Harden Infrastructure as Code: Terraform & Multi-Authentication

This client needed additional capacity to expedite upgrading the Terraform Infrastructure as Code (IaC) to create parity across all environments and to open up additional features and security updates of the newer versions.

After Trility was hired to implement the upgrades, the team identified concerns with the client’s deployment of their multi-factor authentication tool, RSA SecurID, and provided observations and recommendations to the client.

Upgrading Terraform required changing the way resources work within the tool. Some applications required multi-step version updates, including GitHub, Vault, ActiveMQ, and Artifactory. Aqua Security’s tfsec was used to scan the IaC code for issues – including resetting expiration dates. 

In completing the Terraform upgrades, the Trility team recommended improvements to RSA SecurID due to the manual scripts that left resources running. Leveraging ICD503, NIST, and Center for Internet (CIS) and the RSA security guide as benchmarks, Trility replaced the manual scripts using the upgraded Terraform. The team also built it to automatically deploy for two security parameters: the client’s own and one with specific requirements for government contracts.  

In addition to this work, Trility also enabled centralized logging for Commercial and Steamboat ElasticStack services.

The Terraform upgrades allowed the client to take advantage of enhancements from new releases, create parity for all environments, increase security posture, and improve the developer environment with more dynamic and programmer-friendly code. 

By updating the RSA SecurID deployment, the client hardened security by locking down access for security groups and enabling access for logging and encryption of data.

With both of these initiatives, the client saved time and money by automating deployments to two environments: their internal one and government cloud environment with national security requirements.