VMware to Red Hat OpenShift Migration: Government Agency Achieves PDPL-Aligned Hybrid Cloud with Zero Major Incidents

Summary

A major Saudi government agency successfully migrated from VMware to Red Hat OpenShift to modernize its digital services while meeting strict data protection and security requirements. Using a compliance-first approach, the team mapped controls to PDPL and NCA ECC, established secure platform patterns, and rolled out in waves, achieving no major incidents, a successful external audit, and higher operational efficiency across teams.

Introduction — Meeting compliance while modernizing

The government agency faced rising VMware costs, inconsistent operations, and new data privacy regulations. It needed a secure, flexible cloud solution that could run both its existing virtual machines (VMs) and new containerized applications. Migrating to Red Hat OpenShift provided a single, unified platform to achieve this modernization without compromising on data sovereignty, security, or audit readiness.

Context & Objectives (Public Sector, KSA)

  • Data Security: Must comply with strict national regulations for data residency, encryption, and access control.
  • Operational Goals: Achieve compliance with the Personal Data Protection Law (PDPL), standardize security across all applications, speed up the delivery of new services, and reduce dependency on a single vendor.
  • Technology Model: Implement a hybrid cloud that works across its on-premises data center and a regional cloud, with consistent security rules for both new and existing applications.

The Journey — Compliance → Security Mapping → Controlled Rollout

1) Foundational Compliance

First, we conducted a thorough review of their existing VMware systems to understand data flows and dependencies, classifying all data according to PDPL rules. This analysis identified gaps in security, access control, and disaster recovery. Based on this, we created a clear business case and a phased migration plan, starting with low-risk, high-impact services.

2) Security Mapping

We translated the legal requirements of PDPL and NCA ECC into automated security policies on the new platform. This included:

  • Integrating a Single Sign-On (SSO) system for secure, role-based access.
  • Encrypting all sensitive data and securing software components.
  • Centralizing monitoring to track performance and security, creating automated reports for audits.
  • Securing network traffic and storage with encryption and access controls.

3) Controlled Rollout

We began with a pilot project, moving a low-risk internal service and one public-facing application. This allowed us to test the process of importing existing VMs and deploying new applications using automated, code-based pipelines (GitOps). Before each stage of the migration, we performed rigorous checks for security, disaster recovery, and operational readiness. We then migrated the remaining applications in managed waves, ensuring a smooth transition.

Why Red Hat OpenShift Was the Right Choice

  • One platform for VMs + containers: It runs both existing VMs and modern container-based applications, allowing the agency to modernize at its own pace.
  • Security baked in: Offers robust, out-of-the-box features for access control, encryption, and automated policy enforcement that align with national security standards.
  • Operational consistency: Enabled standardized, automated processes for deployment, monitoring, and audit reporting.
  • Vendor risk reduction: Moving to an open-source-based platform provides greater flexibility and avoids dependency on a single proprietary vendor.

Architecture Snapshot

  • Platform: Red Hat OpenShift (clusters across on-prem + regional cloud)
  • Identity: SSO (IdP) + fine-grained RBAC; privileged operations gated and logged
  • Networking: Service mesh (mTLS), network policies, private ingress/egress, optional SR-IOV where needed
  • Storage & Data: CSI classes (RWO/RWX), encryption at rest, snapshots, backup integration, lifecycle policies
  • Observability: Central dashboards (metrics/logs/traces), synthetic checks, automated evidence export
  • Resilience: Multi-AZ where available, tested runbooks, regular DR drills with pass/fail criteria

Security, Compliance & Governance (KSA)

  • PDPL: Data classification/residency, consent and logging, encryption in transit/at rest, audit preparedness.
  • NCA ECC: Baselines for hardening, vulnerability management, change control, and incident handling.
  • Governance: CAB approvals, “four-eyes” reviews on high-risk changes, monthly evidence packs for internal/external auditors.

Metrics & Outcomes

  • Zero major incidents across pilot and wave rollouts due to gating, rehearsed rollback, and SRE runbooks.
  • Audit pass: External assessment confirmed PDPL-aligned controls with evidence-backed findings.
  • ↑ Operational efficiency: Faster provisioning (weeks → hours/minutes), cleaner handoffs via GitOps and templates.
  • Availability: “Three-nines” (≈99.9%) platform availability with multi-AZ design and tested failovers.
  • Cost posture: Reduced licensing exposure and improved right-sizing through OpenShift requests/limits and storage policies.

Outcomes are anonymized and directional, consistent with public-sector disclosure norms.

Key Lessons for Leaders

  • Lead with Compliance: Translate legal and security requirements into technical controls before you start migrating.
  • Prove, then Scale: Use a pilot project to validate your approach and create reusable templates for the rest of the organization.
  • Modernize Pragmatically: You don’t need to rewrite everything at once. Use a flexible platform that supports both old and new applications.
  • Automate Audit Evidence: Build a system where compliance reports are generated automatically and continuously.
  • Foster New Skills: Invest in operational excellence (SRE) and cost management (FinOps) to sustain long-term performance and budget control.

Conclusion — A compliant platform for continuous innovation

By migrating from VMware to Red Hat OpenShift, the agency built a secure, compliant hybrid cloud that meets national data laws. This strategic move resulted in no major service disruptions, a successful audit, and significant efficiency gains. The agency can now deliver updates faster, with stronger governance and the clear, automated evidence needed to satisfy stakeholders.
