Our usual posts here focus on practical, hands-on advice for getting the most out of CenturyLink Cloud and the new capabilities we continuously roll out.
But sometimes, it’s helpful to step back and look at the big picture – particularly if your enterprise is managing scores of cloud apps from dozens of vendors.
Many customers we speak with are feeling the pain of this situation. It’s not quite “Shadow IT,” because IT knows what’s happening. But it’s the pain that comes with a lack of focus or cohesion around a much smaller set of strategic vendors.
Does this sound like your situation? If so, have a look at our top six recommendations for advancing your Cloud strategy. The content is foundational, and may be messages you’ve heard before. But it’s a great refresher as your business seeks to further the competitive advantage gained through cloud adoption.
Just about every software engineer has had the experience of onboarding with a new team and spending a day, a week or more getting their development environment situated so they can actually run the application they signed up to work on, start committing code and be productive. Some teams try to improve on this by maintaining a team wiki that documents setup instructions and may even include setup scripts. Unless these are actively maintained and curated, they may cause more harm than help, leading the new developer down dead ends and on wild goose chases.
The best solution is less narrative and more executable documentation. One tool that many developers use to facilitate this and one we use on the infrastructure automation team at CenturyLink Cloud is Vagrant. Vagrant is a tool that makes it easy to share virtual environments across different virtualization platforms and makes destroying and recreating those environments an easily repeatable process. It also provides a mechanism that allows you to code in your native environment while your app runs in a VM.
In my first few months on the CenturyLink Cloud team, I worked on a Windows machine using Hyper-V for virtualization. Now I’m on an Ubuntu desktop using VirtualBox, and we have other team members using VMware Fusion on a Mac. Despite our different platforms, by using Vagrant we can all work off of the same configuration.
In this post I will share how our team configures Vagrant to handle developer VM provisioning. You can download Vagrant from https://www.vagrantup.com/downloads.html and install the latest version if you would like to follow along.
Lightweight and easy to source control
The key artifact of a Vagrant setup is the Vagrantfile. As long as Vagrant is installed, this simple text file is all one needs to share and consume an environment. Here is an excerpt from our Vagrantfile:
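The excerpt itself is not reproduced here, so the following is an added example Vagrantfile of my own, not the CenturyLink Cloud team's file. It shows the two points above: one configuration that brings up the same VM under VirtualBox, VMware Fusion or Hyper-V, and a synced folder so code edited with your native tools runs inside the VM. The box name, the forwarded port and the `bootstrap.sh` provisioner are assumptions for the example.

```ruby
# -*- mode: ruby -*-
# vi: set ft=ruby :
#
# Added example Vagrantfile; it is not the CenturyLink Cloud team's own file.
# Assumptions (not from the post): the "hashicorp/precise64" box, which is
# published in VirtualBox, VMware Fusion and Hyper-V variants; an application
# listening on port 3000 inside the VM; and a bootstrap.sh script in the
# repository root that installs the app's dependencies.

VM_MEMORY_MB = 2048
VM_CPUS      = 2

Vagrant.configure("2") do |config|
  # One box name serves all three providers; Vagrant fetches the variant that
  # matches whichever provider the developer's machine uses.
  config.vm.box      = "hashicorp/precise64"
  config.vm.hostname = "devbox"

  # Forward the app's port so a browser on the host reaches the VM. host_ip
  # pins the forward to loopback so it is not reachable from the developer's
  # LAN.
  config.vm.network "forwarded_port", guest: 3000, host: 3000, host_ip: "127.0.0.1"

  # Code lives on the host (edit it with your usual tools); the VM sees the
  # same files at /vagrant, so what runs is exactly what you commit.
  config.vm.synced_folder ".", "/vagrant"

  # Provisioning is the executable documentation: the same script builds the
  # VM for every team member, so there is no wiki page to drift out of date.
  config.vm.provision "shell", path: "bootstrap.sh"

  # Provider-specific tuning. Only the block for the active provider is used.
  config.vm.provider "virtualbox" do |vb|
    vb.memory = VM_MEMORY_MB
    vb.cpus   = VM_CPUS
  end

  config.vm.provider "vmware_fusion" do |vf|
    vf.vmx["memsize"]  = VM_MEMORY_MB.to_s
    vf.vmx["numvcpus"] = VM_CPUS.to_s
  end

  config.vm.provider "hyperv" do |hv|
    hv.memory = VM_MEMORY_MB
    hv.cpus   = VM_CPUS
  end
end
```

With this file checked in next to the code, `vagrant up` (or `vagrant up --provider=vmware_fusion` / `--provider=hyperv` on those platforms) builds the environment, and `vagrant destroy -f && vagrant up` recreates it from scratch, which is the repeatable destroy-and-recreate cycle the post describes.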
Transparent Corporate Access to the CenturyLink Cloud
Identity and Access Management solutions help enterprise IT integrate multiple systems with existing authentication services. These capabilities play a crucial role in public cloud services, where IT is keen to avoid “shadow IT” and deliver self-service access to resources without compromising important InfoSec policies.
Simplifying this process for our customers via automation is a top priority – that’s why our Control Portal includes APIs and webhooks. We also support SAML for federation, single sign-on (SSO) and multifactor authentication (MFA).
That’s “identity.” So what about “access”?
Today, we released a new permissions model that implements an expanded role-based access control (RBAC) capability. These new features empower administrators to grant more granular access to specific areas of the CenturyLink Cloud Control Portal to users.
We’re rolling out eight roles (below) with varying degrees of access, each specifically designed to align with job functions seen within many enterprises today. The upshot is fine-tuned access control that enables a “least-privilege” approach to enterprise cloud management.
Cloud Access that Looks Like Your Current Access
These roles reflect the most frequently requested levels of access, mapping to distinct personas. They range from full control (Account Administrators), through specialized areas of expertise (Server Administrators, Server Operators, and Network Managers) and specific functional jobs (Billing and DNS Managers), all the way to primarily read-only users (Account Viewers and Security Managers). The last, Account Viewer, is a nice boost in ease of use for users who just need read-only access.
We’ve also introduced the Server Operator role to enable the management of servers only, without the additional access to other related items like Alerts or Autoscale policies and Blueprints. You may find the majority of your users will fall into this category, as we see the vast majority of Control Portal interactions happening through the servers and groups interface.
One more addition worth highlighting: the Network Manager role. This can be used to segregate access to network-specific functionality from other areas of the Control Portal since many organizations have separate workers who only manage the network components.
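To make the least-privilege idea concrete, here is an added Ruby example (my own illustration, not the CenturyLink Cloud Permissions Matrix) that models roles as sets of `area:verb` permissions built from the role descriptions above, with a wildcard for "everything" and "read-only on everything". The exact areas assigned to each role are assumptions. It shows the three things an RBAC check should do: deny by default, combine a user's roles as a union, and let an administrator find the narrowest role that grants a given action.

```ruby
require "set"

# Added example: an illustrative role-to-permission mapping, not CenturyLink
# Cloud's actual Permissions Matrix. Permissions are "area:verb" strings and
# "*" in either position is a wildcard. The areas under each role are assumed
# from the role descriptions in the post.
ROLE_PERMISSIONS = {
  "Account Administrator" => Set["*:*"],
  "Account Viewer"        => Set["*:read"],
  "Server Administrator"  => Set["servers:*", "groups:*", "alerts:*", "autoscale:*", "blueprints:*"],
  "Server Operator"       => Set["servers:*", "groups:*"],   # servers only: no alerts, autoscale or blueprints
  "Network Manager"       => Set["network:*", "servers:read"],
  "Billing Manager"       => Set["billing:*", "servers:read"],
  "DNS Manager"           => Set["dns:*"],
  "Security Manager"      => Set["*:read", "security:*"],
}.freeze

# Catalogue of concrete actions, used only to measure how broad a role is.
AREAS   = %w[servers groups network alerts autoscale blueprints billing dns security].freeze
VERBS   = %w[read write].freeze
CATALOG = AREAS.product(VERBS).map { |area, verb| "#{area}:#{verb}" }.freeze

# Does one granted pattern cover the requested "area:verb"?
def permission_matches?(pattern, action)
  p_area, p_verb = pattern.split(":", 2)
  a_area, a_verb = action.split(":", 2)
  (p_area == "*" || p_area == a_area) && (p_verb == "*" || p_verb == a_verb)
end

# Union of everything the user's roles grant. An unknown role grants nothing
# rather than raising, so a misconfigured assignment fails closed.
def permissions_for(roles)
  roles.reduce(Set.new) { |acc, role| acc | ROLE_PERMISSIONS.fetch(role, Set.new) }
end

# Deny by default: allowed only if some granted pattern matches the action.
def authorized?(roles, action)
  permissions_for(roles).any? { |pattern| permission_matches?(pattern, action) }
end

# How many concrete actions a set of roles can perform.
def breadth(roles)
  CATALOG.count { |action| authorized?(roles, action) }
end

# Least-privilege helper: the single roles that grant an action, narrowest
# first, so an administrator can pick the smallest role that does the job.
def roles_granting(action)
  ROLE_PERMISSIONS.keys
                  .select { |role| authorized?([role], action) }
                  .sort_by { |role| [breadth([role]), role] }
end

if __FILE__ == $PROGRAM_NAME
  puts "Server Operator may write servers? #{authorized?(%w[Server\ Operator], 'servers:write')}"
  puts "Server Operator may edit alerts?   #{authorized?(%w[Server\ Operator], 'alerts:write')}"
  puts "Narrowest roles for servers:write: #{roles_granting('servers:write').inspect}"
end
```

The `roles_granting` ordering is what turns the role list into a least-privilege tool: for an operator who only needs to reboot servers it points at Server Operator, not Server Administrator, and never at Account Administrator unless nothing narrower will do.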
You can find plenty of tips on applying this new set of roles to your organization in our Practical Guide for Using Roles as well as our Roles Migration Guide. We’ve also published a Permissions Matrix and FAQ with all the information you need to get started using roles on CenturyLink Cloud right away. Sign up for an account now and try it out today!
When enterprises make decisions on which cloud services to consider, security is the ultimate “table stakes” capability that any cloud provider must prove. There has been great innovation in the industry to assuage mainstream adopters, but not all cloud service providers are consistent in areas of identity management, network security, data security, threat prevention, and more. Organizations and individuals still need to pay close attention to whether cloud service providers are delivering these five main security features:
- Standards-based integration with identity management providers: Integrated identity has become a key enabler to quickly provision and, more importantly, de-provision access to company resources and data. To facilitate this, the service should have an identity solution for its management tools that quickly and easily integrates with the customer’s existing processes through a standards-based mechanism such as Security Assertion Markup Language (SAML) 2.0, OAuth 2.0 with OpenID Connect, etc. This type of integration also provides complete control over password complexity rules, expiration, and the ability to require various forms of multi-factor authentication. In addition to standards-based integration, the service should also provide an easy-to-use, stand-alone multi-factor authentication (MFA) mechanism for those customers who don’t already have an identity management solution. This encourages the customer to implement strong authentication measures, which can help prevent malicious actors from taking over control of their accounts. CenturyLink Cloud provides SAML integration today, and we are currently evaluating support for other standards as well as an integrated MFA solution for access to the Control Portal.
- Securing Specific API Calls: Today’s cloud providers regularly provide application programming interfaces (APIs) that allow customers to integrate management of their cloud service into third-party management platforms or their own internally built applications. This allows the customer to implement custom workflows or to integrate cloud automation into their existing corporate or customer-facing applications to enhance business agility. While these APIs provide valuable business capabilities for customers, they also introduce an additional attack surface that must be properly protected. Service providers should give customers API authentication mechanisms that are resistant to replay or man-in-the-middle attacks and can be used to provide cryptographic validation of the API messages being sent. These authentication mechanisms should ensure that API commands can only be issued by properly authenticated endpoints, and that each message is authentic and hasn’t been tampered with, using cryptographically sound techniques. The CenturyLink Cloud API uses encrypted transport mechanisms to protect API transactions from compromise. Future enhancements will focus on implementing additional protections to ensure the authenticity and validity of the transactions.
- Multi-tier User Management and Billing: In order to properly meet the needs of complex businesses, the cloud service should provide a flexible account structure that allows easy rollup of billing and usage information at the top level, while enforcing complete segregation of networks and hosts at the sub-account level. The customer should have complete control over which sub-accounts must be completely isolated, even from the parent account, and which sub-accounts are allowed to exchange data freely. This allows the segregation of production and development/QA, or perhaps meets a regulatory requirement that two different business units are prohibited from being able to share data between their systems. The CenturyLink Cloud platform has a well-designed account hierarchy structure to fully deliver on this requirement today.
- Logging and Reporting: The collection of relevant logging from the cloud environment continues to be a stumbling block for some companies in their adoption of cloud-based infrastructure services. At a minimum, the service should provide detailed logging of all management actions performed through the provider’s user interface or through API calls. Access to this logging data should be provided both in the user interface as a reporting function, and in a real-time publish/subscribe method so it can easily be consumed by the customer’s existing log management system. For those customers who don’t already have a well-developed log management and alerting mechanism, it would be ideal for the service to have an integrated add-on capability to perform log management and alerting within the customer’s cloud environment. CenturyLink has rich capabilities around logging and reporting available in the CenturyLink Cloud platform and a variety of add-on services available to meet the logging and reporting needs.
- Patch Management: Generally, service providers will regularly update the templates used to create new machines so they remain relatively current with patches. Once a virtual machine is launched, however, the responsibility to patch the system typically falls to the customer. Cloud environments are not always taken into consideration by the customer’s existing patch management tools, creating an opportunity for attackers. Customers should look for a cloud service provider that offers an easy, integrated option for patch and vulnerability management of the customer environment. This would include regular (monthly) OS and application patching, along with vulnerability scans run at whatever frequency the customer requires, and a dashboard where the customer can view up-to-date statistics on security vulnerabilities while trending the environment over time. Leveraging the Managed Operating System or Managed Application services available on CenturyLink Cloud provides standard patch management services. Additional features around dashboards and vulnerability scans are under consideration for future releases.
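The “Securing Specific API Calls” item asks for request authentication that resists replay and tampering and cryptographically validates each message; the “Logging and Reporting” item asks for every management action to be recorded. The following added Ruby example (my own illustration, not the CenturyLink Cloud API’s scheme or roadmap) shows one widely used design that delivers both: the client signs each request with an HMAC-SHA256 over the method, path, timestamp, nonce and body hash, and the server rejects stale timestamps, reused nonces and any signature mismatch, writing a structured audit record for each decision. The header names, the 300-second window and the shared-secret provisioning are assumptions; TLS on the wire is assumed as well, since the signature proves who sent the message but does not hide the secret from anyone who could otherwise read the channel.

```ruby
require "openssl"
require "digest"
require "securerandom"
require "set"

# Added example, not the CenturyLink Cloud API's actual mechanism.
# Assumptions: each API key has a secret provisioned out of band; requests
# travel over TLS; client and server clocks are within REPLAY_WINDOW_SECONDS.
REPLAY_WINDOW_SECONDS = 300

# The canonical string both sides sign. Client and server must build it
# byte-for-byte identically; any ambiguity here is a forgery opportunity.
def canonical_string(method, path, timestamp, nonce, body)
  [method.upcase, path, timestamp.to_s, nonce, Digest::SHA256.hexdigest(body)].join("\n")
end

# Client side: produce the authentication headers for one request.
def sign_request(secret, method, path, body, timestamp: Time.now.to_i, nonce: SecureRandom.hex(16))
  mac = OpenSSL::HMAC.hexdigest("SHA256", secret, canonical_string(method, path, timestamp, nonce, body))
  { "X-Timestamp" => timestamp.to_s, "X-Nonce" => nonce, "X-Signature" => mac }
end

# Constant-time equality so the comparison does not leak how many leading
# bytes of the signature were correct.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side. Remembers recently seen nonces; in a real deployment that set
# lives in a shared store with entries expiring after the replay window.
class RequestVerifier
  attr_reader :audit_log

  def initialize(secret, now: -> { Time.now.to_i })
    @secret      = secret
    @now         = now            # injectable clock, handy for tests
    @seen_nonces = Set.new
    @audit_log   = []             # structured records a log pipeline can consume
  end

  # Returns :ok or a symbol naming the first check that failed. Every call,
  # accepted or not, is recorded so the customer's log management can see it.
  def verify(method, path, headers, body)
    result = check(method, path, headers, body)
    @audit_log << { at: @now.call, method: method, path: path,
                    nonce: headers["X-Nonce"], result: result }
    result
  end

  private

  def check(method, path, headers, body)
    ts, nonce, sig = headers.values_at("X-Timestamp", "X-Nonce", "X-Signature")
    return :missing_headers if [ts, nonce, sig].any?(&:nil?)
    return :stale_timestamp if (@now.call - ts.to_i).abs > REPLAY_WINDOW_SECONDS

    expected = OpenSSL::HMAC.hexdigest("SHA256", @secret,
                                       canonical_string(method, path, ts, nonce, body))
    return :bad_signature unless secure_equal?(sig, expected)

    # Nonce check runs after the signature check so that an unauthenticated
    # caller cannot consume nonces on behalf of a legitimate client.
    return :replayed_nonce unless @seen_nonces.add?(nonce)
    :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  secret   = "constructed-demo-secret"        # constructed for the demo
  verifier = RequestVerifier.new(secret)
  body     = '{"name":"web01","cpu":2}'       # constructed request body
  headers  = sign_request(secret, "POST", "/v2/servers", body)
  puts "first send:  #{verifier.verify('POST', '/v2/servers', headers, body)}"
  puts "replayed:    #{verifier.verify('POST', '/v2/servers', headers, body)}"
  puts "tampered:    #{verifier.verify('POST', '/v2/servers', headers, body.sub('2}', '32}'))}"
  verifier.audit_log.each { |rec| puts rec.inspect }
end
```

Two design points are worth calling out. The body is bound into the signature through its hash, so a man-in-the-middle who alters a `cpu` value invalidates the signature even though it never sees the secret. And the checks are ordered cheapest-and-safest first: a stale timestamp is rejected before any HMAC is computed, and the nonce set is only updated for requests that already carry a valid signature.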
Security will remain an important consideration for any cloud deployment. As you look to your next deployment, partner with your cloud vendor to discuss whether they have a robust, comprehensive security plan that addresses traditional concerns as well as modern attacks.
The CenturyLink Cloud Platform Team recently spent two weeks together in the city of St George in Southwest Utah. In what’s become an annual event, the team—including developers, testers, product managers and design—stayed in the “Hack House” to work on our Cloud Platform, as well as get to know each other outside the confines of our beautiful new office. By spending the time to connect with each other, we build trust and empathy, which enables us to interact and collaborate at a higher level. We’re firm believers that if you actually like your coworkers, you’ll be happier and do better work because of it. The Hack House is a great way to forge this bond.
At the top of Angel’s Landing
However, just because we went away to sunny and dry Southwest Utah doesn’t mean we spent the whole time hiking in Zion National Park. The focus of the development iteration centered on new role-based access controls and feature flags for individual data centers, which will be released tomorrow. Still, during down time everyone took advantage of what the area had to offer, from hiking, photography, and mountain biking, to fixing that bug that always bothered you but you never had time for (while hanging out by the pool).
A little more relaxed than usual during standup
Working late outside by the fire
A well fed team is a happy team
Overall, the hack house was a success. We delivered new features to the cloud platform, had fun hanging out with each other, and everyone made it back home safely. In fact, it was such a success that next year we’ll be doing two separate hack houses, one in Spring and another in late Summer. By the way, we’re hiring.
The Narrows in Zion National Park
Wading up the Virgin River
A few of us like to take photos
Ade, shredding the JEM trail
Feeding 15 people for two weeks requires a lot of trips to the grocery store and some careful planning for scale. We’re fortunate to have some great chefs and bakers on the team, who prepped and cooked every day so that we could break bread together. Special thanks to them!