
New Tech Papers: Won’t Someone Please Think of the Auditors? Plus, How to do Chargeback & Showback in PCF

You’re not going to production without your auditors giving you the green light. It's a harsh reality that few seem to bring up.

Tinkering with the latest tech makes for fun conference presentations. But if you want better business results through software, get your auditors on-board!

That's what John Field set out to help you do with his recently published paper Pivotal Cloud Foundry: The Auditor’s Guide.

The paper is a tour de force, clearly and concisely summarizing what auditors need to evaluate regarding applications running atop Pivotal Cloud Foundry. The most important thing to know?

Proving the compliance of an application running on Pivotal Cloud Foundry is really no more difficult than proving compliance of an application deployed to a collection of standalone servers or clusters. In fact, in many cases, it is simpler.

That’s because PCF automates many of the technical controls required by regulations and compliance standards. Auditing identity management and permissions is simple too.

Auditors of the world, this one's for you! Download the paper and help your organization build its digital business!

Security and Compliance with Pivotal Cloud Foundry

The flipside of compliance? Security. (BTW, you can’t go to production without your security team signing off, either.)

Ben Bertka and Sujit Mohanty teamed up to write the authoritative paper on Security and Compliance with Pivotal Cloud Foundry. Get the paper here, and read it to understand how Pivotal Cloud Foundry can help you improve your security posture.

 Why are InfoSec teams so interested in Cloud Foundry? Let’s take a look at the headlines:

Cisco and Symantec offer their own grim assessments of the threat landscape.

Given this backdrop, it’s no wonder that security groups are looking for a better approach to protecting systems and data. And that’s just what Bertka and Mohanty explain in this paper. They answer, with authority and extensive detail, how Pivotal Cloud Foundry can help you:

  • Rapidly patch your systems. The longer it takes to apply fixes to your systems, the greater your risk. In fact, if it takes you more than a day to repair your environments, it’s taking too long.

  • Proactively fight against advanced persistent threats (APTs). A popular attack vector? Malware that gains access to a network and stays there undetected for a long period of time. The longer the threat stays undetected, the more data that’s at risk. APTs thrive in stagnant environments. You can deprive them of what they need to do harm when you “repave” your environment often.

  • Reduce the risk posed by leaked credentials. Your organization has thousands of secrets that control access to systems. If a bad actor gets ahold of passwords, certificates, ssh keys, or RSA keys, your critical systems are at risk. What’s a responsible IT team to do? Rotate credentials often, so the value of any given secret plummets.

There are plenty of other useful technical details on preventing data loss, devising a disaster recovery strategy, and container hardening. Read the paper, then move your apps to Pivotal Cloud Foundry and sleep a little easier at night!

 Chargebacks & Showbacks in Pivotal Cloud Foundry

 “How do I do chargebacks and showbacks in Pivotal Cloud Foundry?”

 We get this question a lot. And a collection of seasoned architects – led by Rajesh Jain, Raviteja Appalla and Parker Fleming – just published a paper chock-full of best practices. Download it here. The material is sourced from the most successful Cloud Foundry adopters and their techniques.

The “as a service” model has changed how corporate IT thinks about budgeting and how they show the cost of IT to business units. And Pivotal Cloud Foundry is no exception. Especially since PCF is usually selected as the strategic platform for an enterprise.

The art of chargeback/showback comes down to a balance of platform adoption, developer empowerment, and responsible budgeting.

In this paper, you’ll learn about the chargeback/showback strategies of successful PCF customers. Here’s a quick look at some of the wisdom captured by Jain, Appalla, and Fleming:

Don’t Do Chargeback/Showback Right Away.

Businesses adopt modern platforms for good reason. (Namely, to get better at software.) But until application teams – and platform operators – fully experience the benefits of the platform, it’s counterproductive to assign a value to it.

Implement Chargeback/Showback When You’re Mature in Your Platform Usage.

At this point in a PCF deployment, the organization appreciates the full benefits of the platform. That means you can accurately assign value to its usage. How do you know you’re at maturity? It’s easier to assess than you might think. Here are four common strategies used by PCF adopters:

  • Application teams have autonomy. Your developers can ship software via a streamlined path to production. This is typically via a continuous integration / continuous delivery process.

  • You are running at scale. You have several teams shipping code to production often (ideally hundreds of times a week).

  • Your development teams use cloud-native architectures. If teams have autonomy and push code often, you may already have buy-in for cloud-native patterns. But the ultimate tell-tale sign: applications are architected according to 12 Factor principles. Applications that adhere to this thinking take full advantage of Pivotal Cloud Foundry. Several PCF customers make adoption of these patterns a top priority.

  • Your platform engineers have a mature understanding of how to operate PCF. Operators can support high-velocity application teams, apply CVE patches with zero downtime, perform platform upgrades, and manage buildpacks.

Understand Platform APIs and Reports

There’s tons of practical business advice in the paper. (And rightly so – that’s the most important part!) What about the tech parts? You’re going to need to extract usage and consumption data from the platform for your chargeback/showback models. The authors discuss this tooling at length. You’ll want to be familiar with these 3 features:

  • The Usage Service API. The Usage Service provides endpoints for apps, tasks, and service usage data. The Usage Service collects events from the Cloud Controller and calculates app, task, and service instance usage over time.

  • Apps Manager Accounting & Usage Reports. The Apps Manager Accounting & Usage Reports are visual reports populated with data from the Usage Service API. The Accounting Report shows aggregated usage for all orgs. The Usage Report shows usage for a specific org.

  • Cloud Foundry API. The Cloud Foundry API includes several endpoints that provide useful information on apps, tasks, and services. For example, if you are interested in knowing what buildpacks are used, the “App Usage Events” endpoint can provide that information. Want to know the quota allocated to each space or organization? Just curl the “Organizations” endpoint. (Note: Cloud Controller data is only stored for the most recent 31 days.)
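As a sketch of what a showback calculation over usage events looks like, the following added example (not from the paper or from Pivotal's tooling) turns start/stop events into memory GB-hours per org and lists the buildpacks in use. The sample events are constructed, and the field names are assumptions modelled on Cloud Controller app usage events.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real platform output). Field names are
# assumptions modelled on Cloud Controller app usage events.
EVENTS = [
    {"created_at": "2018-03-01T00:00:00Z", "org_guid": "org-a", "app_guid": "app-1",
     "state": "STARTED", "instance_count": 2, "memory_in_mb_per_instance": 1024,
     "buildpack_name": "java_buildpack"},
    {"created_at": "2018-03-01T12:00:00Z", "org_guid": "org-a", "app_guid": "app-1",
     "state": "STARTED", "instance_count": 4, "memory_in_mb_per_instance": 1024,
     "buildpack_name": "java_buildpack"},   # scale-up: same app, new footprint
    {"created_at": "2018-03-02T00:00:00Z", "org_guid": "org-a", "app_guid": "app-1",
     "state": "STOPPED", "instance_count": 4, "memory_in_mb_per_instance": 1024,
     "buildpack_name": "java_buildpack"},
    {"created_at": "2018-03-01T06:00:00Z", "org_guid": "org-b", "app_guid": "app-2",
     "state": "STARTED", "instance_count": 1, "memory_in_mb_per_instance": 512,
     "buildpack_name": "nodejs_buildpack"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def gb_hours_by_org(events, window_end):
    """Sum memory GB-hours per org; apps still running are billed to window_end."""
    end = _ts(window_end)
    running = {}                      # app_guid -> (org_guid, since, gb)
    totals = defaultdict(float)
    for ev in sorted(events, key=lambda e: _ts(e["created_at"])):
        at = min(_ts(ev["created_at"]), end)
        prev = running.pop(ev["app_guid"], None)
        if prev:                      # close the interval opened by the last event
            org, since, gb = prev
            totals[org] += gb * (at - since).total_seconds() / 3600
        if ev["state"] == "STARTED":
            gb = ev["instance_count"] * ev["memory_in_mb_per_instance"] / 1024
            running[ev["app_guid"]] = (ev["org_guid"], at, gb)
    for org, since, gb in running.values():
        totals[org] += gb * (end - since).total_seconds() / 3600
    return dict(totals)

def buildpacks_in_use(events):
    """Distinct buildpacks seen on STARTED events."""
    return sorted({e["buildpack_name"] for e in events if e["state"] == "STARTED"})
```

An app that started before the oldest retained event never appears in `running`, so a model built on raw events has to export them more often than the 31-day retention noted above.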

Perhaps the most valuable part of the paper? The “Learning from Your Peers” section towards the end. Here, the authors describe the chargeback/showback journey for various customers, what’s working, what’s not, and why. Happy reading!
