AWS Security Case Study
SOC 2 compliance and enhanced security for a FinTech company
A growing FinTech company had established itself in a niche securities trading market. To attract new customers and reassure existing clients, it wanted to complete a SOC 2 audit (commonly described as SOC 2 certification; strictly, the outcome is an auditor's attestation report).
The engagement's goals were security-focused: restrict all network ingress and egress in their AWS VPCs by IP address, bring the entire infrastructure under configuration management, automate updates of the IP access lists, and add monitoring and alerting.
After assessing their systems, we created a plan to implement a zero trust security model.
- Restrict Network Ingress:
We migrated every service that had a public IP address into private subnets and exposed them only through proxies and load balancers. Security groups on those endpoints and the AWS Web Application Firewall (WAF) restricted client connections to approved source addresses and gave us a single place to monitor them.
- Increase Modularity:
Putting proxies in front of the services also decoupled clients from individual instances. Clients no longer connected to a server's IP address directly, so an instance being taken down no longer broke their access, and the firm could move a service to another instance during maintenance or upgrades without clients noticing.
- Zero Trust Inside the Network:
Inside the network we applied the same principle: all outbound requests go through a proxy that blocks any destination not on the IP access list, security groups limit which systems may connect to each other, mail relays control which recipients can be emailed, and connections into the AWS network require a VPN.
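The outbound allow-list check described above, as an added example that is not the firm's own proxy code. It shows the decision the egress proxy makes for each request: default deny, a match requires both an allow-listed CIDR and a permitted port, and everything blocked becomes an alert record. The access-list file format and the addresses and requests below are constructed for the example (documentation address ranges only).

```python
"""Egress allow-list decision for an outbound proxy (added example; not the
firm's own proxy code). Every outbound request from the VPC is sent through
the proxy, which permits the connection only when the destination address
lies inside an allow-listed CIDR and the port is permitted for that entry.
Anything else is denied and recorded as an alert."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    network: "ipaddress.IPv4Network | ipaddress.IPv6Network"
    ports: frozenset


def load_access_list(text):
    """Parse 'CIDR port[,port...]' lines (hypothetical file format); '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cidr, ports = line.split()
        # strict=True rejects entries with host bits set (e.g. 203.0.113.5/24),
        # which is usually a typo that would silently widen the allow list.
        network = ipaddress.ip_network(cidr, strict=True)
        rules.append(AllowRule(network, frozenset(int(p) for p in ports.split(","))))
    return rules


def check_egress(rules, dest_ip, dest_port):
    """Return (allowed, reason). Default deny: unparseable or unmatched destinations are blocked."""
    try:
        addr = ipaddress.ip_address(dest_ip)
    except ValueError:
        return False, "destination is not an IP literal; resolve it before checking"
    for rule in rules:
        # `in` is False when the address and network families differ, so an
        # IPv4 destination never matches an IPv6 entry by accident.
        if addr in rule.network and dest_port in rule.ports:
            return True, f"allowed by {rule.network} port {dest_port}"
    return False, "no allow-list entry matches"


def filter_requests(rules, requests):
    """Apply the policy to (source, destination, port) tuples; blocked ones become alert records."""
    allowed, alerts = [], []
    for src, dst, port in requests:
        ok, reason = check_egress(rules, dst, port)
        if ok:
            allowed.append((src, dst, port))
        else:
            alerts.append({"src": src, "dst": dst, "port": port, "reason": reason})
    return allowed, alerts


# Constructed access list using documentation address ranges.
SAMPLE_ACCESS_LIST = """
# market data vendor
203.0.113.0/24 443
# clearing partner SFTP host
198.51.100.20/32 22
# IPv6 API endpoint
2001:db8:1::/48 443,8443
"""

# Constructed outbound requests as (source, destination, port).
SAMPLE_REQUESTS = [
    ("10.0.1.15", "203.0.113.10", 443),   # allowed
    ("10.0.1.15", "203.0.113.10", 22),    # listed network, unlisted port: blocked
    ("10.0.2.8", "198.51.100.20", 22),    # allowed
    ("10.0.2.8", "198.51.100.21", 22),    # neighbour outside the /32: blocked
    ("10.0.3.3", "2001:db8:1::5", 8443),  # allowed
    ("10.0.3.3", "192.0.2.1", 443),       # not listed at all: blocked
]

if __name__ == "__main__":
    rules = load_access_list(SAMPLE_ACCESS_LIST)
    allowed, alerts = filter_requests(rules, SAMPLE_REQUESTS)
    print("allowed:", allowed)
    for alert in alerts:
        print("ALERT blocked egress:", alert)
```

The check runs on the address the proxy is about to connect to, not on the hostname the client supplied: the proxy resolves the name itself and connects to the address it checked, so a client cannot bypass the list by pointing a hostname at an unlisted address.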
The firm obtained its SOC 2 report after the upgrades. Because the infrastructure is defined in CloudFormation templates, new features and network changes can be tested in separate environments before they reach production. The IP access lists are updated automatically without manual intervention, and the firm receives alerts on suspicious inbound or outbound traffic.
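The automatic access-list updates mentioned above, as an added example that is not the firm's own automation. It treats the access list as the desired state for a security group's ingress rules and computes an idempotent plan: CIDRs missing from the group are authorized, CIDRs no longer listed are revoked, and only the managed port is touched, so rules that reference another security group (such as the load balancer's) are never disturbed. The planning logic runs offline; `apply_changes` assumes boto3 is installed and AWS credentials are available, and the security group snapshot and access list below are constructed.

```python
"""Reconcile a security group's ingress rules with an IP access list (added
example; not the firm's automation). The access list is the desired state:
the plan adds CIDRs that are missing and revokes CIDRs that are no longer
listed, touching only the managed port and never rules that reference
another security group."""
import ipaddress


def normalize_cidrs(entries):
    """Canonicalise entries: a bare address becomes /32 (or /128); host bits are rejected."""
    desired = set()
    for entry in entries:
        entry = entry.split("#", 1)[0].strip()
        if not entry:
            continue
        # strict=True raises ValueError on entries like 10.0.0.5/24, which
        # would silently widen the rule to the whole /24 if accepted.
        desired.add(str(ipaddress.ip_network(entry, strict=True)))
    return desired


def current_cidrs(permissions, port, protocol="tcp"):
    """Collect CIDRs already allowed on the managed port from describe_security_groups output."""
    have = set()
    for perm in permissions:
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) != (protocol, port, port):
            continue
        have.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        have.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    return have


def ip_permission(cidr, port, protocol="tcp", description=None):
    """Build one EC2 IpPermissions entry; IPv6 CIDRs go under Ipv6Ranges."""
    if ipaddress.ip_network(cidr).version == 6:
        key, cidr_key = "Ipv6Ranges", "CidrIpv6"
    else:
        key, cidr_key = "IpRanges", "CidrIp"
    entry = {cidr_key: cidr}
    if description:
        entry["Description"] = description
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port, key: [entry]}


def plan_changes(permissions, entries, port):
    """Return (authorize, revoke) IpPermissions lists; two empty lists mean the group is in sync."""
    desired = normalize_cidrs(entries)
    have = current_cidrs(permissions, port)
    authorize = [ip_permission(c, port, description="access-list sync") for c in sorted(desired - have)]
    revoke = [ip_permission(c, port) for c in sorted(have - desired)]
    return authorize, revoke


def apply_changes(group_id, authorize, revoke, region="us-east-1"):
    """Push the plan with boto3 (assumed installed and credentialed; not exercised offline)."""
    import boto3  # imported here so the planning logic stays importable without boto3
    ec2 = boto3.client("ec2", region_name=region)
    # Authorize before revoking so a listed client never loses access mid-update.
    if authorize:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=authorize)
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=revoke)


# Constructed snapshot of a security group's IpPermissions, in the shape
# returned by ec2.describe_security_groups().
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "192.0.2.50/32"}],
     "Ipv6Ranges": [], "UserIdGroupPairs": []},
    # Rule referencing the load balancer's security group: not CIDR-based, left alone.
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0", "UserId": "123456789012"}]},
    # Different port: outside the managed scope, left alone.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
]

# Constructed access list: 192.0.2.50 has been removed and two entries are new.
ACCESS_LIST_ENTRIES = [
    "# client offices (documentation address ranges)",
    "203.0.113.0/24",
    "198.51.100.7",       # bare address, becomes /32
    "2001:db8:2::/64",
]

if __name__ == "__main__":
    to_add, to_drop = plan_changes(SAMPLE_PERMISSIONS, ACCESS_LIST_ENTRIES, 443)
    print("authorize:", to_add)
    print("revoke:", to_drop)
```

Running the plan on a schedule and applying it only when the lists differ keeps the group converged on the access list without an operator editing rules by hand; a non-empty revoke list is also a useful thing to alert on, since it means an address that used to have access has been dropped.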