
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift to Azure)


Microsoft and Red Hat have certified OpenShift Container Platform to run on Microsoft Azure. This talk steps through the reference architecture and ongoing work to accelerate government ATOs.

Published in: Government & Nonprofit

  1. Changing the Open Hybrid Cloud Game: Deploying OpenShift to Azure. Harold Wong, Cloud Architect, Commercial Software Engineering, harold.wong@microsoft.com
  2. Red Hat OpenShift Container Platform
  3. to 29. Image-only slides (no text extracted)
  30. Accrediting OpenShift On Azure. Shawn Wells, Office of the Chief Technologist, U.S. Public Sector, shawn@redhat.com || 443-534-0130
  31. Timeline:
      March '16: OpenShift on Azure Reference Architecture
      Oct. '16: RHEL7 + Containers Common Criteria Certification
      May '17: OpenShift on Azure FedRAMP Security Blueprint
      June '17: Microsoft & Red Hat Government Partnership
      July '17: Azure receives FedRAMP High, DoD Impact Level 4, FBI CJIS certifications
  32. Azure for Government Certifications: DoD Impact Level 4 (tabs: DoD Impact Level 4 | ITAR Readiness | FedRAMP High)
      ● Allows all DoD and mission partners to leverage Azure for "Controlled Unclassified Information"
      ● aka "FOUO"
  33. Azure for Government Certifications: ITAR Readiness
      ● Store and process regulated data.
      ● Azure facilities and personnel US-based.
  34. Azure for Government Certifications: FedRAMP High
      ● Focus for today.
      ● GSA-estimated 50% of $80B Federal IT budget falls under 'FedRAMP High'
  35. Red Hat Certifications: Common Criteria
      ● RHEL 7.1 certified to EAL4+.
      ● 3rd party lab verifies security functionality.
      ● Certified multi-tenancy capabilities.
  36. RHEL meets General Purpose Operating System Protection Profile
      Test Suite: Code exercised by test suite shows no unexpected errors
      Static Analysis Tools: All code is scanned and important defects are corrected
      Independent 3rd Party: Code reviews are performed and defects corrected
      Trained Programmers: The staff is trained and follows procedures
      Runtime Protections: The use of stack protector, FORTIFY_SOURCE, RELRO, and kernel sysctls are effective
      Code Correctness: Discuss different classes of errors and how they are detected
      Code Physically Secure: The code is kept in a SCC system with access limited to essential personnel
      Prevention and Detection: Processes are in place, staff trained, runtime defenses mitigate latent problems
      Coding Defects: There are no implementation defects that create vulnerabilities
      Requirement Deficiencies: There are no missing requirements
      Design Deficiencies: There are no errors of design that lead to vulnerabilities
      Operational Guidance: The security features are well explained
  37. Red Hat Certifications: US Gov. Protection Profiles (same table as slide 36)
  38. Red Hat Certifications: FIPS 140-2 Cryptography Certification (same table as slide 36)
  39. Red Hat Certifications: USGCB, STIGs (same table as slide 36)
  40. PUTTING IT TOGETHER: OpenShift On Azure Reference Architecture + Security Blueprint
  41. OpenShift on Azure Reference Architecture. Provides a comprehensive, step-by-step build of an enterprise deployment of OpenShift v3.5 on Azure.
      ● Public documentation
      ● Automation scripts on GitHub
  42. to 43. Image-only slides (no text extracted)
  44. OpenShift on Azure Security Blueprint
      ● ATO paperwork required for all cloud systems
      ● We went through the ~300pg GSA SSP template and pre-populated answers
  45. OpenShift on Azure Security Blueprint. Some controls are implemented in whole or in part by Microsoft Azure.
  46. OpenShift on Azure Security Blueprint. Others are inherently met by use of Red Hat, e.g. FIPS for disk encryption.
  47. OpenShift on Azure Security Blueprint. For customer responsibilities, we documented what a successful response would be:
  48. to 50. Image-only slides (no text extracted)
  51. THANK YOU
