Software-Defined Perimeter provides integrated security controls for ATO

A recent GitLab white paper provides an elegant description of DevSecOps and how proactive security integration reduces an agency’s risk and vulnerabilities.

It accurately outlines a solution based on how moving from a reactive to a proactive security strategy that features continuous security testing in a single, integrated development and testing platform, will improve overall security. It advocates that a single platform leveraging continuous integration, continuous development (CI/CD) processes allows code changes to be automatically tested with every code commit and results are presented to the developer for instant remediation. This significantly improves application security, and helps developers achieve authority to operate (ATO) more quickly.

It also emphasized how early identification and remediation of vulnerabilities and concerns can enable faster Authority to Operate (ATO) for agencies and services. But it did not elaborate on how early detection could be achieved.

For the Federal Government, ATOs are constantly challenged to become exponentially faster due to the adoption of on-demand cloud native services.  The developers at 18F—an internal digital advisory group based out of the General Services Administration—took this challenge head-on, developing an agile ATO process for agencies that puts the security work up front, rather than at the tail end of a project. The goal was to follow Zero Trust principles, a new strategy for architecting an information technology environment that reduced an organization’s risk exposure in a “perimeter-less” world.

While the intentions were good, agencies found out the hard way that for the new Agile ATO process to meet the build and ship timelines, it meant integrating additional security controls that went far beyond the conventional vulnerability scanning and configuration management requirements they had become accustomed to. They learned that achieving a true Zero Trust solution requires integrating a complex layer of additional security controls.

Recently NIST determined that many of those key controls are inherent and delivered holistically as part of the deny-all, authorize-first Software Defined Perimeter (SDP) solution specified by the Cloud Security Alliance. NIST recognized how SDP enables DevSecOps to “shift left” earlier in CI/CD delivery methodologies that is becoming critical to accommodating agile build and ship timelines.

As part of NIST’s OSCAL pilot demonstration to generate system security plans for a truly Agile ATO process, the ATARC cloud working group is demonstrating how SDP can support a Zero Trust implementation of security controls required for the ATO.

Agencies and DevSecOps need to know that the opportunity now exists to holistically integrate the key controls required to not only speed up the Agile ATO process but also truly secure high-risk applications at run time.

The industry is starting to recognize and embrace SDP technologies, with the latest entrants focused on the application layer.  Waverley Labs’ API-based approach  simplifies how agile developers using Kubernetes, as an example, can skip writing error prone and time consuming VPN instructions and write to an API that speaks to a deny all “gateway”. The gateway restricts users from accessing applications based on their authorization and the validation of their devices. The SDP authorizes users BEFORE they can access the network and connect to the application. In addition to providing a per-application VPN. SDP hides applications from would be attackers – applications are literally invisible to the internet. The Waverley SDP implementation provides a separate control and data channel, secures end-to-end connections and uses an internet-scale packet-filter to drop all unauthorized connections per application.

Waverley Labs worked closely with the Cloud Security Alliance (CSA) as the technical lead of the SDP working group and recently co-authored the CSA’s new white paper – Software Defined Perimeter and Zero Trust.