The challenge presented before our federal department customer was in relation to complying with of Management and Budget (OMB) M-15-13 and the Department of Homeland Security’s (DHS) Binding Operational Directive (BOD) 18-01. Both mandates require all federal public facing websites, to enforce ‘HTTPS-only’ and disable weak cryptographic protocols and ciphers. In our customer’s pursuit to achieve full M-15-13 and BOD 18-01 compliance, they faced difficulties in presenting the compliance data for more than 10,000 websites in a digestible manner.
Prior to the advent of our solution, our customer managed and reported this data using a labor-intesive process that relied on a combination of spreadsheets and tedious, manual inspection of network security logs. Our customer needed a cost-effective and efficient approach to harvesting all compliance-related data, presenting this data in human consumable form, and driving decision-making and improved situational awareness.
We devised a solution called Site Monitor to address our customer’s challenges. Site Monitor is a network security compliance monitoring application. We embraced a serverless architecture design approach using AWS services to implement our solution in a cost-effective manner. Site Monitor leverages services such as AWS Lambda, Amazon DynamoDB, Amazon API Gateway, Amazon S3 and Amazon SNS.
Lambda’s parallelization capability was ideal for performing scans of over 10,000 websites operated by the customer, collecting compliance data, and persisting that data to DynamoDB. Moreover, due to Lambda’s on-demand compute characteristic, the service was demonstrably the most cost-efficient compute platform, yielding over 90% in cost savings, when contrasted with more traditional virtualization options like EC2 instances. After Lambda scans the 10,000 or so websites and persists the data to a DynamoDB table, an Amazon Elasticsearch Service cluster indexes the table using DynamoDB streams to provide users the ability to view all compliance data sets. Elasticsearch demonstrated its potential as a reliable storage solution for this application stack and as a service, which would augment the application’s user experience.
We leveraged Elasticsearch for storing data and allowing users to filter through the data set based on various sub-organizations within the agency. Together with filtering through three distinct sub-organization layers, users can also filter data subsets by compliance status. This highly-flexible and multi-tiered filtering feature provides users the ability to pinpoint rapidly any compliance issues. Elasticsearch’s Kibana-powered APIs allowed for the development of a personalized filtered search feature, meeting our customer’s requirement to grant users the freedom to create their own data subsets based on specific sub- organizations and compliance.
The customer also required their users to have the ability to capture real-time compliance data for a questionable website. We implemented an ‘on-demand’ scanning capability using Lambda and API Gateway. Once a user decides to perform a real-time scan on a website, the API Gateway endpoint triggers a Lambda function that scans the requested website(s). Once Lambda successfully executes an on-demand scan, the latest compliance data is persisted to DynamoDB before being indexed by Elasticsearch and pushed out to the client-side for the user to see. To reliably store and host the application’s front-end/client-side codebase we selected AWS S3, for
its high-availability and durability. The static files were stored in an S3 bucket and configured to a CloudFront distribution, to ensure a low-latency user experience. This capability has proven invaluable in helping the customer validate network security patching status.
To meet the customer’s requirement that the solution remained confined to only their networks, we added an Origin Access Identity to the CloudFront Distribution. This safeguarded the front-end codebase in S3 and then we set up AWS Web Application Firewall (WAF) to CloudFront in order to restrict all public traffic.
Site Monitor is a powerful and cost-effective networking security compliance monitoring tool, capable of providing any federal customer with a simple solution to monitor their public websites for M-15-13 and BOD 18-01 compliance. The application’s design around the serverless and microservices-based paradigm ensures cost-efficiency, high-availability, fault tolerance, modularity, and interoperability – all facets that resulted in more successful adoption of the tool and lower total cost of ownership.
Use of Site Monitor has increased steadily by 20% every month since launch. Providing our customer with timely results in a consumable manner has enabled them to improve their overall website compliance by 10%.