Are you using a CDN on your public-facing website? If you’re not, you should. Learn three ways CDNs bring best practices to your business, and why AWS CloudFront is the right choice, especially if you’re on the AWS cloud.
Security gaps threatened the company’s cloud migration, but crisis was averted with services from Lightstream.
A desire to stay innovative, modern, and operationally effective—three critical attributes in today’s competitive construction industry—led a large design-build construction company in the Midwest to explore the cloud. The company’s IT leadership team chose Microsoft Azure as their platform and purchased Prisma Cloud, a multi-cloud security offering from Palo Alto Networks, to provide added security protection for their cloud environments.
Once its Azure environment was implemented, the company began migrating applications. The team’s goal was to move as many applications as possible to the cloud, knowing some applications would have to remain on-premises, and their operating environment would result in a hybrid configuration.
After months of moving applications and deploying them into production, however, the company discovered problems. A security assessment revealed there were serious security gaps in the way Azure and Prisma Cloud had been implemented. If not addressed, the gaps would allow external entities to gain access to their environment, leaving the company’s systems vulnerable to breaches. This forced the company to stop its cloud migration and move applications back into its own data center.
With its cloud migration on hold, the company looked for a solution to solve its security problems and contacted Lightstream for help.
Once engaged, Lightstream Azure Cloud experts began gathering information. They reviewed the company’s business requirements, technology environment (infrastructure, data services, security landscape, application portfolio, and operations tools), and processes to gain a clear understanding of the company’s operating environment.
Next, the team evaluated the company’s existing Azure environment. They reviewed the company’s core cloud configurations, standards and governance, identity and access management (IAM), network interconnectivity, security, and monitoring, provided recommendations for changes to address issues, and then created an operational run-book with as-built documentation.
The next step was to review the Palo Alto Networks NGFW (next-generation firewall) configuration. The team reviewed the overall design of the appliances, assessed the Azure routing configurations, network placement, and connectivity, and recommended changes to remediate issues and ensure high availability.
The last step was to address the Palo Alto Networks Prisma Cloud implementation. The team evaluated the existing deployment, including policies and settings for resource configurations, user activities, network traffic, and host vulnerabilities, and made changes to resolve problems and ensure the environment operated correctly.
Remediation of Security Gaps and Reduced Business Risk
After completing the project with Lightstream, the company was able to eliminate its security gaps. External entities were no longer able to gain access to the company’s Azure environment through the known security vulnerabilities. This increased the confidence in the company’s cloud platform and lowered the risk of security breaches to the organization.
Secure Azure Environment with Next-Generation Firewalls
The company gained a secure Azure environment protected by Palo Alto Networks NGFWs in a high availability configuration. This enabled the company to resume migrating applications safely to the cloud and ensured its firewalls would be resilient.
Successful Prisma Cloud Implementation
With help from Lightstream experts, the company was able to overcome its initial problems and successfully implement Palo Alto Networks Prisma Cloud in its environment. This provided added security protection for the company’s cloud infrastructure and cloud-native applications.
Microsoft Azure and Palo Alto Networks NGFW design and implementation services from Lightstream help the company overcome edge security issues and deploy ERP in the cloud.
Dairy is a complex, regulated industry. Since the 1930s, the U.S. government has regulated milk prices. Minimum prices are set for fluid milk (based on several factors, including the price of butter, cheese, nonfat dry milk, and dry whey), and all processors must pay it. Different prices are set for milk used as an ingredient in dairy products, though the process is the same: the government sets the price, and processors pay it.
In addition, milk is a perishable product. As a result, the government sets strict standards on its use. Processors are unable to stockpile product to meet fluctuating consumer demand, which in recent years has been shifting to dairy alternatives like oat and soy milk.
These market realities put pressure on dairy processors. To address these challenges, a large dairy co-operative in the Pacific Northwest decided to expand its operations beyond its regional customer base with the goal of becoming a national brand. But to do that, the company first needed to modernize its systems by moving away from its on-premise legacy enterprise resource planning (ERP) system to Microsoft Dynamics 365 to establish a more flexible operating platform.
Midway through the project, however, the company ran into security problems. It turned out the company didn’t fully understand how to implement native cloud security controls available in Microsoft Azure and did not have proper edge security protection in place to satisfy governance and compliance regulations. After months of trying to correct the problem with the help of a 3rd-party firm, the company was unable to deploy its ERP solution and was faced with either seeking additional help or shutting down the project.
Prior to contacting Lightstream, the company had attempted to implement Palo Alto Networks NGFW (next-generation firewall) in Azure to provide edge security for its users. The company’s IT team was committed to the solution and its capabilities, but they had struggled with the implementation.
Once engaged, the Lightstream team reviewed the company’s requirements. They evaluated the existing Palo Alto NGFW configuration, executed an ingress and egress assessment, developed a security plan for implementing the company’s ERP system in the cloud using Azure native controls and Palo Alto NGFW as the edge inspection point, and architected the design to ensure high availability and resiliency. This was done by performing a customized Cloud Foundation Framework engagement.
After the design was completed, Lightstream built the Azure environment per the design blueprint, including VNets, network security groups, platform logging, and all native security controls. Then, the team implemented the Palo Alto NGFWs in a high availability configuration.
The final step was testing and validation. Lightstream’s Azure Cloud engineering experts helped test traffic flow, routing, and connectivity, as well as security functionality to ensure the solution provided the edge security protection the company needed.
Next-Generation Edge Security Protection
The company now has next-generation security to protect its systems. This includes IPS (intrusion prevention system) that examines network traffic to prevent vulnerability exploits, APT (advanced persistent threat) intelligence and detection, and other security capabilities that help keep data safe from cyber attacks.
Successful Migration to Microsoft Dynamics 365
With edge security in place, the company was able to move forward with its ERP project. Now, the company has replaced its legacy ERP solution with Microsoft Dynamics 365, providing the enhanced computing platform the company needs to expand its operation.
Cloud Managed Services Empower MasterControl through Business Optimization, Cost Control and Enhanced Security within AWS
As a leading provider of Enterprise Quality Management Software (EQMS), MasterControl prides itself on maintaining the highest standards of quality and operational excellence. In fact, the organization’s cloud-based QMS system is titled MasterControl Quality Excellence™. With some of the largest regulatory agencies and life-science companies in the world depending on MasterControl to help them expedite the process of providing people with life-changing products, they can’t afford to leave quality and compliance to chance.
MasterControl is an innovator in the use of cloud technology and started down the path of public cloud with AWS in 2010. They eventually became overwhelmed with the day-to-day contractual management of AWS and sought out a technology provider that could help them streamline processes, fine-tune security and contain costs. They found that partner in Lightstream, an AWS Advanced Consulting Partner that offers a variety of services to assist organizations in assessing, designing and managing their AWS environment.
Over the years, Lightstream has helped MasterControl to find better ways to grow their business with AWS while controlling costs. Lightstream’s assistance with onboarding new accounts and achieving savings discounts has enabled the company to overcome obstacles as they bolstered software development initiatives. AWS and Lightstream supported MasterControl as the company expanded into Europe and Asia Pacific, an expansion that the cloud made much faster and more seamless.
As most business leaders know, this magnitude of expansion is almost always accompanied by growing pains. MasterControl’s IT team found that it was being stretched thin and no longer had time or sufficient resources for the ongoing monitoring needed to detect potential cloud security issues. They had to find ways to manage security and reduce cloud spending as they worked to establish a strong global presence. Travis Ruiz, Director of Cloud Services at MasterControl, once again collaborated with long-time partner Lightstream to come up with a solution.
Lightstream knew that its Cloud Managed Services offering could provide MasterControl with enhanced financial optimization along with the security oversight that is critical in order for the company to prosper even during times of crisis. Cloud Managed Services helps companies to improve the day-to-day administration and management of their cloud infrastructure through a flexible mix of consulting, integration and managed services. Lightstream’s gold level service package identifies changes that must be made in MasterControl’s cloud environment for security, technical and financial optimization. Lightstream then implements the changes necessary to remediate the financial aspects of those optimizations, while MasterControl’s in-house team is able to remediate any security and technical issues Lightstream detects.
Lightstream negotiated an Enterprise Discount Plan (EDP) with AWS on behalf of MasterControl in order to achieve a considerable expense reduction. Cost optimization measures have been amped up with additional savings plans and in-depth reviews and revisions to its Reserved Instances contracts. Extensive tagging features and Lightstream Connect customized reporting were established to help the company save time and gain greater visibility while analyzing expenditures and appropriately allocating costs.
Since Lightstream began providing Cloud Managed Services to the company in 2017, MasterControl has been able to meet their stringent budget constraints, even during the worldwide Covid-19 pandemic. Like most organizations, MasterControl faced many challenges in 2020 as customers weren’t as active as they once were, which was negatively impacting the company’s revenue stream.
Despite this, they’ve managed to stay on track with the help of an eight percent discount on AWS costs along with additional savings. A dedicated team at Lightstream has ongoing interaction with MasterControl’s executive officers, regularly delivering detailed reports and savings summaries that demonstrate how Lightstream is helping the company reduce expenses.
MasterControl’s internal IT team is able to focus on keeping its cloud environment safe and secure with the help of Lightstream’s ongoing monitoring, analysis and reports that give insight into potential technical and security threats and concerns that must be remediated.
While MasterControl’s cloud journey with AWS propelled the company’s international growth, Lightstream has ensured business optimization and significant ROI along the way. Lightstream has helped MasterControl to scale down spending without lowering their high standards for quality, compliance and security. The company has managed not only to remain viable during this tumultuous time, but it’s starting to grow again even in the face of an economic downturn.
As MasterControl continues its steady expansion, Lightstream is unwavering in its promise to add value and foster growth within the AWS cloud environment. Lightstream stands ready to support MasterControl well into the future, with ever-broadening service offerings that can continue to help it succeed in its quest to maintain the highest standards of quality, safety and operational excellence.
What MasterControl had to say:
“We appreciate that Lightstream goes above and beyond to enrich our AWS cloud environment. Our long-term partnership with them has allowed us to keep customer success and innovation at the core of our operating philosophy without compromising on the cost and efficiency of our cloud infrastructure. We’re on track for continued growth with cloud technology firmly at the center of our product and services map.”
-Travis Ruiz, director of cloud services at MasterControl
Industry: Trade Union
The United Brotherhood of Carpenters is one of North America’s largest building trade unions, with over a half-million members. The union leads the way in training, educating and representing the next generation of skilled construction professionals.
With its scalable structure, pay-as-you-go pricing, and 99.95% SLAs, it’s no wonder Microsoft Azure is a long-time leader in the IaaS space. Its popularity is also due to the fact that it not only offers Infrastructure as a Service (IaaS) but also Software as a Service (SaaS) and Platform as a Service (PaaS). With Azure, clients can use the services purely in the cloud or combine them with any existing applications, data center or infrastructure already in place. But with all of this flexibility and reliability comes responsibility. It is critical that IT professionals understand Azure’s shared responsibility model as well as which security tasks are handled by the cloud provider and which tasks are handled by you.
Here are five common security mistakes that typically result from a rushed build/setup process and inadequate management, as well as tips on how you can avoid them when designing, deploying, and managing your Azure cloud solution.
Misconfiguration is a common occurrence in situations where an Azure solution is implemented without proper planning.
One aspect of misconfiguration is the assignment of roles to users. It is recommended that you follow the principle of least privilege and select a role that provides the user only with the amount of permission they need to do their job. Failing to follow this best practice leads to excess access permission which can easily be avoided by taking the time to properly assign these roles at the outset.
The old adage that “too many cooks spoil the broth” applies to countless scenarios, and Azure is no exception. Assigning too many administrators, failing to establish least-privilege permissions for those administrators, and not enabling Azure’s Multi-Factor Authentication (MFA) are risky oversights. MFA provides an extra layer of security by requiring administrators to provide authentication via phone call, text, or mobile app before they can log into the portal. This helps prevent the administrator’s account from being compromised or misused.
This misstep may seem obvious, but regardless of how many times people are warned against setting weak passwords, far too many people still use them. According to Microsoft, they see over 10 million username/password pair attacks every day across their platforms. Failing to assign strong passwords and to require that they be frequently updated creates vulnerabilities that are easily avoidable.
In setting up Azure services, Microsoft recommends the following to IT administrators:
Failing to turn on the logging feature is another common misstep in the building process. First, logging must be turned on to permit access visibility. But it doesn’t stop there. The Azure Activity Log must be regularly monitored to gain insight into who is accessing and managing your Azure subscription and to track all create, update, delete, and action activities performed. In addition, an investment in Sentinel – Azure’s cloud-native security information and event manager (SIEM) platform – can go a long way, as it uses built-in artificial intelligence to quickly analyze large volumes of data across an enterprise.
Haste and lack of expertise in the configuration of your security tools can mean huge exposure risks for your organization. Failing to enable Azure’s security center and its highly valuable native security tools is a big no-go as it leaves your data open to breaches.
Network Security Groups (NSGs) are the foundation of all network security designs in Azure, and therefore should always be applied to safeguard the subnets of a virtual machine-based web application deployment. In a typical design, there is a virtual network and subnets. The subnets should not be assigned a public IP that could open unwanted ports. NSGs control access by permitting or denying network traffic, whether that traffic is communication between different workloads on a VNet, network connectivity from an on-site environment into Azure, or a direct internet connection.
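As an added illustration (not part of the original article and not Lightstream's code), the Python sketch below walks an NSG's inbound rules in priority order to decide whether a management port is reachable from the whole Internet. The sample rules are constructed, the field names assume the JSON printed by `az network nsg show`, and treating ports 22 and 3389 as the management ports to check is an assumption.

```python
import json

# Constructed sample, shaped like the securityRules array of `az network nsg show`.
SAMPLE_RULES = json.loads("""
[
 {"name": "allow-https", "priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
 {"name": "allow-out", "priority": 110, "direction": "Outbound", "access": "Allow",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
 {"name": "allow-admin-office", "priority": 150, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"},
 {"name": "deny-rdp", "priority": 200, "direction": "Inbound", "access": "Deny",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
 {"name": "allow-mgmt-range", "priority": 300, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*",
  "destinationPortRanges": ["22", "3380-3400"]}
]
""")

# Source prefixes that match every Internet address.
WHOLE_INTERNET = {"*", "internet", "0.0.0.0/0"}
# Assumption: SSH and RDP are the management ports worth flagging.
MANAGEMENT_PORTS = (22, 3389)


def _values(rule, single, plural):
    """Merge the singular and plural forms of a rule field into one list."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals


def covers_internet(rule):
    """True when the rule's source matches any Internet address."""
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(s.lower() in WHOLE_INTERNET for s in sources)


def covers_port(rule, port):
    """True when the port falls in one of the rule's destination ranges."""
    for spec in _values(rule, "destinationPortRange", "destinationPortRanges"):
        if spec == "*":
            return True
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def decide(rules, port, protocol="Tcp"):
    """Return (access, rule name) for Internet traffic to the given port.

    Rules are evaluated lowest priority number first and the first match wins.
    Rules with a narrower source are skipped: they neither open the port to
    everyone nor close it for everyone. Destination addresses are ignored.
    """
    inbound = [r for r in rules if r["direction"].lower() == "inbound"]
    for rule in sorted(inbound, key=lambda r: r["priority"]):
        if rule["protocol"].lower() not in ("*", protocol.lower()):
            continue
        if covers_internet(rule) and covers_port(rule, port):
            return rule["access"], rule["name"]
    # No custom rule matched: the built-in default denies Internet inbound.
    return "Deny", "DenyAllInBound"


def exposed_management_ports(rules):
    """List (port, rule name) for management ports open to the Internet."""
    findings = []
    for port in MANAGEMENT_PORTS:
        access, name = decide(rules, port)
        if access.lower() == "allow":
            findings.append((port, name))
    return findings


if __name__ == "__main__":
    for port, name in exposed_management_ports(SAMPLE_RULES):
        print(f"port {port} is open to the Internet via rule {name}")
```

In the sample, the broad range in `allow-mgmt-range` would also open 3389, but the higher-priority `deny-rdp` rule shadows it, which is why evaluation order matters when reviewing rules.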
IT administrators often view their Azure cloud solution as just a data center, but it’s essential to remember that this isn’t a case of “set it and forget it.” In fact, your job is far from over once the migration or build is complete; ongoing management and security are critical to the success of your Azure environment.
Proper management of your solution requires a multi-faceted approach. In addition to maintaining compliance with organizational and regulatory security requirements, you must continuously monitor the machines, networks, storage, data services, and applications to protect against potential security issues. Prioritize security alerts and incidents so you can zero in on the most critical threats first. Troubleshooting will be easier if you track changes and create alerts to proactively monitor critical components. Managing update schedules will ensure that your solution is equipped with the latest tools to support ongoing operations.
The bottom line is that your Azure solution is only as strong as the team supporting it. Therefore, IT professionals must do everything in their power to remediate security vulnerabilities before attackers have a chance to take advantage of them. If security and technical expertise and staffing have become obstacles to the effective implementation of your cloud strategy, turn to Lightstream’s Cloud Managed Services (CMS) for help overcoming these challenges.
Cloud Foundation and Managed Services help architect an Azure environment to securely support a new line-of-business application
A regional bank in the Pacific Northwest was facing a challenge. The company had 200 locations and aggressive growth plans to triple its business in the next two years. To accomplish its objectives, and offer more modern customer experiences, the organization needed to make changes to its applications and infrastructure.
The company operated two data centers in an active-passive architecture. Maintaining the active-passive configuration meant every time hardware or software was installed at the primary location, a duplicate was installed at the backup site.
Operating two data centers in this way was expensive. The company found that it was buying 2-3 times the amount of capacity it really needed, leaving a lot of costly resources stranded and unused. For this reason, the bank wanted to move applications to the cloud and eventually eliminate the need for a second on-premise data center.
To begin, the company selected a customer-facing application to move to Microsoft Azure. The goal was to integrate the new 3rd-party SaaS application while purchasing no additional hardware, adhering to security and regulatory compliance, and improving business continuity.
But the company had no previous experience working with Azure or with managing cloud environments.
Seeking help with the move to Azure, the bank engaged Lightstream in 2019. To gather data about the company’s technical environment and to establish a baseline, Lightstream consultants performed a Cloud Foundation Workshop. The workshop helped the company better understand Azure and the basics of cloud operations and security.
When the workshop concluded, the Lightstream team worked with the company to design a secure architecture to support the SaaS application. The effort included writing custom integration code that enabled the SaaS provider to securely access line-of-business application data in Azure and creating re-factored SQL databases in Azure to support a SaaS solution. The design allowed the company to successfully move the application and created an architecture, process, and procedure for moving more applications into Azure without needing to re-write, re-architect, or re-engineer the environment for every subsequent application.
Cloud Architecture to Support Strategic Business Goals
Beginning with a Lightstream Cloud Foundation Workshop, the company was able to design and implement a secure cloud architecture. This enabled bank operations to support a new customer-facing line-of-business application while providing visibility for operational and security teams. And it established a baseline process for moving more applications to Azure as business needs arise.
In addition, the cloud architecture positions the company to move forward with its redesigned disaster recovery strategy. The company can now confidently move more applications to Azure and reduce the need for additional hardware at its backup data center.
Ongoing Cloud Management and Optimization
Having limited experience with cloud environments was a concern for the company. To address this, the company uses Lightstream Cloud Managed Services for ongoing Azure management and optimization of financial, technical, security, and operational aspects of the environment.
Access to Specialized Technical Experts When Needed
Cloud expertise and specialized skills can be difficult to find and expensive to hire. Engaging Lightstream has enabled the company to get the benefit of cloud experts without adding people to its staff.
Improved Cross-IT Communication
One unexpected benefit of working with Lightstream has been the impact on cross-IT communication. Like many organizations, the company’s IT group operated in vertical silos. This often was a challenge, because technical problems often crossed silo boundaries and required cross-group communication and collaboration to resolve them. But effective communication between groups was sometimes hard to achieve and caused delays in finding the root cause of issues.
Lightstream Cloud Managed Services, while focused on supporting the company’s Azure environment, has provided a consistent presence to help solve technical problems. With technical expertise in all aspects of IT, including networking, storage, server, and security, and visibility of the company’s entire network, Lightstream’s technical experts have provided valuable insight and helped bridge communications between different parts of the IT organization.
To learn more about how Lightstream Cloud Foundation Workshop or Cloud Managed Services can help your business create a secure cloud architecture, reduce costs, and improve user experience, visit www.lightstream.tech/solutions/managed-services/.
Cloud Foundation Framework helps the company meet FedRAMP requirements and secure a new government contract.
Winning a government contract is a big achievement. It takes months, and sometimes years, of diligence and hard work. New business in the public sector brings many benefits, but it also creates new requirements and responsibilities for the service provider.
For one SaaS company, securing a new government contract was contingent on the company’s ability to meet FedRAMP (Federal Risk and Authorization Management Program), a strict set of federally-mandated requirements for cloud products and services. At the time, the company operated 15 data centers around the world and had no public cloud footprint. Though the company’s application was cloud-ready, it was designed to run only in a private cloud environment.
The company needed an ecosystem to run its software that complied with FedRAMP. But to establish that ecosystem within its own data centers would take a long time to achieve and require a substantial investment.
To address this challenge, the company decided to use Microsoft Azure Government, Microsoft’s cloud service designed specifically for government agencies. But to meet the contract requirements, the IT team needed to architect and build the Azure environment quickly and ensure it met all FedRAMP specifications. As a result, they reached out to Lightstream for help.
The first step was to assess the company’s existing environment—infrastructure, security requirements, application dependencies, and processes—and design Azure to meet both the application needs and FedRAMP requirements. This was done by performing a Cloud Foundation Framework engagement.
Next, Lightstream cloud experts built the new environment. The Azure platform was implemented using a design blueprint, which was created during the framework engagement and defined all the technical specifications for the new environment. The work included defining the Azure architecture, implementing all infrastructure (IaaS) components, networking services, Azure SQL, security, and app services needed to make the platform operational.
The final step was validating the environment. Lightstream specialists helped the company execute a proof of concept (POC) project. The company’s application was deployed to Azure and tested to ensure it functioned properly and met all FedRAMP specifications.
Successful Migration to Azure Government
Through the Cloud Foundation Framework engagement, the company was able to successfully migrate all its production instances to Azure and meet FedRAMP regulations. This enabled the organization to deliver on the requirements specified in the contract, expanding the company’s presence in the public sector space and increasing its revenue.
CMMC and FedRAMP-compliant Platform
The company’s Azure environment met all FedRAMP requirements and CMMC (Cybersecurity Maturity Model Certification) compliance. This established a platform the company can use to pursue more public sector business opportunities in the future, especially those that require CMMC compliance.
Positioning for Future Cloud Migration
With its cloud strategy firmly set, the company is now positioned to migrate additional workloads and data storage from its existing data centers to the cloud. This will enable them to leverage the cloud’s scalability, flexibility, and operational advantages to lower data center costs over time, address skill-gap challenges, and remove facility-based barriers to growth.
To learn more about how Lightstream Managed Services can help you architect, implement, and manage a hybrid cloud environment that meets your business needs, visit www.lightstream.tech/solutions/managed-services/.