Insurer IAG has developed and open-sourced two frameworks that are designed to improve security and compliance with internal policies when its teams are working with AWS.
Automation specialist Shruti Kembhavi told AWS Dev Day Australia that the frameworks helped the insurer, which is heavily regulated, run workloads in the public cloud.
One of the frameworks, Watchmen, ensures that different teams using separate AWS accounts and resources stay compliant with IAG's policies.
The second framework, Bakery, is “a centralised AWS identity and access management solution to avoid the duplication of user accounts/policies across multiple AWS accounts.”
Kembhavi saw several benefits in making the frameworks available via GitHub.
“I think it’s a cool way of attracting talent, improving the code quality, and giving back to the community as well,” she said.
When the company interviewed prospective new hires, the interviewer could simply point the candidate to the repository to view examples of code the company had developed, and to get a sense of the development culture (as well as the existing team's architecture skills).
Knowing the code would be public domain also served as an important motivation for its creators.
“The most important incentive for us as developers is that the whole world is going to see our code so that automatically gives us the motivation to write the best possible code we can,” Kembhavi said.
“Also, we want to actually build a community so they can actually contribute back and actually build better software.
“I feel strongly about open source software and I think like open source software comes the closest to what customers actually want, because the customers can make what they want it to be rather than vendors thinking this is what customers might want and building that.”
Back in May, IAG’s head of cybersecurity and governance Ian Cameron outlined to an IBM conference how the insurer was migrating workloads from on-premises infrastructure into the cloud.
Cameron said at the time that a key focus for the security team was baking security into the process by which code is developed and prepared to run in the cloud.
He flagged the integration of security into DevOps and the continuous delivery toolchain, and a goal to turn developers into security champions.
Kembhavi indicated that progress on that front is being made, and that the culture change is taking place.
“We are in the regulated industry so we have to constantly think about security,” she said.
“At IAG, security is job zero for us, and it is everyone’s responsibility. It is more of the mindset that we are building into developers. It’s not the function of a security group like a cybersecurity team - it is everyone’s responsibility.”
Developers had to start building applications that were secure by design, she said.
However, they would be supported in that evolution by IAG’s adoption of SecDevOps and the increased integration of security - and, in particular, automated security - into the company’s continuous integration/continuous delivery (CI/CD) pipelines.
“We give them some guidance and guardrails so we leverage a lot of AWS services and we actually build some automated frameworks on top of that to help developers get started and start using the resources sensibly,” Kembhavi said.
“We can give them role-based access and we actually have the principle of least privilege, so developers will have only a certain kind of privileged [access to systems].
“In higher environments like production we only [allow] deployments through our CI tools and not through users.
“There’s also controls around encryption at rest and so on, but we try to use automation so it takes away the burden of manual checks [by the developers].”