Coding Secure Infrastructure in the Cloud using the PIE framework

Peco Karayanev, James Wickett
Posted: 19-Oct-2014

Category: Technology


Description

At National Instruments, we have developed an automation and provisioning framework called PIE (Programmable Infrastructure Environment) that we use daily on our DevOps team. Similar tools are available, such as Chef or Puppet, but what makes PIE unique is its ability to work in multi-cloud deployments (Azure and AWS) along with multiple node OS types (Linux and Windows). It uses ZooKeeper to keep state and track dependencies across nodes and services. When building PIE we actively considered how to implement it in a Rugged way for a DevOps team. As noted in the deck on slide 68, we are Rugged by Design and DevOps by Culture. We see these as intersecting domains that have the ability to impact each other. For more info see ruggeddevops.org

Transcript of Coding Secure Infrastructure in the Cloud using the PIE framework

Page 1: Coding Secure Infrastructure in the Cloud using the PIE framework

Coding Secure Infrastructure in the Cloud using the PIE framework

Peco Karayanev, James Wickett

Page 2: Coding Secure Infrastructure in the Cloud using the PIE framework

@wickett

• Operations and Security for software delivered on the cloud

• National Instruments, R&D

• Certs: CISSP, GSEC, GCFW, CCSK

• Tags: OWASP, Cloud, DevOps, Ruby

• Blogger at theagileadmin.com

• I do stuff for LASCON (http://lascon.org)

• Twitter: @wickett

Page 3: Coding Secure Infrastructure in the Cloud using the PIE framework

@bproverb

• Peco Karayanev

• OpNet, Senior Applications Engineer

• Tags: APM, Java, DevOps, Big Data

• Blogger at theagileadmin.com

• Twitter: @bproverb

Page 4: Coding Secure Infrastructure in the Cloud using the PIE framework


OPNET Confidential – Not for release to third parties © 2011 OPNET Technologies, Inc. All rights reserved. OPNET and OPNET product names are trademarks of OPNET Technologies, Inc.

Rev. 04-01-2011


About OPNET Technologies, Inc.

Corporate Overview

• Founded in 1986

• Publicly traded (NASDAQ: OPNT)

• HQ in Bethesda, MD

• 600 employees

• Worldwide presence through direct offices and channel partners

Best-in-Class Solutions and Services

• Application Performance Management

• Network Performance Management

Strong Financial Track Record

• Long history of profitability

• Annual revenue: $140M

• 25% of revenue re-invested in R&D

Broad Customer Base

• Corporate Enterprises

• Government Agencies

• Network Service Providers

Page 5: Coding Secure Infrastructure in the Cloud using the PIE framework

National Instruments

• 30 years old; 5000+ employees around the world, half in Austin, mostly engineers; $873M in 2010

• Hardware and software for data acquisition, embedded design, instrument control, and test

• LabVIEW is our graphical dataflow programming language used by scientists and engineers in many fields

Page 6: Coding Secure Infrastructure in the Cloud using the PIE framework

From toys to black holes

Page 7: Coding Secure Infrastructure in the Cloud using the PIE framework

Cloud @ NI

We built a DevOps team to rapidly deliver new SaaS products and product functionality, using cloud hosting and services (IaaS, PaaS, SaaS) as the platform and operations, using model driven automation, as a key differentiating element.

With this approach we have delivered multiple major products to market quickly with a very small staffing and financial outlay.

Page 8: Coding Secure Infrastructure in the Cloud using the PIE framework

NI’s Cloud Products

• LabVIEW Web UI Builder

• FPGA Compile Cloud

• more to come...

Page 9: Coding Secure Infrastructure in the Cloud using the PIE framework

ni.com/uibuilder

Page 10: Coding Secure Infrastructure in the Cloud using the PIE framework

Page 11: Coding Secure Infrastructure in the Cloud using the PIE framework

FPGA Compile Cloud

• LabVIEW FPGA compiles take hours and consume extensive system resources; compilers are getting larger and more complex

• Implemented on Amazon - EC2, Java/Linux, C#/.NET/Windows, and LabVIEW FPGA

• Also an on premise product, the “Compile Farm”

Page 12: Coding Secure Infrastructure in the Cloud using the PIE framework

Our design tools are primitive

Page 13: Coding Secure Infrastructure in the Cloud using the PIE framework

Our operation tools are primitive

Page 14: Coding Secure Infrastructure in the Cloud using the PIE framework

Our system engineering challenges are greater

< year 2000 | the modern era

Page 15: Coding Secure Infrastructure in the Cloud using the PIE framework

If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea

- Antoine Jean-Baptiste Marie Roger de Saint Exupéry

Page 16: Coding Secure Infrastructure in the Cloud using the PIE framework

The vision

Page 17: Coding Secure Infrastructure in the Cloud using the PIE framework

What is Rugged?

Page 18: Coding Secure Infrastructure in the Cloud using the PIE framework

Adversity fueled innovation

• NASA in Space

• Military hard drives

• ATMs in Europe

Page 19: Coding Secure Infrastructure in the Cloud using the PIE framework

The Internets is Mean

• Latency

• Distribution

• Anonymity

• Varied protocols

• People

Page 20: Coding Secure Infrastructure in the Cloud using the PIE framework

Systems are complex

• “How Complex Systems Fail”

• Failure at multiple layers

• Synonyms in other industries

• Defense in Depth

Page 21: Coding Secure Infrastructure in the Cloud using the PIE framework

Software needs to meet adversity

Page 22: Coding Secure Infrastructure in the Cloud using the PIE framework

Intro to Rugged by analogy

Page 23: Coding Secure Infrastructure in the Cloud using the PIE framework

Current Software

Page 24: Coding Secure Infrastructure in the Cloud using the PIE framework

Rugged Software

Page 25: Coding Secure Infrastructure in the Cloud using the PIE framework

Current Software

Page 26: Coding Secure Infrastructure in the Cloud using the PIE framework

Rugged Software

Page 27: Coding Secure Infrastructure in the Cloud using the PIE framework

Current Software

Page 28: Coding Secure Infrastructure in the Cloud using the PIE framework

Rugged Software

Page 29: Coding Secure Infrastructure in the Cloud using the PIE framework

Current Software

Page 30: Coding Secure Infrastructure in the Cloud using the PIE framework

Rugged Software

Page 31: Coding Secure Infrastructure in the Cloud using the PIE framework

Current Software

Page 32: Coding Secure Infrastructure in the Cloud using the PIE framework

Rugged Software

Page 33: Coding Secure Infrastructure in the Cloud using the PIE framework


Current Software

Page 34: Coding Secure Infrastructure in the Cloud using the PIE framework

Rugged Software

Page 35: Coding Secure Infrastructure in the Cloud using the PIE framework

Page 36: Coding Secure Infrastructure in the Cloud using the PIE framework

Rugged Software Manifesto

Page 37: Coding Secure Infrastructure in the Cloud using the PIE framework

I am rugged... and more importantly, my code is rugged.

Page 38: Coding Secure Infrastructure in the Cloud using the PIE framework

I recognize that software has become a foundation of our modern world.

Page 39: Coding Secure Infrastructure in the Cloud using the PIE framework

I recognize the awesome responsibility that comes with this foundational role.

Page 40: Coding Secure Infrastructure in the Cloud using the PIE framework

I recognize that my code will be used in ways I cannot anticipate, in ways it was not designed, and for longer than it was ever intended.

Page 41: Coding Secure Infrastructure in the Cloud using the PIE framework

I recognize that my code will be attacked by talented and persistent adversaries who threaten our physical, economic, and national security.

Page 42: Coding Secure Infrastructure in the Cloud using the PIE framework

I recognize these things - and I choose to be rugged.

Page 43: Coding Secure Infrastructure in the Cloud using the PIE framework

I am rugged because I refuse to be a source of vulnerability or weakness.

Page 44: Coding Secure Infrastructure in the Cloud using the PIE framework

I am rugged because I assure my code will support its mission.

Page 45: Coding Secure Infrastructure in the Cloud using the PIE framework

I am rugged because my code can face these challenges and persist in spite of them.

Page 46: Coding Secure Infrastructure in the Cloud using the PIE framework

I am rugged, not because it is easy, but because it is necessary... and I am up for the challenge.

Page 47: Coding Secure Infrastructure in the Cloud using the PIE framework

Qualities of Rugged Software

• Availability - Speed and performance

• Longevity, Long-standing, persistent - Time

• Scalable, Portable

• Maintainable and Defensible - Topology Map

• Resilient in the face of failures

• Reliable - Time, Load

Page 48: Coding Secure Infrastructure in the Cloud using the PIE framework

Security vs. Rugged

• Absence of Events

• Cost

• Negative

• FUD

• Toxic

• Verification of quality

• Benefit

• Positive

• Known values

• Affirming

Page 49: Coding Secure Infrastructure in the Cloud using the PIE framework

DevOps

Page 50: Coding Secure Infrastructure in the Cloud using the PIE framework

It’s not our problem anymore

Page 51: Coding Secure Infrastructure in the Cloud using the PIE framework

DevOps is not just making the wall shorter

before | after

Page 52: Coding Secure Infrastructure in the Cloud using the PIE framework

-Alex Honor, dev2ops

Page 53: Coding Secure Infrastructure in the Cloud using the PIE framework

Programmable Infrastructure Environment

Page 54: Coding Secure Infrastructure in the Cloud using the PIE framework

The PIE vision

Page 55: Coding Secure Infrastructure in the Cloud using the PIE framework

People that built PIE

• Peco Karayanev – crazy to dream up PIE and foolish to try to build it

• Ernest Mueller – godfather and proponent of DevOps in PIE

• James Wickett – chief evangelist of PIE

• Michael Truchard – ensuring PIE is as much for dev as it is for ops

• William Hackett – evolving PIE from hackery to legit software

• Karthik Gaekwad – reminding PIE to KISS

• Kar Meng Chow – ensuring PIE is a tool for daily ops

• Mohd Hafiz Ramly – boldly taking PIE to new heights

• John Hill – herding the PIE cats

Page 56: Coding Secure Infrastructure in the Cloud using the PIE framework

What is PIE?

• a framework to define, provision, monitor, and control cloud-based systems

• written in Java, uses SSH as transport, currently supports Amazon AWS (Linux and Windows) and MS Azure

• takes an XML-based model from source control and creates a full running system

Page 57: Coding Secure Infrastructure in the Cloud using the PIE framework

What do we like about PIE?

• Collaborative system design and development

• Automation for building, provisioning and controlling cloud systems

• From source to running multi-tier cloud system in minutes

• Infrastructure as code

Page 58: Coding Secure Infrastructure in the Cloud using the PIE framework

What do we use PIE for

• Provisioning cloud instances

• Creating new environments

• Deploying & configuring software

• Deploying & configuring applications

• Backups

• Log aggregation

• Auto-scaling roles based on demand

• Running tests

• Continuous integration

• Release workflows

• Auditing cloud resource usage

• Integrating with revision control & software build

Page 59: Coding Secure Infrastructure in the Cloud using the PIE framework

can we do better?

Page 60: Coding Secure Infrastructure in the Cloud using the PIE framework

Security features and use cases

• Increase the visibility and auditability of the system

• Track dependencies and what code is deployed where

• Diff versions of the system and see changes

• Role based auth for operators

• No manual steps

• Passwords able to be changed with a few PIE commands

• Keys out of the model

• Ports and user/pass changes

• App Config

• Audit / Running state vs. model diff

Page 61: Coding Secure Infrastructure in the Cloud using the PIE framework

Architecture

• Document based Architecture Definition Language

• Command orchestration, dispatch and execution engine

• Runtime Registry

• Command Line Interface

Page 62: Coding Secure Infrastructure in the Cloud using the PIE framework

ADL (Architecture Definition Language)

• Structural model of the system described in XML documents.

• 4 Level Hierarchy - System, SubSystem, Role, Service

Page 63: Coding Secure Infrastructure in the Cloud using the PIE framework

ADL (continued)

Each entity is defined in XML and holds meta-data about resources and commands.

Page 64: Coding Secure Infrastructure in the Cloud using the PIE framework

Command Execution & Orchestration

• The execution engine can dispatch and execute commands to remote machines.

• More complex workflows can be created from simple commands.

• Commands can be overloaded in different model components.
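The ADL and command-overloading slides above describe the model only at bullet level. The following Python is an added example, not PIE's own code or schema: it reads a constructed four-level model (System > SubSystem > Role > Service), resolves an overloaded command by taking the most specific definition found on the path to the target entity, and lints the model for inline secret values so that keys stay out of the version-controlled model (the "Keys out of the model" item on the security features slide). The element and attribute names, the `keystore://` reference form and the most-specific-wins rule are assumptions of this example, not PIE's actual behaviour.

```python
# Added example, not PIE's own code: an ADL-style model reader for the
# four-level hierarchy System > SubSystem > Role > Service. Element names,
# attributes and the keystore:// reference scheme are assumptions.
import re
import xml.etree.ElementTree as ET

LEVELS = ("system", "subsystem", "role", "service")

# Constructed sample model (not from the original page). The "restart" command
# is overloaded on the subsystem, "deploy" on one service.
SAMPLE_ADL = """
<system name="webshop">
  <command name="deploy">git pull &amp;&amp; ./install.sh</command>
  <command name="restart">sudo service app restart</command>
  <resource name="db_password" ref="keystore://webshop/db_password"/>
  <subsystem name="frontend">
    <command name="restart">sudo service nginx restart</command>
    <role name="web" instances="2">
      <resource name="port" value="443"/>
      <service name="nginx">
        <command name="deploy">sudo nginx -s reload</command>
      </service>
      <service name="app">
        <resource name="api_key" value="INLINE-KEY-SHOULD-NOT-BE-HERE"/>
      </service>
    </role>
  </subsystem>
</system>
"""

# Resource names that look like credentials (constructed list for the lint).
SECRET_NAME = re.compile(r"password|passwd|secret|api_key|private_key|token", re.I)


def load_model(xml_text):
    """Parse an ADL document; the root must be the System level."""
    root = ET.fromstring(xml_text)
    if root.tag != LEVELS[0]:
        raise ValueError("ADL document must be rooted at <system>")
    return root


def entity_chain(root, path):
    """Walk subsystem/role/service names down from the root and return the
    chain of elements from the System to the addressed entity."""
    chain = [root]
    node = root
    for level, name in zip(LEVELS[1:], path):
        node = next((c for c in node.findall(level) if c.get("name") == name), None)
        if node is None:
            raise KeyError(f"no {level} named {name!r} on path {'/'.join(path)}")
        chain.append(node)
    return chain


def resolve_command(root, path, command):
    """Most specific definition wins: a command on a Service overrides the
    same-named command on its Role, SubSystem and System. Returns the command
    text and the level it was taken from."""
    for element in reversed(entity_chain(root, path)):
        for cmd in element.findall("command"):
            if cmd.get("name") == command:
                return cmd.text.strip(), element.tag
    raise KeyError(f"command {command!r} is not defined for {'/'.join(path)}")


def find_inline_secrets(root):
    """Lint for 'keys out of the model': a secret-looking resource may only
    reference a keystore (ref=...), never carry a literal value= in the
    version-controlled model. Returns 'level:entity/resource' strings."""
    findings = []
    for element in root.iter():
        for res in element.findall("resource"):
            name = res.get("name", "")
            if SECRET_NAME.search(name) and res.get("value") is not None:
                findings.append(f"{element.tag}:{element.get('name')}/{name}")
    return findings


if __name__ == "__main__":
    model = load_model(SAMPLE_ADL)
    for svc in ("nginx", "app"):
        for cmd in ("deploy", "restart"):
            text, level = resolve_command(model, ("frontend", "web", svc), cmd)
            print(f"{svc}.{cmd}: {text!r} (from {level})")
    print("inline secrets:", find_inline_secrets(model))
```

Running the block shows `nginx.deploy` coming from the service, `app.deploy` falling back to the system-wide definition, and both `restart` commands coming from the subsystem; the lint flags only `service:app/api_key`, because `db_password` references the keystore rather than carrying a value. A check like this belongs in the same pre-commit or CI step that validates the model, so a literal credential never reaches source control.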

Page 65: Coding Secure Infrastructure in the Cloud using the PIE framework

Runtime Registry & Name Service

• The Runtime registry tracks the state and dependencies.

• The Name service keeps a namespace for instances.

Page 66: Coding Secure Infrastructure in the Cloud using the PIE framework

Command Line Interface

Example full command line invocation:

Target Query string explained:

Page 67: Coding Secure Infrastructure in the Cloud using the PIE framework

Demo

• On Azure:

  o Provision an environment.

  o Deploy an app and test.

  o Update the model and turn off port 80.

  o Redeploy and test the app.

  o De-provision the environment.
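The security features slide lists "Audit / Running state vs. model diff", and the demo's test step is exactly that kind of check: after the model is updated to turn off port 80 and redeployed, the running instances must no longer listen on it. The following Python is an added example, not PIE's code: it compares a constructed desired-state model against constructed facts gathered from running instances and reports drift (ports or services not in the model, services missing, version mismatches, and instances whose role the model does not know at all). The dictionary shapes and the sample facts are assumptions; the page does not show PIE's registry or fact format.

```python
# Added example, not PIE's own code: compare the desired state from the model
# with the state observed on running instances and report drift.
# Data shapes are assumptions for illustration; the sample values are constructed.

# Desired state per role, as the model would declare it after the demo step
# "update the model and turn off port 80" (constructed sample).
MODEL = {
    "web": {"ports": {443}, "services": {"nginx", "app"}, "version": "1.4.2"},
    "db": {"ports": {5432}, "services": {"postgres"}, "version": "9.3"},
}

# Facts captured from each running instance, as an agent or SSH probe would
# report listening ports, running services and deployed version (constructed).
OBSERVED = {
    "web-1": {"role": "web", "ports": {443, 80}, "services": {"nginx", "app"}, "version": "1.4.2"},
    "web-2": {"role": "web", "ports": {443}, "services": {"nginx"}, "version": "1.4.1"},
    "db-1": {"role": "db", "ports": {5432}, "services": {"postgres"}, "version": "9.3"},
    "bastion-9": {"role": "bastion", "ports": {22}, "services": {"sshd"}, "version": "n/a"},
}


def diff_instance(desired, observed):
    """Return a list of (finding_kind, detail) tuples for one instance.
    An empty list means the instance matches its role in the model."""
    findings = []
    extra_ports = observed["ports"] - desired["ports"]
    missing_ports = desired["ports"] - observed["ports"]
    if extra_ports:  # e.g. port 80 still open after the model removed it
        findings.append(("port_not_in_model", sorted(extra_ports)))
    if missing_ports:
        findings.append(("port_missing", sorted(missing_ports)))
    missing_services = desired["services"] - observed["services"]
    if missing_services:
        findings.append(("service_missing", sorted(missing_services)))
    extra_services = observed["services"] - desired["services"]
    if extra_services:
        findings.append(("service_not_in_model", sorted(extra_services)))
    if observed["version"] != desired["version"]:
        findings.append(("version_drift", (desired["version"], observed["version"])))
    return findings


def audit(model, observed):
    """Return {instance: [findings]} for every instance that deviates from the
    model. Instances whose role is not in the model are flagged too, since an
    unmodelled machine is as much drift as an unmodelled port."""
    report = {}
    for instance, facts in sorted(observed.items()):
        desired = model.get(facts["role"])
        if desired is None:
            report[instance] = [("role_not_in_model", facts["role"])]
            continue
        findings = diff_instance(desired, facts)
        if findings:
            report[instance] = findings
    return report


def format_report(report):
    """One line per finding, or a clean-bill message when nothing drifted."""
    lines = []
    for instance, findings in report.items():
        for kind, detail in findings:
            lines.append(f"{instance}: {kind} {detail}")
    return "\n".join(lines) if lines else "running state matches model"


if __name__ == "__main__":
    print(format_report(audit(MODEL, OBSERVED)))
```

With the constructed data the report flags `web-1` for port 80 still listening, `web-2` for a missing `app` service and an older version, and `bastion-9` because no role in the model accounts for it; `db-1` is silent. Run against the real model and real facts this is the "running state vs. model diff" audit: the model in source control is the record of intent, and anything the diff reports is either an incomplete deployment or a change made outside the model.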

Page 68: Coding Secure Infrastructure in the Cloud using the PIE framework

Rugged DevOps Results

• repeatable – no manual errors

• reviewable – model in source control

• rapid – bring up, install, configure, and test dozens of systems in a morning

• resilient – automated reconfiguration to swap servers (throw away infrastructure)

• rugged by design devops by culture

Page 69: Coding Secure Infrastructure in the Cloud using the PIE framework

Roadmap

• Open Source

• More security workflows

• Azure data management workflows

• Add support for external keystores

• ADL and model usability features

• Port AWS functionality to 2.0 version

• New shiny distributed orchestration engine

• Add user auth through LDAP or other repos

• IDE to simplify design

• More powerful script engine

Page 70: Coding Secure Infrastructure in the Cloud using the PIE framework

PIE now and future

(28 years later) | (now)

Page 71: Coding Secure Infrastructure in the Cloud using the PIE framework

Recommended Reading

Page 72: Coding Secure Infrastructure in the Cloud using the PIE framework

Want the slides?

send me a tweet @wickett