AusPost builds tool to plug cloud security gaps in 30 seconds

Australia Post has automated security remediation across its “growing” AWS public cloud environment using a tool that is capable of identifying security gaps and applying a fix in as little as 30 seconds.

The government-owned corporation has built the solution to meet the contemporary security needs of its continuous delivery pipeline, with hundreds of developers now working to deliver products and services using AWS.

AusPost has been using the hyperscale provider since beginning its cloud journey in 2013, when it opted to migrate off its traditional on-premise hardware and consolidate its data centre footprint.

“We run a continuous integration and delivery environment, and we do roughly around eight to 12 production drops every single day,” head of security, education and culture Steven Stojanovski told last week’s AWS Summit in Sydney.

“All of our teams are co-located, which means that we've got business stakeholders sitting amongst our engineers, and we even got security staff in that mix.”

But with “hundreds and hundreds of AWS configuration changes happening across our cloud landscape every single day”, Stojanovski said it was no longer viable to simply “throw people at the problem”.

He put this down to both the current cyber security skills shortage, as well as the rapid pace of change occurring in AusPost's cloud environment.

“With the current skills shortage we simply can’t find enough skilled security staff,” Stojanovski said.

“And the reality is that even if we could, there’s no way we could be keeping pace with the change that’s happening in our cloud landscape.

“Add to that the fact that the threat landscape is constantly evolving and growing, and it's clear that what got us here won't get us to where we need to be.”

Instead, AusPost has undergone a “paradigm shift” towards its enterprise security, adopting a DevSecOps approach to securing its cloud-base workloads and data.

“We’re taking core foundational AWS services and coupling that with automation to build out a DevSecOps capability that can scale along with our organisation as it grows,” Stojanovski said.

He said this had allowed AusPost to check key security events that occur across its “growing cloud environment” against predefined security baseline, polices and standards to automatically understand “whether they’re legitimate and expected, or perhaps they’re anomalous”.

Better, faster, stronger

In addition to improved security coverage across its cloud landscape, the government-owned corporation with Australia’s largest retail footprint has seen a significant reduction in remediation time since since rolling out the solution.

“We’re talking about 30 to 45 seconds to remediate a particular condition, and that is magnitudes better than what we’d be able to achieve if we were using a more traditional approach,” he said.

“If we were trying to tackle these sorts of things without the help of automation, we might be talking about hours to remediate, days to remediate, weeks to remediate.

“And the reality is you’ve got a repeatable process here, and you’re going to get that same remediation and that same level of service every single time.”

Stojanovski said that the 70,000 invocations – or checks resulting in remediation actions taking place – performed every month were costing AusPost just $5.

“We’re paying $5 a month run a process that’s going to remediate any violations against your security policy within 30 to 45 seconds,” he said.

Transparency

Automated security remediation has also empowered AusPost’s delivery teams, with Slack integration used to communicate when the solution flags a security gap.

“Through this solution we’re dispelling some of those myths around security where it no longer sort of ‘security is doing a bunch of stuff behind the black curtain and no one knows about it’, Stojanovski said

“The delivery teams are actually seeing what we’re seeing, and at the end of the day that transparency – as important as it is – is actually breeding trust, which is even more important.

“So all of a sudden we’re having a lot more conversations with out delivery teams, and we’re all on the same page and working together.”

Having conversations with the teams also resulted in what Stojanovski describes as “the ability to influence upstream change”.

“When we first kicked off this project and rolled it out to production, what we would find was there were certain teams [that] would get caught in the net,” he said.

“And it would happen on sort of a regular basis, and we were curious as to why that was happening.”

These conversations unearthed that teams “were using Elastic Beanstalk and the default configuration was actually exposing Port 22 to the internet”.

“Now, obviously the remediation controls were kicking in, and they were taking care of that., however once we had that conversation we could then influence that upsteam,” he said.

“So we worked with them, we helped them modify the default configurations and they were no longer getting caught up in that net.”