Fannie Mae uses Terraform Enterprise, Sentinel for policy development

The Federal National Mortgage Association, commonly referred to as Fannie Mae, is a pivotal entity in the United States’ financial landscape. As the largest company in the country by assets and ranking fifth globally, Fannie Mae plays a critical role in the housing finance system. It operates as a government-sponsored enterprise, which subjects it to a myriad of IT security and compliance regulations. Navigating this complex regulatory environment is no small feat, but Fannie Mae is leveraging innovative IT solutions to streamline its operations.

To keep pace with the ever-evolving regulatory demands, Fannie Mae is adopting IT infrastructure lifecycle management tools like Terraform Enterprise. This strategic move allows the organization to automate large-scale cloud infrastructure provisioning while simultaneously addressing security and compliance concerns through policy as code. This approach is backed by Terraform’s Sentinel framework, which provides robust support for policy as code implementation.

This article draws on insights from the HashiConf session titled "Sentinel policy as code in a highly regulated financial industry," presented by Maksim Frenkel. It serves as a comprehensive guide for organizations looking to learn from Fannie Mae’s experience with policy as code and develop their own strategies for mitigating risk.

Terraform and Sentinel at Fannie Mae

Terraform Enterprise has become an essential component of Fannie Mae’s digital transformation efforts. The company’s IT infrastructure is expansive, encompassing over 700 active Terraform workspaces, more than 80 AWS services, and over 450 Sentinel policies. These Sentinel policies act as guardrails, ensuring that the use of AWS services remains secure within a regulated setting. Fannie Mae’s cloud security protocols are derived from several compliance and data protection frameworks, including:

  • NIST 800-53 and Risk Management Framework (RMF)
  • Center for Internet Security (CIS) benchmarks
  • Federal Information Processing Standard (FIPS) 140-2 for data protection
  • Department of Defense’s zero trust security model

By integrating these standards into Sentinel policies, Fannie Mae ensures that its development environments meet all necessary compliance requirements before any infrastructure is provisioned.

Why Use Sentinel?

Sentinel’s policy as code approach offers numerous advantages for managing infrastructure compliance:

  • Version Control: Sentinel policies are seamlessly integrated with Terraform and version control systems, allowing for efficient policy management through common Git workflows.
  • Automated Testing: The integration of version control with Sentinel policy code facilitates automated testing, enabling policies to be validated through common testing frameworks and pipelines. Sentinel also features a built-in test framework.
  • Embedded in the Terraform Workflow: Sentinel policies operate between the plan and apply phases of infrastructure provisioning. This integration acts as a preventive measure, ensuring compliance requirements are met before any infrastructure is deployed.

This proactive strategy significantly reduces the risk of non-compliance in production environments. It empowers development teams to identify and rectify compliance issues early in the development process, before transitioning infrastructure to production. Additionally, this approach shifts more compliance responsibility toward developers, who receive immediate feedback on policy violations during their Terraform workflows.

Applications of Policy as Code

Policy as code can be utilized across various domains. Some practical examples include:

  • Security: Ensuring that server-side encryption and Customer Master Keys (CMK) are enabled for DynamoDB.
  • Logging: Verifying that Amazon ECS task logging to CloudWatch is active.
  • Architecture: Confirming that Amazon Load Balancers use approved subnets and security groups.
  • Resilience: Guaranteeing multi-availability-zone configurations for Amazon RDS in production.
  • FinOps: Ensuring only approved Amazon EC2 instance types are utilized.
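
The first bullet above, written out as a Sentinel policy. This is an added example, not Fannie Mae's or HashiCorp's code; it uses the standard tfplan/v2 import and the aws_dynamodb_table resource schema, and the policy file name referenced in the closing comment (dynamodb-cmk-encryption.sentinel) is an assumed name.

```sentinel
# Added example (not Fannie Mae's or HashiCorp's code): a Sentinel policy for
# the "Security" guardrail above. Every aws_dynamodb_table the plan creates or
# updates must enable server-side encryption backed by a customer-managed KMS key.
import "tfplan/v2" as tfplan

# Only managed DynamoDB tables that this plan creates or updates matter;
# resources being destroyed or left unchanged are not re-checked.
dynamodb_tables = filter tfplan.resource_changes as _, rc {
  rc.type is "aws_dynamodb_table" and
  rc.mode is "managed" and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# True when the server_side_encryption block is enabled and names a KMS key.
# A key ARN still unknown at plan time (e.g. an aws_kms_key created in the same
# run) is accepted: Terraform lists it under after_unknown, shaped like "after".
is_cmk_encrypted = func(rc) {
  sse = rc.change.after.server_side_encryption else []
  if length(sse) is 0 {
    return false
  }
  if (sse[0].enabled else false) is not true {
    return false
  }
  if (sse[0].kms_key_arn else "") is not "" {
    return true
  }
  unknown = rc.change.after_unknown.server_side_encryption else []
  if length(unknown) is 0 {
    return false
  }
  return (unknown[0].kms_key_arn else false) is true
}

violators = filter dynamodb_tables as _, rc {
  not is_cmk_encrypted(rc)
}

# Report every offending address so the developer sees all failures in the
# run output at once, not just the first one.
for violators as address, _ {
  print("DynamoDB table", address, "must enable server-side encryption with a customer-managed KMS key")
}

# Terraform Enterprise evaluates the main rule between plan and apply; the
# enforcement level (advisory, soft-mandatory, hard-mandatory) is set in sentinel.hcl.
main = rule {
  length(violators) is 0
}
```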

Numerous compliance policies aligned with industry-standard security benchmarks have been developed and shared by partners and the community in the Terraform Registry. For instance, the CIS benchmarks Sentinel policies are a valuable resource.

Fannie Mae’s Process for Developing Policy as Code

Fannie Mae employs a meticulous process for creating Sentinel policies that can be adopted by platform teams in various organizations. This process involves five key stages:

  1. Requirements: A cross-functional group of stakeholders, including representatives from platform, security, compliance, app development, and FinOps, reviews and specifies the requirements for new Sentinel policies. This step involves researching Terraform provider documentation to create detailed policy specifications.
  2. Development: A feature branch methodology is used to build and refine Sentinel policies. This involves creating a feature branch for each policy or policy set change, which is later merged back into the release branch.
  3. Testing: Policies are tested to ensure they function as intended. Fannie Mae defines test cases to validate policy behavior under various conditions. Tools like Sentinel mocks and the Sentinel CLI assist in generating and evaluating tests.
  4. Review: Policy code undergoes a two-tier review process, including peer review and information security review. The tests developed in the previous phase are executed during this stage to ensure robust policy performance.
  5. Release: The final step involves merging the policy’s feature branch into the release branch. This process ensures that Sentinel guardrails are effectively integrated into developers’ daily Terraform workflows.

Lessons Learned

Through its extensive experience with policy as code in Terraform Enterprise, Fannie Mae has identified several key focus areas for other organizations:

  • Fine-Tune Requirements: Clearly define policy components and their impact on compliance and security risks to avoid hindering developers.
  • Consider Performance: Monitor performance and debugging metrics, and utilize mocks for performance testing to prevent slow policy execution.
  • Reuse Code: Reuse functions across policies to save time and maintain coding best practices.
  • Backward Compatibility: New policies should initially be advisory before becoming mandatory, to prevent development disruptions.
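
An added example (not Fannie Mae's or HashiCorp's files) tying together the Testing stage of the process above and the Backward Compatibility lesson: a Sentinel CLI test case with an inline tfplan/v2 mock that the DynamoDB encryption guardrail must reject, followed by the policy set entry that ships the guardrail as advisory. The policy name dynamodb-cmk-encryption, its file path, and the table "ledger" are constructed for the example; `sentinel test` run in the policy set directory picks the case up.

```hcl
# test/dynamodb-cmk-encryption/fail.hcl
# Constructed plan data: the table turns on server-side encryption but relies on
# the AWS-owned key (no kms_key_arn, none unknown), so the policy must fail it.
mock "tfplan/v2" {
  data = {
    resource_changes = {
      "aws_dynamodb_table.ledger" = {
        address = "aws_dynamodb_table.ledger"
        mode    = "managed"
        type    = "aws_dynamodb_table"
        change = {
          actions = ["create"]
          after = {
            name                   = "ledger"
            server_side_encryption = [{ enabled = true }]
          }
          after_unknown = {
            arn                    = true
            server_side_encryption = [{}]
          }
        }
      }
    }
  }
}

# The case passes only if the policy's main rule evaluates to false.
test {
  rules = {
    main = false
  }
}

# sentinel.hcl (policy set root): release the new guardrail as advisory so
# developers see the violation in their run output without being blocked,
# then raise it to hard-mandatory once existing workspaces comply.
policy "dynamodb-cmk-encryption" {
  source            = "./dynamodb-cmk-encryption.sentinel"
  enforcement_level = "advisory"
}
```

A matching pass.hcl case (same table with `kms_key_arn` set, expecting `main = true`) guards against the policy rejecting compliant tables.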

Next Steps

For organizations seeking to emulate Fannie Mae’s success, the next steps involve adopting a systematic approach to policy development, leveraging policy as code to enhance compliance, and continuously refining processes based on performance metrics and stakeholder feedback. By doing so, they can create a secure, compliant, and efficient infrastructure environment.

Neil S
Neil is a highly qualified Technical Writer with an M.Sc(IT) degree and an impressive range of IT and Support certifications including MCSE, CCNA, ACA(Adobe Certified Associates), and PG Dip (IT). With over 10 years of hands-on experience as an IT support engineer across Windows, Mac, iOS, and Linux Server platforms, Neil possesses the expertise to create comprehensive and user-friendly documentation that simplifies complex technical concepts for a wide audience.