Basefarm brings Continuous compliance solutions to Bokbasen

Bokbasen provides a wide range of services to all parts of Norway’s publishing community.

The company builds and maintains the Den norske Bokdatabasen catalogue containing data about all Norwegian publishers. By making use of this single centralized register, the industry can easily make use of the data – in online stores, bookshops, libraries and schools – instead of spending time gathering it, as is the focus in many other countries.

When e-books entered the market, Bokbasen was quick to build the infrastructure to support them, including a streaming service for audiobooks. AWS partner Basefarm has been hosting and managing operations for Bokbasen in its private cloud since 2012.

In 2017 Bokbasen started utilizing AWS for storing and transcoding of audio files.

In 2018 Bokbasen migrated their public website to AWS.

In 2019, Bokbasen set out on a new mission to digitize books and learning materials, beginning with Digitalelev, a product for management and procurement of digital learning materials in schools, and Allvit, a platform for distribution of textbooks and resources for higher education.

The Challenge

Bokbasen are operating the solution using a Continuous Integration / Continuous Deployment strategy, with a single development team focused on delivering both the functionality and security of the application. The applications are providing services to the general public and as such must conform to rigid security requirements. Bokbasen require a solution to manage the security and compliance of the AWS resources that are utilised with the application architecture, to ensure that all services are configured in a way that maximises the integrity of data as well as maintaining the privacy of users.

It is important to not hinder development, while at the same time, make sure the environment maintains its security. Deployment of the solution must be quick and flexible, allowing for as little as possible intrusion, into the development workflow.

Bokbasen required a service to continuously monitor and manage the compliance of their architecture and the configuration of the underlying AWS services and tools, the solution should be policy based, auditable, and have the capability to alert upon the introduction of non-compliant change within the various environments. The solution should also recommend and help to enforce security best practices for services deployed on Windows or Linux instances in Amazon EC2.

The Solution

By leveraging AWS continued compliance solutions, Basefarm is able to offer compliance monitoring solutions to Bokbasen.

The solution consists of AWS Security Hub, AWS Inspector, AWS Config, AWS CloudTrail, Amazon CloudWatch and Amazon GuardDuty. The services will identify common security issues and potential threats, while allowing Bokbasen to maintain their development velocity. Security events are raised as tickets within Basefarm’s ITSM solution, allowing security incidents to be managed using Basefarm’s mature and battle tested incident management processes.

Using AWS Security Hub with the CIS AWS Foundations compliance standard, Basefarm can ensure that all of Bokbasen’s AWS accounts are maintained at a minimum level of security hygiene, which complies with the Centre for Internet Security’s best practices. If any element of the account configuration is discovered not to meet these standards, then a security incident is automatically raised.

Amazon GuardDuty and AWS Inspector are integrated with AWS Security Hub, which offers a single pane of glass for security insight. Additionally AWS Security Hub will flag non-compliance of rules configured in AWS Config.

AWS Inspector provides the capability to conduct vulnerability and compliance analysis for instances running in Amazon EC2, using one or more of four pre-defined rulesets.

For any given rule in an AWS Inspector ruleset, it is currently not possible to ignore certain controls. This can cause unnecessary alerts, which in turn create tickets and cause unnecessary work. It was a requirement that certain controls be disabled, thus Basefarm created a filter function based on AWS Lambda. The filter is configured using JSON objects in Amazon S3. It is used both to ignore certain controls and to augment any event with additional information about it, such as priority, assignee, event type and additional documentation and references.

Amazon GuardDuty is AWS managed threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts and workloads.

GuardDuty uses Machine Learning to analyze events across multiple AWS accounts and data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs.

Amazon CloudWatch Alarms are configured for specific events found in AWS CloudTrail.

One example of configured Amazon CloudWatch Alarm is when the root user is used; as this should never happen without a ticket in Basefarm’s ITSM tool.

The Basefarm ITSM integration also supports receiving alarms defined in Amazon CloudWatch, by using Amazon Simple Notification Service.

When AWS Config was enabled in Bokbasen’s highly dynamic accounts with stopping and starting EC2 instances happening all the time, the cost of AWS Config on certain resources was higher than the cost of the resources. Basefarm along with the customer ended up disabling AWS Config on Amazon EC2 and AWS Auto Scaling resources.

Advantages

The deployment of AWS Security Hub and Inspector, together with custom filtering functions and integration with the Basefarm ITSM system have increased the control over important security metrics, allowing Bokbasen to maintain is development velocity.

AWS services offer hassle-free security compliance monitoring for the development teams, ensuring that Bokbasen stays compliant with necessary standards.

Using AWS Security Hub and Amazon Inspector, security incidents are brought to the attention of Basefarm ITSM promptly, allowing issues to be resolved very quickly. Without these tools, any security non-compliance would be difficult to detect, and could take a long time to discover, if it were discovered at all, meaning that unauthorized access to the system could go undetected or data leakage could potentially occur. Auditing compliance to established security standards has also been made easy, with a minimum of manual work. Verification according to a certain standard can be completed within minutes, with the knowledge that every deployed resource meets our security requirements. In an ever-changing environment, any manual audit would have been invalid after a very short time period.

Bokbasen is now able to benefit from continuous compliance solutions. With its Managed Service Provider Basefarm and its 24/7 Operations Center, they now control:

Account/environment compliance, defined in AWS Config, audited by AWS CloudTrail and monitored within AWS Security Hub, giving the customer compliance control on account and resource level.
Threat detection, with Amazon GuardDuty monitoring key aspects of the AWS accounts and networks, providing detection of malicious or unauthorized behavior.
Compliance of EC2 instances, with Amazon Inspector, Basefarm is able to assess the security state of any EC2 instance, giving the customer insight and capability to monitor the security compliance and maturity of their development teams.

About Basefarm

Basefarm is a European managed service provider creating market leaders, by integrating key skills of big data, cloud services and information security into a service offering.
The company provides strategic advice, architecture and implementation together with the management and operation of solutions to several different cloud platforms.

The business was founded in 2000 in the Nordic countries and today there are 550 leading engineers and advisors working in Norway, Sweden, the Netherlands, Germany and Austria.

Basefarm was ranked highest in Whitelane’s IT Outsourcing study Nordics 2018 and was approved by Gartner as cool vendor supplier at the European Cloud Computing Market 2015 for our unique methodology in application operations.

In August 2018, Basefarm was acquired by Orange Group and is now an Orange Business Service subsidiary.