Edtech startup Transeo was experiencing rapid growth and wished to lay a strong foundation for operating at scale. We conducted exhaustive security and infrastructure assessments to provide both tactical and strategic deliverables. The engagement helped Transeo minimize cybersecurity risks, optimize server costs, create documentation, and introduce Infrastructure as Code in the organization. This helped them prepare their infrastructure for future growth and improve their overall security posture.
Our Work Involved
- Github Review
- Whitebox Security Review
- Identity and Access Management Review
- Asset Discovery and Cost Optimization
- CI/CD Examination
- AWS Network Layer Review
- AWS EKS Migration Planning
Impact
- Minimized cybersecurity risks
- Optimized server costs
- Consolidated documentation
- Introduced Infrastructure as Code
Rapid Engagement Delivery: 3 Weeks
User data is always prone to cyberattacks. However, the risk is amplified when the data belongs to students.
According to a report by Security Scorecard, the education sector is the least prepared to deal with cyberattacks among all major industries. Additionally, they have vast volumes of sensitive student information, making them a magnet for malicious actors online.
Transeo is a suite of cloud-based educational solutions that helps students and staff connect to each other in a more effective way. They help schools transform their student readiness by tracking and reporting community service, workplace learning experiences, and graduation plans without paper.
Transeo’s growth has been rapid and its leadership expects it to continue. Being a proactive organization, it wanted to prepare itself for exponential growth, rather than reacting to growth pains as they appear.
Transeo wanted to ensure that its digital infrastructure was ready to scale and that its security posture was robust enough to safeguard user data.
Additionally, Transeo’s AWS costs had been rising aggressively, growing by 429% in four months.
After a recommendation from another Edtech client: Full Measure Education, Transeo reached out to Modus Create for a comprehensive assessment of their infrastructure and actionable recommendations for the next stage of growth.
A Security Architect and a DevOps Architect joined the Transeo team for the engagement with a goal to provide a list of action items in three weeks.
Security Assessment
The first part of the engagement involved a dedicated security assessment to evaluate the existing application for code quality, security issues, examine DevOps processes, and cloud hosting design.
The team designed the security assessment to prevent threats from four types of threat actors that have targeted the EdTech industry in recent months.
Advanced Persistent Threats
Groups with sophisticated intelligence gathering and attacking techniques
Hacktivists
Protestors who use hacking techniques in order to bring attention to a particular issue
Lone Wolves
Individuals who attack a system out of curiosity, to gain notoriety, or simply out of malicious intent
Insider Threats
Disgruntled employees, negligence, poor monitoring, weak QA processes, or defective systems
Working together with the Transeo team, the Security Architect took a deep dive into application and AWS security.
After a comprehensive review of the existing security posture, it was time for the DevOps Architect to perform an in-depth assessment of Transeo’s digital infrastructure.
DevOps / Infrastructure Assessment
The team used the AWS Well-Architected Framework as a guide to review the Virtual Private Cloud (VPC), network, and DevOps pipeline. As a starting point, they used CloudMapper to generate a diagram of the interrelationship of nodes in the AWS infrastructure.
Similar to the security assessment, a DevOps assessment also involved a deep dive into both the application and AWS implementation:
- Examining CI/CD solutions for static code quality checks
- Understanding application deployment, rollback, and migration processes
- Reviewing AWS network-layer configurations
- Understanding data stores and third-party utilities
- Scanning for misconfigurations and analyzing availability and redundancy.
- Performing asset discovery and estimating cost savings
After exhaustive security and DevOps review, the team suggested the next steps in the Recommendations Report.
Getting Actionable Recommendations
The report suggested tactical recommendations to deal with high-priority items and strategic actions to bolster infrastructure in the long run. Let’s look at a few of them:
1. Address Tactical Security Issues
The team listed specific recommendations to address application, network, and DevOps vulnerabilities. It also prioritized them to help Transeo address high-risk/low-effort issues first.
2. Create Documentation
Documentation is more than just creating assets. It also includes appointing a designated person responsible for maintenance. Similarly, another important aspect of documentation is governing its access to ensure compliance with data regulations such as the GDPR.
The team provided specific recommendations around creating, maintaining, and managing relevant documentation.
3. Optimize AWS Cloud Environment
A significant part of the report focused on specific improvements in Transeo’s AWS cloud environment, such as:
- Implementing multiple AWS organizations instead of a single account to strengthen security and administering them using AWS Control Tower.
- Implementing Service Control Policies (SCP) to manage organization-level permissions.
- Configuring VPC flow logs on all provisioned VPCs for audit and compliance purposes.
- Using AWS Secrets Manager to control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud and third-party services.
- Enabling Multi-Factor Authentication (MFA) for all users to create an additional layer of protection
In total, Transeo received 13 specific recommendations to upgrade its AWS cloud environment.
4. Migrate to AWS EKS
EKS (Elastic Kubernetes Service) is Amazon’s managed Kubernetes service. It removes the need to manage aspects of the Kubernetes infrastructure, such as the main node, simplifying the administration and management of Kubernetes clusters.
We suggested that Transeo migrate to AWS EKS and proposed a customized approach for it.
5. Adopt Infrastructure as Code
Transeo had expressed interest in adopting Terraform, an “infrastructure as code” tool that allows users to create, update, and version AWS infrastructure. The team endorsed this approach as it made sense from both a security and infrastructure perspective.
Modus Create’s DevOps architect suggested several approaches Transeo can take to import existing infrastructure and improve security around the IaC files.
The team also suggested using infracost.io to estimate new and existing infrastructure costs based on pull requests on Terraform code. This helps estimate service prices and opportunities for saving.
Impact of the Engagement
The entire engagement took less than three weeks and provided Transeo with three different options to execute the recommendations. This allowed them to pick the most appropriate course of action based on their requirements.
Vital Stats
Engagement duration
Uptime SLA with EKS
New cluster cost
Transeo was excited by the assessment results, particularly by the recommendations on converting to Infrastructure as Code and reevaluating the security practices.
The engagement helped Transeo minimize cybersecurity risks, optimize server costs, create documentation, and introduce Infrastructure as Code in the organization. By getting ahead of the growth pains, Transeo has prepared its infrastructure to sustain accelerated growth.
If your startup is preparing for a phase of accelerated growth, talk to Modus. Our assessments can help you strengthen your infrastructure and security posture.