How Modis goes beyond the ‘Essential Eight’ with DevOps and Security Engineering to deliver ‘evergreen’ security to our clients

Modis Posted 28 February 2022

Security is ‘job zero’ at Modis. Our clients across the public sector and large enterprise trust us to ensure their critical data and systems are protected from current and emerging security threats.

Modis participates in the Australian Signals Directorate’s (ASD) Managed Services Provider Partner Program, subscribing to the ‘Essential Eight’ recommendations and mandating the regular ASD security briefings and alerts from ASD go to all Modis delivery engineers to ensure they incorporate the latest operational recommendations.

Several of our clients within the WA public sector have recently been identified by the Auditor General in the Information Systems Audit Report 2021 – State Government Entities report for having a consistently strong cybersecurity posture, going back over several years. In each of these cases, Modis has been the primary managed services provider to these customers, delivering DevOps (and DevSecOps) as part of our full-stack, full-maintenance approach to managed services.

The approach we take to ensure ‘Evergreen’ security for our clients is to combine the ASD Essential Eight with DevOps engineering principles to facilitate rapid incremental deployments to environments with a Security Engineering and Site Reliability Engineering (SRE) focus.

DevOps provides a level of ringfencing of the people responsible to securing our clients’ environments: they have a smaller, fixed number of solutions that are their focus, and rather than just keeping the lights on, they are tasked with deeper maintenance across the solution stack. We call this the DevOps team or squad. This squad is the core team that provides not just functionality improvements, operational fixes, but ongoing security uplift and optimisation.

The DevOps team is responsible for finding requirements in their solutions that should be modified and identify where they need to collaborate with external providers (e.g., COTS Vendors, OSS Projects). This ensures future versions of products and projects will meet requirements to simplify or optimise operational activities. Using a DevOps approach also allows Modis to facilitate deployment automation, minimising the effort to reliably and regularly deploy security updates into a client’s environment.

Modis also applies Site Reliability and Security Engineering approaches to WHAT to change and how to make these items more reliable. By designing and pre-empting for failure handling (and expanding this handling over time iteratively), Modis can handle low level failure automatically, maintaining the operation while solutioning the issue.

As an example, when rebooting a traditional server (e.g. virtual machine or bare metal) all required processes should also restart automatically. Other approaches may apply remote desktop or SSH to a host to manually restart server processes, leading to extended downtime and increased maintenance (staff) cost. If a database server reboots (including a fail-over scenario), then application servers should handle this scenario and automatically try to reconnect (with some form of incremental back-off).

Key elements we maintain are encryption in-flight and authentication and authorisation. By supporting only the latest TLS protocols and strongest ciphers - and maintaining these optimised standards ongoing – we mitigate security risk. By deprecating legacy weaknesses quickly, these solutions effectively reduce the need for ongoing support of sub-optimal ‘bots’ (scripts). In addition, by ensuring federation of identity with strongly signed certificates, Modis provides not only single sign on, but loosely coupled solutions, increasing the reliability of both workload application and the separate authentication solution.

We also manage point release updates to the various components of a workload solution, across Operating Systems, software execution runtimes (Java and .Net updates) and in the case of bespoke software, updating any third-party libraries in a proactive fashion.

By being proactive and not reactive, Modis continuously minimises the risk and exposure of our customers’ environments. Rather than just minimising cost and effort, any incremental production costs are optimised with scripting and automation. By taking this ‘evergreen’ security approach with our clients we ensure their critical environments are protected from current and emerging threats into the future.

Our global experts are ready to help your businessGet in touch with one of our Global Practice Leads todayContact us
We operate around the world. Would you like to find out more about your local office?Find out about Modis