How Kepler Achieved ISO/IEC 27001 Certification

Byron Kim, Head of DevOps / Chief Information Security Officer

Published May 5, 2023

As of 2023, Kepler Group has ~600 employees distributed around the world, and we manage a large volume of marketing data. At this size and organizational complexity, we rely on centralized information security policies to define our access controls and data integrity requirements. To ensure that we define, and adhere to, a high standard, we maintain an ISO/IEC 27001 certification. ISO/IEC 27001 is a globally recognized industry standard that helps organizations manage the security of their information assets and provides the framework for implementing an information security management system (ISMS). Kepler's organizational access controls and information security protections, developed and maintained in accordance with ISO/IEC 27001, have proven immensely valuable for us and our clients.

But we're not here to discuss how great things are in 2023. We're here to talk about where things stood in 2017, when Kepler had ~70 employees and the known world felt oh-so-much smaller. This post will give you a glimpse into how a smaller, scrappier, rag-tag band of Kepler engineers laid down the first tracks toward ISO/IEC 27001 certification.

Vault

Some Kepler applications rely on sensitive credentials, such as database credentials or an API key. Prior to our certification, we had no standard way of handling these credentials. Some applications relied on environment variables injected at build time, while others relied on sensitive configuration files that were excluded from version control. At the time, Amazon Web Services had not yet released Secrets Manager, and our team looked at standardizing on HashiCorp Vault. Beyond securing our applications' secrets, Vault could also issue temporary database credentials to our developers and manage SSH credentials for our administrators. Today, all of our applications rely on Vault to securely store and access sensitive credentials.

Credential Rotation

One of our compliance requirements is that user credentials must be changed at least once every 90 days and meet certain complexity requirements. Most systems expose this as a configurable password policy, so it is easy to enforce. In AWS, however, our clients and team need programmatic access to interact with AWS services. While AWS provides an option to enforce a password policy for console logins, it does not provide one for programmatic access keys.

We decided to write a Lambda function that would run daily and monitor all of our users' IAM access keys. AWS provides an API that reports the age of each key, so we can monitor everyone's access. For clients, the process generates new credentials and posts them to a secret link. Initially we used OneTimeSecret, but we have since deployed our own instance of YoPass. Using a secret link means the credentials expire (by time or by number of views) instead of sitting in the body of an email. For developers, the process would notify them that their key would be deleted in the coming days. If the key remained active after 90 days, our process would simply delete it. Developers could log back into the console and generate new credentials if required.
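The age check described above, as an added example rather than Kepler's own Lambda: the policy functions are pure and run against constructed key records shaped like the output of IAM's `list_access_keys`, while `scan_iam()` (which needs boto3 and AWS credentials) shows how the same plan is built from live data. The 7-day warning window, the function names and the sample key ids are assumptions.

```python
"""Classify IAM access keys by age for a daily rotation job (added example)."""
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90   # compliance limit from the post
WARN_DAYS = 7       # assumption: start notifying a week before deletion


def key_age_days(created, now):
    """Whole days between a key's CreateDate and the scan time (both UTC-aware)."""
    return (now - created).days


def decide(key, now, max_age=MAX_AGE_DAYS, warn_days=WARN_DAYS):
    """Return 'ok', 'notify' or 'delete' for one AccessKeyMetadata-shaped record."""
    if key["Status"] != "Active":
        return "ok"  # inactive keys cannot authenticate; nothing to enforce
    age = key_age_days(key["CreateDate"], now)
    if age >= max_age:
        return "delete"
    if age >= max_age - warn_days:
        return "notify"
    return "ok"


def plan(keys, now):
    """Group key ids by the action the daily job should take on them."""
    actions = {"ok": [], "notify": [], "delete": []}
    for k in keys:
        actions[decide(k, now)].append(k["AccessKeyId"])
    return actions


def scan_iam(now=None):
    """Build the same plan from live IAM data (boto3 imported lazily; real API calls)."""
    import boto3
    iam = boto3.client("iam")
    now = now or datetime.now(timezone.utc)
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            keys.extend(iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"])
    return plan(keys, now)


# Constructed sample records with made-up key ids, for an offline run.
NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active", "CreateDate": NOW - timedelta(days=85)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active", "CreateDate": NOW - timedelta(days=120)},
    {"UserName": "dave", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},
]

if __name__ == "__main__":
    print(plan(SAMPLE_KEYS, NOW))
```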

Vulnerabilities

There were several controls we had to put in place to conform to our security scanning standards: monitor our systems 24/7, scan for vulnerabilities, and keep our systems patched. There are traditional ways of achieving this, such as deploying a tool like Nessus, but that required configuring network access and SSH keys. The alerting and reporting are a bit cumbersome, as you have to review each vulnerability and find a potential fix yourself. On top of that, we still needed to configure and deploy a separate monitoring tool.

Today, there are many SaaS platforms, such as Threat Stack and Lacework, that can achieve both and more. These platforms use an agent-based model in which the agent pushes data to the platform for reporting. The vulnerability scanning can provide remediation steps where available. They can also scan your cloud environment and help secure your account against CIS benchmarks. In addition, they actively monitor your instances and cloud activity and can alert on anomalous behavior.

Conclusion

Back in 2017, Kepler embarked on a journey to obtain our ISO/IEC 27001 certification. Many of the key implementations are still used today as we continue to iterate on and improve our data security posture. While we originally did this for a client, Kepler has benefited tremendously from having better organizational controls to support our continued growth.