About The Customer
The customer is among the leading, well-diversified financial services companies in India, offering end-to-end lending, financing and wealth management solutions to customers across the country. They serve a diverse customer base spanning retail, HNI, ultra-HNI, micro enterprises, SMEs, and mid and large corporates. They offer customized solutions in personal and business loans, corporate finance, mortgages, capital-market-based lending, project loans, structured finance, wealth management and digital lending, debt capital markets, and syndication.
The customer embarked on a digital transformation journey on AWS infrastructure with a focus on enhancing the customer experience. This goal gave them an important box to tick:
Automated cloud security:
Amid this digital transformation, and being part of a highly regulated industry, the customer was required to comply with strict regulatory controls, improve their application security posture on AWS, and select the level of security and resiliency appropriate for their workloads.
To navigate this environment, they sought assistance to uplift their cloud security posture. Although all of their workloads were already running in AWS, the applications had not been deployed following AWS best practices, and everything ran in a single AWS account. While the majority of the workloads were for internal use, they were still exposed to threats, which was a major security concern.
Staff had reported being unable to connect to internal applications because the existing VPC setup (its subnets and CIDR allocation) did not allow a VPN connection from the corporate network to AWS. The security assessment identified multiple further gaps, including encryption of data at rest, unencrypted EC2 (EBS) volumes, and missing firewalling.
Blazeclan proposed a multi-fold approach to support the customer in achieving the desired outcome. To begin with:
- Certified security professionals conducted security risk assessment reviews to document the current environment and performed a gap analysis of the existing architecture.
- AWS environment hardening was executed with custom CloudFormation templates, so that security best practices are applied whenever the cloud environment is set up or rebuilt.
- Cloud perimeter security was established by hardening the account from a network perspective and by setting up and installing a network-based firewall in front of their (web) applications.
- With Blazeclan's Cloud Security Automation service, deployments were accelerated with security built into the workflow: automated threat and vulnerability management and automated incident response for the cloud environment.
- Automated scripts were used to enforce the CIS Benchmarks, ensuring baseline security controls were followed and continuously verified.
- The multi-account strategy was incorporated to separate the management plane from the data plane and to separate the management and security resources from production resources.
- VPC re-configuration was proposed to create subnets and CIDRs that would allow them to set up a VPN connection from their corporate office to AWS cloud.
- Encryption strategy for data on S3, EBS, and RDS was highly emphasized in our proposed approach.
- Proxy servers and load balancers were set up to better control network and user traffic to their applications. The load balancer acted as a traffic filter alongside VPC NACLs and security groups, adding an extra layer of control at the network layer.
- Infrastructure was made resilient by setting up a DR site in the Singapore region, which avoided latency and compliance-related challenges.
- Service-specific security consulting included the following:
  - For monitoring production resources, the team advised the use of Amazon CloudWatch to capture and summarize utilization metrics natively for AWS resources.
  - AWS CloudTrail was set up to log, continuously monitor, and retain account activity for actions taken across their AWS infrastructure.
  - Amazon ElastiCache and Amazon API Gateway were set up to deliver the application across multiple platforms; API Gateway also acted as the single entry point into the system.
  - AWS WAF was implemented to protect application endpoints.
  - Resilient infrastructure was built using Auto Scaling, and EBS encryption was enabled for all mission-critical servers.
  - AWS KMS was used to generate and manage the encryption keys. To avoid missing key security and operational functions, golden images (golden AMIs) were built and hardened in accordance with the CIS Benchmarks, with antivirus and anti-malware protection preinstalled; the customer was advised to launch all new instances from these AMIs. Special emphasis was given to IAM: narrowly scoped roles were created for specific AWS services, following AWS best practices. Encryption was also enabled on their RDS instances, with keys generated and managed in KMS.
  - Jump hosts and a NAT Gateway were deployed to add an extra layer of control over traffic routing into the environment. IP allowlisting and MFA were set up on the AWS account to restrict and limit access to the environment.
  - AWS CloudTrail and Amazon CloudWatch were enabled to provide near-real-time visibility of the security and operational events generated by the AWS environment and its instances.
  - Amazon GuardDuty was used as the threat detection service, continuously monitoring for malicious activity and unauthorized behaviour.
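The baseline controls listed above (CIS Benchmark enforcement, EBS and RDS encryption with customer-managed KMS keys, a logging multi-region CloudTrail with log file validation, and MFA on every console identity) are the kind of checks the automated CIS scripts run on a schedule. The following is an added example written for this page, not Blazeclan's or the customer's code. It evaluates those controls over inventory snapshots whose shape mirrors the relevant boto3 responses (describe_volumes, describe_db_instances, describe_trails/get_trail_status, get_credential_report); the snapshots, account ID and KMS key ARNs are all constructed, and in practice you would fetch them with boto3 and pass them to audit_account().

```python
"""CIS-style baseline audit over constructed AWS inventory snapshots (added example)."""
import csv
import io
from typing import Dict, Iterable, List, Set

Finding = Dict[str, str]

# Hypothetical KMS key ARNs (constructed). Only CMK_PROD is an approved customer-managed key.
CMK_PROD = "arn:aws:kms:ap-south-1:111122223333:key/11111111-2222-3333-4444-555555555555"
KEY_OTHER = "arn:aws:kms:ap-south-1:111122223333:key/99999999-8888-7777-6666-555555555555"
APPROVED_KMS_KEYS: Set[str] = {CMK_PROD}

# Constructed sample shaped like ec2.describe_volumes()["Volumes"].
VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True, "KmsKeyId": CMK_PROD},
    {"VolumeId": "vol-0b2", "Encrypted": False},
    {"VolumeId": "vol-0c3", "Encrypted": True, "KmsKeyId": KEY_OTHER},
]
# Constructed sample shaped like rds.describe_db_instances()["DBInstances"].
DB_INSTANCES = [
    {"DBInstanceIdentifier": "db-core", "StorageEncrypted": True, "KmsKeyId": CMK_PROD},
    {"DBInstanceIdentifier": "db-legacy", "StorageEncrypted": False},
]
# Constructed samples shaped like cloudtrail.describe_trails()["trailList"] and
# cloudtrail.get_trail_status(), the latter keyed here by trail name.
TRAILS = [
    {"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
    {"Name": "old-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": False},
]
TRAIL_STATUS = {"org-trail": {"IsLogging": True}, "old-trail": {"IsLogging": False}}
# Constructed sample using a subset of the iam.get_credential_report() CSV columns.
CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true
alice,arn:aws:iam::111122223333:user/alice,true,true
bob,arn:aws:iam::111122223333:user/bob,true,false
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,false
"""


def _finding(control: str, resource: str, detail: str) -> Finding:
    return {"control": control, "resource": resource, "detail": detail}


def check_ebs(volumes: Iterable[dict], approved_keys: Set[str]) -> List[Finding]:
    """Every EBS volume must be encrypted, and only with an approved customer-managed key."""
    out: List[Finding] = []
    for v in volumes:
        if not v.get("Encrypted"):
            out.append(_finding("ebs-encrypted", v["VolumeId"], "volume is not encrypted"))
        elif v.get("KmsKeyId") not in approved_keys:
            out.append(_finding("ebs-encrypted", v["VolumeId"], "encrypted with a non-approved KMS key"))
    return out


def check_rds(instances: Iterable[dict], approved_keys: Set[str]) -> List[Finding]:
    """Every RDS instance must have storage encryption on, again with an approved key."""
    out: List[Finding] = []
    for db in instances:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted"):
            out.append(_finding("rds-encrypted", name, "storage is not encrypted"))
        elif db.get("KmsKeyId") not in approved_keys:
            out.append(_finding("rds-encrypted", name, "encrypted with a non-approved KMS key"))
    return out


def check_cloudtrail(trails: Iterable[dict], status_by_name: Dict[str, dict]) -> List[Finding]:
    """Each trail must be logging with log file validation; at least one must be multi-region."""
    out: List[Finding] = []
    multi_region_logging = False
    for t in trails:
        name = t["Name"]
        logging = bool(status_by_name.get(name, {}).get("IsLogging", False))
        if not logging:
            out.append(_finding("cloudtrail-logging", name, "trail exists but is not logging"))
        if not t.get("LogFileValidationEnabled"):
            out.append(_finding("cloudtrail-validation", name, "log file validation is disabled"))
        if t.get("IsMultiRegionTrail") and logging:
            multi_region_logging = True
    if not multi_region_logging:
        out.append(_finding("cloudtrail-multiregion", "account", "no multi-region trail is logging"))
    return out


def check_iam_mfa(report_csv: str) -> List[Finding]:
    """Root and every user with a console password must have MFA active."""
    out: List[Finding] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # The root row reports password_enabled as "not_supported" but always has console access.
        has_console = row["user"] == "<root_account>" or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            out.append(_finding("iam-mfa", row["user"], "console access without MFA"))
    return out


def audit_account(volumes=VOLUMES, instances=DB_INSTANCES, trails=TRAILS,
                  trail_status=TRAIL_STATUS, report=CREDENTIAL_REPORT,
                  approved_keys=APPROVED_KMS_KEYS) -> List[Finding]:
    """Run all baseline checks and return the combined list of findings."""
    return (check_ebs(volumes, approved_keys) + check_rds(instances, approved_keys)
            + check_cloudtrail(trails, trail_status) + check_iam_mfa(report))


if __name__ == "__main__":
    for f in audit_account():
        print(f"[{f['control']}] {f['resource']}: {f['detail']}")
```

Run against the constructed snapshots, the audit reports six findings: an unencrypted volume and one encrypted with a key outside the approved set, an unencrypted RDS instance, a stale trail that is neither logging nor validating its log files, and a console user without MFA. Checking the key ARN rather than only the Encrypted flag is what turns "encryption enabled" into "encrypted with keys we generate and manage in KMS".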
Overall, a complete uplift of their AWS account and environment, based on the Security pillar of the AWS Well-Architected Framework, was proposed and delivered.
- Optimized cloud environment: The customer identified the security disciplines in place under their legacy system and was able to create an equivalently secured AWS environment.
- Staying ahead of the security curve: The customer chose to stay ahead of the technology, and we supported them in building secure frameworks for cloud deployments. The customer also had the opportunity to adopt emerging security technology.
- Automated security: Automating their security operations and integrating them into the deployment pipeline allowed their application teams to increase their pace of deployment without compromising the overall security of the application.
AWS CloudTrail, Amazon CloudWatch, AWS IAM, AWS KMS, Amazon GuardDuty, Amazon API Gateway, AWS WAF