Mapping and Auditing Your DevOps Systems - bcs.org · ITIL Version 3 Configuration Mgmt System....

Mapping and Auditing Your DevOps Systems David Cuthbertson, CEO Square Mile Systems Ltd [email protected] www.squaremilesystems.com


Mapping and Auditing Your DevOps Systems

David Cuthbertson, CEO, Square Mile Systems Ltd

[email protected]

Infrastructure Management Practices

Network Troubleshooting
Cabling and Network Installations
Naming / Labelling
Visualization / Mapping Methods
Baselining
Change Process
Skills / Awareness / Toolsets
Managed Services (Voice/Data)
Personal Experience, Industry Groups and Frameworks

Personal Background

Data Center Engineering
Data Center Operations Management
Group Manager

About Square Mile Systems

• We develop technology to make infrastructure management easier
  – AssetGen infrastructure database
  – Visio utilities (free) for data centre / application / services documentation
• Provide methods and processes for site audits, documentation assessment, remediation (compliance) and managing complex infrastructure changes
• Help organizations implement best practices around change management and control in physical and logical infrastructures
  – Supporting ITIL, ISO, ISA, TIA, BICSI, NIST, COBIT and others
• Typical drivers - data centre migration, identifying vulnerabilities, CMDB analysis, transformation projects and automated Visio diagramming.

Different Teams, Different Focus

Infrastructure layers:
Fixed Infrastructure (Cabling, Power, Cabinets, Buildings)
Hardware Infrastructure (PCs, Network, Servers, UPS, Storage, etc.)
Virtual Infrastructure (PCs, Network, Servers, Storage, DBMS)
Applications (PC, server, mainframe, SOA)
Services (End user, infrastructure, supplier)
Business Processes (Departmental, Company)

Teams:
Service Management, Data Centre, Networks (LAN/SAN), Applications Development, Mid-range Servers, System Architecture, Desktops (IMAC), Customers / Users

Example - The NIST Cybersecurity Framework

Function (Function Unique Identifier) and Category (Category Unique Identifier):

Identify (ID)
  ID.AM  Asset Management
  ID.BE  Business Environment
  ID.GV  Governance
  ID.RA  Risk Assessment
  ID.RM  Risk Management Strategy

Protect (PR)
  PR.AC  Access Control
  PR.AT  Awareness and Training
  PR.DS  Data Security
  PR.IP  Information Protection Processes and Procedures
  PR.MA  Maintenance
  PR.PT  Protective Technology

Detect (DE)
  DE.AE  Anomalies and Events
  DE.CM  Security Continuous Monitoring
  DE.DP  Detection Processes

Respond (RS)
  RS.RP  Response Planning
  RS.CO  Communications
  RS.AN  Analysis
  RS.MI  Mitigation
  RS.IM  Improvements

Recover (RC)
  RC.RP  Recovery Planning
  RC.IM  Improvements
  RC.CO  Communications

Sub-Category (Sub-Cat Unique Identifier) under ID.AM Asset Management:
  ID.AM-1  Physical Inventory
  ID.AM-2  Software Inventory
  ID.AM-3  Communication and Data Flows
  ID.AM-4  External Information Systems
  ID.AM-5  Priority Resource and Classification
  ID.AM-6  Roles and Responsibilities

1. Baseline your infrastructure

2. Manage the risks

3. Maintain the knowledge

Asset Management Sub-Category (ID.AM)

  ID.AM-1  Physical Inventory
  ID.AM-2  Software Inventory
  ID.AM-3  Communication and Data Flows
  ID.AM-4  External Information Systems
  ID.AM-5  Priority Resource and Classification
  ID.AM-6  Roles and Responsibilities

Informative references (standards):
  ISA 62443-2-1:2009 – Security For Industrial Automation and Control: Establishing a security system
  ISA 62443-3-3:2013 – Security For Industrial Automation and Control: System Security Requirements and Security Levels
  ISO/IEC 27001:2013 – Information Security Management System
  CCS – Council on Cyber Security: Security Controls
  COBIT 5 – Information Assurance
  NIST SP 800-53 Rev. 4 – Security and Privacy Controls for Federal Information Systems and Organizations

Standards Sections – ID.AM-1 Physical Inventory

Standard               | Informative Reference | Detail
COBIT 5                | BAI09.01, BAI09.02    | All IT assets inventoried, managed and maintained
CCS                    | CSC 1                 | Only authorized hardware is permitted on the network
ISO/IEC 27001:2013     | A.8.1.1               | Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained
ISO/IEC 27001:2013     | A.8.1.2               | Assets maintained in the inventory shall be owned
NIST SP 800-53 Rev. 4  | CM-8                  | Updated and accurate IS component inventory and configurations contained in centralized database with detection of unauthorized components.
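The ID.AM-1 references above all ask for the same two things: an inventory that is complete and owned, and detection of components on the network that the inventory does not know about. The following Python is an added example, not material from the slides or from Square Mile Systems' tools. It reconciles a constructed discovery export against a constructed inventory, keyed on normalised MAC addresses rather than hostnames so that inconsistent naming between sources does not hide a match. The hostnames, MAC addresses and owner names are assumptions made up for the example.

```python
"""Reconcile discovered network assets against the authorised inventory.

Added example, not part of the slides: it implements the ID.AM-1 checks the
informative references describe: every asset inventoried and owned
(ISO/IEC 27001:2013 A.8.1.1 / A.8.1.2) and detection of components present on
the network but absent from the inventory (NIST SP 800-53 CM-8, CCS CSC 1).
Hostnames, MAC addresses and owners below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class InventoryItem:
    name: str
    mac: str
    owner: Optional[str]  # None models an A.8.1.2 gap: an asset with no owner


@dataclass
class Reconciliation:
    unauthorised: List[Tuple[str, str]]  # (discovered name, mac) not in inventory
    missing: List[str]                   # inventoried but not seen on the network
    unowned: List[str]                   # inventoried but without an owner


def normalise_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits.

    Discovery exports and inventories rarely agree on separators
    (00:11:..., 00-11-..., 0011.2233....), so compare on the digits only.
    """
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def reconcile(inventory: List[InventoryItem],
              discovered: List[Tuple[str, str]]) -> Reconciliation:
    """Key both sides on the normalised MAC, not the hostname, because the
    slides assume names are inconsistent across sources."""
    inv_by_mac = {normalise_mac(item.mac): item for item in inventory}
    seen = {normalise_mac(mac): name for name, mac in discovered}
    unauthorised = sorted((seen[m], m) for m in seen.keys() - inv_by_mac.keys())
    missing = sorted(inv_by_mac[m].name for m in inv_by_mac.keys() - seen.keys())
    unowned = sorted(item.name for item in inventory if not item.owner)
    return Reconciliation(unauthorised, missing, unowned)


# Constructed sample data: the authorised inventory (e.g. a CMDB export) ...
INVENTORY = [
    InventoryItem("uk-apps01", "00:11:22:33:44:01", "Applications"),
    InventoryItem("uk-iis05", "00-11-22-33-44-05", "Web"),
    InventoryItem("uk-db02", "0011.2233.4402", None),
    InventoryItem("sw-core-1", "00:11:22:33:44:A1", "Networks"),
]
# ... and what discovery (e.g. a switch MAC table) reported, using different
# name casing and MAC formatting than the inventory does.
DISCOVERED = [
    ("UK_APPS01", "00:11:22:33:44:01"),
    ("UK_IIS05", "00:11:22:33:44:05"),
    ("UK_DB02", "00:11:22:33:44:02"),
    ("unknown-host", "de:ad:be:ef:00:01"),
]


def sample_reconciliation() -> Reconciliation:
    """Run the reconciliation over the constructed data above."""
    return reconcile(INVENTORY, DISCOVERED)


if __name__ == "__main__":
    r = sample_reconciliation()
    print("Unauthorised on network (CM-8 / CSC 1):", r.unauthorised)
    print("In inventory but not seen:", r.missing)
    print("Inventoried without owner (A.8.1.2):", r.unowned)
```

The three result lists map directly onto the table: the first is the CM-8 / CSC 1 detection, the second flags stale inventory records or offline kit that needs a follow-up audit, and the third is the A.8.1.2 ownership gap. Running the same reconciliation on a schedule is what turns a one-off baseline into the "Maintain the knowledge" step.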

Mapping Systems – Reason 1

Help communicate entities, dependencies and differences

[Diagram: two stacks side by side. Virtual machines: Server > Host OS > Hypervisor > Guest OS (one per app) > bins/libs > App 1, App 2, App 3, App 4. Containers: Server > Host OS > bins/libs > App 1, App 2, App 3, App 4, each app in its own container.]

Mapping Systems – Reason 2

If you don’t “understand” your environment and applications you must expect pain – cost, delay, risk, delivery failure. Mapping systems is often part of mature management processes where better “systems” reduce delays and risks.

Change Is Constant

Regulators / Security / Operations
Application and Infrastructure Management
Practice and processes have to evolve constantly!
Projects Management

Do it faster
Reduce costs
Consolidate / Optimize
Change Records / Capacity Reporting
No Downtime!
Zoning / Partitioning
Use of Partners
Data Loss Prevention

1. Physical – location, position and space
2. Physical connections and paths – LAN, WAN, SAN, power
3. Logical connections and paths – LAN, WAN, SAN, power, radio, data flows, firewall rules/endpoints
4. Dependency impacts – change and risk communication
5. Environment management – Prod, dev, test, pre-prod, DR
6. Application development, requirements and versioning
7. Customer data mapping – PCI, GDPR, breach management
8. Batch process mapping

Mapping Systems – Many Methods

Mapping Systems: Entities (with attributes), Relationships (with attributes), Container
Can be achieved using spreadsheets, databases, diagrams and specialist systems - ALM

Mapping Systems: Entities (with attributes), Relationships (with attributes), Container (with attributes)
The mapping method will depend on the requirement

Even With A Few Servers – Complex…

ITIL Version 3 Configuration Mgmt System

[Diagram: the ITIL v3 CMS layered architecture.
Presentation Layer: Portal with Change & Release View, Asset Mgmt View, Config Life-cycle View, Technical Config View, Quality Mgmt View, Service Desk View, Business Impact View, Compliance View (Cobit); Query & Analysis, Reporting, Performance Mgmt, Modelling, Monitoring.
Knowledge Processing Layer: Customer/User – Service – Application – Infrastructure mapping; Service Portfolio, Service Package, Integrated Asset & Config, Service Change, Service Release.
Information Integration Layer: Common Process, Reconciliation, Synchronisation, Extract, Load, Mining, Scheme, Meta Data; Search, Browse, Store, Retrieve, Publish, Subscribe, Collaborate; Data Integration.
Data & Information Sources & Tools: Project Doc Filestore, Project Software, Definitive Media Library, Federated CMDBs, Discovery Asset Mgmt & Audit Tools, Software Config Mgmt, Platform Config Mgmt, Enterprise Apps.]

Some Methods Of Mapping Systems…

[Diagram: the same payment-handling environment drawn three ways: Physical, Peer to Peer and Hierarchical. Application layer: ISA PAYMENT REQUEST HANDLING, BACS-IP / ISA PAYMENT TRANSACT, WORKFLOW CLIENT, WORKFLOW, AUDITTRACK, BACPAY, PAYLOG. Servers: CITRIX SERVER, ORACLE FWS_03, SQL FWS_04, UK_VWBIRM001, UK_VWBIRM002, UK_VWBIRM004, UK_BIRM_BLADE_01, UK_BIRM_BLADE-02, SVR-BHAM-010301. Network: switches SW-BHAM-11, -12, -13, -14, -19; firewalls FW-BHAM01, FW-BHAM02, FW-BHAM04 (VPN); routers RTR-BHAM-03, -04, -07, -08; NTUs BT-NTU2, BT-NTU3, VT-NTU1, VT-NTU2.]

More Methods Of Mapping Systems…

Architecture Blocks
Entity Relationships
Excel / Visio
Mapping Servers / Application
Power Cabling
Building

[Diagram: architecture blocks for Customer Billing, Funds Transfer, ERP Logistics, Internet Portal and VM Ware.]

The Logical Dependency View

The router has one link to the switch

Easy to Understand!

The Physical Connection View

[Diagram: the same single router-to-switch link traced physically across Data Hall 1 and Data Hall 2 (Comms A, Wing Loft): Equipment Racks > MDF > Inter Room ODF > Inter Room ODF > MDF > Equipment Racks, with over twenty labelled patch-panel cross-connects (PPF-326-E20-U38 to E10, PPF-336-E22-U40 to I02, PPF-300/ODF12-U42 to 336/I15 and similar) and the 7750 (SR 12) chassis port and SFP allocations (MDA1, MDA2, MDA10, CFM 1, CFM 2, GLW/LR 1, Empty, test).]

Mapping An Enterprise Application

Logistics / CRM / Finance
TXOMGGCUK_APPS01 UK_APPS03 UK_IIS05 UK_IIS08
35000 of 90000 tables used
2.2M relationships within the SAP system

Shared Infrastructure and Applications

Logistics / CRM / Finance
TXOMGGCUK_APPS01 UK_APPS03 UK_IIS05 UK_IIS08
Funds Transfer, Credit Scoring, HR Systems, Web Ordering, Dispatch Control, Partner Controls
With 100 Servers plus
SAP Servers

Service Focused View - 1

“Top Down”, Service focused: What supports this service?
Service > Host > Hardware/Virtual (133)

Component Focused View

“Bottom Up”, Component focused: What is the potential impact on services?
Host > Services (33)

Steps To Successful Mapping?

1. Define the data requirements and outputs
2. Capture data
3. Analyse / visualise / report as required: one set of data – produce multiple perspectives
4. Maintain

It doesn’t work like this in practice!

Our Approach

1. Assume all data is inconsistent in naming and accuracy
2. Assume there are no mapping / visual standards
3. Build 2-3 prototypes - most complex applications/services
4. Then do bulk capture and improve dependencies - two spreadsheets
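Putting the mapping model (entities and relationships, each with attributes) and the approach above together, the following Python is an added example and not the slides' own material or AssetGen code. Names are normalised before linking because step 1 assumes naming is inconsistent across sources, and two queries answer the questions posed by the Service Focused and Component Focused views: "what supports this service?" (top down) and "what is the potential impact on services?" (bottom up). Entity names, kinds and links are constructed for the example, and the "environment" attribute on links is an assumption used to show how prod and DR paths can be separated.

```python
"""Dependency map with top-down and bottom-up queries.

Added example, not part of the slides: entities and relationships each carry
attributes, names are normalised before linking, and the two queries answer
"what supports this service?" (top down) and "what is the potential impact on
services?" (bottom up). All entities and links are constructed for the
example; hostnames are illustrative only.
"""
from collections import deque
from typing import Dict, List, Optional


def norm(name: str) -> str:
    """Canonical key: lowercase, any run of non-alphanumerics becomes '_'.
    'UK_IIS05', 'uk-iis05' and 'UK IIS05' all map to 'uk_iis05'."""
    out, prev_sep = [], False
    for ch in name.strip().lower():
        if ch.isalnum():
            out.append(ch)
            prev_sep = False
        elif not prev_sep:
            out.append("_")
            prev_sep = True
    return "".join(out).strip("_")


class DependencyMap:
    def __init__(self) -> None:
        self.entities: Dict[str, dict] = {}         # key -> attributes (incl. display name)
        self.down: Dict[str, Dict[str, dict]] = {}  # dependent -> {dependency: link attrs}
        self.up: Dict[str, Dict[str, dict]] = {}    # reverse index for impact queries

    def add_entity(self, name: str, **attrs) -> str:
        key = norm(name)
        self.entities.setdefault(key, {"name": name}).update(attrs)
        self.down.setdefault(key, {})
        self.up.setdefault(key, {})
        return key

    def add_dependency(self, dependent: str, dependency: str, **attrs) -> None:
        a, b = norm(dependent), norm(dependency)
        for key in (a, b):
            if key not in self.entities:
                raise KeyError(f"unknown entity {key!r}: add it before linking")
        self.down[a][b] = attrs
        self.up[b][a] = attrs

    def _walk(self, start: str, index, env: Optional[str]) -> List[str]:
        """Breadth-first transitive closure over one index. When env is given,
        links tagged with a different 'environment' are ignored; untagged links
        apply to every environment."""
        seen, queue = set(), deque([norm(start)])
        while queue:
            cur = queue.popleft()
            for nxt, link in index[cur].items():
                if env is not None and link.get("environment", env) != env:
                    continue
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return sorted(seen)

    def supports(self, service: str, env: Optional[str] = None) -> List[str]:
        """Top down: everything the service transitively depends on."""
        return self._walk(service, self.down, env)

    def impact(self, component: str, env: Optional[str] = None) -> List[str]:
        """Bottom up: services that would be affected if the component failed."""
        return [k for k in self._walk(component, self.up, env)
                if self.entities[k].get("kind") == "service"]


def build_sample_map() -> DependencyMap:
    """Constructed sample: two services on a small shared infrastructure."""
    m = DependencyMap()
    for name, kind in [("Customer Billing", "service"), ("Funds Transfer", "service"),
                       ("UK_APPS01", "host"), ("UK_IIS05", "host"),
                       ("ORACLE FWS_03", "database"), ("VMware cluster A", "hypervisor"),
                       ("SW-BHAM-13", "switch"), ("SW-BHAM-DR1", "switch")]:
        m.add_entity(name, kind=kind)
    # Links deliberately spell some names differently from add_entity above.
    m.add_dependency("customer billing", "uk-iis05", via="LAN")
    m.add_dependency("customer billing", "uk_apps01", via="LAN")
    m.add_dependency("funds transfer", "uk_apps01", via="LAN")
    m.add_dependency("uk_apps01", "oracle-fws_03", via="SAN")
    m.add_dependency("uk_apps01", "vmware cluster a", via="hosted on")
    m.add_dependency("uk-iis05", "vmware cluster a", via="hosted on")
    m.add_dependency("oracle-fws_03", "sw-bham-13", via="LAN", environment="prod")
    m.add_dependency("vmware cluster a", "sw-bham-13", via="LAN", environment="prod")
    m.add_dependency("vmware cluster a", "sw-bham-dr1", via="LAN", environment="dr")
    return m


if __name__ == "__main__":
    m = build_sample_map()
    print("Supports Customer Billing:", m.supports("Customer Billing"))
    print("Impact of SW-BHAM-13:", m.impact("SW-BHAM-13"))
    print("Impact of SW-BHAM-DR1 in prod:", m.impact("SW-BHAM-DR1", env="prod"))
```

The same data answers both views, which is the "one set of data – produce multiple perspectives" point: `supports()` is the service-focused list of hosts and hardware under a service, and `impact()` is the component-focused list of services above a host or switch. Filtering links by environment keeps a DR-only path from inflating the prod impact of a component, which matters when the map feeds change-risk assessment.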

Thank You

Improving Infrastructure change and risk planning: half day workshops 1st/2nd March (with Networks Centre), Poulton, Glos and Horsham, West Sussex

Websites: videos, downloads
www.squaremilesystems.com
www.assetgen.com