With Amazon EC2, Amazon EBS, Amazon S3, AWS KMS, and more, Intuit’s data platform was able meet the requirements of high availability and rapid infrastructure scaling for 100 percent of the tax year’s seasonal demands. In this session, Intuit answers questions such as: Which portions of a complex system can be forklifted directly? Which need to be reengineered? How can highly sensitive data be migrated and stored securely in AWS? Are operational best practices in AWS different than those on premises? Intuit shares its strategy for establishing sufficient confidence in your business partners and delivering 100 percent product uptime.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tax returns in the cloud: The journey
of Intuit’s data platform
Amit Matety
Principal Software Engineer
Intuit
S D D 3 3 0
Ben Covi
Staff Software Engineer
Intuit

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Intuit data platform
• Multi-tenant platform for storing Intuit customers' data
• Supports key-value and document store use cases
• Managed service that provides out of the box:
• Access control
• Encryption
• Auditing
• Data lifecycle management
• Multi-modal integrations
• Analytics integrations
• High availability/disaster recovery
• Supports the TurboTax ecosystem and other critical experiences within Intuit

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Intuit data platform - logical architecture

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Principles
• Highly available and secure
• Never lose data
• Keep it simple
• Leverage existing patterns
• Refactor to accelerate
• Automate everything

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Big boulders
• Technology evaluation
• Security strategy
• Porting the application
• Operations
• HA/DR strategy
• Data migration

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Technology evaluation
Corporate data center AWS
Application
server hosting VM Amazon EC2
Key-value store Cassandra on Bare Metals Cassandra on Amazon EC2 + EBS
Document store IBM Cleversafe Amazon S3
Encryption
provider
Gemalto SafeNet Intuit Data Protection Service (IDPS) +
KMS

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy
https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy
• Infrastructure
• Data handling
• Partitioning
• Access
• Threat modelling
• Pen testing

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - infrastructure
• Intuit Cloud Operations
• Deploys accounts, Amazon VPCs, subnets
• Patterns are enforced during onboarding
• We deploy into this structure
• Application
• Datastore

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - infrastructure

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - infrastructure

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - infrastructure

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - infrastructure

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - infrastructure

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - infrastructure

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - infrastructure

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - data handling
• What data will you encrypt?
• Classify your data: Public, Restricted, Sensitive, Highly Sensitive, Secret
• Where will you encrypt the data?
• Application Level Encryption
• Encryption At Rest
• Application Level Encryption (ALE)
• Intuit Data Protection Service (IDPS)
• Symmetric-key encryption
• AES-256
• Probabilistic
• Key rotation
• Re-encrypting old data
• Encryption At Rest
• AWS KMS

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - what is Intuit data protection service?
• Intuit’s key management/HSM solution
• Features
• Generation and secure storage of high-quality cryptographic keys and application secrets
• Encryption and decryption with symmetric and asymmetric algorithms
• Key versioning
• Support for a large number of keys, rapid key rotation, and re-encryption
• Access control
• Policy-based authentication

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - partitioning
Business unit
Functional
group
Key-value
store
Table
Document
store
Amazon S3
bucket

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - access
• Platform runtime
• Strict ‘NO’ on usage of access and secret key
• ONLY instance profile based access
• Policy rules to restrict access
• AWS region
• AWS service
• IAM Role
• Amazon VPC
• Resource operations
• Platform operations
• ‘Olympus’ for all human access
• What is ‘Olympus’?
• AWS access management tool for Intuit
workforce
• Integrated with IAM to provide predefined roles
to workforce users
• Read only
• Application operations
• Power user
• SSH access
• Ability for teams to create custom role mapping
on a need basis
• Provides out of box capabilities like security
monitoring, audit, and compliance

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - threat modelling
Attack vectors
Initial risk summary
Mitigation controlsResidual risk
summary
Playbook
crawl/walk/run

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Security strategy - pen testing
• What?
• External testing
• Assets visible on the internet
• Internal testing
• Assets behind the firewall
• Who?
• Internal security team
• External vendor
• Collaboration

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Operations - continuous deployment
• Secure SDLC Tools in the CICD Pipeline
• Threat modeling, static analysis, composition analysis, interactive application security testing
• Code, artifacts, dependencies all scanned
• Restricted orchestration
• Jenkins runs the pipeline from a separate account, deploys with Terraform
• Temporary AssumeRole creds are used to silo access to other accounts
• The target role is limited in scope
• Mandatory restacking
• Intuit generates baseline AMIs, monitors their use
• AMIs deprecated every 30 days
• Cert and key rotation

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Operations - monitoring
• Centralized logging and monitoring
• Bastion logs indexed by Splunk
• Named Olympus sessions authenticated by CA
• Security visibility
• Agent baked into the Baseline AMI, forwards events for analysis
• Policy engine
• Framework for Cloud Custodian, uses AWS Lambda and Amazon CloudWatch via cross-account roles
• Alerts account owners to rule violations
• Deprecated libraries
• The SSDLC tools in the pipeline all generate reports
• Deprecated AMIs
• Central database of baseline images, instance IDs

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lessons learnt
• Identify the biggest blockers to adoption and address them first
• Identify and plan for the long poles
• Security related testing, monitoring and alerting should never be an
afterthought
• Business continuity planning is a cornerstone to a successful migration
• Prepare your team
• Learn and optimize along the way

31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Three key takeaways
• Security strategy is ever evolving
• Automation should never be an afterthought
• Leverage your partnership with AWS

32. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.