Security in Platform One📜
- Secure the DoD
- Security first approach, while keeping timelines in mind.
- Avoid manual processes by automating whenever possible.
- Standards/Continuous Monitoring
- Continuous monitoring of compliance.
- Multi-Party Validation
- Have multiple engineers check products as they come through the pipeline. P1 promotes pair programming to help with this.
For more detailed information see DoD Enterprise DevSecOps Fundamentals
PlatformOne - Security Offerings📜
- IronBank Registry
- IB registry for hardened container images (registry1.dso.mil)
- IronBank VAT
- Vulnerability Assessment Tracker (vat.dso.mil)
- GUI with APIs access to evidence to speed up accreditation of images
Weekly IronBank Onboarding, AMA (Ask Me Anything), and get unblocked sessions
Only vendors can harden vendor images
- Cloud Native Access Point (Advanced perimeter firewall, that enables secure access to IL2, IL4, and IL5 Resources from the public internet, P1 SSO managed by CNAP team)
- Various other services
- Onboarding, pen testing, and more.
- IronBank rebuilds & rescans their images every 12 hours. This ensures fixes to the upstream base image can be added.
Big Bangs releases cycle every 2 weeks, makes it easy to pull in the latest version of images.
~/Desktop/bootstrap/dev/kustomization.yamlthere’s a reference to the version of the Big Bang helm Chart. When you update that it cases a cascading effect that updates the versions of all images maintained by Big Bang.
ATO vs cATO📜
- Based on RMF (Risk Management Framework) and Security Controls and their implementation for an iteration
- Places focus on the system
- Works better with the traditional Waterfall/Spiral SDLC (Software Development Life Cycle)
- Changes to the system might warrant a re-evaluation of the ATO cycle
- Traditionally ATO is issued to the system as whole
- Does not lend to easier Reciprocity across platforms
- Also based on RMF and Security Controls but focused on the development process that spans multiple iterations rather than the system itself
- Better fit for the modern agile methodologies
- Allows teams to develop and deploy continuously without having to re-evaluate ATO for each change
- Swapping out the layers (Infra and Platform) with equivalent ATOs arguably helps preserves cATO and CtF (Certificate To Field) of the Application which lends to Easier Reciprocity across platforms
PlatformOne Security Objectives📜
Security is core to P1’s Mission
“Serve cyber mission application teams in their journey to deliver rapid mission capability with technical expertise and services”
- Provide secure, resilient and robust development environment
- Facilitate CtF - Certificate To Field
- Secure development - focus on high quality code practices, automation, monitoring and compliance
- Secure deployment - rely on the ATO of the infrastructure and platform layers
1.0 Authorize the Platform📜
2.0 Authorize the Platform📜
3.0 Authorize the Process📜
P1 and cATO📜
Big Bang clusters are capable of receiving a cATO.
IronBank, PartyBus, and other P1 services are hosted on top of Big Bang Clusters. P1’s AO was able to sign off on P1 services receiving a cATO, because of people, processes, and technology. In addition to the Big Bang Platform Technology, trained, approved, and vetted people are developing and maintaining the services and are following processes that have been approved by the AO.
EX: PartyBus has a process called CTF (Certificate to Field) through which images are approved to run in production on their cATO’d environment.
What is missing from this list of the Core Tenets for security in Platform One?
Secure the DoD,
What does CNAP stand for?
Cloud Native Access Point
How often does IronBank rebuild & rescan their images?
IronBank rebuilds & rescans their images every 12 hours. This ensures fixes to the upstream base image can be added.
What is the difference between ATO and cATO?
Places focus on the system
Works better with the traditional Waterfall/Spiral SDLC
Changes to the system might warrant a re-evaluation of the ATO cycle
Traditionally ATO is issued to the system as whole
Does not lend to easier Reciprocity across platforms
Better fit for the modern agile methodologies
Allows teams to develop and deploy continuously without having to re-evaluate ATO for each change
What is ChatOps?
ChatOps is project collaboration for real-time interactive coordination among team members