The B.C. Government Private Cloud Platform as a Service (PaaS) is a reliable and secure application hosting platform for deploying and running government services.
Understanding Red Hat OpenShift
Red Hat OpenShift is a platform that allows you to build and deploy applications in the cloud. It has three key characteristics.
OpenShift is an enterprise-level platform. Enterprise-level platforms provide the technology and tools required to build multiple applications and integrations across an organization. We evaluated OpenShift's functionality to make sure it met the needs of product teams across the B.C. government.
OpenShift is a container platform. On this type of platform, all the code and components associated with an application are grouped into a container, a single unit of software. A container includes everything the application needs to run quickly and reliably when it is moved from one computer system to another or across multiple deployment environments.
OpenShift is built on Kubernetes, an open-source container platform. Kubernetes helps developers manage containerized services and workloads by automating many otherwise manual processes. OpenShift builds on Kubernetes to provide additional features and functionality.
Why we chose OpenShift
When looking for a platform to host B.C. government applications in the private cloud, we wanted a solution that leveraged Agile methodology, explored new team structures, improved digital delivery and focused on enabling developers and their teams. Red Hat OpenShift delivers on these requirements and provides opportunities to expand in the cloud space.
OpenShift provides a controlled but flexible environment that lets you focus on your build. This gives you control over your own applications, more efficient deployments and sooner delivery of services.
OpenShift includes a broad set of built-in security features that help protect the platform. It is also compatible with several vulnerability scanning and monitoring tools that help keep the platform secure.
OpenShift lets you build and deploy applications without worrying about the limitations of sharing a server. Containers perform their operations without interfering with other containers, so your application won't affect other teams' applications and theirs won't affect yours.
OpenShift allows you to build your application so that it dynamically adjusts computing resources and capacity as load requirements change. With automated scaling, you can be confident your application is getting the resources it needs, when it needs them.
Overview of our service
We build and maintain the B.C. Government Private Cloud PaaS. PaaS products let you develop, run and manage your cloud-native applications without having to build and maintain the infrastructure or platform.
The B.C. Government Private Cloud PaaS is powered by the Red Hat OpenShift Container Platform and is hosted in the B.C. government’s data centres in Kamloops, B.C. and Calgary, Alberta. This platform can be used by ministries, agencies and Crown corporations working with the Government of B.C.
As part of the platform, we provide platform administration and shared tools. Platform administration includes:
Approving and setting up your namespaces on the platform
Running the Platform Product Registry, which automates project provisioning in OpenShift
Maintaining the OpenShift platform
Providing OpenShift training for you and your team
We also purchase, build and maintain the platform's shared tools, which you can use in your environments:
Sysdig Monitor for monitoring your application
JFrog Artifactory, HashiCorp Vault and Repo-Mountie to improve your application security
Rocket.Chat and the platform newsletter for communication and platform updates
The B.C. Government Private Cloud PaaS is offered to B.C. government ministries, agencies and Crown corporations who are interested in building open-source software for internal or citizen-facing applications. Teams who join the platform should be willing to adopt modern technology architecture and development approaches, including DevOps, Agile and continuous delivery.
In order to use the B.C. Government Private Cloud PaaS, your team must be able to meet our requirements.
Product team requirements
It’s important that your application is monitored and maintained throughout its time on the B.C. Government Private Cloud PaaS. For this reason, only fully-funded teams are currently being accepted to work on the platform. To be considered fully-funded, your team must have a sufficient budget to support your application during development and after the initial development is complete.
Your product team must include a product owner, a DevOps lead and a technical lead.
You must be able to identify a permanent government employee on your team who will act as the product owner of your application.
The product owner is accountable for keeping your application’s code, libraries and supporting tools functional, current and secure. This includes responding to any changes in the platform service or its related technology or tools that may affect your application’s performance. The product owner is responsible for your application throughout its entire lifetime on the platform, including after it’s deployed.
You’ll be asked to provide the name and contact information for your application’s product owner at your initial onboarding meeting.
Your team must have one or two technical leads, who will be listed as the primary technical contacts for your application. If a problem is detected with your application, or a change to the application is required as part of platform service updates, the Platform Operations team will contact your technical lead. Your technical lead must be able to respond to these issues or changes and update your application as required.
The roles of technical lead and DevOps lead can be fulfilled by the same person, if they meet the knowledge and skill requirements for both roles.
Ideally, everyone on your product team should work in a B.C. government ministry, agency or Crown corporation. However, if needed, you can hire senior-level contract staff to fill DevOps and technical roles on your team. Product owners must be permanent government employees.
Product team success factors
Before building any applications on the platform, we strongly encourage your team to have the following additional skills and knowledge.
The ideal product team for the platform:
Follows an Agile methodology
Uses open-source code
Contributes to the B.C. government’s open-source community
If your team does not have these additional qualifications, you can still join the platform and engage with the platform community. There are many opportunities to learn from others and develop DevOps and Agile skills through community engagement and training. You can also get training on Agile methodology in the Exchange Lab.
You must be able to show that your proposed application is suitable to run within a containerized environment. Your application is considered suitable if:
You plan to build it using cloud-native architecture and technology stacks
You have endorsement from your ministry’s IMB or architecture team to host your application on the B.C. Government Private Cloud PaaS
A cost recovery model may be implemented in the 2023/2024 fiscal year. It hasn’t been determined if there will be a cost for product teams or what that cost would be.
You’re expected to perform resource tuning for your application, like you would with a paid service.
Security and privacy compliance
We prioritize availability, integrity and confidentiality in all aspects of the platform. We work hard to keep the platform secure and privacy compliant with government standards, so you can feel confident deploying your application on the platform.
The B.C. Government Private Cloud PaaS meets government security standards for cloud services.
We securely host all B.C. Government Private Cloud PaaS platform and application data in Canada. Data for applications hosted in the Silver hosting tier is stored in our Kamloops, B.C. data centre. Data for applications hosted in the Gold hosting tier is stored in the Kamloops, B.C. data centre, with a geographic failover to our Calgary, Alberta data centre.
We manage the platform’s operating systems and infrastructure components and regularly update the platform. These updates include new features and functions that improve platform capabilities and fix bugs that are discovered in existing features.
In addition to regular updates, we continuously monitor the platform and proactively patch security vulnerabilities to keep applications secure and compliant.
The platform undergoes a yearly penetration test to evaluate the security of the system and identify any vulnerabilities.
Using a third-party vendor, we run simulated attacks against the B.C. Government Private Cloud PaaS. These penetration tests, also known as pen tests, are simulated cyberattacks meant to help us identify and mitigate security risks before they can be exploited.
Security Threat and Risk Assessment (STRA)
We review Red Hat OpenShift releases to ensure that they comply with the B.C. government's information security policies. We complete Security Threat and Risk Assessments (STRAs) to meet the B.C. government's STRA standard. STRAs are also performed on tools hosted on the platform.
In order to meet and maintain STRA requirements, we:
Completed an initial STRA during the planning, development and implementation of the platform
Maintain a review schedule to ensure STRA updates are conducted periodically
STRAs help us identify the platform’s criticality (confidentiality, integrity and availability needs), its information security classification and any gaps or weaknesses that should be addressed. We complete STRA analysis using a combination of tools, including:
Once a STRA is complete, a Statement of Acceptable Risk (SoAR) is completed to capture all identified security risks and recommendations. The SoAR is reviewed and signed off by the business owner, the Ministry Information Security Officer (MISO) and the Ministry Chief Information Officer (MCIO).
Information security classification
The B.C. Government Private Cloud PaaS offers application and information hosting that is suitable for most government services. The platform meets the requirements for hosting information up to and including the Protected B classification.
As a product team on the B.C. Government Private Cloud PaaS, you'll use GitHub to build your application in an open-source, public environment. Security and privacy assessments were completed for GitHub as part of the OpenShift STRA and PIA evaluations.
If you’d prefer to start working on your project privately, you also have the option to request a private repository for your OpenShift project in GitHub. However, this arrangement can only be temporary. You must have a plan to eventually move your project to a public repository.
To meet and maintain Privacy Impact Assessment (PIA) requirements, we:
Completed an initial PIA during the planning, development and implementation of the platform
Conduct additional privacy assessments as needed when changes to the platform impact the use, disclosure or collection of information
Critical Systems Standard
We are very close to obtaining Critical Systems Standard compliance. The documentation required to meet the Critical Systems Standard is in the final stages of review for submission.
Meeting the Critical Systems Standard certifies that the B.C. Government Private Cloud PaaS meets higher levels of security and reliability, to deliver critical services to citizens.
The Critical Systems Standard:
Defines what systems are critical
Identifies the roles and responsibilities of system providers
Outlines the requirements for systems that provide a critical service
Provides guidelines on how to minimize the impact of a disruption to a critical system or service
Once the platform is compliant with the standard, it’ll undergo an annual review to ensure that it continues to meet critical service hosting requirements.
Security and privacy tools
You are responsible for ensuring that your application meets security and privacy standards. There are several tools available in OpenShift that you can use to identify vulnerabilities and keep your applications secure.
We also provide a large collection of design patterns on the platform that follow security best practices. You can use these patterns to build secure integrations between your OpenShift applications and external systems. To learn more about design patterns, post a question in the #devops-how-to Rocket.Chat channel.