Securing the Cloud: Cloud Migration project on AWS

Stefano Cataldi
Storm Reply
8 min read · Apr 18, 2024

This article is co-authored with Gennaro Cimmino

Abstract

This article explores a Cloud Migration project that drove the transition of a banking infrastructure to AWS. With security as the central concern, the project deploys a suite of security services spanning multiple layers of the OSI model. This focus reflects the importance of safeguarding sensitive financial data, a cornerstone for any banking institution adopting cloud technology.

Introduction

In the dynamic context of financial institutions, where digital transformation constantly evolves, the necessity to secure sensitive data while embracing innovation is crucial.

This article focuses on a transformative initiative undertaken by one of the main banks in southern Italy.

Given its constant expansion across the territory, the client needed to evolve its organizational structure towards a reliable and scalable system. It did so by adapting its application and infrastructure systems to leverage the benefits offered by the Amazon Web Services (AWS) cloud provider.

AWS is designed to be a secure, reliable and scalable cloud platform on which to run applications and workloads. Migrating servers and databases to AWS emerged as the optimal solution, not only to align with financial regulatory requirements, but also to position the institution at the cutting edge of technological advancement.

After the cloud strategy and adoption phases, a landing zone was implemented; it is discussed in the first part of this article. Particular emphasis is placed on security, given the highly sensitive nature of the financial data being managed. Through the adoption of AWS, the project aims to ensure a robust and secure cloud environment by implementing best practices and leveraging the security features provided by the platform.

Landing Zone Architecture

A multi-account landing zone architecture is designed to be highly resilient with a multi-AZ approach. The architecture consists of several dedicated accounts: development, production, shared services, security, logging and networking. Each account has its own network with specific access policies. The separation of different working environments enhances security and simplifies resource management.

Each account in the landing zone is logically structured into different Virtual Private Clouds (VPCs), which are isolated virtual networks.

The core of this architecture is the networking account, where communication between the VPCs of each account and the on-premise environment is handled through the Transit Gateway (TGW) located in that account. Direct Connect links provide high-speed, redundant connectivity to the on-premise environments, while VPN connections serve as the fallback path.

The egress VPC provides Internet access for all VPCs across accounts and is structured into three subnet layers: a first private layer dedicated to TGW attachments, a second private layer hosting AWS Network Firewall, and a public layer containing the NAT gateways. AWS Network Firewall is a stateful managed network firewall; it is essential for filtering by domain and IP address and for controlling access towards the external environment.

To provide private and secure access to specific AWS services without traversing the public network, dedicated VPC Endpoints were requested by the client. This configuration not only optimizes performance but also reduces the exposure of resources to external threats.

Account’s Workload Architecture

All workloads are deployed across the VPCs of the dedicated accounts in a multi-Availability Zone (multi-AZ), 3-tier architecture. To move the existing on-premise servers and applications into the cloud, a lift-and-shift server migration strategy was adopted with AWS Server Migration Service (MGN), a managed solution chosen for its simplicity and speed.

The Public layer hosts the exposed EC2 instances and the Internet-facing load balancers, allowing external access for the client's vendors.

The Application layer includes private EC2 instances that reach the Internet through the egress VPC. Thanks to centralized routing, instances can communicate across different accounts within the Organization; the same routing design also enforces segregation between environments, such as Production and Development.

The Data layer consists of private Oracle RDS databases, migrated with Oracle Data Pump by exporting the Oracle schemas and importing them directly into the cloud.

For disaster recovery, RDS instances were configured with synchronous replication across different Availability Zones, and the AWS Backup service is employed across the entire workload.

AWS Backup is a fully managed, centralized backup solution for various AWS services.

Security Levels

This project strategically incorporates several security services designed to address multiple layers of the OSI model. A multi-layered security system protects against a wide range of threats, such as cyber-attacks, malware, phishing, data theft and unauthorized access, increasing protection coverage. AWS offers a set of security services suited to each level, which follow security best practices and compliance benchmarks.

The following security levels were covered:

Application Level

Securing the application layer is critical because it directly interfaces with customers. Online banking platforms, payment gateways, trading systems and other financial applications are prime targets for cyber threats such as DDoS attacks and cross-site scripting. For this reason, a Web Application Firewall (WAF) was introduced. This component identifies and mitigates vulnerabilities at this level by filtering and monitoring incoming traffic, providing an effective shield for the web applications being targeted.

A set of rules has been enabled to protect against common OWASP vulnerabilities, SQL injection and other cyber-attacks.

Instance Level

Protection at the instance level helps to mitigate vulnerability exposure and cyber-attacks such as port scanning and unauthorized access. In addition, databases can be secured against data leakage, SQL injection and similar threats, which is among the main requirements of financial institutions.

Security Groups, acting as virtual firewalls, were configured with rules specifying transport-layer protocols and ports. Each AWS resource (EC2, RDS, ELB, etc.) has its own Security Group to manage the inbound and outbound traffic of that specific instance. This configuration allows communication with both cloud-based machines and on-premise resources, while keeping comprehensive control over each instance's network traffic.
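The per-tier Security Group design above is easy to state and easy to drift from. The following audit script is an added example, not the project's Terraform or any AWS tooling: it checks a set of groups against the intended 3-tier layout (public tier reachable on 443 from the Internet, application tier only from the public tier's group, data tier only from the application tier's group on the Oracle port, administrative access only from on-premise ranges). The `SAMPLE_GROUPS` structure is a constructed sample that mirrors the shape of boto3's `ec2.describe_security_groups()` output for the fields used; the group IDs, ports and CIDRs are placeholders, and the last rule of the data tier is deliberately wrong to show what the audit catches.

```python
"""Least-privilege audit of a 3-tier security-group layout (added example)."""
import ipaddress

# Expected design per tier: which security groups may appear as a source, which
# ports may be opened, and whether the tier is Internet-facing at all.
TIER_POLICY = {
    "sg-public": {"internet_facing": True,  "from_groups": set(),         "ports": {443}},
    "sg-app":    {"internet_facing": False, "from_groups": {"sg-public"}, "ports": {8080, 22}},
    "sg-data":   {"internet_facing": False, "from_groups": {"sg-app"},    "ports": {1521}},
}
# On-premise ranges reachable through Direct Connect / VPN (constructed placeholder).
ONPREM_CIDRS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample in the describe_security_groups() shape (fields used only).
SAMPLE_GROUPS = [
    {"GroupId": "sg-public", "GroupName": "web-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-app", "GroupName": "app-ec2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-public"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # admin SSH from on-prem only
         "IpRanges": [{"CidrIp": "10.10.0.0/16"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-data", "GroupName": "oracle-rds", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        # Deliberately wrong rule: all protocols, open to the world, on the data tier.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]


def _ports(perm):
    """Port set opened by one IpPermissions entry; None means 'all' (IpProtocol -1)."""
    if perm.get("IpProtocol") == "-1":
        return None
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def audit(groups, policy=TIER_POLICY, onprem=ONPREM_CIDRS):
    """Return (group_id, finding) pairs for every inbound rule that breaks the tier design."""
    findings = []
    for g in groups:
        gid, rules = g["GroupId"], policy.get(g["GroupId"])
        if rules is None:
            findings.append((gid, "group has no tier policy; review before deployment"))
            continue
        for perm in g.get("IpPermissions", []):
            ports = _ports(perm)
            if ports is None or not ports <= rules["ports"]:
                findings.append((gid, f"unexpected protocol/ports {perm.get('IpProtocol')} "
                                      f"{perm.get('FromPort')}-{perm.get('ToPort')}"))
            for r in perm.get("IpRanges", []):
                net = ipaddress.ip_network(r["CidrIp"], strict=False)
                # Private tiers may only be reached by CIDR from on-premise ranges;
                # everything else must come through a security-group reference.
                if not rules["internet_facing"] and not any(net.subnet_of(o) for o in onprem):
                    findings.append((gid, f"CIDR {net} is neither an on-prem range nor a group reference"))
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] not in rules["from_groups"]:
                    findings.append((gid, f"source group {pair['GroupId']} is not an allowed upstream tier"))
    return findings


if __name__ == "__main__":
    for gid, finding in audit(SAMPLE_GROUPS):
        print(f"{gid}: {finding}")
```

Run against the sample, the public and application tiers pass and the data tier produces two findings, one for the catch-all protocol and one for the world-open CIDR. In practice the same function would be fed the real `describe_security_groups()` response, with `TIER_POLICY` kept next to the Terraform that creates the groups so the intended design and the audit cannot drift apart.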

Alert mechanisms also strengthen security indirectly, because they allow people to react promptly to incidents. CloudWatch Alarms serve this purpose, notifying the relevant stakeholders when metrics deviate from expected values or unusual patterns appear, and triggering automated remediations to reduce the blast radius.

In addition, AWS Inspector has been adopted as a fundamental tool for identifying and addressing potential vulnerabilities across the EC2 instances within the designated workloads. AWS Inspector offers comprehensive scanning capabilities, used to produce detailed security reports.

Network Level

Given the complex networked structure of financial systems and their reliance on digital channels for transactions and communication, any disruption or compromise at the network layer may lead to unauthorized access to critical data, financial theft, fraud, or regulatory non-compliance.

In the Cloud Migration project, AWS Network Firewall was deployed to safeguard the integrity and confidentiality of the packets traversing the network.

One of the key advantages of this AWS service is its ability to enforce granular traffic-filtering rules based on predefined policies and configurations. Specific rules were designed to allow or deny traffic by whitelisting source and destination IP addresses, ports, protocols and designated domains.

Furthermore, AWS Network Firewall offers enhanced visibility and monitoring capabilities, providing real-time insights into network traffic patterns and security events. This enables organizations to proactively identify and respond to potential security incidents, minimizing the impact of malicious activities.

OS Level

One notable aspect of this project is the integration of an open-source Host-Based Intrusion Detection System (HIDS) on the EC2 instances within the AWS workloads. OSSEC, a scalable, multi-platform HIDS, was selected for this purpose.

OSSEC monitors and analyzes network traffic, logs and file access for any signs of malicious activity or anomalies. Through its detection engine, OSSEC provides rootkit and malware detection; it can also identify and alert on potential security incidents, including unauthorized access attempts, system compromises and suspicious behaviour. Thanks to its active response mechanism, organizations can handle attacks and system changes promptly.

Furthermore, OSSEC integrates with existing security infrastructure, complementing other security measures such as firewalls and antivirus software. Its modular architecture allows for easy customization and scalability, enabling organizations to tailor the system to their specific security requirements and scale as their infrastructure grows.

Moreover, OSSEC offers compliance auditing functionalities, facilitating application and system-level auditing for adherence to industry standards such as PCI-DSS and CIS benchmarks.

To facilitate the implementation of OSSEC within the AWS environment, a dedicated solution stack was developed using Terraform Infrastructure as Code (IaC). This solution includes the configuration of AWS resources to intercept, process, and display alerts generated by OSSEC.

OSSEC is deployed as an agent on each EC2 instance, where it continuously monitors the system for security events [1]. The generated alerts are captured by a CloudWatch Logs agent (installed on each EC2 instance) and forwarded to a centralized CloudWatch Log Group [2]. A CloudWatch Logs subscription [3], coupled with an AWS Lambda function, then routes the alerts to Amazon OpenSearch Service for analysis and storage [4]. Finally, Kibana, the visualization tool integrated with Amazon OpenSearch Service, provides a user-friendly interface for monitoring and analyzing security events in near real time through customizable dashboards [5].
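Steps [2] to [4] of this pipeline hinge on one piece of code the article does not show: the Lambda function that receives the CloudWatch Logs subscription payload and turns raw OSSEC alert text into documents that OpenSearch can index and Kibana can chart. The handler below is an added example written for this article, not the project's Terraform stack or OSSEC's own code. It assumes the CloudWatch agent ships each multi-line record from `alerts.log` as a single log event (the agent's multi-line start pattern set to `** Alert`), and it stops short of the network call: the bulk body is returned rather than sent, with the SigV4-signed POST to the domain's `/_bulk` endpoint left as a hypothetical `ship_to_opensearch` comment so the module runs offline. `SAMPLE_ALERT` and `make_event` are constructed test fixtures in the standard `awslogs` event shape.

```python
"""Lambda-style transformer: CloudWatch Logs subscription event -> OpenSearch bulk body (added example)."""
import base64
import gzip
import json
import re
from datetime import datetime, timezone

# Line patterns of the classic OSSEC alerts.log record (header, origin, rule, optional fields).
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+)\.(?P<seq>\d+):\s*(?:mail )?(?:- )?(?P<groups>.*?),?\s*$")
ORIGIN_RE = re.compile(r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} (?:\((?P<agent>[^)]+)\) )?(?P<host>\S+)->(?P<location>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRC_RE = re.compile(r"^Src IP: (?P<ip>\S+)$")
USER_RE = re.compile(r"^User: (?P<user>\S+)$")


def parse_alert(text):
    """Turn one alerts.log record into a flat document; returns None if the header is missing."""
    lines = [ln.rstrip() for ln in text.strip().splitlines()]
    if not lines or not (m := HEADER_RE.match(lines[0])):
        return None
    doc = {
        "alert_id": f"{m['ts']}.{m['seq']}",
        "@timestamp": datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc).isoformat(),
        "groups": [g for g in m["groups"].split(",") if g],
        "rule_id": None, "level": None, "description": None,
        "src_ip": None, "user": None, "agent": None, "host": None, "location": None,
        "payload": [],                     # the original log line(s) that fired the rule
    }
    for ln in lines[1:]:
        if (o := ORIGIN_RE.match(ln)):
            doc.update(agent=o["agent"], host=o["host"], location=o["location"])
        elif (r := RULE_RE.match(ln)):
            doc.update(rule_id=int(r["id"]), level=int(r["level"]), description=r["desc"])
        elif (s := SRC_RE.match(ln)):
            doc["src_ip"] = s["ip"]
        elif (u := USER_RE.match(ln)):
            doc["user"] = u["user"]
        else:
            doc["payload"].append(ln)
    return doc


def to_bulk(docs, index="ossec-alerts"):
    """NDJSON body for the OpenSearch _bulk API: one action line plus one document line per alert.
    Using alert_id as _id makes redelivery of the same log event idempotent."""
    out = []
    for d in docs:
        out.append(json.dumps({"index": {"_index": index, "_id": d["alert_id"]}}))
        out.append(json.dumps(d))
    return "\n".join(out) + "\n"


def handler(event, context=None):
    """Lambda entry point: decode the gzip+base64 awslogs payload and build the bulk request."""
    payload = json.loads(gzip.decompress(base64.b64decode(event["awslogs"]["data"])))
    docs = [d for ev in payload["logEvents"] if (d := parse_alert(ev["message"]))]
    body = to_bulk(docs)
    # ship_to_opensearch(body)  # hypothetical: SigV4-signed POST to https://<domain-endpoint>/_bulk
    return {"log_group": payload["logGroup"], "received": len(payload["logEvents"]),
            "indexed": len(docs), "bulk_bytes": len(body)}


def make_event(messages, log_group="/ossec/alerts"):
    """Constructed helper: wrap alert texts in the awslogs event shape a subscription delivers."""
    inner = {"messageType": "DATA_MESSAGE", "owner": "123456789012", "logGroup": log_group,
             "logStream": "i-0123456789abcdef0", "subscriptionFilters": ["ossec-to-opensearch"],
             "logEvents": [{"id": str(i), "timestamp": 0, "message": m} for i, m in enumerate(messages)]}
    return {"awslogs": {"data": base64.b64encode(gzip.compress(json.dumps(inner).encode())).decode()}}


# Constructed sample alert (RFC 5737 documentation addresses).
SAMPLE_ALERT = """** Alert 1713435322.12345: - syslog,sshd,authentication_failed,
2024 Apr 18 10:15:22 (app-01) 10.0.1.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
User: root
Apr 18 10:15:21 app-01 sshd[1234]: Failed password for root from 203.0.113.5 port 4444 ssh2
"""

if __name__ == "__main__":
    print(json.dumps(handler(make_event([SAMPLE_ALERT, "not an alert"])), indent=2))
```

Two design points matter for a banking deployment: events that do not parse are dropped from the bulk body but still counted in `received`, so a CloudWatch metric on the gap between the two numbers exposes an agent misconfiguration (for example, a missing multi-line pattern splitting alerts line by line), and indexing on `alert_id` means a Lambda retry after a transient OpenSearch error cannot duplicate alerts in the dashboards.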

Overall, the integration of OSSEC within the AWS environment enhances the security of the infrastructure, providing real-time threat detection and response capabilities essential for safeguarding sensitive data and ensuring regulatory compliance.

Access Level

In terms of access security, the client required the implementation of security best practices and governance measures. Cloud migration implies the adoption of robust security protocols, compliance with industry standards, and the application of stringent access controls.

The first part of this security level involved configuring the AWS Identity Center service with Azure Active Directory integration, for centralized user access. The service allows the creation of logical groups of users. Users assigned to a given group have a designated role for managing a set of resources within specific accounts of the Organization, applying the least-privilege principle. For example, one group was created for finance management, one for database administrators, and so on.

Additionally, IAM policies were implemented to restrict access to the cloud infrastructure to on-premise IP addresses or to connections through a Virtual Private Network (VPN). These measures further strengthen the system's protection, ensuring that access to the platform occurs only from authorized and secure locations. All IAM policies within the Organization are bounded by Service Control Policies (SCPs), which set the maximum permissions available to the organization's accounts. For instance, the client decided to confine the actions of a subset of IAM users and roles to two admitted regions only.
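The two guardrails just described, a source-IP restriction in IAM and a region restriction in an SCP, are both "explicit Deny with a condition" policies, and their interaction (Deny always wins, global services must be exempted from the region rule, calls made by an AWS service on the principal's behalf must not be blocked by the IP rule) is where mistakes usually hide. The block below is an added example, not the client's actual policies or any AWS library: the two documents follow the standard AWS patterns for these controls, with constructed placeholder CIDRs and region names (`eu-south-1`, `eu-west-1`); the evaluator `is_allowed` supports only the condition operators used in them and exists so the deny-overrides logic can be exercised offline. It is not IAM and assumes an Allow for the action exists elsewhere (for example in the Identity Center permission set).

```python
"""Access-level guardrails as policy documents plus a toy deny-overrides evaluator (added example)."""
import fnmatch
import ipaddress
import json

# Identity policy: deny everything unless the request originates from the on-premise/VPN
# ranges; aws:ViaAWSService exempts calls that AWS services make on the principal's behalf.
ONPREM_IP_RESTRICTION = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsideCorporateNetwork",
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "NotIpAddress": {"aws:SourceIp": ["198.51.100.0/24", "203.0.113.0/24"]},
      "Bool": {"aws:ViaAWSService": "false"}
    }
  }]
}""")

# SCP: confine actions to the two admitted regions; global services are exempted via NotAction
# because their requests always carry a single home region (IAM and STS report us-east-1).
REGION_RESTRICTION_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsideAllowedRegions",
    "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*", "route53:*", "cloudfront:*"],
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {"aws:RequestedRegion": ["eu-south-1", "eu-west-1"]}
    }
  }]
}""")

GUARDRAILS = (ONPREM_IP_RESTRICTION, REGION_RESTRICTION_SCP)


def request_context(source_ip, region, via_service=False):
    """Build the condition-key context for one request (keys always present, as IAM provides them)."""
    return {"aws:SourceIp": source_ip, "aws:RequestedRegion": region,
            "aws:ViaAWSService": "true" if via_service else "false"}


def _condition_matches(cond, ctx):
    """Toy evaluation of the operators used above; negated operators match when the key is absent."""
    for op, kv in cond.items():
        for key, expected in kv.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if op == "NotIpAddress":
                if actual is not None and any(ipaddress.ip_address(actual) in ipaddress.ip_network(v)
                                              for v in values):
                    return False
            elif op == "StringNotEquals":
                if actual in values:
                    return False
            elif op == "Bool":
                if actual is None or str(actual).lower() != str(values[0]).lower():
                    return False
            else:
                raise ValueError(f"operator {op} is not supported by this toy evaluator")
    return True


def _statement_covers(stmt, action):
    """Action/NotAction matching with IAM-style wildcards (e.g. 'iam:*')."""
    if "Action" in stmt:
        pats = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        return any(fnmatch.fnmatchcase(action, p) for p in pats)
    pats = stmt["NotAction"] if isinstance(stmt["NotAction"], list) else [stmt["NotAction"]]
    return not any(fnmatch.fnmatchcase(action, p) for p in pats)


def explicit_denies(action, ctx, policies=GUARDRAILS):
    """Sids of the Deny statements that apply to this request; any hit blocks it."""
    return [stmt["Sid"] for pol in policies for stmt in pol["Statement"]
            if stmt["Effect"] == "Deny" and _statement_covers(stmt, action)
            and _condition_matches(stmt.get("Condition", {}), ctx)]


def is_allowed(action, ctx, policies=GUARDRAILS):
    """Deny-overrides check of the guardrails only (an Allow is assumed to exist elsewhere)."""
    return not explicit_denies(action, ctx, policies)


if __name__ == "__main__":
    for ip, region in [("198.51.100.7", "eu-south-1"), ("192.0.2.9", "eu-south-1"), ("198.51.100.7", "us-east-1")]:
        print(ip, region, explicit_denies("ec2:StartInstances", request_context(ip, region)) or "allowed")
```

The cases worth keeping as regression tests are the ones that look surprising: `iam:CreateUser` from the office succeeds even though IAM reports `us-east-1` as its region, because of the `NotAction` exemption, and a call flagged `aws:ViaAWSService` from an address outside the corporate ranges is not blocked by the IP rule, which is exactly what keeps services such as AWS Backup working under the restriction.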

Conclusions

Compared to other sectors, security is even more critical for financial services institutions. This solution proves to be a strategic security model for transitioning a bank's infrastructure to a cloud provider.

Thanks to AWS, the client found an effective way to spread security across the OSI model. By relying on managed services and dedicated external applications, the client meets financial regulations and compliance requirements from the instance level to the access level.

Another important, though less visible, advantage is the general improvement in IT management, regarding both the integration of external suppliers and the quality of work of internal employees, which in turn affects the end-user experience.

In conclusion, through the integration of robust security measures and the adoption of best practices on AWS, the customer ensures the integrity, confidentiality, and availability of its systems, essential pillars for any financial institution leveraging cloud technology.
