MSP

The objective of Patch Management is to keep various systems within the network up to date and secure the systems from various kinds of cyber-attacks. Patch Management is the method of installing and managing the latest patches or code changes to fix security vulnerabilities on various systems within a network.

In this blog, lets deep dive into the advantage of AWS Next Generation automated patching over the Traditional Patch management.

Traditional Patch Management

Patch management is critical to the security of computers on a network. But patching is not a one-time process. The security team/ Subject Matter Expert (SME) within any organizations had to create a scheduled scan that will routinely check for missing patches, so that the team/SME can keep the computers on the network up to date.
For example, let’s get back to the good olden days on how Microsoft updates were applied to the systems using WSUS server. The team/SME had to perform a scan to find out which updates are missing from which computers. Each time there is a plan for deploying updates, the team/ SME will have to perform a new scan. Microsoft introduced WSUS server for patch management. The prerequisites were a server running Windows Server 2003 SP1 or greater, IIS 6.0 or greater, .NET 2.0 framework, and Report Viewer 2008 Redistributable 2008. Also, a dedicated team for patch management.
Demerits of Traditional Patch Management:

1. Manual Process
2. A dedicated resource/team to keep track of patches, schedule scans and updates
3. Possibility of human errors (miss out some critical security updates)
4. Decision on the patches to install and which one to ignore and what the optimum order of installation should be
5. Testing of patches before implementation requires a testing environment with spare hardware, software and SME ready adds to additional cost
   As the organizations IT Head wish is to have seamless patch management. The businesses are currently moving towards the transformation journey for continuous delivery, AWS adds incredible value towards on-demand infrastructure resources and tools to empower the Devops practices.

AWS Next Gen Patching using Systems Manager

The automated enterprise patch management tools carry out the patching process by deploying or installing agents on target instances (Windows/Linux). These agents provide a connection between the centralized patch server and the computers to be patched. With AWS System Manager, the business can install and configure the SSM agent that can update, manage, and configure the AWS resources. By using the customized SSM document (part of DevOps) Cloud Comrade can ease the intricacy for the security team by running the patch baselines in the multi accounts and multi regions.

AWS Systems Manager key features:

• Automatic deployment of operating system and software patches.
• View resource groups recent API activity, resource configuration changes, related notifications, operational alerts, software inventory, and patch compliance status.
• Centralized location where operations engineers and IT professionals can view, investigate, and resolve operational issues related to the resources and to have complete control over operations.
• Customizable key insights dashboard, providing key insights and analysis into the operational health and performance of your AWS environment.
• Secure remote management of instances at scale without logging into servers, replacing the need for bastion hosts, SSH, or remote PowerShell.
• Using session manager, the business can control which users can access each instance, including the option to provide non-root access to specified users.
• Option for auto-approve select categories of patches to be installed.
• Maintenance window for patching.
• With Systems Manager, the business can control configuration details such as server configurations, anti-virus definitions, firewall settings, and more.

In Cloud Comrade, we have strong expertise in centralized multi account and region patching using customized Systems Manager document. Connect with us to know more about AWS Next Gen Automation.

In this Cloud Computing world, organizations of all sizes continue to focus on eliminating the need for monotonous tasks and improving processes. However, many organizations still rely on using high valued resources to perform manual tasks. Not only is this a waste of time and money, but it is highly inefficient and will lead to human errors.

Traditional way of AMI:

• Manually create an AMI from the instance.
• Launch the instance for security patching and install required software’s
• Manually share the AMI to other accounts

Currently, many organizations are moving into cloud computing to scale up their business. They spin up more workloads to Amazon Web Services (AWS). But how does the team ensure when a new VM is provisioned: can be scalable, in a reliable manner, error free, with no vulnerabilities.

A golden AMI is an AMI that can be standardized through configuration, consistent security patching, and hardening. It also contains agents to approve for logging, security, and performance monitoring.

AMIs use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM). The main differences between PV and HVM AMIs are the way in which they boot and whether they can take advantage of special hardware extensions for better performance. Windows AMIs are HVM AMIs.

The old saying goes: if you are doing something more than a couple of times, automate it.

Golden AMI Pipeline

This blog is about building a secured, approved Golden AMI image for providing a reliable, scalable, and approved application stack factory that increases innovation swiftness, reduces effort, and increases the confidence of Securiy team to ensure that the teams are compliant.

Automated Golden AMI Pipeline Process Flow

AMI Factory Pipeline:

1. Step 1 (optional): Subscribe to the AWS marketplace product you want to distribute 
2. Step 2: Create a cross-account role in the child account
3. Step 3: Set up the golden AMI pipeline environment
4. Step 4 (optional): Set up a compliance check in the child account(s) 
5. Step 5: Create a golden AMI
6. Step 6: Approve the golden AMI
7. Step 7: Review  the golden AMI metadata
8. Step 8 (optional): Manually trigger continuous vulnerability assessment of golden AMIs 
9. Step 9: Distribute the golden AMI to child account
10. Step 10: Decommission the golden AMI

Once you have shared the base golden AMI with development teams, they can consume the latest golden AMI in the simplest way possible, often through automation. They can customize the OS specific golden AMIs with the required software components, but also ensure that the AMIs continue to meet the organization’s requirements. 

The development teams can repeat the above process. Each team within the business can use the golden OS AMI shared by the Security team and can add their own software and produce a new golden AMI that is secured, scanned, distributed, and consumed as necessary.   

To assess different features of the golden AMI pipeline:

1. Create golden AMI and then distribute the same to a child account.
2. Manually perform a continuous vulnerability assessment of the active golden AMI.
3. Deploy an instance of a golden AMI in a governed manner.
4. Finally, decommission the golden AMI.

Cloud Comrade’s expertise in Automation can help businesses in setting up a consistent template model, which ensures consistency, secured, scalable, and reliable Golden Image pipeline.

With traditional deployment, new versions of an application are released using various tools to pull the code from a repository and push it to a production server. Once the code has been pushed, each application process is restarted manually. While this process works, it is by no means an easy process to switch from running in the development environment to the production environment.

There are various issues with this traditional deployment process, for example different environments (development work and production server), application configuration management, and replication of an application environment.

Every software deployment involves processes and practices for successful execution & deployment of the deployment. The complications also increase in an exponential manner based on the project size. The organization should build an automated pipeline to develop, test, and release the software in a manner so that the release is done in an incremental manner thereby having minimal or no impact to the project deployment.

With CI/CD pipeline, it helps the organizations automate steps in your software delivery process, such as initiating code builds, running automated tests, and deploying to a staging or production environment. Some of the benefits of CI/CD Pipeline are cost effective, easy to make real time decision, early bug recognition remove manual errors, provide standardized development feedback loops and enable fast product iterations.

In this below diagram, lets have a look at how automated AWS Code pipeline with Code Commit, Code Build and Code Deploy integrated with AWS Landing Zone for “maker” and “approver” process along with creation of workload application account using Account Vending Machine from child member account.

Code Commit is to securely store the source codes to make easier for the teams to collaborate on code in a secure and highly scalable ecosystem. CodeBuild compiles your source code, runs unit tests, and produces artifacts that are ready to deploy. CodeBuild eliminates the need to provision, manage, and scale your own build servers. S3 bucket for artifacts is also setup with the first AWS CodeCommit repository and shared across all other AWS CodeCommit and AWS CodePipeline resources. For the AWS CodeCommit, CodePipeline, and CodeBuild it’s a best practice to use CloudFormation templates that allow organizations to automate the creation of accounts and resources.

With strong expertise in Automation, Cloud Comrade has proven examples offering their clients an Automated Account Creation with AWS Service Catalog and Cloud Development Toolkit to enhance the organization’s current Landing Zone. 

The Cloud era has brought a perilous challenge of managing application secrets, encryption, and access to any resource in the Cloud. Securing and rotating secrets regularly and properly, both in the Cloud and on-premise, can have a significant challenge.

As part of traditional method, we love keeping configurations in text files, we store the database credentials or sensitive data, for example securing remote login stored in the ~/.ssh/ directory, the private key might commonly be found in a file called id_rsa, and the public key might be in a file called id_rsa.pub..Then commit, push and everything goes to the code repo.

The traditional concept has its own flaws like changing the passwords, human errors like creating a public repo, publicly available code repo etc.

Amazon Web Service’s Secrets Manager makes it effortless for organizations to store and retrieve the secrets using an API and Command Line Interface.

What is AWS Secrets Manager

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

API keys and secrets are difficult to handle safely, and probably something we avoid thinking about.

Benefits of AWS Secrets Manager

• Rotate secrets safely
• Manage access with fine-grained policies
• Secure and audit secrets centrally
• Pay as you go

When CI/CD pipelines moved to the public cloud, credential management did not evolve with them. AWS Secrets Manager is a comprehensive solution for secure secret storage. The organizations can define a secret just once for your whole AWS account, then we give our consumers permission to use the secrets.

Steps:

1. The database administrator creates a set of credentials on the Personnel database to use with an application called MyCustomApp(sample application created in my training account). The administrator also configures those credentials with the required permissions to access the Personnel database. 
2. The database administrator stores the credentials as a secret in Secrets Manager named MyCustomAppCreds. Secrets Manager encrypts and stores the credentials within the secret as the protected secret text. 
3. When MyCustomApp needs to access the database, the application queries Secrets Manager for the secret named MyCustomAppCreds. 
4. Secrets Manager retrieves the secret, decrypts the protected secret text, and returns it to the client application over a secureHTTPS with TLS channel. 
5. The client application parses the credentials, connection string, and any other required information from the response and then uses the information to access the database server. 

Kindly note that Secrets Manager can natively rotate credentials for supported AWS databases without requiring additional programming. However, if organizations wants to rotate the secrets for other databases or services,  Cloud Comrade has the expertise in creating custom Lambda function to define how Secrets Manager interacts with the database or service.

How to Centralize The Rotation of RDS Key Using Automation

In this example the RDS credentials on Workload Application Account will be stored in Shared Services Account (Landing Zone). The credentials will be rotated periodically.   

How to Centralize The Rotation of API Key Credentials Using Automation

In this example the API Key credentials from Application Workload Account will be stored in the Shared Services Account (Landing Zone). The credentials will be rotated periodically.   

Secrets Manager lets us manage a secret entry (name and metadata) separately from its value, and it integrates with other AWS services that we already use:

• Secret entry management: Manual (Web console, AWS CLI) or with an infrastructure management tool (Terraform, CloudFormation etc.)
• Secret value management: Manual (Web console, AWS CLI) or automatic (secret rotation Lambda function).
• Access control: AWS IAM policies (for both applications and human operators).
• Secret encryption: Amazon KMS automatically encrypts the secret value. Use either the account’s default KMS key, or a customer-managed KMS key.
• Auditing: AWS CloudTrail and CloudWatch Events.

Cloud Comrade has strong expertise in automating AWS Secrets Manager and allows you to consolidate the secrets into one place, and use them securely from Jenkins.

For the organizations to stay competitive in today’s technology world, have to think of ways to keep their infrastructure automated, highly available, flexible, reproducible, scalable for high productivity and reliability.

In this blog, we will see how the AWS powered NextGen Infrastructure as a code(IaC) helps us to achieve organizations objective compared to the traditional infrastructure as code (IaC).

Traditional Infrastructure as code:

The traditional IaC is to enable and manage the data centers, storage, networking manually. The respective admin will set up the disk, install operating systems and applications. The period required before the launch could be days or weeks. Not only it is time-consuming, but it consumes a big chunk of the workforce plus the higher cost. Imagine of hardware failure, the time required to wait for the manufacturer production, ship, and delivery. What if the hardware malfunctions after all the waiting period. Again the business had to wait for the subject matter expert to handle the situation.

NextGen Infrastructure as code:

With AWS powered DevOps Infrastructure as a code (IaC), we can automate the entire infrastructure setup. How easy does it sound? Simply put, IaC is to manage and provision the infrastructure through the code which pushes into the operational environment. The whole process flow of the development and test can deal with the complexity of the hybrid IT platform. With the NextGen Infrastructure as Code, the MSP can automate, reproduce the systems, and self-document the entire infrastructure. How easy will it be for anyone in the team, different teams, and the developers?

With the traditional IaC, flexibility, elasticity, scalability, reproducibility was a dream for the stakeholders. With the principles of NextGen IaC and AWS DevOps,  it makes it easier for collaboration and automation. It has become easier to build custom templates, configure repeatable changes, deploy as a single service or as a group. We can automate the scaling resources based on the traffic.  

The critical aspect of infrastructure is disaster recovery and backup. The traditional backup runs on fixed time intervals. Imagine, if there is a failure or network latency, it could lead to data loss that could affect the productivity and reliability of the organization. Cloud Computing has made it so simple and flexible for organizations to enhance data protection, easy deployment, and cost efficiency.

With the right back up strategy and predefined templates,  we can implement cross region backups and recovery through automation. Using reliable AWS services like S3 and Direct Connect we can sync the backup solutions at defined regular intervals. For Business Continuity Planning/Disaster Recovery (BCP/DR), we can implement CloudFormation templates for ease of use to make a highly reliable, available, and scalable or upgradeable AWS infrastructure.

It was those old days where were no complex applications, and the servers used to run in the most okay conditions. In this current world, as the technology grows along with the complexity, and the expectation from customers are growing as well. They are looking for one stop automated solution for business as usual.

After the break/fix model became impracticable for business-as-usual, we saw the rise of Managed Services Providers. The objective of the MSP is to increase the productivity of organizations with minimal operating costs.

Then, it was a huge success. All the customers were looking for MSP whom they can rely upon for their entire infrastructure solutions. As days pass by, the complexity of the applications and infrastructure are continuously changing,  and the expectations from the customers as well.

Let’s have a look at Traditional MSP – Manual

• Monitoring, Management, and Security
• Storage, Warehouse Management
• Backup and recovery
• Authentication
• Streamlining the Systems/ Applications
• Reports

Traditional MSP was a manual process, and also the primary concern for clients. The business wanted to have automated systems that can automatically scale up/down, and balance the load with business as usual. As there was an increasing number of customers looking for transparent and automated business technology services, DevOps focused AWS NextGen MSP’s offers enterprises build and deliver applications on AWS.

AWS powered DevOps offers an efficient workflow, that helps businesses automate day to day activities and provide full-lifecycle services to run, and support customers applications and infrastructure. The AWS powered advanced monitoring services which have predictive analysis plus the continuous monitoring, and anomaly detection helps the business to analyze the current facts and predict the future events that the organizations can take proactive measures to increase their productivity and efficiency.  The AWS management reporting helps the business to make data-driven decisions for business performance.

AWS powered DevOps brings remote individuals and in-house teams together and ensures that they are in sync with each other. DevOps focused AWS NextGen MSP help enterprises find the ideal solutions and infrastructure that is cost-effective. It provides efficient business outcomes by continuously assessing and monitoring systems to optimize performance.

Let’s have a look at NextGen MSP – Automated

• Cloud delivery
• Security and daily operations
• 24/7X 365 days IT support
• Backup and recovery
• Access management
• High security
• Compliance
• Advanced continuous monitoring and report management

As a Managed Service Provider (MSP) in the AWS environment, Cloud Comrade is committed to building a sustainable automated business powered by AWS, that will continue to support and grow with our clients on the Cloud.

Operating a business across multiple environments is challenging enough. Organizations transforming in to digitalization are often surprised by the high costs of their Traditional MSP services and struggle to manage frameworks and governance across the organization. Does any of the above situations apply to your business?

We have an answer; Cloud Comrade is passionate and driven by automated DevOps NextGen AWS Managed Services to ensure Companies productivity gained are by automating their security, infrastructure, software development, and rollout to achieve critical mass in a short turn around time.

For example, let’s talk about the Traditional MSP who does lift and shit, installation, maintenance, network security monitoring, remote and onsite support. Some of the processes are reactive, and in the long run, it’s not sustainable for business operations. Some of the organizations lack technical expertise, so they have to rely more on the traditional MSP’s which wouldn’t be a cost-effective plus proactive method of running the business.

As the complexity of systems increases, the customers are looking for more than just an MSP. The customers are looking for strategic partners who instead of using traditional tools and processes, can automate and proactively provide various solutions for higher-performance computing. With AWS powered DevOps methodologies, we can develop the AWS Security Framework to maintain security and data protection in the cloud. The framework includes security strategy, risk, compliance, governance, security assessments, incident response, and automate threat hunting.

The security analytics and reporting presented by the AWS management reporting is for proactively prioritize and take measures to handle the threat.

The new breed of AWS NextGen Managed Service Provider’s is redefining the Traditional MSP business model and the go-to-market strategies. When compared to the Traditional framework, the AWS NextGen DevOps Transformation framework assesses the organization’s current capability and provides a structured approach to a DevOps transition. With AWS Powered NextGen MSP, the organizations can install Amazon Lex – Build Conversation Bots as a communication medium through B2B/ B2C portals. This build conversation bots are adaptable and can be customized based on the requests from the customers.

Machine Learning (ML) and Artificial Intelligence(AI) are two hot catchphrases in the technology arena. ML is the subset of AI, based on the idea of providing data to machines and let them learn for themselves.

With the AWS powered ML and AI, the NextGen MSP can provide scalable infrastructure,  and deploy solutions through machine learning platforms for seamless deployment and consolidated billing.  The ML and AI positioned Enterprise Architecture for the businesses, provides faster analytics, decision making, more interaction between technology and business, reliability, and leverage for creative inexistence services.

We have frameworks for launching Infrastructure, Software, Network, and Applications. The Open Group Architecture Framework is all about the delivery part. Let’s look at the importance of Enterprise Architecture and the comparison between Traditional and NextGen Open Group Architecture.

Enterprise Architecture methodology is critical to align the concerns between IT and Business. Enterprise Architecture is the core behind any organizations productivity, agility, service, growth in revenue and cost efficiency.

The Traditional Enterprise Architecture rely upon one operating model and emphasis interdependency. For an enterprise, there will be a mix of multiple frameworks which is a long term commitment with continuous improvement.

The NextGen Enterprise Architecture methodology is a pluggable architecture comprising of dynamic compute resources, common storage platform, flexible programming, real-time support, and managing deployment. The NextGen Architecture model is a business focused model that combines both enterprise architecture and business architecture, business process management, and decision management.

The core features of NextGen Architecture is Instant customization of Network parser, application of complex rules to live network traffic, unlimited scalability and captures everything in the infrastructure, threat feeds and API

The NextGen Architecture is to communicate in real time, for that 90% of the running applications, software and servers have to be automated completely. It empowers the businesses to have a high level of flexibility, activity monitoring and actionable insights on the cost utilization. It integrates and automates solutions that enable users to plug and play experience.

The AWS powered billing and cost management ensures you pay for what you use. The AWS provides features to monitor the usage, along with the pricing calculator which could be utilized to create price estimates. The AWS has a very transparent pricing model which helps the businesses to allocate the respective budget for cloud computing.