This week I was reminded of that great Wayne Gretzky quote,
“I skate to where the puck is going to be, not where it has been”.
How is that relevant to the Software Defined Data Center (SDDC)? Well, because things are moving so fast! That virtualization infrastructure you have today (thank you for my paycheck!) is introducing new challenges in IT and Security management. What was once a few servers, some network and storage and a firewall is growing into hundreds, if not thousands, of VMs, hybrid clouds, tiered storage and stretched networks. There are new tools to learn and new innovative capabilities to leverage.
But it’s getting very complex!
Yes. It is. Every new technology seems complex at first. Every new technology brings benefits and challenges. (Remember the pre-PC era? I do!) But, here’s the good, no, AWESOME part, it’s becoming increasingly easier to automate, validate and assess. However, if you are still managing and securing this new infrastructure using your old methods, you may find yourself skating to where the puck was and not where it’s going.
Here’s a slide that I’ve been using in my current deck for a while now.
Eliyahu Goldratt, who I recently discovered after I built the slide, was a business management guru. In one of his books, he had two guys talking about some new technology that was being installed. In it, one of the characters says
“…technology is a necessary condition, but it’s not sufficient. To get the benefits we must, at the time that we install the new technology, also change the rules that recognize the existence of the limitation. Common sense.”
If you are applying your existing rules, which WILL impose limitations, how can you be assured of getting the benefits of this new technology? The software defined datacenter is changing the rules. Virtualization already has. Have you re-examined your rules? Are you doing security any differently? Don’t worry, you’re not alone, many haven’t. 🙂
Existing rules. a.k.a. How NOT to do it
Let’s take, as an example, changing a setting on all your VMs. Let’s say you want to disable the ability to have vCenter auto-install VMware Tools (for whatever reason). Now, according to some security folks, that would mean doing the following steps:
- Un-register the VM from vCenter
- Connect via the Datastore Browser
- Download the .VMX file
- Edit the file and make the change
- Upload the .VMX file
- Re-register the VM to vCenter
That’s not what I would define as a software defined anything. 🙂 That is a process that is fraught with potential errors and security issues. Plus, from a compliance and general security standpoint, how do you assess if it was done or done right? Really, it’s crazy and makes my brain hurt. If the rules have the potential to make you less secure, the rules are broken!
Unfortunately, something like this is called out in a government standard (surprise!) as the required way to do a similar task. Obviously, they have not yet recognized the existence of the limitations.
New rules can benefit everyone
Is there a better way? Yes, you can leverage an IT tool to do this. vCenter has a VERY rich API. In the example above, those steps can be done in a couple of lines of PowerShell thanks to my teammate Alan Renouf and the vSphere Hardening Guide! Note that you can do similar scripting with other scripting languages as well.
Note: These use new cmdlets that became available in PowerCLI 5.1 Release 1. PowerCLI 5.1 is up to Release 2 at the moment.
# Add the setting to all VMs (same setting name as the assessment query below;
# -Confirm:$false suppresses the per-VM confirmation prompt)
Get-VM | New-AdvancedSetting -Name "isolation.tools.autoInstall.disable" -Value $true -Confirm:$false
Want to assess what the setting is across all VMs?
# List the VMs and their current settings
Get-VM | Get-AdvancedSetting -Name "isolation.tools.autoInstall.disable" | Select Entity, Name, Value
No editing. No de-registering/re-registering of VMs. No leaving copies of VMX files on a desktop. Easy to control, assess and audit. Plus, it’s all done in seconds against all virtual machines rather than days of cumbersome clicking. Want a report on which VMs are set? Outputting the results to a .CSV file is as simple as appending
"| Export-Csv filename.csv -NoTypeInformation".
This kind of information becomes valuable to the security guy! Not only that, it can be easily baked into how you do business and even better, put under version control for further alignment with compliance objectives. This is the software part of SDDC. The ability to lessen the time it takes to get things done and do it more efficiently and in an easily measured and assessed fashion.
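Here is an added example (my own illustration, not code from the original post or from the Hardening Guide) that turns the two one-liners above into a repeatable compliance check: it audits a small set of VM advanced settings across every VM, treats a missing key as non-compliant (Get-AdvancedSetting returns nothing when the key is absent, and the default for these keys is "not disabled"), writes the evidence to CSV, and can optionally remediate. It assumes you have already run Connect-VIServer; the copy/paste setting names alongside the autoInstall one are hardening-guide settings I chose for illustration.

```powershell
# Desired VMX settings, "name = expected value", as the hardening guide lists them
$Desired = @{
    'isolation.tools.autoInstall.disable' = 'TRUE'
    'isolation.tools.copy.disable'        = 'TRUE'
    'isolation.tools.paste.disable'       = 'TRUE'
}

function Get-VMSettingCompliance {
    param(
        [Parameter(Mandatory)] [hashtable] $Desired,
        [switch] $Remediate
    )
    foreach ($vm in Get-VM) {
        foreach ($name in $Desired.Keys) {
            $expected = $Desired[$name]
            # Absent key => nothing returned; report it as '<not set>' and non-compliant
            $current = Get-AdvancedSetting -Entity $vm -Name $name -ErrorAction SilentlyContinue
            $actual  = if ($current) { [string]$current.Value } else { '<not set>' }
            $ok      = ($actual -ieq $expected)
            $fixed   = $false
            if (-not $ok -and $Remediate) {
                if ($current) {
                    Set-AdvancedSetting -AdvancedSetting $current -Value $expected -Confirm:$false | Out-Null
                } else {
                    New-AdvancedSetting -Entity $vm -Name $name -Value $expected -Confirm:$false | Out-Null
                }
                $fixed = $true
            }
            [pscustomobject]@{
                VM          = $vm.Name
                Setting     = $name
                Expected    = $expected
                Actual      = $actual
                Compliant   = $ok
                Remediated  = $fixed
            }
        }
    }
}

# Audit pass: show only the gaps on screen, keep the full result as audit evidence
$report = Get-VMSettingCompliance -Desired $Desired
$report | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
$report | Export-Csv -Path .\vm-hardening-report.csv -NoTypeInformation

# Remediation pass (uncomment); re-run the audit afterwards rather than trusting the in-memory result
# Get-VMSettingCompliance -Desired $Desired -Remediate | Out-Null
```

Keeping the $Desired table in version control, as the paragraph above suggests, gives you a diffable record of what "compliant" meant on any given date.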
Find a way to change the rules together
When I meet with customers, I’ll ask if the IT and Security teams have the resources (e.g. developers) that can assist them with automating the datacenter. Unfortunately, many don’t. It’s not on their radar because they are so wrapped up in fighting fires that process improvement and redefining the rules fall by the wayside.
I would urge both IT and Security to find a way out of that loop. Skate to where the puck is going.
Leveraging the infrastructure capabilities is KEY to a software defined datacenter. This means it’s time to consider having a person or persons on your IT team dedicated to writing code; that is what will allow you to enjoy the benefits of the technology. Become knowledgeable about the growing DevOps movement. I’m exploring it through the lens of security and I’m really, really excited! I’ll share what I find with you in the coming year.
Remember, working with your security team and introducing them to a more efficient way of helping them get their job done not only helps them, it helps IT and gets you both in a better place to get the most out of the technology you purchased.
The payoff of better IT Operations and in turn, MUCH better security, will be well worth it. Position yourself to benefit from technology. Change the rules and start skating!
mike