nothing but a source code repository, an application data backup, and bare metal.

Infrastructure as code. “Enable the reconstruction of the business from nothing but a source code repository, an application data backup, and bare metal.
BladeLogic Demo. 03/10/09 BladeLogic Demo BladeLogic Who? Automation taking my job? What? No, it’s making it easier. Started by entrepreneurs who understood.

BladeLogic Demo. 03/10/09 BladeLogic Demo BladeLogic Who? Automation taking my job? What? No, it’s making it easier. Started by entrepreneurs who understood.
Copyright © New Signature 2016. Who we are: Focused on consistently delivering great customer experiences. What we do: We help you transform your business.

Copyright © New Signature Who we are: Focused on consistently delivering great customer experiences. What we do: We help you transform your business.
Ansible and Ansible Tower 1 A simple IT automation platform. www.europeanspallationsource.se 20 November 2015 Leandro Fernandez and Blaž Zupanc.

Ansible and Ansible Tower 1 A simple IT automation platform November 2015 Leandro Fernandez and Blaž Zupanc.
Cloud Installation & Configuration Management. Outline  Definitions  Tools, “Comparison”  References.

Cloud Installation & Configuration Management. Outline  Definitions  Tools, “Comparison”  References.
UFIT Infrastructure Self-Service. Service Offerings And Changes Virtual Machine Hosting Self service portal Virtual Machine Backups Virtual Machine Snapshots.

UFIT Infrastructure Self-Service. Service Offerings And Changes Virtual Machine Hosting Self service portal Virtual Machine Backups Virtual Machine Snapshots.

Similar presentations

Ads by Google