SUSE’s Adaptable Linux Platform (ALP) Raises the Bar on Confidential Computing

Monday, 3 April, 2023

SUSE has just released the third prototype of ALP, named “Piz Bernina” (the highest mountain in the Swiss Alps).  The new prototype has a strong focus on security and demonstrates an innovative concept with confidential computing and a zero-trust approach. 

ALP stands for SUSE’s Adaptable Linux Platform, providing a new approach to enterprise Linux for evolving use cases in a cloud-native world – from core to cloud to edge. ALP is an application-centric, secure, and flexible platform designed to focus on workloads while abstracting from the hardware and the application runtime layers. Every three months we publish a new prototype with newly implemented features, approaches, and significant changes. 


SUSE’s newly published ALP “Piz Bernina” consists of two separate prototypes which are currently close to each other but will diverge in the future according to different use cases and as more services are added:

  • the server-oriented version (codename “Bedrock”) 
  • the cloud-native oriented version (codename “Micro”) 

Major changes in Piz Bernina 

The new SUSE ALP Piz Bernina focuses on security and provides many enhancements from our previous December prototype (Punta Baretti):  

  • Confidential Computing: provides a Trusted Execution Environment that protects data in use by isolating, encrypting, and executing virtual machines. 
  • Hardware and runtime attestation: verifies the integrity of workloads and, together with FDE (Full Disk Encryption), marks the starting point for end-to-end data security.
  • Foundation for future extended Confidential Virtual Machine support (CVM), covering support for more hardware vendors and making use of the most recent hardware for confidential computing.  
  • Integration of NeuVector: to support a secure ecosystem, ALP users can run NeuVector to identify malicious behaviors and prevent them from affecting the underlying host OS or potentially other containerized workloads.
  • Support for s390x architecture: in addition to the already supported x86_64 and aarch64 architectures. 
  • FDE (Full Disk Encryption) with TPM can now be selected at installation-time to support data security at rest. 

With NeuVector running on Piz Bernina, SUSE’s secure software supply chain gets stronger than ever, starting with source code analysis, continuing with a certified build system environment that produces the distributions and artifacts such as packages and containers, and now adding a runtime scanner for malicious workloads. Once installed and enabled on an ALP system, NeuVector will automatically scan all running containers on the system and detect potential vulnerabilities and other threats. It will learn how containers behave and allow users to put additional restrictions in place based on this learning.

Enhanced Full Disk Encryption and Data Security 

The previously introduced FDE (Full Disk Encryption) with TPM (Trusted Platform Module) is now available to be selected at installation-time to support data security at rest.

What has changed from the previous December prototype Punta Baretti is that everything works equally with both LVM (Logical Volume Manager) and plain partitions. An important change for usability is that there is now no need to enter the passphrase on the first boot. As an engineer, you may wonder: “how can you do that?”. The non-interactive first boot is possible because we have the temporary passphrase hardcoded in the Grub2 configuration – which, of course, is fully erased (from both the encryption device and the Grub2 configuration) during the first boot and, soon after that, the TPMv2 is configured and fully utilized for all subsequent boots.

With new support for FDE with TPM and confidential computing, ALP “Piz Bernina” provides an all-in-one security solution for all types of data, from data-at-rest to data-in-transit to data-in-use. 

Finally, Piz Bernina is adding support for the s390x architecture on top of the already supported x86_64 and aarch64 architectures. 

 


 

 

SUSE Joins the Confidential Computing Consortium

Monday, 27 March, 2023

SUSE steps up its focus around data protection and trust with a strong commitment to preserving data integrity from core to cloud to edge.  SUSE is happy to announce we have joined Linux Foundation’s Confidential Computing Consortium, a community focused on projects that deal with securing data in use and accelerating the adoption of confidential computing through open collaboration.

Customers and partners rely on SUSE to deliver a secure, open source platform that fully protects data regardless of its state.  Confidential Computing safeguards data in use without impacting business-critical workloads.  Joining the Confidential Computing Consortium enables SUSE to collaborate with open source leaders to advance these security technologies for our customers.

Why confidential computing?

Security is a top concern for enterprises today with threats of cyberattacks and data breaches increasing.

“82 percent of enterprises would be very concerned if their cloud provider had the ability to access their data.”[1]

Cloud adoption is held back by a lack of trust in public cloud vendors, which provides the motivation for Confidential Computing solutions. Protecting data-in-use, held within CPU registers and memory, is the focus of the “Confidential Computing” movement. Confidential Computing encrypts data during processing. In recent years CPU vendors have started to integrate features that allow setting up isolated and trusted execution environments that are inaccessible to the rest of the system.

SUSE’s commitment to security and confidential computing

A “data in use” solution is needed across the entire OS-based software infrastructure stack for workloads migrating into and/or running within cloud environments.  In direct correlation to confidential computing, what SUSE delivers today provides the building blocks for our future investments in this very important endeavor.  This includes:

  • A complete software stack that is cryptographically signed including BIOS, Bootloader, OS, and Hypervisor
  • Remote measurement and attestation to verify the integrity of a remote system running SUSE Linux Enterprise
  • SUSE Linux Enterprise support for Confidential Virtual Machines on Google Cloud Platform and Microsoft Azure (coming soon) using AMD-SEV chipsets (includes Linux kernel, LibVirt, and KubeVirt)
  • SUSE Linux Enterprise supports Confidential Computing on IBM zSystems and LinuxONE
  • Working with Intel and Arm in delivering Confidential Computing solutions


 

Jeff Reser, SUSE

[1] Futurum Research “Confidential Computing: The Future of Data Security and Digital Trust”

Good Things Happen in Threes!

Monday, 27 March, 2023

Blog published on behalf of Joe Gerkman 


SUSE One Partner Program Receives 5-star rating by CRN Partner Program Guide for third year 

SUSE has been recognized by CRN®, with a prestigious 5-star rating in its 2023 Partner Program Guide, for the third year running, in recognition of our SUSE One Partner Program. 

The CRN Partner Program Guide provides valuable insights to solution providers such as managed service providers (MSPs), value-added resellers (VARs), systems integrators, and strategic service providers who are looking to find vendors with partner programs that best support their business needs. 

 

5-Star Rating in CRN Partner Program Guide 2023

 

 

What does the 5-star rating mean? 

CRN awards the 5-star rating to companies that have gone above and beyond in their commitment to nurturing strong, profitable, successful channel partnerships. 

In the 2023 CRN Partner Program Guide, vendors were evaluated based on program requirements and offerings such as partner training and education, pre- and post-sales support, marketing programs and resources, technical support, and communication. 

We understand partners have a choice of vendor and want to understand the breadth and depth of the partner programs that vendors offer before committing, including what’s available in terms of financial incentives, sales and marketing assistance, training and certification, technical support and more.

Why the SUSE One Partner Program was recognized 

This 5-star rating is the highest possible rating in the CRN Partner Program Guide, and one that we are proud to achieve for the third year running.  It validates our partner-first philosophy and our commitment to evolving the program to meet our partners’ needs while they are adapting their business models to changing market conditions in order to provide the best possible solutions to their customers.  

Our consistent recognition in this category shows that we have maintained this level of commitment to our partner community.  


Impactful Partner Benefits
 

The SUSE One Partner Program provides partners with the resources they need to grow their business with SUSE, including free persona-based training, and sales, marketing and technical support.  

As partners move up the tiers of the program, they unlock additional financial incentives and rewards that provide predictable profitability amongst other benefits. 

One of the key benefits of the SUSE One Partner Program is our commitment to ensure that partners have access to training and education for free. Partners have access to a range of training resources, including online courses, Partner Academies (hybrid of online learning and instructor-led training), and certifications.  

This training provides partners with a means to differentiate themselves in the marketplace, by demonstrating they have the skills in the latest technologies, such as containers, that are much sought after by enterprises today.  

We will continue to invest in our partners who are making the difference in bringing innovative solutions to solve the most challenging customer problems. 

 

The 2023 Partner Program Guide will be featured in the April 2023 issue of CRN and online at www.CRN.com/PPG. 

 

Secure SAP Side-by-Side Extensibility with SUSE, Rancher Prime and NeuVector

Monday, 20 March, 2023

Introduction to Secure SAP Side-by-Side extension

Keeping up with SAP platform updates and custom ABAP code can be challenging for companies. To overcome this, many customers and even SAP itself opt for a well-known approach called Side-by-Side for SAP functional extension. This approach keeps SAP’s own modules as standard as possible while placing customizations, extensions, and third-party integrations outside of them.

This is made possible thanks to API connection points and integration protocols that SAP offers, from traditional ABAP applications to newer S/4HANA or managed cloud service offerings like SAP RISE.

While SAP has long provided those APIs for interacting with its platform, two recent developments have made Side-by-Side a more attractive choice for extending SAP: the adoption of standardized APIs, such as REST and OData, and the rise of microservices as a way of architecting software solutions. Microservices are particularly useful for extending existing applications, like SAP, as they allow developers to create small, independent services that interact through APIs. Together with SAP’s powerful APIs and existing cloud-native middleware, microservices make for an ideal extension model.

The next important milestone when defining an extension approach is a platform where all those microservices and integrations will run. Fortunately, we have a winner in Kubernetes, the standard operating environment for modern microservices-based applications. This means that we now have a clear set of methodologies, standards, and platforms that offer a solid foundation for both extending our SAP applications and integrating them into a wider ecosystem.

While this approach makes sense from a software architecture perspective, it also opens up potential security concerns. By placing business code outside of SAP and interacting with SAP through APIs, companies need to ensure that their systems remain secure in a scenario with a wider attack surface. Fortunately, SUSE offers a robust and secure operating environment for both SAP’s traditional software stack and for the Side-by-side microservices software layer that runs on top of Kubernetes.

How do we secure the Kubernetes environment?

Kubernetes has become a popular choice for container orchestration due to its flexibility and scalability. However, securing a Kubernetes environment can be challenging. In this article, we’ll cover two stages of securing a Kubernetes environment: securing the platform itself and securing the application layer.

Securing the Kubernetes Platform

There are several tools available for securing the Kubernetes platform, but Rancher and RKE2 stand out as the most secure solutions in the market. Both are STIG-certified and have native support for FIPS encryption and other key security features.

Rancher Prime and RKE2 can be deployed over a wide variety of Linux OS, but SUSE Linux Enterprise Server (SLES) is the perfect match when security comes into play. SLES is the only EAL4+ certified general-purpose OS, and it’s also STIG certified, making it a top choice for securing the Kubernetes platform foundation.

Hardening for SLES and hardening for SLES for SAP use the same approach, and security-related tooling, like SUSE Manager, can manage both SLES flavors together for a unified security management experience at the OS level.

Securing the Application Layer

SUSE NeuVector is a Kubernetes-native security suite that can cover the full application lifecycle. With its plugins, SUSE NeuVector can integrate with Git vendors and CI tools like Jenkins to perform security scans over software artifacts as early as possible in the build processes.

Once microservices applications are compiled, tested, and packaged as containers, SUSE NeuVector can also scan the created containers in the container registries where they are stored. For containerized applications running on a Kubernetes environment, SUSE NeuVector can monitor the runtime application behavior and learn about processes, files, network connections, and any application interaction to model a security context. A behavioral approach to security can be implemented to control, audit, and reject new suspicious behaviors.

SUSE NeuVector provides protocol-aware deep packet inspection for inspecting all the traffic that container applications generate while communicating with each other and the outside world. Additionally, SUSE NeuVector offers Data Loss Prevention and L7 firewalling capabilities to control the connection points between our SAP environment and the microservices it interacts with.

Figure 1: SUSE’s view of a secure SAP Side-by-side environment

In conclusion, securing a Kubernetes environment requires a multi-layered approach that starts with securing the platform and its dependencies and continues with securing the application layer. With tools like Rancher Prime, RKE2, SLES, SLES for SAP, SUSE Manager and SUSE NeuVector, organizations can implement a comprehensive security strategy to protect their SAP environments. Additionally, this approach allows organizations to safely explore the side-by-side extension paradigm for evolving their SAP landscape while maintaining a secure and reliable environment.

SUSE Manager: The Journey Continues

Friday, 24 February, 2023

A little more than 6 months ago, SUSE launched SUSE Manager 4.3.  It was an exciting launch because for the first time, we rearchitected the solution so that you could implement the SUSE Manager Proxy as a set of containers.  Hub architecture and reporting capabilities were also improved for better scalability.  Client automation got a big boost by introducing the salt bundle.  In case you don’t know, salt provides much of the automation tasks for SUSE Manager.  Providing a salt bundle means you now have a consolidated, single-binary package that includes all the Python dependencies and everything the client needs to communicate with the SUSE Manager server.  This makes the deployment of agents a lot easier to do and maintain.  You can learn all about the launch here and the salt bundle here.

SUSE Manager really is the solution you need to keep your systems secure and compliant – almost like magic.

6 Months Later: What’s New?

You might know that about every 5 weeks, SUSE Engineering puts out a minor release of SUSE Manager.  What does that mean for you?  It means that our team is constantly innovating to make the product even better and more usable.  And today we are on 4.3.4 – the fourth such release since 4.3.

SUSE Manager has always been able to manage multiple Linux distributions.  In fact, we have some customers who have yet to switch to SUSE Linux offerings but choose SUSE Manager as their management solution for all their Linux installed base because of its power and adaptability. Now that’s saying something!

We are expanding SUSE Manager’s reach with this latest minor release.  We now support RHEL 9, SUSE Liberty Linux 9, Rocky Linux 9, Alma Linux 9, and Oracle Linux 9. In addition, SUSE Manager 4.3.4 provides full support for SUSE Linux Enterprise Micro clients.  And these are in addition to the more than 15 distros that SUSE Manager already supported.  SUSE Manager is the only management tool that supports all these disparate distros from a single console – anywhere – and in exactly the same way. As we like to say, we aspire to manage “Any Linux, anywhere, at any scale”.

Additionally, SUSE Manager has undergone several improvements related to monitoring, usability, and security, making it an even more powerful and user-friendly system administration tool.  One notable update helps users with compliance: they will be notified of SUSE subscriptions that are about to expire in the near future or have already expired.  SUSE Manager will show this alert on the Overview page as well as provide a notification under the notification tab.

For more information on all these updates, you can check out the documentation and release notes here.

The best part:  To get all these updates and enhancements, you simply need to perform a simple in-place update from SUSE Manager Server 4.1, 4.2, or 4.3.

The Road Ahead

If you’ve been following SUSE Manager for any length of time, you know that we’ve been launching a major release yearly along with the new Service Pack of SUSE Linux Enterprise Server.  Well, this year we’re doing things a little bit differently.

While we will be announcing a new version in the upcoming months alongside SLE 15 SP5, it will not be a major release.  What does this mean?

We will continue to bring you innovative new features, such as:

  • SUSE Manager will be including the planned new features steadily in every 4.3 maintenance update.
  • The version we launch in the upcoming months will indeed support SLE 15 SP5.
  • The update to the new version will be an in-place migration. Simple as following the documentation here.
  • SUSE Manager 4.3 will have a longer supported lifecycle. That means that you will continue to have access to SUSE’s stellar technical support team until June 2025.

For SUSE Engineering, this also brings good news.  We will be spending the next year cooking up some significant changes to SUSE Manager.  After all, your business is transforming; we want SUSE Manager to transform with you.

Stay tuned!

How to protect your SAP applications from Ransomware attacks

Thursday, 16 February, 2023

Introduction

Ransomware is a well-known threat to your IT and business continuity that needs to be evaluated from many angles.

We recommend you go through this series of blog posts from my colleague Raúl Mahiques to get a better understanding of what Ransomware is and how to protect your IT against them:

Once we have detailed how those attacks unfold and which are the best practices to make our IT more resilient against them, we’ll focus on how Ransomware can impact SAP-related services and the SAP-specific tools and recommendations that SUSE offers to mitigate them.

Why should I enable malware scanning in SAP applications?

SAP services play a critical role in managing uploaded files in many businesses. Those services can become entry points for uploaded malware, which can later spread to other systems and services within your company.

Even if the malware may not directly affect SAP applications running on SUSE Linux Enterprise Server for SAP, once compromised files are uploaded and stored on SAP applications, they may look trustworthy. As a result, subsequent movements and transfers of those files may not be properly controlled.

How does the SAP antivirus stack work?

To ensure that all external files processed in your SAP environment are properly scanned, it is important to secure the most common malware entry points:

  • SAP GUI based applications
  • File upload on SAP Web applications
  • Inbound email
  • Web Services

The virus scan function is available for all SAP solutions that rely on SAP’s Java API, ABAP and HANA XS through the SAP NetWeaver Virus Scan Interface (NW-VSI).

The core antivirus scanner and virus definitions are based on the well-known ClamAV scanner, whereas the ClamSAP package bundles the Virus Scan Adapter interface that connects to NW-VSI.

Those are the only two components that need to be installed on each NetWeaver server. SUSE provides supported packages for both ClamAV and ClamSAP through its SUSE Linux Enterprise for SAP subscription. The version of ClamSAP shipped with SUSE Linux Enterprise Server for SAP supports NW-VSI version 2.0.

SAP virus scanning layers

Installation and configuration

Setting up the virus scanner for SAP only needs five simple steps:

1- Install ClamAV and ClamSAP packages in SUSE Linux Enterprise Server for SAP

2- Create a virus scanner group in SAP NetWeaver

3- Set up the ClamSAP library

4- Configure the default virus definitions location

5- Start ClamSAP

The process is well documented in both the SAP and SUSE documentation.

If you have several NetWeaver servers where you want to deploy ClamAV and ClamSAP, you can do it in one shot with SUSE Manager. You just need to create a “System Group” with all your NetWeaver servers deployed on SUSE Linux Enterprise Server for SAP.

Once all the NetWeaver servers are in the group, you can create a simple custom state that will take care of installing both ClamAV and ClamSAP packages. If more NetWeaver servers are added to the group in the future, they’ll also get both packages automatically installed without any operator intervention.

You can find more info about custom states in the SUSE Manager documentation.

Conclusion

It’s essential for all IT stakeholders to adopt a security mindset and protect applications that are vulnerable to malware attacks, including Ransomware. Linux servers should not be underestimated as potential targets. Even if SAP applications running on a secure Linux system have a lower risk of being affected by Ransomware, they can still act as a medium for malware to spread within your IT environment.

As we have explained, by using SUSE Manager together with SUSE Linux Enterprise Server for SAP, you can mitigate those threats and have all your SAP services secured, no matter the scale and no matter where they are deployed.

Check all the additional benefits you may get by choosing SUSE for your SAP migrations, and get in touch with our consulting experts to assist you on your transformational journey.

Ransomware Attacks – Part 3, Container Security

Wednesday, 15 February, 2023

Table of Contents

1. Introduction

2. How do we protect Kubernetes environments?

3. Why use Zero-Trust policies to stop the spread of malware?

4. The importance of having a secure software supply chain?

5. Why must we automate security in Kubernetes environments?

6. How can we scale these measures when we have multiple clusters?

7. Summary

 

Introduction

In the third part of this series dedicated to ransomware, I am going to explore how we can protect Kubernetes environments.

How do we protect Kubernetes environments from ransomware attacks?

As container adoption grows, containerized software is increasingly targeted by ransomware attacks, and the dynamic nature of the Kubernetes environment presents unique challenges. The spread of ransomware can be rapid, potentially infecting the image registry or other parts of the software supply chain and leading to the compromise of all pods in Kubernetes clusters. Attackers may also take control of the Kubernetes clusters, making it difficult to stop the attack once it has started.

As mentioned in the first post of this series, prevention is essential for protecting Kubernetes environments from attacks, which can occur through application vulnerabilities in running software, stolen credentials for the Kubernetes cluster/s, malware planted in the software supply chain, etc.

Some of these potential attack vectors can be only addressed by using specific security software and predefined processes.

To prevent attacks that come through an application vulnerability, there are a few strategies we can use:

  • Keep software up to date with the latest bugfixes. To make sure no vulnerable software gets deployed on the clusters, we can implement admission control rules with SUSE NeuVector, which extends the capabilities of Kubernetes by allowing you to define rules that, for example, prevent an image with vulnerabilities, or one from a non-trusted registry, from being deployed in your cluster.
  • Proactively block known attacks at the network level before they reach the application. SUSE NeuVector is especially suited for this task, as it looks not only at the network layer 3 and 4 protocols that other security solutions focus on, but also at network layer 7, which contains the application protocols.
    This means it can identify attacks carried over the application layer, thanks to its Deep Packet Inspection (DPI) technology, and it can block these malicious network packets before they reach the application.
  • Limit application privileges. We can further prevent ransomware attacks by using Kubernetes security mechanisms, such as Seccomp, AppArmor and SELinux. As previously discussed in this series, SELinux and AppArmor can be effective in preventing applications from accessing certain files or running certain processes. These are available only on Kubernetes nodes running on top of Linux distributions which have these features enabled, such as SLES and SLE Micro.
    These powerful tools are worth a dedicated article in their own right.
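
The first and third strategies above can be expressed as checks on a pod specification before it is admitted. The following Python code is an added example, not part of the original post and not NeuVector's rule engine or API; it goes slightly beyond the text by combining a trusted-registry check, a scan-result check and privilege checks in one review function. The registry name, threshold, scan results and pod specs are constructed assumptions.

```python
"""Admission-style review of a pod spec (added illustration, not NeuVector code)."""

TRUSTED_REGISTRIES = {"registry.example.internal"}  # assumption: constructed name
MAX_HIGH_VULNS = 0                                   # assumption: constructed threshold
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

# Constructed scan results: image reference -> number of high-severity findings.
SCAN_RESULTS = {
    "registry.example.internal/shop/frontend:1.4.2": 0,
    "registry.example.internal/shop/report:0.9.0": 3,
}

# Constructed pod specs (only the fields the checks read).
GOOD_POD = {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "frontend",
        "image": "registry.example.internal/shop/frontend:1.4.2",
        "securityContext": {"allowPrivilegeEscalation": False},
    }],
}
BAD_POD = {
    "containers": [
        {"name": "report",
         "image": "registry.example.internal/shop/report:0.9.0",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "seccompProfile": {"type": "Unconfined"}}},
        {"name": "proxy",
         "image": "nginx:latest",
         "securityContext": {"privileged": True}},
    ],
}


def image_registry(image):
    """Return the registry host of an image reference (docker.io when implicit)."""
    first, sep, _rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def effective_seccomp(pod_spec, container):
    """A container-level seccomp profile overrides the pod-level one."""
    for ctx in (container.get("securityContext", {}),
                pod_spec.get("securityContext", {})):
        profile = ctx.get("seccompProfile", {}).get("type")
        if profile:
            return profile
    return None


def review_pod(pod_spec):
    """Return the denial reasons; an empty list means the pod is admitted."""
    reasons = []
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        name, image = c["name"], c["image"]
        ctx = c.get("securityContext", {})

        registry = image_registry(image)
        if registry not in TRUSTED_REGISTRIES:
            reasons.append(f"{name}: untrusted registry {registry}")

        # Fail closed: an image that was never scanned is not assumed clean.
        high = SCAN_RESULTS.get(image)
        if high is None:
            reasons.append(f"{name}: image has no scan result")
        elif high > MAX_HIGH_VULNS:
            reasons.append(f"{name}: {high} high-severity vulnerabilities")

        if ctx.get("privileged") is True:
            reasons.append(f"{name}: privileged container")
        # Anything other than an explicit False is treated as "not disabled".
        if ctx.get("allowPrivilegeEscalation") is not False:
            reasons.append(f"{name}: allowPrivilegeEscalation not disabled")

        seccomp = effective_seccomp(pod_spec, c)
        if seccomp not in ALLOWED_SECCOMP:
            reasons.append(f"{name}: seccomp profile {seccomp or 'not set'}")
    return reasons


if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        result = review_pod(pod)
        print(label, "ADMIT" if not result else "DENY")
        for reason in result:
            print("  -", reason)
```
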

Why use Zero-Trust policies to stop the spread of malware?

All these measures may fall short, especially if the attackers use a Zero-Day to gain access.

To protect from Zero-Days we need to implement behavioral-based Zero Trust policies that can observe and block any attempt to deviate from the behavior applications are expected to show at the network or system level. This means that even if the attacker gains control of the application, they can’t use it to reach other applications in the cluster/s. Most backend applications usually aren’t exposed to the outside world and have weaker security protections; some also have greater system privileges and network or data access, so controlling them would grant the attacker even more opportunities to spread further.

In this scenario we can use SUSE NeuVector’s Zero-Trust security policies because we are looking at the behavior of the application and not only at known attacks. This requires us to define a security policy, which may sound like a complicated task, but thanks to NeuVector’s behavioral learning capabilities we can easily create one for each running application. In this article I show how we can use NeuVector behavioral learning capabilities to create Zero-Trust security policies.

Not only can we use SUSE NeuVector for implementing system and network level Zero-Trust policies, but also to visualize and detect suspicious activities within the Kubernetes environment by looking at the connections that each pod establishes using its DPI technology.
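
The idea of learning expected behavior and then denying every deviation can be shown in a few lines of Python. This is an added example, not part of the original post and not NeuVector code or its policy format; the workload names, processes, ports and protocols are constructed assumptions.

```python
"""Behaviour baseline learned per workload, then enforced (added illustration)."""
from collections import defaultdict

# Constructed events: what each workload did while the baseline was learned.
# A "connect" detail is (destination workload, port, application protocol).
LEARNING_EVENTS = [
    {"workload": "frontend", "kind": "process", "detail": ("nginx",)},
    {"workload": "frontend", "kind": "connect", "detail": ("api", 8080, "http")},
    {"workload": "api", "kind": "process", "detail": ("java",)},
    {"workload": "api", "kind": "connect", "detail": ("db", 5432, "postgresql")},
]

# Constructed events observed after enforcement was switched on.
RUNTIME_EVENTS = [
    # Learned behaviour: allowed.
    {"workload": "frontend", "kind": "connect", "detail": ("api", 8080, "http")},
    # A process the frontend never ran during learning.
    {"workload": "frontend", "kind": "process", "detail": ("sh",)},
    # The frontend reaching past the API straight to the database.
    {"workload": "frontend", "kind": "connect", "detail": ("db", 5432, "postgresql")},
    # Known peer and port, but a different application protocol on the wire.
    {"workload": "api", "kind": "connect", "detail": ("db", 5432, "ssh")},
    # A workload with no baseline at all.
    {"workload": "batch", "kind": "process", "detail": ("python3",)},
]


class BehaviourPolicy:
    """Allow-list built from observation; everything else is denied."""

    def __init__(self):
        self._allowed = defaultdict(set)  # workload -> {(kind, detail)}
        self.enforcing = False

    def learn(self, events):
        """Record observed behaviour; refused once enforcement has started."""
        if self.enforcing:
            raise RuntimeError("baseline is frozen once enforcement starts")
        for event in events:
            self._allowed[event["workload"]].add((event["kind"], event["detail"]))

    def enforce(self):
        """Freeze the baseline and start denying deviations."""
        self.enforcing = True

    def decide(self, event):
        """Return 'allow' for learned behaviour, 'deny' for anything else."""
        rule = (event["kind"], event["detail"])
        if rule in self._allowed.get(event["workload"], set()):
            return "allow"
        # Zero trust: unknown workloads and unknown behaviour get no benefit
        # of the doubt. Before enforcement the deviation is only reported.
        return "deny" if self.enforcing else "alert"


def run_example():
    """Learn the baseline, enforce it, and return the denied runtime events."""
    policy = BehaviourPolicy()
    policy.learn(LEARNING_EVENTS)
    policy.enforce()
    return [
        (e["workload"], e["kind"], e["detail"])
        for e in RUNTIME_EVENTS
        if policy.decide(e) == "deny"
    ]


if __name__ == "__main__":
    for workload, kind, detail in run_example():
        print("DENY", workload, kind, detail)
```
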

The importance of having a secure software supply chain in a cloud native environment?

The software supply chain is a critical component of cloud-native environments. It is the end-to-end process that ensures that all applications and components used in a cloud-native environment are secure, from the hardware and OS on which Kubernetes runs to the smallest library used in the end application.

To keep it secure we should verify the authenticity of software (for example against signatures from a regulated third party), regularly patch any vulnerabilities, use secure delivery methods, and control who can modify the code and when, making sure every change is subject to peer review.

This is where certifications such as SLSA4 and Common Criteria EAL4+ show their value, ensuring that the SUSE processes for developing and maintaining its products have passed the rigorous security evaluation required to be awarded these certifications.

Unfortunately, we cannot always work with certified software, in which case we need to resort to the use of security platforms like SUSE NeuVector, or Kubernetes cluster managers like Rancher, to scan the images on the registries for vulnerabilities, validate compliance with security regulations, run security benchmarks on the infrastructure, etc. It is vital that these checks can be repeatable and automated so that they are not a one-off.

Why must we automate security in Kubernetes environments?

Automating security in Kubernetes environments is essential for ensuring that the environment is secure, compliant and up to date, reducing the attack surface by patching and configuring software resources in the supply chain securely.

Security in a cloud-native environment is not static: new vulnerabilities and patches appear every day, and criminals automate their attacks to quickly find and attack victims, so we need to match their methods.

Automation also brings other benefits such as helping to eliminate manual errors and ensuring that security policies are consistently enforced across the environment.

It also can drastically reduce the time it takes to restore a system that has been attacked to its original state. However, it is important to note the system must be patched prior to restoring it; and for that we also need to simplify and automate the updating process.

To make this possible and easier to implement, security platforms like SUSE NeuVector, and Kubernetes management tools like Rancher, are designed with automation in mind. With Rancher we can automatically deploy and upgrade workloads across clusters using Fleet or your own external CI/CD system which eases the adoption of Infrastructure-as-Code.
With the SUSE NeuVector API and CRDs we can load security policies the same way we do with other resources in Kubernetes, making it very easy to implement Security-as-Code using an existing CI/CD platform.

How can we scale these measures when we have multiple clusters?

We need software that has a low footprint and is able to perform reliably. High resource consumption will impact application performance, making it impossible to meet the increased demand; this is one of the key aspects of production-ready software.

We can make use of Rancher’s security capabilities I have mentioned earlier to ensure that all Kubernetes clusters are properly configured and secured. Rancher can help with access control, security policy enforcement, and vulnerability scanning.

With SUSE NeuVector we can also manage the security posture on multi-cluster and multi-cloud deployments by pushing federated rules to each cluster and sync the results of registry scans across multiple clusters.

This approach enables us to scale our security measures even when we have multiple clusters, and the NeuVector architecture, which works completely without sidecars or similar, makes it easy to scale protection alongside the application workloads.

Summary

We have seen that having a secure software supply chain and implementing behavioral-based Zero-Trust security policies at the system and network level can help protect against malicious attacks, such as ransomware, and zero-day threats used by criminals. SUSE products are designed to prioritize security and work at scale; our team constantly innovates in the area of security to ensure your business remains stable and resilient.

If you want to learn more about Zero-Trust you can download our free Zero Trust Container Security for Dummies ebook, or please feel free to request a demo of NeuVector.

For more information about our products and services, please contact us.

For other articles in this series please visit:

Ransomware Attacks – Part 1, Introduction

Ransomware Attacks – Part 2, Traditional IT Security

How to protect your SAP applications from Ransomware attacks

Expanding Enterprise Computing Options with an All-Arm Cluster – The Hammerhead Way

Wednesday, 15 February, 2023

Background:

The Hammerhead Consortium leveraged its Ampere Computing-powered cluster in its latest test iteration showcasing a ScyllaDB environment in an all-Arm cluster. The results will be made available in a joint session between Ampere Computing and ScaleFlux at the upcoming ScyllaDB Summit 2023.

The objective was to show the ability to deliver high performance numbers with lower power consumption due to the higher CPU density available with Ampere’s Altra and ScaleFlux’s embedded intelligent computational storage technology.

The Hammerhead Consortium consists of technology and business professionals from Ampere Computing, Arm, Micron, NVIDIA, and SUSE working together to expand the ARM64 application ecosystem by testing and validating select compute workloads while holistically improving their overall performance, leveraging the product components brought by the consortium.

In other words: “We show a path to what’s possible”.

Test Configuration:

A subset of the Hammerhead III cluster was used for the testing.  3 nodes were configured to act as Scylla Cluster Servers with ScaleFlux Storage Accelerators added to them.  Another 3 nodes (without the Storage Accelerators) were used to act as client test units.

(Illustration provided by Ampere Computing)

Tests, Results and Findings:

To test the performance of our cluster we used the cassandra-stress benchmark utility. Three different workload profiles were tested: 100% Read and 75%/25% Read/Write across 10 billion records to demonstrate performance from disk, and 50%/50% Read/Write across 1 million records to show performance when accessing data in memory.

For each of these tests the three-node cluster performed very well, serving over 1 million requests/sec and maintaining P99 write latencies under 8 milliseconds. The 75/25 R/W test serviced 1.1 million requests/sec and the other two tests served 1.4 million requests/sec.

Key Takeaways/Call To Action:

  • The Hammerhead consortium continues to demonstrate the benefits of the combined product ecosystem.
    • A complete arm64-based hardware and software stack ready to support applications at scale.
    • High performance, density, and efficiencies are reachable with the combined product ecosystem.
  • ISVs and Developers alike who want similar benefits can take advantage of the Ampere Developer Access Program. Gain remote access to bare metal servers, trial systems shipped to you or access to partner cloud resources – depending on your requirements.
  • ISVs looking to gain access to all the elements of the SUSE stack and certify their applications can join the SUSE One Partner program.

Stop the Churn with SUSE eLearning

Wednesday, 15 February, 2023

The Covid pandemic has brought us a lot of new phrases in the workforce. First, there was “quiet quitting” – the desire to do “just” what’s in your job description and no more.  Then there was the “great resignation” where it seemed like everyone was looking for their next opportunity.  That led to “quiet hiring,” where the people left in positions took on additional work with no (or minimal) extra pay.

With all that being said, workplace churn is real.  So, what is a savvy manager to do to retain their top employees and keep their businesses running?

One answer that keeps coming up is the opportunity for continuous learning.  As the technology landscape changes, your technical professionals want to keep their skills both sharp and current.  But can you afford to send your top employees away for a week or more to satisfy their desire for technical knowledge?

Announcing SUSE eLearning for the Enterprise

SUSE has heard the requests from our customers and has expanded our eLearning offering to address Enterprise needs.  Differing from our Individual eLearning tiers, the Enterprise tier addresses the modern workplace by providing:

  • Up to 5 eLearning subscriptions that you can swap amongst employees
  • Up to 1000 hours of lab time for hands-on experience
  • Up to 10 Certification exam vouchers

The best part – an eLearning subscription provides access to every SUSE technical training course.  And with new courses rolling out frequently, your team will be the first to learn about new technology as it happens.  Getting access to the latest information as soon as it’s released is not only good for your team but also for your business.

But What Is SUSE eLearning?

SUSE eLearning is training designed for today’s workforce.  It’s literally training your way: anywhere, anytime. With just one subscription, you get access to all the technical training for every SUSE product.

Interested in SUSE Manager, NeuVector, or Rancher Prime?  Take the appropriate courses to learn more.  Interested in Harvester?  We’ve got courses for that too.  Whether you are looking for a bite-sized video to solve a specific problem or a defined learning path that leads to certification, SUSE eLearning has exactly what you need to satisfy your employees and move your business forward.

SUSE eLearning has been in the market for over a year for your individual learners, but now there’s a tier defined specifically for the enterprise.

*Includes 200 hours of live labs per user with a maximum of 1000 hours during the subscription period. 10 certification exams per subscription; not per user.

So, while the market is churning, keep your employees engaged with continuous learning.  Make eLearning part of your plan to increase job satisfaction.  After all, your business is only as good as your people.  And your people are only good if they are engaged.  It’s up to you to stop the churn.

Learn more about SUSE eLearning Subscriptions and all the training offerings that SUSE offers by clicking here.