Sera4 - Rancher Labs · solving real operational challenges while reducing losses. Founded in 2014,...

Sera4: Protecting Critical Infrastructure in Kubernetes and Rancher

Secure access control is an important part of every company’s security strategy, regardless of sector. The market is evolving and demand for high-level, digitized security for critical infrastructure (assets of national, public and economic importance) is accelerating. The access control market for critical infrastructure, alone, is worth more than $10 billion (TAM).

Adoption is coming from a host of sectors. Early interest came from telecoms and utility companies (energy and water), but appetite is growing in other areas (finance, education and healthcare). Its popularity is easy to understand. By automating and mediating access to property and assets, companies can dramatically simplify security management, improve overall estate security and ensure observance of local data protection laws.

Introducing Sera4

Headquartered in Waterloo, Ontario, Sera4 Ltd. is a leading expert in keyless access control for critical infrastructure. It provides cyber-resilient site access automation and identification at scale, solving real operational challenges while reducing losses. Founded in 2014, Sera4 engineers its technology from the ground up via hardware and cloud datacenter experts with backgrounds at RIM and IBM. On a growth trajectory, the company now has hundreds of enterprise customers in North, Central and Latin America, Africa, Europe and its home country of Canada.

Sera4 has created a portfolio of keyless smart locks and controllers that connect to Teleporte, its innovative control and monitoring platform. The company connects and manages tens of thousands of access points, connected to many users across the world.

Working in the critical infrastructure space, security and resilience are of obvious importance to VP of Engineering, Cloud and Security Specialist, Jeff Klink, and his team. To help the company meet its goals, the team has put Kubernetes containers—and Rancher Labs—at the heart of its success strategy.

Sera4 has patented its own highly secure, low-energy security framework, with Bluetooth at its core, which connects hardware to devices and the cloud-based Teleporte management platform. With ultra-tight security baked in, Sera4 has quickly gained traction with security-conscious organizations.

Immediate interest came from telecoms and utility providers tasked with managing thousands of individual access points in several separate regions. In just one country, an operator may manage thousands of individual base stations, local exchanges and junction boxes—replicated in multiple territories—each monitored and accessible by engineers 24/7.

The Journey to Containers

Because of its diverse international footprint and need for reliable internet connectivity, Sera4 has always run on bare metal and virtual machines (VMs) in IBM cloud. The team wanted to be able to scale the service up and down depending on demand, and they knew that cloud enablement, and strategic placement of datacenters were of utmost importance. Preserving data sovereignty in individual territories was (and continues to be) a major priority. Over time, the team started to investigate the benefits of containers as a way to manage its virtualized infrastructure more efficiently and drive agility and increased security into management processes.

The team knew the OpenShift community well, but the overhead was too high for this growing startup. Still in the ‘nitty-gritty’ phase of development, the team tried Docker Swarm but found it clumsy and lacking features. Furthermore, Kubernetes offered a more mature platform and was winning the war with Docker. However, with a small team and an extremely fast-growing base of clients, the team needed something to help manage the scalability, upgrades and deployments on many servers and containers per day. That’s when they discovered Rancher. They found it easy to get started—no barrier to usage and no cost. Plus, Rancher was a powerful, feature-rich platform that could control their Kubernetes clusters.

“It was love at first sight. Rancher has a great UI and the platform was improving quickly. Rancher allowed us to deploy QA, staging and production environments right off the bat – which is rare.”
Jeff Klink, VP Engineering, Cloud and Security Specialist, Sera4

To get to where they are today, the team spent more than a year rewriting its architecture, transforming Sera4’s access control platform into a microservices environment. In 2018, Klink carried out a PoC, spinning up a couple of raw Kubernetes clusters to see how Sera4’s virtualized environment would fare. The original cluster designs certainly had their shortcomings. When trying to spin the Sera4 service mesh up in more than one territory, the cluster struggled. For example, the battle of geographic resilience versus high latency imposed its own set of issues on the cluster. Having multiple instances of etcd too far apart caused synchronization issues and thus, continued instability.

However, with time, perseverance and some heavy cluster and container design modifications, the team overcame its original issues, hastened development and moved its core services into production in Rancher, and out of VMs. Since May 2019, the company has been running more than 95 percent of its development, beta and production infrastructures on Rancher.

What were the problems Sera4 was trying to solve?

Security and Stability

For organizations securing high-value assets at scale, Sera4 is a boon. Utility companies, for example, can manage access to high-value sites such as local power stations and, more importantly, gather vital activity data. Managers can see how many times locks have been opened during select time periods and who accessed them. They can see, in granular detail, the access behaviors of their field technicians and control access accordingly—ensuring sites are secure when work is complete. Most importantly, they can spot anomalies early, preventing unauthorized access and loss.

To meet these particular needs, the highest levels of security and resilience are of utmost importance. The team at Sera4 had to be sure that putting its core services into Rancher would enhance its service to its customers and build an additional layer of security into its offering. Rancher automates a host of processes (role-based access control [RBAC], namespace-as-a-service [NaaS], authentication, application catalog, etc.) that hasten deployment, simplify management and improve security.

Rancher has enabled Sera4 to migrate its virtualized, cloud-based environment into Kubernetes where multiple customers can coexist, side-by-side, operating completely securely and independently of one another, managed via one interface. After creating an entirely new microservices architecture, the DevOps team at Sera4 started migrating clients into containers on Rancher—one-by-one at first. In 2019, via Rancher, the team released a single sign-on (SSO) feature for their customers. For the first time, customer projects could be viewed, managed and debugged together via a single interface. This meant no need to create separate entities for each customer and a smoother, more-intuitive management experience. By May 2019, almost 95 percent of the infrastructure was running on Rancher.

Rancher brings an additional layer of security to the cluster. Developers can respond to important issues in real-time, which has boosted overall security. On the technical front, logging and alerting features in Rancher allow them to act before issues arise.

For example, when disks are reaching capacity, the team receives an alert. While the team had some legacy alerting in place, it would often trigger too late. Now, issues are reported in real time through Slack and PagerDuty before they happen. Outages are preempted and, therefore, far less likely. Finally, working in containers in Rancher means it doesn’t matter as much when things break—issues are easily managed in isolation.

Data Sovereignty

When Sera4 works with organizations responsible for managing mission-critical infrastructure, the security of the access control platform and the idea of data sovereignty are of critical importance. This makes sense, considering that many of these companies are the custodians of sensitive assets or information (treasuries, federal reserve banks, correctional facilities and high-security medical facilities). What’s more, each of these institutions is bound by regional data protection laws.

“With our read-only containers, we feel that we have a sea of stateless, isolated, highly secure services. When issues arise, we know they’re always contained.”
Jeff Klink, VP Engineering, Cloud and Security Specialist, Sera4

New legislative frameworks, such as GDPR, have changed the way companies think about and handle data. They have also driven the design of Sera4’s cloud and container strategy. Having always had extensive international cloud coverage, Sera4 could always guarantee compliance. As more customers joined Sera4’s platform, in more territories, Klink was looking for a more consistent and coordinated management approach.

With four data centers in North America, Latin America, Europe and Asia, consistency is key for Sera4. Rancher is the team’s single, unified management platform for all four data centers—upgraded once and maintained centrally. By running each customer’s micro-cluster side-by-side in Rancher, Sera4 ensures consistency of service across the network—maintaining tight control over sensitive customer data while providing frictionless compliance with local data laws.

“As we expand, it’s critical for our team to have both a fast and automated rollout process for each customer environment. In the end, each of our user’s access experience must be identical, from Canada all the way to South Africa. Rancher is one product that’s critical to that strategy.”
Jeff Klink, VP Engineering, Cloud and Security Specialist, Sera4

Cost and Time Savings

Overall, Rancher has given the Sera4 team a streamlined and intuitive way of managing its 100 percent virtualized environment by containerizing in the cloud. Rancher is reducing the complexities inherent in Kubernetes—making cluster management easier for even the most junior developers on the team.

Automation tools for basic setup and management processes have significantly reduced development time. Permissions-based access and a smart, unified interface allow every developer to spin up new clusters, scale up existing ones and move clients over without touching sensitive customer data or needing to grant command-line access. By democratizing access to the cluster, Klink can spread responsibilities throughout the team, keep senior engineering costs to a minimum and allocate experienced resources where they’re needed most.

“Rancher helps us keep our costs down as we’ve simplified the role of DevOps and reduced our management overhead as a result. Even our QA and development teams run their own cluster once it’s set up – no gory networking or storage knowledge needed.”
Jeff Klink, VP of Engineering, Cloud and Security Specialist, Sera4

Importantly, in preparation for rapid growth, Klink has made sure he has enough compute capacity to meet growing and changing needs. By simply adding one server to the overall number needed, or doubling the number needed plus one, Klink knows he has enough capacity to manage a rapid growth spike. Coupled with better alerting in Rancher, this is helping Klink build more resilience into the service.

What’s next for Sera4

Sera4 is priming itself for international growth in the next few years. The company already provides Teleporte to hundreds of customers, all with special requirements and 24/7 access control needs. Collectively, the Sera4 platform handles millions of connections, processing terabytes of data on bare metal and virtual machines out of data centers on all continents.

With sights on fast-paced global growth, scale is, naturally, a major preoccupation for and the team at Sera4. With Rancher, Sera4 has the power to scale a virtual estate quickly as its international footprint grows, while remaining sensitive and performant to local businesses.

What was the migration timeline?

Journey

1. Early adopters of containers; began experimenting early 2018

2. Evaluated a number of different options; chose Rancher for scalability, agility and flexibility

3. Rancher running on top of 100 percent cloud-based bare metal and intuitive UI and tooling

4. Three-month initial PoC carried out in mid-2018; slow migration commences

5. 95 percent of systems now running seamlessly in Rancher

What are the benefits?

• Cost to customers of managing key locks dramatically reduced: customers now have a single URL to manage all of their instances, possible because of Ingress management in Rancher and API layer.

• Centralized logging was simple with Fluentd and Rancher plugins: RBAC is a huge factor to allow operations teams, developers and QA to manage resources without having direct system access.

• Auditing and monitoring technologies boost compliance: Rancher has best-in-class monitoring and integration with Prometheus and Grafana for even deeper monitoring of the cluster and its resources.

• Data sovereignty intact: Rancher allows Sera4 to span major geographies and securely/privately transmit data (including logs) between instances.

• Seamless, zero downtime update rollouts: All features are now upgraded without notice to customers -- a true cloud experience.

• 20 percent reduction in outages: Rancher reduces micro-outages and allows Sera4 to spin up highly available containers and balance load on machines with available space.

www.rancher.com

