The Client

StepStone Group receive, process and store large amounts of recruitment data across EMEA on a daily basis. There is implicit trust from the end user that data will be processed securely.

The Challenge

Recent investment in AWS cloud technologies across the group resulted in a need to update information security processes to align with new ways of delivering software to the cloud. Without this, StepStone’s high security standards were at risk of no longer being sustainable.

The Solution

Contino suggested a DevOps delivery approach to give StepStone an opportunity to continuously reduce overall security risks in their software. Security tasks were shifted further left in the development pipeline to identify and eliminate security issues at each step of the development process.

Improve Operational Excellence

We collaborated with StepStone's development, infrastructure and security teams to establish a set of best practices and guidelines for running workloads on the AWS cloud platform, tailored to the client's needs.

Subsequently, we created a new capability that enables engineers to focus on security by defining infrastructure as code and writing code-based security tests that can be run as part of software Continuous Integration practices.

Contino's delivery team increased the accuracy and frequency of security-focused testing by creating a capability to write and execute infrastructure security tests at multiple points in the SDLC. This reduces the risk of deploying vulnerable components by ensuring that security vulnerabilities are caught during development.

Protect Business Value

We updated security tooling to link directly to best-practice documentation, which enabled development, infrastructure and operations to quickly and accurately identify the root cause of security issues, reducing mean time to recovery (MTTR).

We deployed a highly available and secure software vault for maintaining secrets and sensitive data, which will reduce the risk of sensitive data being compromised or being used to further compromise systems.

Improve Future Workforce

We collaborated on lighthouse projects with two project teams to kick-start adoption of the new security best practice and demonstrate the art of the possible with the new infrastructure as code and secrets management tooling.

We ran workshops across development and operational silos to upskill employees in the new skills of infrastructure as code, testing first and secrets management.

Amazon Web Services

Following a DevSecOps assessment, Contino executed lighthouse projects to create security standards for all group companies on AWS.

  • AWS CloudTrail was activated to collect all API activities, with minor security improvements applied
  • HashiCorp Terraform was used to manage all AWS infrastructure as code
  • All internal corporate communication was routed over AWS Direct Connect
  • Post-audit checks were developed and applied with new CloudSploit plug-ins to validate every AWS account across the group
  • HashiCorp Vault was used to handle all secrets management, including generating the temporary AWS credentials needed for the lighthouse projects

The Result

Contino helped to improve operational excellence by:

  • Applying software engineering practices to infrastructure and group security policy to improve the speed and quality of feature development.
  • Reducing the risk of rapid and frequent deployment cycles by increasing the accuracy and frequency of security-focused testing.
  • Reducing failure demand across IT by ensuring that security vulnerabilities can be caught earlier, during development.

Business value was protected by auditing existing infrastructure and closing a number of infrastructure-based vulnerabilities that were highlighted by the new tooling introduced.

Finally, we improved the future workforce by improving awareness of security and enabling a shift-left infrastructure for vulnerability testing.