Governance for your Modern Application Platform - November 4, 2020

Slides from the Northeast Fall Webinar Series on November 4, 2020. Presented by Andrea Samuel & Chuck D’Antonio, VMware


  1. Confidential │ ©2019 VMware, Inc. Governance for Your Modern Application Platform: Visibility, Trust, and Control. Chuck D’Antonio, Andrea Samuel. November 2020
  2. Agenda: Characteristics of Modern Application Development (initial steps and common challenges); Succeeding with Modernization (evolving your applications and platform); Visibility (understanding your modern application environment); Trust (increasing independence without increasing risk); Control (maintaining stability as velocity increases)
  3. The Goal of All Software Development: ship code faster at lower costs with no outages, ever. Lifecycle loop: Idea, Code, Build & Test, Deliver, Accept, Learn, Observe, Maintain, Deploy
  4. Conflicting Needs and Incentives. Developers (velocity): need more resources; need to move faster; need more control over their environments. Operators (stability): need to maintain stability; need to control resources; need to limit blast radius
  5. “Agile, as it’s currently being implemented in most companies, has become a ‘dumb’ process. It doesn’t have a brain. The feedback loops originally intended to inform next steps have instead become checkpoints to ensure we’ve completed what we agreed to 2 weeks earlier.” Jeff Gothelf, Agile Doesn’t Have a Brain
  6. Five Ss of Software Development. Speed: go from idea to value as quickly as possible. Stability: minimize downtime and optimize MTTR. Scalability: dynamically respond to demand without incident. Security: limit exposure, react quickly to vulnerabilities. Savings: reduce cost while improving outcomes
  7. The Scariest Time in Software Development (lifecycle loop: Idea, Learn, Code, Build & Test, Deliver, Accept, Observe, Maintain, Deploy). The time between idea and feedback is the scariest time in software development… and yet we often make speed subordinate to the other 4 Ss
  8. Our experience: platform focus on developer experience is the biggest driver of success. An opinionated platform helps teams gain speed without losing out on the other 4 Ss. Our heritage was a single platform with a strong set of opinions. The answer isn’t necessarily those opinions, it’s having the right opinions for you. Opinions where it matters, options where it doesn’t
  9. Supporting Modern Developers with a Modern Platform: deliver the velocity developers need, with the stability operators demand. Visibility: manage your modern application environment with a consolidated control plane and a single pane of glass with full-stack observability. Trust: increase independence through automated pipelines and developer self-provisioning without increasing risk. Control: maintain consistency, resiliency, and security across clusters, teams, and clouds with centralized access control and automated policy enforcement
  10. Visibility: understanding your modern application environment
  11. Kubernetes Adoption Reality: Growing Fragmentation. Each environment (Amazon Web Services, VMware vSphere, Microsoft Azure, Google Cloud Platform, a second Amazon Web Services account) carries its own security, IAM, and cost ($$ to $$$). Manual configuration and management, siloed by environment. Access, networking, and security policies applied cluster-by-cluster. Lack of cost visibility and control
  12. All Your Clusters in One Place: Tanzu Mission Control. Cluster lifecycle management; K8s cluster attachment; centralized policy management; cluster inspection; data protection integrations; observability & diagnostics; app & service management; connectivity & traffic management
  13. End-to-End Observability. Data types: metrics, traces, histograms, span logs. Sources: applications, microservices, serverless, any cloud, containers, infrastructure, IoT. Wavefront Ingestion: full-stack collection, real-time ingestion. Wavefront Cloud: absolute data resolution & retention, intelligent routing, 4D data processing, high-performance analytics, AI/ML, automated insights. Wavefront UX: alert, visualize, troubleshoot, predict, automate
  14. Trust: increasing independence without increasing risk
  15. Questions that Reduce Trust in a System: Where did that image come from? Who owns that app? Are we running the latest…? Did we run the security scans? Who deployed that? What’s in that container? Is all the traffic encrypted? Did you patch that CVE? Is there a single point of failure? Was this tested?
  16. Increasing Trust in Your Production Workloads, from build time to run time: consistent container construction; approved application dependencies; scanned and signed container images; compliant Kubernetes objects
  17. Automation for a Trusted Supply Chain: certify your CI/CD process and require it for all production deployments; incorporate static and dynamic security scans; validate policies for Kubernetes artifacts; trigger on source code, buildpack, and OS stack changes
  18. Sourcing Containers You Can Rely On. Tanzu Build Service uses buildpacks for repeatable, consistent container builds for multiple languages and frameworks. Tanzu Application Catalog combines validated open source packages and hardened base images for backing services you can trust. Diagram: In-House NFVO Applications → Tanzu Build Service; Third-party NFVO Services → Tanzu Application Catalog; both feed the Harbor Registry (with Notary) that supplies the Kubernetes Cluster
  19. Control: maintaining stability as velocity increases
  20. Managing Access through Unified Identity and Access Policy. Identity sources (VMware Cloud Services, Active Directory) import users and groups into the Tanzu Mission Control policy engine. (1) Platform Operations/IT define access policies: they define user access to multiple clusters ONCE with cluster groups, workspaces, and role mappings across cluster namespaces. (2) Developers get self-service access to clusters, authenticating with a token and using kubectl
  21. Assuring Workload Security and Compliance. Multiple layers of controls provide defense in depth against untrusted and vulnerable workloads: integrated image scans prevent push and/or pull; in-cluster enforcement limits source registries and enforces other constraints. Diagram: developers push a trustworthy image to the internal Harbor Registry (with Notary); a vulnerable image from Docker Hub is flagged ⚠️; operators’ image policy and custom policy are applied to the Kubernetes Cluster through Tanzu Mission Control
  22. Robust Policy Environment. Tanzu Mission Control scopes policy at Cluster Groups, Clusters, Workspaces, and Namespaces. Policies set by operators: Security Policy (PodSecurityPolicy = Restrictive); Access Policy (Role Binding = namespace.admin); Registry Policy (AllowedRegistries = *; pulls from Harbor, Google Registry, Docker Hub); Network Access Policy (EgressPolicy = deny-all; ingress and egress); Quota Policy (CPU and memory limits); Custom Policy. Developers work inside cluster namespaces with kubectl
  23. Demo
  24. Thank You. Chuck D’Antonio, Solution Engineer, Team Tanzu. Andrea Samuel, Solution Engineer, Team Tanzu
  25. VMware Tanzu Northeast Fall Webinar Series, October-November 2020. October 21: Hardening the Container Application Lifecycle. Newer architectures and patterns have developed alongside the evolution of containers and Kubernetes. Your container platform can help you avoid many of the challenges teams face when attempting to build, run, and manage these workloads. Learn how to build and maintain operational consistency via centralized visibility and management across multiple clouds and platforms, including edge applications. November 4: Governance for Your Modern Application Platform. Containers give teams more flexibility to declare their dependencies and include them in a deployment. This flexibility can improve their velocity and accelerate time, but also shifts control and accountability among teams, sometimes in ways that are outside of your current governance controls. Learn how to maintain robust governance as roles and responsibilities shift with containers and Kubernetes. November 12: Delivering Off-The-Shelf Software with Kubernetes. All organizations mix software they build with software they “buy”. The notion of “buying” software has changed to include not only traditional commercial software products but also mission-critical open source and “as-a-service” packages. This session addresses the new world of “off-the-shelf” and how it impacts your work provisioning, monitoring, and supporting your overall software portfolio. Join the solutions engineers from your local VMware Tanzu team for a series of informal. Each session focuses on capabilities you’ll need to give developers the velocity they need while maintaining the stability your business requires. Sessions are led by two local solution engineers whom you’ll have the opportunity to meet and work with as part of your journey with VMware Tanzu. Register:
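Slides 21 and 22 describe in-cluster enforcement that limits which source registries a workload may pull from, and slide 22 shows the permissive setting AllowedRegistries = *. The following is an added example written for this page, not code from VMware or Tanzu Mission Control: a small admission-style check that normalizes each container image reference the way a container runtime does and evaluates it against an allow-list, comparing the permissive wildcard policy with a restrictive one. The registry hostname, the policy values and the sample Pod are constructed assumptions; the point it adds is that an unqualified image such as nginx:1.19 resolves to docker.io/library/nginx, so a policy that only string-matches a prefix would never see "docker.io" for it.

```python
"""Admission-style image registry policy check (added example, not Tanzu code).

Models what an in-cluster registry policy does: every container image in a Pod
is normalized to (registry, repository, tag, digest) and checked against an
allow-list of source registries. The registry host, policies and sample Pod
below are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Normalize an image reference the way container runtimes do.

    'nginx:1.19' becomes docker.io/library/nginx:1.19, so a policy that only
    looks at the literal string prefix would never see 'docker.io' for it.
    """
    name, _, digest = ref.partition("@")
    first, slash, rest = name.partition("/")
    # The first path component is a registry host only if it looks like one
    # (contains a dot or a port, or is 'localhost'); otherwise it is Docker Hub.
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", name
    # A tag can only sit in the last path component (registry ports also use ':').
    head, _, last = path.rpartition("/")
    if ":" in last:
        last, tag = last.rsplit(":", 1)
    else:
        tag = None
    path = f"{head}/{last}" if head else last
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path  # official Docker Hub images live under 'library/'
    return ImageRef(registry, path, tag, digest or None)


@dataclass(frozen=True)
class ImagePolicy:
    # ("*",) is the permissive AllowedRegistries = * setting from the slide.
    allowed_registries: Tuple[str, ...]
    # Scanned-and-signed images are best referenced by digest, not a mutable tag.
    require_digest: bool = False


def evaluate_pod(pod: dict, policy: ImagePolicy) -> List[str]:
    """Return one violation string per offending container; empty means admit."""
    violations = []
    spec = pod.get("spec", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    for c in containers:
        ref = parse_image_ref(c["image"])
        if "*" not in policy.allowed_registries and ref.registry not in policy.allowed_registries:
            violations.append(f"{c['name']}: registry {ref.registry!r} is not an allowed source")
        if policy.require_digest and ref.digest is None:
            violations.append(f"{c['name']}: image {c['image']!r} is not pinned to a digest")
    return violations


# Constructed sample Pod: an init container pinned by digest from the internal
# registry, an app container by tag from the same registry, and an unqualified
# Docker Hub sidecar.
SAMPLE_POD = {
    "metadata": {"name": "web", "namespace": "team-a"},
    "spec": {
        "initContainers": [
            {"name": "migrate", "image": "harbor.internal.example/team-a/migrate@sha256:" + "a" * 64},
        ],
        "containers": [
            {"name": "web", "image": "harbor.internal.example/team-a/web:1.4.2"},
            {"name": "sidecar", "image": "nginx:1.19"},
        ],
    },
}

PERMISSIVE = ImagePolicy(allowed_registries=("*",))
RESTRICTIVE = ImagePolicy(allowed_registries=("harbor.internal.example",), require_digest=True)

if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        result = evaluate_pod(SAMPLE_POD, policy)
        print(f"{label}: {'admit' if not result else 'deny'}")
        for line in result:
            print("  -", line)
```

Under the permissive policy the Pod is admitted as-is; under the restrictive one the sidecar is rejected because it resolves to docker.io, and both tag-only images are flagged as unpinned. The same normalization step is what makes a registry allow-list enforceable at all: without it, a policy configured for "harbor.internal.example" alone would silently admit any bare Docker Hub image name.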