Data Security Firm Leverages Serverless Architecture Using AWS Lambda and API Gateway
Jul 24, 2017
ClearScale was approached by a data security firm specializing in providing organizations of all sizes with true end-to-end protection that can be deployed in hardware, virtual, cloud, and mixed form factors. In order to integrate as closely as possible with the AWS platform, our client’s data security products needed to be re-designed and re-engineered to complement the existing AWS services. Many of our client’s customers already use a variety of AWS services for their applications and infrastructure.
Our client’s goal was to enable their customers to quickly and efficiently deploy a comprehensive security architecture and have a more seamless experience across their environments. They also needed to further enhance the way they leveraged AWS services in order to provide an improved delivery mechanism to their customers.
The ClearScale Serverless Architecture Solution
As an expert in AWS services and cloud integration, ClearScale helped our client to fully leverage the power of AWS as well as quickly execute best practices in serverless cloud architecture and advanced API security to deliver the most comprehensive and robust solution.
As a first step, ClearScale implemented a secure and highly available external API that would translate calls, pass them to an internal API, and return the results, which would be consumed by an external vendor API. The project also required external call authorization to be implemented using API keys that would be generated manually by our client and provided to distributors. All these tasks needed to be accomplished in a very short period of three or four weeks.
To create an improved delivery mechanism for our client’s data security products, ClearScale designed a serverless cloud architecture solution based on Amazon Web Services (AWS) Lambda. AWS Lambda is an event-driven, serverless compute service that runs code for almost any kind of application or backend service with no server administration. This allows the creation of highly available, on-demand applications that respond to events and new information.
AWS CloudFormation service was integrated as an easy way to create and manage AWS resources. With CloudFormation, our client could easily deploy and update an application template and the associated resources, or stack, using the AWS Management Console, AWS Command Line Interface, or via APIs.
CloudFormation has two parts: a template and a stack. A template is a JSON file that defines what AWS resources or non-AWS resources are required to run the application; a stack is the set of resources created from that template.
The solution also made use of Amazon’s Virtual Private Cloud (VPC), giving our client total control over the virtual networking environment, including selection of a private IP address range, creation of subnets, network ACLs, configuration of route tables, and network gateways.
By splitting the VPC space into public and private subnets, databases and application instances could be safely run on the private subnets, keeping them securely segregated from direct Internet access. The public subnet was used to host the AWS NAT Gateway, allowing secure access to the Internet for the application instances running on the private subnets.
To further increase the security of the application, three measures were put into place: VPC security groups, Amazon API Gateway, and IAM roles. In AWS, security groups are a set of rules that act as a software firewall, controlling inbound and outbound traffic for users and services.
Amazon API Gateway was utilized as an easy way for developers to create, deploy, and maintain secure APIs. The API Gateway acts as a go-between for the application on the front end and the data or services on the back end. By using the API Gateway, the client had a solution that provided full access control, while still being able to handle hundreds of thousands of API calls concurrently.
IAM roles, on the other hand, are used for users or services that need only temporary or special-use access and would not normally be included in a security group. The benefit of an IAM role is that it allows a temporary user to have the necessary access without the need to provide long-term credentials or create a special security group.
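The pieces described above (the API Gateway front door from the first step, manually generated distributor API keys, a Lambda backend with its own IAM role, and CloudFormation as the deployment vehicle) fit together in a single template. The following is an added example written for this page, not ClearScale’s or the client’s template; the resource names, the `translate-api` API name, the `distributor-example` key name, the throttle limits and the placeholder handler body are all assumptions.

```yaml
Description: Added example (not ClearScale's template) - API-key-gated API Gateway front door to a Lambda backend
Resources:
  # Least-privilege execution role: the function may only write its own CloudWatch logs.
  FnRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement: [{Effect: Allow, Principal: {Service: lambda.amazonaws.com}, Action: 'sts:AssumeRole'}]
      ManagedPolicyArns: ['arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole']
  Fn:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt FnRole.Arn
      Code:
        ZipFile: |
          def handler(event, context):  # placeholder body: translate the call and forward it to the internal API
              return {"statusCode": 200, "body": "{}"}
  Api: {Type: 'AWS::ApiGateway::RestApi', Properties: {Name: translate-api}}
  Method:
    Type: AWS::ApiGateway::Method
    Properties:
      RestApiId: !Ref Api
      ResourceId: !GetAtt Api.RootResourceId
      HttpMethod: POST
      AuthorizationType: NONE
      ApiKeyRequired: true   # a request without a valid x-api-key header is rejected with 403 before reaching Lambda
      Integration:
        Type: AWS_PROXY
        IntegrationHttpMethod: POST
        Uri: !Sub arn:aws:apigateway:${AWS::Region}:lambda:path/2015-03-31/functions/${Fn.Arn}/invocations
  InvokePerm:   # only this API's POST route may invoke the function, not any caller in the account
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref Fn
      Action: lambda:InvokeFunction
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${Api}/*/POST/
  Deployment:
    Type: AWS::ApiGateway::Deployment
    DependsOn: Method
    Properties: {RestApiId: !Ref Api, StageName: prod}
  # One key per distributor; the usage plan binds the key to the stage and throttles it.
  DistributorKey: {Type: 'AWS::ApiGateway::ApiKey', Properties: {Name: distributor-example, Enabled: true}}
  Plan:
    Type: AWS::ApiGateway::UsagePlan
    DependsOn: Deployment
    Properties: {ApiStages: [{ApiId: !Ref Api, Stage: prod}], Throttle: {RateLimit: 50, BurstLimit: 100}}
  PlanKey: {Type: 'AWS::ApiGateway::UsagePlanKey', Properties: {KeyId: !Ref DistributorKey, KeyType: API_KEY, UsagePlanId: !Ref Plan}}
```

After the stack is created, the key value is read from the console or CLI and handed to the distributor out of band; a key that is not attached to a usage plan is rejected even if it exists, so revocation is a matter of detaching or disabling it.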
To assist in the deployment of the solution to new staging areas, ClearScale implemented Jenkins to help automate the process. Jenkins is an open-source automation server that allows for continuous integration and delivery, relying on plugins to support and integrate with AWS Lambda deployment.
Our client offers their products on the AWS Marketplace in order to help their customers deploy the most robust security infrastructures in the cloud. By partnering with ClearScale, they were able to take advantage of their fully integrated and re-architected serverless infrastructure and use more AWS products in-house, as well as further enhance their security offerings.
This was made possible by fully leveraging the strategic partnership between ClearScale and AWS. Our client’s updated and serverless architecture and enhanced security will provide peace of mind to their customers now and well into the future.