Our customer, a financial services SaaS, had been working with a private hosting provider that served it well for some time. As the firm and its technology needs grew, however, it realized it was outgrowing the provider’s capabilities, and its biggest challenge was the provider’s inability to scale effectively. Aware of these limitations, the firm decided to move to AWS for its ability to scale, provide advanced security, and offer cost optimization. The firm also needed to ensure that its solution going forward maintained its PCI, FFIEC, and GLBA compliance.
Yet the company’s application configuration is specific to each customer, so the code had to be refactored to ease deployment automation and make it “cloud friendly”. Alongside the AWS cloud migration, the firm wanted to teach its growing team to be more flexible and agile while building up the team’s cloud skills. The CISO at this company had worked with the AWS consulting team at Flux7 at a previous company and knew that Flux7’s skills and focus on knowledge transfer would be a fit for this project.
Working with the CISO and CTO, the Flux7 DevOps team began the project with Flux7’s proprietary assessment, which gives the company a recommended roadmap of best first steps to help it reap the greatest benefits from its DevOps transformation. Within five business days, Flux7 conducted a full assessment comprising four meetings that covered business, architecture, NetOpsSec, and DevOps requirements and opportunities.
The outcome of the assessment was a final recommendations presentation where Flux7 AWS consultants shared:
- Flux7’s scoring of what the firm has in place compared to its desired state, and
- How to address the areas where it lost points, with specific recommended actions and a prioritized list of what should come first.
AWS Expert Recommendations
The Flux7 teams made several recommendations broken into three distinct areas:
- Work to begin immediately that addresses important security issues and/or serves as a foundation for future work;
- Work that the customer can address. This customer is actively hiring new staff and is able to take on portions of the prioritized list as new hires are on-boarded.
- Future work that is of a lower priority and/or is dependent upon foundational work before it can begin.
Using the Flux7 Enterprise DevOps Framework, high on the list was the creation of an AWS Landing Zone: the environment into which services deploy, and therefore the place to catch service-agnostic components as they are delivered via pipelines. To address the company’s low scores in this area and build a foundation for extreme scalability, Flux7 recommended hardening several AWS accounts with customized IAM roles, applying CIS Level 2 best practices with an alerting framework, and configuring CloudTrail, S3 and Route 53.
Given that this SaaS handles sensitive, personally identifiable information and is subject to several regulatory standards, security was also high on the list. Specifically, Flux7 recommended the use of Security Inspectors in the new environment, integrated with the firm’s existing inspectors, and suggested setting up an ELK cluster to which logs (SysLogs, AuthLogs, AppLogs, etc.) could be forwarded.
In addition, the use of AWS IAM and AWS Config for governance and for maintaining a consistent, known-good state was viewed as highly important. Last, Flux7 recommended Amazon GuardDuty for threat intelligence and continuous AMI vulnerability assessment. Together these technologies form a framework for security as code and continuous compliance.
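To make the CloudTrail-based CIS alerting framework mentioned above concrete, here is an added example (written for this page; it is not Flux7’s or the customer’s code). It evaluates a batch of CloudTrail records against the detection conditions that the CIS AWS Foundations Benchmark monitoring controls (v1.2 numbering, controls 3.1 to 3.5) express as CloudWatch Logs metric filters: unauthorized API calls, console sign-in without MFA, root account usage, IAM policy changes, and CloudTrail configuration changes. The log records and account ID are constructed; in a real landing zone these conditions would be deployed as metric filters with alarms, not run as a script.

```python
"""CIS-style alerting checks over CloudTrail records (added example, not Flux7 code).

The conditions mirror the CIS AWS Foundations Benchmark v1.2 monitoring
controls 3.1-3.5. SAMPLE_LOG is a constructed CloudTrail log file with a
fake account ID; nothing here is real customer data.
"""
import json
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Event names the CIS benchmark treats as IAM policy changes (control 3.4).
IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy",
    "PutGroupPolicy", "PutRolePolicy", "PutUserPolicy",
    "CreatePolicy", "DeletePolicy", "CreatePolicyVersion", "DeletePolicyVersion",
    "AttachRolePolicy", "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}
# Event names that alter CloudTrail itself (control 3.5).
CLOUDTRAIL_CONFIG_EVENTS = {
    "CreateTrail", "UpdateTrail", "DeleteTrail", "StartLogging", "StopLogging",
}


def check_unauthorized_api_call(ev: Event) -> bool:
    """CIS 3.1: errorCode = *UnauthorizedOperation or AccessDenied*."""
    code = str(ev.get("errorCode", ""))
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def check_console_login_without_mfa(ev: Event) -> bool:
    """CIS 3.2: ConsoleLogin where additionalEventData.MFAUsed != "Yes"."""
    extra = ev.get("additionalEventData") or {}
    return ev.get("eventName") == "ConsoleLogin" and extra.get("MFAUsed") != "Yes"


def check_root_usage(ev: Event) -> bool:
    """CIS 3.3: root identity, not invoked by a service, not an AwsServiceEvent."""
    ident = ev.get("userIdentity") or {}
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def check_iam_policy_change(ev: Event) -> bool:
    """CIS 3.4: any IAM policy create/attach/detach/delete call."""
    return ev.get("eventName") in IAM_POLICY_EVENTS


def check_cloudtrail_change(ev: Event) -> bool:
    """CIS 3.5: trail created, changed, deleted, started or stopped."""
    return ev.get("eventName") in CLOUDTRAIL_CONFIG_EVENTS


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("CIS-3.1 unauthorized API call", check_unauthorized_api_call),
    ("CIS-3.2 console login without MFA", check_console_login_without_mfa),
    ("CIS-3.3 root account usage", check_root_usage),
    ("CIS-3.4 IAM policy change", check_iam_policy_change),
    ("CIS-3.5 CloudTrail configuration change", check_cloudtrail_change),
]


def load_records(log_text: str) -> List[Event]:
    """Parse a CloudTrail log file ({"Records": [...]}) into a list of events."""
    return list(json.loads(log_text)["Records"])


def evaluate(records: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, eventID) for every rule each record matches."""
    findings = []
    for ev in records:
        for name, check in RULES:
            if check(ev):
                findings.append((name, str(ev.get("eventID", "?"))))
    return findings


# Constructed sample log: fake account 123456789012, five synthetic events.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "ev-1", "eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "ev-2", "eventType": "AwsApiCall", "eventName": "PutUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "deployer"}},
    {"eventID": "ev-3", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "ev-4", "eventType": "AwsApiCall", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "ev-5", "eventType": "AwsApiCall", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"}},
]})

if __name__ == "__main__":
    for rule, event_id in evaluate(load_records(SAMPLE_LOG)):
        print(f"{event_id}: {rule}")
```

Note that a root console sign-in without MFA trips both 3.2 and 3.3, which is the intended behaviour of the benchmark filters: each control raises its own alarm. The `invokedBy` check in 3.3 is what keeps legitimate service-initiated root events from paging the on-call engineer.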
Injectors in the form of HashiCorp Vault were prioritized highly as was foundational pipeline work, with Flux7 suggesting the setup of TeamCity, and the creation of a TeamCity Image Pipeline, as well as an Infrastructure Pipeline.
The customer was tasked with setting up its own WAF, managed key store, and code pipeline. While the original plan was to migrate the actual applications later, in the middle of the Flux7 engagement, the firm learned that its hosted provider would be losing its PCI accreditation in short order. As a result, the customer work also quickly included migrating systems to AWS in order to maintain PCI compliance.
While the initial focus was to put the firm’s infrastructure on a solid footing with effective account hardening, once that was in place the Flux7 DevOps team recommended that the firm create a testing framework, create a Bitbucket repository for established best practices, adopt Amazon ElastiCache, and create an Auto Scaling group for its EC2 web tier.
Benefits and Outcomes
Starting off with systems of innovation allowed the Flux7 team and the customer to understand what was needed to establish solid footing for the firm’s new architecture. Systems-of-innovation-focused thinking led to the suggestion of a CI/CD tool that integrates with TeamCity and the use of the HashiCorp Vault secret store.
Ultimately, the CISO and CTO saw the benefits outlined in the Flux7 assessment come to life, delivering the desired value through scalability, cost optimization and security, which will enable this financial services SaaS to continue growing unabated, all while adding a great deal of value to its processes and providing the assurance of a secure, compliant infrastructure that supports ongoing customer satisfaction and consistent bottom-line results.