Refactoring Deployment Architecture

Background

ACE Security Portal (ASP) is a leading provider of unified cyber risk management and security analytics - enabling stakeholders, governance organizations, and security teams to effectively manage technology risk at the speed of business.

Challenge

As the business grew, ASP deployments quickly became complex as many VPCs were created for the growing customer base. In addition, configuration for shared infrastructure also became more complex, with hundreds of customization parameters saved in various configuration files. Tracking, cataloging, and managing these configuration parameters became a bottleneck for ASP growth.

Solution

A container-based application deployment model was adopted instead of running services directly on the native OS/Java runtime. Containers offer a consistent, identical runtime environment irrespective of the underlying infrastructure, so it was decided to replace the fleet of EC2 instances with an ECS cluster.
Adopting active configuration management. As configuration management grew complex, configuration data was moved into a key/value database, and a dedicated UI dashboard was created to standardize the entry of new data and updates to existing data. This standardization lets ASP on-board a new customer and initialize a new environment with the push of a button. Active configuration management brought tremendous agility in bringing up new subscribers, as teams other than IT can quickly see what has been provisioned for a subscriber.
Fargate as compute provider: because EC2 instances were provisioned on demand and scaled out with workload, a large EC2 fleet was active at all times. Patching this fleet for security vulnerabilities was tedious and time-consuming. The AWS Fargate compute provider frees customers from maintaining security patches for the core OS and its libraries.
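As an added example that is not ASP's code and not part of the original case study, the following Python script ties the two points above together: it reads a subscriber's parameters from a key/value store (here a constructed in-memory dictionary with hypothetical keys), renders an ECS task definition that targets Fargate, and lints the result for the settings that still matter once OS patching is no longer your responsibility but the container image is: a version-pinned image, a non-root user, a read-only root filesystem, secrets passed by ARN rather than in plain environment variables, and logging configured. All names, ARNs and values are constructed placeholders.

```python
"""Added example (not ASP's code): assemble an ECS/Fargate task definition for a
subscriber from a key/value configuration store and lint it for security settings.
All keys, ARNs and image names below are constructed placeholders."""
import json
from typing import Any

# Constructed sample: per-subscriber parameters as they might be kept in a
# key/value store. Hypothetical key names and values.
KV_STORE = {
    "subscriber/acme/image": "123456789012.dkr.ecr.us-east-1.amazonaws.com/asp-app:1.4.2",
    "subscriber/acme/cpu": "512",
    "subscriber/acme/memory": "1024",
    "subscriber/acme/db_secret_arn": "arn:aws:secretsmanager:us-east-1:123456789012:secret:acme-db",
    "subscriber/acme/log_group": "/asp/acme",
}

REQUIRED_KEYS = ("image", "cpu", "memory", "db_secret_arn", "log_group")


def load_subscriber(kv: dict[str, str], name: str) -> dict[str, str]:
    """Read one subscriber's parameters from the store; fail on missing keys so a
    half-configured environment is never provisioned."""
    prefix = f"subscriber/{name}/"
    params = {k[len(prefix):]: v for k, v in kv.items() if k.startswith(prefix)}
    missing = [k for k in REQUIRED_KEYS if k not in params]
    if missing:
        raise KeyError(f"{name}: missing configuration keys {missing}")
    return params


def build_task_definition(name: str, p: dict[str, str]) -> dict[str, Any]:
    """Render a Fargate task definition. The database secret is referenced by ARN
    through the `secrets` block so it never appears in the plain `environment` list."""
    return {
        "family": f"asp-{name}",
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",
        "cpu": p["cpu"],
        "memory": p["memory"],
        "containerDefinitions": [{
            "name": "app",
            "image": p["image"],
            "essential": True,
            "readonlyRootFilesystem": True,
            "privileged": False,
            "user": "1000",
            "secrets": [{"name": "DB_URL", "valueFrom": p["db_secret_arn"]}],
            "environment": [{"name": "SUBSCRIBER", "value": name}],
            "logConfiguration": {
                "logDriver": "awslogs",
                "options": {"awslogs-group": p["log_group"], "awslogs-region": "us-east-1"},
            },
        }],
    }


SECRET_HINTS = ("SECRET", "PASSWORD", "TOKEN", "KEY")


def lint_task_definition(td: dict[str, Any]) -> list[str]:
    """Return findings for settings a reviewer would reject before deployment."""
    findings = []
    if "FARGATE" not in td.get("requiresCompatibilities", []):
        findings.append("task is not Fargate-only")
    for c in td.get("containerDefinitions", []):
        cname = c.get("name", "?")
        image = c.get("image", "")
        # The last path component must carry an explicit, non-floating tag.
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            findings.append(f"{cname}: image is not pinned to a version tag")
        if c.get("privileged"):
            findings.append(f"{cname}: privileged container")
        if not c.get("readonlyRootFilesystem"):
            findings.append(f"{cname}: root filesystem is writable")
        if c.get("user") in (None, "", "0", "root"):
            findings.append(f"{cname}: runs as root")
        for env in c.get("environment", []):
            if any(h in env["name"].upper() for h in SECRET_HINTS):
                findings.append(f"{cname}: secret-like value in plain environment ({env['name']})")
        if "logConfiguration" not in c:
            findings.append(f"{cname}: no log configuration")
    return findings


if __name__ == "__main__":
    params = load_subscriber(KV_STORE, "acme")
    td = build_task_definition("acme", params)
    print(json.dumps(td, indent=2))
    print("findings:", lint_task_definition(td) or "none")
```

The lint is meant to run in the provisioning path, between the dashboard entry and the call that registers the task definition, so a subscriber environment that would run as root, use a floating `:latest` image or carry a password in a plain environment variable is rejected before it reaches the cluster.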

Results

Use of Fargate eliminated the need to secure and patch the EC2 fleet, saving ASP engineers countless hours of tedious, repetitive work. The Fargate-based ECS cluster also helped with security audits of the solution, and security scanning of Docker containers was much more straightforward than patching the OS and libraries of the EC2 fleet. Provisioning speed increased significantly: new solutions could be provisioned in hours or days rather than weeks, and the need for technical staff to oversee infrastructure provisioning for a new subscriber was significantly reduced.