Convenience and compliance
Personally, I prefer to give live demonstrations whenever possible. However, live demos always carry risk, so for a recent three-minute demo slot during an executive keynote to 1000 people, I decided to go with a pre-recorded demo. After all: What Could Go Wrong?
My demo was near the end of the pitch, and my laptop and demo were all set up on stage ready to go. I turned off my screensaver so everything would be ready when my turn came. When I took the stage to do my demo, I looked at my laptop and promptly saw a message from our IBM security utility about a policy violation for disabling my screensaver.
What a stark reminder of the processes and procedures a company establishes to verify IT policy compliance.
Companies place restrictions on what they permit on systems, requirements for mandatory software, and guidelines for the configuration of those programs -- not to mention mandates for what those programs can and cannot do. I’m sure you aren’t surprised that IBM has our share of processes in this area, but I know many of you have similar and possibly even more stringent requirements than IBM. Some of you are also responsible for establishing and enforcing these guidelines.
So, how does cloud computing fit with your existing processes and procedures? Does a cloud help? How much do you need to change?
From working with clients adopting IBM WebSphere CloudBurst, we see that a private cloud built with WebSphere CloudBurst brings benefits in compliance control, along with traditional cloud computing benefits, such as lowering hardware and administration costs and increasing agility. Companies achieve these benefits through staged implementation of cloud computing, and with reuse of many existing assets.
Controlling your cloud using WebSphere CloudBurst
Our goal with WebSphere CloudBurst is to make it easy for you to adopt WebSphere CloudBurst to create, deploy, and manage your WebSphere environments as an on-premise, private cloud. Achieving this goal means not forcing an unacceptable level of change. From the start, we made design decisions to help you integrate WebSphere CloudBurst within your existing processes. For example, our bring-your-own-cloud design point is in place to enable you to use your existing hardware resources, rather than require a large, new capital outlay. Our design supports multiple levels of customization, including customizing images, constructing your own multi-image patterns, and bringing in your existing scripts. Our WebSphere CloudBurst release of Oct 2010 provided additional deployment control with the environment profiles feature.
Let’s take a look at how these capabilities can be used to provide control over your cloud deployments, along with some examples of the benefits of moving to a private cloud.
There are a number of different areas of control that can be established either for IT policy compliance, or simply to cut costs through consistency and repeatability. These include controlling content, controlling configuration, controlling deployment, and controlling users.
The content of deployments is easy to control by creating custom images stored in the WebSphere CloudBurst catalog. You add content, such as monitoring agents and security compliance-checking utilities, using the extend and capture option. This feature enables you to ensure every image deployed into your cloud contains particular content. WebSphere CloudBurst provides a comparison for you to view the files changed between the parent and the extended image.
Extend/capture provides an easy way to customize the content of IBM-supplied hypervisor images. Even within IBM, we cannot deploy the "vanilla" IBM WebSphere Application Server Hypervisor Edition image in our intranet because out-of-the-box it does not meet all IBM-specific security criteria. IBM only performs testing of the out-of-the-box hypervisor edition image on isolated networks, behind multiple firewalls. However, because the WebSphere Application Server test team wanted to leverage WebSphere CloudBurst to function test and system test the application server without the extra firewall restrictions, they use the extend/capture capability as one of the techniques for injecting the required compliance.
Our clients are using extend/capture for similar reasons, which include injecting their various monitoring agents into the images. We also have clients using the extend/capture capability to remove content from images that they do not want in their environment.
To control deployment configurations, you create patterns using the WebSphere CloudBurst pattern editor. You specify the image (or images) you want to deploy and specify the configuration parameters. You can completely control the configuration by specifying the configuration values in the pattern and using the "lock" on the parameters to prevent modification. For additional control, you can add custom scripts to the pattern that WebSphere CloudBurst will execute during each pattern deployment. These scripts can also contain parameters that you can lock down for consistency.
Patterns provide a powerful way to create a self-service environment for your custom deployment patterns. The WebSphere Application Server test team defines a set of patterns corresponding to their standard test topologies, and includes scripts as part of their patterns to deploy applications onto the topologies. The team also has scripts to register VMs into IBM’s compliance database as they are created and, equally important, to deregister the VMs upon deletion.
Our clients are standardizing patterns, designing for a limited number of common patterns across their environments. Pattern scripts and parameters are being used to configure pre-installed software to specific databases or directory servers, as well as to register and deregister VMs from enterprise monitoring servers.
You control deployments in WebSphere CloudBurst by establishing different cloud groups, thereby providing a physical separation of underlying hardware resources. This lets you optionally separate different organizations onto physically distinct resource pools, separate development or test, and, of course, separate different hypervisors, such as VMware ESX and PowerVM™.
The WebSphere Application Server test team partitioned their cloud resources into three pools, one for self-service test access, one for automated regression tests, and a separate pool for special activities, such as performance testing. Additionally, the team automated a process for adding and removing hypervisors from the cloud, sharing these hardware resources across the physical and virtual test bed.
Our clients use similar techniques for their development and test clouds; however, many requested additional control over deployments, particularly for production environments. For example, some users wanted to specify the exact IP address for each virtual machine, instead of letting WebSphere CloudBurst choose the IP address from their pre-established pool. The environment profiles capability provides this additional control.
Environment profiles (optionally) provide deployment time control of the specific IP address assigned to a virtual machine, and also of the naming conventions used to name the virtual machines. Different profiles can be established and applied for different environments, such as development, test, and production. Additionally, environment profiles provide a more flexible networking configuration, enabling you to deploy a single pattern across different cloud groups.
Figure 1 shows an example environment profile specification for a test environment, where virtual machine names start with "uat," IP addresses are provided by the pattern deployer at deploy time, and patterns are able to span multiple cloud groups.
Figure 1. Example environment profile
In addition to the need to control image content, configuration, and deployment, there is the need to control who can do what. In support of this, WebSphere CloudBurst provides a combination of roles and fine-grained access control.
First, WebSphere CloudBurst roles establish who can do specific tasks at the macro-level. For example, there are predefined roles for administration, creating catalog content, creating patterns, and deploying patterns. This enables you to establish users who can only deploy patterns, with no permission to add content to an image, add scripts, or modify patterns. This is very effective in restricting what someone can deploy into the cloud. In addition, you can apply fine-grained access control distinctly to each image and each pattern, controlling who can read the asset and who can edit it. This further enables strong control over what specific users can do. You can also apply access controls to who can deploy to different cloud groups.
Our clients take advantage of both role-based permission and fine-grained access control. Most also configure WebSphere CloudBurst to use an existing LDAP directory for user authentication. The WebSphere Application Server test team grants only a very small number of users permission to create content and patterns. Testers using the self-service environment only have permission to deploy patterns, and fine-grained access control restricts visibility to a small subset of the defined patterns explicitly created for their use. This ensures repeatable, compliant deployments from the test community.
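The layered checks described above (task role, per-pattern access, cloud group access), as an added sketch that is not WebSphere CloudBurst code or its API. The role strings and the user, pattern and cloud group names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)    # macro-level task roles

@dataclass
class Pattern:
    name: str
    readers: set = field(default_factory=set)  # per-asset ACL: may see/use
    editors: set = field(default_factory=set)  # per-asset ACL: may modify

@dataclass
class CloudGroup:
    name: str
    deployers: set = field(default_factory=set)  # who may deploy here

def can_deploy(user, pattern, group):
    """All three layers must pass; report the first layer that denies."""
    if "deploy_patterns" not in user.roles:
        return (False, "role")
    if user.name not in (pattern.readers | pattern.editors):
        return (False, "pattern-acl")
    if user.name not in group.deployers:
        return (False, "cloud-group-acl")
    return (True, "ok")

def can_edit(user, pattern):
    """Editing needs the pattern-creation role and edit access to the asset."""
    if "create_patterns" not in user.roles:
        return (False, "role")
    if user.name not in pattern.editors:
        return (False, "pattern-acl")
    return (True, "ok")

def effective_deployments(user, patterns, groups):
    """Every (pattern, cloud group) pair the user can actually deploy."""
    return sorted((p.name, g.name) for p in patterns for g in groups
                  if can_deploy(user, p, g)[0])

# Constructed sample data mirroring the test-team setup described above.
tester = User("tina", {"deploy_patterns"})
architect = User("arch", {"create_patterns", "deploy_patterns"})
std = Pattern("std-cluster-test", readers={"tina"}, editors={"arch"})
perf = Pattern("perf-topology", editors={"arch"})
self_service = CloudGroup("self-service", {"tina", "arch"})
perf_pool = CloudGroup("performance", {"arch"})

if __name__ == "__main__":
    for u in (tester, architect):
        print(u.name, effective_deployments(u, [std, perf], [self_service, perf_pool]))
```

Listing the effective (pattern, cloud group) pairs per user is a quick way to confirm that self-service testers reach only the patterns and pools created for them.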
So, does it work? The WebSphere Application Server test team story is a well-documented success. First, the team no longer has security compliance violations. The automation implemented and provided via WebSphere CloudBurst provides compliant deployments each and every time. Beyond compliance, the team is greatly benefiting from WebSphere CloudBurst. They achieve much faster deployments (three hours reduced to 18 minutes) with far fewer problems. They have raised hardware utilization from under 10% to an average of 60%, thereby reducing costs for both administration and utilities. The first year savings are $500,000 direct savings and $2.1 million in agile benefits. See the Resources section for additional information.
IT compliance processes are an important part of the business, and moving to cloud computing does not eliminate their importance. When you adopt cloud computing using WebSphere CloudBurst Appliance, you can leverage features that include extend/capture, patterns and scripts, access control, and environment profiles to provide the control you desire over the who, what, and where of deployments. You get the control you need along with the benefits of reduced administration costs and improved agility.
Meanwhile, back on stage...
By the way, in case you are wondering, I was able to get rid of the security warning before displaying my demo to the audience. And I didn’t get in trouble for turning off my screensaver -- at least not yet.
Resources
- Innovations within reach: How an IBM test organization uses WebSphere CloudBurst to improve efficiency and agility
- Cloud computing for the enterprise, Part 3: Using WebSphere CloudBurst to create private clouds
- WebSphere CloudBurst (including a video interview with the WebSphere Application Server test architect, Robbie Minshall)
- Series: Customizing with WebSphere CloudBurst
- Video: WebSphere CloudBurst demos
- Customize deployment behavior using WebSphere CloudBurst environment profiles
- IBM developerWorks WebSphere