Maximus Increases Compliance And Reduces Risk Across All Public Clouds With Rapid7 Cloud Security

The Difficulty of Enforcing Standards Across An Enterprise

Maximus has two models for supporting its hundreds of AWS and Azure  projects:

• The first is the shared services model, where projects rely on IT organizations to build, support, and maintain their infrastructure, operating systems, and applications. 
• In the second, the project team practices self-service DevOps. They own the process of building, deploying, maintaining, and supporting the product, end to end.

Maximus’ security architecture team, which reports directly to the  CISO, identifies the cloud standards. “Our goal is to ensure that our standards are being followed and environments, accounts, and resources are compliant,” states Jon Powers, Senior Manager of Security Architecture. But enforcing standards across the entire enterprise with hundreds of AWS accounts and Azure subscriptions and different support models was very challenging.

Bridgeman’s CCoE team operates within the Office of the CIO. It is responsible for enforcing all written compliance and security standards in an automated way to enable the project teams to move securely with speed. They have implemented and enforced their internal security standards and standards from industry frameworks like NIST 800-53, CIS, and AWS Fundamentals.

“Written standards are difficult to consume when you need to build AWS and Azure infrastructure resources quickly, with different tools and automation across the enterprise,” explains Bridgeman. “We were trying to do it through AWS native tooling, primarily AWS Config, but it had limitations. And it didn’t allow us to enforce auto-remediation the way we can take action with InsightCloudSec today.”

Robust Functionality and Ease-of-Use: An Unbeatable Combination

As Bridgeman explains, Maximus didn’t want to build their own solution. They chose Rapid7 because it provided all the functionality they required, including:

• Consolidated visibility of active cloud resources running across multi-cloud environments consisting of AWS and Azure.
• Continuous monitoring and assessment of compliance against customized organizational security standards 
• Real-time detections of compliance state changes resulting from new builds and configuration changes that make existing resources non-compliant within minutes of a change occurring.
• The ability to both manually and automatically enforce compliance and update configurations and access permissions of non-compliant resources.

Ultimately, Bridgeman cites ease-of-use as the deciding factor in selecting Rapid7 InsightCloudSec. “Not only can Rapid7’s cloud solution easily scale, but Rapid7’s GUI means that less experienced technical support folks can navigate it. And the ability of InsightCloudSec to integrate with Splunk allows us to enrich our data and display it in consumable dashboards for Security, IT, and project owners.”

The Results

Rapid7 has had a positive impact on Maximus’ security environment. It’s unified their security standards in a consistent way, across all AWS and Azure accounts. Maximus has already begun using auto-remediation bots where needed (where remediation steps weren’t being taken by the account owner themselves). And, Bridgeman says that Rapid7 has provided them a more holistic view of what their compliance looks like—across their entire footprint. 

Today, Maximus’ Amazon Web Services (Corporate Master Payer Account) is:

• Monitoring 44,000+ different AWS resources
• Monitoring 100,000K+ Microsoft Azure resources with 80+ Insights
• Has 30+ insights/bots monitoring their environment with automated remediation abilities
• Corrected 550+ findings in first 2 weeks after implementing InsightCloudSec

Reliable Data Increases Compliance

“Perhaps the most important success story is the simple fact that with Rapid7 we now have a tool that we can trust,” offers Bridgeman. “We trust the data that InsightCloudSec is providing. That confidence has in turn given the account owners across Maximus and our different business divisions more confidence in the recommendations that we’re presenting them. One of the problems we had before is it was always, ‘Oh, it’s a false positive. Move on.’ But now, we’re actually able to provide a bit more data around the findings, which is really, really helpful.”

“Rapid7 has definitely decreased our risk and brought us to a much more consistent state where everybody is working from the same page and are very aware of the standards. They have visibility into it. They know that InsightCloudSec is monitoring compliance,” concludes Bridgeman.

Not only has the total compliance score under their Corporate Master Payer Account improved, but guardrails are now enforced through automation, reducing the volume of non-compliant resources. Resources which are built in a non-compliant way are automatically remediated, disabled, deleted, or flagged. 

“We now have people building more compliant resources. And,they’re taking action on the non-compliant resources much quicker because they’re getting alerted and notified. We have much better visibility into the environments, and we can now pass that up the ladder to our executive leadership. 

Bottom Line: Security Elevates the Customer Experience

The biggest takeaway? Perhaps that the security posture of Maximus aligns with the firm’s strategic growth pillars–elevating the customer experience. In other words, they’re achieving higher satisfaction levels, performance, and outcomes through intelligent automation and cognitive computing.