Taking a Preventative Approach to Cloud Security

Rally® (www.rallyhealth.com) simplifies health care, making it easier for companies and employees to manage complex benefits and improve overall health. Among its other responsibilities, the Rally development team supports critical services within the Rally digital ecosystem to establish user identities and to verify eligibility. Rally uses cloud provider PaaS services and an IaaS virtual infrastructure (including Amazon Web and Relational Databases Services, as well as MongoDB and Scala) that span their identity management, provider, patient eligibility, end user, and privileged user systems.

We wanted a thorough architectural risk analysis on our cloud infrastructure, especially around our authentication and eligibility systems. We wanted someone who was extremely tech-savvy, which was a hard requirement for us. One of the reasons we chose Synopsys was for that level of technical expertise, and that we were guaranteed to have the same person who interviewed with us to do our review, which some of the other candidates couldn’t guarantee."

Nathan Coleman

|

Rally Health, Inc.

Rally had three major areas encompassing their external security evaluation:

  • The security posture of their core authentication and authorization systems.
  • Their security controls.
  • Insight into the threat landscape for their runtime environment.
Synopsys’ services for Rally included an architectural risk analysis (ARA), a configuration review, and a code-assisted penetration test.
  • The configuration review provided an in-depth assessment of the security posture of Rally’s cloud infrastructure and audited the runtime configuration of their deployed cloud applications and security controls to identify weaknesses, giving a snapshot report describing how the configuration met or did not meet security goals.
  • The penetration test identified what sensitive data was managed within Rally’s business model and explored applications to catalogue exposed portions subject to attack and how they might be exploited. Each issue was tested in order of perceived risk using a hybrid of manual and tool-based analysis for both runtime and secure code analysis.

“The ARA verified our understanding about the architecture and provided recommendations for us,” says Coleman. “The coded system penetration test and configuration review gave a clear path for remediation—‘here’s an issue with the configuration and here’s how you fix it.’ The penetration test was informed by the ARA, giving less false positives. The configuration review was probably the easiest to directly funnel to our workflow.”

“Our overall experience with Synopsys was professional and informative,” concludes Coleman. “We really want to be involved in the security community, and we really want to push the envelope of security. Working with Synopsys helped us move closer to both those goals.”

Download the PDF

Company Overview

Rally Health, Inc., is a consumercentric digital health company that makes it easy for individuals to take charge of their health and wellness, working with health plans, providers, and employers to reimagine consumer health engagement. Rally’s integrated platform helps employees, payers, providers, and employers maximize the potential of their health and the health care system.