Leveraging improved efficiency and reduced costs while ensuring availability, cloud native development is a must for complex enterprise modernization projects. Modern cloud native architectures involve applications developed and deployed through cloud service providers such as AWS. These use services like AWS VPC, EC2, S3, Kinesis, DynamoDB, RDS, and others.

While utilizing cloud native architecture can provide impressive operational improvements, maintaining security and compliance standards using manual processes can quickly limit those outcomes. This is a common concern for our agency customers. Applications deployed in federal agencies obtain Authorization to Operate, an ATO. 

Getting an ATO involves categorizing the information system, then selecting, implementing, and assessing the controls. Risks are identified based on this assessment, and final authorization is provided to operate the system. In most cases, this process relies on manual tasks, like copying security control documentation into a Governance, Risk, and Compliance (GRC) document, then manually updating this documentation on a regular basis. Because continuous deployment of new workloads and features is a necessity in an agile environment, manual processes and a massive documentation effort add significant delays to the authorization process.

AWS DevOps and OSCAL Compliance for cATO and Zero Trust

One solution is the Open Security Controls Assessment Language (OSCAL). OSCAL is a set of formats, expressed in XML, JSON, and YAML, developed by NIST. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. GovReady-q is an open source GRC platform for highly automated, user-friendly, self-service compliance assessments and documentation, and it supports OSCAL. AWS is the first cloud service provider to provide an OSCAL-formatted system security plan (SSP). Integrating a GRC tool like GovReady-q into the DevSecOps toolchain and using OSCAL to document all the controls automates most aspects of the ATO process, enables continuous ATO (cATO), and alleviates the documentation burden and most of the manual processes associated with it.
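As an added illustration of what machine-readable control documentation makes possible (example code written here, not code from Karsun, NIST, AWS or GovReady-q), the Python below compares the control list of a baseline profile with the implemented requirements in an SSP and reports the controls that still lack an implementation statement. Both documents are constructed, minimal fragments; the field names follow the OSCAL JSON layout as assumed here, and the UUIDs, URL and descriptions are placeholders.

```python
import json

# Constructed OSCAL profile fragment: the baseline selects four controls from a catalog.
BASELINE_PROFILE = json.dumps({
    "profile": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "imports": [{
            "href": "https://catalog.example.invalid/nist-800-53.json",  # placeholder
            "include-controls": [{"with-ids": ["ac-2", "ac-3", "au-2", "sc-7"]}],
        }],
    }
})

# Constructed OSCAL SSP fragment: ac-3 is absent and sc-7 has an empty statement.
SYSTEM_SSP = json.dumps({
    "system-security-plan": {
        "uuid": "00000000-0000-4000-8000-000000000002",
        "import-profile": {"href": "#baseline-profile"},
        "control-implementation": {
            "implemented-requirements": [
                {"uuid": "00000000-0000-4000-8000-0000000000a1", "control-id": "ac-2",
                 "description": "Accounts are provisioned through the CI/CD pipeline."},
                {"uuid": "00000000-0000-4000-8000-0000000000a2", "control-id": "au-2",
                 "description": "Audit events are defined per service and centrally logged."},
                {"uuid": "00000000-0000-4000-8000-0000000000a3", "control-id": "sc-7",
                 "description": ""},
            ]
        },
    }
})


def baseline_controls(profile_json: str) -> set:
    """Collect every control id the profile's imports explicitly include."""
    profile = json.loads(profile_json)["profile"]
    ids = set()
    for imp in profile.get("imports", []):
        for inc in imp.get("include-controls", []):
            ids.update(inc.get("with-ids", []))
    return ids


def implemented_controls(ssp_json: str) -> set:
    """Control ids in the SSP that carry a non-empty implementation description."""
    ssp = json.loads(ssp_json)["system-security-plan"]
    reqs = ssp.get("control-implementation", {}).get("implemented-requirements", [])
    return {r["control-id"] for r in reqs if r.get("description", "").strip()}


def coverage_gaps(profile_json: str, ssp_json: str) -> list:
    """Baseline controls with no documented implementation, sorted for reporting."""
    return sorted(baseline_controls(profile_json) - implemented_controls(ssp_json))
```

Run in a pipeline stage, a non-empty result from `coverage_gaps` is the signal that the authorization package is incomplete before any human reviewer looks at it.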

Enabling DevOps with Karsun Solutions 

At Karsun, we promote the adoption of OSCAL for the documentation of security controls and use automated GRC tools like GovReady-q. When applications deploy on AWS, we can leverage OSCAL documentation created by AWS. This enables faster, more accurate authorization packages, decreases customers’ security documentation burden and reduces service authorization timelines.

Working with an experienced cloud solutions partner such as Karsun ensures you do not need to trade security for efficiency. In particular, we are an AWS Advanced Consulting Partner with both a Government Services Competency and a Migration Services Competency. Partner with our experts, modernize with cloud native architecture, and optimize both operations and security.

About the Author

Judewin Gabriel is a Subject Matter Expert and the DevSecOps Practice Lead at Karsun Solutions. An advocate for DevSecOps best practices, he drives CI/CD, security engineering, SRE, pipelines, and observability excellence.

Every summer we embed interns in our Karsun Innovation Center (KIC) to work alongside our technology experts, prototyping solutions to support our customers. Sanjana M Moodbagil’s internship projects ranged from no-code/low-code apps built using Google AppSheet to synthetic data and exploratory data analysis (EDA). In the interview below, she describes how her work improved career development resources, drove insights and contributed to the machine learning (ML) pipeline.

First please tell us about yourself. Where are you going to school? What are you studying? What do you like to do in your free time?

Hi, my name is Sanjana M Moodbagil. I’m a graduate student at the University of Southern California, Los Angeles, majoring in Computer Science. In my free time, I like to play basketball, badminton or go swimming. I also like to experience new things. Since coming to the US, I’ve gone surfing, paddle boarding, ballroom dancing, skiing, a few hikes, etc.

Could you share a little bit about the project you worked on as part of this internship? What challenges does it solve? What technologies and tools are you using?

Initially, I worked on creating a career path app using AppSheets for KIC Konnect. The purpose of this app is to keep track of career paths and transitions at Karsun.

For most of my internship, I worked on a Data Synthesizer project. I worked with a team to create a web application that generates fake data which is an accurate and scalable replacement for real-world records. The purpose of this is to generate PII anonymized synthesized data for AI/ML use cases. I mostly worked on the backend part of the project using Python, MySQL, Synthetic Data Vault (SDV) library, seaborn and matplotlib. I worked on data collection and preprocessing, created synthetic data models for time series data, automated the generation of metadata for relational databases required for modeling and performed Exploratory Data Analysis to understand and compare the structural and statistical properties of original and fake data. I worked with AWS services like AWS S3 bucket and AWS CLI to test the backend.

Towards the end of the internship, I worked on creating dashboards for the IT department on Google Data Studio. I gained experience working on API integration of Google Admin and EZOfficeInventory with App Scripts.

What is your favorite part about working with the Karsun Innovation Center? Is there a weekly meeting or ritual you enjoy? The opportunity to learn more or get a new certification?

I enjoyed the biweekly ‘show, don’t tell’ meetings where I learned about other ongoing projects at KIC. I was introduced to new ideas and tools. I was given the opportunity to work on a project in my area of interest. Working on the project with a small team allowed me to contribute to the entire ML pipeline. Despite working with people who were highly experienced, I was able to put forth my opinion with ease and I was always heard. Apart from the project, I was given access to many resources on the AWS Partner Network to learn and to get certifications.

What is the biggest takeaway from your experience as an intern at Karsun?

My biggest takeaway from my experience is to be motivated, bold, and have ambition. This pushes you to think creatively, ask more questions, speak up about your ideas, take initiative and be authentic. There was so much research that had to be done initially; I had to define and discuss my own findings, explore alternate approaches and sets of requirements based on analysis and results that align with end goals.

Sanjana was advised by Judewin Gabriel, Practice Advocate for the Karsun Innovation Center DevSecOps Practice.