Announcing the Data Fabric Security on Amazon Web Services solution

by Jenifer Wang and Adam Ralston | on

Federal customers are often challenged by integrating data across multiple systems and providing federated access to authenticated users operating across multiple organizations. These challenges are rooted in siloed data repositories, decentralized and incompatible identity data types, and a lack of unified data access control across disparate organizations. To support federal customers in addressing these challenges, Amazon Web Services developed the Data Fabric Security (DFS) on Amazon Web Services solution to support the identity and access needs of a multi-organization system. With DFS on Amazon Web Services, federal customers can accelerate joint interoperability, modernization, and data-driven decision making in the cloud by removing barriers that prevent systems and users from communicating while still strengthening security via Zero Trust principles.

The DFS on Amazon Web Services solution gives customers a secure solution for identity aggregation, data access, and data governance at scale, which is optimal for large-to-enterprise use cases. By deploying a security substrate composed of centralized data governance and identity aggregation layers, DFS on Amazon Web Services provides fine-grained attribute-based access controls (ABAC) that leverage a modern identity, credential, and access management (ICAM) architecture to address identity and access management challenges.

Implementing a Zero Trust approach, DFS on Amazon Web Services integrates a layer of unified identities with granular, attribute-based permissions so mission owners can confidently leverage data from multiple environments to deliver capabilities to customers at the speed of relevance. DFS on Amazon Web Services integrates the identity unification/ICAM solution of solution provider Radiant Logic with the flexible data security platform of Immuta, an Amazon Web Services Partner, all while decoupling identity from authentication and enabling attribute-based control at scale. These integrated capabilities are then launched via an Amazon Elastic Kubernetes Service (Amazon EKS) cluster.

“The goal of our Data Fabric Security solution is to make it easier for our customers to share and integrate data across their enterprise,” said Rob Nolen, the Amazon Web Services chief technologist for U.S. Department of Defense (DoD). “By decoupling identity from authentication, customers can leverage robust identity attributes to develop powerful attribute-based access control policies. This will facilitate agile and secure data sharing with their providers. Radiant Logic and the Immuta Data Security Platform are key pieces of this puzzle, enabling safe, compliant data analysis and collaboration at scale between data platform, security, and compliance teams. We’re thrilled to be joining forces in our effort to remove the bottlenecks in this process and empower our customers with the timely analytics and data sharing capabilities they need and deserve.”

DFS on Amazon Web Services was built by Amazon Web Services using Amazon Web Services Cloud Development Kit (Amazon Web Services CDK), a framework for defining cloud infrastructure as code (IaC) and provisioning it through Amazon Web Services CloudFormation. Delivering via Amazon Web Services CDK automates the integration and launch of this solution, and the provisioning of required networking, which may include a virtual private cloud (VPC) and Amazon Route 53 resources. This turnkey approach allows customers to focus on connecting identities and data sources and configuring policies instead of building out an architecture.

Key elements of Data Fabric Security on Amazon Web Services

There are four key elements to the DFS on Amazon Web Services solution that help large-scale and enterprise customers better manage users, data, and applications.

  1. Automated containerized deployment: DFS on Amazon Web Services provides an automated, turnkey deployment of identity unification, data access, and governance capabilities. Leveraging infrastructure as code (IaC) and containerization means that customers benefit from an already-integrated solution that’s pre-configured with all requisite resources and components.
  2. Unified identities as a single “global” identity: The Radiant Logic component of the solution merges identities from diverse sources and rationalizes them, providing a unified list of users with no overlap, along with their complete identity profiles (attributes). Immuta, the data security component of DFS on Amazon Web Services, then points to Radiant Logic as the single source of truth for authentication and authorization, which makes sure access controls are properly enforced. Radiant Logic can transform and translate identity data to meet each querying system’s requirements.
  3. Implementation of Zero Trust with ICAM and ABAC: Radiant Logic serves as the policy information point, verifying identities and retrieving attributes. Immuta serves as the policy administration and policy decision point, authoring and evaluating policies to be enforced on the data stores being queried. DFS on Amazon Web Services allows the customer to build plain-language data access policies via Immuta that use the identities and attributes stored in Radiant Logic to automate data privacy and governance. Immuta can create data policies once and enforce them across new and existing users while providing access at the column-, row-, and cell-level.
  4. Highly-available, scalable solution: Built with Amazon Web Services, DFS on Amazon Web Services offers high availability and fault tolerance – integral requirements for data sharing and analysis across multiple, always-on environments. DFS on Amazon Web Services is a multi-Availability Zone (AZ) deployment using Elastic Load Balancers to distribute incoming application traffic across multiple targets, allowing it to scale up or down based on ever-changing demand.
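The division of roles in elements 2 and 3 (identity unification as the policy information point, attribute-based evaluation as the policy decision point) can be modeled in a few lines. This is an added illustration, not Radiant Logic or Immuta code or their APIs; every name, attribute, policy rule, and record below is hypothetical and constructed for the example.

```python
# Constructed sample data: two identity silos that describe overlapping users.
HR_DIRECTORY = [
    {"mail": "a.lee@agency-a.example", "clearance": "secret", "org": "agency-a"},
]
PARTNER_DIRECTORY = [
    {"email": "A.Lee@agency-a.example", "projects": ["logistics"]},
    {"email": "b.kim@agency-b.example", "projects": ["medical"]},
]
ROWS = [  # constructed data set protected by the policy
    {"project": "logistics", "classification": "secret", "location": "Depot 7"},
    {"project": "logistics", "classification": "top-secret", "location": "Depot 9"},
    {"project": "medical", "classification": "unclassified", "location": "Clinic 2"},
]
LEVELS = {"unclassified": 0, "secret": 1, "top-secret": 2}


def unify(sources):
    """Policy information point: merge per-silo records into one profile per user."""
    profiles = {}
    for key_field, records in sources:
        for rec in records:
            uid = rec[key_field].lower()  # correlation key, case-normalized
            profile = profiles.setdefault(uid, {"id": uid})
            profile.update({k: v for k, v in rec.items() if k != key_field})
    return profiles


def row_allowed(user, row):
    """Row rule: user must be on the project and cleared for the classification."""
    cleared = LEVELS[user.get("clearance", "unclassified")] >= LEVELS[row["classification"]]
    return row["project"] in user.get("projects", []) and cleared


def query(user_id, profiles, rows=ROWS):
    """Policy decision point: deny unknown users, filter rows, mask cells."""
    user = profiles.get(user_id.lower())
    if user is None:
        return []
    visible = []
    for row in rows:
        if row_allowed(user, row):
            shown = dict(row)
            if user.get("org") != "agency-a":  # hypothetical cell-masking rule
                shown["location"] = "***"
            visible.append(shown)
    return visible


ALL = unify([("mail", HR_DIRECTORY), ("email", PARTNER_DIRECTORY)])
HR_ONLY = unify([("mail", HR_DIRECTORY)])
```

Querying as `a.lee@agency-a.example` against `HR_ONLY` returns nothing, because the project attribute lives in the other silo; the same policy grants one row once both silos are unified in `ALL`.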

How to deploy DFS on Amazon Web Services

The DFS on Amazon Web Services solution provides an overview, deployment guide, and information regarding associated Amazon Web Services costs and how to obtain licenses. The Amazon Web Services Cloud products deployed to run the DFS on Amazon Web Services solution in a non-critical sandbox environment with no activity or workloads include the following:

  • One (1) Amazon EKS cluster
  • Three (3) m5.2xlarge EC2 instances (across two AZs in an Auto-Scaling Group)
  • Two (2) Elastic Load Balancers – classic (one each for Radiant Logic and Immuta)
  • Amazon Route 53 (one hosted zone, two records)

A DFS on Amazon Web Services IaC deployment launches the above core metered products or services. Amazon Web Services Partners should use these services to quote pricing. Amazon Web Services Partners can also get up-to-date pricing on Amazon Web Services Cloud Services from the Amazon Web Services Pricing Calculator.

Both Radiant Logic and Immuta products require licenses. Customers can contact Radiant Logic and Immuta for pricing, licensing, or other solution-specific inquiries.

To learn more about DFS on Amazon Web Services, please contact your Amazon Web Services representative or visit the DFS on Amazon Web Services Quick Starts site.

Learn more about Amazon Web Services for US Government and Amazon Web Services for Defense.
