AWS Organizations, Security and Networking

The Challenge

Knock launched their first product in 2016, hosted on Amazon Web Services (AWS). Since then, the company’s customer base has grown to include thousands of properties, and today, Knock is the multifamily industry’s leading CRM with multiple product offerings. However, with the growth of the company and products, the underlying AWS environment was still based around the idea of Knock being a single-product company. Knock needed a partner and plan for building a secure, performant and scalable AWS environment that matched their maturing product portfolio and operational goals. .

Why Amazon Web Services and 1Strategy

Knock has partnered with AWS since the beginning; there was never any question whether future workloads would also be built and would run on AWS. Running SaaS lean, though, meant that Knock didn’t staff the full-time AWS Solutions Architect that would be necessary to design and plan a project of this complexity.

“It was a very easy decision to go with 1Strategy,” said Paul Campbell, senior director of security and privacy at Knock. “1Strategy is well-known for delivering exceptional AWS design support, and they presented the most thorough and tailored statement of work.” .

Additionally, Knock’s DevOps team lead was familiar with multiple 1Strategy staff through CoffeeOps; a Seattle DevOps networking group founded by a 1Strategy team member.

The Benefits

Requirements and Design

“The best part of outsourcing architecture and planning for these large, complex, one-off projects is that you can benefit from a proven playbook,” said Matt Hillman, vice president of engineering at Knock.

Indeed, 1Strategy was able to bring a proven playbook for identifying requirements to transition from a single-account architecture to one based on multiple AWS accounts. It started with reviews of the existing environment and interviews of the engineering team leads and ended with a proposed architecture addressing all foreseeable requirements of the business.

Development and Implementation

By leveraging Terraform infrastructure as code and AWS Control Tower, 1Strategy was able to assist Knock in developing and implementing an AWS environment and architecture consistent with recognized best practices. This included aligning accounts with data sensitivity, implementing commensurate preventative and detective controls for organizational units (OU), and configuring AWS Single Sign-on (SSO) to provide for fast role selection and switching.

“Compared to traditional role switching, AWS SSO makes operating in a multi-account environment easy,” said Justin Martenstein, DevOps lead at Knock.

Secure by Design

Knock relied on 1Strategy’s extensive experience with securing AWS workloads as they collaborated on the preventative, detective and response-oriented control design and validation. 1Strategy was able to suggest controls, which scaled much more efficiently in a multi-account environment while still meeting the company’s security commitments. A great example can be found in using Control Tower to automatically centralize AWS CloudTrail event streams so that new accounts are monitored with no additional effort.

Networking

Much like the account structure, Knock’s networking layer wasn’t optimized for a multiproduct company.

“We’re excited to realize a number of network-level benefits such as centralized VPN and simplified DNS management,” said Martenstein. “As well as shifting all network infrastructure to code for modularization and version control.”

The icing on the cake for the project was a centralized ingress/egress networking architecture for sensitive workloads. By utilizing AWS Transit Gateway, Knock can control access to workloads through a single network entry point. Separate Transit Gateway route tables enable sensitive data networks to be isolated from regular networks and permit the efficient deployment of network traffic inspection, intrusion prevention and data-loss prevention systems.