At Welkin, we’re constantly evaluating our infrastructure to improve security controls for our platform. Our evaluations identified key areas for improvement, leading us to adopt a new security model: BeyondCorp.
BeyondCorp is an enterprise security model created and improved upon by Google. It assigns access controls to individual devices and users, rather than networks. This gives employees secure remote data access without relying on virtual private networks (VPNs).
To move us closer to the BeyondCorp model, Welkin’s infrastructure team has undertaken 3 major projects:
- Amazon Web Services (AWS) Sessions Manager
- Identity-aware proxies
- Device Trust
One piece of the BeyondCorp strategy is accessing Elastic Compute Cloud (EC2) instances without managing the inbound entry points, such as through a Secure Shell (SSH) connection. In this post, we focus on AWS Session Manager as an alternative for replacing a Secure Shell connection to EC2 instances.
Moving off of VPN
Welkin’s infrastructure team takes a number of precautions to ensure the safety of users’ data. This includes using a virtual private network (VPN) to protect remote data access. VPNs create a safe tunnel between two or more devices. They safeguard private web traffic from snooping, interference, and censorship. We use OpenVPN to secure remote access to our AWS environment. But, OpenVPN’s complicated feature-set can be difficult to manage and operate. Additionally, VPNs must be directly internet-accessible, which creates opportunities for potential attacks. So we recently explored and implemented alternative security channels to replace our VPN.
Introducing, Sessions Manager
AWS Sessions Manager is a modern alternative for replacing a Secure Shell (SSH) connection. It provides a connection to instances running on our virtual private cloud (VPC). VPCs offer isolated networks with exclusive access. We use AWS VPC to host our production and test environments. Amazon’s Sessions Manager allows us to manage our Elastic Compute Cloud (EC2) instances through the Command Line Interface (CLI) without the need for inbound ports or SSH keys, having exactly one entry point to the VPC.
There have been benefits and trade-offs from replacing our VPN:
- Secure Access – Session Manager communicates with instances via AWS Systems Manager Agent (SSM Agent). The SSM Agent sends data across an encrypted tunnel originating from the instance. It doesn’t require a bastion host, VPN, or SSH port.
- Auditability – Session Manager allows us to log and audit our AWS activity on EC2 instances through Amazon CloudWatch.
- Access Control – Identity and Access Management (IAM) policies determine who can access data in AWS. Using Session Manager, we define and oversee these policies. This ensures permissions-based access for employees, without distributing SSH keys
- Sessions Manager is a new technology, and AWS is still building its capabilities. Although it provides better security, our engineers found it was still rough around the edges. They experienced some incompatibility with existing scripts that relied on SSH.
Implementing AWS Sessions Manager is just one step in moving towards the BeyondCorp security model. Welkin’s infrastructure team has also focused on:
- Identity-aware proxies – moving away from AWS Elastic Load Balancers (ELB) and adopting Application Load Balancers (ALBs)
- Device Trust – ensuring that only known and secured devices can access our managed infrastructure
The infrastructure team’s work has already greatly improved Welkin’s cloud security. As we continue our push towards BeyondCorp, we’ll publish subsequent articles explaining why and how our security controls have changed. Our goal is to encourage other companies to implement similar strategies to keep their data safe.