INDUSTRY
Medical Devices
PRODUCTS
Glucose monitoring devices
LOCATION
San Diego, CA
ANNUAL REVENUE
$2.91B
ASSIGNMENT
Design, deliver, and cross-train client’s team on a hardened, tailored AWS landing zone complete with shared services and third-party tool integrations.
RKON helped secure Dexcom’s cloud infrastructure through access controls, network segmentation, and security monitoring, reducing risk and improving the client’s security posture.
Dexcom contacted RKON with an urgent need to prepare a new AWS environment to support workloads for its growing business, starting with an enterprise data lake based on Amazon Redshift. RKON used an accelerator package to design, deliver, and cross-train Dexcom’s team on a hardened, tailored AWS landing zone complete with shared services and third-party tool integrations. The ten-week engagement included the launch and implementation of a code-driven change management solution.
To support Dexcom’s ongoing global expansion, data analysts needed scalable, secure access to a growing set of structured and semi-structured data. Dexcom selected Amazon Redshift as the data warehouse. But before any workload could be deployed, a new enterprise AWS environment was needed to meet strict security, compliance, and operational requirements.
Jason Borinski is the Director of Information Security for Dexcom. As an experienced cloud customer, Jason recognized that the best time to secure the cloud platform was before workloads went live. With the cloud platform and shared services online, sensitive workloads can be supported without the need to disrupt adoption with costly refits in the future. Jason said, “Ideally you want to bake in security up front wherever possible. So if you’re getting into a new cloud environment, it pays to have a consultant like RKON help you build a landing zone, configure security policy in code up front.”
Services Provided
RKON consultants collaborated with Dexcom to design and build a landing zone to accelerate development of business applications while meeting industry security standards. This design included considerations for identity and access management, protective controls, detective controls, and incident response preparedness. By building these controls into a new environment from the start, Dexcom’s teams are able to build confidently. As Dexcom’s team designed a proposed data lake architecture, RKON reviewed it, developed a threat model, and advised on security improvements.
Regulatory Compliance Built In
RKON designed the new AWS environment to incorporate guidance from the AWS Well-Architected Framework, the AWS Security Reference Architecture, ISO 27001, and SOC 2 compliance frameworks. RKON configured the AWS environment with all of the required controls using infrastructure as code to provide clear traceability of how each control is met. Consultants delivered documentation for compliance and audit stakeholders that demonstrates how the controls were implemented and how to test and validate them, along with the associated artifacts needed for evidence.
Managing Change Securely at Scale with GitOps
Dexcom is expanding globally, and many employees work remotely. Manual change management processes are difficult to coordinate and manage, especially with a distributed workforce. To support this strategic company initiative, RKON led the implementation of an automated change management workflow for AWS.
“They created excellent documentation and wiki articles for us, and went further by recording knowledge-transfer sessions – and those videos are still being used by staff today.”
Jason Borinski, Director of Information Security | Dexcom
Solution Overview
RKON leveraged the baseline configurations of AWS Control Tower, added custom configurations, integrated with Dexcom’s other security tools, and designed a scalable network topology. Using the GitOps pipeline for all infrastructure deployment, RKON deployed AWS Control Tower and additional security services including AWS GuardDuty for intelligent threat detection. Control Tower provides a starting point for guardrails, and RKON collaborated with Dexcom to identify additional guardrails that apply to their environment, such as enforcing network boundaries and region restrictions and preventing insecure configurations.
RKON integrated this environment with Dexcom’s enterprise third-party tools for infrastructure management, identity management, log management and threat detection, as well as tools for cloud vulnerability management.
To prepare Dexcom for secure expansion of networked resources, RKON designed a networking topology with shared VPCs in each authorized AWS region to meet region restrictions and data residency requirements. Each regional VPC is created in a central account managed by a networking team, with subnets shared to other AWS accounts as needed. This provides strict boundaries between zones, alleviates the need for application teams to manage their own VPCs, and allows the networking and security teams to mitigate the risk of inadvertently public resources. AWS Transit Gateway is used as a hub for cross-region and cross-cloud connectivity.
AWS services implemented in the new organization include:
- AWS Control Tower
- AWS Organizations
- AWS IAM
- Amazon VPC
- Amazon Macie
- AWS IAM Identity Center
- AWS GuardDuty
- AWS KMS
- AWS Config
- AWS Transit Gateway
RESULTS
Dexcom is now prepared to develop powerful applications and analytics capabilities on AWS, with guardrails and preventative controls in place to ensure innovation continues at speed. Using know-how from the RKON project, the Dexcom Corporate IT team is now implementing similar workflow automation for other workflows across the enterprise.
“You want to lock down the environment to prevent ad-hoc changes, requiring all changes to be made through code and a GitOps workflow. If you don’t do this upfront, you’re just creating a mess of technical debt.”
Jason Borinski, Director of Information Security | Dexcom

