Slide 1

Slide 1 text

People, process, and technology for ILM and SLM adoption
Rosemary Wang, Chief Developer Advocate

Slide 2

Slide 2 text

Circa 2018: Some Concepts for Research
API Authorization (OAuth & OpenID), Testing & Test-Driven Development (TDD), Continuous Delivery, Pipelines-as-Code, Infrastructure-as-Code, REST API Standards, Basic Networking, Basic Linux/Windows Systems, Basic Security (Vulnerability Management), Site Reliability Engineering, Observability (Monitoring, Logging, Tracing), Public Cloud Constructs, Containerization (Orchestrators & Runtimes), Secret Management, Code (Python, Ruby, Golang), Chaos Engineering

Diagram: trying to put the terms together, all done as securely as possible. Nodes: Release & Deliver Software; Microservices; User Interfaces/APIs; DevOps; Site Reliability Engineering; “Platform”?; PaaS; Philosophy; Infrastructure composed of Physical Devices, Private Cloud, Datacenter, Public Cloud (IaaS), Network, Systems & More.

Confusing job descriptors: Private/Public Cloud, Site Reliability Engineer/Developer, Platform, DevOps, Release, Infrastructure, Systems, Network

Slide 3

Slide 3 text

Infrastructure / Security Lifecycle Management is the practice of changing infrastructure or security resources.

Slide 4

Slide 4 text

Changes to infrastructure/security: Create, Read, Update, Delete

Slide 5

Slide 5 text

Rosemary Wang, Chief Developer Advocate, HashiCorp (she/her), @joatmon08

Slide 6

Slide 6 text

Diagram: Datacenter, Public Cloud 1, Public Cloud 2

Slide 7

Slide 7 text

Diagram: lifecycle management across Datacenter, Public Cloud 1 and Public Cloud 2

Slide 9

Slide 9 text

Foundations for ILM/SLM: As code, Self-service, Systems of record, Scale

Infrastructure Lifecycle Management (ILM) and Security Lifecycle Management (SLM) by operation:
Read:   Monitoring (ILM) / Observability (SLM)
Create: Modularization (ILM) / Access control (SLM)
Update: Standardization (ILM) / Remediation (SLM)
Delete: Immutability (ILM) / Ephemerality (SLM)

Slide 11

Slide 11 text

Vulnerability patch management: Read
• Did the patch fail?
• Which machines still need updates?
Infrastructure Lifecycle Management: Monitoring
Security Lifecycle Management: Observability

Slide 12

Slide 12 text

Read
Infrastructure Lifecycle Management: Monitoring
• Audit changes to infrastructure
• Identify drift
• Validate policy conformance
Security Lifecycle Management: Observability
• Audit system access
• Identify vulnerabilities
• Validate artifact provenance

Slide 13

Slide 13 text

People & process
People:
• Encourage self-service of information
• Build confidence for change
Process:
• Audit and document system evolution
• Iterate on unified “platform” interface

Slide 16

Slide 16 text

Vulnerability patch management: Create
• What gets disrupted when we patch?
• How do we access machines for patching?
Infrastructure Lifecycle Management: Modularization
Security Lifecycle Management: Access control

Slide 17

Slide 17 text

Create
Infrastructure Lifecycle Management: Modularization
• Isolate changes to parts of the system
• Decouple infrastructure dependencies
Security Lifecycle Management: Access control
• Isolate least privilege access
• Decouple identity from access policy

Slide 18

Slide 18 text

People & process
People:
• Identify kebab vs. cake teams
• Agree on interface over implementation
Process:
• Balance productivity and security
• Support flexibility

Slide 21

Slide 21 text

Vulnerability patch management: Update
• What do we need to do to fix the vulnerability?
• How do we roll out the patch?
Infrastructure Lifecycle Management: Standardization
Security Lifecycle Management: Remediation

Slide 22

Slide 22 text

Update
Infrastructure Lifecycle Management: Standardization
• Develop consistent deployments
• Improve predictability of changes and rollbacks
Security Lifecycle Management: Remediation
• Develop baseline for detecting anomalous behavior
• Improve speed of fixes

Slide 24

Slide 24 text

Diagram: remediation without standardization across Datacenter, Public Cloud 1 and Public Cloud 2

Slide 25

Slide 25 text

Diagram: remediation with standardization across Datacenter, Public Cloud 1 and Public Cloud 2

Slide 26

Slide 26 text

People & process
People:
• Justify refactoring effort
• Establish evergreen standards
• Focus on value over technical details
Process:
• Develop consistency in process
• Document edge cases

Slide 29

Slide 29 text

Vulnerability patch management: Delete
• Can we replace machines instead of updating?
• Are short-lived resources a compensating control?
Infrastructure Lifecycle Management: Immutability
Security Lifecycle Management: Ephemerality

Slide 30

Slide 30 text

Delete
Infrastructure Lifecycle Management: Immutability
• Change resource by creation and deletion
• Support lower risk refactoring patterns
Security Lifecycle Management: Ephemerality
• Change time-to-live of resources to reduce attack surface
• Support resiliency patterns for short-lived resources

Slide 31

Slide 31 text

People & process
People:
• Shift paradigm from static to dynamic
• Apply immutability to larger use cases
Process:
• Develop constant rate of change
• Establish provisioning as remediation

Slide 34

Slide 34 text

Scale: As code, Self-service, Systems of record
• How often can we push a commit to update the image?

Slide 35

Slide 35 text

Scale: As code, Self-service, Systems of record
• How often can we push a commit to update the image?
• How can a developer patch their VM without asking operations?

Slide 36

Slide 36 text

Scale: As code, Self-service, Systems of record
• How often can we push a commit to update the image?
• How can a developer patch their VM without asking operations?
• How do we document exceptions if we can’t patch?

Slide 37

Slide 37 text

Scale: As code
• Build configuration or policy for automation
• Enable orchestration across system

Slide 38

Slide 38 text

Scale: Self-service
• Build abstraction for complexity of knowledge
• Enable anyone to extend system to support business needs

Slide 39

Slide 39 text

Scale: Systems of record
• Build inventory of infrastructure, secrets, identities, and policies
• Enable visibility and orchestration across systems at scale
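As an added example (not code from the talk or from HashiCorp), the following shows how a system of record can answer the patch-management questions raised in the Read and Scale slides: which machines still need updates, which are covered by a documented exception, and what gets disrupted when one machine is replaced. The inventory, baseline and exception data are constructed sample values.

```python
"""Added example (not from the talk): drive patch management from a system of
record. INVENTORY, BASELINE and EXCEPTIONS are constructed sample data."""
from datetime import date

# Constructed system of record: each resource records its current image,
# the module that provisions it, and the resources it depends on.
INVENTORY = {
    "web-1": {"image": "app-2024.09", "module": "web", "depends_on": ["db-1"]},
    "web-2": {"image": "app-2024.10", "module": "web", "depends_on": ["db-1"]},
    "db-1": {"image": "db-2024.08", "module": "db", "depends_on": []},
    "legacy-1": {"image": "app-2023.01", "module": "legacy", "depends_on": []},
}
# Desired state, as code: the image each module should be running now.
BASELINE = {"web": "app-2024.10", "db": "db-2024.09", "legacy": "app-2024.10"}
# Documented exceptions for machines that cannot be patched yet, with an expiry
# so an exception is re-justified rather than forgotten.
EXCEPTIONS = {"legacy-1": {"reason": "vendor certification", "expires": date(2024, 12, 31)}}


def drift(inventory=INVENTORY, baseline=BASELINE):
    """Which machines still need updates? Returns {name: (current, desired)}."""
    return {n: (r["image"], baseline[r["module"]])
            for n, r in inventory.items() if r["image"] != baseline[r["module"]]}


def needs_patch(today, inventory=INVENTORY, baseline=BASELINE, exceptions=EXCEPTIONS):
    """Drifted machines minus those with a documented, unexpired exception."""
    out = {}
    for name, versions in drift(inventory, baseline).items():
        exc = exceptions.get(name)
        if exc and exc["expires"] >= today:
            continue  # exception still valid; an expired one falls through
        out[name] = versions
    return out


def blast_radius(name, inventory=INVENTORY):
    """Everything that transitively depends on `name` (what gets disrupted)."""
    hit, stack = set(), [name]
    while stack:
        cur = stack.pop()
        for other, r in inventory.items():
            if cur in r["depends_on"] and other not in hit:
                hit.add(other)
                stack.append(other)
    return sorted(hit)
```

Running `needs_patch(date(2025, 1, 15))` after the exception has expired brings legacy-1 back into the patch list, which is the point of recording exceptions with an expiry.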

Slide 40

Slide 40 text

People & process
People:
• Shift paradigm from clicking resources to selecting systems
• Offer escape hatches for edge cases
Process:
• Accommodate rapid rate of change
• Use systems of record to assess blast radius

Slide 41

Slide 41 text

Summary

Slide 42

Slide 42 text

Foundations for ILM/SLM: As code, Self-service, Systems of record, Scale

Infrastructure Lifecycle Management (ILM) and Security Lifecycle Management (SLM) by operation:
Read:   Monitoring (ILM) / Observability (SLM)
Create: Modularization (ILM) / Access control (SLM)
Update: Standardization (ILM) / Remediation (SLM)
Delete: Immutability (ILM) / Ephemerality (SLM)

Slide 44

Slide 44 text

Diagram: monitoring/observability across Datacenter, Public Cloud 1 and Public Cloud 2

Slide 45

Slide 45 text

Diagram: everything done as code across Datacenter, Public Cloud 1 and Public Cloud 2

Slide 46

Slide 46 text

Diagram: established systems of record across Datacenter, Public Cloud 1 and Public Cloud 2

Slide 47

Slide 47 text

Lifecycle management at scale Design and build for change, which affects process and people.

Slide 48

Slide 48 text

Examples and learn more: check out recordings from HashiConf 2024, and The building blocks of ILM & SLM at developer.hashicorp.com

Slide 49

Slide 49 text

Thank you @joatmon08