Our team takes an iterative approach, responding to stakeholder feedback with each sprint. We use modern configuration management and IT automation (DevOps) practices to efficiently deploy software on multiple platforms including Windows, variants of Linux, macOS and iOS. Future-proofing is baked into our process—we create flexible, scalable software that can grow according to business needs.
Case Study: Encryption Algorithm Implementation
Daycast—a real-time web application for time-tracking and team awareness—uses over half a dozen Node.js microservices behind a web proxy to communicate with third-party applications and services for authentication, data storage, project management, and reporting.
We give real-world work to interns; this project is an example of the kind of hands-on learning they do, producing meaningful deliverables.
We initially created Daycast for our own internal use; it’s now publicly available by subscription. Our interns therefore sought to harden the Daycast application by encrypting service account passwords and other tokens used to access our database. We wanted to remove the possibility of accidentally leaking unencrypted secrets to log files or memory dumps. By successfully completing this project, our interns would also add a layer of protection from attackers—if one were able to gain code execution privileges, they would not be able to see our secrets and obtain access to those resources.
They began by researching the encryption algorithms available in our software framework (Node.js) then chose one that was suitable for the task of encrypting our secret environment variables.
Then they wrote a module that encrypts and decrypts strings passed to it using a private key. This module generates random initialization vectors for strings it encrypts and returns them with the encrypted value for use in decryption.
Next they audited our codebase for all uses of sensitive environment variables and wrapped each with a just-in-time call to our module to decrypt the value. They also ensured that the decrypted result was ephemeral and never stored in a global or easily-accessible location.
After testing on a staging server, they successfully completed the project and met their goal by encrypting our secrets using the module, setting the encrypted values as the new environment variables, and deploying the change to our server.
Our systems administrators provide a comprehensive suite of IT infrastructure support services, including Office 365 administration, asset lifecycle management, cloud services, and more. Working with all major operating systems, Cornerstone’s sysadmin team delivers best-in-class IT and logistical support both remotely and, as needed, on-site.
Case Study: Remote Team Support
Our work with the client started with a small data mining and visualization project back in 2001 and has grown since. As such our transition into direct-to-user support was a natural progression as both our firms grew in size. Our relationship with this client is an example of the durable commitment we have to growing with and accommodating the needs of clients on a long-term basis.
We provide lifecycle management for the client’s workstations and laptops, including:
- Workstation asset management—acquisition, per-policy configuration, distribution, and decommissioning and data wiping
- Workstation user-specific data backup management
- User support for all hardware issues
- Management of local storage encryption keys
- A/V installation and support
- Decommissioning and compliant disposal services for hardware at end-of-life
We also migrated this client from self-hosted email to cloud-based email services. This migration was mission-critical, and zero downtime was a requirement. We completed the transition smoothly after careful planning and communication to all affected users. Support services include:
- User management—account setup, password resets, compliant off-boarding process
- Set up and management of email groups
- Security advisement and active threat monitoring
Additionally, we manage the client’s productivity tools. Including migrating their team to Office 365, our service work includes:
- User management—account setup, password resets, off-boarding process
- Email group management
- Security advisement
Support forum service management
- user account management
- trigger/rules configuration and maintenance
- Support agent management
Key operational functions depend on successful data center management. We understand this, and we monitor and analyze change, capacity, power, and space to increase efficiency, guard against threat, and maintain rock solid IT infrastructure for our clients’ mission-critical activities.
Case Study: Managed Data Center Service
In addition to extensive logistical and technical support, we built and maintain a knowledge management system (KMS) for the client containing meeting logs, presentations, past discussion notes, decisions, and project tracking to assist researchers and ensure that previous work is not lost over the span of multiple funding cycles. Along with several other Cornerstone-built, mission-critical applications, we host the KMS at our data center.
Our data center services for the client encompass all hosting and technical support, including internet connections, hardware, software licenses, security certificates, security patches, backups, new user accounts, and monitoring for the KMS. All web-hosting infrastructures are implemented using client and National Institute of Standards and Technology (NIST) standards.
Resources provisioned and maintained include:
- Multiple web-servers with redundant connections to the internet
- Continuously-replicated offsite warm-backup web-servers.
- Cross-datacenter active-active infrastructure
- Automated daily backup systems replicated to two locations
- Systems running under vendor-supported, current-version operating systems.
Knowing when and how best to modernize is key. We consult on whether to customize an off-the-shelf product, leverage in-place technology, or build an entirely custom solution. Our team has considerable experience developing and customizing content management systems; workflow control systems; regulatory inspection and enforcement systems; standards-compliant and cross-browser compatible enterprise applications; custom mobile, desktop, and server software.
Case Study: Identity Verification Smart Card Implementation
New federal guidelines required a client’s collection of mission-critical legacy applications to support login via identity verification smart cards. The project specifically needed to build in support for adding identity verification authentication to existing user accounts, as well as building and adding tools for managing and deactivating smart cards from user accounts.
As these applications were in daily use by hundreds of employees for mission-critical operations, we carefully managed the transition process and, in collaboration with the application owners, successfully added identity verification support to all applications. Our methodology included:
- Use survey: It is best practice to devote significant survey resources early in any work involving legacy applications as utilization can often creep beyond the original intent of the software or system.
- Implementation specifications/tests: Based on the use survey, we wrote implementation specifications and corresponding tests for each key finding.
- Mirrored development environment: In order to facilitate incremental, test-driven development of the smart card capabilities across all applications, we deployed a safe development environment mirroring the production environment. This allowed each use-case scenario to be tested and re-tested without end-user impact.
- Develop starting from most complicated application to least: This approach helped us to identify shortcomings in the approach early vs late and adjust our approach and testing methodology accordingly. Starting with the easiest first would provide for quick wins but also expose us to late-in-project surprises we wished to avoid.
- Test all applications in staging environment: Once the solutions were implemented and tested in the development environment, we tested deployment operations against the staging environment. This provided us a valuable first-time-install experience and influenced communications to stakeholders prior to the production release.
- Deploy simplest application to most complex: Contrary to development sequencing, we deployed the changes starting with the simplest, least-used applications in order to minimize any operational impact of unexpected events during production deployment.
We also do system migration plans to enable the migration of data from legacy systems into modern systems. Our experience with both modern and legacy (dBase, Microsoft Access, Microsoft Visual Foxpro, and Filemaker pro) systems gives us the expertise to know when to recommend a retrofit and when to recommend and support a migration to current technology.
It’s not unusual for clients to have a crystal clear understanding of the problem they need to solve but only a preliminary idea of how the solution should operate. We welcome that! Our team shines at helping stakeholders identify technical restraints, design and architecture specifications, and a clear scope and timeline for their projects.
Case Study: Web Application Centralizing Proxy
One of our client’s software systems consists of a suite of Cornerstone-built, enterprise-class applications that support key functions in pipeline risk management. Our team was tasked with designing and implementing a Web Application Centralizing Proxy, preparing the system to more efficiently comply with future IT policy directives.
CSNW excels at taking projects through the entire design-build-implement process. For example, we performed the following three categories of technical work in this project:
- Architecting and developing the Web Application Centralizing Proxy
- Upgrading and extending each of the sub-applications, enabling them to function properly behind the proxy
- Scheduling and implementing a cut-over date for each application to migrate
The proxy architecture was designed specifically to avoid any user-facing changes. We catalogued an extensive test suite of URLs to enable accurate pre- and post-migration tests. Particular care was taken to ensure PIV cards and other security measures remained fully functional for proxied data.
The application upgrades were split into two separate and non-blocking task lists. This enabled different teams to work in parallel and independently on each half of the application list to speed up this section of the project.
The cut-over dates for each application were chosen for off-hours when the applications had minimal traffic.
Per our standard practice of utilizing existing technology when possible, the Web Application Centralizing Proxy was based on an existing node module currently used by one of the suite’s applications. This module had been extensively tested and had already passed security assessments and evaluations. Re-using this module as the core of the proxy decreased the total effort required and minimized the risk of introducing vulnerabilities
This project exemplifies how we can extend legacy applications to meet modern security requirements. We were able to successfully centralize and secure all 12 applications in the suite without requiring any user-impacting changes.
The key to a successful migration is preparation. Safeguarding client data and minimizing downtime are absolutely realistic objectives for relocation teams that prioritize communication and planning. We know this because our relocation team executes secure data center migrations with downtime measured in seconds, and they consistently credit the pre-move phases with the overall success of the move. We prepare, simulate, and think pessimistically about every step in the process, revise our preparations, and repeat. This pessimistic perspective is often missing in the milieu of rosy forecasts from vendors and looming deadlines. When it comes to revision and relocation of your data and mission-critical business processes we are all Eyore.
Case Study: Live Application Suite Migration
Our client’s application suite consisted of 12 applications running on 10 virtual servers. This migration would relocate the VMs across the country from a private datacenter to a federal facility.
We began by documenting step-by-step instructions for the re-deployment of a single application server. It was written in consultation with IT and infrastructure support personnel at both data centers. The process can be summarized as follows:
- Deploy virtual server at destination data center per template
- Copy all data from source to target data center with an initial low-level sync
- Stop application at original data center
- Perform touch-up final sync (small delta expected due to the initial sync above)
- Start application at destination
- Verify applications function normally
- Switch public traffic to server at new data center
- Perform DR test from new location
As this was the first time the client had attempted such a move, we opted to test our instructions on a non-production exemplar server as a means to refining the process and documentation. Next we identified owners and stakeholders for each application and established a communication plan for each in order to minimize the impact the downtime would have on end-users.
Final cut-over for each server was performed during a time of low-expected utilization, and the downtime was measured in seconds, not minutes.
After 90 days of successful running and validation of O&M procedures at the target location, we decommissioned the virtual servers at the original data center and deleted them from the storage array per federal requirements. To make sure all data was destroyed, we retired and wiped the storage array on which the old hosted servers were running, as well as on the backup storage.