Which golden image solution is best for you?
What is a golden image?
A golden image is a repeatable master image that can be applied across an organisation’s virtual machines (VMs). It is essentially a hardened template that, once set, can ensure consistency and security across devices and eliminate the need for configuration changes, reducing risk of failure.
Managing the lifecycle of an image entails the full software delivery process, from scripting and building the image, through hardening and maintenance, to applying security and compliance updates.
Solution 1. Open source
There are various free, open source tools available for processing images. These are really just basic building blocks. Businesses need to be able to invest a lot of time (and budget) setting up automations, testing, creating definitions, and customisations. And then they need additional hardening tooling. Out of the box, open source tools don’t offer anything in terms of customisation or security.
To build on top of the open source tooling, a business needs a strong, diverse team of DevOps, software and system engineers. They need the capacity to develop and automate a complete golden image solution, often across multiple cloud environments. The business should be fully aware of the pitfalls of doing so. You can find out more about these here.
It’s these operational needs that are sometimes overlooked. It’s not just about the initial installation. Essentially, open source is totally unmanaged – you take the scripts and use them, but there’s no technical support, no policies or documentation, no audits or compliance help.
Businesses should also be aware of the security element. If any security vulnerability is exposed, you have to monitor it and fix it. If something goes wrong with any code or releases, you have to fix it. And with poor quality of documentation available, it’s easy to misconfigure and expose systems to security issues without knowing. This can lead to exposing images publicly.
Solution 2. Public cloud tools
AWS and Azure both have solid offerings for building, testing and deploying images: AWS EC2 Image Builder and Azure Image Builder.
In some instances, going with these tools is enough. They have some basic built-in automation and security settings and are pretty straightforward to implement for basic needs.
However, if there is any additional layer of customisation or complexity, this is often outside a standard cloud architect’s skill set. Also, to fully maintain and optimise a full golden image lifecycle, the best practices need to be in place. It’s not just a one-click solution.
There is a level of provisioning needed, and where multi-cloud or on-premises configurations are required, a specific skill set is needed that goes beyond pure AWS or Azure cloud architecture.
You’ll need people skilled in the specific cloud, but also with good experience across multiple cloud environments. Another layer of expertise is needed to code on top of multiple environments and solve the complexity of the services that differ between cloud providers. This is a very specific skill set: a mix of engineering across clouds with an overarching multi-cloud vision, and the technical expertise to know what’s under the hood and tie it all together.
And these public cloud tools still aren’t that commonly used. Many companies aren’t aware these services exist, and even those that are often don’t fully understand how to utilise them.
Another point to consider is that – even though these services have the levels of support, documentation and policies you’d expect from the hyperscalers – there’s still a level of risk to security if they’re not configured correctly.
Solution 3. Marketplace
You can purchase legitimate, out-of-the-box images from online marketplaces, but these still require a certain amount of work to develop the full lifecycle – if running in-house, you’d then apply open source or public cloud solutions on top.
If going down this route, you need to make sure you’re using a trusted, certified vendor. Third-party solutions are sold on these sites, and it has been known for ‘legitimate’ images to be infiltrated with malicious hardware.
Businesses need to understand that these images can’t be modified for their needs. It’s not possible to add a subset of hardening, or request any customisation or development support. So you’ll need a good level of in-house expertise to maximise your investment. And remember, whilst there’s a level of compliance, you’re probably only ticking the box for the short-term, and future upgrades will be needed.
Also remember to calculate the total operational costs. Many of these vendors build huge margins into the running costs. The cumulative cost of running an instance per hour, across a few thousand VMs, means the total cost can become quite significant.
Businesses should also scope the need for future integrations, as sometimes these solutions aren’t compatible. For example, we’ve seen instances where businesses have tried to implement a cybersecurity system, but it couldn’t be installed because the server was already hardened without any adaptability. This results in a long, costly process of opening the image, finding the blocking control, installing the software, and hardening again.
Solution 4. Fully-managed
If you have stringent compliance, security or reporting needs, or customisation and automation requirements, a fully-managed solution gives you the peace of mind you need.
A solution like ImageFactory provides 2 levels of security, and is continuously maintained for all public clouds, so you’re completely covered. It means you’re automatically getting updated images delivered to all your accounts and subscriptions in a secure way.
And, whilst the managed service costs need to be considered, the total cost of a solution like ImageFactory is actually lower than building your own solution in-house or using marketplace solutions. It’s also faster to implement – and flexible enough to meet a range of needs.
But be careful. Whilst some providers claim to offer a full lifecycle solution, it has been known for some to only offer the consultancy and script you need to get started, leaving you with a script that’s unmanaged or underdeveloped, and then paying more to fix. Or, a provider might offer some managed development, scripts, or tools to deploy, without offering a fully-managed SaaS product – like ImageFactory. You need to make sure your provider has the advisory level, product, and ongoing support to make sure you’re fully covered.
And make sure they comply with ISO standards, as you’re entrusting this provider with an important layer of security and compliance. The provider needs to prove their credentials across ISO and cloud partner certifications are at a high level – like Nordcloud Klarity.
This kind of service is exposed to a specific risk: supply chain attacks, in which attackers compromise a provider as a way to infiltrate its larger customers. The product and provider should be able to demonstrate automated security checks, stringent testing protocols and compliance reporting, to fully protect businesses from supply chain attacks.