Welcome everyone! It is great to see so many faces once again back here in DC for the AWS Summit.
My name is Brian Price, CEO and Co-Founder at Kion and today I’m excited to share some ways that you can help your organization with effective cloud management.
Over the past six years, Kion has worked with dozens of federal government agencies and higher education institutions to help them apply cloud management and governance practices to accelerate their journey in the cloud. Today, I’ll talk a little about some of the cloud security and compliance lessons we’ve seen and we’ve learned.
First, I’ll share a story to highlight some of the typical experiences that happen inside of most organizations when managing the cloud. Then, I’ll introduce the idea of effective cloud management and how to best accelerate cloud adoption. We will dive into some security and compliance best practices to help navigate through some one way doors and last, I’ll share some specific AWS services along with partner solutions that can help.
Let me paint a picture for you…
You are running a cloud PMO or cloud operations team and you get a request from Jim for a new AWS account for this brand new app that his team is building. What happens?
Typically, that one request spawns many tickets – if you are in the federal government, the first may be to your cloud reseller to provision the new account, the next may go to your security team to turn on some baseline services like CloudTrail, CloudWatch, GuardDuty. Then a ticket goes to the identity team to create IAM users and roles, configure SSO and apply baseline IAM policies. After that your networking team sets up and configures the VPC and security groups. Then probably after about 3 more tickets to 3 separate teams, you are able to reach back to Jim and say – HERE. YOU. GO.
But before that request can be closed, Jim sends you another request. “I need to be able to connect to on-prem infrastructure and I can’t actually create any EC2 instances in the account.” Ohh….right….that networking requirement wasn’t in the original request…and somehow, we missed the fact that the platform team didn’t share AMIs from our AMI factory with the account. So fire off two more tickets, and oh yeah…Bob, who is the only person on the networking team that understands how the heck to correctly set up a VPC, had to leave for the day to pick up his sick kid from school…after all, we are still dealing with COVID. So you can’t get back to Jim until the next day and then maybe…if you’re lucky…they can get to work.
Fast forward a week and in your morning email, you notice in your daily report of the cloud accounts that have been flagged for violating a security or compliance check that there’s Jim’s account you just provisioned last week. He is using Amazon Kendra to try to make a search capability easy in his app but he did this in a GOVCLOUD ACCOUNT! Doesn’t he know better! Why would he ever do that? That service has not been approved by the JAB to run FedRAMP HIGH workloads! He will never get an ATO doing things like that. Jim should know better. You pick up the phone, try calling Jim. Explain the situation. Walk him through how to tear down the infrastructure he and his team spent the past week on. Whew! Crisis avoided!
And then a week later in your morning email, you notice in your daily report of the cloud accounts that have been flagged for exceeding a budget, there’s Jim’s account again. He spent $50,000 in the past 2 weeks…no wait…past two days! How? Why? Doesn’t he know that until his app is given a green light, he only has $5,000 to spend. What the heck?!?! Call Jim up. Explain the situation. Oh you forgot that you left that cluster up over the weekend. Well he is in trouble.
And this happens. Over and over and over again. Not just with Jim’s accounts. But also with John’s, Jerry’s, Jason’s, Jessica’s, Jamie’s. And somehow we aren’t innovating fast enough or hitting those cloud adoption milestones that the CIO asked us to reach. Wonder why?
How many people here can relate to this?
All of the things in this example, like siloed IT processes, misunderstood security and compliance standards, long ATO processes, and the shift of financial control to engineers, result in friction if cloud management is adopted in the same way IT has been managed for decades, despite cloud being vastly different.
Now let’s look at a different approach…what if we re-invent cloud management to enable an organization to move faster. What if we make those processes more cloud-like, more self-service, with more context to empower folks like Jim to do more and wait less.
Effective cloud management enables you to focus on your mission. The three principles of effective cloud management rely on agile, but controlled, self-service account provisioning; budget and spend visibility, allocation and enforcement with cost optimization context; and proactive and reactive controls to help ensure security and compliance standards are met all the time, since cloud infrastructure can be very dynamic. Today, I’m going to focus on security and compliance best practices; however, each of these principles is interrelated and they have to be working together to enable effective cloud management.
Now I’d like to share some lessons learned we have seen working with many groups that can hopefully help you develop an effective cloud management approach for your organization that helps you go farther and faster in the cloud.
But to get there, let’s talk about one-way and two-way doors in cloud management and governance. Whether you are new or experienced managing cloud environments, you are likely going to make some mistakes. But don’t let the fear of making a mistake stop you from making a decision. There are only a few one-way doors in designing your cloud management strategy…that is, decisions that, once you make them, are difficult to unwind and change. As a technical example, setting up your centralized auditing and logging as part of your landing zone through a service like AWS Control Tower is an important first step and one-way door to make sure you have the full provenance of actions that happen inside of all the AWS accounts across your organization. Waiting until you have the full set of preventative controls implemented to achieve a compliance standard isn’t necessary; we find it is important, and easier, to run some detective checks against those standards to get a picture of how far off you are, rather than letting that wait prevent progress. This will be back and forth anyway as most regulations tend to change and get updated from time to time. But let’s talk a little more about 3 specific one-way doors you need to consider:
First, a really important one is to think through your accreditation boundaries. We have seen some agencies take a carte blanche approach and get an ATO for the entirety of AWS so that any workload can fall under it, but that doesn’t give you much granularity or flexibility when something needs to change. Others have taken almost the opposite approach and try to achieve ATOs for each and every application that they need to support in a one-off capacity. There is a balance in the middle where the ATO boundary should be designed as layers of a cake: the bottom layer is baseline controls satisfied by AWS, such as the physical controls and core services like IAM; on top of that layer there are controls satisfied by other shared services that are offered to all tenants; and then, going all the way to the top, there is only a small layer that each application owner needs to satisfy based on the unique requirements of their workload. This is a much more agile and adaptive approach that makes it easier to build templates and adjust as requirements change. This also makes for a much more streamlined and efficient ATO process that can yield quicker accreditations.
Next, it’s important to think through how to implement least privilege. It is very easy to over-provision access, forget who has access, and forget to revoke access. While most organizations we support today have moved to role-based federation using centralized identities, especially with how easy it is to get started with a service like AWS SSO that now supports using CloudFormation Templates, it’s important to get this set up right from the very beginning and automate it as much as possible so that it doesn’t become a pain to configure for each workload.
I’ll hit here briefly on the importance of a multi-account strategy, that is to use multiple AWS accounts for specific workloads because they help limit the financial and security blast radius if there is an incident that happens. This is critical especially as it relates to least privilege so that you can quickly adjust permissions in specific roles across specific types of accounts if the underlying IAM policies were overly permissive or some other incident happens.
Last but certainly not least, it is impossible to plan for every possible scenario for every workload, like Jim’s new app, that needs to run in the cloud. As I mentioned in the first one-way door around accreditation boundaries, taking a one-size-fits-all approach is destined to fail because it won’t offer enough flexibility as your organization matures its cloud usage. You need to think through how you plan on providing exemptions to established security baselines, whether that is the need to use a service like Amazon Kendra that hasn’t officially achieved its JAB approval for FedRAMP High. Maybe it is based on where the application lives in the organization, or its type…if it is internal or external facing. It’s also important to think through who has the authority to approve the exemption and how to keep other guardrails in place despite accepting the risk of certain configurations.
The great news is that AWS offers a ton of services that can help implement these best practices to ensure you build effective cloud management.
AWS Audit Manager helps you document and assess your current compliance status in preparation for security audits as part of your ATO process.
AWS Config Conformance Packs provide ways you can check your AWS environment to detect and remediate security findings.
AWS Control Tower offers the ability to deploy a Landing Zone to set up a multi-account environment.
AWS Organizations helps you create and manage AWS accounts in commercial and GovCloud regions.
AWS Security Hub brings together multiple AWS services, like Audit Manager and Config, to help you see and take action on your current security posture.
And last but not least, AWS Service Control Policies help provide preventative guardrails that can be deployed within AWS Organizations to ensure parts of your organization don’t do something they shouldn’t based on their compliance status, and can be configured so that accounts that require exemptions are moved into separate OUs that allow those services.
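To make the exemption pattern from the last two sections concrete, here is an added example (my own illustration, not Kion’s or AWS’s code) that models how SCP Deny statements inherit down the OU tree. The org tree, account names and the `DenyServicesNotOnFedRAMPHighBaseline` policy are constructed for the example; the evaluator is a simplified model of SCP semantics (explicit Deny only, no conditions) and ignores the IAM identity policy that must also allow the action.

```python
import json

# Constructed org tree: SCPs attach to OUs and their effect inherits downward.
# A Deny anywhere on the path from Root to an account cannot be overridden
# lower in the tree, so an exemption OU must be a sibling of the restricting
# OU, not nested under it.
ORG_TREE = {
    "Root": ["GovCloud-Baseline", "GovCloud-Exemptions"],
    "GovCloud-Baseline": ["acct-jim", "Nested-Exemption"],   # wrong placement
    "Nested-Exemption": ["acct-nested"],
    "GovCloud-Exemptions": ["acct-search-team"],             # right placement
}

# Hypothetical SCP: deny a service not yet on the approved FedRAMP High baseline.
DENY_UNAPPROVED_SERVICES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyServicesNotOnFedRAMPHighBaseline",
        "Effect": "Deny",
        "Action": ["kendra:*"],
        "Resource": "*",
    }],
}

# Only the baseline OU carries the Deny; the exemption OU keeps the default
# FullAWSAccess policy, so accounts moved there can use the service.
SCP_ATTACHMENTS = {"GovCloud-Baseline": [DENY_UNAPPROVED_SERVICES]}


def path_to(node, target, tree=ORG_TREE, path=None):
    """Return the list of nodes from `node` down to `target`, or None."""
    path = (path or []) + [node]
    if node == target:
        return path
    for child in tree.get(node, []):
        found = path_to(child, target, tree, path)
        if found:
            return found
    return None


def action_matches(pattern, action):
    """Match 'service:Action' against 'service:*' or an exact action name."""
    svc_p, _, act_p = pattern.partition(":")
    svc, _, act = action.partition(":")
    return svc_p == svc and (act_p == "*" or act_p == act)


def scp_allows(account, action):
    """Walk Root -> account; return (allowed, denying_ou, sid)."""
    for node in path_to("Root", account):
        for policy in SCP_ATTACHMENTS.get(node, []):
            for stmt in policy["Statement"]:
                if stmt["Effect"] == "Deny" and any(
                        action_matches(a, action) for a in stmt["Action"]):
                    return False, node, stmt["Sid"]
    return True, None, None
```

Running `scp_allows("acct-nested", "kendra:CreateIndex")` shows the caveat: an exemption OU nested under the denying OU still inherits the Deny.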
These native services can be extended with AWS partner solutions like:
GitLab, which can serve as the source code repository and shared service to version control all of your security control policies and Infrastructure as Code like CloudFormation Templates;
Splunk, which can aggregate audit and logging information across your AWS and other cloud environments to bring you a total picture of your organization’s on-prem and cloud-based security posture;
and Telos Xacta, which can further automate and extend the RMF process to your organization’s technical and non-technical security professionals.
This is just to name a few solutions that really can help.
And if you need some help connecting these pieces, especially in a way that works across your AWS commercial, GovCloud, SC2S, C2S and even other cloud providers, Kion is here to help. Our cloud enablement platform provides a giant easy button to help assemble these cloud native services provided by AWS and others along with other AWS partner solutions in a way that helps restore the experience that cloud should be in the enterprise.
In today’s session, we have focused a lot on security and compliance. Out of the box, our platform ships with over 4500 checks that map back to nearly 2 dozen regulatory frameworks to help easily satisfy the technical controls required. And the automation possible within Kion helps make sure it’s easy to provide the right controls and give the right context to folks like Jim to help them build better applications.
So putting this all together…what if instead of Jim just putting a request in, he had the ability to create his own AWS accounts and end-to-end automation sets them up in a matter of minutes, with the right controls to help achieve FedRAMP High compliance and adhere to his budget. And he and his team get the information they need to take action proactively on their own, instead of getting a call when something happens.
Waiting for cloud, security and network operations goes from days or weeks to minutes, context is provided, control is restored, friction is removed and the experience of the enterprise cloud can finally drive innovation.
If the topics today resonate with some of the challenges you are looking to solve in your team, please stop by our booth, number 419, in the expo hall this afternoon to meet some of the Kioneers that can help you on your journey or visit our website at kion dot i-o and let us know how we can help.