As a leading strategic partner to governments across the globe, Maximus helps improve the delivery of public services amid complex technology, health, economic, environmental, and social challenges. With a deep understanding of program service delivery, acute insights that achieve operational excellence, and an extensive awareness of the needs of the people being served, our employees advance the critical missions of our partners. Maximus delivers innovative business process management, impactful consulting services, and technology solutions that provide improved outcomes for the public and higher levels of productivity and efficiency of government-sponsored programs.
Maximus’ key challenge was enforcing standards and ensuring consistency across all public cloud environments. The company has more than 200 AWS accounts under management, and its Azure presence is also growing. It is critical for the organization to have visibility into the many projects spanning AWS and Azure, and that all technical support teams, up to C-level leadership, are aware of the compliance status across the enterprise.
Maximus looked for a solution that would enable it to:
To meet these challenges, Maximus implemented InsightCloudSec, Rapid7’s cloud risk and compliance solution. Rapid7 worked with Maximus to customize the product release to meet their compliance requirements. As a result, the total compliance score across Maximus’ multi-cloud environment increased.
Maximus has two models for supporting its hundreds of AWS and Azure projects:
Maximus’ security architecture team, which reports directly to the CISO, identifies the cloud standards. “Our goal is to ensure that our standards are being followed and environments, accounts, and resources are compliant,” states Jon Powers, Senior Manager of Security Architecture. But enforcing standards across the entire enterprise with hundreds of AWS accounts and Azure subscriptions and different support models was very challenging.
Bridgeman’s CCoE team operates within the Office of the CIO. It is responsible for enforcing all written compliance and security standards in an automated way so that project teams can move securely and at speed. The team has implemented and enforced both Maximus’ internal security standards and standards from industry frameworks such as NIST SP 800-53, CIS, and AWS Fundamentals.
“Written standards are difficult to consume when you need to build AWS and Azure infrastructure resources quickly, with different tools and automation across the enterprise,” explains Bridgeman. “We were trying to do it through AWS native tooling, primarily AWS Config, but it had limitations. And it didn’t allow us to enforce auto-remediation the way we can take action with InsightCloudSec today.”
As Bridgeman explains, Maximus didn’t want to build their own solution. They chose Rapid7 because it provided all the functionality they required, including:
Ultimately, Bridgeman cites ease-of-use as the deciding factor in selecting Rapid7 InsightCloudSec. “Not only can Rapid7’s cloud solution easily scale, but Rapid7’s GUI means that less experienced technical support folks can navigate it. And the ability of InsightCloudSec to integrate with Splunk allows us to enrich our data and display it in consumable dashboards for Security, IT, and project owners.”
Rapid7 has had a positive impact on Maximus’ security environment. It has unified their security standards consistently across all AWS and Azure accounts. Maximus has already begun using auto-remediation bots where needed, that is, in accounts where owners were not taking the remediation steps themselves. And, Bridgeman says, Rapid7 has given them a more holistic view of their compliance posture across the entire footprint.
Today, Maximus’ Amazon Web Services (Corporate Master Payer Account) is:
“Perhaps the most important success story is the simple fact that with Rapid7 we now have a tool that we can trust,” offers Bridgeman. “We trust the data that InsightCloudSec is providing. That confidence has in turn given the account owners across Maximus and our different business divisions more confidence in the recommendations that we’re presenting them. One of the problems we had before is it was always, ‘Oh, it’s a false positive. Move on.’ But now, we’re actually able to provide a bit more data around the findings, which is really, really helpful.”
“Rapid7 has definitely decreased our risk and brought us to a much more consistent state where everybody is working from the same page and are very aware of the standards. They have visibility into it. They know that InsightCloudSec is monitoring compliance,” concludes Bridgeman.
Not only has the total compliance score under their Corporate Master Payer Account improved, but guardrails are now enforced through automation, reducing the volume of non-compliant resources. Resources that are built in a non-compliant way are automatically remediated, disabled, deleted, or flagged for the account owner.
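To make the guardrail model described above concrete, the following is an added illustration, not Rapid7 InsightCloudSec or Maximus code. It evaluates a set of constructed cloud resource records against a handful of constructed rules, assigns each violation one of the four outcomes named in the text (remediate, disable, delete, or flag), and computes a simple compliance score before and after enforcement. The rule names, resource shapes, approved AMI list, and the "monitor" versus "enforce" modes are all assumptions made for the example; the monitor mode stands in for accounts where owners remediate findings themselves, while enforce mode stands in for the auto-remediation bots.

```python
"""Illustrative cloud guardrail evaluator (added example, not vendor code).

All rules, resource records and the approved-AMI list below are constructed
for illustration. Real tooling would read live resource state from the
cloud APIs; here the state is plain dictionaries so the example runs offline.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical organisation-approved machine images (constructed).
APPROVED_AMIS = {"ami-hardened-2023", "ami-hardened-2024"}


@dataclass
class Resource:
    rid: str      # resource identifier (constructed)
    rtype: str    # resource type the rules key on
    props: Dict   # mutable property bag standing in for live cloud state


@dataclass
class Rule:
    name: str
    rtype: str
    check: Callable[[Dict], bool]            # returns True when compliant
    action: str                              # remediate | disable | delete | flag
    fix: Optional[Callable[[Dict], None]] = None  # in-place fix, if automatable


def _sg_no_world_ssh(p: Dict) -> bool:
    return not any(r["port"] == 22 and r["cidr"] == "0.0.0.0/0" for r in p["ingress"])


def _sg_drop_world_ssh(p: Dict) -> None:
    p["ingress"] = [r for r in p["ingress"]
                    if not (r["port"] == 22 and r["cidr"] == "0.0.0.0/0")]


# Constructed standards. Actions mirror the four outcomes in the case study:
# remediate (fix in place), disable (turn the credential off), delete
# (terminate an unapproved build), flag (needs a human; not safely automatable).
RULES: List[Rule] = [
    Rule("s3-block-public-access", "s3_bucket",
         lambda p: p.get("block_public_access") is True,
         "remediate", lambda p: p.__setitem__("block_public_access", True)),
    Rule("ebs-encrypted-at-rest", "ebs_volume",
         lambda p: p.get("encrypted") is True,
         "flag"),  # re-encrypting a volume needs a snapshot/copy; flag only
    Rule("sg-no-world-ssh", "security_group", _sg_no_world_ssh,
         "remediate", _sg_drop_world_ssh),
    Rule("iam-key-rotated-90d", "iam_access_key",
         lambda p: (not p["active"]) or p["age_days"] <= 90,
         "disable", lambda p: p.__setitem__("active", False)),
    Rule("ec2-approved-ami", "ec2_instance",
         lambda p: p["ami"] in APPROVED_AMIS,
         "delete"),
]


def sample_resources() -> List[Resource]:
    """Constructed inventory: five violations and one compliant bucket."""
    return [
        Resource("bucket-public", "s3_bucket", {"block_public_access": False}),
        Resource("bucket-ok", "s3_bucket", {"block_public_access": True}),
        Resource("vol-1", "ebs_volume", {"encrypted": False}),
        Resource("sg-1", "security_group", {"ingress": [
            {"port": 22, "cidr": "0.0.0.0/0"}, {"port": 443, "cidr": "0.0.0.0/0"}]}),
        Resource("key-1", "iam_access_key", {"active": True, "age_days": 120}),
        Resource("i-1", "ec2_instance", {"ami": "ami-unapproved"}),
    ]


def evaluate(resources: List[Resource], rules: List[Rule],
             mode: str = "monitor") -> List[Tuple[str, str, str]]:
    """Return (resource, rule, action) for every violation.

    mode="monitor" only reports; mode="enforce" also applies the action,
    mutating the resource state the way an auto-remediation bot would.
    """
    findings = []
    for res in resources:
        for rule in rules:
            if rule.rtype != res.rtype or rule.check(res.props):
                continue
            if mode == "enforce":
                if rule.action in ("remediate", "disable") and rule.fix:
                    rule.fix(res.props)
                elif rule.action == "delete":
                    res.props["state"] = "terminated"
            findings.append((res.rid, rule.name, rule.action))
    return findings


def compliance_score(resources: List[Resource], rules: List[Rule]) -> float:
    """Percentage of applicable checks passing; terminated resources are excluded."""
    live = [r for r in resources if r.props.get("state") != "terminated"]
    checks = [(r, rule) for r in live for rule in rules if rule.rtype == r.rtype]
    if not checks:
        return 100.0
    passed = sum(1 for r, rule in checks if rule.check(r.props))
    return round(100.0 * passed / len(checks), 1)


if __name__ == "__main__":
    inv = sample_resources()
    print("score before:", compliance_score(inv, RULES))
    for f in evaluate(inv, RULES, mode="enforce"):
        print("finding:", f)
    print("score after enforce:", compliance_score(inv, RULES))
```

Running the module shows the score rising once enforcement is applied, while the unencrypted volume stays open as a flagged finding because that fix is deliberately left to a human.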
“We now have people building more compliant resources. And, they’re taking action on the non-compliant resources much quicker because they’re getting alerted and notified. We have much better visibility into the environments, and we can now pass that up the ladder to our executive leadership.”
The biggest takeaway? Perhaps that Maximus’ security posture now aligns with one of the firm’s strategic growth pillars: elevating the customer experience. In other words, they are achieving higher satisfaction levels, performance, and outcomes through intelligent automation and cognitive computing.