Infrastructure and Cloud for Enthusiasts

[blog 008]# git commit

Runecast Predictive Analytics

With many MSPs branching out into multi-cloud solutions to provide a plethora of customer services, it is important to be able to monitor your infrastructure to maintain uptime and availability for your customers. This challenge becomes exponentially more difficult when you have workloads and infrastructure across services such as AWS, Azure, on-premises vSphere stacks across multiple supported versions and validated vendors, and Kubernetes, to name a few.

This challenge, though, goes beyond just the normal SLAs of uptime and availability. MSPs must ensure all their platforms and services are built to best practices, compliant with CVEs, and comply with security standards used in Australia.

A breakdown of typical Australian security standards is:

  1. Essential Eight – a Government Cyber Security mitigation strategy[1].
  2. HIPAA – Health Information Privacy[2].
  3. ISO/IEC 27001 – a specification for information security management systems (ISMS)[3].
  4. PCI DSS – security policies for financial institutions and payment processing solutions[4].

So, to be able to monitor, review, remediate, and report on all these requirements is going to be a challenge both in time and human cost.

I have been fortunate to be able to evaluate a product called Runecast Analyzer[5] in my lab. This allows proactive audits across all your environments to provide visibility on Vendor KBs, Best Practices, Vulnerabilities, Security Compliance and Hardware Compatibility.

Even though I am running this in a lab I do try to stick to best practices as much as possible with the limited infrastructure I have. I was absolutely blown away (and a little shocked) at what was analyzed.

For the testing I was analyzing vCenter vSphere version 7.0.2.00100, NSX-T 3.1.1.0.0.1748.185, VMware Cloud Director 10.2.2.17855680 and Rancher Kubernetes 1.19.10. Frankly, it appears all is not well in my lab.

Main Dashboard Compliance

Main Dashboard Configurations

Inventory View

So, let’s break down what we are seeing here in slightly more detail, starting with Config KBs discovered.

Config KBs Discovered

Each KB is broken down and classed by severity, with the ability to expand the severity to provide more detail such as the impacted infrastructure, a detailed description of the severity, and a reference link to the VMware KB to resolve the issue. It is important to note that while the detail of the analysis is impressive, application of the KBs to infrastructure is dependent on your platform. For example, VMware VCF has stringent requirements around its deployment, and applying KBs without consulting the vendor is not recommended and generally would be overwritten by SDDC drift packages anyway.

Let us move on to best practices.

Best Practices

Best Practices are ordered by Severity and the component which has been analysed, and in this example, there are recommendations on vSphere, Kubernetes, VCD and NSX-T. Expanding each of the Severities provides detailed information on the best practice and a URL link to the appropriate knowledge base article depending on the product. In Best Practices you will also note that Security, Availability, Manageability, and Recoverability are all analysed on a per product basis.

Now for Vulnerabilities … and I am looking a lot better-ish with some green Pass Results! (I know that “better-ish” is not a word, but it is my word).

Vulnerabilities

This is a very similar layout to KBs where you can see the related Severity, Issue ID and what product it applies to. Noted is the relevant CVE and advisory range which is important when MSP SLAs are involved. Personally I like this component as I usually rely on Qualys updates for this type of information and in this situation I don’t have to troll through infrastructure that may not be applicable to my environment, or since I am a middle aged gentleman I just don’t see it in the particular report due to Stigmatism of the eyeball.

Third Floor: Men’s Apparel and Security Compliance.

Security Compliance

I will not go through each of the sections in Security Compliance, as the analysed report has the same layout, and to be honest nobody wants to see around 100 Security Compliance failures against Essential Eight, HIPAA, ISO etc. as SSH is enabled on my infrastructure. I can feel the judgement already. An important thing to note is that with PCI DSS Security Compliance, virtual machines are also getting analysed.

For transparency, the Security Compliance that I have enabled in this lab is not the complete set, only what I deem in my mind as applicable for Australian workloads. I could have included NIST as it covers US[6] and Australia[7] however the specifics are beyond the scope of this article.

Other Security Compliance standards available include DISA STIG[8], BSI IT-Grundschutz[9] and GDPR[10].

Overall, I am quite impressed with Runecast’s ability to completely analyse not just on-premises VMware and Kubernetes environments, but also tenancies in AWS, Azure and Horizon as well, while making many Architects / Engineers cry at what they thought were secure compliant platforms.

Once the crying is over these analytics can also provide a baseline for where MSPs can leverage automation for the deployment of infrastructure consistency that meets Hardware Compatibility, Best Practices for Infrastructure, and Security Compliance across multiple platforms. Unfortunately, vulnerabilities are a constantly moving goal post, however with Runecast you can schedule daily analytic reporting of your multi-cloud world allowing you to be on the front foot and proactive with your customers.

From an MSP Operational perspective, to be able to stay on top across multiple platforms is not an easy feat and when you throw multi-cloud and a diverse customer base into the mix you need every bit of assistance you can get. This at times can mean multiple application and reporting sets to get visibility of this data and I think Runecast ticks the box from a single reporting point.

I would like to thank Andre Carpenter at Runecast for the opportunity to test their product and providing me with a trial license. You can follow Andre at https://www.linkedin.com/in/andrecarpenter/ or @andrecarpenter on Twitter, and Runecast at https://www.linkedin.com/company/runecast/ .


[1] https://www.cyber.gov.au/acsc/view-all-content/publications/essential-eight-explained

[2] https://compliancy-group.com/hipaa-australia-the-privacy-act-1988/

[3] https://www.iso.org/isoiec-27001-information-security.html

[4] https://www.pcisecuritystandards.org/pci_security

[5] https://www.runecast.com/

[6] https://www.nist.gov/about-nist

[7] https://www.cyber.gov.au/acsc/view-all-content/referral-organisations/national-institute-standards-and-technology-nist

[8] https://public.cyber.mil/stigs/

[9] https://www.bsi.bund.de/EN/Topics/ITGrundschutz/itgrundschutz_node.html

[10] https://gdpr.eu/data-protection-officer/

