Michael Friedrich, September 17, 2021
Federal Government: How Zero Trust Security Powers Agility for DevSecOps
In cybersecurity, new terms and techniques come into play regularly. But there has never been a bolder call to action for federal government cybersecurity standards than Zero Trust: cyber warfare is increasing, more use cases are emerging, and executive orders and U.S. Office of Management and Budget (OMB) memos are being published.
Yet one thing that hasn’t changed is the desire for agility when it comes to speed of delivery. So, how do Zero Trust security principles power the desired DevSecOps agility? Let’s talk about it.
What is DevSecOps? DevSecOps is security and operations at the speed, automation and scale of development (i.e., security as code). Its benefits are simple: increasing amounts of automation in the software delivery process increases agility, eliminates mistakes and reduces attack surface and downtime.
Agile is a term introduced by the commercial industry to speed up processes and development. While the federal government was not immediately on the agile bandwagon due to purchasing issues and embedded legacy processes, it is now a Department of Defense (DoD) priority thanks to the leadership of the U.S. Air Force. In fact, in May 2021, the DoD published DoD Enterprise DevSecOps Fundamentals, “an informative review of agile and agile principles” that includes a section titled “The Agile Manifesto.”
In addition, with the White House executive order, Zero Trust is now a federal government mandate. All agencies and departments were required to submit their plans to the Office of Management and Budget (OMB) for how they are going to transition their users and applications to Zero Trust. The answer is simple: agile DevSecOps.
Bottom line, when you stop treating cybersecurity as separate from your code and integrate it into the very fabric of your processes, it changes your mindset and allows you to create automation and response scenarios for previously siloed worlds.
And the key to success for Zero Trust vendors is standards. Specifically, federal government agencies must insist on the following from their vendors:
- A robust two-way sync RESTful API framework (often referred to as a bi-directional API), allowing dynamic calls to and from sources of truth
- Full policy creation and management via automation tools (i.e., GitOps)
- Ability to work across all major cloud vendors and hypervisors (ability to work in a hybrid model)
- Auto scaling (ability to grow and shrink your footprint automatically in response to user demand and platform needs at that point in time)
- End-user multi-platform support (e.g., iOS, Android, Mac, Windows, Linux, etc.)
- Container integration (ability to support the dynamic development process driving more and more container usage)
- Metadata tag support (allow the use of tags to drive policies, eliminating reliance on IP addresses and URLs)
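The GitOps and metadata-tag requirements above, shown as an added example that is not Appgate's code or any product's API: a policy document of the kind that could be kept in a repository is parsed and evaluated by tag matches with default deny, and the same workload is then checked after a redeploy to a new address, where an IP allow list built against the old address stops matching while the tag policy still does. All policy names, tags, roles and addresses are constructed.

```python
"""Tag-driven access policy evaluation (constructed example, not a product API)."""
import json
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str               # current address; changes on redeploy or auto scaling
    tags: Dict[str, str]  # metadata the policy keys on instead of the IP


@dataclass(frozen=True)
class Policy:
    name: str
    user_attrs: Dict[str, str]     # attributes the requesting user must carry
    workload_tags: Dict[str, str]  # tags the target workload must carry
    ports: Set[int]                # ports the policy opens


# Constructed policy document, the shape a GitOps repo might version and review.
POLICY_DOCUMENT = json.dumps([
    {"name": "dev-to-staging-api",
     "user_attrs": {"role": "developer"},
     "workload_tags": {"env": "staging", "tier": "api"},
     "ports": [443]},
    {"name": "sre-to-prod",
     "user_attrs": {"role": "sre"},
     "workload_tags": {"env": "prod"},
     "ports": [22, 443]},
])


def load_policies(document: str) -> List[Policy]:
    """Parse the JSON policy document into Policy objects."""
    return [Policy(p["name"], p["user_attrs"], p["workload_tags"], set(p["ports"]))
            for p in json.loads(document)]


def _matches(required: Dict[str, str], actual: Dict[str, str]) -> bool:
    """Every required key/value must be present in the actual attributes."""
    return all(actual.get(k) == v for k, v in required.items())


def evaluate(user_attrs: Dict[str, str], workload: Workload, port: int,
             policies: List[Policy]) -> Tuple[bool, str]:
    """Default deny: allow only when a policy matches user, workload tags and port."""
    for p in policies:
        if (_matches(p.user_attrs, user_attrs)
                and _matches(p.workload_tags, workload.tags)
                and port in p.ports):
            return True, p.name
    return False, "no matching policy (default deny)"


def visible_workloads(user_attrs: Dict[str, str], workloads: List[Workload],
                      policies: List[Policy]) -> List[str]:
    """Workloads a user may reach at all; everything else stays invisible."""
    return sorted(w.name for w in workloads
                  if any(_matches(p.user_attrs, user_attrs)
                         and _matches(p.workload_tags, w.tags) for p in policies))


def ip_allowlist_allows(ip: str, allowlist: Set[str]) -> bool:
    """The IP-based approach the tag model replaces: a static address list."""
    return ip in allowlist


# Constructed inventory: the staging API before and after a redeploy moves its IP.
STAGING_API_V1 = Workload("api-staging", "10.0.1.5", {"env": "staging", "tier": "api"})
STAGING_API_V2 = Workload("api-staging", "10.0.3.9", {"env": "staging", "tier": "api"})
PROD_API = Workload("api-prod", "10.0.9.2", {"env": "prod", "tier": "api"})
DEVELOPER = {"role": "developer"}
POLICIES = load_policies(POLICY_DOCUMENT)


if __name__ == "__main__":
    print(evaluate(DEVELOPER, STAGING_API_V1, 443, POLICIES))   # allowed by tag policy
    print(evaluate(DEVELOPER, STAGING_API_V1, 22, POLICIES))    # port not opened: deny
    print(evaluate(DEVELOPER, PROD_API, 443, POLICIES))         # wrong env tag: deny
    print(evaluate(DEVELOPER, STAGING_API_V2, 443, POLICIES))   # still allowed after move
    print(ip_allowlist_allows(STAGING_API_V2.ip, {"10.0.1.5"}))  # static list now stale
    print(visible_workloads(DEVELOPER, [STAGING_API_V1, PROD_API], POLICIES))
```

Because the decision keys on tags, the policy file in the repository does not change when infrastructure scales or redeploys, which is what lets policy review happen in the same pull-request flow as the code it protects.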
In summary, DevSecOps is an automation framework that allows you to move faster and achieve better results. Zero Trust is a framework that lets users seamlessly connect to only the workloads they are allowed to access at that moment in time, reducing the attack surface. By blending these frameworks and goals together with the standards described above, you can achieve a highly scalable, automated and dynamic solution that literally treats your security as part of the code.
Learn more about DevSecOps with Appgate SDP, an industry-leading Zero Trust Network Access solution here.
Appgate named a ZTNA Leader: Forrester New Wave: Zero Trust Network Access, Q3 2021