securing the cloud native stack

Apcera Confidential Hector Tapia Principal Solutions Consultant Securing the Cloud-Native Stack

Upload: apcera

Post on 12-Apr-2017


TRANSCRIPT

Page 1: Securing the Cloud Native Stack

Apcera Confidential

Hector Tapia, Principal Solutions Consultant

Securing the Cloud-Native Stack

Page 2: Securing the Cloud Native Stack

Software as a competitive advantage

Lots of people talk about these companies and use them as examples of how innovation disrupts the marketplace.

• What do these innovative companies have in common?
• Speed of innovation
• Always-available services
• Web scale
• Device-centric user experiences
• Recover from failures quickly

Cloud-native application architectures are key to enabling the business model that allowed these companies to obtain their disruptive character.

Page 3: Securing the Cloud Native Stack

Why Cloud-Native Application Architectures?

Speed, Safety, Scale

Page 4: Securing the Cloud Native Stack

Cloud Native Applications are Architected Differently

Two common examples of Cloud-Native Applications are: Twelve-factor Applications & MicroServices

Handling Failures
• Every integration point will eventually fail at one time or another
• Be prepared to handle all kinds of failures

Services
• All functionality is published and consumed via Web Services

Horizontal Scalability
• Designed for Scale Out

Asynchronous Processing
• Break down the task, process requests asynchronously
• Use messaging to decouple functionality
• Eventual consistency model

Stateless Model
• Build stateless services that can be scaled out and load balanced

Page 5: Securing the Cloud Native Stack

The twelve-factor app is a collection of patterns for Cloud-Native Application Architectures

• Codebase: One codebase tracked in revision control, many deploys
• Dependencies: Explicitly declare and isolate dependencies
• Config: Store config in the environment
• Backing Services: Treat backing services as attached resources
• Build, release, run: Strictly separate build and run stages
• Processes: Execute the app as one or more stateless processes
• Port Binding: Export services via port binding
• Concurrency: Scale out via a process model
• Disposability: Maximize robustness with fast startup and graceful shutdown
• Dev/Prod parity: Keep development, staging, and production as similar as possible
• Logs: Treat logs as event streams
• Admin processes: Run admin/management tasks as one-off processes

Page 6: Securing the Cloud Native Stack

MicroServices

A way of designing software applications as suites of independently deployable services.


Page 7: Securing the Cloud Native Stack

How to get Cloud-Native?

• New requirements for Developers and Operations
• Fast, tested, fail-safe, small changes continuously deployed to production
• Measure, share visibility and provide feedback from users to the business, continuously
• Small experiments, test assumptions, fail fast and learn!

Page 8: Securing the Cloud Native Stack

Most build software for Innovation and Differentiation

By 2020, 75% of Application Purchases supporting digital business will be “Build”, not “Buy”.

Source: Forecast Analysis: Enterprise Application Software, Worldwide, 2Q15 Update

Page 9: Securing the Cloud Native Stack

But innovation doesn’t come without risk

Recent Hack Attacks

Page 10: Securing the Cloud Native Stack

The Cloud-Native Stack - Taxonomy

• Code: Programming languages, frameworks and libraries that comprise applications
• Workflow / Management: Code deployment pipelines, automation and configuration management frameworks, container and infrastructure management
• Orchestration (Scheduling & Cluster Management): Tools which automatically run and manage jobs, containers and hosts in a cluster
• Service Discovery: Tools enabling an application or service to discover information about its environment and the other components needed to form a larger system
• Container Engine: Specification and execution engine for operating-system-level virtualization, running multiple isolated Linux systems
• Minimal OS: Lightweight operating system to manage the compute resources necessary to deploy applications in containers
• Virtual Infrastructure: Emulated physical compute, network and storage resources that are the basis for Cloud-based architectures
• Physical Infrastructure: Physical servers, switches, routers and storage arrays that occupy the Datacenter

The slide brackets these layers into two groups: Tools and Infrastructure.

Page 11: Securing the Cloud Native Stack


The Cloud-Native Stack - Where does it have to be secured?

• Authentication mechanism
• Policy changes
• Resource usage (Memory, CPU, IO)
• Networking (Ingress & Egress)
• Service user
• Data use
• Staging pipelines
• Package selection
• Execution location
• Workload deployment and changes

The slide brackets these items under five questions: Who, What, Which, Where and How Much.

Page 12: Securing the Cloud Native Stack

Not everybody is ready, not everything is Cloud-Native

Cloud Native Originated in Customer-facing Tech Companies


Customer-Facing Tech

• Spend 20%+ of revenue on R&D

• Employ highly paid developers

• Internet-scale

• Technology is their business

Traditional Enterprises

• Spend 2-4% of revenue on R&D

• Employ “normal” people

• Enterprise-scale

• Thousands of apps

• Technology seen as a tax

Page 13: Securing the Cloud Native Stack

There are many places in the New Cloud Native Architecture where Governance is needed

Components of the reference architecture shown on the slide: Load Balancer (HTTP/S & TCP), Router, Order Management UI, Browse Products UI, Account Management UI, Checkout UI, Customer Profile Service, Catalog Service, Order Service, Payment Service, two DBs, ESB / ETL

Page 14: Securing the Cloud Native Stack

There are many places in the New Cloud Native Architecture where Governance is needed


• What Users and IP addresses can come into the Cluster?
• What Packages can be used to deploy to Production?
• What Docker images can be used? What Repositories?
• What workload can communicate with other workloads?
• Which workloads can egress? What external services?
• What services can the workload bind to?
• What resources can each workload have? Where can they be scheduled?
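The governance questions on this slide map naturally onto deny-by-default allowlists. The Go program below is an added example written for this page, not Apcera's code or policy language; the IP range, registry name, workload names and memory limit are constructed sample values.

```go
package main

import (
	"net"
	"strings"
)

// Policy turns the slide's governance questions into deny-by-default allowlists.
// Every value here is a constructed sample, not Apcera's own policy language.
type Policy struct {
	IngressCIDRs    []string                   // who/where may come into the cluster
	ImageRegistries []string                   // which registries images may come from
	Reach           map[string]map[string]bool // workload -> workloads and external hosts it may talk to
	MaxMemoryMB     map[string]int             // how much memory each workload may use
}

// IngressAllowed answers "what IP addresses can come into the cluster?".
func (p Policy) IngressAllowed(ip string) bool {
	addr := net.ParseIP(ip) // nil for garbage input, which then matches nothing
	for _, cidr := range p.IngressCIDRs {
		if _, block, err := net.ParseCIDR(cidr); addr != nil && err == nil && block.Contains(addr) {
			return true
		}
	}
	return false
}

// ImageAllowed answers "what Docker images / repositories can be used?"; the trailing "/" stops
// "registry.example.com.evil.test/..." from matching and bare names like "nginx" are rejected.
func (p Policy) ImageAllowed(image string) bool {
	for _, reg := range p.ImageRegistries {
		if strings.HasPrefix(image, reg+"/") {
			return true
		}
	}
	return false
}

// ReachAllowed covers workload links and egress alike; a missing inner map yields false, so unknown workloads get nothing.
func (p Policy) ReachAllowed(from, to string) bool { return p.Reach[from][to] }
func (p Policy) MemoryAllowed(w string, mb int) bool {
	limit, ok := p.MaxMemoryMB[w]
	return ok && mb <= limit
}

var SamplePolicy = Policy{ // constructed model of the shop architecture on the slide
	IngressCIDRs:    []string{"10.0.0.0/8"},
	ImageRegistries: []string{"registry.example.com"},
	Reach:           map[string]map[string]bool{"checkout-ui": {"order-service": true}, "payment-service": {"api.payments.example": true}},
	MaxMemoryMB:     map[string]int{"order-service": 1024},
}
```

Each check returns false for anything not explicitly listed, including malformed input and unknown workloads, which is the property a governance layer needs at every one of the points named above.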

Page 15: Securing the Cloud Native Stack

apcera.com nats.io kurma.io

docs.apcera.com

We are hiring!