Security risk is one of those nebulous, abstract and terrifying ideas that can keep a person up all night obsessing about the “what ifs.” Do the wrong people have access to confidential information? Can someone inadvertently bring down one of our applications? Who has access to the certificates and keys we use? Well, feel free to sleep like a baby tonight – CliQr’s managing those risks for you AND adding value to the overall business.
For those who don’t know, CliQr has already put a massive investment into ensuring that the CloudCenter management platform complies with the strictest of security requirements – but CliQr is not a company to simply sit around. As you may know, CliQr improved security yet again in the latest release, 4.2, earlier this month. I’m going to take a minute to talk through what each of these improvements means and how you can use the new functionality to your benefit.
Full multi-tenancy has been a feature from the very start, but improvements have recently been made so that objects can be shared across tenants while tenancy restrictions are maintained everywhere else.
There are a few different ideas and definitions of tenancy, so let’s start there. Tenancy in CliQr CloudCenter means that everything within an installation of the product can be sectioned off so that organizations or groups of users cannot interact with each other or with each other’s objects. The primary use for something like this is companies that have divisions that need to remain completely separate (defense companies, banking, and large conglomerates come to mind) but that, at the same time, want to use the same installation of a tool to better manage operational costs. The comparison here is a hotel: everyone gets their own bathroom and doesn’t know who is staying in the room next door. This is just the tip of the iceberg for tenancy in CloudCenter – if you’re interested in taking a deep dive, here are resources to learn more.
The 4.2 release extends the tenancy concept by adding the ability to share certain objects across tenants. To use the same hotel analogy, it’s like having one of those adjoining rooms, but with a bouncer who oversees and manages the shared space (let’s say that you’re OK with friends watching TV, but you want them to stay out of your bathroom).
This means that an admin can create other tenants underneath theirs in a hierarchy (called sub-tenants), and then share things like application profiles, application services, tags and security profiles with them. The result is that users within sub-tenants are completely sectioned off from the parent tenant and are free to do as they please (add clouds, create application profiles, etc.), but are still required to use approved, tested, already existing content rather than building it from scratch (i.e. duplicating work).
Containers for System Callouts:
Containers are all the rage in the technical community. They deploy fast, use fewer resources than a virtual machine and are isolated from the container host. If you’re interested in learning more about containers, I’ve been doing a lot of research in this field and have found the below articles to be informative:
With all of their benefits, CliQr decided to use containers to let users run commands against external systems. By deploying a Docker container on the fly and running the command inside the container, CloudCenter keeps users from being able to do something silly or harmful directly on the CloudCenter Orchestrator machine (real funny people could try an `rm -r` command and bring the system down). Once the command is complete, the container is terminated.
The security brought by using isolated containers allowed CliQr engineering to add a new service type that extends the services functionality to any external service. For example, while at AWS re:Invent this year, I had a prospective customer ask me if they could deploy an application with an AWS service that wasn’t yet public — a beta service that they were participating in. With the external callout, the answer is YES! The external service callout would allow them to:
- Create the callout to the AWS beta service
- Provide CliQr with the location of the callout
- Model the application, using the newly created service
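As an added illustration (this is not CliQr’s code; the image name and the specific isolation flags are my assumptions about how such a throwaway sandbox could be configured), here is a small Python wrapper that runs a callout inside a locked-down, single-use Docker container and guarantees the container is removed even if the command hangs:

```python
import subprocess
import uuid
from typing import List

# Hypothetical image name; CloudCenter's real callout image is not on the page.
CALLOUT_IMAGE = "example.invalid/callout-runner:latest"


def sandboxed_callout_argv(command: str, name: str, image: str = CALLOUT_IMAGE,
                           network: str = "none") -> List[str]:
    """Build a `docker run` argv that runs `command` in a throwaway container.

    Every flag below is a standard docker-run option:
      --rm             container is removed as soon as the command exits
      --network        'none' by default; use e.g. 'bridge' for callouts that must reach an API
      --read-only      immutable root fs, so a stray `rm -r /` finds nothing it can delete
      --tmpfs /tmp     the only writable path, small and noexec
      --cap-drop ALL   no Linux capabilities inside the container
      --security-opt   no-new-privileges blocks setuid escalation
      --user           unprivileged uid/gid (nobody)
      --memory/--pids-limit  bound resources so a runaway callout cannot starve the host
    The command is passed as one argv element, so the host shell never re-parses it.
    """
    return [
        "docker", "run", "--rm", "--name", name,
        "--network", network,
        "--read-only",
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=16m",
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--user", "65534:65534",
        "--memory", "256m",
        "--pids-limit", "64",
        image, "sh", "-c", command,
    ]


def run_callout(command: str, timeout_s: int = 60) -> subprocess.CompletedProcess:
    """Run the callout and make sure the container is gone afterwards, even on timeout."""
    name = f"callout-{uuid.uuid4().hex[:12]}"
    argv = sandboxed_callout_argv(command, name)
    try:
        return subprocess.run(argv, capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        # Killing the docker client does not stop the container; kill it by name.
        subprocess.run(["docker", "kill", name], capture_output=True)
        raise


if __name__ == "__main__":
    print(run_callout("echo hello from the sandbox").stdout)
```

A callout that must reach an external API (like the AWS beta service above) needs a network other than `none`, but should keep the remaining restrictions.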
AWS STS and IAM role support:
Management platforms aside, security when using the public cloud is still a huge concern, as illustrated by a Bitglass survey conducted earlier this year. Luckily, AWS has been working on connection security by providing capabilities like Identity and Access Management (IAM) and the Security Token Service (STS) to match.
To take advantage of these secure ways of connecting to AWS resources, CloudCenter now allows the CCO (CloudCenter Orchestrator) to connect to AWS using STS tokens. This enables more complex and secure processes, like regularly rotating authentication certificates to keep those who want in, out.
CliQr has been busy making the CloudCenter cloud management platform the most secure platform on the market for deploying your applications and getting your products to market faster. Look for more improvements in releases to come, and if you would like any further information, or to schedule a demo, please visit us at www.cliqr.com.