Session 2.1 Breakfast Product Brief: Red Hat - An Open Approach to Continuous Accreditation

Wednesday, November 16, 2022
7:30 AM - 8:30 AM
Royal Theatre
Sponsored By:
Red Hat


Mr Shane Boulden
Security Strategist
Red Hat


Australian Defence projects spend considerable time and resources to achieve accreditation. Across the US DoD, this process is known as "Authority to Operate", or ATO. Accreditation and ATO are both time-consuming processes that need to be regularly revisited and re-verified to ensure security controls are in place - at huge cost to projects and often delaying project timelines. Traditional approaches to accreditation and ATO are designed for static environments, and don't hold up in a DevSecOps world. Ephemeral workloads and rapidly changing environments - essential components of DevSecOps release workflows - make accreditation even more difficult. This session looks at an open approach to continuous accreditation, across cloud, edge and on-premises Defence systems. Using DevSecOps workflows, NIST standards and open-source technologies and platforms, continuous ATO and accreditation can be supported across Defence projects. We'll also showcase a demonstration of a continuous ATO process, including the standardised artifacts that can be used by project teams to validate and verify accreditation against Australian security baselines.

Shane Boulden is a Security Strategist at Red Hat, enabling Australian and New Zealand organisations to better manage risk across their hybrid cloud environments. He supports bringing open source innovation to security challenges. Shane regularly supports and contributes to security-focused open source projects, including collaborating with the "Compliance as Code" project to automate Australian and New Zealand security baselines. He also recently led the certification of the Keycloak open source identity project