The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Environment #BoomSauce

Copyright © 2018, Raytheon Company. All rights reserved.
#BOOMSAUCE: THE ANATOMY OF BUILDING A COMPLIANT
PCF SERVICE IN A LIMITED-CONNECTIVITY ENVIRONMENT
Josh Kirchmeier
Garrett Klok
Approved for Public Release
This document does not contain technology or technical data controlled under either the U.S. International Traffic in Arms Regulations or the U.S. Export Administration Regulations.

First – A Disclaimer
 The specifics of what we’re doing are
sensitive, so information cannot be shared
 Regulatory compliance is NOT a destination,
but instead a complex and twisty road full of
shear drops and sudden stops – even if we
had all of today’s answers, what you need to
do will be different tomorrow
10/10/2018 2
THERE IS NO COOKBOOK FOR REGULATORY COMPLIANCE — YOUR MILEAGE WILL VARY

3
RAYTHEON COMPANY – A TECHNOLOGY AND
INNOVATION LEADER SPECIALIZING IN DEFENSE,
CIVIL GOVERNMENT AND CYBERSECURITY
SOLUTIONS THROUGHOUT THE WORLD.
 2017 NET SALES: $25 BILLION
 64,000 EMPLOYEES WORLDWIDE
 HEADQUARTERS: WALTHAM, MASSACHUSETTS

4
GLOBAL PRESENCE
ALWAYS THERE.
DEDICATED TO OUR
GLOBAL CUSTOMERS.
Raytheon Company is deeply committed to
global partnerships, providing solutions and
services to valued customers in more than
80 countries and building upon international
relationships to best meet the national
security and technology needs of nations
around the world.

Raytheon Digital Transformation
10/10/2018 5

DevOps at Raytheon
10/10/2018 6
Images used from: https://commons.wikimedia.org/wiki/
Collaboration
Documentation
Requirements
Agile Planning
Task Mgmt
Development
Design & Arch
Test Mgmt
Static Analysis
Package Mgmt
Artifact Mgmt
Automation
Solution Delivery
Capacity Mgmt
Availability
App Health
Customer Eng/Sat
TOOLCHAINS
SANDBOX DEV/TEST PRODUCTION

PCF as a Service (PCFaaS)
10/10/2018 7
DEFINE SERVICE TENANTS
 Achieve Compliance and Security
Requirements
 Enable Speed and Agility to our
Development Teams
 Provide High Availability and Resiliency
SCOPE SERVICES TO WHAT IS NEEDED AND ALLOWED
CONTROL AND ARTICULATE SCOPES
Keith Rodwell SpringOne 2017 Presentation
AGILE APPROACH TO SERVICE DELIVERY
 Establish a roadmap and service guardrails
 What is in and out of your service
 How to request new capabilities
 Share a near and long term roadmap

PCF as a Service (PCFaaS)
10/10/2018 8
CONSTRUCT A SERVICE MODEL
 Service strategy and responsibilities
 How the service will operate (deploy, scale and
maintain) the platform
 Standard services and capabilities (now and roadmap)
 One stop shop for everything in the service
DEFER COST MODEL /CHARGEBACK
 Wait if you can!
 Focus on building adoption
 Allow the platform team time to understand the platform
 Allow developers and stakeholders to see the value Pivotal Chargeback

Our PCFaaS Service Value Proposition
10/10/2018 9
*https://content.pivotal.io/blog/pivotal-cloud-foundry-s-roadmap-for-2016
https://commons.wikimedia.org/wiki/File:Devops-toolchain.svg
HIGH AVAILABILITY SECURITY & COMPLIANCEDEVELOPER PRODUCTIVITY OPERATOR EFFICIENCY
CUSTOMER
here is what i need
provide me business value
i do not care how
- Garrett Klok (Raytheon)
COMPLIANCE
here are policies
go and make me compliant
i do not care how
- Garrett Klok (Raytheon)
DEVELOPMENT
here is my source code
run it on the cloud for me
i do not care how
- Onsi Fakhouri (Pivotal)*
OPERATIONS
here are my servers
go make them a cloud foundry
i do not care how
- Onsi Fakhouri (Pivotal)*

Compliance?
10/10/2018 10

Compliance Because…
10/10/2018 11
IDS
Headquartered in Tewksbury,
Massachusetts, Integrated Defense
Systems specializes in air and missile
defense, large land- and sea-
based radars, and systems for
managing command, control,
communications, computers, cyber
and intelligence. It also produces
sonars, torpedoes and electronic
systems for ships.
FORCEPOINTTM
Forcepoint is transforming cybersecurity
by focusing on what matters most:
understanding people’s intent as they
interact with critical data and intellectual
property wherever it resides.
Forcepoint’s Human Point System
enables customers to understand the
normal rhythm of user behavior and the
flow of data throughout an organization
to rapidly identify and eliminate risk.
Based in Austin, Texas, Forcepoint
protects the human point for thousands
of enterprise and government customers
in more than 150 countries.
IIS
Headquartered in Dulles, Virginia,
Intelligence, Information and
Services designs and delivers
solutions and services that leverage
its deep expertise in cyber, analytics
and automation. Software, systems
integration, and the support and
sustainment of Raytheon and other
companies’ systems for intelligence,
military and civil applications are
delivered across four domains:
space, cyber, mission readiness,
and multi-domain battlespace
management command and control.
RMS
Headquartered in Tucson, Arizona,
Missile Systems is the premier global
effects provider across broad
addressable markets. The business
designs, integrates, delivers and
supports weapons systems for all
missions spanning all domains,
including interceptors for ballistic
missile defense. It operates at the
forefront of advanced technology
development, including hypersonic
weapons programs and directed energy
systems. International operations
include Raytheon UK, Raytheon
ELCAN, and Raytheon Emirates.
SAS
Headquartered in McKinney, Texas,
Space and Airborne Systems is a
leading provider of radar and sensor
systems on airborne and space-
based platforms. The business also
provides communications, electronic
warfare, high-energy laser solutions
and special mission aircraft for the
network-centric battlefield. Research
advancements range from linguistics
to quantum computing.
INTEGRATED
DEFENSE SYSTEMS
INTELLIGENCE,
INFORMATION AND SERVICES
MISSILE SYSTEMS
SPACE AND
AIRBORNE SYSTEMS
FORCEPOINT
POWERED BY RAYTHEON
OUR BUSINESSES MAKE THE WORLD A SAFER PLACE

Defense Industry Regulations
10/10/2018 12
 International Traffic in Arms
Regulations (ITAR)
– U.S. government export and import of
defense-related articles and services
regulations
BE FAMILIAR WITH THE REGULATIONS THAT YOU’RE DESIGNING TO MEET
ITAR, EAR, CUI and NIST 800-171
 Controlled Unclassified
Information (CUI)
– Data that must be safeguarded
and/or dissemination controlled by
U.S. government regulation
 Export Administration
Regulations (EAR)
– Commercial import and export
regulations
 NIST 800-171
– Protecting CUI in nonfederal
information systems and
organizations

DFARS
10/10/2018 13
 A supplement to the FAR that provides DoD-specific acquisition regulations that DoD
government acquisition officials – and those contractors doing business with DoD – must follow
in the procurement process for goods and services
DEFENSE FEDERAL ACQUISITION REGULATION SUPPLEMENT
NIST 800-53 / 800-171
FAMILIES OF CONTROLS
Access Control Media Protection
Awareness and Training Personnel Security
Audit and Accountability Physical Protection
Configuration Management Risk Assessment
Identification and Authentication Security Assessment
Incident Response System and Communication Protection
Maintenance System and Information Integrity

DFARS: Controls Addressed
10/10/2018 14
 Encryption – System and
Communications Protection (3.13)
– Data at rest/motion/use
 Multi-Factor Authentication –
Identification and Authentication (3.5)
– Something you have/know/are
 Vulnerability Scans –
Risk Assessment (3.11)
– Remediate and mitigate threats

Limited-Connectivity Environment Challenges
10/10/2018 15
 Certificates
– Unable to copy SSL certificates to Concourse runtime containers
 Proxies
– Unable to set proxy on Concourse worker VMs
 Off-line (i.e. Air-Gapped) Pipelines
– Pipelines have assumptions (e.g. internet connectivity, 3 AZs, …)
 Security Constraints
– Images, source code and binaries pulled only from private registries/repos
 Controls on top of GovCloud
– Additional rules and practices enforcing compliance

Encryption: Made Easy
10/10/2018 16
 BOSH Internal/Ops Man
– Encrypt AMI while copying to your AMIs
 AWS Console, or
 AWS CLI
 PAS
– Encrypt EBS Volumes
 Ops Manager Director AWS Config
aws ec2 copy-image --source-image-id ami-xxxxxxxx --source-region us-gov-west-1 --region us-gov-west-1 --name encrypted-ops-
manager-ami --encrypted --kms-key-id arn:aws-us-gov:kms:us-gov-west-1:############:key/<custom-kms-key-id>

Encryption: Made Not So Easy
10/10/2018 17
 Encrypt stemcells
– bosh repack-stemcell
 Modify cloud properties
– Update cpi.yml - type: replace
path: /resource_pools/name=vms/stemcell?
value:
url: file://~/stemcells/encrypted-light-bosh-stemcell-3468.21-aws-xen-hvm-ubuntu-trusty-go_agent.tgz
...
- type: replace
path: /resource_pools/name=vms/cloud_properties?
value:
instance_type: m4.xlarge
ephemeral_disk:
type: gp2
size: ###
encrypted: true
kms_key_arn: "arn:aws-us-gov:kms:us-gov-west-1:<userid>:key/<kms-key-id>"
availability_zone: ((az))
...
- type: replace
path: /disk_pools/name=disks/cloud_properties?
value:
type: gp2
encrypted: true
kms_key_arn: "arn:aws-us-gov:kms:us-gov-west-1:<userid>:key/<kms-key-id>"

Encryption: Gotchas/Tips
10/10/2018 18
 Unknown CPI error 'Unknown' with message 'You are not authorized to perform
this operation.' in 'create_stemcell' CPI method
– Ensure proper CPI version
– Update IAM policy
 "ec2:RegisterImage",
 "ec2:DeregisterImage",
 "ec2:CopyImage"
– Update KMS Key policy to include user
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": […, “user“,…]
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [[…, “user“,…]
 Replace existing stemcells
– bosh upload-stemcell –fix
– Change version number
 From: bosh-aws-xen-hvm-ubuntu-trusty-go_agent/3541.4
 To: encrypted-bosh-aws-xen-hvm-ubuntu-trusty-go_agent/3541.4.1
 Write your own routine for checking encryption status

Multi-Factor Authentication
10/10/2018 19
 Ops Man
– Changing to SAML from internal doesn't allow
for SAML configuration updates
– If you get locked out, manually modify the
installation files
 Locate, decrypt and edit the installation.yml
and actual-installation.yml
 Apps Man/CF
– Leverage SAML/Enterprise Identity
 Custom Applications
– Leverage SAML/Enterprise Identity

Vulnerability Scans: What We Did About It
10/10/2018 20
 Process and collaboration around
application security
 Create and maintain a repository
 Continuous improvement through
feedback and training
 Guideline and template update
EMPHASIS ON BECOMING PROACTIVE

In Conclusion
10/10/2018 21
#BOOMSAUCE
Josh Kirchmeier
Josh.Kirchmeier@Raytheon.com
@jkirchmeier
https://www.linkedin.com/in/joshuakirchmeier
Garrett Klok
gklok@raytheon.com
@gklok
https://www.linkedin.com/in/garrett-klok

The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Environment #BoomSauce

More Related Content

Similar to The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Environment #BoomSauce (20)

More from VMware Tanzu (20)

Recently uploaded (20)

The Anatomy of Building a Compliant PCF Service in a Limited Connectivity Environment #BoomSauce