NIST 800-63-3 is a set of guidelines published by the National Institute of Standards and Technology (NIST) for digital identity management and authentication. These guidelines provide recommendations for digital identity proofing, authentication protocols, and federation models. NIST 800-63-3 is widely recognized as a valuable resource for organizations looking to improve the security of their digital identity systems and reduce the risk of fraud and identity theft.

It is also essential for government agencies because it works. For instance, state governments using solutions aligned with NIST Identity Assurance Level 2 (IAL2) standards saw a significant decrease in fraudulent COVID-19 unemployment claims. Whether adapting to changing mandates or incorporating industry standards such as NIST 800-63-3, Karsun has a solution to ease the adoption of security best practices during modernization.

The NIST 800-63-3 Standard

NIST 800-63-3 was released in June 2017. The guidelines were intended to improve the security and usability of online identity verification while addressing new threats and challenges that have emerged in recent years.

The guidelines are organized into three parts:

  1. Digital Identity Guidelines: Guidance on establishing digital identity proofing and authentication procedures.
  2. Authentication and Lifecycle Management Guidelines: Describes how to implement and manage identity credentials and authentication.
  3. Federation and Assertions Guidelines: Provides guidance for federated identity systems and how to use assertions to share identity information between systems.

Since the introduction of NIST 800-63-3, these standards have become industry best practices for identity management. In addition to NIST 800-63-3 compliance, agencies are prioritizing Zero Trust as a key component of securing the User and App pillar. For example, the FAA’s 2022 AIT annual report states, “[its] network environment now operates within a Zero Trust security model, which requires users to be authenticated, authorized, and continuously validated to be granted access to a network, system, or application.” The agency’s cybersecurity-related improvement activities support the transition to Zero Trust, as well as its implementation of a new multi-factor authentication (MFA) service for users who would like to access the FAA’s network, systems, and applications.

Complementing Secure By Design Architecture

At Karsun, incorporating NIST 800-63-3 standards is part of designing secure digital architecture. Incorporating these guidelines into a secure by design architecture involves creating systems and applications with security considerations at every stage of the development process, from design to deployment.

The guidelines recommend using risk-based authentication (RBA) to assess the risk associated with each access attempt. We design systems and applications with RBA in mind and implement automated risk assessment tools to make real-time decisions about access requests.

Key to our solutions is identity proofing that adheres to NIST 800-63-3. This process involves verifying user identities using multiple sources of data. We incorporate these guidelines into the design process to ensure that user identities are verified before granting access. We also consider federation and assertions. We integrate NIST 800-63-3 standards into the design process if the system or application interacts with other systems or applications.

In addition, NIST 800-63-3’s guidelines on digital identity proofing can help organizations implement identity verification procedures consistent with the zero trust principle of “never trust, always verify.” By using a risk-based approach to identity proofing, organizations can better assess the trustworthiness of each user and device and limit access to sensitive data and applications only to those users and devices verified to be trustworthy.

We design systems and applications with secure coding practices in mind and follow best practices for secure coding throughout development. In our implementation, we automated mobile testing via functional testing tools like Appium. We used code scanning and container image scanning tools to identify and mitigate vulnerabilities earlier and address those issues before deployment.

By incorporating NIST 800-63-3 guidelines and a zero trust framework into a secure by design architecture, agencies can develop systems and applications that are secure by default and can better protect sensitive data and resources.

Complexities to Implementing Authentication

While adhering to these standards is essential to building a secure application, it introduces added complexity to modernization projects. The standards specify appropriate authentication approaches based on different risk levels. Each has extensive rules, and the requirements for various authenticators may be overwhelming, unclear, ambiguous, and conflicting. The difficulty of addressing each of these authentication levels effectively across devices can hinder the successful adoption of the security standards.

Identity Reference Framework

To meet this challenge, Karsun introduced an Identity, Credential and Access Management (ICAM) reference implementation. We customized the Keycloak open source tool via a specific Service Provider Interface (SPI) to address the complex NIST authenticator requirements while accelerating the adoption of those standards. Our team began with a risk-based assessment, identifying the authentication workflows and their requirements based on risk level.

Next, using Keycloak, we created custom implementations for each workflow. Using these workflows, we created custom templates for new user sign-up forms. We also adapted these custom templates to adhere to US Digital Services (USDS) standards. This approach created a repeatable identity framework we could implement as a plug-in that can be deployed over an open source Keycloak container.

Not only does this approach reduce complexity, but it is also a more secure implementation. It allows the user, when appropriate, to use an authentication method other than a simple password. With an authentication type such as FIDO2, the user enters a PIN or uses biometrics to unlock the authenticator, which then uses the key held in the device to sign the challenge from the identity provider. Thus the key never leaves the device. This passwordless approach, the highest assurance level available without a password, was more secure while simultaneously providing a better user experience.
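The FIDO2 sign-in described above, written out as an added example in Go: the device key signs the identity provider's challenge only after the PIN or biometric prompt, the private key never leaves the device, and the identity provider accepts nothing it cannot verify. This is not Karsun's Keycloak SPI or any project code; it models both sides in one file with a simplified WebAuthn assertion (authenticator data = rpIdHash || flags || counter, signature over authData || SHA-256(clientDataJSON)), and the RP ID and origin used by callers are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

const flagUP, flagUV = 0x01, 0x04 // authenticator-data flags: user present; user verified (PIN/biometric)
// Authenticator models the device: the private key is created here and never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Credential is all the identity provider stores: the public key and the last accepted counter.
type Credential struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// clientData mirrors the WebAuthn clientDataJSON fields the identity provider checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	ClientDataJSON, Signature []byte
	AuthData                  []byte // rpIdHash(32) || flags(1) || counter(4)
}

// NewAuthenticator creates the device key pair; only the public half goes into the Credential.
func NewAuthenticator() (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv}, Credential{Pub: &priv.PublicKey}, nil
}

// signedDigest is SHA-256(authData || SHA-256(clientDataJSON)), as WebAuthn defines it.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign runs on the device after the PIN/biometric prompt; userVerified records its outcome.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte, userVerified bool) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	a.counter++
	flags := byte(flagUP)
	if userVerified {
		flags |= flagUV
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(append(rpHash[:], flags), 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	return Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, err
}

// VerifyAssertion is the identity-provider side; the counter is committed only after every check passes.
func VerifyAssertion(cred *Credential, rpID, origin string, issued []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(issued):
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != origin:
		return errors.New("origin mismatch: assertion was produced for another site")
	case len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]):
		return errors.New("authenticator data malformed or rpIdHash mismatch")
	case as.AuthData[32]&(flagUP|flagUV) != flagUP|flagUV:
		return errors.New("user presence and PIN/biometric verification required")
	case binary.BigEndian.Uint32(as.AuthData[33:37]) <= cred.Counter:
		return errors.New("counter did not increase: replay or cloned authenticator")
	case !ecdsa.VerifyASN1(cred.Pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature):
		return errors.New("invalid signature")
	}
	cred.Counter = binary.BigEndian.Uint32(as.AuthData[33:37])
	return nil
}
```

A real identity provider would additionally discard each challenge once it has been used; the counter check here catches the replay regardless.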

Additionally, by using Keycloak to build our own identity reference framework library, we addressed a common concern with implementing open source tools. Using a template library created a clear separation between Keycloak and our ability to update the plug-in. We designed the library to keep the templates up to date and maintain the application’s security rather than relying on Keycloak itself.

Accelerating Identity and Access Management Adoption

Like many Karsun toolkit components, these identity reference framework resources are available to our team members to use through our InnerSource library. Evolving from an Innovation Center research and development project to a validated implementation, it can now be used as one of our readymade toolkits. All Karsun teams now have access to these vital resources, ensuring that our teams can accelerate the implementation of emerging identity and ICAM standards in your agency’s modernization efforts.

Content from this post initially appeared from Pavan Kurkal as part of Karsun’s Monthly Innovation Town Hall series. These events present innovative solutions from our delivery teams across Karsun. Pavan is an engineer with the Karsun Innovation Center specializing in identity and access management.

Governments and corporations alike have adopted fleet electrification as a cornerstone of their plans to curb carbon emissions and head off climate change. As part of a pledge to make the federal government carbon neutral by 2050, an executive order from President Joe Biden targets an all-electric fleet by 2035. That is a fleet of 645,000 vehicles driving a whopping 4.5 billion miles a year.

Electric Fleets: Beyond Environmental Impacts

Among our fleet management projects, Karsun supports the modernization of GSA’s Advanced Fleet Platform. Karsun is proud to participate in this vital work preparing our nation for a changing climate. By using an electric fleet, governments can reduce their carbon footprint and help combat climate change. Electric vehicles also produce fewer pollutants than traditional vehicles, which can lead to improved public health. By reducing air pollution, governments can help prevent respiratory illnesses and other health problems associated with poor air quality. Moreover, electric vehicles can be powered by a variety of sources, including renewable energy sources such as wind and solar power. By using an electric fleet, the government can reduce its reliance on fossil fuels and increase its energy security.

Envisioning the Future: Empowering Local Communities

Fleet electrification is a unique opportunity to deliver tangible impact for local communities while addressing our changing climate. Federal agencies can lead by example and demonstrate their commitment to sustainability by committing to all-electric fleets. This can inspire other constituents and localities to follow suit and make similar changes.

As an expert in both fleet management modernization and grants management, Karsun offers a unique opportunity for agencies to lead from the front on these initiatives. Our fleet and grants experts can help agencies modernize their systems to flow down grants to their constituents to accelerate the adoption of electric vehicles and other initiatives. Connect with us to learn more about our Fleet Management solutions or schedule a conversation with one of our enterprise modernization experts.

Spurred by the mounting cyber threats targeting the country, the White House issued an Executive Order mandating that agencies enhance and strengthen our nation’s cybersecurity. Hence, government agencies must continuously strengthen their cybersecurity postures when modernizing. Part of that process is the implementation of Zero Trust Architecture (ZTA). As a recent analysis in Nextgov suggests, ZTA structured around a service mesh provides a novel and efficient approach to rapidly implementing cybersecurity in legacy applications. Karsun is at the forefront of delivering these service mesh based solutions.

Zero Trust Architecture

ZTA is a cybersecurity strategy that secures an organization by eliminating implicit trust and continuously validating every stage of a digital interaction, verifying the people and devices that access applications, data, and systems.

Based on our extensive experience in modernization, we strongly recommend that any modernization efforts adopt a zero-trust architecture. At the same time, ZTA can be challenging to implement when compounded by the presence of legacy systems and applications that aren’t made for a distributed, cloud-based environment.

An effective way to manage and solve that problem is using a service mesh. A service mesh offers a dedicated domain-agnostic infrastructure layer (abstraction) that you can add to your services for capabilities like observability, traffic management, and security without adding them to your code. While most commonly used for cloud-native capabilities, such as microservices and containers, a service mesh can be the most efficient way to bring legacy systems into the ZTA fold.

Karsun’s Service Mesh Pilot

Our Innovation Center pilots and validates innovative approaches to enterprise modernization through several pathways, including Innovation Weeks, codeathons and delivery-guided pilot programs. In one such pilot program, we introduced a service mesh in a legacy application system. While common for containerized systems, our implementation went one step further, examining the opportunity for ZTA modernization in a non-containerized legacy application. We found a service mesh based approach provides a compelling alternative to lift-and-shift methods.

Most service mesh solutions are designed to be used in a Kubernetes environment. In our proof of concept, we used HashiCorp Consul to build a service mesh for a non-containerized legacy application. Using a service mesh allowed us to adapt the legacy application to meet the identity management requirements of a zero trust environment.

A core ZTA tenet requires us to verify the identity of resources accessing the system. Adding HashiCorp Vault allowed us to integrate with Google OAuth2 for identity and access management. Users and applications are authenticated before their requests reach servers or containers.

When implementing ZTA, you should also grant the lowest level of privileges possible. In our implementation, the services always start with no trust and no allowed routes. We configured all traffic via policies to ensure only authorized sources get access to the services. We also secured service-to-service communications while controlling outbound communication. With our service mesh, we found we could secure communications between Windows Server hosted applications and Linux based containers operating on Kubernetes through AWS EKS or AWS Elastic Container Service.

Combining these two tenets ensures a bad actor using compromised credentials does not have the attack surface necessary for great damage to the system. A service mesh like that implemented by our pilot team supports the identity and access management necessary for a true ZTA environment. Moreover, it can be used in both containerized and non-containerized environments. It is a powerful option for agencies looking to build ZTA for greenfield development and legacy application modernization.

Our Zero Trust Architecture Service Mesh is a product of the Karsun Innovation Center (KIC). Want to learn more? Check out the new Getting Legacy Systems Up to Speed With Modern Security report from GovLoop.

Excellence in all we do, innovation, teamwork, integrity, commitment, and fun are the core values that guide and inspire us. Throughout our journey, our Karsun Innovation Center (KIC) not only empowers innovative work at Karsun, but also connects our teams, advocates for excellence, and strengthens our commitment to our customers and integrity in our work. Of course, they introduce an element of fun too! 2022 was a year that encapsulated all of these qualities at the KIC, from renewed validation of its quality assurance programs to continuing development for experimenters and innovators at all levels.

The KIC breaks its activities broadly into three components: training through Karsun Academy, research and development, and an employee-centered approach to managing excellence through its Practice Areas. This includes the development of best practices at Karsun and ongoing investment in quality assurance programs. This year Karsun was appraised at CMMI v2.0 Level 5 (DEV). At the time of its assessment, Karsun was among a handful of U.S. companies with the updated v2.0 appraisal. Organizations audited under this new system demonstrated their methodology was optimized using a data-driven approach to development. Karsun’s development toolkit features 25+ health and diagnostic visualizations to help teams improve their practices.

This year the Karsun Academy team announced new study groups, remote workshops, and an evolving set of certification opportunities. It also hosted weekly brown bags. This employee-to-employee format invites team members to share personal experiences on topics from coaching to AI/ML. It also expanded programs for future technology leaders and champions.

Karsun’s internship program added a new cohort this year for high school and early career college students. This junior-level internship class focused on applying emerging technology to real-world problems facing government agencies. These students participated in related codeathons and completed a research project that was presented to Karsun’s senior leadership. Meanwhile, the cohort with more experienced students addressed challenges surrounding personally identifiable information when conducting research. Their work on synthetic data was presented at a company-wide innovation town hall.

Those monthly innovation town halls were also the forum to showcase groundbreaking work from teams across Karsun. Showcased ideas are first submitted to the center’s innovation radar. From there, the research and development unit works in conjunction with delivery teams to prototype, build and test the application of those ideas. Successful implementations are presented monthly, bringing fresh attention to experimenters and builders at Karsun. To date, over 100 ideas have been submitted to the radar for inclusion in this process. This is also the forum where the center announces its Karsun Academy training agenda. 

Karsun Practice Areas drive excellence through the establishment of guidelines, industry certifications, and technology partnerships while enabling teamwork and collaboration among employees. In addition to the ongoing development of toolkits and other assets to guide teams toward best practices, the KIC launched new expert tools in the Karsun Konnect workplace app. These help delivery teams solve problems by connecting them with subject matter experts within Karsun. This proactive approach enables collaboration and helps teams not only maintain their commitment to Karsun customers but exceed their expectations.

Through the Innovation Center, teams also accessed industry thought leaders. The center kicked off its Expert Talks series this year. This interactive session brings in external experts on topics like cybersecurity or AI/ML. Practice advocates and leaders also brought new resources into Karsun teams. Senior Director and Data Practice Lead Srikanath Devarajan continued his ongoing blog series on topics including scoping AI/ML projects and understanding data mesh. Meanwhile, Karsun experts returned to conferences this year and took the stage for panels ranging from procurement innovation to human centered design.

Through the KIC, excellence and innovation go hand in hand. Entering 2023, the center held its first town hall. Presenters previewed new approaches to microservices and user interfaces and introduced a new brown bag and workshop series. Join us in 2023 to discover what’s next from the Karsun Innovation Center.

Like Peloton bikes and sourdough starters, the pandemic-influenced remote work era might be coming to an end, according to a recent Workforce Report from LinkedIn. The report tracked, among other topics, the ongoing conversation around return-to-office initiatives. Using data from LinkedIn’s Economic Graph team, the report found that employers’ paid remote work postings dropped from 20% in March 2022 to just 14% in November.

While enforcing a hybrid schedule with a required number of days in the office per week or month is increasingly popular with some employers, we found our flexible approach allows our team members to select the workspace format that’s best for them while creating tangible benefits for our organization. Most roles at Karsun enable our team members to work either entirely remotely or in a hybrid approach if based near our Washington, D.C. region headquarters. This is enabled in part by Karsun’s consistent, ongoing commitment to building digital and in-person workspaces that support collaboration, experimentation, and innovation.

Karsun supports experimentation and collaboration no matter the location. Prior to the pandemic, our Innovation Center launched an online innovation radar where an employee, regardless of whether they were part of a remote or in-person team, could submit an idea for our in-house R&D team to build, test, and validate. Each month these prototypes were demoed at Innovation Town Halls, featuring presenters from across the organization. After we moved to a work-from-home format during the pandemic, we transitioned these to virtual town halls. We embraced this opportunity to record our town halls, building a library promoting ongoing innovation at Karsun. 

Our new flexible workplace helped us grow in other ways. Karsun Academy, our professional development program, offered more recorded training, hosted virtual certification study groups, and increased our virtual lending library. Our employees’ skills and certifications grew even as the majority of us remained remote. 

The report mentions the loss of tribal knowledge as a potential drawback to remote work. Nevertheless, we grew our open-source InnerSource Library, creating 35+ reusable assets for our team. At the same time, our Practice Advocates added new resources for delivery teams to connect with subject matter experts, research solutions, and hone best practices. We found our flexible, employee-first mindset helped us scale our enterprise and helped our teams grow with Karsun. 

We also recognize connections outside of work encourage us to grow as a team. Virtual happy hours, fitness classes, and other employee groups continue even as we reopened our offices. Coffee with Leadership, a popular program where our co-founders chat with and get recommendations from small groups of employees, continues in a remote format. Our Herndon, Virginia offices also have the same pre-pandemic social spaces where teams can connect to play foosball, work out, brainstorm, or host a professional meetup. In this way, our teams connect in the way that works best for them. 

When we celebrated our 10th anniversary at the end of 2019 and shortly before the pandemic, we reaffirmed our commitment to an employee-centric workplace. For us, that includes building flexible environments where our team members thrive. We’re proud to create a space where our teams can work together, create innovative solutions that transform government, and Do Extraordinary. These teams are still growing and imagining the future together. We are currently hiring for remote and hybrid roles at KarsunCareers.com.

With its eighth Inc. 5000 award this year, Karsun claims more than a decade of continuous, award-winning revenue growth. But financial stability is not the only space where it demonstrates excellence. It has received repeated awards for culture, outlook, and leadership. Together, these awards demonstrate Karsun continues to be the premier enterprise modernization company. A place where its modern software development, cloud solutions, and data solutions teams defy assumptions and do extraordinary.

In addition to its Inc. 5000 award, it received recognition from other organizations for its growth. Reflecting its ongoing role as an industry and regional leader, it also won its fourth Northern Virginia Technology Council Tech 100 award. Additionally, the USPAACC honored Co-Founders Kartik Mecheri and Sundar Vaidyanathan with its Fast 50 award, which recognizes the leaders of the fastest-growing Asian American businesses.

Award-Winning Culture

To supplement this ongoing growth, Karsun continually invests in the employee experience. This year new investments included its first-ever Chief People Officer, updated recognition programs, and a renewed commitment to building an employee-centric, flexible work environment. As a result, it picked up national and regional awards for culture. 

It kicked off the year with its second Best Company Outlook award from Comparably.com. The employer rating site awards Best Company awards to the small- and medium-sized companies with the highest rankings from employee reviews. Karsun also won its first Best Perks and Benefits award from Comparably.

The regions with the largest portion of its workforce also honored Karsun as a local leader. In the spring, it was named a Best Company in Washington, D.C. by Comparably. Based in nearby Herndon, Virginia, its headquarters reopened for hybrid teams in March 2022. Karsun saw the return of its hybrid innovation town halls, expert talks, all hands and other collaborative activities this year from that location. Meanwhile, based on an independent survey of its Oklahoma City based team, Karsun was also named a Top Workplace by the Oklahoman.

Karsun remains committed to strengthening its employee experience. It anticipates further growth among its teams throughout 2023 and continues nationwide hiring. Most roles are remote, with the option for hybrid in select locations. Interested applicants may view open roles at KarsunCareers.com.

Karsun’s internship program returned this year, adding a second cohort for exceptional high school and early college STEM students. These two cohorts took the next steps in preparing for their future careers with this program that embeds interns inside the Karsun Innovation Center. The summer programs invited students to imagine the future of government, complete technical certifications, dive into AI/ML and collaborate with experts. 

Nurturing Future Technology Leaders

Here careers grow as Karsun grows. This year that included an expansion to our intern program, enabling that experience to start earlier for high school students and for college students in their freshman and sophomore years. These Student Interns also worked directly with the Karsun Innovation Center and were mentored by previous graduates of the intern program.

A key focus of the program was imagining the future of technology in government. Working in pairs, our Student Interns picked project topics ranging from digital twins to robotic process automation (RPA). The interns researched these technologies throughout their ten-week program, submitting a research paper and presentation at the end of the course.

The intern track for advanced college students, recent grads and graduate students also offered opportunities to work with mentors while building their technical skills. These interns were assigned mentors from one of the KIC Practice Areas. These experts from the Development, Lean, DevSecOps, Data and Solution Practices helped these interns assess and select programs from our Karsun Academy professional development courses. As a result, several members of the class ended their internship with AWS certifications and other credentials.   

“That Karsun encourages and supports its workers in obtaining cloud certification in Amazon Web Services for the advancement of their careers is another thing I admire.” – Mayank Tamakuwala

Building with Karsun Innovators

In addition to their research projects, the Student Interns worked in teams on two challenge projects. In one project, they developed a prototype to solve a hypothetical challenge for federal government agencies. The second challenge was a code-a-thon designed to demonstrate the application of data science concepts. In this challenge, the teams applied a digital twin to determine if different images contained pictures of a collapsed lung.

The more experienced interns worked on real projects under development in the Innovation Center’s R&D unit. Their data science project focused on building a synthetic data platform to improve the security of PII in data modeling. This project culminated with the synthetic data team presenting their findings at an organization-wide Innovation Townhall.

Some members of the intern program also worked with Karsun’s internal digital workplace team. They assisted with the Karsun Kollaborate project. This initiative examines new ways Karsun team members can connect and collaborate outside of their current delivery teams. Some of these projects were also data focused, using tools like Google Data Studio to improve operational efficiency at Karsun. This was also an opportunity to try low-code/no-code development to add enhancements to the digital workplace experience.

Collaborating and Presenting to Colleagues

They also participated in Show Don’t Tell sessions, a cornerstone of the internship program. In these weekly meetings, attended by Karsun team members throughout the innovation center, interns demoed and presented their accomplishments. This is also an opportunity to receive feedback from other units in the KIC outside of their practice mentors. At the final Show Don’t Tell event, both groups of interns demoed their projects and presented results from their government technology research projects to Karsun leaders.

“I always felt like my opinion was respected at meetings, even in a room full of people that were far more experienced than me. I also had a great time working with the team, everyone was so willing to help each other and it felt like a comfortable, collaborative environment.” – Akhilesh Varanasi

“I enjoyed the biweekly ‘Show, Don’t Tell’ meetings where I learned about other ongoing projects at KIC. I was introduced to new ideas and tools.” – Sanjana M Moodbagil

Our advanced Summer Interns earned professional certifications, imagined new uses for synthetic data and created tools for Karsun teams. Meanwhile, our Student Interns experimented with the application of AI/ML, development and other technical concepts as they celebrated innovation while bringing visibility to these future leaders and experts. Through the Karsun Innovation Center, Karsun Academy and other resources, we empower our teams to find their next opportunity to grow at any stage in their education or career.

Cloud native development, which delivers improved efficiency and reduced costs while ensuring availability, is a must for complex enterprise modernization projects. Modern cloud native architectures involve applications developed and deployed through cloud service providers such as AWS. These use services like AWS VPC, EC2, S3, Kinesis, DynamoDB, RDS, and others.

While utilizing cloud native architecture can provide impressive operational improvements, maintaining security and compliance standards using manual processes can quickly limit those outcomes. This is a common concern for our agency customers. Applications deployed in federal agencies must obtain an Authorization to Operate (ATO).

Getting an ATO involves categorizing the information system, then selecting, implementing, and assessing the controls. Risks are identified based on this assessment, and final authorization is provided to operate the system. In most cases, this process relies on manual tasks, like copying security control documentation into a Governance, Risk, and Compliance (GRC) document, then manually updating this documentation on a regular basis. Because continuous deployment of new workloads and features is a necessity in an agile environment, these manual processes and the massive documentation effort add significant delays to the authorization process.

AWS DevOps and OSCAL Compliance for cATO and Zero Trust

One solution is the Open Security Controls Assessment Language (OSCAL). OSCAL is a set of formats, expressed in XML, JSON, and YAML, developed by NIST. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. GovReady-q is an open source GRC platform for highly automated, user-friendly, self-service compliance assessments and documentation that supports OSCAL. AWS is the first cloud service provider to provide an OSCAL-formatted system security plan (SSP). Integrating a GRC tool like GovReady-q into the DevSecOps toolchain and using OSCAL to document all the controls automates most aspects of the ATO process, enabling continuous ATO (cATO) and alleviating the documentation burden and most of the manual processes associated with it.
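An added example, not Karsun's or GovReady-q's code, of the kind of automated check that machine-readable OSCAL makes possible in a DevSecOps pipeline: it reads the control baseline selected by an OSCAL profile and the controls an SSP claims to implement, and reports the gap between them. The JSON key names (`profile.imports[].include-controls[].with-ids` and `system-security-plan.control-implementation.implemented-requirements[].control-id`) are assumed from the OSCAL schemas; the two documents are constructed and trimmed to just those fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// The slices of the OSCAL JSON models this gate reads. Key names follow the OSCAL
// profile (baseline) and system-security-plan schemas (assumed); other fields are ignored.
type oscalProfile struct {
	Profile struct {
		Imports []struct {
			Href            string `json:"href"`
			IncludeControls []struct {
				WithIDs []string `json:"with-ids"`
			} `json:"include-controls"`
		} `json:"imports"`
	} `json:"profile"`
}

type oscalSSP struct {
	SSP struct {
		ControlImplementation struct {
			ImplementedRequirements []struct {
				ControlID string `json:"control-id"`
			} `json:"implemented-requirements"`
		} `json:"control-implementation"`
	} `json:"system-security-plan"`
}

// GapReport lists baseline controls the SSP never documents (Missing) and SSP
// entries outside the baseline (Extra), which deserve a reviewer's attention.
type GapReport struct {
	Missing, Extra []string
}

// ControlGaps compares the baseline a profile selects with the controls an SSP
// claims. An empty Missing list is what a pipeline gate would require before the
// authorization package is regenerated.
func ControlGaps(profileJSON, sspJSON []byte) (GapReport, error) {
	var p oscalProfile
	if err := json.Unmarshal(profileJSON, &p); err != nil {
		return GapReport{}, fmt.Errorf("profile: %w", err)
	}
	var s oscalSSP
	if err := json.Unmarshal(sspJSON, &s); err != nil {
		return GapReport{}, fmt.Errorf("ssp: %w", err)
	}
	baseline := map[string]bool{}
	for _, imp := range p.Profile.Imports {
		for _, inc := range imp.IncludeControls {
			for _, id := range inc.WithIDs {
				baseline[id] = true
			}
		}
	}
	claimed := map[string]bool{}
	for _, req := range s.SSP.ControlImplementation.ImplementedRequirements {
		claimed[req.ControlID] = true
	}
	var r GapReport
	for id := range baseline {
		if !claimed[id] {
			r.Missing = append(r.Missing, id)
		}
	}
	for id := range claimed {
		if !baseline[id] {
			r.Extra = append(r.Extra, id)
		}
	}
	sort.Strings(r.Missing)
	sort.Strings(r.Extra)
	return r, nil
}

// Constructed sample documents, trimmed to the fields above (not real agency data).
const SampleProfile = `{"profile": {"imports": [{"href": "#nist-800-53-rev5",
  "include-controls": [{"with-ids": ["ac-2", "ac-17", "ia-2", "ia-5", "sc-8"]}]}]}}`

const SampleSSP = `{"system-security-plan": {"control-implementation": {
  "implemented-requirements": [{"control-id": "ac-2"}, {"control-id": "ia-2"},
    {"control-id": "sc-8"}, {"control-id": "sc-7"}]}}}`

func main() {
	r, err := ControlGaps([]byte(SampleProfile), []byte(SampleSSP))
	if err != nil {
		panic(err)
	}
	fmt.Println("baseline controls without an SSP entry:", r.Missing)
	fmt.Println("SSP entries outside the baseline:", r.Extra)
}
```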

Enabling DevOps with Karsun Solutions 

At Karsun, we promote the adoption of OSCAL for the documentation of security controls and use automated GRC tools like GovReady-q. When applications deploy on AWS, we can leverage OSCAL documentation created by AWS. This enables faster, more accurate authorization packages, decreases customers’ security documentation burden and reduces service authorization timelines.

Working with an experienced cloud solutions partner such as Karsun ensures you do not need to trade security for efficiency. In particular, we are an AWS Advanced Consulting Partner with both a Government Services Competency and a Migration Services Competency. Partner with our experts, modernize with cloud native architecture, and optimize both operations and security.

About the Author

Judewin Gabriel is a Subject Matter Expert and the DevSecOps Practice Lead at Karsun Solutions. An advocate for DevSecOps best practices, he drives CI/CD, security engineering, SRE, pipelines, and observability excellence.

Karsun Solutions is an AWS Advanced Consulting Partner. After more than a decade of delivering complex cloud solutions, we are experts in optimizing outcomes for our government agency customers. Not only do we deliver superior solutions, but our Karsun Innovation Center (KIC) in-house research and development team constantly experiments, prototypes and validates technology to ensure the implementation of best practices.

We previously shared one way our KIC brings the latest technologies to our teams, leveraging our AWS partnership to enhance Karsun's proprietary GoLean platform. In the last five years, Karsun continued to expand our toolkit offerings. Through our technology partners, like AWS, our toolkits allow our teams to jumpstart new projects with ready-made resources based on best practices.

GoLean Grows Up

As DevOps matured, so too did our approach. The GoLean platform grew and matured alongside it. 

“DevSecOps is a natural evolution of DevOps,” explains Badri Sriraman, Senior Vice President of the Karsun Innovation Center. “In the same way continuous deployment ensures improved functionality for the user, DevSecOps ensures a hardened security infrastructure is implemented for the successful operation of software in production.”

Our GoLean platform not only includes a robust lean measurement toolkit but also incorporates metrics and automates processes to accelerate the adoption of DevSecOps best practices. Our continuous delivery framework enables DevSecOps teams to decouple a feature deployment from its release so that Developers can self-manage the feature, test it in production and incrementally roll it out to users after validation of its operational performance in a shadow data network. Utilizing a low-code open source data pipeline tool enables fine-tuned data synchronization between legacy and modernized components. Additionally, our Duke Test Automation Framework supports continuous testing at scale.

Karsun Adds Cloud Runways

In addition to GoLean, Cloud Runways built on AWS or other cloud services now enhance our DevSecOps solutions. The toolkits allow teams not only to migrate legacy applications to the cloud but to fully optimize them for DevSecOps. The Replatform Runway introduces DevSecOps automation using Terraform, Ansible, and Packer for Windows containers while migrating Windows apps into AWS ECS or Red Hat OpenShift.

In addition to the Replatform Runway, we created nine robust runway toolkits based on best practices, drawing on extensive experience delivering on AWS. We achieved both an AWS Government Competency and an AWS Migration Competency, validating our ongoing commitment to delivery excellence. As a public sector partner, we are committed to helping agencies modernize to meet their mission.

As modernization requirements evolve, so too has our modernization suite. Karsun's GoLean platform continuously adapts to the latest security and development approaches. Simultaneously, we strengthened and enhanced our migration offering via Cloud Runways to optimize for DevSecOps adoption. Ongoing research and development into automation, CI/CD and DevSecOps is one of many ways Karsun ensures our architecture is built to last.

Whether packaging applications with a container platform such as Docker or orchestrating them with a tool like Kubernetes, the race is on for containerized solutions. In October 2021, the General Services Administration released its Containerization Readiness Guide. Containerized software solutions allow agencies to develop applications rapidly, scale quickly and optimize compute resources. The need is especially pressing for legacy applications, which must also remain secure as they modernize.

Creating Dockerfiles for Containerization

When we think of containerization, the first step is to create a Dockerfile for each application. While the Dockerfile provides the flexibility to build an image limited only by your ability to script, it also places the burden of accuracy, efficiency and security of those images on developers. For example, developers must keep images as small as possible by removing redundant dependencies that inflate image size and build time. They must also confirm that the image contains no secrets or configuration keys, since anything copied in or set in a build step persists in an image layer. Additionally, they should verify that the base image comes from a trusted source and keep scanning images for newly disclosed vulnerabilities: a vulnerability in the image is inherited by every container started from it. Without proper planning and oversight, things can quickly get messy.
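To make those requirements concrete, here is an added example written for this page (not a Dockerfile from Karsun or from any project it describes): the weak first-draft pattern appears in the comment block, followed by a hardened multi-stage build for a constructed ASP.NET Core service. The project name Acme.Api, the internal NuGet feed URL and the secret id nuget_token are assumptions; the Microsoft .NET 8 image tags and the `--mount=type=secret` BuildKit syntax are real. The example targets the Linux .NET images rather than the Windows containers mentioned elsewhere on this page.

```dockerfile
# syntax=docker/dockerfile:1
# Added example for this page; not Karsun's Dockerfile. Names are assumptions.
#
# --- The first-draft pattern the text warns about ---
#   FROM mcr.microsoft.com/dotnet/sdk:latest     # floating tag; base changes silently
#   COPY . /app                                  # .git, *.env, keys all end up in a layer
#   ENV NUGET_TOKEN=...                          # secret baked into image metadata
#   RUN dotnet publish /app -o /out              # SDK, sources and secret ship to prod
#   ENTRYPOINT ["dotnet", "/out/Acme.Api.dll"]   # runs as root
#
# --- Hardened multi-stage build ---

# Build stage: pinned to a major.minor tag; replace with an @sha256 digest once the
# image has been verified so the base cannot change underneath you.
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src

# Copy only the project file first so the restore layer is cached until
# dependencies change, not on every source edit.
COPY Acme.Api/Acme.Api.csproj Acme.Api/

# The private-feed credential is mounted for this one step and never written to a
# layer. Supplied at build time with:
#   docker build --secret id=nuget_token,src=./nuget_token.txt -t acme-api .
RUN --mount=type=secret,id=nuget_token \
    dotnet nuget add source https://pkgs.example.internal/nuget/v3/index.json \
      --name internal --username build \
      --password "$(cat /run/secrets/nuget_token)" --store-password-in-clear-text \
 && dotnet restore Acme.Api/Acme.Api.csproj

# Sources are copied after restore; a .dockerignore excluding .git, *.env, *.pfx
# and bin/obj keeps local secrets and build output out of the context entirely.
COPY Acme.Api/ Acme.Api/
RUN dotnet publish Acme.Api/Acme.Api.csproj -c Release -o /app/publish --no-restore

# Runtime stage: the ASP.NET runtime image only. No SDK, no sources, no feed
# credential, so the attack surface and the scan findings are limited to what
# actually runs.
FROM mcr.microsoft.com/dotnet/aspnet:8.0
WORKDIR /app
COPY --from=build /app/publish .

# Bind to a non-privileged port and drop root: the .NET 8 images ship a
# non-root user named 'app' for exactly this purpose.
ENV ASPNETCORE_HTTP_PORTS=8080
EXPOSE 8080
USER app
ENTRYPOINT ["dotnet", "Acme.Api.dll"]
```

Two checks belong beside this file in the pipeline: confirm that no layer of the final image contains the token (for example by inspecting `docker history` for the build args and environment), and run the image scanner against the runtime stage on every build, not only when the Dockerfile changes, since the base image's packages are what accumulate new CVEs.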

Benefits of using Buildpacks over Dockerfiles

Buildpacks convert application source code into a secure, efficient and production-ready container image without a hand-written Dockerfile for each application. A buildpack inspects applications written in Java, .NET, Python and many other languages, determines the dependencies they need, and configures them to run on any cloud. Buildpacks also allow the OS layers of an existing image to be swapped for a patched run image (a rebase) without rebuilding the application layers. This shortens remediation time when a base image is updated, because the build does not have to recreate every layer.

Using Tekton for creating CI Pipelines 

Tekton is a cloud-native solution for building CI/CD pipelines. Unlike Jenkins, Tekton was designed to run natively on Kubernetes, including Amazon EKS. It installs as an extension on a Kubernetes cluster and provides a set of open source Kubernetes resources, such as parameterized Tasks and Pipelines, for defining and running CI/CD workflows. Just as Jenkins uses plugins to extend its capabilities, Tekton has Tekton Hub, a catalog of predefined tasks; when no catalog task precisely matches your requirements, you can write custom tasks and scripts. Tekton's modularity allows for componentization, standardization and reusability within the CI/CD workflow, and the Buildpacks project publishes tasks that Tekton can use to build and deploy applications.

Tekton also supports Windows containers and can run Linux-only, Windows-only and hybrid workflows. Installing Tekton on an EKS cluster means EKS manages the availability and scalability of the Kubernetes control plane, which schedules containers, manages application availability, stores cluster data and performs other key tasks. In addition, it allowed us to take advantage of the performance, scale, reliability, and availability of AWS infrastructure, as well as integrations with AWS networking and security services, such as Application Load Balancers (ALBs) for load distribution, AWS Identity and Access Management (IAM) integration with Kubernetes role-based access control (RBAC), and Amazon Virtual Private Cloud (VPC) support for pod networking.
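The Buildpacks and Tekton sections above describe a build-without-Dockerfile pipeline; the following is an added example of such a Tekton Pipeline written for this page, not Karsun's pipeline and not code from the Tekton or Buildpacks projects. It chains the catalog `git-clone` task with the catalog `buildpacks` task through the hub resolver. The task and parameter names (`git-clone`, `buildpacks`, `APP_IMAGE`, `BUILDER_IMAGE`, the `source`, `cache` and `dockerconfig` workspaces, the `APP_IMAGE_DIGEST` result) are as published in the Tekton catalog at the versions shown, but the versions and the Paketo builder reference should be checked against Tekton Hub before use; the pipeline name, the repository parameter and the ECR image reference are assumptions.

```yaml
# Added example for this page (not Karsun's pipeline). Task names, params and
# result names follow the Tekton catalog tasks at the versions referenced;
# verify them on Tekton Hub. Image reference and pipeline name are assumptions.
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: buildpacks-dotnet
spec:
  params:
    - name: repo-url
      type: string
      description: Git repository containing the .NET application
    - name: revision
      type: string
      default: main
    - name: image
      type: string
      description: Image to publish, e.g. 123456789012.dkr.ecr.us-east-1.amazonaws.com/acme-api:1.0.0
  workspaces:
    - name: source            # checked-out source, shared between tasks
    - name: cache             # buildpack layer cache; optional but speeds rebuilds
    - name: docker-credentials  # registry config for pushing to ECR
  tasks:
    - name: fetch
      taskRef:
        resolver: hub
        params:
          - name: kind
            value: task
          - name: name
            value: git-clone
          - name: version
            value: "0.9"
      workspaces:
        - name: output
          workspace: source
      params:
        - name: url
          value: $(params.repo-url)
        - name: revision
          value: $(params.revision)
    - name: build
      runAfter: [fetch]
      taskRef:
        resolver: hub
        params:
          - name: kind
            value: task
          - name: name
            value: buildpacks
          - name: version
            value: "0.6"
      workspaces:
        - name: source
          workspace: source
        - name: cache
          workspace: cache
        - name: dockerconfig
          workspace: docker-credentials
      params:
        - name: APP_IMAGE
          value: $(params.image)
        # Builder supplies the OS layers and the language buildpacks. Pin it by
        # digest in production so the build inputs are reproducible.
        - name: BUILDER_IMAGE
          value: paketobuildpacks/builder-jammy-base:latest
  results:
    # The digest, not the tag, is what the deploy step should reference.
    - name: image-digest
      value: $(tasks.build.results.APP_IMAGE_DIGEST)
```

The buildpacks task produces the image without any Dockerfile in the repository, and the pipeline result carries the image digest so a later deploy task can reference the exact image that was built and scanned. When the builder's run image is patched, the application layers do not need to be rebuilt; running `pack rebase` against the published image (the Buildpacks CLI) swaps in the updated OS layers, which is the capability the Buildpacks section describes.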

Conclusion

In summary, integrating Tekton with Buildpacks allowed us to containerize applications easily and securely and to create an end-to-end CI/CD pipeline from reusable components. Using Tekton and Buildpacks we containerized more than 20 .NET applications and moved them to the cloud in less than six months. This initiative is expected to reduce technical debt by cutting application maintenance costs by 50% and raising the technical compliance score by 35% over the next two years.

About the Author

Prerak Patel is DevOps Engineer from the Karsun Solutions DevSecOps Practice. This practice is responsible for driving CI/CD, security engineering, SRE, pipelines and observability excellence at Karsun.