AWS Security Case Study (Zero Trust Network)


Zero Trust Network Access

Securing a Remote Workforce: Overcoming Challenges and Enhancing Network Security with Foghorn Consulting

One of Foghorn’s customers, a service provider to the United States Federal Government, is entrusted with significant contracts across various agencies. Serving as the prime contractor for the Centers for Medicare and Medicaid Services (CMS) Eligibility Support program valued at $6 billion over five years, the client operates a fully remote workforce of approximately 2,000 individuals dedicated to this program.

Their operations revolve around a secure call center that assists citizens in enrolling for health insurance through the Affordable Care Act marketplace.

The client faced several challenges stemming from the need to transition to a fully remote workforce due to the impact of the COVID-19 pandemic. This transition brought about three distinct challenges:

  1. Meeting Government Cybersecurity Standards: As a government contractor, the client had to comply with the government's standard cybersecurity requirements.
  2. Handling HIPAA Data: Dealing with Health Insurance Portability and Accountability Act of 1996 (HIPAA) data, which includes Personally-Identifiable Information (PII) and Personal Health Information (PHI), required additional security measures to protect the sensitive data.
  3. Securing the Remote Call Center: Operating a secure call center with remote operators necessitated robust security measures to safeguard sensitive information and maintain operational integrity.

Addressing these challenges was crucial not only to meet contractual obligations, which amounted to billions of dollars, but also to protect the client’s reputation and the privacy of American citizens.

Foghorn Consulting, in collaboration with partner organizations, proposed a multi-tier solution to overcome these challenges effectively. The solution consisted of the following key components:

  1. Virtual Air-Gaps: The implementation involved segregating the processing of PII/PHI from regular business data by establishing virtual air-gaps within different virtual desktop environments.
  2. Zero Trust Network Access (ZTNA) Framework: A ZTNA framework was deployed to establish secure one-to-one connections between users and applications, enhancing network security. This approach replaced traditional user-to-network or network-to-network connectivity.
  3. Migration to AWS: The migration of workloads from legacy data centers to Amazon Web Services (AWS) followed the Well-Architected Framework, with a strong emphasis on enabling ZTNA capabilities.

The architecture of the solution focused on end-to-end ZTNA implementation. Zscaler was selected as the vendor of choice due to its comprehensive Zero Trust Exchange, providing the ideal solution for securing a remote-first organization. Zscaler facilitated least-privileged, secure remote access to on-premises, cloud, and internet resources. To meet the client’s stringent security posture, which mandated “permit by exception” access to resources, extensive customization was undertaken by both the Zscaler partner solution architect and Foghorn. This ensured compliance with the client’s specific requirements and enabled seamless integration between Zscaler and the AWS AppStream 2.0 virtual desktop infrastructure.

Each remote user received a company-owned workstation, which policy required to be hard-wired to their home internet service provider router. Once basic internet connectivity was established, the Zscaler Client Connector (ZCC) software installed on the workstation intercepted all network packets and routed them through TLS-encrypted tunnels to Zscaler. At Zscaler, each connection was terminated at the security broker, inspected, and subjected to policy enforcement; it was forwarded to its destination only if all authorization conditions, such as source location, endpoint posture, and user group, were met. This approach eliminated lateral movement at the network level and ensured that any change to a user’s context or to policy was enforced immediately. From their physical devices, users were granted access only to company email, time cards, a limited set of business applications, and, based on their assigned Posture Profiles, the AppStream virtual desktops responsible for processing protected data.

To process protected data and handle phone calls with citizens through the Amazon Connect cloud call center, users were required to connect to a specific AppStream fleet named “Ops.” An Identity and Access Management (IAM) policy restricted access to this fleet to connections originating from Zscaler data centers or the client’s corporate offices. Within the fleet, desktops were secured with ZCC so that all outgoing traffic from instantiated AppStream desktops was directed to Zscaler for processing. This virtual air-gap isolated the fleet from other AppStream fleets and from the underlying infrastructure. Upon logging into an AppStream desktop, users were prompted to authenticate with Zscaler again, establishing a distinct context associated with different policies and permissions. These desktops provided access to a limited set of private applications involved in PII/PHI processing, along with Connect and Chime, while general internet access remained restricted.
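The IAM restriction described above can be expressed with the `aws:SourceIp` condition key on the `appstream:Stream` action, granted on the stack that the Ops fleet is associated with (AppStream streaming permissions attach to the stack rather than the fleet). The block below is an added example, not the client’s or Foghorn’s actual policy: the account id, region, stack names and CIDR ranges are placeholders, and the evaluator is a simplified model of how IAM applies `IpAddress`/`NotIpAddress` conditions (exact action and resource matching, no wildcards), included to show how a request from a user’s home ISP address, rather than from Zscaler’s egress, is refused.

```python
import ipaddress

# Placeholder identifiers (constructed for this example, not the client's values).
OPS_STACK_ARN = "arn:aws:appstream:us-east-1:111122223333:stack/Ops"
OTHER_STACK_ARN = "arn:aws:appstream:us-east-1:111122223333:stack/GeneralBusiness"

# Trusted egress ranges: Zscaler data-center egress plus the corporate offices.
# Documentation-reserved CIDRs are used as stand-ins for the real ranges.
TRUSTED_SOURCE_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]

# "Permit by exception": one Allow that only applies from the trusted ranges, plus an
# explicit Deny from everywhere else so that no other attached policy can widen access.
OPS_STREAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOpsStreamFromTrustedEgress",
            "Effect": "Allow",
            "Action": "appstream:Stream",
            "Resource": OPS_STACK_ARN,
            "Condition": {"IpAddress": {"aws:SourceIp": TRUSTED_SOURCE_RANGES}},
        },
        {
            "Sid": "DenyOpsStreamFromAnywhereElse",
            "Effect": "Deny",
            "Action": "appstream:Stream",
            "Resource": OPS_STACK_ARN,
            "Condition": {"NotIpAddress": {"aws:SourceIp": TRUSTED_SOURCE_RANGES}},
        },
    ],
}


def _as_list(value):
    """IAM accepts either a scalar or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def ip_in_ranges(source_ip, cidrs):
    """True if source_ip falls inside any of the given CIDR blocks."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def statement_applies(stmt, action, resource, source_ip):
    """Simplified matcher: exact action/resource match, aws:SourceIp conditions only."""
    if action not in _as_list(stmt["Action"]):
        return False
    if resource not in _as_list(stmt["Resource"]):
        return False
    cond = stmt.get("Condition", {})
    required = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
    if required and not ip_in_ranges(source_ip, required):
        return False
    excluded = _as_list(cond.get("NotIpAddress", {}).get("aws:SourceIp", []))
    if excluded and ip_in_ranges(source_ip, excluded):
        return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Model of IAM's decision order: explicit Deny wins, a matching Allow grants,
    and a request matched by no statement is implicitly denied."""
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, action, resource, source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    # 192.0.2.10 stands in for a user's home ISP address that bypassed the ZCC tunnel.
    for ip in ("198.51.100.25", "203.0.113.7", "192.0.2.10"):
        print(ip, evaluate(OPS_STREAM_POLICY, "appstream:Stream", OPS_STACK_ARN, ip))
```

The explicit Deny statement is what makes the restriction hold even if a broader `appstream:Stream` grant is later attached to the same role; the Allow alone would be overridden by such a grant.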

Furthermore, the account and Virtual Private Cloud (VPC) housing the AppStream environment were virtually air-gapped from the rest of the infrastructure. Although the VPC was attached to a Transit Gateway, its route tables were configured to prevent traffic from reaching other VPCs, and direct internet access was disabled. This setup ensured end-to-end Zero Trust connectivity, establishing a secure environment for users, applications, and workloads.
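One way to verify that such a VPC stays air-gapped over time is to audit its route tables against the two rules the passage states: no route that reaches another VPC’s address space, and no path to the internet. The check below is an added example, not Foghorn’s or the client’s tooling. It runs over a constructed sample shaped like the EC2 `DescribeRouteTables` response (only the fields the check reads), and the CIDRs, gateway ids and the allow-listed Transit Gateway destination are placeholder assumptions.

```python
import ipaddress

# Constructed placeholders (not the client's real values).
APPSTREAM_VPC_CIDR = "10.20.0.0/16"
PEER_VPC_CIDRS = ["10.10.0.0/16", "10.30.0.0/16"]      # other VPCs attached to the TGW
ALLOWED_TGW_DESTINATIONS = ["172.16.0.0/12"]           # assumed non-VPC range permitted via the TGW
TGW_ID = "tgw-0123456789abcdef0"

# Compliant table: local route plus one allow-listed Transit Gateway destination.
COMPLIANT_RTB = {
    "RouteTableId": "rtb-ops-airgapped",
    "Routes": [
        {"DestinationCidrBlock": APPSTREAM_VPC_CIDR, "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "172.16.0.0/12", "TransitGatewayId": TGW_ID, "State": "active"},
    ],
}

# Drifted table: a default route to an internet gateway and a route into a peer VPC.
NONCOMPLIANT_RTB = {
    "RouteTableId": "rtb-ops-leaky",
    "Routes": [
        {"DestinationCidrBlock": APPSTREAM_VPC_CIDR, "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc1234def567890", "State": "active"},
        {"DestinationCidrBlock": "10.10.0.0/16", "TransitGatewayId": TGW_ID, "State": "active"},
    ],
}


def _overlapping(cidr, others):
    """Return the CIDRs in `others` (same IP version) that overlap `cidr`."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = []
    for other in others:
        other_net = ipaddress.ip_network(other, strict=False)
        if other_net.version == net.version and net.overlaps(other_net):
            hits.append(other)
    return hits


def _route_target(route):
    """Pick whichever target field the route carries (one of these is set per route)."""
    for key in ("GatewayId", "NatGatewayId", "TransitGatewayId", "VpcPeeringConnectionId"):
        if route.get(key):
            return route[key]
    return ""


def audit_route_table(route_table, peer_vpc_cidrs, allowed_tgw_destinations):
    """Return a list of findings; an empty list means the table respects the air-gap rules."""
    findings = []
    rtb = route_table["RouteTableId"]
    for route in route_table.get("Routes", []):
        if route.get("State") == "blackhole":
            continue  # a blackhole route forwards nothing
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        target = _route_target(route)
        if dest is None:
            findings.append(f"{rtb}: route {route} has no CIDR destination; review manually")
            continue
        if target == "local":
            continue
        if target.startswith(("igw-", "nat-")):
            findings.append(f"{rtb}: {dest} -> {target} provides direct internet access")
        elif target.startswith("pcx-"):
            findings.append(f"{rtb}: {dest} -> {target} peers directly with another VPC")
        elif dest in ("0.0.0.0/0", "::/0"):
            findings.append(f"{rtb}: default route {dest} -> {target} sends all traffic off-VPC")
        elif _overlapping(dest, peer_vpc_cidrs):
            hits = _overlapping(dest, peer_vpc_cidrs)
            findings.append(f"{rtb}: {dest} -> {target} reaches other VPC CIDR(s) {hits}")
        elif target.startswith("tgw-") and dest not in allowed_tgw_destinations:
            findings.append(f"{rtb}: {dest} -> {target} is not an allow-listed Transit Gateway destination")
    return findings


def audit_response(describe_route_tables_response, peer_vpc_cidrs, allowed_tgw_destinations):
    """Run the audit over every table in a DescribeRouteTables-shaped response."""
    findings = []
    for table in describe_route_tables_response.get("RouteTables", []):
        findings.extend(audit_route_table(table, peer_vpc_cidrs, allowed_tgw_destinations))
    return findings


if __name__ == "__main__":
    sample = {"RouteTables": [COMPLIANT_RTB, NONCOMPLIANT_RTB]}
    for finding in audit_response(sample, PEER_VPC_CIDRS, ALLOWED_TGW_DESTINATIONS):
        print(finding)
```

Feeding the real `describe_route_tables` output for the AppStream VPC into `audit_response` on a schedule turns the one-time architectural decision into a drift check; any finding means a route has appeared that breaks the virtual air-gap.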

Specific details regarding the results and benefits of the solution are forthcoming.

Foghorn Consulting is a specialized provider of expert cloud consulting services. Leveraging their deep expertise in DevOps, CI/CD, Containers, SRE, and Infrastructure as Code, their team of cloud and DevOps Engineers designs, builds, and deploys digital transformations that drive innovation.
