The agency works to improve the standard of living and quality of life by promoting a labor force that is highly skilled and a labor market that is efficient and inclusive. The organization is also involved extensively in programs and policy development and execution. The agency delivers approximately $100 billion in programs.
This agency of the government supports thousands of people with world-leading social programs. Behind those programs are important applications providing access for users to manage everything from employment and pensions to housing and healthcare. They have many development teams building and maintaining those applications, which they have steadily been moving to the cloud over the past several years. During this transition to multi-cloud and containerized applications, the organization made an important decision to shift left and integrate security earlier into development. It has been a large undertaking — one that required a key partner with highly effective, specialized technology.
As with most organizations, there was some divide between development and security, so choosing a solution that would be easy for developers to integrate into their existing workflows was important for adoption. The agency recognized that cloud security is intrinsically tied to application security and the development process; the challenge was to implement and enforce security best practices easily across all departments. They needed to ensure any newly created functionality went through predefined security tests. Similarly, they needed to keep risk out of production by automating the detection and blocking of issues such as vulnerabilities, secrets, and misconfigurations before deployment. At this agency, developers are required to go through testing and authorization before pushing apps into production. It was important for any new security tool to create positive experiences and not hinder processes.
Compliance was another key consideration when selecting a cloud native security solution. As a government agency with more than 100 security controls to comply with, they must provide evidence of how all solutions meet their strict requirements.
They chose Aqua — the industry’s most advanced container security solution — to bolster application protection on their journey to the cloud. They rely on Aqua to scan CI builds and container images based on a consistently updated source of vulnerability data to identify issues with minimal false positives and mitigate risk. With the Aqua platform, they effectively reduce the attack surface before the container is deployed by continuously detecting, prioritizing, and responding to risk across the entire software development lifecycle.
As they continue their move to the cloud, they require all new apps and software to be cloud native. The teams are armed with Aqua’s capabilities in their initial builds to ensure they are secure from the start. As these and other teams have begun using Aqua, it’s been easy for security to socialize the solution with developers. Because Aqua fits seamlessly into the CI/CD workflow, it is simple for them to adopt. In fact, Aqua empowers developers to proceed through their rigorous testing and authorization requirements more quickly and effectively. As a result, Aqua is seen as a benefit rather than a roadblock that might slow down their work.
“Aqua made it easy for us to implement security into the development life cycle. There were not a lot of extra steps. Developers already had their CI/CD pipeline; so, they just had to add the Aqua task. Then, for every build, it would run automatically and provide a report on vulnerabilities for them to follow.”
Aqua also automatically sends notifications via Microsoft Teams for any medium- or high-priority vulnerabilities so they can be addressed quickly. A security analyst at the agency said Aqua’s ability to detect malfunctions during runtime is another valuable feature that can provide another layer of security at the application level.
Granular user management features, such as role-based access control, enable their security team to maintain tight control and grant least privilege access to keep risk low and adhere to their extensive compliance standards. Reporting was easy — just a quick download.
With apps in both Azure and AWS, they’re on track to fully embrace the cloud, so Aqua’s deep focus on cloud and container technology is crucial to their success.
With Aqua’s container security, this government agency was able to integrate security early into its development processes as the organization moved more of its applications into the cloud: