Customer case
Global retail food division enhances security with centralized cloud firewall
The Challenge
A major food service division of one of Forbes’ World’s Largest Private Companies with operations across 400+ locations in 50+ countries sought to strengthen their AWS cloud security architecture. The client was experiencing inconsistent firewall policies across their environment, creating potential security gaps. Their existing security infrastructure needed enhancement to support their expanding cloud-based operations while ensuring secure traffic flow across all Transit Gateways.
Security was a top priority for the customer, who had already implemented OpenSearch as a SIEM solution and maintained a rigorous patching process. This centralized firewall project represented the next step in their ongoing security maturity journey. The company needed to meet stringent security compliance criteria across their global operations, requiring comprehensive monitoring and consistent security controls.
Why Elastic Move
Elastic Move was chosen for our deep understanding of AWS network security architecture and proven expertise in AWS security implementations. As a trusted partner for over 10 years, we’ve consistently delivered secure, reliable solutions that address our clients’ evolving needs. Our team’s specialized knowledge in AWS Network Firewall, Transit Gateway, and security integration has established us as trusted advisors in designing end-to-end cloud security frameworks.
Our security specialists bring extensive experience in implementing centralized firewall solutions that provide consistent protection across complex multi-regional environments. With certified AWS security professionals and a track record of successful implementations, we excel at translating stringent security requirements into practical, scalable architectures that enhance visibility while simplifying management.
- 15+ years of AWS experience
- Certified security experts
- Specialized knowledge in AWS Network Firewall & Transit Gateway
The Strategy
Elastic Move conducted a thorough security assessment that included a detailed gap analysis, where we evaluated the current environment’s compliance level across different security criteria. This assessment served as critical input to the design process, ensuring the solution would address all identified security gaps while meeting the company’s strict compliance requirements.
We designed a solution leveraging AWS’s advanced security services to create a centralized and scalable security architecture that would satisfy their stringent security standards.
Our Approach
Our approach included:
- Designing a hub-and-spoke network architecture using AWS Transit Gateway to connect multiple VPCs across regions.
- Implementing AWS Network Firewall in strategic inspection VPCs to filter both north-south and east-west traffic.
- Configuring stateful firewall rules for consistent policy enforcement.
- Creating a monitoring solution integrated with their existing OpenSearch SIEM.
- Implementing infrastructure-as-code using CloudFormation for consistent deployments.
AWS Services used
The solution leveraged several key AWS security services:
- AWS Network Firewall: Deployed as a managed network firewall service that provided essential protection for VPCs. We configured stateful inspection rules to filter traffic based on protocol, source, and destination, creating a consistent security boundary across the entire cloud environment.
- AWS WAF (Web Application Firewall): Implemented to protect web applications from common exploits and attacks. We configured custom rule sets to address specific application vulnerabilities and integrated AWS WAF with their content delivery infrastructure to ensure protection at the edge.
- AWS Certificate Manager: Utilized to provision, manage, and deploy SSL/TLS certificates for secure communications. This enabled encrypted connections for both internal services and customer-facing applications, with automated certificate renewal to eliminate security lapses caused by expired certificates.
- Amazon OpenSearch: Enhanced their existing OpenSearch deployment by ingesting AWS Network Firewall logs for centralized security monitoring and analysis. This integration provided real-time visibility into network traffic patterns, potential threats, and security events across their entire cloud infrastructure, enabling faster detection and response to security incidents.
- Amazon CloudWatch: Implemented as an intermediate log destination, establishing a standardized pattern in which logs from Network Firewall and other AWS services are first collected in CloudWatch Logs and then distributed to S3 and OpenSearch through CloudWatch Logs Subscription Filters and Kinesis Data Firehose. This gives a consistent logging framework even for services that don’t support direct S3 logging, so every component of the security infrastructure is visible through one unified approach to log management.
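One practical wrinkle in the CloudWatch-to-Firehose hop of this pattern: a subscription filter hands Firehose each batch as a gzip-compressed, base64-encoded envelope, so a Firehose transformation has to unpack it before OpenSearch can index the individual Network Firewall events. The Python below is an added example, not code from the original case study or from Elastic Move; the envelope layout follows the CloudWatch Logs subscription format, while the log group name, account id and alert message are constructed samples.

```python
import base64
import gzip
import json

def unpack_subscription_record(data_b64: str) -> list:
    # Decode one Firehose record into the CloudWatch log events it carries; [] for CONTROL_MESSAGE records
    envelope = json.loads(gzip.decompress(base64.b64decode(data_b64)))
    if envelope.get("messageType") != "DATA_MESSAGE":
        return []
    docs = []
    for ev in envelope["logEvents"]:
        doc = json.loads(ev["message"])          # Network Firewall emits one JSON object per log line
        doc["log_group"] = envelope["logGroup"]  # keep provenance so OpenSearch queries can filter on it
        docs.append(doc)
    return docs

def transform(firehose_event: dict) -> dict:
    # Lambda-style Firehose transform: one output record per input, payload as newline-delimited JSON
    out = []
    for rec in firehose_event["records"]:
        try:
            docs = unpack_subscription_record(rec["data"])
        except (ValueError, KeyError, OSError):  # bad base64, gzip or JSON: route to Firehose's error output
            out.append({"recordId": rec["recordId"], "result": "ProcessingFailed", "data": rec["data"]})
            continue
        if not docs:                             # control message: nothing to index
            out.append({"recordId": rec["recordId"], "result": "Dropped", "data": rec["data"]})
            continue
        payload = "".join(json.dumps(d) + "\n" for d in docs).encode()
        out.append({"recordId": rec["recordId"], "result": "Ok", "data": base64.b64encode(payload).decode()})
    return {"records": out}

def decode_ndjson(data_b64: str) -> list:
    return [json.loads(line) for line in base64.b64decode(data_b64).decode().splitlines()]

def pack_envelope(message_type: str, messages: list) -> str:
    # Mimics the gzip+base64 envelope CloudWatch Logs sends to Firehose (constructed input, not captured)
    events = [{"id": str(i), "timestamp": 1700000000000 + i, "message": m} for i, m in enumerate(messages)]
    env = {"messageType": message_type, "owner": "123456789012", "logGroup": "/aws/network-firewall/alert",
           "logStream": "fw-stream", "subscriptionFilters": ["to-firehose"], "logEvents": events}
    return base64.b64encode(gzip.compress(json.dumps(env).encode())).decode()

# Constructed, abbreviated Network Firewall alert log line (a stateful rule blocking east-west telnet)
ALERT = json.dumps({"firewall_name": "central-fw", "event": {"event_type": "alert", "proto": "TCP", "src_ip": "10.1.2.3",
         "dest_ip": "10.9.8.7", "dest_port": 23, "alert": {"action": "blocked", "signature": "Deny telnet east-west"}}})

def demo() -> dict:
    records = [{"recordId": "r1", "data": pack_envelope("DATA_MESSAGE", [ALERT, ALERT])},
               {"recordId": "r2", "data": pack_envelope("CONTROL_MESSAGE", [])},
               {"recordId": "r3", "data": base64.b64encode(b"plain text, not gzip").decode()}]
    return transform({"records": records})
```

Records marked ProcessingFailed carry their original data so Firehose can land them in its error prefix on S3 for later inspection rather than silently losing them.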
The Benefits
The centralized cloud firewall implementation delivered significant business value:
- Compliance Achievement: Successfully met the company’s stringent security compliance criteria through consistent controls and monitoring.
- Enhanced Security: Consistent policy enforcement across all environments.
- Operational Efficiency: Streamlined management of firewall rules, allowing IT teams to focus on innovation.
- Improved Visibility: Significantly enhanced visibility into network traffic across cloud environments through centralized log analysis in OpenSearch and CloudWatch monitoring.
- Security Integration: Successfully integrated multiple security tools into a cohesive security monitoring system.
- Business Agility: Security controls now seamlessly scale with their expanding cloud footprint.
- Architectural Consistency: Established a standardized approach to network security across regions.
- Certificate Management: Eliminated risks associated with expired certificates through automated management.
- Application Protection: Strengthened defense against web-based attacks with customized WAF rules.
- Threat Detection: Improved ability to identify suspicious patterns and potential security incidents through log analysis.
The new security foundation enables the client to confidently expand their cloud presence while maintaining consistent security controls across their global operations, all while ensuring compliance with their strict security requirements.