Securing the Cloud Native Stack
-
Upload
apcera -
Category
Technology
-
view
477 -
download
1
Transcript of Securing the Cloud Native Stack
![Page 1: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/1.jpg)
Apcera Confidential
Hector TapiaPrincipal Solutions Consultant
Securing the Cloud-Native Stack
![Page 2: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/2.jpg)
Software as a competitive advantage
Lots of people talk about these companies and use them as examples on how innovation disrupts the marketplace
• What does this innovative companies have in common?• Speed of innovation• Always-available services• Web Scale• Device-centric user experiences• Recover from failures quick
Cloud-native application architectures are key to enable the business model
that allowed these companies to obtain their disruptive character.
2
![Page 3: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/3.jpg)
Why Cloud-Native Application Architectures?
Speed Safety Scale
![Page 4: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/4.jpg)
Cloud Native Applications are Architected Differently
Two common examples of Cloud-Native Applications are:Twelve-factor Applications & MicroServices
• Every integration point will eventually fail one time or another• Be prepared to handle all kind of failures
• All functionality is published and consumed via Web Services
• Designed for Scale Out
• Break down the task, process requests asynchronously • Use messaging to decouple functionality• Eventual consistency model
• Build stateless services that can be scaled out and load balancedStateless Model
Asynchronous Processing
Horizontal Scalability
Handling Failures
Services
Two common examples of Cloud-Native Applications are:Twelve-factor Applications & MicroServices
4
![Page 5: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/5.jpg)
• Codebase: One codebase tracked in revision control, many deploys• Dependencies: Explicitly declare and isolate dependencies• Config: Store config in the environment• Backing Services: Treat backing services as attached resources• Build, release, run: Strictly separate build and run stages• Processes: Execute the app as one or more stateless processes• Port Binding: Export services via port binding• Concurrency: Scale out via a process model• Disposability: Maximize robustness with fast startup and graceful shutdown• Dev/Prod parity: Keep development, staging, and production as similar as possible• Logs: Treat logs as event streams• Admin processes: Run admin/management tasks as one-off process
The twelve-factor app is a collection of patterns for Cloud-Native Application Architectures
5
![Page 6: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/6.jpg)
6
MicroServices
Is a way of designing software applications as suites of
independently deployable services
Wall-E Copyright Disney/Pixar
![Page 7: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/7.jpg)
• New requirements for Developers and Operations
• Fast, tested, fail safe, small changes continuously deployed to production
• Measure, share visibility and provide feedback of users to business, continuously.
• Small experiments, test assumptions, fail fast and learn!
How to get Cloud-Native?
7
![Page 8: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/8.jpg)
8
Most build software for Innovation and Differentiation
75% By 2020, 75% of Application Purchases supporting digital
business will be “Build”, not “Buy”.
Forecast Analysis: Enterprise Application Software, Worldwide, 2Q15 Update
![Page 9: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/9.jpg)
But innovation doesn’t come without riskRecent Hack Attacks
9
![Page 10: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/10.jpg)
Programing languages frameworks and libraries that comprise applications
Code deployment pipelines, automation and configuration management frameworks, container and infrastructure management
Tools which automatically run and manage jobs, containers and hosts in a cluster
Tools enabling an application or service to discover information about its environment and other components needed to form a larger system
Specification and execution engine for operating system level virtualization for running multiple isolated Linux systems
Lightweight operating system to manage compute resources necessary to deploy application in containers
Emulated physical compute, network and storage resources that are the basis for Cloud-based architectures
Physical servers, switches, routers and storage arrays that occupy the Datacenter
Code
Workflow / Management
Orchestration: Scheduling & Cluster Management
Service Discovery
Container Engine
Minimal OS
Virtual Infrastructure
Physical Infrastructure
Tools
Infrastructure
{{
The Cloud-Native Stack - Taxonomy
10
![Page 11: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/11.jpg)
Programing languages frameworks and libraries that comprise applications
Code deployment pipelines, automation and configuration management frameworks, container and infrastructure management
Tools which automatically run and manage jobs, containers and hosts in a cluster
Tools enabling an application or service to discover information about its environment and other components needed to form a larger system
Specification and execution engine for operating system level virtualization for running multiple isolated Linux systems
Lightweight operating system to manage compute resources necessary to deploy application in containers
Emulated physical compute, network and storage resources that are the basis for Cloud-based architectures
Physical servers, switches, routers and storage arrays that occupy the Datacenter
Code
Workflow / Management
Orchestration: Scheduling & Cluster Management
Service Discovery
Container Engine
Minimal OS
Virtual Infrastructure
Physical Infrastructure
The Cloud-Native Stack - Where it has to be secured?
• Authentication mechanism
• Policy changes• Resource usage
(Memory, CPU, IO)• Networking (Ingress &
Egress)• Service user• Data use• Staging pipelines• Package selection• Execution location• Workload deployment
and changes
How Much {
Who {
What {Which {Where {
11
![Page 12: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/12.jpg)
Not everybody is ready, not everything is Cloud-Native
Cloud Native Originated in Customer-facing Tech Companies
12
Customer-Facing Tech
• Spend 20%+ of revenue on R&D
• Employ highly paid developers
• Internet-scale
• Technology is their business
Traditional Enterprises
• Spend 2-4% of revenue on R&D
• Employ “normal” people
• Enterprise-scale
• Thousands of apps
• Technology seen as a tax
![Page 13: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/13.jpg)
There are many places in the New Cloud Native Architecture where Governance is needed
Load BalancerHTTP/S & TCP
Router
Order Management UI
Browse Products UI
Account Management UI
Checkout UI
Customer Profile Service
Catalog Service
Order Service
Payment Service
DB
DB
ESB / ETL
13
![Page 14: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/14.jpg)
There are many places in the New Cloud Native Architecture where Governance is needed
Load BalancerHTTP/S & TCP
Router
Order Management UI
Browse Products UI
Account Management UI
Checkout UI
Customer Profile Service
Catalog Service
Order Service
Payment Service
DB
DB
ESB / ETL
What Users and IP addresses can come
into the Cluster?
What Packages can be used to deploy to
Production?
What Docker images can be used? What
Repositories?
What workload can communicate with other workloads?
Which workloads can egress? What external services?
What services can the workload bind
to?
What resources can each workload have? Where can they be scheduled?
14
![Page 15: Securing the Cloud Native Stack](https://reader034.fdocuments.us/reader034/viewer/2022051520/58ed9d8e1a28abd47d8b45c9/html5/thumbnails/15.jpg)
apcera.com nats.io kurma.io
docs.apcera.com
We are hiring!