Category: Technology

Tech Leader Summit and ArchConf 2019

Before we start the actual post, today is the blog’s 1st birthday! <3 (Our first post.) Thanks to anyone who has been reading, or anyone who will read in the future. We blog because we love it, and we appreciate…well, everything related to it.


Last month, we spoke at Tech Leader Summit and ArchConf, which are conferences from the No Fluff Just Stuff tour. We also spoke this summer at UberConf, which is on the same tour. We had an AMAZING time, and we wanted to record and share some of it for posterity.

Read More

Master Data Management Rant

Foreword by Laine:

If you'll recall our post entitled Go: a Grumpy Old Developer's Review, you might remember that sometimes Josh goes on legitimately amazing rants about technology and architecture. HERE IS ONE, YOU ARE ALL WELCOME.


What is Master Data Management?

"Master data management (MDM) is a method used to define and manage the critical data of an organization to provide, with data integration, a single point of reference."

In other words, MDM tries to create a standard database schema loaded with uniform, processed, “cleaned” data. The data is easy to query, analyze, and use for all application operations. Sounds great!

Most businesses have a lot of data – and if they could access that data accurately, reliably, and rapidly, it would give them a lot of insight into what their world looks like and how it's changing. They could unify their understanding of themselves, their customers, and their partners, and become more agile (agile as in, "able to change directions quickly in response to changing conditions," not Agile as in the development methodology).

MDM is sold as a silver bullet that will enable this master view of data, this easy querying, and this agility. But I haven’t seen that actually happen very often.

MDM Kills Agility

MDM is a tool of consistency – and consistency forces things to exist in specific ways. The real problem becomes clear when you consider that a business's data is like the business's mind. Imagine if your mind could no longer consider something to be valid input unless it had seen it before – as in, you could understand when you found a new variety of orange, but if you had never seen a starfruit before, you literally could not comprehend it. As one of my colleagues said,

“Building a gold data model is like nailing jello to a tree.”

MDM, in its traditional, monolithic definition, kills agility. Basically, it's building a perfect utopia in which all changes have to be agreed on by everyone, and no one can move in until it's perfect, and then no one can ever change again. Our job as technologists is not to stagnate – it's to "deliver business value at the speed of business" (GitLab). Businesses need to move fast, and to do that they must be able to adapt – and if IT systems don't adapt, then IT systems slow the business down.

I've come across multi-year MDM projects full of ETL and data standardization meetings – and the business is finding data points that matter faster than they can be standardized. An MDM initiative that can't move as fast as every other part of the business just slows it down, eats resources, and eventually dies a dusty death of forgottenness.

A Possible Solution: Jump-Start with a Purchased Model!

Vendors will often sell a partial model of a business's data that can supposedly be adopted more rapidly – typically "industry-standard" data – with claims that this will speed time to market for an MDM system. But it doesn't.

Every organization sees the world slightly differently. This is a good thing. Individual divisions and teams within each organization will also each see the world differently. These different views mean different schemas.

Trying to fit everyone into one data model is like trying to make everyone speak exactly the same English, with no slang, no variations in tone or phrasing, and definitely no new words, connections, or ideas.

The perspective of a business, or any group, changes as the group learns and grows. Locking yourself into an old perception, or attempting to standardize via a process that takes years, is intentionally slowing down your business’s rate of adaptation and growth.

Also, it sets you up for years of arguments between teams about whose view of the data – and by extension the world – is correct.

A Recommendation: Agility in Data Access Models, Not Data Storage Models

The need to have some kind of standardization so that a business's data is useful is real. What we have seen work is more of a blended approach: spend 20% of the effort on making the data sane, and 80% of the effort on providing clear, accurate, scalable data access via APIs, in-memory databases, and occasionally Operational Data Stores (ODS). You can click on the links to learn more about each of those tools/approaches, but the basic idea is to leave the data where it is, in the format that makes sense for the team in charge of it, but provide access and views that make the data usable.

Leave the data where it is, in the format that makes sense for the team in charge of it, but provide access and views that make the data usable.

Microservices with versioned APIs, backed by legacy databases, implemented via request/response or pub/sub application communication models, are the easiest applications EVAR. It's simple to spin them up and scale them using containers and OpenShift. Using this approach, you can provide multiple views of the data, and add more as new connections and ways of thinking appear.
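
To make that concrete, here's a rough sketch (in Python, with Flask and SQLAlchemy) of what a small, versioned, read-only access API over a legacy database might look like. The table, column, and connection names are made up for illustration – the point is that the legacy schema stays put and the API exposes a versioned view of it.

```python
# Minimal sketch: a versioned, read-only view over a legacy database.
# Table/column names and the connection string are hypothetical.
from flask import Flask, jsonify
from sqlalchemy import create_engine, text

app = Flask(__name__)
engine = create_engine("postgresql://user:pass@legacy-db/sales")  # legacy system of record

@app.route("/api/v1/customers/<customer_id>")
def get_customer_v1(customer_id):
    # v1 exposes the fields consumers asked for, named the way *they* think
    # about them, without forcing the legacy schema to change.
    with engine.connect() as conn:
        row = conn.execute(
            text("SELECT cust_nm, cust_region FROM legacy_customers WHERE cust_id = :id"),
            {"id": customer_id},
        ).fetchone()
    if row is None:
        return jsonify({"error": "not found"}), 404
    return jsonify({"name": row.cust_nm, "region": row.cust_region})

# When a different team needs a different view of the data, add /api/v2/...
# alongside v1 instead of convening a year of schema meetings.
```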

If you need to do your own analytics or heavy-duty data processing/lifting, you can use a temporary or semi-permanent (but not the source of truth) data store such as an in-memory database or an ODS. Again, these are faster to set up and, more importantly, faster to change than a legacy system of record, and they provide a nice balance between the speed of APIs and the performance of an enterprise database.
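
And for the "temporary, not-the-source-of-truth" store, here's a rough sketch of the idea – Redis purely as an example of an in-memory database, and the table and key names made up. A scheduled job projects an aggregate into the fast store so analytics queries never hammer the system of record; if the projection is ever lost, you just rebuild it.

```python
# Sketch: project data into a disposable in-memory read model (Redis here,
# purely as an example) so analytics don't hammer the system of record.
import redis
from sqlalchemy import create_engine, text

engine = create_engine("postgresql://user:pass@legacy-db/sales")  # system of record
cache = redis.Redis(host="localhost", port=6379)                   # disposable read model

def refresh_revenue_by_region():
    """Re-run on a schedule; if the projection is lost, just rebuild it."""
    with engine.connect() as conn:
        rows = conn.execute(
            text("SELECT region, SUM(total) AS revenue FROM orders GROUP BY region")
        )
        for row in rows:
            cache.hset("revenue_by_region", row.region, float(row.revenue))
    cache.expire("revenue_by_region", 3600)  # stale data ages out on its own

def revenue_for(region):
    value = cache.hget("revenue_by_region", region)
    return float(value) if value is not None else None
```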

Conclusion: MDMs Generally Suck (Relative to Alternatives)

I would love to be wrong. I’d love to hear some new innovation that makes MDM make sense. But I’ve seen too many MDM initiatives rust out and die, and I’ve seen way too many API projects succeed wildly.

Don’t MDM, API.

OpenShift 4 Migration: A sample path

The Problem

Moving stuff between Kubernetes clusters can be a pain in the butt. You have to do this when:

  • Migrating between container platforms, such as EKS -> AKS
  • Upgrading clusters when you want to upgrade in parallel (move everything from old to new) as opposed to upgrading in-place (update one cluster from old to new). This would be something like what we’ll talk about in a minute, going from OpenShift 3.x to OpenShift 4.x
  • Moving work/applications between clusters, e.g. two clusters in different datacenters

Migrating work between clusters requires some thought and planning, and good solid processes. Specifically, the migration from OpenShift 3.x to OpenShift 4.x requires a parallel upgrade, because there is no in-place upgrade available for all of the new goodies in RHEL CoreOS (the underlying infrastructure of the cluster). OpenShift 4.2 was released recently, so we thought it would be good timing to put our migration thoughts down here. However, the advice below is generally good for any Kubernetes cluster parallel upgrade or other migration.

Read More

Kubernetes/OpenShift Resource Protection with Limit Ranges and Resource Quotas

One of the most crucial metrics of success for an enterprise application platform is whether the platform can protect: a) the applications running on it, and b) itself (and its underlying infrastructure). All threats to an application platform eventually come from something within that platform – an application can be hacked, and then it attacks other applications; or there could be a privilege escalation attack going after the underlying host infrastructure; or an application can accidentally hoard platform resources, choking out other apps from being able to run.
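
As a taste of the resource-hoarding piece: Kubernetes and OpenShift let you cap what a single project can claim with a ResourceQuota. Here's a minimal sketch using the Kubernetes Python client – the namespace name and the limits are illustrative, not recommendations.

```python
# Sketch: cap what a single project/namespace can consume so one app can't
# hoard the cluster. Namespace name and limits are illustrative only.
from kubernetes import client, config

config.load_kube_config()  # or config.load_incluster_config() inside the cluster
core = client.CoreV1Api()

quota = client.V1ResourceQuota(
    metadata=client.V1ObjectMeta(name="team-a-quota"),
    spec=client.V1ResourceQuotaSpec(
        hard={
            "requests.cpu": "4",       # total CPU the namespace may request
            "requests.memory": "8Gi",  # total memory the namespace may request
            "pods": "20",              # cap on pod count
        }
    ),
)
core.create_namespaced_resource_quota(namespace="team-a", body=quota)
```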

Read More

Building Alliances – or, Why Security is Awesome

Time to Go Fast

We work with a lot of people who are implementing Continuous Delivery. We see that when various bumps and boulders get out of the way of delivering software stably and rapidly, there's a strong push to go very very fast. When this happens, there are often barricades put up in the name of security – because traditionally speed and security have been considered enemies. Traditional enterprise IT security would say you can't possibly go fast in a safe way…

Read More

Applications are Gold

We’ve talked previously about how developers drive organizational success: they deliver the applications by which companies deliver their competitive advantages. Because they are a way for companies to deliver products to customers, those delivered applications are critically valuable. Application development is a lot like extracting gold – it creates value out of raw resources.

Application development is a lot like extracting gold – it creates value out of raw resources.

Gold, like any wealth, needs some amount of protection.

Read More

What Happened at Capital One?

There have been many words written about the Capital One breach – but a lot of them didn't explain what actually happened. We care a lot about security in general, and cloud security specifically, so Josh set out to find some words that did explain what happened:

The Krebs article might be the best for this. However, as far as we could tell, no one’s tackled it from a “what can enterprises learn from this?” standpoint, and…that’s what we really care about.

TL;DR: The Event

A hacker named Erratic, who was a former AWS employee, took the following actions:

  1. Owned the Web Application Firewall (WAF) on Capital One's Amazon Web Services (AWS) Virtual Private Cloud (VPC)
  2. Used the credentials of the WAF to connect to other AWS resources in the VPC, including their storage objects (S3 Object Stores)
  3. Synced (copied) the object store to her own storage

“With this one trick, you can get 100M Credit Card Numbers! The secret THEY don’t want you to know!”
– Best ClickBait Ad Ever

ELI5: The Event

So…there’s a lot about the mechanics of this that’s unclear. But we can explain what seems to be widely accepted as fact. First, some definitions:

  • A Web Application Firewall (WAF) is basically an entry point into a system – it isn't meant to be used as an entry point, though; it's meant to be a layer of defense.
  • AWS is Amazon’s public cloud.
  • A Virtual Private Cloud (VPC) is a cordoned-off part of a cloud – so, it was an area of AWS that was specifically for Capital One.

So…

  1. Somehow the hacker Erratic was able to log in to one of Capital One's WAFs.
  2. From there, she got to their storage objects that represented information about people – specifically, people who had used the business credit card application…application. Overloaded words are the best!
  3. Finally, she copied those storage objects that represented people to her own area of AWS – like copying a file from someone else’s Google Drive into your Google Drive.

Questions Outstanding

…there are a lot.

It's not clear how Erratic did #1, logging in to the WAF. The most likely answer is that the username/password wasn't complicated enough – like maybe the default of admin/admin. But there are also other possibilities, and if Capital One has disclosed this piece, we couldn't find it.

There are a few ways step #2 could have happened – the WAF could have already had access to all of the storage objects, or Erratic could have given the WAF direct access to the storage objects. The J Cole Morrison article above explained one possible scenario: Amazon IAM could have been used to take advantage of the fact that she was already in the WAF and then extended the default trust of “well, you’re in the WAF, so okay” – security people call this a “pivot”.
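
To make the "pivot" idea concrete: on AWS, anything running on an EC2 instance can ask the instance metadata service for the temporary credentials of the IAM role attached to that instance, and then act as that role. The sketch below shows that mechanic in Python with boto3 – it is not a reconstruction of what Erratic actually ran, just an illustration of why an over-privileged instance role is dangerous.

```python
# Sketch of the "pivot" mechanic: code running on an EC2 instance can fetch the
# temporary credentials of the instance's IAM role from the metadata service
# and then act as that role. Illustration only, not the actual attack.
import requests
import boto3

METADATA = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

role_name = requests.get(METADATA, timeout=2).text.strip()
creds = requests.get(METADATA + role_name, timeout=2).json()

s3 = boto3.client(
    "s3",
    aws_access_key_id=creds["AccessKeyId"],
    aws_secret_access_key=creds["SecretAccessKey"],
    aws_session_token=creds["Token"],
)

# If the role is over-privileged, this now lists (and could copy) every bucket
# the role can reach -- which is why least-privilege on instance roles matters.
for bucket in s3.list_buckets()["Buckets"]:
    print(bucket["Name"])
```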

Step #3 is basically…copy/paste. There are probably some interesting nuances here, like…if she didn't give the WAF authority to read the objects, why did the WAF have that authority? What business use case would require giving an access point read access to an entire store of customer data? Also, she would have had to give something access to write to her own AWS space, at least temporarily.

The Pain: $100M-$150M

The Capital One press release stated that this incident will "generate incremental costs of approximately $100 to $150 million in 2019." Capital One was one of the earliest companies to go to AWS/the cloud, and they made a lot of noise about it – here, and here. Explaining technology success is one of our favorite things, but there are trade-offs to publicizing your backing infrastructure rather than keeping it a secret.

This has led to egg on AWS's and Capital One's faces, which is unfortunate, because this really doesn't have much to do specifically with AWS, or with clouds in general…

…or does it?
– Not Intended to be ClickBait

Clouds in General

This isn’t the first AWS data breach (see end of the blog for a list of others). The list is not small, unfortunately.

Please raise your hand if you're sure you haven't been hacked.

We're gonna say this is partially because AWS is the biggest, has been around the longest, and had to figure out hyperscale stuffs without anyone to copy from, because they were the first.

But still… yikes.

A big part of this is that Amazon makes things super easy. So easy a caveman could do it, right? And…that’s the trick. It’s super easy to type in a credit card (or even an AWS gift card, I (Josh) have one they gave out at a trade show) and spin up some storage and compute. Unfortunately, it isn’t super easy to spin up security tailored to clouds.

We used to have to wait for infrastructure teams in our data centers to (hopefully) handle the security for us. They’d put your request in a queue, and get to it a week later…then they’d ask the storage admins and VM admins for some data and some compute, and that request would go into a queue…and then, several steps later, the firewall admins would get involved…but doggone it, eventually the pros would secure things like they were trained.

VM-based infrastructure has been around a long time, and the kinks have been worked out. Cloud infrastructure is newer, and exponentially faster to use – that’s one of the biggest appeals. Unfortunately, because it’s newer and because it’s so fast, kinks still exist – and one of the biggest is how to make it secure without slowing down the people using it.

Clouds are not all insecure, the sky is not falling – but they do require more deliberate attention to security than perhaps we’re used to in most of IT.

Takeaways and Recommendations

With Infrastructure as a Service as fast and easy as the cloud makes it, it's clear that there are often times when the right security-aware folks are not involved. It's extremely easy to get going with platforms like these, which is…kind of the point. Simply put, you can get insecure systems faster and easier than you can get secure systems – for now, anyway. The industry knows this, and is trying to make it better.

Until security catches up to the speed of IaaS, companies need the people who can secure their systems to be involved in setting up new platforms, and in setting up best practices for their use. The balance point is not giving up too much of the speed and agility that advances like IaaS provide in the name of security – ideally, the security that remains should be something everyone agrees is worth the trade.

So…after all of that, here are some recommendations:

  1. Single layers of security are not enough. You need Defense in Depth, and vital areas like customer data need to be strongly protected regardless of the platform trying to access them.
  2. Security practices and implementations should be transparent, at least within a company, and questions should be welcomed and encouraged. Open culture helps with security, too.
  3. Security should be automated as much as possible, and that automation should also be transparent (infrastructure as code – see the sketch below this list).
  4. Enterprises need to choose platforms that are secure, that have people dedicated to the security of that platform as their job.
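
As a small example of #3: security settings expressed as code can be reviewed, versioned, and re-applied on every change, instead of living in someone's console clicks. A sketch with boto3 – the bucket name is hypothetical, and this is only a slice of what "security as code" covers.

```python
# Sketch of "security as code": block public access and require encryption on a
# bucket, expressed as reviewable, re-runnable code. Bucket name is hypothetical.
import boto3

s3 = boto3.client("s3")
BUCKET = "example-customer-data"

# Block every form of public access at the bucket level.
s3.put_public_access_block(
    Bucket=BUCKET,
    PublicAccessBlockConfiguration={
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    },
)

# Encrypt everything written to the bucket by default.
s3.put_bucket_encryption(
    Bucket=BUCKET,
    ServerSideEncryptionConfiguration={
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]
    },
)
```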

Other AWS Data Breaches

We're on Hiatus for a bit – but for a REALLY GOOD REASON.

We really love this blog. We started it almost exactly 6 months ago and it means a ton to both of us. We started with two posts a week – and then Josh started a new job. We downshifted to one post a week – and then Laine got a new job. We’ve managed to keep on keepin’ on at one post a week since then, which… well, we really love this blog.

One of the first things we ever did that made us sit up and realize that maybe we made a seriously effective team was give a nerd presentation – we talked about feature toggles as an architectural concept. A few months after that, we went to UberConf in Denver. That was Laine’s first IT conference, and we had a blast. That’s a pretty good “God does stuff everywhere” story, which we should probably tell at some point…

After that conference, as we adjusted back to normal life, we talked about how seriously amazingly cool it would be to give nerd presentations at a nerd conference of that level – national, and with nerd-famous people like Mark Richards and Neal Ford. (Josh definitely fanboy'd when Mark Richards included him in a demo in a presentation.) We also befriended one of the speakers on the tour, who lives nowhere near us. We filed away the plan to some day speak at national nerd conferences in general, and at UberConf specifically, in the "haha, sure, that might happen some day" file.

We called this a goal, but…it was a dream. It was a dream in the way that little kids gleefully dream about being an astronaut when they grow up.

Laine was off work for 6 months. Again, another story for another time. But while she was off work, we started to apply to speak at conferences. Josh’s new job was friendly to the idea, Laine had no job, it was something to think about, so…we sort of figured why not.

We applied to speak at O'Reilly's Open Source & Software Convention (OSCON), which was having a themed Inner Source day this year. Once Laine understood what on Earth "inner source" meant, we were sort of like, "hey, it's us and one of the things we love the most!!" We submitted two talks.

We also started conversations about getting onto a semi-local No Fluff Just Stuff stop – NFJS organizes UberConf along with a lot of other regional conferences throughout the year. The other major conference they organize is ArchConf, in December – which was also on our Nerd/Astronaut Dreams Bucket List.

And then, on a Friday afternoon, we found out the following:

  1. One of our talks was accepted for OSCON.
  2. One of the speakers for UberConf had to drop out, there were some spots open, and we could have them if we wanted.
  3. We were also officially in for Tech Leader Summit and ArchConf.

God does weird, wonderful, lavish, unexpectedly awesome stuff

…you mentioned a hiatus?

Yes! We did.

OSCON and UberConf are the same week, the week of July 15th. We got lucky (jklol pretty sure it was God doing more awesome stuff) and our talk at OSCON is that Tuesday, and our talks (4!!) at UberConf are Wednesday and Friday. So…we decided to do both conferences.

J: Should we do both?
L: Are we really crazy enough to try that? :thinking:
Us: Yep!!

We're getting ready for those talks now. We are both extremely dedicated, prolific workers, but even we have limits. We have several posts in varying stages of done, but the kinds of things we write require focus and attention and time and soul – and we pretty much only know how to make any content we produce in that same way.

“A man’s got to know his limitations.” – Harry Callahan, Magnum Force

We will be back. We have so many thoughts and feels and did we mention we love this blog?

Logistics

These are the descriptions and schedule of our talks:

Please come say hello if you’ll be at either OSCON or UberConf. (If you are not attending and would like to, we have discount codes!) We love these topics, we love talking about them, and we are so stupid excited to be doing this.

Also, we will have stickers. We bought binders for them and everything. 

Quick Hits: Coolest New Stuff In OpenShift 4

We talked in a previous post about neat stuff that was coming up in OpenShift. We wanted to follow up now that more information is available and 4.1 is GA, and quickly break down some of the neatest stuff.

OpenShift 4 is the major version that makes Kubernetes the standard platform: it provides features that let the majority of enterprises build and run the majority of their applications on an open, agile, future-ready platform.

OpenShift 4 crosses the chasm from early adopters to the standard platform for Kubernetes.

Istio (Service Mesh)

What is it: Networking upgrade for OpenShift Applications

Status: Tech Preview as of 4.1

How does it work: Injects a container sidecar to monitor (mostly to say who’s calling who, and how much), secure, and manage traffic. 

Key Features:

  • Transaction tracing, traffic graphs, full-transaction performance monitoring
  • Traffic (routing) control
  • Rate limiting, circuit breaking

Big Talking Point: OpenShift Service Mesh makes managing all of the services you're building visual and clear.
Business Use Case: Enterprises looking to get visibility into their microservices; AppDynamics and Dynatrace customers.

Red Hat CodeReady

What is it: Containerized application development environment. The tagline is "cloud-native development."

Key Features:

  • Single-Click Modern IDE
  • Tight integration with OpenShift
  • Debugging containers on OpenShift is a nice experience

Business Use Case: Enterprises with poor developer IDEs will appreciate CodeReady.

Competitors: IntelliJ and VSCode

FaaS 

What is it: FaaS/Serverless is an even easier, more restricted architecture than containers or PaaS.

Serverless is an alternative to containers. Applications that would be a good fit in a simple container are an easy fit for serverless.

Knative

What is it: Kubernetes-based serverless “Application Easy Button” – just write code, forget about packaging. We talked about it in more detail here.

Key Features:

  • An open standard for serverless
  • Build, scale, and trigger applications automatically

Big Talking Point: OpenShift 4's Knative solution makes building, running, scaling, and starting applications even simpler.

Business Use Case: Enterprises looking to turn their long-running (overnight) batch streams into real-time integrations should use Knative and AMQ Streams on OCP.

Competitors: AWS Lambda, Azure Serverless, Google Cloud Functions. Knative provides this functionality without vendor lock-in to a single cloud provider.
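
The "just write code" pitch really does mean it: you hand Knative something that answers HTTP, and the platform handles deployment, routing, scale-to-zero, and scale-up. A whole "application" can be as small as this sketch (standard-library Python; Knative passes the port to listen on in the PORT environment variable).

```python
# Sketch: the entire "application" Knative needs from you -- something that
# answers HTTP on a port. Scaling, routing, and scale-to-zero are the platform's job.
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = json.dumps({"message": "hello from a serverless-ish function"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Knative injects the port to listen on via the PORT environment variable.
    port = int(os.environ.get("PORT", 8080))
    HTTPServer(("", port), Handler).serve_forever()
```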

The Operator Framework

What is it: intelligent automation that can manage an application by defining its proper state and automating complicated application operations using best practices.

Key Features:

  • Kubernetes-native application management
  • Choice of automation: Go, Ansible, Helm
  • Packaged with a Kubernetes application

Business Use Case: managing stateful applications like Kafka and databases; new use cases show up all the time, though, such as managing the Kubernetes cluster itself (Machine Operators)

Big Talking Point: Operators make managing complex applications in Kubernetes much easier, turning industry-standard practices into automation.
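
Whether an operator is written with Go, Ansible, or Helm, the heart of it is the same reconcile loop: observe the actual state, compare it to the declared desired state, and correct the drift. Here's a toy sketch of that loop using the Kubernetes Python client – the annotation name is made up, and a real operator would watch for events instead of polling.

```python
# Toy reconcile loop, just to show the pattern operators automate:
# observe actual state, compare to desired state, act.
# The annotation name ("example.com/desired-replicas") is made up for illustration.
import time
from kubernetes import client, config

config.load_kube_config()
apps = client.AppsV1Api()

def reconcile(namespace="demo"):
    for dep in apps.list_namespaced_deployment(namespace).items:
        annotations = dep.metadata.annotations or {}
        desired = annotations.get("example.com/desired-replicas")
        if desired is None:
            continue
        desired = int(desired)
        if dep.spec.replicas != desired:
            # Actual state drifted from desired state: correct it.
            apps.patch_namespaced_deployment(
                name=dep.metadata.name,
                namespace=namespace,
                body={"spec": {"replicas": desired}},
            )

while True:
    reconcile()
    time.sleep(30)  # real operators watch for events rather than poll
```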

KubeVirt

What is it: Kubernetes-native virtualization. Run VMs on Kubernetes. Basically, this is VMware for K8s.

How does it work: leverages open source virtualization technology inside a container to run VMs.

Features: 

  • Run Windows or Linux VMs on OpenShift
  • Manage complicated, hard-to-containerize applications alongside the containerized applications that integrate with them

Business Use Case: ditch proprietary VM platforms and run your containers and VMs on one standard, open platform

What else is neat in OpenShift 4

Cluster Admin is so much easier: 

  • Fully-automated cluster spin-up: AWS install in less than an hour
  • Push-button updates
  • Immutable Infrastructure: RHEL CoreOS nodes are immutable and extremely strong from a security standpoint
  • Nodes as cattle, not pets: automatic scaling and healing
  • Cluster can automatically add nodes as load increases

Stuff We’d Like to Get Deeper With

There's a lot more coming with OpenShift that we'd like to get hands-on time with:

  • Windows Containers
  • OpenShift Cluster Management at cloud.redhat.com
  • Universal Base Image: https://www.redhat.com/en/blog/introducing-red-hat-universal-base-image
  • Quay and Clair

OpenShift: Still the Best at What it Always was Best At

OpenShift is still the platform we know and love.

  • Secure Kubernetes:  SELinux preventing security problems like the runc vulnerability
  • Fully backed by Red Hat, which will be even more stable and well-funded after the IBM acquisition
  • Enabling Digital Transformation: Containers are still the best way to transform IT, and Kubernetes is the best way to enable DevOps and Continuous Delivery
  • Open Hybrid Strategy: Vendor Lock-in sucks. Open standards and great partnerships.

It was recently announced that more than 1000 enterprises across all industries are running OpenShift.