Government of British Columbia

DevHub

Platform Services Security

Modern day resources for securing your applications and services.

Developer Guide to Zero Trust Security Model on the Platform

With the addition of new security components, BCDevExchange's Platform Services is able to offer product teams the ability to operate in a Zero Trust security model. Zero Trust is a security model in which you don't trust anything outside of your own components (pods); even pods don't trust each other!

The model works by using application identities created for each component/Processing Unit/pod (Web, API, Database, etc.) of an application, together with custom network security policies that are added to the application as NetworkSecurityPolicy (NSP) custom resource objects (or, for more advanced solutions, ExternalNetworks (EN) objects), to explicitly allow communication between the components.

☝ Note

  • New namespaces provisioned on the Platform after Oct 9, 2019 come with the Zero-Trust Model enabled by default. In order to enable application pods to communicate with the Internet, with the Platform, with other namespaces, or among themselves, a NetworkSecurityPolicy must be created manually in the application as described in the Custom Network Policy Development guide below.
  • If your application was deployed to the Platform prior to the security model install on Oct 9, 2019, 3 base access policies have already been added to your application namespaces (DEV, TEST, TOOLS and PROD) to keep their communications running without any impact. To modify the application's base access policy, see the Quick Start section below.
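As an added illustration (not code from the DevHub page or from the Platform Services team), here is what the model described above looks like as NetworkSecurityPolicy objects for a three-tier application in one namespace. The namespace abc123-dev and the role=web/api/db pod labels are placeholders, and the apiVersion and the source/destination selector syntax (outer list = OR, inner list = AND) are assumed to match the platform's NSP custom resource as it was documented at the time.

```yaml
# Added example, not from the DevHub page. Namespace and role labels are
# placeholders; pods are assumed to carry the matching role=<tier> label.
# Nothing is allowed unless a policy names the pair, so the web tier still
# cannot reach the database even though all three tiers share a namespace.
---
# Web tier may call the API tier, and nothing else inside the namespace.
apiVersion: secops.pathfinder.gov.bc.ca/v1alpha1
kind: NetworkSecurityPolicy
metadata:
  name: web-to-api
spec:
  description: allow web pods to reach api pods
  source:
    - - $namespace=abc123-dev
      - role=web
  destination:
    - - $namespace=abc123-dev
      - role=api
---
# API tier may call the database; the database initiates nothing.
apiVersion: secops.pathfinder.gov.bc.ca/v1alpha1
kind: NetworkSecurityPolicy
metadata:
  name: api-to-db
spec:
  description: allow api pods to reach database pods
  source:
    - - $namespace=abc123-dev
      - role=api
  destination:
    - - $namespace=abc123-dev
      - role=db
---
# Only the web tier may make egress connections to the Internet;
# the API and database tiers get no egress policy at all.
apiVersion: secops.pathfinder.gov.bc.ca/v1alpha1
kind: NetworkSecurityPolicy
metadata:
  name: web-egress-internet
spec:
  description: allow web pods to reach the Internet
  source:
    - - $namespace=abc123-dev
      - role=web
  destination:
    - - ext:network=any
```

Applied with `oc apply -f` in the application namespace, each policy is checked by verifying that the named pair can connect while an unnamed pair (for example web to db) is denied.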

🤓 ProTip

  • Assume that the network and platform are insecure and build up robust security practices.

Table of Contents

Quick Start

Custom Network Security Policy Development Guide

Aporeto Zero Trust Security

BC Gov's Zero-Trust Model Implementation

Support

If you've followed the steps in the guides listed above and things aren't working as you expect and you are stuck, reach out for help in these two RocketChat channels:

  • #devops-sos: Use this channel when things are on fire 🔥 and you need immediate help to resolve a production problem.
  • #devops-how-to: Use this channel to tap into the top-notch OCP community for help.

Pilot Projects

This is a list of some projects that have already implemented a Zero Trust security model:

The simplified Network Diagram for the Pilot Projects is available here.

Network Security and Access Policy Hierarchy

The Zero-Trust Security Model supports policy hierarchies as described here. Each step in the hierarchy is a placeholder for security rules that propagate to the child policies downstream. This approach allows putting in effect corporate-level, platform-level, data-center-level, etc. network security policies that apply to all applications running on the Platform as well as to the legacy and cloud infrastructure where the Zero-Trust Model has been enabled.

If you need to implement a custom security policy that overrides any of the rules included in the platform-level base policies, use the RocketChat channels above to get in touch with the DevOps Security team for assistance.

Refer to the Design Decisions page to find out how the control and ownership of access policies is currently implemented for the applications hosted on the Platform as well as for components external to the Platform.

One of the possible future ownership models for the network security policies could look like this:

Policy Hierarchy
