ZS Delivers Always-On Security Best Practices Using AWS Security Services

ZS Associates (ZS) sought to create greater visibility and simplify management of its security posture for a diverse global client base with complex, demanding security needs. Many of its clients need to meet compliance standards that vary by country and industry. ZS had been building cloud-solution architectures unique to individual clients by using Amazon Web Services (AWS), so it was looking for a replicable security solution that could scale simply and work well alongside the hundreds of AWS services that it was already using. Using AWS, ZS built a scalable, comprehensive security landscape that automates time-consuming manual security procedures and eases the rollout of cloud architecture for clients.

Since its inception in 1983, ZS has used software to solve client issues. Over the years the company has built innovative offerings using analytics and artificial intelligence and machine learning capabilities, offering them as software as a service. ZS often builds client solutions using its own proprietary platform, ZAIDYN, which is built on AWS and augmented by various managed AWS services. The company has its own Cloud Center of Excellence (CCoE), a department dedicated to building, maintaining, and helping to architect more than 250 AWS accounts that are part of ZS’s solutions for its clients. Various AWS services work together for each client in what ZS calls a “spoke AWS account,” all of which ZS can monitor through centralizing relevant logs, metrics, and events.

These logs, metrics, and events generate terabytes of raw information, which ZS stores for at least one year using Amazon Simple Storage Service (Amazon S3), an object storage service offering industry-leading scalability, data availability, security, and performance. The CCoE created a way to filter this information, sending hundreds of gigabytes through intermediary components into a centralized observability platform. (See Diagram 1, AWS Observability Platform reference architecture.) “You have to have your company-specific due diligence process that creates different data tiers so that you’re looking at the logs that give you the most insight,” says Rujuswami Gandhi, director of cloud services for ZS. 

Security is an important part of this information flow. ZS built a robust security landscape centered around the cybersecurity framework from the National Institute of Standards and Technology (NIST): identify, protect, detect and respond, and recover. ZS added governance, an internal initiative to help the company prepare for third-party security auditing. “Across the many different AWS services that we are using with the unique tenancy architecture that we follow for our clients, security is a very important element because our clients have high information security expectations,” says Gandhi. “Our customers can have confidence that we not only are using AWS services in a mature way, but we also align with industry-standard frameworks.” For details on the security landscape that ZS built, see Diagram 2, “ZS AWS Cloud Trust Landscape – Security lens.”

For example, as part of its detect-and-respond pillar, ZS uses eight services from AWS that are augmented by numerous third-party solutions. Using AWS Security Hub, a cloud security posture management service that performs security best-practice checks, aggregates alerts, and supports automated remediation, ZS achieves near-real-time centralized visibility. Plus, ZS has simplified its foundational compliance management with mapping capabilities for many of the security frameworks that ZS clients require, such as SOC 2, ISO/IEC 27001, and HITRUST. Using AWS Security Hub has facilitated ZS’s global expansion because security standards differ globally—the EU’s General Data Protection Regulation and China’s governance framework known as the Multi-Layer Protection Scheme, for example. “Using AWS Security Hub, we just choose from the prebuilt packaged rule sets, and it automatically deploys to provide adherence insights and trending as remediation work progresses,” Gandhi says. “Managing AWS Security Hub is low effort.”

Another service ZS uses to detect and respond to threats is Amazon Inspector, an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. To thwart immediate threats, ZS uses Amazon GuardDuty, a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. “Using Amazon GuardDuty has given us great insights that could have been security incidents if our incident response team hadn’t been made aware quickly,” says Gandhi. And to help demonstrate compliance, ZS uses AWS CloudTrail, which monitors and records account activity across AWS infrastructure. This greater visibility simplifies auditing procedures.

As part of its landscape that aligns with the protect pillar of the NIST framework, ZS uses AWS Identity and Access Management (AWS IAM), which provides fine-grained access control across all of AWS. “That is something that would have been very complex to be able to address ourselves without using AWS,” says Beeling Chang, cloud architect for ZS.

The CCoE’s entire workload is built on concepts from the AWS Landing Zone, a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. AWS Landing Zone helps save time by automating the setup to run secure and scalable workloads. ZS estimates that the automated, always-on compliance mode of AWS solutions saves about 1,000 hours of labor every month that would have been spent manually checking adherence to security best practices. Plus, ZS is onboarding new clients three times faster using stackable security and other services from AWS.

ZS’s CCoE team continues to focus on security as it aims for improvement across the AWS Well-Architected Framework, which helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for a variety of applications and workloads.

Also, since shifting its focus to AWS solutions, ZS has improved its agility in tapping into innovative analytics and machine learning capabilities while attracting quality talent and empowering its employees. Employees use these cutting-edge technologies to work collaboratively with clients to help solve complex problems. “Using AWS helps give us central visibility,” Gandhi says. “It’s always on and always live. It’s changing our whole mindset.”