PercayAI Operating Securely in the AWS Cloud
In This Case Study
PercayAI is a startup with a team of computer scientists, computational biologists, chemists and life science executives devoted to understanding the complexities of human biology. Its primary objective is to enhance a patient's quality of life by reimagining the drug discovery process with innovative augmented intelligence software. That software improves the speed, cost and success rate of diagnostics and drug development.
Using a unique integration of novel heuristics and machine learning saves researchers time and energy by enabling rapid generation of testable hypotheses from complex, omic and multi-omic data sets. Omics aims at the collective characterization and quantification of pools of biological molecules that translate into the structure, function and dynamics of an organism or organisms. Organizing and prioritizing relevant data in a highly contextual manner is not possible with traditional tools.
Many startups adopt AWS because they can quickly spin up the services needed to support their applications. This enables a faster time to market, which can be a competitive advantage in serving end users. Unfortunately, rapid cloud adoption can also leave a gap in strategy around growth, operations, business objectives, cost optimization and security.
PercayAI's application began to see great success, which required its operations team and AWS infrastructure to scale to support more customers and workloads. This in turn created the need to deploy a new AWS environment with a foundation based on automation and security.
PercayAI, working together with WWT Cloud Architects and Engineers, designed and deployed a customized Landing Zone based on AWS Best Practices.
A secure foundation in AWS started with a new deployment centered on AWS Control Tower. Control Tower provided several key services, including AWS Organizations, AWS Single Sign-On, CloudTrail, Config and SNS, along with repeatable, secure account deployment through Account Factory.
Using Account Factory in Control Tower allowed for a repeatable and automated account provisioning strategy. Account Factory automates the provisioning of AWS Config logs and CloudTrail logs and establishes a secure framework of centralized logging for long-term archive and central analysis.
VPC Flow Logs
After the new AWS foundation was deployed, additional steps were taken to further secure the environment. Automating VPC Flow Logs with Lambda, CloudWatch Events, Log Groups, Subscriptions and Kinesis Firehose ensured that Flow Logs are automatically enabled for every VPC and delivered to a central location for long-term archive and log analysis.
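One way to implement the auto-enable step described above, as an added example that is not code from the case study or from WWT: a Lambda handler triggered by a CloudWatch Events rule on the CloudTrail CreateVpc event that turns on Flow Logs for the new VPC and points them at a central log group. The log group name, delivery role ARN and the fake client used for offline testing are assumptions.

```python
"""Auto-enable VPC Flow Logs on VPC creation (constructed Lambda example).

An EventBridge/CloudWatch Events rule matching the CloudTrail `CreateVpc`
event invokes handler(); flow logs are sent to one central CloudWatch log
group, from which a subscription filter can feed Kinesis Firehose. The ec2
client is injected so the logic can be exercised offline with a fake.
"""
import os

# Central log group and delivery role are assumed names, not from the page.
CENTRAL_LOG_GROUP = os.environ.get("CENTRAL_LOG_GROUP", "/central/vpc-flow-logs")
DELIVERY_ROLE_ARN = os.environ.get(
    "FLOW_LOG_ROLE_ARN", "arn:aws:iam::111111111111:role/flow-log-delivery")


def vpc_id_from_event(event):
    """Pull the new VPC id out of the CloudTrail CreateVpc record."""
    return event["detail"]["responseElements"]["vpc"]["vpcId"]


def ensure_flow_logs(ec2, vpc_id):
    """Return the id of an ACTIVE flow log for vpc_id, creating one if absent."""
    existing = ec2.describe_flow_logs(
        Filters=[{"Name": "resource-id", "Values": [vpc_id]}])["FlowLogs"]
    active = [f for f in existing if f.get("FlowLogStatus") == "ACTIVE"]
    if active:
        return active[0]["FlowLogId"]  # already covered; stay idempotent on re-runs
    resp = ec2.create_flow_logs(
        ResourceType="VPC",
        ResourceIds=[vpc_id],
        TrafficType="ALL",  # capture accepted and rejected traffic
        LogDestinationType="cloud-watch-logs",
        LogGroupName=CENTRAL_LOG_GROUP,
        DeliverLogsPermissionArn=DELIVERY_ROLE_ARN,
    )
    if resp.get("Unsuccessful"):
        raise RuntimeError(f"flow log creation failed: {resp['Unsuccessful']}")
    return resp["FlowLogIds"][0]


def handler(event, context=None, ec2=None):
    """Lambda entry point; boto3 is imported lazily so offline tests need no AWS."""
    if ec2 is None:
        import boto3  # real client only when running in Lambda
        ec2 = boto3.client("ec2")
    vpc_id = vpc_id_from_event(event)
    return {"vpcId": vpc_id, "flowLogId": ensure_flow_logs(ec2, vpc_id)}
```

The same handler can be run once over the output of describe_vpcs to bring pre-existing VPCs under coverage; the ACTIVE check keeps that sweep idempotent.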
AWS Web Application Firewall (WAF)
The application has a public-facing Application Load Balancer, and its web traffic needed another layer of security. AWS Web Application Firewall (WAF) 2.0 was implemented with AWS Managed Rule sets focused on SQL injection, Unix, IP reputation and Open Web Application Security Project (OWASP) coverage.
Amazon GuardDuty was implemented as a threat detection service that continuously monitors for malicious activity in each AWS account. GuardDuty analyzes events across many services, sends all findings to the central management account and stores them for long-term archive and analysis.
AWS Security Hub
AWS Security Hub was enabled to provide compliance and security guidance by following the Center for Internet Security (CIS) AWS Foundations Benchmark. The benchmark focuses on IAM, logging, monitoring and networking, and adds another tool for maintaining a strong security posture in a multi-account environment. The management account was designated the Security Hub management account, so all findings can be analyzed from a central location.
For WWT, the goal is to help customers enable business growth by designing and deploying reliable and secure AWS environments. The starting point for any application deployment in AWS is a secure, reliable and automated foundation.
Security in AWS is a multi-tiered approach: it starts at the foundation, is applied at every tier of an application, and is continuously monitored and alerted on. Implementing a secure foundation and multiple layers of security has given PercayAI the confidence in AWS to continue to grow its business.
"The team from WWT has done an amazing job transforming our partially-baked, single-account AWS environment into a (still evolving) best practice work of art. They have provided us with a secure, orchestrated, multi-account framework that will grow with our company and of which we can be proud to present to our customers." COO – PercayAI