Overview
Investment and asset management organizations operate complex ERP systems, financial tools, file servers, and internal applications that require strict security controls and uninterrupted availability.
Legacy cloud environments can limit flexibility, introduce governance gaps, and increase operational risk — especially when managing sensitive financial and operational data.
SUDO led a secure migration of critical enterprise workloads from Azure to AWS, delivering a resilient architecture aligned with the AWS Well-Architected Framework Security Pillar, including its infrastructure protection best practices. Data protection was enforced at every layer through AWS KMS encryption at rest and TLS encryption in transit, so that sensitive ERP and financial data remained protected throughout and after the migration.


Challenge
Securing and Modernizing Mission-Critical Systems
Organizations in investment, asset management, and real estate often face:
1. Data Protection Requirements
Sensitive ERP and file server data required strong encryption both at rest and in transit, with centralized key management and full auditability of data access throughout and after migration.
2. Secure Hybrid Connectivity
Encrypted and seamless connectivity between the Azure and AWS environments was required for the duration of the transition.
3. Access Governance
Least-privilege access needed to be enforced across multi-account and hybrid systems.
4. Perimeter & Internal Threat Protection
Workloads required protection against both external threats and lateral movement within the network.
5. Ongoing Compliance & Monitoring
Continuous visibility, auditing, and alignment with industry security standards were mandatory.
Solution
Security-First Hybrid Cloud Architecture on AWS
SUDO architected a secure migration framework centered on AWS-native services and Fortinet FortiGate NGFW to establish layered infrastructure protection — with encryption enforced at every layer from data storage through network communication.
AWS KMS
Centralized key management for all data at rest across ERP databases, file servers, and S3 storage. Customer managed keys kept key policy, automatic rotation, and every use of the key under the customer's control, with each key operation recorded in CloudTrail for access auditing.
TLS Encryption in Transit
All data moving between on-premises, Azure, and AWS environments was secured with TLS, enforced at Application Load Balancers and API Gateway and for inter-service communication.
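How the two encryption controls above look when written down as infrastructure code, as an added example that is not SUDO's configuration: a KMS customer managed key with automatic rotation and a key policy that limits use to the ERP workload role, and an S3 bucket whose default encryption uses that key and whose bucket policy rejects plaintext-HTTP requests and uploads that name a different key. The account ID is read at plan time; the region, the `erp-app` role, and the bucket name are assumptions for illustration.

```hcl
# Added example (not SUDO's configuration): KMS customer managed key with
# automatic rotation and an auditable key policy, plus an S3 bucket that
# rejects plain-HTTP requests and uploads that name any other KMS key.
# Region, role and bucket names are assumptions for illustration.

data "aws_caller_identity" "current" {}

# Key policy: the account root keeps administrative rights so the key can never
# become unmanageable, but only the ERP workload role may use it for data
# operations, and only through S3 or RDS in this region.
data "aws_iam_policy_document" "erp_key" {
  statement {
    sid       = "AccountRootAdmin"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid       = "ErpWorkloadUseOnly"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/erp-app"] # assumed role
    }
    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      values   = ["s3.eu-west-1.amazonaws.com", "rds.eu-west-1.amazonaws.com"] # assumed region
    }
  }
}

resource "aws_kms_key" "erp_data" {
  description             = "ERP databases, file servers and S3 data at rest"
  enable_key_rotation     = true # yearly rotation; retired key material still decrypts old data
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.erp_key.json
}

resource "aws_kms_alias" "erp_data" {
  name          = "alias/erp-data"
  target_key_id = aws_kms_key.erp_data.key_id
}

resource "aws_s3_bucket" "erp_files" {
  bucket = "example-erp-files" # assumed name
}

# Default encryption covers writes that send no encryption headers at all.
resource "aws_s3_bucket_server_side_encryption_configuration" "erp_files" {
  bucket = aws_s3_bucket.erp_files.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.erp_data.arn
    }
    bucket_key_enabled = true
  }
}

# The bucket policy closes two gaps default encryption leaves open: requests
# over plain HTTP, and uploads that explicitly request a different KMS key.
data "aws_iam_policy_document" "erp_files" {
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.erp_files.arn, "${aws_s3_bucket.erp_files.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }

  statement {
    sid       = "DenyOtherEncryptionKey"
    effect    = "Deny"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.erp_files.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    # IfExists: an upload without the header falls through to default
    # encryption; a plain StringNotEquals would deny those uploads as well.
    condition {
      test     = "StringNotEqualsIfExists"
      variable = "s3:x-amz-server-side-encryption-aws-kms-key-id"
      values   = [aws_kms_key.erp_data.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "erp_files" {
  bucket = aws_s3_bucket.erp_files.id
  policy = data.aws_iam_policy_document.erp_files.json
}
```

The audit trail the page refers to comes for free: every `Encrypt`, `Decrypt` and `GenerateDataKey` call against the key is a CloudTrail event with `eventSource` `kms.amazonaws.com`, so filtering CloudTrail on the key ARN answers "who decrypted ERP data, and through which service" without any extra logging configuration.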
Identity & Access Control
AWS IAM roles and policies enforced least-privilege permissions
Multi-Factor Authentication (MFA) applied to all privileged accounts
AWS IAM Identity Center (the successor to AWS SSO) provided centralized authentication and session management
AWS Systems Manager (SSM) Session Manager enabled secure OS-level access with full logging
Active Directory integration maintained consistent access policies across environments
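The access controls listed above, as an added example written here rather than taken from SUDO's deployment: an IAM policy that denies privileged actions unless the caller authenticated with MFA, an instance role and security group that make the ERP hosts reachable only through Systems Manager Session Manager (no SSH, no inbound rule at all), and the Session Manager preferences document that streams every session to CloudWatch Logs and archives it to S3 under KMS encryption. The VPC ID, log bucket, log group and key alias are assumptions for illustration.

```hcl
# Added example (not SUDO's configuration): MFA-gated privileged access,
# SSM-only host access with no inbound network path, and mandatory session
# logging. VPC ID, log bucket, log group and key alias are assumptions.

variable "vpc_id" { type = string } # assumed input

# Deny privileged actions when the caller did not present MFA. BoolIfExists
# also denies callers for whom the key is absent (e.g. long-lived access keys),
# rather than silently allowing them. Attach this to IAM users/roles such as
# break-glass accounts; for IAM Identity Center users MFA is enforced in
# Identity Center itself and aws:MultiFactorAuthPresent is not set.
data "aws_iam_policy_document" "require_mfa" {
  statement {
    sid       = "DenyPrivilegedWithoutMfa"
    effect    = "Deny"
    actions   = ["iam:*", "kms:*", "ec2:*", "rds:*", "ssm:StartSession"]
    resources = ["*"]
    condition {
      test     = "BoolIfExists"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["false"]
    }
  }
}

resource "aws_iam_policy" "require_mfa" {
  name   = "require-mfa-for-privileged-actions"
  policy = data.aws_iam_policy_document.require_mfa.json
}

# Instance role with only what the SSM agent needs; no SSH key pair is issued.
resource "aws_iam_role" "erp_instance" {
  name = "erp-instance"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "ec2.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy_attachment" "ssm_core" {
  role       = aws_iam_role.erp_instance.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}

resource "aws_iam_instance_profile" "erp_instance" {
  name = "erp-instance"
  role = aws_iam_role.erp_instance.name
}

# No ingress at all: Session Manager rides on the agent's outbound HTTPS
# connection to SSM, ideally via interface VPC endpoints in the private VPC.
resource "aws_security_group" "erp_private" {
  name   = "erp-private"
  vpc_id = var.vpc_id

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"] # VPC endpoint / inspected egress range, assumed
  }
}

# Session Manager preferences. The document name is fixed by the service: it is
# read for every session started in the account and region.
resource "aws_ssm_document" "session_manager_prefs" {
  name            = "SSM-SessionManagerRunShell"
  document_type   = "Session"
  document_format = "JSON"
  content = jsonencode({
    schemaVersion = "1.0"
    description   = "Session Manager preferences: log and encrypt all sessions"
    sessionType   = "Standard_Stream"
    inputs = {
      s3BucketName                = "example-session-logs" # assumed
      s3EncryptionEnabled         = true
      cloudWatchLogGroupName      = "/ssm/sessions"        # assumed
      cloudWatchEncryptionEnabled = true
      cloudWatchStreamingEnabled  = true
      kmsKeyId                    = "alias/session-logs"   # assumed key alias
      runAsEnabled                = false
      idleSessionTimeout          = "20"
      maxSessionDuration          = "60"
    }
  })
}
```

Two checks worth running after applying this: confirm that no security group attached to the ERP hosts has an inbound rule for port 22 or 3389, and start a session and verify the transcript appears in the log group, because Session Manager refuses to start a session if the instance role cannot write to the configured S3 bucket or log group, which is the behaviour you want rather than an unlogged session.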
Network & Policy Enforcement
FortiGate NGFW functioned as the primary ingress and egress control point within private VPCs
AWS Network Firewall strengthened segmentation between application tiers
AWS WAF secured web-facing components integrated with API Gateway and CloudFront
Logs from FortiGate, CloudTrail, and VPC Flow Logs were aggregated centrally, and the security findings derived from them were consolidated in AWS Security Hub for analysis (Security Hub aggregates findings, not raw log streams)
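The tier segmentation that AWS Network Firewall provides in this design, as an added example and not SUDO's own rule set: a stateful rule group in strict order that lets the application subnets reach the database subnet only on the database ports, drops and logs anything else bound for the data tier, and a firewall policy whose default action is to drop. The CIDRs, ports, VPC and firewall subnet are assumptions for illustration.

```hcl
# Added example (not SUDO's configuration): AWS Network Firewall rule group and
# policy enforcing east-west segmentation between application and database
# tiers. CIDRs, ports, VPC ID and firewall subnet ID are assumptions.

variable "vpc_id" { type = string }             # assumed input
variable "firewall_subnet_id" { type = string } # assumed input

resource "aws_networkfirewall_rule_group" "tier_segmentation" {
  name     = "erp-tier-segmentation"
  type     = "STATEFUL"
  capacity = 100

  rule_group {
    rule_variables {
      ip_sets {
        key = "APP_NET"
        ip_set { definition = ["10.10.1.0/24", "10.10.2.0/24"] } # app subnets, assumed
      }
      ip_sets {
        key = "DB_NET"
        ip_set { definition = ["10.10.10.0/24"] } # database subnet, assumed
      }
      port_sets {
        key = "DB_PORTS"
        port_set { definition = ["1433", "5432"] } # SQL Server / PostgreSQL
      }
    }

    # Suricata-format rules, evaluated top to bottom in strict order. The
    # stateful engine tracks the flow, so database replies need no extra rule.
    rules_source {
      rules_string = <<-EOT
        pass tcp $APP_NET any -> $DB_NET $DB_PORTS (msg:"app tier to db tier"; flow:to_server; sid:1000001; rev:1;)
        drop ip any any -> $DB_NET any (msg:"blocked lateral movement into db tier"; sid:1000002; rev:1;)
      EOT
    }

    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "erp" {
  name = "erp-policy"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }
    # Anything no rule explicitly passes is dropped and written to the alert log.
    stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]

    stateful_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.tier_segmentation.arn
    }
  }
}

resource "aws_networkfirewall_firewall" "erp" {
  name                = "erp-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.erp.arn
  vpc_id              = var.vpc_id
  subnet_mapping { subnet_id = var.firewall_subnet_id }
}

# Drops and alerts go to CloudWatch Logs, the feed that detection content and
# Security Hub findings are built from.
resource "aws_networkfirewall_logging_configuration" "erp" {
  firewall_arn = aws_networkfirewall_firewall.erp.arn
  logging_configuration {
    log_destination_config {
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
      log_destination      = { logGroup = "/network-firewall/erp-alerts" } # assumed
    }
  }
}
```

The rule group only enforces anything for traffic that is actually routed through the firewall endpoint: the application and database subnet route tables must point at each other via the firewall endpoint rather than `local`, and a quick test is to attempt a connection from an app host to a non-database port on a DB host and confirm a `drop` record with `sid:1000002` appears in the alert log group.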
Post-Migration Managed Security
Amazon GuardDuty delivered intelligent threat detection
Amazon CloudWatch and AWS CloudTrail provided operational monitoring and audit trails
24/7 Security Operations support ensured incident response and compliance reporting
Automated security baselines aligned with NIST CSF, ISO 27001, PCI DSS, and GDPR requirements
Key Capabilities

End-to-End Data Encryption
AWS KMS customer managed keys protect all data at rest, while TLS enforcement across all transit paths eliminates unencrypted data exposure throughout and after migration.
Least-Privilege Access Enforcement
AWS IAM roles, MFA, and IAM Identity Center SSO ensure every user and service is granted only the minimum access required across all environments.

Network Perimeter Security
FortiGate NGFW and AWS Network Firewall enforce layered perimeter and internal segmentation controls, preventing external threats and lateral movement within the network.

Continuous Threat Monitoring
Amazon GuardDuty and AWS Security Hub provide real-time threat detection and centralized security posture management from the point of migration onward.

Zero Downtime Migration
A structured, phased transition with parallel environments ensures business continuity, with no disruption to live ERP operations throughout the cutover.
Business Impact
Real estate and investment organizations manage high-value assets and sensitive operational systems that require strong governance, end-to-end data protection, and uninterrupted service availability. The migration delivered measurable and strategic benefits:
- Zero Downtime Migration — A structured, phased transition with parallel environments ensured business continuity with no disruption to live ERP operations.
- End-to-End Data Protection — AWS KMS customer managed keys secured all data at rest, while TLS enforcement across all transit paths eliminated unencrypted data exposure throughout the migration.
- 70% Reduction in Attack Surface — Controlled ingress via FortiGate NGFW, private VPC design, and enforced least-privilege access eliminated unnecessary exposure points across all workloads.
- No Direct Internet Exposure — Private workloads including ERP, databases, file servers, and UAT environments were fully isolated from public network access throughout.
- Continuous Compliance Alignment — Automated security baselines aligned with ISO 27001, PCI DSS, and GDPR requirements, with continuous audit visibility via CloudTrail and Security Hub.
- Scalable Security Architecture — AWS infrastructure and encryption controls support portfolio growth and new workload onboarding without requiring changes to the underlying security architecture.
