Judgment Day Cometh with the Rise of the Machines, or What I Learned at PuppetConf 2016
October 24, 2016 | DevOps | Toffer Winslow
“In the future, all software will be installed, configured, and managed by software.”
So said Luke Kanies, Puppet’s founder, during his keynote at his company’s annual conference in San Diego last week. Puppet is a leading configuration management and server automation software company, and they’re an awesome partner of ours here at Conjur.
That vision that Luke laid out is one that we share. But it also conjurs up (groan!) dystopian paranoia embodied by the future envisioned in the Terminator movies where software (in the form of Skynet) is taking over the world and eliminating humanity in the process. Last week’s massive DDoS attack on Dyn that featured hacked web cams, baby monitors, and home routers feels like it might be the first step down a slippery slope. How do we ensure we don’t go there?
The trend towards code managing code is nothing new, but the transformation of the way we are building and deploying applications these days is causing that trend to accelerate. One of the most impactful slides from Luke’s keynote was this one:
The key point he was making was that as we move from physical servers to virtualized machines to containers, there is an exponential increase in complexity driven by the growth in the number of “entities” that need to be managed and the dramatic decrease in the life span of these entities. With bare metal servers, there is a single entity to be managed and it typically lasts for three years. Assuming you have 100 servers to manage, there are 100 “things” or “entities” to be managed over a 3-year period. With VMs, assume there are 10 VMs per machine, and each one lasts 1 year. Do the math, and you’ll find that means there are 3,000 entities to be managed over a 3-year period. As we move to the container era, the life span of those entities can be on average a single second according to a recent survey released by New Relic. And when you layer in the much greater density of containers (10 per VM, and 10 VMs per machine), the resulting number of entities that need to be managed over a 3-year period explodes to almost 16 billion. It seems obvious that the ways in which we’ve managed servers — both the processes and tools — will need to be radically overhauled given the massive increase in complexity brought on by the container era.
Only software-based automation can keep pace with a management challenge of this magnitude, and that’s why companies like Puppet are seeing such dramatic growth in their adoption. But as we increasingly delegate the management of code to code, questions of trust must be answers. While we’re still far from the dark future envisioned in Rise of the Machines, how can we be sure that our approaches to security keep pace with the massive expansion in management complexity we are facing?
Part of the answer will come from automated management of the secrets that code relies on to stay secure while accomplishing its mission. Security policies defined by people in products like Conjur can be used to automatically and continuously manage secrets across huge numbers of entities, all the while providing the necessary logging, alerting, and reporting needed to provide transparency to managers.
Beth Cornils, Puppet’s Senior Product Manager and Verne Lindner, Senior UX Designer, delivered a great Puppet security roadmap session at the conference during which she described how Conjur and Puppet can be used in conjunction to fuse high levels of automated security management with automated management large scale infrastructure.
If you’re interested in learning more about integrating automated secrets management with devops efforts, check out our white paper on the topic (registration required) or read up on Conjur’s integration with Puppet. Or ping us for a demo if you’re interested in moving beyond hiera-eyaml and seeing how Puppet and Conjur work together in the real world to deliver a stronger security solution for our joint customers. We were blown away by the positive energy at PuppetConf and the enthusiasm of many larger, more mature Puppet customers for what Conjur has to offer. Let’s keep the machines in their place by working together.