ASSYST COO Joe Anderson and VP of Technical Solutions Vijay Narasimhan reflect on the remarkable growth in delivering capabilities to customers in the areas of DevSecOps, containers, and microservices.
Vijay Narasimhan leads service delivery across Federal Civilian and DoD and is the principal architect of ASSYST’s Green Accelerator Program. The Green Accelerator Program is our innovation lab and incubator program where we perform customer-focused applied research utilizing open technology in the cloud infrastructure. Vijay’s focus includes native architectures, cloud-agnostic development, cloud hopping, collaborative coding, interoperability, and automation.
In addition to his role as the COO, Mr. Anderson leads several prominent programs in the Federal marketplace, providing consultation for IT and business leaders on several leading-edge technology areas, including multi-cloud, AI/ML, microservices, shift-left implementation approaches, robotic process automation, and zero-trust architecture implementation.
Joe Anderson: Hello, Vijay. I find it promising to see the Federal sector embracing DevSecOps, and I know our engineering teams are excited about this transformational shift. I’m seeing a strong correlation between Agile, DevSecOps, and cloud migration within our customer base, and the number of opportunities is growing. I think the advancements in open technology and new approaches to security have helped fuel the growth in opportunities for businesses like ours. The growth certainly provides better opportunities for our UCD/UXD designers, DevSecOps engineers, cloud architects, and pipeline engineers. I’m noticing that our customers who are truly committed to the practice are becoming more interested in using cross-cloud platforms and/or cloud-native approaches for their applications because of a greater emphasis on portability. I’ve also noticed that our engineers are becoming more adept at writing code and developing applications that run on, or are portable to, any cloud environment. In this way, DevSecOps and open technology are really delivering on their promises.
Vijay Narasimhan: What I like about transforming our delivery teams to DevSecOps is how collaborative our Agile teams have become. In the past, the interaction between UCD/UXD, infrastructure, pipeline, configuration, back-end engineers, and front-end developers occurred when there was a major release or at a defined phase gate. With DevSecOps, the collaboration between the team members is happening hourly and daily across these areas of responsibility. Anyone can be brought into a daily standup or a huddle, and barriers and/or roadblocks are resolved almost instantaneously, keeping the development process moving forward. I’m also noticing how quickly the DevSecOps team comes together and socializes, and you can see how it is more engaging and rewarding to the team members.
Joe Anderson: I continue to be impressed by the maturity and sophistication of the DevSecOps tools, especially in the area of automation with respect to security, CI/CD pipeline activities, configuration and branching strategies, and Agile processes. The ability to monitor and measure all of the activities in the environment and present the information in a single window pane or dashboard is an elegant solution for tracking performance. Additionally, the emergence of process automation in the DevSecOps environment results in faster time to market and a significant reduction in errors and defects. The ability to automatically identify, categorize, and prioritize incidents and vulnerabilities, automate and enforce the code branching strategy, or automate the test, build, and deploy process are accelerating Sprint cycles.
Vijay Narasimhan: That’s right, Joe. The number of processes you can automate in the DevSecOps environment continues to grow and mature. Also, many of these technologies come with built-in analytics capability, which is very helpful. One of the areas I am focused on is working with our customers to aggregate and present the analytics from the DevSecOps toolchain for infrastructure, pipeline, configuration, back-end, front-end, and UCD/UXD activities in a customer-specific dashboard that captures and displays the most important metrics for measuring performance and business impact. The other positive outcome we are experiencing on our delivery teams is a heightened awareness across the different areas of responsibility amongst team members. For example, if the infrastructure team is performing security patches or upgrading CI/CD tools, the back-end and front-end engineers are immediately aware, and if there is a potential impact to a Sprint cycle, they’ll huddle, walk through any issues, resolve any potential roadblocks, and pivot resources to keep the build on schedule.
Joe Anderson: I see that more of our customers’ environments are supported remotely and most of our DevSecOps teams are working in a virtualized infrastructure environment in the cloud. It’s become apparent to me that, for the mission and enterprise systems we are supporting, and especially those systems with high availability and high volume requirements, Kubernetes container orchestration is becoming an increasingly important service and skill provided by our cloud architects and administrators. What I find both empowering and inspiring is how our DevSecOps teams are utilizing Kubernetes for deploying and managing containerized applications, and we have fully integrated Kubernetes with our CI/CD processes.
Vijay Narasimhan: Yes, continuing to expand our capabilities in Kubernetes container orchestration and utilizing Infrastructure as Code (IaC) for provisioning virtualized computing resources to support our DevSecOps teams and customers is a primary focus of mine. The speed at which we can set up development, quality control, and production environments and deploy Agile teams for our customers is unparalleled. The performance improvements we are seeing with Kubernetes in AWS and/or Azure are significant, and our ability to integrate Kubernetes with our other CI/CD pipeline tools and development environment has reduced delivery schedules significantly. The ease of provisioning and configuring the technologies you need to develop, enhance or modernize a system is a major factor in improving delivery schedules and quality.
Joe Anderson: ASSYST is fortunate in that the partnerships we have established with AWS, Azure, Red Hat, and GCP, and the investments we have made in DevSecOps, containerization, and microservices, enable us to provide our customers with innovative approaches specific to their systems, applications, and operating environment. Our customers have difficulty keeping up with technology changes impacting tool selection, adoption, and new technologies, and sometimes struggle to understand how it fits into their existing operating environment. These distractions are resulting in activities that deviate from the core business. I think deviations away from the core business because of technology changes are a key driver behind the importance of UCD/UXD/IXD design activities within the DevSecOps team. When the user experience is integral to the DevSecOps team, you can begin to achieve frictionless services and faster paths to a Minimum Viable Product (MVP). Then, based on the user experience patterns and metrics, we enhance the product's features using low-code approaches and microservices. More and more, this is what our customers are expecting.
Vijay Narasimhan: I’m glad that you are bringing up the importance of frictionless services and how we are approaching this with customers. I think you have succinctly outlined the DevSecOps path to frictionless services and digital transformation. An area I am focusing on is how to utilize the DevSecOps toolchain to provide customers the ability to measure the business impact of the DevSecOps team, for example, by analyzing real-time interactions of UCD/UXD/IXD, front-end, back-end, pipeline, configuration, and infrastructure activities. This is currently an initiative of our Green Accelerator Program with interest from the Department of Homeland Security, Department of Defense, Centers for Medicare & Medicaid Services, Food and Drug Administration, Health Resources and Services Administration, and the Equal Employment Opportunity Commission. Our customers need DevSecOps to provide frictionless services, and for them to transform and succeed using this new delivery model, we as service providers need to provide solutions where customers can easily measure our performance based on the user experience.
The present decade has seen Cybersecurity breaches across Government, Private, and Non-Profit systems. It hardly needs mentioning how these breaches are impacting individual privacy and personal information. Many of us have been the victims of information breaches due to failed Cybersecurity approaches. Agencies and businesses have managed Cybersecurity as ad-hoc reactionary projects, and many government agencies lack a coherent acquisition strategy that aligns with the organization’s Cybersecurity strategy. This ad-hoc approach is not working in today’s environment, especially when considering the massive amounts of data and transactions occurring in the areas of Defense and Intelligence, Homeland Security, Healthcare, Regulatory Compliance, Census Information, and Digital Commerce.
We are covering this OnPoint blog in multiple parts. The first part offers perspectives on the relevance of Project Portfolio Management, Risk Management, Managing Vulnerabilities, and Policy and Compliance in an enterprise-level Cybersecurity Program.
Portfolio Management for the CISO - The constant attention that Cybersecurity demands is changing the role of the Chief Information Security Officer (CISO). Given today’s cyber-threat landscape, evolving Cloud adoption strategies, and edge security requirements, CISOs have multiple simultaneous projects occurring within their portfolio that are necessary for protecting sensitive information and the organization’s high-value assets. CISOs are operating with a shortage of skilled cybersecurity professionals; they're inundated with new requirements, experiencing difficulties balancing resources, and struggling to determine what Cybersecurity services to outsource. CISOs are establishing a portfolio approach to managing Cybersecurity programs to improve some of these operating difficulties. Some benefits include improvement in the project prioritization and selection process, better visibility across the Cybersecurity portfolio, and improved alignment of projects with the organization’s business goals. Other benefits include more efficient use of resources, improvements in the accuracy of performance metrics, timelier project deliverables, decreases in project risks, and more informative decision-making.
Risk Management - Today’s CISO faces several types of intangible and tangible risks with potentially negative consequences for the Cybersecurity program and the organization, its employees, customers, and stakeholders. The types of risks include project-related risks, information security risks and threats to the organization’s systems, engineering and technology risks, risks related to a lack of knowledge or skill gaps, and risks to productivity. Identifying, evaluating, and prioritizing risks to the Cybersecurity program helps the CISO organize projects and allocate resources. Strategies include treating the risks and threats with the highest negative consequences and the highest probability of occurring as the topmost priority, and risks and threats with lesser negative consequences or a lower probability of occurring as lower priorities. Every CISO requires a disciplined approach to identifying, assessing, and prioritizing risks and threats, together with well-defined mitigation strategies and problem management plans that include impact analysis, risk tracking, root cause analysis, lessons learned, and risk reduction plans. Effective risk management for the Cybersecurity program creates value for the organization because the resources expended mitigating risks are less than the consequences of inaction.
Policy and Compliance - An established portfolio and project management approach for the Cybersecurity program provides the CISO with the capability to define and maintain policies and the processes and procedures necessary to comply with and adhere to those policies. The policy management activities involve developing, updating, communicating, and maintaining the policies and procedures for the Cybersecurity program and are integral to developing more detailed standard operating procedures and project deliverables. Complying with internal and regulatory policies consumes a large percentage of the CISO’s resources, so integrating the compliance requirements within the project plan, work breakdown structure, and task schedules is required to streamline compliance activities. As the CISO’s policy and compliance requirements expand beyond the Assessment & Authorization (A&A) and Authority to Operate (ATO) processes, complying with and adhering to the organization's internal approach to Project Life Cycle Management (PLCM) and the Systems Development Life Cycle (SDLC) will determine the level of maturity of the Cybersecurity program. Applying portfolio and project management principles to Cybersecurity-related projects supporting the Security Information and Event Management (SIEM) system, the Security Operations Center (SOC), and the Network Operations Center (NOC) allows the CISO to comply with internal processes and regulatory policies and procedures more effectively.
Managing Vulnerabilities - The CISO owns the organization’s vulnerability management process and is responsible for its design and implementation. The vulnerability management activities involve services that continuously assess system vulnerabilities, and the process is more effectively implemented using portfolio and project management principles. Establishing a project management approach allows the CISO to organize and schedule resources to prepare and execute vulnerability scans, define remediation activities, and perform rescans. The CISO defines the scope of the vulnerability management process, which systems are included or excluded, and determines the type of scans and the schedule. The security engineers execute the initial vulnerability scans, the results are recorded, and visualization tools are used to review the results and prepare reports. The CISO and asset owner are briefed on the number of vulnerabilities detected, the severity level and risk rating of the identified vulnerabilities, and the risk remediation plan. The CISO establishes clear deadlines for remediation activities, and the time frame is aligned with the level of risk detected. Once a vulnerability is remediated, a rescan is required to verify that the remediating actions were implemented. The vulnerability management process is part of the organization’s effort to control Cybersecurity risks. The process allows the CISO to continuously review vulnerabilities occurring in the operating environment and assess the level of risk associated with each vulnerability. Managing vulnerabilities using project management best practices provides the CISO with a mature approach to identifying and mitigating vulnerabilities.
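The scan, remediate, rescan cycle described above, as an added example that is not part of the original post and not ASSYST's own tooling: a small Python tracker that assigns each finding a remediation deadline aligned to its severity and then reconciles a rescan against the initial scan, reporting which findings are verified closed, still open, overdue, or newly detected. The severity-to-days mapping, the finding identifiers (VULN-001 and so on), the asset names and the dates are all constructed assumptions, not values from the page.

```python
"""Remediation deadline and rescan-verification tracker (added example).

Everything below is constructed for illustration: the SLA tiers, the finding
identifiers, the asset names and the dates are assumptions, not data from
any real scan or from the original post.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: remediation window in days, aligned to the risk level.
# A real program would take these from the CISO's written remediation policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str   # constructed placeholder id such as "VULN-001"
    asset: str        # constructed asset name
    severity: str     # one of the keys in SLA_DAYS
    detected: date    # date the scan first reported the finding


def remediation_deadline(finding: Finding) -> date:
    """Deadline = detection date + the SLA window for the finding's severity."""
    sev = finding.severity.lower()
    if sev not in SLA_DAYS:
        raise ValueError(f"unknown severity {finding.severity!r}")
    return finding.detected + timedelta(days=SLA_DAYS[sev])


def severity_summary(findings) -> dict:
    """Count findings per severity tier, for the CISO / asset-owner briefing."""
    counts = {}
    for f in findings:
        counts[f.severity.lower()] = counts.get(f.severity.lower(), 0) + 1
    return counts


def reconcile(initial, rescan, today: date) -> dict:
    """Compare the initial scan with the rescan.

    A finding counts as verified closed only when the rescan no longer reports
    it; a remediation ticket being marked done is not sufficient. Findings the
    rescan still reports are 'still_open', and those past their deadline are
    additionally listed under 'overdue'. Findings only the rescan reports are
    'new' and start their own SLA clock from their own detection date.
    """
    initial_by_id = {f.finding_id: f for f in initial}
    rescan_ids = {f.finding_id for f in rescan}

    verified_closed = sorted(i for i in initial_by_id if i not in rescan_ids)
    still_open = sorted(i for i in initial_by_id if i in rescan_ids)
    overdue = sorted(i for i in still_open
                     if remediation_deadline(initial_by_id[i]) < today)
    new = sorted(i for i in rescan_ids if i not in initial_by_id)
    return {"verified_closed": verified_closed, "still_open": still_open,
            "overdue": overdue, "new": new}


# Constructed sample scans (not real findings).
INITIAL = [
    Finding("VULN-001", "app-server-1", "critical", date(2024, 3, 1)),
    Finding("VULN-002", "app-server-1", "high", date(2024, 3, 1)),
    Finding("VULN-003", "db-server-1", "medium", date(2024, 3, 1)),
    Finding("VULN-004", "web-proxy-1", "low", date(2024, 3, 1)),
]
RESCAN = [
    Finding("VULN-001", "app-server-1", "critical", date(2024, 3, 1)),  # still present
    Finding("VULN-002", "app-server-1", "high", date(2024, 3, 1)),      # still present
    Finding("VULN-005", "web-proxy-1", "high", date(2024, 3, 14)),      # newly detected
]
TODAY = date(2024, 3, 15)


if __name__ == "__main__":
    print("initial scan by severity:", severity_summary(INITIAL))
    for f in INITIAL:
        print(f"{f.finding_id} {f.severity:<8} due {remediation_deadline(f)}")
    print("rescan reconciliation:", reconcile(INITIAL, RESCAN, TODAY))
```

Running the script on the constructed data shows VULN-003 and VULN-004 as verified closed, VULN-001 and VULN-002 still open, VULN-001 overdue (a critical finding with a 7-day window, rescanned 14 days after detection), and VULN-005 as a new finding with its own deadline. The design choice worth noting is that closure is derived only from the rescan result, which is the verification step the process above requires.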