Taking OpenStack to SaaS and Beyond!
An IBM Story
Dale Bowie, Staff Software Engineer
Holly Wright, Graduate Software Engineer

About Us
• Based at IBM Security’s Australian Development Lab (ADL) on the Gold Coast
• Holly:
  – 1 year full-time + 1 year internship
  – Worked with OpenStack since starting at IBM
  – Adapted an existing security product to support multi-tenancy in the cloud
  – This work was then used to create development and testing infrastructure
• Dale:
  – 4 years full-time + 6 months internship
  – 2.5 years of OpenStack experience
  – Led DevOps efforts for critical cloud security components
  – Drove internal test and development infrastructure architecture for several IBM Security products
Prevalence of cloud
• Gartner predicted in early 2017 that demand for cloud computing would grow 18% in 2017, to $246.8 billion in total worldwide revenue [1]
• 48 of the Fortune Global 50 companies have announced cloud adoption plans [2]
• IBM Cloud revenue was $15.1 billion over the 12 months to June 30, 2017 [3]
SaaS-ify (verb): to take a product and adapt it to Software as a Service (Holly Wright, 2017)
1. http://fortune.com/2017/02/22/cloud-growth-forecast-gartner/
2. https://www.forbes.com/sites/louiscolumbus/2017/02/11/global-cloud-spending-predicted-to-reach-390b-by-2020/#6486abd91085
3. https://www.ibm.com/blogs/cloud-computing/2017/07/ibm-as-a-service-revenue/
Our Mission
• Evolve a single-tenant security inspection appliance monolith to suit a multi-tenanted cloud environment
• Key requirements:
  – Scalability: easily add support for more tenants as the product grows
  – Flexible architecture: support the future addition of security components
  – Multi-tenancy: guarantee one tenant's network traffic is completely isolated from another's, and facilitate per-tenant custom policy for blocking and other security rules
• OpenStack satisfies these requirements:
  – Create a set of resources for each tenant
  – The architecture relies on Heat, Keystone and Neutron features
Scalability
• Production OpenStacks are generally deployed across several bare-metal nodes:
  – Controller node – most system services, databases, APIs, etc.
  – Neutron node – agents for network operations, routing, etc.
  – Compute node – running virtual machine instances
[Diagram: Controller Node, Neutron Node and Compute Node attached to the Management Network, Internal Network and External Network]
• This architecture allows us to easily add:
  – Neutron nodes to support greater network capacity
  – Compute nodes to support more instances (each of our nodes can support approx. 33 tenants)
Flexible Architecture
• Heat – orchestration utility that accepts a template and associated parameters, and deploys:
  – Networks
  – Routers
  – Instances
  – and more
• Our Heat template defines a single tenant's environment
• Parameters allow us to customise each environment
• All configuration for VMs is stored in a centralised Zookeeper server so that VMs can be discarded
• Easy to upgrade versions and add new VMs
A basic Heat template
```yaml
heat_template_version: 2014-10-16

parameters:
  NetID:
    type: string
    description: Network ID for the server

resources:
  server:
    type: OS::Nova::Server
    properties:
      name: "Test server"
      image: "cirros"
      flavor: "m1.tiny"
      networks:
        - network: { get_param: NetID }
```
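The basic template above places one server on an existing network. The per-tenant environment described under Our Mission needs more than that: a dedicated network, subnet and router per tenant, plus a security group that only admits the tenant's own address range. The following is an added example, not OPTIC or IBM code, showing how a provisioning tool can generate such a template and lint it before calling Heat. It relies on Heat accepting JSON templates (JSON is valid YAML), builds the template as a Python dict, and uses only the standard library. Resource and parameter names (tenant_net, tenant_sg, ExternalNetID, TenantCIDR) are illustrative, and the template has not been applied to a live OpenStack here, so treat the exact property names as an assumption to verify against your Heat version.

```python
"""Generate and lint a per-tenant Heat (HOT) template, standard library only.

Added example, not OPTIC or IBM code. Heat accepts JSON templates because JSON
is valid YAML, so the template is built as a dict and emitted with json.dumps.
Resource/parameter names are illustrative; not applied to a live OpenStack.
"""
import ipaddress
import json

HOT_VERSION = "2014-10-16"  # same template version as the slide's example


def tenant_template(tenant_cidr):
    """One stack per tenant: dedicated network, subnet, router, security group
    and server. The security group only admits the tenant's own CIDR, so
    isolation does not rest on the Neutron namespace alone."""
    net = ipaddress.ip_network(tenant_cidr)  # raises ValueError on bad input
    return {
        "heat_template_version": HOT_VERSION,
        "parameters": {
            "ExternalNetID": {"type": "string",
                              "description": "Provider network for the tenant router"},
            "Image": {"type": "string", "default": "cirros"},
            "Flavor": {"type": "string", "default": "m1.tiny"},
            "TenantCIDR": {"type": "string", "default": str(net)},
        },
        "resources": {
            "tenant_net": {"type": "OS::Neutron::Net"},
            "tenant_subnet": {"type": "OS::Neutron::Subnet", "properties": {
                "network": {"get_resource": "tenant_net"},
                "cidr": {"get_param": "TenantCIDR"}}},
            "tenant_router": {"type": "OS::Neutron::Router", "properties": {
                "external_gateway_info": {"network": {"get_param": "ExternalNetID"}}}},
            "router_if": {"type": "OS::Neutron::RouterInterface", "properties": {
                "router": {"get_resource": "tenant_router"},
                "subnet": {"get_resource": "tenant_subnet"}}},
            "tenant_sg": {"type": "OS::Neutron::SecurityGroup", "properties": {
                "rules": [{"direction": "ingress", "protocol": "tcp",
                           "port_range_min": 22, "port_range_max": 22,
                           "remote_ip_prefix": str(net)}]}},
            "server": {"type": "OS::Nova::Server", "properties": {
                "image": {"get_param": "Image"},
                "flavor": {"get_param": "Flavor"},
                "networks": [{"network": {"get_resource": "tenant_net"}}],
                "security_groups": [{"get_resource": "tenant_sg"}]}},
        },
    }


INTRINSICS = {"get_param": "parameters", "get_resource": "resources"}


def dangling_references(template):
    """Return get_param/get_resource references whose target is undeclared.
    Heat rejects these at stack-create time; catching them first saves a
    provisioning tool minutes of waiting on a failed stack."""
    problems = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                section = INTRINSICS.get(key)
                if section and isinstance(value, str) \
                        and value not in template.get(section, {}):
                    problems.append("%s: %s '%s' not declared in %s"
                                    % (path, key, value, section))
                walk(value, path + "." + key)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, "%s[%d]" % (path, i))

    walk(template.get("resources", {}), "resources")
    return problems


def open_ingress_rules(template, tenant_cidr):
    """Flag security-group ingress rules that accept traffic from outside the
    tenant's CIDR (e.g. 0.0.0.0/0), which would undo per-tenant isolation.
    Rules scoped by remote_group_id rather than a prefix are left alone."""
    tenant_net = ipaddress.ip_network(tenant_cidr)
    findings = []
    for name, res in template.get("resources", {}).items():
        if res.get("type") != "OS::Neutron::SecurityGroup":
            continue
        for rule in res.get("properties", {}).get("rules", []):
            if rule.get("direction", "ingress") != "ingress" or "remote_group_id" in rule:
                continue
            # Neutron treats a missing remote_ip_prefix as "any" for IPv4 rules
            prefix = ipaddress.ip_network(rule.get("remote_ip_prefix", "0.0.0.0/0"))
            if prefix.version != tenant_net.version or not prefix.subnet_of(tenant_net):
                findings.append("%s: ingress from %s is wider than tenant %s"
                                % (name, prefix, tenant_net))
    return findings


def render_json(template):
    """Serialise for `openstack stack create -t tenant.json <stack-name>`."""
    return json.dumps(template, indent=2, sort_keys=True)


if __name__ == "__main__":
    tmpl = tenant_template("10.20.0.0/24")
    print(render_json(tmpl))
    print("dangling references:", dangling_references(tmpl))
    print("open ingress rules:", open_ingress_rules(tmpl, "10.20.0.0/24"))
```

Both lint passes run over the same template dict, so a tool such as OPTIC could apply them to every generated stack before spending API time; the security-group check is the one that keeps a later edit (a convenient 0.0.0.0/0 rule added for debugging) from quietly widening a tenant's exposure.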
Multi-tenancy

• Identical tenant environments can be achieved in OpenStack thanks to:
  – Keystone – projects are the containers of resources for individual tenants
  – Neutron – overlay / underlay networking with isolated network namespaces
• This meant our software did not need modifications to support multi-tenancy
[Diagram: a Neutron Node and three Compute Nodes connected by the Internal Network]
[Diagram: on the Neutron Node, Tenant A and Tenant B each have their own network namespace; each tenant's VM 1, VM 2 and VM 3 on the Compute Node reach only their own namespace across the Internal Network]
The birth of OPTIC
• Extra tooling was built as a Java library around the OpenStack Heat and Keystone APIs
• We called it OPTIC – the OpenStack Project Template Instance Controller
• OPTIC allows automatic provisioning and configuration of a tenant environment in under 10 minutes
OPTIC for internal testing and development
• We saw the benefits of this architecture and decided to adapt it for our internal testing and development
• An end-to-end automated approach enables a team of engineers to spin up multiple versions of any VM quickly
• VMs didn’t necessarily even have to be cloud deliverables
IBM Security QRadar

• Security Information and Event Management (SIEM) ecosystem
• Several different VMs must be deployed and connected together
[Diagram: QRadar component VMs that are deployed and connected: SIEM Console (several instances shown), Flow Collector, Flow Processor, QRadar Network Insights, QRadar Incident Forensics]
Demo
OPTIC for product confidence

• Jenkins build
  – Unit tests
  – Component-level tests
• Automated pipeline for:
  – ISO generation
  – ISO download
  – Installation
  – Project creation
  – In parallel: regression suite execution
Future hopes and dreams

• Ironic hardware installs
• More cross-product integrations
• A fancier UI
Advice

• Requirement setting
• Flexibility in design and execution
• Build up slowly – make sure you understand the technology before automating the entire process
OPTIC for everyone!

• Within the space of a year, we adapted this infrastructure for two products
  – More teams are looking to adopt
• VMs that we support:
  – IBM Security products
  – Databases
  – API servers
  – and more
• Functionality that we can achieve through extended configuration:
  – Single VM
  – Multi-VM high availability environment
  – Scenario-based configuration
  – Cross-product integrations
Questions? Thank you
FOLLOW US ON:
ibm.com/security
securityintelligence.com xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.