CEBSA
Implementation of security best practices under the Well Architected Framework and security services from AWS and TrendMicro.
CEBSA is a company in the electrical industry that housed its servers in a physical infrastructure. Because of the type of information it handles and the maintenance this requires, strong security was needed, sufficient to protect all information throughout the application layer.
Because it was running on physical infrastructure, the company decided to migrate to the cloud to take advantage of the benefits and features that AWS can offer.
CEBSA's technical team is experienced in solving security problems, but it lacked a knowledge base that could help the organization address them in a standardized way, as well as continuous monitoring of the infrastructure that would help it detect security deviations.
Solution proposal by Compucloud
The Compucloud team of experts offered a consultation to begin the relevant remediations and best practices in the AWS cloud to solve the problems presented. Drawing on our experience as a Managed Service Provider, Well Architected Framework and WAF Service Delivery Program partner, together with the support and knowledge of Trend Micro, we developed a solution proposal based on security best practices, the Well Architected Framework and the AWS maturity model.
Based on the customer's problem, the most suitable solution to implement was the following: 4 EC2 instances in a properly configured network environment composed of a pair of public and private subnets, with their respective Internet Gateway and NAT Gateway to allow Internet traffic, and the corresponding security groups for the servers. Two of the instances also have their own Elastic IP, because they are terminal servers licensed by TSPLUS that provide filtered and limited access to resources within the server.
In addition to the main resources, a third-party security service was initially implemented at the OS level, a solution that strengthens remote desktop security because it prevents external remote sessions from being opened, includes a blacklist of suspicious IP addresses, and provides centralized policy management as well as protection against ransomware. At the same time, log collection was enabled at the VPC level and complemented with the GuardDuty service to analyze and find possible security risks; this was complemented in turn by a Lambda script that blocks attacking IPs in the NACL of the VPC. In addition to the resources mentioned above, once the modernization strategy was implemented, the security posture was further improved after recommending other existing solutions in the Compucloud Addons.
Infrastructure Vulnerability Analysis
CEBSA is a company in the electrical industry, and the information it handles is critical. Therefore, given all of its processes and workload types, security solutions for vulnerability analysis within its EC2 instances were recommended, with the objective of increasing its security posture and reducing the deviations and vulnerabilities that may exist within its servers.
Visibility of the AWS resource inventory
One of the benefits customers have when they are part of Compucloud is a web application they can consult to keep track of inventory changes and events performed within their infrastructure. The application developed by Compucloud allows the customer to centrally view all assets and movements through a GUI, which makes gathering information easier and faster.
AWS Security Best Practices Monitoring
As part of its support policy, Compucloud performs recurring audits of the security best practices recommended by AWS, which are executed and presented to the customer with recommendations and actions to be taken.
AWS Security Best Practices Monitoring
Due to the type of workload and the processes managed within its organization, CEBSA must comply with the following certifications:
ISO 27001 2013
CIS AWS Foundation Benchmark 1.2.0
This is why we integrate services from one of our security partners, with first-hand support from TrendMicro.
Monitor and classify security events
CEBSA has a Compucloud support policy that provides 24/7 support and constant monitoring of its security, along with automations and reports that are carried out continuously to give broad visibility of its entire security posture.
24/7 support.
Continuous monitoring of security events through Zendesk.
Different means of direct communication with Compucloud agents.
Incident response automations.
Continuous delivery of security reports.
Security Incident Knowledge Base
Denial of Service (DDoS) Mitigation
As part of the continuous improvement of security, the customer has a solution within their security services that helps protect their servers against different types of threats, including DDoS.
Managed Intrusion Prevention and Managed Detection and Response System for AWS Endpoints
Due to the workload, type of application and information handled by the CEBSA customer, it was necessary to implement a solution that protects at all layers, so the solutions that Compucloud manages within CLOUD FORTRESS were recommended, including workload security and compliance. Together with AWS services, these solutions increase the security posture of the entire infrastructure to meet the highest security standards.
AWS services that drove the development of a more robust project
The implementation of memory-optimized next-generation R5 family instances was recommended, as they are suitable for memory-intensive applications, increase performance and reduce latency.
M5 instances are the next generation of general-purpose instances and provide improved performance over M4. This family provides a balance of computing, memory, and network resources, and is a good choice for many database workloads.
M5a instances are the next generation of general-purpose instances with AMD EPYC 7000 series processors. This family was recommended, as it offers up to 10% cost savings compared to other instance types.
In turn, when entering the modernization program, improvements were made at the database level. Since CEBSA requires continuous operation as part of the electrical industry, it was recommended to implement an Aurora MySQL Serverless v2 cluster (from 1 to 4 ACU) with version 8.0.mysql_aurora.3.02.1, due to its various advantages, such as being one of the most cost-effective options during periods of low activity and faster, easier scaling that helps provide a better response to a contingency.
SSD-backed volumes were also used because they are optimized for transactional workloads that involve frequent read/write operations; the workload does not require provisioning additional IOPS, since the default IOPS of gp2 meet the desired performance.
With regard to the network, a VPC was implemented for the entire infrastructure to control access to and from the subnets. In this sense, 4 public subnets were configured for the application layer, 4 RDS subnets for the database and 4 private subnets for the private environment.
For the network environment, VPC Flow Logs were enabled, allowing traffic within the network environment to be monitored and helping resolve configuration, network and security issues. In addition, the GuardDuty service was enabled to continuously monitor the client's workloads and detect unusual and malicious activity. The service was complemented with the script developed by Compucloud, which responds to the security events found by the service by detecting Amazon GuardDuty findings and automatically blocking the actor at the Network Access Control List (NACL) level.
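The GuardDuty-to-NACL automation described above, as an added example that is not Compucloud's own script: the core of such a Lambda handler, which reads the remote IP from a finding, refuses to block internal ranges, and inserts a /32 deny ahead of the existing allow rules. The EC2 client is injected so the logic runs offline against a fake; the sample finding and the NACL id in the test are constructed, not taken from CEBSA's environment.

```python
import ipaddress
from typing import Any, Optional
# Constructed sample of a GuardDuty finding as EventBridge hands it to Lambda;
# assumption: only the fields the handler reads are reproduced here.
SAMPLE_EVENT = {"detail-type": "GuardDuty Finding", "detail": {
    "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5.0,
    "service": {"action": {"actionType": "NETWORK_CONNECTION",
        "networkConnectionAction": {"connectionDirection": "INBOUND",
            "remoteIpDetails": {"ipAddressV4": "203.0.113.45"}}}}}}
# Ranges a deny must never cover (RFC 1918, loopback, link-local/metadata), or the VPC cuts itself off.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def extract_remote_ip(event: dict, min_severity: float = 4.0) -> Optional[str]:
    """Remote IPv4 of an inbound finding worth blocking, or None."""
    detail = event.get("detail", {})
    if detail.get("severity", 0) < min_severity:
        return None
    conn = detail.get("service", {}).get("action", {}).get("networkConnectionAction", {})
    if conn.get("connectionDirection") != "INBOUND":
        return None  # never block a destination of our own outbound traffic
    try:
        addr = ipaddress.IPv4Address(conn.get("remoteIpDetails", {}).get("ipAddressV4"))
    except (ipaddress.AddressValueError, TypeError):
        return None
    return None if any(addr in net for net in INTERNAL) else str(addr)

def next_free_rule_number(entries: list, egress: bool = False) -> int:
    """Lowest unused rule number; NACL rules are evaluated ascending, so the deny lands first."""
    used = {e["RuleNumber"] for e in entries if e.get("Egress") == egress}
    # 32767 is the reserved default '*' rule; StopIteration here means the ACL is full
    return next(i for i in range(1, 32767) if i not in used)

def build_deny_entry(nacl_id: str, ip: str, rule_number: int) -> dict:
    """Keyword arguments for the boto3 ec2.create_network_acl_entry call."""
    return {"NetworkAclId": nacl_id, "RuleNumber": rule_number, "Protocol": "-1",
            "RuleAction": "deny", "Egress": False, "CidrBlock": f"{ip}/32"}

def block_finding(ec2: Any, nacl_id: str, event: dict) -> Optional[dict]:
    """Handler core; ec2 is an injected boto3 EC2 client (assumption)."""
    ip = extract_remote_ip(event)
    if ip is None:
        return None
    entries = ec2.describe_network_acls(NetworkAclIds=[nacl_id])["NetworkAcls"][0]["Entries"]
    if any(not e["Egress"] and e.get("CidrBlock") == f"{ip}/32" for e in entries):
        return None  # already blocked; keeps retried deliveries idempotent
    entry = build_deny_entry(nacl_id, ip, next_free_rule_number(entries))
    ec2.create_network_acl_entry(**entry)
    return entry
```

A NACL holds at most 20 rules by default, so in production the handler also needs an expiry path that removes old denies, which this sketch leaves out.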
AWS services that are part of the solution
CloudTrail
CloudWatch
Elastic Compute Cloud
Glue
GuardDuty
Key Management Service
Lambda
Relational Database Service
Secrets Manager
Simple Email Service
Simple Notification Service
Simple Queue Service
Simple Storage Service
WorkDocs
Through the AWS services implemented, it was possible to solve the customer's problems: high availability, low latency, security, flexibility and scalability. It is worth mentioning that the infrastructure is further protected by the use of TSPLUS servers, since they allow better filtering of access to resources according to the permission level the user has within the organization. However, this only addresses connectivity to the main resource; integrating log collection with a security monitoring service such as GuardDuty allows informed decisions to be made about the resources that may become vulnerable.
Published: 16/4/2024
Author: Compucloud
AWS services are very effective in solving a variety of problems. One advantage is that cloud performance is higher than that of a local infrastructure, and through AWS services we can meet customer requirements such as high availability and scalability, which in this specific case are of great importance to the customer.