Security Sprint: The Story of a SaaS Company’s Security Revamp
How I Transformed a SaaS Company’s Security Posture in 30 Days
I have a small cybersecurity consulting business called AudSecurity. I bring over four decades of diverse and comprehensive technical experience, encompassing a variety of roles, such as Chief Information Security Officer (CISO) and Vice President of Engineering (VPE), in addition to hands-on, teaching and consulting roles. This extensive background has equipped me with a deep understanding and expertise in technology and cybersecurity. So, I teamed up with a subcontractor who excels in compliance. She not only has a strong grasp of the regulatory landscape but also possesses impressive skills in technical writing.
Upon acquiring a new client, I comprehensively assess the company’s existing technical architecture and security measures. This process typically involves two detailed meetings featuring screen shares to examine cloud infrastructure setups, application architecture, security-related controls, processes, and documentation. During this phase, I gather various documents for analysis, including security policies and procedures, Standard Operating Procedures (SOPs), white papers, and other relevant materials.
The result of this phase is a comprehensive report offering recommendations to mitigate risk and adopt best practices in areas such as high availability, business continuity, and cybersecurity. These suggestions are tailored to align with the company’s objectives and are designed to be implemented within a realistic timeframe. Then, I present a proposal outlining how AudSecurity consulting services can assist in implementing the recommended strategies. I typically assume the role of virtual CISO during the implementation.
My New Client
A former client’s recommendation led me to my new client. This startup is small, consisting of three developers, a Chief Technical Officer (CTO), a Chief Executive Officer (CEO), a Chief Financial Officer (CFO), and five individuals in business and support roles. The handling of confidential information necessitates the implementation of strong security measures. The company wanted to switch to a new third-party vendor, which required my client to complete a detailed security questionnaire. However, the Chief Technical Officer (CTO) is young, relatively inexperienced, and uncertain about how to proceed with this questionnaire. So, I was brought in to plan what company and systems changes were needed for a successful outcome regarding this vendor.
The Initial Architecture
My client’s application is a traditional Node/React application whose infrastructure is hosted at Amazon Web Services (AWS) with the simple topology below.
There are significant risks in this basic infrastructure layout:
- Each component is accessible from the internet; nothing is private. Due to limitations in the Admin interface, it is routine for a developer to manipulate customer data residing in the production database using client tools from their uncontrolled desktop or laptop computers.
- Similarly, accessing the sole server used for back-end processing through SSH from corporate desktops or laptops was standard practice for support and deployment purposes. These activities were not logged, and deployments were entirely manual. This deployment approach involved an engineer manually copying the software repository to the production server, where they would then initiate a build and deployment.
- The single server had not been updated in two years and contained known vulnerabilities. The operating system was not a long-term supported (LTS) version and was heading toward end-of-life with no agreed-upon upgrade plan.
- Secrets and other secure bits persisted on the production server's local disk.
- This simple configuration is not highly available, as each component is a single point of failure, with no plan or approach for business continuity or disaster recovery.
The After-30-Day Architecture
New Architecture Explained
- This newer architecture has no single points of failure and is both highly available and scalable (using AWS autoscaling).
- No components have public IP addresses, and none are directly reachable via the Internet.
- A small instance, labeled db console, is instantiated in a private subnet with PostgreSQL client tools installed, which can be used for database maintenance and migration activities. No application processing hosts are used for these tasks.
- The db console host and the production RDBMS are accessed securely through SSH tunneling using the new AWS EC2 Connection Endpoints feature. Identity and Access Management (IAM) is configured to limit access (i.e., a dedicated IAM group for tunnel access). This approach is safer and simpler than traditional methods that depend on bastion hosts with SSH keys for authentication and employee IP addresses embedded in security group definitions.
- Secrets and other secure bits persist using strong encryption in the Systems Manager Parameter Store.
- All user interactions go through CloudFront, which provides the following:
  - Consistent use of standard browser security headers
  - Filtering of user input by a Web Application Firewall (WAF)
- AWS Elastic Beanstalk adds simplicity and provides a more managed application deployment and management environment, including:
  - Comprehensive application health and performance monitoring, logging and alerting mechanisms
  - Automated deployment process
  - Patching, security updates, and other maintenance tasks
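One way to verify the "no public IP addresses, nothing directly reachable" property, and to see what the initial layout would have reported, is to audit the JSON returned by `aws ec2 describe-instances` and `aws ec2 describe-security-groups`. This is an added example, not code from the original article; the function names are hypothetical and the sample IDs and addresses are constructed.

```python
import ipaddress

# Ports the article calls out: SSH to the back-end server, PostgreSQL to the database.
SENSITIVE_PORTS = {22: "SSH", 5432: "PostgreSQL"}

def _open_to_world(perm):
    """True if an ingress rule allows any IPv4 or IPv6 source."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def _covers(perm, port):
    """True if the rule's protocol and port range include the given TCP port."""
    if perm.get("IpProtocol") == "-1":  # all protocols, all ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit(instances_doc, groups_doc):
    """Return sorted findings for public IPs and world-open sensitive ports."""
    findings = []
    for res in instances_doc.get("Reservations", []):
        for inst in res.get("Instances", []):
            if inst.get("PublicIpAddress"):
                findings.append(f'{inst["InstanceId"]}: public IP {inst["PublicIpAddress"]}')
    for sg in groups_doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            for port, name in SENSITIVE_PORTS.items():
                if _covers(perm, port):
                    findings.append(f'{sg["GroupId"]}: {name} ({port}) open to the internet')
    return sorted(findings)

# Constructed sample data in the shape of the two AWS CLI outputs
# (IDs and addresses are made up; 203.0.113.0/24 is a documentation range).
BEFORE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0example0000before", "PublicIpAddress": "203.0.113.10"}]}]}
BEFORE_GROUPS = {"SecurityGroups": [{"GroupId": "sg-0examplebefore", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}
AFTER_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0exampledbconsole", "PrivateIpAddress": "10.0.2.15"}]}]}
AFTER_GROUPS = {"SecurityGroups": [{"GroupId": "sg-0exampleafter", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]}

if __name__ == "__main__":
    for finding in audit(BEFORE_INSTANCES, BEFORE_GROUPS):
        print(finding)
```

RDS exposure is reported separately, in the `PubliclyAccessible` field of `aws rds describe-db-instances`, and is not covered by this check.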
Additional Enhancements in the New Setup
- Isolated production and staging areas in different AWS accounts, replacing a single account containing co-mingled production and lower environments.
- CloudFormation templates have been introduced to automate and ensure reproducibility of infrastructure creation.
Post-30-Day Risk Profile
This newer architecture significantly reduces the risk of a breach, data leak or outage. Additionally, a cybersecurity program has been put into place with the following features:
- Virtual CISO, weekly meetings, security planning activities
- Documented Incident Management program
- Risk Management program with active Risk Register
- Documented policies and procedures to support the business
- Mobile Device Management
- All employees undergo security awareness training. All developers undergo secure coding training.
Future Roadmap
One major initiative on the roadmap is to containerize the application. Benefits include:
- The deployment to staging and production would become immutable and simplified. Immutability is critical to maintaining parity between staging and production environments, ensuring reliability for automated testing environments and efficiency of scaling operations.
- Staging would support multiple application versions running in a single lower environment. Different application versions could be tested under varying conditions without needing separate staging environments for each version, leading to improved resource utilization and cost reduction.
- Containerization is a stepping-stone to a serverless architecture using services like AWS Fargate, a container orchestration service that runs containers without managing the underlying servers.
Additional items on the roadmap include an increased focus on automated testing and DevOps while incorporating Privacy Impact Assessments into the development workflow.
Conclusion
After 30 days, the company successfully cleared the security requirements set by the third-party vendor and migrated to the secure environment described above. A skeleton cybersecurity framework and information security program have also been implemented, with ongoing plans to grow the program to strengthen the company’s security posture further.