Working with dozens of financial services organizations, we understand first-hand the need for security and scalability as every minute of downtime has direct customer satisfaction and bottom-line repercussions. As a result, our DevOps assessment is focused on helping financial services firms plan and build systems with AWS cloud architecture best practices to ensure security and high availability of systems. In today’s article, we’ll examine the story of a financial services SaaS who sought help planning its cloud migration and DevOps automation, to ensure it created the best possible AWS cloud foundation.
Our customer, a financial services SaaS, was working with a private hosted provider that worked well for some time. However, as the firm and its technology needs grew, the company realized it was outgrowing the provider’s capabilities. It was most challenged by its inability to scale effectively. Aware of the hosting provider’s limitations, the firm made the decision to move to AWS for its ability to scale, provide advanced security, and offer cost optimization. The firm also needed to make sure its solution moving forward assured compliance to PCI, FFIEC, and GLBA.
Yet, the company’s application configuration is specific to each customer. As a result, it had a need to refactor code for ease of deployment automation, requiring work to make it “cloud-friendly”. At the same time that the firm was making its AWS cloud migration, it wanted to teach its growing team how to be more flexible and agile while giving the team more cloud skills.
Working with the CISO and CTO, the DevOps consulting team began the project with our proprietary assessment. It provides the company with a recommended roadmap of best first steps that would help it reap the greatest benefits from its DevOps transformation process. Within five business days, we conducted a full assessment, comprised of four meetings that covered business, architecture, NetOpsSec, and DevOps requirements and opportunities.
The outcome of the assessment was a final recommendations presentation where the DevOps consultants shared:
- Scoring of what the firm has in place compared to its desired state, and
- How to address areas where they lost points on scoring, recommending specific actions alongside a prioritized list of what should come first.
AWS Cloud Foundation recommendations
We made several recommendations broken into three distinct areas:
- Work to begin immediately that addresses important security issues and/or serves as a foundation for future work.
- Work that the customer can address. This customer is actively hiring new staff and is able to take on portions of the prioritized list as new hires are on-boarded.
- Future work that is of a lower priority and/or is dependent upon foundational work before it can begin.
High on the list was the creation of an AWS landing zone, which is where services deploy and as a result is focused on catching service agnostic components as they are delivered via pipelines. To address the company’s low scores in this area, and ensure it built a cloud foundation for extreme scalability, we recommended the account hardening of several AWS accounts with customized IAM roles, and CIS level 2 best practices and alerting framework, CloudTrail, S3, and Route53.
Given that this SaaS works with sensitive, personally identifiable information and is subject to several regulatory standards, security was also high on the list. Specifically, we recommended the use of Security Inspectors in its new environment that integrated with the firm’s existing inspectors and suggested the setup of an ELK cluster where logs (SysLogs, AuthLogs, AppLogs, etc.) could be forwarded.
In addition, the use of AWS IAM and AWS Config for governance and maintaining a consistent known, good state was also viewed as highly important. Last, we recommended the use of Amazon GuardDuty for threat intelligence and continuous AMI vulnerability assessment. Together these technologies form a framework for security as code and continuous compliance.
Injectors in the form of HashiCorp Vault were prioritized highly as was foundational pipeline work. We suggested the company setup TeamCity, and the creation of a TeamCity Image Pipeline, as well as an Infrastructure Pipeline.
The customer was tasked with setting up its own WAF, managed key store, and code pipeline. While the original plan was to migrate the actual applications later, in the middle of the engagement, the firm learned that its hosted provider would be losing its PCI accreditation in short order. As a result, the customer work also quickly included migrating systems to AWS in order to maintain PCI compliance.
The initial focus was to get the firm’s infrastructure in a solid position with effective account hardening. Once that was in place, the DevOps consulting team recommended that the company create a testing framework, create a Bitbucket repository for established best practices, adopt Amazon ElastiCache, and create an autoscaling group for its EC2 web tier.
Benefits and outcomes
Starting off with systems of innovation allowed the two teams to understand what was needed to establish a solid footing for the firm’s new architecture. Systems of innovation-focused thinking led to the suggestion of a CI/CD tool that integrates with Teamcity, and the use of the HashiCorp Vault secret store.
Ultimately, the CISO and CTO saw how the benefits outlined by the assessment came to life, delivering their desired value through scalability, cost optimization, and security, which will enable this financial services SaaS to continue growth unabated. All while adding a great deal of value to its processes with the assurance of a secure, compliant infrastructure certain to create ongoing customer satisfaction and consistent bottom-line results.
*This was originally written by Flux7 Inc., which has become Flux7, an NTT DATA Services Company as of December 30, 2019
Post Date: 12/20/2018