At Karsun, we help civilian government agencies prepare for Every Next with mission driven modernization. We encourage experimentation, and facilitation of innovation that produces solutions that use the best suited technology to help these agencies meet their mission. Using the right technology at the right time ensures our solutions are built to last.
When you join Team Karsun, you become part of the team delivering state-of-the-art, long-lasting solutions to these government agencies. Whether applying emerging technology or using proven resources to produce extraordinary results, Karsun is where experimenters and problem solvers Find Your Next. Moreover, when you are here, our team will cheer you on and celebrate as you solve problems and build exciting new solutions!
All Karsun team members have access to two critical components of the Karsun Innovation Center (KIC). Our in-house research and development team is the first stop for teams ready to build with emerging technologies. This team receives requests via our Innovation Radar, validates the technology, and then creates a prototype. Working alongside the customer team, it develops the prototype further to implement the solution.
Each month we share and promote successful implementations at our Innovation Town Halls. If you want to grow your career through experimentation and innovation, these monthly events are your opportunity to shine. Open to the entire company, executives, portfolio leaders, and experts eager to introduce new solutions attend these interactive sessions. Every solution includes a demo and a question-and-answer session. Many Karsun colleagues follow town halls with brown bags to share their findings, process, and expertise.
Fully matured solutions may later be included in our Innovation Center Toolkits. These kits combine robust assessments, data driven analysis, and proven resources with expert guidance from our Innovation Center Practice Areas. Leveraging industry best practices, our toolkits are used by our teams as readymade cloud migration, DevSecOps, microservices, UI/UX, agile, and data solution resources.
Early adopters and those early in their technology careers may not yet feel comfortable participating directly in the R&D process. These toolkits support you as you implement new and powerful tools in your solutions using established guidelines and playbooks, plus support from our subject matter experts. Industry certifications also validate these toolkits. Our Cloud Runways and AWS cloud practice are backed by AWS Government, Migration, and DevOps Competencies. Our GoLean Agile Platform uses our CMMI v2.0 Level 5 DEV appraised software development methodology. That appraisal reflects our data driven approach to development using the visualization tools available with the GoLean toolkits.
As a means of field testing these toolkits, some Karsun team members also participate in codeathons and challenge teams. These exercises allow our team to experiment with these resources to solve hypothetical problems that our government customers may face. Past challenges include applying new AI-assisted development tools, cybersecurity, and UI/UX resources.
Whether you want to lead new technology adoption or introduce new technology with expert guidance, Karsun has a growth opportunity for you. Resources from our Karsun Innovation Center R&D and Practice Area teams have your back. If you are an innovator or experimenter ready to help government agencies build better technology, join our team and Find Your Next.
Update August 2023: This blog was the second in our series exploring how our problem solvers grow at Karsun while helping our agency customers meet their mission. Check out our previous posts and discover where we find our next, how our teams collaborate with toolkits and how our team champions power possible.
NIST 800-63-3 is a set of guidelines published by the National Institute of Standards and Technology (NIST) for digital identity management and authentication. These guidelines provide recommendations for digital identity proofing, authentication protocols, and federation models. NIST 800-63-3 is widely recognized as a valuable resource for organizations looking to improve the security of their digital identity systems and reduce the risk of fraud and identity theft.
It is also essential for government agencies because it works. For instance, state governments using solutions aligned with NIST Identity Assurance Level 2 (IAL2) standards saw a significant decrease in fraudulent COVID-19 unemployment claims. Whether adapting to changing mandates or incorporating industry standards such as NIST 800-63-3, Karsun has a solution to ease the adoption of security best practices during modernization.
The NIST 800-63-3 Standard
NIST 800-63-3 was released in June 2017. The guidelines were intended to improve online identity verification’s security and usability while addressing new threats and challenges that have emerged in recent years.
The guidelines are organized into three parts:
- Digital Identity Guidelines: guidance on establishing digital identity proofing and authentication procedures.
- Authentication and Lifecycle Management Guidelines: describes how to implement and manage identity credentials and authentication.
- Federation and Assertions Guidelines: guidance for federated identity systems and for using assertions to share identity information between systems.
Since introducing NIST 800-63-3, these standards have become industry best practices for identity management. In addition to NIST 800-63-3 compliance, agencies are prioritizing Zero Trust as a key component of securing the User and App pillar. For example, the FAA’s 2022 AIT annual report states, “[its] network environment now operates within a Zero Trust security model, which requires users to be authenticated, authorized, and continuously validated to be granted access to a network, system, or application.” The agency’s cybersecurity-related improvement activities support the transition to Zero Trust, as well as its implementation of a new multi-factor authentication (MFA) service for users who would like to access the FAA’s network, systems, and applications.
Complementing Secure By Design Architecture
At Karsun, incorporating NIST 800-63-3 standards is part of designing secure digital architecture. Incorporating these guidelines into a secure by design architecture involves creating systems and applications with security considerations at every stage of the development process, from design to deployment.
The guidelines recommend using risk-based authentication (RBA) to assess the risk associated with each access attempt. We design systems and applications with RBA in mind and implement automated risk assessment tools to make real-time decisions about access requests.
Key to our solutions is NIST 800-63-3 adherent identity proofing. This process involves verifying user identities using multiple sources of data. We incorporate these guidelines into the design process to ensure that user identities are verified before granting access. We also consider federation and assertions. We integrate NIST 800-63-3 standards into the design process if the system or application interacts with other systems or applications.
In addition, NIST 800-63-3’s guidelines on digital identity proofing can help organizations implement identity verification procedures consistent with the zero trust principle of “never trust, always verify.” By using a risk-based approach to identity proofing, organizations can better assess the trustworthiness of each user and device and limit access to sensitive data and applications only to those users and devices verified to be trustworthy.
We design systems and applications with secure coding practices in mind and follow best practices for secure coding throughout development. In our implementation, we automated mobile testing via functional testing tools like Appium. We used code scanning and container image scanning tools to identify and mitigate vulnerabilities earlier and address those issues before deployment.
By incorporating NIST 800-63-3 guidelines and a zero trust framework into a secure by design architecture, agencies can develop systems and applications that are secure by default and can better protect sensitive data and resources.
Complexities to Implementing Authentication
While adhering to these standards is essential to building a secure application, it introduces added complexity to modernization projects. The standards specify appropriate authentication approaches based on different risk levels. Each has extensive rules, and the requirements for various authenticators may be overwhelming, unclear, ambiguous, and conflicting. Effectively addressing each of these Authentication Levels across devices is difficult, and that difficulty can hinder the successful adoption of the security standards.
Identity Reference Framework
To meet this challenge, Karsun introduced an Identity, Credential and Access Management (ICAM) reference implementation. We customized the Keycloak open source tool via a specific Service Provider Interface (SPI) to address the complex NIST authenticator requirements while accelerating the adoption of those standards. Our team began with a risk-based assessment, identifying the authentication workflows and their requirements based on risk level.
Next, using Keycloak, we created custom implementations for each workflow. Using these workflows, we created custom templates for new user sign-up forms. We also adapted these custom templates to adhere to US Digital Services (USDS) standards. This approach created a repeatable identity framework we could implement as a plug-in that can be deployed over an open source Keycloak container.
Not only does this approach reduce complexity, but it is also a more secure implementation. It allows the user, when appropriate, to use authentication other than a simple password. When using an authentication type such as FIDO2, the user enters a PIN or uses biometrics to authenticate successfully; the authenticator then uses the key held in the device to sign the challenge from the identity provider. Thus, the key never leaves the device. This passwordless approach, the highest assurance level attainable without a password, was more secure while simultaneously providing a better user experience.
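The FIDO2 exchange described above, as an added example that is not part of Karsun's reference implementation or of Keycloak: a Go sketch in which the device signs the identity provider's challenge with a key that never leaves it, and the server verifies using only the registered public key, rejecting replays, signatures over stale challenges, and assertions made for a different relying party. Assumptions: the relying-party ID `login.example.gov` and the user `alice` are constructed values, and SHA-256 of the raw challenge stands in for the hash of WebAuthn's clientDataJSON.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the device: the private key is created here and never
// exported; NewAuthenticator hands out only the public key, for registration.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &priv.PublicKey, nil
}

// Sign produces a WebAuthn-style assertion: the signature covers authenticatorData
// (rpIdHash || flags) plus the hash of the client data carrying the server's
// challenge, so each signature is bound to one relying party and one login.
func (a *Authenticator) Sign(rpID string, challenge []byte) (authData, sig []byte, err error) {
	rpHash := sha256.Sum256([]byte(rpID))
	// flags 0x05: user present (bit 0) and user verified (bit 2): PIN or biometric passed.
	authData = append(rpHash[:], 0x05)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, assertionDigest(authData, challenge))
	return authData, sig, err
}

// assertionDigest is computed identically by both sides; SHA-256(challenge)
// stands in for SHA-256(clientDataJSON) of real WebAuthn (constructed simplification).
func assertionDigest(authData, challenge []byte) []byte {
	clientHash := sha256.Sum256(challenge)
	h := sha256.New()
	h.Write(authData)
	h.Write(clientHash[:])
	return h.Sum(nil)
}

// IdentityProvider models the server: it stores only public keys, issues a
// fresh random challenge per login attempt and consumes it on first use.
type IdentityProvider struct {
	rpID       string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewIdentityProvider(rpID string) *IdentityProvider {
	return &IdentityProvider{rpID, map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
}
func (idp *IdentityProvider) Register(user string, pub *ecdsa.PublicKey) { idp.pubKeys[user] = pub }
func (idp *IdentityProvider) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	idp.challenges[user] = c
	return c, nil
}

func (idp *IdentityProvider) Verify(user string, authData, sig []byte) error {
	pub, challenge := idp.pubKeys[user], idp.challenges[user]
	delete(idp.challenges, user) // single use, whatever the outcome below
	rpHash := sha256.Sum256([]byte(idp.rpID))
	switch {
	case pub == nil || challenge == nil:
		return errors.New("unknown user or no outstanding challenge (replayed assertion?)")
	case len(authData) != 33 || string(authData[:32]) != string(rpHash[:]):
		return errors.New("assertion was made for a different relying party")
	case authData[32]&0x04 == 0:
		return errors.New("user verification (PIN or biometric) flag not set")
	case !ecdsa.VerifyASN1(pub, assertionDigest(authData, challenge), sig):
		return errors.New("signature does not verify under the registered key")
	}
	return nil
}
```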
Additionally, by using Keycloak to build our own identity reference framework library, we addressed a common concern with implementing open source tools. Using a template library created a clear separation between Keycloak and our ability to update the plug-in. We designed the library to keep the templates up to date and maintain the application’s security rather than relying on Keycloak itself.
Accelerating Identity and Access Management Adoption
Like many Karsun toolkit components, these identity reference framework resources are available to our team members through our InnerSource library. Evolving from an Innovation Center research and development project to a validated implementation, it can now be used as one of our readymade toolkits. All Karsun teams now have access to these vital resources, ensuring that our teams can accelerate the implementation of emerging identity and ICAM standards in your agency’s modernization efforts.
Content from this post initially appeared from Pavan Kurkal as part of Karsun’s Monthly Innovation Town Hall series. These events present innovative solutions from our delivery teams across Karsun. Pavan is an engineer with the Karsun Innovation Center specializing in identity and access management.
Spurred by the mounting cyber threats targeting the country, the White House issued an Executive Order mandating agencies enhance and strengthen our nation’s cybersecurity. Hence, government agencies must continuously strengthen their cybersecurity postures when modernizing. Part of that process is the implementation of Zero Trust Architecture (ZTA). As a recent analysis in Nextgov suggests, ZTA structured around a service mesh provides a novel and efficient approach to rapidly implementing cybersecurity in legacy applications. Karsun is at the forefront of delivering these service mesh based solutions.
Zero Trust Architecture
ZTA is a cybersecurity strategy that secures an organization by eliminating implicit trust and continuously validating every stage of digital interaction, verifying the people and devices accessing applications, data, and systems.
Based on our extensive experience in modernization, we strongly recommend that any modernization efforts adopt a zero-trust architecture. At the same time, ZTA can be challenging to implement when compounded by the presence of legacy systems and applications that aren’t made for a distributed, cloud-based environment.
An effective way to manage and solve that problem is using a service mesh. A service mesh offers a dedicated domain-agnostic infrastructure layer (abstraction) that you can add to your services for capabilities like observability, traffic management, and security without adding them to your code. While most commonly used for cloud-native capabilities, such as microservices and containers, a service mesh can be the most efficient way to bring legacy systems into the ZTA fold.
Karsun’s Service Mesh Pilot
Our Innovation Center pilots and validates innovative approaches to enterprise modernization through several pathways, including Innovation Weeks, codeathons and delivery-guided pilot programs. In one such pilot program, we introduced a service mesh in a legacy application system. While common for containerized systems, our implementation went one step further, examining the opportunity for ZTA modernization in a non-containerized legacy application. We found a service mesh based approach provides a compelling alternative to lift and shift methods.
Most service mesh solutions are designed to be used in a Kubernetes environment. In our proof of concept, using HashiCorp Consul, we built a service mesh for a non-containerized legacy app. Using a service mesh allowed us to adapt the legacy application to meet the identity management requirements of a zero trust environment.
A core ZTA tenet requires us to verify the identity of resources accessing the system. Adding HashiCorp Vault allowed us to integrate with Google OAuth2 for identity and access management. Users and applications are authenticated before their requests reach servers or containers.
When implementing ZTA, you also should provide the lowest level of privileges possible. In our implementation, the services always start with no trust and no allowed routes. We configured all traffic via policies to ensure only authorized sources get access to the services. We also secured service-to-service communications while controlling outbound communication. With our service mesh, we found we could secure communications between Windows Server-hosted applications and Linux-based containers operating on Kubernetes through AWS EKS or AWS Elastic Container Service.
Combining these two tenets ensures a bad actor using compromised credentials does not have the attack surface necessary for great damage to the system. A service mesh like that implemented by our pilot team supports the identity and access management necessary for a true ZTA environment. Moreover, it can be used in both containerized and non-containerized environments. It is a powerful option for agencies looking to build ZTA for greenfield development and legacy application modernization.
Our Zero Trust Architecture Service Mesh is a product of the Karsun Innovation Center (KIC). Want to learn more? Check out the new Getting Legacy Systems Up to Speed With Modern Security report from GovLoop.
Karsun Solutions concluded 2019 celebrating its ten-year anniversary. In addition to early enterprise modernization leadership, it cemented a decade-long commitment to innovation through the Karsun Innovation Center (KIC). By combining industry leadership with ingenuity, Karsun won multiple $100+ million prime contracts with IT modernization work at agencies including DHS, FAA, and GSA.
Today, the Innovation Center leads teams in researching emerging technologies, forming industry relationships, and developing customer prototypes. Karsun wraps up 2019 celebrating the innovative spirit driving these first ten years. From automation to zombie code the Innovation Center and Karsun leadership teams are IT leaders, lending expert counsel and educating the community on best practices in emerging technology.
Karsun Solutions Chief Operating Officer Terry Miller kicked off 2019 as the Industry Chair for the American Council for Technology and Industry Advisory Council’s (ACT-IAC) Partners Program. One of three professional development programs offered by ACT-IAC, the Partners Program pairs senior industry and government leaders together for a series of in-depth sessions throughout the year. This year’s program concluded with a series of panel presentations at the organization’s annual Imagine Nation ELC conference. In addition to the Partners Program, Senior Director of Business Development Juan Robles is an Industry Vice Chair for the Voyagers Program. Participants graduating from both the programs become ACT-IAC Fellows. In total two Karsun leaders became Fellows in 2019, Sudhir Duggineni and Shaunak Ashtaputre. Satish Alluri was selected for the 2020 Voyagers class. The addition of Satish will bring Karsun’s total number of ACT-IAC Fellows to ten.
AI/ML and RPA
In addition to ACT-IAC fellowships, Karsun experts also join the organization’s working groups. Manish Bhatia from Karsun’s Cloud Solutions practice is a member of both ACT-IAC’s Intelligent Automation Working Group and Igniting Innovation Selection Committee. This fall the working group released its Robotic Process Automation (RPA) playbook. The playbook is designed for government organizations considering RPA pilots or accelerated development.
Business Leadership at Scale
The Washington Business Journal honored Karsun Solutions CEO Sundar Vaidyanathan as a member of its 2019 Minority Business Leader Award class. Honorees are among the region’s top 25 minority business leaders. That spring he also joined the TiE DC panel on Scaling and Growth. With Sundar and Co-Founder Kartik Mecheri at the helm, Karsun’s leadership expanded, including the addition of industry veteran Ben Marglin as the new VP of Client Services, and Karsun received a series of awards for growth and innovation in 2019.
CMMI Level 5 DEV
In February 2019, Karsun Solutions announced its software development unit was appraised at CMMI Level 5 DEV. At this level, an organization continually improves its processes based on a quantitative understanding of its business objectives and performance needs. At the time of the appraisal, fewer than 50 organizations in the United States were rated CMMI Level 5 DEV.
The General Services Administration (GSA) announced in November 2019 Karsun Solutions was one of twelve vendors selected for a spot on the CIO Modernization and Enterprise Transformation (COMET) BPA. The vehicle is intended to create a multiple award BPA on GSA’s IT 70 Schedule. It is the successor to 2014’s CAMEO contract. Karsun’s GSA DMS program also celebrated its first anniversary this year.
DevOps Innovation Practice
The KIC spun off its new DevOps practice led by Samir Bham. It is the second of several practice areas launching from the Innovation Center. An employee-focused research and development unit, it enables the adoption of DevSecOps practices. This practice, along with the Data Practice launched in 2018, hosts weekly Work from KIC workshops held in the new Herndon Headquarters.
Karsun Solutions invested in employee development early in 2019. The firm took the opportunity to train the more than 150 team members impacted by the partial government shutdown. These team members returned to work in February with new skillsets in microservices, domain driven design, web application security and cloud solutions.
FEMA Grants Management Modernization
This year Karsun began work on the FEMA Grants Management Modernization (GMM) program. The Department of Homeland Security (DHS) awarded Karsun Solutions the Agile development contract. The program will streamline grants management across the agency’s 40+ grant programs through a user-centered, business-driven approach. This five-year single award Blanket Purchase Agreement (BPA) with a ceiling value of $80 million was awarded under Full and Open Competition. It was Karsun’s first Full and Open contract win.
Karsun Solutions received its AWS Government Competency in 2019. This designation recognizes that Karsun Solutions has deep experience developing solutions for government customers delivering mission-critical workloads and applications on Amazon Web Services. Leading up to the competency announcement the cloud solutions and DevSecOps practices shared some of their favorite AWS case studies.
In September Karsun Solutions moved into its new 75,000 square foot headquarters in Herndon, Virginia. The new facility supports teams servicing Karsun’s DHS, FAA, and GSA portfolios. It is also home to the Karsun Innovation Center and training facilities.
Karsun Solutions Co-Founder and Chief Architect Kartik Mecheri appeared on Government Matters TV in April. On the program, he broke down NARA 2022 and the future of records digitization. Tune in to learn more about Karsun’s modernization approach.
SEC One IT
In March, Karsun Solutions announced the Securities and Exchange Commission awarded KHS Solutions, LLC a spot on the SEC One IT contract. SEC One IT is an indefinite delivery-indefinite quantity (IDIQ) contract with a ceiling value of $2.5 billion. KHS Solutions, LLC is an SBA approved 8(a) Mentor Protégé Joint Venture between Karsun Solutions (Mentor) and Mindcubed (Protégé).
Automation Test Lead Aditi Mulay spoke at several industry events throughout 2019, including Agile Testing Days and SeleniumConf London. Fellow automation test lead Ricardo Mediavilla joined her for Agile 2019. A trainer and mentor to QA teams, Aditi speaks on Object Oriented Programming approaches to automation frameworks. She advocates for automating in the right manner and ensuring tests are reusable and maintainable.
In October Karsun Solutions as part of its mentor-protégé JV KHS Solutions shared “Zombie Code,” a look at the importance of dead code analysis. This practice is already part of Karsun’s development methodology. It is also one of many ways the Innovation Center proactively prototypes solutions to common modernization problems while building a roadmap for adoption among Karsun’s delivery teams. The Zombie Code video was a special Halloween release on LinkedIn. Follow Karsun there for the latest on enterprise modernization, corporate growth and award wins.
George Mason University students partnered with the Karsun Innovation Center to develop a rapid prototyping tool for microservices. Joseph Oliver, Artin Malekian and Habib Khalid worked directly with the innovation team on the rapid scaffolding tool. The seniors completed the work as part of their Industry-Sponsored Senior Design Project. Now in its second year, the senior capstone project integrates students’ computer science coursework with hands-on work with their capstone sponsor. The course is a unique opportunity to connect students of the Virginia-based university with the local IT industry. Including Karsun Solutions, eight companies sponsored the work of 28 students as part of the project.
The rapid scaffolding tool developed by the students aids in rapid prototyping for both monolith and microservices applications. Rapid prototyping is of utmost importance to enable human-centered design of software-intensive systems. As organizations build Lean teams, they seek opportunities to build minimum viable products (MVPs) faster with reduced initial cost. Quick set-up, using a rapid prototyping tool, gives teams this power. Karsun is an IT modernization firm specializing in modern software development, cloud solutions and advanced analytics, and this project supports teams across Karsun.
JHipster (https://www.jhipster.tech/) lets development teams generate application code for a variety of frameworks and languages. With this project, the intention was to extend JHipster to include support for additional languages and frameworks, so that the development teams get additional choices for building faster prototypes including polyglot microservices. In particular, the team focused their efforts on enhancing GoLang support for backend services.
The project was mentored by Badri Sriraman and Shanmuga Palanivelu. Badri is Vice President, Karsun Innovation Center (KIC) and the Chief Innovator at GoLean.io. He is an accomplished Senior IT Architect, with over 22 years in developing solutions to modernize enterprise IT systems. Shanmuga has over 14 years of experience in software development doing software design, architecture and full-stack development. He is currently focused on both developing and deploying microservices at scale and implementing DevOps at scale.
Microservices innovation is one of several areas researched within our Karsun Innovation Center. This research and development unit consists of several prototyping teams and Centers of Excellence. These teams also act as subject matter experts, form vendor partnerships, arrange training and host a yearly internship. The innovation center is part of Karsun’s larger mentorship framework which includes industry associations, academic outreach and the Karsun Academy professional development program. We connect with both students and academics through hackathons, talks, and career fairs. The innovation center is still accepting Developer and DevOps interns into their summer program.