AWS Public Sector Blog
Announcing the Data Fabric Security on AWS solution
Federal customers are often challenged by integrating data across multiple systems and providing federated access to authenticated users operating across multiple organizations. These challenges are rooted in siloed data repositories, decentralized and incompatible identity data types, and a lack of unified data access control across disparate organizations. To support federal customers in addressing these challenges, Amazon Web Services (AWS) developed the Data Fabric Security (DFS) on AWS solution to support the identity and access needs of a multi-organization system. With DFS on AWS, federal customers can accelerate joint interoperability, modernization, and data-driven decision making in the cloud by removing barriers that prevent systems and users from communicating while still strengthening security via Zero Trust principles.
The DFS on AWS solution gives customers identity aggregation, data access control, and data governance at scale, and is aimed at large and enterprise deployments. It deploys a security substrate made of a centralized data governance layer and an identity aggregation layer; on top of that substrate, fine-grained attribute-based access control (ABAC) draws on a modern identity, credential, and access management (ICAM) architecture to address identity and access management challenges.
Implementing a Zero Trust approach, DFS on AWS adds a layer of unified identities with granular, attribute-based permissions so mission owners can confidently draw on data from multiple environments and deliver capabilities at the speed of relevance. DFS on AWS integrates the identity unification/ICAM product of Radiant Logic with the data security platform of Immuta, an AWS Partner, decoupling identity from authentication so that attribute-based control can be applied at scale. The integrated components are launched on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster.
“The goal of our Data Fabric Security solution is to make it easier for our customers to share and integrate data across their enterprise,” said Rob Nolen, the AWS chief technologist for U.S. Department of Defense (DoD). “By decoupling identity from authentication, customers can leverage robust identity attributes to develop powerful attribute-based access control policies. This will facilitate agile and secure data sharing with their providers. Radiant Logic and the Immuta Data Security Platform are key pieces of this puzzle, enabling safe, compliant data analysis and collaboration at scale between data platform, security, and compliance teams. We’re thrilled to be joining forces in our effort to remove the bottlenecks in this process and empower our customers with the timely analytics and data sharing capabilities they need and deserve.”
DFS on AWS was built by AWS using AWS Cloud Development Kit (AWS CDK), a framework for defining cloud infrastructure as code (IaC) and provisioning it through AWS CloudFormation. Delivering via AWS CDK automates the integration and launch of this solution, and the provisioning of required networking, which may include a virtual private cloud (VPC) and Amazon Route 53 resources. This turnkey approach allows customers to focus on connecting identities and data sources and configuring policies instead of building out an architecture.
Key elements of Data Fabric Security on AWS
There are four key elements to the DFS on AWS solution that help large-scale and enterprise customers better manage users, data, and applications.
- Automated containerized deployment: DFS on AWS provides an automated, turnkey deployment of identity unification, data access, and governance capabilities. Leveraging infrastructure as code (IaC) and containerization means that customers benefit from an already-integrated solution that’s pre-configured with all requisite resources and components.
- Unified identities as a single “global” identity: The Radiant Logic component of the solution merges identities from diverse sources and rationalizes them, producing one list of users with no duplicates, each carrying a complete identity profile (attributes). Immuta, the data security component of DFS on AWS, then points to Radiant Logic as the single source of truth for authentication and authorization, so every access decision is made against one consistent identity record rather than against per-source copies that may disagree. Radiant Logic can also transform and translate identity data to meet each querying system’s requirements.
- Implementation of Zero Trust with ICAM and ABAC: In the standard ABAC roles, Radiant Logic serves as the policy information point (PIP), verifying identities and retrieving their attributes, and Immuta serves as the policy administration point (PAP) and policy decision point (PDP), authoring and evaluating the policies that are enforced on the data stores being queried. DFS on AWS lets the customer write plain-language data access policies in Immuta that reference the identities and attributes held in Radiant Logic, automating data privacy and governance. A policy is written once and enforced for new and existing users alike, at the column, row, and cell level. Because every decision depends on the attributes the PIP returns, the accuracy of the identity merge directly bounds the accuracy of access decisions.
- Highly available, scalable solution: Built on AWS, DFS on AWS offers high availability and fault tolerance, integral requirements for data sharing and analysis across multiple, always-on environments. DFS on AWS is deployed across multiple Availability Zones (AZs); Elastic Load Balancers distribute incoming application traffic across the cluster nodes, which run in an Auto Scaling group so that capacity can grow or shrink with demand.
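The PIP/PDP split described in the two list items above, as an added example written for this page rather than code from Radiant Logic, Immuta, or the DFS on AWS solution: a PIP that correlates records from two constructed identity sources into one global profile per person, and a PDP that evaluates a row filter plus cell-level masks against those attributes at query time. The source record formats, attribute names, clearance ordering, table contents, and policy shape are all assumptions chosen for illustration; the point is the data flow, including what happens when an identity cannot be resolved or an attribute is missing.

```python
"""Illustrative ABAC model of the PIP and PDP roles the page assigns to
Radiant Logic and Immuta.  Added example, not vendor or solution code;
source formats, attribute names and policies are assumptions."""
from dataclasses import dataclass
from typing import Callable

# Constructed sample identity sources: two systems describing overlapping
# people under different identifiers, each with only part of the profile.
DIRECTORY_ORG_A = [
    {"sAMAccountName": "jsmith", "mail": "J.Smith@org-a.example",
     "clearance": "SECRET", "org": "ORG-A"},
    {"sAMAccountName": "alee", "mail": "a.lee@org-a.example",
     "clearance": "TOP SECRET", "org": "ORG-A"},
]
PROJECT_ROSTER = [
    {"uid": "smithj", "email": "j.smith@org-a.example", "project": "FALCON"},
    {"uid": "kchen", "email": "k.chen@org-b.example", "project": "FALCON",
     "clearance": "SECRET", "org": "ORG-B"},
]

ID_FIELDS = {"sAMAccountName", "uid"}   # per-source identifiers, kept for audit
JOIN_FIELDS = {"mail", "email"}         # assumed correlation key across sources


def unify_identities(*sources: list[dict]) -> dict[str, dict]:
    """PIP, step 1: correlate records across sources on a normalised join key
    (lower-cased e-mail) so each person gets exactly one global profile that
    carries the union of their attributes and all source identifiers.  When
    two sources disagree on an attribute the first source wins (assumed
    precedence rule; a real deployment makes this explicit and auditable)."""
    profiles: dict[str, dict] = {}
    for records in sources:
        for rec in records:
            key = next(rec[f] for f in JOIN_FIELDS if f in rec).strip().lower()
            profile = profiles.setdefault(key, {"email": key, "source_ids": set()})
            for field, value in rec.items():
                if field in ID_FIELDS:
                    profile["source_ids"].add(value)
                elif field not in JOIN_FIELDS:
                    profile.setdefault(field, value)
    return profiles


# Assumed ordering of classification levels for the dominance check.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass
class TablePolicy:
    """One table's policy as the PDP evaluates it.  row_filter decides whether
    a row is returned at all; cell_masks maps a column name to a predicate on
    (user attributes, row) that must hold for the real value to be shown."""
    row_filter: Callable[[dict, dict], bool]
    cell_masks: dict[str, Callable[[dict, dict], bool]]


def clearance_dominates(attrs: dict, row: dict) -> bool:
    # A missing or unknown clearance ranks below every level, so it denies.
    return LEVELS.get(attrs.get("clearance"), -1) >= LEVELS[row["classification"]]


MISSIONS_POLICY = TablePolicy(
    # Row level: caller's clearance must dominate the row and caller must be
    # on the row's project (missing project attribute fails the comparison).
    row_filter=lambda attrs, row: (clearance_dominates(attrs, row)
                                   and attrs.get("project") == row["project"]),
    # Cell level: coordinates are shown only to the owning organization.
    cell_masks={"coordinates": lambda attrs, row: attrs.get("org") == row["owner_org"]},
)
POLICIES = {"missions": MISSIONS_POLICY}

MISSIONS = [  # constructed sample table
    {"mission_id": 1, "project": "FALCON", "classification": "SECRET",
     "owner_org": "ORG-A", "coordinates": "38.8977,-77.0365"},
    {"mission_id": 2, "project": "FALCON", "classification": "TOP SECRET",
     "owner_org": "ORG-B", "coordinates": "36.1699,-115.1398"},
    {"mission_id": 3, "project": "EAGLE", "classification": "UNCLASSIFIED",
     "owner_org": "ORG-A", "coordinates": "41.8781,-87.6298"},
]
REDACTED = "***"


def query(pip: dict[str, dict], user_email: str, table: str, rows: list[dict]) -> list[dict]:
    """PDP plus enforcement: fetch the caller's unified attributes from the PIP,
    then apply the table's row filter and cell masks to every row.  An identity
    the PIP cannot resolve receives no rows (fail closed)."""
    attrs = pip.get(user_email.strip().lower())
    if attrs is None:
        return []
    policy = POLICIES[table]
    result = []
    for row in rows:
        if not policy.row_filter(attrs, row):
            continue
        result.append({col: val if col not in policy.cell_masks
                       or policy.cell_masks[col](attrs, row) else REDACTED
                       for col, val in row.items()})
    return result


if __name__ == "__main__":
    pip = unify_identities(DIRECTORY_ORG_A, PROJECT_ROSTER)
    for user in ("j.smith@org-a.example", "k.chen@org-b.example",
                 "a.lee@org-a.example", "nobody@org-c.example"):
        print(user, query(pip, user, "missions", MISSIONS))
```

Running it shows the behaviours the page attributes to the two layers: the two records for J. Smith collapse into one profile whose clearance comes from one source and whose project from the other, so the PDP can apply a policy that no single source could satisfy; the ORG-B user on the same project sees the same row but with the coordinates cell masked; a user with a higher clearance but no project attribute gets nothing; and an e-mail the PIP does not know gets nothing rather than a partial view.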
How to deploy DFS on AWS
The DFS on AWS solution provides an overview, deployment guide, and information regarding associated AWS costs and how to obtain licenses. The AWS Cloud products deployed to run the DFS on AWS solution in a non-critical sandbox environment with no activity or workloads include the following:
- One (1) Amazon EKS cluster
- Three (3) m5.2xlarge Amazon EC2 instances (in an Auto Scaling group spanning two AZs)
- Two (2) Classic Load Balancers (one each for Radiant Logic and Immuta)
- Amazon Route 53 (one hosted zone, two records)
A DFS on AWS IaC deployment launches the above core metered products or services. AWS Partners should use these services to quote pricing. AWS Partners can also get up-to-date pricing on AWS Cloud Services from the AWS Pricing Calculator.
Both Radiant Logic and Immuta products require licenses. Customers can contact Radiant Logic and Immuta for pricing, licensing, or other solution-specific inquiries.
To learn more about DFS on AWS, please contact your AWS representative or visit the DFS on AWS Quick Starts site.