As cloud-native infrastructure goes mainstream, fintech companies have adopted security automation tools to harden their DevOps deployment environments and make those environments accessible to conservative IT compliance auditors.
LendingClub, an online loan marketplace in San Francisco, installed a security policy enforcement tool from startup Accurics in late 2019. The tool inspects multiple layers of infrastructure configuration in the company's AWS environment, remediates potential vulnerabilities through GitHub and reports on IT compliance in its dashboard. Greenlight Financial Technology, an Atlanta-based company that makes a debit card for kids, chose a tool from StackRox to shore up Kubernetes security in Amazon EKS that also generated IT compliance reports the company's security team can pass along to auditors.
Both companies first chose their respective tools for their security automation features, but soon realized they could also be useful for IT compliance.
"We're considered part of our bank partners' perimeter, and as we get bigger, we start becoming a bigger part of their risk profile, and start going through deeper and more frequent audits," said James Gaythwaite, CTO at Greenlight, which manages assets for 1 million users on its mobile app. "[Before StackRox] we had difficulty assuring partners, auditors and investors that we were following the same security practices they were, even if we weren't using the same tools."
LendingClub demonstrates IT compliance through policy as code
LendingClub couldn't rely on manual code reviews for IT security as it embraced DevOps and transitioned from on-premises data centers to the cloud. The company's IT team connected with Accurics' founders through word of mouth in the Bay Area tech industry, and initially, their interest grew because the startup's eponymous tools integrated well with GitHub code repositories and Jenkins CI/CD pipelines.
"Compliance and cybersecurity are the two main risk factors in fintech, and we're heavily regulated under some of the most stringent constraints," said Paolo Montini, chief data officer and head of cyber risk management at LendingClub. "But there's a tension between that risk management and the agility and speed we need [for DevOps deployments], and the key to achieving a proper balance is automation."
Accurics automatically checks AWS system configurations and Terraform infrastructure-as-code templates against the company's security policies before they are applied. If it detects discrepancies between proposed configuration and code changes and the security policies, the Accurics tool issues an alert and suggests remediations to bring them into line with policy. Automating these security checks saved about 15% to 20% of daily labor for LendingClub's SecOps staff, Montini estimated.
LendingClub also decided to give internal auditors direct access to the product's dashboard, to show the company was still following security best practices in automated deployments to the cloud.
"Instead of showing auditors screenshots, we show them the Accurics interface itself," Montini said. "It's pretty simple — you can see the policies defined on one side, and any discrepancies or gaps, as well as recommendations for how to remediate those."
There's also risk in going with a new company — Accurics was still in stealth in November 2019 when LendingClub first began evaluating its product. But the startup offered a broader scope than many policy-as-code tools developed for specific infrastructure components. It can scan infrastructure configuration and code in AWS, Azure and Google, including each cloud provider's infrastructure-as-code service, as well as infrastructure components such as Kubernetes and Istio and infrastructure as code written with Terraform and Ansible.
When LendingClub evaluated Accurics, it also had on its roadmap the ability to assess security vulnerabilities not just within individual system and tool configurations, but in how they fit together, Montini said. Accurics calls this feature breach path prediction, and it is now generally available.
"Even if individual configurations themselves are correct according to policy, when you put them together, they can still introduce a way for an attacker to get in," Montini said. "Accurics can analyze across policies as well — we're starting to look at that."
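The two ideas above, per-resource policy checks on infrastructure as code before it is applied and a composite check that only fires when individually compliant resources combine into a path in, are easy to see in a small policy-as-code evaluator. The following is an added example, not Accurics' code or its output format: the "plan" is a hand-built, simplified dict per resource (not the real Terraform plan schema), the policy names and remediation strings are invented for illustration, and the sample resources are constructed.

```python
"""Policy-as-code evaluation over a constructed, simplified Terraform-like plan.

Added example, not Accurics' code. Resource layout, policy ids and
remediation text are illustrative assumptions, not a real tool's schema.
"""
from dataclasses import dataclass

ANYWHERE = "0.0.0.0/0"


@dataclass
class Finding:
    policy: str
    resource: str
    remediation: str


# Constructed sample plan: one resource per key, simplified attributes.
PLAN = {
    "aws_s3_bucket.reports": {
        "type": "aws_s3_bucket", "acl": "private", "sse_algorithm": None},
    "aws_security_group.web": {
        "type": "aws_security_group",
        "ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": [ANYWHERE]}]},
    "aws_security_group.ops": {
        "type": "aws_security_group",
        "ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["10.0.0.0/8"]}]},
    "aws_iam_role.admin": {
        "type": "aws_iam_role", "actions": ["*"], "resources": ["*"]},
    "aws_instance.web": {
        "type": "aws_instance", "associate_public_ip_address": True,
        "security_groups": ["aws_security_group.web"], "iam_role": "aws_iam_role.admin"},
    "aws_instance.batch": {
        "type": "aws_instance", "associate_public_ip_address": False,
        "security_groups": ["aws_security_group.ops"], "iam_role": "aws_iam_role.admin"},
}


# --- per-resource policies: each looks at one resource in isolation ----------
def check_bucket_encryption(name, r):
    if r["type"] == "aws_s3_bucket" and not r.get("sse_algorithm"):
        yield Finding("s3-encryption-at-rest", name,
                      "add server_side_encryption_configuration (e.g. aws:kms)")


def check_bucket_not_public(name, r):
    if r["type"] == "aws_s3_bucket" and r.get("acl", "private").startswith("public"):
        yield Finding("s3-no-public-acl", name, 'set acl = "private"')


def check_no_world_ssh(name, r):
    if r["type"] != "aws_security_group":
        return
    for rule in r["ingress"]:
        if rule["from_port"] <= 22 <= rule["to_port"] and ANYWHERE in rule["cidr_blocks"]:
            yield Finding("sg-no-world-ssh", name, "restrict port 22 to a bastion or VPN CIDR")


# --- composite policy: a public IP, a world-open security group and an admin
# role each pass on their own; the combination on one instance is the finding.
def world_reachable(plan, inst):
    return any(ANYWHERE in rule["cidr_blocks"]
               for sg in inst["security_groups"]
               for rule in plan[sg]["ingress"])


def check_internet_reachable_admin(plan):
    for name, r in plan.items():
        if r["type"] != "aws_instance":
            continue
        role = plan[r["iam_role"]]
        if r["associate_public_ip_address"] and world_reachable(plan, r) and "*" in role["actions"]:
            yield Finding("internet-reachable-admin-instance", name,
                          f"scope {r['iam_role']} to least privilege or remove public exposure")


PER_RESOURCE = [check_bucket_encryption, check_bucket_not_public, check_no_world_ssh]


def evaluate(plan):
    """Run every per-resource policy, then the composite one; return all findings."""
    findings = []
    for name, r in plan.items():
        for check in PER_RESOURCE:
            findings.extend(check(name, r))
    findings.extend(check_internet_reachable_admin(plan))
    return findings


if __name__ == "__main__":
    for f in evaluate(PLAN):
        print(f"{f.policy:36} {f.resource:26} -> {f.remediation}")
```

Run against the constructed plan, the per-resource checks flag only the unencrypted bucket; both security groups and both instances pass them. The composite check then flags `aws_instance.web`, because it is the one instance that is publicly addressable, world-reachable through its security group and carrying the wildcard role at the same time, while `aws_instance.batch` holds the same role without any public exposure and is left alone.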
Greenlight StackRox reports support IT compliance audits
Greenlight, founded in 2014, has always been based in the cloud, where it started as a customer of AWS Elastic Beanstalk. But Greenlight encountered new IT security risks when it moved to Amazon EKS about a year ago, after its business grew and it converted monolithic apps written in Node.js to microservices written in Go. To address those risks, it bought a tool from container security specialist StackRox.
"A lot of IT security tools aren't built for Kubernetes or even containers — they assume they'll have access to a host," said Ken De La Guera, senior DevOps engineer at Greenlight. StackRox, by contrast, could be automatically deployed to Kubernetes clusters through Helm charts, even though Helm wasn't officially supported until a StackRox update released last month. Once deployed, StackRox continuously scans Greenlight's environment for security threats, which is key to maintaining security standards as the company's app deployments grow more frequent, De La Guera said.
Moreover, StackRox offered IT compliance monitoring that helped Greenlight's partners and auditors keep up with those changes, too. The tool summarizes its assessment of Kubernetes clusters' compliance in reports that compare the state of the environment against regulatory requirements, as well as general IT security benchmarks from NIST and CIS. Like Accurics, StackRox offers recommendations for improving users' security posture and remediating security issues.
So far, Greenlight's security team has used StackRox compliance reports in two audits during the first quarter of 2020, according to Greenlight's Gaythwaite.
"We had been struggling to articulate certain parts of audits, and StackRox just checked all the boxes we needed," he said. "Its dynamic scanning of the environment showed that our containers and container images were vetted and approved."
The next step for Greenlight will be to integrate StackRox with its Jenkins CI/CD pipelines to perform container image signing and block the deployment of unauthorized container images to Kubernetes clusters. Greenlight is also hoping StackRox will develop alternatives to the tool's default failure mode when ingress controllers time out — right now, StackRox sensors restart their Kubernetes pods under those circumstances, but De La Guera said he hopes for a less disruptive response to such timeouts in future versions of the tool. A StackRox spokesperson said the company is considering the request.
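The gate Greenlight describes, sign images in CI and refuse to deploy anything unsigned, reduces to a few checks at admission time: the image must come from an approved registry, must be referenced by immutable digest rather than a mutable tag, and that digest must carry a signature that verifies against the CI signing key. The code below is an added example of that logic and is neither StackRox's nor Greenlight's; the approved registry, the signing key and the signature store are constructed in-memory stand-ins (an HMAC over the digest, not a real signing system such as cosign or Notary), and the pod spec is made up.

```python
"""Admission-style gate for container images: approved registry, digest-pinned,
signature verifies. Added example, not StackRox's or Greenlight's code.
The key, registry name and signature store are constructed stand-ins.
"""
import hashlib
import hmac
import re

APPROVED_REGISTRIES = {"registry.example.internal"}   # constructed
CI_SIGNING_KEY = b"constructed-ci-key-not-a-real-secret"  # constructed stand-in

# registry/repo[:tag][@sha256:digest]; unqualified refs such as "nginx:latest"
# deliberately do not match, so the gate fails closed on them.
IMAGE_RE = re.compile(
    r"^(?P<registry>[^/]+)/(?P<repo>[^@:]+)(?::(?P<tag>[^@]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")


def image_digest_of(content: bytes) -> str:
    """Stand-in for a registry's content digest of an image manifest."""
    return "sha256:" + hashlib.sha256(content).hexdigest()


def sign_digest(key: bytes, digest: str) -> str:
    """Stand-in for the CI signing step: an HMAC over the digest string."""
    return hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()


def parse_image(ref: str):
    m = IMAGE_RE.match(ref)
    return m.groupdict() if m else None


def admit_image(ref, signatures, approved=APPROVED_REGISTRIES, key=CI_SIGNING_KEY):
    """Return (allowed, reason). Every failure path is a deny with an explanation."""
    parts = parse_image(ref)
    if parts is None:
        return False, "unqualified or unparseable image reference"
    if parts["registry"] not in approved:
        return False, f"registry {parts['registry']} not approved"
    if not parts["digest"]:
        return False, "image not pinned by digest (tags are mutable)"
    sig = signatures.get(parts["digest"])
    if sig is None:
        return False, "no signature recorded for digest"
    if not hmac.compare_digest(sig, sign_digest(key, parts["digest"])):
        return False, "signature does not verify against CI key"
    return True, "ok"


def admit_pod(pod, signatures):
    """Deny the whole pod if any container image fails the gate."""
    for c in pod["spec"]["containers"]:
        ok, reason = admit_image(c["image"], signatures)
        if not ok:
            return False, f"{c['name']}: {reason}"
    return True, "ok"


# Constructed sample data: one image built and signed in CI, one built elsewhere.
GOOD_DIGEST = image_digest_of(b"constructed image manifest A")
UNSIGNED_DIGEST = image_digest_of(b"constructed image manifest B")
SIGNATURES = {GOOD_DIGEST: sign_digest(CI_SIGNING_KEY, GOOD_DIGEST)}

SAMPLE_POD = {"spec": {"containers": [
    {"name": "api", "image": f"registry.example.internal/api@{GOOD_DIGEST}"},
    {"name": "sidecar", "image": "docker.io/library/busybox:latest"},
]}}

if __name__ == "__main__":
    print(admit_pod(SAMPLE_POD, SIGNATURES))
```

The sample pod is denied on its sidecar even though the `api` image is signed and pinned, which is the behaviour wanted from a deploy gate: one unvetted image is enough to block the rollout. Swapping the HMAC for a real signature scheme and the dict for a signature store changes the verification call, not the decision logic.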