On-Prem and Kubernetes: A fragile relationship

In cloud security, context is everything.

In the previous two installments of our Customer Care Chronicles, we wrote about how a security vendor must be a true business partner and about the potential complications when migrating tools into the cloud. In this installment, we tackle another non-security concept that happens to be essential for security: environment.

The pace and velocity of innovation in the cloud is unprecedented, and businesses are embracing it as fast as possible. But all transitions have their challenges, especially at the enterprise level. Switching over from on-premises (on-prem) to a more flexible infrastructure can be complicated, lengthy, and sometimes even undesirable. That is why many businesses opt for hybrid environments, retaining some on-prem services while also enjoying the benefits of Kubernetes. This is good for business, but it definitely adds security challenges.

From base architecture to deployment

Our customer was a government organization with a robust infrastructure and (as most government organizations) numerous specific security requirements. We knew from the start that this would mean a lot of out-of-the-box thinking and customization.

The agreement we were part of included provisioning of physical hardware (servers), installation of the Kubernetes cluster on those servers, and then installation of the Sysdig backend on the newly created Kubernetes cluster.

We knew that the environment we had to create was going to take a lot of effort and would be complicated. This was something that had never been done before.

With a project of this magnitude, we knew we had to address the following:

  • Deployment design: Creating the base-level architecture for an infrastructure of this complexity is its own project.
  • Sysdig backend: We had to make sure that our product backend could be safely installed on top of the customer’s environment.
  • Infrastructure complexity: A government institution must be both functional and secure; this meant that opening even a single port took days.
  • Air-gapped environment: We had to get all our images into an internal registry and make sure that it was accessible from the customer’s clusters.

Once we understood the task, we immediately formed a Sysdig task force, including our infra and support teams, to make sure we had all our ducks in a row.

A Customer Success Engineer on the road

The project needed a Managed Customer Success Engineer to be based at the customer’s site. I have been there since we started the deployment, personally overseeing everything from design to implementation and iteration.

We agreed to provision the customer with 5 servers. We had to install them across two data centers. In addition, the customer asked us to make the Kubernetes cluster a stretch cluster spanning both data centers. This meant we had to create the base-level architecture and design for this deployment. Our primary goals were high availability and disaster recovery.

Once the Kubernetes cluster was ready, we installed the Sysdig On-Premises backend on it and connected the customer’s clusters by installing the Sysdig agents on them.

The whole deployment process took almost three months and was done remotely, with me facilitating onsite. It involved multiple teams working in coordination, continuous communication with the customer’s security and executive teams, and a lot of iterating.

The customer has different vendors for security, vulnerability management, and application development. This also included their identity teams, who managed SSO/PAM access to the applications, and the SOC team, who are responsible for managing the security incidents that Sysdig would forward to their SIEM. Getting our solution onboarded meant collaborating with all of these teams and stakeholders.

In this story, we provided Sysdig’s On-Premises services. On-premises customers install and manage the Sysdig backend components as they see fit. This could be in a data center, or in an enterprise’s cloud-provider region, such as Azure, AWS or GKE.

Conclusion

It’s clear that successfully navigating the complexities of cloud security requires more than just technical expertise: it demands meticulous planning and context awareness.

From designing a robust and flexible infrastructure to overcoming unique challenges, the deployment process involved designing the architecture, ensuring Sysdig on-premises services integrated seamlessly with the customer’s complex infrastructure, and a lot of DevSecOps collaboration. The three-month project underscored the value of ongoing communication and teamwork.

The effectiveness of any solution is deeply intertwined with the environment it’s designed to protect. For organizations with complex and high-stakes requirements, having a tailored and secure setup is essential. Staying aware of the technical, environmental and business context is pivotal when ensuring that your infrastructure is able to protect your data, and ultimately your customers.

Sulav is a Sr. Customer Solutions Engineer at Sysdig. He manages the India region and is responsible for the customers’ journey throughout their contract with Sysdig, which includes onboarding, solution design, implementation, technology adoption and upsell.