Our customer wanted to embrace AWS so they could launch their regulated financial service more quickly. Doing so required SOC 2 compliance. They did not yet know how to incorporate the framework, but they understood that approaching it manually would be expensive and difficult.
As a result, the customer's CIO and CISO made it a requirement to architect their AWS strategy so that they could achieve, and continuously maintain, SOC 2 compliance (Type I and Type II). This customer is a highly regulated FinTech solution provider, and SOC 2 compliance would lead their customers to adopt its solutions more rapidly. Their primary objective for maintaining compliance was to automate checks and remediation so that teams could stay small and lean.
As a starting point, our customer used DivvyCloud's out-of-the-box AWS CIS compliance pack, with the SOC 2 pack applied as an additional layer to the applicable workloads in their cloud environment. From the existing SOC 2 and CIS insight packs, the customer built a custom pack and used DivvyCloud insights to validate their cloud account setup and security posture.
Our FinTech customer confirmed that their AWS accounts met SOC 2 requirements. The compliance scorecard below shows how their production cloud accounts measured against the SOC 2 and CIS insights.
The customer configured DivvyCloud to notify the appropriate account or resource owners of any red cells. C-level executives receive a high-level view of how the company is running its clouds in production, and they can show this view to their own customers at any point.
In parallel with the scorecard, our customer created custom compliance packs from CIS and SOC 2. One key area for the packs is data placement and encryption: encryption is required for storage that holds sensitive data, and application data is never kept on an instance's local disk. It lives either on an attached volume that is flagged for encryption, or at the data layer, e.g. RDS.
The SOC 2 insights below translate into dynamic remediation actions, such as retiring and automatically rotating encryption keys.
With the insights set up, our customer deployed 136 Bots, which generate a daily compliance report with notifications to the CISO and CIO. Many of the Bots perform automated remediation.
Accounts in SOC 2 scope contain live production applications, so they have their own set of Bots with different actions from those applied to other accounts. For example, in these accounts the organization will not tolerate a database with an external IP: the automated action is to delete the database, notify the owner, and check whether the resource was tagged.
Our customer has a strict tagging policy for production accounts, especially those under SOC 2, and tags are applied through automation. The customer uses CloudFormation and CircleCI to deploy templates covering:
- any resources that have access to production accounts
- logging and reviewing all manual changes
- accounts managed by their respective account owners, with remediation plans in place whenever an insight identifies a violation
Some of the key use cases the customer automated to support SOC 2 compliance are:
- Exposed public AWS S3 buckets – notify the owners through Slack of the violation and identify the fix, which is applied through auto-correction.
- Key rotation – reviewed manually together with the third-party vendor; not automated yet.
- Bot notifications (Slack) to the designated team members for the development and/or production environment on:
  - running out of storage
  - CloudFormation stack cleanup
  - IAM policy issues: directly attached permissions, API credentials, MFA, password management, orphaned groups, etc.
  - database backups: enable a retention policy, and automate the manual snapshots
  - resources provisioned in regions that are not allowed or supported are deleted
  - unencrypted databases: alerting is enabled, and the team investigates why the database was created without encryption
- Automation for deployer keys across all accounts:
  - Bots that go into the different development environments and run 7 a.m. – 7 p.m. (not enabled 24/7, because the deployer is external and its keys are enabled only during business hours)
  - in production accounts, keys are deleted once deployment is complete
- AWS Step Functions: Bots monitor any Step Function failures; in the development environment the notification goes to the developer, and in production it goes to the ops team through a Slack notification
- Sleeper Bots for SageMaker notebooks: at the end of every day, a Bot checks all running notebook instances that are not tagged and turns them off by 7 p.m.
  - For instance, one tag records how long a developer will use the instance for a job that may take many hours or days.
  - This Bot has saved them a lot of money on unnecessary resource utilization.
SOC 2 is based on audits against the AICPA Trust Services Criteria, which assess a company's maturity in its processes and security controls. Our FinTech customer automated many of their security compliance checks using DivvyCloud "Bots." The Bots enabled the customer to remediate violations and maintain SOC 2 compliance through DivvyCloud's Compliance Packs.
The DivvyCloud features our customer leverages extensively are: Insights, Bots, Compliance Packs, and Scorecard.
- An insight is a pre-determined characteristic, condition, or behavior that is flagged on a cloud resource. Insights provide an in-depth understanding of cloud infrastructure from a security and compliance perspective.
- Bots are programs that convert manual workflows into automated ones that perform remediation. Insights are the primary data points used to enable and configure Bots. Bots are built from two constructs, filters and actions: filters identify insecure or non-compliant cloud resources, and actions apply the remediation plan to them.
- Compliance Packs are collections of related insights focused on industry requirements and standards for cloud resources. Their primary focus is security, cost, governance, or a combination, across frameworks such as CIS, GDPR, HIPAA, SOC 2, FedRAMP, PCI DSS, NIST, CSA, and ISO.
- The Compliance Scorecard is a heat map that helps teams of all types, including auditors, operations, security teams, managers, and executives, identify areas with compliance issues and act on the right resources to mitigate them.
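To make the filter/action model concrete, here is an added example, not DivvyCloud's code and not the customer's Bots, that evaluates a few of the use cases listed above (a public S3 bucket, a database with a public endpoint in a SOC 2 account, a resource in a disallowed region, and an untagged SageMaker notebook running after 7 p.m.) over a constructed inventory, applies the matching actions, and rolls the findings up into the per-account counts a scorecard heat map is built from. The account IDs, region allow-list, required tag names, rule names and action names are all assumptions made for the illustration.

```python
"""Filter/action policy evaluation over a constructed cloud inventory.
Added illustration, not DivvyCloud or customer code: account IDs, region
allow-list, required tags, rule names and actions are all assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Tuple

SOC2_ACCOUNTS = {"111111111111"}             # assumed: production accounts in SOC 2 scope
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}  # assumed region allow-list
REQUIRED_TAGS = ("owner", "ttl-hours")        # assumed tagging policy
NIGHT = datetime(2024, 5, 6, 19, 30)          # sample evaluation times
DAY = datetime(2024, 5, 6, 10, 0)

@dataclass
class Resource:
    rid: str
    kind: str                  # "s3" | "rds" | "ec2" | "sagemaker"
    account: str
    region: str
    tags: Dict[str, str] = field(default_factory=dict)
    public: bool = False       # public bucket policy, or publicly accessible DB endpoint
    encrypted: bool = True
    running: bool = True
    deleted: bool = False

@dataclass
class Rule:
    name: str
    filter: Callable[[Resource], bool]  # "filter": predicate over one resource
    action: str                         # "notify" | "delete" | "stop"

Finding = Tuple[str, str, str, str]     # (rule, resource id, account, action)

def after_hours(now: datetime) -> bool:
    """Business hours are 07:00-19:00; anything else counts as after hours."""
    return not (7 <= now.hour < 19)

def missing_tags(r: Resource) -> List[str]:
    return [t for t in REQUIRED_TAGS if t not in r.tags]

def build_rules(now: datetime) -> List[Rule]:
    """Rules mirroring the use cases above; SOC 2 accounts get the harsher action."""
    soc2 = lambda r: r.account in SOC2_ACCOUNTS
    return [
        Rule("s3-public-bucket", lambda r: r.kind == "s3" and r.public, "notify"),
        Rule("rds-public-endpoint-soc2", lambda r: r.kind == "rds" and r.public and soc2(r), "delete"),
        Rule("rds-public-endpoint", lambda r: r.kind == "rds" and r.public and not soc2(r), "notify"),
        Rule("rds-unencrypted", lambda r: r.kind == "rds" and not r.encrypted, "notify"),
        Rule("disallowed-region", lambda r: r.region not in ALLOWED_REGIONS, "delete"),
        Rule("sagemaker-untagged-after-hours",
             lambda r: r.kind == "sagemaker" and r.running and bool(missing_tags(r)) and after_hours(now),
             "stop"),
    ]

def evaluate(inventory: List[Resource], rules: List[Rule]) -> List[Finding]:
    """One finding per (resource, rule) whose filter matches; deleted resources are skipped."""
    return [(rule.name, r.rid, r.account, rule.action)
            for r in inventory if not r.deleted for rule in rules if rule.filter(r)]

def remediate(inventory: List[Resource], findings: List[Finding], dry_run: bool = True) -> List[str]:
    """Return Slack-style notification lines; delete/stop mutate the inventory only if not dry_run."""
    by_id = {r.rid: r for r in inventory}
    lines = []
    for rule, rid, account, action in findings:
        r = by_id[rid]
        owner = r.tags.get("owner", "UNOWNED (untagged)")   # untagged resources are flagged as such
        lines.append(f"[{rule}] {r.kind} {rid} ({account}/{r.region}) -> {action}; owner: {owner}")
        if not dry_run and action == "delete":
            r.deleted = True
        elif not dry_run and action == "stop":
            r.running = False
    return lines

def scorecard(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Account x rule violation counts: the numbers behind a compliance heat map."""
    card: Dict[str, Dict[str, int]] = {}
    for rule, _, account, _ in findings:
        card.setdefault(account, {})
        card[account][rule] = card[account].get(rule, 0) + 1
    return card

def make_inventory() -> List[Resource]:
    """Constructed sample inventory, not real resources."""
    return [
        Resource("logs-bucket", "s3", "111111111111", "us-east-1", {"owner": "platform"}, public=True),
        Resource("prod-db", "rds", "111111111111", "us-east-1", {"owner": "payments", "ttl-hours": "0"}, public=True),
        Resource("dev-db", "rds", "222222222222", "us-west-2", {"owner": "dev"}, public=True, encrypted=False),
        Resource("stray-vm", "ec2", "222222222222", "eu-west-1", {"owner": "dev"}),
        Resource("nb-untagged", "sagemaker", "222222222222", "us-west-2"),
        Resource("nb-tagged", "sagemaker", "222222222222", "us-west-2", {"owner": "ds", "ttl-hours": "48"}),
    ]

if __name__ == "__main__":
    inv = make_inventory()
    found = evaluate(inv, build_rules(NIGHT))
    print("\n".join(remediate(inv, found, dry_run=False)))
    print(scorecard(found))
    print("still open after remediation:", len(evaluate(inv, build_rules(NIGHT))))
```

Two design points carry over from the customer's setup: the same condition (a publicly reachable database) maps to different actions depending on whether the account is in SOC 2 scope, and remediation defaults to a dry run, so a new Bot can be staged as notify-only and its findings reviewed before the delete or stop action is switched on. Re-running `evaluate` after a non-dry-run `remediate` shows only the notify-only findings still open, which is the signal a daily report would carry.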