Zero Trust in a DevOps World

By Joel Krooswyk, Federal CTO, GitLab Inc.

Although zero trust may seem like an overused buzzword, the approach is critical to securing people, devices, infrastructure, and applications – all of which are focus areas for every single government agency. As a result, many decision-makers within the federal government recognize its importance and impact, and have been busy producing zero trust documentation and guidance for all government agencies.

In January 2022, the OMB published memorandum M-22-09 requiring agencies to meet specific zero trust security goals by the end of the 2024 fiscal year. Agencies will need to continually verify who is accessing data, from where they are accessing it, and how they are accessing the data across identity, devices, networks, applications, and workloads. Zero trust’s focus is on the user and their access on a specific device, which means that establishing minimally viable roles and permissions via single sign on is key.

As agencies attempt to meet this mandate and memo from OMB, they are bound to run into some challenges on how to meet the primary objective, which, in short, is about never trusting and always verifying any data and activity that has a presence within our nation’s critical infrastructure. Solution maturity aimed at continuing proactive security will be important to watch as organizations work to prioritize this mandate in 2023 and the years ahead. However, a strong baseline zero trust configuration can be achieved today using a comprehensive platform for software development with a clear view into each stage of the software supply chain.

The Defense Department’s Zero Trust Strategy and Zero Trust Capability Execution Roadmap outlines three key focus areas that will help organizations effectively set a strong zero trust baseline – this includes developing an application inventory, the utilization of a software factory, and understanding risk and vulnerability management.

Developing a Comprehensive Application Inventory

The Defense Department’s Zero Trust Strategy and Zero Trust Capability Execution Roadmap include a focus on application and workload, beginning with full awareness of what’s on the network utilizing a software bill of materials.

As cited in the capability execution roadmap, application inventory is a solid–and crucial–starting point. We need to understand what’s on our network in order to enforce zero trust posture and to be able to adequately assess the risk in our network and on our attack surfaces.

Once we know what’s on our networks and have a clear baseline, teams can move toward establishing and configuring software factories. SBOMs produced by software factories provide a standard approach to understanding what is in an application and why, as well as provide ongoing visibility into the history of an application’s creation, including details about third-party code origins and host repositories.

Additionally, SBOM generation with open-source dependencies and vulnerabilities will become more realistic, helping agencies achieve full awareness of their application inventories. Even container-based dependencies and vulnerabilities can be identified, providing complete zero trust on every platform.

Establishment of Software Factories

As software development practices evolve, newer solutions like software factories and DevSecOps will change what zero trust best practices look like for code development.

Consistency and protections based in zero trust include elements like protected source code branches, auditable code reviews and comprehensive pipeline execution on every commit. Agencies will need to align with NIST’s Secure Software Development Framework, including ensuring their ability to conduct broad-base security scans.

In a software factory, vulnerability identification is commonplace when a proper shift left methodology is in place. With audit logs for all software factory actions and clear compliance policies for pipeline execution, software factories will be well-positioned to operate in alignment with zero trust practices.

Ongoing Risk and Vulnerability Management

That leads to one more important focus of the DOD’s Zero Trust Strategy: examining risk and vulnerability management. Vulnerability remediation is a crucial piece of the software factory, and its integration across all development projects continues to rise in importance.

Some top-of-mind best practices when performing vulnerability mitigation include identifying new risks on each pipeline execution, centralized remediation of findings across all security scanners and streamlined remediation workflows for identified vulnerabilities.

It’s crucial to look for suggested fixes for all known vulnerabilities. For a full zero trust approach, this also includes vulnerabilities introduced by individual users. Providing information and training to users who may not understand the “what” or “why” of the fix is highly beneficial. Viewing rollup security trends and status views help gauge project security health.

The DOD documents focus on a timeline, with early and advanced target levels of maturity over time. This iterative approach is the correct route as threats evolve and solutions mature over the next few years. The timeline is also a signifier that zero trust is not a “one and done” concept, but a strategy rooted in continuous process.

Looking forward, best practices will continue to evolve. SBOM ingestion and consolidation will evolve for large, complicated, or distributed development applications. Multiple risk databases will be utilized to gauge risk factors more comprehensively, leading to better prioritization of vulnerability mitigation and better visibility to exploitability.

Constant scanning of applications, which kick off security scans on SBOM changes or advisory updates, will improve zero trust abilities. Automated remediation functions, streamlining and simplifying risk mitigation will become more common.

Overall, the zero-trust mandate from the DOD and federal government will lead to strengthened networks and a more secure IT ecosystem for all agencies involved. Although it is a timed deadline, that is not the same thing as an end goal – zero trust is a journey that requires time and effort.

About the Author

Joel Krooswyk and I are the Federal Chief Technology Officer at GitLab Inc. For more information on GitLab Inc. please reach out to [email protected] or call (415) 761-1791, and visit us online at https://about.gitlab.com/solutions/public-sector/.