Modernizing government IT requires adherence to specific and rigorous public sector cybersecurity standards.
While the private sector is rapidly adopting cloud technologies to modernize their systems and meet the demands of today’s customers, the public sector is still catching up. Though government agencies and organizations face the same digital transformation demands as the private sector, they have additional security concerns surrounding classified data that can slow cloud adoption.
To combat these concerns, the U.S. government created FedRAMP (Federal Risk and Authorization Management Program), a program that has developed a rigorous set of standards for cloud security and risk assessment. By providing a standardized approach to cloud security, the FedRAMP Program Management Office hopes to encourage and accelerate the adoption of secure cloud services across the government IT sector. The first set of FedRAMP standards was released in 2011, with the program adding requirements for the highest sensitivity level in 2016.
How Salesforce Built a FedRAMP-Compliant Solution
Salesforce built Government Cloud Plus, a FedRAMP-compliant instance of its industry-leading cloud infrastructure.
Companies need to be mindful of FedRAMP standards when providing SaaS/PaaS solutions to public sector partners. For example, Salesforce was able to receive FedRAMP's High Authority to Operate designation when it launched Government Cloud Plus, a multi-tenant cloud infrastructure specifically isolated for government usage at the federal, state, and local levels. It was also granted Impact Level 2 Provisional Authorization from the Department of Defense.
Receiving such authorizations from the appropriate government entities ensures that your data and infrastructure are secure and helps to increase trust in your services, leading to a wider customer base and greater success for your products.
So what did Salesforce do to comply with FedRAMP? And how can you ensure FedRAMP compliance for your own business?
The company built its platform on Amazon Web Services GovCloud — an AWS product built specifically for public sector partners (e.g. U.S. government agencies, educational institutions, contractors, and other U.S. customers) to run sensitive workloads in the cloud. Salesforce also assists continuous monitoring efforts administered by the FedRAMP Joint Authorization Board.
In their adoption of AWS GovCloud, Salesforce took a security-first approach. When your technologies have compliance built directly into their platforms, you’re enabled to move faster while staying secure. But what happens when you need to expand that security not only from your user-facing applications, but also through the development lifecycle? That’s where DevSecOps comes in.
How DevSecOps Can Help Your Company Achieve Tighter Security
DevSecOps — short for development, security, and operations — refers to the integration of security into the software development and IT operations processes.
Traditionally, security operations have been distinct and separate from other stages of the software development life cycle (SDLC). Programmers would write code and infrastructure teams would deploy the code to production environments without much consideration to security. After this, security engineers would go in and assess the code and environments for vulnerabilities.
The DevSecOps philosophy centers on introducing security early on in the SDLC instead of saving it for the very end.
There are two major principles that support a robust DevSecOps culture:
- The development team participates in security testing. Moreover, there is an emphasis on developing secure code to begin with.
- Any security issues discovered by developers are managed and resolved by the developers themselves.
In short, DevSecOps encourages software engineers and developers to take responsibility for secure code and vulnerability detection from the very start of the development life cycle.
Common DevSecOps best practices include, but are not limited to:
- Secure coding — As mentioned above, it is critical to build software that adheres to standards that ensure it isn't prone to vulnerabilities in the first place.
- Automated security testing — Security checks need to match the pace of code delivery, especially in a fast-moving CI/CD environment. Static Application Security Testing (SAST) tools are used to continually scan code and identify security issues early on.
- Shift Left — "Shift Left" testing refers to the concept of moving tasks "to the left" — i.e. testing as early as possible in the SDLC.
- Host hardening — Host hardening is the practice of restricting access to vulnerable hosts by way of implementing firewalls, requiring authentication, limiting network access to a system, or ensuring that services are only available to certain users at certain times.
It's important to remember that DevSecOps does not refer to a particular tool, technology or platform — instead, it is a mindset, culture, and general set of practices that prioritize security at every single stage of the SDLC.
DevSecOps for Salesforce Development
The right tools can take your DevSecOps processes to the next level.
The right tools can make or break your business's DevSecOps processes. If you're a government agency, platforms like Copado Compliance Hub can help you monitor and enforce compliance rules when you make any metadata changes in your Git branches or environments. Copado is the #1 Native DevOps solutions for Salesforce, and Copado GovCloud and Compliance Hub were built specifically to support DevSecOps and extend Salesforce security across every development environment.
With growing customer service demands from constituents and increased pressures from COVID-19, digital transformation is more important than ever for the public sector. But agencies cannot overlook compliance in order to speed up their transformation. That’s where tools like Copado come in. When you use Compliance Hub, you can enforce specific policies and ensure that all metadata changes adhere to your compliance policies. For example, say you want certain objects on a profile to be selectively visible. To achieve this, you can define a rule that only allows authorized profiles to view those objects. Once the rule is defined, it will be enforced across every scratch org, sandbox and production environment.
In the spirit of DevSecOps and Shift Left principles, it's best to identify non-compliant code and metadata changes before they are deployed to higher environments. Failing to do so can lead to frustration down the line and having to do the extra legwork to revert those changes.
With Copado Compliance Hub, you can run compliance scans in a number of different places across your development environment, including user stories, Git snapshots, org credentials, and deployments. You can also take advantage of Copado webhooks to run scans from a particular deployment step, user story task, process builder, or scheduled job.
Maintain Compliance Without Compromising Delivery
A combination of the right mindset, tools, and methodologies can fortify your DevSecOps processes and help your company ensure data security and compliance with FedRAMP regulations — all while accelerating your delivery speed and helping you take your digital customer experiences to the next level. By maintaining compliance, Salesforce and Copado help accelerate the public sector’s journey to digital transformation and modern, robust IT infrastructure.
Want to learn more about how government agencies benefit from DevSecOps? Watch this webinar to learn how the Department of Veterans Affairs leveraged Copado to accelerate Salesforce deployments while maintaining federal compliance standards.