OpenShift & SCAP

Red Hat have been releasing OpenSCAP as part of RHEL since 5.7 and it's been in Fedora longer as a development tree. I'd like to think alongside sVirt and SELinux and our ever vigilant guys in Mark Cox's Security Response Team who I work with a lot it's right up there as part of our commitment to understanding and remaining vigilant about security.

OpenSCAP is an open standards based framework allowing you to implement SCAP (Security Content Automation Protocol). SCAP is of course maintained by NIST. Their original and overarching concept was to document and provide a catalogue of standards and capabilities and OpenSCAP takes on where SCAP leaves off to provide that functional set of controls. Understanding alongside paper based controls that we need to arm administrators and developers out the box with the ability to be able to protect themselves but also to be able to report and log against deployed security controls and to query that data in order to have a living breathing management piece around security as a business as usual process. Just having the controls and deploying against them in staging or live isn't enough. In Cloud and multitenant virtualised environments this could not be more critical so doing this work for you ahead of time is part of our go to market.

Tim Kramer who I have now worked with for nearly thirteen years in the Linux community, originally at VA Linux back in the day has put a detailed brief together on OpenSCAP and OpenShift which is a primer for all those thinking of yet another reason as to why OpenShift should be your defacto goto PaaS environment of choice, especially during Q1 2013 when we release on premise solutions around OpenShift.

I urge you to go and read it as it's a belts and braces approach to understanding security around PaaS but also shows just how much effort and thought / steering goes into every aspect of our Cloud platform architecture. Here's the first opening paragraphs for the rest follow the link below.

"I wanted to give a little insight as to the type of security automation that happens in the background of OpenShift. As a provider, it's always a little scary to talk about what is behind the scenes or isn't. I have blogged in the past about OpenShift's use of cgroups, poly-instantiation and SElinux. There are many great web pages that explain what each offers to a multi-tenancy platform so I will dig in on the other non publicized tools. If you are building an OpenShift Origin infrastructure, this would be a good addition to your build out.

In a world of agile development and the ever changing layered build, one must really be careful that security remains at the level that the policy and product demands. At the end of this post, you will have tools that you can implement to help assure security controls stay within your specified policy.

With developers and operations staff that can change a layered build real time, how do you assure that it is still in a safe and secured state since it's impossible to keep up with every code check in? The biggest thing that comes to mind for me is automation. You will need tools that can check your security policy across all the various instances."

You can read the full article here