Symphonica as a Well-Architected AWS Framework Secure Solution

Constructing a secure, efficient, and reliable software system requires developing a solid foundation upon which it will reside, comparable in many respects to how a tall skyscraper must reside upon a well-built foundation. This article focuses on the Security pillar of the AWS (Amazon Web Services) Well-Architected Framework. Symphonica was built from scratch to be fully compliant with this framework.

Symphonica, our no-code provisioning automation engine, takes the complexity out of service and network operations so you can focus on growing your business.

Security Pillar

To begin building a foundation of security, organizations must view security as an integral part of every process from the topmost organizational level all the way down to each individual workload. Ensuring a continually high level of security also means staying up to date with AWS and other industry recommendations about potential threats.

Automation is another key component of security best practice: the processes, testing, and validation that occur as part of automation allow organizations to monitor their security operations fully.

Symphonica is deployed in a hardened AWS account, with a secure operating model that has the required tooling, processes, and policies in place.

Managing Identity and Access

For a system to remain secure, it must be used only by those authorized to use it — and then only on a need-to-know basis. Each role, service, user, and account must be examined to determine which areas each entity is allowed to access, and what actions it can perform within each specific area.

Strong password policies must be put in place, including standards such as enforcing complex passwords and avoiding password reuse. In some instances, the use of multi-factor authentication will be required to ensure the highest level of security. In addition, AWS recommends that any API calls to its services use temporary, limited-privilege credentials provided by its Security Token Service.

Symphonica is fully secured and encapsulated behind an access component that enforces strong authentication and authorization, including for its self-service portal.
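As an added example (not Symphonica's or AWS's own code), the following offline check turns the identity points above into something a reviewer can run against an IAM policy document before it is attached to a role or passed as an STS session policy: it flags Allow statements that grant wildcard actions or resources, or that do not require an MFA-authenticated session. The two policy documents and the bucket name are constructed placeholders; the policy grammar and the `aws:MultiFactorAuthPresent` condition key are standard IAM.

```python
# Added example (not Symphonica's or AWS's code): offline least-privilege linter.
import json

# Constructed sample: grants every action on every resource, no conditions.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: read-only on one placeholder bucket, and only for sessions
# that authenticated with MFA (aws:MultiFactorAuthPresent is an IAM global key).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket-placeholder",
                     "arn:aws:s3:::example-bucket-placeholder/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_findings(document: str) -> list:
    """Return one finding per way an Allow statement is broader than it should be."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(document)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            findings.append(f"statement {i}: wildcard Action")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: wildcard Resource")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"statement {i}: no MFA condition")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, policy_findings(doc) or "ok")
```

The MFA check is deliberately strict; for policies attached to workload roles that never have a human session, drop that rule and rely on the action and resource checks.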

Discovery

Organizations must develop a solid plan to detect and investigate security threats, both potential and known. Detecting threats may involve a wide variety of best practices, such as internal auditing systems and asset inventory. More targeted routes of discovery include evaluating logs, events, and configuration history.

To help with threat detection, Amazon offers tools such as its Simple Storage Service, which can log access requests, and Amazon GuardDuty. The latter provides continuous monitoring of AWS accounts and workloads, checking for unauthorized access and for suspicious behavior originating inside or outside the account.

Symphonica's and Intraway's operating model includes GuardDuty and CloudWatch to discover unauthorized access or modifications.

Protecting Infrastructure

Protecting infrastructure will likely mean implementing multiple layers of defense, along with meeting any regulatory or organizational obligations. Whether working with a cloud or on-premises model, a best-practice security plan will include at least the following:

  • Enforcement of boundary protection.
  • Monitoring both ingress and egress points.
  • Thorough logging, monitoring, and alerts.

Symphonica's attack surface is continuously monitored for unintended exposure; exposed ports are secured, patched, and continuously monitored for intrusion attempts, using internet-facing attack-surface scanning techniques.

Protecting Data

Protecting data begins with data classification. Classifying data should include categorizing it by sensitivity level, along with any regulatory or organizational obligations. While AWS maintains that its clients always have full control over their own data, Amazon does offer several tools that AWS clients may find useful. These include multiple mechanisms for clients to encrypt their organization’s data, whether at rest or in transit, along with tools that log important details such as file changes and file access.

Our policy enforces data encryption at rest and in transit, including backups.

Responding to Incidents

It’s not enough to detect threats. Organizations must have a measured plan in place for how to respond to an adverse event. Best practice for responding to an incident includes mitigating the impact of the event by isolating the threat, and having a plan in place to restore operations to a safe and fully functioning state as quickly as possible.

Our policy assigns responsibilities and defines guidelines that are implemented in our processes. Automated infrastructure guarantees high availability and fast service migration in the event of an incident.

Practice

After developing the security pillar of their overall foundation, organizations must commit to regular testing of their security plans to determine how well they can foresee and respond to security threats, as well as how quickly they can restore their systems back to a fully functioning level. By regularly testing their own systems, organizations will be able to benefit from a continuous feedback loop that notes where they are doing well, and where they still need to make improvements.

If you would like to know more about how Symphonica is developed and operated according to the Security pillar of the AWS Well-Architected Framework, please contact us.
