Security in Platform Oneπ
Core Tenetsπ
- Secure the DoD
- Security first approach, while keeping timelines in mind.
- Automation
- Avoid manual processes by automating whenever possible.
- Standards/Continuous Monitoring
- Continuous monitoring of compliance.
- Multi-Party Validation
- Have multiple engineers check products as they come through the pipeline. P1 promotes pair programming to help with this.
For more detailed information see DoD Enterprise DevSecOps Fundamentals
PlatformOne - Security Offeringsπ
- IronBank Registry
- IB registry for hardened container images (registry1.dso.mil)
- IronBank VAT
- Vulnerability Assessment Tracker (vat.dso.mil)
- GUI with APIs access to evidence to speed up accreditation of images
-
Weekly IronBank Onboarding, AMA (Ask Me Anything), and get unblocked sessions
Note
Only vendors can harden vendor images
-
CNAP
- Cloud Native Access Point (Advanced perimeter firewall, that enables secure access to IL2, IL4, and IL5 Resources from the public internet, P1 SSO managed by CNAP team)
- Various other services
- Onboarding, pen testing, and more.
Automating Securityπ
- IronBank rebuilds & rescans their images every 12 hours. This ensures fixes to the upstream base image can be added.
-
Big Bangs releases cycle every 2 weeks, makes it easy to pull in the latest version of images.
- In
~/Desktop/bootstrap/dev/kustomization.yaml
there’s a reference to the version of the Big Bang helm Chart. When you update that it cases a cascading effect that updates the versions of all images maintained by Big Bang.
- In
ATO vs cATOπ
ATOπ
- Based on RMF (Risk Management Framework) and Security Controls and their implementation for an iteration
- Places focus on the system
- Works better with the traditional Waterfall/Spiral SDLC (Software Development Life Cycle)
- Changes to the system might warrant a re-evaluation of the ATO cycle
- Traditionally ATO is issued to the system as whole
- Does not lend to easier Reciprocity across platforms
cATOπ
- Also based on RMF and Security Controls but focused on the development process that spans multiple iterations rather than the system itself
- Better fit for the modern agile methodologies
- Allows teams to develop and deploy continuously without having to re-evaluate ATO for each change
- Swapping out the layers (Infra and Platform) with equivalent ATOs arguably helps preserves cATO and CtF (Certificate To Field) of the Application which lends to Easier Reciprocity across platforms
Continuous Authorizationπ
PlatformOne Security Objectivesπ
Security is core to P1βs Mission
βServe cyber mission application teams in their journey to deliver rapid mission capability with technical expertise and servicesβ
- Provide secure, resilient and robust development environment
- Facilitate CtF - Certificate To Field
- Secure development - focus on high quality code practices, automation, monitoring and compliance
- Secure deployment - rely on the ATO of the infrastructure and platform layers
Processπ
1.0 Authorize the Platformπ
2.0 Authorize the Platformπ
3.0 Authorize the Processπ
Continuous Monitoringπ
P1 and cATOπ
Big Bang clusters are capable of receiving a cATO.
IronBank, PartyBus, and other P1 services are hosted on top of Big Bang Clusters. P1’s AO was able to sign off on P1 services receiving a cATO, because of people, processes, and technology. In addition to the Big Bang Platform Technology, trained, approved, and vetted people are developing and maintaining the services and are following processes that have been approved by the AO.
EX: PartyBus has a process called CTF (Certificate to Field) through which images are approved to run in production on their cATO’d environment.
Quiz Questionsπ
What is missing from this list of the Core Tenets for security in Platform One? Secure the DoD
, Automation
, Multi-Party Validation
Standards/Continuous Monitoring
What does CNAP stand for?
Cloud Native Access Point
How often does IronBank rebuild & rescan their images?
IronBank rebuilds & rescans their images every 12 hours. This ensures fixes to the upstream base image can be added.
What is the difference between ATO and cATO?
ATO
-
Places focus on the system
-
Works better with the traditional Waterfall/Spiral SDLC
-
Changes to the system might warrant a re-evaluation of the ATO cycle
-
Traditionally ATO is issued to the system as whole
-
Does not lend to easier Reciprocity across platforms
cATO
-
Better fit for the modern agile methodologies
-
Allows teams to develop and deploy continuously without having to re-evaluate ATO for each change
What is ChatOps?
ChatOps is project collaboration for real-time interactive coordination among team members