Improving the security posture with Orange Security Control Services

Our Security Control Services ensures that security monitoring is set up for all accounts and regions according to the security requirements the customer defines.

The company Allvit AS delivers digital syllabus books online in PDF and EPUB format to give students an easier and more efficient study day. Allvit books weigh nothing, and you can take your own notes, highlight as much as you want, search directly in the books and copy out paragraphs, all in one place. The company was founded in 2022, has 10 employees and is headquartered in Trondheim, Norway.

Allvit

After an initial rapid build-up of their offering, Allvit had not had time to focus on security. They needed a solution that would quickly identify the key areas on which to focus their security efforts. With a relatively small development team, they would not have time to set up, manage and continually monitor their security posture. As Allvit distributes e-learning material, a security breach could lead to distribution of illegal copies of books and, in the worst case, to leakage of personal data about their customers.

With Security Control Services from Orange Business, Allvit have greatly improved their security posture. They know their existing deployment is compliant with the selected security frameworks, while keeping their development efforts focused on their business needs.

Allvit also know that any future breach of the requirements will alert Orange Business and can be addressed in a timely manner, ensuring continued compliance with their security requirements.

As an example of how effective these controls are, the deployment revealed that a third-party support application had security issues. This was addressed and remediated, together with other findings, improving the overall security posture of their workload.

Solution

Security Control Services from Orange Business offers a flexible way of managing security. It leverages AWS Security Hub for security posture monitoring and, combined with a flexible solution from Orange Business, provides easy configuration and alerting of critical security findings.

We have seen that AWS resource tagging is an easy way to associate additional information with resources deployed on AWS. Using tagging combined with AWS Organizations to configure security requirements gives an easy, understandable deployment and a solution that scales well as the AWS environment and the customer grow. The customer can align the AWS Organizations hierarchy with the security requirements defined for each workload/account.


To the customer, the solution consists of the following inputs:

  • Configuration details stored in Amazon DynamoDB.
  • Tags associated with AWS Organizations Organizational Units or Accounts.

The result of the setup is:

  • AWS Security Hub configured in relevant accounts and regions.
  • AWS Security Hub consolidated view across all accounts and regions.
  • Exceptions to the security standards, where needed, defined as exception entries in Amazon DynamoDB.
  • Event notification set up to create tickets in ITSM.
  • 24/7 security event handling done by Orange Business.

Implementation

Security Control Services consists of a deployment of the solution into a delegated administrator account for AWS Security Hub. Within this account the following resources are deployed:

  • AWS Step Functions: Orchestrate the configuration.
  • AWS Lambda: Get account configuration: Retrieve the list of accounts and their associated tags and merge this information with data from the Amazon DynamoDB configuration database.
  • AWS Lambda: Update configuration: Manage the AWS Security Hub configuration for one account according to the configuration received from the previous step.
  • AWS Lambda: ITSM integration: Forward security events to the Orange Business ITSM.

The step function runs on a schedule. It triggers the Get account configuration AWS Lambda function, which retrieves all Organizational Units and Accounts from AWS Organizations, including their associated tags. The tags are then used to look up entries in Amazon DynamoDB; these entries list the applicable AWS Security Hub standards and controls. The resulting configuration is passed on to the Update configuration AWS Lambda function, which enables AWS Security Hub, assigns the security standards and, where required, disables controls that are not needed. It is also possible to specify that AWS Security Hub should not be enabled in an account.

Every scheduled execution reconciles the requirements defined by tags and the Amazon DynamoDB table with the actual setup in each account, ensuring continued enforcement of the security configuration.
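The merge performed by the Get account configuration step, as an added illustration rather than Orange Business code: it resolves each account's profile from its own tag or its OU's tag, looks the profile up in a DynamoDB-style table, applies per-account exceptions and emits the per-account desired state. The tag key, profile names, account ids, table contents and the use of in-memory dictionaries instead of boto3 calls are all assumptions.

```python
CONFIG_TAG = "SecurityProfile"  # assumed tag key; the page does not name the tag

# Constructed stand-in for the Amazon DynamoDB configuration table, keyed by tag value.
CONFIG_TABLE = {
    "baseline": {"standards": ["aws-foundational-security-best-practices/v/1.0.0"],
                 "disabled_controls": []},
    "production": {"standards": ["aws-foundational-security-best-practices/v/1.0.0",
                                 "cis-aws-foundations-benchmark/v/1.4.0"],
                   "disabled_controls": []},
    "sandbox": {"enabled": False},  # profile that opts an account out of Security Hub
}
# Constructed per-account exception entries (the exceptions mentioned on the page).
EXCEPTIONS = {"222222222222": {"disabled_controls": ["S3.9"]}}

# Constructed stand-in for AWS Organizations: OU tags plus accounts with parent and own tags.
# A real Lambda would gather these with boto3 (list_accounts_for_parent, list_tags_for_resource).
OUS = {"ou-prod": {CONFIG_TAG: "production"}, "ou-dev": {CONFIG_TAG: "baseline"}}
ACCOUNTS = [
    {"id": "111111111111", "parent": "ou-prod", "tags": {}},
    {"id": "222222222222", "parent": "ou-dev", "tags": {}},
    {"id": "333333333333", "parent": "ou-dev", "tags": {CONFIG_TAG: "sandbox"}},
    {"id": "444444444444", "parent": "ou-prod", "tags": {CONFIG_TAG: "typo-profile"}},
]

def resolve_profile(account):
    """An account-level tag overrides the OU tag; untagged accounts inherit from their OU."""
    return account["tags"].get(CONFIG_TAG) or OUS.get(account["parent"], {}).get(CONFIG_TAG)

def desired_config(account):
    """Merge tag lookup, configuration table and exceptions into one account's desired state."""
    profile = resolve_profile(account)
    entry = CONFIG_TABLE.get(profile or "")
    if entry is None:
        # Unknown or missing profile: report it rather than silently leaving the account unmonitored.
        return {"account": account["id"], "error": f"no configuration for profile {profile!r}"}
    if not entry.get("enabled", True):
        return {"account": account["id"], "enabled": False}
    disabled = set(entry["disabled_controls"])
    disabled |= set(EXCEPTIONS.get(account["id"], {}).get("disabled_controls", []))
    return {"account": account["id"], "enabled": True,
            "standards": list(entry["standards"]), "disabled_controls": sorted(disabled)}

def build_plan(accounts=ACCOUNTS):
    """Per-account plan handed to the Update configuration step, keyed by account id."""
    return {cfg["account"]: cfg for cfg in map(desired_config, accounts)}

if __name__ == "__main__":
    for account_id, cfg in build_plan().items():
        print(account_id, cfg)
```

Accounts whose profile resolves to nothing known are reported as errors in the plan, so a mistyped tag shows up in the scheduled run instead of quietly dropping the account from monitoring.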

AWS Security Hub in the delegated administrator account offers a consolidated view of compliance for all accounts and regions. When AWS Security Hub in the delegated administrator account identifies a new security event, it is forwarded to the ITSM integration AWS Lambda function, which ensures a ticket is created in ITSM and that subsequent action is taken by Orange Business operational staff.
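The ITSM integration step, as an added example that is not Orange Business code: an EventBridge rule on imported Security Hub findings invokes a handler that tickets only active, unworked findings at or above a severity threshold and carries the finding Id along so the ITSM side can correlate updates. The rule pattern values, the threshold, the ticket fields and the sample event are assumptions; the finding fields are standard ASFF names.

```python
# Constructed EventBridge rule pattern for the delegated administrator account (values assumed).
RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}

SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
MIN_SEVERITY = "HIGH"  # assumed ticketing threshold; the page does not state one

def should_ticket(finding, min_severity=MIN_SEVERITY):
    """Ticket only ACTIVE findings with Workflow.Status NEW at or above the threshold, so
    archived, suppressed or resolved findings re-imported by Security Hub open no duplicate."""
    label = finding.get("Severity", {}).get("Label", "INFORMATIONAL")
    return (finding.get("RecordState") == "ACTIVE"
            and finding.get("Workflow", {}).get("Status") == "NEW"
            and SEVERITY_RANK.get(label, 0) >= SEVERITY_RANK[min_severity])

def ticket_from_finding(finding):
    """Map the ASFF fields operations staff need into a ticket payload."""
    resource = (finding.get("Resources") or [{}])[0]
    return {
        "external_id": finding["Id"],  # lets ITSM correlate later updates to the same finding
        "account": finding["AwsAccountId"],
        "region": finding.get("Region"),
        "severity": finding["Severity"]["Label"],
        "summary": "[Security Hub] " + finding["Title"],
        "resource": f"{resource.get('Type')} {resource.get('Id')}",
    }

def lambda_handler(event, context=None):
    """Entry point invoked by the EventBridge rule; returns the tickets to create."""
    findings = event.get("detail", {}).get("findings", [])
    return [ticket_from_finding(f) for f in findings if should_ticket(f)]

# Constructed sample event: one new CRITICAL finding and one already resolved.
SAMPLE_EVENT = {
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Id": "arn:aws:securityhub:eu-west-1:111111111111:finding/example-1",
         "AwsAccountId": "111111111111", "Region": "eu-west-1",
         "Title": "S3 general purpose buckets should block public access",
         "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE",
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
        {"Id": "arn:aws:securityhub:eu-west-1:111111111111:finding/example-2",
         "AwsAccountId": "111111111111", "Region": "eu-west-1",
         "Title": "IAM root user access key should not exist",
         "Severity": {"Label": "CRITICAL"}, "Workflow": {"Status": "RESOLVED"}, "RecordState": "ACTIVE",
         "Resources": [{"Type": "AwsAccount", "Id": "AWS::::Account:111111111111"}]},
    ]},
}
```

Running `lambda_handler(SAMPLE_EVENT)` yields one ticket for the first finding; the resolved second finding is filtered out even though its severity matches the rule pattern.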
