About MCaaS
Security Features
MCaaS and the GSA OCISO DevSecOps program are working together to provide many security tools and features that fast-track your application for ATO and beyond. However, some tools and configurations require attention and participation from new tenants.
The sections below highlight the inherited and required tools and security integrations.
Inherited Security Tools and Features
Below is a list of security requirements and the solutions provided by the MCaaS platform. When a tenant's application is deployed on the MCaaS platform, the application inherits these security features without any additional work from the tenant.
- Logging and Auditing (cluster, node and AWS platform)
  - Achieved by collecting cluster audit logs, CloudTrail and rsyslog, and shipping them to the Enterprise Logging Platform (ELP)
- Micro-segmentation and network security policy
  - Achieved by Calico
- Encryption in transit between pods via mTLS
  - Achieved by Istio
- Container runtime security and container configuration compliance
  - Achieved by Anchore CVE and compliance scans within the Jenkins pipeline at container image build time
  - Achieved by StackRox CVE and compliance scans at container image deployment time and runtime
- Host/worker node hardening and endpoint security agents
  - Achieved by hardening host/worker nodes against the CIS benchmark
  - Achieved by installing Endgame antivirus on host/worker nodes
  - Achieved by installing FireEye Endpoint Security on host/worker nodes
  - Achieved by running Nessus vulnerability and compliance scanning
- Secure GitHub branching and promotion
  - Achieved by using the standard GitOps flow from the MCaaS platform
- URL scanning
  - Achieved by running Netsparker scanning of your application URLs
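To make the Calico and Istio items above concrete, here is an added example of what namespace-level micro-segmentation and mTLS enforcement look like in Kubernetes manifests. It is illustrative and not taken from the MCaaS platform or its GitOps repositories; the namespace name `tenant-app`, the label `app: web` and the port `8080` are assumptions, and the platform may apply its own policies rather than requiring tenants to write these. The NetworkPolicy uses the standard `networking.k8s.io/v1` API, which Calico enforces, and the PeerAuthentication uses Istio's `security.istio.io/v1beta1` API.

```yaml
# Added example (not MCaaS platform code). Namespace, labels and port are assumed.
---
# 1. Default-deny: with an empty podSelector every pod in the namespace is
#    selected, and listing both policy types with no rules blocks all
#    ingress and egress until something explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: tenant-app        # assumed tenant namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Allow-list: only the Istio ingress gateway may reach the web pods,
#    and only on the application port. Other pods stay blocked by (1).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-gateway-to-web
  namespace: tenant-app
spec:
  podSelector:
    matchLabels:
      app: web                 # assumed application label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: istio-system
          podSelector:
            matchLabels:
              istio: ingressgateway
      ports:
        - protocol: TCP
          port: 8080           # assumed application port
---
# 3. Egress: pods still need DNS to resolve service names. Allow UDP/TCP 53
#    to kube-dns only; any other egress must get its own explicit rule.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: tenant-app
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# 4. mTLS: STRICT mode makes the Istio sidecars reject any plaintext
#    connection to pods in this namespace, so pod-to-pod traffic that
#    survives the network policies above is also encrypted and
#    authenticated with workload certificates.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: tenant-app
spec:
  mtls:
    mode: STRICT
```

After applying the manifests, `kubectl get networkpolicy -n tenant-app` and `kubectl get peerauthentication -n tenant-app` confirm that the objects exist; a quick functional check is to `curl` the web pod from a pod in another namespace, which should time out under the default-deny policy, and from a pod without a sidecar, which STRICT mTLS should reject at the connection level. The design point is that (1) and (4) are the safety nets: a tenant who forgets an allow rule loses connectivity rather than exposure.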