The biggest concern for many people running their application in the cloud is security. Considering OpenShift for hosting your application in the the public cloud? The OpenShift PaaS security and patch management process goes above and beyond what other vendors are offering since we employ best of breed standards and transparency.
One of the largest issues for consumers expecting PaaS security is patch management. As an informed consumer, you expect your PaaS vendor to use the latest and greatest software versions and security techniques to protect your application. Public code reviews aren’t available for many products on the market today and you’re only able gain confidence knowing what versions of software they are currently running. OpenShift is open source. You can examine OpenShift’s base source code and see the RPM versions running in a gear. We belive a transparent secure model like this gives developers a higher confidence level.
Close cooperation and coordination with Red Hat’s internal Security Response Team (SRT) ensures OpenShift receives high level guidance and strategic insight into any challenge or concern that may need to be addressed. This relationship allows us to perform proof of concepts, test fixes as they are being developed, and explore work-arounds while waiting for the official, signed packages.
Taming a Zero Day Exploit While Watching Out for You
I work on the OpenShift Online Security team. Recently we encountered some kernel issues that could have caused potential data loss. The OpenShift Online team developed a work-around solution the same day the exploit was announced. Next it was tested in our pre-production environment with all of the available reproducers and finally it was it was reviewed in our regression and performance testing environment before deployment to production. We only kept the work-around in place for a few days while the official kernel was undergoing quality engineering testing.
During this time, our system flagged every user that attempted to run this exploit so we could take proper action. OpenShift Security and the internal Red Hat Security Team worked together to keep our environment and our customers secure. This stellar group also oversees all Red Hat products including Red Hat Enterprise Linux and JBoss. And since OpenShift is built on these technologies you receive their expertise as part of the OpenShift experience.
Patch Testing and Deployment
OpenShift uses Ruby and Java, languages with a reputation for the amount of time and effort needed to maintain them. OpenShift maintains their Ruby packages in RPM format which eases the upgrade process, ensures that the current version is deployed everywhere, and installed binaries are verified as genuine. After being fully tested in our pre-production testing environment (Jenkins) and signed off by our Quality Engineering team, packages are signed with a unique key and ready for even deeper testing. OpenShift quality processes clearly have our customer’s security as the highest priority.
Another potential concern of using patch management is utilizing a solid monitoring tool. By incorporating IPTables, CGroups and SELinux, we are administrating very large rule-sets. Sometimes we’ve seen cases where a newer version of these packages causes platform performance regressions. Knowing the product deeply, OpenShift has developed very robust monitoring checks. Using our regression testing and monitoring tools we find potential issues in pre-production before they ever hit our production environment. In addition, we run SCAP tests to monitor for these types of issues.
Many PaaS providers must determine if a kernel or glibc patch is worth the system reboot. This is always tough because it takes time out of their availability and uptime reports. OpenShift makes this determination for a node by migrating the gears to another already-updated node or rebooting the node to enable the updated kernel or glibc.
Move your application to OpenShift with confidence, know that security and patch management is of the hightest importance to us. We believe in being as transparent as possible so that you can be confident that our product and service is of the highest quality.
If security is key component of the requirements in your PaaS provider keep what I’ve shared above in mind. You’ll be hard pressed to find another provider with the exerperience and expertise Red Hat has. As a developer, you can focus on what’s most important to you. Your applications and your customers.