Speaker: Jonathan Allen, Enterprise Strategist, AWS
Hear why customers adopt, how you can follow and the positive impact of Financial Services customers choosing to use AWS Cloud. This session will be presented by Jonathan Allen, AWS Enterprise Strategist and Evangelist, who shares some of his experience and lessons learned from when he was the CTO of Capital One UK, across the paradigms of People, Process and Technology, leveraging first-hand knowledge of the AWS Cloud Adoption Framework and Mass Migration best practices.
7. enterprise
strategy
AWS is the first choice for highly regulated organizations
We can be far more secure in the cloud and achieve a higher level of assurance at a much lower cost, in terms of effort and dollars invested. We determined that security in AWS is superior to our on-premises data center across several dimensions, including patching, encryption, auditing and logging, entitlements, and compliance.
—John Brady, CISO, FINRA
Cloud computing has reached the tipping point as the capabilities, resiliency and security of services provided by cloud vendors now exceed those of many on-premises data centers.
—DTCC, Moving Financial Market Infrastructure to the Cloud
8. enterprise
strategy
Customers rely on AWS’ compliance with global standards
Certifications & Attestations: Cloud Computing Compliance Controls Catalogue (C5); Cyber Essentials Plus; DoD SRG; FedRAMP; FIPS; IRAP; ISO 9001 #; ISO 27001 #; ISO 27017 #; ISO 27018 #; MLPS Level 3; MTCS; PCI DSS Level 1; SEC Rule 17-a-4(f); SOC 1, SOC 2, SOC 3 #
Laws, Regulations and Privacy: CISPE; EU Model Clauses; FERPA; GLBA; HIPAA; HITECH #; IRS 1075; ITAR; My Number Act; Data Protection Act – 1988; VPAT / Section 508; Data Protection Directive; Privacy Act [Australia]; Privacy Act [New Zealand]; PDPA - 2010 [Malaysia]; PDPA - 2012 [Singapore]; PIPEDA [Canada]; Agencia Española de Protección de Datos
Alignments & Frameworks: CIS (Center for Internet Security) #; CJIS (US FBI); CSA (Cloud Security Alliance) #; Esquema Nacional de Seguridad; EU-US Privacy Shield; FISC; FISMA; G-Cloud; GxP (US FDA CFR 21 Part 11); ICREA #; IT Grundschutz; MITA 3.0 (US Medicaid); MPAA; NIST; Uptime Institute Tiers #; Cloud Security Principles
# = industry or global standard
9. enterprise
strategy
The AWS Compliance Center features country-specific resources
The AWS Compliance Center is a central location to research cloud regulations in specific countries and learn about AWS Compliance programs.
13. enterprise
strategy
Availability
…availability in series (Part X, Part Y): $A = A_X A_Y$

| Component | Availability | Downtime |
|---|---|---|
| X | 99% (2-nines) | 3 days 15 hours |
| Y | 99.99% (4-nines) | 52 minutes |
| X and Y Combined | 98.99% | 3 days 16 hours 33 minutes |
20. enterprise
strategy
Shared responsibility model for security
Customer is responsible for security in the cloud: customer data; platform, applications, identity, & access management; operating system, network, & firewall configuration; client-side data encryption & data integrity authentication; server-side encryption (file system &/or data); network traffic protection (encryption/integrity/identity).
AWS is responsible for security of the cloud: compute, storage, database, networking; AWS Global Infrastructure (Regions, Availability Zones, Edge locations).
21. enterprise
strategy
Our tools and services automate tasks and enhance security
New services, now available in preview:
AWS Security Hub: Centrally view and manage security alerts and automate compliance checks
AWS Control Tower: Automates the set up and governance of a secure, compliant multi-account AWS environment
Identity: AWS Identity & Access Management (IAM), AWS Single Sign-On, AWS Directory Service, Amazon Cognito, AWS Organizations, AWS Secrets Manager, AWS Resource Access Manager
Detective control: AWS Security Hub, Amazon GuardDuty, AWS Config, AWS CloudTrail, Amazon CloudWatch, VPC Flow Logs
Infrastructure security: AWS Systems Manager, AWS Shield, AWS WAF—Web application firewall, AWS Firewall Manager, Amazon Inspector, Amazon Virtual Private Cloud (VPC)
Data protection: AWS Key Management Service (KMS), AWS CloudHSM, AWS Certificate Manager, Amazon Macie, Server-Side Encryption
Incident response: AWS Config Rules, AWS Lambda
25. enterprise
strategy
We’re taking a cloud-first approach to development with AWS as our predominant cloud infrastructure provider.
—Rob Alexander, CIO
1. Keep it simple
26. enterprise
strategy
[Diagram: the path from Idea to Value through Biz Case & Reqs, Business, Creative & Functional, Design, Finance & PMO, Prioritization, Software Development, Engineering, Integration & Perf., QA & Testing, Deploy & Manage, Infra & Ops, Policy & Compliance, Security, with "Wait" and "Defects" labels repeated between the stages.]
2. Not moving to agile fully
27. enterprise
strategy
Product-based teams
Full Stack. Two Pizzas.
“You build, you run it”
2. Not moving to agile fully
28. enterprise
strategy
23 TIMES*
Teams that adopt essential cloud characteristics are 23 times more likely to be elite performers.
*Accelerate: State of DevOps 2018: Strategies for a New Economy
“It’s worth noting that four deploys per day is a conservative estimate when comparing against companies such as CapitalOne.”
3. Treating cloud as ‘just a project’
29. enterprise
strategy
Elite vs. low performers*
46 TIMES MORE frequent code deployments
2,555 TIMES FASTER lead time from commit to deploy
7 TIMES LOWER change failure rate
2,604 TIMES FASTER time to recover from incidents
3. Treating cloud as ‘just a project’
*Accelerate: State of DevOps 2018: Strategies for a New Economy
32. enterprise
strategy
2-pizza cloud leadership team
Single-threaded leader
Procurement, CISO, CFO, Head of Infrastructure, Head of Delivery, Engineering, Risk Leader, Audit Leader, HR, Legal
35. enterprise
strategy
Amazon.com
Big Data & Analytics
Business Apps
Migration Acceleration Program
Compute Options
Contracts & Legal
Database Options
Container Options
Desktop & App Streaming
DevOps
Management Apps
Digital Transformation
Edge Services
Enterprise Strategy
General AWS Topics
Industry Specific Solutions
Internet of Things
Machine Learning
Mobile Options
AWS Executive Briefing Sessions
AWS Cloud Adoption Framework
AWS Well Architected Framework
AWS Migration Acceleration Program
36. enterprise
strategy
Establish your principles …unless you have better ones
Be clear on your business goal
Choose a predominant public cloud partner
Agree on your security objectives
The team you have is the team you need
You build it, you support it
Trust, but verify
37. enterprise
strategy
We have a strategic imperative for a pretty dramatic transformation of our technology capabilities as a company. The hardest part of that transition is really a talent transformation.
—Rob Alexander, CIO, Capital One
4. There is no compression algorithm for experience
38. enterprise
strategy
Comprehensively trained organizations are*
3.7 TIMES MORE LIKELY to overcome IT governance concerns
3.8 TIMES MORE LIKELY to meet ROI requirements
1.8 TIMES MORE LIKELY to resolve security concerns
4.4 TIMES MORE LIKELY to overcome performance concerns
14 TIMES MORE LIKELY to overcome operational control concerns
*IDC training report 2018
4. There is no compression algorithm for experience
40. enterprise
strategy
4. There is no compression algorithm for experience
10%
Critical mass: reach 10% certified
Achieve the halo effect
51. enterprise
strategy
Migration paths should be chosen to support desired business outcomes, not to speed up migration.
[Diagram: Discover and Determine lead to the migration paths Retire, Retain, Rehost (Lift & Shift), Replatform (Lift & Reshape), Repurchase (Drop & Shop) and Refactor (Rearchitect), followed by Sustain, Grow, Optimize. Three operating models are shown, Traditional Operations, Distributed DevOps and Decentralized DevOps, each drawn on Operations/Engineering and Platform/Applications axes with boxes for Application Engineering, Application Operations, Cloud Platform Engineering, AWS Managed Services and ITSM.]
10. Not optimizing your operating model
52. enterprise
strategy
1. Keep it simple
2. Not moving fully to agile
3. Treating cloud as just a project
4. There is no compression algorithm for experience
5. Get the risks and controls balance right
53. enterprise
strategy
6. Thinking on premises
7. Thinking regulation is a blocker
8. Trying to build the perfect
9. Overthinking migration
10. Not optimizing your operating model