Imagine having to manually provision and configure every device in a large corporation. Then visualize the upgrade process. How about patching? Then, picture ensuring conformity on every device. Next, add some enterprise-wide IT governance changes that must be implemented. The process would be daunting, to say the least, every time. Instantly you can see why being able to execute all of those tasks globally, instantly, accurately, and securely has profound appeal, particularly when you may have to do it all again next month. Enter Infrastructure as Code (IaC).
IaC is popular. And that popularity is only growing. Empowering scale, security, governance, accuracy, simplicity, and efficiency, IaC is proving to be an essential element in transforming how organizations manage and upgrade their IT infrastructure. Essentially codifying and managing underlying IT infrastructure as software, IaC enables organizations to automatically manage, monitor, provision, configure and upgrade resources previously handled manually.
Though simple in concept (IaC is not dissimilar to programming scripts that automate IT processes), IaC is deceptively powerful: implemented enterprise-wide as underlying infrastructure, it empowers organizations to control and make profound changes to that infrastructure instantly, easily, massively, and securely, much in the same way as a simple, traditional software install or upgrade. And that power only grows in value and importance as more and more organizations transition away from local storage/control and into the cloud. In short, IaC’s time has come.
First, let me tell you what it isn’t: IaC is not cloud computing, but they are complementary, as you will see later. Cloud computing is the delivery of a vast array of computing services—from servers to software—through the Internet, rather than domiciling them more locally. IaC, on the other hand, is the codification and management of underlying IT infrastructure and essentially treating it like software, as its name suggests. So, just like software development, IaC development also follows strict protocols.
“Application code has a defined format and syntax. If the code is not written according to the rules of the programming language, applications cannot be created. Code is stored in version management or source control system that logs a history of code development, changes, and bug fixes. When code is compiled or built into applications, we expect a consistent application to be created, and the build is repeatable and reliable. Practicing infrastructure as code means applying the same rigor of application code development to infrastructure provisioning. All configurations should be defined in a declarative way and stored in a source control system.”
– AWS whitepaper Introduction to DevOps on AWS.
The whitepaper also points out that traditionally the people who wrote the code are often not the same people making changes or updates in the field, and that updates were not necessarily frequent or consistently applied. “This results in the creation of new environments not always being repeatable, reliable, or consistent.” IaC changes all of that by centralizing, globalizing, and codifying the process. As they can with software, DevOps teams can carefully control every aspect of IaC, including updates, testing, and deployments. As you might imagine, the benefits are stark, including reliability, scaling, global application, enhanced testing ability, version control, security, cost, speed, and the list goes on.
IaC is usually divided into two categories: declarative IaC or procedural IaC. In Top 10 Infrastructure as Code (IaC) Tools to Know in 2021, Uri Shamay explains that “a declarative definition is a set of parameters that instruct the software on how the system needs to be configured once the process is complete. In contrast, procedural definitions are a set of operations on what the system needs to do to reach the correct configuration.” Now that you know what IaC is, let’s talk about why you should use it.
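The difference between the two definitions shows up when the same definition is run more than once, or after someone has changed the system by hand. The following is an added example, not code from the original article or from any IaC tool; the firewall-rule model and all names in it are hypothetical.

```python
# Added illustration; the firewall-rule model and all names are hypothetical.

def procedural_setup(actual):
    """Procedural: a fixed list of operations, run without looking at current state."""
    actual.append((443, "10.0.0.0/8"))
    actual.append((22, "10.1.0.0/16"))
    return actual

# Declarative: only the end state is written down, as a set of (port, source) rules.
DESIRED = {(443, "10.0.0.0/8"), (22, "10.1.0.0/16")}

def plan(desired, actual):
    """Diff desired against actual state; return the operations needed to converge."""
    have = set(actual)
    ops = [("add", rule) for rule in sorted(desired - have)]
    ops += [("remove", rule) for rule in sorted(have - desired)]
    return ops

def converge(desired, actual):
    """Apply the plan to a copy of the actual state and return the new state."""
    result = list(actual)
    for op, rule in plan(desired, actual):
        if op == "add":
            result.append(rule)
        else:
            result = [r for r in result if r != rule]
    return result

def drift_demo():
    """Constructed scenario: a rule added by hand shows up in the plan as a removal."""
    state = converge(DESIRED, [])
    state.append((22, "0.0.0.0/0"))  # manual change outside the definition
    return plan(DESIRED, state)
```

Running the procedural script twice leaves duplicate rules behind, while a second `converge` call has nothing to do, and an out-of-band change is reported as drift before it is reverted.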
IaC seems like a natural fit for large corporations and organizations with vast numbers and disparate networks and locations. And that’s true. But IaC also can empower any size and type of company, from the smallest start-ups to multinationals, in a “matter of minutes.”
Developer and leading AWS Advanced Consulting Partner SourceFuse reports that IaC was an integral part of their ability to help “their development team to instantly code on properly provisioned VPCs and provide their clients with immediate compute power to handle growing workloads.” They also report that IaC is key to “reducing go to market time by 88%.”
But start-ups and smaller organizations can also benefit in other ways: IaC provides tremendous stability through uniformity, conformity, and pre-testing before implementation. IaC helps avoid mistakes through accidental deletions or incorrect changes with proper version control software. Scaling, again, is much easier. But IaC also allows the multiple reuse and reapplication of well-written code, avoiding the need to reinvent the digital wheel, as it were. And when it comes to security, IaC ensures that proven, tested security is uniformly distributed enterprise-wide.
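Because the infrastructure is a declarative document, the pre-testing mentioned above can include a security check that runs against the template before anything is deployed. The following is an added example, not from the original article or from AWS: it uses CloudFormation's resource types and property names, while the resource names, the sample template and the policy (no SSH or RDP ingress from any source) are assumptions, and only literal values are evaluated.

```python
# Policy (an assumption for this sketch): no SSH or RDP ingress from any source.
ANY_SOURCE = ("0.0.0.0/0", "::/0")
ADMIN_PORTS = (22, 3389)

# Constructed template in CloudFormation's JSON form, written as a Python dict.
TEMPLATE = {"Resources": {
    "WeakSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "bastion",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "HardenedSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "bastion",
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "10.20.0.0/16"}]}},
    "WideRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "HardenedSg"}, "IpProtocol": "-1", "CidrIpv6": "::/0"}},
    "WebRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
        "GroupId": {"Ref": "HardenedSg"}, "IpProtocol": "tcp",
        "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}},
}}

def exposed_admin_ports(rule):
    """Admin ports one ingress rule opens to any source (literal values only)."""
    source = rule.get("CidrIp") or rule.get("CidrIpv6")
    if source not in ANY_SOURCE:
        return []
    proto = str(rule.get("IpProtocol"))
    if proto == "-1":                      # all protocols, all ports
        return list(ADMIN_PORTS)
    low, high = rule.get("FromPort"), rule.get("ToPort")
    if proto not in ("tcp", "6") or not isinstance(low, int) or not isinstance(high, int):
        return []                          # non-TCP, or an intrinsic function we do not evaluate
    return [port for port in ADMIN_PORTS if low <= port <= high]

def check_template(template):
    """Return sorted (resource name, port) pairs that violate the policy."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        else:
            continue
        findings += [(name, port) for rule in rules for port in exposed_admin_ports(rule)]
    return sorted(findings)
```

Run in the same pipeline that stores the template in source control, a non-empty result from `check_template` can block the change before any environment is built from it.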
Finally, considerable resources support IaC, an abundance that only looks to expand. Numerous IaC tools serve the market, including Ansible, AWS CloudFormation, Azure Resource Manager, Chef, Crossplane, Google Cloud Deployment Manager, Pulumi, Puppet, Terraform, and Vagrant. Each has its virtues, and much depends on user comfort and familiarity, though other factors, like open-source desirability, can help influence preferred tools. We’re going to focus on one, AWS and its CloudFormation service, as at present, it’s the most popular and arguably the most successful.
Amazon’s market-leading, comprehensive cloud-computing platform, AWS (Amazon Web Services), combines Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and packaged Software as a Service (SaaS). It provides flexible, reliable, scalable, and easy-to-use computing power, database storage, analytics, networking, development tools, enterprise applications, and content delivery services. Launched in 2006 and built on Amazon’s internal infrastructure, AWS was also one of the first companies to introduce these services on a pay-as-you-go model. It dominates cloud computing for several compelling reasons.
AWS covers 245 territories and countries and provides a vast array of
One of AWS’s most used services is CloudFormation.
“CloudFormation is a service that helps you model and set up your AWS resources to spend less time managing those resources and more time focusing on your applications that run in AWS…CloudFormation takes care of provisioning and configuring those resources for you.”
– AWS Whitepaper Introduction to DevOps on AWS
So CloudFormation is the AWS IaC tool that serves as an automation platform that allows you to implement services or applications without having to set up and configure each one manually, saving you considerable time and avoiding the potential for mistakes and inconsistencies. Given its ease of use and wide-ranging capabilities, CloudFormation has helped make AWS so popular with companies of all sizes and types. Domain registrar and web-hosting company GoDaddy serves as a perfect example.
With more than 78 million domain names under management, more than 19 million daily entrepreneur/users, and handling more than 300,000 DNS queries per second, GoDaddy is the largest domain registrar/web hosting company in the world. And in 2018, they decided to transform their digital architecture from the on-premises, in-house, data-center model and move everything to the cloud. In doing so, they had three core objectives:
They did precisely that when they partnered with AWS and used CloudFormation, AWS Service Catalog and AWS Systems Manager.
As a result, they could onboard and provision more than 200 accounts (more than 500 landing zones) within approximately one year, automatically provisioning each new onboard in under 2 hours. In addition, by automating the process through IaC, they saved approximately 25,000 hours and about $5,000 per account. In terms of patching and updating, they’ve saved more than 100 daily compute rotations just from automating the process and eliminating patching. This also freed up GoDaddy staff to spend more time working with and innovating for customers. But GoDaddy is by no means the only organization that benefits from IaC and AWS.
Founded in 1899, Futbol Club Barcelona (FCB) proudly represents its city and Catalan culture in and around Barcelona. Hugely popular, FCB relies on technology to help further its fans’ participation and loyalty. For example, the FCB website houses more than 6,000 pages and over 12,000 photographs and is available in six languages. In addition, the site also consolidates the latest information on the team’s games, players, fans, etc. The team’s IT provider, Gnuine, provides custom web and mobile applications as well as system administration services. Gnuine uses AWS CloudFormation to manage Ubiquo Sports, a specialized SaaS content management system. Given the deity-like qualities assigned to football, the team, and its players by its fans, Gnuine’s commitment to serving FCB and its followers is absolute. They needed an effective answer that could help them scale and respond to the dynamic needs of a hallowed sports team.
“AWS provides us with scalable and flexible hosting solutions,” explains Lluís Alsina, FCB’s online manager in the AWS Futbol Club Barcelona Case Study. “The elastic cloud solution is ideal for platforms that support traffic peaks. This solution represents a significant saving for us. Scaling, provisioning, and security are very important for us and for our customers. AWS is a natural fit because it allows us to have virtually unlimited capacity while only paying for what we use without upfront investments. AWS also makes it easy to deal with traffic spikes, which are common in sports, thanks to its elastic capabilities.” In the case study, Gnuine CTO Ramon Salvadó adds, “We are very happy with AWS CloudFormation because it means we are able to use ‘one-click’ deployment of our whole infrastructure.”
In 2018, the Expedia Group planned to migrate 80 percent of its mission-critical apps from on-premises to the cloud. One of the world’s largest full-service online travel agencies, Expedia provides leisure and business travel services to customers around the globe. Committed to innovation and technology, Expedia began using AWS in 2010 when it launched its Expedia Suggest Service (ESS), a typeahead suggestion service that prompts customers to enter correct travel information. But ESS was not created solely for convenience. Expedia metrics showed that error pages were the greatest reason for customer site abandonment. But Expedia faced another challenge: time.
On-premises data-center solutions could not compete with decentralized, automated cloud services in terms of eliminating user lag and delays. So, Expedia took to the cloud. In the case study Expedia Group Increases Agility and Resiliency by Going All In on AWS, Expedia Principal Architect Magesh Chandramouli explains, “If an application processes 3,000 requests per second, we would have to configure our physical servers to run at about 30 percent capacity to avoid boxes running hot. On AWS, we can push CPU consumption close to 70 percent because we can always scale-out. Fundamentally, running in AWS enables a 230 percent CPU consumption efficiency in the data processing. We run our critical applications on AWS because we can scale and use the infrastructure efficiently.”
This kind of success prompted the migration of other Expedia services to AWS. For example, to enable continuous deployment and speed, they used a blue-green deployment approach to create parallel production environments on AWS. They also used the deployment to troubleshoot effectively, scale, and develop applications faster. Expedia Principal Software Engineer Jun-Dai Bates-Kobashigawa also highlights the multifold value of IaC for provisioning, “If there are 100 boxes running, you might have to take 20 boxes out to apply new code. Using AWS, we don’t have to take capacity out; we just add new capacity and send traffic to it.”
Infrastructure as Code is no longer just a great idea. It’s a powerful tool that is changing the IT landscape around the globe. By enabling unparalleled efficiency in scaling, governance, provisioning, conformity, security, and so much more, IaC can empower everything from large corporations to start-ups. According to Spectral’s Uri Shamay in Top 10 Infrastructure as Code (IaC) Tools to Know in 2021, “IaC is the future of large-scale computing. Currently, no alternative provisions resources as effectively and consistently as IaC tools. It is crucial to any organization looking to scale up, but it can also be a time-saver for smaller organizations looking to start small.”
Naturally, one of the most critical elements of any conversion to IaC is security. It’s an essential element. Request a free demo at Spectral today to ensure your system is as secure as possible and start securing your IaC conversion.