Conduit Accredited in Iron Bank DoD Centralized Artifacts Repository

By  Kevin Marsh

 28 Aug 2023

In our ongoing efforts to support the U.S. Department of Defense (DoD) with high-performing products and services, we were confronted with an operational challenge. Each time we started a new project, Conduit, our open-source data integration tool had to undergo a thorough security review process, a requirement dictated by the DoD's stringent security standards for all vendors. This caused considerable delays to the start of each new project we were involved with and hindered our ability to secure new projects within the department.

We needed a solution to expedite the availability of Conduit and make project initiations more efficient. Therefore, we decided to submit Conduit to a trusted repository run by Iron Bank, a government contractor.

Having successfully gone through the rigorous testing by Iron Bank, Conduit has bypassed the lengthy and recurring security review processes that would happen on individual engagements with different groups in various agencies. As a result of Conduit's full compliance by Iron Bank, Meroxa can now give the DoD access to this essential tool right away, significantly speeding up project operations.

Read on to learn more about Iron Bank’s security clearance process and what it says about the security of Conduit.

What is Iron Bank?

Iron Bank is a DoD repository of digitally signed, binary container images including both Free and Open-Source Software (FOSS) and Commercial Off-The-Shelf (COTS) software. It is a centralized repository for container images that have been hardened and evaluated for security. This makes it easier for DoD organizations to find and use secure container images, and to quickly and easily deploy applications. Approved containers in Iron Bank have DoD-wide reciprocity across all classifications, accelerating down to weeks a security process that can otherwise take months or even years.

Why Go the Iron Bank Route?

The DoD was interested in using Conduit to build connections within the Department of the Air Force (DAF) Data Fabric and between disparate systems to bridge gaps. However, Conduit had not been through the specific group’s software review and compliance process, which could have taken months to complete…months we didn’t have. To move forward rapidly and to set Meroxa up for success in the future, placing Conduit in Iron Bank made the most sense. By going the Iron Bank route, we were quickly able to get Conduit in Iron Bank and subsequently scanned and approved for use with flying colors in under a week.

Another benefit of having Conduit in Iron Bank is accessibility - being able to direct other DoD teams to an approved version of Conduit that they can download and use the same day without issue is a game changer. Long gone are the days of us going through various different approval processes for different projects to get the same outcome.

In addition to what was mentioned above, here are some other benefits to having your software in Iron Bank for the purpose of working with the DoD:

  • Increased security: Iron Bank container images are hardened and evaluated for security, which helps reduce the risk of vulnerabilities being introduced into DoD applications.
  • Increased efficiency: Iron Bank centralizes the process of finding and using secure container images, which saves DoD organizations time and resources.
  • Reduced risk: Iron Bank helps reduce the risk of DoD applications being compromised by vulnerabilities.
  • Improved compliance: Iron Bank helps DoD organizations comply with security regulations.

With those benefits in mind, you can see how having our offerings in Iron Bank would bring our customers peace of mind and allow both parties to not spend huge amounts of time and money on software reviews and testing.

Strengths of Conduit

We’ve touched a bit on how we’re using Conduit in the DoD to build data pipelines with the DAF Data Fabric, but I wanted to list out some other reasons why the DoD has opted to use Conduit in lieu of other products.

  • Efficient Binary Protocol - Uses a binary encoding format that is smaller and faster to serialize and deserialize compared to other formats. This makes it an efficient choice for transmitting large amounts of data.
  • Bi-directional Stream Support - The client and server can read and write messages in any order, as the two streams are independent.
  • Resilient Connectivity - Conduit is able to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation.
  • Rate Limiting/Traffic Shaping - Controls the flow and distribution of traffic from the internet so your infrastructure never becomes overloaded and risks failing.
  • End-to-End Encryption - Keeps communications secure.
  • Lightweight - Can be compiled down to a binary that’s single-digit megabytes and connectors use megabytes of RAM. In comparison, Kafka Connect is roughly 500 - 600 megabytes for all of the packages, connectors, etc. For example, a single Postgres, can consume close to a gigabyte of RAM on its own.

With all of the benefits of Conduit plus the assurance of knowing that it’s a secure and compliant piece of software, it’s clear why the government has opted to use us.

If you are a developer working for the Department of Defense and need access to Conduit, you can download it from Iron Bank and install it right into your development environment. Federal government agencies and DoD DevSecOps teams always have access to the latest, accredited version of Conduit, which has been fully vetted and approved for deployment by the DoD Iron Bank DevSecOps team. For those outside of the DoD who are interested in Conduit, visit conduit.io here to download and view documentation on how to use Conduit.

     Conduit

Kevin Marsh

Kevin Marsh

Project Manager @ Meroxa