Plaza Premium
With a mission of “making travel better”, Plaza Premium Group is a pioneer and the market leader in airport hospitality services with an international footprint of over 170 locations across 46 airports in 23 countries and regions, serving 16 million travellers annually.
The group comprises five core business segments – airport lounges Plaza Premium First and Plaza Premium Lounge; airport terminal hotels Aerotel and Refreshhh by Aerotel; airport meet & greet services ALLWAYS and a range of Airport Dining concepts. In addition to its own brands, Plaza Premium Group provides airport hospitality solutions to leading airlines, alliances and corporates around the world, including but not limited to Cathay Pacific Airways, Singapore Airlines, Lufthansa, China Southern Airlines, Star Alliance, SkyTeam, American Express and many more. By continuously innovating and striving to surpass travellers’ expectations of airport experiences, the group is growing exponentially across major international airports globally.
Plaza Premium was running its IT infrastructure on-premises, maintained by a full technical team. To manage it, all physical hardware and human resources had to be managed within a fixed budget every year. When the client’s workloads reach capacity limits, scaling up IT capacity in an on-premises environment can be time-consuming and frustrating, and wastes time and capital. In terms of security, as the infrastructure scales and becomes more sophisticated, more vulnerabilities are exposed as “known unknowns”. That is why Plaza Premium wished to migrate its workloads to a highly scalable platform in a PaaS/SaaS model with ready-to-use security and compliance services.
To achieve high scalability for future growth and meet the PCI-DSS compliance standard at the same time, Nextlink plays an important role in:
- Infrastructure provisioning under Well-Architected framework
The AWS Well-Architected Framework is a gold standard for building secure, high-performing, resilient, and efficient infrastructure for applications and workloads. Nextlink, as an AWS Premier Partner, strictly follows this guideline to design and implement the whole infrastructure for Plaza Premium, so as to prepare them for a growing footprint on cloud technology.
- Achieving Compliance-Standard Security Hardening
Cloud security at AWS is the highest priority. As an AWS customer, Plaza Premium benefits from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. Nextlink has designed a security principle based on AWS best practices and AWS Cloud Adoption Framework (CAF), so as to provide a reliable and compliance-ready security solution for our customers under the strategy of Directive, Preventive, Detective and Responsive.
For the solution architecture, Nextlink has proposed a wide range of AWS and ISV services under Well-Architected best practices to achieve this enterprise-level security standard:
- Intrusion Detection and Protection
  - GuardDuty detects threats and continuously monitors for malicious activity and unauthorized behaviour. It is integrated with threat intelligence feeds and, coupled with machine learning, can perform automated remediation actions by leveraging CloudWatch Events, reducing the client’s remediation and recovery time.
  - WAFs are costly and hard to manage in an on-premises environment. In AWS, AWS WAF is a fully managed layer-7 application firewall that is well integrated with CloudFront and ELB to protect the client’s applications from DDoS attacks and common attack patterns such as SQL injection and cross-site scripting.
- Encryption in-transit and at-rest
  - KMS is a managed encryption service that provides highly available key storage, management, and auditing for data encryption across AWS services and within the client’s own applications.
  - ACM is a managed SSL certificate provider that generates SSL certificates for free and is highly integrated with AWS services to serve HTTPS requests with in-transit encryption.
- Logging and Monitoring
  - CloudWatch as a monitoring and logging service to centralize log management and alarm configuration. All EC2 instances should have the CloudWatch Logs agent and an IDS agent installed, so that system logs, application logs and other custom logs can be sent to CloudWatch Logs.
  - CloudTrail as a logging service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain events related to API calls across your AWS infrastructure.
  - Elasticsearch Service as a log centralization and visualization tool. Using Kibana dashboards, users can visualize the findings and convert data into actionable intelligence.
- Maintenance and Optimization
  - Systems Manager Patch Manager to automate the process of patching managed instances with security-related updates.
  - ISV solutions, including Tenable and Trend Micro, to further harden security protection at the OS layer and provide S3-layer anti-virus.
- Resource capacity is automatically handled by AWS auto scaling capabilities, which in turn improves service reliability and cost efficiency by at least 20%.
- Technical maintenance is automated with cloud-native features, which in turn reduces manpower and labour cost associated with maintenance by 50%.
- Pricing models for these services are “pay as you go”, which gives the client more flexibility, as no annual license is required.
Security services are delivered in a SaaS model, which is PCI compliant out of the box. By using AWS services, the PCI compliance burden is greatly reduced through AWS. These services provide smarter and more proactive protection to the client’s system and network resources in order to meet the required compliance standards.
The application products and services
Nextlink assisted Plaza Premium in migrating workloads to AWS with high scalability and security, and improved the reliability of the AWS system architecture by 20% and reduced costs by 50%. With AWS information security best practices, Nextlink has strengthened the five aspects of security for Plaza Premium, and greatly improved the security protection.
As an AWS Managed Services Provider (MSP), Nextlink also provides Plaza Premium with 24×7 monitoring, reporting, and management of their AWS infrastructure and environment after the migration. A monthly report is provided to Plaza Premium to give them a holistic overview of their AWS environment and usage. Potential vulnerabilities are identified and shared in the report. Well-Architected reviews are conducted on a regular basis to optimize Plaza Premium’s environment based on the five pillars: operational excellence, security, reliability, performance efficiency and cost optimization. Through these reviews, Nextlink is able to deliver cost savings and close any identified security gaps. With Nextlink’s Managed Services, Plaza Premium can tap the full potential and benefits of the cloud.