CASE STUDY
Building a Platform-as-a-Service in AWS: How Aquia Partnered With the Federal Government to Safeguard Personal Health Information for Millions of Americans
A large United States federal agency provides an extensive portfolio of applications and capabilities that must comply with certain federal requirements as part of the broader Risk Management Framework (RMF). Partnering with Aquia, the agency developed a Platform-as-a-Service (PaaS). The PaaS provides a robust shared development environment for the agency’s applications that maximizes security control inheritance, shifts security left via security tooling and pipeline automation, facilitates emerging GitOps practices leveraging cloud-native technologies and ultimately drives down application costs while expediting the delivery of value for stakeholders.
About the Customer
This case study documents the experience of an Aquia customer — a large United States federal agency provides an extensive portfolio of applications and capabilities that are responsible for safeguarding the personally identifiable information (PII) and protected health information (PHI) of millions of Americans.
The Challenge
A large United States federal agency provides an extensive portfolio of applications and capabilities that must comply with certain federal requirements as part of the broader Risk Management Framework (RMF). The agency was looking to enhance scalability, flexibility, and efficiency in their applications through the adoption of microservice architectures, containers, and cloud infrastructure.
The Solution
Partnering with Aquia, the agency developed a Platform-as-a-Service (PaaS). The PaaS provides a robust shared development environment for the agency’s applications that maximizes security control inheritance, shifts security left via security tooling and pipeline automation, facilitates emerging GitOps practices leveraging cloud-native technologies and ultimately drives down application costs while expediting the delivery of value for stakeholders.
The Results
Initial adopters of the PaaS have recognized a decrease in costs, a 30-50% reduction in authorization time and compliance overhead, and more secure and streamlined development processes while taking advantage of the efficiencies of cloud-native services.
Addressing Complexities While Maintaining a Stringent Level of Security
This large United States federal agency provides an extensive portfolio of applications and capabilities that are responsible for safeguarding the personally identifiable information (PII) and protected health information (PHI) of millions of Americans.
The agency’s applications must adhere to a number of federal requirements as part of the broader Risk Management Framework (RMF), including the Federal Information Security Modernization Act (FISMA) and an internal customized baseline of NIST 800-53 Rev. 5 that contains more than 350 controls and 750 control elements.
With hundreds of applications in its portfolio, the agency sought to reduce duplicative efforts, time to authorization, and compliance overhead for each of these systems while maintaining the stringent level of security required for applications safeguarding PII and PHI.
Furthermore, the agency was actively promoting the adoption of microservice architectures, containers, and cloud infrastructure in an effort to enhance scalability, flexibility, and efficiency in their applications.
Left unaddressed, the applications would continue to drain resources and operate with reduced efficiencies — spending money, time, and effort to meet compliance, security, and privacy requirements in a non-uniform manner or without proper support and lessons learned from consolidated development environments.
Building a Secure and Cost-Effective PaaS for Agency Applications
The agency identified the need to build a PaaS that would provide a robust shared development environment for its applications that maximizes security control inheritance, shifts security left via security tooling and pipeline automation, facilitates emerging GitOps practices, and drives down application costs while expediting the delivery of value for stakeholders.
Having already developed a large presence on Amazon Web Services (AWS) across the agency’s portfolio of applications, building the PaaS on AWS was the clear choice. Doing so aligned with many parallel teams and efforts, and positioned the platform to best suit application needs and desires.
With extensive experience in AWS, Aquia was uniquely positioned to support the agency in this mission. In addition, Aquia had supported agency leadership with their digital transformation efforts in the past and possessed the skills necessary to ensure this effort would be a success, including expertise spanning compliance, security engineering, application security, and purple teaming.
Leveraging AWS Services to Implement Secure Functionality
By leveraging insights gained from past platforms and programs in the federal sector and adopting a user-centric approach, Aquia took charge of the platform's security right from the initial design and discovery stage to the development of a minimum viable product (MVP) and its delivery to various agency applications.
Aquia identified core security functionality and chose tooling to fulfill those functions, mapped the full platform infrastructure to all 352 security controls, and provided implementations to offer 74% control inheritance to applications.
In addition to ensuring compliance, Aquia implemented several key security measures such as detections-as-code, threat models, and security engineering efforts. These proactive actions played a crucial role in obtaining the platform's authority to operate (ATO). Notably, the platform achieved a significant milestone as its system security plan became the first to receive a flawless evaluation with no findings.
Applications within the agency are now onboard to the PaaS and experience faster authorization times with lower compliance overhead.
The agency leveraged a range of AWS services to build its solution. Amazon GuardDuty was utilized for threat detection and alerts in each environment, while AWS Identity and Access Management (IAM) played a crucial role in managing identities and access for accounts and services. Amazon Simple Storage Service (Amazon S3) served as the storage solution for logs, while AWS CloudTrail facilitated logs and monitoring. Amazon CloudWatch was used for generating alerts, and network access control lists (ACLs) and security groups were employed to control traffic.
Amazon Virtual Private Cloud (VPC) enabled the segregation of workloads, and VPC Flow Logs were utilized for monitoring and capturing IP traffic information. Amazon Elastic Kubernetes Service (EKS) was chosen for efficient Kubernetes management, while Amazon Elastic Compute Cloud (Amazon EC2) provided the necessary compute resources. Amazon Relational Database Service (RDS) was utilized as the database solution, and Amazon Elastic Block Store (Amazon EBS) served as a storage and backup solution. AWS Shield offered protection against distributed denial-of-service (DDoS) attacks, and Amazon Route 53 fulfilled Domain Name System (DNS) service requirements. AWS Secrets Manager was used to manage secrets, and AWS Web Application Firewall (AWS WAF) played a vital role in safeguarding web APIs.
Gaining Efficiencies and Streamlining Processes
Initial adopters of the PaaS have seen a decrease in costs, authorization time, and compliance overhead.
Specifically, applications using the PaaS have benefitted from a 74% reduction in compliance overhead for their system security plans, a 30% decrease in authorization time for ATO (from 9 months to 6 months), and a 50% reduction in onboarding time (from 2-3 months to less than 1 month).
The 74% reduction in compliance overhead also directly ties to the applications’ inherited controls from the platform which are abstracted from the application team leading to less engineering overhead.
Overall, users have recognized a more secure and streamlined development process while taking advantage of the efficiencies of cloud-native services.
Aquia’s success with the agency’s PaaS has laid the foundation for automation efforts which are currently in progress for each of the benefits of the platform. These efforts include detections-as-code, compliance-as-code, and transitioning manual compliance processes to automated checks.
Work With Us
Contract Vehicles
GSA Multiple Schedule Award (MAS) Contract # 47QTCA23D000H
SIN 518210C: Cloud Computing and Cloud
SIN 54151HACS: Highly Adaptive Cybersecurity Services (HACS)
SIN 54151S: Information Technology Professional Services
CAGE Code
8XPQ4
Unique Entity ID
RGMQQK1DLAN9
NAICS Codes
541511 Custom Computer Programming Services
334111 Electronic Computer Manufacturing
334112 Computer Storage Device Manufacturing
334310 Audio And Video Equipment Manufacturing
334419 Other Electronic Component Manufacturing
518210 Data Processing, Hosting, And Related Services
519130 Internet Publishing And Broadcasting And Web Search Portals
519190 All Other Information Services
541430 Graphic Design Services
541512 Computer Systems Design Services
541513 Computer Facilities Management Services
541519 Other Computer Related Services
541611 Administrative Management And General Management Consulting Services
541614 Process, Physical Distribution, And Logistics Consulting Services
541618 Other Management Consulting Services
541715 Research And Development In The Physical, Engineering, And Life Sciences (Except Nanotechnology And Biotechnology)
561110 Office Administrative Services
561320 Temporary Help Services
561439 Other Business Service Centers (Including Copy Shops)
611420 Computer Training
We’re in good company.
Subscribe to Our Newsletter
Sign up to receive news and updates from experts on the ever-changing cybersecurity threat landscape.