CASE STUDY

Building a Platform-as-a-Service in AWS: How Aquia Partnered With the Federal Government to Safeguard Personal Health Information for Millions of Americans

A large United States federal agency provides an extensive portfolio of applications and capabilities that must comply with certain federal requirements as part of the broader Risk Management Framework (RMF). Partnering with Aquia, the agency developed a Platform-as-a-Service (PaaS). The PaaS provides a robust shared development environment for the agency’s applications that maximizes security control inheritance, shifts security left via security tooling and pipeline automation, facilitates emerging GitOps practices leveraging cloud-native technologies and ultimately drives down application costs while expediting the delivery of value for stakeholders.

About the Customer

This case study documents the experience of an Aquia customer — a large United States federal agency that provides an extensive portfolio of applications and capabilities that are responsible for safeguarding the personally identifiable information (PII) and protected health information (PHI) of millions of Americans.


The Challenge

  • A large United States federal agency provides an extensive portfolio of applications and capabilities that must comply with certain federal requirements as part of the broader Risk Management Framework (RMF). The agency was looking to enhance scalability, flexibility, and efficiency in their applications through the adoption of microservice architectures, containers, and cloud infrastructure.

The Solution

  • Partnering with Aquia, the agency developed a Platform-as-a-Service (PaaS). The PaaS provides a robust shared development environment for the agency’s applications that maximizes security control inheritance, shifts security left via security tooling and pipeline automation, facilitates emerging GitOps practices leveraging cloud-native technologies and ultimately drives down application costs while expediting the delivery of value for stakeholders.

The Results

  • Initial adopters of the PaaS have recognized a decrease in costs, a 30-50% reduction in authorization time and compliance overhead, and more secure and streamlined development processes while taking advantage of the efficiencies of cloud-native services.

Addressing Complexities While Maintaining a Stringent Level of Security

This large United States federal agency provides an extensive portfolio of applications and capabilities that are responsible for safeguarding the personally identifiable information (PII) and protected health information (PHI) of millions of Americans. 

The agency’s applications must adhere to a number of federal requirements as part of the broader Risk Management Framework (RMF), including the Federal Information Security Modernization Act (FISMA) and an internal customized baseline of NIST 800-53 Rev. 5 that contains more than 350 controls and 750 control elements.

With hundreds of applications in its portfolio, the agency sought to reduce duplicative efforts, time to authorization, and compliance overhead for each of these systems while maintaining the stringent level of security required for applications safeguarding PII and PHI. 

Furthermore, the agency was actively promoting the adoption of microservice architectures, containers, and cloud infrastructure in an effort to enhance scalability, flexibility, and efficiency in their applications.

Left unaddressed, the applications would continue to drain resources and operate with reduced efficiencies — spending money, time, and effort to meet compliance, security, and privacy requirements in a non-uniform manner or without proper support and lessons learned from consolidated development environments.

Building a Secure and Cost-Effective PaaS for Agency Applications 

The agency identified the need to build a PaaS that would provide a robust shared development environment for its applications that maximizes security control inheritance, shifts security left via security tooling and pipeline automation, facilitates emerging GitOps practices, and drives down application costs while expediting the delivery of value for stakeholders. 

Having already developed a large presence on Amazon Web Services (AWS) across the agency’s portfolio of applications, building the PaaS on AWS was the clear choice. Doing so aligned with many parallel teams and efforts, and positioned the platform to best suit application needs and desires. 

With extensive experience in AWS, Aquia was uniquely positioned to support the agency in this mission. In addition, Aquia had supported agency leadership with their digital transformation efforts in the past and possessed the skills necessary to ensure this effort would be a success, including expertise spanning compliance, security engineering, application security, and purple teaming. 

Leveraging AWS Services to Implement Secure Functionality 

By leveraging insights gained from past platforms and programs in the federal sector and adopting a user-centric approach, Aquia took charge of the platform's security right from the initial design and discovery stage to the development of a minimum viable product (MVP) and its delivery to various agency applications.

Aquia identified core security functionality and chose tooling to fulfill those functions, mapped the full platform infrastructure to all 352 security controls, and provided implementations to offer 74% control inheritance to applications. 

In addition to ensuring compliance, Aquia implemented several key security measures such as detections-as-code, threat models, and security engineering efforts. These proactive actions played a crucial role in obtaining the platform's authority to operate (ATO). Notably, the platform achieved a significant milestone as its system security plan became the first to receive a flawless evaluation with no findings.

Applications within the agency are now onboarded to the PaaS and experience faster authorization times with lower compliance overhead.

The agency leveraged a range of AWS services to build its solution. Amazon GuardDuty was utilized for threat detection and alerts in each environment, while AWS Identity and Access Management (IAM) played a crucial role in managing identities and access for accounts and services. Amazon Simple Storage Service (Amazon S3) served as the storage solution for logs, while AWS CloudTrail facilitated logs and monitoring. Amazon CloudWatch was used for generating alerts, and network access control lists (ACLs) and security groups were employed to control traffic. 

Amazon Virtual Private Cloud (VPC) enabled the segregation of workloads, and VPC Flow Logs were utilized for monitoring and capturing IP traffic information. Amazon Elastic Kubernetes Service (EKS) was chosen for efficient Kubernetes management, while Amazon Elastic Compute Cloud (Amazon EC2) provided the necessary compute resources. Amazon Relational Database Service (RDS) was utilized as the database solution, and Amazon Elastic Block Store (Amazon EBS) served as a storage and backup solution. AWS Shield offered protection against distributed denial-of-service (DDoS) attacks, and Amazon Route 53 fulfilled Domain Name System (DNS) service requirements. AWS Secrets Manager was used to manage secrets, and AWS Web Application Firewall (AWS WAF) played a vital role in safeguarding web APIs.

Gaining Efficiencies and Streamlining Processes

Initial adopters of the PaaS have seen a decrease in costs, authorization time, and compliance overhead. 

Specifically, applications using the PaaS have benefitted from a 74% reduction in compliance overhead for their system security plans, a 30% decrease in authorization time for ATO (from 9 months to 6 months), and a 50% reduction in onboarding time (from 2-3 months to less than 1 month). 

The 74% reduction in compliance overhead ties directly to the controls that applications inherit from the platform. These controls are abstracted away from the application teams, which leads to less engineering overhead.

Overall, users have recognized a more secure and streamlined development process while taking advantage of the efficiencies of cloud-native services.

Aquia’s success with the agency’s PaaS has laid the foundation for automation efforts which are currently in progress for each of the benefits of the platform. These efforts include detections-as-code, compliance-as-code, and transitioning manual compliance processes to automated checks. 

Work With Us

Contract Vehicles

  • GSA Multiple Schedule Award (MAS) Contract # 47QTCA23D000H

    • SIN 518210C: Cloud Computing and Cloud

    • SIN 54151HACS: Highly Adaptive Cybersecurity Services (HACS)

    • SIN 54151S: Information Technology Professional Services

CAGE Code

  • 8XPQ4

Unique Entity ID

  • RGMQQK1DLAN9

NAICS Codes

  • 541511 Custom Computer Programming Services

  • 334111 Electronic Computer Manufacturing

  • 334112 Computer Storage Device Manufacturing

  • 334310 Audio And Video Equipment Manufacturing

  • 334419 Other Electronic Component Manufacturing

  • 518210 Data Processing, Hosting, And Related Services

  • 519130 Internet Publishing And Broadcasting And Web Search Portals

  • 519190 All Other Information Services

  • 541430 Graphic Design Services

  • 541512 Computer Systems Design Services

  • 541513 Computer Facilities Management Services

  • 541519 Other Computer Related Services

  • 541611 Administrative Management And General Management Consulting Services

  • 541614 Process, Physical Distribution, And Logistics Consulting Services

  • 541618 Other Management Consulting Services

  • 541715 Research And Development In The Physical, Engineering, And Life Sciences (Except Nanotechnology And Biotechnology)

  • 561110 Office Administrative Services

  • 561320 Temporary Help Services

  • 561439 Other Business Service Centers (Including Copy Shops)

  • 611420 Computer Training
