Hybrid Cloud for Architects
Build robust hybrid cloud solutions using AWS and OpenStack
Alok Shrivastwa
BIRMINGHAM - MUMBAI

Copyright © 2018 Packt Publishing. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Reviewers: David Duncan, Ganesh Raja
Commissioning Editor: Gebin George
Acquisition Editor: Rohit Rajkumar
Content Development Editor: Nithin Varghese
Technical Editor: Mohit Hassija
Copy Editors: Safis Editing, Laxmi Subramanian
Project Coordinator: Virginia Dias
Proofreader: Safis Editing
Indexer: Rekha Nair
Graphics: Tom Scaria
Production Coordinator: Nilesh Mohite

First published: February 2018
Production reference: 1220218
Published by Packt Publishing Ltd, Livery Place, 35 Livery Street, Birmingham B3 2PB, UK
ISBN 978-1-78862-351-3
www.packtpub.com
Contributors

About the author

Alok Shrivastwa is a technologist from India, currently working as the director of special projects for Microland in the CMD's office. He currently runs special projects on cloud technologies. Having worked at multiple enterprises of varied sizes, designing and implementing solutions, public and private clouds, and integrations, he has created a myriad of tools and intellectual properties in the operationalization of emerging technologies. He has authored two books on OpenStack alongside several white papers and blogs on technology, in addition to writing poems in Hindi.

We as humans need contrast, without which we cannot perceive. Because of this, to show something in a good light, something has to be made the villain. This book is about being pragmatic when looking at the cloud. I thank God for the perspective, and my family—my mother, father, sisters and my niece, Aarya—who helped me see it. I am thankful to each and every person who I meet and learn from.

Common controls

As we have already looked at HIPAA controls in the previous section, if we notice carefully, the administrative controls are common to both clouds. The policies
will have to be made for the systems. Hence, we are adding that here. If the organization already has HIPAA compliance policies for the in-house data centers, the process for the public cloud can be appended to them, and that should take care of it.

The technical controls are also common, although they might have a different implementation on different clouds. For example, we may use AWS Directory Service instead of Active Directory on the private cloud, but the concept remains the same.

Implementing the controls on AWS – public cloud

Since the administrative controls have been taken care of in a common fashion, we will deal with physical controls. Since the public cloud is technically AWS's data center, the physical controls fall under the responsibility of AWS itself.

AWS holds HIPAA certification for a list of services, which can be used and will clear the HIPAA requirements. At the time of writing this book, 43 services out of hundreds of AWS services are eligible for HIPAA compliance. Refer to the updated list at https://aws.amazon.com/compliance/hipaa-eligible-services-reference/. We can use these services to architect the application, and it can still be HIPAA-compliant.

FAQs on HIPAA on AWS:
https://aws.amazon.com/blogs/security/frequently-asked-questions-about-hipaa-compliance-in-the-aws-cloud/
https://aws.amazon.com/blogs/security/frequently-asked-questions-about-hipaa-compliance-in-the-aws-cloud-part-two/

Security – shared responsibility model

AWS and every other public cloud provider works on the principle that security is a responsibility shared between us and the public cloud provider:

The responsibility for the security of the services in the Enterprises area belongs to us. The part under AWS belongs to AWS.

While all of the physical controls of HIPAA fall under AWS's purview, the technical controls are under our purview. Refer to the whitepaper for more information: https://d0.awsstatic.com/whitepapers/compliance/AWS_HIPAA_Compliance_Whitepaper.pdf

Implementing the
controls in private cloud

Implementing the controls is not very different from implementing them in a traditional data center. Hence, in order to implement the controls, deploy the appropriate tools that were mentioned and configure the policies as required.

Security – best practices

Let's take a look at some of the best practices that can be considered while architecting the hybrid cloud environment.

Implementing a CMDB/asset list

It's a good idea to implement a configuration management database (CMDB) or an asset list with details of what is running on each of the systems, to ensure that proper security controls can be put in place.

User accounts and authentication

We need to have best practices for user accounts and authentication policies. The best practices in this realm are as follows:

- Multi-factor authentication: We should enable multi-factor authentication, using products such as SecurID, or some kind of Time-based One Time Password (TOTP) such as Google Authenticator.
- Strong password policies: We should set strong password policies for users in relation to password reuse, forced password changes, password length, and so on.
- Different privileged and normal accounts: We should have separate accounts for administrative users to perform administrative tasks; we should not grant administrative access to the normal user account created for them.
- Different directories/users for different environments: We should ensure that different user accounts are used in different environments, so that even if one environment is compromised, the others remain unaffected.

Provisioning and post-provisioning controls

In the hybrid cloud, we will be provisioning servers on both the private and the public cloud, hence some controls with regard to provisioning the systems also have to be taken into consideration:

- Naming convention: A naming convention allows us to find out information about the server without logging into it; for example, consider the following
naming convention and the details that it can provide without having to log in:

  LHRWPSHPWEB01: [LOC][O][E][APP][FUN][#]
  LOC: location (LHR = London Heathrow)
  O:   operating system (W = Windows)
  E:   environment (P = production)
  APP: application (SHP = SharePoint)
  FUN: function (WEB = web server)
  #:   server number (01 = first server)

- IPAM: Have an IP Address Management (IPAM) system to help map the addresses that are in use. In the private cloud, this can be integrated into the provisioning process.
- Templates/configuration management systems: Ensure that the templates in use are patched and that they point to the appropriate servers (a WSUS server in the case of Windows) for patching when they come to life. Ensure that the templates have appropriate antivirus, HIDS, and similar systems installed, or ensure that the provisioning process connects to a configuration management system to install them.
- Disable unwanted services: We will need to ensure that any service that is not required is switched off, as this reduces the attack surface.
- Root/Administrator accounts: Protect root/administrator access, and don't allow direct remote access using these accounts.
- Encryption: Encrypt data at rest where applicable. This can be done by protecting the data drive with an encryption system.

Networks

The best practices for the network to be considered are as follows:

- Using VLANs: Create virtual networks where possible. Virtual networks not only divide the broadcast domain, but also help segment the network from a security standpoint. VLANs or Layer-2 networks can be easily created in a hybrid cloud.
- Using perimeter security: Implement the perimeter security devices discussed in the previous sections, with stringent policies as applicable to your environment.
- Disabling unused ports: Disable any unused ports on the network, as they may otherwise be used to plug in and gain access to the network.
- Performing network scans:
Perform network vulnerability scanning at defined intervals and perform remediation where necessary.

Other practices

Several other security best practices can be followed; some of them are enumerated here:

- Use a remote access VPN to provide access to remote workers.
- Log everything in an immutable manner in a centralized location, and review the logs periodically.
- Set up tape rotation for backup, and restrict access to the tapes. Ensure the backups are encrypted and tested regularly.
- Deploy a mail filtering application to protect against phishing, malware, and so on.
- Use a central NTP server to synchronize the time everywhere.
- Provide access in Least Privilege mode, which simply means implicitly deny until access is explicitly granted.

Summary

The preceding security principles and controls are merely guidelines that will help you get started on your security journey. The subject is vast, and hence you should follow the recommendations for further reading that have been provided. Note that the security-related snippets that must be followed for every product used in this book are mentioned in an information box or as a tip.

This brings us to the conclusion of our journey of architecting a hybrid cloud and some concepts in operating it. I sincerely hope that you enjoy reading it as much as I enjoyed writing it, and that it proves to be helpful to you.
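The [LOC][O][E][APP][FUN][#] naming convention from the Provisioning and post-provisioning controls section, as an added example that is not from the book: a parser that validates a host name against the convention and decodes each field, plus an inventory audit in the spirit of the CMDB/asset list practice. Only the codes LHR, W, P, SHP and WEB come from the book; the other table entries and the sample inventory are assumed values.

```python
"""Added example (not from the book): decode, build and audit server names that
follow the [LOC][O][E][APP][FUN][#] convention."""
import re
from typing import Dict, List, Tuple

# LHR, W, P, SHP and WEB are the book's codes; the other entries are assumed
# values that show how the tables would be extended for a real estate.
LOCATIONS = {"LHR": "London Heathrow", "FRA": "Frankfurt", "SIN": "Singapore"}
OPERATING_SYSTEMS = {"W": "Windows", "L": "Linux"}
ENVIRONMENTS = {"P": "production", "S": "staging", "D": "development"}
APPLICATIONS = {"SHP": "SharePoint", "ERP": "ERP suite"}
FUNCTIONS = {"WEB": "web server", "DB": "database server", "APP": "application server"}

# Anchored pattern: 3-letter location, 1-letter OS, 1-letter environment,
# 3-letter application, 2- or 3-letter function, 2-digit server number.
NAME_RE = re.compile(r"^(?P<loc>[A-Z]{3})(?P<os>[A-Z])(?P<env>[A-Z])"
                     r"(?P<app>[A-Z]{3})(?P<fun>[A-Z]{2,3})(?P<num>\d{2})$")

FIELDS = (("location", "loc", LOCATIONS), ("os", "os", OPERATING_SYSTEMS),
          ("environment", "env", ENVIRONMENTS), ("application", "app", APPLICATIONS),
          ("function", "fun", FUNCTIONS))


def parse_server_name(name: str) -> Dict[str, object]:
    """Decode a host name; raise ValueError if it does not follow the convention."""
    match = NAME_RE.match(name.strip().upper())  # DNS names are case-insensitive
    if not match:
        raise ValueError(f"{name!r} does not match [LOC][O][E][APP][FUN][#]")
    result: Dict[str, object] = {}
    for field, group, table in FIELDS:
        code = match.group(group)
        if code not in table:
            raise ValueError(f"{name!r}: unknown {field} code {code!r}")
        result[field] = code
        result[field + "_name"] = table[code]
    result["number"] = int(match.group("num"))
    return result


def build_server_name(location: str, os_code: str, environment: str,
                      application: str, function: str, number: int) -> str:
    """Assemble a name from its parts; validated by round-tripping through the parser."""
    if not 1 <= number <= 99:
        raise ValueError("server number must be between 01 and 99")
    name = f"{location}{os_code}{environment}{application}{function}{number:02d}"
    parse_server_name(name)
    return name


def audit_inventory(names: List[str]) -> Tuple[List[Dict[str, object]], List[Tuple[str, str]]]:
    """Split an asset list into decoded hosts and (name, reason) pairs that break the convention."""
    good, bad = [], []
    for name in names:
        try:
            good.append(parse_server_name(name))
        except ValueError as exc:
            bad.append((name, str(exc)))
    return good, bad


# Constructed sample asset list: two conforming names, one Linux database
# server, one legacy name and one with an unknown location code.
SAMPLE_INVENTORY = ["LHRWPSHPWEB01", "lhrwpshpweb02", "FRALSERPDB01",
                    "webserver-3", "XYZWPSHPWEB01"]

if __name__ == "__main__":
    print(parse_server_name("LHRWPSHPWEB01"))
    decoded, rejected = audit_inventory(SAMPLE_INVENTORY)
    print(len(decoded), "conforming,", rejected)
```

Running the audit over an export from the CMDB is a quick way to find hosts provisioned outside the standard process; a name that decodes as production but lives in a staging VLAN is worth a closer look.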
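The Least Privilege rule from the Other practices list (implicitly deny until access is explicitly granted), as an added example not taken from the book: a simplified evaluator for policy documents in the style of IAM. It follows the publicly documented IAM order of evaluation, where an explicit Deny overrides any Allow and anything unmatched is implicitly denied, but it is a teaching model rather than the AWS engine (no conditions, principals or NotAction). The policy documents, bucket names and ARNs are constructed samples.

```python
"""Added example (not from the book): default-deny policy evaluation and a
least-privilege lint for IAM-style policy documents."""
from fnmatch import fnmatchcase
from typing import Dict, List, Union

Policy = Dict[str, object]
Patterns = Union[str, List[str]]


def _as_list(value: Patterns) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Patterns, value: str) -> bool:
    # IAM-style wildcards: "*" matches any run of characters, "?" one character
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies: List[Policy], action: str, resource: str) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.
    Start from deny; an explicit Deny ends evaluation immediately; an Allow only
    stands if no statement anywhere denies the same request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def is_allowed(policies: List[Policy], action: str, resource: str) -> bool:
    return evaluate(policies, action, resource) == "Allow"


def wildcard_grants(policy: Policy) -> List[int]:
    """Indexes of Allow statements that grant every action on every resource,
    the opposite of least privilege; run this before attaching a policy."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow"
            and "*" in _as_list(s["Action"]) and "*" in _as_list(s["Resource"])]


# Constructed sample policies (not from the book). "2012-10-17" is the standard
# IAM policy language version string.
LOG_READER: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]}]}

RECORDS_GUARD: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::patient-records/*"}]}

OVERBROAD: Policy = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    attached = [LOG_READER, RECORDS_GUARD]
    print(evaluate(attached, "s3:GetObject", "arn:aws:s3:::app-logs/2018/web01.log"))  # Allow
    print(evaluate(attached, "s3:PutObject", "arn:aws:s3:::app-logs/2018/web01.log"))  # ImplicitDeny
    print(evaluate([OVERBROAD, RECORDS_GUARD], "s3:GetObject",
                   "arn:aws:s3:::patient-records/1.pdf"))                              # ExplicitDeny
    print(wildcard_grants(OVERBROAD))                                                   # [0]
```

The same default-deny reading applies to the private cloud side: an OpenStack role or a firewall rule base should be built from explicit grants on top of an implicit deny, and the lint shows the kind of check that catches an "Action: *, Resource: *" shortcut before it reaches production.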