by Nathan Bennett, Sterling Cloud Architect
I’m adopting the acronym GAS to describe the three requirements for a functioning enterprise infrastructure. The G is for Governance: an enterprise’s ability to manage changes to its tech environment in a defined way, with authorizations and proper documentation in place. The A is for Authority and speaks to an enterprise’s compliance obligations — that is, the specific criteria the enterprise complies with in order to maintain the security of its environment and to ensure the continuity of its operations. This is sometimes referred to as the “Authority to Operate,” or ATO. Finally, the S is for Standardization: what holds the enterprise’s IT environment to specific quality levels, no matter what happens.

Each letter of the GAS acronym speaks to the next; they are not simply parts, but the whole of the operation. Allowing each factor to overlap — to flow into the next — helps sustain the infrastructure (and so, the enterprise) through upgrades, patches, new solutions, and more. Each change within the enterprise’s governance must also satisfy its obligations to authority, maintaining compliance with industry security standards. Even with these principles in place, there will always be aspects of the enterprise not covered by security compliance standards, which must then be standardized to ensure that they run as designed and in accordance with governance and authorization. These can be databases or individual tools, or development and testing environments that must be maintained to replicate production. Let’s look at some tool sets that help with each requirement.
I personally hate the idea of Change Advisory Boards (CABs). They are purposefully designed to slow down a business’s operational growth needs and to ensure day-to-day operation continues working as designed. Now, this may sound like a great process for many different organizations, and it may be. However, the agility to make changes quickly can also help grow and scale an organization’s services and improve customers’ estimation of the organization. Commercial tool sets can be brought into organizations to foster a better governance process. This can be done through approvals on continuous integration/continuous delivery (CI/CD) pipelines or through self-service governance solutions like VMware’s vRealize® Automation, ServiceNow™, BMC® Remedy, and more. The idea is that when a customer or user requests something, the request kicks off the workflow or automation that completes the approval process.
Using vRealize Automation (vRA) as an example: one person in the CAB group can approve a particular solution request, or the entire group can. This can be done through email or other notification tools, without waiting for the weekly CAB meeting. Another level of that governance is what users can do once the resource is added to the environment. Using vRA as an example again: users can reboot, power off, and manage a Virtual Machine by default after it’s deployed.

However, user capabilities can be restricted so that users can perform only the actions permitted in the environment. This again reduces the risk the CAB must weigh, while still letting users apply governance-approved changes directly to the environment themselves. Creating these processes can be time-consuming on the front end. I remember personally spending several weeks facilitating self-service with different groups in an organization. Within the first week of the solution being in place, ticket items that went to CAB dropped by fifty percent. So, after the initial weeks we saved time. This allowed for low-risk changes, still approved by CAB, but with little to no time spent by myself or my group.
Maintaining an organization’s authority is done via compliance. Each compliance setting must be met to maintain that authority. This is done from day zero onwards, ensuring that security for customers as well as for the enterprise is maintained. The many different compliance standards, from CIS to FISMA, let companies go through specific audits and, once approved, perform business functions. All of this may sound silly to those who don’t do this type of work, but compliance standards were actually created to save businesses time and to ensure a mandatory baseline that each business must meet to stay in operation.
The tool sets here are VMware vRealize SaltStack SecOps and vRealize Operations (vROps). Using vROps as an example: once endpoints have been created and scanned in the environment (VMware objects such as hosts, virtual machines, and containers), compliance settings can be added to scan those objects and to indicate the status of each compliance standard — what is being kept and what is being broken.

SaltStack SecOps works similarly but goes a step further by allowing remediation of many out-of-the-box compliance standards. This moves the solution to a new level of compliance standardization: it not only reports on the standards being maintained, but, where a control is not met, remediates it as needed. SaltStack is also a configuration manager that can help with the move to standardization.
Standards are what organizations use to maintain the individual parts of the environment that must be preserved. This is normally found outside of production workloads, in the Dev/Test arena. The biggest standardization solution set here is to mirror production inside Dev/Test. This is also a great solution for organizations that do not have compliance standards to maintain; instead, they look to standards to maintain operations and keep things running. This can be anything from how a Virtual Machine (VM) is built, to how the application is added to the VM, or even to how a host is added to a vSphere cluster, and more. There are many different levels of standardization, and they lead to many different parts working together. SaltStack would handle the OS configuration and management of the environments.

Here SaltStack can deploy applications on the Virtual Machines and keep them within the needed standards. SaltStack is a configuration manager that deploys software-defined settings into an environment and then adds self-healing components at the configuration level. This is similar to DevOps products such as Puppet or Chef®, which poll each OS on a set interval to ensure it matches a specific standard and stays that way. All these products allow standardized day-zero deployment and maintain that standard going forward.
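As an added example (not from the original post, and not VMware’s or SaltStack’s own content), here is a small Salt state file that enforces an OS baseline and re-applies itself on a timer, which is the software-defined setting plus self-healing behaviour described above. The file name `baseline.sls`, the two baseline items, the sshd drop-in path (which assumes an sshd build that reads `sshd_config.d`), and the 30-minute interval are all assumed for illustration.

```yaml
# baseline.sls (added example; file name, baseline items and interval are assumed)

# Item 1: SSH hardening settings carried in a root-owned drop-in file.
# If anyone edits or deletes the file, the next run restores it.
sshd_baseline:
  file.managed:
    - name: /etc/ssh/sshd_config.d/99-baseline.conf
    - user: root
    - group: root
    - mode: '0600'
    - makedirs: True
    - contents: |
        PermitRootLogin no
        PasswordAuthentication no

# Reload sshd only when the drop-in actually changed, i.e. only when
# drift was remediated; an unchanged system triggers no restart.
sshd_service:
  service.running:
    - name: sshd
    - enable: True
    - watch:
      - file: sshd_baseline

# Item 2: the audit daemon must be installed, enabled at boot and running.
auditd_pkg:
  pkg.installed:
    - name: auditd

auditd_service:
  service.running:
    - name: auditd
    - enable: True
    - require:
      - pkg: auditd_pkg

# Self-healing: the minion re-applies this same state every 30 minutes,
# so a manual change to any item above is detected and reverted without
# a ticket or a CAB meeting (the "time-setting" the paragraph mentions).
baseline_reapply:
  schedule.present:
    - function: state.apply
    - job_args:
      - baseline
    - minutes: 30
```

Running `salt '*' state.apply baseline test=True` from the master reports which items would change without touching anything, which is the report-only view; the same command without `test=True` performs the remediation.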
To say organizations ‘run on GAS’ would, technically, be an understatement. Compliance standards, governance, and standardization maintenance are critical to keeping an enterprise in operation. Operating without one of these three solution sets can lead to outages in which users are unable to consume the organization’s offerings, or to legal issues in which the organization must be taken offline until its authority can be rebuilt. Each part must work together.
If you are interested in learning more about modern operations, contact us at Sterling. We can help your enterprise utilize these solution sets. These operational constructs can aid in maintaining your organization’s operations while also providing the agility and velocity to meet customer needs.