About Customer
The customer is a leading provider of life insurance, medical insurance, general insurance, and other employee benefits products across the SEA market.
The Challenge
The customer commenced planning its AWS cloud migration journey in early 2019. They were already using AWS cloud for Data Lake operations, although everything ran in a single account. The customer partnered with Blazeclan for a thorough assessment of their current environment and to prepare for future expansion on AWS cloud. Blazeclan proposed setting up a secure landing zone as the first step.
One of the main purposes of creating a fresh Landing Zone was to gain greater control over security and access management. The customer wanted to use as many native services as possible to ensure proper segregation of duties, while continuing to use their existing authentication mechanisms. Blazeclan’s security team was actively involved in the assessment of the on-premises user roles, policies, and privileges, and used the information gathered to design the security of the Landing Zone in a scalable and resilient manner.
The Solution
After careful review of the security requirements, Blazeclan proposed a multi-fold approach to support the customer and help them achieve their desired outcome.
Landing Zone Security Design and Implementation
One of the most important areas to study while setting up the Landing Zone was the security design: ensuring the right level of user access and monitoring of both inbound and outbound traffic. The Landing Zone was based on the concept of segregation of duties, with accounts created according to the roles they are designed to perform.
The Multi-Account Strategy
Based on the principle of segregation of duties, the following accounts were created in the landing zone:
- Organization account
- Security account
- Shared services account
- Logging account
- Workload accounts for non-production as well as production workloads
Benefits Achieved by the Customer
Optimized Cloud Environment: The security design of the foundation ensured a scalable and secure cloud environment, which was ready for expansion without further rework in the design.
Staying Ahead of the Security Curve: The customer aimed at staying ahead of the technology and the solution supported them in building secure frameworks for future cloud deployments. The customer was also able to leverage the emerging security technologies.
Automated Security: Automating their security operations and integrating them into the customer’s deployment pipeline allowed application teams to scale their pace of deployment without compromising the overall security of the application.
Tech Stack
- AWS CloudTrail
- Amazon GuardDuty
- Amazon CloudWatch
- Amazon API Gateway
- AWS IAM
- AWS WAF
- Amazon VPC
- AWS KMS
- AWS Config rules
- AD Connector
- AWS Lake Formation
- AWS Landing Zone