Ensuring platform security with Windows Bosh Add-ons and Runtime-Config at Boeing

SpringOne Platform 2017 James Coppock, Boeing; Brad Schaefbauer, Boeing; Sheryl Maris, Boeing """We did it! InfoSec said “Not a chance you’re deploying Ubuntu and Windows on Pivotal Cloud Foundry unless you meet our highly stringent requirements!”. We were told – “You must implement virus protection and reporting; you must monitor about 100ish security controls, check them daily, and report anomalies daily; you must force multi-factor authentication for the opsman UI and SSH connections to opsman, and you must not allow direct access to any servers – all access must come from only the load-balancers and go-routers”. What? Really? Um, okay, I see we have no choice. Under immense time pressure, we found a way. We added some fairly simple Bosh Add-ons to the runtime config and applied via Concourse to all of our foundations. How easy was that? Maybe your InfoSec team is as hard as ours (pretty likely). If you’re an operations/infradev person focused on security and want to learn an eloquent and technically simple way to meet their requirements, please come by and hear from our off-the-wall team. Cooperating daily with our InfoSec lead E.J., our stressed out Service Manager Brad was, well, stressed out. Our tech leads, James and Sheryl saved the day (with the help of our Pivots of course). You’ll walk away learning some simple custom Bosh Add-ons applied via Runtime Config that met InfoSec’s tough requirements. Probably similar requirements at almost any company I would hazard a guess. We would love to talk to you anytime about our journey. We have implemented Windows on PCF quite successfully (how did we do this with the MS licensing restrictions?) and are hosting .NET Framework applications and .NET Core on Linux, we plan to implement Windows 2016 Core this year, Developers use SteelToe for the .NET Core and Framework applications to take advantage of Spring framework, we use SAML federation via PingFed to our Active Directory, Multi-Factor Authentication via smart card for Opsman, and probably a hundred other interesting topics. Attend this talk to learn some simple, custom BOSH add-ons applied via Runtime Config saved the day, using Concourse to deploy to all foundations."