Delivering Secure Healthcare Applications with OSS
Robert Wood - CMS
Gedd Johnson - Defense Unicorns

What is Centers for Medicare & Medicaid?
CMS's mission is to serve Medicare & Medicaid beneficiaries.
We provide Medicare and Medicaid benefits to 133 million people nationwide.
Primary recipients are over 62 years old, or those with low/no income, and are most at risk.
The CMS vision is to become the most energized, efficient, customer-friendly agency in the government.
CMS will strengthen the health care services & information available to Medicare & Medicaid beneficiaries & the health care providers who serve them.

Challenges
- Security, Governance, Risk, and Compliance have become large resource drains on the software development cycle.
- Cloud technology and cloud-native applications are numerous and difficult to stay up to date on.
- Waterfall and water-scrum-fall software development processes used in the government are still slow.
- Greater than 6,500 contracted engineers support our systems, in comparison to 46 ISPG staff and 423 OIT staff members that manage the services delivery.
- Due to this, there is a lack of integrations and automation, with numerous data silos that make managing and keeping CMS secure difficult.

Solution
The batCAVE aims to be CMS's DevSecOps platform as a service (PaaS) that accelerates the time to value for mission owners by automating away a significant portion of the security, infrastructure, and project startup workloads.

Our Goals
- Reduce the time spent on CMS's ATO and SIA processes.
- Reduce the security and infrastructure burden on teams, allowing them to focus on the software.
- Ensure true continuous monitoring and security compliance, all while providing continuous updates of the software.
- Reduce the cost of end-to-end application development, from idea to deployment, at CMS.
- Provide the ability to capture user feedback in a timely manner in order to improve and add features.
- Reduce the cost of hosting apps on CMS cloud by enabling dynamic scaling of apps through the power of Kubernetes.
- Provide a simple onboarding process for ADOs that want DevSecOps and don't want to manage their infrastructure and associated security burden.
- Allow continuous delivery.
- Get value to the American people faster.

The Flywheel
[Diagram slide]

Built On Open Source
- batCAVE is built exclusively on open-source software and partnerships in the open-source community.
- Accelerated development by leveraging Big Bang by Platform One.
- "Contribute-First" culture.
- Secure, declarative baseline configuration for a K8s-based platform.
- "Marketplace" of secure, cloud-native apps and services.
- Provides OSCAL control mappings to NIST 800-53.
- Open source!
[Diagram: Big Bang Upstream / Application / Big Bang / batCAVE / Platform GitOps / AWS EKS]

Utility Belt
Deployed in all batCAVE environments for security control inheritance:
- Admissions controller
- Service mesh (Istio)
- Metrics monitoring
- Logging stack
- S3
- Visualization and dashboards
- Backup and disaster recovery
- Runtime security
- Application GitOps
- Distributed tracing
- Service mesh console and visibility

Delivery Models
Single-tenant PaaS
- Single ADO per cluster
- Fully managed by batCAVE team
Multi-tenant PaaS
- Multiple ADOs running on the same cluster
- Apps separated by namespace and node
- Fully managed by batCAVE team
ADO owned/operated
- ADO deploys and operates a batCAVE cluster
- Managed by ADO; batCAVE team provides code
Primary concerns
- Balancing developer freedom and platform opinionation
- Maximizing security control inheritance

Major Milestones
- Q4-22: Full & independent ATO
- Q4-22: Production-level multi-tenancy
- Q1-23: Enterprise services deployment (Secrets, ZT, GRC)
- Q2-23: Security data lake integration
- Q2-23: CMS Cloud automation
- Ongoing: Marketing & education; constant Cloud Product Owner collaboration; continuous user research and validation; onboarding of early adopters

Major Accomplishments
1. 80% control mapping of CMS's NIST 800-53 implementation
2. Codification of key strategic policy moves into the batCAVE (SBOM, zero trust, etc.) that shift past checkbox compliance work
3. Multiple layers of value proposition for different stakeholders (cost, speed, security, standardization)
4. Deployment of CMS's first purple team working full-time inside of the batCAVE from day 1

Success Story
Mohan Gowda, Sr. Computer Systems Architect, EPPE
EPPE highlighted the following benefits:
- Integration is better and the timeline to production is a lot shorter.
- Ability to focus on our application code requirements.
- batCAVE works with us closely to update our work integrations to better suit the pipeline and how we can benefit from our continuous standing and ATO that is part of the pipeline.
- The security aspect and compliance is key.
Features of batCAVE that exceeded your expectations:
- The pipeline and the utility belt that takes the pressure off the ADO.

Collaboration & Culture
Collaboration and boundary pushing
1. Anchored in human-centered design
   a. Open learning and engaging sessions internally and across agencies
   b. Design insights fed into the broader tech ecosystem at the agency (and HHS)
2. Open code, controls, process, and policy
   a. Open access internally
   b. Lead-in to a curated open source ecosystem of security, privacy, and compliance resources

Thank you!
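To make concrete what "OSCAL control mappings to NIST 800-53" and "security control inheritance" from the utility belt look like, here is an added, constructed OSCAL component definition (not the batCAVE project's own OSCAL content) for one utility-belt component, the Istio service mesh, declaring the SP 800-53 Rev 5 controls a tenant application inherits from it. The UUIDs, dates and control-statement wording are placeholders I wrote; the control IDs are real Rev 5 identifiers and the source URL points at NIST's published Rev 5 catalog.

```yaml
# Constructed example (not batCAVE's own OSCAL): one utility-belt component,
# the Istio service mesh, with the NIST SP 800-53 Rev 5 controls a tenant
# application inherits from the platform. All UUIDs below are placeholders.
component-definition:
  uuid: 00000000-0000-4000-8000-000000000001   # placeholder
  metadata:
    title: Platform utility belt - Istio service mesh (example)
    last-modified: "2023-01-01T00:00:00Z"      # placeholder date
    version: "0.1"
    oscal-version: 1.0.4
  components:
    - uuid: 00000000-0000-4000-8000-000000000002   # placeholder
      type: service
      title: Istio service mesh
      description: >-
        Service mesh deployed in every platform environment; provides
        mutual TLS between workloads, ingress/egress gateways and
        namespace-scoped authorization policies.
      control-implementations:
        - uuid: 00000000-0000-4000-8000-000000000003   # placeholder
          source: https://raw.githubusercontent.com/usnistgov/oscal-content/main/nist.gov/SP800-53/rev5/json/NIST_SP-800-53_rev5_catalog.json
          description: Controls satisfied by the mesh on behalf of tenant applications.
          implemented-requirements:
            - uuid: 00000000-0000-4000-8000-000000000004   # placeholder
              control-id: sc-8        # Transmission Confidentiality and Integrity
              description: >-
                A mesh-wide PeerAuthentication in STRICT mode enforces mutual
                TLS for all pod-to-pod traffic, protecting confidentiality
                and integrity of data in transit.
            - uuid: 00000000-0000-4000-8000-000000000005   # placeholder
              control-id: ac-4        # Information Flow Enforcement
              description: >-
                AuthorizationPolicy resources restrict which workloads may
                call which services; each tenant namespace starts from a
                default-deny policy that the tenant extends with allow rules.
            - uuid: 00000000-0000-4000-8000-000000000006   # placeholder
              control-id: sc-7        # Boundary Protection
              description: >-
                All external traffic enters through the Istio ingress
                gateway, which terminates TLS and is the only path from
                outside the cluster into tenant namespaces.
```

A tenant's system security plan can then reference this component definition instead of re-describing the mesh, which is how a platform turns shared tooling into inherited controls.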