Operating cloud-scale microservices in a highly regulated environment is a daunting challenge, and solving it led the National Association of Insurance Commissioners (NAIC) to partner with New Context, the leading innovator in DevSecOps for highly regulated industries. Through the partnership, the NAIC accelerated its cloud transformation by deploying cloud native automation and tooling, remained effective at serving the chief insurance regulators of all 50 states, the District of Columbia, and five U.S. territories, and met the highest compliance standards at the same time. In short, the NAIC strengthened its security and accountability processes and achieved digital transformation without slowing its business operations.
The NAIC's mission was to implement a multi-year State Ahead Strategic Initiative Plan to redesign its insurance regulation processes. That meant investing in new data technology to support and drive the transformation while adopting more rigorous security and accountability methods. To do this, the NAIC moved workloads to the cloud and adopted Continuous Integration and Continuous Delivery (CI/CD) pipelines that enabled frequent releases, decentralized ownership of applications, and microservice orchestration. The NAIC not only built new cloud architectures with cross-functional teams, but also applied security best practices to retire old processes that relied on manual intervention, which often leads to non-compliant systems and massive technical debt.
Partnered with New Context, the NAIC used AWS and open source community tools to automate the detection and remediation of configurations that could have put the whole organization at risk, and to achieve SOC 2 compliance.
Leveraging AWS Lambda for Ephemeral Computing
When approaching enterprise-level digital transformation, the intent is to build computing systems with no permanent footprint, not even a virtualized server. AWS Lambda does just that. It is a way of employing large amounts of computational power without owning the risks associated with infrastructure, containers, or servers; instead, you own the answers, along with the function's code, its IAM execution role, and its dependencies. It is a good way to build software that answers questions rapidly with on-demand compute. Removing the compute footprint and relying on the security and identity services of AWS yields a simpler, more suitable framework that reduces complexity and streamlines the development process.
AWS Lambda's flexibility and low cost make it well suited to ensuring deployed resources adhere to SOC 2 policies. Whether attaching Transport Layer Security (TLS) certificates to Elastic Load Balancers (ELB) or CloudFront distributions, or removing overly permissive security group rules, Lambda functions ran on a recurring schedule to remediate policy violations.
AWS Lambda was further enhanced with third-party utilities such as Cloud Custodian. With this tool, engineers enforced configuration standards by writing policies in its YAML DSL for specific resource types, ensuring those resources were configured in accordance with organizational requirements. The policies were executed on an event-driven or scheduled basis, deployed as Lambda functions. Metrics and logs from the Lambda executions were written to Amazon CloudWatch, and any security violations remediated by the functions were also reported to Slack.
A sample of use cases where AWS Lambda and Cloud Custodian were actively used includes:
- Enforcing backups via custom tagging
- Ensuring S3 buckets are not publicly accessible
- Encrypting RDS instances and EFS file systems
- Pruning unassociated EBS volumes
- Applying network ACL rules to VPC subnets
- Spinning down EC2 instances during off-hours
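The scheduled-remediation pattern described above, shown as a worked example. This is an added illustration, not code from the NAIC or New Context: a Lambda handler that revokes world-open ingress on a set of restricted ports, leaving other CIDRs on the same rule intact. The port list, the EventBridge schedule, and the sample security groups are assumptions made here; the planner is kept pure so it runs offline, and only `handler()` needs boto3.

```python
"""Scheduled Lambda remediation of world-open security group ingress.

Added example; it is not the NAIC's or New Context's code. The planner is pure
so it can be exercised offline on constructed describe_security_groups() output;
only handler() talks to AWS (boto3 is assumed to be present in the runtime).
"""
from __future__ import annotations

from typing import Any

# Assumed policy: these ports must never be reachable from the whole internet.
RESTRICTED_PORTS = {22, 3389, 1433, 3306, 5432}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def _port_range(perm: dict[str, Any]) -> tuple[int, int]:
    """Port span covered by one IpPermissions entry; '-1' means all traffic."""
    if perm["IpProtocol"] == "-1":
        return 0, 65535
    return perm["FromPort"], perm["ToPort"]


def offending_permissions(group: dict[str, Any]) -> list[dict[str, Any]]:
    """Return the ingress entries that expose a restricted port to the world.

    Each entry is trimmed to only the world-open CIDRs, so it can be handed
    straight to revoke_security_group_ingress() without touching the other
    ranges (e.g. an internal 10.0.0.0/8 rule) that share the same port.
    """
    found = []
    for perm in group.get("IpPermissions", []):
        # For icmp, FromPort/ToPort are type/code, not ports; skip those.
        if perm["IpProtocol"] not in ("tcp", "udp", "-1"):
            continue
        lo, hi = _port_range(perm)
        if not any(lo <= p <= hi for p in RESTRICTED_PORTS):
            continue
        v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in WORLD_CIDRS]
        v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in WORLD_CIDRS]
        if not (v4 or v6):
            continue
        trimmed: dict[str, Any] = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":
            trimmed["FromPort"], trimmed["ToPort"] = perm["FromPort"], perm["ToPort"]
        if v4:
            trimmed["IpRanges"] = v4
        if v6:
            trimmed["Ipv6Ranges"] = v6
        found.append(trimmed)
    return found


def plan_revocations(groups: list[dict[str, Any]]) -> dict[str, list[dict[str, Any]]]:
    """GroupId -> permissions to revoke, for every group with a violation."""
    plan = {}
    for group in groups:
        bad = offending_permissions(group)
        if bad:
            plan[group["GroupId"]] = bad
    return plan


def handler(event, context):
    """Lambda entry point, triggered by an EventBridge schedule such as rate(1 hour).

    Revokes only the offending ranges and returns the plan so it lands in
    CloudWatch Logs; a Slack notifier would be fed from the same return value.
    """
    import boto3  # imported here so the planner stays importable without it

    ec2 = boto3.client("ec2")
    groups: list[dict[str, Any]] = []
    for page in ec2.get_paginator("describe_security_groups").paginate():
        groups.extend(page["SecurityGroups"])
    plan = plan_revocations(groups)
    for group_id, perms in plan.items():
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return {"remediated": plan}


# Constructed sample in the shape describe_security_groups() returns.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-0b", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0c", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    print(plan_revocations(SAMPLE_GROUPS))
```

Run stand-alone, the script reports that `sg-0a` loses only its `0.0.0.0/0` entry on port 22 (the internal `10.0.0.0/8` entry survives), `sg-0b` is untouched because 443 is not on the restricted list, and `sg-0c` loses its all-traffic rule from `::/0`. Cloud Custodian expresses the same check declaratively as a `security-group` policy with an `ingress` filter and a `remove-permissions` action, which is the route a team already running Custodian would take.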
AWS Backup Service
Using the AWS Backup service, the NAIC ensured that Amazon Elastic Block Store (EBS) volumes, Elastic File System (EFS) file systems, Relational Database Service (RDS) instances, and DynamoDB tables were all backed up and retained according to organizational schedules and policies. The NAIC provisioned AWS Backup vaults according to its own policies and preferences, and used Cloud Custodian Lambda functions to apply the tags by which AWS Backup selects the resources it protects.
Data Encryption at Rest
Newly created RDS, EFS, Simple Storage Service (S3), and EBS resources were now encrypted by default using AWS Key Management Service (KMS). If an unencrypted storage resource is identified, a snapshot of it is taken and then encrypted; because EBS volumes and RDS instances cannot be encrypted in place, the encrypted snapshot copy is what the resource is rebuilt from. This automated process used the AWS Command Line Interface together with Dome9 for identification, Terraform for remediation, and GitLab CI to deploy the change.
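The snapshot-then-encrypt workflow above, worked through for an EBS volume. This is an added example and not the NAIC's or New Context's tooling (the case study used the AWS CLI, Dome9, Terraform and GitLab CI). The KMS alias, region, and sample volumes are assumptions, and `FakeEC2` is a constructed stand-in for boto3's EC2 client so the sequence of calls can be exercised offline; pass `boto3.client("ec2")` in its place to run it for real.

```python
"""Encrypt-at-rest remediation for an EBS volume that was created unencrypted.

Added example; it is not the NAIC's or New Context's tooling. EBS offers no
in-place encryption, so the workflow is: snapshot the volume, copy the snapshot
with Encrypted=True and a KMS key, then build a fresh volume from the encrypted
copy (swapping it onto the instance is left out). FakeEC2 is a constructed
stand-in for boto3's client so the workflow runs offline.
"""
from __future__ import annotations

import itertools
from types import SimpleNamespace
from typing import Any

# Assumed identifiers; substitute the organisation's own CMK and region.
KMS_KEY_ID = "alias/ebs-at-rest"
REGION = "us-east-1"


def unencrypted_volumes(volumes: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Filter describe_volumes() output down to volumes with Encrypted=False."""
    return [v for v in volumes if not v.get("Encrypted", False)]


def encrypt_via_snapshot(ec2, volume: dict[str, Any], kms_key_id: str, region: str) -> str:
    """Return the VolumeId of an encrypted replacement for `volume`.

    Each step waits on the previous one: copy_snapshot rejects a source that is
    still 'pending', and create_volume needs the encrypted copy to be completed.
    """
    vid = volume["VolumeId"]
    snap = ec2.create_snapshot(VolumeId=vid, Description=f"pre-encryption copy of {vid}")
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap["SnapshotId"]])

    enc = ec2.copy_snapshot(
        SourceSnapshotId=snap["SnapshotId"], SourceRegion=region,
        Encrypted=True, KmsKeyId=kms_key_id,
        Description=f"encrypted copy of {snap['SnapshotId']}",
    )
    ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[enc["SnapshotId"]])

    new = ec2.create_volume(
        SnapshotId=enc["SnapshotId"], AvailabilityZone=volume["AvailabilityZone"],
        VolumeType=volume.get("VolumeType", "gp3"), Encrypted=True, KmsKeyId=kms_key_id,
        # Tag the replacement so the original can be detached and deleted later.
        TagSpecifications=[{"ResourceType": "volume",
                            "Tags": [{"Key": "ReplacesVolume", "Value": vid}]}],
    )
    ec2.get_waiter("volume_available").wait(VolumeIds=[new["VolumeId"]])
    return new["VolumeId"]


class FakeEC2:
    """Constructed stand-in for the EC2 client: records calls, hands back fake ids."""

    def __init__(self) -> None:
        self.calls: list[tuple[str, dict[str, Any]]] = []
        self._seq = itertools.count(1)

    def _record(self, name: str, kwargs: dict[str, Any], key: str, prefix: str) -> dict[str, str]:
        self.calls.append((name, kwargs))
        return {key: f"{prefix}-{next(self._seq):017x}"}

    def create_snapshot(self, **kw): return self._record("create_snapshot", kw, "SnapshotId", "snap")
    def copy_snapshot(self, **kw): return self._record("copy_snapshot", kw, "SnapshotId", "snap")
    def create_volume(self, **kw): return self._record("create_volume", kw, "VolumeId", "vol")
    def get_waiter(self, name: str): return SimpleNamespace(wait=lambda **kw: None)


# Constructed sample in the shape describe_volumes() returns.
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True, "AvailabilityZone": "us-east-1a", "VolumeType": "gp3"},
    {"VolumeId": "vol-0b1", "Encrypted": False, "AvailabilityZone": "us-east-1b", "VolumeType": "gp2"},
]


def run_offline_demo() -> tuple[list[str], FakeEC2]:
    """Remediate every unencrypted sample volume against FakeEC2; returns (new ids, client)."""
    ec2 = FakeEC2()
    new_ids = [encrypt_via_snapshot(ec2, v, KMS_KEY_ID, REGION)
               for v in unencrypted_volumes(SAMPLE_VOLUMES)]
    return new_ids, ec2


if __name__ == "__main__":
    ids, client = run_offline_demo()
    print(ids, [name for name, _ in client.calls])
```

Only `vol-0b1` is touched, and the recorded call order is `create_snapshot`, `copy_snapshot`, `create_volume`, with the KMS key applied at both the copy and the new volume. The same shape applies to RDS (snapshot, `copy_db_snapshot` with `KmsKeyId`, restore), while S3 needs no rebuild because a bucket's default encryption can be switched on in place.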
In summary, Kyle Sexton, Chief Enterprise Architect at the NAIC, put it best when he said,
"New Context has been an instrumental partner in our cloud initiative. The flexibility of the cloud allows for rapid innovation and experimentation, but with that comes additional risks. The processes and tools implemented give us confidence that the controls we define are enforced. Automatic remediation across our environments means developers aren't surprised by controls as their code moves to production."
About the NAIC
The National Association of Insurance Commissioners (NAIC) is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories. Through the NAIC, state insurance regulators establish standards and best practices, conduct peer review, and coordinate their regulatory oversight. NAIC staff supports these efforts and represents the collective views of state regulators domestically and internationally. NAIC members, together with the central resources of the NAIC, form the national system of state-based insurance regulation in the U.S.
About New Context
New Context, Inc. is the security innovator for highly regulated industries. Our products and consulting services enable global leaders in energy, government and across the enterprise to build, deploy and maintain Secure Compliant Data Platforms. The company is a leader in DevSecOps, open standards, advancing the development of STIX, TAXII, and OpenC2 for security automation as a force multiplier for defenders.
New Context, Inc.
Michael McClanahan, 888-773-8360
National Association of Insurance Commissioners
Kyle Sexton, 816-783-8796