Provisioning Secure and Compliant Applications on AWS with DevSecOps and DuploCloud
By Cheryl Cage, Sr. Security Partner Strategist – AWS
By Ian Hutchinson, VP of Sales – DuploCloud
It has become increasingly important for companies to meet security and compliance standards set forth across industries today, such as SOC 2, ISO 27001, PCI DSS, HIPAA, and GDPR.
This is particularly a hurdle for smaller independent software vendors (ISVs) and startups that do not have the resources and budget to navigate the ever-growing list of security and compliance requirements.
Amazon Web Services (AWS) puts great effort into keeping its cloud services secure and provides tools to improve security posture of the infrastructure.
The reality, however, is that security in the cloud is a shared responsibility between AWS and the customer. This means customers must ensure the proper visibility and controls are in place to safeguard workloads and data in the cloud.
System and Organization Controls 2 (or SOC 2), for instance, has become important for companies that work in the cloud. Applicable to all technology service or software-as-a-service (SaaS) companies that store customer data in the cloud, a SOC 2 audit assures customers and various stakeholders that the proper infrastructure and processes are in place to protect information from unauthorized access.
That’s why DevSecOps is especially important to ensure security provisioning, patching, hardening, and configuration are applied at all phases of the development process. Further, security controls are best implemented from the beginning rather than as an afterthought.
In this post, we will describe an approach and best practices for SOC 2 compliance. We’ll also share how DuploCloud accelerates time to compliance by natively integrating security controls into mainstream DevOps workflows.
DuploCloud is an AWS Security Competency Partner and no-code/low-code platform that implements an out-of-the-box full stack of DevSecOps functions, from network, compute, storage, and containers to AWS-native services and CI/CD.
SOC 2 Approach and Best Practices
You can leverage the AWS services that have been included in the AWS SOC 2 attestation report to build your applications, but you need to ensure you’ve configured the services appropriately to meet your security and compliance objectives.
The SOC 2 standard, as well as the Security Pillar of the AWS Well-Architected Framework, both aim to guide an organization towards an implementation of a secure, highly available, and scalable infrastructure but are not prescriptive in nature.
Automating security processes, testing, and validation helps you scale security operations and makes those processes consistent and repeatable.
The following five-step implementation plan can be used as a reference:
1. Narrow down the implementation scope by mapping the SOC 2 focus areas and controls to AWS services.
Figure 1 – SOC 2 compliance process with AWS services mapping.
2. Draw a high-level application architecture that encompasses the key aspects of the Well-Architected Framework. This includes firewalls, load balancers, multiple AWS Availability Zones (AZs), and appropriate security controls.
Figure 2 – Example of a Well-Architected Framework architecture diagram.
3. Draw out the lifecycle of your DevOps automation process in terms of functional areas.
Figure 3 – Typical cloud infrastructure/app deployment lifecycle.
4. Document a control-by-control implementation of SOC 2 controls to AWS configuration in each of these focus areas. Learn more in this DuploCloud whitepaper.
5. Build automation to implement the controls.
At the end of Step 4, you may realize that building the automation and implementing the vast set of controls is no small task. The DuploCloud platform provisions these controls in a secure and compliant manner out-of-box in a fraction of the time.
DuploCloud Offers DevOps as a Service
DuploCloud provides a DevOps-in-a-box solution. The idea is that engineering teams can provide their high-level application infrastructure, along with the desired compliance standard, and the DuploCloud software auto-generates and operates all of the lower-level AWS configurations per the chosen compliance standard.
The software runs in a virtual machine in the customer’s cloud account and can be accessed via user interface (UI), API or infrastructure as code (IaC).
After first-time configuration, the same workflow is used for updates while the platform monitors the infrastructure for aberrations. Virtually all aspects of DevOps and security—from logging, monitoring, alerts, host intrusion detection, security information and event management (SIEM), and scores of other functionality—are provisioned and configured out-of-box by DuploCloud. All configurations that have been created and applied by DuploCloud are transparently available to be reviewed and edited in the customer’s cloud account.
With DuploCloud, developers and DevOps engineers are able to operate securely at scale without requiring either deep knowledge in the nuances of DevOps or compliance. Even IaC is made easier with the low-code Terraform provider.
DuploCloud has over 75 customers and a majority of them are startups. Across these customers, the DuploCloud platform has helped achieve dozens of compliance certifications in SOC 2, HIPAA, PCI, ISO, and others.
Figure 4 – DuploCloud DevOps automation platform.
DuploCloud’s Quick Start guide walks you through how to achieve SOC 2 compliance using the example application architecture shown in Figure 2, in just a few steps.
VPC, Regions, Kubernetes Clusters, and VPN
DuploCloud has the concept of an “infrastructure,” which is essentially a virtual private cloud (VPC) in a region with a Kubernetes and/or an Amazon Elastic Container Service (Amazon ECS) cluster.
The user provides a few basic inputs such as name, VPC CIDR, region, and subnet CIDR, and behind the scenes the platform configures the lower-level details: network address translation (NAT) gateways, subnets, routing, the Amazon Elastic Kubernetes Service (Amazon EKS) cluster control plane setup, and more.
Figure 5 – Screenshot for infrastructure setup.
An architecture can include multiple “infrastructures” wherever there is a business need for separate network segments. At the very least, a SOC 2 environment should have separate infrastructures for production and non-production.
SOC 2 focus areas covered: Defense in depth approach with multiple security controls, applied to all layers (for example, edge of network, VPC, load balancing, every instance and compute service, operating system, application, and code).
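To make the “high-level inputs in, lower-level network layout out” idea concrete, here is an added Python example (not DuploCloud’s or AWS’s code) that takes the inputs the section lists (name, VPC CIDR, region, subnet size) and derives the per-Availability-Zone layout: one public and one private subnet per AZ, a NAT gateway in each public subnet, and a default route from each private subnet to its AZ-local NAT gateway. It also checks that separate infrastructures, such as production and non-production, do not share address space. The AZ names, CIDRs and the “igw”/“nat-…” route labels are constructed sample values, and the layout rules are this example’s own, not a description of what the platform generates.

```python
"""Plan an "infrastructure" (one VPC) as per-AZ public/private subnets.

Added example, not DuploCloud code.  CIDRs, AZ names and route labels
below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Subnet:
    name: str
    cidr: ipaddress.IPv4Network
    az: str
    public: bool
    # Target of the 0.0.0.0/0 route: the internet gateway ("igw") for
    # public subnets, the AZ-local NAT gateway for private subnets.
    default_route: str


@dataclass
class Infrastructure:
    name: str
    vpc_cidr: ipaddress.IPv4Network
    region: str
    subnets: List[Subnet] = field(default_factory=list)
    nat_gateways: List[str] = field(default_factory=list)


def fits(vpc_cidr, az_count, subnet_prefix=24):
    """True if the VPC can hold one public and one private subnet per AZ."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if subnet_prefix < vpc.prefixlen:
        return False
    return 2 ** (subnet_prefix - vpc.prefixlen) >= 2 * az_count


def plan_infrastructure(name, vpc_cidr, region, azs, subnet_prefix=24):
    """Derive the subnet, NAT and routing layout from the high-level inputs."""
    if not fits(vpc_cidr, len(azs), subnet_prefix):
        raise ValueError(f"{vpc_cidr} cannot hold {2 * len(azs)} /{subnet_prefix} subnets")
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    blocks = iter(vpc.subnets(new_prefix=subnet_prefix))
    infra = Infrastructure(name, vpc, region)
    for az in azs:
        nat = f"nat-{az}"
        # Public subnet hosts the NAT gateway and routes directly to the IGW.
        infra.subnets.append(Subnet(f"{name}-public-{az}", next(blocks), az, True, "igw"))
        # Private subnet (workloads) reaches the internet only via its AZ's NAT.
        infra.subnets.append(Subnet(f"{name}-private-{az}", next(blocks), az, False, nat))
        infra.nat_gateways.append(nat)
    return infra


def check_segmentation(infras):
    """Return (a, b) name pairs whose VPC CIDRs overlap; empty means segmented."""
    overlaps = []
    for i, a in enumerate(infras):
        for b in infras[i + 1:]:
            if a.vpc_cidr.overlaps(b.vpc_cidr):
                overlaps.append((a.name, b.name))
    return overlaps


if __name__ == "__main__":
    prod = plan_infrastructure("prod", "10.10.0.0/16", "us-west-2", ["us-west-2a", "us-west-2b"])
    nonprod = plan_infrastructure("nonprod", "10.20.0.0/16", "us-west-2", ["us-west-2a", "us-west-2b"])
    for s in prod.subnets:
        print(f"{s.name:24} {str(s.cidr):16} default route -> {s.default_route}")
    print("overlaps:", check_segmentation([prod, nonprod]))
```

Running the block prints the four subnets of the constructed “prod” infrastructure and confirms that it does not overlap with “nonprod”; the overlap check is the part worth keeping in a real pipeline, since two VPCs that share address space cannot later be peered or routed cleanly, which undermines the production/non-production separation the section calls for.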
Environments or Tenants
Once the networking has been established, DuploCloud introduces the concept of a tenant, or environment. A new environment can be created in DuploCloud by simply providing a name and choosing the parent infrastructure (VPC).
Figure 6 – Screenshot for tenant setup.
A tenant is a trust zone, a container of resources, and an access control boundary. Each DuploCloud user can have access to one or more tenants. A tenant is the complete source of truth for an environment, holding all of its resources, metrics dashboards, alerts, and logs.
Each tenant is self-contained within a VPC and is implemented by creating a set of security groups, an AWS Identity and Access Management (IAM) role, an instance profile, AWS Key Management Service (AWS KMS) keys, and PEM keys. Each tenant has a namespace in the parent infrastructure’s Kubernetes cluster.
SOC 2 focus areas covered: Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources.
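Because a tenant is an access control boundary backed by its own IAM role and KMS keys, the practical least-privilege question is whether the role’s policy can reach outside that boundary. The following added Python example (not DuploCloud’s or AWS’s code) is a small linter over an IAM policy document, as you would read it back from the role in your own account: it flags wildcard actions, `"Resource": "*"` statements that are not pinned to the tenant by a tag condition, tag conditions that name a different tenant, and KMS permissions on any key other than the tenant’s own. The `aws:ResourceTag/tenant` condition key assumes a tag named `tenant` on tenant resources (an assumption of this example, not a DuploCloud convention), and the two sample policies, account ID and key ID are constructed.

```python
"""Lint an IAM policy against a tenant's trust boundary.

Added example, not DuploCloud code.  The tag key, account ID, KMS key ID
and both sample policies are constructed for the example.
"""

# Assumed convention: tenant-owned resources carry a "tenant" tag.
TENANT_TAG_KEY = "aws:ResourceTag/tenant"

TENANT = "prod-app"
TENANT_KEY = "arn:aws:kms:us-west-2:111122223333:key/11111111-2222-3333-4444-555555555555"

# A policy that stays inside the tenant boundary (constructed sample).
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TaggedResources", "Effect": "Allow",
         "Action": ["secretsmanager:GetSecretValue", "ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*",
         "Condition": {"StringEquals": {TENANT_TAG_KEY: TENANT}}},
        {"Sid": "OwnKey", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
         "Resource": TENANT_KEY},
    ],
}

# A policy with three different ways of leaking across tenants (constructed sample).
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "WrongTenant", "Effect": "Allow",
         "Action": "secretsmanager:GetSecretValue", "Resource": "*",
         "Condition": {"StringEquals": {TENANT_TAG_KEY: "dev-app"}}},
        {"Sid": "AnyKey", "Effect": "Allow", "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:us-west-2:111122223333:key/*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise."""
    return value if isinstance(value, list) else [value]


def _pinned_tenants(stmt):
    """Tenant names the statement's StringEquals condition restricts it to."""
    cond = stmt.get("Condition", {})
    pinned = []
    for op in ("StringEquals", "StringEqualsIgnoreCase"):
        value = cond.get(op, {}).get(TENANT_TAG_KEY)
        if value is not None:
            pinned.extend(_as_list(value))
    return pinned


def find_tenant_violations(policy, tenant, tenant_kms_keys):
    """Return (Sid, reason) pairs for Allow statements that escape the tenant."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only shrink access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        pinned = _pinned_tenants(stmt)
        if "*" in actions:
            findings.append((sid, "wildcard action '*'"))
        if "*" in resources and not pinned:
            findings.append((sid, "resource '*' without a tenant tag condition"))
        for name in pinned:
            if name != tenant:
                findings.append((sid, f"tag condition pins statement to another tenant: {name}"))
        if any(a.startswith("kms:") for a in actions):
            foreign = [r for r in resources if r not in tenant_kms_keys]
            if foreign:
                findings.append((sid, f"KMS action on non-tenant key(s): {foreign}"))
    return findings


if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(label, find_tenant_violations(policy, TENANT, {TENANT_KEY}))
```

A check like this belongs in the same pipeline that applies the policy, so that a role drifting beyond its tenant is caught before deployment rather than found during an audit; the same function can be run against every tenant role in an account to produce the per-statement evidence an auditor asks for.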
AWS Platform Services
With networking in place and an environment (tenant) created, you can add various AWS services. DuploCloud supports several dozen AWS services and new ones are continuously being added.
Users are only required to provide a high-level specification, while the platform auto-generates the underlying details. For example, an Amazon Relational Database Service (Amazon RDS) database can be created with a simple form shown in Figure 7 below, while behind the scenes the platform will store the keys in AWS Secrets Manager with appropriate AWS KMS encryption.
The Kubernetes secrets driver is installed to map those secrets to Kubernetes secrets, which can then be referenced when creating the Kubernetes app deployments. Logging, metrics, database snapshots, backups, and scores of other compliance controls are implemented automatically by the platform.
Figure 7 – Screenshot for database setup.
SOC 2 focus areas covered: Use mechanisms, such as encryption, tokenization, and access control where appropriate. Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost-effectively. Create secure architectures, including the implementation of controls that are defined and managed as code in version-controlled templates.
Within the tenant, you can switch to the containers section and choose to deploy apps onto either Amazon EKS or Amazon ECS. Again, just high-level specifications are required and the underlying details are auto-generated.
Figure 8 – Screenshot for AWS services setup.
Metrics, Logs, and Alerts
DuploCloud automatically sets up diagnostics for every tenant.
Figure 9 – Application metrics.
SOC 2 focus areas covered: Monitor, alert, and audit actions and changes to your environment in real time. Integrate log and metric collection with systems to automatically investigate and take action.
Security Setup and Monitoring
DuploCloud orchestrates a wide range of monitoring tools by simply toggling a few switches. These include AWS CloudTrail, AWS Config, Amazon Inspector, and Amazon GuardDuty, as well as installing OSSEC agents on hosts and centralizing their output in a SIEM.
Figure 10 – Compliance standard metrics and best practices.
SOC 2 focus areas covered: Prepare for an incident by having incident management and investigation policy and processes that align to your organizational requirements. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.
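The database controls described under AWS Platform Services (credentials in AWS Secrets Manager under a KMS key, encryption, snapshots and backups) and the account-level monitoring services listed in this section are exactly what a compliance check must be able to verify continuously. The following added Python example (not DuploCloud’s or AWS’s code) evaluates a small resource inventory against those controls in the style of an AWS Config rule set and rolls the results up per control, the “green/red” view that compliance tooling shows an auditor. The inventory is a constructed sample with simplified field names; it is not the shape returned by any AWS API, and the ARNs and account ID in it are made up.

```python
"""Evaluate a resource inventory against SOC 2 style controls.

Added example, not DuploCloud code.  The inventory, ARNs and account ID
are constructed; field names are simplified and do not mirror AWS APIs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    control: str
    compliant: bool
    detail: str


# Constructed sample inventory: one compliant and one non-compliant database,
# and an account with GuardDuty switched off.
INVENTORY = {
    "account": {"cloudtrail_enabled": True, "config_enabled": True,
                "guardduty_enabled": False, "inspector_enabled": True},
    "rds": [
        {"id": "prod-app-db", "tenant": "prod-app", "storage_encrypted": True,
         "kms_key_arn": "arn:aws:kms:us-west-2:111122223333:key/11111111-2222-3333-4444-555555555555",
         "backup_retention_days": 7, "publicly_accessible": False,
         "master_secret_arn": "arn:aws:secretsmanager:us-west-2:111122223333:secret:prod-app/db-master"},
        {"id": "dev-app-db", "tenant": "dev-app", "storage_encrypted": False,
         "kms_key_arn": None, "backup_retention_days": 0, "publicly_accessible": True,
         "master_secret_arn": None},
    ],
}


def check_rds_instance(db):
    """Yield one Finding per control for a single database record."""
    rid = db["id"]
    kms = (db.get("kms_key_arn") or "")
    encrypted = bool(db.get("storage_encrypted")) and kms.startswith("arn:aws:kms:")
    yield Finding(rid, "rds-encrypted-with-kms", encrypted,
                  "storage encrypted at rest with a KMS key")
    days = db.get("backup_retention_days", 0)
    yield Finding(rid, "rds-backups-enabled", days >= 1,
                  f"automated backups retained {days} day(s)")
    yield Finding(rid, "rds-not-public", not db.get("publicly_accessible", False),
                  "instance is not publicly accessible")
    secret = (db.get("master_secret_arn") or "")
    yield Finding(rid, "rds-credentials-in-secrets-manager",
                  secret.startswith("arn:aws:secretsmanager:"),
                  "master credentials managed in Secrets Manager")


def check_account_monitoring(account):
    """Yield a Finding per account-level monitoring service."""
    for svc in ("cloudtrail", "config", "guardduty", "inspector"):
        enabled = bool(account.get(f"{svc}_enabled", False))
        yield Finding("account", f"{svc}-enabled", enabled,
                      f"{svc} is {'enabled' if enabled else 'disabled'}")


def evaluate(inventory):
    """Run every check and return the flat list of findings."""
    findings = list(check_account_monitoring(inventory["account"]))
    for db in inventory.get("rds", []):
        findings.extend(check_rds_instance(db))
    return findings


def summarize(findings):
    """Per control: COMPLIANT only if every evaluated resource passed."""
    status = {}
    for f in findings:
        status[f.control] = status.get(f.control, True) and f.compliant
    return {c: ("COMPLIANT" if ok else "NON_COMPLIANT") for c, ok in status.items()}


def noncompliant(findings):
    """(resource, control) pairs that need remediation, in evaluation order."""
    return [(f.resource, f.control) for f in findings if not f.compliant]


if __name__ == "__main__":
    results = evaluate(INVENTORY)
    for control, status in summarize(results).items():
        print(f"{control:40} {status}")
    print("remediate:", noncompliant(results))
```

Two design points carry over to real tooling: a control is only green when every in-scope resource passes (one unencrypted database turns the whole control red, which is how an auditor reads it), and the evaluation order is stable so that re-running after a fix produces a diff-able list of what is still outstanding.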
Terraform (IaC) Interface
In addition to the no-code UI described above, users can choose to do all interactions with DuploCloud through its Terraform provider. Following is an example of a Terraform script that implements a similar infrastructure with a fraction of the code that would otherwise have to be written with the native AWS Terraform provider.
Figure 11 – Simplified Terraform with DuploCloud Terraform provider.
SOC 2 focus areas covered: Change authorization, management, documentation, and evaluation.
Integration with Compliance Automation Tools
Many organizations use third-party compliance automation software for compliance evidence collection and monitoring. Provisioning an application infrastructure with DuploCloud ensures these tools show green for the SOC 2 controls, making the audit process a breeze.
Implementing a SOC 2-compliant infrastructure is no easy task. While AWS provides security controls at its scope, there are many controls that need to be implemented and configured properly by the user. A SOC 2 implementation requires substantial subject matter expertise in operations and InfoSec, as well as proficiency in automation (IaC).
Compliance is best implemented and integrated into the main DevOps workflow rather than running software after the fact to determine security gaps that require reworking an existing setup.
Sometimes starting from scratch in a compliant manner is easier than fixing a non-compliant setup. DuploCloud provides an out-of-box solution for infrastructure automation that is compliant with the desired standard. Read DuploCloud’s SOC 2 whitepaper to learn more, or visit DuploCloud.com.