Project outline: building the secure infrastructure
The client had their pre-existing identify verification software hosted on AWS.
The software dealt with highly sensitive personal documents, submitted via the web and a mobile app.
In order to secure a large contract in the nuclear industry, the platform needed to pass a thorough security audit and penetration test to gain certification.
An initial security audit was undertaken, which highlighted a large number of issues with the existing infrastructure.
The client's existing team, which included employees and external contractors, did not have the capability to deliver a secure infrastructure to the required standard.
The client also did not have a technical lead, making managing a disjoint technical team very challenging.
This situation made it very easy for contractors to take advantage, as they had to be taken at their word, with their work going unchecked.
The back-end software was quite large and complex, being made up of a number of services and microservices - a lot of moving parts.
As is commonly seen in start-up environments, documentation and code quality suffered.
We became a core part of both the management and development teams, acting in the capacity of CTO/head of technical as well as in a hands-on capacity.
Initially, we performed technical evaluations on the existing infrastructure and software, to take stock of the situation.
From there, we put together a detailed specification for a new infrastructure that would meet the security, as well as performance, requirements.
We found multiple issues with the software and worked closely with the developers to rectify them.
Various modifications to the software were required for it to be compatible with a modern infrastructure.
In parallel to the infrastructure design and development, we were providing consultancy to the non-technical management.
Not only the new infrastructure was required, but there was also an ongoing software development effort.
This involved helping to manage the various parts of the development team, to ensure the project was delivered on time and in budget.
Once the specification was signed off, we built a greenfield AWS infrastructure using best practices, securing it to high standards.
With our new infrastructure and our involvement in improving the software, we successfully passed the strict security audit and penetration test, allowing the client to achieve its certification.
Performance bottlenecks were also improved with the new infrastructure, improving the usability of the software.
Now that the infrastructure is in place, it is largely self-sustaining and requires little maintenance.
Monitoring and alerts are in place to let the client's team of performance problems, security breaches and service outage.
After the delivery of the project, the ongoing consultancy retainer was kept in place to help the company manage and grow its internal development team.