As Seeq has grown and evolved, there are clear trends in both our customers' usage and expectations of Seeq. The need to scale in the face of increasing workloads, the need for high availability in support of business-critical scenarios, and the need to react more quickly to both feature and security changes are just some of the trends we’ve experienced. A Cloud-Native environment is the best way that we can address both these current and future needs.
The Microsoft Windows Server environment is a very effective computing environment for a single server, but there are deep technical challenges with extending that to support scalability and high availability. Because of these limitations, R58 will be the final feature release of Seeq for Microsoft Windows. We anticipate R58 to be available in the fall of 2022, with full technical support extending through the end of 2023.
The purpose of this article is to provide the insight into this decision and provide information to help you and Seeq collectively chart a path forward.
The Move From Windows Server to Cloud Native
Seeq has grown significantly from its humble beginnings. Originally conceived as an application an engineer would use on their desktop computer, the utility and functionality of Seeq quickly outgrew that model. As a server-centric application, Seeq provides critical value to businesses ranging from single plant installations to global-scope deployments serving needs on a 24x7 basis. Along with this growth comes additional expectations for Seeq with regard to scale, security and availability.
Single-server applications are limited in their abilities to meet these needs. Modern cloud-based technologies such as containerized deployments, service-based architectures, and layered security protocols allow Seeq to adapt more fully to the expectations and needs our customers are expressing to us.
In order to deliver the capabilities and features that are enabled by Cloud Native technologies, we have to move away from building Seeq as a single-server Windows application.
What does Cloud Native mean?
The Cloud Native Computing Foundation (CNCF) describes cloud native as deploying software using technologies such as containers and microservices to provide scalable solutions on cloud computing platforms. What does that mean for Seeq?
This means that instead of deploying Seeq in an environment where the entire solution is constrained by the limits of a given server, either a physical server or a virtual machine, the software will be deployed as a set of collaborating components that will be able to scale out as needed, and have the ability to improve reliability and up-time via redundant copies of those services.
What advantages does being Cloud Native bring?
Being a cloud native application will not change Seeq overnight. In fact, the end-user experience will be functionally identical at first. However, being in Cloud Native environment will allow us to bring forward features that include:
Scale critical resources, such as computational nodes, to adapt to workloads dynamically.
Improve reliability by having redundancy of services across multiple cloud “availability zones”, minimizing single points of failure.
Upgrade Seeq without incurring user down-time.
Deliver Seeq more rapidly to respond to both evolving customer needs and a dynamic security environment in a more granular and targeted manner.
What does this mean for on-premise Seeq Deployments?
As we begin to sunset our support for Seeq on Microsoft Windows servers, we recognize that this change is a journey. This evolution will play out over the coming year, and Seeq is committed to making that journey with you. We’re not turning off a light switch. Instead, we are committed to mapping out a transitional plan that addresses your needs, concerns, and expectations.
Timeframe and Support Expectations
R58 will be the last feature release of Seeq that is supported on Microsoft Windows servers. R58 is expected to be released in the fall of 2022. R58 will experience the same degree of support with point fixes and updates as all prior feature releases of Seeq. We will extending support for R58 with bug-fixes and security updates through the end of 2023.
R59 and subsequent releases will continue to be developed and delivered during that time frame, However, beginning with R59, some features of Seeq will only be available in Seeq SaaS, as they will rely on the Cloud Native environment.
What is Seeq SaaS?
We recognize that everyone using Seeq is driven by a common objective: Add business value to each user’s unique contribution, regardless if they are operational, managerial, or scientific. However, administering a business critical application, especially in a secure, resilient, and scalable manner, is a significant I.T. task - one that potentially takes time, effort, and resources away from more impactful activities. Seeq SaaS will bring best-in-class I.T. functions to support your Seeq activities, freeing you up to focus on the operational value of using Seeq. We can also bring I.T. resources to bear across our entire fleet of customers that might not be justifiable on a smaller scale.
Among the core values of Seeq SaaS are:
Active monitoring of Seeq health and performance
Right-sizing of deployed assets
Dedicated Seeq Operations and Support teams responding to both operational and security events
Daily non-disruptive backups to two geographically separated locations with periodic restoration checks and validation
Geographically dispersed Disaster Recovery and Business Continuity Plan
Defense in Depth Security posture with threat monitoring and response planning.
There are many reasons why Seeq considers Seeq SaaS as our primary deployment model. These are more fully described in the white paper Why Seeq SaaS is Best.
To facilitate a move to SaaS, Seeq has a well defined and practiced migration process. We’ve migrated dozens of customers from their On-Premise servers to Seeq SaaS. Our migration consultation process will assess the size of your deployment, deploy assets into the Seeq SaaS cloud, and migrate your server with minimal downtime.
The details of the process will be discussed when the time arrives, but the general steps are:
Commissioning of your Seeq SaaS deployment
Deploying appropriate Remote Agents
Go-Live Migration (typically via an overnight downtime event)
To get more information on migrating to Seeq SaaS, or to request a migration, you can visit the Seeq Support Portal.
Seeq SaaS compared to A Customer’s Private Cloud
A number of Seeq Customers have Seeq deployed in Virtual Machines running in their private clouds on either AWS or Azure. While it might seem equivalent, Seeq can’t truly be “cloud native” in a customer’s private cloud. Let’s explore why.
The cloud technologies that allow Seeq to be more scalable, resilient and secure also come with added complexity outside the Seeq software. At Seeq, we have an entire Cloud Platform team dedicated to designing, testing, implementing and updating the cloud environment around the Seeq Software. There is a very specific relationship between the Seeq software and the Platform on which Seeq runs which places specific requirements on the number and type of cloud assets deployed. There are literally dozens of requirements and touch points that need to align properly.
Since we own the infrastructure in Seeq SaaS, we have the latitude to deploy the assets we need, in the manner we need, and in the quantities we need. Attempting to replicate Seeq’s standards and policies into private clouds would likely not align with established policies, standards, nor even the availability of specific services. As Seeq’s capabilities grow, the needs of the underlying infrastructure can be rapidly adapted to match those needs in SaaS.
Finally, one of the major cloud technologies employed by Seeq SaaS is Kubernetes. While Kubernetes is incredibly powerful for managing large-scale fleets like Seeq SaaS, it is also very complex to deploy and manage and would entail a degree of overhead and cost that is prohibitive when deployed for only a single customer.
Seeq SaaS Technical Overview
To understand how Seeq SaaS is deployed, and how it interacts with your existing on-premise and cloud data sources, we will examine the overall architecture as well as the role of the Seeq Remote Agent.
Seeq SaaS Architecture
The Seeq SaaS Architecture consists of two distinct parts. The Seeq Cloud is the heart of the Seeq SaaS offering. Seeq hosts the Seeq Cortex and Seeq Data Lab products in a highly available, scalable and secure cloud infrastructure. We use encrypted storage to retain customer work products, such as Workbench Analysis, Organizer Topics and Seeq Data Lab projects.
The second part is the Seeq Remote Agent. These agents provide the secure and highly performant connectivity to both on-premise and private cloud-hosted datasources.
The Seeq Cloud also holds the Seeq Cortex cache. Using the cache, Cortex only has to request a given piece of data once in a recent period of time. Once retrieved, that data is retained in an encrypted form for future use. Using this method, we have seen that 95% of data requests are fulfilled via the cache, greatly reducing any possible impact on datasource historians despite high degrees of usage of that data in Seeq.
Seeq Cloud also performs non-distrupive daily backups of all customer data, which is retained in a tiered manner for up to 1 year, including a geographically distributed copy that insure business continuity for our customers in the event of sever natural or regional issues affecting and of the cloud regions.
Seeq Remote Agents
The Seeq Remote Agent is a small footprint windows application that runs either on-premise or in a customer’s private cloud with modest hardware requirements. This agent serves two purposes.
The most important function of the Seeq Remote Agent is that it establishes an outbound, authenticated and encrypted HTTPS link to Seeq Cortex in the Seeq Cloud. Once established, this allows for the bi-directional passage of data to provide connectivity between Seeq Cortex and data sources that reside behind a corporate firewall. Since the connection is initiated from the agent, there is no need to pierce the corporate firewall to allow Seeq to “drill through” to access those data sources; only outbound connections are required.
The second function of the agent is one of performance enhancement. Most historian and datasources have communication protocols that are optimized for short distance, low-latency networks. Attempting to pass data using that protocol all the way to the Seeq Cloud would result in very slow data transfer. Instead, the agent receives requests from Seeq Cortex, and fulfills that request for data over the local company network, before compressing and encrypting the response and sending it to Cortex. We can see up to 10x performance improvements using this method.
Seeq SaaS Security
Seeq places the security of data first and foremost of our concerns. While performance, features, functionality and scale are exceptionally important, none of them trump our commitment to technical and operational security. We have established operational and security controls consistent with SOC 2 Type 2 and verified via third-party audits. We also review and internally assess against additional security standards to determine any additional best practices that we can adopt.
If your organization needs any specific formal certifications, please let us know and we can discuss our specific stance with regard to any of those standards.
Encryption In Flight and At Rest
All data in flight is encrypted using TLS 1.2 or TLS 1.3. This includes all end-user connections between their web browser and the Seeq Cloud, as well as any connections between Remote Agents and the Seeq Cortext server.
All data retained is also encrypted at rest using managed keys. This includes all cached data, derived data, user-generated content and all backups thereof.
Seeq does not require any ports in the corporate firewall to be opened to allow access. All connections to on-premise assets are established as outbound connections using HTTPS on port 443. Additional firewall rules are occasionally needed to allow access to the specific Seeq Cloud URL, as well as to allow the appropriate passage of TLS keys through to the remote agents.
While Seeq has the ability to maintain an internal user account database, we also support and highly recommend the integration of Seeq with your Corporate identify provider. These can be OAuth-enabled vendors such as Okta, Ping, and Azure Active Directory as well as on-premise Windows Authentication and LDAP sources. If your identity provider supports or requires Multi Factor Authentication, Seeq will honor that policy as a result.
Seeq Server on Linux
At this point, Seeq will continue to support those customers currently running Seeq on Linux servers, with some limitations. Seeq SaaS remains the primary and recommended deployment option for Seeq. For the reasons outlined below, Seeq does not recommend migrating from Seeq on Windows server to Seeq on Linux server as a long term strategy.
Technical Requirements for Linux Support
Seeq will be supported on the following Linux environments:
Single server, either VM or physical hardware, running Ubuntu 18.04 LTS or 20.04 LTS.
Challenges and Limitations of Seeq Server on Linux
Seeq running on Ubuntu server will encounter some of the same limitations for scale and reliability that customers encounter with the current Windows server product. Scaling beyond the confines of a single server will not be possible, and high-availability features will not be available on on-prem Linux.
Future deployments of Seeq on Linux will make use of docker containers and deployment via docker compose. Seeq is not supporting on-premise containerized deployments in GCP, OpenShift, Kubernetes, or other container orchestration systems.
New features R59 and later that rely on Cloud-Native technologies will not be available on Seeq Server on Linux.
Challenges and Limitations of Seeq Data Lab on Linux
Seeq Data Lab will continue to be supported on single servers, either VM or physical hardware, running Ubuntu 18.04 LTS or 20.04 LTS.
As with Seeq Server, the scale of Seeq Data Lab will be limited by the resources of the machine.
Unlike cloud-deployed Seeq Data Lab, Linux-based Data Lab notebooks have no guardrails to protect individual notebooks from consuming significant machine resources and impacting all other users of the server.
Data Residency Requirements
If you are a Seeq Enterprise or Strategic Agreement customer with specific Data Residency requirements, Seeq has the flexibility to address those requirements in one of our Seeq SaaS Global Regions (SaaS-Americas, SaaS-EMEA, SaaS-APAC), Please speak with your account representative to make sure these requirements are fully understood.
GMP and other Regulated Industry Requirements
If you are a Seeq Enterprise or Strategic Agreement customer with Good Manufacturing Practice (GMP) requirements, Seeq has features and migration options to meet Data Integrity and 21 CFR Part 11 requirements from your Quality group. Seeq SaaS content can be incorporated in your GMP program as a software platform and reporting solution using Integrated Security, Audit Trail, and Validation Guidelines documentation. Please speak with your account representative to make sure these requirements are fully understood.