Mobility Services Company
Centralized Cloud Governance
Abstract
The client is a mobility services company in the Nordics, part of a group of companies focused on sustainable transportation in cities. A heterogeneous set of applications, vendors, and AWS accounts made it difficult to manage and control security requirements. When a decision was made to take back governance of these, Omegapoint was engaged as the technical partner to assist, educate, and execute the required changes together with the client's existing technical team. Omegapoint has delivered a stable and secure governance structure in accordance with best practices, helping our client to full control and ownership of their cloud environment.
Background
Over a period of fast-paced innovation and experimentation, a number of application services had been developed and maintained in AWS by different service providers that were using different operating models. This heterogeneous set-up made it difficult to control and manage security requirements, SLAs, and cost.
The client had set a strategic goal to consolidate ownership and governance of the complete set of applications. However, the client lacked the knowledge and ability to drive this transformation and sought a partner for immediate assistance to plan and execute the change, the end goal being to lay the foundation for an in-house team to take over the operational governance.
There was a need to map out everything from account structure, to access management, to network setup, and then to evaluate the result against industry best practices and correct any deviations.
The Solution
The Omegapoint AWS solution to consolidate and centralize governance, security, monitoring, and cost control is built on AWS Control Tower and AWS Organizations. To meet security requirements, services such as AWS Security Hub, Amazon Macie, Amazon Inspector, Amazon GuardDuty, and AWS Config are employed. Copies of all logs in the organization are collected and stored using Amazon S3 and Amazon CloudWatch. Dynamic budgets and budget alarms are configured in AWS Budgets.
On top of the AWS security services, additional security tooling was built to enhance monitoring and issue tracking: a custom AWS Lambda function gathers findings from AWS Security Hub, populates a custom dashboard, and builds a weekly report for the client. Automated Security Response on AWS, from the AWS Solutions Library, is deployed throughout the organization.
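The weekly-report Lambda described above, as an added illustration that is not Omegapoint's code: it filters Security Hub findings (AWS Security Finding Format, ASFF) to those still active and unresolved in the last seven days, then counts them by severity and by member account. The sample findings, the `FIXED_NOW` clock, and the `lambda_handler` entry point are constructed assumptions; only the `boto3` calls in the handler need AWS.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL")
# Constructed sample findings in ASFF, trimmed to the fields used below.
SAMPLE_FINDINGS = [
    {"Id": "f-1", "AwsAccountId": "111111111111", "Severity": {"Label": "HIGH"},
     "UpdatedAt": "2024-05-06T08:00:00.000Z", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"}, "Title": "S3 bucket allows public read"},
    {"Id": "f-2", "AwsAccountId": "222222222222", "Severity": {"Label": "MEDIUM"},
     "UpdatedAt": "2024-05-05T12:30:00.000Z", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NOTIFIED"}, "Title": "CloudTrail log validation off"},
    {"Id": "f-3", "AwsAccountId": "111111111111", "Severity": {"Label": "CRITICAL"},
     "UpdatedAt": "2024-04-01T00:00:00.000Z", "RecordState": "ACTIVE",
     "Workflow": {"Status": "NEW"}, "Title": "Old finding outside the window"},
    {"Id": "f-4", "AwsAccountId": "222222222222", "Severity": {"Label": "HIGH"},
     "UpdatedAt": "2024-05-06T09:00:00.000Z", "RecordState": "ARCHIVED",
     "Workflow": {"Status": "RESOLVED"}, "Title": "Already remediated"},
]
FIXED_NOW = datetime(2024, 5, 7, tzinfo=timezone.utc)  # constructed clock for the offline run

def summarize_findings(findings, now=None, days=7):
    """Count active, unresolved findings updated in the last `days` days, by severity and account."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    by_severity, by_account = Counter(), Counter()
    for f in findings:
        status = f.get("Workflow", {}).get("Status")
        if f.get("RecordState") != "ACTIVE" or status in ("RESOLVED", "SUPPRESSED"):
            continue  # archived, fixed, or risk-accepted: not reported again
        updated = datetime.fromisoformat(f["UpdatedAt"].replace("Z", "+00:00"))
        if updated < cutoff:
            continue  # not touched this week
        by_severity[f.get("Severity", {}).get("Label", "INFORMATIONAL")] += 1
        by_account[f["AwsAccountId"]] += 1
    return {"by_severity": {s: by_severity[s] for s in SEVERITIES},
            "by_account": dict(by_account)}

def render_report(summary):
    lines = ["Security Hub findings, last 7 days"]
    lines += [f"  {s:<14}{n}" for s, n in summary["by_severity"].items()]
    lines += [f"  account {a}: {n}" for a, n in sorted(summary["by_account"].items())]
    return "\n".join(lines)

def lambda_handler(event, context):
    """Lambda entry point (assumed): page through GetFindings, then build the report."""
    import boto3  # present in the Lambda runtime; not needed for the offline run
    pages = boto3.client("securityhub").get_paginator("get_findings").paginate(
        Filters={"RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}]})
    findings = [f for page in pages for f in page["Findings"]]
    return render_report(summarize_findings(findings))
```

In the delegated-administrator account the same GetFindings call returns findings from every member account, which is what makes the per-account column of the report meaningful.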
Applications are segregated into AWS accounts by workload and environment. There are also isolated sandbox accounts for the development teams for experimentation. To provision access to the accounts, AWS IAM Identity Center is used with a connection to Azure Active Directory for single sign-on. A selection of assumable IAM roles is available based on job role and privilege level. Service roles for CI/CD pipelines are also provisioned to enable fast-paced development.
The solution follows the guidelines of the AWS Security Reference Architecture.
Results and benefits
A thorough governance overhaul has been made and the client is now in complete control of its AWS environment, with a dedicated cloud operations team. The client continuously monitors its cloud environment and cost, with automated alarms for anomalies, misconfigurations, and unauthorized access. Omegapoint remains engaged as a strategic advisor and technical partner.
About Omegapoint
Founded in 2001, Omegapoint is a leading expert in cybersecurity and cybersecure digitalisation. We are currently an Advanced Tier Consulting Partner with AWS, a partner network we first joined in 2012, early on recognizing the significance of the cloud and the monumental changes it would bring to the industry.
Omegapoint consists of a group of sharp and kind consultants who share a passion for development in general and security in particular. We are proud to call ourselves a learning company, built on a culture of constant improvement and furthering of skills. With a watchful eye on industry developments and the privilege of highly experienced colleagues, we take pride in our ability to offer our clients a complete portfolio of services for cloud and AWS, structured around three pillars: cloud advisory, cloud implementation, and cloud life cycle management. With over 1 000 employees and offices in Sweden, Norway and Denmark, we are well positioned to help customers in the whole of the Nordic region.