Case Study:

GeoComm Boosts Security with AWS

SHI ensures CIS compliance for communications engineering and GIS mapping provider through multi-account, cloud-native solution

Highlights:

Customer Profile

GeoComm - An industry leader in providing Public Safety Location Intelligence.

Challenge

The customer needed an easily managed, multi-account, cloud-native solution that would address security, compliance and governance.

Solution

ITAM and Licensing

SHI utilized AWS native Infrastructure as Code (IaC) templates to orchestrate deployment across the multi-account organization.

Partners

AWS

Benefits/Results

  • Achieved CIS compliance, identified threats and assessed infrastructure performance issues
  • Reduced manual configuration and automated account provisioning
  • Introduced a native, cost-effective threat detection solution

GeoComm – an industry leader in public safety location intelligence that empowers customers to create, maintain, and leverage public safety grade GIS data for use in 9-1-1 and NG9-1-1 systems – was looking to secure its own cloud environment by introducing an easily managed, multi-account, cloud-native solution that would address security, compliance, and governance at scale.

Challenge:

GeoComm required a comprehensive, easily managed, cost-effective, multi-account solution that would address security, compliance, and governance at scale using AWS native tools and aligned to AWS best practices. As such, GeoComm needed the help of a partner with the required AWS cloud expertise. With a focus on cloud-native tools, GeoComm wanted a centralized location to view and enforce CIS compliance, identify threats from malicious activity and unauthorized behavior, and aggregate high-priority security alerts and assess security posture across all of their cloud accounts.

In addition, GeoComm wanted to assess their current observability stack against the native AWS cloud tools with a focus on dashboard visualization, metric and log aggregation, anomaly detection, and alerting. GeoComm needed to assess the monitoring tools in the AWS portfolio to determine how they compared against their current observability solution with regard to cost, ease of use, and overall available features.

Utilizing their existing relationship with SHI, GeoComm reached out for assistance with developing and implementing a solution using cloud-native tools to address their cloud security, compliance, and governance needs. In addition, GeoComm tasked SHI with building an observability stack using AWS native tools to determine how it compared with their current open-source solution.

Solution:

SHI assessed GeoComm's environment and implemented a solution that utilizes AWS native tools and aligns with the best practices of the AWS Well-Architected Framework. SHI provided a repeatable solution via native Infrastructure as Code (IaC) templates, which orchestrated a consistent deployment across the multi-account organization.

SHI designed and implemented a structured, multi-phased approach to address GeoComm's security, compliance, and governance initiatives. In the initial phase, SHI reviewed GeoComm's current organizational account structure and created a set of organizational units (OUs) within AWS Organizations to logically group accounts by environment. SHI then reviewed the available AWS Config conformance packs and determined that the CIS conformance pack provided a comprehensive set of AWS Config rules that met GeoComm's governance and compliance requirements. Using GeoComm's AWS Security account as the delegated administrator for the AWS Organization, SHI centralized AWS Config compliance findings using AWS CloudFormation StackSets. StackSets provided an automated strategy to orchestrate the deployment of AWS Config, the AWS Config aggregator, and the conformance packs across GeoComm's AWS Organization. This reduces manual configuration of AWS resources and provides an automated strategy to provision additional accounts: new and invited AWS accounts only need to be added to the appropriate OU in AWS Organizations to have the required AWS resources automatically deployed. As the final step in the initial phase, SHI created an AWS Lambda function to summarize and notify GeoComm by reporting the account identifier, AWS Config rule, Region, and resource ID of any non-compliant items.
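The notification step at the end of this phase is straightforward to build on the compliance-change events AWS Config publishes to EventBridge. The following is an added example, not SHI's or GeoComm's code: a Lambda handler that pulls the account identifier, rule name, Region, and resource ID out of an AWS Config compliance-change event, keeps only NON_COMPLIANT results, and renders a per-account summary. The SNS topic environment variable and the sample events are constructed for illustration; publishing to SNS is skipped when no topic is configured, so the code runs offline.

```python
"""Summarize AWS Config non-compliance events for notification.

Added example (not SHI's or GeoComm's code). Assumes the function is
triggered by EventBridge events of detail-type "Config Rules Compliance
Change". The SNS_TOPIC_ARN environment variable and SAMPLE_EVENTS below
are constructed assumptions for illustration.
"""
import os
from collections import defaultdict

NON_COMPLIANT = "NON_COMPLIANT"


def extract_finding(event):
    """Pull the fields the report needs out of one compliance-change event."""
    detail = event["detail"]
    new_result = detail["newEvaluationResult"]
    return {
        "account_id": detail["awsAccountId"],
        "region": detail["awsRegion"],
        "config_rule": detail["configRuleName"],
        "resource_type": detail.get("resourceType", "unknown"),
        "resource_id": detail["resourceId"],
        "compliance": new_result["complianceType"],
        "annotation": new_result.get("annotation", ""),
    }


def summarize_non_compliant(events):
    """Group NON_COMPLIANT findings by account; drop COMPLIANT and NOT_APPLICABLE transitions."""
    summary = defaultdict(list)
    for event in events:
        finding = extract_finding(event)
        if finding["compliance"] != NON_COMPLIANT:
            continue
        summary[finding["account_id"]].append(finding)
    return dict(summary)


def format_report(summary):
    """Render the summary as the plain-text body of a notification."""
    if not summary:
        return "No non-compliant resources."
    lines = []
    for account_id in sorted(summary):
        findings = summary[account_id]
        lines.append(f"Account {account_id}: {len(findings)} non-compliant resource(s)")
        for f in sorted(findings, key=lambda x: (x["config_rule"], x["region"], x["resource_id"])):
            lines.append(
                f"  rule={f['config_rule']} region={f['region']} "
                f"resource={f['resource_type']}/{f['resource_id']}"
            )
    return "\n".join(lines)


def lambda_handler(event, context=None):
    """Entry point: one event in, one report out; publish only when a topic is configured."""
    report = format_report(summarize_non_compliant([event]))
    topic_arn = os.environ.get("SNS_TOPIC_ARN")  # assumed variable set by the deployment template
    if topic_arn and not report.startswith("No non-compliant"):
        import boto3  # imported lazily so the module runs without AWS credentials
        boto3.client("sns").publish(TopicArn=topic_arn,
                                    Subject="AWS Config non-compliance", Message=report)
    return report


def _event(account, region, rule, rtype, rid, compliance):
    """Build a constructed event in the EventBridge compliance-change shape."""
    return {
        "detail-type": "Config Rules Compliance Change", "source": "aws.config",
        "account": account, "region": region,
        "detail": {"awsAccountId": account, "awsRegion": region, "configRuleName": rule,
                   "resourceType": rtype, "resourceId": rid,
                   "messageType": "ComplianceChangeNotification",
                   "newEvaluationResult": {"complianceType": compliance}},
    }


# Constructed sample events (not real accounts or resources).
SAMPLE_EVENTS = [
    _event("111111111111", "us-east-1", "restricted-ssh", "AWS::EC2::SecurityGroup", "sg-0a1b2c3d", "NON_COMPLIANT"),
    _event("222222222222", "us-west-2", "s3-bucket-public-read-prohibited", "AWS::S3::Bucket", "example-bucket", "NON_COMPLIANT"),
    _event("111111111111", "us-east-1", "cloudtrail-enabled", "AWS::::Account", "111111111111", "COMPLIANT"),
]

if __name__ == "__main__":
    print(format_report(summarize_non_compliant(SAMPLE_EVENTS)))
```

Because the Config aggregator in the Security account receives the compliance changes from every member account, a single function there covers the whole organization; the handler only needs the event, not cross-account API calls.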

In the second phase, SHI deployed Amazon GuardDuty across the AWS Organization with multi-account support. GuardDuty provides a native, cost-effective threat detection solution powered by machine learning and anomaly detection across GeoComm's AWS accounts. SHI wrote an AWS Lambda function, triggered by CloudWatch Events rules and deployed using AWS CloudFormation templates, to perform automated remediation and notifications. The findings identify AWS resource details and information associated with the attack, including the remote IP address and its geolocation. To support GeoComm's need to track high-priority security alerts and general security posture as aggregated findings across the AWS Organization, SHI worked with GeoComm to implement and configure AWS Security Hub. SHI configured automated security checks via the AWS Foundational Security Best Practices standard and the CIS AWS Foundations Benchmark.
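GuardDuty findings arrive in EventBridge (CloudWatch Events) as JSON in the GuardDuty finding format, and the remediation function's first job is to turn that into a decision. The following is an added example, not SHI's code: it extracts the account, Region, affected resource, severity band, and the remote IP and geolocation from a finding, and picks an action. The remediation threshold, the quarantine security group, and the sample findings are assumptions for illustration; the isolation call only runs when the environment variable is set, so the module runs offline.

```python
"""Triage Amazon GuardDuty findings delivered through EventBridge.

Added example (not SHI's or GeoComm's code). Field names follow the
GuardDuty finding format. REMEDIATE_ABOVE, QUARANTINE_SG_ID and the
SAMPLE_FINDINGS are constructed assumptions for illustration.
"""
import os

REMEDIATE_ABOVE = 7.0  # assumed policy: only High-severity EC2 findings are auto-remediated


def severity_label(score):
    """GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def remote_ip_details(finding):
    """Return remote IP and geolocation regardless of which action type the finding carries."""
    action = finding.get("service", {}).get("action", {})
    details = None
    if "networkConnectionAction" in action:
        details = action["networkConnectionAction"].get("remoteIpDetails")
    elif "awsApiCallAction" in action:
        details = action["awsApiCallAction"].get("remoteIpDetails")
    elif "portProbeAction" in action:
        probes = action["portProbeAction"].get("portProbeDetails", [])
        details = probes[0].get("remoteIpDetails") if probes else None
    if not details:
        return {"ip": None, "country": None, "city": None}
    return {
        "ip": details.get("ipAddressV4"),
        "country": details.get("country", {}).get("countryName"),
        "city": details.get("city", {}).get("cityName"),
    }


def affected_resource(finding):
    """Identify the resource under attack: an EC2 instance or an IAM access key."""
    res = finding.get("resource", {})
    rtype = res.get("resourceType")
    if rtype == "Instance":
        return rtype, res.get("instanceDetails", {}).get("instanceId")
    if rtype == "AccessKey":
        key = res.get("accessKeyDetails", {})
        return rtype, f"{key.get('userType')}/{key.get('userName')}"
    return rtype, None


def triage(finding):
    """Reduce a finding to the fields worth notifying on, plus the chosen action."""
    score = float(finding["severity"])
    rtype, rid = affected_resource(finding)
    remote = remote_ip_details(finding)
    isolate = score >= REMEDIATE_ABOVE and rtype == "Instance"
    return {
        "account_id": finding["accountId"],
        "region": finding["region"],
        "finding_type": finding["type"],
        "severity": severity_label(score),
        "resource_type": rtype,
        "resource_id": rid,
        "remote_ip": remote["ip"],
        "remote_location": ", ".join(x for x in (remote["city"], remote["country"]) if x),
        "action": "isolate-instance" if isolate else "notify",
    }


def lambda_handler(event, context=None):
    """Entry point for the EventBridge rule on detail-type "GuardDuty Finding"."""
    result = triage(event["detail"])
    quarantine_sg = os.environ.get("QUARANTINE_SG_ID")  # assumed: a security group with no rules
    if result["action"] == "isolate-instance" and quarantine_sg:
        import boto3  # imported lazily so the module runs without AWS credentials
        boto3.client("ec2", region_name=result["region"]).modify_instance_attribute(
            InstanceId=result["resource_id"], Groups=[quarantine_sg])
    return result


def _remote(ip, country, city):
    return {"ipAddressV4": ip, "country": {"countryName": country}, "city": {"cityName": city}}


# Constructed sample findings (fictional accounts, instances and addresses).
SAMPLE_FINDINGS = [
    {"accountId": "111111111111", "region": "us-east-1", "severity": 2.0,
     "type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0abc1234"}},
     "service": {"action": {"networkConnectionAction": {"remoteIpDetails": _remote("198.51.100.7", "Examplestan", "Sampleton")}}}},
    {"accountId": "111111111111", "region": "us-east-1", "severity": 8.0,
     "type": "CryptoCurrency:EC2/BitcoinTool.B",
     "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0def5678"}},
     "service": {"action": {"networkConnectionAction": {"remoteIpDetails": _remote("203.0.113.9", "Examplestan", "Testville")}}}},
    {"accountId": "222222222222", "region": "us-west-2", "severity": 5.0,
     "type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
     "resource": {"resourceType": "AccessKey", "accessKeyDetails": {"userType": "IAMUser", "userName": "deploy-bot"}},
     "service": {"action": {"awsApiCallAction": {"api": "ListBuckets", "remoteIpDetails": _remote("192.0.2.44", "Examplestan", None)}}}},
]

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print(triage(finding))
```

Swapping the instance's security groups for an empty quarantine group preserves the host for forensics while cutting its network access; the remaining findings are notification-only and flow to Security Hub for aggregation.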

In the final phase, SHI implemented a monitoring solution using native AWS tools to compare native capabilities against GeoComm's current observability stack, which uses open-source tools built on Amazon EKS. Specifically, SHI created a multi-account monitoring solution using Amazon CloudWatch Events, CloudWatch Alarms, AWS CloudTrail, and CloudWatch Dashboards. The solution watched and alerted on EC2 system metrics, AWS service metrics, and EKS container metrics using CloudWatch Container Insights. As part of the solution, SHI demonstrated that AWS can alert GeoComm through several notification channels, including email and webhooks. SHI created CloudWatch Dashboards that supplied account-based reporting and deployed dashboard widgets that monitored key performance metrics for anomalies. These metrics are exposed by Container Insights and allow for granular views down to the service, namespace, and pod level. When a metric breaches its anomaly detection band, an alarm is triggered that publishes to an Amazon SNS topic, alerting the appropriate parties to potential issues.
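An anomaly-detection alarm differs from an ordinary CloudWatch alarm in that it compares the metric against a band computed by an ANOMALY_DETECTION_BAND expression rather than a fixed threshold, and a few request fields have to line up for the API to accept it. The following is an added example, not SHI's code: it builds the PutMetricAlarm request for a Container Insights pod CPU metric at service granularity, wired to an SNS topic, and validates the invariants that most often get wrong. The cluster, namespace, service, topic ARN, and band width are assumptions; the returned dict is intended to be passed as `boto3.client("cloudwatch").put_metric_alarm(**alarm)`, which this example does not call.

```python
"""Build and validate a CloudWatch anomaly-detection alarm on a Container Insights metric.

Added example (not SHI's or GeoComm's code). The request shape is that of
the CloudWatch PutMetricAlarm API; cluster, namespace, service, topic ARN
and band width are constructed assumptions for illustration.
"""
import re

BAND_OPERATORS = {
    "GreaterThanUpperThreshold",
    "LessThanLowerThreshold",
    "LessThanLowerOrGreaterThanUpperThreshold",
}


def build_anomaly_alarm(cluster, namespace, service, topic_arn,
                        metric_name="pod_cpu_utilization", band_stddev=2.0, eval_periods=3):
    """Return PutMetricAlarm kwargs: metric m1 plus band ad1, alarm when m1 exceeds the upper band."""
    return {
        "AlarmName": f"{cluster}-{namespace}-{service}-{metric_name}-anomaly",
        "AlarmDescription": f"{metric_name} outside {band_stddev} std-dev anomaly band "
                            f"for {eval_periods} consecutive periods",
        "Metrics": [
            {
                "Id": "m1",
                "ReturnData": True,  # the measured metric must return data
                "MetricStat": {
                    "Metric": {
                        "Namespace": "ContainerInsights",
                        "MetricName": metric_name,
                        "Dimensions": [  # service-level granularity from Container Insights
                            {"Name": "ClusterName", "Value": cluster},
                            {"Name": "Namespace", "Value": namespace},
                            {"Name": "Service", "Value": service},
                        ],
                    },
                    "Period": 60,
                    "Stat": "Average",
                },
            },
            {
                "Id": "ad1",
                "Expression": f"ANOMALY_DETECTION_BAND(m1, {band_stddev})",
                "Label": f"{metric_name} (expected)",
                "ReturnData": True,  # the band must return data too
            },
        ],
        "ThresholdMetricId": "ad1",  # the band, not a static Threshold, is the comparison target
        "ComparisonOperator": "GreaterThanUpperThreshold",
        "EvaluationPeriods": eval_periods,
        "DatapointsToAlarm": eval_periods,
        "TreatMissingData": "missing",
        "AlarmActions": [topic_arn],
        "OKActions": [topic_arn],
    }


def validate_anomaly_alarm(alarm):
    """Return a list of problems that would make CloudWatch reject or silently misbehave."""
    errors = []
    by_id = {m["Id"]: m for m in alarm.get("Metrics", [])}
    band = by_id.get(alarm.get("ThresholdMetricId"))
    if band is None:
        errors.append("ThresholdMetricId must name a metric in Metrics")
        return errors
    match = re.match(r"ANOMALY_DETECTION_BAND\((\w+)\s*,", band.get("Expression", ""))
    if not match:
        errors.append("ThresholdMetricId must point at an ANOMALY_DETECTION_BAND expression")
    else:
        source = by_id.get(match.group(1))
        if source is None or not source.get("ReturnData", True):
            errors.append("the metric inside the band expression must exist and return data")
    if not band.get("ReturnData", True):
        errors.append("the band expression must return data")
    if "Threshold" in alarm:
        errors.append("a static Threshold cannot be combined with ThresholdMetricId")
    if alarm.get("ComparisonOperator") not in BAND_OPERATORS:
        errors.append("anomaly alarms require a band comparison operator")
    if not alarm.get("AlarmActions"):
        errors.append("no AlarmActions: the alarm would fire without notifying anyone")
    return errors


if __name__ == "__main__":
    # Constructed names; the topic ARN is fictional.
    alarm = build_anomaly_alarm("prod-eks", "gis-api", "tile-server",
                                "arn:aws:sns:us-east-1:111111111111:ops-alerts")
    print(alarm["AlarmName"], validate_anomaly_alarm(alarm) or "OK")
```

Choosing `GreaterThanUpperThreshold` alarms only on unexpectedly high CPU; `LessThanLowerOrGreaterThanUpperThreshold` would also catch a service that has gone quiet, which is often the more interesting signal for a pod that should be serving traffic.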

Result:

The solution enabled the customer to enforce CIS compliance, identify threats, assess infrastructure performance issues, and introduced the following benefits:

  • Consistent compliance and governance enforcement using AWS Config, conformance packs, and AWS CloudFormation StackSets.
  • An automated strategy for account provisioning with consistent detective and preventative guardrails.
  • Reduction of manual configuration through repeatable and consistent deployments, using AWS CloudFormation templates and StackSets.
  • A native, cost-effective threat detection solution powered by machine learning and anomaly detection across AWS accounts, using Amazon GuardDuty.
  • A comprehensive, consistent, and aggregated view of security posture, including high-priority issues across accounts and AWS services.
  • Tailored dashboards with granular anomaly detection.

Benefits:

The adoption of AWS Config and organization conformance packs provided GeoComm a repeatable, codified strategy designed to address security, compliance, and governance at scale. The solution using AWS native tools allows GeoComm to define policies as detective and preventative guardrails that are implemented across each account within AWS Organizations, and supplies tight integration and comprehensive analysis by being part of the AWS platform. The Config rules themselves are detective controls: they evaluate and flag non-compliant resources rather than block their creation, which is why the non-compliance notifications built in the first phase matter.

As GeoComm adds new accounts, the AWS Config rules and conformance packs are automatically deployed by AWS CloudFormation StackSets, which reduces human error and manual configuration and delivers a consistent deployment experience.

Using Amazon GuardDuty, GeoComm has a native, cost-effective solution that uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. In addition, with the use of AWS Security Hub, GeoComm has an aggregated view across their AWS Organization and an improved security posture with automated checks, along with the ability to act quickly on reported findings.

Using Amazon CloudWatch with Container Insights and anomaly detection affords GeoComm the ability to closely monitor their applications and infrastructure. CloudWatch dashboards allow GeoComm to have informational dashboards tailored to specific audiences. Container Insights provides granular metrics for containerized workloads at the service, namespace, pod, and cluster level. This allows GeoComm to inspect container performance on a much deeper level than what is offered out of the box with CloudWatch. CloudWatch anomaly detection applies statistical and machine learning algorithms to continuously analyze system and application metrics, model their expected trends, and alert on anomalous behavior.