SpringOne Platform 2018
The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Environment #BoomSauce
Joshua Kirchmeier & Garrett Klok, Raytheon
2. First – A Disclaimer
The specifics of what we’re doing are
sensitive, so information cannot be shared
Regulatory compliance is NOT a destination,
but instead a complex and twisty road full of
sheer drops and sudden stops – even if we
had all of today’s answers, what you need to
do will be different tomorrow
10/10/2018 2
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.
THERE IS NO COOKBOOK FOR REGULATORY COMPLIANCE — YOUR MILEAGE WILL VARY
3. Raytheon Company
A technology and innovation leader specializing in defense, civil government and cybersecurity solutions throughout the world.
2017 NET SALES: $25 BILLION
64,000 EMPLOYEES WORLDWIDE
HEADQUARTERS: WALTHAM, MASSACHUSETTS
4. Global Presence
Always there. Dedicated to our global customers.
Raytheon Company is deeply committed to
global partnerships, providing solutions and
services to valued customers in more than
80 countries and building upon international
relationships to best meet the national
security and technology needs of nations
around the world.
5. Raytheon Digital Transformation
6. DevOps at Raytheon
Images used from: https://commons.wikimedia.org/wiki/
Toolchain diagram (image residue): collaboration, documentation, requirements, agile planning, task management, development, design & architecture, test management, static analysis, package management, artifact management, automation, solution delivery, capacity management, availability, app health, customer engagement/satisfaction; the toolchains span sandbox, dev/test and production environments.
7. PCF as a Service (PCFaaS)
DEFINE SERVICE TENETS
– Achieve compliance and security requirements
– Enable speed and agility for our development teams
– Provide high availability and resiliency
SCOPE SERVICES TO WHAT IS NEEDED AND ALLOWED
CONTROL AND ARTICULATE SCOPES (see Keith Rodwell’s SpringOne 2017 presentation)
AGILE APPROACH TO SERVICE DELIVERY
Establish a roadmap and service guardrails
What is in and out of your service
How to request new capabilities
Share a near and long term roadmap
8. PCF as a Service (PCFaaS)
CONSTRUCT A SERVICE MODEL
– Service strategy and responsibilities
– How the service will operate (deploy, scale and maintain) the platform
– Standard services and capabilities (now and roadmap)
– One stop shop for everything in the service
DEFER COST MODEL / CHARGEBACK
– Wait if you can!
– Focus on building adoption
– Allow the platform team time to understand the platform
– Allow developers and stakeholders to see the value
Pivotal Chargeback (image)
9. Our PCFaaS Service Value Proposition
*https://content.pivotal.io/blog/pivotal-cloud-foundry-s-roadmap-for-2016
https://commons.wikimedia.org/wiki/File:Devops-toolchain.svg
HIGH AVAILABILITY | SECURITY & COMPLIANCE | DEVELOPER PRODUCTIVITY | OPERATOR EFFICIENCY
CUSTOMER
here is what i need
provide me business value
i do not care how
- Garrett Klok (Raytheon)
COMPLIANCE
here are policies
go and make me compliant
i do not care how
- Garrett Klok (Raytheon)
DEVELOPMENT
here is my source code
run it on the cloud for me
i do not care how
- Onsi Fakhouri (Pivotal)*
OPERATIONS
here are my servers
go make them a cloud foundry
i do not care how
- Onsi Fakhouri (Pivotal)*
10. Compliance?
11. Compliance Because…
IDS
Headquartered in Tewksbury,
Massachusetts, Integrated Defense
Systems specializes in air and missile
defense, large land- and sea-
based radars, and systems for
managing command, control,
communications, computers, cyber
and intelligence. It also produces
sonars, torpedoes and electronic
systems for ships.
FORCEPOINT™
Forcepoint is transforming cybersecurity
by focusing on what matters most:
understanding people’s intent as they
interact with critical data and intellectual
property wherever it resides.
Forcepoint’s Human Point System
enables customers to understand the
normal rhythm of user behavior and the
flow of data throughout an organization
to rapidly identify and eliminate risk.
Based in Austin, Texas, Forcepoint
protects the human point for thousands
of enterprise and government customers
in more than 150 countries.
IIS
Headquartered in Dulles, Virginia,
Intelligence, Information and
Services designs and delivers
solutions and services that leverage
its deep expertise in cyber, analytics
and automation. Software, systems
integration, and the support and
sustainment of Raytheon and other
companies’ systems for intelligence,
military and civil applications are
delivered across four domains:
space, cyber, mission readiness,
and multi-domain battlespace
management command and control.
RMS
Headquartered in Tucson, Arizona,
Missile Systems is the premier global
effects provider across broad
addressable markets. The business
designs, integrates, delivers and
supports weapons systems for all
missions spanning all domains,
including interceptors for ballistic
missile defense. It operates at the
forefront of advanced technology
development, including hypersonic
weapons programs and directed energy
systems. International operations
include Raytheon UK, Raytheon
ELCAN, and Raytheon Emirates.
SAS
Headquartered in McKinney, Texas,
Space and Airborne Systems is a
leading provider of radar and sensor
systems on airborne and space-
based platforms. The business also
provides communications, electronic
warfare, high-energy laser solutions
and special mission aircraft for the
network-centric battlefield. Research
advancements range from linguistics
to quantum computing.
OUR BUSINESSES MAKE THE WORLD A SAFER PLACE: Integrated Defense Systems; Intelligence, Information and Services; Missile Systems; Space and Airborne Systems; and Forcepoint (powered by Raytheon).
12. Defense Industry Regulations
BE FAMILIAR WITH THE REGULATIONS THAT YOU’RE DESIGNING TO MEET: ITAR, EAR, CUI and NIST 800-171
International Traffic in Arms Regulations (ITAR)
– U.S. government regulations on the export and import of defense-related articles and services
Export Administration Regulations (EAR)
– U.S. government regulations on commercial imports and exports
Controlled Unclassified Information (CUI)
– Data that must be safeguarded and/or dissemination-controlled under U.S. government regulation
NIST SP 800-171
– Protecting CUI in nonfederal information systems and organizations
13. DFARS
A supplement to the FAR that provides DoD-specific acquisition regulations that DoD
government acquisition officials – and those contractors doing business with DoD – must follow
in the procurement process for goods and services
DEFENSE FEDERAL ACQUISITION REGULATION SUPPLEMENT
NIST 800-53 / 800-171 FAMILIES OF CONTROLS
– Access Control
– Awareness and Training
– Audit and Accountability
– Configuration Management
– Identification and Authentication
– Incident Response
– Maintenance
– Media Protection
– Personnel Security
– Physical Protection
– Risk Assessment
– Security Assessment
– System and Communications Protection
– System and Information Integrity
14. DFARS: Controls Addressed
Encryption – System and
Communications Protection (3.13)
– Data at rest/motion/use
Multi-Factor Authentication –
Identification and Authentication (3.5)
– Something you have/know/are
Vulnerability Scans –
Risk Assessment (3.11)
– Remediate and mitigate threats
15. Limited-Connectivity Environment Challenges
Certificates
– Unable to copy SSL certificates to Concourse runtime containers
Proxies
– Unable to set proxy on Concourse worker VMs
Off-line (i.e. Air-Gapped) Pipelines
– Pipelines have assumptions (e.g. internet connectivity, 3 AZs, …)
Security Constraints
– Images, source code and binaries pulled only from private registries/repos
Controls on top of GovCloud
– Additional rules and practices enforcing compliance
16. Encryption: Made Easy
BOSH Internal / Ops Man
– Encrypt the Ops Manager AMI while copying it into your account’s AMIs, from the AWS Console or with the AWS CLI (same source and destination region; the KMS key must be a customer-managed key in that region):

```shell
aws ec2 copy-image --source-image-id ami-xxxxxxxx --source-region us-gov-west-1 --region us-gov-west-1 \
  --name encrypted-ops-manager-ami --encrypted \
  --kms-key-id arn:aws-us-gov:kms:us-gov-west-1:############:key/<custom-kms-key-id>
```

PAS
– Enable “Encrypt EBS Volumes” on the Ops Manager Director tile’s AWS Config page
17. Encryption: Made Not So Easy
Encrypt stemcells
– `bosh repack-stemcell`
Modify cloud properties
– Update cpi.yml with an ops file like the following (`<userid>` in the ARNs stands for the 12-digit AWS account ID):

```yaml
- type: replace
  path: /resource_pools/name=vms/stemcell?
  value:
    url: file://~/stemcells/encrypted-light-bosh-stemcell-3468.21-aws-xen-hvm-ubuntu-trusty-go_agent.tgz
# ...
- type: replace
  path: /resource_pools/name=vms/cloud_properties?
  value:
    instance_type: m4.xlarge
    ephemeral_disk:
      type: gp2
      size: ###
      encrypted: true
      kms_key_arn: "arn:aws-us-gov:kms:us-gov-west-1:<userid>:key/<kms-key-id>"
    availability_zone: ((az))
# ...
- type: replace
  path: /disk_pools/name=disks/cloud_properties?
  value:
    type: gp2
    encrypted: true
    kms_key_arn: "arn:aws-us-gov:kms:us-gov-west-1:<userid>:key/<kms-key-id>"
```
18. Encryption: Gotchas/Tips
Unknown CPI error 'Unknown' with message 'You are not authorized to perform this operation.' in 'create_stemcell' CPI method
– Ensure proper CPI version
– Update the IAM policy to allow:

```
"ec2:RegisterImage",
"ec2:DeregisterImage",
"ec2:CopyImage"
```

– Update the KMS key policy so the user is a principal in both statements:

```
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
  "AWS": [ …, "user", … ]
...
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
  "AWS": [ …, "user", … ]
```

Replace existing stemcells
– `bosh upload-stemcell --fix`
– Change the version number
  From: bosh-aws-xen-hvm-ubuntu-trusty-go_agent/3541.4
  To: encrypted-bosh-aws-xen-hvm-ubuntu-trusty-go_agent/3541.4.1
Write your own routine for checking encryption status
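The last bullet above, and the encryption steps on the two preceding slides, call for a routine that verifies the result. The script below is an added example written for this page, not Raytheon’s or Pivotal’s code. It reads the JSON printed by `aws ec2 describe-snapshots` (for the snapshots behind the copied Ops Manager AMI and the repacked stemcell AMIs) and `aws ec2 describe-volumes` (for the disks of the deployed VMs), and flags every resource that is unencrypted or encrypted with a KMS key other than the platform’s own. The key ARN, resource IDs and the embedded sample output are constructed placeholders, not values from a real account.

```python
"""Encryption-status audit for a BOSH/PCF deployment on AWS GovCloud.

Added example (not Raytheon's or Pivotal's code). Checks EC2 snapshots and
EBS volumes against a required customer-managed KMS key, using the JSON
that the AWS CLI prints, so it runs without any AWS access.
"""
import json
import sys

# Hypothetical key ARN (assumption): replace with the platform's real CMK.
EXPECTED_KMS_KEY = ("arn:aws-us-gov:kms:us-gov-west-1:123456789012:"
                    "key/11111111-2222-3333-4444-555555555555")
# A second key, used only in the constructed sample below.
OTHER_KMS_KEY = ("arn:aws-us-gov:kms:us-gov-west-1:123456789012:"
                 "key/99999999-aaaa-bbbb-cccc-dddddddddddd")


def classify(encrypted, kms_key_id, expected_key=EXPECTED_KMS_KEY):
    """Return None when the resource is compliant, else a short reason."""
    if not encrypted:
        return "unencrypted"
    if kms_key_id != expected_key:
        # Encrypted with the AWS-managed aws/ebs key or another CMK still
        # fails a "use our key" control, so report it separately.
        return f"wrong key: {kms_key_id}"
    return None


def audit_snapshots(describe_snapshots, expected_key=EXPECTED_KMS_KEY):
    """Findings for `aws ec2 describe-snapshots --owner-ids self --output json`.

    Each finding is (SnapshotId, Description, reason)."""
    findings = []
    for snap in describe_snapshots.get("Snapshots", []):
        reason = classify(snap.get("Encrypted", False), snap.get("KmsKeyId"), expected_key)
        if reason:
            findings.append((snap["SnapshotId"], snap.get("Description", ""), reason))
    return findings


def audit_volumes(describe_volumes, expected_key=EXPECTED_KMS_KEY):
    """Findings for `aws ec2 describe-volumes --output json`.

    Each finding is (VolumeId, attached instance IDs, reason) so a bad
    volume can be traced back to a BOSH-managed VM."""
    findings = []
    for vol in describe_volumes.get("Volumes", []):
        reason = classify(vol.get("Encrypted", False), vol.get("KmsKeyId"), expected_key)
        if reason:
            attached = ",".join(a["InstanceId"] for a in vol.get("Attachments", []))
            findings.append((vol["VolumeId"], attached or "unattached", reason))
    return findings


# Constructed sample output (not captured from a real account); the field
# names follow the EC2 DescribeSnapshots / DescribeVolumes responses.
SAMPLE_SNAPSHOTS = {"Snapshots": [
    {"SnapshotId": "snap-0aaa", "Description": "encrypted-ops-manager-ami root",
     "Encrypted": True, "KmsKeyId": EXPECTED_KMS_KEY},
    {"SnapshotId": "snap-0bbb", "Description": "light stemcell 3541.4 root",
     "Encrypted": False},
    {"SnapshotId": "snap-0ccc", "Description": "copied with a different CMK",
     "Encrypted": True, "KmsKeyId": OTHER_KMS_KEY},
]}
SAMPLE_VOLUMES = {"Volumes": [
    {"VolumeId": "vol-0111", "Encrypted": True, "KmsKeyId": EXPECTED_KMS_KEY,
     "Attachments": [{"InstanceId": "i-0router"}]},
    {"VolumeId": "vol-0222", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-0diego0"}]},
]}


def main(argv):
    """`snapshots` or `volumes` reads CLI JSON from stdin; no argument audits
    the embedded sample. Exit status 1 when anything is non-compliant."""
    kind = argv[1] if len(argv) > 1 else "sample"
    if kind == "snapshots":
        findings = audit_snapshots(json.load(sys.stdin))
    elif kind == "volumes":
        findings = audit_volumes(json.load(sys.stdin))
    else:
        findings = audit_snapshots(SAMPLE_SNAPSHOTS) + audit_volumes(SAMPLE_VOLUMES)
    for resource, where, reason in findings:
        print(f"{resource}\t{where}\t{reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `aws ec2 describe-snapshots --owner-ids self --output json | python3 encryption_audit.py snapshots` after repacking stemcells, and with `describe-volumes … | python3 encryption_audit.py volumes` after Apply Changes; a non-zero exit makes it usable as a pipeline gate. `describe-images` alone is not enough for the key check, because its block-device mappings report `Encrypted` but not the key, which is why the script works from snapshots.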
19. Multi-Factor Authentication
Ops Man
– Changing to SAML from internal doesn't allow
for SAML configuration updates
– If you get locked out, manually modify the
installation files
Locate, decrypt and edit the installation.yml
and actual-installation.yml
Apps Man/CF
– Leverage SAML/Enterprise Identity
Custom Applications
– Leverage SAML/Enterprise Identity
20. Vulnerability Scans: What We Did About It
Process and collaboration around
application security
Create and maintain a repository
Continuous improvement through
feedback and training
Guideline and template update
EMPHASIS ON BECOMING PROACTIVE
21. In Conclusion
#BOOMSAUCE
Josh Kirchmeier
Josh.Kirchmeier@Raytheon.com
@jkirchmeier
https://www.linkedin.com/in/joshuakirchmeier
Garrett Klok
gklok@raytheon.com
@gklok
https://www.linkedin.com/in/garrett-klok