Your address will show here +12 34 56 78
2023 Blog, Blog, Featured, ServiceOne

Automated Patch Management with Dynamic Insights

By on

February, 2023

- 2023 Blog, Blog, Featured, ServiceOne

Relevance Lab helps customers use cloud “The Right Way” with an Automation-First approach as part of our Governance360 solution offering. Customers implementing this solution go through a maturity model covering the following stages:

  • Basic Governance using AWS best practices with Control Tower, Security Hub, Management & Governance Lens
  • Advanced Governance with automation-led approach and deep integration with service management tools, vulnerability assessment, and remediations
  • Proactive and Preventive Governance with integrated end-to-end monitoring
  • Intelligent compliance with remediations

As part of achieving this maturity model, it is important to have proper IT asset management, vulnerability assessment, and remediation models. A critical aspect of addressing infrastructure-level vulnerabilities depends on a smart patch management process. Patch management is a key part of your IT Operations to avoid potential exploitation and to ensure vulnerabilities are addressed on time by patching your systems, which includes operating systems, applications, and network components across your on-premises, cloud, or a hybrid setup.

As shown below, patch management is a pivotal layer of security management and starts with the identification of assets from your asset inventory, followed by vulnerability assessment, patch management, security information & event management (SIEM), and visualization in the form of dashboards/reports.


Let us see the steps to automate the entire lifecycle of patch management as shown in the below picture along with some industry-standard tools/platforms.


  • Step 1: All vulnerabilities pertaining to operating systems and software are captured through periodic scans using agents and analyzed.
  • Step 2: Using patching solutions, identify the missing patches and co-relate this to the vulnerabilities being addressed.
  • Step 3: Based on the criticality of the servers like Dev, Test, Prod, or criticality of the patches, the assets are identified for patching. A Change Request (CR) is raised with the details of what to patch, along with the patching windows, and the asset owners.
  • Step 4: Create a backup/snapshot before the patching activity and check for the patching client/agent availability on the servers planned for patching.
  • Step 5: Patch the servers during the agreed window, and if successful, CR is updated accordingly. In case of failure, CR is updated with a failure status.
  • Step 6: Post the patching activity, re-run the vulnerability scan to ensure all patch-related vulnerabilities are addressed and taken care of. The servers are also validated for the functionality of the applications before the CR can be closed.

Use Case Benefits for Customers
By automating patch management, customers can have near real-time visibility to the security compliance of their infrastructure and ensure an ongoing periodic process of patching is enabled, and having a 360-view of their IT infrastructure using dashboards. Enabling automated patching can save a lot of time and resources.

Compliance Benefits:

  • Secured and centralized way of monitoring dashboard
  • Automated patching
  • Optical consistency across all businesses
  • Providing ease of security auditing
  • Periodic & timely notifications of the compliance/non-compliance status report to IT teams or individuals

The IT team can create their own custom patch baselines and decide which patches to auto-approve by using the following categories.


  • Operating Systems: Windows, Amazon Linux, Ubuntu Server, etc.
  • Product Name: e.g. RHEL 6.5, Amazon Linux 2014.089, Windows Servers 2012, Windows Server 2012 R2, etc.
  • Classification: Critical updates, security updates, etc.
  • Severity: Critical, important, etc.

Use Case of Hybrid Setup Patch Management
As shown in the sample below, there are 2 environments Prod, and Dev, referred to as Patch Groups. This helps to avoid deploying patches to the wrong set of instances. A patch group must be defined with the tag key Patch Group. For example, we have created a patch group tag key called Dev below. A fleet of instances that have these tags can be patched using this approach.


Details of the Architecture

  • AWS Systems Manager gathers asset inventory details and a pre-configured maintenance window automatically scans for the latest patches for the server groups at a scheduled time.
  • The automated patch function lambda is scheduled to run daily to collect the patch group and maintenance window details. It also creates the patch group and maintenance schedule tags on the managed instances.
  • This lambda function then creates or updates the right patch groups and maintenance schedules, associates the patch groups with the patch baselines, configures the patch scans, and deploys the patching task. You can also notify users of impending patches using CloudWatch Events.
  • As per the maintenance schedule, the events will send patch notifications to the application teams with the details of the impending patch operation.
  • Patch Manager then initiates the patching based on the predefined window and patch groups.
  • Details about patching are retrieved using resources data sync in Systems Manager and published to a S3 bucket.
  • Using this data from the S3 bucket, you can build a visualization dashboard about the patch compliance in Amazon QuickSight.

As explained earlier, visualization is an essential layer showing the near real-time security status of your IT infrastructure. These can be a dashboard, as shown below.


Getting Started
Patch Management is available as a professional service offering and also as an AWS marketplace offering under Governance360. Below are the steps to take the customer from discovery to steady state.


Step-1 Discovery Assess the current landscape of Process & Tools/Technology
Step-2 Recommend Present the current gaps and benchmark against industry standards
Step-3 Plan and Implement Design and implement the proposed solution in a phased manner
Step-4 Ongoing Bring the solution to a stable state/BAU (Business As Usual)

Conclusion
In this blog post, we covered the key aspects of automated patch management for enterprises. Relevance Lab has implemented automated patch management solutions, which is part of our Automation Factory Suite for its key customers bringing in better detection, assessment and compliance for their Cloud Governance. The entire solution is available as a re-usable framework that can save new enterprises 6+ months of time, efforts and costs for new deployments.

To know more about our Governance360 offering and its building blocks, including automated patch management, feel free to contact marketing@relevancelab.com.

References
Automated Patch Management for Cloud & Data Centers



0
2021 Blog, AppInsights Blog, Blog, Featured, ServiceOne

RLCatalyst AppInsights Now Available for AWS & ServiceNow Customers to provide Dynamic Application-Centric View of Cost, Health, and Security

By on

September, 2021

- 2021 Blog, AppInsights Blog, Blog, Featured, ServiceOne

Relevance Lab announces the availability of a new product RLCatalyst AppInsights on ServiceNow Store. The certified standalone application will be available free of cost and offers a dynamic application-centric view of AWS resources.

Built on top of AWS Service Catalog AppRegistry and created in consultations with AWS Teams, the product offers a unique solution for ServiceNow and AWS customers. It offers dynamic insights related to cost, health, cloud asset usage, compliance, and security with the ability to take appropriate actions for operational excellence. This helps customers to manage their multi-account dynamic application CMDB (Configuration Management Database).

The product includes ServiceNow Dashboards with metrics and actionable insights. The design has pre-built connectors to AWS services and unique RL DataBridge that provides integration to third-party applications using serverless architecture for extended functionality.

Why do you need a Dynamic Application-Centric View for Cloud CMDB?
Cloud-based dynamic assets create great flexibility but add complexity for near real-time asset and CMDB tracking, especially for enterprises operating in a complex multi-account, multi-region, and multi-application environment. Such enterprises with complex cloud infrastructures and ITSM tools, struggle to change the paradigm from infrastructure-centric views to application-centric insights that are better aligned with business metrics, financial tracking and end user experiences.

While existing solutions using Discovery tools and Service Management connectors provided a partial solution to an infrastructure-centric view, a robust Application Centric Dynamic CMDB was a missing solution that is now addressed with this product. More details about the features of this product can be found on this blog.

Built on AWS Service Catalog AppRegistry
AWS Service Catalog AppRegistry helps to create a repository of your applications and associated resources. These capabilities enable enterprise stakeholders to obtain the information they require for informed strategic and tactical decisions about cloud resources.

Leveraging AWS Service Catalog AppRegistry as the foundation for the application-centric views, RLCatalyst AppInsights enhances the value proposition and provides integration with ServiceNow.

Value adds provided:

  • Single pane of control for Cloud Operational Management with ServiceNow
  • Cost planning, tracking, and optimization across multi-region and complex cloud setups
  • Near real-time view of the assets, health, security, and compliance
  • Detection of idle capacity and orphaned resources
  • Automated remediation

This enables the entire lifecycle of cloud adoption (Plan, Build and Run) to be managed with significant business benefits of speed, compliance, quality, and cost optimization.

Looking Ahead
With the new product now available on the ServiceNow store, it makes easier for enterprises to download and try this for enhanced functionality on existing AWS and ServiceNow platforms. We expect to work closely with AWS partnership teams to drive the adoption of AWS AppRegistry Service Catalog and solutions for TCAM (Total Cost of Application Management) in the market. This will help customers optimize their application assets tracking and cloud spends by better planning, monitoring, analyzing and corrective actions, through an intuitive UI-driven ServiceNow application at no additional costs.

To learn more about RLCatalyst AppInsight, feel free to write to marketing@relevancelab.com.



0
2020 Blog, Blog, Featured, ServiceOne, ServiceNow

Intelligent Automation using Freshservice ITSM and AWS Control Services with RLCatalyst

By on

August, 2021

- 2020 Blog, Blog, Featured, ServiceOne, ServiceNow

AWS provides a Service Management Connector for ServiceNow and Jira Service Desk end users to provision, manage and operate AWS resources securely via ITSM Portal. However, a similar solution does not exist for FreshService. The same maturity of end to end automation for Freshservice customers can be provided by using Relevance Lab’s RLCatalyst BOTs solution. It will provide an Automation Service Bus between ITSM tools and AWS Cloud assets.

Freshservice is an Intelligent Service Management platform, which comprises of all the essential modules like Incident Management, Problem Management, Change Management, Release Management, Project Management, Knowledge Management and Asset Management including Hardware, Software and Contracts. It also provides consolidated reports including analytics.

Many customers are adopting Freshservice as an ITSM cloud based solution and orchestrating self-service requests for organizations. One of the common automation needs is for User and Workspace onboarding and offboarding that involves integration with HR systems, AWS Service Catalog and AWS Control Tower for proper management and governance. Similarly using Infrastructure As Code model, organizations are using Cloud Formation based template models for complex workloads provisioning with 1-Click models.

The Freshservice workflow automator with RLCatalyst BOTs integration helps in automation of simple repetitive tasks like assignment of tickets to the right groups, and setup of multi-level approvals. It is a simple drag and drop interface which can help to automate most of the simple use cases. In addition, the webhook option allows automation of complex workflows or use cases by integrating with the right automation tools. In addition to this, the business rules for forms feature will enable you to describe conditional logic and actions to create complex dynamic forms.

The below diagram illustrates the Integration Architecture between FreshService, AWS and RLCatalyst.


Using the integrated solution, organizations can automate use cases related to both End User Computing (EUC) and other standard Server side workloads provisioning. Two common examples are :

  • User and Workspace Provisioning : Onboard a new user and request for an AWS workspace where the original request is generated by Workday/Taleo.
  • Server Infrastructure Provisioning, Application Deployment and Configuration Updates : Request for provisioning of a complex multi-node workload using Service Catalog item fulfilled with an AWS Cloud Formation template and post provisioning setup.

The below diagram illustrates the following EUC automation.


The steps to Onboard a new user and Workspace in an automated are as follows.

  • RLCatalyst enables Freshservice to create an Service Request(SR) using the file generated from Workday or Taleo.
  • Once an SR is created, the workflow automator of Freshservice triggers the approval workflow for either auto approval, cost based approval or role-based approval.
  • Based on the approval workflow defined, and successful execution of the same, the next step is to request RLCatalyst to trigger the onboarding workflow within RLCatalyst.
  • RLCatalyst, then enables the BOT 1for creation of a user in simple AD.
  • BOT 2 sends out a request for provision of AWS workspace, while the BOT3 looks for the status of the workspace creations.
  • Once the status is received on the successful provision by the BOT3, the workflow instructs the AWS SNS to send out a notification email to the end user with the workspace details and login credentials.
  • Finally, RLCatalyst sends a request back to Freshservice for the successful closure of the SR.
  • In case of failure of workspace provision, RLCatalyst will instruct Freshservice to create an Incident to check for the Root Cause Analysis(RCA).

Similarly, a user can request for a multi-node application stack deployment in AWS using Freshservice service catalog. The below diagram illustrates the following :


  • Create the infrastructure with multiple AWS resources (EC2, S3, RDS etc).
  • Deploy one or more applications on the instances created (Web Tier, App Tier, DB Tier).
  • Configure the application with the run-time information. e.g. DNS endpoint creation, bind the listening IP address of an application to the IP address of the instance created. Then update YAML files with environment variable values etc.
  • Deploy the monitoring agents like Infra health, App health, Log monitoring and Service Registry.
  • Setup network configurations like hosted zones, routes etc and setup security configurations like SSL certificates.

The multi-stage orchestration requires a workflow for state and context management during the lifecycle and this is provided by using RLCatalyst Workflow capabilities.

Relevance Lab is a solution partner of Freshservice. We assist the enterprises to adopt AWS Cloud with intelligent automation using RLCatalyst BOTs. Relevance Lab also offers a pre-integrated solution of ServiceOne with Freshservice.

For a demo video and for more details,  please click here.

For more details, please feel free to reach out to marketing@relevancelab.com



0
2020 Blog, Blog, Featured, RLAws Blogs, ServiceOne

Automate User On-boarding on AWS using Jira Service Desk

By on

July, 2020

- 2020 Blog, Blog, Featured, RLAws Blogs, ServiceOne

As enterprises adopt popular Agile and DevOps tools and solutions from Atlassian, it is essential to create an end to end automation pipeline covering ITSM workflows. Integration of Software Development Lifecycle (SDLC) tools, with cloud infrastructure platforms like AWS, can provide faster software deliveries with CI/CD, infrastructure automation and continuous production monitoring. RLCatalyst Intelligent Automation solutions complement the platform with an enterprise BOTs Automation solution and a mature end-to-end monitoring Command Centre solution. This blog details out an integrated solution between AWS Service Management Connector for Jira Service Desk enterprise workflows of User Onboarding + Asset Provisioning lifecycle.

The AWS Service Management Connector for Jira Service Desk (Jira SD) allows Jira Service Desk end-users to provision, manage, and operate AWS resources natively via Atlassian’s Jira Service Desk. Jira Service Desk Cloud module supports AWS Service Catalog Connector, and the Jira Service Desk Data Centre & Server module supports AWS Service Management Connector.

Jira SD admins can create and provide secured, governed AWS resources to end-users via service catalog, execute automation playbooks via AWS system manager and finally track the resources in a Config Item view powered by AWS config.

On downloading the connector from the Atlassian marketplace for no additional cost, you need to connect it with your AWS account, preferably governed by AWS Control Tower for enhanced security.

The AWS Service Catalog allows you to provision or terminate and centrally manage commonly deployed AWS resources like workspaces. AWS resources like workspaces can be pre-approved, provisioned or terminated based on approval.

Similarly, the AWS Service Management Connector allows Jira SD users to fulfil all the related operational activities. Some of them are listed below.


  • Migrate or Manage CloudWatch Agent.
  • Manage Amazon Inspector Agent.
  • Apply Ansible Playbooks or Chef Recipes on AWS managed instances.
  • Apply Patches from baseline.
  • Change the standby state of an EC2 instance in an auto-scaling group.
  • Attach an additional EBS Volume to the EC2 instance.
  • Attach IAM to an Instance.
  • Install or Uninstall a Distributor package.
  • Configure CloudTrail Logging.
  • Export Metrics and log files from your instances to Amazon CloudWatch.
  • Configure an instance to work with containers and Dockers.
  • Enable or disable live patching on Linux EC2 instances.
  • Configure S3 bucket logging.
  • Enable or disable Windows Updates.
  • Copy Snapshot created.
  • Create DynamoDB backup.
  • Create a new AMI from an EC2 instance.
  • Create an RDS snapshot for an RDS instance.
  • Create an incident in ServiceNow.


As shown in the above diagram, Relevance Lab helps enterprises already on AWS & Jira Service Desk, to integrate the two using AWS Service Management Connector. The integration enables a seamless process to create custom workflows like the creation of auto-approval, cost-based approval and role-based approval. Likewise, raise an incident in case of any failure of the resources provisioned or terminated and create change requests for every update of the workloads.

Benefits of AWS Service Management Connector for Jira Service Desk:

  • Free and Out of Box (OOB) feature without any add-on cost.
  • Support multiple AWS accounts and ensure governance through AWS CT.
  • Provision and Maintenance of AWS resources through one platform (Jira SD).
  • Easy to use by the IT admins without in-depth knowledge of AWS platform.
  • Multiple Portfolios and Service Catalogs for different departments within an Organization.
  • Represent Config Items in a tree structure.
  • Run most of the automated documents in AWS system manager through Jira SD.

The end to end orchestration of User Onboarding and Asset provisioning leverages the out of box features for AWS and Atlassian tools. However, for many real-world scenarios, the complex workflows need integration with other third-party tools like AD, OKTA, HR systems (Workday/Taleo) and compliance solutions. In situations that require more complex workflows and third-party integrations RLCatalyst BOTs solution is integrated with AWS and Atlassian solutions to provide lifecycle automation and observability post provisioning.


Conclusion:
Relevance Lab is a partner of AWS and a DevOps specialist company implementing Atlassian solutions. We help organizations adopt AWS Service Management Connector with ITSM tools like Jira Service Desk and ServiceNow. Integration of AWS Service Management Connector provides a common interface and ease for all L1 and L2 activities for the ITSM users to manage AWS resources. Our RLCatalyst based Intelligent Automation and Command Centre complement these solutions to bring in greater efficiencies.


Click here for a demo video.

For more details, please feel free to reach out to marketing@relevancelab.com

0
2020 Blog, Blog, DevOps Blog, Featured, ServiceOne, ServiceNow

DevOps for ServiceNow with GIT Integration

By on

June, 2020

- 2020 Blog, Blog, DevOps Blog, Featured, ServiceOne, ServiceNow

Using GIT configuration management integration in Application Development to achieve higher velocity and quality when releasing value-added features and products


ServiceNow offers a fantastic platform for developing applications. All infrastructure, security, application management and scaling etc.is taken up by ServiceNow and the application developers can concentrate on their core competencies within their application domain. However, several challenges are faced by companies that are trying to develop applications on ServiceNow and distribute them to multiple customers. In this article, we take a look at some of the challenges and solutions to those challenges.



A typical ServiceNow customization or application is distributed with several of the following elements:


  • Update Sets
  • Template changes
  • Data Migration
  • Role creation
  • Script changes

Distribution of an application is typically done via an Update Set which captures all the delta changes on top of a well-known baseline. This base-line could be the base version of a specific ServiceNow release (like Orlando or Madrid) plus a specific patch level for that release. To understand the intricacies of distributing an application we have to first understand the concept of a Global application versus a scoped application.


Typically only applications developed by ServiceNow are in the global scope. However before the Application Scoping feature was released, custom applications also resided in the global scope. This means that other applications can read the application data, make API requests, and change the configuration records.


Scoped applications, which are now the default, are uniquely identified along with their associated artifacts with a namespace identifier. No other application can access the data, configuration records, or the API unless specifically allowed by the application administrator.


While distributing applications, it is easy to do so using update sets if the application has a private scope since there are no challenges with global data dependencies.


The second challenge is with customizations done after distributing an application. There are two possible scenarios.


  • An application release has been distributed (let’s call it 1.0).
  • Customer-1 needs customization in the application (say a blue button is to be added in Form-1). Now customer 1 has 1.0 + Blue Button change.
  • Customer-2 needs different customization (say a red button is to be added in Form-1)
  • The application developer has also done some other changes in the application and plans to release the 2.0 version of the application.

Problem-1: If application 2.0 is released and Customer-1 upgrades to that release, they lose the blue-button changes. They have to redo the blue-button change and retest.



Problem-2: If the developer accepts blue button changes into the application and releases 2.0 with blue button changes, when Customer-2 upgrades to 2.0, they have a conflict of their red button change with the blue-button change.



These two problems can be solved by using versioning control using Git. When the application developers want to accept blue button changes into 2.0 release they can use the Git merge feature to merge the commit of Blue button changes from customer-1 repo into their own repo.


When customer-2 needs to upgrade to 2.0 version they use the Stash feature of Git to store their red button changes prior to the upgrade. After the upgrade, they can apply the stashed changes to get the red button changes back into their instance.


The ServiceNow source control integration allows application developers to integrate with a GIT repository to save and manage multiple versions of an application from a non-production instance.


Using the best practices of DevOps and Version Control with Git it is much easier to deliver software applications to multiple customers while dealing with the complexities of customized versions. To know more about ServiceNow application best practices and DevOps feel free to contact: marketing@relevancelab.com


0