ActBlue: the largest progressive online donations platform
If you are giving your money to a Democratic or progressive cause and you are not a millionaire or billionaire, you are most likely doing it through the ActBlue platform. ActBlue is a nonprofit that has helped Democratic and progressive causes - from local food banks to presidential candidates - raise over $12B online since 2004. Campaigns can customize the branding and look of the platform to organize and solicit grassroots donations using ActBlue’s flexible, full-service offering. Security is a critical capability for the nonprofit, and both donors and campaigns rely on the platform for transparency, support, speed and resiliency.
ActBlue’s Kubernetes journey
Reliability is critical to ActBlue’s business model, as any delay on the platform, even in seconds, could affect a donor’s decision on whether or not to continue with a transaction. ActBlue moved to Kubernetes for more reliability, supporting large-scale and unpredictable traffic spikes that could increase traffic by 100 times in a short period of time. ActBlue also migrated to Kubernetes to improve the developer experience and tooling, as well as future-proof the stack for future engineers living in a Kubernetes-first world of app development. As the team began the main part of its Kubernetes deployment, they started looking for a Kubernetes security tool.
Looking for a Native Kubernetes Security Tool
At ActBlue, the Security team advises and partners with the infrastructure engineering teams that build out the Kubernetes platform and execute the migration. While the infrastructure team leads the deployment, as well as the architecture and collaboration model, the security team reviews those plans and suggests risk mitigation strategies; for example, on logging and alerting. When possible, the security team would lead the implementation of those strategies.
Director of Security Raj Umadas describes his team’s philosophy: “Our security philosophy is ‘never say no’: figure out what teams want to happen, advise where we can to limit risk, and then implement security mitigations to manage what can’t be limited, leaning toward secure defaults, accurate detections, and swift response. Supporting the adoption of Kubernetes is no different.”
The security team knew they could not stay true to that philosophy of partnership during the Kubernetes migration by reusing the same cloud security and EDR tools for their containerized workloads in Kubernetes.
“We were not interested in taking our existing cloud security solution, or detecting misconfiguration in Terraform, and patching k8s security on top of this. We wanted a Kubernetes-native approach for our newly implemented Kubernetes environments. This focus on Kubernetes-native tooling from day 1 ensured that our security engineers and our infrastructure engineers were speaking the same Kubernetes-native language during design and implementation, building trust and security from day 1,” says Umadas.
The security team wanted a tool that would do Kubernetes security in a way that was native to Kubernetes, and that would allow them to ‘speak Kubernetes’ with engineering.
The Security team at ActBlue prides itself on finding new ways to automate manual tasks, as well as support product roll-out with practical support versus slowing down production efforts with overly onerous or inefficient processes. The team found the following benefits of KSOC would help them keep true to these goals, as well as the team’s general philosophy of operations cited above:
“Kubernetes-first” cloud native security for effective communication with engineering
To advise on risky practices and partner on remediation with the engineering team, the security team at ActBlue needed a tool that would let them ‘deeply integrate in Kubernetes’ and ‘speak Kubernetes’ when working with engineering. The goal was to ensure that findings and remediation recommendations were of the highest quality and presented in the language of their infrastructure partners, further building trust between the security and infrastructure teams.
Umadas calls this approach “Kubernetes-first,” where a tool doesn't shy away from showing deployments, plugins, the Rego code for OPA, and anything else specific to Kubernetes.
Umadas says, “KSOC is a Kubernetes-first platform, meaning that it gives me and my security engineers the confidence to partner with our infrastructure engineers using Kubernetes-first paradigms, versus general infrastructure-first paradigms. If engineering is working in a Kubernetes world, we should provide a Kubernetes world for them to work in.”
Accurately Prioritize Kubernetes risk with threat vectors
After years of working with Kubernetes and understanding the complexity therein, Umadas wanted a trustworthy method of raising and prioritizing potential areas of concern, to help his team automatically understand and surface an accurate view of risk. To turn risk into remediation, he also wanted to understand how risks are mapped to the actual Kubernetes implementation, and ultimately suggest potential remediations. The most critical thing for the security team is the quality and actionability of the data.
Umadas says, “Kubernetes is a new, ever-in-flux, and complex tech stack, which requires security engineers to be on top of the state of the art around Kubernetes security or even implementation paradigms to accurately assess risk for any potential misconfiguration. Threat vectors serve as a critical interface between KSOC’s expertise in Kubernetes and misconfigurations in my environment to allow my team to quickly assess risks relevant to our org.”
Guardrails and a secure Kubernetes baseline
The security team at ActBlue relies on KSOC to keep ahead of the curve on misconfigurations and attack paths that are important to highlight and understand in their clusters. This gives them a trusted baseline level of Kubernetes security that can be easily replicated across new environments.
“As long as I have KSOC deployed and not throwing concerning alarms, I know our baseline is good,” says Umadas.
Translating Kubernetes risk for any skill level
As the team and platform expand, it is important to have a tool that presents Kubernetes risk in a way that is accessible to team members of varying skill levels and familiarity with Kubernetes. Through threat vectors and automated risk triage, the team can understand both the risk itself and how those security risks interact with resources. The result is that they can self-serve, with as much detail as any one person needs.
“KSOC allows both a 4-person infra team with hundreds of nodes, or a half-time security person who hasn’t been exposed to K8s yet, to be effective, because you can see risk in the context of resources and gain support for remediation in the org. This means anybody can drive towards impactful remediations versus just presenting an alert,” says Umadas.
Working with the team
As ActBlue continues to fold Kubernetes into its critical pathways for its online donation platform, it was important to the team, and remains important, that they have two-way communication with any vendor they use to secure the platform. For them to build trust with their customers, they must be able to give input freely to vendors and have much of their feedback taken into account to build a better experience.
Umadas says, “Working with KSOC is awesome, they take my input seriously and it feels very collaborative. Kubernetes is everywhere and these days, to be a security leader, you cannot be afraid of it.”
The security team at ActBlue is a success story in prioritizing effective communication with stakeholders, as well as automating manual tasks and providing practical help to those shipping product. They found KSOC enabled them to do all of these things more effectively for the Kubernetes environment, from ‘speaking Kubernetes’ to engineering, to automating the prioritization of risk across Kubernetes in a way that anybody on the team could dive into. Umadas says, “With KSOC, numerous findings can be combined to paint a story useful for security or infrastructure engineers to help them prioritize where to focus remediation efforts.”
The team continues optimizing and building out its Kubernetes stack, and Umadas continues enjoying his mission-driven role securing Kubernetes (and lots of other things!) at ActBlue.
Umadas comments, “It is pretty awesome to be working in a platform that is highly utilized by customers and by real people, that is aligned with your personal values. Being a security professional here at ActBlue, I feel really lucky that I get to contribute to the sense of safety people feel when they support causes through the platform.”