Integrating cloud-native security and DevSecOps workflows
- By Hayden Smith
- Aug 31, 2021
In March 2021, the Federal Risk and Authorization Management Program issued requirements for container security giving cloud service providers one month to develop a plan and six months to transition into full compliance with the new guidance. With the deadline looming, plenty of agencies and CSPs are still wrestling with cloud-native security issues and processes.
Working with FedRAMP-compliant providers is just the first step to achieving compliance as an agency. What are the next steps agency IT managers need to take to integrate cloud-native security and DevSecOps workflows?
Here are six issues public sector IT managers and agency CIOs must address:
1. The real challenge of cloud-native security. Everyone is looking for solid "how to" instructions when it comes to cloud-native security, but FedRAMP doesn't offer them. The controls spell out requirements, not how to meet them. That's both a challenge and an opportunity. IT managers have to answer questions for their agency: what base images and registries are acceptable to use, what vulnerability severity threshold blocks a deployment, and how can staff be encouraged to adopt new tools? That's a tall order, and it's why FedRAMP gave a deadline measured in months rather than weeks. The journey to get there will look different inside each organization.
2. You’ll need a wingman. It’s clear that FedRAMP is not a comprehensive list of container security controls -- there’s much more to DevSecOps when using containers -- but it’s a start. FedRAMP talks about specifics, like using hardened images and building test and orchestration pipelines, but putting that into place takes fairly specialized expertise. That’s why it’s important to work with a very experienced vendor that can smooth the path. Bringing on a partner can help agencies who are pressed for time or who lack the expertise to address cloud-native security issues.
3. Mark your calendar. Some agencies may think FedRAMP gave them an out on the deadlines and will try to skirt the dates with an exception, and that's really dangerous. Software supply chain attacks are real. There's a reason this guidance, and the related mandates, have been issued through executive orders. Not having budgeted for security can't be a reason to push this off. A plan of actions and milestones (POA&M) documents an open weakness; it won't protect an agency from being compromised through it. IT managers should take the deadlines seriously and deploy the security controls they need.
4. SBOMs and executive orders. A software bill of materials is a big piece of the security solution, but SBOMs aren’t even mentioned in FedRAMP. Instead, agencies received direction via an executive order.
SBOMs are used to create a complete inventory of the software used to build a particular container image. An SBOM lists the packages and dependencies in the image, their versions, the licenses associated with each package and, where recorded, the supplier or developers attached to it. These inventories are useful for detecting unexpected or malicious components.
As agencies determine their FedRAMP compliance strategies, they should incorporate SBOMs. This is important because several recent attacks introduced unauthorized dependencies or malicious packages into an image, from which they quickly spread throughout an environment. An SBOM on its own is only an inventory; its value comes from comparing the SBOM of a freshly built image against what is supposed to be there (an approved baseline, an allowlist of packages and licenses, and current vulnerability data). With that comparison in place, a team can discover a package that isn't supposed to be in the image and remove it before the image is promoted.
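The comparison described in item 4, as an added example that is not code from the article or from Anchore: it loads two CycloneDX JSON SBOM documents, one for the approved baseline image and one for a freshly built image, and reports components that were added, changed version, went missing, or carry a license outside an allowlist. Both SBOMs are constructed inline for illustration; the package names, versions and the license allowlist are assumptions, while the CycloneDX field names (`bomFormat`, `components`, `name`, `version`, `purl`, `licenses`) are those of the real format.

```python
import json

# Constructed baseline SBOM (CycloneDX JSON): what the approved, hardened image
# is supposed to contain. Package names and versions are illustrative only.
APPROVED_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libc6", "version": "2.36",
         "purl": "pkg:deb/debian/libc6@2.36",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"type": "library", "name": "openssl", "version": "3.0.7",
         "purl": "pkg:deb/debian/openssl@3.0.7",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "tzdata", "version": "2023c",
         "purl": "pkg:deb/debian/tzdata@2023c"},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
})

# Constructed SBOM of a freshly built image: openssl was bumped, tzdata dropped,
# and a package nobody approved ("totally-legit-utils", hypothetical) appeared.
BUILT_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libc6", "version": "2.36",
         "purl": "pkg:deb/debian/libc6@2.36",
         "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"type": "library", "name": "openssl", "version": "3.0.8",
         "purl": "pkg:deb/debian/openssl@3.0.8",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "totally-legit-utils", "version": "0.1.0",
         "purl": "pkg:pypi/totally-legit-utils@0.1.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Assumed license allowlist for this agency's images.
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "LGPL-2.1-or-later"}


def load_components(sbom_json):
    """Return {purl or name@version: component} from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = {}
    for comp in bom.get("components", []):
        key = comp.get("purl") or f"{comp['name']}@{comp.get('version', '?')}"
        components[key] = comp
    return components


def licenses_of(component):
    """Collect SPDX license ids (or free-text names) declared on a component."""
    found = set()
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        found.add(lic.get("id") or lic.get("name") or "UNKNOWN")
    return found


def diff_sboms(baseline_json, built_json, allowed_licenses=ALLOWED_LICENSES):
    """Compare a built image's SBOM against the approved baseline.

    Returns a dict with four finding lists:
      unexpected      - components (by purl) not present in the baseline at all
      version_changed - (name, baseline_version, built_version) for drifted packages
      missing         - baseline package names absent from the built image
      license         - (name, [disallowed license ids]) for any built component
    """
    base = load_components(baseline_json)
    built = load_components(built_json)
    base_by_name = {c["name"]: c for c in base.values()}
    findings = {"unexpected": [], "version_changed": [], "missing": [], "license": []}

    for key, comp in built.items():
        name = comp["name"]
        bad = sorted(licenses_of(comp) - allowed_licenses)
        if bad:
            findings["license"].append((name, bad))
        if key in base:
            continue  # identical purl: nothing changed for this component
        if name in base_by_name:
            findings["version_changed"].append(
                (name, base_by_name[name].get("version"), comp.get("version")))
        else:
            findings["unexpected"].append(key)

    built_names = {c["name"] for c in built.values()}
    findings["missing"] = sorted(n for n in base_by_name if n not in built_names)
    return findings


def is_clean(findings):
    """True when the built image matches the baseline and its license policy."""
    return not any(findings.values())


if __name__ == "__main__":
    result = diff_sboms(APPROVED_SBOM, BUILT_SBOM)
    for category, items in result.items():
        for item in items:
            print(f"{category}: {item}")
    print("PASS" if is_clean(result) else "FAIL: image drifted from approved baseline")
```

In a pipeline, the baseline SBOM would be the one generated for the approved hardened image and stored with it, the built SBOM would come from the image scanner's output, and a non-empty `unexpected` or `license` list would fail the promotion step so the offending package can be investigated and removed.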
5. Plan for audits from the beginning. Just like CSPs, agencies must complete an audit. A third-party assessment organization is tasked with validating the CSPs the agency is working with, but the agency also has responsibilities in meeting FedRAMP's security requirements. That process involves doing security checks with automated tooling such as vulnerability scans. Choosing a tool that creates security scan artifacts can be a huge efficiency booster during an assessment. It can not only indicate which controls an agency is failing but also map each finding to exactly where the issue is located.
6. It’s not too late. Don’t be discouraged. Container security programs -- and FedRAMP response -- can be addressed through choosing the right vendor and procuring the right tools.
There are solutions and tools that can help with containerized security controls out of the box -- in as little as a week, if needed. Plus, container security is easier to implement once an agency has adopted a security-first mindset so that new technologies are accepted by the team and respected once in place. It will take leadership, new processes and staff education.
FedRAMP is just the beginning. Building in security will continue to be an operational challenge for all agencies, and programs will need to keep pace with evolving threats to keep systems, sensitive information and mission-critical data safe.
Hayden Smith is a senior engineer with Anchore U.S. Public Sector.