Founded in 1986, Rent-A-Center (RAC) has more than 4,285 retail locations across 50 states, Washington, D.C., Canada, Mexico and Puerto Rico. Its stores offer people an easy, affordable way to furnish their homes without incurring a continuing obligation and without needing access to credit. RAC also has a store within a store concept where customers at Ashley Furniture, for example, have an option to rent to own if they don’t qualify for store credit.
Rent-A-Center Builds Innovation, Availability and Security-By-Design
RAC’s challenge was to evolve its security using a DevOps approach and applying Security by Design principles. It wanted to apply these principles and approaches across projects at RAC — starting with its Acceptance Now business unit which supports RAC’s “store within a store” partners. RAC partnered with Flux7 which enabled them to take the Security by Design principles and start implementing them with a Security First framework. Flux7 was also instrumental in helping RAC enable DevOps philosophies within the organization.
RAC and Flux7 approached the challenge with three pillars: Security, Availability, and Innovation which were built into RAC’s AWS-enabled cloud solution. Beginning with the up-front design, Flux7 and RAC split the accounts and Virtual Private Clouds (VPC) by applications. For example, security-related events were assigned to their own security VPC as were production, shared, lower-level environments and more. Design for each pillar included:
Security: Handling personally identifiable information and requiring PCI compliance, the Acceptance Now partner portal was an ideal place to begin applying Security by Design principles. To do so, RAC and Flux7 used a standard Amazon Relational Database Service (RDS) which helped address many compliance and security requirements with automated patching. Also designed into the solution was centralized logging and threat management which gives greater security and control over logs as well as better context for event correlation.
The security architecture also included encryption for data at rest and in motion and followed SAN prescriptions such as separation of services, segregation of duties, and least privilege access. The Flux7 design also relied extensively on Docker which effectively reduces the number of attack vectors because when containerized, the only thing exposed is the application, automatically minimizing security threats at the OS level and below.
Availability: Availability is part and parcel with security as a highly available system with no single point of failure to ensure greater uptime and reliability which are critical for retailers to capture a sale at the point a purchase decision has been made. The Acceptance Now portal was designed from the ground up to meet spikes in demand; every single layer was separated using Elastic Load Balancers (ELB) that provide applications with greater fault tolerance and also allowed them to scale independently providing capacity to meet demand where and when it was needed.
Remaining true to DevOps principles, a great deal of automation was built into the design, providing the ability to recover quickly from an issue, should it arise. However, it also allowed the team to build a system that required very minimal intervention, reducing the risk of human error which again serves to grow both system security and continued availability.
Innovation: To drive a focus on innovation, everything within the architecture was templatized with Cloud Formation templates. Amazon Machine Images (AMIs), the OS and application stack were built using Ansible, an IT automation and DevOps platform for automating heterogeneous infrastructure. Everything possible within the architecture was scripted, with much of the automation orchestrated with Jenkins. This approach satisfies a core principle of Security by Design; that is, using a templatized design from the lowest levels of architecture all the way up to production. Additionally, automation allows human resources to be used in more strategic work, further increasing innovation and business-impacting output.
In the end, this group was able to achieve its goals by implementing infrastructure as code, tightening several security standards, and implementing a DR plan. The company’s new product is now highly available, scalable, and developers are able to easily add new features and functionality, growing the product to meet customer demand. Simultaneously, the security team is confident that the company’s IP is safe and the CFO is greatly satisfied at the cost optimization achieved.
An AWS account can be created in a way that makes for a reliably secure and controlled environment no matter how the AWS resources are used. By deploying Secure by Design principles from the outset, RAC and Flux7 were able to configure and provide a reliable operational security control capability to meet the PCI compliance and security needs of the business. Moreover, with its templatized approach, RAC is now able to satisfy auditor questions by simply turning on its Ansible Playbooks or Cloud Formation templates to show auditors how the system was built.
Templates have also served to further enhance security as according to Hemanth Jayaraman, Director of DevOps, RAC, “In traditional IT, usually most of us run into security issues in production; just before going live, you have everybody scrambling. With this approach of building things templatized, going through automation, we had no surprises before go live. We knew what we were getting into. We were not seeing it for the first time in production.” DevOps approach dictated that everything was built as code, which means there is less hands-on and less room for human error. And, for the first time, DevOps engineers checked in their infrastructure components into the source code management system.
Moving forward, RAC plans to continue its DevOps and Security by Design approach with new projects this year. It is applying its learning of AWS security best practices and automation capabilities for securing its environment and plans to add new technologies including AWS CloudTrail and AWS Web Application Firewall (WAF). It plans to further its security initiative by building in the CISbenchmarked AMIs to make sure that yet another layer of security is baked in from the get-go. Amazon Aurora with Amazon Key Management Services (KMS) is also planned in order to automate key rotation and an advanced content delivery network for distributed denial of service attacks is also planned.
With a successful launch of the Acceptance Now B2B portal as a template itself for future projects, RAC is well on its way to fulfilling its mission to evolve its security using a DevOps approach and applying Security by Design principles.