Dexcom x ScaleSec Client Story

Dexcom

Discover how ScaleSec launched a production AWS environment and saved 80% of development and engineering time for Dexcom
INDUSTRY
Medical Devices
PRODUCTS
Glucose monitoring devices
LOCATION
San Diego, CA
ANNUAL REVENUE
$2.91B

Dexcom logo

PLATFORM

AWS

ASSIGNMENT

Design, deliver, and cross-train client’s team on a hardened, tailored AWS landing zone complete with shared services and third-party tool integrations. Dexcom contacted ScaleSec with an urgent need to prepare a new AWS environment to support workloads for its growing business, starting with an enterprise data lake based on Amazon Redshift. ScaleSec used an accelerator package to design, deliver, and cross-train Dexcom’s team.

Watch the ScaleSec Dexcom Client Story video

ScaleSec helped secure Dexcom's cloud infrastructure through access controls, network segmentation, and security monitoring, reducing risk and improving the client's security posture.

Dexcom contacted ScaleSec with an urgent need to prepare a new AWS environment to support workloads for its growing business, starting with an enterprise data lake based on Amazon Redshift. ScaleSec used an accelerator package to design, deliver, and cross-train Dexcom’s team on a hardened, tailored AWS landing zone complete with shared services and third-party tool integrations. The ten-week engagement included the launch and implementation of a code-driven change management solution.

To support Dexcom’s ongoing global expansion, data analysts needed scalable, secure access to a growing set of structured and semi-structured data. Dexcom selected Amazon Redshift as the data warehouse. But before any workload could be deployed, a new enterprise AWS environment was needed to meet strict security, compliance, and operational requirements.

Jason Borinski is the Director of Information Security for Dexcom. As an experienced cloud customer, Jason recognized that the best time to secure the cloud platform was before workloads went live. With the cloud platform and shared services online, sensitive workloads can be supported without the need to disrupt adoption with costly refits in the future. Jason said, “Ideally you want to bake in security up front wherever possible. So if you’re getting into a new cloud environment, it pays to have a consultant like ScaleSec help you build a landing zone, configure security policy in code up front.”

Services Provided

ScaleSec consultants collaborated with Dexcom to design and build a landing zone to accelerate development of business applications while meeting industry security standards. This design included considerations for identity and access management, protective controls, detective controls, and incident response preparedness. By building these controls into a new environment from the start, Dexcom’s teams are able to build confidently. As Dexcom’s team designed a proposed data lake architecture, ScaleSec reviewed it, developed a threat model, and advised on security improvements.

Regulatory Compliance Built In

ScaleSec designed the new AWS environment to incorporate guidance from the AWS Well Architected Framework, the AWS Security Reference Architecture, ISO 27001, and SOC 2 compliance frameworks. ScaleSec configured the AWS environment with all of the required controls using infrastructure as code to provide clear traceability of how each control is met. Consultants delivered documentation for compliance and audit stakeholders to demonstrate how the controls were implemented, how to test and validate controls, with associated artifacts needed for evidence.

Managing Change Securely at Scale with GitOps

Dexcom is expanding globally, and many employees work remotely. Manual change management processes are difficult to coordinate and manage, especially with a distributed workforce. To support this strategic company initiative, ScaleSec led the implementation of an automated change management workflow for AWS.
"They created excellent documentation and wiki articles for us, and went further by recording knowledge-transfer sessions – and those videos are still being used by staff today."
Jason Borinski, Director of Information Security | Dexcom
Jason BorinskiDirector of Information Security — Dexcom

Solution Overview

ScaleSec leveraged the baseline configurations of AWS Control Tower, added custom configurations, integrated with Dexcom’s other security tools, and designed a scalable network topology. Using the GitOps pipeline for all infrastructure deployment, ScaleSec deployed AWS Control Tower and additional security services including AWS GuardDuty for intelligent threat detection. Control Tower provides a starting point for guardrails, and ScaleSec collaborated with Dexcom to identify additional guardrails that apply to their environment, such as enforcing network boundaries, region restrictions, and preventing insecure configurations.

ScaleSec integrated this environment with Dexcom’s enterprise third-party tools for infrastructure management, identity management, log management and threat detection, as well as tools for cloud vulnerability management.

 

To prepare Dexcom for secure expansion of networked resources, ScaleSec designed a networking topology with shared VPCs in each authorized AWS region to meet region restrictions and data residency requirements. Each regional VPC is created in a central account managed by a networking team, with subnets shared to other AWS accounts as needed. This provides strict boundaries between zones, alleviates the need for application teams to manage their own VPCs, and allows the networking and security teams to mitigate the risk of inadvertently public resources. AWS Transit Gateway is used as a hub for cross-region and cross-cloud connectivity.

AWS services implemented in the new organization include:

  • AWS Control Tower
  • AWS Organizations
  • AWS IAM
  • Amazon VPC
  • Amazon Macie


  • AWS IAM Identity Center
  • AWS GuardDuty
  • AWS KMS
  • AWS Config
  • AWS Transit Gateway

Results

Dexcom is now prepared to develop powerful applications and analytics capabilities on AWS, with guardrails and preventative controls in place to ensure innovation continues at speed. Using knowhow from the ScaleSec project, the Dexcom Corporate IT team is now implementing similar workflow automation for other workflows across the enterprise.
"You want to lock down the environment to prevent ad-hoc changes, requiring all changes to be made through code and a GitOps workflow don’t do this upfront, you're just creating a mess of technical debt."
Jason Borinski, Director of Information Security | Dexcom
Jason BorinskiDirector of Information Security — Dexcom

Want to speak with a ScaleSec expert?

Want to optimize and transform your existing digital portfolio? Reach out to us.