A customer of DivvyCloud by Rapid7 in the financial technology sector wanted to embrace AWS so they could launch their regulated financial service more quickly. Doing this required that they adhere to SOC 2. They didn’t know how to incorporate this framework, but understood that approaching it manually would be expensive and difficult.
As a result, the customer’s CIO and CISO decided to architect their AWS strategy in a way that would allow them to achieve and maintain SOC 2 compliance, Types I and II, continuously. This customer is a highly regulated fintech solution provider, and SOC 2 compliance would allow their customers to adopt their solutions more rapidly. Their primary objective for maintaining compliance was to automate tasks and remediation to keep their teams small and lean.
As a starting point, the customer focused on DivvyCloud by Rapid7’s out-of-the-box AWS CIS Compliance Pack, with the additional layer of SOC 2 applied to relevant workloads in their cloud environment. Through the existing Insight Packs for SOC 2 and CIS, the customer was able to create their own custom pack and validate their cloud account setup and security posture.
The fintech customer confirmed that their AWS cloud accounts achieved SOC 2 compliance. The Compliance Scorecard below showcases the measurement of how they ran their cloud accounts in production through SOC 2 and CIS Insights.
The customer configured DivvyCloud to send notifications for any red cells (areas of noncompliance) to the appropriate account or cloud resource owners for action. The Compliance Scorecard’s value and audience goes beyond security and compliance professionals. The customer's C-level executives use the Scorecard to get a high-level view of how well the company is running its clouds in production. In addition, the customer often uses the Compliance Scorecard to showcase this view to their own customers.
The customer also created custom Compliance Packs using CIS and SOC 2 requirements. Two of the key criteria they incorporated into these custom Compliance Packs were that only storage holding sensitive data must be encrypted, and that application data must not be stored on an instance (i.e., it is either attached to the instance as a volume and flagged for encryption, or it is stored at the data layer, such as RDS).
The SOC 2 Insights below translate to enabling dynamic remediation actions, such as retiring and automatically rotating encryption keys.
With the Insight setup, the customer deployed 136 Bots, which allowed them to generate a daily compliance report and send it automatically to the CISO and CIO. Many of the Bots also deploy automated remediation actions.
Accounts that are subject to SOC 2 contain live production applications, so they have their own set of Bots whose actions differ from those defined for other cloud accounts. For these accounts, the organization won’t tolerate a database with an external IP address: the automated action is to delete the database, notify the owner (the customer), and check whether tagging is enabled.
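The checks described above (a database with an external IP in a SOC 2 account, unencrypted storage holding sensitive data, and a resource missing required tags), as an added Python example that is not DivvyCloud or customer code and calls neither the DivvyCloud nor the AWS APIs. The resource fields, the `owner` and `environment` tag keys, and the remediation labels are assumptions, and the inventory is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Resource:
    rid: str
    kind: str                      # "rds" (database) or "volume" (block storage)
    account: str
    soc2: bool                     # account is in SOC 2 scope (live production)
    public: bool = False           # database reachable via an external IP
    encrypted: bool = False
    sensitive: bool = False        # storage holds sensitive data
    tags: dict = field(default_factory=dict)

REQUIRED_TAGS = ("owner", "environment")   # assumed keys from the tagging policy

def evaluate(r: Resource) -> list:
    """Return (insight, remediation) pairs; the remediation is a label a Bot would act on."""
    findings = []
    if r.kind == "rds" and r.public:
        # SOC 2 accounts hold live production data, so the action is stricter there
        action = "delete-and-notify-owner" if r.soc2 else "notify-owner"
        findings.append(("database-has-external-ip", action))
    if r.sensitive and not r.encrypted:
        # only storage with sensitive data has to be encrypted
        findings.append(("sensitive-storage-unencrypted", "flag-for-encryption"))
    if r.soc2:
        missing = [t for t in REQUIRED_TAGS if t not in r.tags]
        if missing:
            findings.append(("missing-required-tags:" + ",".join(missing), "notify-owner"))
    return findings

def scorecard(resources) -> dict:
    """Per-account cell: 'red' if any finding, else 'green', like a Compliance Scorecard."""
    card = {}
    for r in resources:
        cell = card.setdefault(r.account, {"status": "green", "findings": []})
        for insight, action in evaluate(r):
            cell["status"] = "red"
            cell["findings"].append((r.rid, insight, action))
    return card

# Constructed sample inventory (not real customer data)
SAMPLE = [
    Resource("db-prod-1", "rds", "prod-soc2", True, public=True, encrypted=True,
             tags={"owner": "payments", "environment": "prod"}),
    Resource("vol-prod-7", "volume", "prod-soc2", True, sensitive=True, tags={"owner": "payments"}),
    Resource("db-dev-3", "rds", "dev", False, public=True),
    Resource("vol-sbx-4", "volume", "sandbox", False),
]

if __name__ == "__main__":
    for account, cell in scorecard(SAMPLE).items():
        print(account, cell["status"], cell["findings"])
```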
The fintech customer has a strict tagging policy for production accounts, especially those subject to SOC 2, and tags are deployed through automation. The customer leverages CloudFormation and CircleCI to deploy templates for:
Remediation plans are in place whenever an Insight identifies a violation.
Some of the key use cases that the customer automated to support SOC 2 compliance are:
SOC 2 is based on audits against the Trust Services Criteria, which assess a company’s maturity in its processes and security. The fintech customer automated many of their security compliance checks using DivvyCloud Bots. These Bots enabled the customer to remediate violations and maintain SOC 2 compliance through DivvyCloud’s Compliance Packs.
The DivvyCloud by Rapid7 features the fintech customer leverages extensively are: Insights, Bots, Compliance Packs, and Compliance Scorecard.