We protect your data

Security has always been a top priority, and we have relentlessly pursued a robust and mature security strategy since Day 1. Security isn't just about technology, it's about trust. Over the past years, we've worked hard to earn the trust of hundreds of companies worldwide. We'll continue to work hard every day to maintain that trust. Read more here.

AWS Blu Age integrates with the AWS Mainframe Modernization service to expedite the migration of mainframe applications to AWS. The initial step for each migration project involves creating a fresh, isolated and dedicated AWS Blu Insights environment fully managed by the customer. This environment is fortified with a set of security measures and safeguards implemented to protect customers’ uploaded artifacts throughout the entire duration of the project lifecycle.

This fortified environment undergoes regular and rigorous scrutiny through AppSec reviews and penetration tests performed by an independent security team within AWS. This ensures that the security controls and configurations align with AWS security standards’ best practices.

It is also important to mention that AWS Blu Insights does NOT:

  • Allow users to create, configure, or host workloads.
  • Execute any uploaded content.
  • Require production data.

Tenant isolation

AWS Blu Insights is a managed service operating in a multitenant environment meticulously designed with clear-cut boundaries between resources.

These airtight measures suppress any possibility of cross-tenant access and ensure data security through rigorous logical isolation.

The resources you entrust with us remain strictly inaccessible to other tenants.

AWS Blu Insights' isolation scheme is rooted in a combination of identity and other sophisticated constructs, prominently featuring Role-Based Access Control (RBAC).

Our approach revolves around storing comprehensive tenant context for each customer.

This context includes a wide range of information linked with that tenant such as their affiliated database, owned license, accessible features, permitted projects, and more.

The AWS Blu Insights contextual framework integrates seamlessly with the application.

Upon successful authentication, the system promptly provides the application with the instrumental tenant context. It encapsulates the user’s association with a specific tenant and the underpinning policies mandated to ensure strict isolation.

This context flows through downstream components' interactions and is used to scope access to resources ranging from projects to files and documents.

Each single operation undergoes separate stringent verifications, effectively preventing spoofing and escalation of privilege.

For more details about tenant isolation, read this whitepaper or watch this video.

Identity and Access Management

Authorized users get access to AWS Blu Insights through the AWS console using their AWS accounts. When a user seeks access to the service, the email address associated with the request becomes tied to their AWS account.

In scenarios where multiple users share the same AWS account, a distinct isolated environment is generated for each user. This prudent approach ensures the integrity of the operational environment.

The control of individual user rights in the scope of a project rests securely in the hands of the project owners. They can manage these controls by granting fine-grained user permissions tailored to specific actions. Customer data, including pivotal elements like source code files and analysis, can only be accessed by fellow users if those items were specifically shared with them, or if the items have been placed within a shared feature.

AWS Blu Insights offers a flexible data access control system that adapts to your requirements. Project owners take the reins by configuring their personalized access roles, offering the choice of over 50 different permissions. This impressive range of permissions governs all user actions and access levels to specific features and content.
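The tenant-context scoping described under "Tenant isolation" and the owner-configured, fine-grained project permissions described above, as an added illustration in Python (this is example code, not AWS Blu Insights' own implementation; the claim names, role names and permission names are assumptions):

```python
from dataclasses import dataclass, field

# Constructed sample roles: a project owner bundles fine-grained permissions
# into roles. The real service offers 50+ permissions; these are illustrative.
ROLES = {
    "owner":  {"read_file", "upload_file", "delete_file", "manage_roles", "share_item"},
    "editor": {"read_file", "upload_file"},
    "viewer": {"read_file"},
}

@dataclass(frozen=True)
class TenantContext:
    """Built once after authentication and carried through every operation."""
    tenant_id: str
    user: str
    permitted_projects: frozenset   # projects this tenant is allowed to touch
    project_roles: dict             # project_id -> role name for this user

@dataclass
class Artifact:
    tenant_id: str
    project_id: str
    owner: str
    shared_with: set = field(default_factory=set)
    in_shared_feature: bool = False

def context_from_claims(claims: dict) -> TenantContext:
    # Assumed claim layout; only call this on claims whose JWT signature
    # has already been verified upstream (e.g. by the Spring Security filter).
    return TenantContext(claims["tenant_id"], claims["sub"],
                         frozenset(claims["projects"]), dict(claims["roles"]))

def authorize(ctx: TenantContext, action: str, art: Artifact) -> bool:
    """Every operation is checked in full; there is no 'already trusted' path."""
    if art.tenant_id != ctx.tenant_id:              # logical tenant isolation
        return False
    if art.project_id not in ctx.permitted_projects:  # project scoping
        return False
    granted = ROLES.get(ctx.project_roles.get(art.project_id, ""), set())
    if action not in granted:                       # fine-grained RBAC
        return False
    if action == "read_file":                       # sharing gate on customer data
        return (ctx.user == art.owner or ctx.user in art.shared_with
                or art.in_shared_feature)
    return True
```

Note that a colliding project id in another tenant's claims is rejected at the tenant check before any role is consulted, and a viewer cannot reach "manage_roles" even on an item shared with them.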

Data Protection

Comprehensive artifact protection

Artifacts uploaded to AWS Blu Insights are secured in transit via TLS encryption and at rest on AWS EFS, where they are encrypted with AWS KMS keys that are automatically rotated, with vigilant monitoring of rotation integrity.

Layered access security

Access to the customer’s EFS folder is fortified at:

  • Application layer: through JWT authentication with Spring Security and business rules authorization.
  • Infrastructure layer: through restricted mounting permissions to a specific IAM role.

Shared responsibility model

Customers exercise full control over their resources. They can:

  • Dictate fine-grained access permissions for their artifacts.
  • Delete an artifact at any moment (any backup copies of it are automatically and completely erased).

Customers, on the other hand, are responsible for not including sensitive data (PII, PHI, PCI...) in what they upload.

Security best practices

Vulnerabilities Management and Scanning

As an AWS Mainframe Migration managed service, AWS Blu Insights rests on a fortified software stack which undergoes daily scans to detect any vulnerabilities. These scans yield automatic reports, swiftly followed by patch fixes. Uploaded files undergo rigorous antivirus scanning to prevent any malware or virus infiltration.

AppSec reviews and testing

For pivotal releases, a strict protocol is set in motion involving mandatory AppSec reviews, often complemented with thorough penetration tests. This meticulous evaluation delves into new features, their architecture, and an updated threat model. These assessments are orchestrated in collaboration with AWS security engineers and third-party pentesters. Supplementing these proactive measures, our service team maintains hundreds of automated tests, including numerous security tests.

Detection

Network Protection

  • Network traffic management: Security Groups and VPCs are configured to finely control network ingress and egress.
  • Selective inbound access: Inbound access is restricted to only necessary traffic from allowed IP addresses.
  • Exclusive external network entry: Network access from outside is only allowed to AWS Blu Insights. Other traffic is totally prohibited.

Logging and Monitoring

AWS Blu Insights identifies threats by monitoring the network activity and platform behavior. To fortify this stance, comprehensive log management, audits, and incident response protocols are strictly followed, reflecting industry-leading AWS standards.

Here is a succinct breakdown of our vigilant stance:

  • CloudWatch Logs: Extensive logs ranging from the application to the infrastructure level are continuously collected. These logs offer real-time insights and visibility into the system.
  • AWS CloudTrail: Enabled for comprehensive tracking of API activity across all AWS services in use.
  • AWS VPC Flow Logs: Record metadata for traffic within the VPC, providing an additional layer of visibility.
  • AWS GuardDuty and AWS Security Hub: These tools continuously monitor AWS CloudTrail event logs and AWS VPC Flow Logs. They diligently flag any anomalies, encompassing unexpected, potentially unauthorized, and malicious activities.
  • Additional guardrails: With a keen eye for data integrity, we implement guardrails to prevent unwanted alteration to buckets storing the activity logs.