A significant proportion of organisations using the cloud face the task of implementing security controls over their users, both internal and external, and over their cloud and on-premises workloads. These controls are driven primarily by security policies derived from state or industry regulatory requirements, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), and many others.
In some cases the answer is one of the Amazon Web Services (AWS) network traffic controls, such as network access control lists (NACLs) or security groups. In other cases, a deeper level of control and regular auditing are required.
Although in constant and rapid evolution, the IT world often builds on proven traditional solutions and upgrades or refactors them with new tools, giving them a new edge. If you worked in the pre-cloud era, you have surely encountered the construct of a demilitarized zone (DMZ) controlled by firewalls. Our solution builds on that construct; in our case, however, the architecture is redesigned to be applicable to multi-cloud hybrid environments, and it is highly modular and flexible.
As shown in the solution overview diagram below, the focal point of our architecture is the transit Amazon Virtual Private Cloud (VPC) in the AWS Cloud. Our strategy is to implement a hub-and-spoke network topology that routes all traffic through the transit Amazon VPC, where the entire traffic sanitisation process also takes place, as shown in the transit Amazon VPC internals diagram.
The transit Amazon VPC can be connected via various connection technologies (AWS Direct Connect, AWS Site-to-Site Virtual Private Network (VPN), AWS Transit Gateway, etc.) to the environments of all major cloud providers as well as to on-premises environments.
Transit VPC internals
Depending on organisational needs, a wide range of security features can be implemented. The list below includes some of them:
- Extensive logging into Amazon CloudWatch
- Amazon GuardDuty traffic monitoring
- AWS Lambda for automated remediation based on Amazon GuardDuty findings
- Notifications sent with Amazon SNS or AWS Chatbot
- AES 256-bit and RSA 4096-bit encryption
- Support for Windows, Linux, Mac, Android, iPhone and iPad clients
- RADIUS / NT Domain user authentication
- RSA certificate authentication
- Deep-inspect packet logging
- AWS Shield for distributed denial-of-service (DDoS) attack mitigation
- AWS WAF for protection from common attack techniques
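The GuardDuty-to-Lambda remediation and SNS notification items above are the kind of glue a practitioner would want to see. The following is an added example, not the article's or AWS's own code: a Lambda handler that triages a GuardDuty finding delivered through EventBridge by severity band, isolates the affected EC2 instance with a quarantine security group for high-severity findings, and notifies an SNS topic for medium and above. The quarantine security group ID, the SNS topic ARN and the sample finding are assumed placeholders.

```python
"""Severity-based triage of a GuardDuty finding delivered to Lambda via EventBridge."""
import json

QUARANTINE_SG = "sg-PLACEHOLDER-quarantine"  # assumed: security group with no inbound/outbound rules
ALERT_TOPIC_ARN = "arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER-alerts"  # assumed SNS topic
HIGH, MEDIUM = 7.0, 4.0  # GuardDuty severity bands: High >= 7.0, Medium 4.0-6.9, Low below 4.0


def triage(event):
    """Map an EventBridge-wrapped GuardDuty finding to a list of remediation actions."""
    d = event["detail"]
    sev = float(d.get("severity", 0))
    res = d.get("resource", {})
    instance = res.get("instanceDetails", {}).get("instanceId")
    decision = {"finding_id": d.get("id"), "type": d.get("type"), "severity": sev,
                "instance_id": instance, "actions": []}
    # Only isolate when the finding is high severity AND names a concrete EC2 instance
    if sev >= HIGH and res.get("resourceType") == "Instance" and instance:
        decision["actions"].append({"isolate": instance, "security_group": QUARANTINE_SG})
    if sev >= MEDIUM:
        decision["actions"].append({"notify": ALERT_TOPIC_ARN})
    else:
        decision["actions"].append({"log_only": True})  # Low: CloudWatch Logs entry only
    return decision


def handler(event, context=None, ec2=None, sns=None):
    """Lambda entry point. AWS clients are injected so the logic can run offline;
    in a real deployment pass boto3.client("ec2") and boto3.client("sns")."""
    decision = triage(event)
    for action in decision["actions"]:
        if "isolate" in action and ec2 is not None:
            # Replacing all security groups on the instance with an empty one cuts its traffic
            ec2.modify_instance_attribute(InstanceId=action["isolate"],
                                          Groups=[action["security_group"]])
        if "notify" in action and sns is not None:
            sns.publish(TopicArn=action["notify"], Subject=f"GuardDuty {decision['type']}",
                        Message=json.dumps(decision, default=str))
    print(json.dumps(decision))  # structured record lands in CloudWatch Logs
    return decision


# Constructed sample event in the EventBridge "GuardDuty Finding" shape (abridged)
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {"id": "constructed-finding-id", "type": "UnauthorizedAccess:EC2/SSHBruteForce",
               "severity": 8.0,
               "resource": {"resourceType": "Instance",
                            "instanceDetails": {"instanceId": "i-0constructed00000000"}}},
}

if __name__ == "__main__":
    handler(SAMPLE_EVENT)
```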
In addition to the security features, seamless failover across Availability Zones, automated scaling, Infrastructure as Code (IaC) deployments with AWS CloudFormation or Terraform, and IPv4/IPv6 dual-stack capabilities make this system a long-term answer to many security headaches for most organisations.
If you have any questions, feel free to send me an email at firstname.lastname@example.org.