Transcript of: Balancing Control and Agility to Achieve Cloud@Scale
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Dede Dascalu
CEO, Stratus Solutions
Balancing Control and Agility
to Achieve Cloud@Scale
Stratus Solutions is a technology partner that enables purpose-led organizations to achieve more.
• #951 (2017)
• Headquartered in Fulton, MD
• Founded in 2008
• 100+ full-time staff
Agenda
• What Cloud@Scale Looks Like
• Building Blocks
• Design Considerations
What Cloud@Scale Looks Like
The Journey to Cloud Adoption
Limited Accounts
• Specific Systems
• Manual Governance
Single Account
• Numerous Systems
• Manual Governance
OR
Multiple Accounts
• Numerous Systems
• Manual Governance
Growing Cloud Adoption (chart; source: AWS)
Tradeoffs In Developer Controls and Developer Agility
Cloud broker
• Prescribes limited access to the AWS platform based on catalog templates or via middleware
• Suitable for meeting common requirements of less-technical internal users
• Traditionally doesn’t allow developers to access cloud APIs
• Relies too much on humans and manual processes
Minimally encumbered AWS accounts
• Complete power of the AWS platform; every “approved” feature available immediately
• Native access to the AWS Console, CLI, API
• Enables powerful DevOps CI/CD pipelines
• Requires a comprehensive foundation for managing access, security, collaboration
• Requires the building or buying of a solution that can manage access, budget, compliance of many AWS accounts
Elements of Cloud@Scale
• Entry points: Methods of access to the cloud environment
• Central Services: Common services accessible by cloud tenants
• Networking: Enterprise networking strategy for intra-AWS Account communication and ingress/egress control
• Connections to On-Premise Resources: Enabling access between on-premise and cloud resources
• Security Services: Central log aggregation and analysis
• Certification and Accreditation Strategy (SSPs): Methodology to reach ATO fast with a repeatable process
• Governance of Cloud Accounts: Tools for account management, budget enforcement, compliance automation + access to AWS CLI, API, Console
Cloud Governance Architecture Case Study (diagram callouts)
• Internet access
• Federated access to native AWS Console
• Centrally hosted developer tools
• AWS account management, budget enforcement, compliance automation
• Local and remote entry point access
• Log aggregation, continuous monitoring
Challenges with Governance of Cloud Accounts
• Ensure deployments and operations are compliant with relevant legal, regulatory, and/or contractual policies?
• Adhere to IT budgets in a pay-per-use model?
• Determine the current state of all cloud users and their access rights across your enterprise?
Design Considerations for Cloud@Scale
Account Management
• Centralized management of all cloud accounts
• Federated single sign-on and 2-factor authentication (MFA)
• Automated, self-service account creation with native Console, CLI, and API access
Budget Enforcement
• Hierarchical budget alignment to projects and organizational units with real-time spend tracking
• Configurable enforcement actions to alert, freeze spending, and terminate cloud resources
Compliance Automation
• Inheritable access policies to restrict use of non-compliant cloud services
• Compliance tools for continuous security control monitoring and reporting
Example account hierarchy (diagram):
Company X
• Dept. A: Project 1, Project 2, Project 3
• Dept. B: Project 4, Project 5
• Dept. C: Project 6
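The Budget Enforcement and Compliance Automation considerations above both rely on the same account hierarchy (Company X, departments, project accounts). The following Python model, added here as an illustration and not code from Stratus Solutions or cloudtamer.io, shows how two of those properties behave over that tree: deny policies attached to a department are inherited by every project account beneath it, and an account inherits the most severe budget action (alert, freeze, terminate) triggered at any level above it even when its own budget is healthy. All budgets, spend figures, service names and threshold percentages are constructed sample values.

```python
"""Toy model of hierarchical cloud-account governance: inheritable deny policies
and hierarchical budget enforcement across Company X -> Dept -> Project accounts.
Added illustration; names, service identifiers, budgets and thresholds are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed enforcement ladder: (fraction of budget consumed, action).
# Checked in ascending order; the highest threshold reached wins.
ENFORCEMENT_LADDER = [(0.80, "alert"), (1.00, "freeze"), (1.20, "terminate")]
SEVERITY = {"none": 0, "alert": 1, "freeze": 2, "terminate": 3}


@dataclass
class OrgNode:
    """A company, department or project account in the governance tree."""
    name: str
    parent: Optional["OrgNode"] = None
    children: List["OrgNode"] = field(default_factory=list)
    denied_services: Set[str] = field(default_factory=set)  # inheritable deny policy
    budget: Optional[float] = None  # monthly budget in USD; None = no limit at this level
    spend: float = 0.0              # metered spend, recorded on project (leaf) accounts

    def add(self, child: "OrgNode") -> "OrgNode":
        child.parent = self
        self.children.append(child)
        return child


def effective_denies(node: OrgNode) -> Set[str]:
    """Deny policies are inherited: union of denies from the node up to the root."""
    denies: Set[str] = set()
    current: Optional[OrgNode] = node
    while current is not None:
        denies |= current.denied_services
        current = current.parent
    return denies


def is_service_allowed(node: OrgNode, service: str) -> bool:
    """A service is usable in an account only if neither the account nor any ancestor denies it."""
    return service not in effective_denies(node)


def rollup_spend(node: OrgNode) -> float:
    """Spend of an OU is the sum of its children; a project account reports its own metered spend."""
    if not node.children:
        return node.spend
    return sum(rollup_spend(child) for child in node.children)


def local_action(node: OrgNode) -> str:
    """Action triggered by this node's rolled-up spend against its own budget."""
    if node.budget is None or node.budget <= 0:
        return "none"
    ratio = rollup_spend(node) / node.budget
    action = "none"
    for threshold, name in ENFORCEMENT_LADDER:
        if ratio >= threshold:
            action = name
    return action


def effective_action(node: OrgNode) -> str:
    """Enforcement is hierarchical: an account inherits the most severe action
    triggered at any level above it, even if its own budget is healthy."""
    strongest = "none"
    current: Optional[OrgNode] = node
    while current is not None:
        candidate = local_action(current)
        if SEVERITY[candidate] > SEVERITY[strongest]:
            strongest = candidate
        current = current.parent
    return strongest


def build_company_x() -> Dict[str, OrgNode]:
    """Tree matching the slide's diagram; budgets, spend and denies are constructed sample values."""
    root = OrgNode("Company X", budget=20000.0, denied_services={"mturk"})
    dept_a = root.add(OrgNode("Dept. A", budget=4000.0))
    dept_b = root.add(OrgNode("Dept. B", budget=3000.0, denied_services={"sagemaker"}))
    dept_c = root.add(OrgNode("Dept. C", budget=2800.0))
    dept_a.add(OrgNode("Project 1", budget=2000.0, spend=1500.0))
    dept_a.add(OrgNode("Project 2", budget=1000.0, spend=1300.0))
    dept_a.add(OrgNode("Project 3", spend=1000.0))
    dept_b.add(OrgNode("Project 4", budget=400.0, spend=500.0))
    dept_b.add(OrgNode("Project 5", spend=700.0))
    dept_c.add(OrgNode("Project 6", budget=5000.0, spend=3000.0))
    nodes: Dict[str, OrgNode] = {}
    stack = [root]
    while stack:
        current = stack.pop()
        nodes[current.name] = current
        stack.extend(current.children)
    return nodes


def enforcement_report(nodes: Dict[str, OrgNode]) -> Dict[str, str]:
    """Effective enforcement action for every project (leaf) account."""
    return {name: effective_action(n) for name, n in nodes.items() if not n.children}


if __name__ == "__main__":
    tree = build_company_x()
    for name, action in sorted(enforcement_report(tree).items()):
        print(f"{name}: spend={rollup_spend(tree[name]):.0f} action={action}")
    print("Project 4 may use sagemaker:", is_service_allowed(tree["Project 4"], "sagemaker"))
```

In the sample data Project 1 and Project 3 are each within (or without) their own budget, yet both end up at "alert" because Dept. A as a whole has consumed 95% of its allocation; Project 6 is at 60% of its own budget but inherits "freeze" from Dept. C. The deny policy for sagemaker set on Dept. B reaches Project 4 and Project 5 without any per-account configuration, which is the inheritance property the Compliance Automation bullet describes.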
www.cloudtamer.io