Introducing DevOps to the US Government – Part 2

In the first post in this series, I talked about the challenges for the US Government sector when attempting to introduce DevOps. The sector lags behind others such as Financial Services on every measure, yet the technical obstacles like a disruption to workflows and a lack of appropriate skills are the same.

Beyond those hurdles, we looked at the issues that are particular to the Government sector like how hard it is to embrace a DevOps culture, coping with cybersecurity threats, and addressing data privacy concerns.

Fortunately, there has been a lot of work going on behind the scenes in the US Government, which presents opportunities to overcome them by:

  • Establishing a DevOps culture
  • Strengthening the cybersecurity framework
  • Introducing a data privacy framework

Establishing a DevOps culture

We discussed in the first post how it was more likely for the Government sector to have a bureaucratic culture which hinders DevOps, rather than a generative culture which encourages it.

That said, there is already a wide understanding across the US Government of DevOps and the associated Agile development practices which aim for smaller releases, more often. As far back as 2012, the US General Accountability Office (GAO) recommended agencies share their experience and knowledge of Agile in its report, Software Development: Effective Practices and Federal Challenges in Applying Agile Methods.

Guidance on what those methods are has also been elaborated on in many other publications like the Ten Commandments of Software, published by the Defense Innovation Board in April 2018. It does, indeed, have 10 commandments, the fourth of which is: Adopt a DevOps culture for software systems.

It should also be noted that even in organizations that may not yet have a generative culture across all of their operations, it can be created within the IT team. Different cultures can exist in different parts of the same organization, so one part can encourage a generative culture even when others are bureaucratic.

To achieve this, leaders need to build trust with their people, empower them with autonomy and rely on strong communication to ensure that everyone understands their role and the overall objectives. That way, silos can be removed and collaboration encouraged. Once DevOps is introduced, moreover, it will become the new norm and take its place in the bureaucratic rulebook.

Strengthening the cybersecurity framework

Since 2013, the National Institute of Standards and Technology (NIST) has been working behind the scenes with industry leaders on a framework to help both federal and private sector organizations better manage and reduce cybersecurity risk by establishing a set of standards, guidelines, and practices.

Federal CIOs will already be familiar with the Framework for Improving Critical Infrastructure Cybersecurity, which provides a common approach for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders. Designed to help identify and prioritize actions for reducing cybersecurity risk, it provides a tool for aligning policy, business, and technological approaches to managing that risk. This is based on five core security functions:

  • Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
  • Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
  • Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
  • Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore capabilities or services that were impaired due to a cybersecurity incident.

Under each of these functions are categories that go into further detail about areas like asset management and access controls, data security, and information protection processes and procedures.

Following the framework typically involves building a profile that describes how current cybersecurity efforts help to mitigate risk. This profile can then be used to identify where improvements need to be made in each core function.

Introducing a data privacy framework

The top priority in the Government sector is cybersecurity and this, in turn, leads to concerns about data security and putting sensitive data at risk. While federal agencies don’t need to comply with data privacy legislation like the California Consumer Privacy Act (CCPA), they do need to demonstrate a willingness and an ability to prioritize the protection of sensitive data. As far back as 2016, the National Science and Technology Council released its National Privacy Research Strategy, in which the introduction states:

“The vast increase in the quantity of personal information that is being collected and retained, combined with the increased ability to analyze it and combine it with other information, is creating valid concerns about privacy and about the ability of entities to manage these unprecedented volumes of data responsibly.”

Recognizing this, NIST published a Privacy Framework in January 2020 to help organizations take privacy into account as they design and deploy systems. Like the Cybersecurity Framework, it provides a route map for organizations to build a profile of their current privacy practices and highlight where and how they can be updated.

While the Cybersecurity Framework largely focuses on infrastructure and systems, the Privacy Framework is about risk to privacy and the steps that can be taken to protect it. The core functions of this framework are therefore similar but turn the spotlight onto how data is managed and processed:

  • Identify: Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
  • Govern: Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities.
  • Control: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
  • Communicate: Develop and implement appropriate activities to enable organizations to engage in a dialogue about how data is being processed and the associated privacy risks.
  • Protect: Develop and implement appropriate data processing safeguards.

The Privacy Framework follows the Cybersecurity Framework in having categories under each of these functions that concentrate on specific areas. The Identify function, for example, looks at areas like inventory and mapping, the Control function goes deeper into data processing procedures and de-identification techniques such as data masking, and the Protect function talks about practices like keeping development and test environments separate from the production environment.
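The de-identification the Control function calls for, and the dev/test separation the Protect function calls for, meet in one practical requirement: a masked copy of production must replace direct identifiers while still joining and behaving like the original, otherwise teams quietly go back to real data. The following added example (not Redgate's code and not part of the NIST framework) shows that property with keyed, deterministic pseudonymization over a constructed two-table dataset; the row values, the `MASKING_KEY` secret and the column names are all assumptions made for the illustration.

```python
"""Deterministic de-identification of a small relational dataset.

Added example: direct identifiers are replaced with keyed tokens, the
surrogate key is kept so the dependent table still joins, and two checks
confirm nothing identifying survived and the join structure is intact.
"""
import hashlib
import hmac

# Constructed sample rows standing in for two production tables with a
# foreign key (CASES.citizen_id -> CITIZENS.citizen_id).
CITIZENS = [
    {"citizen_id": 1, "full_name": "Jane Doe", "ssn": "123-45-6789",
     "email": "jane.doe@example.gov", "state": "VA"},
    {"citizen_id": 2, "full_name": "John Roe", "ssn": "987-65-4321",
     "email": "john.roe@example.gov", "state": "MD"},
]
CASES = [
    {"case_id": 100, "citizen_id": 1, "status": "open"},
    {"case_id": 101, "citizen_id": 2, "status": "closed"},
    {"case_id": 102, "citizen_id": 1, "status": "open"},
]

# Hypothetical per-refresh secret. It stays with the masking job, not with the
# masked copy, so tokens cannot be reversed from inside the dev/test environment.
MASKING_KEY = b"example-masking-key-not-for-production"

DIRECT_IDENTIFIERS = ("full_name", "ssn", "email")


def pseudonym(value, key, length=10):
    """Keyed, deterministic token: the same input always yields the same token
    under one key, so a value that appears in several tables still matches."""
    digest = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_citizen(row, key):
    """Replace direct identifiers; keep the surrogate key and low-risk columns."""
    ssn_tail = int(pseudonym(row["ssn"], key), 16) % 10000
    return {
        "citizen_id": row["citizen_id"],          # unchanged so CASES still join
        "full_name": "Person " + pseudonym(row["full_name"], key, 8),
        "ssn": f"000-00-{ssn_tail:04d}",          # shape preserved, value replaced
        "email": f"user-{pseudonym(row['email'], key, 8)}@masked.invalid",
        "state": row["state"],
    }


def mask_dataset(citizens, cases, key):
    """Mask the identifying table; the dependent table carries only keys."""
    return [mask_citizen(r, key) for r in citizens], [dict(c) for c in cases]


def leaked_values(original, masked, columns=DIRECT_IDENTIFIERS):
    """Any original identifier string that survives into the masked rows."""
    raw = {str(r[c]) for r in original for c in columns}
    present = {str(v) for r in masked for v in r.values()}
    return sorted(raw & present)


def join_integrity_ok(masked_citizens, masked_cases):
    """Every case must still resolve to exactly one masked citizen."""
    ids = [r["citizen_id"] for r in masked_citizens]
    return len(ids) == len(set(ids)) and all(c["citizen_id"] in ids for c in masked_cases)


def cases_per_citizen(citizens, cases):
    """Distribution a dev/test workload should see unchanged after masking."""
    return {r["citizen_id"]: sum(c["citizen_id"] == r["citizen_id"] for c in cases)
            for r in citizens}


if __name__ == "__main__":
    masked_citizens, masked_cases = mask_dataset(CITIZENS, CASES, MASKING_KEY)
    for row in masked_citizens:
        print(row)
    print("leaked identifiers:", leaked_values(CITIZENS, masked_citizens))
    print("joins intact:", join_integrity_ok(masked_citizens, masked_cases))
```

The two checks at the end are the ones worth automating in a refresh pipeline: `leaked_values` is the evidence for the Control function that identifiers did not cross into the lower environment, and `join_integrity_ok` plus `cases_per_citizen` show developers that the masked copy still exercises the same code paths as production. Changing `MASKING_KEY` between refreshes produces different tokens, which prevents linking rows across copies taken at different times.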

Once again, the key is to create a profile outlining how the current state of privacy activities compares to the desired state. Areas that need to be addressed will then be clear, as will the steps required to move forward.

How Redgate solutions can help

Redgate offers a full portfolio of solutions that already enable businesses, large organizations, Fortune 100 companies, and federal agencies to extend DevOps to the database in four key areas:

  • Standardizing team-based development
  • Automating database deployments
  • Monitoring performance and availability
  • Protecting and preserving data

In each of these areas, Redgate solutions can help federal agencies demonstrate that they are following the Cybersecurity and Privacy Frameworks.

In standardizing team-based development and automating deployments, for example, the audit logs provided by solutions like SQL Source Control and SQL Change Automation can help fulfil the requirements of the Respond and Recover functions in the Cybersecurity Framework.

Similarly, SQL Monitor helps spot anomalies and events by providing a baseline of expected data flows and offering a wide range of configurable alerts, meeting the Detect function of the same framework.

The Identify function of the Privacy Framework, meanwhile, is covered by SQL Data Catalog, which meets the inventory and mapping and risk assessment requirements by classifying data across your SQL Server estate.

And finally, Data Masker satisfies both the Control and Protect functions of the same framework by masking personal data, enabling disassociated data processing to take place, and separating development and testing environments from production environments.

Summary

The advantages of introducing DevOps to software and database development are now well known. Every sector has challenges when introducing it and, perhaps surprisingly, while the Government sector lags behind, the willingness to embrace it already exists, and the Cybersecurity and Data Privacy Frameworks provide a method of identifying which areas need to be focused on.

The key, as with any digital transformation initiative, is to start small, perhaps with one team or one project, demonstrate that it works, and build out from there.

If you missed the first post in this series, you can read it online.

If you’d like to find out more, you can also download our whitepaper, How DevOps will transform the US Government.