Insight By Red Hat

Immutable infrastructure can ease agencies into agile, DevOps

How do we ensure systems on government networks are in a completely known, secure state once they are in production?

This content is provided by Red Hat.

Automation is a key technology helping IT organizations deploy, take apart, and reload technologies into production without human intervention.  But once technology is deployed, federal managers want to make sure that systems can’t be misconfigured and infrastructure components aren’t altered once they have been approved.

Moreover, project management methodologies such as agile and DevOps support the idea of developing software and systems iteratively and quickly. That is fine and good.  But this also raises the question: How do we ensure systems on government networks are in a completely known, secure state once they are in production?

Agencies are going through all types of security accreditation and requirements, such as the Federal Information Security Management Act (FISMA), the Federal Risk and Authorization Management Program (FedRAMP), and the Department of Homeland Security Continuous Diagnostics and Monitoring (CDM) program. As systems are continuously evaluated over time, IT and security managers discover that what was authorized to go into production doesn’t necessarily have the same configuration six months later, says Shawn Wells, chief security strategist with Red Hat’s North America Public Sector.

“If an agency is hacked and the bad guys attempt to install malware, wouldn’t it be wonderful if the infrastructure can just be fundamentally resilient or resistant to that attack?”  This is the promise that technology such as immutable infrastructure holds for agencies.

Some might think that the concept of an immutable, or unchanging infrastructure, is the antithesis of an agile infrastructure, which is flexible enough to meet changing demands on the fly. But that is far from the truth.  In fact, immutability can be a driver to help government agencies adopt DevOps and agile methodology because it builds trust in your infrastructure, according to Wells.

How it works

Immutable infrastructure gives agencies a provable way of knowing that nothing has changed beyond what was formally approved. How? Consider a general-purpose operating system like Linux, an open source system that has been around for decades and runs most of the Internet. Linux must run on everything from the laptop to the mainframe. Enterprise Linux is designed to run thousands of instances in production and provides the flexibility to configure each of those instances as necessary. That flexibility comes at a cost, though: because each instance can be uniquely tailored or configured, management is fundamentally more complex and is handled by a large pile of tools.

In immutable infrastructure, everything is designed purposefully around a different deployment and management paradigm that makes it manageable at scale or hyperscale. Immutable infrastructure hosts are designed to be configured upon deployment and managed identically. Thus, one copy of a web server looks the same as another, which forces a high degree of standardization in managing change.

Since immutable infrastructure is designed to be configured with automation, it is useful in the public cloud, in a private cloud, or even in virtual machines on a developer’s laptop. It is meant to be updated in a transactional way, using pretested, preapproved configurations. Additionally, immutable infrastructure is manageable in large, distributed environments where control over any individual host is limited.

Red Hat Linux Atomic is a special variant of Linux optimized to run immutable infrastructure. Atomic is designed to run DevOps workloads or discrete Linux container workloads. If developers want to make a change to the Red Hat Atomic host operating system, those changes must go through a configuration management process. The end state is a new image or a new container.

USCIS Builds Trust

The U.S. Citizenship and Immigration Services (USCIS) is using this technology to build a high level of confidence in the technology deployed on government networks, Wells says. In the process, USCIS has helped build trust between the developer, operations, and security teams. In the past, if system changes were made, those changes would have to go through a peer review process. Now, if a developer makes a change and it passes the quality control checks, those changes can go directly to the production system. The developer doesn’t have to wait two to three months going through the configuration management change program. “They can realize innovation much faster because of this immutability of production. USCIS is one of the first agencies to truly do DevOps,” Wells notes.

The real perceived risk of agile and DevOps is chaos because things are changing so fast. Immutable infrastructure gives federal managers a way of executing on the vision of agile by offering assurance that software settings will be exactly what they approved once the application is in production. There are reports that developers in companies like Amazon and Google make 100 changes a minute. So, how do you ensure that when you hit the approve button it is what you approved? Immutable infrastructure is a way to bring about a unified process that can audit the changes and assure agencies that the blueprint the systems integrators or their own teams approve will be the same in production.

“This helps build trust from your security team because they know whatever goes into production is what they verified. It builds trust from the operations guys because they know whatever blueprint they had is what will end up in production. And, it builds trust from the developers because once they create software or that blueprint through automation they can be sure that it is the same as what the DevTest team put out,” Wells explains. So, it reduces the organizational burden of troubleshooting, or trying to find issues.

That is why it is a big deal.

Copyright © 2024 Federal News Network. All rights reserved.