Amazon AWS Official Blog
ZKTeco Builds a Secure and Robust Cloud Infrastructure with AWS Cloud Foundations Solution
1. Background of ZKTeco
Founded in 2007, ZKTECO CO., LTD. (ZKTeco) is an internationally renowned enterprise which specializes in pioneering biometric recognition techniques. In 2021, ZKTeco began collaborating with Amazon Web Services (AWS) to drive its cloud transformation and gradually transfer its product lines to the cloud. One of the key milestones was the construction of the MinervaIoT platform based on the AWS cloud foundations.
2. MinervaIoT Platform Architecture
MinervaIoT is a new-generation IoT platform independently developed by ZKTeco. It enables fast, convenient, and remote connection of front-end smart devices to applications, supports edge-end AI computing, and offers platform-based SaaS cloud services. The platform opens an API market for third-party partners to integrate and connect. MinervaIoT, one of ZKTeco’s digital innovation products, combines such technologies as big data, IoT, and 5G to provide users with comprehensive intelligent solutions.
The AWS architecture of the MinervaIoT platform consists of three layers:
The first layer is the IoT platform layer, which uses a range of AWS services to handle device connectivity, data collection and analysis, video stream processing, and machine learning. It uses the serverless AWS Fargate container service for automated container management, AWS IoT Core for device connectivity and communication, Amazon Kinesis Video Streams for video stream processing, AWS Lambda for event-driven computing, Amazon Redshift as the data warehouse for the storage and analysis of big data, and Amazon SageMaker for the development and training of machine learning models.
The second layer is the authentication services layer, which provides the basic support services required by the platform, such as location services, organization services, identity services, LDAP services, subscription services, and general storage services. These services manage users, devices, organizations, as well as data storage and access.
The third layer is the storage layer, which offers different types of data storage, including Amazon S3 object storage, the Amazon Aurora relational database, the Amazon DynamoDB NoSQL database, Amazon ElastiCache for caching, and the Amazon Redshift data warehouse. This layer caters to the diverse storage needs of the platform.
By modularizing the architecture into three layers, the MinervaIoT platform can fully leverage the hosting capabilities of AWS to build a secure and scalable IoT platform with high performance and availability. The serverless architecture reduces management costs, machine learning enhances platform intelligence, and big data analysis provides deeper insights. Besides, the clearly decoupled architecture facilitates agile iteration and expansion.
3. Cloud Foundations Solution
As an ancient Chinese saying goes, “rivers with abundant sources flow far; trees with deep roots grow luxuriant.” A secure and robust cloud operating environment is of utmost importance for the stability and sustainability of production applications and workloads on the cloud. ZKTeco collaborated with AWS to deploy the Cloud Foundations solution. Specifically, guided by the best practices of the AWS Well-Architected Framework, it built high-quality cloud foundations for MinervaIoT from six aspects: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability.
3.1 Solution Overview
Cloud Foundations defines thirty capabilities required for a company’s cloud environment, grouped into six categories: governance, risk management and compliance; operations; security; business continuity; finance; and infrastructure. It is a comprehensive improvement over a company’s cloud adoption strategy. It aims to deploy a cloud-ready environment, including a basic landing zone, security baselines, and DevOps functions, within two weeks, using cloud-native technologies and automation services. It effectively helped ZKTeco deploy, operate and govern workloads on the cloud efficiently and make them available for business production at the earliest possible time. ZKTeco can continue building on it and constantly enhance the capabilities of the cloud environment.
The main advantages of this solution are as follows:
- Fast delivery: The Cloud Foundations solution can help ZKTeco accelerate toward value, reduce implementation costs, and facilitate adoption of security best practices. ZKTeco can focus its limited IT resources on high-value opportunities such as large-scale migrations, building the next-generation serverless applications and reinventing business processes on the cloud.
- Enhanced security: Deploying with a centrally managed set of code improves the solution’s quality and security. The Cloud Foundations solution has many baseline configurations for compliance and security built into it. ZKTeco can also propose new security and compliance requirements and quickly integrate them into the existing code and configurations, continuously improving the security of the cloud environment.
- Simplified work: The Cloud Foundations solution simplifies the building process for ZKTeco across multiple Amazon Web Services accounts. With infrastructure as code, the infrastructure resources and their configurations on the cloud are developed and tested in advance, which eliminates many common implementation errors and greatly reduces deployment time.
3.2 Security Enhancements and Risk Prevention
Security has always been a top priority in building cloud environments. We adhere to the following basic principles: encryption at rest for every resource that can use Amazon KMS customer managed keys, centralized management of these keys in a dedicated security account, and least-privilege permissions in all policies.
This solution configures resources according to security best practices. Here are some examples that demonstrate how it effectively prevents security risks:
- Isolate workloads at the account level, so that a compromise of administrator privileges in a single account does not put all cloud resources at risk;
- Implement mandatory password policies to prevent IAM users from using weak passwords or keeping passwords unchanged for extended periods;
- Establish backup strategies to restore systems to normal condition in the event of data unavailability due to ransomware or other incidents;
- Develop security policies to prevent the creation of publicly accessible S3 buckets, thus avoiding accidental exposure of significant files;
- Enforce the use of HTTPS when accessing S3 buckets to prevent unauthorized data access, data theft, or data modification in transit;
- Avoid unauthorized tampering and deletion of critical resources in an account, as well as malicious creation of cloud resources;
- Enforce encryption for data stored in S3, EBS, EFS, and RDS to prevent the exposure of sensitive information;
- Prevent sensitive server ports from being exposed to the Internet and eliminate insecure security group rules to reduce the network attack surface;
- Implement early warning mechanisms for malicious resource usage, network-based attacks, and improper user permissions, along with prepared response measures.
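As an added illustration of the HTTPS enforcement item above (example code, not part of the post or of the Cloud Foundations solution), the following Python check evaluates whether an S3 bucket policy document actually denies plaintext access; the three policies, the bucket name and the account id are constructed samples.

```python
import json

# Constructed sample bucket policies (not from the post). Account id and
# bucket name are placeholders.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppAccess", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
   "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::example-bucket/*"}]}""")

# Deny covers objects only: ListBucket over plain HTTP would still succeed.
PARTIAL_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyInsecureObjects", "Effect": "Deny", "Principal": "*",
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")

HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
   "Action": "s3:*",
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}""")

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _principal_is_everyone(p):
    return p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")

def enforces_tls(policy, bucket):
    """True if a Deny statement rejects every S3 action from every principal on
    both the bucket and its objects whenever aws:SecureTransport is false."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"*", "s3:*"}:
            continue  # denying only some actions leaves other plaintext calls allowed
        resources = set(_as_list(stmt.get("Resource", [])))
        if "*" not in resources and not needed <= resources:
            continue  # bucket-level or object-level calls are left uncovered
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(flag).lower() == "false":  # AWS accepts the string or a JSON bool
            return True
    return False

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_POLICY), ("partial", PARTIAL_POLICY), ("hardened", HARDENED_POLICY)]:
        print(f"{name}: enforces TLS = {enforces_tls(pol, 'example-bucket')}")
```

The same document can be fed from a real bucket by passing the parsed result of a get-bucket-policy call; a policy that passes this check still needs Block Public Access enabled to cover the public-bucket item above.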
3.3 Joint Investigation and Remediation Measures of Security Risks
The solution works together with services such as Amazon GuardDuty and AWS Security Hub to conduct cross-resource and cross-account joint investigations of reported security risks. It creates custom high-severity findings for suspected risk points and presets several custom actions to help ZKTeco respond to security risks and carry out remediation.
4. Summary
ZKTeco, in collaboration with AWS, has built its core cloud platform MinervaIoT on AWS, supporting the company’s cloud transformation. ZKTeco has deployed the Cloud Foundations solution and built the cloud foundations for MinervaIoT from six aspects according to the best practices of the AWS Well-Architected Framework. Cloud Foundations not only helps ZKTeco deploy, operate, and manage cloud workloads efficiently for rapid business production use, but also systematically raises the security baseline and continuously improves the security of the cloud environment. In this way, it has established a secure and reliable foundation for the MinervaIoT cloud platform and for ZKTeco’s future business development on AWS.