Home

A Partially Complete IT Framework Analysis

Print
IWIWSatartlapGoogle bookmarkDel.icio.usTwitterLinkter.huvipstart.huFacebookDiggUrlGuru.huBlogter.hu
Category: Uncategorised
Published on Wednesday, 11 January 2012 Written by Chris Bake

Goal: Make a recommendation for a worthwhile and “productive” IT Framework, along with an OS stack offering high availability and full redundancy.

Framework Comparisons

Option 1: The ITIL Framework - http://itsm.certification.info/itilv3quals.html

  1. Pros:
    1. Normalizes terminology (although conflicting)
    2. Provides transparency into IT operations
    3. Doesn’t advocate reinventing the wheel
  1. Cons - http://itsm.certification.info/itildisads.html
    1. Only focuses on a very small area of IT
    2. Terminology conflicts majority of industry
    3. Tendencies to over complicate
    4. Potential for extreme cost and time required, if not implemented properly

Option 2: Val IT Framework v2.0 - http://en.wikipedia.org/wiki/Val_IT

  1. Pros:
    1. Combines & extends principles from both ITIL and COBIT
    2. Introduces some Tangibility (balancing the apples & oranges)
      1. Utilizes the http://en.wikipedia.org/wiki/Value_Measuring_Methodology
    3. Introduces full life-cycle management of IT investments.
      1. Covers a full scope of IT
    4. Presents value delivery practices
      1. Categorizes investments
      2. Assigns accountability
      3. Largely proactive by nature
    5. Streamlined approach  
    6. Introduces Portfolio management and presentation
    7. Is versatile enough to be applied to non-IT governance as well

Option 3: COBIT - http://www.isaca.org/Knowledge-Center/cobit/Pages/FAQ.aspx

  1. Pros:
    1. Attempts to balance risk and control in a cost-effective manner
    1. Supports compliance certifications (HIPAA, PCI, EDI, SOX)
    2. Good internal auditing support
    3. Very methodical - helps alleviate resistance, confusion or anxiety during implementation
    4. Known improvements to business strategy
    5. Value creation through effective governance, management enterprise information and technology (IT) assets
    6. Business user satisfaction with IT engagement and services by enabling business objectives
    7. Compliance with relevant laws, regulations and policies
  1. Cons:
    1. ONLY presents high-level information, often rendering hidden, efforts to evaluate the advanced technical details of IT.
    2. Requires a merged approach of an additional framework to support all IT areas.
    3. Focuses more on execution & delivery qualities

Option 4: The Risk IT Framework

  1. Pros:
    1. Based on COBIT (yet attempts to cover all areas)
    2. Introduces Risk Governance, Risk Evaluation and Risk Response
    3. Clear definition of execute, business and IT roles
    4. Always connects to business objectives
    5. Aligns the management of IT-related business risk with overall ERM if applicable
    6. Balances the costs and benefits of managing IT risk
    7. Promotes fair and open communication of IT risk
    8. Establishes the right tone from the top while defining and enforcing personal accountability for operating within acceptable and well-defined tolerance levels
    9. Is a continuous process and part of daily activities

Option 5: Utilize a combination of multiple frameworks, (like most companies have ended up doing), to provide support for all areas of IT relations.



# Customized (high-level) suggestion of merged governance  



IT Framework Consultants & Training


Archived Webinars - http://www.isaca.org/Education/Online-Learning/Pages/webinars.aspx

On-Site IT Audit Training Courses - http://www.isaca.org/Education/On-Site-Training/Pages/On-site-Training-Course-Descriptions.aspx




IT Infrastructure Requirements


  1. Load Balancing All Resources for high-availability
    1. Maintain a geographically disperse configuration of Elastic load balancers
    2. Handle all SSL termination on the balancers
    3. Load Balance additional TCP traffic
      1. MySQL
      2. Solr
      3. Outgoing SMTP
  1. Web server farm
    1. Setup a group of servers to handle application processing
    2. Use an efficient webserver software supporting the application architecture
      1. Nginx
      2. Apache Passenger/Phusion
    3. Install one or more Ruby frameworks to assist in rapid application development
      1. Sinatra
      2. Rails
      3. RVM
  1. Shared Storage Cluster
    1. Utilize a group of instances to offer a redundant storage array for hosting static content over SSL.
    2. Utilize AWS CloudFront to white-label non-SSL content under images.domain.com subdomain
    3. Use a proven solution for storage volume management such as:
      1. GlusterFS - http://www.gluster.org/
      2. OpenStack Object Storage - http://openstack.org/projects/storage/
      3. CEPH - http://ceph.newdream.net/
    4. Maintain an n+1 redundancy to minimize IT risk
    5. Perform EBS snapshots at regular intervals for content backups
    6. CDN Synchronisation
      1. S3Cmd file system mounts (evaluate latency)
      2. AWS API
  1. Database Cluster
    1. Maintain a Master-Master replicated PostgreSQL cluster
      1. Use a replication management tool such as:
        1. PGPool
        2. PGCluster
    2. Setup off-site replication and backups
    3. Snapshot & test database volumes at regular intervals, for quick-recovery
    4. Maintain a Read-Only slave cluster for application reads

  1. Route53 DNS Hosting
    1. Use AWS’s DNS hosting to provide redundant & scalable DNS

  1. Solr Search & Cron Servers
    1. Maintain a group of “balanced” Solr servers for application search functionality
    2. Use internal load balancing to provide the application with failover capability
    3. Run additional cronjobs for reporting and email functionality

  1. Mail servers - Options:
    1. Provide a “round-robin” balanced Postfix cluster for high deliverability throughput
      1. Acquire a white-listed IP address from Amazon
    2. Configure the application to use SendGrid’s PHP API.
    3. Configure the mail server to use SendGrid’s SMTP API

  1. Puppet Server - Configuration Management & Application Control
    1. Use Puppet to template all server clusters & manage configuration release
    2. Support IT Framework principles
    3. Ensure server cluster redundancy & stability
    4. Ensure high-availability via the puppet service (watchdog) functionality

  1. Reporting / BI Servers
    1. Provide an adequate web server and replicated database for running company reporting tools and analysis.
  2. Helpdesk Ticket System
    1. Support IT Framework Decision
      1. BMC (supports Business Service Management)
    2. Support company-wide collaboration on QA and support tickets
    3. Helpdesk Solutions
      1. BMC - Waiting on sales rep to return a phone call today
        1. http://www.marketwatch.com/story/bmc-remedyforce-exceeds-100-customers-in-300-days-2011-11-28
        2. http://www.bmc.com/solutions/bsm




A Do-It-All Attempt at IT Framework & Governance

Print
IWIWSatartlapGoogle bookmarkDel.icio.usTwitterLinkter.huvipstart.huFacebookDiggUrlGuru.huBlogter.hu
Category: ErrorBlog
Published on Wednesday, 11 January 2012 Written by Chris Bake



Top Framework Requirements:

  1. Incident Management (Helpdesk Software)
    1. The objective of Incident Management is to restore normal operations as quickly as possible with the least possible impact on either the business or the user, at a cost-effective price.
      1. Processes Include:
        1. Identifying the incident’s root cause
        2. Develop & document a peer reviewed & approved action plan
          1. Consult Change Management
        3. Calculate required implementation time
        4. Execute action plan & prove it’s completeness via QA
        5. Catalog documentation for future incident reference
          1. Support Problem Management
      2. Provide a helpdesk ticket request system to centralize & track bug reports


  1. Problem Management (Proactive QA & Application Review)
    1. To minimize the impact of problems on the organisation. Problem Management plays an important role in the detection and providing solutions to problems (workarounds & known errors) and prevents their re-occurrence.
      1. Regular review of application & infrastructure operation
      2. Application dependent server software upgrades
        1. Testing software package migrations
        2. QA evaluation of application before & after
        3. Documenting the software’s changelog & reason for upgrade


  1. Configuration Management (Puppet)
    1. Provide information on the IT infrastructure to all other processes and IT management. Enabling control of the infrastructure by monitoring and maintaining information on all the resources needed to deliver services
      1. Utilizing Git to manage a versioned repository of server configurations
      2. Administering configuration deployment & synchronization.
      3. Restricting Access to critical configuration files for servers & applications
      4. Support Problem Management
        1. Evaluate legacy configuration deprecation & newly implemented functionality advantages


  1. Change Management
    1. Ensure that standardized methods and procedures are used for efficient and prompt handling of all changes, in order to minimize the impact of Change-related incidents upon service quality, and consequently to improve the the day-to-day operations of the organization.
      1. Document required changes
        1. Include any related research data
        2. Consult Release Management
      2. Testing & relative QA approval of ALL changes on development/staging servers.
      3. Committing changes to production configuration repository.
      4. Determine usability impact of business services during configuration deployment
      5. Deploy configurations
      6. Ensure new software configurations are updated & active in production
      7. Testing & relative QA approval of ALL changes on all production servers affected.
      8. Append document with results & lessons learned

  1. Release Management
    1. Implement changes to IT services which consider all aspects of a change including planning, designing, documenting, building, continuous integration, unit testing, training, communications and deployment activities.
      1. Utilize Continuous Integration and application unit testing
        1. Identify & resolve potential application bugs prior to QA review
      2. Establish a proven & stable method of deploying approved application builds for release.
      3. Document procedures for each release
        1. Puppet configuration changes
          1. Required webserver configuration changes
          2. Application global config changes
        2. Configuration deployment in sync with application releases
        3. Document complete Roll-Back procedures
          1. Support Incident Management
        4. Perform adequate QA evaluations of application post-release
          1. Maintain a checklist evaluating all application functionality
            • Newly implemented functionality
            • Known related legacy functionality
            • Review remaining unknown functionality
          2. Append to a collection of any release related incidents
            1. Future support of Incident Management


    1. Service Desk
      1. Provide a strategic central point of contact for customers and support the Incident Management process by providing an operational single point of contact to manage incidents to resolution.
        1. Manage bug reports
        2. Identify levels of incident criticality supporting Incident Management
        3. Graph & Report on incident trending
        4. Support Capacity Management requirements to meet expected service levels

    1. Service Level Management
      1. Plan, coordinate, negotiate, report and manage the quality of IT services at an acceptable cost.
        1. Providing & maintaining a highly-available, high demand infrastructure on the Amazon Cloud supporting
        2. Combine aspects of Capacity Management & Service Desk to evaluate regular review of IT resource availability.


    1. IT Financial Management
      1. Provide budgeting, accounting and charging services to control, manage and recover IT cost and spend.
        1. Evaluate different operational cost comparisons
          1. Support cost effective decisions for IT purchases
        2. Estimate & evaluate application & traffic resource demands
          1. Establish padding for a potential business growth factor
            1. Growing storage needs
            2. Customer traffic demands
            3. Application dependencies for high-availability
            4. Legacy hardware end-of-life cycles

    1. Capacity Management
      1. The discipline that ensures IT infrastructure is provided at the right time in the right volume at the right price, and ensuring that IT is used in the most efficient manner.
        1. Maintain current IT employee workload padding for unexpected event handling
          1. Developers - Identifying Incident extent, development and deployment of application hot fixes
          2. QA Team - Provide and extent of on-demand availability for unexpected incident testing and release.


    1. Availability Management
      1. Optimize the capability of the IT infrastructure, services and supporting organization to deliver a cost effective and sustained level of service availability that meets business requirements.


    1. IT Service Continuity Management
      1. Support business continuity management functions by ensuring that IT services can be recovered in the event of a major business disruption within required timescales.




    1. IT Security Management
      1. To prevent the occurrence of security-related incidents by managing the confidentiality, integrity and availability of IT services and data, inline with business requirements at an acceptable cost.
        1. Regularly update server & application software
          1. Apply software security patches
            1. Vulnerabilities as discovered & released
            2. Maintain forward compatible application code
        2. Restrict SSH access to Public Key authentication only
          1. Maintain a repo & puppet template for authorized_keys
          2. Restrict SSH to non-standard port (i.e. 2222)
            1. To reduce brute SSH probe password attempts
          3. Maintain STRICT firewall configurations, for only necessary services.
        3. Utilize centralized authentication management, such as
          1. LDAP Authentication
        4. Utilize AWS Route53 for ultimate DNS stability
        5. Perform regular external vulnerability evaluations
          1. PCI Compliance scans
          2. McAfee HackerSafe audits
          3. XSS Scripting Vulnerabilities
          4. SQL Injection Vulnerabilities




Google Android - AppInventor

Print
IWIWSatartlapGoogle bookmarkDel.icio.usTwitterLinkter.huvipstart.huFacebookDiggUrlGuru.huBlogter.hu
Category: ErrorBlog
Published on Monday, 28 February 2011 Written by Chris Bake

Well, we knew this day would come. Our friends at Google have finally developed a WYSIWYG GUI for Android Development that runs in your browser!

I've already built and tested 4 Apps for my phone. I've also registered for the Android Developer Network, and I'm all set to publish meaningless apps to the Android Marketplace. 

Check out these screenshots of the interface:

Simple drag n' drop interface for adding controls and elements to the view port. 

The Blocks Editor provides an additional drag n' drop, puzzle-like interface for constructing logical flows and event handlers in your app. 

alt

Is it me, or does it seem like SkyNet is only a few months away at this point?

Cisco ACE 4710 Load Balancer - CLI Integration

Print
IWIWSatartlapGoogle bookmarkDel.icio.usTwitterLinkter.huvipstart.huFacebookDiggUrlGuru.huBlogter.hu
Category: Custom Developed Applications & Platforms
Published on Saturday, 26 February 2011 Written by Chris Bake

Managing hundreds of websites will stretch almost any piece of hardware to it's limits. Combining that with SSL's and IP address configurations on the load balancer level, makes it an even bigger ballpark. One of the greatest tools I've ever stumbled-upon (Thanks Clark) was Expect.

Expect, is a great tool for compiling action scripts for your server to execute. In most other methods of CGI initiated shell execution, commands are cut and dry. You can send a command and buffer the standard out returned.

This method is very limited, because it doesn't allow you to do anything that involves an interactive shell, such as entering a password to SSH to another server, etc.. Expect allows you to write logic into these "Expect Scripts" that you write.

For example,

spawn ssh  # open the new ssh session within the script executeion

send "root\n"  # send the username

expect "Password: "  # expect the following prompt to be returned from the server

send "mypasswd\n" # send the password

expect "root@web01:/root# " # expect the shell prompt

And you can continue from there.


After inheriting the vast riches of Cisco, our new ACE Balancers required numerous actions to configure new domains and their SSL proxies. I believe we cataloged 35 different actions needed to correctly install a new domain/ssl for our platform. Since we had to do multiple per day, this quickly shaped up to be a fulltime job.

And rightly so, if anyone remembers back to the original Coyote Point balancers? They foolishly did reverse DNS lookups for every cluster configured, on EVERY PAGE LOAD of the gui, because they were all displayed in an html frame on the left hand side. When we finally hit our limit of 500 clusters, and the system started refusing to run, the gui page loads took soo long, the browser window often timed out.

Not that that would be the case with these new Cisco boxes, since we were able to import the original 500+ sites initially, and since added another 250 more, we only needed to worry about the administrative time required for each setup.

Anyone who knows Cisco, knows it always provides a command line interface to configure it's hardware. Basic and Enabled access over SSH. When we were first introduced to the new hardware, and a mass confusion of code developed by the former Soviet Union of Vladulence, we found out just how NOT to do things!

These guys, a team of outsourced cyber-mafia-outcasts, came up with the spectacular idea to use PHP's fsockets() and create Telnet sessions to the balancers! TELNET! Of all things, when SSH was readily available. To make a long story short, the sessions almost ALWAYS dropped or timed out. This usually occurred right in the middle of creating a domain cluster, and as a result would trash the master config file of the balancer, and Down Came The Wall!

We had the great idea to use PHP to generate the Expect script, which was then executed to create the SSH tunnel & perform all of the CLI commands needed to setup each cluster, including generating the SSL Key, CSR, and utilizing the Comodo API to actually submit the CSR, purchase the Certificate, download it, and install it in the balancer.

This was very tricky, thanks to Comodo's validation service. CSR's submitted would often NEVER return the certificate immediately, in time to maintain script execution. To compensate this, we developed a queue of actions pending execution. Things such as generateKey, generateCSR, purchaseSSL, collectSSL, importCert, createVirtualServers, etc..

Each one of these actions had it's own modularized dynamically parsed Expect Script. This allowed each action to be completely independent of one another. All of these were based on a framework controller written in PHP that checked statuses of each domain being configured. Each one was configured with prerequisite actions requiring completion before it's execution was allowed. (Can't buy the cert, if the CSR was never generated, etc..)

A cron service would constantly check the table and query Comodo's API for issuance of each pending Cert purchase. Once the cert was made available, it would be downloaded and instantly configured into the balancers.

After a year passed by, it became apparent that alot of "junk" clusters existed and they were not only slowing down the balancer resources, (regex & cpu threads) but they were also holding our IPv4 addresses for ransom. Think it would be easy to just log in and click delete on a cluster to remove it, and unbind the IP ? Think Again!

Cisco's software required us to perform EVERY SINGLE COMMAND required to create the entire domain configuration, IN REVERSE, in the order that it was entered! Mainly due to the complex nesting that took place with the associations of server farms, policies, proxies, etc..

Needless to say, it took 4 TIMES longer to remove a domain, than it did to add it!

Expect To The Rescue!

All it took was to have php dynamically compile one more Expect action script, and send it off to the balancer for processing. The cron queue action used to identify it was called "bleachDomain". The name says it all.

Sorry, but I no longer have the ability to provide any screen shots of this system, since the hardware has all been decommissioned, after we migrated the entire datacenter to the Rackspace Cloud.

Thanks for reading....

MySQL Based Apache Config Generator

Print
IWIWSatartlapGoogle bookmarkDel.icio.usTwitterLinkter.huvipstart.huFacebookDiggUrlGuru.huBlogter.hu
Category: Custom Developed Applications & Platforms
Published on Saturday, 26 February 2011 Written by Chris Bake

In an industry where websites are built from scratch, pumped into a home-brewed e-commerce/content management system and tore back down 3 months later, an ever increasing burden existed to constantly be modifying Apache configurations. Anytime more than one person is involved in modifying a file, there's potential for integrity corruption.

After scouring the internet for some such existing solution, (and lacking the ability to switch to another web server), I quickly found the need to develop a managed and "idiot proof" method of configuring Apache Virtual Hosts.


The Back End:

A database table of "vhosts" was created to store all the individual host configurations such as ServerName & Alias, DocumentRoot, Logging Levels & Locations, and the ability to perform trackable redirects to other sites/domains. A lot of instances existed where upper management and/or clients would decide to buy 50 different misspelled versions of their product's name, and ask on a Friday afternoon, if they could be ALL setup, tracked independantly, and redirected to the original website, in time for distributed media ads that were scheduled to run the next morning. 

A template file was used to set the basic layout of the vHost config block.

Tags such as {DOCUMENTROOT} and the like, were used to define the layout positions in the file. The database was queried for all active records and the config file rebuilt and reloaded each time qualifying changes were made to the database. Servers each ran independently of each other on 15 minute crontab entries. Each server would query the queue for a "RUN NOW" flag identified by their hostname. If found, the script would then begin creating the new config file from the entries returned from the database query.

After the content for the new config file was built, the parent processor would then backup the original file, and perform an "apache2ctl configtest" on the new one. Standard Out was buffered and parsed via string comparison to determine Apache's test results. If any error messages were detected, the new config would be abandoned, the old restored, and the admins notified of the issue and offending vhost record. This allowed a fully automated solution, while still protecting the web server from Apache failing to start due to config file errors.


The Front End:

We also quickly discovered the need for an easy interface to enter all these configurations. Ultimately our goal was to start training other "less technically inclined" people to use it and "share" the programming workload. (Especially since they were the ones who procrastinated and dumped it on the programmer at the last minute anyway!)

I built this visual tool to view all the domains in the database, and added Aplha filtering for easy sorting and view. Over 1000 domains passed through this system over the course of the years in operation.

alt

Modifying the individual Virtual Host config.

alt


More Articles...

  1. PowerDNS GUI
  2. Affiliate Management System
Joomla Business Templates by template joomla