To be successful in your business and take it where you want it to go, we often talk about having the right team ‘on the bus’. It’s also about having the right team members in the right place: the right person at the wheel, the right person in the front row holding the map, the right person serving the drinks and a mechanic in the second row just in case things go wrong. It’s common sense to separate duties.
You also want to keep people focussed on their roles and not dabbling in other people’s. For example, you don’t give the driver access to the engine compartment or the bar fridge.
As a start-up, when you set up your Cloud environment, typically everyone has access to everything, with an 'all hands to the pump' mentality. As the organisation grows, typically the number of AWS accounts grows and the user count increases and more customer data is added and … before you know it you have a serious security headache.
You are not a Cloud security expert. Nor do you want to become one. While you may not be interested in the ‘how’, you want to go to sleep each night knowing that your environment is secure, and that it will stay secure. That’s where PolarSeven’s p7-SecurityFoundation comes in.
p7-SecurityFoundation can quickly configure an environment to one that’s built to AWS best practice, and provide a suite of AWS Security Services that will identify and then test for security weaknesses, and report them to a single dashboard for remediation. It works on the principles of separation of duties and least privilege, i.e. not giving access to users who don’t need it.
One of the singular benefits of this approach is that you get single sign-on (SSO) thrown in as part of the package. This means people can get straight to work in those places where they need secure access after they’ve signed on just once. Single sign-on can be configured with a number of identity providers such as G Suite and Microsoft Active Directory.
p7-SecurityFoundation is built on AWS Control Tower. Control Tower is the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. Control Tower creates the landing zone using AWS Organizations, ensuring that new accounts conform to company-wide best practices. Control Tower provides a set of rules called Guardrails that help enforce security policies and help detect policy violations, and also an ‘Account Factory’ that standardises and automates the provisioning of new accounts according to pre-approved configuration templates.
A suite of AWS Security Services is implemented on top of this security foundation. These include:
Amazon GuardDuty for threat detection: continuous monitoring for malicious activity and unauthorised behaviour to protect AWS accounts, workloads, and Amazon S3 data buckets.
Amazon Macie for data protection. Macie provides an inventory of who outside your organisation has access to which Amazon S3 data buckets and whether they contain potentially sensitive information.
AWS Single Sign-On, a single sign-on (SSO) service that makes it easy to centrally manage SSO access to all of your AWS accounts and cloud applications.
AWS IAM Access Analyzer for fine-grained policy and monitoring, to ensure that only those roles that require it have access to resources, whether from within or outside the account.
AWS Config to provide an inventory of resource configurations, track changes to configurations and automate the evaluation of changes, providing an alerting capability when configurations no longer match the desired configuration.
Security findings from these security services are channelled to AWS Security Hub, where they can then be collated, analysed and prioritised for remediation. Remediation of the most critical and high severity issues is included within the initial configuration package and is undertaken in consultation with the customer's technical team.
Once you have your secure foundation in place, you will immediately enjoy a number of benefits:
Not only do you know your environment is secure, but using AWS Security Hub, you can demonstrate to others your security posture with regard to your AWS resources and users.
As the implementation is an AWS standards-based deployment of standard AWS products, you are not beholden to any particular supplier for on-going support or future automation of further security features.
Your environment will take much less effort to manage and will support a more disciplined and hence streamlined continuous deployment pipeline, so that developers can focus on their specific tasks.
Single Sign-On simplifies providing more granular access for developers to environments and removing access when required.
Want to know more about how p7-SecurityFoundation can help you? Book a free consultation or callback, and our security professionals can discuss your unique circumstances and how you could benefit from p7-SecurityFoundation.