Securing SAP workloads on AWS Strategies for Success

Hackers can be anywhere, so security must be everywhere

At NorthBay Solutions, we’ve developed a best practices approach for migrating workloads to AWS that is designed to address the security challenges set by modern-day hackers. Our perspective is that hackers are everywhere, and they are constantly focused on finding opportunities to launch a malicious attack. Thus, no matter where in the cloud we are moving data, or what method we are using to move data, we make it a policy to have the right set of tools and technologies in place to continuously scan for nefarious activity—and stop it in its tracks.

It was this comprehensive approach to security that prevented what could have been a catastrophic breach for one of our valuable clients.

Amazon EC2 migration designed with security in mind

Amazon Elastic Compute Cloud (EC2) is a compute instance as a service offered by AWS. In our client’s case, an EC2 test instance was spun up as part of the solution for migrating SAP workloads.

Because security best practices dictate that no EC2 instance should be accessible directly via the public internet, we set up every EC2 instance in a private subnet. Unlike public subnets that can receive in-bound traffic directly from the internet, private subnets provide better network management control and improved network security.

While a VPN—either site-to-site or client-server—is the most secure method of accessing an EC2 instance, not all organizations have VPNs in place, implementing a VPN can take several days and also requires investment in on-premises devices. Further, VPNs can also fail. And when they do, IT teams are unable to access their EC2 workloads.

In this migration use case, the EC2 test instance can be configured on the fly, which can then be accessed via a bastion host (also known as a jump server). A bastion host is a hardened server that can better withstand security attacks, and whose purpose is to provide access to a private network from an external network, including the internet. From there, IT teams can access workloads hosted on the EC2 instance on the private subnet.

Protecting EC2 instances with intelligent threat detection

However, a bastion host could also expose an EC2 instance to potential attack, and as a result, steps must be taken to minimize the chances of penetration. One such solution is AWS GuardDuty, which is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity, and also delivers detailed security findings for visibility and remediation.

Fortunately, with the NorthBay Solutions team’s expertise working with EC2 instances combined with our time-tested frameworks, we had implemented AWS GuardDuty as part of the solution. Thus, we were alerted to the fact that numerous attempts were being made to access the bastion host, many of which were coming from geographies outside of the client’s areas of operation. Having received real-time alerts from GuardDuty, we were able to take immediate steps to thwart the hackers and protect our client’s cloud infrastructure and data. GuardDuty also helped in :

  • White listing IP address for the client’s team members and partners
  • Black listing suspected IP address ranges
  • Immediately terminating the EC2 test instance
  • Taking pre-configured / automated actions in collaboration with other Services of AWS (based on type of security incidents) to make sure, attack
  • is mitigated immediately upon detection.

The best security defense is a strong offense

Hackers are always watching, scanning and seeking out opportunities to penetrate networks, whether on-premises or in the cloud, which is why it’s of paramount importance to fully understand the AWS managed security options available, work with experts, and take the time to implement and test their functionality.

Cyber Security is and will remain an ongoing global war with hackers. Together as a strong team we can win this. Let’s Gear Up..!!