Continuous Compliance Case Study – Nicobar
“Our story begins at Good Earth, and at the crossroads of craft and community. Two decades later the time is ripe for the birth of a new brand: Nicobar. Two separate entities, each with its own voice, Good Earth and Nicobar share fundamental values, and both stem from a desire to shape culture in an original and inspiring way. In Nicobar you will find a contemporary collection that is fresh, aspirational, curious about the world. Seeds of a movement, one that is ready to create a new and democratic vocabulary of design.”
02. The Need
Initially, Nicobar migrated its website into AWS Cloud. As the customer became comfortable with AWS, Nicobar moved more workloads, making AWS its primary data centre. Nicobar has multiple teams working on various workloads and a central security team to look after the infrastructure and take care of security compliance.
The central security team ensures standard security guidelines are followed during the deployment of workloads and applications in AWS Cloud. However, new releases and updates are owned and managed by the respective application dev-ops teams. This creates a scenario where some of the security policies implemented during deployment are either reversed or not fully adhered to. Different teams also sometimes launch new cloud resources without following security guidelines, e.g. server hardening, firewall implementation for port blocking, etc. Basic resource-deployment hygiene, such as compliance with the tagging strategy, is not followed at times.
Overall, it became challenging for the central security team to keep track of changes and ensure that the AWS Cloud infrastructure is compliant with security guidelines and best practices at all times. The customer could end up without backups for production resources and with improper security and log management practices.
Strict continuous compliance with security best practices is critical for organizational safety and security. This means it is easier to identify and rectify security lapses than to clean up the mess or cope with the losses after an event occurs.
Below is the architecture of the Nicobar Website and ERP solution hosted on AWS:
To enable a highly secure production environment, AWS services such as AWS CloudTrail, AWS Config and AWS Lambda have been deployed in smart combinations to provide a fail-safe security strategy.
AWS CloudTrail and AWS Config help to track and manage logs of all activity, as any action in the AWS environment requires an API call. CloudTrail logs every action and stores it in an S3 bucket, while AWS Config captures all changes to cloud resources and stores them in an S3 bucket. AWS Config also checks resources against pre-defined rules and sends notifications or invokes AWS Lambda to initiate action in the event of a violation.
CloudTrail and Config logs are encrypted in the S3 bucket.
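The rule check described above, sketched as an added example (not code from Umbrella or Nicobar): the evaluation logic a Lambda behind a custom AWS Config rule could apply to one configuration item, covering the tagging and port-blocking lapses named in "The Need". The required tag names, the allowed public ports and the sample item are assumptions; a deployed function would receive the item from AWS Config and report the result through PutEvaluations.

```python
import ipaddress

# Assumptions, not from the case study: the tag policy and the ports that
# may be reachable from any address.
REQUIRED_TAGS = {"Owner", "Environment"}
ALLOWED_PUBLIC_PORTS = {80, 443}

def public_ports(perm):
    """Ports an ingress permission exposes to any address; None means all."""
    cidrs = [r["cidrIp"] for r in perm.get("ipv4Ranges", [])]
    cidrs += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", [])]
    # Prefix length 0 (0.0.0.0/0 or ::/0) covers every address.
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    if not any(n.prefixlen == 0 for n in nets):
        return set()
    if perm.get("ipProtocol") == "-1":
        return None
    if perm.get("ipProtocol") not in ("tcp", "udp"):
        return set()  # ICMP etc. carry no port range; out of scope here
    return set(range(perm["fromPort"], perm["toPort"] + 1))

def evaluate(item):
    """Return a PutEvaluations-style result for one configuration item."""
    findings = []
    missing = REQUIRED_TAGS - set(item.get("tags", {}))
    if missing:
        findings.append("missing tags: " + ", ".join(sorted(missing)))
    if item["resourceType"] == "AWS::EC2::SecurityGroup":
        for perm in item["configuration"].get("ipPermissions", []):
            ports = public_ports(perm)
            rng = f"{perm.get('fromPort')}-{perm.get('toPort')}"
            if ports is None:
                findings.append("all ports open to any address")
            elif ports - ALLOWED_PUBLIC_PORTS:
                findings.append(f"{perm['ipProtocol']} {rng} open to any address")
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": "NON_COMPLIANT" if findings else "COMPLIANT",
        "Annotation": "; ".join(findings)[:256],  # Annotation is length-limited
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

# Constructed, simplified configuration item (not real data).
SAMPLE = {
    "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0example",
    "configurationItemCaptureTime": "2020-01-01T00:00:00.000Z",
    "tags": {"Owner": "web-team"},
    "configuration": {"ipPermissions": [{
        "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
        "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]},
}

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```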
In addition, Umbrella used CloudHealth, a cloud-management platform that makes it possible to compare security practices, establish compliance in accordance with Center for Internet Security (CIS) and AWS best practices, and send alerts in case of deviation. Umbrella designed compliance and security features taking inputs from Nicobar’s team and linking them to detailed logs created by CloudTrail and AWS Config to detect deviant behaviour.
04. The Benefits
As a result of close and continuous monitoring of security practices at Nicobar, there is early detection of deviant behaviour, enabling immediate remedial action. This helps to tackle governance issues at an early stage, preventing the outbreak of major escalations.
Continuous compliance via automation has significantly enhanced governance at Nicobar, allowing the company to make changes and provide easy access to any resource at any time without worrying about security violations.
The automated monitoring and alerts create continuous reports and dashboards, making the organization ready for audit at any point in time. This has significantly reduced audit time compared to earlier manual audits. Security access and lapses are transparent, providing insights into threats to make changes and improve organizational security.
Over time, continuous compliance has helped Umbrella to predict outages and lapses better, significantly improving response time to incidents.