Sony Music Entertainment Japan Standardizes Security Using AWS Security Hub

Founded in 1968, SMEJ is a subsidiary of Sony Group Corporation. The company is involved in domestic and international music production, distribution, and artist management, as well as a range of entertainment businesses. With such a large and diverse business, SMEJ struggled to maintain standard security processes among its teams. Business units across the organization had different approaches to security measures.

Having used AWS since 2009, SMEJ’s increasing adoption of cloud technology has led to a sprawling AWS environment with more than 300 accounts. Each business unit within SMEJ had its own approach to security when developing new services or managing AWS accounts. This fragmented landscape made it difficult to generate reports or standardize security protocols.

Whereas one team might implement a robust security solution for its website, another team might lack the same protections and become vulnerable to security issues. Some teams did not store log files from AWS CloudTrail—a service that monitors and records account activity across AWS infrastructure—for the required period. To strengthen its security posture, SMEJ needed a way to standardize security practices across all of its entities and accounts.

“Our AWS account management was fragmented,” says Shigeki Wakasa, deputy executive information security officer at SMEJ. “We needed to consolidate our account groups and adopt a unified approach—so we created SMEJ Guardrail.”

SMEJ Guardrail is a security and resource configuration compliance solution tailored for SMEJ’s vast AWS estate. Using SMEJ Guardrail, the company can maintain standard security measures across its AWS accounts and validate that each account adheres to cloud governance guidelines established by Sony Group Corporation. The initial development and implementation of SMEJ Guardrail took about 3 months; during this time, AWS provided technical support and consultations to aid SMEJ’s journey.

The foundation of SMEJ Guardrail is AWS Security Hub, a unified security service that centralizes and prioritizes security findings across various AWS services. AWS Security Hub assesses the company’s AWS resources against established best practices and industry benchmarks, such as the Center for Internet Security and AWS Foundational Security Best Practices. These best practices encompass a range of checks, from proper encryption settings to detecting suspicious activities. As a cloud security posture management solution, AWS Security Hub performs these best practice checks automatically. With this capability, SMEJ can detect potential vulnerabilities and deploy remediation actions as necessary. The company has also implemented automated remediation mechanisms to promptly address security threats.

With SMEJ Guardrail, the company can standardize its security processes and therefore maintain a uniform security layer across its AWS accounts. SMEJ can also view the results of its threat detection and compliance checks across its organization in a central place, gaining better visibility into the health of its AWS estate. “By performing centralized management and visualization using AWS Security Hub, we were able to standardize our security levels, which had varied for each AWS account,” says Wakasa.

SMEJ Guardrail also uses Amazon GuardDuty to monitor accounts for suspicious activities and AWS CloudTrail to track account actions across AWS and support audits and governance. Using AWS CloudFormation templates—which speed up cloud provisioning with infrastructure as code—SMEJ can also adapt and expand its security protocols as needed.

The framework’s benefits extend beyond standardized security. In particular, AWS security services are much more cost effective than external providers, which helps reduce the cost of SMEJ’s entire security portfolio. “We only deploy first-party services, so we do not have to pay license or usage fees,” says Tomoyuki Shirakawa, director of SMEJ. “And by using managed AWS services, we can keep our costs down while maintaining optimal availability and performance.”

With an infrastructure-as-code approach and AWS CloudFormation templates, SMEJ can scale horizontally to expand its digital infrastructure as demands grow. And by using AWS-managed services, SMEJ can make sure that its solutions adhere to AWS best practices and benefit from recommendations given by the AWS team. Furthermore, creating a programmable infrastructure has directly boosted staff productivity. Instead of having to navigate technical challenges, SMEJ’s teams can now shift their focus onto core tasks, which has optimized operations so that teams can deliver security results more efficiently.