How to Maintain Security in a Fast-Paced DevOps Environment

July 13, 2020

Mehron Latifi
Federal Sales Representative, Goldfinger Holdings, Inc

The DevOps environment is always changing—and changing quickly. Whether an application is designed for general use or is mission critical to an agency, DevOps must be secure. And it’s not enough for the application to be secure; the entire development environment must be secure as well.

Government agencies must comply with security regulations and standards such as the Federal Information Security Modernization Act (FISMA), which deals with security threats, controls, and best practices. In addition, NIST 800-53 defines many security and privacy controls required for federal information systems and organizations. Any security solution must meet these standards. Many government organizations turn to Atlassian solutions to run their mission-critical projects and operations for effective collaboration that complies with federal standards.

Security experts agree that the best defense is a layered defense, where several security controls are in place simultaneously. But some security controls, by their nature, can slow users down. In a DevOps environment, the key is to provide security without compromising speed and agility. That is where Goldfinger’s CAC/PIV Authenticator for Atlassian comes in. The CAC/PIV Authenticator provides secure and quick authentication so government customers can easily access Atlassian solutions.

CAC/PIV for Improving Security

Federal secured facilities often use smart cards to control access. The Department of Defense uses a common access card (CAC) and non-DoD agencies typically use a personal identity verification (PIV) card. Both cards require the user’s personal identification number. They’re quick and easy to use, and they meet two-factor authentication requirements.

Wouldn’t it be convenient to extend smart card access control to a DevOps environment? It’s possible through the use of an authenticator that verifies users before logging them into an application.

Agencies need a robust solution that extends smart card access control to Atlassian tools to ensure only valid CAC/PIV card holders can access the Atlassian systems. The solution must enable secure access to Atlassian tools, without compromising operational ease and speed. Goldfinger’s CAC/PIV Authenticator is an easy-to-install solution that meets these requirements, providing secure access to Atlassian’s DevOps solutions, such as Jira, Bitbucket, Jira Service Desk, Confluence, Bamboo, and Crowd.

How it Works

A validated client certificate is stored on the user’s PIN-protected smart card. When a user wants access to an online DevOps environment, they enter their username and password on the login page. The solution accesses the certificate through the user’s internet browser to authenticate the user. In some cases, the browser prompts the user to select the certificate. Otherwise, the solution automatically validates the default certificate installed into the browser.

Subsequently, the solution compares the user credentials fetched from the client certificate with Atlassian’s user directory to check if the user is authorized to access the application. Once authenticated, the user logs in and gains access to all the permitted features associated with the Atlassian application. CAC/PIV Authenticator provides a holistic secure solution for environments with Atlassian, a major supplier of DevOps applications.
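The certificate-to-directory check described above can be sketched as follows. This is an added illustration, not Goldfinger's or Atlassian's code: it assumes the TLS-terminating layer hands the application a verification status and the certificate's subject DN, and the function names, status string, directory layout and sample CNs are all constructed for the example.

```python
import re

# Constructed sample directory: certificate CN -> application account.
DIRECTORY = {
    "DOE.JANE.Q.1234567890": {"username": "jdoe", "active": True},
    "ROE.RICHARD.A.0987654321": {"username": "rroe", "active": False},
}

def parse_dn(dn):
    """Split a comma-separated subject DN into {ATTR: value}.

    Honours escaped commas; multi-valued RDNs joined with '+' are not
    handled in this simplified parser.
    """
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, sep, value = rdn.strip().partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        # Keep the first occurrence of each attribute type.
        attrs.setdefault(key.upper(), value.replace("\\,", ","))
    return attrs

def authorize(verify_status, subject_dn, directory):
    """Return the mapped username, or None. Every error path fails closed."""
    # 1. The TLS layer must have validated the chain; a DN alone proves nothing.
    if verify_status != "SUCCESS":
        return None
    try:
        cn = parse_dn(subject_dn).get("CN")
    except ValueError:
        return None
    # 2. Exact-match lookup in the user directory (no prefix or substring match).
    entry = directory.get(cn) if cn else None
    # 3. A valid card is not enough: the account must exist and be enabled.
    if not entry or not entry["active"]:
        return None
    return entry["username"]

if __name__ == "__main__":
    dn = "CN=DOE.JANE.Q.1234567890,OU=USA,O=U.S. Government,C=US"
    print(authorize("SUCCESS", dn, DIRECTORY))
```

The point of the three numbered checks is that certificate validation and directory authorization are separate decisions: a cryptographically valid card that maps to no account, or to a disabled one, is still refused.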

“Goldfinger’s CAC/PIV Authenticator for the Atlassian Suite equips Atlassian tools with smart card authentication capabilities and protects them from unauthorized access. In fast-paced Agile and DevOps environments, the solution offers a smart way to integrate privileged user authentication – without adding extra complexities or adversely impacting the day-to-day user workflows,” says Timothy Chin, the subject matter expert.

The solution can be easily integrated into an organization’s current environment and infrastructure. By default, when users are attempting to log in to any of the Atlassian applications, the application prompts the users for their Atlassian user ID and password. If the user is a valid CAC/PIV card holder, they automatically log into the Atlassian application on successful user authentication.

Key Benefits

  • Quick and easy sign-on
  • Easy and quick installation with no hidden costs
  • Advanced compatibility
  • Secure identification with reliability
  • Common authentication for all systems
  • Establishes accountability

The CAC/PIV Authenticator is an ideal security control for busy DevOps environments, providing secure multi-factor authentication without slowing down your operations.
