sponsor content What's this?
Modernized Apps Need Secure Support
Presented by Rancher Government Solutions
Software supply chain protections can help defend agency systems.
The intersection of cybersecurity and modernized software development can be a potentially dangerous place for government agencies as they move to cloud-native applications. As they make the shift, software supply chain protections can help defend agency systems.
In the last decade, government agencies have been turning to virtual machines, cloud computing and containerization to help speed app deployment and make operations more effective and efficient. Even though containerization — in which everything required to run an app is placed in a virtual container so it can be readily used across enterprises — provides security, that security can be short-circuited if the software running it has been compromised.
Supply Chain Battleground
The 2020 SolarWinds hack, in which attackers tapped into trusted software updates to infect tens of thousands of machines, showcased just how shadowy a path software can forge into federal agency’s IT operations.
Supply chain security is a priority for the federal government. It has pushed new initiatives and regulations to help guard against future incidents, through White House executive orders and the Cybersecurity and Infrastructure Agency (CISA).
“There have already been a number of supply chain attacks on federal agencies,” said Adam Toy, chief architect at Rancher Government Solutions (RGS), which provides secure and certified open source and cloud-native software for federal agencies adopting DevSecOps for their IT environments. “Those attacks will continue to grow in number and complexity.”
Secure Kubernetes Is Key to Modernized Apps
According to Toy, Kubernetes has become the de-facto solution to manage containerized applications at scale for agencies’ increasingly cloud-native, agnostic applications environment. It is an open source system for automating deployment, scaling and management of containerized applications.
“Given that software is critical to daily operations, the need to balance security with innovation is essential,” said Lynne Chamberlain, president and CEO of Rancher Government Solutions. “This is why our team developed Rancher Government Carbide: to simplify Kubernetes management by providing a more standardized way for users to verify and validate software and support federal security compliance requirements.”
Carbide Solution Securely Manages Kubernetes
According to Toy, Rancher Government Carbide’s supply chain security solution streamlines Kubernetes security management by providing a simpler, more standardized way for users to verify and validate the security of their software.
Carbide verifies software supply chain provenance back to a trusted entity using a centralized secure container registry for end users, validated by a secured signing key. Additionally, Carbide’s pipeline uses tools for vulnerability scanning and generating software bills of materials (SBOMs). SBOMs were mandated by the White House in a 2021 executive order to help track down supply chain vulnerabilities. The solution also supports the first and only Kubernetes management platform and distribution with Security Technical Implementation Guides (STIGs) validated and published by the Defense Information Systems Agency (DISA), which provide a more secure operating environment.
The solution also contains a tool called Stigatron to validate that downstream clusters are secure. The tool automatically scans downstream clusters from the centralized Rancher Manager and compares them to the STIG cluster, alleviating obstacles in the validation process, enabling automated compliance with the security standards of the federal government.
Carbide is an add-on support service to the existing Rancher products suite, designed to assist supported customers in their bid to overcome the security challenges associated with application modernization, containers and Kubernetes. It’s included at no extra cost to current customers.
“By offering things like secured artifacts and automation around securing infrastructure, we see Carbide becoming one of those key components for agency leadership, from the agency CIO to the agency director, used to ensure their environments and the data within them is secure,” said Brandon Gulla, vice president and CTO of RGS. Implementing the solution should be part of a “defense in-depth” approach to cybersecurity, he said.
The importance of protecting modernized applications is as critical as the applications themselves. Ultimately, without a secure supply chain for the software that runs them, the modernization applications make possible won’t be easily realized.
This content is made possible by our sponsor. The editorial staff was not involved in its preparation.
NEXT STORY: App Modernization Critical to IT Modernization