Improving AWS Security Across Large National Not-for-Profit Health System App SaaS Offering
A national not-for-profit health systems primary care scheduling app SaaS offering needed to add infrastructure security. The product in the current state was a significant risk to security and possible compliance violations. The Director of Engineering asked AIM Consulting to implement a security automation solution addressing these concerns while leveraging existing security-specific AWS Managed Services.
AIM Consulting was currently onsite wrapping up a 6+ month long DNS migration and account evaluation project that was successful in providing 90% of AWS resources migrated or archived and over $10k a month in savings. As a “trusted advisor” in the AWS Cloud space, this project’s requirements were in perfect alignment with AIM’s capabilities.
The client had no visibility of their AWS security posture hosting SaaS offerings across more than 15 AWS accounts. AIM was asked to take this on and come up with an end-to-end solution that could be rolled out to all accounts, handed off product operations teams with the implementation CloudFormation templates, and runbooks to deploy and manage the security automation framework.
The project included deploying a collection of AWS Managed Services that addressed the following components for a Cloud Infrastructure Security Topology:
AWS Cloudtrail: Offers environment action auditing and reporting.
AWS Config: This serves as a compliance monitoring engine to monitor the environment.
AWS GuardDuty: This serves as a network anomaly and intrusion detection service.
AWS Inspector: Helps to control the security and vulnerability assessment of the – EC2 (virtual machines) within the environment.
AWS SecurityHub: A single-pane security incident and event monitoring (SIEM) tool for AWS Config, AWS GuardDuty, and AWS Inspector roll-up findings and insights into this service for “single-view” visibility of the environment’s security posture.
CIS-Foundations Compliance Rules: Best-practice compliance rules that the AWS Config compliance service used to monitor and report compliance violations within the environment. Both the compliance and non-compliance items then rolled up as findings in the SecurityHub service.
CIS-Foundations Remediations: AIM provided a collection of AWS CloudFormation templates (Infrastructure-as-Code) assets that addressed the non-compliance items in the environment bring these non-compliance issues into best-practices compliance.
AIM Consulting addressed this project in the following phases, starting with the initial request from the director of engineering on how the company should leverage AWS managed services for end-to-end security visibility and best practices applied to the AWS environment infrastructure. Measurement of success was a consistent loop of interactive feedback from the dev-manager and the Cloud Native Engineering team, ensuring all project components maintained on task.
Requirements Gathering (2-3 weeks): AIM worked with the dev-manager on various managed services that applied specifically to the primary care app.
AWS Security and Managed Service Research (2 weeks): Research conducted into the technical documentation of the managed services along with the CIS-Foundations compliance items and coverage.
Recommendations and Proposed Implementation Strategy (2 weeks): AIM provided recommendations toward the AWS managed services resources to deploy, the best approach to implement in a scalable and repeatable fashion.
Proof of Concept/ Deployment testing (1 month): Deployed managed services using AWS CloudFormation templates in 2 development environments. After resources and CloudFormation templates deploy and run as expected, AIM then checked into the teams Github repository.
Deployment of Security Essentials Version 1.0 (1 month): AIM deployed all 5 AWS Managed Services and created an initial deployment runbook. This initial deployment was applied to all 15 environments.
Deployment of CIS-Remediations – Security Essentials Version 2.0 (3 weeks): After the CIS-Foundation compliance ran through AWS Config – compliance engine for a day or two, a collection of CIS-Foundations compliance violations reports into the finding section of the Security Hub. All issues were collected and created CloudFormation templates that either correct the misconfigurations or deployed AWS resources that will bring these compliance checks from non-compliant to compliant status.
Project completion included an updated section of the companies’ SOP (standard operations procedure) for this SaaS offering that the company is marketing to potential and existing clients.
As a result, the company was able to establish the level of compliance (or non-compliance) that the AWS environments were following security best-practices prescribed by the CIS-Foundation compliance standards. This shined a significant and visible spotlight on some infrastructure security anti-patterns and shortcomings that were not previously noticed and analyzed. After implementation, AIM was able to resolve the non-compliant items and improve the security posture of the AWS environment and infrastructure in a scalable and repeatable fashion. With the peer-reviewed Infrastructure-as-Code assets and runbooks that the client can leverage for all other AWS environments.
The partner is now able to market this feature as an added security of the SaaS offering. AIM’s implementation raised the bar on security visibility for cloud-hosted applications and is a crucial feature for the company as they look to commercialize and market their new Primary Care Scheduling App to other healthcare providers. Moving forward, the organization’s digital innovation group expects this for all other cloud-based innovation initiatives.
ABOUT AIM CONSULTING
AIM Consulting, an Addison Group company, is an award-winning industry leader in technology consulting and solutions delivery. AIM’s differentiation is our collaborative engagement model that provides cross-functional results. We work with clients, shoulder to shoulder, for one goal – their success. Founded in 2006, with offices in Seattle, Minneapolis, Denver, Houston, and Chicago, we are ranked among the fastest-growing private companies and best companies to work for due to a long track record of success with our partners and consultants. Our long-term relationships with the best technology consulting talent allow us to deliver on expectations, execute on roadmaps, and drive modern technology initiatives.