Leveraging DevSecOps to Support Efficient Authority to Operate (ATO)
Current software delivery is characterized by slow releases, long accreditation cycles, lack of innovation, and limited utilization of emerging open-source and commercial capabilities. This results in deliveries that regularly fall short of meeting mission needs and can be “too big to fail” because of high upfront investment. There is also a high cost associated with each development team building its own DevOps pipeline and related security methodology.
The customer is utilizing a DevOps pipeline to speed initial and ongoing delivery and accreditation of software solutions. Mission capabilities are delivered to end-users much faster by utilizing a common pipeline, unclassified development, open-source libraries, and the delivery of minimum viable products. Rapid delivery of initial capabilities allows for early user feedback. This has long been a tenet of Agile development methods but has been difficult to realize within the Intelligence Community.
Our methodology relies heavily on several native AWS capabilities and open-source software deployed on Amazon Elastic Compute Cloud (EC2) instances. It begins with building security-hardened and regularly updated Amazon Machine Images and utilizes CloudFormation to ensure a repeatable, consistent infrastructure deployment. Our deployments heavily leverage EC2 autoscaling and load balancers to ensure consistent performance and availability under load. We then deploy and maintain industry-standard DevOps and DevSecOps tools to create a flexible and powerful DevOps platform.
Leveraging Amazon Web Services and a standardized DevOps pipeline has resulted in a significant increase in operational efficiency and cost savings. The DevOps tools have been instantiated on three different security environments, speeding time to mission for development teams across the enterprise.
The DevOps pipeline and development processes have been planned and released in conjunction with the customer’s security and risk management organizations, and this has drastically decreased lead time for Authorization and Accreditation activities. Involving security in the planning phase has enabled ATO in less than two weeks for several development teams.
DevOps-Enabled Cloud Migration
Our customer required us to migrate a monolithic, mission-essential system into AWS as efficiently and rapidly as possible, while maintaining its core feature set and security posture. Compounding the challenge, the cloud-based solution had to support growth in both data ingestion and users, meaning the new architecture had to be able to scale dynamically to support growing mission demands.
The program team instantiated a DevOps pipeline – featuring AWS Technology Partners GitLab, Jenkins, and Puppet – that supported completion of the rehosting effort in less than nine months. Since transitioning to the new environment, the team has leveraged additional funding to re-architect the entire application to be cloud native. The new microservices-based architecture utilizes Elastic Load Balancing to distribute user traffic across web servers and has multiple instances running across Availability Zones, supporting increased availability while expanding mission capability.
With the successful migration and cloud-native architectural updates, the program team created a more efficient and reliable system, and was selected as an early adopter for a new AWS region. We deployed successfully in the new region, allowing us to add new customers to our mission portfolio. In aggregate, the team has realized significant cost efficiencies and increased operational capabilities since its transition to the new AWS environment.
While challenging at the outset, re-architecting for the cloud has enabled a more efficient and resilient operational tempo. Further, our ability to instantiate a DevSecOps methodology that supports continuous integration and continuous delivery has allowed our user base to grow, supporting more mission-essential environments. We continue to innovate our program by establishing an automated recovery process that maintains mission resiliency in the event of a failure.