First Guaranty Mortgage Corporation (FGMC) is a full service national lender offering mortgage solutions to clients of varying income and credit types. The Chief Data Officer is looking to provide a cost-efficient elastic hosting solution to meet the Business Analytics needs of the organization. An Amazon Web Services based solution provides FGMC the following benefits:

  • Elastic pricing model that scales up or down based on demand
  • Wide variety of instance choices for optimizing visualization and analysis services
  • Flexibility in leveraging integrated value-added services for security and integrity.
  • Avoiding large upfront capital expenditures in fixed-cost infrastructure

The AWS cloud environment will host the Business Intelligence Portal based on a COTS package from Qlik which is a Microsoft Windows-based business intelligence and data analytics software. The Qlik-based BI system will display and retrieve data contained in the FGMC MongoDB Enterprise Data Warehouse (EDW) that is resident behind the corporate firewall. This document outlines a secure hosting configuration for the FGMC BI Portals project for a production, test and dev environment in a AWS Virtual Private Cloud (VPC).

Problem Statement

The customer was seeking an AWS Architecture, Migration and Managed Services solution that met their security, cost and time requirements. Key challenges with the existing environment included:

  • Single point of failure for both Development and Production application
  • Performance issues with the production environment
  • Need for a robust backup and disaster recovery solution

The scope of services desired included:

  • Provide a AWS Architecture and Design that is based on best practices
    • Highly available architecture
    • Segregation and isolation for environments and application layers
    • Data security and protection including encryption
    • Recovery/Backup and Disaster Recovery capabilities
    • Integrated security architecture with IDS and IPS capabilities
  • Implementation and migration services for the To-Be AWS Hosting environment and executing the application and data migration from the AS-IS enclave.
  • Executing a AWS Managed Services program that includes patching, backup/recovery, continuous monitoring and technical support for enabling the clients’ team to effectively and efficiently consume cloud services

stackArmor – AWS Partner Solution

stackArmor is an AWS Consulting Services and Value-Added Reseller (VAR) with experience in full lifecycle cloud architecture, migration and operations support services. The firm is staffed with highly experienced and certified AWS Solution Architect’s that have multiple real-world implementations and are well versed in security best practices for cloud systems. In order to meet the FGMC’s security and performance requirements, stackArmor configured a AWS Virtual Private Cloud (VPC) that meets industry standard best practices such as boundary protection, centralized account management, logging & monitoring, data encryption at rest and in motion, and network segregation using security groups among environments and instance tiers.

The BI Portal will has two classes of users for the purposes of access and user management: BI Portal Users authenticating against the portal over the internet using TLS/port 443 and Privileged Users accessing the environment through VPN. For initial design and estimation purposes, the expected number of users is around 50. The proposed hosting environment will have the following security architecture as described below.

Feature Description
Physical hosting environment The application will be hosted in the AWS East Region that has received multiple certifications including ISO 27001, SOC, FedRAMP, HIPAA. More information about compliance attestation are available here. https://aws.amazon.com/compliance/
Network Addressing and Segregation Amazon Virtual Private Cloud (Amazon VPC) provides a logically isolated section with complete control over the IP address range, creation of subnets, and configuration of route tables and network gateways. A multi-tier architecture with public-facing subnet for webservers with access to the Internet, and private-facing subnets for database or application servers that do not have internet access. The AWS VPC provides multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Network Access to the Environment The network access to the environment for privileged users such as developers and administrators will be through the use of a VPN with centralized account management and authentication.
MongoDB EDW Network Connectivity In the initial phase, a site-to-site VPN will be used to connect the BI Portal Application with the MongoDB EDW behind the Corporate firewall.
Centralized Account Management A local Active Directory/Domain Controller will allow for centralized authentication and account management including Service Accounts for server instances.
Data Protection All data in motion will be protected using TLS/SSL for accessing the web-application. All data stores on disk and backup storage will be encrypted using AES-256.
Patching and Vulnerability Management The FGMC BI Portals environment will be scanned monthly using Tenable Nessus for identifying vulnerabilities. Monthly patching of all services hosted in the AWS VPC will be performed using WSUS for Windows Server 2012 instances.
Logging and Auditing A centralizing logging and monitoring capability will be configured using AWS Cloudtrail, AWS Config with centralized logging using Elasticsearch Logstash Kibana (ELK). A monitoring dashboard using AWS CloudWatch will provide visibility into events.

stackArmor deployed their proven Agile Cloud Transformation (ACTTM) methodology for assisting with Five Guys JV UK’s cloud migration project. stackArmor ACT is based on the following key design principles:

  • Security first architecture that includes boundary protection, identity & access management, continuous monitoring and data protection
  • Highly available architecture including multi-AZ (Availability Zone) based redundancy within a Region.
  • Micro-segmentation and isolation of enclaves and application layers using sub-nets, security groups and access rules.
  • Highly automated environment development and deployment to allow for project scalability and the creation of project assets that enable higher levels of productivity and cost-efficiencies over the long run
  • Secure Microsoft hosting environment with Windows 2012 Server, Microsoft SQLServer 2014 and Active Directory for centralized authentication services to ensure the confidentiality, integrity and availability of the analytics platform.

In order to meet the security, reliability and scalability needs of the application, the proposed solution must provide multi-environment design for Dev, Pre-Prod and Production enclaves based on design best practices and recommendations.

A multi-enclave architecture for Dev, Staging and Production instances was created that segregates and hosts the various environments and application components.

Design Features

  • Boundary protection using WAF/IPS.
  • Data encryption at rest using AWS S3 and EBS volume encryption.
  • Hosting performed in AWS East Region with Multiple AZ’s and a Cold DR in US West Region.
  • The FTP service is replaced with the use of the AWS s3 service that supports http or https transport.
  • Highly available multi-Availability Zone architecture.
  • Shared Services delivery model using Amazon Service Catalog and Marketplace for rapid deployment.

Migration Approach and Support Services

stackArmor supported the migration and cut-over of the application and data in the following manner:

  • Once the environment has been configured and approved for use post-review of the architecture, all application software components are installed in the new environment through the creation of Amazon Machine Images that are subsequently applied to each environment.
  • The application installation and configuration activity is a collaborative exercise where the application owner has the lead responsibility to help setup and configure the application. The stackArmor team is on stand-by to assist as necessary.
  • All Database snapshots are taken and restored in the new environment. A simple backup and restore approach for most database instances is appropriate.
  • Ancillary components such as AWS s3 bucket permissions are enabled and all platform components such as IAM policies and console access controls are configured.
  • SSL certificates and tokens are installed and configured to allow for the cut-over.
  • Upon final testing and review, a formal cut-over is performed.

During the entire migration process, the stackArmor team is available to assist during the application configuration and deployment process. The assumption is that the client team has expert knowledge about the application and have database management and administration skills.

AWS Platform Operations and Technical Support

stackArmor provided AWS platform operations and provide technical support as required including the services described below:

  • Performed vulnerability scanning and patching using WSUS within the Windows environment on AWS.
  • Execute backup and restore activities for the AMI snapshots on the AWS s3 bucket and implement archival strategy based on client needs.
  • Continuous monitoring alerts and performance monitors using AWS CloudWatch, Cloudtrail and Config.
  • Provide technical support to the client team as necessary to support resolution of day-to-day operations issues.

Customer Testimonial

Our ability to compete in the rapidly changing mortgage services marketplace depends on delivering new products and services in rapidly shortening delivery cycles. Our adoption of the AWS cloud platform and DevOps delivery models help us in that journey,” said Ben Sizemore, Chief Information Officer at FGMC. “The AWS Marketplace is a fantastic digital acquisition solution that streamlines our ability to evaluate, install and maintain best of breed software components through a simple AMI import as opposed to going through the time consuming traditional Value-Added Reseller model to get quotes, download software and then spend time getting updates.

— Ben Sizemore, Chief Information Officer, FGMC

About stackArmor

stackArmor provides full-stack cloud solutions for security focused customers. Our AWS Solution Architects and Security Engineers have successfully migrated and operated enterprise applications to cloud platforms such as Amazon Web Services (AWS) since 2009. We provide full lifecycle cloud architecture and migration services, cloud operations support, devops and cybersecurity & compliance services for PCI, Healthcare, Financial Services and Public Sector markets. Please contact us by visiting www.stackArmor.com or send us an email at solutions at stackArmor.com to talk about your cloud migration and support needs.