Case Studies

About the Company

The company is one of the largest utility service providers, serving approximately 4 million customers in more than 300 urban, suburban and rural communities, including New Jersey’s six largest cities. It serves the population of a 2,600-square-mile (6,700 km²) diagonal corridor across an East Coast state in the United States.

The Challenge

The company used legacy identity and access management systems deployed on premises. As the customer base grew, the number of hits to the site grew, and downtime started increasing. Major outages occurred when the site was needed most, especially during natural calamities, when customers required it to be up and running.

Considering these growing downtime issues, and the need to serve its growing customer base, the company decided to move to an efficient solution which would be faster, more secure, reduce downtime, and most importantly, be cost effective.

Solution

Kapstone proposed and implemented a solution using Amazon Web Services (AWS) that would meet all the company’s needs. We used AWS Lambda to host the APIs that are consumed by the core application. The Lambda endpoints were protected using API Gateway and exposed to the core application. AWS CloudWatch is used to monitor the logs generated by the Lambda functions and API Gateway. We developed and deployed an admin application in AWS for call center employees, with the capability to report customer activities and analytics.

The Benefits

As a result, the company was able to provide an efficient and secure application with minimal downtime to its customers, and at the same time reduce its ownership costs by a significant margin, as it no longer had to maintain servers on premises. The applications scaled automatically to meet traffic peaks, and the infrastructure was scaled down during quieter times. Because the company pays only for the AWS resources it consumes, the AWS infrastructure proved to be highly cost-effective.

About the Company

The company is focused on providing incarcerated learners with the digital tools they need to succeed. The U.S. incarcerates more people than any other nation in the world. Despite spending more on corrections than the GNP of most countries, it fails to help them lead a better life. Corrections administrators struggle to find effective options they can afford and trust, and the company fills that gap.

The Challenge

The company used a legacy method of provisioning users into its own systems and multiple partner systems. As the customer base grew, the number of hits to the application grew, and user setup time started increasing. Manual provisioning required more hours to complete the work and was often delayed by technical errors.

Considering these growing facility issues, and the need to serve its growing customer base, the company decided to move to an efficient solution that would be faster, secure, low in downtime, and most importantly, cost effective.

Solution

Kapstone proposed and implemented a solution using Amazon Web Services (AWS) that would meet all the needs of the company. We created custom services hosted on AWS ECS (Elastic Container Service) that take new and existing user data from facility admins. We also used AWS SQS (Simple Queue Service) to hold user creation and update messages for various applications such as Salesforce, in-house databases (hosted on AWS RDS), a third-party learning portal, etc. SCIM services hosted on AWS Lambda are triggered by every SQS message received. For security, we used AWS Secrets Manager to hold all endpoints, usernames and passwords for third-party applications.

We set up monitoring using AWS CloudWatch, which helps in investigating service logs in case of issues. For single sign-on, we used an open-source SSO option like SimpleSAMLphp, hosted on AWS EC2 instances and accessed via an ELB (Elastic Load Balancer). AWS EBS (Elastic Block Store) stores log data from the EC2 instances to track user login attempts. Autoscaling on the EC2 instances brings up IdP instances in real time and also helps with load balancing.

The Benefits

As a result, the user provisioning process was automated and the manual workload of the operations team was reduced. Provisioning 100 users takes hardly 5 minutes, compared with almost a day of manual work previously. The solution is a serverless, independent-services architecture that is robust and scalable enough to handle bulk loads of new user data.

About the Company

The company is an international hotel and resort chain based in the United States, with locations worldwide. It offers brands in lodging franchising, vacation ownership, vacation rentals and vacation exchange. It is composed of more than 9,000 hotels under 21 brands spanning more than 75 countries on six continents, competing in brand markets ranging from economy to upscale.

The Challenge

The company needed to design a cloud governance framework that handles the responsibility for maintaining different AWS environments and maintains a standard of best practices for resource setup. It also needed to automate processes using AWS Lambda, guide application teams in leveraging various features of AWS services, and introduce new technologies that can be integrated with the cloud.

Solution

Kapstone proposed and implemented a solution using Amazon Web Services (AWS) that would meet all the needs of the company. We made use of various cloud governance and optimization tools such as Evident.io and AWS Trusted Advisor, and automated regular maintenance tasks by leveraging Lambda, API Gateway, IAM policies, CloudFormation and other AWS services.

We also used AWS resource tags to identify each resource and its use. An enterprise application, integrated with Lambda and API Gateway, tracks down invalid resources created in the various AWS environments, and monitoring was set up using it.

The Benefits

As a result, real-time security and threat analysis was successfully implemented on AWS resources. The cloud architecture was optimized to lower the cost. An effective representation of spending gave business stakeholders department-wise and application-wise detail, and the use of CloudFormation helped codify the infrastructure setup and deploy the solution in less time.

About the Company

The agency is a state Department of Health whose priority is improving population health by strengthening the State’s health system. The Department’s five branches, Public Health Services, Health Systems, Integrated Health, the Office of Population Health and the Office of Policy and Strategic Planning, work collaboratively toward that goal. Population health focuses on keeping healthy people in the state well, preventing those at risk from getting sick, and keeping those with chronic conditions from getting sicker. Population health promotes prevention, wellness and equity in all environments, resulting in a healthy state.

The Challenge

The agency had an immediate need to implement enterprise data lake services for COVID-19. The data analytics solution would help it perform efficient contact tracing for COVID-19 and provide reports (public and internal) on overall contact tracing performance. The data lake solution would then be used for other sources and use cases in the future.

Solution

Kapstone proposed and implemented a solution using Amazon Web Services (AWS) that would meet all the needs of the company. Various third-party data sources were integrated using services such as API Gateway, Lambda, Kinesis and S3. S3 buckets were designed to accommodate various data set types and schemas, and Glue crawlers were developed to parse the data and generate a logical schema. The data was then reported in various Tableau dashboards, which read the data from S3 via Athena. For security, we used AWS Secrets Manager to hold all endpoints, usernames and passwords for third-party applications. End users of the data lake were given least-privilege access. We set up monitoring using AWS CloudWatch, which helps in investigating service logs in case of issues.

The Benefits

As a result, a highly available data lake solution was built to handle near-real-time data. Serverless services helped reduce management overhead. The reporting process was automated to reduce the work of business users. The solution is a serverless, independent-services architecture that is robust and scalable enough to handle bulk loads of new data.

About the Company

Equinix, Inc. is an American multinational company headquartered in Redwood City, California. The company is a leader in global colocation data center market share, with 210 data centers in 25 countries on five continents. It connects the world’s leading businesses to their customers, employees and partners inside the most-interconnected data centers. On this global platform for digital business, companies come together across continents to reach everywhere, interconnect everyone and integrate everything they need to create their digital futures.

The Challenge

The company needed to move business-critical applications from on premises to the cloud. The objective was to build immutable infrastructure with end-to-end automation and embedded security, which would allow it to scale rapidly and securely to fulfil increasing global demand. It also needed to make sure the right DR strategy was in place to cope with unplanned incidents.

Solution

Kapstone proposed and implemented a solution using Amazon Web Services (AWS) that would meet all the needs of the company. The solution was designed with the AWS Well-Architected Framework and implemented a multi-account strategy with AWS Control Tower. We designed and implemented IaC using Terraform and Terragrunt to support the objective of immutable infrastructure. The work focused heavily on securing the infrastructure, with automation starting from the point a new account is provisioned via Control Tower. Bootstrapping steps were added to create a service role for CI/CD, configure custom AWS Config rules, and apply custom SCPs on newly provisioned OUs. We set up a private root certificate per environment and enabled critical logging for core services along with application-level auditing. AWS Lambda based, event-driven automation identifies and fixes non-compliance issues. We also designed and implemented a deployment strategy for microservices-based applications.

Detailed Solution

1. AWS Control Tower and Organizations
We designed an OU structure per Equinix product (application), with each OU covering all prod and non-prod environments, and designed and implemented custom Service Control Policies (SCPs) per product to cover the following requirements:

  • Region Restrictions to allow access to only 3 regions
  • Restriction to allow only Golden Image to provision EC2 instance
  • Restriction to use specific EC2 instance type
  • Disallow Human users to stop custom AWS Config rules
  • Disallow Human users to disable VPC flow logs
  • Disallow Human Users to disable ELB access logs
  • Disallow Human/Service account users to delete Core infrastructure resources, i.e.
    • ELBs
    • TGW Attachments
    • Security Groups
    • NACLs
  • Automation to enable and disable certain SCPs before production deployment, with approval flow design and implementation.
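
As an added illustration (not Kapstone's or Equinix's actual policy), a service control policy covering several of the requirements listed above might look like the following. The three region names, the image-owner account ID 111122223333 and the role name ExampleAutomationRole are constructed sample values; the page does not name them.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*", "organizations:*", "sts:*",
        "cloudfront:*", "route53:*", "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]
        }
      }
    },
    {
      "Sid": "DenyNonGoldenImages",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*::image/*",
      "Condition": {
        "StringNotEquals": { "ec2:Owner": "111122223333" }
      }
    },
    {
      "Sid": "DenyLoggingAndConfigTampering",
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteFlowLogs",
        "config:DeleteConfigRule",
        "config:StopConfigurationRecorder",
        "elasticloadbalancing:ModifyLoadBalancerAttributes"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/ExampleAutomationRole"
        }
      }
    }
  ]
}
```

The NotAction list in the region statement exempts global services whose API calls are not tied to one of the approved regions; without it the deny would block IAM and Organizations administration. Denying elasticloadbalancing:ModifyLoadBalancerAttributes blocks every load balancer attribute change, not only access-log settings, so those changes have to go through the exempted automation role.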

Deployment of AWS Control Tower and bootstrapping steps for newly provisioned accounts:

  • Create a service account role in the newly provisioned account
  • Delete all default VPCs from the regions which are not supported by Control Tower
  • Analyze the strongly recommended detective guardrails and apply them per OU

2. AWS SSO and IAM
AWS SSO was integrated with Ping Federation, and we designed and implemented a custom permission-set and group strategy. This implementation focused on human user access to the AWS environment.
AWS IAM is used for service accounts. We designated a specific AWS account in which all service accounts are provisioned as IAM users; these IAM users assume service roles in product-specific AWS accounts.
[Figure: high-level flow]

3. AWS Config
We identified the AWS Config rules that are not part of the detective guardrails and prepared the final requirements for Config rule setup. All custom AWS Config rules were deployed using Terraform via the security pipeline. We created a custom aggregator in the Audit account to stream all findings to a centralized console, and a custom S3 bucket in the centralized logging account to hold Config rule findings.

4. AWS ACM
We designed and implemented a private root CA per prod and non-prod environment in a shared account, and set up automation to export and import certificates in product accounts depending on whether the environment is prod or non-prod.
We also designed a separate flow to cover host-specific certificate requirements.

5. AWS KMS
We designed KMS keys per service account IAM user. Creation of KMS keys is implemented via the security pipeline, and usage of each KMS key is restricted per IAM user.

6. Centralized Logging
We designed and implemented a centralized logging solution for security-specific logs.
Types of logs:

  • AWS Services Security Logs
  • Application Specific Security logs
  • Other Applications logs
  • Operational Metrics
  • AWS Specific Security Logs

[Figure: logging and bucket structure]
For application-specific logs, we targeted the following types of logs and implemented the solution to stream them to the centralized logging account.

  • EC2 ( /var/log/secure )
  • RDS ( Audit Logs )

7. SIEM integration
We integrated the centralized logging bucket with the SIEM tool. We integrated with Securonix using the same approach we used in the POC for the Exabeam SIEM tool.

8. Compliance Tool (Prisma Cloud) implementation and Automation
We implemented the Prisma Cloud solution for compliance. This implementation was also done via the CI/CD pipeline, and with it we are able to generate the list of non-compliant resources per compliance framework.

The Benefits

As a result, a multi-account strategy with a zero trust architecture was successfully implemented. End-to-end automation was achieved to build immutable infrastructure with minimal end user interaction. A logging and auditing framework was implemented per compliance requirements.
