Sign up for our newsletter! →

KPA, HanaByte

KPA Chooses HanaByte for Secure Kubernetes Configurations on AWS

HanaByte Automates Kubernetes Security at Scale

HanByte

Executive Summary

Despite being early adopters of containers and Kubernetes on AWS, KPA’s devops team was utilizing first-generation tooling that demanded considerable efforts for any kind of customizations, and as a result did not have a clear path to perform upgrades on a consistent basis. By collaborating with HanaByte, KPA was able to accelerate their Kubernetes upgrades, preventing any adverse impacts on the confidentiality, integrity, or availability of their system due to the lack of system upgrades.

HanaByte delivered Terraform infrastructure as code templates that allowed KPA to provision EKS clusters repetitively as needed to support their Compligo platform. In addition, HanaByte conducted multiple knowledge transfer sessions to ensure that the KPA team felt confident operating this new infrastructure going forward.

"HanaByte migrated our Kubernetes infrastructure and hardened our security protocols. Their team went above and beyond providing support and guidance.”

About KPA

KPA offers Environment, Health, and Safety (EHS), HR Management, and Finance & Insurance compliance software and services to businesses. KPA utilizes cloud software, online training, and on-side audit and loss control services to help over 10,000 client locations achieve regulatory compliance, control risk, protect their assets, and cultivate their workforces.

Why AWS

KPA opted to utilize Amazon Web Services (AWS) for several years prior to partnering with HanaByte due to its scalability and user-friendliness when it comes to running containerized workloads. KPA runs their Compligo software on the cloud-based Elastic Kubernetes Service (EKS), providing a high-performing and relatively low-maintenance Kubernetes solution.

The Challenge

KPA adopted a containerized microservice architecture for their Compligo software in 2019, but updating the hundreds of containers across multiple deployments became increasingly challenging over time. The Kubernetes clusters included ancillary services that required additional configuration such as Grafana and Prometheus (used for monitoring) and controllers used to provision Kubernetes objects as AWS resources. 

As a widely-used compliance tool, Compligo requires risk mitigation to ensure customer trust.  However, KPA lacked a proper infrastructure as code strategy for managing their Elastic Kubernetes Service (EKS) clusters, as well as a continuous integration/continuous deployment (CI/CD) system to deploy Kubernetes updates. Without a reliable update mechanism, the Kubernetes control plane and its workloads can become outdated, leading to security and operational issues.

Additionally, there was no clear separation between production and development environments, which both ran on the same cluster. KPA also lacked sufficient monitoring within the cluster, and had to maintain previous installations of Prometheus and Grafana. From a security standpoint, KPA was in need for the creation of custom Amazon Machine Images (AMIs) with updated security patches and CrowdStrike Falcon sensors to detect threats within the environment.

Services Provided

AWS Services

Elastic Compute Cloud (EC2)
Relational Database Service (RDS) for MySQL
Elastic Kubernetes Services (EKS)
Elastic Block Storage (EBS)
Elastic Load Balancing (ELB)
Virtual Private Cloud (VPC)
Identity and Access Management (IAM)
GuardDuty
Route 53

Third-Party Integrations

MongoDB
Prometheus
Grafana
Terraform
GitHub
Azure DevOps
Crowdstrike Falcon

Why HanaByte

HanaByte was chosen as a partner due to a proven track record in performing updates to Kubernetes, adhering to DevOps best practices, and their expertise in workloads running in AWS. When using HanaByte as a partner, KPA was able to have assurance that DevOps solutions and cloud infrastructure can be built with well-architected best practices and a proper security check in every step of the Kubernetes upgrade process. 

Strategy & Solution

HanaByte was able to answer the needs of KPA by working side-by-side with their team, collaborating and consulting on best practices every step of the way. In-depth discovery sessions were held to understand the Compligo solution and its microservices, enabling HanaByte to identify dependencies and plan a successful migration. To ensure a smooth transition, HanaByte developed backup and rollout plans and established new CI/CD pipelines.

Terraform was utilized as the infrastructure as code tool to create a new EKS cluster that conforms to security best practices, deployed within a Virtual Private Cloud (VPC) with public and private subnets as well as having appropriate IAM policies for interactions with AWS resources. Terraform modules were developed for both EKS and VPC, and code pipelines were created in Azure DevOps to deploy infrastructure as code into the AWS environment and set up the EKS clusters. 

AWS Relational Database Service (RDS) was also implemented, with security groups configured to interface with the VPC networking and EKS clusters, ensuring connectivity without compromising security. Elastic Load Balancing via Application Load Balancing (ELB) was also used for networking, routing to microservices running in EKS. Route 53 was utilized for Domain Name Service (DNS) routing throughout the solution as well.

Results & Benefits

HanaByte was able to successfully create an automated solution for upgrading Kubernetes clusters at scale, while taking into consideration the many microservices dependencies that constituted the Compligo solution. With this solution, KPA experienced an increase in availability, reliability, and security of its deployments, while bringing secure infrastructure and lifecycle provisioning under a single infrastructure as code solution. 

Prior to HanaByte’s solution, upgrades to the Kubernetes cluster were performed once every three years. However, HanaByte’s solution enabled KPA to match the release cadence of EKS updates, which occur around three times per year, thereby accelerating their upgrade cadence by 9 times. 

Next Steps

True to HanaByte’s motto, KPA has chosen us as their “best friend” when it comes to providing ongoing DevSecOps support to their existing AWS environment. HanaByte looks to further increase the partnership with KPA by offering full-stack development application support and continuing to enhance their CI/CD systems, Kubernetes configuration, and security posture.

About the Partner

HanaByte is a cloud security consultancy focused on compliance automation based out of Atlanta, Georgia. We are a remote-first consulting firm, working with cloud-native technologies and processes. HanaByte is an AWS APN Consulting Partner.

View More Case Studies

Low-Risk Migration from App Engine to Kubernetes on Google Cloud