As cloud-native infrastructure goes mainstream, fintech firms have adopted security automation tools to harden their DevOps deployment environments and make those environments accessible to conservative IT compliance auditors.
LendingClub, an online loan marketplace in San Francisco, installed a security policy enforcement tool from startup Accurics in late 2019. The tool inspects multiple layers of infrastructure configuration in the company's AWS environment, remediates potential vulnerabilities via GitHub and reports on IT compliance within its dashboard. Greenlight Financial Technology, an Atlanta-based company that makes a debit card for kids, chose a tool from StackRox to shore up Kubernetes security in Amazon EKS that also generates IT compliance reports the company's security team can pass along to auditors.
Both companies first chose the respective tools for their security automation features, but soon realized they also could be useful for IT compliance.
"We're considered a part of our bank partners' perimeter, and as we get bigger, we start becoming a bigger part of their risk profile, and start going through deeper and more frequent audits," said James Gaythwaite, CTO at Greenlight, which manages assets for 1 million users on its mobile app. "[Before StackRox] we had difficulty assuring partners, auditors and investors that we were following the same security practices they were, even if we weren't using the same tools."
LendingClub demonstrates IT compliance via policy as code
LendingClub couldn't rely on manual code reviews for IT security as it embraced DevOps and transitioned from local data centers to the cloud. The company's IT team connected with Accurics' founders through word of mouth in the Bay Area tech industry, and initially, their interest grew because the startup's eponymous tools integrated well with GitHub code repositories and Jenkins CI/CD pipelines.
"Compliance and cybersecurity are the two main risk factors in fintech, and we're heavily regulated under the most stringent constraints," said Paolo Montini, chief data officer and head of cyber risk management at LendingClub. "But there's a tension between that risk management and the agility and speed we need [for DevOps deployments], and the key to achieve a proper balance is automation."
Accurics automatically checks AWS system configurations and Terraform infrastructure-as-code templates against the company's security policies before they are applied. If proposed configuration or code changes diverge from security policy, the Accurics tool issues an alert and suggests remediations to bring them back into line. Automating those security checks saved about 15% to 20% of daily labor for LendingClub's SecOps staff, Montini estimated.
LendingClub also decided to give internal auditors direct access to the product's dashboard, to prove the company was still following security best practices in automated deployments to the cloud.
"Instead of showing auditors screenshots, we show them the Accurics interface itself," Montini said. "It's pretty straightforward -- you can see the policies defined on one side, and any discrepancies or gaps, as well as recommendations for how to remediate those."
There's also risk in going with a new company -- Accurics remained in stealth in November 2019 when LendingClub first began evaluating its product. But the startup offered a broader scope than many policy-as-code tools developed for specific infrastructure components. It can scan infrastructure configuration and code in AWS, Azure and Google, including each cloud provider's infrastructure-as-code service, as well as infrastructure components such as Kubernetes and Istio and infrastructure as code written with Terraform and Ansible.
When LendingClub evaluated Accurics, it also had on its roadmap the ability to assess security vulnerabilities not just within individual system and tool configurations, but in how they fit together in combination, Montini said. Accurics calls this feature breach path prediction, and it's now generally available.
"Even if individual configurations themselves are correct according to policy, when you put them together, they can still introduce a way for an attacker to get in," Montini said. "Accurics can analyze across policies as well -- we're starting to test that."
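The two ideas above, single-resource policy checks run before a Terraform plan is applied and a cross-resource check that flags a dangerous combination of individually compliant settings, can be illustrated with a small policy-as-code gate. The following Python is an added example written for this article, not Accurics' code or LendingClub's pipeline. It assumes a plan in the JSON shape that `terraform show -json` emits, reduced to a constructed sample in which resource references are simplified to resource addresses and the instance profile is written as the role name; the policy names and remediation text are made up for the example.

```python
"""Policy-as-code gate over a Terraform plan (added example, not Accurics' code)."""
import json

ADMIN_PORTS = {22, 3389}                                   # SSH, RDP
ANYWHERE = "0.0.0.0/0"
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _plan(*resources):
    """Wrap resources in the `terraform show -json` layout used by the sample."""
    return json.dumps({"planned_values": {"root_module": {"resources": list(resources)}}})


# Constructed sample plan. The security group only exposes 443, the role is a
# plain role, the instance is a plain instance: each passes its own policy, but
# together they put an admin-role instance on the internet. The bucket fails a
# single-resource policy outright.
SG_WEB = {"address": "aws_security_group.web", "type": "aws_security_group",
          "values": {"name": "web", "ingress": [
              {"from_port": 443, "to_port": 443, "cidr_blocks": [ANYWHERE]}]}}
ROLE_ADMIN = {"address": "aws_iam_role.ops", "type": "aws_iam_role",
              "values": {"name": "ops", "managed_policy_arns": [ADMIN_POLICY]}}
ROLE_READONLY = {"address": "aws_iam_role.ops", "type": "aws_iam_role",
                 "values": {"name": "ops",
                            "managed_policy_arns": ["arn:aws:iam::aws:policy/ReadOnlyAccess"]}}
INSTANCE = {"address": "aws_instance.web", "type": "aws_instance",
            "values": {"vpc_security_group_ids": ["aws_security_group.web"],
                       "iam_instance_profile": "ops"}}   # simplified: role name
BUCKET_PUBLIC = {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
                 "values": {"bucket": "logs", "acl": "public-read"}}
BUCKET_PRIVATE = {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
                  "values": {"bucket": "logs", "acl": "private"}}

SAMPLE_PLAN = _plan(SG_WEB, ROLE_ADMIN, INSTANCE, BUCKET_PUBLIC)
SAMPLE_PLAN_FIXED = _plan(SG_WEB, ROLE_READONLY, INSTANCE, BUCKET_PRIVATE)


def load_resources(plan_json):
    """Index planned resources by address."""
    plan = json.loads(plan_json)
    return {r["address"]: r for r in plan["planned_values"]["root_module"]["resources"]}


def finding(policy, address, remediation):
    return {"policy": policy, "resource": address, "remediation": remediation}


def check_s3_public_acl(resources):
    """Single-resource policy: no bucket may use a public canned ACL."""
    return [finding("s3-no-public-acl", a, 'set acl = "private" and add a public access block')
            for a, r in resources.items()
            if r["type"] == "aws_s3_bucket" and r["values"].get("acl", "private").startswith("public")]


def sg_open_ports(sg):
    """Yield (from_port, to_port) ranges of a security group that admit 0.0.0.0/0."""
    for rule in sg["values"].get("ingress", []):
        if ANYWHERE in rule.get("cidr_blocks", []):
            yield rule["from_port"], rule["to_port"]


def check_sg_admin_ports(resources):
    """Single-resource policy: SSH/RDP must not be reachable from the internet.
    A (0, 0) range is Terraform's 'all ports' and is treated as covering them."""
    out = []
    for a, r in resources.items():
        if r["type"] != "aws_security_group":
            continue
        for lo, hi in sg_open_ports(r):
            if (lo, hi) == (0, 0) or any(lo <= p <= hi for p in ADMIN_PORTS):
                out.append(finding("sg-no-admin-ports-from-internet", a,
                                   f"restrict the {lo}-{hi} rule to a trusted CIDR"))
                break
    return out


def role_is_admin(resources, role_name):
    return any(r["type"] == "aws_iam_role" and r["values"]["name"] == role_name
               and ADMIN_POLICY in r["values"].get("managed_policy_arns", [])
               for r in resources.values())


def check_internet_reachable_admin_instance(resources):
    """Combination policy: an instance that is reachable from the internet *and*
    carries an administrator role is flagged even though each part passed alone."""
    out = []
    for a, r in resources.items():
        if r["type"] != "aws_instance":
            continue
        exposed = any(list(sg_open_ports(resources[sg]))
                      for sg in r["values"].get("vpc_security_group_ids", []) if sg in resources)
        if exposed and role_is_admin(resources, r["values"].get("iam_instance_profile", "")):
            out.append(finding("no-internet-reachable-admin-instance", a,
                               "scope the instance role to least privilege or drop the internet-facing rule"))
    return out


POLICIES = (check_s3_public_acl, check_sg_admin_ports, check_internet_reachable_admin_instance)


def evaluate(plan_json):
    """Run every policy over the plan and collect findings with remediation hints."""
    resources = load_resources(plan_json)
    return [f for policy in POLICIES for f in policy(resources)]


def may_apply(plan_json):
    """Pipeline gate: apply only when no policy produced a finding."""
    return not evaluate(plan_json)


if __name__ == "__main__":
    for f in evaluate(SAMPLE_PLAN):
        print(f"{f['policy']}: {f['resource']} -> {f['remediation']}")
    print("apply allowed:", may_apply(SAMPLE_PLAN))
```

Wired into a Jenkins or GitHub stage, `may_apply` decides whether `terraform apply` runs, and the findings list is what an alert or pull-request comment would carry; the combination check is the part that no per-resource rule can express.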
Greenlight StackRox reports assist IT compliance audits
Greenlight, founded in 2014, has always been based in the cloud, where it began as a customer of AWS Elastic Beanstalk. But Greenlight encountered new IT security risks when it moved to Amazon EKS about a year ago, after its business grew and it converted monolithic apps written in Node.js to microservices written in Go. To address those risks, it purchased a tool from container security specialist StackRox.
"A lot of IT security tools aren't built for Kubernetes or even containers -- they assume they'll have access to a host," said Ken De La Guera, senior DevOps engineer at Greenlight. StackRox, by contrast, could be automatically deployed to Kubernetes clusters through Helm charts, even though Helm wasn't officially supported until a StackRox update released last month. Once deployed, StackRox continually scans Greenlight's environment for security threats, which is key to maintaining security standards as the company's app deployments grow more frequent, De La Guera said.
Moreover, StackRox offered IT compliance monitoring that helped Greenlight's partners and auditors keep up with those changes, too. The tool summarizes its assessment of Kubernetes clusters' compliance in reports that compare the state of the environment against regulatory requirements, as well as standard IT security benchmarks from NIST and CIS. Like Accurics, StackRox offers tips for improving users' security posture and remediating security issues.
So far, Greenlight's security team has used StackRox compliance reports in two audits during the first quarter of 2020, according to Greenlight's Gaythwaite.
"We had been struggling to articulate certain parts of audits, and StackRox just checked all the boxes we needed," he said. "Its dynamic scanning in our environment showed that our containers and container images were vetted and approved."
The next step for Greenlight will be to integrate StackRox with its Jenkins CI/CD pipelines to perform container image signing and block the deployment of unauthorized container images to Kubernetes clusters. Greenlight is also hoping StackRox will develop alternatives to the tool's default failure mode when ingress controllers time out -- right now, StackRox sensors restart their Kubernetes pods under those conditions, but De La Guera said he hopes for a less disruptive response to such timeouts in future versions of the tool. A StackRox spokesperson said the company is considering the request.
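The deployment gate Greenlight describes, blocking container images that the pipeline has not signed and approved, comes down to an admission decision over each pod's image references. The Python below is an added example written for this article, not StackRox code or Greenlight's configuration. It assumes the pipeline publishes the set of digests it has signed (here a constructed set; in practice that would be a signature verification against the registry), a constructed allowlist of registries, and a constructed pod manifest; init containers are checked as well, since they are an easy place to miss.

```python
"""Image admission check for pod manifests (added example, not StackRox code)."""

# Constructed trust data standing in for the pipeline's signing records.
TRUSTED_REGISTRIES = {"registry.example.com"}
SIGNED_DIGESTS = {"sha256:" + "a" * 64, "sha256:" + "b" * 64}

# Constructed pod: one approved init container, one unsigned digest, one
# floating tag from an untrusted registry.
SAMPLE_POD = {"spec": {
    "initContainers": [{"name": "migrate",
                        "image": "registry.example.com/db-migrate@sha256:" + "a" * 64}],
    "containers": [{"name": "api",
                    "image": "registry.example.com/api:1.4@sha256:" + "c" * 64},
                   {"name": "sidecar", "image": "nginx:latest"}]}}

SAMPLE_POD_OK = {"spec": {
    "containers": [{"name": "api",
                    "image": "registry.example.com/api:1.4@sha256:" + "b" * 64}]}}


def parse_image(ref):
    """Split an image reference into (registry, repository, tag, digest).
    A first path component with a dot, a port or 'localhost' is a registry;
    otherwise the reference is a Docker Hub short name."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:          # tag lives after the last '/'
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def admit(pod, trusted_registries=TRUSTED_REGISTRIES, signed_digests=SIGNED_DIGESTS):
    """Return (allowed, reasons). Every container, init containers included,
    must come from a trusted registry, be pinned by digest, and have a signature record."""
    spec = pod["spec"]
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    reasons = []
    for c in containers:
        registry, _, _, digest = parse_image(c["image"])
        if registry not in trusted_registries:
            reasons.append(f"{c['name']}: registry {registry} is not trusted")
        if digest is None:
            reasons.append(f"{c['name']}: image is not pinned by digest")
        elif digest not in signed_digests:
            reasons.append(f"{c['name']}: digest {digest} has no signature record")
    return (not reasons, reasons)


if __name__ == "__main__":
    allowed, reasons = admit(SAMPLE_POD)
    print("allowed:", allowed)
    for r in reasons:
        print(" -", r)
```

A tag such as `nginx:latest` is rejected twice here, once for the registry and once for the missing digest: a tag can be repointed after the pipeline scanned it, so only a digest ties the running container to the image that was actually vetted.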