Categories
Project Experience

Vault Enterprise: Aligning the solution for security, scalability

Confidential Client

FORTUNE 100 / GLOBAL INSURANCE CO.

Challenge

Trility has successfully completed previous engagements with this client to assist in the development and evolution of an enterprise cloud security framework. In addition, we helped select and implement HashiCorp Vault Enterprise for storing and managing secrets. Due to attrition, this client had limited capacity to take advantage of the expanded features and functionality needed to improve security and performance, including handling more complex requests and managing the types and classifications of secrets.

Solution

The client also determined it needed a standalone, automated continuous delivery pipeline for Vault Enterprise, operating as a tier above Terraform Enterprise. The existing implementation was running in parallel and needed several upgrades before its data could be migrated to the new solution with minimal disruption.

Due to the complexity of the project and the existing team’s capacity and limited experience with Vault Enterprise, Trility was invited back to assist in deploying the new pipeline and to develop procedures for upgrading and managing the tool, including training and documentation for a seamless handoff to the client’s team.

Outcomes

A standalone, automated continuous delivery pipeline allowed for:

  • Dynamic credentials
  • Closing the gaps in areas that were not fully compliant with internal cloud security framework standards
  • Four-nines availability (99.99%), including the implementation of a disaster recovery process using performance clusters
  • Minimal disruption to service, as the work and data migration were completed during outage windows
  • Positioning the team to maintain and customize the solution for future needs by providing hands-on training, videos, READMEs, how-to via code, how-to upgrade, how-to scale horizontally, and troubleshooting of what-if scenarios

Recommendations

Trility provided several recommendations throughout the project, as Vault Enterprise is a hands-on tool whose version upgrades are critical for enterprise security. During the project, Trility determined that the client’s Vault Enterprise received more than 8 million calls every 30 days. If the pipeline is not kept up to date and highly available, teams across the enterprise could come to a standstill.

Trility provided recommendations for the level of complexity in building the solution and designed it to align with the client’s best practices for how the client manages failovers and deployment locations. The build is easily adjustable for heavy usage and horizontal growth to ensure Vault Enterprise administrators could confidently own the solution and maintain and customize it for future needs and growth. 

Due to the number of requests Vault Enterprise handles, Trility also recommended different hardware that would more reliably handle the current and future level of requests. The solution also required a smaller server footprint, using local storage and fewer AWS resources.

Results

  • Increased automation 
  • Additional scope delivered 
  • Met schedule and budget requirements
  • Provided recommendations
  • Training and documentation 
  • Created reusable patterns 
  • Reduced cost of acquisition, cost of ownership, and technical debt
  • Increased scalability for current usage and across multi-regions

Automate How You Manage Secrets & Protect Data

Trility helps clients improve security and performance, enabling top- and bottom-line growth across the enterprise through predictable, repeatable, and auditable methods.

Learn how Trility can help your team leverage HashiCorp Vault and other automated, agnostic cloud solutions.


Policy as Code: Automate Cloud Security Governance with Sentinel

Confidential Client

FORTUNE 100 / GLOBAL INSURANCE CO.

Challenge

Many enterprise companies perform regulatory compliance assessments manually, using one to many assessors. This client aimed to streamline the entire process and more quickly understand where and how the organization needed to focus by reducing the preparation, collection, and management of this data, and by assessing and understanding it through automation. An embeddable Policy as Code framework would also remove the burden of proof from the project and product teams and allow them to accelerate delivery across the enterprise.

Solution

The client and Trility team identified the NIST 800-53 technical controls for automation, monitoring, and management using HashiCorp Sentinel as the Policy as Code solution for the AWS cloud security frameworks. 

Due to limitations with Terraform Enterprise, a centralized data store to house all implementation and execution events was not feasible. Trility recommended and implemented a process to capture and log events after each test into the existing auditing tool, which developers can query using a Terraform Enterprise API.

About HashiCorp Sentinel

Infrastructure as Code automates the four main components of infrastructure (provision, secure, connect, and run) and empowers more users to create and manage infrastructure. This increases risk, as less experienced users could make significant mistakes that impact business operations. Sentinel’s Policy as Code limits that exposure by codifying business and regulatory policies to ensure infrastructure changes are safe. When used together, Infrastructure as Code and Policy as Code enable users to safely and quickly provision, secure, connect, and run any infrastructure for any application.

Outcomes

Using HashiCorp Sentinel, Trility created and mapped a library of policies to the NIST controls and also developed three tiers of compliance using Terraform Enterprise.

Policies were organized for each tier and each tier has its own automated test, delivery pipeline, and test harness for the corresponding Terraform Enterprise workspace, which provides immediate pass/fail results. 

Policy as Code compliance controls are baked into the software-defined cloud infrastructure as the default behavior for all implementations and allows for rapid test and verification.

Results

  • Teams can rapidly test and verify against controls with this Policy as Code solution 
  • Compliance controls are baked into the software-defined cloud infrastructure as the default behavior for all implementations
  • Reduced cost of acquisition, cost of ownership, and technical debt
  • Seamless handoff with training and documentation, which included videos and READMEs
  • Met schedule and budget requirements
  • Increased scalability and security with reusable patterns and code snippets for creating additional policies

Validate Cloud Security from the Start

Trility helps clients securely leverage the benefits of moving business to the cloud with agnostic solutions that save time and validate compliance through reusable patterns.

A Policy as Code solution enables your teams to move fast yet still keep your information secure. If you are interested in learning more, Trility can help.


Build Lasting Solutions for Customers & Internal Teams

Confidential Client

GLOBAL MEDIA, INFORMATION, AND SERVICES CO.

Challenge

This client had an existing payment application in production that needed additional features and integrations to enhance the customer experience and position them to generate additional revenue. It also desired recommendations for streamlining workflow for internal teams. 

Priority one for the project was hardening security of the payment widget through various integrations. Priority two, if time allowed, was to learn what exists, observe how it is used, and provide recommended opportunities for increased efficiencies in the areas of version control, DevSecOps, and other key services.

Our way of doing business, no matter the contract language, is to share observations and provide options and recommendations.

Recommendations

The Trility team identified ways to re-engineer deployment processes that improved:

  • Performance, by addressing latency issues
  • AWS deployment
  • Monitoring of applications and systems, with automated alerts

Outcomes

The client received a working, tested integration between the payment widget and the chosen identity management solution, Apple Pay, Stripe, Magento 2.0, and the existing payment and wallet solution. In addition, our team identified ways to improve latency and speed up processes between the application and customers. 

Trility ensured this client could immediately start working to improve or replace the payment widget itself or work on end-to-end automated testing after the engagement ended.

Reusable Patterns

The recommendations led to an extension to rewrite the backend code and re-engineer AWS deployment. This allowed the internal teams to hit the ground running for future application development and scalability by:

  • Reducing technical debt
  • Organizing code into reusable patterns
  • Reconfiguring AWS resources

Using Terraform, the backend can be iterated and all builds, deployments, and releases are automated – including documentation in the code and READMEs, PDFs, architectural drawings, and cross-training videos with the client developers.

Equipping your team for the future

Our teams help clients rethink their business strategy with HashiCorp and AWS. Whether it’s reducing technical debt with reusable code patterns or building infrastructure that enhances end-to-end automation, Trility seeks to equip your team for the future.


Increase Market Share with Critical Software Enhancements

Confidential Client

COMPLIANCE SERVICES CO.

Project Outcomes & Results

Overall Summary

This client needed enhancements made to its existing software to retain clients and increase market share. Trility was able to complete the enhancements and pivot to high priority needs identified by the company.

Our compliance services company is better positioned to market its services since engaging with Trility. An added benefit is we now have control of our “digital destiny” as they also helped us achieve a smooth transition to ownership of our accounts, services, and tools.

President & CEO

Software Enhancements

Challenge

Their Software as a Service (SaaS) required necessary features to maintain its client base and adapt to grow market share. The team also needed insight into transitioning away from its existing consulting firm and taking ownership of necessary third-party accounts and tools (cloud provider, GitHub, etc.) in order to have flexibility with future vendors.

Outcomes

  • Added critical features to the software based on the priorities set by the client
  • Transitioned ownership of accounts and tools without interruption to customers

Results

  • Retained clients with added features
  • Achieved long-term control of digital assets 
  • Flexibility to contract with other firms

The amount of development Trility accomplished in the three weeks was incredible compared to our previous experience. While their hourly rate might be more than other firms, they are actually a better value because they are efficient, thorough, and accurate in their work. They get it done fast and right, which was essential to our company.

President & CEO

Demo Environment Configuration

Challenge

The company needed a separate, fully functioning, demonstration site to optimally support sales and client training.

Outcomes

  • Completed feature enhancements 
  • Created realistic demo environment with meaningful data for both smaller and larger account types

Through the weekly sprints and reports, I always knew the status of the project. I could easily see what work was completed, what was planned for the following week – all while giving me time to review and prepare to bring up issues and make necessary adjustments during weekly meetings.

President & CEO

Results

  • Added capabilities for customer retention
  • Improved productivity for sales team
  • Achieved the ability to show capabilities by customer segments
  • Completed 13 days early

Our compliance services company doesn’t require a full-time developer, so Trility is able to bring the right expertise for our evolving needs. With each project, Trility has provided us with responsive, qualified team members. And while we are a smaller client to Trility, they have always made us feel equally important.

President & CEO

Technology Stack

Trility continues to work with this client to help improve features and services to its customers using Amazon Web Services: EC2, S3, ECS, ECR, and more, and HashiCorp Terraform.

Full-stack capabilities to scale growth

Our team’s expertise spans the entire stack to help clients rethink their business strategy in the cloud. Whether it’s product design and development or cloud architecture and infrastructure to support long-term automation with security and compliance built-in, Trility can provide the resources to scale business and claim your share of the market.


Enable Teams Quickly with CloudFormation to Automate Secured Deployments of Resources

Confidential Client

MOBILITY DATA AND ANALYTICS CO.

Project Outcomes & Results
Preceding this engagement, this client's parent company had 50 Amazon Web Service (AWS) accounts spread across the company without centralized security, logging, monitoring and architecture. The parent company hired Trility Consulting® to help develop a secure enterprise cloud architecture strategy and move on-prem workloads to the cloud, build native apps in the cloud, and optimize the cloud for automation, scalability, and auditability. 

The achieved outcome was an enterprise Cloud Security framework to enable cloud services across the company with reusable patterns that created predictable, repeatable, and auditable results.

Challenge

This client needed to refactor its cloud environment to align with its parent company’s enterprise cloud framework, and using AWS CloudFormation allowed them to quickly enable teams and enforce security controls.

Prior to this engagement, the client hired Trility to help pursue a secure, safe serverless environment across its enterprise, so they turned to our team again to help bootstrap the design, implementation, and operational evolution of AWS operations and to implement a data storage solution using CloudFormation.

Why CloudFormation?

AWS CloudFormation was selected to automate the secure deployment of AWS resources across business units to help the client's teams adapt quickly and automate testing. Using the enterprise cloud framework provided by the parent company, Trility proposed rewriting all IAM roles, permissions, and policies for the entire environment – applications, EC2 instances, CloudFront, security groups, IAM resources, and all networking.

Solution

Trility conducted architectural assessments, gained understanding of existing processes, procedures, and information security implementations in order to provide next-step recommendations. Trility then facilitated the secured population of the environments according to the parent company’s requirements while cleaning up and simplifying IAM permissions contextually. 

As an extension of the initial project with the parent company, Trility used CloudFormation and CI/CD pipelines to build, evolve, troubleshoot, and provide solutions for cloud architecture, new resource buildouts, and configurations, as well as automate the deployment of IAM permissions, roles, and policies. Trility teams also provided training on S3 and writing IAM policies to equip the client’s team members at the end of the engagement.

Outcomes

  • Continue to facilitate and ensure alignment of the enterprise cloud framework vision between the client and its parent company while helping both be operational and more competently experienced in cloud architecture through operations.
  • Provide coaching and knowledge transfer to client team members for building and managing 100 percent software-defined infrastructure in the cloud with a security-first mindset.
  • New pipelines continue to be built as requested and required using existing enterprise cloud framework patterns.
  • Ensure all new work goes back into the framework.
  • Apply least privilege mindset to all enterprise cloud framework patterns while simultaneously delivering new pipelines for new and old code packages integrating the client’s information safety team.

Reusable Patterns

Trility builds a golden triangle of truth for version control, change management, and continuous delivery pipelines to ensure predictable, repeatable, and auditable results. Long-term, the client’s teams have increased operational performance and reduced time to value by leveraging the power of CloudFormation’s reusable templates:

  • Iterated on a multi-region enterprise cloud framework
  • IAM Permissions and Management 
  • Jenkins Worker Model pattern
  • Patching enforcement pattern for long-running resources
  • Services and group code management 
  • Security-defined role-based access behaviors 

Description of Environment

Implementation included 100 percent software-defined infrastructure and operations into a predictable, repeatable, auditable build, bundle and deploy pipeline pattern for use by any and all organizations in the enterprise. AWS CloudFormation allowed for the following:

  • Mappings, template parameters, AWS pseudo parameters, and AWS-specific parameter types
  • Template nesting and cross-stack references
  • Validation of parameter input
  • Templates split into logical stacks so that modules are decoupled, reusable, and easier to maintain
  • Outputs carrying helpful stack information on the resources created
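As an added illustration of the CloudFormation features listed above (example code written for this page, not the client's or Trility's template), one network-tier template that exercises each of them; the parameter names, the mapping values and the nested template URL are assumptions:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Example template (not the client's): Parameters with validation and an
  AWS-specific type, Mappings, pseudo parameters, a nested stack, and
  exported Outputs for cross-stack references.

Parameters:
  Environment:
    Type: String
    AllowedValues: [dev, test, prod]   # validation: only the known tiers are accepted
    Default: dev
  VpcId:
    Type: AWS::EC2::VPC::Id             # AWS-specific type: must exist in this account and region
  AppName:
    Type: String
    AllowedPattern: "^[a-z][a-z0-9-]{2,20}$"   # validation via regular expression
    ConstraintDescription: lowercase letters, digits and hyphens, 3 to 21 characters
  NestedTemplateUrl:
    Type: String                         # assumed S3 URL of the application-tier template

Mappings:
  # per-environment settings live in one place instead of being hard-coded in resources
  EnvConfig:
    dev:  { LogRetentionDays: "7",   AllowedCidr: "10.10.0.0/16" }
    test: { LogRetentionDays: "30",  AllowedCidr: "10.20.0.0/16" }
    prod: { LogRetentionDays: "365", AllowedCidr: "10.30.0.0/16" }

Resources:
  AppLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      # pseudo parameters keep the name unique per account and region
      LogGroupName: !Sub "/${AppName}/${Environment}/${AWS::Region}/${AWS::AccountId}"
      RetentionInDays: !FindInMap [EnvConfig, !Ref Environment, LogRetentionDays]

  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: !Sub "${AppName} ${Environment} ingress, restricted to the environment CIDR"
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !FindInMap [EnvConfig, !Ref Environment, AllowedCidr]

  # Nested stack: the application tier is a separate template and receives
  # only the values it needs, so the two modules stay decoupled.
  AppTierStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: !Ref NestedTemplateUrl
      Parameters:
        SecurityGroupId: !Ref AppSecurityGroup
        LogGroupName: !Ref AppLogGroup

Outputs:
  SecurityGroupId:
    Description: Security group that sibling stacks attach to
    Value: !Ref AppSecurityGroup
    Export:
      Name: !Sub "${AWS::StackName}-AppSecurityGroupId"   # read elsewhere with !ImportValue
  LogGroupName:
    Description: Central log group for this environment
    Value: !Ref AppLogGroup
    Export:
      Name: !Sub "${AWS::StackName}-LogGroupName"
```

A separate stack in the same account and region consumes the exports with `!ImportValue "<this-stack-name>-AppSecurityGroupId"`, and CloudFormation refuses to delete this stack while any such import exists.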

Lessons Learned

Managed policies built in AWS did not allow for the granular controls necessary for this enterprise system. Trility worked with the parent company’s team to create reusable and more granular policies across the environment that could be rolled back up to the enterprise cloud framework, along with all other iterations and lessons learned.

Simplify, Automate, and Secure Your Next Challenge

Trility helps rethink your entire business strategy in the cloud. Learn how you can accelerate your next AWS initiative with us.


Evolve Build, Bundle, and Deploy Operations into Secured Predictable, Repeatable Delivery Model

Confidential Client

FORTUNE 100 / GLOBAL INSURANCE CO.

Project Outcomes & Results

Challenge

This client is evolving its build, bundle, and deploy operations into a predictable, repeatable delivery model as it moves more of its operations into Amazon Web Services (AWS). As a result, more knowledge and experience is needed in the use of cloud operations tools, processes, and procedures as well as how to fully evolve the use of development behaviors, tools, processes, and procedures in the cloud. 

Prior to this engagement, the client hired Trility to help pursue a secure, safe serverless environment across its enterprise, so they turned to our team again to help bootstrap the design, implementation, and operational evolution of AWS operations and implement a data storage solution using CloudFormation for a secured enterprise framework.

Why CloudFormation?

AWS CloudFormation was selected to automate the secure deployment of AWS resources across business units to help the client's teams adapt quickly and automate testing.

Solution

In order to scale using CloudFormation, Trility proposed an automated continuous delivery pipeline ecosystem using the client-chosen tools, Terraform and Jenkins, as well as RDS Aurora MySQL and S3 solutions to design, direct, and implement the cloud ecosystem architecture.

Outcomes

Created, implemented, and still evolving a build pipeline ecosystem where:

  • 100% of the stack (all infrastructure, systems, and applications) is deployed and controlled using CloudFormation and Jenkins.
  • No console access or API access exists except through Jenkins; however, a “break glass” process is in place to generate credentials when and if needed.
  • 100% of the stack is managed in a version control system using Git and GitHub Enterprise
  • 100% of the stack is driven by Jenkins, with GitHub Enterprise as the change management control system, and each source-level change set is associated with a change request with bi-directional traceability tracked in Jira
  • Before any changes are made to the different environments, mandatory pull requests must be reviewed and merged into the main branch
  • Artifactory is used to store deployable code after it has been fully authenticated and scanned for vulnerabilities following general CIS metrics
  • CloudFront, with AWS Regional web application firewall (WAF), is enabled in front of the static website contents and Apigee endpoints, with specific regions whitelisted for access
  • Centralized Splunk logging is used as the destination for all VPC Flow Logs, Apigee and Auth0 endpoint logs, S3 bucket access logs, and database logs
  • All manual steps in application management and deployment are mitigated or eliminated using Jenkins, with a preference for ‘eliminated’

Created, implemented, and still evolving a repeatable database solution using automated deployments and provisioning, as well as static asset monitoring and scanning solutions for antivirus, malware, etc., detection in S3 buckets in the different environments.

Collaborating with identified vendors to assess information security aspects of their AWS solutions with respect to information exchanges and flows, ingress and egress needs, internal and external resource access requirements, and data protection requirements.

Reusable Patterns

Trility builds a golden triangle of truth for version control, change management, and continuous delivery pipelines to ensure predictable, repeatable, and auditable results. Long-term, this client’s teams have increased operational performance and reduced time to value by leveraging the power of CloudFormation’s reusable templates:

  • Environment – Serverless applications running within Lambda, RDS Aurora MySQL clusters, and S3 storage utilizing IAM roles and policies to secure the environments, and security groups to maintain secure access to the resources.
  • Initiated/Deployed – Using Jenkins CI/CD pipelines, configuration files per environment, and templates using RBAC for operation
  • Workload – Serverless apps and enforcing security and compliance using RBAC, security groups, IAM roles and policies across the AWS ecosystem deployed to support Digital Footprint.
  • Third-party tools/solutions – NodeJS, Python, CloudFormation, Terraform, Apigee, Splunk, Auth0

Lessons Learned

It was determined that an ephemeral solution was desirable, as the client did not want to patch EC2 instances because of the time required, and patching was not optimal for scaling. Trility provided recommendations to evolve the existing framework to Lambda and NodeJS in a serverless environment, as it was determined early on that the client would save 12 hours/month on new images and 24 hours/month on new deployments.

The client made the decision to no longer use AWS API Gateway and instead use Apigee as the API endpoint for service access and reverse proxy. As this application evolved, so did the framework in adjusting and scaling for even larger data sets.

Simplify, Automate, and Secure Your Next Challenge

Trility helps rethink your entire business strategy in the cloud. Learn how you can accelerate your next AWS initiative with us.


Centralized Automated Vault Solution

Confidential Client

FORTUNE 500 / GLOBAL INSURANCE CO.

Achieved desired outcomes

Challenge

The client requested a long-term Amazon Web Services (AWS) cloud strategy which required a working, tested, proof of concept, and an implementation plan for role-based access that met specific security and performance criteria. The client explicitly requested:

  • Reusable, predictable, repeatable, and auditable deployment patterns for an agile-based delivery model
  • Automated rotating credentials every N++ days
  • A high-availability architecture – all software-defined, all enterprise deployable

Solution

Working closely with the client, the Trility team provided multiple options and recommendations guiding early architecture iterations leading to the baseline proof of concept. As part of the implementation, Trility continued to work with the client’s team members using HashiCorp’s Terraform to automate and deploy Vault. The system was set up in clusters to achieve high availability with the least amount of human interaction and was deployed throughout four environments: Learning, Development, Pre-Production, and Production.

Outcomes

  • Delivered proof of concept and early roadmapping
  • Seamless transition to integrated implementation teams comprised of both Trility and client teams
  • Built a centralized, automated Vault solution to enable the use of secret role-based access in automated pipelines
  • Achieved four nines (99.995% availability) 
  • Three environments – Development, Test, and Production – use this pattern
  • Provided mentoring on HashiCorp’s Terraform to achieve a repeatable and automated state

Reusable Patterns

  • Role-based access template for the enterprise cloud user base
  • Terraform deployment patterns used for coaching internal cloud engineering teams
  • Reusable enterprise Vault template that serves every group in the client’s cloud (and more) with authorized role-based access

Want to Automate Permissions?

If you need to refactor or automate permissions in a cloud, on-prem, or hybrid ecosystem, we can help you equip your people and your company to build better.

For this client, HashiCorp products were the ideal solution. Learn more about our partnership with HashiCorp or get in touch with us to navigate to a simplified, automated, secured solution.