When you’re managing the distribution of people’s paychecks, you’ve got a high bar to meet on security. So for Namely, whose SaaS application supports payroll, people management, compliance and tax, and team collaboration for hundreds of thousands of users, security has been a priority from Day 1. The move to a microservices architecture, however, drove the need for a whole new approach to security.
Namely’s flagship SaaS platform uses hundreds of services that are constantly being released and updated, so the company standardized on Kubernetes to scale and operationalize infrastructure management. Namely moved to Amazon Web Services about five years ago, and the team chose to run this application in Amazon EKS.
As Namely was defining the security needs for this new architecture, the teams realized the importance of covering both ends of the SDLC. First, the company needed to make sure it could detect and prevent non-compliant workloads, track configuration baselines and prevent drift, and monitor the state of compliance across all clusters, nodes, and containers. Hardening the environment is a crucial first step, but protection can’t stop there. So Namely also needed to detect and prevent a range of runtime threats, including unauthorized access, privilege escalation, data exfiltration, lateral movement, and other behavioral anomalies.
In looking for a container security solution, Namely made it a priority to extend the infrastructure benefits of Kubernetes – scale, pace, the ability to make things operational – to its security architecture. The company’s SREs got involved in the security platform decision and insisted the company avoid using any approach that would be intrusive or opaque. It was crucial that they not lose control over security operations – a separate control tool that was taking actions on containers and Kubernetes that they couldn’t see was a non-starter, in their view.
This focus on operationalizing security and consistency between security and infrastructure management led the team to choose StackRox – the only Kubernetes-native security platform. Namely has really appreciated that StackRox provides all security functions, from visibility to control, in Kubernetes constructs – pods, nodes, clusters, deployments. The company also values the StackRox ability to assess risk using the declarative data available in containers and Kubernetes. The company has been able to make more informed decisions, keep up with its fast pace of application delivery and growing scale, and respond quickly to risky changes using StackRox.
And best of all, Kubernetes-native security has enabled Namely to have all these security capabilities applied without slowing down app dev, making the security team an enabler of moving at business speed.
This is a Security Bloggers Network syndicated blog from The Container Security Blog on StackRox, authored by The Container Security Blog on StackRox. Read the original post at: https://www.stackrox.com/post/2020/06/securing-namelys-sensitive-hr-and-payroll-data-on-amazon-eks/