The Challenge of Achieving FedRAMP Compliance
FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is extremely important as it’s the gold standard for assessing cloud service providers within the government.
Lookout sought FedRAMP compliance in order to sell their products and services to government agencies. However, to achieve compliance, they had to undergo the stringent FedRAMP process, which included heavy technical documentation, audits, and evaluations. Specifically, they needed to validate that their software delivery practices met their security standards.
Accelerating FedRAMP Compliance with Armory & Spinnaker
To ensure compliance with FedRAMP’s security requirements, Lookout chose Spinnaker — the open source standard for software delivery — to automate their software delivery process and streamline what was previously highly manual, resource intensive, and error-prone. In order to productionize Spinnaker, they turned to the Spinnaker experts at Armory. Armory was able to help them implement Spinnaker and satisfy the core requirements needed to achieve compliance:
- Patching: Services that are FedRAMP-certified must patch issues and vulnerabilities every 30 days. Historically, software deployments and patches updated existing infrastructure in place, so any infrastructure issues remained after the new build was installed. Immutable infrastructure is reprovisioned on the fly each time a deployment occurs, so that the underlying infrastructure is in a known good state. However, recreating that infrastructure at the same time new software is being deployed is a complex and error-prone process. Spinnaker makes deploying to immutable infrastructure safe and automatic by encapsulating the deployment process with native intelligence about the health of the infrastructure.
Armory’s expert consultants implemented Lookout’s Spinnaker deployment pipelines so that one pipeline builds a base image containing the latest secure operating system and common packages, and downstream pipelines inherit that base image, ensuring all services use the latest secure image. If a patch is released or new bugs are fixed upstream (in the OS or other common libraries), it is trivial to relaunch all services by rebuilding the base image.
- Configuration Changes: Another requirement Lookout had to meet was to change parts of its architecture. Spinnaker allowed them to quickly relaunch services to meet those requirements.
Lookout’s Operations Engineers had an existing process for reconfiguring and relaunching services, but it was highly manual and error-prone. Spinnaker made it easy for them to relaunch and configure their services to meet these specific infrastructure configuration requirements.
Without Spinnaker it would have taken more effort to recreate and reorient those services — requiring engineers to relaunch each one by hand.
- Documentation of Process and Policies: One of FedRAMP’s requirements is to document all policies and procedures around configuration change management and service deployment. For example, if there is a need to change the configuration of a service, Lookout would need to show FedRAMP auditors every step in that process and that it was safe and repeatable.
Spinnaker provides them with a single pane of glass and a central source of truth for all changes to production. When changes occur, Spinnaker emits rich logs that describe who changed what, when, where, and how. This gives auditors the data they need to be confident that changes are made in a transparent and safe manner, by a person specifically authorized to do so.
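The base-image inheritance described under Patching implies a check an operator will want to run continuously: which services are still running images that were not derived from the current base, or that have aged past the 30-day patch window, and in what order the derived images must be rebaked once the base changes. The Python below is an added example written for this page, not Lookout's, Armory's or Spinnaker's own code; the image catalog, image ids, dates and service names are constructed for the illustration, and the lineage model (an image pointing at its parent image) is a hypothetical simplification of what a pipeline-driven bake chain would record.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

PATCH_WINDOW_DAYS = 30  # FedRAMP patch cadence cited on the page


@dataclass(frozen=True)
class Image:
    image_id: str
    built_on: date
    parent_id: Optional[str] = None  # None marks a base image


@dataclass(frozen=True)
class Service:
    name: str
    image_id: str  # image the service is currently running on


class ImageCatalog:
    """Parent/child lineage of baked images (hypothetical structure)."""

    def __init__(self, images: List[Image]) -> None:
        self._by_id: Dict[str, Image] = {i.image_id: i for i in images}

    def get(self, image_id: str) -> Image:
        return self._by_id[image_id]

    def base_of(self, image_id: str) -> Image:
        """Walk parent links up to the root base image."""
        img = self.get(image_id)
        while img.parent_id is not None:
            img = self.get(img.parent_id)
        return img

    def descendants(self, image_id: str) -> List[str]:
        """Images derived from image_id, parents before children.

        This is the order in which downstream pipelines must rebake
        after the base image is rebuilt.
        """
        order: List[str] = []
        frontier = [image_id]
        while frontier:
            parent = frontier.pop(0)
            children = sorted(
                i.image_id for i in self._by_id.values() if i.parent_id == parent
            )
            order.extend(children)
            frontier.extend(children)
        return order


def stale_services(
    catalog: ImageCatalog, services: List[Service], current_base_id: str, today: date
) -> List[Tuple[str, str]]:
    """Return (service, reason) for every service that needs a relaunch.

    A service is stale if its image does not descend from the current base
    image, or if the image itself is older than the patch window.
    """
    findings: List[Tuple[str, str]] = []
    for svc in services:
        img = catalog.get(svc.image_id)
        if catalog.base_of(svc.image_id).image_id != current_base_id:
            findings.append((svc.name, "built from superseded base image"))
        elif (today - img.built_on).days > PATCH_WINDOW_DAYS:
            findings.append((svc.name, "image older than patch window"))
    return findings


# Constructed sample data: two base images, one intermediate "common" image,
# and three service images hanging off them.
CATALOG = ImageCatalog([
    Image("base-2024-01-01", date(2024, 1, 1)),
    Image("base-2024-02-01", date(2024, 2, 1)),
    Image("img-common", date(2024, 1, 2), parent_id="base-2024-01-01"),
    Image("img-svc-b", date(2024, 1, 3), parent_id="img-common"),
    Image("img-svc-a", date(2024, 2, 2), parent_id="base-2024-02-01"),
    Image("img-svc-c", date(2024, 3, 5), parent_id="base-2024-02-01"),
])
SERVICES = [
    Service("svc-a", "img-svc-a"),
    Service("svc-b", "img-svc-b"),
    Service("svc-c", "img-svc-c"),
]
CURRENT_BASE = "base-2024-02-01"
TODAY = date(2024, 3, 10)  # fixed "today" so the report is reproducible


def report() -> List[Tuple[str, str]]:
    """Stale services as of TODAY against the current base image."""
    return stale_services(CATALOG, SERVICES, CURRENT_BASE, TODAY)


if __name__ == "__main__":
    for name, reason in report():
        print(f"{name}: {reason}")
    print("rebake order after base-2024-01-01:", CATALOG.descendants("base-2024-01-01"))
```

With the constructed data, svc-b is flagged because its lineage still ends at the superseded January base, and svc-a is flagged because its image, although built from the current base, is 37 days old on the chosen date; svc-c passes. `descendants()` gives the rebake order a pipeline orchestrator would follow after the base image is rebuilt, so the same check can drive both the audit finding and the remediation.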
The Bottom Line
The impact that Spinnaker and Armory have had on Lookout’s efforts to achieve FedRAMP compliance is significant. Lookout was able to automate manual processes and accelerate the time to deliver a new service. Below is a table that illustrates the software delivery performance gains.