Lookout Achieves FedRAMP Compliance with Spinnaker

CHALLENGE

  • Achieving FedRAMP compliance to sell security products to government agencies
  • Validating the security of software delivery practices
  • Eliminating time-consuming, error-prone manual processes for software delivery

SOLUTION

  • Leveraging Spinnaker’s open source, multi-cloud continuous delivery platform
  • Creating an agile patching framework for security
  • Transforming a largely manual delivery process into a largely automated one

IMPACT

  • Successfully achieved FedRAMP compliance
  • Transformed a 25-step deployment process into 1-3 steps
  • Accelerated delivery time for new services from over a week to less than a day

Lookout prides itself on being the leader in securing the post-perimeter world. Using the Lookout app, individuals and organizations can keep their personal information and data secure by monitoring which apps on their mobile devices are gathering and transmitting information related to their location, contacts, communication, payment information, and so on.

THE CHALLENGE OF FedRAMP COMPLIANCE

The FedRAMP program exists to verify the security and quality of cloud-managed products and services for use in government agencies. Without compliance, solution providers cannot contract with federal entities.

Achieving FedRAMP compliance can be a long, complex process involving a great deal of documentation, an assessment from a third-party organization, a clear plan of action, and a continuous monitoring program that includes monthly vulnerability scans and patching of weaknesses.

San Francisco-based Lookout, whose cybersecurity products support an incredible variety of individuals and businesses ranging in size from small to enterprise, strongly believed that their products would be highly beneficial in a government setting, where security, integrity, and data protection are most crucial. With the 2017 rollout of the CloudFirst strategy, which mandates government agencies must use cloud-based solutions whenever possible, Lookout saw the opportunity to bring their Lookout Security Cloud to the federal marketplace.

However, when Lookout began their FedRAMP application process, they realized that even though their core products had industry-leading strengths and functionality, they still weren’t ready to achieve compliance. At first, it appeared Lookout’s architecture would need to be stripped to the ground and completely rebuilt to align with FedRAMP’s configuration requirements.

Furthermore, Lookout was concerned with their ability to create new security patches every thirty days. Using their existing methodology, deploying new software into production was a 25-step manual process, and patching the product required five full days of engineering time. Given the expectations of FedRAMP, Lookout’s pace of development and deployment simply wasn’t up to speed with their product quality.

Documentation was another challenge in Lookout’s quest for FedRAMP compliance, as the regulations require full and complete records of all policies and procedures related to configuration change management or service deployment. Achieving that level of granular documentation using Lookout’s existing manual framework would be incredibly complex and require a great deal of human work hours, creating opportunities for errors that would sink their chances with government regulators.

Lookout knew their products and services were of tremendous value to government agencies, but they required some assistance reimagining their architecture and streamlining the deployment and delivery processes with automation in mind to provide them with the agility, reliability, and documentation power FedRAMP demands.

Performance Gains

Spinnaker helped Lookout achieve a massive reduction in staff hours, production and deployment time, and days to market. Here is a breakdown of some of the ways Lookout was able to streamline its work and serve customers and regulators better using Spinnaker:

Accelerating Compliance with Spinnaker

Seeking a proven platform they were sure could help them build a high-velocity, secure platform that could decrease their time to market dramatically while achieving flawless documentation without sacrificing security, Lookout leveraged Spinnaker to reimagine their delivery framework in a way that would improve their operational capacity and achieve FedRAMP compliance.

Spinnaker provided two specific benefits as they related to FedRAMP compliance:

  1. Providing a secure, agile development pipeline that would help Lookout achieve the timeline and record-keeping capabilities demanded by FedRAMP.
  2. Automating Lookout’s resource-intensive deployment framework to protect valuable work hours, eliminate human error, and make the process more responsive to the needs of both regulators and crucial government clients.

“We knew our product had game-changing potential in the government sector, but our existing deployment framework was too human-intensive and time-consuming for FedRAMP compliance. Spinnaker provided the platform, support, and delivery pipeline we needed to bring our patch deployment times up to speed.”

– Brandon Leach, Lookout

To accelerate their ability to patch software in a timely and reliable manner, Lookout applied Spinnaker’s deployment pipelines to create an immutable infrastructure in a way that significantly reduced the amount of time and number of steps necessary to create a patch. Their previous update process basically required rebuilding the platform from the ground up during each sprint, reconfiguring and relaunching each aspect of the services every time.

With Spinnaker, however, Lookout gained the ability to maintain the core, healthy framework of their code from version to version, editing only the specific areas that needed to be patched. That means there’s significantly less work involved in creating a patch, and each patch can be created and QA tested in a more focused, purposeful way because Lookout knows exactly which granular pieces of the software code have been tweaked.

Lookout was also able to deliver each new version of their software to users and regulators more quickly than before by leveraging Spinnaker to create automated reconfiguring and relaunching processes that both eliminated human error and automatically generated regulator-ready reports of all changes to services and configuration. In this way, Lookout improved both the quality of experience and the level of quality assurance built into their deployment processes: the window during which the software is vulnerable is significantly shorter, and the documentation framework records how each problem was solved.

“Thanks to Spinnaker, we were able to streamline and automate our patch engineering, deployment, and onboarding processes, which made our timeline to delivery almost 200 times faster than it was using our previous manual system. This isn’t just a compliance solution; it’s a significantly better way of delivering the support and protection we know our customers in both the government and private sectors require.”

– Brandon Leach, Lookout

The Bottom Line

Before Spinnaker, Lookout was already a great company with a strong product, but their capabilities and ambitions had extended beyond what their human-intensive, multi-step approach to updates and deployment could achieve. To get to the next level of growth, profitability, and innovation, they needed a modern, automation-friendly approach that took the strain off developers while making it easier to achieve deadlines in a timely manner.

Spinnaker was able to help Lookout achieve all their goals in this scenario to a high degree of satisfaction. What was once a human-intensive task is now largely automated. Deployment and delivery tasks that took days or weeks now take hours, minutes, or even seconds. A strong documentation trail is created automatically, with no strain on human resources and no risk of human error. The quality, power, and security of their delivery pipeline now matches the quality, power, and security of their product.

Most importantly, with their patching, deployment, and documentation abilities increased and accelerated, Lookout is now FedRAMP-compliant. They are the only vendor in the FedRAMP marketplace that provides continuous authentication to mobile users as they connect to sensitive networks and data.

Thanks to Spinnaker, Lookout was able to improve their existing approach rapidly without scrapping what worked about what they had created or losing any control over the actual strength, functionality, or quality of their products and services. Spinnaker provided Lookout with the delivery pipeline, the documentation framework, and the potential for automation that they needed to strengthen their approach, achieve FedRAMP certification, and connect with a wealth of great opportunities.

Spinnaker is an open-source, multi-cloud continuous delivery platform that helps you release software changes with high velocity and confidence. Spinnaker technology provides balance, validation, speed, and reliability for apps and micro-services of all shapes, sizes, and types.

Website: https://cd.foundation/ | Slack: join.cdeliveryfdn.slack.com | Blog: https://cd.foundation/news/blog/