Agile ATO in the Spotlight
The industry is grappling with conflicting network connection paradigms as the proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved traditional network boundaries.
User authentication combined with a conventional hardened network perimeter is no longer sufficient for enterprise security in a world of increasingly sophisticated threats. The challenges of secure connectivity are further compounded by the dynamic nature of today’s modern applications, software-defined networking, and the real-time nature of DevSecOps.
For the Federal Government, this shift poses huge challenges to established practices such as Authorizations to Operate (ATOs), which need to be exponentially faster to keep up with the adoption of on-demand cloud native services.
To address this, the ATARC Cloud Working Group (Agile ATO) Project Team is focusing on increasing the speed of the Authority to Operate (ATO) for cloud while keeping pace with security requirements in the Government using a Zero Trust approach. Zero Trust is a new strategy and design approach to architecting an information technology environment that could reduce an organization’s risk exposure in a “perimeter-less” world.
The project is creating a dedicated blue-green Agile ATO DevSecOps environment that requires multiple activities and technologies converging to support 1) the goal of enabling incremental and timely releases with fewer risks and 2) the goal of ensuring Zero Trust requirements are addressed in production and across the multi-cloud, multi-environment pipeline systems.
The Agile ATO DevSecOps environment will use containers and VMs (such as Docker and RHEL) to house the applications, secured by Waverley Labs’ open source Software Defined Perimeter to ensure Zero Trust requirements are met.
This project will also leverage NIST’s OSCAL (Open Security Controls Assessment Language) and ultimately create a pilot that can capture multiple other features as proof of concept (POC).
The Agile ATO POC will demonstrate an automated process that provides testing and visibility of controls as they are implemented and operationalized, so that systems can receive a viable ATO. Key to this is continuous validation, not just a point-in-time manual review of controls. It will remove the previous requirement to manually demonstrate controls through probes and system attributes; instead, it will deploy automated discovery of controls and metrics of compliance and non-compliance.