
(SEC204) AWS GovCloud (US): Not Just for Govies


For some organizations, all of the technical security features in the world can’t address an underlying need to restrict physical access of resources to citizens within the United States. GovCloud (US) was established to meet the needs of the US federal government, but it is available for any organization facing the challenge of restricting access in this way. Learn about the features available in GovCloud (US), how to onboard your workloads, and the options for using GovCloud (US) as one of multiple regions. Also, hear from government and commercial customers about their experience using GovCloud (US). 



  1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. CJ Moses, GM, AWS Government Cloud Solutions; Keith Brooks, AWS GovCloud Senior Business Development Manager. October 2015. SEC204: AWS GovCloud (US), Not Just for Govies
  2. What to expect from this session: 1. Background on the AWS GovCloud (US) region; 2. Overview of AWS GovCloud (US) features; 3. Description of AWS GovCloud (US) users and suitable workloads; 4. Customer use case examples
  3. Background and history
  4. AWS GovCloud (US) features
  5. Requirements for access to AWS GovCloud (US): can handle export controlled data; US person (account holder); US entity on US soil
  6. AWS GovCloud (US) features: managed by US persons on US soil; separate AWS IAM and authentication; located in the Pacific NW (Oregon); data, network, and machine isolation
  7. AWS GovCloud (US) features: "Community Cloud"; multiple regulatory and compliance features
  8. Who's using AWS GovCloud (US) and why?
  9. AWS GovCloud (US) adoption, 2011 to 2014 (chart): 273% average YoY growth since launch (Q4 2011 to Q4 2014)
  10. Users span various types of enterprises: US Government (federal, state, and local); consulting firms and systems integrators; technology firms and software vendors; resellers; educational institutions; research organizations; commercial industry; nonprofit organizations; managed service providers
  11. ...but all share common characteristics: sensitive data and applications; strict regulatory and compliance requirements; restricted, community cloud preference; AWS cloud platform
  12. AWS GovCloud (US) is fit for hosting sensitive data: agriculture, copyright, critical infrastructure, export control (ITAR), financial, immigration, intelligence, law enforcement, legal, nuclear, patent, privacy (PII), proprietary (IP), statistical (census), tax, transportation; all levels of Controlled Unclassified Information (CUI)
  13. Example workloads on AWS GovCloud (US): web applications and websites; backup and recovery; archiving; disaster recovery; development and test; big data; high performance computing; business applications; enterprise IT; mobile
  14. Customer highlight: Planet Labs
  15. Imaging the Earth Daily. Troy Toman, Director of Engineering, Planet Labs, troy@planet.com | @troytoman
  16. Planet Labs Proprietary & Confidential. Size: 10 x 10 x 30 cm; Mass: 4 kg
  17. Radome, April 2014, Awarua, NZ
  18. 101 satellites launched on 9 rockets
  19. Orange River, South Africa, August 4, 2015
  20. Forest Management, Oregon, USA. Source: Landsat 8. Date: March 23, 2014
  21. Forest Management, Oregon, USA. Source: Planet Labs. Date: May 2, 2014
  22. 150 satellites; 475 km altitude, sun synchronous orbit; 30 ground stations at 10 sites; 370,000 images per day; <24 hours to online catalog; API for data pipeline and platform access; 1000s of servers; 11 TB processed daily. (Spacecraft Manufacturing and Operations; Data Pipeline and Production Apps)
  23. Infrastructure challenges: 11 TB/day...every day...forever; regulatory compliance; agile aerospace; dynamic use cases; multiple products/output formats; complex/compute intensive pipeline
  24. What could have been...: procurement, physical security, inventory, DC operations, server provisioning, private cloud ops, network management, hardware maintenance. https://creativecommons.org/licenses/by-nc/2.0/
  25. What AWS GovCloud (US) enables (architecture diagram spanning us-gov-west and us-west): Python (boto), AWS CLI, Amazon RDS, Amazon S3, AWS Import/Export, SAML, Ansible, CI, Git/GitHub, analytics, logging, messaging, ticketing, VPN gateways in both regions, Amazon Route 53, instances and Spot instances; grouped as common ops/dev tools, data pipeline, production APIs, and spacecraft manufacturing/operations
  26. ansible-jenkins repository layout (listing truncated on the slide):
      ansible-jenkins
      ├── environments
      │   ├── preprod.ini
      │   ├── prod-current.ini
      │   ├── prod-new.ini
      │   ├── space.ini
      │   └── test.ini
      ├── jenkins.yml
      ├── planet_roles
      │   ├── apache_saml
      │   ├── aptly
      │   ├── aptserver
      │   ├── awscli
      │   ├── base
      │   ├── datadog_agent
      │   ├── elasticsearch
      │   ├── fpm
      │   ├── graphite
      │   ├── jenkins
  27. A Transparent Planet... ...to act on change: commercial access to space; space-capable consumer technology; compliant cloud services; universal access
  28. Customer highlight: CSC
  29. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Jon Check, CSGov. AWS GovCloud (US) Migration: CSC's separation drives rapid migration of business applications to AWS GovCloud (US)
  30. What to expect from this part of the session: • Demonstrate a use case of successful, rapid migration of a large business' application portfolio to AWS GovCloud (US). • Provide a successful cloud migration process. • Share reasons why we chose AWS GovCloud (US). • Demonstrate how CSGov executed the process and migration. • Provide success stories and lessons learned.
  31. Our challenge: on May 19, 2015, CSC announced that its Board of Directors unanimously approved a plan to separate the company into two publicly traded, pure play leaders: one to serve commercial and government clients, and one to serve public sector clients in the US. CSGov business application portfolios: 200+ apps must migrate by October 1, 2015. Program specific application types: collaboration, finance, HR, payroll, security, other. CSC: 70,000 employees, 14+ data centers, SaaS providers. CSGov: 14,000 employees, 2 data centers, 1 Gov CSP, SaaS providers. Approximately 250 servers (physical and virtual), 3 TB memory, 1,300 processors. Infrastructure types: physical, virtual, private cloud, SaaS.
  32. How do we attack this problem? We need a strong systems integrator with proven applications migration processes to discover, plan, and execute our application separation between the two separate companies. Migration process: application discovery; cloud adoption assessment; application affinity grouping; target assessment & architecture; application treatments; migration execution; migration validation; operations onboarding; operations planning; continuous improvement
  33. Migration, Shape (application discovery, cloud adoption assessment): CSGov only 49%; CSC/CSGov shared 40%; CSC only 11%. Suitability scorecard tells you the ideal level at which you should be looking for a cloud-based alternative: SaaS, PaaS, IaaS. Cloud adoption roadmap identifies treatments and prioritization based on customer requirements and target environment. Our targets: physical CSGov data center, CSGov private cloud, AWS GovCloud (US), SaaS providers. Artifacts: app inventory, app data flow diagram
  34. Why AWS GovCloud (US)? Requirements met by AWS GovCloud (US): provide rapid, self-service infrastructure provisioning enabling an aggressive migration schedule. Government contracts require strict security standards and CSGov aspires to provide the highest security levels for our customers and our business. HR data will contain personally identifiable information, best protected via DoD Impact Level 4 added security controls. CSGov must retain ITAR compliance, and so should our cloud service provider. Ideally the CSP has an established relationship with CSGov.
  35. Migration, Transform (application affinity grouping, application treatments): do not migrate 24%; physical (NPS data center) 51%; GovCloud 15%; SaaS 10%. Treatments: Do not migrate: application exists at a location/data center that will remain; no need to migrate at this time. Physical move: ship physical architecture with applications installed to consolidated data center. Migrate to AWS GovCloud (US): initiate an application migration to AWS GovCloud (US), via cloning, cloning and import/export, rebuilding, or rebuilding with import/export. Migrate to CSGov instance of SaaS: CSGov is sharing a SaaS implementation with CSC; need to work with the SaaS providers to create a CSGov dedicated instance and initiate a data migration and purge.
  36. Migration, Transform (cont'd) (migration execution, migration validation). Physical CSGov data center/private cloud: 1. Data center preparation (space, power, network, staffing); 2. Application outage planning; 3. Onsite installation; 4. Configuration; 5. Base testing. AWS GovCloud (US): 1. Partnership with Racemi; 2. Move group planning; 3. Discover, capture, clone, configure; 4. AWS Import/Export; 5. Some straight rebuild. SaaS providers: 1. Partnership with SaaS providers; 2. Professional services; 3. SaaS statement of work; 4. Configuration migration/establishment; 5. Base testing. Validation: • release planning • reuse existing regression testing • manual test script execution • user acceptance testing • go/no-go decision • go-live support period. Team used Agile methodologies to deliver the migration execution (scrum planning, kanban execution)
  37. Our AWS architecture
  38. Our AWS architecture
  39. Migration, Manage (operations onboarding, continuous improvement). Integrated Technology Center (ITC) integration: 1. CSC Answers (HR help desk); 2. CSC technical help desk; 3. Network Operations & Security Center (NOSC). Application O&M teams: 1. Parallel O&M for a period of time to support rollback; 2. Outage management; 3. Triage; 4. Scrumban teams; 5. DevOps. Where we started: physical to cloud/virtual (lift & shift). Where we are: keep moving to the cloud! Where we need to be (optimize): stateless architectures, high availability, cloud service rich, hybrid VM/container/SaaS architectures, offering enhancements
  40. Success stories: • Hybrid environment (compute, network, storage) on physical premises, dedicated private cloud, government community cloud, SaaS provider, all seamless to the end user...and it works! • Agile methodology delivered value early, identified issues, and mitigated them rapidly. • CSC used its own processes and methods to take on this aggressive application migration effort, and they worked. Lessons will improve these migration offerings, passing on value to our customers. • DR recovery point time reduced from days to minutes with some of these applications. Architected for resiliency to failures. • Use of AWS rapidly increased the time to value for our cloud-based IaaS (compute, network and storage). Able to execute the plan in hours/days versus the weeks/months it would have taken using alternative IaaS with the same requirements.
  41. Lessons learned: • No magic bullet for an enterprise migration. • Plan for bandwidth. The biggest bottleneck in an automated migration/cloning to cloud is bandwidth. Plan ahead, expect delays for bandwidth restrictions/issues. • Do not disregard the importance of planning, especially the target environment planning. It is much harder to move migrated resources later due to poor VPC/target network planning. • Automation cannot migrate everything. Expect some traditional migration methods to be required. • No re-IP'ing is a great goal, but not entirely possible in a large-scale migration. • Most importantly...utilize your partner expertise and heed their advice (AWS, Racemi, SaaS partners, etc.).
  42. Thank you!
  43. Important things to remember: AWS GovCloud (US) is a physically and logically isolated region, with separate AZs, console, IAM and authentication stack, and endpoints. AWS GovCloud (US) is not just for the US Government; users span government, commercial entities, education and nonprofits. Remember the AWS Shared Responsibility Model: AWS IAM users can be non-US persons if adhering to shared responsibility (e.g., development teams outside of the US without access to ITAR data)
  44. Learn more about AWS GovCloud (US): AWS GovCloud (US) webpage https://aws.amazon.com/govcloud-us/; AWS GovCloud (US) User Guide http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/welcome.html. Keith Brooks, AWS GovCloud Business Development, brookskl@amazon.com; CJ Moses, GM, AWS Government Cloud Solutions, cmoses@amazon.com
  45. Remember to complete your evaluations!
  46. Thank you!
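Slides 6, 25 and 43 make the point that GovCloud (US) is a separate partition with its own IAM stack and endpoints, and that customers such as Planet Labs run it side by side with a commercial region (us-gov-west next to us-west). The practical consequence for a reviewer is that every resource reference in a policy, template or inventory must be checked for which partition it actually points at, because an ITAR or CUI workload that quietly references a commercial-region bucket or role has left the isolation boundary. The following is an added example, not code from the talk, AWS, Planet Labs or CSC: an offline guardrail that parses ARNs and classifies each as GovCloud, commercial, or inconsistent (partition and region disagree). It relies only on the public ARN layout and the partition name "aws-us-gov" with "us-gov-*" regions; the sample ARNs, account number and resource names are constructed.

```python
"""Offline guardrail: classify AWS ARNs by partition and region.

Added example, not code from the talk or from AWS. It uses the public ARN
layout (arn:partition:service:region:account-id:resource) and the fact that
AWS GovCloud (US) resources live in the separate "aws-us-gov" partition with
"us-gov-*" regions, while commercial resources use partition "aws". The sample
ARNs, the account id and the bucket/instance names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

GOVCLOUD_PARTITION = "aws-us-gov"
COMMERCIAL_PARTITION = "aws"
GOVCLOUD_REGION_PREFIX = "us-gov-"


@dataclass(frozen=True)
class ParsedArn:
    partition: str
    service: str
    region: str    # empty for global services such as IAM and S3
    account: str   # empty for services that omit the account (e.g. S3)
    resource: str


def parse_arn(arn: str) -> ParsedArn:
    """Split an ARN into its six fields; the resource part may itself contain ':'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    if not partition or not service:
        raise ValueError(f"ARN missing partition or service: {arn!r}")
    return ParsedArn(partition, service, region, account, resource)


def classify_arn(arn: str) -> str:
    """Return "govcloud", "commercial", "other" or "inconsistent".

    "inconsistent" means the partition and region disagree (a GovCloud partition
    with a commercial region, or the reverse). Such an ARN never resolves to a
    real resource and usually points at a hand-edited policy or template.
    """
    p = parse_arn(arn)
    region_is_gov = p.region.startswith(GOVCLOUD_REGION_PREFIX)
    if p.partition == GOVCLOUD_PARTITION:
        return "govcloud" if (p.region == "" or region_is_gov) else "inconsistent"
    if p.partition == COMMERCIAL_PARTITION:
        return "inconsistent" if region_is_gov else "commercial"
    return "other"  # e.g. aws-cn; outside the scope of this check


def find_outside_govcloud(arns: List[str]) -> Dict[str, str]:
    """Map every ARN that is not cleanly inside GovCloud to its classification.

    An empty result means every reference stays inside the isolated partition;
    anything returned should be reviewed before the workload handles ITAR/CUI data.
    """
    flagged: Dict[str, str] = {}
    for arn in arns:
        cls = classify_arn(arn)
        if cls != "govcloud":
            flagged[arn] = cls
    return flagged


# Constructed sample: references as they might appear in a migration inventory.
SAMPLE_ARNS = [
    "arn:aws-us-gov:ec2:us-gov-west-1:123456789012:instance/i-0aaa111",
    "arn:aws-us-gov:s3:::itar-export-docs",
    "arn:aws-us-gov:iam::123456789012:role/DataPipeline",
    "arn:aws:s3:::itar-export-docs-backup",  # commercial copy of sensitive data
    "arn:aws:ec2:us-west-2:123456789012:instance/i-0bbb222",
    "arn:aws-us-gov:ec2:us-west-2:123456789012:instance/i-0ccc333",  # partition/region mismatch
]

if __name__ == "__main__":
    for arn, why in find_outside_govcloud(SAMPLE_ARNS).items():
        print(f"{why:12s} {arn}")
```

Run over a real inventory, the commercial-partition hits are the ones to reconcile with the slide 43 reminder about shared responsibility: a commercial-region copy of an export-controlled bucket is exactly the kind of reference that a non-US development team's IAM user must not be able to reach.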
