Keeping your applications Healthy and Secure
In the age of Digital Transformation, applications and the data they generate are the most important assets of your company. The application landscape is diverse: traditional client-server apps are probably mixed with modern container-based and cloud-native apps. And IT has to manage them all, keeping your applications healthy and secure. Without the right tools it’s easy to lose control.
In this post I will discuss the steps and tools to regain and maintain control, making use of VMware and Puppet (integrated) software solutions.
Step 1 – Know what you have
Customers can easily have hundreds of applications running in their environment, deployed across different clouds, without knowing their status, whether those applications still run as initially deployed, or whether they comply with applicable security standards.
To take the correct actions you first have to discover and know what you have, gather insights, and then act on them by bringing those resources under management.
A tool that can help you discover your existing cloud resources and applications and bring them under management is Puppet Discovery.
Puppet Discovery enables users to discover resources across their virtual machines, both on-premises and in the cloud, and inspect running containers. It provides deep insights about that infrastructure: for instance, Puppet Discovery will be able to tell if an organization has seven different versions of SSL running, detect which ones are vulnerable, and take action to bring them all under management using Puppet Enterprise and Puppet Tasks.
Puppet Discovery is a SaaS offering and, as of today, is only available as a Tech Preview, but it will probably go GA in the first quarter of 2018.
VMware Cloud – Discovery
Another discovery tool is VMware Cloud Discovery. VMware Discovery shows you specific information about the resources in a cloud account, including VMs, hard disks, storage units, CPU usage, billing and other information. The public cloud accounts that you can add to Discovery include AWS and Microsoft Azure. You can also add and discover resources for private cloud accounts, such as a vCenter Server.
Although it does not yet have the ability to discover application-specific information and has no tight integration with Configuration Management tooling, it certainly is a SaaS tool to watch.
Step 2 – Control it and enforce consistency
Once your applications are under management, Configuration Management tooling allows you to enforce the desired state of your application configuration using a prescriptive manifest and, on a fixed schedule, automatically remediate any unexpected changes.
There are a lot of Configuration Management tools available that can deploy applications, manage them and enforce consistency: Puppet, Chef, Ansible and SaltStack. But I prefer Puppet for several reasons: its strategy and vision, rich Enterprise features and, of course, superb integration with VMware solutions.
Puppet Enterprise is Puppet’s flagship. It delivers a unified platform with a common language that allows you to both enforce the desired state of your configurations and automatically remediate any unexpected changes, and to automate ad hoc tasks (with Puppet Tasks) across applications no matter where they run.
Puppet Enterprise inspects and reports on packages running across your infrastructure, whether they’re managed by Puppet or not. You can quickly identify packages that are eligible for maintenance updates and security patching.
With rich, interactive graphical reporting, you know exactly how your infrastructure and applications are configured and the relationships and dependencies between them. You know in real time what has changed, who made the change, what caused it, and whether it was intentional or corrective.
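As an added illustration of the prescriptive manifest described above (example code written for this post, not Puppet’s or VMware’s own): a class that pins a package version, removes a legacy cleartext service and enforces hardened sshd settings. The package names, file path and version placeholder are assumptions, and file_line comes from the puppetlabs-stdlib module.

```puppet
# Added example, not from the original post. Desired state for an SSH
# service on a Linux node; the Puppet agent re-applies it on every run
# (every 30 minutes by default), so manual drift is corrected on the
# next run and reported as a corrective change.
class profile::ssh_hardening (
  # Placeholder version string (assumption); pin to the build your
  # security baseline approves so drift to older builds is corrected.
  String $openssh_version = '<approved-version>',
) {
  package { 'openssh-server':
    ensure => $openssh_version,
  }

  # Remove a legacy cleartext service instead of merely stopping it.
  package { 'telnet-server':
    ensure => absent,
  }

  # Hardened settings. file_line (puppetlabs-stdlib) replaces a line that
  # matches the regex or appends one, so an edited or commented-out
  # directive is restored to the prescribed value.
  $sshd_settings = {
    'PermitRootLogin'        => 'no',
    'PasswordAuthentication' => 'no',
    'X11Forwarding'          => 'no',
  }
  $sshd_settings.each |String $key, String $value| {
    file_line { "sshd_config ${key}":
      path    => '/etc/ssh/sshd_config',
      line    => "${key} ${value}",
      match   => "^#?${key}\\s",
      require => Package['openssh-server'],
      notify  => Service['sshd'],
    }
  }

  # Ownership and permissions of the config file are part of the state.
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  service { 'sshd':
    ensure  => running,
    enable  => true,
    require => Package['openssh-server'],
  }
}
```

Applying it with `puppet agent -t --noop` first shows the corrective changes Puppet would make without changing the node.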
Step 3 – Modernize and secure it
Running the managed applications on a Software Defined Data Center, where Compute, Storage and Networking are virtualized, has many benefits. It simplifies automation, creates the ability to unify management and increases agility to accelerate innovation.
And because of virtualization we can now monitor network flows and secure applications from within the hypervisor, using micro-segmentation.
In contrast to Software Defined Networking (SDN), in which hardware remains the driving force, VMware network virtualization technology truly decouples network resources from underlying hardware.
VMware NSX enables the creation of entire networks in software and embeds them in the hypervisor layer, abstracted from the underlying physical hardware. All network components can be provisioned in minutes, without the need to modify the application.
VMware NSX embeds security functions right into the hypervisor using Security policies. It delivers micro-segmentation and granular security to the individual workload, isolating sensitive systems and reducing both risk and scope of compliance, enabling a fundamentally more secure data center. Security policies travel with the workloads, independent of where workloads are in the network topology.
Step 4 – Protect and keep it compliant
Analyzing in-guest application behavior and establishing its normal operational behavior makes it possible to learn and understand how applications are supposed to work. By constantly monitoring for changes to that intended state, threats are easily detected, and the correct response to remediate or disarm the threat can be automated in real time.
VMware AppDefense is a data center endpoint security product that uniquely protects applications running in virtualized environments. Rather than chasing after threats, AppDefense understands how applications are supposed to work and monitors for changes to that intended state that indicate a threat. When a threat is detected, AppDefense automatically responds.
From inside the vSphere hypervisor, AppDefense has an authoritative understanding of how data center endpoints are meant to behave and is the first to know when changes are made. This contextual intelligence removes the guesswork involved in determining which changes are legitimate and which are real threats.
When a threat is detected, AppDefense uses vSphere and VMware NSX to automate the correct response. For example, AppDefense can automatically:
- Block process communication
- Snapshot an endpoint for forensic analysis
- Suspend the endpoint
- Shut down the endpoint
Because AppDefense is installed in the vSphere hypervisor, it has an isolated, protected environment from which to continually monitor data center endpoints. This reduces the chance of AppDefense itself being compromised.
Puppet Enterprise integrates with AppDefense enabling security professionals to easily collaborate with operations teams to make security a priority within the application development cycle, making applications more resilient to attacks and enabling DevOps practices to extend to security teams.
Step 5 – Consistent deployment
Cloud Automation can manage and program all components of the Software Defined Data Center: Compute, Storage, and Networking & Security. Integrating it with Configuration Management creates the ability to build consistent and secure application blueprints by design.
Through self-service and policy-based governance, application blueprints are easy to consume and delivered on demand, deployed in the right place with the correct privileges, completely managed and secured from the beginning. Over and over again.
VMware vRealize Automation & Puppet plugin
VMware vRealize Automation enables IT Automation through the creation of personalized infrastructure, application and custom IT services (XaaS) and accelerates the end-to-end delivery and management of those IT services.
It provisions and manages multi-vendor, multi-cloud infrastructure and applications by leveraging new and existing infrastructure, tools and processes. And through policy-based Governance it ensures that users receive the right-size resources, or applications, at the appropriate service level for the jobs they need to perform.
Through Self-Service and Automation, VMware vRealize Automation reduces operational cost by replacing time-consuming manual processes and gains additional cost savings through automated reclamation of inactive resources.
By integrating Puppet Enterprise using the Puppet plugin, you can create blueprint templates for your VMs using vRealize Automation, automatically enable Puppet to configure your VMs and continually enforce those desired configurations. Your vRealize Automation end users get one-click provisioning of fully configured infrastructure and you get continuous visibility and enforcement of machine state.
Step 6 – Consistent and secure by design
Digital transformation is all about application innovation: making existing applications better or creating new ones.
For organizations to be competitive, this needs to be a continuous process using release automation and continuous delivery to enable frequent, reliable releases of new or improved application code.
Because DevOps is hot, many software development and automation tooling vendors focus on Continuous Delivery solutions: XebiaLabs, AWS, IBM, Red Hat, Microsoft, Chef, Puppet and even VMware, just to name a few.
All these solutions focus on four main principles: deliver code faster, deliver more reliable code, leverage existing tools and processes, and improve governance and visibility.
VMware CodeStream is one of those tools and provides Release Automation and Continuous Delivery. It supports the modeling and resolution of code artifacts so that the right artifact versions are automatically retrieved when deploying a particular build version of an application.
Application Delivery Automation and Pipeline modeling with approvals and gates ensure that the correct versions of software flow through your stack fast at each stage in the delivery process while still ensuring the highest level of control.
CodeStream provides a summary view of all active pipelines and an end-to-end view of each pipeline where all users can see which tasks are completed, in progress or have resulted in an error. Out-of-the-box reports help to measure release quality and efficiency over time empowering collaboration between teams to assure higher quality and faster delivery of new software releases.
CodeStream has an Extensibility Framework that delivers out-of-the-box support for software lifecycle tools including Jenkins, Microsoft Team Foundation Server 2015, Artifactory, Yum, Git and others. Integrating vRealize Automation, where service blueprints are modeled, with pipeline tasks can trigger infrastructure & application provisioning and deployment.
Do you want to learn more about this topic? On February 8th 2018, VMware and Puppet will organize a joint event in The Netherlands on Configuration Management of applications and the underlying virtual infrastructure.
During this event VMware and Puppet will tell you everything about their latest technology for managing, automating and protecting your applications. There will be presentations and demos of Puppet Discovery, VMware vRealize Automation, Puppet Enterprise, VMware AppDefense and much more. So, do you have to show your management that you are compliant but lack the right tools, keep your IT infrastructure and applications safe, or keep an overview of your total IT landscape? Then this session is for you!
I’ll keep you posted. See you in February.
Dimitri de Swart
Dimitri is an IT professional with more than 16 years of experience. He now works for VMware as a Cloud Management Specialist SE but started out as a Telecom Engineer and progressed to an experienced and skilled Pre-sales Consultant/Solution Architect with broad and in-depth knowledge of SDDC solutions and Private, Public and Hybrid Cloud. Dimitri is VMware VSP, VTSP, VCP and VCAP certified and is a vExpert Cloud (2017).