Coding Secure Infrastructure in the Cloud using the PIE framework
Posted 19-Oct-2014
Transcript of Coding Secure Infrastructure in the Cloud using the PIE framework
Peco Karayanev, James Wickett
@wickett
• Operations and Security for software delivered on the cloud
• National Instruments, R&D
• Certs: CISSP, GSEC, GCFW, CCSK
• Tags: OWASP, Cloud, DevOps, Ruby
• Blogger at theagileadmin.com
• I do stuff for LASCON (http://lascon.org)
• Twitter: @wickett
@bproverb
• Peco Karayanev
• OPNET, Senior Applications Engineer
• Tags: APM, Java, DevOps, Big Data
• Blogger at theagileadmin.com
• Twitter: @bproverb
OPNET Confidential – Not for release to third parties © 2011 OPNET Technologies, Inc. All rights reserved. OPNET and OPNET product names are trademarks of OPNET Technologies, Inc.
About OPNET Technologies, Inc.
Corporate Overview
• Founded in 1986
• Publicly traded (NASDAQ: OPNT)
• HQ in Bethesda, MD
• 600 employees
• Worldwide presence through direct offices and channel partners
Best-in-Class Solutions and Services
• Application Performance Management
• Network Performance Management
Strong Financial Track Record
• Long history of profitability
• Annual revenue: $140M
• 25% of revenue re-invested in R&D
Broad Customer Base
• Corporate Enterprises
• Government Agencies
• Network Service Providers
National Instruments
• 30 years old; 5000+ employees around the world, half in Austin, mostly engineers; $873M in 2010
• Hardware and software for data acquisition, embedded design, instrument control, and test
• LabVIEW is our graphical dataflow programming language used by scientists and engineers in many fields
From toys to black holes
Cloud @ NI
We built a DevOps team to rapidly deliver new SaaS products and product functionality using cloud hosting and services (IaaS, PaaS, SaaS) as the platform and operations, using model driven automation, as a key differentiating element.
With this approach we have delivered multiple major products to market quickly with a very small staffing and financial outlay.
NI’s Cloud Products
• LabVIEW Web UI Builder
• FPGA Compile Cloud
• more to come...
ni.com/uibuilder
FPGA Compile Cloud
• LabVIEW FPGA compiles take hours and consume extensive system resources; compilers are getting larger and more complex
• Implemented on Amazon - EC2, Java/Linux, C#/.NET/Windows, and LabVIEW FPGA
• Also an on premise product, the “Compile Farm”
Our design tools are primitive
Our operation tools are primitive
Our system engineering challenges are greater
(timeline: < year 2000 → the modern era)
If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea
- Antoine Jean-Baptiste Marie Roger de Saint Exupéry
The vision
What is Rugged?
Adversity fueled innovation
• NASA in Space
• Military hard drives
• ATMs in Europe
The Internets is Mean
• Latency
• Distribution
• Anonymity
• Varied protocols
• People
Systems are complex
• “How Complex Systems Fail”
• Failure at multiple layers
• Synonyms in other industries
• Defense in Depth
Software needs to meet adversity
Intro to Rugged by analogy
(image slides contrasting Current Software with Rugged Software)
Rugged Software Manifesto
I am rugged... and more importantly, my code is rugged.
I recognize that software has become a foundation of our modern world.
I recognize the awesome responsibility that comes with this foundational role.
I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.
I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.
I recognize these things - and I choose to be rugged.
I am rugged because I refuse to be a source of vulnerability or weakness.
I am rugged because I assure my code will support its mission.
I am rugged because my code can face these challenges and persist in spite of them.
I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.
Qualities of Rugged Software
• Availability - Speed and performance
• Longevity, Long-standing, persistent - Time
• Scalable, Portable
• Maintainable and Defensible - Topology Map
• Resilient in the face of failures
• Reliable - Time, Load
Security vs. Rugged
Security
• Absence of Events
• Cost
• Negative
• FUD
• Toxic
Rugged
• Verification of quality
• Benefit
• Positive
• Known values
• Affirming
DevOps
It’s not our problem anymore
DevOps is not just making the wall shorter
(before / after illustration)
-Alex Honor, dev2ops
Programmable Infrastructure Environment
The PIE vision
People that built PIE
Peco Karayanev crazy to dream up PIE and foolish to try to build it
Ernest Mueller godfather and proponent of DevOps in PIE
James Wickett chief evangelist of PIE
Michael Truchard ensuring PIE is as much for dev as it is for ops
William Hackett evolving PIE from hackery to legit software.
Karthik Gaekwad reminding PIE to KISS
Kar Meng Chow ensuring PIE is a tool for daily ops
Mohd Hafiz Ramly boldly taking PIE to new heights
John Hill herding the PIE cats
What is PIE?
• a framework to define, provision, monitor, and control cloud-based systems
• written in Java, uses SSH as transport, currently supports Amazon AWS (Linux and Windows) and MS Azure
• takes an XML-based model from source control and creates a full running system
What do we like about PIE?
• Collaborative system design and development
• Automation for building, provisioning and controlling cloud systems
• From source to running multi-tier cloud system in minutes
• Infrastructure as code
What do we use PIE for
• Provisioning cloud instances
• Creating new environments
• Deploying & configuring software
• Deploying & configuring applications
• Backups
• Log aggregation
• Auto-scaling roles based on demand
• Running tests
• Continuous integration
• Release workflows
• Auditing cloud resource usage
• Integrating with revision control & software build
can we do better?
Security features and use cases
• Increase the visibility and auditability of the system
• Track dependencies and what code is deployed where
• Diff versions of the system and see changes
• Role based auth for operators
• No manual steps
• Passwords able to be changed with a few PIE commands
• Keys out of the model
• Ports and user/pass changes
• App Config
• Audit / Running state vs. model diff
Architecture
o Document based Architecture Definition Language
o Command orchestration, dispatch and execution engine
o Runtime Registry
o Command Line Interface
ADL (Architecture Definition Language)
• Structural model of the system described in XML documents.
• 4 Level Hierarchy - System, SubSystem, Role, Service
ADL (continued)
Each entity is defined in XML and holds meta-data about resources and commands.
Command Execution & Orchestration
• The execution engine can dispatch and execute commands to remote machines.
• More complex workflows can be created from simple commands.
• Commands can be overloaded in different model components.
Runtime Registry & Name Service
• The Runtime registry tracks the state and dependencies
• The Name service keeps a namespace for instances.
Command Line Interface
Example full command line invocation:
Target Query string explained:
Demo
• On Azure
o Provision an environment.
o Deploy an app and test.
o Update the model and turn off port 80.
o Redeploy and test the app.
o De-provision the environment.
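The security use cases above (diffing running state against the model, keeping keys out of the model) and the demo step that turns off port 80 can be checked mechanically. The following is an added example, not PIE's own code: it uses a made-up XML layout that only borrows the page's System/SubSystem/Role/Service hierarchy (PIE's real ADL schema, the attribute names and the `${vault:...}` reference syntax are all assumptions), parses it, flags literal credentials left in the model, and diffs the model's enabled ports and instance counts against a constructed snapshot of what a runtime registry might report.

```python
"""Added example: audit a source-controlled XML model against observed running state.

The XML layout, attribute names and the ${store:path} secret-reference syntax are
hypothetical; PIE's real ADL schema is not shown on the page.
"""
import re
import xml.etree.ElementTree as ET

# Constructed model (hypothetical ADL-like layout). The "cache" role still carries a
# literal password; "nginx-http" has been turned off, as in the demo.
MODEL_XML = """<System name="webshop">
  <SubSystem name="frontend">
    <Role name="web" instances="2">
      <Service name="nginx" port="443" user="www"/>
      <Service name="nginx-http" port="80" user="www" enabled="false"/>
    </Role>
  </SubSystem>
  <SubSystem name="backend">
    <Role name="db" instances="1">
      <Service name="postgres" port="5432" user="pg" password="${vault:db/pg}"/>
    </Role>
    <Role name="cache" instances="1">
      <Service name="redis" port="6379" user="redis" password="hunter2"/>
    </Role>
  </SubSystem>
</System>
"""

# Constructed snapshot of what a runtime registry might report per instance. The SSH
# transport port is deliberately not part of the snapshot, so it can never show as drift.
RUNNING_STATE = {
    "web-1": {"role": "web", "ports": {443, 80}},   # port 80 still open after the redeploy
    "web-2": {"role": "web", "ports": {443}},
    "db-1": {"role": "db", "ports": {5432, 8080}},  # 8080 is in no model at all
}

SECRET_ATTRS = {"password", "passwd", "secret", "key", "privatekey", "token"}
# A value like ${vault:db/pg} is a pointer into an external keystore, not the secret itself.
REFERENCE = re.compile(r"^\$\{[a-z]+:[^}]+\}$")


def parse_model(xml_text):
    """Return {role_name: {"instances": int, "ports": set of enabled service ports}}."""
    roles = {}
    for role in ET.fromstring(xml_text).iter("Role"):
        ports = set()
        for svc in role.findall("Service"):
            if svc.get("enabled", "true").lower() == "true" and svc.get("port"):
                ports.add(int(svc.get("port")))
        roles[role.get("name")] = {"instances": int(role.get("instances", "1")), "ports": ports}
    return roles


def find_inline_secrets(xml_text):
    """Flag credential-looking attributes whose value is a literal, not a keystore reference."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            if attr.lower() in SECRET_ATTRS and not REFERENCE.match(value):
                findings.append(f"{elem.tag} '{elem.get('name')}': attribute '{attr}' holds a literal secret")
    return findings


def diff_state(roles, running):
    """Compare the registry snapshot with the model: unknown roles, port drift, instance counts."""
    findings = []
    counts = {name: 0 for name in roles}
    for inst, state in sorted(running.items()):
        role = roles.get(state["role"])
        if role is None:
            findings.append(f"{inst}: role '{state['role']}' is not in the model")
            continue
        counts[state["role"]] += 1
        for port in sorted(state["ports"] - role["ports"]):
            findings.append(f"{inst}: port {port} is open but not enabled in the model")
        for port in sorted(role["ports"] - state["ports"]):
            findings.append(f"{inst}: port {port} is in the model but not listening")
    for name, role in roles.items():
        if counts[name] != role["instances"]:
            findings.append(f"role '{name}': model wants {role['instances']} instance(s), registry shows {counts[name]}")
    return findings


def audit(xml_text=MODEL_XML, running=RUNNING_STATE):
    """Secrets-in-model check first, then running state vs. model diff."""
    return find_inline_secrets(xml_text) + diff_state(parse_model(xml_text), running)


if __name__ == "__main__":
    for line in audit():
        print(line)
```

Run as a script it prints one finding per line; in the demo scenario the `web-1` line is the signal that the redeploy did not actually close port 80, and the `redis` line is the "keys out of the model" check failing before anything is provisioned. An empty result is the only acceptable state for a model that is about to be promoted.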
Rugged DevOps Results
• repeatable – no manual errors
• reviewable – model in source control
• rapid – bring up, install, configure, and test dozens of systems in a morning
• resilient – automated reconfiguration to swap servers (throw away infrastructure)
• rugged by design, devops by culture
Roadmap
• Open Source
• More security workflows
• Azure data management workflows
• Add support for external keystores
• ADL and model usability features
• Port AWS functionality to 2.0 version
• New shiny distributed orchestration engine
• Add user auth through LDAP or other repos
• IDE to simplify design
• More powerful script engine
PIE now and future
(image captions: 28 years later / now)
Recommended Reading
Want the slides?
send me a tweet @wickett