June 09, 2022

Elvia builds a highly secure DevOps platform with Azure infrastructure and network security services

Norwegian energy utility Elvia maintains a power grid network that spans more than 41,000 miles and serves more than 2 million customers. The company set out to build a secure, cloud-first DevOps platform that could meet Norway’s data residency and compliance requirements and scale to perform in a hybrid and multicloud environment. Elvia needed resilient, flexible components to deliver automated services that would help, not hinder, the company’s development of innovative grid network technology. Elvia realized its goal by enhancing its in-house development and data integration capabilities, using Microsoft Azure DDoS Protection, Azure Web Application Firewall, Azure Bastion, Azure Active Directory (Azure AD), and Azure Kubernetes Service (AKS) to help build and secure a development platform named Atlas.


“With components like GitHub, AKS, and Application Gateway, we can have an idea in the middle of the night and immediately start building, testing, automating, and securing it within our Atlas platform.”

Ståle Heitmann, Chief Technology Officer, Elvia

Atlas and Azure: Pillars of innovation

Elvia accelerated its in-house software development transformation and created operational efficiencies by adopting AKS and Microsoft Defender for Cloud. Based on trust earned by those positive experiences, the company turned to Azure to help secure and build out its automated DevOps platform components.

Says Ståle Heitmann, Chief Technology Officer at Elvia, “Our development teams concentrate on solving business problems with Atlas. All other intersecting operations and security concerns are automated and safeguarded by Azure and its network security services.”

The Atlas service framework is inspired by domain-driven design, and Azure services play a prominent role in the system architecture, particularly Azure AD. Developer access to cloud directories is identity-based through Azure AD group membership and services via AKS accounts. For each system, a set of groups is maintained in Azure AD.

Membership in these Azure AD groups gives access to the following:

  • GitHub. All code is stored on GitHub. For each system, a team is maintained in GitHub, giving all developers in the team access to the repositories. The team is automatically synchronized with the Azure AD group.
  • Infrastructure as code. Elvia infrastructure is all defined in code. At the systems layer, this code is maintained by the development team with Azure infrastructure as a service (IaaS) and platform as a service (PaaS) components and safeguarded by services like Azure AD and Defender for Cloud.
  • Azure Kubernetes Service. All services in Atlas run on AKS. There is a namespace in Kubernetes for each system, and all deployments for the system run in this namespace. Developers access the namespace through Azure AD because each group is connected to the corresponding namespace through role-based access control.
  • Azure DevOps. For each system, a project is maintained in Azure DevOps. Access to this group is provided through membership in the systems group in Azure AD. All pipelines for continuous integration and continuous delivery (CI/CD) for each service in the system are maintained in this group. Each pipeline is maintained as code in GitHub.
  • Site reliability engineering. Within Atlas, each deployment in each system has service level objectives (SLOs) for functional requirements. Metrics that count functional events are maintained in the code and exposed via an open-source systems monitoring and alerting toolkit that runs on the Kubernetes cluster. This instance automatically detects and scrapes metrics from each service. The data that’s automatically scraped from this instance is sent to a dashboard that contains the SLOs and helps ensure that alarms are raised and visible in Defender for Cloud if a service isn’t working.
     

“Automation is the key to our success with Azure and Atlas,” says Heitmann. “The optimization and scaling capabilities we get through the Azure services support this whole new world of infrastructure development. That’s a game-changer for many global industries, not just for us.”

Atlas also contains coding practices, guidelines, and libraries to make it easy for developers to code within Atlas. “Our developers have ideas, but how can we test them? I had to ask for a budget increase in the past,” says Heitmann. “With components like GitHub, AKS, and Application Gateway, we can have an idea in the middle of the night and immediately start building, testing, automating, and securing it within our Atlas platform. All without asking for more funds.”

Elvia can now develop software in-house to support new grid technologies on a modern, cloud-first platform and protect its stack using automated security services, like Azure DDoS Protection, Azure Web Application Firewall, and Azure Bastion, from application design to development to deployment. And with Azure DevOps, Azure AD, and serverless Kubernetes from AKS, the Atlas platform has a CI/CD experience backed by enterprise-grade network security and governance.

Elvia now implements security controls directly in its development process. Through this DevSecOps approach, the company has accelerated its pace of innovation and improved its overall security posture. “The insight you get now in Azure Monitor and Defender for Cloud is invaluable,” says Øyvind Naas, Core Services and Security Lead at Elvia. “We can now access the right services for our environment through Azure, so we don’t have to add more vendors within the Atlas platform.”

Well-architected network security

Elvia’s critical infrastructure is a prime target for malicious attacks, so the company implemented the Azure Well-Architected Framework and security principles to enhance its security posture. “Security requires a lot of investment and knowledge, and we need providers like Microsoft that we can trust so we can focus on the business,” says Marius Matonis, Senior Technical Lead at Elvia. “We use Azure DDoS Protection Standard and Azure Web Application Firewall on Azure Application Gateway to protect our business-critical workloads and data streams across our environment.”

The company monitors its power grid network around the clock to ensure a stable electricity supply for its customers. It uses Azure AD identity access and monitoring services to protect its expansive network. The company added DDoS Protection, Azure Web Application Firewall, and Bastion to improve its visibility into threats and vulnerabilities and help staff focus on engineering new electricity distribution and monitoring innovations.

“We now have a better platform for gathering actionable security insights and information,” says Heitmann. “We use Defender for Cloud, Azure Network Watcher, and Monitor to get our Microsoft Secure Score, analyze our weaknesses, and prioritize the tasks required to improve.”

Insight into performance and security is crucial for a power grid network that millions of Norwegians rely on daily. Elvia uses Network Watcher to automate network monitoring, gain insights, and diagnose issues from a single view in Defender for Cloud.

Elvia also streamlined firewall management and reduced time spent on security policies and auditing processes. “We use Application Gateway and Web Application Firewall because we don’t want public traffic to access our virtual machines,” says Matonis. “Through Azure AD groups and Privileged Identity Management, our developers have a highly secure way to activate a virtual machine and access it when and where they need it. And with Azure automation capabilities, we can help ensure that all of our environments are configured the same, and our team can quickly and easily deploy applications that work in all of those environments.”

Benchmarking performance

Elvia has steadily improved its security posture in parallel with the enhancements already provided by the Atlas platform. Using powerful automation capabilities, the company strengthened the protection of its critical workloads across databases, endpoints, applications, and infrastructure.

“When we compared our old security systems with Azure security services while running active penetration tests, Defender for Cloud was in a different league,” says Naas. “With Defender for Cloud on the clients, we can get the alerts centralized when we get connectors up.”

Following such positive testing results, Elvia continued to expand its Azure security footprint. “Extending our licensing for products like Azure AD and adding cloud-native services from Azure to our platform has served us well,” says Naas. “We can see much more across our environments, through the virtual machines to the servers.”

Poised for ongoing in-house innovation

Elvia’s drive to modernize its DevOps capabilities reflects its mission to improve the resilience and security of its grid and the network connecting it so that it continues to provide reliable, affordable electricity to millions of Norwegians. It has established a robust development platform in Atlas that takes full advantage of PaaS offerings in Azure. The company can now create, monitor, scale, and safeguard its workloads and add more software as a service (SaaS) solutions, responding to business-critical needs with agility and flexibility.

“As we continue to modernize and strengthen Elvia’s development and operations capabilities through Azure services, we’re empowered to make mistakes and rectify them without leaving any solutions behind as legacy,” says Heitmann. “Everything we build now is greenfield. We’ve paid the technical debts.”
