A Law Firm (referred to as “The Firm” in this case study, with its name withheld for privacy reasons) provides its customers with research and consulting services. The Firm has a web-based submission and download platform for all documents related to customer requests.
The Firm needed to re-architect and move their workload and hosting environment entirely into AWS. The goal was to build a FedRAMP-compliant, highly available, reliable and cost-optimized architecture in AWS that could be certified to handle highly sensitive data and run The Firm’s application workloads efficiently.
- Re-architect to leverage cloud native technologies, reduce the Total Cost of Ownership (TCO), and increase reliability and security.
- Every component in the target solution should be FedRAMP certified.
- Use CIS hardened benchmark images for compute resources.
- Leverage multiple AWS regions for Disaster Recovery.
- Monitor and inspect all ingress and egress traffic using third-party tools.
- Leverage an AWS multi-account strategy to provide security isolation and minimize blast radius.
- Strong isolation of auditing data in an account separate from where workloads are deployed.
- Automate provisioning of environments using Infrastructure as Code.
- Provide a simple and robust mechanism to maintain adequate separation as well as inter-connectivity between different AWS and on-premises networks.
During early discussions between The Firm and Zuggand technical staff it became apparent that the AWS multi-account strategy was the right solution to fulfill The Firm’s stringent network, resource and security isolation requirements. A multi-account architecture provides environment separation and makes it easier to manage user access across different accounts.
AWS Transit Gateway was utilized to easily manage connectivity and routing between VPCs belonging to different accounts. Transit Gateway also enabled attaching VPCs and VPN connections in the same region and routing traffic between them.
To secure access to the AWS environment, the Duo multi-factor authentication solution was used along with AWS Single Sign-On and Microsoft Active Directory for every user account in AWS.
CloudFormation templates were utilized extensively from creation of new accounts and VPCs to the deployment of various application stacks in AWS. This gives the ability to consistently provision and decommission resources, as well as entire stacks, and to maintain configuration while limiting the possibility of human error.
The following AWS Services were implemented as part of the solution:
- AWS Organizations: AWS Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts. You can use Organizations to define central configurations and resource sharing across accounts in your organization.
- AWS Transit Gateway: AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. Transit Gateway acts as a hub that controls how traffic is routed among all the connected networks which act like spokes.
- AWS Landing Zone: AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. With the large number of design choices.
- AWS Single Sign-On: AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications.
- Amazon RDS PostgreSQL: A managed relational database service that provides six familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL. Here it was used as the backend database for the Dashboard Application.
- AWS Lambda: AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume – there is no charge when your code is not running. Lambda was used for provisioning AWS accounts along with Landing Zone.
- AWS Config: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
- AWS CloudFormation: AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.
- AWS Systems Manager: AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. Systems Manager was used for automated maintenance and deployment tasks on EC2 Instances.
- AWS Certificate Manager: AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
Third-party services that were implemented as part of the solution:
- Symantec CWP: Symantec Cloud Workload Protection Suite automates security and scanning for your workloads and containers in AWS in addition to scanning Amazon S3 buckets for malware with cloud-native protection that integrates with DevOps and CI/CD pipelines.
- Symantec DLP: Symantec Data Loss Prevention products provide visibility of sensitive data leaving your network and help secure vital information and prevent data leaks.
- Duo MFA: Duo provides a two-factor authentication solution to protect accounts that have access to the AWS Console and resources.
- N2WS: Cloud Protection Manager is a leading in-cloud, enterprise-class backup, recovery, and DR solution for AWS.
- Sophos UTM: Sophos Unified Threat Management provides multiple security features and services such as anti-virus, anti-spam, content filtering, and web filtering.
- ManageEngine Desktop Central: Desktop Central is a unified endpoint management solution that helps in managing servers, laptops, desktops, smartphones, and tablets from a central location.
- ManageEngine Log360: Log360 is a one-stop solution for log management and network security challenges. It integrates tightly with Active Directory and provides the capabilities of AD Audit, Event Log Analyzer, and Office 365 Management.
As a result of the migration to AWS, The Firm now has a secure environment with greater operational visibility, which at the same time is easier to operate and manage. The pay-as-you-go model, combined with the elasticity of the resources, provides a better Return on Investment (ROI). This in turn helps The Firm with dedicating more time and resources towards focusing on their business and innovation.
- Moving from CapEx to OpEx Model has given agility to the business along with an efficient use of resources.
- Utilizing managed services like RDS and Lambda has helped The Firm realize a better ROI.
- Automation of the delivery pipeline has significantly reduced time to market.
- More time and resources have become available to focus on innovation and delivery instead of maintenance and operations.
- Experimentation is easier than ever with all the latest and newly added services available to all IT staff.
By optimizing the architecture around the five pillars of the AWS Well-Architected Framework (WAF), The Firm was able to gain the benefits of a well-architected design in the Cloud:
- Match supply of resources with demand by provisioning resources dynamically using Auto Scaling Groups.
- Optimize costs by using Managed services like RDS, Lambda, Route 53, Certificate Manager, AWS Single Sign-On etc.
- Establish a process to review and analyze workloads regularly and keep up to date with new service releases.
- Use Trusted Advisor for optimizing resources – instance types and sizes.
- Use tiered storage where possible – S3 Standard, S3 Infrequent Access (IA), Glacier.
- Make architectural choices based on cost/budget, business needs and benchmarking.
- Select compute resources, instance family, type and size based on characteristics, cost and business needs.
- Select storage solutions based on access patterns, characteristics and requirements.
- Utilize RDS for the database to reduce the burden of maintenance and management while fulfilling the business needs.
- Determine priorities by extensively evaluating customer and compliance needs.
- Implement application and user activity telemetry that feed live dashboards as well as trigger notifications when anomalies are detected.
- Mitigate deployment risks by implementing automated integration and deployment using CodePipeline, CodeCommit and CodeDeploy.
- Ensure operational readiness by training personnel to support production workloads.
- Manage workload and operations events by using Incident Management tools and communicating health status through dashboards.
- Monitor the performance of resources through metrics collected in CloudWatch.
- Enforce multi-factor authentication through AWS Single Sign-On and Duo Security.
- Centrally manage identities using Federation with Active Directory.
- Defend against emerging security threats and maintain compliance requirements using third-party tools like Symantec DLP, Symantec CWP and Sophos UTM.
- Protect the network perimeter by directing all ingress and egress traffic through the transit VPC and inspecting it with the Sophos UTM appliance.
- Protect compute resources by defining fine-grained security group rules and by regularly scanning for vulnerabilities and patching using AWS Systems Manager.
- Protect all data at rest using KMS keys for encrypting EBS volumes, Snapshots and S3 buckets.
- Protect all data in transit by enforcing SSL/TLS encryption and managing certificates inside AWS Certificate Manager.
- Adapt to changes in demand by dynamically provisioning compute resources using Auto Scaling Groups.
- Define a disaster recovery strategy; a pilot-light Disaster Recovery environment was implemented in a different region.
- Utilize managed services from AWS where possible to improve the reliability and availability of the entire solution in AWS.
- Automate the change deployment process to make it more reliable using CodePipeline, CodeDeploy and CodeCommit.
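The data-at-rest and data-in-transit controls from the security items above, expressed as a CloudFormation fragment. This is an added illustration, not The Firm's or Zuggand's template; the KMS key, the documents bucket and the EBS volume are assumed resource names.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DataKey:                      # customer-managed KMS key shared by the bucket and EBS volume
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: AccountRootAdmin
            Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'
  DocumentsBucket:              # assumed name; every object is encrypted with DataKey by default
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !GetAtt DataKey.Arn
  DocumentsBucketPolicy:        # data in transit: reject any request that is not made over TLS
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DocumentsBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: s3:*
            Resource:
              - !GetAtt DocumentsBucket.Arn
              - !Sub '${DocumentsBucket.Arn}/*'
            Condition:
              Bool:
                aws:SecureTransport: 'false'
  AppVolume:                    # EBS data volume encrypted with the same customer-managed key
    Type: AWS::EC2::Volume
    Properties:
      AvailabilityZone: !Select [0, !GetAZs '']
      Size: 50
      Encrypted: true
      KmsKeyId: !GetAtt DataKey.Arn
```

Snapshots taken from an encrypted volume inherit its KMS key, so the EBS snapshot requirement is covered by the same key without extra configuration.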
Due to the sensitivity of some of the data The Firm stores, security was undoubtedly the most critical aspect of building out their new AWS environment. Zuggand worked closely with The Firm’s security experts to ensure it was meeting its compliance and audit objectives. By leveraging the AWS Well-Architected Framework and following security best practices, Zuggand was able to meet The Firm’s stringent security requirements.
Going forward, Zuggand has recommended that The Firm perform AWS Well-Architected Reviews periodically – at least once or twice a year – to ensure it remains well-architected. By performing these reviews, The Firm will continue to improve its security posture over time. In addition, it can optimize its environment to continuously improve performance and lower the cost of maintaining its new AWS environment.