DISA: New STIGs Include Ubuntu, an Embedded Operating System. Because the Best OS is the One You Don’t Have to Worry About.

August 14, 2018 Jared Ruckle

How much value do you get from managing an operating system? For a growing number of IT pros, the answer is “zero.”

We’ve heard that answer across companies in the Fortune 500. And today, it seems that the Defense Information Systems Agency (DISA) came to the same conclusion.

Agency leaders realized that the role of an OS has changed, so they decided to update the guidelines that govern operating systems. The end result: the certification of a new Linux distribution, Ubuntu from Canonical.

The certification of Ubuntu is a small change that’s having a big impact. Let’s start with the news of the day.

DISA STIG: Ubuntu is Now Certified for Use. Here's Why that Matters.

DISA updated its Security Technical Implementation Guides (STIGs) to certify Ubuntu for use.

Why is this a big deal? There’s an entire category of products that use Ubuntu. Previously, these tools were off-limits to government agencies. Now that Ubuntu is certified, agency teams can evaluate these products for many scenarios. Many of the most popular solutions that are now eligible for consideration have their roots in Cloud Foundry (CF).

In the world of Cloud Foundry, the operating system is embedded as part of the platform. It works like this:

  • The OS is packaged as a stemcell. The stemcell includes the OS, release software, and a manifest file.
  • The stemcell runs on the VMs that power Cloud Foundry.
  • Stemcells are hardened, and patched on a regular basis. For more details, read “How We Harden a Cloud Foundry Stemcell (So You Don’t Have to).”
  • Layers of automation manage the stemcell and underlying cloud infrastructure. The platform also gathers logs, provides high availability features, and handles scaling.

Let’s focus on Pivotal Cloud Foundry (PCF), the top commercial distribution of Cloud Foundry.

Developers like the automation and the bundled features of Pivotal Cloud Foundry. With PCF, their apps “just work.” And they don’t have to spend time managing the guts of their software stack.

Developers also like the choice PCF offers when it comes to getting code to production. Cloud Foundry gives you two choices:

  • Use a platform-built container. This is the flagship Pivotal Application Service (PAS), where developers push their code using the magical cf push command. The app platform builds the container for you, using buildpacks.

  • Bring your own container. Here, you use Kubernetes and the Pivotal Container Service (PKS) to push a Docker image. You are responsible for updating and managing dependencies in the container image. You do the patching as well. (PAS supports developer-built containers as well.)

Both options remove toil and grunt work for the developer. But there’s a larger organizational benefit that federal teams are realizing with these tools. They help engineering teams achieve continuous (daily) Authority to Operate (ATO).


Continuous ATO with Pivotal Cloud Foundry

Highly automated platforms - with an embedded OS - automate much of the undifferentiated work away for the engineer. That’s a productivity benefit. There’s also a significant security benefit. Which brings us to ATO.

What’s “Authority to Operate”? Nick Sinai, a former White House deputy CTO, wrote up a wonderful post summarizing the process. Key excerpt:

“...an Authority to Operate (ATO) is the security approval to launch a new IT system in the federal government — a senior official grants an ATO based on a risk-based assessment documented in a security plan. This well-meaning process is a result of legislation and a resulting standards-based federal framework, generally coupled with additional agency-specific requirements.”

Sinai continues:

“In practice, in many federal agencies, it takes a year or more to get an ATO...The idea of reducing this down to a single day is an interesting business process challenge.”

Authorities grant ATO when applications meet a well-defined set of NIST controls. The controls are several hundred different checks and rules. Auditing procedures for each process is included as well. Audit instructions are documented in a “System Security Plan.” Said plans often run to hundreds of pages! (The instructions for writing such a plan is 48 pages by itself).

Navigating the ATO process is no small task with a traditional approach.

When something is difficult, the best idea is often to automate it. That’s precisely what Pivotal Cloud Foundry does: it automates the ATO workflow for application teams.

With Cloud Foundry, the vast majority of the required controls are met by the platform itself. Application teams have shaved months off the ATO process as a result.

Now, the app owner need only account for a small subset of controls (say 10%). Agencies can quickly grant ATO without having to review the entire package each time.

There’s even guidance published on what makes an app “Rapid ATO” eligible:

  1. Inherit more than 80% of controls from a common control provider.

  2. Leverage a microservice architecture.

  3. Built with a CI pipeline.

  4. Use APIs exclusively for all data calls.

Pivotal Cloud Foundry covers the first item, and helps a great deal with the second. Any number of open-source CI tools will do for #3. (We recommend Concourse.) And finally, “API-first” calls are a best practice pattern for modern apps.

At Pivotal we like to say “go fast while you go secure.” The experience here with federal agencies is a classic example of this in action.

What opened the door to this innovation? The simple certification of the OS that powers Pivotal Cloud Foundry!

Once You See It, the Embedded OS is Everywhere

Of course, no platform lives alone. Every credible platform has an ecosystem to help developers extend apps. The magic of the embedded OS is evident here too.

The Pivotal Cloud Foundry ecosystem gives developers plenty of choice and flexibility. And now federal agencies can consume these add-on services.

Consider Crunchy Data, a Pivotal partner with one of the top PostgreSQL distributions. Crunchy achieved ATO status inside a highly regulated federal agency in a mere 17 days. That means developers can use Crunchy’s tech in a frictionless, self-service fashion. What’s at the heart of Crunchy’s PostgreSQL add-on? You guessed it, the Ubuntu embedded OS.

We Look After the Operating System (So You Don’t Have to)

The OS no longer matters to modern development and operations teams. Their time and attention is now spent up the stack, at the application level.

Of course, someone still needs to tend to the embedded operating system. (It just shouldn’t be you.) For cloud-native workloads, Canonical, the firm behind Ubuntu, is leading the charge.

The drudgery of managing an OS is invisible to Pivotal customers through our relationship with Canonical. The embedded OS within Pivotal Cloud Foundry (Ubuntu) is regularly patched and updated. If someone discovers an issue, Pivotal works with on-call engineers from Canonical. Our teams jointly remediate the situation.

The deployment toolchain Cloud Foundry BOSH manages the entire rollout, including the embedded OS. Planned updates are highly automated and effortless. CVEs can be patched by operations teams quickly, with zero downtime. We described our process for patching Spectre and Meltdown in a recent blog post. The image below helps explain the flow as well.

The Embedded OS and Next-Generation Immutable Infrastructure

Organizations are unleashing new waves of creativity and value just by using an embedded operating system. This simple change brings modern platforms into the fold, unlocking the power of higher abstractions.

The main questions we hear today: “How do I scale this model?” “I keep reading about these security breaches. How does cloud-native help me reduce risk?”

Here’s how. Platforms powered by an embedded OS help engineering teams automate and scale with high control.

What do we mean by control? It’s “The Three Rs of Enterprise Security”:

  • You can repair your systems as soon as a fix to a CVE is identified with zero downtime. You have the power to drop your mean-time-to-repair. In a world where patching is now a CEO and board-level concern, this is invaluable.

  • You can redeploy your platform from a known good state any time you want, with zero downtime. When you repave systems often, you mitigate the risk from advanced persistent threats. This class of malware thrives on stagnancy. You have the power to deny APTs the conditions they need to inflict damage. (One highly regulated bank repaves their entire environment weekly, during business hours. That’s not something you can do with a traditional OS.)

  • You automate the rotation of credentials and other secrets in your systems. This reduces the risk posed by leaked credentials.

And that’s why the future is bright for embedded operating systems.

Today’s immutable infrastructure practices ease server wrangling and streamline configuration management. Tomorrow’s leaders will adopt cloud-native security models atop many abstractions, specifically: containers, application platforms, and functions.

Now is when things get interesting. Just take a moment to think about how an embedded OS makes it all happen.

And then never think about an OS ever again.

Want to try out Pivotal Cloud Foundry? Sign-up for a free trial of Pivotal Web Services. Of course, the operating system is included.

Want to learn more on how to balance security and productivity? Join us at SpringOne Platform in Washington, D.C., September 24 to 27, 2018. Register now! Use discount code S1P200_JRuckle for $200 off the registration fee.

About the Author

Jared Ruckle

Jared works in product marketing at VMware.

Follow on Twitter Follow on Linkedin More Content by Jared Ruckle
What We Did on Our Summer Internship at Pivotal: Discovery and Framing
What We Did on Our Summer Internship at Pivotal: Discovery and Framing

Pivotal interns Vishnu Kumar and Rhea Manocha share their experience developing a new getting started guide...

Why Starting With End-to-End Customer Journeys Isn't Good For The Customer
Why Starting With End-to-End Customer Journeys Isn't Good For The Customer

SpringOne at VMware Explore 2023

Learn More