Microsoft and Red Hat have certified OpenShift Container Platform to run on Microsoft Azure. This talk steps through the reference architecture and ongoing work to accelerate government ATOs.
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift to Azure)
1.
Changing the Open Hybrid Cloud Game
Deploying OpenShift to Azure
Harold Wong
Cloud Architect
Commercial Software Engineering
harold.wong@microsoft.com
2.
Red Hat OpenShift Container Platform
30.
Accrediting OpenShift On Azure
Shawn Wells
Office of the Chief Technologist
U.S. Public Sector
shawn@redhat.com || 443-534-0130
32.
Azure for Government Certifications
• Allows all DoD and mission partners to leverage Azure for “Controlled Unclassified Information”
• aka “FOUO”
DoD Impact Level 4
ITAR Readiness
FedRAMP High
33.
Azure for Government Certifications
• Store and process regulated data.
• Azure facilities and personnel US-based.
DoD Impact Level 4
ITAR Readiness
FedRAMP High
34.
Azure for Government Certifications
• Focus for today.
• GSA-estimated 50% of $80B Federal IT budget falls under “FedRAMP High”
DoD Impact Level 4
ITAR Readiness
FedRAMP High
35.
Red Hat Certifications
Common Criteria
• RHEL 7.1 certified to EAL4+.
• 3rd party lab verifies security functionality.
• Certified multi-tenancy capabilities.
36.
Test Suite: code exercised by the test suite shows no unexpected errors.
Static Analysis Tools: all code is scanned and important defects are corrected.
Independent 3rd Party: code reviews are performed and defects corrected.
Trained Programmers: the staff is trained and follows procedures.
Runtime Protections: stack protector, FORTIFY_SOURCE, RELRO, and kernel sysctls are in use and effective.
Code Correctness: discuss different classes of errors and how they are detected.
Code Physically Secure: the code is kept in an SCC system with access limited to essential personnel.
Prevention and Detection: processes are in place, staff trained, runtime defenses mitigate latent problems.
Coding Defects: there are no implementation defects that create vulnerabilities.
RHEL meets the General Purpose Operating System Protection Profile.
Requirement Deficiencies: there are no missing requirements.
Design Deficiencies: there are no errors of design that lead to vulnerabilities.
Operational Guidance: the security features are well explained.
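The "Runtime Protections" box on this slide names build-time and kernel hardening that an accreditor expects to see evidenced, not just asserted. The following POSIX shell script is an added example (not from the slides, nor from Red Hat or Microsoft) that checks those protections on a binary from `readelf -l -d -s` text (RELRO level, stack protector, FORTIFY_SOURCE, non-executable stack) and checks a few kernel sysctls from `sysctl -a` text. The readelf and sysctl samples embedded below are constructed, not captured from a real RHEL host, and the sysctl names and minimum values are this example's own assumptions about a reasonable baseline, not values taken from the deck or from a STIG.

```shell
#!/bin/sh
# Added example (not from the slide deck): evidence the runtime protections
# the Common Criteria slide names. Checks parse captured readelf/sysctl text
# so they also run offline; the two samples below are CONSTRUCTED.

SAMPLE_READELF=$(cat <<'EOF'
Program Headers:
  Type           Offset             VirtAddr           Flg
  LOAD           0x0000000000000000 0x0000000000000000 R E
  GNU_STACK      0x0000000000000000 0x0000000000000000 RW
  GNU_RELRO      0x0000000000002de8 0x0000000000003de8 R

Dynamic section at offset 0x2df8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE

Symbol table .dynsym contains 8 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
EOF
)

SAMPLE_SYSCTL=$(cat <<'EOF'
kernel.randomize_va_space = 2
kernel.kptr_restrict = 0
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
EOF
)

# RELRO: a GNU_RELRO segment gives "partial"; BIND_NOW (or FLAGS_1 NOW) on
# top of it makes the whole GOT read-only after load, i.e. "full".
relro_level() {
    if ! printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then
        echo none
    elif printf '%s\n' "$1" | grep -Eq 'BIND_NOW|\(FLAGS_1\).*NOW'; then
        echo full
    else
        echo partial
    fi
}

# Stack protector: a canary-checked binary imports __stack_chk_fail.
has_stack_protector() {
    printf '%s\n' "$1" | grep -q '__stack_chk_fail' && echo yes || echo no
}

# FORTIFY_SOURCE: glibc's checked variants (__memcpy_chk, __sprintf_chk, ...)
# are imported. __stack_chk_fail does not match because "_chk" is not
# directly followed by "@" there.
has_fortify() {
    printf '%s\n' "$1" | grep -Eq '__[a-z0-9_]+_chk@' && echo yes || echo no
}

# Non-executable stack: the GNU_STACK segment must not carry the E flag.
stack_nx() {
    line=$(printf '%s\n' "$1" | grep 'GNU_STACK' || true)
    if [ -z "$line" ]; then echo unknown
    elif printf '%s\n' "$line" | grep -q 'RWE'; then echo no
    else echo yes; fi
}

# Value of one key from "key = value" sysctl output (empty if absent).
sysctl_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $3 }'
}

# Print one FAIL line per sysctl below its assumed minimum (assumption:
# these four keys and thresholds are this example's baseline, not the deck's).
sysctl_failures() {
    for spec in kernel.randomize_va_space=2 kernel.kptr_restrict=1 \
                fs.protected_symlinks=1 fs.protected_hardlinks=1; do
        key=${spec%=*}; want=${spec#*=}
        got=$(sysctl_value "$1" "$key")
        if [ -z "$got" ] || [ "$got" -lt "$want" ]; then
            echo "FAIL $key: want >= $want, got ${got:-unset}"
        fi
    done
}

report() {
    echo "RELRO:           $(relro_level "$1")"
    echo "Stack protector: $(has_stack_protector "$1")"
    echo "FORTIFY_SOURCE:  $(has_fortify "$1")"
    echo "NX stack:        $(stack_nx "$1")"
    sysctl_failures "$2"
}

# With a binary path and readelf available, inspect the live host;
# otherwise run over the constructed samples.
if [ -n "$1" ] && command -v readelf >/dev/null 2>&1; then
    report "$(readelf -l -d -s "$1" 2>/dev/null)" "$(sysctl -a 2>/dev/null)"
else
    report "$SAMPLE_READELF" "$SAMPLE_SYSCTL"
fi
```

Run as `sh harden-check.sh /path/to/binary` (file name hypothetical) on a host with binutils to report on a real executable and its kernel; with no argument it reports on the samples, where the only failing item is `kernel.kptr_restrict`. The functions return plain words so the output can be collected as ATO evidence or diffed between builds.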
37.
US Gov. Protection Profiles
38.
FIPS 140-2 Cryptography Certification
39.
USGCB, STIGs
41.
OpenShift on Azure Reference Architecture
Provides a comprehensive, step-by-step build of an enterprise deployment of OpenShift v3.5 on Azure.
• Public documentation
• Automation scripts on GitHub
44.
OpenShift on Azure Security Blueprint
• ATO paperwork required for all cloud systems
• We went through the ~300pg GSA SSP template and pre-populated answers
45.
OpenShift on Azure Security Blueprint
Some controls are implemented in whole or in part by Microsoft Azure
46.
OpenShift on Azure Security Blueprint
Others are inherently met by use of Red Hat, e.g. FIPS for disk encryption
47.
OpenShift on Azure Security Blueprint
For customer responsibilities, we documented what a successful response would be: