How to Balance Speed and Security for Agile and DevOps Adoption in Government

Posted by Maritess Goellnitz on

As more and more government organizations turn to Agile and DevOps methodologies, it is clear that status quo security strategies aren’t up to the task of addressing federal information security requirements in fast-paced environments. A comprehensive approach to identity, credential, and access management should be a central component in complex development settings to prevent unauthorized access to mission-critical applications and a potentially disastrous security breach. However, some security controls, by their nature, can slow down users. Since the primary goal of Agile and DevOps is to eliminate bottlenecks and improve the velocity and efficiency of software delivery, any security control that stifles the workflow of users or adversely impacts operational speed and agility can be viewed as being overbearing to the process.

Why CAC/PIV Authenticator is a good solution for improving security

U.S. government security policies require encrypted and two-factor authenticated access methods to be used with high value assets such as computers, networks, and facilities. Common Access Cards (CAC) and Personal Identity Verification (PIV) cards, the latest advance in “smart card” identification, are used by the United States Department of Defense and other US Federal Government Agencies not only for general identification purposes but also to access highly-controlled facilities and information systems.

Smart card technology ensures quick authentication, and  robust physical and logical security. Both CAC and PIV cards require the user’s personal identification number, and are designed to meet two-factor authentication requirements: what the user has (the physical card) and what the user knows (the PIN). It is possible to extend smart card access control to Agile and DevOps environments through the use of an authenticator.

Goldfinger’s CAC/PIV authenticator is one such solution that ensures secure access to Atlassian’s Jira, Confluence, Bamboo, Bitbucket, Jira Service Desk, and Crowd DevOps tools. It is designed to verify users before logging them into an application. When a user wants access to an online Agile/DevOps environment, for example, they browse to the login page and enter their username and password. The authenticator reads a digital certificate stored on the user’s smart card and compares it to information in an authentication database. If the credentials match and the user has permission to use the application, login is granted, quickly and easily, without compromising security. 

A CAC/PIV authenticator is an ideal security control for busy Agile and DevOps environments, providing a smart way to integrate user authentication – without adding extra complexities or adversely impacting the day-to-day user workflows.


The stereotype of the government as a slow operation when it comes to technology and software development is no longer as true as it may have been in decades past. As Agile and DevOps approaches continue to gain steam in agencies, balancing speed with security might well be the difference between failure and success. With complicated and demanding security needs in the federal sector, the key to success will be to take deliberate steps towards dealing with both security and compliance concerns in complex development environments, while preventing bottlenecking along the way. 

To learn more about ways to effectively implement secure authentication for Agile and DevOps teams in the government sector, download our latest eBook.