Basefarm brings Continuous security compliance to Ruter

Ruter AS is the public transport authority for the Oslo and Akershus counties in Norway. Formally a limited company – 60% of its shares are owned by the Oslo county municipality and 40% by that of Akershus – it is responsible for the administration, funding, and marketing (but not direct operation) of public transport in the two counties, including bus, Metro, Tram and ferry services. Ruter also has agreements with the Norwegian State Railway, concerning the regulation of fares on local and regional train services within the two counties.

The development of digital services at Ruter involves many actors. At the heart of Ruters digital platform is Ruter’s Core Mobility Platform, a service which is fully managed by Basefarm. The Core Mobility Platform itself consists of a Fleet Logistics service and a Reporting Service built on Amazon EC2 instances where Basefarm operates the key components Kafka, Cassandra, MQ (Message Queue) and several database services on Amazon RDS.

The Challenge

Supporting the operation of public transportation in the greater Oslo area, Ruter has about 20 development teams. Managing the different security and compliance requirements for so many teams and products is a challenge, Ruter’s development teams need to be able focus on developing valuable functionality, rather than on the headaches of compliance. Ruter’ developers should be able to focus on the services they offer to the public, while leaving security and compliance in the hands of its managed services provider; Basefarm.

Ruter required a service to continuously monitor and manage the compliance of their architecture and the configuration of the underlying AWS services and tools, the solution should be policy based, auditable, and have the capability to alert upon the introduction of non-compliant change within the various environments. The solution should also recommend and help to enforce security best practices for services deployed on Windows or Linux instances in Amazon EC2.

The Solution

By leveraging AWS continued compliance solutions, Basefarm is able to offer compliance monitoring solutions to Ruter.

The solution consists of AWS Security Hub, AWS Inspector, AWS Config, AWS CloudTrail, Amazon CloudWatch and Amazon GuardDuty. The services will identify common security issues and potential threats, while allowing Ruter to maintain their development velocity. Security events are raised as tickets within Basefarm’s ITSM solution, allowing security incidents to be managed using Basefarm’s mature and battle tested incident management processes.

Using AWS Security Hub with the CIS AWS Foundations compliance standard, Basefarm can ensure that all of Ruter’s AWS accounts are maintained at a minimum level of security hygiene, which complies with the Centre for Internet Security’s best practices. If any element of the account configuration is discovered not to meet these standards, then a security incident is automatically raised.

Amazon GuardDuty and AWS Inspector are integrated with AWS Security Hub, which offers a single pane of glass for security insight. Additionally AWS Security Hub will flag non-compliance of rules configured in AWS Config.

AWS Inspector provides the capability to conduct vulnerability and compliance analysis for instances running in Amazon EC2, using one or more of four pre-defined rulesets.

For any given rule in an AWS Inspector ruleset, it is currently not possible to ignore certain controls. This can cause unnecessary alerts, which in turn create tickets and cause unnecessary work. It was a requirement that certain controls be disabled, thus Basefarm created a filter function based on AWS Lambda. The filter is configured using JSON objects in Amazon S3. It is used both to ignore certain controls and to augment any event with additional information about it, such as priority, assignee, event type and additional documentation and references.

Amazon GuardDuty is AWS managed threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect AWS accounts and workloads.

GuardDuty uses Machine Learning to analyze events across multiple AWS accounts and data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs.

Amazon CloudWatch Alarms are configured for specific events found in AWS CloudTrail.

One example of configured Amazon CloudWatch Alarm is when the root user is used; as this should never happen without a ticket in Basefarm’s ITSM tool.

The Basefarm ITSM integration also supports receiving alarms defined in Amazon CloudWatch, by using Amazon Simple Notification Service.

Advantages

The deployment of AWS Security Hub and Inspector, together with custom filtering functions and integration with the Basefarm ITSM system have increased the control over important security metrics, allowing Ruter to maintain is development velocity.

AWS services offer hassle-free security compliance monitoring for the development teams, ensuring that Ruter stays compliant with necessary standards.

Using AWS Security Hub and Amazon Inspector, security incidents are brought to the attention of Basefarm ITSM promptly, allowing issues to be resolved very quickly. Without these tools, any security non-compliance would be difficult to detect, and could take a long time to discover, if it were discovered at all, meaning that unauthorized access to the system could go undetected or data leakage could potentially occur. Auditing compliance to established security standards has also been made easy, with a minimum of manual work. Verification according to a certain standard can be completed within minutes, with the knowledge that every deployed resource meets our security requirements. In an ever-changing environment, any manual audit would have been invalid after a very short time period.

Ruter is now able to benefit from continuous compliance solutions. With its Managed Service Provider Basefarm and its 24/7 Operations Center, they now control:

Account/environment compliance, defined in AWS Config, audited by AWS CloudTrail and monitored within AWS Security Hub, giving the customer compliance control on account and resource level.
Threat detection, with Amazon GuardDuty monitoring key aspects of the AWS accounts and networks, providing detection of malicious or unauthorized behavior.
Compliance of EC2 instances, with Amazon Inspector, Basefarm is able to assess the security state of any EC2 instance, giving the customer insight and capability to monitor the security compliance and maturity of their development teams.

About Basefarm

Basefarm is a European managed service provider creating market leaders, by integrating key skills of big data, cloud services and information security into a service offering.
The company provides strategic advice, architecture and implementation together with the management and operation of solutions to several different cloud platforms.

The business was founded in 2000 in the Nordic countries and today there are 550 leading engineers and advisors working in Norway, Sweden, the Netherlands, Germany and Austria.

Basefarm was ranked highest in Whitelane’s IT Outsourcing study Nordics 2018 and was approved by Gartner as cool vendor supplier at the European Cloud Computing Market 2015 for our unique methodology in application operations.

In August 2018, Basefarm was acquired by Orange Group and is now an Orange Business Service subsidiary.