Why the DoD Should Add DevSecOps to Its Playbook

In December 2020, SolarWinds, a software company known for its systems management tools, experienced a supply chain attack that dramatically impacted the security of companies’ and contractors’ around the world. The reason? SolarWinds has more than 300,000 customers, including the Department of Defense and other federal agencies. In other words, it was a severe breach.

This attack comes at an intriguing moment. The pandemic has changed the way we work, shutting down offices and increasing network access points. Unsurprisingly, the rise in remote work has increased network attacks at DoD, and in general, 2020 saw 37 billion records compromised by data breaches, a 141% increase compared to 2019. So today, the need for a closely monitored and secure development process is even more vital for federal agencies tasked with protecting some of the world’s most confidential data.

The Importance of Segregation of Duties (SoD)

Today’s rapidly evolving tech environment has led to the rise of DevOps as an operational model. Short for “development and operations,” DevOps is a set of practices that combines software development and IT operations. The ultimate goal of the DevOps model is to accelerate the systems development lifecycle. It’s undeniably a popular model, with the global DevOps market set to grow at a CAGR of 22.9% over the next several years.

Existing DevOps processes don’t sufficiently monitor changes and ensure appropriate segregation of duties (SoD) between developers and operational staff. Segregation of duties – designing a workflow so that more than one person is required to complete or sign off on a task – relies on workflow roadblocks to increase security. 

In software development, SoD takes a particular shape. Ensuring that individual workers or organizations don’t perform multiple tasks in the software development life cycle – like design and development or inspection and approval – is crucial to reducing risk. In addition, proper SoD practices monitor and control software & data changes.

How Does SoD Reduce Risk?

Why is that so valuable? For one thing, promoting lousy code can lead to security vulnerabilities and potential data loss. According to the DHS, roughly 90% of cybercrimes result from vulnerabilities discovered in a software’s code or design. Working to fix these problems in a later stage of development can be difficult and costly, which is why an approach that bakes in security from the start is so valuable. 

Understandably, SoD methodology can put it at odds with DevOps, which relies on integration. That’s why most experts agree it’s critical to find a balance between security and availability, even in the federal sector, where the emphasis tends to lean more towards security rather than speed. This emphasis is understandable; federal contractors and subcontractors often deal with highly-sensitive data, so making sure it’s secure is critical.

Complying with strict federal regulations and documenting compliance proves to be challenging for federal agencies. Implementing a full DevSecOps lifecycle that integrates SoD helps provide the necessary evidence of change management, testing, and approval while optimizing performance. But how does it do this?

Modern identity solutions understand that machine identities (such as bots, IoT devices, and workloads), much like human identities, need to be secured. Therefore, finding a way to extend the access control process to them is critical. Enterprise identity solutions function by creating secure digital identities for users and applications, allowing the access process to be safely automated. In addition, some solutions offer out-of-box SoD rulesets mapped to applications and compliance regulations to make things even simpler.

Emphasize Security Over Speed

The Defense Industrial Base (DIB) includes more than 100,000 companies and subcontractors working for the Department of Defense. Understandably, these companies must interact with several compliance regulations aimed at increasing security, including newer standards like the Cybersecurity Maturity Model Certification (CMMC). 

By design, existing DevOps processes prioritize speed over security, which can present problems in the federal space, where these compliance standards are crucial. At the same time, federal agencies must achieve efficiency and leverage new systems, while working within a clear budget. How can they do this without compromising on security measures mandated by regulations?

Balancing Competing Demands

The DevSecOps approach resolves these competing demands. It does this through a comprehensive identity solution, which can extend data access and governance into continuous integration and continuous delivery (CI/CD) pipelines. Traditionally, CI/CD pipelines automate the software delivery process by iteratively building, testing, and deploying code. In other words, they offer a nonlinear way of developing and managing code. 

On their own, CI/CD pipelines can offer convenience and agility, but they can also present security problems. Toxic combinations – when mismatched permissions combine to allow actions above an intended access level – can spring up, and compliance can be harder to track. With new CMMC standards redefining how defense contractors go about their work, more complex solutions are needed. 

Integrating CI/CD pipelines with an enterprise-level identity solution offers several benefits. Federal agencies that take this approach can: 

• Identify inappropriate access or toxic access combinations that lead to SoD violations 
• Verify continuous compliance by adding tracking of access requests 
• Create an agile, quick, and secure development environment 

Increase Security the Smart Way

It’s unlikely remote work is going anywhere anytime soon. Combine this with the growing importance of cloud infrastructures – some estimate an average annual growth rate of 15% for cloud computing services over the next several years – and it’s clear security should be on everybody’s mind. Enterprise-level identity solutions can help meet the changing demands of the modern workforce and the increased security risks they bring with them. And they can do this without sacrificing the speed and agility that come with DevOps processes.