AWS

How YASH protects our customers across the AWS cloud journey

By: Mahipal Kirupanithy | Ashish Maheshwari

Publish Date: November 5, 2024

Digital transformation can be an exhilarating journey filled with possibilities and innovation for any business looking to level up its game in any sector.

But let’s face it: without robust cloud security governance and proactive risk management, the risks can be catastrophic. Business impacts can range from revenue loss and business disruptions to loss of reputation, legal consequences, regulatory penalties, and loss of customer trust.

It is not all doom and gloom, though: AWS already provides most of the security features that businesses need, as long as we stick to the fundamentals, starting with business context, then architecture, the shared responsibility model, IAM, and so on, all the way to a Zero Trust approach.

What we have seen really work

The strategy that we live by

Baseline / Assess / Analyse / Identify (risks) / Prioritize (back to the basics, right?)

Step 1: Conduct a Detailed Security Assessment

Baseline against industry-leading standards: the AWS Well-Architected Framework (Security Pillar), NIST Cybersecurity Framework (CSF), CIS Controls (Center for Internet Security), and the CSA CCM.

Perform Gap Analysis:

  • Assess the AWS environment’s alignment with best practices and security standards. This involves reviewing configurations of AWS services like Amazon S3, IAM, EC2, VPC, and RDS.
  • Use AWS Config Conformance Packs to automate compliance checks for specific frameworks (e.g., PCI-DSS, HIPAA, CIS AWS Foundations Benchmark).


Identify Risks and Vulnerabilities:

  • Utilize tools such as Amazon Inspector for automated security assessments of EC2 instances, container images, and Lambda functions.
  • Perform manual reviews and penetration testing to identify vulnerabilities and attack surfaces.


Step 2: Develop a Custom Security Control Framework

Create a tailored security control framework specific to the customer’s environment, business objectives, regulatory requirements, and risk appetite.

Secure existing investments: leverage AWS-native security controls where relevant (e.g., IAM policies, Security Groups, AWS WAF, AWS Shield) and map them to the identified risks and gaps.

Leverage AWS Organizations to implement Service Control Policies (SCPs) that enforce security controls across multiple accounts.

Define Policies and Procedures

Ensure policies integrate AWS-native capabilities such as AWS IAM, AWS KMS (Key Management Service), AWS CloudTrail, and Amazon CloudWatch for continuous monitoring and auditing.

Implement Security Controls

  • Implement security controls at multiple layers – data protection (e.g., encryption using AWS KMS), network security (e.g., AWS VPC, Network ACLs, Security Groups), and application security (e.g., AWS WAF).
  • Leverage Infrastructure as Code (IaC) tools like AWS CloudFormation or Terraform to codify security controls and automate deployments.
  • Integrate AWS Config Rules to continuously monitor compliance with security controls and automatically remediate misconfigurations.


Step 3: Develop and Execute a Security Improvement Plan

Continuously enhance security posture by addressing identified gaps and mitigating risks.

1.  Prioritize and Remediate Gaps:

  • Build a remediation plan that addresses the identified gaps according to their risk level. Use AWS Systems Manager or AWS Lambda for automated remediation of misconfigurations.
  • Regularly review and update the plan to incorporate new threats, vulnerabilities, and compliance requirements.


2. Enhance Visibility and Monitoring:

  • Implement monitoring and logging using AWS CloudTrail (for API activity logging), AWS Config (for configuration monitoring), and Amazon GuardDuty (for threat detection).
  • Centralize all security alerts and findings in AWS Security Hub to provide a unified view of security across the AWS environment.


3. Automate Security Operations:

  • Use AWS services such as AWS Lambda and Amazon EventBridge to automate security workflows, incident response, and compliance checks.
  • Leverage AWS CodePipeline and AWS CodeBuild to integrate security checks into the CI/CD pipeline, ensuring security is part of the development process.
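One way to wire Steps 2 and 3 together (a Config rule flags drift, EventBridge routes the compliance-change event, Lambda remediates), as an added example that is not YASH’s or AWS’s own code: a handler that re-applies Block Public Access to an S3 bucket a Config rule has just reported NON_COMPLIANT, and ignores everything else. The rule name, bucket name and the RecordingS3 stand-in are constructed assumptions; inside Lambda the real boto3 client is used.

```python
from typing import Any, Dict, Optional

# Config managed rule this handler remediates (assumption: deployed under this name; the page names none).
REMEDIATED_RULES = {"s3-bucket-level-public-access-prohibited"}
# Bucket-level Block Public Access settings re-applied to a non-compliant bucket.
BLOCK_ALL_PUBLIC = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def bucket_to_remediate(event: Dict[str, Any]) -> Optional[str]:
    """Return the bucket name only for a NON_COMPLIANT S3 evaluation from a rule we own;
    COMPLIANT transitions and unrelated events return None and are left alone."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.config" or detail.get("messageType") != "ComplianceChangeNotification":
        return None
    if detail.get("resourceType") != "AWS::S3::Bucket":
        return None
    if detail.get("configRuleName") not in REMEDIATED_RULES:
        return None
    if detail.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None
    return detail.get("resourceId")  # for AWS::S3::Bucket, Config's resourceId is the bucket name


def lambda_handler(event: Dict[str, Any], context: Any = None, s3: Any = None) -> Dict[str, Any]:
    """EventBridge-invoked entry point. `s3` is injectable so the decision logic can be
    exercised offline; inside Lambda it defaults to a real boto3 client."""
    bucket = bucket_to_remediate(event)
    if bucket is None:
        return {"status": "ignored"}
    if s3 is None:
        import boto3  # only needed inside Lambda
        s3 = boto3.client("s3")
    s3.put_public_access_block(Bucket=bucket, PublicAccessBlockConfiguration=BLOCK_ALL_PUBLIC)
    return {"status": "remediated", "bucket": bucket, "action": "put_public_access_block"}


class RecordingS3:
    """Constructed stand-in for boto3's S3 client: records calls instead of making them."""
    def __init__(self) -> None:
        self.calls: list = []
    def put_public_access_block(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


# Constructed sample event in the shape of Config's "Config Rules Compliance Change" events.
SAMPLE_EVENT = {"source": "aws.config", "detail-type": "Config Rules Compliance Change",
                "detail": {"messageType": "ComplianceChangeNotification",
                           "configRuleName": "s3-bucket-level-public-access-prohibited",
                           "resourceType": "AWS::S3::Bucket",
                           "resourceId": "example-customer-data-bucket",
                           "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}}}
```

Every remediation the handler performs is itself an API call recorded by CloudTrail, so the audit trail described in Step 3 also covers the automation.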


Some of the challenges across the board

Some of the common security challenges that YASH came across with our global customers, and that needed to be addressed:

  • Misconfigurations leading to system breaches and data exfiltration: As sensitive data migrates from on-premises to the cloud, the risk of data breaches increases. Misconfigurations, unauthorized access, or inadequate encryption can lead to data leakage or unauthorized access to critical assets.
  • Compliance with Regulatory Requirements: Different regions and industries are governed by various regulations (e.g., GDPR, HIPAA). Ensuring that security controls align with compliance requirements while migrating workloads can be complex.
  • Identity and Access Management (IAM): As workloads shift to AWS, managing identities, roles, and permissions across a hybrid or multi-cloud environment becomes critical. Without proper IAM controls, businesses face risks of privilege escalation, insider threats, and unauthorized access.
  • Securing APIs and Endpoints: APIs are the lifeblood of modern applications in the cloud, but they can also serve as vulnerable entry points. Securing APIs and network endpoints during migration is crucial to ensure they aren’t exploited by attackers.
  • Maintaining Visibility and Monitoring: Cloud environments are dynamic and scalable, making it difficult for organizations to maintain visibility over their entire infrastructure. Without the right monitoring tools in place, detecting anomalies or security incidents can become challenging.


Results: Customer experiences and outcomes

YASH Technologies and Agricultural Machinery Client

Consider YASH’s collaboration with a client in the agricultural and construction machinery manufacturing sector. The client faced business inefficiencies due to low-quality data captured from various sources. YASH analyzed and measured data quality using a scalable big data platform on AWS, which led to enhanced operational efficiency, reduced data storage costs by 80%, and better visibility of data quality through a web-based dashboard.

Aligning with the security pillar of the AWS Well-Architected Framework, YASH leveraged AWS Key Management Service (KMS) for data encryption, AWS Identity and Access Management (IAM) for strict access controls, and AWS CloudTrail and AWS Config for monitoring and ensuring data integrity. These services helped secure the client’s data and enhanced the reliability of their analytics processes.

Security strategy during cloud migration for a biopharma customer

The migration journey poses its own set of challenges. Organizations often face a trade-off between maintaining security and enabling rapid innovation. Our AWS architects emphasized the importance of building a well-architected landing zone before migration. This landing zone should include monitoring, governance, operational, and security controls to establish a secure foundation.

We assisted our customer in migrating servers that weren’t sufficiently hardened to the Center for Internet Security (CIS) benchmarks. Instead of performing hardening on-premises, which would have been resource-intensive, we migrated the application to the cloud, took snapshots of the servers, and ran scripts to enhance their security. This approach significantly improved their security scores against the CIS benchmarks.

YASH leverages the AWS Well-Architected Framework to optimize costs and enhance cloud workload performance. By adhering to the framework’s six pillars—operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability—our experts ensure that businesses can achieve cost-effective solutions while maximizing the efficiency and effectiveness of their cloud-based applications.

As part of the comprehensive security strategy during cloud migration, and to ensure robust protection for the customers’ workloads, we leverage AWS native security services such as AWS Identity and Access Management (IAM) for granular access control, Amazon GuardDuty for continuous threat detection, and AWS Config for ensuring compliance with configuration best practices, helping our customers build a secure foundation right from the start.

Post-migration cybersecurity configuration and monitoring for a manufacturing giant

Post-migration, organizations often struggle with security misconfigurations that arise from differences between on-premises and cloud environments. By design, access in the cloud is denied by default, in contrast with on-premises environments where specific accesses might be allowed by default. This fundamental difference can lead to over-provisioned permissions, granted to get workloads running, and to other security misconfigurations.
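An added example (not from the page or YASH) of checking for the over-provisioned permissions described above: a static review of an IAM policy document that flags NotAction grants, wildcard actions, and mutating actions on Resource "*", run against a constructed over-broad policy and its least-privilege rewrite. Statement names, ARNs and the account id are constructed assumptions.

```python
from typing import Any, Dict, List

READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string/object or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def find_overprovisioned(policy: Dict[str, Any]) -> List[str]:
    """Return one finding per Allow statement that grants more than least privilege:
    NotAction (allows everything not listed), wildcard actions ('*' or 'service:*'),
    or mutating actions on Resource '*'. Deny statements are never flagged."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        # Describe/Get/List calls often legitimately need Resource '*'; mutating ones do not.
        mutating = [a for a in actions
                    if ":" in a and not a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)]
        if wildcard_actions and "*" in resources:
            findings.append(f"{sid}: {wildcard_actions} on Resource '*' is effectively admin-level access")
        elif wildcard_actions:
            findings.append(f"{sid}: service-wide wildcard actions {wildcard_actions}")
        elif mutating and "*" in resources:
            findings.append(f"{sid}: mutating actions {mutating} on Resource '*' should be scoped to ARNs")
    return findings

# Constructed example: the kind of policy written when broad access is granted "to make it work".
OVERPROVISIONED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppData", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Queues", "Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:ListQueues"], "Resource": "*"}]}

# Constructed least-privilege rewrite: named actions scoped to the application's own ARNs.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppData", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
    {"Sid": "Queues", "Effect": "Allow", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:us-east-1:123456789012:example-app-queue"},
    {"Sid": "Inventory", "Effect": "Allow", "Action": "sqs:ListQueues", "Resource": "*"}]}
```

The same check can run in the CI/CD pipeline from Step 3 against policies defined in CloudFormation or Terraform, before they reach an account.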

To address these challenges, it is paramount to implement and validate security controls post-migration. AWS offers native security tools and services that help maintain a secure environment. These include:

  • Infrastructure Security: Network firewalls, DDoS mitigation, and automatic encryption of all traffic within AWS.
  • Inventory and Configuration Management: Tools for managing AWS resources in compliance with organizational standards.
  • Data Encryption: Scalable and efficient encryption features for data at rest and in transit.
  • Identity and Access Control: Comprehensive identity and access management capabilities.
  • Monitoring and Logging: Tools like AWS CloudTrail, Amazon CloudWatch, and Amazon GuardDuty for real-time monitoring and threat detection.


Leveraging AWS Native security services

AWS already provides a robust set of native security services designed to protect mission-critical information from theft, leakage, integrity compromise, and deletion.

Some of them are listed below:

AWS IAM | Amazon Cognito | Amazon GuardDuty | AWS Shield | AWS Secrets Manager | AWS Security Hub | Amazon Macie | AWS CloudTrail

Conclusion

Ensuring security during the cloud journey is critical for the success of digital transformation initiatives, and YASH is well placed to deliver the necessary services, with the tools, frameworks, and expertise needed already in place.

Ashish Maheshwari

VP – Global Alliance & Cloud Business Unit

Ashish has been part of strategy and business development for over 20 years, with 10+ years of experience in multiple cloud technologies. He has held various leadership roles helping customers drive transformations.
At YASH, he is primarily responsible for AWS and GCP business planning, portfolio management, strengthening alliances globally, and positioning YASH as the preferred partner of choice for customers’ cloud transformation journeys.
