The first step in establishing security and governance across your infrastructure, resources and solutions is to handle the configuration of your accounts and services. Whether handling permissions, defining your multi-account environment or setting up billing, you have to define how any user can access what and how.
For this purpose, services such as the AWS Landing Zone Package, an enterprise-grade cloud operations technology and series of methodologies used by organizations to securely adopt, implement and operate their AWS environments at scale, can be utilized. The cloud automation platform developed by Comm-IT Experts to automatically deploy complete AWS enterprise workloads using the industry’s and Amazon Web Services’ best of breed automation tools offers enterprises a secure and automated AWS environment for a wide variety of organizational purposes.
The Landing Zone solution is a customizable security-by-design enterprise-grade Multi-Account, Multi VPC environment based on AWS best practices. In addition, the landing zone is a self-service platform that becomes a business acceleration enabler to the public cloud and a starting point for application deployment and migration journey. The scope of the Landing Zone solution covers:
Comm-It’s experts will help you establish AWS Landing Zones, including establishing roles and policies and incorporation of Federations, such as Windows AD or other directory services, while addressing access-related issues such as multi-factor authentication (MFA) and SSOs (e.g. ADFS).
The next step in establishing proper governance is setting up the Logical Access Control for your environment. The architecture constructed should reflect what should be open to who and how. For instance, external users have to access to applications but not to database management, whereas administrators need access to user-definitions and other management tools. The access needs to be defined as well, whether approached via an API Gateway or an ALB, whether from a specific app or through other forms of access.
The tools Comm-IT’s cloud experts will utilize to make your environment secure include the AWS WAF and Amazon CloudFront, as well as other content-related CDNs, as well setting up protective measures against DDOS and flood attacks with AWS Shield/AWS Shield Advanced.
Your data needs to be protected both in transit and in rest, as it is perhaps your most valuable organizational asset. For data in transit, this means making sure that all interfaces will be secured, both internally (for end-users who have access to applications only) and externally (such as APIs) facing access. The steps Comm-IT’s data and security specialists will set up include setting up HTTPS connections and certificates, TLS protocols and ciphers, in order to match all relevant standards and regulations.
For data at rest, this means that all components, from object storage elements to EBS and EFS services running in your infrastructure, and any other data-relevant component, are all set up with strong encryption, to match the strictest of regulations. This include setting up key management, whether managed by AWS or by the customer, including rotation cycles.
While the first three tiers set up the preconditions for proper governance, for a solution to be feasible, it must address the ongoing management of their systems. At Comm-IT we know the importance of maintaining business continuity through backups and disaster recovery (DR) measures, as well as the importance of monitoring and logging activities for auditing and security purposes and of establishing incident response procedures.
Using tools such as AWS CloudTrail, we can provide full logs for auditing purposes, which means that any security breach can be identified and handled quickly, and later reviewed and audited. With Amazon GuardDuty for intelligent threat detection and AWS Trusted Advisor, all security issues are documented, according to the best practices, in a central managed account.
Comm-IT’s 24/7 SOC monitors and protects strategic assets of your organization and manages security events. The SOC team, former IDF cyber specialists, will implement critical monitoring systems (SIEM) across your organization which will allow for regular analysis of your environment, with playbooks tailored for you. Their reports and recommendations, set up with AWS Shield Advanced and with the support of the AWS Defense team, will mean your organization will be ready as can be against any potential attack.