Pivotal Cloud Foundry 2.4 Boosts Security With Compliance Scanner

EXCLUSIVE: Pivotal is updating its Cloud Foundry cloud-native application delivery and management platform with zero downtime upgrade capabilities and is also introducing a new compliance scanner to improve security.

Pivotal Cloud Foundry

Pivotal is releasing version 2.4 of its Pivotal Cloud Foundry (PCF) platform on Dec. 20, providing organizations with a host of new capabilities to manage and deploy cloud-native applications.

PCF is Pivotal's commercial distribution of the open-source Cloud Foundry project, which provides platform-as-a-service (PaaS) capabilities for applications. In the PCF 2.4 update, Pivotal is adding zero downtime updates for both applications and the platform itself, so that new versions can be rolled out without a maintenance window. PCF 2.4 also introduces a new compliance scanner, in beta, that lets organizations validate that the operating-system configuration of the VMs in a PCF deployment matches hardening best practices.

"We now have the ability to have zero downtime updates for the applications and the platform, and we're doing that everywhere, whether you're running vSphere or in OpenStack, GCP or AWS," Richard Seroter, vice president of product at Pivotal, told eWEEK. "We're highlighting the idea that you should be able to really go fast for all workloads on any infrastructure without sacrificing operability or security."

The PCF 2.4 release follows the PCF 2.3 update that was announced on Sept. 25 at Pivotal's SpringOne Platform developer conference, alongside new updates for the Pivotal Container Service (PKS).

How Zero Downtime Updates Work

In the past, updating applications or an underlying platform typically involved some form of maintenance window during which a system or platform became unavailable for a period of time. The promise of a zero downtime update is that users are not impacted even while an application or the platform is being updated.

So how does zero downtime actually work in production? Seroter explained that, in the manual form of the approach, an organization deploys version 1 (v1) of an application on Cloud Foundry, deploys v2 alongside it and, once v2 is up, switches the network route so that traffic reaches the new version (the familiar blue-green pattern). PCF 2.4 automates the same basic method at the level of individual application instances.

"Let's say I have five instances of my app and when I deploy the next version, under zero downtime deploy, as each instance of that app comes up in that same bucket, one of the old ones comes out," Seroter said. "I always have five running and I may be in a state where both versions are serving traffic, but at no point is there any disruption because in that same sort of app container, across all the different VMs [virtual machines] and Cloud Foundry, the application instances are swapping out for each other automatically."
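The instance-by-instance swap Seroter describes, as an added simulation (not Cloud Foundry code and not Pivotal's implementation). It assumes a hypothetical `start_instance(version)` hook that stands in for the platform starting a container and that may come back unhealthy; the instances and the scheduler loop are plain Python. Two properties matter to a practitioner and the simulation records both after every step: the number of healthy instances never drops below the desired count, and there is a window in which both versions serve traffic, which means an old, possibly vulnerable version keeps handling requests until the roll-out completes. A stop-then-start deploy is included for contrast.

```python
"""Rolling replacement of app instances: constructed simulation, not platform code."""
from dataclasses import dataclass, field


@dataclass(eq=False)          # identity comparison, so list.remove() removes this object
class Instance:
    version: str
    healthy: bool = True


@dataclass(eq=False)
class Deployment:
    desired: int              # how many instances should always be serving
    instances: list = field(default_factory=list)

    def serving(self):
        return [i for i in self.instances if i.healthy]

    def versions_serving(self):
        return sorted({i.version for i in self.serving()})


def rolling_deploy(dep, new_version, start_instance):
    """Replace each old instance with new_version, one at a time.

    start_instance(version) -> Instance is a hypothetical hook for the platform
    starting a container.  If the replacement comes up unhealthy, the roll-out
    stops and the remaining old instances keep serving.  Returns a list of
    (label, serving_count, versions_serving) snapshots, one per step.
    """
    history = []
    for victim in [i for i in dep.instances if i.version != new_version]:
        # 1. bring the replacement up first: capacity is briefly desired + 1
        candidate = start_instance(new_version)
        dep.instances.append(candidate)
        if not candidate.healthy:
            dep.instances.remove(candidate)
            history.append(("aborted", len(dep.serving()), dep.versions_serving()))
            return history
        # 2. only then retire one old instance, so serving never drops below desired
        dep.instances.remove(victim)
        history.append(("step", len(dep.serving()), dep.versions_serving()))
    return history


def stop_then_start(dep, new_version, start_instance):
    """The maintenance-window approach, for contrast: everything stops first."""
    history = []
    dep.instances.clear()
    history.append(("stopped", len(dep.serving()), dep.versions_serving()))
    for _ in range(dep.desired):
        dep.instances.append(start_instance(new_version))
    history.append(("started", len(dep.serving()), dep.versions_serving()))
    return history


def min_serving(history):
    """Lowest number of healthy instances seen at any step."""
    return min(n for _, n, _ in history)


def mixed_version_steps(history):
    """Number of steps during which more than one version was serving traffic."""
    return sum(1 for _, _, versions in history if len(versions) > 1)


if __name__ == "__main__":
    app = Deployment(5, [Instance("v1") for _ in range(5)])
    for snap in rolling_deploy(app, "v2", Instance):
        print(snap)
    legacy = Deployment(5, [Instance("v1") for _ in range(5)])
    print("stop-then-start minimum serving:", min_serving(stop_then_start(legacy, "v2", Instance)))
```

Running the module prints five snapshots with a serving count of 5 throughout, four of them showing `['v1', 'v2']` live at once, against a minimum of 0 serving for the stop-then-start path.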


PCF 2.4 also marks the beta debut of a new compliance scanner that will help organizations check the configuration and hardening posture of a PCF deployment. The scanner is based on the open Security Content Automation Protocol (SCAP) standard.

"What the scanner does for the customers is basically ensure that the configuration of the OS matches the best practice recommendations for a cloud-native deployment," John Field, security architect at Pivotal, told eWEEK.

The VMs that make up a PCF deployment run the open-source Ubuntu Linux operating system. Field commented that the hardening appropriate for a stand-alone Ubuntu server differs from the configuration required for a cloud-native deployment, where applications are brought up and torn down rapidly.

"What we're looking to do at scale is be able to manage the configuration scanning of the entire deployment and do that from the ops man [operations management] interface," Field said. "So what really needs to happen here is that we need to run a scan of each of the VMs in the deployment and then do that to some configuration standard that is appropriate for cloud."
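Scanning every VM against one standard produces one result document per VM, and the operational question is which rules fail where across the fleet. The following is an added example of consuming such results, not Pivotal's scanner code: it assumes the scanner, like any SCAP tool, emits an XCCDF 1.2 `TestResult` per VM, and it aggregates them by rule. The two result documents and the rule ids are constructed for the example.

```python
"""Aggregate XCCDF 1.2 TestResult documents from several VMs. Added example; sample XML is constructed."""
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"   # XCCDF 1.2 namespace

# Result values that mean a rule needs attention on that VM.
FAILING = {"fail", "error", "unknown"}
# Result values that do not count toward the compliance ratio.
NOT_APPLICABLE = {"notapplicable", "notselected", "notchecked", "informational"}

# Constructed sample: one TestResult per VM; rule ids are made up.
SAMPLE_RESULTS = [
    """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_router">
  <target>router/0</target>
  <rule-result idref="xccdf_example_rule_sshd_permit_root_login"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_gui_removed"><result>notapplicable</result></rule-result>
</TestResult>""",
    """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_cell">
  <target>diego_cell/0</target>
  <rule-result idref="xccdf_example_rule_sshd_permit_root_login"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_gui_removed"><result>pass</result></rule-result>
</TestResult>""",
]


def parse_test_result(xml_text):
    """Return (target, {rule_id: result}) for one TestResult document."""
    root = ET.fromstring(xml_text)
    target = root.findtext(XCCDF + "target")
    results = {}
    for rr in root.iter(XCCDF + "rule-result"):
        results[rr.get("idref")] = rr.findtext(XCCDF + "result")
    return target, results


def aggregate(xml_docs):
    """Return (per_target, failures).

    per_target maps VM -> {rule: result}; failures maps rule -> sorted list of
    VMs on which the rule failed, which is the view an operator acts on.
    """
    per_target = {}
    failures = {}
    for doc in xml_docs:
        target, results = parse_test_result(doc)
        per_target[target] = results
        for rule, res in results.items():
            if res in FAILING:
                failures.setdefault(rule, []).append(target)
    return per_target, {rule: sorted(vms) for rule, vms in failures.items()}


def compliance_ratio(per_target):
    """Fraction of applicable (VM, rule) pairs that passed."""
    applicable = passed = 0
    for results in per_target.values():
        for res in results.values():
            if res in NOT_APPLICABLE:
                continue
            applicable += 1
            if res in ("pass", "fixed"):
                passed += 1
    return passed / applicable if applicable else 1.0


if __name__ == "__main__":
    per_target, failures = aggregate(SAMPLE_RESULTS)
    for rule, vms in sorted(failures.items()):
        print(f"{rule}: failing on {', '.join(vms)}")
    print(f"fleet compliance: {compliance_ratio(per_target):.0%}")
```

A rule that fails on every VM (here the audit rule) usually points at the base image or a platform-wide setting, while a rule failing on one VM type points at that job's configuration; splitting the report this way is what makes fleet-wide scanning actionable.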

The initial beta release of the compliance scanner covers only the operating-system layer. Field said the roadmap is to move up the stack over time so that the feature can address compliance needs for the components that run on top of the OS. The scanner comes from the Pivotal Compliance Innovation Team, which Field said has a clear mandate for future development.

"Our focus is to try to essentially change the way the world proves their compliance," Field said. "That kind of goes hand in hand with the way we're changing the way people build software."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.