Private cloud hosting 101
Use this guide to learn about private cloud hosting in the B.C. government and determine if it’s the right option for your product or service. If you are not sure about the right hosting platform learn more about the capabilities and features of the application hosting services.
Last updated on
What is the Private Cloud OpenShift Platform
The B.C. Government Private Cloud Platform as a Service (PaaS) is a reliable and secure application hosting platform for deploying and running government services.
Understanding Red Hat OpenShift
Red Hat OpenShift is a platform that allows you to build and deploy applications in the cloud. It has 3 key characteristics.
Enterprise-level platform
Enterprise-level platforms provide the technology and tools required to build multiple applications and integrations across an organization. We evaluated OpenShift’s functionality to make sure it met the needs of product teams across the B.C. government.
Container platform
OpenShift is a container platform. On this type of platform, all the code and components associated with an application are grouped into a container or unit of software. A container will include everything an application needs to run quickly and reliably from one computer system to another or through multiple deployment environments.
Kubernetes system
OpenShift is built on Kubernetes, an open-source container platform. Kubernetes helps developers manage the services and workloads associated with managing containers by automating many of the manual processes. OpenShift builds off of Kubernetes to provide additional features and functionality.
Why we chose OpenShift
When looking for a platform to host B.C. government applications in the private cloud, we wanted a solution that leveraged Agile methodology, explored new team structures, improved digital delivery and focused on enabling developers and their teams. Red Hat OpenShift delivers on these requirements and provides opportunities to expand in the cloud space.
Platform advantages
Self-serve
Provides a controlled but flexible environment that lets you focus on your build. This allows you to have control over your own applications, have more efficient deployments and deliver services sooner.
Secure
Includes a broad set of built-in security features that help protect the platform. It’s also compatible with several vulnerability scanning and monitoring tools to keep the platform secure.
Independent
Ability to build and deploy applications without worrying about the limitations of sharing a server. Containers can perform their operations without interfering with other containers. This means your application won’t affect other teams and their applications won’t affect yours.
Scalable
Allows for building your application to dynamically adjust computing resources and capacity as load requirements change. With automated scaling, you can be confident your application is getting the resources it needs, when it needs them.
Overview of our service
We build and maintain the B.C. Government Private Cloud PaaS. PaaS products let you develop, run and manage your cloud-native applications without having to build and maintain the infrastructure or platform.
The B.C. Government Private Cloud PaaS is powered by the Red Hat OpenShift Container Platform and is hosted in the B.C. government’s data centres in Kamloops, B.C. and Calgary, Alberta. This platform can be used by ministries, agencies and Crown corporations working with the Government of B.C.
As part of the platform, we provide platform administration and shared tools.
Platform administration
We take care of administration services that allow you to onboard and work on the platform.
This includes:
- Approving and setting up your namespaces on the platform
- Running the Platform Product Registry, which automates project provisioning in OpenShift
- Maintaining the OpenShift platform
- Providing OpenShift training for you and your team
Shared tools
We purchase, build and maintain the platform’s shared tools, which can be used in your environments.
These include:
- Sysdig Monitor for monitoring your application
- JFrog Artifactory and HashiCorp Vault to improve your application security
- Rocket.Chat and the platform newsletter for communication and platform updates
Requirements
The B.C. Government Private Cloud PaaS is offered to B.C. government ministries, agencies and Crown corporations who are interested in building open-source software for internal or citizen-facing applications. Teams who join the platform should be willing to adopt modern technology architecture and development approaches, including DevOps, Agile and continuous delivery.
In order to use the B.C. Government Private Cloud PaaS, your team must be able to meet our requirements.
Product team requirements
Funding
It’s important that your application is monitored and maintained throughout its time on the B.C. Government Private Cloud PaaS. For this reason, only fully-funded teams are currently being accepted to work on the platform. To be considered fully-funded, your team must have a sufficient budget to support your application during development and after the initial development is complete.
Team roles
Your product team must include a product owner, DevOps lead and a technical lead.
Product owner
You must be able to identify a permanent government employee on your team who will act as the product owner of your application.
The product owner is accountable for keeping your application’s code, libraries and supporting tools functional, current and secure. This includes responding to any changes in the platform service or its related technology or tools that may affect your application’s performance. The product owner is responsible for your application throughout its entire lifetime on the platform, including after it’s deployed.
You’ll be asked to provide the name and contact information for your application’s product owner at your initial onboarding meeting.
DevOps lead
You must have at least one person on your team with DevOps skills when you join the platform, who will act as the DevOps lead. The DevOps lead is responsible for ensuring that your application is designed for resiliency and high availability and has monitoring and alerting functionality.
Technical lead
Your team must have at least one, or up to 2, technical leads, who can be listed as primary technical contacts for your application. If a problem is detected with your application or a change in the application is required as part of the platform service updates, the Platform Operations team will contact your technical lead. Your technical lead must be able to respond to these issues or changes and update your application as required.
The roles of technical lead and DevOps lead can be fulfilled by the same person, if they meet the knowledge and skill requirements for both roles.
Hiring contractors
Ideally, everyone on your product team should work in a B.C. government ministry, agency or Crown corporation. However, if needed, you can hire senior-level contract staff to fill DevOps and technical roles on your team. Product owners must be permanent government employees.
Product team success factors
Before building any applications on the platform, you are strongly encouraged to have the following additional recommended skills and knowledge.
The ideal product team for the platform:
- Follows an Agile methodology
- Uses open-source code
- Contributes to the B.C. government’s open-source community
If your team does not have these additional qualifications, you can still join the platform and engage with the platform community. There are many opportunities to learn from others and develop DevOps and Agile skills through community engagement and training. You can also get training on Agile methodology in the Digital Office.
Application requirements
You must be able to show that your proposed application is suitable to run within a containerized environment. Your application is considered suitable if:
- You plan to build it using cloud-native architecture and technology stacks
- You have endorsement from your ministry’s IMB or architecture team to host your application on the B.C. Government Private Cloud PaaS
You must also be able to build your application in an open-source environment. Your underlying code will be stored in the public bcgov organization repositories in GitHub and will be visible to everyone on the internet.
Community requirements
We follow a community-based support model that relies on the participation of all platform product teams. If you join the platform, you are expected to engage with the platform community.
Whenever possible, you should:
- Use Rocket.Chat to ask and answer questions and provide support to other teams
- Attend platform community meetups to watch demonstrations from other teams, present progress or express lessons learned from your own application
Costs
To help your team estimate hosting and budgeting costs, review the maintenance costs for digital products on the Private Cloud OpenShift platform.
Also, consider this:
- Silver and Gold hosting tiers are free in the 2024/2025 fiscal years
- A cost recovery model may be implemented in the 2025/2026 fiscal year. It hasn’t been determined if there will be a cost for product teams or what that cost would be
- You’re expected to perform resource tuning for your application, like you would with a paid service
Security and privacy compliance
We prioritize availability, integrity and confidentiality in all aspects of the platform. We work hard to keep the platform secure and privacy compliant with government standards, so you can feel confident deploying your application on the platform.
Security compliance
The B.C. Government Private Cloud PaaS meets government security standards for cloud services.
Data hosting
We securely host all B.C. Government Private Cloud PaaS platform and application data in Canada. Data for applications hosted in the Silver hosting tier is stored in our Kamloops, B.C. data centre. Data for applications hosted in the Gold hosting tier is stored in the Kamloops, B.C. data centre, with a geographic failover to our Calgary, Alberta data centre.
Platform updates
We manage the platform’s operating systems and infrastructure components and regularly update the platform. These updates include new features and functions that improve platform capabilities and fix bugs that are discovered in existing features.
In addition to regular updates, we’re continuously monitoring the platform and proactively patching security vulnerabilities to keep applications secure and compliant.
Penetration tests
The platform undergoes a yearly penetration test to evaluate the security of the system and identify any vulnerabilities.
Using a third party vendor, we run simulated attacks in the B.C. Government Private Cloud PaaS. These penetration tests, also known as pen tests, are simulated cyberattacks meant to help us identify and mitigate security risks before they are exploited.
Security Threat and Risk Assessment (STRA)
We review Red Hat OpenShift releases to ensure that they are compliant with the B.C. government’s information security policies. We complete a Security Threat and Risk Assessments (STRA) to meet the B.C. government’s STRA standard. STRAs are also performed on tools hosted on the platform.
In order to meet and maintain STRA requirements, we:
- Completed an initial STRA during the planning, development and implementation of the platform
- Maintain a review schedule to ensure STRA updates are conducted periodically
STRAs help us identify the platform’s criticality (confidentiality, integrity and availability needs), its information security classification and any gaps or weaknesses that should be addressed. We complete STRA analysis using a combination of tools, including:
- ISO 27001:2013 control areas
- The Defensible Security Framework
- STRIDE threat modeling
Once a STRA is complete, a Statement of Acceptable Risk (SoAR) is completed to capture all identified security risks and recommendations. The SoAR is reviewed and signed off by the business owner, the Ministry Information Security Officer (MISO) and the Ministry Chief Information Officer (MCIO).
Privacy compliance
Information security classification
The B.C. Government Private Cloud PaaS offers application and information hosting that is suitable for most government services. The platform meets the requirements for hosting information up-to and including Protected B classification.
Open-source development
As a product team on the B.C. Government Private Cloud PaaS, you’ll use GitHub to build your application in an open-source, public environment. Security and privacy assessments were completed for GitHub, as part of the OpenShift STRA and PIA evaluations.
Private projects
If you’d prefer to start working on your project privately, you also have the option to request a private repository for your OpenShift project in GitHub. However, this arrangement can only be temporary. You must have a plan to eventually move your project to a public repository.
Learn more about working in the open with GitHub.
Privacy Impact Assessment (PIA)
A Privacy Impact Assessment (PIA) was completed for Red Hat OpenShift. In order to meet and maintain PIA requirements, we:
- Completed an initial PIA during the planning, development and implementation of the platform
- Conduct additional privacy assessments as needed when changes to the platform impact the use, disclosure or collection of information
Critical Systems Standard
We’re very close to obtaining Critical Systems Standard compliance. The documentation required to meet the Critical Systems Standard is in the final stages of review for submission.
Meeting the Critical Systems Standard certifies that the B.C. Government Private Cloud PaaS meets higher levels of security and reliability, to deliver critical services to citizens.
The Critical Systems Standard:
- Defines what systems are critical
- Identifies the roles and responsibilities of system providers
- Outlines the requirements for systems that provide a critical service
- Provides guidelines on how to minimize the impact of a disruption to a critical system or service
Once the platform is compliant with the standard, it’ll undergo an annual review to ensure that it continues to meet critical service hosting requirements.
Security and privacy tools
You are responsible for ensuring that your application meets security and privacy standards. There are several tools available in OpenShift that you can use to identify vulnerabilities and keep your applications secure.
We also provide a large collection of design patterns on the platform that follow security best practices. You can use these patterns to build secure integrations between your OpenShift applications and external systems. To learn more about design patterns, post a question in the #devops-how-to Rocket.Chat channel.