The challenge: lack of visibility

Axis Security runs on basically all of the most popular cloud providers; while mainly on AWS, they have multi-cloud operations that span Google Cloud, Azure, and even Oracle Cloud. Because they are highly invested in Terraform, their biggest pain was getting a good grasp of their inventory. They needed better visibility. Nokky Goren is the Director of Cloud Operations & Solutions, which in his words is a fancy title for all things system engineering. He runs the DevOps group, security and IT. He found that the human factor had the greatest impact on day-to-day operations. His highly talented staff of engineers bring very diverse training, cost awareness and the broad knowledge required by today’s multi-cloud operations. But this is where things started to get messy.

Virtual machines were created without proper resource tagging, shared keys were found infiltrating different accounts and even cloud providers, predefined configurations were being overwritten, and the configurations running in production were not the perceived configurations. It felt like mayhem.

The solution

The first order of business was to bring some order to the chaos by understanding things as simple as who changed what, when, and where. They needed to start analyzing issues and reducing costs. They took a two-pronged approach: optimizations they built in-house, plus third-party tooling.

They first tackled the issue of cloud instance creation through a chatbot that automates the creation via Slack. This method ensures all instances are mapped to a user, their resources are tagged and deployed to the right environment, and the time of creation is captured. Next, they chose a best-of-breed CSPM tool for its full cloud inventory. Together, these two solutions initially provided the visibility and enforcement of policies that had formerly been a very arduous manual process.

However, the CSPM, built as a security tool, was very complex for the DevOps engineers to work with, and the terminology was unfamiliar. With their internal Terraform base growing alongside the number of clouds in use, they understood the need for a tool optimized for Infrastructure as Code rather than one purely focused on cloud visibility and security.

The results: fundamentally better inventory and visibility

Context for better decisions

Firefly was selected initially to gain greater visibility of unmanaged resources spread across different cloud providers and accounts. However, once they ramped up, it quickly became apparent that Firefly provides not only visibility but also valuable context for the cloud inventory that was lacking in the CSPM. They quickly replaced the CSPM with Firefly as the cloud inventory tool of choice.

With terminology aligned with DevOps and SRE practice, it became easy to understand when EC2 instances were isolated from security groups, and where configuration was lacking for a specific component. Firefly makes it really simple to understand the relationship between services, resources and components.

Root-cause identification

The inventory and visibility, coupled with a deep understanding of IaC practices, was a fundamentally unique capability that Firefly provided to the Axis Security DevOps team. It has proven invaluable for identifying the root cause of issues and pointing to where in the code the issue originates. Nokky provides a specific example of a database misconfiguration that could have had disastrous results if not caught in time.

He says, “If the database would have restarted with such a configuration, it would have had some drastic implications on CPU and memory allocations.” It simply would not have been possible to detect this misconfiguration without Firefly’s drift detection, and it saved them a lot of heartache and potential downtime. This really brought home the impact infrastructure drift can have on the business and demonstrated a clear situation where “what is in code isn’t necessarily what’s deployed in the cloud”. Now that everything is managed in IaC, any further changes to the database will be identified by Firefly, and the team will use git for ongoing governance and control.

ROI that is "Fun"

Axis finds Firefly cool not just for its clear business and technical benefits, but, as Nokky describes it, for some “nifty” capabilities his engineers love. As a team, they really appreciate the Optimizations and Insights tabs, and they look at them often. Here they learn about possible cost optimizations in areas they weren’t aware of, such as the over-usage of a service. As an organization, Axis regularly holds “Cloud Cleanup Days”, which are equally focused on cost and resource optimization. They leverage Firefly for each of these hack days. In one such example, they identified cost savings by upgrading GP2 volumes to GP3, solely based on Firefly’s Insights. GP2 is not only outdated, it is more expensive.

Helpful alerts

Another value-add for his DevOps engineers is the useful alerting. For a team that suffers from alert fatigue caused by the many SaaS, monitoring and logging tools, it is always great to have a tool whose alerts are truly useful. He notes that they always read them because they always bring value.

Built by DevOps engineers for DevOps engineers

Nokky’s hope for the future is to use Firefly to bring his team to a place where they don’t need to be Terraform experts. He wants them to be able to create resources however they see fit, with Firefly codifying them properly so the team can apply git methods for governance and monitoring. It is truly apparent that Firefly was built by DevOps engineers and optimized for DevOps engineers, and that is the unique differentiator that brings his team back daily to use this platform.

About Axis Security

Axis Security has been purchased by Hewlett Packard Enterprise. Axis delivers secure, frictionless access to its customers’ most critical resources. With 350 cloud service edges across the world, Axis helps IT leaders enable their employees, partners, and customers to securely access business resources by making it simple to transform legacy networking and security environments and embrace its unified Connectivity-as-a-Service platform. For more information, visit www.axissecurity.com
