Employing DevOps in Classified Environments (Part 3)
This is the third part of a three-part blog series focused on employing DevOps in classified environments. As mentioned in the first blog, the solution involves aspects of people, processes and technology; this week we’ll be talking about technology.
DevOps tools are available in a range of offerings from open source to enterprise licenses. XebiaLabs has created a periodic table of DevOps tools, shown below, that nicely lists and categorizes some of the technology available to DevOps engineers today. Tool stacks such as the HashiCorp product suite, consisting of Terraform, Vault, Consul and Nomad, provide an integrated set of solutions that work together nicely and are cleared for use on DoD classified networks. Terraform Enterprise provides workspaces, modules, and other powerful constructs for teams to package infrastructure as code into reusable modules, enabling developers to quickly provision in a self-service fashion. Likewise, policy-as-code and logging enable organizations to secure, govern, and audit their entire deployment. Vault tightly controls access to secrets and encryption keys by authenticating against trusted sources of identity such as Active Directory, LDAP, Kubernetes, CloudFoundry, and cloud platforms. It also enables fine-grained authorization of which users and applications are permitted access to secrets and keys. Consul provides a multi-cloud service networking platform to connect and secure services across any runtime platform and public or private cloud. Nomad is an easy-to-use and flexible cluster scheduler that enables an organization to automate the deployment of any application on any infrastructure at any scale.
Available at xebialabs.com
The ability to develop and test solutions outside of classified networks is greatly enhanced by commercial cloud service providers (CSP) that provide secure cloud environments that meet FedRAMP (Federal Risk and Authorization Management Program) requirements for protecting classified information. The DoD utilizes Information Impact Levels (IL) that consider the potential impact should the confidentiality or the integrity of the information be compromised. There are four levels (note that IL-1 was merged with IL-2 and IL-3 was merged with IL-4):
IL-2: Non-Controlled Unclassified Information or publicly releasable information;
IL-4: Controlled Unclassified Information;
IL-5: Controlled Unclassified Information with additional protections for National Security Systems; and
IL-6: Classified Information up to secret.
Notable CSPs that offer secure clouds (as of April 2019) are Amazon Web Services (AWS) Secret Region at IL-6, IBM Cloud Managed Services for Government (CMSG) at IL-5, and Microsoft Azure DoD at IL-5. The ability to create and package software builds with tools in these clouds allows developers to efficiently and cost-effectively develop and package code for delivery on production servers wherever they may reside.
How to overcome these issues: The periodic table of DevOps tools shows there are numerous solutions available. Selecting those that work well together and are available and acceptable for use in classified environments is critical. Ascolta utilized our experience building and maintaining secure cloud-based environments for the Air Force by providing an unclassified but secure CIL in AWS GovCloud as a staging and testing platform for integrating and moving code to classified systems. Having the ability to engineer outside of sensitive classified information facilities (SCIF) in a secure cloud environment reduced the number of cleared DevOps engineers required. Our status as a HashiCorp system integration partner with expertise in their full tool suite provided the underpinnings for the construction of a seamless, functional and secure DevOps environment allowing rapid code integration, testing and deployment.
Reducing the time from concept to capability is becoming increasingly critical in both the public sector and within the IC/DoD. The DevOps paradigm is to deploy small increments to get quick feedback, determine where problems exist in the environment, and identify what should be fixed. DevOps includes all the stakeholders involved in a project from beginning to end: development and operations personnel, program managers, acquisition staff, security and quality engineers, and others as needed. Developers can also build their applications on a technology stack chosen with DevOps in mind. This process can be automated further to simplify moving applications across environments. This capability is applicable in the defense space, where multiple applications must be packaged together to deploy to a classified environment and ultimately to the warfighter.
There are many advantages to being platform and technology agnostic and avoiding vendor lock-in. All these tools can be mixed and matched, and there is some overlap among them. The selected tools should not drive your mission; they exist only to support your workflows, not the other way around. DevOps is a movement that has gained traction for good reason: it demands a keen understanding of best practices and the tools to support them. DevOps continues to bring value to the commercial space, and there is no doubt that it can do the same for the classified government space.
Ascolta’s Software Development and DevOps teams have delivered real-world solutions to solve highly complex mission requirements by working closely with our Air Force clients to select the best toolset, design the architecture, write code to integrate disparate algorithms, data sets and technologies where necessary and deliver that solution into a codified, hardened and tested environment. We have worked with clients to deploy solutions, work through the ATO process, and provide user training to ensure mission success. DevOps in classified environments is possible and has been proven to greatly increase speed to deployment, security and functionality.