A large security provider wanted to offer its threat detection, incident response, and compliance management solution to government agencies in the cloud. However, federal agencies are required to use FedRAMP-authorized products: FedRAMP is mandatory for federal agency cloud deployments and service models at the low, moderate, and high risk-impact levels. As a result, the security firm turned to the cloud consulting team at Flux7 to help it prepare its solution for FedRAMP certification on AWS GovCloud.
FedRAMP, the Federal Risk and Authorization Management Program, describes itself as a government-wide effort to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. In this way, all agencies can be assured that the cloud technologies they use meet a strict security standard. As more organizations — from state agencies to defense contractors and educational institutions — adopt FedRAMP as a security standard, the business importance of being FedRAMP Authorized continues to grow.
Refactoring for FedRAMP
With this clear business driver in hand, Flux7 and the security provider got to work. We started by refactoring parts of the firm’s security solution, an involved process of re-architecting and re-coding to take advantage of AWS cloud-native functionality. (Note that AWS GovCloud is for agencies that want, or need, a U.S.-persons-only cloud environment. Agencies not beholden to this requirement can use commercial AWS regions, which provide FISMA-Moderate controls.)
Building a Secure Foundation
As part of our refactoring process, we took the solution’s “building blocks”, separated them, and created base layers with common Amazon Machine Images (AMIs) that we hardened with the security controls recommended by the CIS Level 1 benchmark. In addition, all AWS GovCloud AMIs were configured to meet FIPS 140 encryption requirements, and all AMIs, regardless of Availability Zone, are built to run on Nitro hypervisor instances to ensure consistent performance.
Per requirements set by the customer, we used an Ubuntu 18.04 image from the AWS Marketplace as the base layer, hardened with CIS Level 1 controls. Because the product is offered as both an appliance and a managed service, the next and final baking step produces product-specific AMIs for the different role types:
- SaaS common AMIs have agents installed for monitoring and configuration management, SSH configuration, and more, while
- On-premises sensor AMIs include remote access capability for the firm’s support team. The sensor AMIs are delivered in several formats for both AWS commercial regions and AWS GovCloud.
Building It Up Securely
The existing product build process required staff to manually build dependency packages and upload them to Artifactory for consumption by downstream processes or deployment pipelines, bringing with it a nightmare of dependency management. Additionally — per the company’s historical thinking, due in part to its business model — the product was built as a single AMI, with all application code and dependency packages deployed at run time. Different role types were also configured at run time and provisioned during production using a multitude of scripts. Yes, dear reader, we cringed, too.
To end the dependency management nightmare, we broke the work down into several pieces, each addressing a customer pain point. Specifically, we:
- Established configuration management of the OS at AMI build time, leaving only environment-specific configuration to provisioning,
- Introduced coding best practices,
- Updated toolsets,
- Broke the single product AMI into different role-type AMIs, and
- Employed Bamboo build pipelines for dependency packages.
In addition to the role-type AMIs, we also delivered a base CIS AMI that was used in the deployment of secure, hardened production Kubernetes clusters for the firm’s microservices.
With the foundational layer complete, we had built a solution as code, with fully automated VM configuration and fully hardened AMIs that contained all the needed system utilities and configurations. And with Atlassian’s Bamboo CI/CD server, we were able to build and distribute the images across both AWS commercial regions and AWS GovCloud.
As everything from the OS down is now hardened, we are able to fulfill our goal of providing the application teams with configuration, coding, tool updates, role-based AMIs and Bamboo build pipelines in which they can work with their application, all without the need for any further packages or system configuration.
Continuous Security Testing
The solution was turned over to the application teams once the foundation and application building blocks had been refactored securely for AWS commercial regions and AWS GovCloud. The teams, in turn, use these AMIs and, should they need to modify any configurations, have another Flux7 solution on hand: Molecule test-driven development. When a change is made — e.g. a configuration is modified, or an application is placed on the hardened layers — the Flux7 Molecule test solution allows application teams to re-test and ensure the entire system remains CIS hardened. Should a test fail, the team is notified and remediation action is taken.
Offered as both an appliance and a managed service, the solution now features advanced AWS security best practices, with:
- Build pipelines that create role-specific images that are consistently and repeatably created with FedRAMP security controls built-in;
- Role-specific images created using Ubuntu 18.04 LTS so that the solution is certified on the latest Ubuntu OS version; and
- AMIs that are hardened to CIS Level 1 and continuously tested for compliance until the final image is created, thereby ensuring AMIs meet FedRAMP compliance.
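To make the re-test step concrete, here is an added example (not code from Flux7 or from the customer’s Molecule suite) of the kind of verification a Molecule verify stage runs after an application team changes something on the hardened layer. It parses an sshd_config and a sysctl drop-in the way the OS would resolve them and reports which controls no longer hold. The control list is a constructed subset with placeholder ids, not CIS benchmark recommendation numbers, and both config snippets are constructed sample input.

```python
"""Re-test a hardened image's configuration against a small set of
CIS-style checks, the way a Molecule verify step re-runs after an
application team changes something on the hardened layer.

Added example. The controls and config snippets are constructed; the
control ids are placeholders, not CIS recommendation numbers."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global sshd directives, keyed lower-case.

    sshd honours the FIRST occurrence of a directive, so a value appended
    to the end of the file does not override an earlier one. Lines after
    a Match block apply only conditionally and are ignored here."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.match(r"match\b", line, re.I):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            directives.setdefault(parts[0].lower(), parts[1].strip())
    return directives


def parse_sysctl(text: str) -> Dict[str, str]:
    """Effective sysctl settings: unlike sshd, the LAST assignment wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


@dataclass(frozen=True)
class Control:
    control_id: str                          # placeholder id (constructed)
    title: str
    source: str                              # "sshd" or "sysctl"
    key: str
    passes: Callable[[Optional[str]], bool]  # None means the key is absent


def equals(want: str) -> Callable[[Optional[str]], bool]:
    return lambda got: got is not None and got.lower() == want


def at_most(limit: int) -> Callable[[Optional[str]], bool]:
    return lambda got: got is not None and got.isdigit() and int(got) <= limit


# A missing directive counts as a failure: the image must set the value
# explicitly rather than rely on an OS default that may change between releases.
CONTROLS: List[Control] = [
    Control("ssh-01", "SSH root login disabled", "sshd", "permitrootlogin", equals("no")),
    Control("ssh-02", "SSH empty passwords rejected", "sshd", "permitemptypasswords", equals("no")),
    Control("ssh-03", "SSH MaxAuthTries is 4 or less", "sshd", "maxauthtries", at_most(4)),
    Control("sys-01", "IP forwarding disabled", "sysctl", "net.ipv4.ip_forward", equals("0")),
    Control("sys-02", "ICMP redirects not accepted", "sysctl", "net.ipv4.conf.all.accept_redirects", equals("0")),
    Control("sys-03", "ASLR fully enabled", "sysctl", "kernel.randomize_va_space", equals("2")),
]


def evaluate(sshd_text: str, sysctl_text: str) -> List[str]:
    """Return the ids of failing controls (an empty list means still hardened)."""
    effective = {"sshd": parse_sshd_config(sshd_text), "sysctl": parse_sysctl(sysctl_text)}
    return [c.control_id for c in CONTROLS if not c.passes(effective[c.source].get(c.key))]


def report(sshd_text: str, sysctl_text: str) -> str:
    """Human-readable verdict, as a verify step would print it."""
    failing = evaluate(sshd_text, sysctl_text)
    if not failing:
        return "PASS: image still meets all checked controls"
    titles = {c.control_id: c.title for c in CONTROLS}
    return "FAIL: " + "; ".join(f"{cid} ({titles[cid]})" for cid in failing)


# Constructed sample input: the files as baked into the hardened base layer.
BAKED_SSHD = "Protocol 2\nPermitRootLogin no\nPermitEmptyPasswords no\nMaxAuthTries 4\nX11Forwarding no\n"
BAKED_SYSCTL = "net.ipv4.ip_forward = 0\nnet.ipv4.conf.all.accept_redirects = 0\nkernel.randomize_va_space = 2\n"

# Constructed drift: a team edited the SSH values in place for troubleshooting,
# added a Match block, and appended ip_forward=1 for a container network. The
# appended sysctl line takes effect; an appended sshd directive would not.
DRIFTED_SSHD = ("Protocol 2\nPermitRootLogin yes\nPermitEmptyPasswords no\nMaxAuthTries 10\n"
                "X11Forwarding no\nMatch User deploy\n    PermitRootLogin no\n")
DRIFTED_SYSCTL = BAKED_SYSCTL + "net.ipv4.ip_forward = 1   # added for containers\n"

if __name__ == "__main__":
    print("baked image  ->", report(BAKED_SSHD, BAKED_SYSCTL))
    print("after change ->", report(DRIFTED_SSHD, DRIFTED_SYSCTL))
```

The two parsers deliberately differ in override semantics, because that is where drift checks most often go wrong: a sysctl value appended by a later layer is the one the kernel applies, whereas sshd keeps the first value it reads. Running the script prints a pass for the baked image and a fail naming the root-login, MaxAuthTries and IP-forwarding controls for the drifted one; in a real pipeline the same function would run against files read from the instance under test and fail the build on any non-empty result.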
Our security customer is now in the process of obtaining its FedRAMP authorization for AWS GovCloud. With thousands of customers, this firm is combining its business success with Flux7’s agile cloud security experience to create a solution that will soon be ready for federal agencies to purchase. Not stopping there, it is also expanding its solution to Microsoft Azure. Stay tuned as we share that story in an upcoming blog.
Post Date: 11/07/2019