Upholding Cloud Security with Less Effort, More Consistency

CDL Uses CIS Hardened Images to Balance Cloud Security and Performance

CDL (Cheshire Datasystems Limited) is a privately owned technology services provider with an agile approach to software development. Its InsurTech ecosystem provides a global insurance blueprint, powering transactions across insurance and financial services markets. Doing so necessitates that it maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS), as some of its systems store customers' payment card information.

CDL is focused on the retail insurance sector, particularly in the United Kingdom, and it provides transformational solutions for insurers, brokers, price comparison websites, and other enrichment providers. These focus on driving operational efficiency, ensuring intuitive user interfaces, and facilitating data-driven customer journeys. It employs more than 500 people at its campus in Greater Manchester, England.

We sat down with Matt Eisengruber and Tom Bullock at CDL. Matt is an architect team lead who handles pre-sales and post-sales support from an architecture perspective. Tom Bullock is a cloud DevOps architect who manages governance and processes for the adoption of cloud-based technologies. They told us how resources from the Center for Internet Security (CIS), particularly CIS Hardened Images, helped them solve some of CDL’s business challenges.

Let’s examine how this happened.

The Challenge: Manual Hardening and a Lack of Consistency

There are two challenges that CDL was initially looking to solve. The first was creating more efficiency to harden their systems instead of manually hardening, and the second was ensuring a consistent security posture across the organization.

Manual Hardening

As an InsurTech provider, CDL handles credit card data in some of its systems. The company therefore must comply with PCI DSS. Of the many requirements in PCI DSS v4.0, Requirement 2.2 mandates that system components be configured and managed securely.

Initially, CDL worked to fulfill Requirement 2.2 on premises by having its engineers manually read guidance from CIS and translate it into scripts. This involved extensive engineering time and skill, so much so that CDL focused its hardening efforts solely on those systems that fell in the scope of PCI DSS.

Ensuring a Consistent Security Posture

CDL's transition to the cloud exacerbated this manual hardening problem. As the company moved to an agile delivery approach, it broke up its traditional teams of developers, engineers, and other personnel by reorganizing them into different squads.

The work of the squads varied depending on the skill sets of their members. This complicated the task of consistently implementing certain initiatives across the organization. Among them was the company's efforts to keep a strong, unified security posture in place.

The Solution: A Win-Win for Security and Price

When CDL moved to the cloud, it containerized a majority of its workload. The company made this choice because it wanted to better leverage the cloud and take inventory of its business logic. During that process, it realized it would still need to run manual checklists with its containers.

To put governance around its different base images, the CDL leadership team recognized that they needed to come up with golden images from which internal people could build. But doing so would require time and effort that they didn't have to spare. Additionally, the company observed that squads weren't regularly patching the base images they did choose. CDL needed a way to consistently keep the images used by its teams up to date.

Instead of building a golden base image itself, CDL chose to use CIS Hardened Images with its payment environment. The company made this decision because the CIS Hardened Images are pre-hardened according to the CIS Benchmarks, secure configuration guidelines which support compliance with Requirement 2.2 of PCI DSS v4.0 and other frameworks. They're also patched for software updates on a monthly basis by CIS, removing the need for squads to update the images themselves.

The company soon propagated CIS Hardened Images across its other accounts to leverage them as a starting point for all operating systems and support its switch to a more open-source stack. Usually, embracing open-source tools involves a tradeoff. On the one side, open-source tools are cost-effective, but they come with their fair share of security challenges. CIS Hardened Images enabled CDL to lay a secure foundation for adopting more open-source technologies...and at a price point that was attractive.

The CIS Hardened Images fulfilled another business objective, as well. At one point in its cloud migration, CDL realized that it could operate more efficiently by moving to Advanced RISC Machines (ARM) architecture. The company wanted to begin by switching to this architecture for one app, but it didn't have a way of doing so that balanced performance and security. Luckily, CIS provides several Hardened Images for ARM on AWS Marketplace; so, CDL began using them.

The Impact: More Time for Development and Stronger Cybersecurity

The biggest benefit of using the CIS Hardened Images is that it enabled CDL to focus on business logic and improve its software. There's always a tradeoff in development between maintaining existing solutions and releasing new features. CIS Hardened Images helped CDL by sharing some of the maintenance load with CIS so that it could focus more on new features and capabilities. 

CDL found that using CIS Hardened Images also positively influenced its interactions with its customers. As the CDL client base typically comprises high-volume insurance retailers looking to migrate from legacy systems, cybersecurity is a key issue, and CDL was able to cite its use of CIS Hardened Images in its pre-sales materials as a way of evidencing vendor-agnostic security best practices that are developed through a community consensus process.

The CIS Hardened Images conferred other business benefits, too. These included the ability to more easily maintain its accreditation with PCI DSS using consistent effort, improving the overall cybersecurity posture, reducing engineering effort to harden the operating systems to almost nothing, along with saving time, money, and resources. As an example, CDL used CIS's ARM Hardened Image to switch one of its apps to ARM. In the process, it upheld security and performance, all while saving 26.7% on its monthly computing bill.

Now It’s Your Turn!

Through the use of CIS Hardened Images, CDL shifted its business focus, took its relationship with its customers to another level, and saved time and money in the process

Interested in learning how CIS Hardened Images can benefit your organization?