VMworld 2014
Well, I'm just back from attending the conference in Barcelona and I was taking particular interest in Security & VVols during the event. With Cloud taking off there's an increase in awareness of how vulnerable this infrastructure is to attack. Azura has had a few hiccups affecting many of their customers as they made changes to their networking stack earlier this year. Code Spaces is also of course in everyone's mind as they were held ransom and the criminal deleted their data forcing them to close. As we layer up the automation, how easy would it be to power down 20,000 VMs instead of powering them up?!
I'll list the main things I found out below throughout the Conference:
- Do I put my VMs in the Cloud? If they are Core - Stay on Floor (In House), if they are Non-Core - They go out the door (Cloud). Keep the apps you run your business on in house!
- Incident Management: Preparation, Identification, Containment, Eradication, Recovery, Lessons
- 2 Man Rule - get two people to make all changes especially after 4pm on a Friday. It's called the "weekend saver"!
- Is there any regulation around Cloud Providers themselves, to help ensure they are not just ramping up an insecure solution? FedRAMP is one strategy, the EU is working on another but it might be 2 years before they bite. Link below.
- VVols - saw a few sessions on these. There's a VASA 2.0 network link to the Array that controls creating new VMs, snapshots, cloning etc. If this link is down, existing VMs are ok, you just can't create new ones etc using VVols, bit like HA! It won't support SCSI-3 so no windows clusters. I asked if it's possible to insert a windows CD into a VMware Host and install windows into the Storage Container directly and wipe everything and they said no, this is not possible! As you are removing the LUN construct, you will end up with fairly large Storage Containers, great if someone tramples all over it! It won't support vSAN, I think you can pass UNMAP direct to the array now from the VM O/S so that will be great for space management. You can control features like replication per VM but there's no SRM integration in the initial release. You can deploy up to 256 Storage Containers, each supports a single protocol (NFS/iSCSI/FC). Backup Providers should be onboard and ready to support too (Veeam & Commvault mentioned). You can see the VVol Container in vCenter to use for Datastore Heartbeating & HA. HP 3PAR will run a PE on each Controller from what I saw and is a Firmware Upgrade. Licensing costs still to be decided by VMware of course! Enterprise Plus Plus?!!
- More Security: Designing a way to escape out of a VM is highly complex and costly. It's much easier to go after the admin / operational security threats, scripts are cheap and it's low cost and much easier to walk onto a site and do the deed. Secure your Management plane off the rest of the network. Don't use common accounts, give admins a separate super user account to use for changes so you can track them. Check Host Uptime and patch, patch, patch. With vMotion there's no reason not to. vRealise Air Compliance is in Beta to give you a Hardening guide / PCI scorecard. It uses the cloud however which I'm not too keen on. Consider introducing vCAC / vCO workflows for deleting VMs and archive them to nearline and ecrypt for security. Integrate Approvals into the workflow. Remove Browse Datastore permissions from most admins. $375 to build a laptop sized device that can scan an employee badge for later duplication has been demoed elsewhere!
- Veeam v8: Has a web gui you can use to delegate individual SQL DB restores for Devs. AD comparison tool - find out what changed then fix it. Can replicate from Array snapshots. Now has SRM like features for orchestrating failovers. Snapshot hunter to find them even if vCenter says there aren't there!
- vCenter Best Practices - watch out for the Inventory Service, it acts as a cache for the web interface to speed it up but it stores tags and storage profiles, you need to be backing these up! The XDB can grow to 60GB is worst cases, requires a reboot and tweaking to fix if this happens. Enable 8.3 paths if installing vCenter to Drive other than C:. Next version: supports upgrade from 5.0+ to 6.0 and up to 64 hosts per cluster. Linked mode with appliance possible. Still no HTML 5.0 support and switch to Chromium if using Linux.
I won €500 for Charity throwing a paper plane which was unexpected!
Still working on my home lab, had network issues earlier this week, turns out landlady crushed my main network cable to downstairs. Stuck now until I get a replacement. Got my LSI 9271-8i working correctly with SSD now (Went Raid 0, 1 per drive instead of JBOD which disables cache) and a Samsung 850 Pro to boot! Retired my oldest SSD drives and hope to get the CloudSystem 8.1 up and running soon! Plus try the VMware Beta one aswell!
Links:
http://cloud.cio.gov/fedramp