Recently, at the AWS re:Invent conference, Harvard’s manager of cloud architecture detailed the main investments that the university made in order to secure its cloud.
When Harvard University began its journey to the cloud, like every other organization it found itself tasked with the monumental job of securing its cloud network. Instead of utilizing an available solution, the team at Harvard decided to build its own, and the Harvard Cloud Shield was born.
At the 2016 AWS re:Invent conference in Las Vegas, Harvard’s manager of cloud architecture, Thomas Vachon, explained how the university built its solution and the lessons that it learned along the way.
Essentially, the Harvard Cloud Shield is a network security platform that aggregates traffic and acts as an inspection point. It is redundant and geographically diverse. Through it, Vachon said, they filter, audit, and analyze all of their Amazon Web Services (AWS) traffic.
The original goals of the team at Harvard were multifaceted. First, Vachon said, they wanted to provide highly-available network access to the cloud. Next, they wanted to provide visibility of traffic into, out of, and and in between applications, as well as provide next-generation firewall protection and mitigate denial of service attacks. Additionally, Harvard wanted to enable a simpler configuration through inline filtering.
In the beginning, they looked at security agents and inline virtual firewalls. The security agents were more expensive for their customers and were too focused on a reactive response, Vachon said. The inline firewalls had a high overhead cost and too complex virtual private cloud (VPC) routing for Harvard’s needs. So, they decided to build their own solution.
In terms of network connectivity, the Harvard Cloud Shield has four AWS Direct Connect connections. Each firewall has two Direct Connects at both the primary site and the standby site, and each VPC gets a single firewall partition.
Vachon said they also developed a serverless architecture to act as a manager and their platform was built primarily on Python. It overlays five different network management products and devices, so one of the key challenges was getting all of those to work together, and managing the APIs needed to make it work.
