Dear all,
Wish all of you and families Happy New Year.
NIST SP 800-192 has published a standard on containerization security. The main points relate to auto-scaling (scaling in and out horizontally), where VMs and containers can be added, destroyed or replaced. Auto-scaling is also called elasticity.
To achieve this, there are two critical properties - immutability and statelessness.
Immutability is defined as unchanging over time or unable to be changed. The approach to change is to upgrade the image and deploy this image into a new VM or container, then shut down the old VM or container.
Stateless - won't retain data in the local storage. This allows the VM or container to be shut down. If your application requires data to be retained, then it has to be stored in a persistent database external to the VM or container.
Brgds
Ram
------------------------------
Ram Marappan
Trainer and consultant
Self employed
------------------------------
Original Message:
Sent: Dec 31, 2021 07:00:20 AM
From: Lee Neely
Subject: Immutable workloads
While I believe I had a differing definition of immutable workload, Moshe is correct. You need to understand how your application is built and what the impact of auto-scaling is.
Good point on lift and shift. Using it needs to be carefully considered. I have seen it increase costs and result in a reduction in stability, which may undermine efforts to migrate to the cloud or otherwise derail well-intended modernization efforts.
------------------------------
Lee Neely CISSP, CISA, CRISC, CISM, GMOB, GPEN, GPYC, GAWN, G
CSA BOI
Boise ID
Original Message:
Sent: Dec 30, 2021 07:51:04 AM
From: Moshe Ferber
Subject: Immutable workloads
Hi Gaurav,
When you create applications that are built for immutable infrastructure, you need to address these challenges. There are design patterns that need to be followed. Immutable applications don't store data on local disk; they keep their connection table and application state in a 3rd-party DB, for example.
The same design patterns are recommended not only for immutable infrastructure; similar challenges happen with auto-scaling. When the cloud provider starts scaling down instances you want to make sure no connection is lost, so you need to follow cloud application design patterns.
This is one of the reasons lift and shift (transferring traditional applications to the cloud) has a bad reputation and is not recommended.
You can find additional resources about how to design cloud-native applications in the cloud provider's KB; here is an example:
https://docs.microsoft.com/en-us/azure/architecture/best-practices/auto-scaling
Hope this helps.
Moshe.
------------------------------
Moshe Ferber
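The pattern Moshe describes, and the state loss Gaurav asked about, as an added illustration (not code from any poster or from the CSA module): a session kept in instance memory disappears when the image is replaced, while the same session kept in an external store survives. The `ExternalStore` class is a constructed stand-in for a database such as Redis; instance and session names are made up.

```python
# Added illustration: immutable upgrade (replace the instance, never patch it)
# with state held locally versus in an external store.

class ExternalStore:
    """Stand-in for a database that lives outside the VM/container (constructed)."""
    def __init__(self):
        self.data = {}

    def get(self, key):
        return self.data.get(key)

    def put(self, key, value):
        self.data[key] = value


class StatefulInstance:
    """Keeps session state in local memory: it is lost when the instance is replaced."""
    def __init__(self, image_version):
        self.image_version = image_version
        self.local_sessions = {}

    def handle(self, session_id, item):
        cart = self.local_sessions.setdefault(session_id, [])
        cart.append(item)
        return list(cart)


class StatelessInstance:
    """Keeps session state in the external store: any replica can continue the session."""
    def __init__(self, image_version, store):
        self.image_version = image_version
        self.store = store

    def handle(self, session_id, item):
        cart = self.store.get(session_id) or []
        cart.append(item)
        self.store.put(session_id, cart)
        return list(cart)


def replace_image(old, new_version, **kwargs):
    """Immutable upgrade: start a fresh instance from the new image; the old one is shut down."""
    return type(old)(new_version, **kwargs)


def simulate(stateless):
    """Serve one request on v1, roll to v2 by replacement, serve a second request."""
    store = ExternalStore()
    inst = StatelessInstance("v1", store) if stateless else StatefulInstance("v1")
    kwargs = {"store": store} if stateless else {}
    inst.handle("sess-42", "book")          # state created on the v1 instance
    inst = replace_image(inst, "v2", **kwargs)  # v1 destroyed, v2 deployed
    return inst.handle("sess-42", "pen")    # does the session survive?
```

With local state only the second item remains after the upgrade; with external state the session continues with both items.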
Original Message:
Sent: Dec 29, 2021 09:29:12 AM
From: Abhinav Goyal
Subject: Immutable workloads
Interesting question @Gaurav Gupta. To me, you destroy the container and implicitly replace it. Also, you follow through with blue/green deployment to minimise any downtime. I hope this helps and is in line with what you are looking for?
------------------------------
Abhinav Goyal
Original Message:
Sent: Dec 26, 2021 05:41:42 PM
From: Gaurav Gupta
Subject: Immutable workloads
I have a question on the module - for immutable workloads - if the version of the image is replaced instead of patching, wouldn't it take away the cache of the current state of the application or process running on the image?
This came up while going through the training module below: https://knowledge.cloudsecurityalliance.org/certificate-of-cloud-security-knowledge-foundation-exam-bundle/474889/scorm/1tr8waphbm11a
------------------------------
Thanks,
Gaurav
------------------------------