Automated Security Enforcement Case Study

This post looks at why automated compliance enforcement matters and describes how Mesoform implemented it, combining several technologies to keep a large cloud estate secure despite the challenges involved.

The Challenge

When running a very large cloud implementation, it is important to ensure that all applications, services and other resources meet the company's security and compliance policies, like software patching, at all times.

When teams do not follow good development practices, this is often not the case.


The solution

  • Mesoform designed and built a microservices app which used violation data to enforce policies automatically when resources remained in violation after multiple reminders to their owners.
  • One microservice was a management app, written in Python, which read data about persistent violations from a database pre-populated by a monitoring app. It analysed which action was required and sent messages to the other microservices over a message bus service (Google Pub/Sub, Amazon SNS/SQS).
  • The apps enforcing compliance actions were also small pieces of Python code which implemented a common interface for engaging with the system (i.e. how to receive messages, handle errors and record actions).
  • Each one had specific enforcement actions, like performing operations on compute instances. They subscribed to their dedicated topic and performed the required action (e.g. shutting down an old instance) whenever a message was received.
  • All microservices were deployed to an event-driven, serverless service (Amazon Lambda, Google Cloud Functions) so that processing messages required no infrastructure of its own.
  • Each enforcement action was recorded for analysis and presented on a compliance dashboard for review.
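The management-app decision logic and the common enforcer interface described above, as an added example that is not Mesoform's own code. The violation records, policy table, topic names and exception list are constructed placeholders, and a plain function stands in for the message bus.

```python
# Constructed sample violations; in the real system these come from a database
# populated by a separate monitoring app.
VIOLATIONS = [
    {"resource": "i-0001", "policy": "patch_overdue", "reminders": 3},
    {"resource": "i-0002", "policy": "patch_overdue", "reminders": 1},
    {"resource": "i-0003", "policy": "public_bucket", "reminders": 4},
    {"resource": "i-0004", "policy": "patch_overdue", "reminders": 5},
]
# Hypothetical policy table: which topic handles a policy and how many
# reminders an owner gets before enforcement starts.
POLICIES = {
    "patch_overdue": {"topic": "compute-enforcer", "max_reminders": 3},
    "public_bucket": {"topic": "storage-enforcer", "max_reminders": 2},
}
EXCEPTIONS = {"i-0004"}  # approved exceptions are never enforced

def plan_actions(violations, policies, exceptions):
    """Management-app logic: map persistent violations to (topic, message)."""
    actions = []
    for v in violations:
        if v["resource"] in exceptions:
            continue
        rule = policies.get(v["policy"])
        if rule is None or v["reminders"] < rule["max_reminders"]:
            continue  # unknown policy, or owner still within the grace period
        actions.append((rule["topic"], {"resource": v["resource"], "policy": v["policy"]}))
    return actions

class Enforcer:
    """Common interface for enforcement services: receive, act, record."""
    def __init__(self):
        self.audit = []  # stands in for the compliance dashboard feed

    def handle(self, message):
        try:
            result = self.enforce(message)
            self.audit.append({"resource": message["resource"], "status": result})
        except Exception as exc:  # one bad message must not stop the service
            self.audit.append({"resource": message.get("resource"), "status": f"error: {exc}"})
        return self.audit[-1]

    def enforce(self, message):
        raise NotImplementedError

class ComputeEnforcer(Enforcer):
    def enforce(self, message):
        # A real service would call the cloud API here; we only report the action.
        return f"stopped {message['resource']} for {message['policy']}"

def dispatch(actions, enforcers):
    # Stand-in for the message bus: deliver each message to its topic's subscriber.
    return [enforcers[topic].handle(msg) for topic, msg in actions if topic in enforcers]
```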


The results

  • A simple Gitflow process applied to changes to the management app's config allowed many changes to be tested and deployed with very little human involvement.
  • As each app was a serverless microservice, we were able to keep running and development costs low, and to add, update and test enforcement services automatically with our CI/CD pipeline.
  • Using IAM services at all layers restricted access to sensitive violation data in the database to the management app only, and delivered event messages only to the apps which were supposed to process them.
  • Using services like SNS and Pub/Sub for topic-based events helped to keep each service small, simple and easy to manage.
  • Overall, we were able to implement a solution that, given a set of policies and exceptions, enforced high-risk compliance rules without manual intervention.
  • As all violation policies were owned and managed by a dedicated security and compliance team, changes to business logic could be made without involving the engineering team.


As IT specialists, Mesoform can help your business overcome similar challenges and provide efficient solutions in comparison to competitors.

If you would like to discuss any of these topics in more detail, please feel free to get in touch.


About Mesoform

For more than two decades we have been implementing solutions to wasteful processes and inefficient systems in large organisations like Tiscali, HSBC and HMRC, and impressing our cloud-based IT Operations on well-known brands such as RIM, Sony, Samsung and SiriusXM.
