
The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Environment #BoomSauce

92 views

Published on

SpringOne Platform 2018
The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Environment #BoomSauce
Joshua Kirchmeier & Garrett Klok, Raytheon

Published in: Software


  1. Copyright © 2018, Raytheon Company. All rights reserved.
     #BOOMSAUCE: THE ANATOMY OF BUILDING A COMPLIANT PCF SERVICE IN A LIMITED-CONNECTIVITY ENVIRONMENT
     Josh Kirchmeier, Garrett Klok
     Approved for Public Release. This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
  2. First – A Disclaimer (10/10/2018)
     • The specifics of what we're doing are sensitive, so information cannot be shared.
     • Regulatory compliance is NOT a destination, but instead a complex and twisty road full of sheer drops and sudden stops – even if we had all of today's answers, what you need to do will be different tomorrow.
     THERE IS NO COOKBOOK FOR REGULATORY COMPLIANCE — YOUR MILEAGE WILL VARY
  3. RAYTHEON COMPANY – A TECHNOLOGY AND INNOVATION LEADER SPECIALIZING IN DEFENSE, CIVIL GOVERNMENT AND CYBERSECURITY SOLUTIONS THROUGHOUT THE WORLD.
     • 2017 net sales: $25 billion
     • 64,000 employees worldwide
     • Headquarters: Waltham, Massachusetts
  4. GLOBAL PRESENCE – ALWAYS THERE. DEDICATED TO OUR GLOBAL CUSTOMERS.
     Raytheon Company is deeply committed to global partnerships, providing solutions and services to valued customers in more than 80 countries and building upon international relationships to best meet the national security and technology needs of nations around the world.
  5. Raytheon Digital Transformation
  6. DevOps at Raytheon
     [Toolchain diagram – capability labels: Collaboration, Documentation, Requirements, Agile Planning, Task Mgmt, Development, Design & Arch, Test Mgmt, Static Analysis, Package Mgmt, Artifact Mgmt, Automation, Solution Delivery, Capacity Mgmt, Availability, App Health, Customer Eng/Sat; environments: Toolchains, Sandbox, Dev/Test, Production]
     Images used from: https://commons.wikimedia.org/wiki/
  7. PCF as a Service (PCFaaS)
     DEFINE SERVICE TENETS
     • Achieve compliance and security requirements
     • Enable speed and agility for our development teams
     • Provide high availability and resiliency
     SCOPE SERVICES TO WHAT IS NEEDED AND ALLOWED – CONTROL AND ARTICULATE SCOPES (see Keith Rodwell's SpringOne 2017 presentation)
     AGILE APPROACH TO SERVICE DELIVERY
     • Establish a roadmap and service guardrails
     • Define what is in and out of your service
     • Define how to request new capabilities
     • Share a near- and long-term roadmap
  8. PCF as a Service (PCFaaS)
     CONSTRUCT A SERVICE MODEL
     • Service strategy and responsibilities
     • How the service will operate (deploy, scale and maintain) the platform
     • Standard services and capabilities (now and roadmap)
     • One-stop shop for everything in the service
     DEFER COST MODEL / CHARGEBACK
     • Wait if you can!
     • Focus on building adoption
     • Allow the platform team time to understand the platform
     • Allow developers and stakeholders to see the value
     Reference: Pivotal Chargeback
  9. Our PCFaaS Service Value Proposition
     HIGH AVAILABILITY · SECURITY & COMPLIANCE · DEVELOPER PRODUCTIVITY · OPERATOR EFFICIENCY
     • CUSTOMER: "Here is what I need, provide me business value, I do not care how." – Garrett Klok (Raytheon)
     • COMPLIANCE: "Here are policies, go and make me compliant, I do not care how." – Garrett Klok (Raytheon)
     • DEVELOPMENT: "Here is my source code, run it on the cloud for me, I do not care how." – Onsi Fakhouri (Pivotal)*
     • OPERATIONS: "Here are my servers, go make them a Cloud Foundry, I do not care how." – Onsi Fakhouri (Pivotal)*
     * https://content.pivotal.io/blog/pivotal-cloud-foundry-s-roadmap-for-2016
     Image: https://commons.wikimedia.org/wiki/File:Devops-toolchain.svg
  10. Compliance?
  11. Compliance Because…
     OUR BUSINESSES MAKE THE WORLD A SAFER PLACE
     • Integrated Defense Systems (IDS) – Headquartered in Tewksbury, Massachusetts, Integrated Defense Systems specializes in air and missile defense, large land- and sea-based radars, and systems for managing command, control, communications, computers, cyber and intelligence. It also produces sonars, torpedoes and electronic systems for ships.
     • Forcepoint™ (powered by Raytheon) – Forcepoint is transforming cybersecurity by focusing on what matters most: understanding people's intent as they interact with critical data and intellectual property wherever it resides. Forcepoint's Human Point System enables customers to understand the normal rhythm of user behavior and the flow of data throughout an organization to rapidly identify and eliminate risk. Based in Austin, Texas, Forcepoint protects the human point for thousands of enterprise and government customers in more than 150 countries.
     • Intelligence, Information and Services (IIS) – Headquartered in Dulles, Virginia, Intelligence, Information and Services designs and delivers solutions and services that leverage its deep expertise in cyber, analytics and automation. Software, systems integration, and the support and sustainment of Raytheon and other companies' systems for intelligence, military and civil applications are delivered across four domains: space, cyber, mission readiness, and multi-domain battlespace management command and control.
     • Missile Systems (RMS) – Headquartered in Tucson, Arizona, Missile Systems is the premier global effects provider across broad addressable markets. The business designs, integrates, delivers and supports weapons systems for all missions spanning all domains, including interceptors for ballistic missile defense. It operates at the forefront of advanced technology development, including hypersonic weapons programs and directed energy systems. International operations include Raytheon UK, Raytheon ELCAN, and Raytheon Emirates.
     • Space and Airborne Systems (SAS) – Headquartered in McKinney, Texas, Space and Airborne Systems is a leading provider of radar and sensor systems on airborne and space-based platforms. The business also provides communications, electronic warfare, high-energy laser solutions and special mission aircraft for the network-centric battlefield. Research advancements range from linguistics to quantum computing.
  12. Defense Industry Regulations
     BE FAMILIAR WITH THE REGULATIONS THAT YOU'RE DESIGNING TO MEET: ITAR, EAR, CUI and NIST 800-171
     • International Traffic in Arms Regulations (ITAR) – U.S. government regulations on the export and import of defense-related articles and services
     • Export Administration Regulations (EAR) – Commercial import and export regulations
     • Controlled Unclassified Information (CUI) – Data that must be safeguarded and/or dissemination-controlled by U.S. government regulation
     • NIST 800-171 – Protecting CUI in nonfederal information systems and organizations
  13. DFARS – DEFENSE FEDERAL ACQUISITION REGULATION SUPPLEMENT
     • A supplement to the FAR that provides DoD-specific acquisition regulations that DoD government acquisition officials – and those contractors doing business with DoD – must follow in the procurement process for goods and services
     NIST 800-53 / 800-171 FAMILIES OF CONTROLS
     • Access Control
     • Awareness and Training
     • Audit and Accountability
     • Configuration Management
     • Identification and Authentication
     • Incident Response
     • Maintenance
     • Media Protection
     • Personnel Security
     • Physical Protection
     • Risk Assessment
     • Security Assessment
     • System and Communications Protection
     • System and Information Integrity
  14. DFARS: Controls Addressed
     • Encryption – System and Communications Protection (3.13) – Data at rest / in motion / in use
     • Multi-Factor Authentication – Identification and Authentication (3.5) – Something you have / know / are
     • Vulnerability Scans – Risk Assessment (3.11) – Remediate and mitigate threats
  15. Limited-Connectivity Environment Challenges
     • Certificates – Unable to copy SSL certificates to Concourse runtime containers
     • Proxies – Unable to set a proxy on Concourse worker VMs
     • Off-line (i.e. air-gapped) pipelines – Pipelines have assumptions (e.g. internet connectivity, 3 AZs, …)
     • Security constraints – Images, source code and binaries pulled only from private registries/repos
     • Controls on top of GovCloud – Additional rules and practices enforcing compliance
  16. Encryption: Made Easy
     • BOSH Director / Ops Manager – Encrypt the AMI while copying it into your own AMIs, via the AWS Console or the AWS CLI:

```shell
aws ec2 copy-image \
  --source-image-id ami-xxxxxxxx \
  --source-region us-gov-west-1 \
  --region us-gov-west-1 \
  --name encrypted-ops-manager-ami \
  --encrypted \
  --kms-key-id arn:aws-us-gov:kms:us-gov-west-1:############:key/<custom-kms-key-id>
```

     • PAS – Encrypt EBS volumes (Ops Manager > Director > AWS Config)
  17. Encryption: Made Not So Easy
     • Encrypt stemcells – `bosh repack-stemcell`
     • Modify cloud properties – update cpi.yml with an ops file:

```yaml
- type: replace
  path: /resource_pools/name=vms/stemcell?
  value:
    url: file://~/stemcells/encrypted-light-bosh-stemcell-3468.21-aws-xen-hvm-ubuntu-trusty-go_agent.tgz
# ...
- type: replace
  path: /resource_pools/name=vms/cloud_properties?
  value:
    instance_type: m4.xlarge
    ephemeral_disk:
      type: gp2
      size: ###
      encrypted: true
      kms_key_arn: "arn:aws-us-gov:kms:us-gov-west-1:<userid>:key/<kms-key-id>"
    availability_zone: ((az))
# ...
- type: replace
  path: /disk_pools/name=disks/cloud_properties?
  value:
    type: gp2
    encrypted: true
    kms_key_arn: "arn:aws-us-gov:kms:us-gov-west-1:<userid>:key/<kms-key-id>"
```
  18. Encryption: Gotchas/Tips
     • Error: `Unknown CPI error 'Unknown' with message 'You are not authorized to perform this operation.' in 'create_stemcell' CPI method`
       – Ensure the proper CPI version
       – Update the IAM policy to allow `ec2:RegisterImage`, `ec2:DeregisterImage` and `ec2:CopyImage`
       – Update the KMS key policy to include the user in both statements:

```json
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": { "AWS": [ …, "user", … ] }
},
{
  "Sid": "Allow attachment of persistent resources",
  "Effect": "Allow",
  "Principal": { "AWS": [ …, "user", … ] }
}
```

     • Replace existing stemcells – `bosh upload-stemcell --fix`
       – Change the version number, e.g. from `bosh-aws-xen-hvm-ubuntu-trusty-go_agent/3541.4` to `encrypted-bosh-aws-xen-hvm-ubuntu-trusty-go_agent/3541.4.1`
     • Write your own routine for checking encryption status
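The "write your own routine for checking encryption status" tip above, as an added example that is not from the deck or from Raytheon: it runs offline over constructed JSON in the shape of `aws ec2 describe-volumes` and `aws ec2 describe-images` output and flags any EBS volume or AMI snapshot that is unencrypted or encrypted under a key other than the approved GovCloud CMK. The key ARN and resource ids are placeholders.

```python
import json

# Constructed placeholder for the approved customer-managed KMS key (GovCloud partition).
EXPECTED_KMS_KEY_ARN = "arn:aws-us-gov:kms:us-gov-west-1:000000000000:key/custom-kms-key-id"

# Constructed samples in the shape of `aws ec2 describe-volumes` / `describe-images` JSON.
SAMPLE_VOLUMES = json.loads("""{"Volumes": [
  {"VolumeId": "vol-0aaa", "Encrypted": true,
   "KmsKeyId": "arn:aws-us-gov:kms:us-gov-west-1:000000000000:key/custom-kms-key-id"},
  {"VolumeId": "vol-0bbb", "Encrypted": false},
  {"VolumeId": "vol-0ccc", "Encrypted": true,
   "KmsKeyId": "arn:aws-us-gov:kms:us-gov-west-1:000000000000:key/aws-managed-default"}]}""")
SAMPLE_IMAGES = json.loads("""{"Images": [
  {"ImageId": "ami-0enc", "BlockDeviceMappings": [{"DeviceName": "/dev/sda1", "Ebs": {
     "Encrypted": true,
     "KmsKeyId": "arn:aws-us-gov:kms:us-gov-west-1:000000000000:key/custom-kms-key-id"}}]},
  {"ImageId": "ami-0plain", "BlockDeviceMappings": [
     {"DeviceName": "/dev/sda1", "Ebs": {"Encrypted": false}},
     {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]}]}""")

def _finding(kind, rid, ebs):
    """Reason this EBS volume/snapshot fails the policy, or None if it is compliant."""
    if not ebs.get("Encrypted"):
        return f"{kind} {rid}: not encrypted"
    if ebs.get("KmsKeyId") != EXPECTED_KMS_KEY_ARN:
        # Encrypted, but under the AWS-managed default or another key: still a finding.
        return f"{kind} {rid}: wrong KMS key {ebs.get('KmsKeyId')}"
    return None

def check_volumes(describe_volumes):
    """Findings for EBS volumes (PAS/BOSH persistent and ephemeral disks)."""
    findings = [_finding("volume", v["VolumeId"], v) for v in describe_volumes["Volumes"]]
    return [f for f in findings if f]

def check_images(describe_images):
    """Findings for AMI snapshots (Ops Manager AMI, repacked stemcells)."""
    out = []
    for img in describe_images["Images"]:
        for bdm in img.get("BlockDeviceMappings", []):
            if "Ebs" not in bdm:
                continue  # instance-store mapping: no snapshot to check
            f = _finding("image", f"{img['ImageId']} {bdm['DeviceName']}", bdm["Ebs"])
            if f:
                out.append(f)
    return out

if __name__ == "__main__":
    for line in check_volumes(SAMPLE_VOLUMES) + check_images(SAMPLE_IMAGES):
        print(line)
```

In practice the two dicts come from `aws ec2 describe-volumes --output json` and `aws ec2 describe-images --owners self --output json` run against the GovCloud account; a non-empty finding list should fail the pipeline stage.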
  19. Multi-Factor Authentication
     • Ops Manager
       – Changing to SAML from internal authentication doesn't allow for SAML configuration updates
       – If you get locked out, manually modify the installation files: locate, decrypt and edit installation.yml and actual-installation.yml
     • Apps Manager / CF – Leverage SAML / enterprise identity
     • Custom applications – Leverage SAML / enterprise identity
  20. Vulnerability Scans: What We Did About It
     EMPHASIS ON BECOMING PROACTIVE
     • Process and collaboration around application security
     • Create and maintain a repository
     • Continuous improvement through feedback and training
     • Guideline and template updates
  21. In Conclusion – #BOOMSAUCE
     • Josh Kirchmeier – Josh.Kirchmeier@Raytheon.com – @jkirchmeier – https://www.linkedin.com/in/joshuakirchmeier
     • Garrett Klok – gklok@raytheon.com – @gklok – https://www.linkedin.com/in/garrett-klok
