ZS logo

ZS Delivers Always-On Security Best Practices Using AWS Security Services


ZS Associates (ZS) sought to create greater visibility and simplify management of its security posture for a diverse global client base with complex, demanding security needs. Many of its clients need to meet compliance standards that vary by country and industry. ZS had been building cloud-solution architectures unique to individual clients by using Amazon Web Services (AWS), so it was looking for a replicable security solution that could scale simply and work well alongside the hundreds of AWS services that it was already using. Using AWS, ZS built a scalable, comprehensive security landscape that automates time-consuming manual security procedures and eases the rollout of cloud architecture for clients.

Group of business people is working on new business strategy with a financial analyst while analyzing financial chart during meeting in the office.

A lot of the controls that we have in AWS Security Hub ultimately map back to controls in our clients’ various security frameworks. It really provides good technical empowerment."

Rujuswami Gandhi
Director of Cloud Services, ZS Associates

Managing Security within Complex Architectures

Since its inception in 1983, ZS has used software to solve client issues. Over the years the company has built innovative offerings using analytics and artificial intelligence and machine learning capabilities, offering them as software as a service. ZS often builds client solutions using its own proprietary platform, ZAIDYN, which is built on AWS and augmented by various managed AWS services. The company has its own Cloud Center of Excellence (CCoE), a department dedicated to building, maintaining, and helping to architect more than 250 AWS accounts that are part of ZS’s solutions for its clients. Various AWS services work together for each client in what ZS calls a “spoke AWS account,” all of which ZS can monitor through centralizing relevant logs, metrics, and events.

These logs, metrics, and events generate terabytes of raw information, which ZS stores for at least one year using Amazon Simple Storage Service (Amazon S3), an object storage service offering industry-leading scalability, data availability, security, and performance. The CCoE created a way to filter this information, sending hundreds of gigabytes through intermediary components into a centralized observability platform. (See Diagram 1, AWS Observability Platform reference architecture.) “You have to have your company-specific due diligence process that creates different data tiers so that you’re looking at the logs that give you the most insight,” says Rujuswami Gandhi, director of cloud services for ZS. 

Diagram 1: AWS Observability Platform reference architecture

Integration with a third-party system

Security is an important part of this information flow. ZS built a robust security landscape centered around the cybersecurity framework from the National Institute of Standards and Technology (NIST): identify, protect, detect and respond, and recover. ZS added governance, an internal initiative to help the company prepare for third-party security auditing. “Across the many different AWS services that we are using with the unique tenancy architecture that we follow for our clients, security is a very important element because our clients have high information security expectations,” says Gandhi. “Our customers can have confidence that we not only are using AWS services in a mature way, but we also align with industry-standard frameworks.” For details on the security landscape that ZS built, see Diagram 2, “ZS AWS Cloud Trust Landscape – Security lens.”

Diagram 2: ZS AWS Cloud Trust Landscape – Security lens

Modeled around NIST Cybersecurity Framework

Establishing Always-On Best Practices

For example, as part of its detect-and-respond pillar, ZS uses eight services from AWS that are augmented by numerous third-party solutions. Using AWS Security Hub, a cloud security posture management service that performs security best-practice checks, aggregates alerts, and supports automated remediation, ZS achieves near-real-time centralized visibility. Plus, ZS has simplified its foundational compliance management with mapping capabilities for many of the security frameworks that ZS clients require, such as SOC 2, ISO/IEC 27001, and HITRUST. Using AWS Security Hub has facilitated ZS’s global expansion because security standards differ globally—the EU’s General Data Protection Regulation and China’s governance framework known as the Multi-Layer Protection Scheme, for example. “Using AWS Security Hub, we just choose from the prebuilt packaged rule sets, and it automatically deploys to provide adherence insights and trending as remediation work progresses,” Gandhi says. “Managing AWS Security Hub is low effort.”

Another service ZS uses to detect and respond to threats is Amazon Inspector, an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. To thwart immediate threats, ZS uses Amazon GuardDuty, a threat detection service that continuously monitors AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. “Using Amazon GuardDuty has given us great insights that could have been security incidents if our incident response team hadn’t been made aware quickly,” says Gandhi. And to help demonstrate compliance, ZS uses AWS CloudTrail, which monitors and records account activity across AWS infrastructure. This greater visibility simplifies auditing procedures.

As part of its landscape that aligns with the protect pillar of the NIST framework, ZS uses AWS Identity and Access Management (AWS IAM), which provides fine-grained access control across all of AWS. “That is something that would have been very complex to be able to address ourselves without using AWS,” says Beeling Chang, cloud architect for ZS.

The CCoE’s entire workload is built on concepts from the AWS Landing Zone, a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. AWS Landing Zone helps save time by automating the setup to run secure and scalable workloads. ZS estimates that the automated, always-on compliance mode of AWS solutions saves about 1,000 hours of labor every month that would have been spent manually checking adherence to security best practices. Plus, ZS is onboarding new clients three times faster using stackable security and other services from AWS.

Innovating Using AWS Solutions

ZS’s CCoE team continues to focus on security as it aims for improvement across the AWS Well-Architected Framework, which helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for a variety of applications and workloads.

Also, since shifting its focus to AWS solutions, ZS has improved its agility in tapping into innovative analytics and machine learning capabilities while attracting quality talent and empowering its employees. Employees use these cutting-edge technologies to work collaboratively with clients to help solve complex problems. “Using AWS helps give us central visibility,” Gandhi says. “It’s always on and always live. It’s changing our whole mindset.”

About ZS Associates

With headquarters in Illinois and 30 offices worldwide, ZS Associates is a consulting and professional services firm focused on consulting, software, and technology, providing services for clients in pharma, healthcare, technology, and other industries. 

Benefits of AWS

  • Saves 1,000 hours per month of labor in security management
  • Onboards clients 3x faster 
  • Automates continual, near-real-time security checks
  • Simplifies compliance management

AWS Services Used

AWS Security Hub

AWS Security Hub is a cloud security posture management service that automates best practice checks, aggregates alerts, and supports automated remediation.

Learn more »

Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Learn more »

AWS CloudTrail

AWS CloudTrail monitors and records account activity across your AWS infrastructure, giving you control over storage, analysis, and remediation actions.

Learn more »

Amazon Inspector

Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities.

Learn more »

Get Started

Organizations of all sizes across all industries are transforming their businesses and delivering on their missions every day using AWS. Contact our experts and start your own AWS journey today.