Cloud Engineering
Communications & Media

Policy as Code: Compliance Gate Integration

To help retain government contracts with security requirements, Trility helped this client establish verifiable compliance by building a gate in the existing CI/CD deployment pipelines by integrating tests. In addition, the team helped centralize application logging to verify and report access permissions, and demonstrate compliance with ICD503.

Problem Statement

To retain critical government contracts with high security requirements, this client needed to achieve verifiable compliance with P2020 for services using Commercial Cloud Services (C2S) and destined for Secret Commercial Cloud Services (SC2S) in AWS GovCloud.

The client also needed functionality for application notifications and alerts within SC2S, demonstrate compliance with ICD503, and delivery management support to accelerate the security operations team with critical deadlines.

Solution Approach

To achieve verifiable compliance, Trility build a gate that integrated compliance tests into the existing CI/CD deployment pipelines. The team wrote pre-deployment and post-deployment tests for everything that could leverage integrated testing using Aqua Security’s tfsec, which scans Terraform Infrastructure as Code created by developers. 

In addition to the compliance gate, Trility:

  • Centralized application logging by collected all logs generated by infrastructure applications in one location to simulate logging in SC2S. Identity and permissions were built into the testing functionality and utilized resource tagging for report functionality. 

  • Built custom Amazon Machine Images (AMIs) using Packer for all new applications and for air-gapped account environments (no access to internet).

  • Provided a Delivery Manager to integrate with the security operations team to accelerate their program using our agile Continuous Delivery approach.

Outcomes

With this partnership, the client increased traceability for all environments – including evidencing compliance for government contracts requiring ICD503 compliance.

The Trility team built a compliance gate that included pre- and post-deploy tests that required 100% of tests to pass before deploying to production.

With centralized logging for applications, the client was able to evidence compliance for developer applications using IaC in SC2S environments – making it more observable and easier to verify compliance.

Trility also created the gold image for AMIs with air-gapped accounts that streamlined consistent application of security practices to new cloud environments across the enterprise. 

The security operations team met imperative program milestones with Trility’s Delivery Management support.

Project Attributes

  • Reduced Risk
  • Reduced Technical Debt
  • Accelerate Delivery
  • Increased Automation
  • Increased Scalability
  • Reusable Patterns
  • Increased Capabilities
  • Increased Security
  • Verifiable Compliance
  • Coaching
  • Documentation
  • Learning Sessions
  • Paired Programming
  • Videos

Technologies Used

  • Artifactory
  • Jenkins
  • Kubernetes
  • AMQ
  • Eureka
  • Vault
  • Terraform
  • Packer
  • Aqua Security tfsec
  • Terragrunt
  • Inspec
  • Steampipe
  • Python
  • Docker

Explore Experience

Read about other projects Trility has delivered.

AI & Data
Cloud Engineering
DevOps
Software Design & Development

Insights

Explore the latest insights, ideas, and perspectives from Trility's team.

Cloud Engineering
DevOps
Software Design & Development
AI & Data
Continuous Delivery Method
Security by Design
Leadership
Our Work
Podcasts
News

Let's Talk

Get in TouchJoin our team
What We DoAI & DataCloud EngineeringDevOpsSoftware Design & Development
Who We AreContinuous DeliverySecurity By Design

Careers

Life at TrilityCareer OpportunitiesVeterans
Insights

Partners

AWSMicrosoftHashiCorp

© 2024 Trility Consulting LLC® | 14001 University Ave. Suite 300 Clive, IA 50325 | (515) 650-5999

Trility LLC is a wholly owned subsidiary of Trility Group Holdings, Inc.

Verify Employment

|

Privacy Policy