How Dexcom Accelerated Global Expansion with Modern Security

Discover how ScaleSec launched a production AWS environment and saved 80% of development and engineering time for Dexcom

Dexcom contacted ScaleSec with an urgent need to prepare a new AWS environment to support workloads for its growing business, starting with an enterprise data lake based on Amazon Redshift. ScaleSec used an accelerator package to design, deliver, and cross-train Dexcom’s team on a hardened, tailored AWS landing zone complete with shared services and third-party tool integrations. The ten-week engagement included the launch and implementation of a code-driven change management solution.

To support Dexcom’s ongoing global expansion, data analysts needed scalable, secure access to a growing set of structured and semi-structured data. Dexcom selected Amazon Redshift as the data warehouse. But before any workload could be deployed, a new enterprise AWS environment was needed to meet strict security, compliance, and operational requirements.

Jason Borinski is the Director of Information Security for Dexcom. As an experienced cloud customer, Jason recognized that the best time to secure the cloud platform was before workloads went live. With the cloud platform and shared services online, sensitive workloads can be supported without the need to disrupt adoption with costly refits in the future. Jason said, “Ideally you want to bake in security up front wherever possible. So if you’re getting into a new cloud environment, it pays to have a consultant like ScaleSec help you build a landing zone, configure security policy in code up front.”

Services Provided

ScaleSec consultants collaborated with Dexcom to design and build a landing zone to accelerate development of business applications while meeting industry security standards. This design included considerations for identity and access management, protective controls, detective controls, and incident response preparedness. By building these controls into a new environment from the start, Dexcom’s teams are able to build confidently. As Dexcom’s team designed a proposed data lake architecture, ScaleSec reviewed it, developed a threat model, and advised on security improvements.

Regulatory Compliance Built In

ScaleSec designed the new AWS environment to incorporate guidance from the AWS Well Architected Framework, the AWS Security Reference Architecture, ISO 27001, and SOC 2 compliance frameworks. ScaleSec configured the AWS environment with all of the required controls using infrastructure as code to provide clear traceability of how each control is met. Consultants delivered documentation for compliance and audit stakeholders to demonstrate how the controls were implemented, how to test and validate controls, with associated artifacts needed for evidence.

Managing Change Securely at Scale with GitOps

Dexcom is expanding globally, and many employees work remotely. Manual change management processes are difficult to coordinate and manage, especially with a distributed workforce. To support this strategic company initiative, ScaleSec led the implementation of an automated change management workflow for AWS. As Jason said, “You want to lock down the environment to prevent ad-hoc changes, requiring all changes to be made through code and a GitOps workflow. If you don’t do this up front, you’re just creating a mess of technical debt. Trying to do this after-the-fact is very challenging.”

Accelerated Implementation with ScaleSec’s Terraform code base

ScaleSec provided a “starter kit” code base tailored to Dexcom’s needs. This code base was extended to include an infrastructure management pipeline using GitHub source control integrated with HashiCorp Terraform Cloud. The teams collaborated using the GitFlow development workflow to accelerate the testing, approval, and implementation of changes. This process helped ensure that Dexcom engineers reviewed and understood changes as they were proposed by ScaleSec consultants.

The Dexcom InfoSec Team governs policy for the AWS Organization with Service Control Policies, using AWS Control Tower guardrails as a baseline with additional guardrails customized for the Dexcom environment. Policies are defined and managed as code with HashiCorp Terraform. Jason adds, “The new landing zone included things like the account layout, tagging standards, and service control policies.”

Solution Overview

ScaleSec leveraged the baseline configurations of AWS Control Tower, added custom configurations, integrated with Dexcom’s other security tools, and designed a scalable network topology. Using the GitOps pipeline for all infrastructure deployment, ScaleSec deployed AWS Control Tower and additional security services including AWS GuardDuty for intelligent threat detection. Control Tower provides a starting point for guardrails, and ScaleSec collaborated with Dexcom to identify additional guardrails that apply to their environment, such as enforcing network boundaries, region restrictions, and preventing insecure configurations.

ScaleSec integrated this environment with Dexcom’s enterprise third-party tools for infrastructure management, identity management, log management and threat detection, as well as tools for cloud vulnerability management.

To prepare Dexcom for secure expansion of networked resources, ScaleSec designed a networking topology with shared VPCs in each authorized AWS region to meet region restrictions and data residency requirements. Each regional VPC is created in a central account managed by a networking team, with subnets shared to other AWS accounts as needed. This provides strict boundaries between zones, alleviates the need for application teams to manage their own VPCs, and allows the networking and security teams to mitigate the risk of inadvertently public resources. AWS Transit Gateway is used as a hub for cross-region and cross-cloud connectivity.

AWS services implemented in the new organization include:

Results

Dexcom is now prepared to develop powerful applications and analytics capabilities on AWS, with guardrails and preventative controls in place to ensure innovation continues at speed.

Using knowhow from the ScaleSec project, the Dexcom Corporate IT team is now implementing similar workflow automation for other workflows across the enterprise. In Jason’s words, “They created excellent documentation and wiki articles for us, and went further by recording knowledge-transfer sessions – and those videos are still being used by staff today.”

ScaleSec can knock out in a few months what would take us a year or more to do. They have significantly accelerated our adoption of DevOps and cloud technologies and allowed us to move much more quickly into those technologies than would have been possible without their support. –Jason Borinski, Director of Information Security

If your company needs a regulated landing zone on AWS, see our offering on the AWS Marketplace.

Interested in what ScaleSec can do for you?

Use the form below to contact us. We usually respond the same day.