By Aaron Brown, Partner, Cyber Cloud Managed Services Leader – Deloitte & Touche LLP
By Steve Bollers, Sr. Partner Solutions Architect, Global Cybersecurity Leader, Deloitte – AWS
In this post, we will show you how Deloitte Guardian for AWS can help organizations become more trustworthy, resilient, and secure through proactive management of cyber risks.
Deloitte is an AWS Premier Consulting Partner and Managed Service Provider (MSP) with the AWS Security Competency, and is positioned as a leader in the 2021 Gartner Magic Quadrant for Public Cloud IT Transformation Services.
Both Amazon Web Services (AWS) and Deloitte understand that a customer’s cloud journey is different and have their own set of requirements. This is why Guardian for AWS provides a wide range of options for businesses to choose from to create the right package for them.
Deloitte will deploy and operate right-sized security solutions and services to meet clients’ ongoing business requirements, allowing them to focus on the business benefits of cloud adoption. This is what’s at the foundation of Guardian for AWS.
Consistent with the mindset of bank robbers who focus on banks because “that’s where all the money is,” cyber bad actors are attracted to cloud services providers with the idea of larger payoffs in the form of multiple enterprises’ data.
To help mitigate this issue for businesses, Deloitte Guardian for AWS brings the cyber solution to clients’ AWS environment. Leveraging Terraform and the AWS Cloud Development Kit (AWS CDK), all of the tooling required to deliver this solution is deployed via Deloitte’s pipeline inside the client’s environment.
A differentiator for Deloitte in the managed security service provider (MSSP) space is the fact that Guardian for AWS covers the full spectrum of cyber domains. Deloitte’s security services are offered à la carte by domain to meet clients’ requirements, but clients can also have the domains covered by a single provider under a single operation model.
Deloitte Guardian for AWS Leverages Native AWS Services
Guardian for AWS provides 24/7 security protection and monitoring of essential resources that enable you to develop at the speed of your innovation. To achieve this offering, Deloitte collaborated with security specialists from AWS to develop the Guardian for AWS core domain managed services using native AWS services.
The core offering includes:
- Identity and access management
- Data protection
- Infrastructure and network security
- Security logging and monitoring
- 24/7 threat and incident response
AWS customers can also benefit from Guardian for AWS extended domain offerings featuring Deloitte’s innovative approach to:
- Compliance monitoring
- AWS resource visibility
- Managed detection and response for AWS endpoints
- DevSecOps, automation, and orchestration
- Cloud security policy
Identity and Access Management
The Deloitte Guardian for AWS pipeline delivers all of the base functionality necessary to integrate with clients’ identity management tools, AWS Organizations, and AWS Identity and Access Management (IAM) capabilities. It provides single-sign on (SSO) and enforces multi-factor authentication (MFA) for users having access to the environment.
Instead of a traditional virtual private network (VPN) connection that creates potential connectivity anywhere in a client’s environment once connected, the Guardian for AWS remote access technology allows for secure point-to-point connection. This results in no exposure of the enterprise resources or servers and no lateral movement, while offering user controls for printing, copy/paste, screen capture, anti-keylogging, and watermarking.
No changes are required to existing topology, access control lists (ACLs), or firewall rules.
You can secure data in transit using 2048 bit datagram transport layer security (DTLS) end-to-end encryption. Meanwhile, secure data at rest with encrypted local files and a self-destruct option.
Figure 1 – IAM solution architecture.
The Guardian for AWS Data Protection solution uses AWS Key Management Service (KMS) to create and manage cryptographic keys and control their use across a wide range of AWS services.
AWS Config is used to validate data encryption, handling the key management by providing a template to request and create keys while ensuring key rotation and monitoring changes like deletion and disabling.
Figure 2 – Managed KMS key administration for client services.
The Guardian for AWS Data Protection solution provides a fully managed certificate management solution leveraging AWS Certificate Manager. It provides a service management workflow for users to request a certificate which will be generated based on a template and returned to the user for use.
The solution also leverages AWS Config to confirm that AWS services like Elastic Load Balancing, Amazon API Gateway, and Amazon CloudFront are using certificates. Guardian for AWS provides annual review for certificate usage while monitoring for invalid certificate and expiration.
Figure 3 – Managed public certificates in AWS Certificate Manager.
Managed L7 Network
The Guardian for AWS Layer 7 network solution provides fully managed web application firewall (WAF) protections for Application Load Balancers, Amazon API Gateway stages, and CloudFront distributions.
AWS Firewall Manager is used to centrally manage, deploy, and ingest logs from web ACLs for an organization from a single account and will send an alert if Firewall Manager web ACL protections are not enabled. When alerts are triggered, Guardian for AWS handles the remediation on non-compliant resources and web ACL rules, including Tor and distributed denial of service (DDoS) protections.
Figure 4 – Layer 7 network micro-architecture.
Managed L4 Network
The Guardian for AWS Layer 4 network solution provides a fully managed virtual private cloud (VPC) setup that leverages AWS Transit Gateway and AWS Network Firewall to centrally inspect north-south network traffic.
Internet gateways are only deployed in a central egress and central ingress VPC—the other VPCs contain only private subnets, connected via AWS Transit Gateway.
AWS Network Firewall provides stateful traffic inspection with rule groups for protocol and internet protocol (IP) matching, domain lists, and Suricata rules, based on the open-source intrusion detection system (IDS)/intrusion prevention system (IPS) of the same name.
The centrally deployed AWS Network Firewall sends alerts and flow logs to the central Amazon Simple Storage Service (Amazon S3) log bucket in the client security account. Proprietary Zero Trust remote access connectors are also deployed to the central network account within the Layer 4 solution.
Guardian for AWS leverages a proprietary Zero Trust remote access tool as a way to limit risk associated with Deloitte personnel having access to the clients’ environment.
Figure 5 – Layer 4 network micro-architecture.
Threat and Vulnerability Management
The Guardian for AWS auto-healing capability is an event-based solution that leverages AWS-native services to monitor, analyze, and automatically revert critical misconfigurations that represent vulnerabilities in the environment. This includes misconfigured security groups, misconfigured S3 buckets, and overly permissive identities.
Where traditional cloud security posture management solutions use periodic reads of logs (leading to a potential lag time of up to 15-30 minutes), the Guardian for AWS event-driven solution continuously monitors AWS environments for configuration deviations. This reduces the time between detection and remediation of misconfigurations to near real-time (the majority of the misconfigurations are reverted to a compliant state within two minutes).
The Guardian for AWS auto-healing capability will support over 65 auto-remediation rules. The solution supports customizing rule configurations (based on region, account, resource), has an extensive exception handling capability, and provides visibility into the compliance posture of the AWS environments.
Figure 6 – Auto-remediation architecture.
The remediation logs generated by the solution are ingested in for further analysis. The solution leverages the native capabilities of Splunk SIEM to send notification emails to violators and account owners, and to raise ServiceNow tickets as needed based on the severity of the alert.
Figure 7 – Logging and monitoring architecture.
Virtual Machine Scanning with Auto Patching
The Guardian for AWS patch management solution keeps Amazon Elastic Compute Cloud (Amazon EC2) instances up-to-date in a multi-account, multi-region architecture.
Amazon EventBridge, AWS Lambda, and AWS Systems Manager are utilized to set up an automated, scheduled patch/scan process. Inventory and patch data is aggregated in the client security account, where Amazon Athena generates a report of missing patches to be shared with application teams.
AWS Systems Manager’s patch manager and patch groups provide the capability to apply different sets of patches to different groups of EC2 instances.
Once an application team has reviewed the missing patch report, a list of rejected patches can be applied to a specific patch group through a Lambda function which updates the desired patch group in all accounts and regions. The patch installation process will utilize the patch group rejected lists to determine which patches will be installed.
Figure 8 – AWS Systems Manager patching.
Incident Alerting and Response
The Guardian for AWS cloud security posture management (CSPM) solution provides a centralized view of the security landscape in a multi-account, multi-region architecture.
A variety of AWS services are utilized to monitor and alert on suspicious activity throughout the AWS environment. Amazon GuardDuty provides intelligent threat detection by monitoring Amazon CloudTrail Events, S3 activity data, Amazon VPC network traffic flow logs, and Amazon Route 53 DNS logs.
Amazon Macie assesses S3 bucket level security and perform sensitive data discovery. Amazon Inspector provides assessments of EC2 instances to identify vulnerabilities, exposures, and deviations from best practices.
AWS Config monitors and records configuration changes of AWS resources, and enables AWS Security Hub to assess and provide configuration findings relating to Security Hub standards, such as Center for Internet Security (CIS) and AWS Foundational Security Best Practices.
AWS Security Hub provides a single, centralized location to view security findings in the client security account by integrating with each of the AWS services used by the Cyber CSPM solution.
AWS Security Hub runs continuous automated security checks, consolidates the findings, and forwards them to Guardian for AWS, which is be responsible for handling alerts generated by security services.
Figure 9 – Cloud security posture management.
As you can see, Deloitte Guardian for AWS made a fundamental strategic decision to go with native AWS security solutions. The use of cloud-native services provides many benefits to clients, including no upgrades and no upfront license costs. The tool costs for capabilities just become part of the client’s existing AWS bill.
The other key benefit is the speed with which these solutions can be deployed through Deloitte’s Guardian for AWS pipeline.
Figure 10 – Guardian for AWS pipeline.
A DevOps mindset was followed with one primary goal in mind: continuously deliver incremental value to clients. This is achieved using DevSecOps practices and procedures.
A release-on-demand strategy is implemented whereby new capabilities are deployed to clients immediately or incrementally based on client subscriptions. Clients submit a request for a new subscription using the solution API interface, which initiates the propagation of the solution but assets to the client repository.
Figure 11 – Release process.
Regardless of where your business is at on the cloud adoption journey, we know that security is likely your top priority. Now more than ever, it’s critical to protect yourself with the proven operational and security leadership that AWS and Deloitte’s Guardian for AWS offers.
Customers benefit from a fully managed security solution that’s built on the foundation of more than four years as an industry-leading managed public cloud services provider. Deloitte Guardian for AWS has the process and technical automation that enables customers to skip past the cloud security learning curve and the time required to develop the security automation required to scale.
A native AWS security service-centric approach like Guardian for AWS enables customers to skip past the time and effort to procure hardware and software, or integrate and configure new or existing security tools. With Deloitte Guardian for AWS, customers can deploy secure solutions faster, enabling them to scale at the speed of business, and focus on their core objectives while Guardian for AWS manages security on AWS.
Learn more about Deloitte Guardian for AWS or to connect with the Deloitte team.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.
Deloitte – AWS Partner Spotlight
Deloitte is an AWS Premier Consulting Partner and MSP. Through a network of professionals, industry specialists, and an ecosystem of alliances, they assist clients in turning complex business issues into opportunities for growth, helping organizations transform in the digital era.
*Already worked with Deloitte? Rate the Partner
*To review an AWS Partner, you must be a customer that has worked with them directly on a project.