Step one in launching a robust DevSecOps (Development, Security, and Operations) effort is moving to the cloud, a State Department expert recommended July 8.
During FedInsider’s “DevSecOps Sharpens the Tip of the Spear” virtual event, David Vergano, systems development division chief for the Bureau of Information Resource Management at the U.S. Department of State, said his agency moved to the cloud over the last few years, which allowed it to “more easily bridge what were these previously separate environments.”
“That cloud backbone has started to make it… technically, what’s possible. Now we have to think about how we can change our groups, our Dev, our Operations, and our Security, really to work together on these solutions in a more cohesive manner,” Vergano said.
“[DevSecOps] was possible before the cloud, but it was a larger technical effort, and a larger security effort because you had differences between environments,” he added. “The cloud backbone is helping to make things smoother and now we can really try to change how we do things because we have the tooling.”
However, before racing to move to the cloud, Vergano urged agencies to first have a clear idea of why they are adopting cloud services, and to become familiar with the General Services Administration’s FedRAMP program to make the process easier.
For the State Department, Vergano said the impetus to adopt cloud services was to “take advantage of defense and depth offered by the cloud [and] put some responsibility for some controls onto the cloud platform.” Additionally, cloud adoption allowed State to pay for servers only when they were running them, instead of all day long.
As for FedRAMP, he advised agencies to “be incredibly familiar with FedRAMP” and to look for tools that are FedRAMP certified, which Vergano said would “smooth out the path to acquiring things in the cloud.”
While moving to the cloud and rolling out DevSecOps can seem like a daunting task, Vergano told agencies that they can have success with it if they keep an open mind.
“Be ready to make more changes than you plan for, and possibly be ready to share control over functions that may be previously you had control over,” Vergano said. “Really go into it expecting it to be a partnership, and I think you can find success with it [DevSecOps].”