Cloud Engineering
Communications & Media

Policy as Code: Compliance Gate Integration

To help retain government contracts with security requirements, Trility helped this client establish verifiable compliance by building a compliance gate that integrates tests into the existing CI/CD deployment pipelines. The team also centralized application logging to verify and report access permissions and to demonstrate compliance with ICD503.

Problem Statement

To retain critical government contracts with high security requirements, this client needed to achieve verifiable compliance with P2020 for services using Commercial Cloud Services (C2S) and destined for Secret Commercial Cloud Services (SC2S) in AWS GovCloud.

The client also needed application notification and alerting functionality within SC2S, a way to demonstrate compliance with ICD503, and delivery management support to help the security operations team meet critical deadlines.

Solution Approach

To achieve verifiable compliance, Trility built a gate that integrated compliance tests into the existing CI/CD deployment pipelines. The team wrote pre-deployment and post-deployment tests for everything that could be tested automatically, using Aqua Security’s tfsec to scan the Terraform infrastructure as code written by developers before it is applied.

In addition to the compliance gate, Trility:

  • Centralized application logging by collecting all logs generated by infrastructure applications in one location to simulate logging in SC2S. Identity and permission checks were built into the test suite, and resource tagging was used to drive the compliance reports.

  • Built custom Amazon Machine Images (AMIs) using Packer for all new applications and for air-gapped account environments (no internet access).

  • Provided a Delivery Manager to integrate with the security operations team to accelerate their program using our agile Continuous Delivery approach.
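The gate described above combines a pre-deploy stage (tfsec findings on the Terraform code) with a post-deploy stage (checks on what was actually created, keyed on resource tags for reporting). The following is an added example of that pattern and is not Trility's or the client's code. It assumes the shape of tfsec's `--format json` output (a `results` list whose entries carry `rule_id`, `severity`, `status`, `resource` and `location`, with status 0 meaning a failed check), a hypothetical tag policy (`Owner`, `System`, `DataClassification`), and a constructed resource inventory of the kind a describe call or Steampipe query would return. Because the page's gate requires 100% of tests to pass, a single finding or tag violation blocks the deploy.

```python
"""Compliance gate for a CI/CD deploy stage (added example, not the page's code).

Assumptions: tfsec JSON output shape as described in the lead-in; the
required-tag policy and the resource inventory format are hypothetical.
"""
import json
import subprocess
from dataclasses import dataclass, field

# tfsec JSON status values (assumed): 0 = failed, 1 = passed, 2 = ignored.
TFSEC_STATUS_FAILED = 0

# Hypothetical tag policy the post-deploy report keys on.
REQUIRED_TAGS = ("Owner", "System", "DataClassification")


@dataclass
class GateResult:
    passed: bool
    findings: list = field(default_factory=list)    # pre-deploy IaC findings
    violations: list = field(default_factory=list)  # post-deploy tag violations

    def report(self) -> str:
        lines = [f"compliance gate: {'PASS' if self.passed else 'FAIL'}"]
        lines += [f"  pre-deploy  {f}" for f in self.findings]
        lines += [f"  post-deploy {v}" for v in self.violations]
        return "\n".join(lines)


def run_tfsec(tf_dir: str) -> str:
    """Run tfsec over a Terraform directory and return its JSON output.

    tfsec exits non-zero when it finds problems, so check=True would abort
    before the gate could report; the gate decides from the parsed results.
    """
    proc = subprocess.run(["tfsec", tf_dir, "--format", "json"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def pre_deploy_findings(tfsec_json: str) -> list[str]:
    """Every failed tfsec check is a blocking finding: the gate demands 100% pass."""
    results = json.loads(tfsec_json).get("results") or []
    findings = []
    for r in results:
        # A missing status is treated as failed; passed/ignored checks do not block.
        if r.get("status", TFSEC_STATUS_FAILED) != TFSEC_STATUS_FAILED:
            continue
        loc = r.get("location", {})
        findings.append(f"{r.get('severity', '?')} {r.get('rule_id', '?')} "
                        f"{r.get('resource', '?')} "
                        f"({loc.get('filename', '?')}:{loc.get('start_line', '?')})")
    return findings


def post_deploy_tag_violations(resources, required=REQUIRED_TAGS) -> list[str]:
    """Post-deploy check: each deployed resource must carry every required tag,
    otherwise it cannot be attributed to an owner/system in the compliance report."""
    violations = []
    for res in resources:
        tags = res.get("tags") or {}
        missing = [t for t in required if not tags.get(t)]
        if missing:
            violations.append(f"{res.get('arn', '?')} missing tags {missing}")
    return violations


def compliance_gate(tfsec_json: str, resources) -> GateResult:
    """Combine both stages; the gate passes only when neither stage reports anything."""
    findings = pre_deploy_findings(tfsec_json)
    violations = post_deploy_tag_violations(resources)
    return GateResult(passed=not findings and not violations,
                      findings=findings, violations=violations)


# Constructed sample tfsec output: one failed check and one passed check.
SAMPLE_TFSEC_JSON = json.dumps({"results": [
    {"rule_id": "EXAMPLE-0001", "rule_description": "Bucket is not encrypted",
     "severity": "HIGH", "status": 0, "resource": "aws_s3_bucket.app_logs",
     "location": {"filename": "s3.tf", "start_line": 4, "end_line": 9}},
    {"rule_id": "EXAMPLE-0002", "rule_description": "Bucket has versioning",
     "severity": "LOW", "status": 1, "resource": "aws_s3_bucket.app_logs",
     "location": {"filename": "s3.tf", "start_line": 4, "end_line": 9}},
]})

# Constructed post-deploy inventory (placeholder account id and names).
SAMPLE_RESOURCES = [
    {"arn": "arn:aws-us-gov:s3:::example-app-logs",
     "tags": {"Owner": "platform", "System": "notifier", "DataClassification": "internal"}},
    {"arn": "arn:aws-us-gov:ec2:us-gov-west-1:123456789012:instance/i-0exampleid",
     "tags": {"Owner": "platform"}},
]

if __name__ == "__main__":
    import sys
    result = compliance_gate(SAMPLE_TFSEC_JSON, SAMPLE_RESOURCES)
    print(result.report())
    sys.exit(0 if result.passed else 1)  # non-zero exit blocks the deploy stage
```

In a pipeline the pre-deploy stage would call `run_tfsec` on the Terraform directory instead of the constructed sample, and the post-deploy stage would be fed the real inventory; the exit code is what the Jenkins stage keys on. Treating an unknown status as failed keeps the gate closed if the scanner output changes shape.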

Outcomes

With this partnership, the client increased traceability for all environments – including evidencing compliance for government contracts requiring ICD503 compliance.

The Trility team built a compliance gate that included pre- and post-deploy tests that required 100% of tests to pass before deploying to production.

With centralized logging for applications, the client was able to evidence compliance for developer applications using IaC in SC2S environments – making it more observable and easier to verify compliance.

Trility also created gold AMIs for air-gapped accounts, which streamlined consistent application of security practices to new cloud environments across the enterprise.

The security operations team met imperative program milestones with Trility’s Delivery Management support.

Project Attributes

  • Reduced Risk
  • Reduced Technical Debt
  • Accelerate Delivery
  • Increased Automation
  • Increased Scalability
  • Reusable Patterns
  • Increased Capabilities
  • Increased Security
  • Verifiable Compliance
  • Coaching
  • Documentation
  • Learning Sessions
  • Paired Programming
  • Videos

Technologies Used

  • Artifactory
  • Jenkins
  • Kubernetes
  • AMQ
  • Eureka
  • Vault
  • Terraform
  • Packer
  • Aqua Security tfsec
  • Terragrunt
  • InSpec
  • Steampipe
  • Python
  • Docker