Face to face with developers: modernize the private cloud

Is it difficult to create a virtual machine (VM) in the cloud? No more difficult than making tea. But in a large corporation even such a simple action can be painfully slow. It is not enough to create the virtual machine; you also need to obtain the access it needs, and obtain it according to all the regulations. A familiar pain for every developer? In one large bank this procedure took from several hours to several days. With hundreds of such transactions per month, it is easy to imagine the scale of this labor-consuming scheme. To end it, we upgraded the bank's private cloud and automated not only the creation of VMs but also the related operations.


Task number 1. Cloud with internet connection

The bank's private cloud had been built by an internal IT team for a single network segment. Over time, management came to appreciate its benefits and decided to extend the private-cloud concept to the bank's other environments and segments. This required more specialists and strong expertise in private clouds, so the upgrade of the cloud was entrusted to our team.

The main stream of this project was the creation of virtual machines in an additional segment of information security - in the demilitarized zone (DMZ). This is where the bank's services are integrated with external systems outside the banking infrastructure.

But this medal also had a downside. Services in the DMZ were reachable from "outside", and this brought a whole range of information security risks: first of all, compromise of an exposed system, then expansion of the attack across the DMZ, and finally penetration into the bank's internal infrastructure. To mitigate some of these risks, we proposed an additional protection tool: a micro-segmentation solution.

Protection by microsegmentation

Classical segmentation builds protected boundaries at the edges of networks using a firewall. With microsegmentation, each individual VM can be isolated in its own personal segment.

This enhances the security of the entire system. Even if attackers break into one DMZ server, it will be extremely difficult for them to spread the attack across the network: inside the network they will have to break through many "locked doors". Each VM's personal firewall holds the rules that apply to that VM and determine what may enter and leave it. We provided micro-segmentation using VMware NSX-T Distributed Firewall. This product centrally creates firewall rules for VMs and distributes them throughout the virtualization infrastructure. It does not matter which guest OS is used: the rule is enforced at the point where the virtual machine's network interface connects to the virtual network.
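To make the "locked doors" idea concrete, here is a small model of a distributed firewall with a per-VM rule set and an implicit deny, written as an added example for this post (it is not code from the bank's cloud or from VMware NSX-T). The VM names, the rule set and the test flows are constructed; the model enforces rules at the destination VM's virtual NIC only, which is a simplification of what a real distributed firewall does on both ends of a connection. The point it demonstrates is that a compromised DMZ server can still reach only the destinations that its explicit rules permit.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed inventory: two DMZ web servers and one internal application server.
DMZ_VMS = ["web-01", "web-02"]
INTERNAL_VMS = ["app-01"]


@dataclass(frozen=True)
class Rule:
    src: str          # source VM name, or "any" for external clients
    dst: str          # destination VM name (the VM whose vNIC enforces the rule)
    proto: str        # "tcp", "udp" or "icmp"
    port: int         # destination port; 0 for icmp
    action: str = "allow"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


class DistributedFirewall:
    """Rules are kept centrally but attached to the VM they protect.

    Evaluation happens at the destination VM's virtual NIC: the first
    matching rule decides; if nothing matches, the flow is denied.
    """

    def __init__(self) -> None:
        self.rules_by_vm: Dict[str, List[Rule]] = {}

    def add_rule(self, rule: Rule) -> None:
        # "Distribute" the rule to the vNIC of the VM it protects.
        self.rules_by_vm.setdefault(rule.dst, []).append(rule)

    def evaluate(self, flow: Flow) -> str:
        for rule in self.rules_by_vm.get(flow.dst, []):
            if (rule.src in ("any", flow.src)
                    and rule.proto == flow.proto
                    and rule.port == flow.port):
                return rule.action
        return "deny"  # implicit deny: no personal rule, no entry

    def reachable_from(self, compromised_vm: str, probes: List[Flow]) -> Set[str]:
        """Destinations an attacker on `compromised_vm` could open from the probe list."""
        return {f.dst for f in probes
                if f.src == compromised_vm and self.evaluate(f) == "allow"}


def build_demo_firewall() -> DistributedFirewall:
    fw = DistributedFirewall()
    # Published service: anyone may reach web-01 on HTTPS.
    fw.add_rule(Rule("any", "web-01", "tcp", 443))
    # Only web-01 may call the internal application tier.
    fw.add_rule(Rule("web-01", "app-01", "tcp", 8443))
    return fw


# Constructed probe flows an attacker on web-01 might try after a break-in.
PROBES = [
    Flow("web-01", "web-02", "tcp", 22),     # lateral move to the neighbour: no rule
    Flow("web-01", "web-02", "tcp", 443),    # neighbour's HTTPS: still no rule on web-02
    Flow("web-01", "app-01", "tcp", 8443),   # the one permitted path
    Flow("web-01", "app-01", "tcp", 22),     # SSH to the app tier: not permitted
]


def demo() -> Dict[str, object]:
    fw = build_demo_firewall()
    return {
        "external_https": fw.evaluate(Flow("internet", "web-01", "tcp", 443)),
        "lateral_ssh": fw.evaluate(Flow("web-01", "web-02", "tcp", 22)),
        "app_from_web01": fw.evaluate(Flow("web-01", "app-01", "tcp", 8443)),
        "app_from_web02": fw.evaluate(Flow("web-02", "app-01", "tcp", 8443)),
        "reach_from_web01": fw.reachable_from("web-01", PROBES),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Without microsegmentation, all four probe flows would be decided by the perimeter firewall, which has already let the attacker in; here only the single explicit path to app-01 survives, and a compromise of web-02 gains nothing at all.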

Task number 2. In search of speed and convenience

Deploy a virtual machine? Easily! A couple of clicks and you're done. But then a lot of questions arise: how do you get access from this VM to another VM or system? Or from another system back to the VM?

For example, in the bank, after ordering a VM on the cloud portal, the user had to open the technical support portal and submit a request for the required access. An error in the request turned into calls and correspondence to correct the situation. At the same time, a VM can need 10-15-20 accesses, and working through each one took time. Devilish process.

In addition, special care was required to "clean up" the traces left behind by deleted virtual machines. After their removal, thousands of access rules remained on the firewall, loading the equipment. This is both an extra load and a set of security holes.

Rules cannot be managed that way in a cloud. It is inconvenient and unsafe.

To minimize the timing of providing access to VMs and make their management convenient, we have developed a network access management service for VMs.

At the virtual machine level, the user selects the "create access rule" item in the context menu, and then, in the form that opens, specifies the parameters: from where, to where, protocol types, port numbers. After the form is filled out and submitted, the necessary tickets are created automatically in the user technical support system, which is based on HP Service Manager. The tickets go to the people responsible for approving the particular access and, if the access is approved, to the specialists who perform the part of the operations that is not yet automated.

After the stage of the business process with the involvement of specialists has completed, the part of the service that automatically creates rules on firewalls begins.

As a final chord, the user sees a successfully completed request on the portal. This means that the rule has been created and you can work with it - view, change, delete.


Final Benefit Score

In essence, we modernized small aspects of the private cloud's operation, but the bank received a noticeable effect. Users now obtain network access only through the portal, without having to deal with the Service Desk directly. Required form fields, validation of the entered data, pre-configured lists, additional data: all of this helps to form an accurate access request, which is highly likely to be processed rather than sent back by IS employees because of input errors. Virtual machines are no longer black boxes; you can keep working with them by making changes on the portal.

As a result, today the bank's IT specialists have a more convenient tool for obtaining access at their disposal, and only the people without whom the process genuinely cannot proceed are involved in it. In terms of labor costs, this frees at least 1 person from a full daily workload, and saves users dozens of hours. Automating the creation of rules made it possible to implement a micro-segmentation solution that does not place a burden on bank employees.

And finally, the "access rule" became the accounting unit of the cloud. That is, the cloud now stores information about the rules of every VM and cleans them up when a virtual machine is deleted.
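The access-rule workflow described above (form validation, ticket, approval, rule creation, and cleanup when the VM is deleted) modelled end to end, as an added example written for this post; it is not the bank's service and it does not talk to HP Service Manager or NSX-T. The ticket queue and the firewall are in-memory stand-ins, the VM inventory and the requests are constructed, and the specific validation checks (inventory membership, a pre-configured protocol list, a port range, no self-referencing rules) are my assumptions about what "required fields, validation, pre-configured lists" amounts to. What it demonstrates is the accounting-unit idea: because every rule is bound to the VMs it references, deleting a VM removes its rules, and an audit for orphaned rules comes back empty.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional

# Assumed pre-configured protocol list offered by the portal form.
ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp"}


@dataclass(frozen=True)
class AccessRequest:
    src: str      # "from where": VM name or "any"
    dst: str      # "to where": VM name
    proto: str
    port: int     # 0 for icmp


@dataclass
class Ticket:
    id: int
    request: AccessRequest
    status: str = "pending"   # pending -> approved | rejected


@dataclass(frozen=True)
class FirewallRule:
    id: int
    ticket_id: int
    src: str
    dst: str
    proto: str
    port: int


class AccessService:
    """Portal-side service: validates requests, raises tickets, creates rules,
    and treats the rule as the unit of accounting tied to its VMs."""

    def __init__(self, inventory: List[str]) -> None:
        self.inventory = set(inventory)
        self.tickets: Dict[int, Ticket] = {}        # stand-in for the ticketing system
        self.rules: Dict[int, FirewallRule] = {}    # stand-in for the distributed firewall
        self._ticket_ids = count(1)
        self._rule_ids = count(1)

    def validate(self, req: AccessRequest) -> List[str]:
        """Return the list of input errors; an empty list means the form is acceptable."""
        errors = []
        if req.src != "any" and req.src not in self.inventory:
            errors.append(f"unknown source VM {req.src!r}")
        if req.dst not in self.inventory:
            errors.append(f"unknown destination VM {req.dst!r}")
        if req.proto not in ALLOWED_PROTOCOLS:
            errors.append(f"protocol {req.proto!r} not in the configured list")
        if req.proto == "icmp":
            if req.port != 0:
                errors.append("icmp requests must use port 0")
        elif not 1 <= req.port <= 65535:
            errors.append(f"port {req.port} out of range 1-65535")
        if req.src == req.dst:
            errors.append("source and destination are the same VM")
        return errors

    def submit(self, req: AccessRequest) -> Ticket:
        errors = self.validate(req)
        if errors:
            # Caught at the form, not bounced back later by an IS employee.
            raise ValueError("; ".join(errors))
        ticket = Ticket(next(self._ticket_ids), req)
        self.tickets[ticket.id] = ticket
        return ticket

    def decide(self, ticket_id: int, approved: bool) -> Optional[FirewallRule]:
        """Approval step done by people; on approval the rule is created automatically."""
        ticket = self.tickets[ticket_id]
        if ticket.status != "pending":
            raise ValueError(f"ticket {ticket_id} already {ticket.status}")
        if not approved:
            ticket.status = "rejected"
            return None
        ticket.status = "approved"
        r = ticket.request
        rule = FirewallRule(next(self._rule_ids), ticket.id, r.src, r.dst, r.proto, r.port)
        self.rules[rule.id] = rule
        return rule

    def rules_for_vm(self, vm: str) -> List[FirewallRule]:
        return [r for r in self.rules.values() if vm in (r.src, r.dst)]

    def delete_vm(self, vm: str) -> int:
        """Remove the VM and every rule that references it; return the number of rules removed."""
        removed = [r.id for r in self.rules_for_vm(vm)]
        for rule_id in removed:
            del self.rules[rule_id]
        self.inventory.discard(vm)
        return len(removed)

    def orphaned_rules(self) -> List[FirewallRule]:
        """Rules that reference a VM no longer in the inventory (the old 'thousands of leftovers')."""
        return [r for r in self.rules.values()
                if (r.src != "any" and r.src not in self.inventory)
                or r.dst not in self.inventory]


def demo() -> Dict[str, object]:
    svc = AccessService(["web-01", "web-02", "app-01"])
    bad = svc.validate(AccessRequest("web-01", "db-99", "sctp", 70000))
    t1 = svc.submit(AccessRequest("any", "web-01", "tcp", 443))
    t2 = svc.submit(AccessRequest("web-01", "app-01", "tcp", 8443))
    t3 = svc.submit(AccessRequest("web-02", "app-01", "tcp", 22))
    svc.decide(t1.id, True)
    svc.decide(t2.id, True)
    svc.decide(t3.id, False)               # approver rejects SSH into the app tier
    rules_before = len(svc.rules)
    removed = svc.delete_vm("web-01")      # VM gone: its two rules go with it
    return {"errors": bad, "rules_before": rules_before, "removed": removed,
            "rules_after": len(svc.rules), "orphans": len(svc.orphaned_rules())}


if __name__ == "__main__":
    print(demo())
```

The service never lets a rule exist without a ticket behind it, so every firewall entry can be traced back to who asked for it and who approved it; that traceability, together with the cascade on delete, is what turns the rule into a unit the cloud can account for.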

Soon, the advantages of modernization extended to the entire cloud of the bank. Automation of the process of creating VMs and microsegmentation stepped outside the DMZ and captured the rest of the segments. And this increased the security of the cloud as a whole.

The implemented solution is also interesting because it allows the bank to speed up development processes, bringing it closer to the model of IT companies by this criterion. After all, when it comes to mobile applications, portals, client services, any large company today strives to become a “factory” for the production of digital products. In this sense, banks practically play on a par with the strongest IT companies, keeping up with the creation of new applications. And it's good when the capabilities of an IT infrastructure built on the model of a private cloud allow you to allocate the necessary resources for this in a few minutes and as safely as possible.

Authors:
Vyacheslav Medvedev, Head of Cloud Computing, Jet Infosystems
Ilya Kuykin, Leading Engineer, Cloud Computing Department, Jet Infosystems

Source: habr.com
