Modernising government IT requires adherence to specific, rigorous public sector cybersecurity standards.
The private sector is rapidly adopting cloud technologies to modernise systems and meet the demands of today’s customers. However, the public sector is still catching up. Government agencies and organisations face the same digital transformation demands as the private sector. They also have additional security concerns surrounding classified data.
To address this, the U.S. government created FedRAMP (Federal Risk and Authorization Management Program): a rigorous set of standards for cloud security and risk assessment.
By standardising cloud security, FedRAMP encourages and accelerates the adoption of secure cloud services across the government IT sector. FedRAMP released its first standards in 2011, with added requirements for the highest sensitivity level in 2016.
How Salesforce Built a FedRAMP-Compliant Solution
Companies must be mindful of FedRAMP standards when providing SaaS/PaaS solutions to public sector partners. Salesforce received FedRAMP’s ‘High Authority to Operate’ designation when it launched Government Cloud Plus. This is a multi-tenant cloud infrastructure specifically isolated for government use at the federal, state, and local levels. It was also granted Impact Level 2 Provisional Authorization from the Department of Defense.
These authorizations ensure that data and infrastructure are secure. They help increase trust in services, leading to a wider customer base and greater success for products.
So, what did Salesforce do to comply with FedRAMP? And what are the FedRAMP compliance lessons?
Salesforce built its platform on Amazon Web Services GovCloud, an AWS product built specifically for public sector partners to run sensitive workloads in the cloud.
Salesforce also took a security-first approach. When technologies have compliance built directly into their platforms, enterprises move faster while staying secure.
But what happens when a business needs to expand that security from user-facing applications into the development lifecycle? That is where DevSecOps comes in.
How DevSecOps Can Help Achieve Tighter Security
DevSecOps — short for development, security, and operations — refers to the integration of security into the software development and IT operations processes.
Traditionally, security operations have been distinct and separate from other stages of the software development life cycle (SDLC). Programmers would write code and infrastructure teams would deploy it to production environments without much consideration for security. Only after this would security engineers assess the code and environments for vulnerabilities.
The DevSecOps philosophy centres on introducing security early in the SDLC instead of saving it for the very end.
Two major principles support a robust DevSecOps culture:
- The development team participates in security testing. There is an emphasis on developing secure code from the very beginning.
- Developers resolve security issues themselves.
In short, DevSecOps encourages software engineers and developers to take responsibility for secure code and vulnerability detection from the very start of the development life cycle.
This is seen in:
- Secure coding — Building software that adheres to standards ensures it’s not prone to vulnerabilities in the first place.
- Automated security testing — Security checks must match the pace of code delivery, especially in a fast-moving CI/CD environment. Static Application Security Testing (SAST) tools are used to continually scan code and identify security issues.
- Shift Left — This refers to the concept of moving tasks “to the left” — i.e. as early as possible in the SDLC.
- Host hardening — Host hardening is the practice of reducing a host's attack surface and restricting access to it using multiple technologies. This includes firewalls, authentication, limiting network access, or ensuring that services are only available to certain users at certain times.
DevSecOps does not refer to a particular tool, technology or platform. Instead, it is a mindset, culture, and general set of practices that prioritise security at every stage of the SDLC.
DevSecOps for Salesforce Development
Growing customer service demands from constituents and increased pressures from COVID-19 mean digital transformation is more important than ever for the public sector. But agencies cannot overlook compliance to speed up their transformation. That is where tools like Copado come in. They make it possible to enforce specific policies and ensure that all metadata changes adhere to compliance policies.
If you are a government agency, platforms like Copado Compliance Hub can help monitor and enforce compliance rules when changes are made to Git branches or environments.
For example, a business may want certain objects to be visible only to selected profiles. To achieve this, it can define a rule that allows only authorized profiles to view those objects. Once the rule is defined, it is enforced across every scratch org, sandbox, and production environment.
In the spirit of DevSecOps and Shift Left principles, it is best to identify non-compliant code and metadata changes before they are deployed to higher environments. Catching them later means reverting those changes, which causes frustration down the line.
This necessitates compliance scans in several different places across the development pipeline, including user stories, Git snapshots, org credentials, and deployments. Businesses can also take advantage of webhooks to run scans from a particular deployment step, user story task, process builder, or scheduled job.
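The following is an added example of the profile-visibility rule described above, run as a shift-left check before promotion; it is not Copado Compliance Hub's own rule engine. It parses the Salesforce Metadata API Profile XML format, while the rule contents, profile names and objects (Case_Record__c, Benefit_Payment__c) are constructed sample data.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}  # Salesforce Metadata API namespace

# Constructed rule: a sensitive object may be readable only by these profiles.
RULE = {
    "Case_Record__c": {"Caseworker", "System Administrator"},
    "Benefit_Payment__c": {"System Administrator"},
}

def readable_objects(profile_xml: str) -> set:
    """Objects a Profile can read, via allowRead or the broader viewAllRecords."""
    root = ET.fromstring(profile_xml)
    granted = set()
    for perm in root.findall("sf:objectPermissions", NS):
        obj = perm.findtext("sf:object", default="", namespaces=NS)
        read = perm.findtext("sf:allowRead", default="false", namespaces=NS)
        view_all = perm.findtext("sf:viewAllRecords", default="false", namespaces=NS)
        if read == "true" or view_all == "true":
            granted.add(obj)
    return granted

def check_profiles(profiles: dict, rule: dict = RULE) -> list:
    """Scan {profile name: XML}; return (profile, object) pairs that break the rule."""
    violations = []
    for name, xml in profiles.items():
        for obj in readable_objects(xml) & set(rule):
            if name not in rule[obj]:
                violations.append((name, obj))
    return sorted(violations)

def deployment_gate(profiles: dict, rule: dict = RULE) -> bool:
    """True only when the change set is clean and may be promoted to a higher environment."""
    return not check_profiles(profiles, rule)

def make_profile(perms: dict) -> str:
    """Build a minimal Profile XML from {object: (allowRead, viewAllRecords)} (constructed data)."""
    body = "".join(
        f"<objectPermissions><allowRead>{str(r).lower()}</allowRead><object>{o}</object>"
        f"<viewAllRecords>{str(v).lower()}</viewAllRecords></objectPermissions>"
        for o, (r, v) in perms.items()
    )
    return f'<Profile xmlns="{NS["sf"]}">{body}</Profile>'

# Constructed sample: the portal profile gains "View All" on case records, which the rule forbids.
SAMPLE_PROFILES = {
    "Caseworker": make_profile({"Case_Record__c": (True, False), "Account": (True, False)}),
    "System Administrator": make_profile({"Case_Record__c": (True, True), "Benefit_Payment__c": (True, True)}),
    "Public Portal User": make_profile({"Case_Record__c": (False, True), "Account": (True, False)}),
}

if __name__ == "__main__":
    for profile, obj in check_profiles(SAMPLE_PROFILES):
        print(f"VIOLATION: profile '{profile}' may read '{obj}'")
    print("gate:", "PASS" if deployment_gate(SAMPLE_PROFILES) else "BLOCK")
```

The check treats viewAllRecords as a read grant, so a profile that flips only that flag is still caught before the change reaches a sandbox or production org.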
Maintain Compliance Without Compromising Delivery
A combination of the right mindset, tools, and methodologies can fortify DevSecOps processes and help a company ensure data security and compliance with FedRAMP regulations, all while accelerating delivery speed and helping businesses take digital customer experiences to the next level. By maintaining compliance, Salesforce and Copado help accelerate the public sector's journey to digital transformation and modern, robust IT infrastructure.
Copado is the leading DevOps platform enabling the world’s largest digital transformations on Salesforce. Copado accelerates Salesforce deployments, simplifies the release process, increases developer productivity and maximizes return on cloud investments. Copado DevOps 360™ includes Agile Planning, Continuous Delivery, Automated Testing and Compliance. Backed by Insight Venture Partners and Salesforce Ventures, more than 500 of the world’s largest digitally transformed companies run on Copado including Boston Scientific, Coca-Cola, Fair Trade, Linde, MassMutual, Schneider Electric and Shell. Copado processes over 50 million DevOps transactions per month and is rated with a 100% score on the Salesforce AppExchange.