Proxmox in a US Federal environment?

dpearceFL

Active Member
Jun 1, 2020
Is anyone using Proxmox in a United States Federal program? Exploring options...

Thanks.
 
The first hurdle is Proxmox the company is based out of Austria. Don't know what other hurdles remain. Looking for knowledge.
 
What is the problem with Austria, did I miss something?
 
Frankly this US government agency is looking for alternatives to Red Hat OpenShift. Broadcom/VMware has taken themselves out of consideration. We're a Linux shop so Hyper-V is a no go. I've been using Proxmox for internal projects very successfully. But unfortunately there are many requirements for using SW from other countries, even Austria.

If anyone has tried to use Proxmox in this environment, I'd like to hear from you.
 
I think one of the hurdles is that Proxmox would need to significantly expand their presence in the US (specifically support hours. For Enterprise you really need 24/7 with a 3-hour response time SLA.)

I wouldn't mind being hired on to do that sort of thing myself, I'm loving PMVE
 
> I think one of the hurdles is that Proxmox would need to significantly expand their presence in the US (specifically support hours. For Enterprise you really need 24/7 with a 3-hour response time SLA.)
>
> I wouldn't mind being hired on to do that sort of thing myself, I'm loving PMVE

Getting sued in a US jurisdiction for breach of SLA by a third-party subcontractor, what's not to like. That's why they leave it to "partners" ... which you can be.
 
Would be interested in future plans in this as well.
US clearance based enterprises would benefit if Proxmox (Company) offered US-Based Support with better SLA options.
 
Proxmox Server Solutions GmbH doesn't need to be in the GSA; the provider does. I am not aware of any limits precluding the use of PVE within any US government applications, as Austria is not on any restriction list, and even if it were, one could theoretically fork it to make an "American" version.
 
> Proxmox Server Solutions GmbH doesn't need to be in the GSA; the provider does. I am not aware of any limits precluding the use of PVE within any US government applications, as Austria is not on any restriction list, and even if it were, one could theoretically fork it to make an "American" version.

It's not just about the country per se; one would need to - as you implied - fork the sources and maintain them up to the standards required, and this is simply not the case with this open source project. It's a bit like if Red Hat was offering nothing other than Fedora and then suggested whoever wants is free to fork it and maintain it to the required standard.

And that's not going to change, so PVE is simply not the solution to go for with the use case, it's not on the roadmap either, that's about it.
 
I think everyone is missing the real point. In order to achieve an "authority to operate" or ATO in the federal space, all IT system owners must complete a "system security plan" based on the Privacy and Cybersecurity Framework as defined in NIST 800-53r5.
Now, if a service provider (like any system owner) has built a service using PVM and it has been "ATO'd" and adopted into the FedRAMP catalog following NIST 800-37, then any consumer of that service can inherit the security of the underlying service. The question is, what are the requirements detailed in the "Federal Information Security Management Act of 2002" or FISMA which drive all of the need for NIST?
Well this is where the conversation concerning foreign ownership and open/closed source code are relevant. There is no reason why PVM can't be a viable solution for hypervisors in US federal environments. But someone needs to build a system with PVM and go through the security assessment process to see what the issues are and find solutions for them. This has been the case for thousands of software and hardware products over the last couple of decades; with those products worth their merit surviving the assessment. Usually, much better for it.
 
> I think everyone is missing the real point. In order to achieve an "authority to operate" or ATO in the federal space, all IT system owners must complete a "system security plan" based on the Privacy and Cybersecurity Framework as defined in NIST 800-53r5.
> Now, if a service provider (like any system owner) has built a service using PVM and it has been "ATO'd" and adopted into the FedRAMP catalog following NIST 800-37, then any consumer of that service can inherit the security of the underlying service. The question is, what are the requirements detailed in the "Federal Information Security Management Act of 2002" or FISMA which drive all of the need for NIST?
> Well this is where the conversation concerning foreign ownership and open/closed source code are relevant. There is no reason why PVM can't be a viable solution for hypervisors in US federal environments. But someone needs to build a system with PVM and go through the security assessment process to see what the issues are and find solutions for them. This has been the case for thousands of software and hardware products over the last couple of decades; with those products worth their merit surviving the assessment. Usually, much better for it.

I believe ProxMox is already approved for gov use.
With that being said, the challenge is still adhering to the compliance. What this really boils down to is encryption support. Specifically, encryption support at the FIPS 140-3 level supported by the vendor for both data-at-rest and data-in-transit. So if Proxmox (or Debian) can provide the appropriate cryptographic libraries and the underlying volumes can be encrypted, and also network traffic encrypted, and also meet all of the other requirements, then I don't think there would be an issue with using the product. STIG the system as if it were vanilla Debian. I have personally STIG'ed Ubuntu to meet compliance, which is just another variant of Debian. The most challenging part of the process was getting FIPS 140-2 working. It required a license from Canonical and then registering that license with their online servers in order to gain the necessary libraries. I would think that getting enterprise support through ProxMox would be the best way to get this working... and with the issues VMWARE is having with the Broadcom takeover, it would behoove ProxMox to step in with that support at the enterprise level.
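As an added example, not code from the thread or from Proxmox: a small POSIX shell pre-check for two of the controls the post above names, kernel FIPS mode and data-at-rest encryption of mounted volumes. The helper names, the optional path argument and the embedded lsblk sample are constructed for this example; the `/proc/sys/crypto/fips_enabled` flag and the `lsblk -P` key="value" columns are real interfaces. A `1` in that flag only says the kernel is running in FIPS mode; whether the kernel and userland modules are validated ones is the separate vendor question the post raises, and the script does not answer it.

```shell
#!/bin/sh
# Added example (not from the forum thread): a pre-assessment check for
# kernel FIPS mode and for mounted filesystems that are not backed by a
# dm-crypt (LUKS) mapping. Sample data below is constructed.

# Print "enabled", "disabled" or "unknown" for the kernel FIPS flag.
# $1: path of the flag file (defaults to the real sysctl path).
fips_state() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    if [ ! -r "$f" ]; then
        echo unknown
        return 0
    fi
    case "$(cat "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Read lines in the form produced by
#   lsblk -P -n -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME
# on stdin and print "<mountpoint> <device>" for every mounted filesystem
# whose device chain contains no TYPE="crypt" layer. Values containing
# spaces or quotes are not expected here (assumption).
unencrypted_mounts() {
    awk '
    # extract one KEY="value" pair from the current line
    function val(k,   s) {
        if (match($0, "(^| )" k "=\"[^\"]*\"")) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^[^=]*=./, "", s)   # drop KEY=" prefix
            sub(/.$/, "", s)         # drop closing quote
            return s
        }
        return ""
    }
    {
        n = val("NAME")
        type[n] = val("TYPE")
        parent[n] = val("PKNAME")
        m = val("MOUNTPOINT")
        if (m != "") mnt[n] = m
    }
    END {
        for (n in mnt) {
            enc = 0
            # walk up through PKNAME until a crypt layer or the bare disk
            for (p = n; p != ""; p = parent[p])
                if (type[p] == "crypt") { enc = 1; break }
            if (!enc) printf "%s %s\n", mnt[n], n
        }
    }' | sort
}

# Constructed sample: root on LVM over LUKS, plaintext ESP, plaintext
# storage volume. The ESP cannot be encrypted and is normally documented
# as an accepted exception; the storage volume is a real finding.
sample_lsblk() {
    cat <<'EOF'
NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" FSTYPE="LVM2_member" MOUNTPOINT="" PKNAME="sda2"
NAME="pve-root" TYPE="lvm" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/var/lib/vz" PKNAME="sdb"
EOF
}

# With --live inspect this host; otherwise run against the sample.
if [ "${1:-}" = "--live" ]; then
    echo "kernel FIPS mode: $(fips_state)"
    echo "mounted filesystems without a dm-crypt layer:"
    lsblk -P -n -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME | unencrypted_mounts
else
    echo "mounted filesystems without a dm-crypt layer (constructed sample):"
    sample_lsblk | unencrypted_mounts
fi
```

Run it with `--live` on a node to get the two findings an assessor will ask about first; anything listed is either an accepted exception to document (the EFI system partition) or a volume that still needs to move onto a LUKS container before the data-at-rest control can be claimed.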
 
> I would think that getting enterprise support through ProxMox would be the best way to get this working...

This was discussed here multiple times, Proxmox does not intend to serve the enterprise segment (e.g. support hours alone [1]).

> and with the issues VMWARE is having with the Broadcom takeover, it would behoove ProxMox to step in with that support at the enterprise level.

I wonder, at times, how many Broadcom customers actually end up migrating to a solution like PVE; it does not appear to be a natural migration path, at all.

[1] https://forum.proxmox.com/threads/n...to-post-this-support-hours-of-proxmox.137394/
 
> I wonder, at times, how many Broadcom customers actually end up migrating to a solution like PVE

In the SMB space, quite a few. I am seeing a ton of interest; one of my customers is actively migrating their whole production environment, and I am in discussion with at least two more. In the larger space... your points are well taken.
 
Indeed the move to Proxmox among SMB customers is quite high, to the extent that Veeam has agreed to support Proxmox.
 