The client, catering to over two billion mobile users worldwide, is a prominent mobility solutions provider. They specialize in offering digital value-added services (VAS), mobile finance, and customer management solutions tailored for telecom operators. Their services cater to a diverse range of users, including retail and corporate clients alike.

The global mobility services provider partners with organizations in the communications and financial industries to maximize customer lifetime value and facilitate large-scale digital transformations. With their solutions deployed by over 130 Communication Services Providers and Financial Institutions in more than 90 countries, the client has helped billions of people worldwide benefit from digital and mobile technology.


Published Date : 19-May-2023

Securing Infrastructure and Centralizing Console

Our client, a leading mobility solutions provider, sought to establish a robust and secure infrastructure on AWS to deliver reliable services to its diverse customer base. With a priority on safeguarding instance-based and serverless containerized environments, they aimed to mitigate potential security threats and reduce the attack surface across their ecosystem.

Comprehensive & Centralized Security Solution with AWS IAM

In response to the client’s needs, Noventiq crafted a comprehensive AWS Identity & Access Management (IAM) solution to fortify the security and reliability of their AWS infrastructure. Our solution encompassed several key components to address each requirement effectively.

Fine-Grained Access Control

The client wanted the flexibility for administrators to create and manage user identities and permissions with precision. This means that employees, partners, and customers can be granted only the specific permissions they need to perform their tasks, reducing the risk of unauthorized access to sensitive data or critical infrastructure components.

Multi-Factor Authentication (MFA)

They wanted an extra layer of security with Multi-Factor Authentication (MFA). By requiring users to provide two or more verification factors to access their accounts, such as a password and a unique code sent to their mobile device, AWS IAM helps prevent unauthorized access even if credentials are compromised.

Integration with Corporate Directories

For a mobility solutions business with existing corporate directories like Microsoft Active Directory, AWS IAM offers seamless integration. This integration streamlines user management processes and ensures that access to AWS resources aligns with the organization’s existing identity management policies.

Temporary Credentials and Access Keys

AWS IAM allows administrators to create temporary security credentials with limited permissions for users or applications. This reduces the risk associated with long-lived credentials and helps enforce the principle of least privilege by granting access only for the duration necessary to complete a specific task.

Identity Federation

AWS IAM supports identity federation, enabling users to access AWS resources using existing credentials from trusted external identity providers (IdPs) such as Microsoft Azure Active Directory (AD). This eliminates the need to manage separate IAM users and passwords, simplifying the user experience while maintaining security.

Centralized Logging and Auditing

The client wanted centralized logging and auditing. AWS IAM activity is captured in detailed logs covering authentication and authorization attempts, changes to policies, and user actions. By centrally aggregating and analyzing these logs using AWS services like CloudTrail and CloudWatch, the business can monitor for suspicious behavior, detect security incidents, and maintain compliance with regulatory requirements.

Policy-Based Access Control

AWS IAM allows administrators to define access policies using a JSON-based policy language, granting or denying permissions based on conditions such as source IP address, time of day, or the presence of MFA. This fine-grained control enables the organization to enforce security policies consistently across their AWS environments.
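As an added illustration (not a policy from the original case study or from Noventiq), an identity-based IAM policy of the kind this section describes: one statement grants a read-only task permission, one lets a user enrol their own MFA device, one denies everything else whenever the request did not carry MFA, and one denies requests from outside the corporate network. The bucket name `example-reports-bucket` and the CIDR `198.51.100.0/24` are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadOnlyReports",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-reports-bucket", "arn:aws:s3:::example-reports-bucket/*"]
    },
    {
      "Sid": "AllowOwnMfaEnrolment",
      "Effect": "Allow",
      "Action": ["iam:GetUser", "iam:ListMFADevices", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ResyncMFADevice"],
      "Resource": ["arn:aws:iam::*:user/${aws:username}", "arn:aws:iam::*:mfa/${aws:username}"]
    },
    {
      "Sid": "DenyAllExceptEnrolmentWithoutMfa",
      "Effect": "Deny",
      "NotAction": ["iam:GetUser", "iam:ListMFADevices", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:ResyncMFADevice", "sts:GetSessionToken"],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    },
    {
      "Sid": "DenyOutsideCorporateNetwork",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {"aws:SourceIp": ["198.51.100.0/24"]},
        "Bool": {"aws:ViaAWSService": "false"}
      }
    }
  ]
}
```

`BoolIfExists` is used because the `aws:MultiFactorAuthPresent` key is absent for requests signed with long-term access keys, so a plain `Bool` test would let those through; federated sessions set up through Azure AD (as in the SSO highlights below) also lack this key, so MFA for those users is enforced at the identity provider rather than by this policy.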

IAM Roles for Applications

Mobility solutions often rely on distributed applications and microservices architectures. IAM roles enable applications running on AWS resources to securely access other AWS services without the need for long-term credentials. By assigning roles to applications with only the necessary permissions, businesses can minimize the risk of privilege escalation in the event of a compromise.

Continuous Monitoring and Compliance

AWS IAM integrates with AWS Config and AWS Security Hub to provide continuous monitoring of security configurations and compliance with industry standards and best practices. Automated checks can identify misconfigurations, unused permissions, and potential security vulnerabilities, allowing organizations to remediate issues proactively.

Solution Highlights

  • Single Sign-on (SSO) authentication for access to AWS accounts.
  • Federation of AWS Identity Center with Azure Active Directory (AD) using Security Assertion Markup Language (SAML).
  • Centralized access mechanism for AWS instances & applications using Azure AD.
  • User Virtual Private Network (VPN) with MFA for resource access.
  • Anomaly-based detection for all authentication requests on Azure AD.
  • Use of Amazon Guardrails to mandate Multi-Factor Authentication (MFA) for Identity & Access Management (IAM) and root users’ console access.
  • Configuring strong password policies for IAM and Azure AD.
  • Granular, customized permission sets, including power user, network administrator and read-only sets.
  • Alerts for authentication failures, AWS IAM policy changes and root user access.
  • Securing Web access using URL filtering and web reputation.

Noventiq’s proposed solution offers several benefits

  • Centralized visibility for security policies and event logs
  • Real-time compliance visibility
  • Protection from bots and common web attacks such as the Open Worldwide Application Security Project® (OWASP) Top 10
  • Host-based malware scanning and protection
  • Protection from outbound web connections to malicious websites or command-and-control (C&C) communication
  • Threat alerting and monitoring
  • Scanning of container images for malware, vulnerabilities and policy compliance
  • Code-level visibility into attacks

AWS IAM offers a comprehensive set of tools and features that enable mobility solutions businesses to implement robust security controls, manage user access effectively, and protect sensitive data and resources in their AWS environments. By leveraging IAM’s capabilities, the mobility solutions provider can enhance security, reduce the risk of unauthorized access and data breaches, and maintain compliance with regulatory requirements.

Key AWS Services Used

  • Amazon CloudWatch
  • Amazon GuardDuty
  • Amazon Inspector
  • AWS Access Analyzer
  • AWS Certificate Manager
  • AWS Detective
  • AWS Direct Connect
  • AWS Identity and Access Management (IAM)