Highlights

• Implemented VPN tunnelling to enable secure access to the enterprise network from any device at any location.
• Created a simple and intuitive authentication experience for end users to mitigate friction while ensuring secure network activity.
• Deployed a cloud-hosted managed Active Directory instance to enable remote servicing of users, groups, and policies.
• Integrated the authentication and VPN tunnelling solution to the client’s existing technology stack.

Overview

A 59-year-old financial services business offering mutual funds, insurance, fixed deposits, and other instruments to retail investors. The organisation employs over 5,000 people across the country and is spearheading growth in the mutual fund sector. The client operates in a highly regulated space, and their employees deal with sensitive personal and financial data of end customers on a daily basis. A substantial size of enterprise resources and systems reside in the AWS cloud.

Requirements

The client was exposed to significant risk factors due to a lack of centralised control on the desktop computers of remote users. The systems were not domain-joined, and because they were not kept up-to-date at all times, they were exposed to known vulnerabilities.

Moreover, due to lack of centralised control over user computers, the client could not enforce password or domain group policies for remote users.

Key objectives:

1. Implement PC and user authentication via AWS-managed Microsoft Active Directory (AD).
2. Enable device-agnostic authentication and access from any location with remote VPN.
3. Enable centralised Group Policy management for remote users across the domain, and enforce a uniform password policy for all users.

Moreover, the client required a simple authentication experience that would cater to users with varying levels of technical proficiency. This required the deployment of an enterprise-grade VPN solution and seamless integration of AD and the VPN solution into the existing tech stack.

Solution

The client engaged Velocis to implement the VPN solution and AWS-managed AD. The Velocis team chose Cisco Secure AnyConnect Remote VPN and devised a network topology to enable secure user and machine authentication via AWS-managed AD.

Here are the key highlights of the deployed solution:

1. Implemented a pre-logon connection method that establishes a VPN tunnel between the user’s machine and the organisation’s AWS Virtual Private Cloud. This authenticates the endpoint and triggers domain scripts and startup tasks when the endpoint is powered on.
2. Configured Cisco Secure AnyConnect Remote VPN to create an encrypted connection from any device at any location to the enterprise network. The VPN tunnelling enables a user to connect via public internet connections to establish a ‘virtual private’ connection with the enterprise network.
3. Deployed AWS-managed AD which enables the IT team to centrally manage remote user access, set up group policies, and define password requirements. The managed AD instance acts as a centralised hub for managing network security and access policies.
4. Devised a simple authentication interface that enables users to establish a secure VPN connection with two clicks within the familiar Windows Logon interface. The AD integration offers users a familiar authentication experience, minimising friction while ensuring watertight security.

Business outcomes

Velocis enabled the client to improve their security posture while minimising their network security administration overheads. Here are the key benefits delivered to the client:

1. Intuitive authentication method that enables improved security without impinging on the employee experience.
2. VPN tunnelling facilitates secure remote access via public internet connections from any device, enabling support for hybrid work models.
3. Enhanced security posture with the ability to enforce uniform password policies, and encryption of data in transit.
4. Cloud-managed AD enables centralised management of user authentication controls and access policies, bringing standardisation of authentication and access mechanisms.

‍