# getting-started
j
HackerOne is gearing up to run Meltano in production! Because HackerOne has a FedRAMP certification, we need to file significant change requests with the US government for their approval. The Cybersecurity and Infrastructure Security Agency (CISA) has some reservations around container security and k8s due to the lack of security scanning capabilities, as you don’t have full control over the system. At H1, our data architecture is part of our FedRAMP authorization boundary, meaning that we need approval to deploy it. As it stands today, deploying Meltano on k8s has our preference. We were planning to do a risk assessment and go over our compensating controls to convince the CISO that k8s is the way to go – there would be a good amount of work involved in this. Earlier today, the NSA and CISA happened to have released a report about hardening k8s deployments: https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/1/CTR_KUBERNETES%20HARDENING%20GUIDANCE.PDF. Earlier this year, CISA also released an article about it: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-013a. I wanted to flag these docs as they may be useful for anyone that is looking to deploy Meltano within their FedRAMP authorization boundary. The recommendations, particularly in the first doc, are useful and actionable (and generally good advice). We don’t have formal approval from GSA (our FedRAMP sponsor) yet, but it seems like they’re warming up to the idea of k8s and containers.
d
HackerOne is gearing up to run Meltano in production!
😍
I wanted to flag these docs as they may be useful for anyone that is looking to deploy Meltano within their FedRAMP authorization boundary. The recommendations, particularly in the first doc, are useful and actionable (and generally good advice). We don’t have formal approval from GSA (our FedRAMP sponsor) yet, but it seems like they’re warming up to the idea of k8s and containers.
Thank you, this is great. Glad to see the government slowly but surely finding its way to 2021.
a
Thanks for sharing Jobert.