Using a “host factory” to deliver secure hybrid and multi-cloud instances…and then…secure container management

For those of us who track AWS, last week brought a welcome update that includes a bunch of great new features (announcement here).

One of the key challenges I see over and over again in large enterprise tech is getting the best of AWS without complete lock-in to Amazon (multi-cloud), while at the same time supporting a mix of on-prem and cloud infrastructure (hybrid). Hybrid AND multi-cloud is hard, but possible in my opinion if you pick a small number of key elements of your architecture and keep them independent of AWS (or of any cloud provider, for that matter).

One of the most important elements to keep independent is your core authentication/authorization/secrets infrastructure. But where do you start? It is such a complicated, tangled mess.

Try this: it can be very useful to run a service that is essentially a "host factory", assigning a dynamic identity to VMs. The host factory gives each VM a single, provider-independent identity, so that services such as secrets management, SSH, service authorization and PKI can all be delivered regardless of where the VM physically runs or which cloud provider hosts it.

For example, in AWS your instances authenticate to the "host factory" using their AWS IAM role. IAM roles are the bridge between AWS instances and their "host factory" identity. (The host factory has to verify that role with AWS rather than trust a role name the instance asserts about itself; otherwise any instance could claim any identity.) The host factory identity can then be used to deliver all of the services mentioned above regardless of provider, on-prem or in any cloud. This draws a "line in the sand": your intimacy with any given cloud provider stops there, and your control of your own machine identities starts.

Now that AWS has brought IAM roles to containers, the same bridge from EC2 instances to your "host factory" identity can be used to manage container identities.

So whether your app is VM based or containerized, it registers in the same way with the "host factory" and uses all the same core features (except SSH of course, which is not really a thing for containers 😉).
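To make the bridge concrete, here is a minimal host factory as an added example in Python. It is not the author's code and not Conjur's API; the role registry, the secrets store, the token format and especially the STS stand-in are assumptions made up for illustration. The enrollment step is the only cloud-specific part: a real host factory would forward the instance's signed GetCallerIdentity request to AWS STS and read the caller ARN from the response, whereas this example maps constructed "proof" strings to the ARN STS would return. Everything after enrollment (token verification, secret authorization) runs with nothing but the host factory's own key, which is the point of the pattern.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed registry: which AWS IAM roles may enroll, and the provider-independent
# host identity each one receives. Keyed by role ARN rather than instance ID, so any
# instance or container launched with that role gets the same host identity.
ROLE_TO_HOST = {
    "arn:aws:iam::123456789012:role/payments-api": "prod/payments-api",
    "arn:aws:iam::123456789012:role/batch-worker": "prod/batch-worker",
}

# Constructed stand-in for AWS STS. A real host factory forwards the instance's signed
# GetCallerIdentity request to STS and reads the Arn in the response; here a made-up
# "proof" string maps straight to that Arn, and anything else counts as rejected by STS.
FAKE_STS_RESPONSES = {
    "proof-payments": "arn:aws:sts::123456789012:assumed-role/payments-api/i-0a1b2c",
    "proof-batch": "arn:aws:sts::123456789012:assumed-role/batch-worker/i-0d3e4f",
    "proof-rogue": "arn:aws:sts::999999999999:assumed-role/attacker/i-0bad00",
}

# Constructed secrets store and ACL, keyed by host identity rather than cloud identity.
SECRETS = {"db/payments/password": "hunter2", "queue/batch/token": "q-token-42"}
SECRET_ACL = {
    "prod/payments-api": {"db/payments/password"},
    "prod/batch-worker": {"queue/batch/token"},
}

def caller_identity(proof):
    """Return the STS caller Arn for a proof, or None when STS rejects it."""
    return FAKE_STS_RESPONSES.get(proof)

def role_arn_from_assumed_role(sts_arn):
    """arn:aws:sts::ACCT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCT:role/ROLE."""
    prefix, _, resource = sts_arn.partition(":assumed-role/")
    if not resource:
        return None
    return f"arn:aws:iam::{prefix.split(':')[4]}:role/{resource.split('/')[0]}"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class HostFactory:
    """Exchanges a verified cloud identity for a host token checkable without the cloud."""

    def __init__(self, signing_key, ttl_seconds=300):
        self.key = signing_key
        self.ttl = ttl_seconds

    def enroll(self, proof, now=None):
        now = int(time.time()) if now is None else now
        sts_arn = caller_identity(proof)
        if sts_arn is None:
            raise PermissionError("STS did not verify the request")
        host_id = ROLE_TO_HOST.get(role_arn_from_assumed_role(sts_arn))
        if host_id is None:
            raise PermissionError(f"role not registered with the host factory: {sts_arn}")
        # Past this point nothing AWS-specific is carried forward: the token names only
        # the host identity and a validity window.
        claims = {"host": host_id, "iat": now, "exp": now + self.ttl}
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).digest()
        return f"{payload}.{_b64(sig)}"

def verify_host_token(signing_key, token, now=None):
    """Check signature and expiry, return the host identity. Any service holding the
    host factory's key (secrets, PKI, an SSH CA) can do this on any provider."""
    now = int(time.time()) if now is None else now
    payload, _, sig = token.partition(".")
    expected = hmac.new(signing_key, payload.encode(), hashlib.sha256).digest()
    if not sig or not hmac.compare_digest(expected, _unb64(sig)):
        raise PermissionError("bad host token signature")
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        raise PermissionError("host token expired")
    return claims["host"]

def fetch_secret(signing_key, token, secret_name, now=None):
    """Authorize by host identity, so the same rule applies wherever the host runs."""
    host = verify_host_token(signing_key, token, now)
    if secret_name not in SECRET_ACL.get(host, set()):
        raise PermissionError(f"{host} may not read {secret_name}")
    return SECRETS[secret_name]

def rejected(fn, *args, **kwargs):
    """True when the call is refused with PermissionError; exercises the failure paths."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False
```

Note what is and is not checked: a token from an unregistered AWS account, a forged or tampered token, an expired token and a request for a secret outside the host's ACL are all refused, while the secrets service never learns (or cares) that the caller started life as an EC2 instance or a container. Swapping the STS stand-in for a different provider's identity proof changes only `enroll`; the token, `verify_host_token` and the ACL stay the same, which is the "line in the sand" the post describes.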

In my opinion this approach can be implemented quickly if you use a great system like Conjur.

There was a similar dynamic a few years back with network identity and access management: along came a great product, Illumio, which has been adopted broadly to solve that problem. Conjur is doing for the app layer what Illumio delivered for the network layer.

Give it a try and let me know what you think.
