
Taking OpenStack to SaaS and Beyond! An IBM Story
Dale Bowie, Staff Software Engineer
Holly Wright, Graduate Software Engineer
IBM Security

About Us
• Based at IBM Security's Australian Development Lab (ADL) on the Gold Coast
• Holly:
  - 1 year full-time + 1 year internship
  - Worked with OpenStack since starting at IBM
  - Adapted an existing security product to support multi-tenancy in the cloud
  - This work was then used to create development and testing infrastructure
• Dale:
  - 4 years full-time + 6 months internship
  - 2.5 years of OpenStack experience
  - Led DevOps efforts for critical cloud security components
  - Drove internal test and development infrastructure architecture for several IBM Security products

Prevalence of cloud
• Gartner predicted in early 2017 that demand for cloud computing would grow 18% to $246.8 billion this year (total worldwide revenue) [1]
• 48 of the Fortune Global 50 companies have announced cloud adoption plans [2]
• IBM Cloud revenue was $15.1 billion over the 12 months to June 30, 2017 [3]
SaaS-ify (verb): to take a product and adapt it to Software as a Service (Holly Wright, 2017)
1. http://fortune.com/2017/02/22/cloud-growth-forecast-gartner/
2. https://www.forbes.com/sites/louiscolumbus/2017/02/11/global-cloud-spending-predicted-to-reach-390b-by-2020/#6486abd91085
3. https://www.ibm.com/blogs/cloud-computing/2017/07/ibm-as-a-service-revenue/

Our Mission
• Evolve a single-tenant security inspection appliance monolith to suit a multi-tenanted cloud environment
• Key requirements:
  - Scalability: easily add support for more tenants as the product grows
  - Flexible architecture: support the future addition of security components
  - Multi-tenancy: guarantee that one tenant's network traffic is completely isolated from another's, and facilitate per-tenant custom policy for blocking and other security rules
• OpenStack satisfies these requirements:
  - Create a set of resources for each tenant
  - The architecture relies on Heat, Keystone and Neutron features

Scalability
• Production OpenStack deployments are generally spread across several bare-metal nodes:
  - Controller node – most system services, databases, APIs, etc.
  - Neutron node – agents for network operations, routing, etc.
  - Compute node – runs the virtual machine instances
  [Diagram: Controller node, Neutron node and Compute node, joined by the Management, Internal and External networks]
• This architecture allows us to easily add:
  - Neutron nodes to support greater network capacity
  - Compute nodes to support more instances (each of our nodes can support approx. 33 tenants)

Flexible Architecture
• Heat – orchestration service that accepts a template and associated parameters, and deploys:
  - Networks
  - Routers
  - Instances
  - and more
• Our Heat template defines a single tenant's environment
• Parameters allow us to customise each environment
• All configuration for VMs is stored in a centralised ZooKeeper server, so that VMs can be discarded and rebuilt
• Easy to upgrade versions and add new VMs

A basic Heat template
  heat_template_version: 2014-10-16
  parameters:
    NetID:
      type: string
      description: Network ID for the server
  resources:
    server:
      type: OS::Nova::Server
      properties:
        name: "Test server"
        image: "cirros"
        flavor: "m1.tiny"
        networks:
          - network: { get_param: NetID }

Multi-tenancy
• Identical tenant environments can be achieved in OpenStack thanks to:
  - Keystone – projects are the containers of resources for individual tenants
  - Neutron – overlay / underlay networking with isolated network namespaces
• This meant our software did not need modifications to support multi-tenancy
  [Diagram: a Neutron node and several compute nodes on the Internal network; on the Neutron node, Tenant A and Tenant B each get their own network namespace, each serving that tenant's VM 1, VM 2 and VM 3 on the compute node]

The birth of OPTIC
• Extra tooling was built as a Java library around the OpenStack Heat and Keystone APIs
• We called it OPTIC – the OpenStack Project Template Instance Controller
• OPTIC allows automatic provisioning and configuration of a tenant environment in under 10 minutes

OPTIC for internal testing and development
• We saw the benefits of this architecture and decided to adapt it for our internal testing and development
• An end-to-end automated approach enables a team of engineers to spin up multiple versions of any VM quickly
• VMs didn't necessarily even have to be cloud deliverables

IBM Security QRadar
• Security Information and Event Management (SIEM) ecosystem
• A number of different VMs are required to be deployed and connected together
  [Diagram: a QRadar deployment made up of the SIEM Console, Flow Collector, Flow Processor, QRadar Network Insights and QRadar Incident Forensics]
  [Diagram, two slides: Flow Collector and SIEM Console]

Demo

OPTIC for product confidence
• Jenkins build
  - Unit tests
  - Component-level tests
• Automated pipeline for:
  - ISO generation
  - ISO download
  - Installation
  - Project creation
  - In parallel to: regression suite execution

Future hopes and dreams
• Ironic hardware installs
• More cross-product integrations
• A fancier UI

Advice
• Requirement setting
• Flexibility in design and execution
• Build up slowly – make sure you understand the technology before automating the entire process

OPTIC for everyone!
• Within the space of a year, we adapted this infrastructure for two products
  - More teams are looking to adopt
• VMs that we support:
  - IBM Security products
  - Databases
  - API servers
  - and more
• Functionality that we can achieve through extended configuration:
  - Single VM
  - Multi-VM high availability environment
  - Scenario-based configuration
  - Cross-product integrations

Questions?
THANK YOU
FOLLOW US ON: ibm.com/security, securityintelligence.com, xforce.ibmcloud.com, @ibmsecurity, youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2016. All rights reserved.
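The Flexible Architecture, Multi-tenancy and OPTIC slides above describe the pattern but show only a one-server template. The following is an added example, written for this page in Python; it is not OPTIC (which the deck says is a Java library) and not IBM code. It expands the basic template into a per-tenant environment (own network, subnet, router to an external network, a security group that admits only TCP/443 from the tenant's own subnet, and one inspection VM) and wraps it in a controller that creates a Keystone project per tenant, launches the Heat stack inside that project, and tears both down if the stack does not reach CREATE_COMPLETE. The resource and parameter names, the `client` interface and `FakeOpenStack` are assumptions made for the example; the fake stands in for a Keystone/Heat wrapper so the module runs offline.

```python
import itertools

# HOT template for ONE tenant: its own network, subnet and router, a security
# group admitting only TCP/443 from the tenant's own subnet, and one inspection
# VM. Resource and parameter names are assumptions, not the deck's template.
TENANT_TEMPLATE = """\
heat_template_version: 2014-10-16
parameters:
  tenant_name: {type: string}
  external_net: {type: string, description: ID of the external network}
  subnet_cidr: {type: string, default: 10.10.0.0/24}
resources:
  net:
    type: OS::Neutron::Net
    properties: {name: {get_param: tenant_name}}
  subnet:
    type: OS::Neutron::Subnet
    properties: {network: {get_resource: net}, cidr: {get_param: subnet_cidr}}
  router:
    type: OS::Neutron::Router
    properties: {external_gateway_info: {network: {get_param: external_net}}}
  router_if:
    type: OS::Neutron::RouterInterface
    properties: {router: {get_resource: router}, subnet: {get_resource: subnet}}
  secgroup:
    type: OS::Neutron::SecurityGroup
    properties:
      rules:
        - {protocol: tcp, port_range_min: 443, port_range_max: 443, remote_ip_prefix: {get_param: subnet_cidr}}
  server:
    type: OS::Nova::Server
    properties:
      name: {get_param: tenant_name}
      image: cirros
      flavor: m1.tiny
      networks: [{network: {get_resource: net}}]
      security_groups: [{get_resource: secgroup}]
"""


class TenantProvisioner:
    """One Keystone project per tenant, then one Heat stack owned by that project.

    `client` is any object with create_project / create_stack / stack_status /
    delete_stack / delete_project (assumed thin wrapper over Keystone and Heat).
    """

    def __init__(self, client, external_net, poll_limit=60):
        self.client, self.external_net, self.poll_limit = client, external_net, poll_limit

    def provision(self, tenant_name, subnet_cidr="10.10.0.0/24"):
        # The project is the isolation boundary: every resource the stack
        # creates is owned by it and invisible to other tenants' projects.
        project_id = self.client.create_project(tenant_name)
        params = {"tenant_name": tenant_name, "external_net": self.external_net,
                  "subnet_cidr": subnet_cidr}
        stack_id = self.client.create_stack(project_id, tenant_name, TENANT_TEMPLATE, params)
        status = "CREATE_IN_PROGRESS"
        for _ in range(self.poll_limit):
            status = self.client.stack_status(project_id, stack_id)
            if status == "CREATE_COMPLETE":
                return {"project_id": project_id, "stack_id": stack_id}
            if status.endswith("FAILED"):
                break
        # Never leave a half-built environment behind: tear down stack, then project.
        self.client.delete_stack(project_id, stack_id)
        self.client.delete_project(project_id)
        raise RuntimeError(f"{tenant_name}: stack ended in {status}")


class FakeOpenStack:
    """Constructed offline stand-in: records calls; stacks named in `fail` fail."""

    def __init__(self, fail=()):
        self.fail, self.projects, self.stacks = set(fail), {}, {}
        self._ids = itertools.count(1)

    def create_project(self, name):
        pid = f"proj-{next(self._ids)}"
        self.projects[pid] = name
        return pid

    def create_stack(self, project_id, name, template, parameters):
        sid = f"stack-{next(self._ids)}"
        status = "CREATE_FAILED" if name in self.fail else "CREATE_COMPLETE"
        self.stacks[sid] = {"project": project_id, "params": parameters, "status": status}
        return sid

    def stack_status(self, project_id, stack_id):
        return self.stacks[stack_id]["status"]

    def delete_stack(self, project_id, stack_id):
        del self.stacks[stack_id]

    def delete_project(self, project_id):
        del self.projects[project_id]
```

Usage: `TenantProvisioner(FakeOpenStack(), "ext-net").provision("tenant-a")` returns the new project and stack IDs; a tenant listed in `fail` raises and leaves no project or stack behind. Two things a real wrapper must add that the fake hides: the service account needs a role assignment on each new project before Heat can create the stack there, and stack deletion is asynchronous, so wait for DELETE_COMPLETE before deleting the project or the network resources will be orphaned.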
The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.