Saturday, June 29, 2024

Zero Trust in a DevOps World

Author: Joel Krooswyk, GitLab Inc. Federal CTO

Zero Trust may seem like an overused buzzword, but the approach is critical to protecting what every government agency cares about most: people, devices, infrastructure and applications. Many decision makers within the federal government have recognized its importance and impact, and have been busy drafting Zero Trust documents and guidelines for all agencies.

In January 2022, OMB published memorandum M-22-09, which requires agencies to achieve specific Zero Trust security goals by the end of fiscal year 2024. Agencies must be able to see continuously who is accessing data, where it is being accessed, and how it is being accessed across identities, devices, networks, applications and workloads. Zero Trust focuses on access by users and specific devices, so it is important to grant the minimum viable roles and permissions through single sign-on.

As agencies work to meet OMB’s mandate and memo, they face several challenges in achieving its key objectives for the country’s critical infrastructure. Solution maturity that targets ongoing, proactive security will be important as organizations prioritize this mandate in 2023 and the years to come. Today, however, it is already possible to achieve a robust native Zero Trust configuration with a comprehensive software development platform that provides a clear view of each step of the software supply chain.

The Department of Defense’s Zero Trust Strategy and Zero Trust Capability Execution Roadmap describe three key focus areas that help organizations establish strong Zero Trust baselines: developing application inventories, leveraging software factories, and understanding risk and vulnerability management.

Develop a comprehensive application inventory

The Department of Defense Zero Trust Strategy and Zero Trust Capability Execution Roadmap focus on applications and workloads, starting with full awareness of what is on the network by leveraging the software bill of materials (SBOM).

As the capability execution roadmap notes, an application inventory is a solid and important starting point. To enforce a Zero Trust state and properly assess the risk to your network and attack surface, you need to understand what is in your network.

Once you know what’s on the network and the baselines are clear, teams can move towards building and configuring software factories. The software factory-generated SBOM provides a standard approach to understanding what is there in an application and why, as well as providing continuous visibility into an application’s creation history, including details about third-party code origins and host repositories.

Additionally, generating an SBOM that captures open source dependencies and their vulnerabilities becomes more realistic, helping agencies maintain full awareness of their application inventory. Container-based dependencies and vulnerabilities can also be identified, extending Zero Trust across all platforms.

Establish a software factory

As software development practices evolve, newer solutions such as software factories and DevSecOps will change the face of zero trust best practices for code development.

Consistency and protection based on Zero Trust include elements such as protected source code branches, auditable code review, and comprehensive pipeline execution on every commit. Agencies must align with NIST’s Secure Software Development Framework, including ensuring the ability to conduct extensive security scans.

Vulnerability identification in software factories is routine when an appropriate shift-left methodology is in place. With audit logs of all software factory actions and clear compliance policies for pipeline execution, software factories are well positioned to operate under Zero Trust practices.

Ongoing risk and vulnerability management

This leads to another important focus of DOD’s Zero Trust strategy: risk and vulnerability management. Vulnerability remediation is an important part of the software factory, and its integration continues to grow in importance for all development projects.

Some best practices to keep in mind when performing vulnerability mitigation include identifying new risks on each pipeline run, centralizing the findings of all security scanners for remediation, and streamlining remediation workflows for identified vulnerabilities.

It is important to look for suggested fixes for all known vulnerabilities. In a complete Zero Trust approach, this includes vulnerabilities introduced by individual users. Information and education for users who may not understand the “what” or “why” of a fix is very beneficial. Rolled-up security trend and status views help gauge your project’s security posture.
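As an added example (not code from the article or from GitLab’s own tooling), the script below implements two of the practices above: it diffs the SBOMs of two consecutive pipeline runs to surface the risks that are new to this run, and it merges the findings of several scanners into one deduplicated remediation list. The SBOM documents follow the CycloneDX JSON layout; the components, the scanner names and the CVE identifiers are constructed placeholders.

```python
"""Diff two pipeline-run SBOMs and centralize scanner findings.

Added example, not part of the original article. SBOMs and findings below
are constructed samples in CycloneDX JSON shape (components[] with
name/version/purl); the CVE ids are placeholders, not real advisories.
"""
import json

# Constructed: SBOM emitted by the previous pipeline run.
SBOM_PREVIOUS = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "urllib3", "version": "1.26.18", "purl": "pkg:pypi/urllib3@1.26.18"}
  ]}""")

# Constructed: SBOM emitted by the current run (one bumped, one new dependency).
SBOM_CURRENT = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    {"name": "urllib3", "version": "2.0.7", "purl": "pkg:pypi/urllib3@2.0.7"},
    {"name": "pyyaml", "version": "5.4.1", "purl": "pkg:pypi/pyyaml@5.4.1"}
  ]}""")

# Constructed: findings from two scanners; the same CVE is reported twice.
SCANNER_FINDINGS = [
    {"scanner": "dependency_scanning", "purl": "pkg:pypi/pyyaml@5.4.1", "id": "CVE-PLACEHOLDER-1", "severity": "high"},
    {"scanner": "container_scanning", "purl": "pkg:pypi/pyyaml@5.4.1", "id": "CVE-PLACEHOLDER-1", "severity": "high"},
    {"scanner": "container_scanning", "purl": "pkg:pypi/urllib3@2.0.7", "id": "CVE-PLACEHOLDER-2", "severity": "medium"},
]

def index_components(sbom):
    """Map component name -> version for comparison between runs."""
    return {c["name"]: c["version"] for c in sbom.get("components", [])}

def diff_sboms(previous, current):
    """Components that were added, changed version, or were removed since the last run."""
    old, new = index_components(previous), index_components(current)
    return {"added": sorted(n for n in new if n not in old),
            "changed": sorted(n for n in new if n in old and old[n] != new[n]),
            "removed": sorted(n for n in old if n not in new)}

def merge_findings(findings):
    """Deduplicate by (purl, CVE id) so one vulnerability seen by two scanners is one remediation item."""
    merged = {}
    for f in findings:
        item = merged.setdefault((f["purl"], f["id"]),
                                 {"purl": f["purl"], "id": f["id"], "severity": f["severity"], "scanners": []})
        item["scanners"].append(f["scanner"])
    return sorted(merged.values(), key=lambda i: i["purl"])

def new_risks(previous, current, findings):
    """Merged findings on components that are new or changed in this run: the per-run 'new risk' list."""
    delta = diff_sboms(previous, current)
    touched = {c["purl"] for c in current["components"] if c["name"] in delta["added"] + delta["changed"]}
    return [i for i in merge_findings(findings) if i["purl"] in touched]
```

Feeding the output of `new_risks` to a merge request check gives reviewers the delta of risk introduced by that commit, rather than the full backlog on every run.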

DOD documentation focuses on a timeline with early and advanced target levels of maturity over time. This iterative approach is the right path as threats evolve and solutions mature over the next few years. The timeline is also an indication that Zero Trust is a strategy rooted in an ongoing process rather than a “once and done” concept.

Best practices will continue to evolve in the future. SBOM collection and integration will evolve for large, complex or distributed development applications. We will leverage multiple risk databases to measure risk factors more comprehensively to prioritize vulnerability mitigation and increase visibility into potential exploits.

Continuous scanning of applications, in which SBOM changes or advisory updates trigger new security scans, enhances Zero Trust capabilities. Automated remediation capabilities and streamlined risk mitigation will become more common.

Overall, DOD’s and the federal government’s Zero Trust mandate will lead to stronger networks and a more secure IT ecosystem for all involved. The deadline is set, but it is not the final goal. Zero Trust is a journey that takes time and effort.

About the author

Joel Krooswyk is Federal Chief Technology Officer at GitLab Inc. For more information about GitLab Inc., please contact press@gitlab.com, call (415) 761-1791 or visit https://about.gitlab.com/solutions/public-sector/.
