Meeting Security Compliance on AWS

Case Study: FinTech company toughens security while improving agility and solution delivery on AWS

The Client

A FinTech business providing SaaS solutions to an outdated industry. The company’s platform supplies browser- and mobile-based apps to the Real Estate industry to develop and maintain client documents and particulars.

Infrastructure with a Security and Compliance Focus

Making changes to infrastructure can be a daunting task for any company, particularly when a misstep could mean violating the compliance required to serve its customers. Ensuring that SOC 2 compliance was maintained while it improved posture for its infrastructure and applications in AWS, the company turned to Onica, not only for its experience in execution but for its insight in terms of best practices, security, performance and cost optimization.

What is SOC Compliance?

SOC 2 compliance, developed by the AICPA, is a regulation which ensures the systems of service providers which store customer data in the cloud are set up with standardized levels of security, availability, and confidentiality. AWS Cloud Compliance enables users to maintain security and data protection in the cloud.

As a company that handles important financial data, the company is Service Organization Control 2 (SOC 2) compliant, which means it maintains various organizational controls related to security, availability, processing integrity, confidentiality, and privacy. As such, the company must routinely go through SOC 2 compliance audits and is therefore hypervigilant when it comes to data security.

This focus on security and compliance is why the company knew that it needed a partner when deciding to develop solutions for AWS services and infrastructure. While the company had some of the right skills internally, it lacked the depth of knowledge that an AWS Partner was able to offer. The company already had a footprint in an AWS staging account and had developed CloudFormation code to deploy its infrastructure using services such as EC2, ECS, Elasticsearch, ElastiCache, RDS, Route 53, S3, SNS, SQS, and VPC.

A partner with the right expertise

The company had already been experimenting with the AWS Platform and had had some early successes, so the team didn’t consider any other Cloud provider.  When it came to finding a partner to help with the solution and bring a high level of AWS expertise to the project, it looked for an organization that not only had a great reputation for its high-quality work, but provided a strong approach right out of the gate. After first encountering Onica at a conference and recognizing its premier partnership status within the AWS Partner Network, the company invited them to a meeting.

What is Compliance in AWS?

Compliance is taken seriously in AWS, it’s built to be compatible with a variety of compliance programs from around the globe. Across regulated industry, organizations with some of the most highly sensitive data–such as the US Department of Defense, Nasdaq, and Philips–trust AWS compliance measures.

Following that meeting, the company engaged with Onica for several of its services, including Cloud Enablement, Disaster Recovery, Secure Your AWS Tenancy, DevOps Enablement, and DevSecOps. The company wanted to have updates developed for backups, infrastructure automation, encryption, and Docker image deployments. Updating each area would provide faster and more consistent infrastructure and Docker image deployments, as well as greater security for infrastructure, data, and data backups.

From audit to “escrow”

The first phase of the project was to audit and report on the security, reliability, performance, and cost optimization of the current infrastructure. Onica performed an audit against the AWS Well-Architected Framework, as well as security scans using automation tools backed by CIS Benchmarks for AWS. The results were reported and integrated into the overall solution that was implemented thereafter.

Onica used an agile approach for initiating, tracking, and delivering story- and task-based solutions. Known work and work that was discovered from the audits was broken into epics, stories, and tasks, then assigned to users for development, and tracked and managed using Atlassian Jira. This provided an efficient and reliable way of managing work and moving it forward quickly.

The third challenge was to develop a backup solution for S3 objects and RDS databases. To complete this, a new and secured AWS account called “escrow” was created to host data backups for S3 objects and RDS snapshots. An event-driven backup solution was developed, which copied all S3 objects and RDS snapshots from the environment accounts over to their correlating escrow account. This ensured that if an environment account was compromised, the backups would remain secured in the escrow account.

Infrastructure orchestration

Next, Onica reviewed all of the existing CloudFormation code, then updated and integrated it into a new framework and Git repository so that an orchestration tool could be used with the code. This solution improved development times, deployment speed for AWS resources, and execution order.

The Onica team also developed an encryption strategy for both data and data backups. Encryption was a requirement for S3, RDS, and Elasticsearch data, as well as Lambda variables and SSM parameters. Separate customer-managed Customer Master Keys (CMK) for each of the resource types were created to ensure encryption security was unique. Also, during the event-driven backup process of S3 and RDS data over to the Escrow account, the data was un-encrypted using the initial CMK, then encrypted again using the correlating CMK in the Escrow account.

Finally, Onica developed a proof-of-concept solution for a blue-green Docker image delivery using AWS Developer Tools including CodePipeline and CodeBuild. As Dockerfile and application components were updated to GitHub, CodePipeline was triggered to clone the source, build the Docker image, then authenticate and push the image to Amazon ECR. The new Docker image was then deployed to a new Amazon ECS task revision for a correlating “green” labeled service, and an SNS-based approval was sent out for testing. Once the “green” service testing was complete and approved, a Lambda function updated the correlating Application Load Balancer listeners and target groups, they also updated the CodePipeline deployment stage from “green” to “blue” for subsequent deployments.

Different companies, one team

While the engagement did include some formal training, most of the knowledge transfer happened informally, in real time.

Since the implementation, the company now possesses an improved posture for security, reliability, performance, cost optimization, deployments, and infrastructure orchestration. Additionally, the company has enjoyed increased employee efficiency, workflow, and delivery processes through the use of orchestration tooling, as well as event-driven infrastructure processes an improved manageability and flexibility through the use of orchestration tooling and enhanced security through the implementation of customer-managed CMKs and having data backups stored in a separate and secured account.

The company now relies upon the Onica Managed Services Team to deliver monitoring and alerting solutions for the infrastructure. This relationship was described as being very proactive, with the Onica team always providing ideas about what they should spend their time on.

Hidden layer

Share on linkedin
Share on twitter
Share on facebook
Share on email

Onica Insights

Stay up to date with the latest perspectives, tips, and news directly to your inbox.

Explore More Cloud Insights from Onica

Blogs

The latest perspectives on navigating an ever-changing cloud landscape

Case Studies

Explore how our customers are driving cloud innovation in their industries

Videos

Watch an on-demand library of cloud tutorials, tips and tricks

Publications

Learn how to succeed in the cloud with deep-dives into pressing cloud topics

Subscribe to Onica Insights