Macquarie, a global provider of financial services, identified early on that it would require strong partnership between its business, technology and risk teams to enable the rapid adoption of AWS cloud technologies. As a result, Macquarie built a Cloud Governance Platform to enable its risk functions to move as quickly as its development teams. This platform has been the backbone of Macquarie’s adoption of AWS over the past two years and has enabled Macquarie to accelerate its use of cloud technologies for the benefit of clients across multiple global markets. This talk will outline the strategy that Macquarie embarked on, describe the platform they built, and provide examples for other organizations who are on a similar journey.
2017 Macquarie Group overview
• 13,966 employees and ~$371.3b assets under management (as of 30 Sep 17)
• $961m 1H18 net profit
• 27 countries
Global locations: Asia 13 locations; Europe 12 locations; North America 19 locations; Australia nine locations; Latin America three locations; Middle East two locations; Africa two locations; New Zealand one location.
Operating groups: annuity-style businesses are Macquarie Asset Management, Banking and Financial Services, and Corporate and Asset Finance; capital markets facing businesses are Macquarie Capital and Commodities and Global Markets.
[Pie chart: 1H18 net profit contribution by operating group (1); segments 45%, 23%, 14%, 11%, 7%]
1. Net profit contribution is management accounting profit before unallocated corporate costs, profit share and income tax. Pie chart is based on 1H18 net profit contribution from operating groups.
What sets Macquarie apart?
• Heavily regulated
• Globally distributed
• Diverse applications
• Opportunistic businesses
• Dynamic organisation
Our principles for cloud…
Cloud principles:
• Customer focused
• Application centric
• Immutable infrastructure
• Security, compliance, resilience in depth and by design
• Agile DevOps
• Buy rather than build
How we implemented it…
Arturo: Macquarie Cloud Platform
1. Standardised deployment framework
2. Continuous delivery and infrastructure as code
3. Extendable engines that automate security & compliance
4. Continual assurance score-carding
3. Extendable engines that automate security & compliance
Security and compliance engines:
• Cloud compliance
• Lifecycle management
• IAM policies
• Security logging
• Security groups
• Encryption
3. Extendable engines that automate security & compliance
Amazon Web Services (AWS) provides the building blocks for managing our side of the shared responsibility model.
HOW can we delegate the tools at scale within the organisation, while:
• putting security and compliance standards first?
• with a minimal amount of effort?
• and still enabling business agility?
3. Extendable engines that automate security & compliance
HOW: Amazon Relational Database Service (Amazon RDS)
• Do I need RDS encryption?
• Which Amazon RDS encryption key should I use?
• When should I be multi-AZ for my RDS databases?
• How do I take RDS backups?
3. Extendable engines that automate security & compliance
AWS Identity and Access Management (IAM) policy, bucket policy
3. Extendable engines that automate security & compliance
HOW: IAM policy
How do I ensure my application is using “least privilege” IAM policies?
• Resources and Principals
• Condition keys on some actions but not others
• Cross account delegation
• How do I know which application an IAM entity belongs to?
• What if that other application hasn’t even been created yet?
• How do I ensure everyone in my organisation knows not to ever set Principal to public in a bucket policy?
3. Extendable engines that automate security & compliance
HOW: Security groups
• How do I control which other network assets can connect to my application? (ingress rules)
• How can I ensure my own network assets have “least privilege” access? (egress rules)
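The IAM-policy and security-group slides above each pose questions that an "extendable engine" is meant to answer automatically: is a bucket policy ever granting access to a public Principal, and do ingress and egress rules follow least privilege? The following added example (not Macquarie's Arturo code; written for this page) shows the shape such an engine can take: checks are plain functions registered per resource kind, so a new rule is a new function rather than a change to the engine. The resource dicts are shaped like the JSON the AWS APIs return (a parsed S3 bucket policy document and an EC2 DescribeSecurityGroups entry); the bucket name, account id, role name and security group id in the sample inventory are constructed placeholders.

```python
"""Skeleton of an extendable security & compliance engine (added example).

Checks are registered per resource kind; resources are dicts shaped like
AWS API JSON. The sample inventory at the bottom is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    check: str      # name of the check that fired
    resource: str   # bucket name or security group id
    message: str    # reason, as it would appear on a scorecard


# kind -> registered check functions; each yields Findings for one resource
CHECKS: Dict[str, List[Callable[[dict], Iterable[Finding]]]] = {}


def check(kind: str):
    """Decorator that registers a check for one resource kind (the extension point)."""
    def register(fn):
        CHECKS.setdefault(kind, []).append(fn)
        return fn
    return register


def _as_list(value):
    """IAM policy JSON allows scalar-or-list in many fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


@check("bucket_policy")
def public_principal(res: dict):
    """Flag Allow statements whose Principal is public, with or without a Condition."""
    for i, stmt in enumerate(_as_list(res["policy"].get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        cond = " (has a Condition, still public)" if stmt.get("Condition") else ""
        yield Finding("public_principal", res["name"], f"{sid}: Principal is public{cond}")


def _describe(perm: dict) -> str:
    proto = perm.get("IpProtocol", "-1")
    return "all traffic" if proto == "-1" else f"{proto} {perm.get('FromPort')}-{perm.get('ToPort')}"


@check("security_group")
def open_ingress(res: dict):
    """Flag ingress rules reachable from any IPv4/IPv6 address (ingress least privilege)."""
    for perm in res.get("IpPermissions", []):
        sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])] + \
                  [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in sources):
            yield Finding("open_ingress", res["GroupId"], f"{_describe(perm)} open to the internet")


@check("security_group")
def unrestricted_egress(res: dict):
    """Flag all-protocol egress to anywhere (egress least privilege)."""
    for perm in res.get("IpPermissionsEgress", []):
        anywhere = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        if perm.get("IpProtocol") == "-1" and anywhere:
            yield Finding("unrestricted_egress", res["GroupId"], "all traffic permitted to 0.0.0.0/0")


def evaluate(resources: Iterable[dict]) -> List[Finding]:
    """Run every registered check for each resource's kind; an empty list means compliant."""
    findings: List[Finding] = []
    for res in resources:
        for fn in CHECKS.get(res["kind"], []):
            findings.extend(fn(res))
    return findings


# Constructed sample inventory (placeholder names and ids, not real resources).
SAMPLE_RESOURCES = [
    {"kind": "bucket_policy", "name": "example-reports-bucket", "policy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AppRead", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app-role"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports-bucket/*"},
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports-bucket/*"},
        ]}},
    {"kind": "security_group", "GroupId": "sg-0example1",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     ],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RESOURCES):
        print(f"[{f.check}] {f.resource}: {f.message}")
```

Run against the sample inventory, the engine reports three findings: the PublicRead statement, the SSH ingress rule open to 0.0.0.0/0, and the all-traffic egress rule. In a real pipeline the resource dicts would come from the deployment framework (the templates about to be deployed) rather than from the live account, so a violation blocks the build instead of being discovered afterwards; the same findings are what the later score-carding slides roll up per application and per portfolio.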
4. Continual assurance score-carding
Corporate-level governance: enabling empowered and accountable application owners
Application: commodity market insights
Budget: Commodity Market Insights is forecast to only use $2,650 of its $3,000 budget
Active Environments
Environment | Time to Expiry | Uptime | Cost (per day) | Total Cost | Owner
Production | N/A | 25 days | $80.50 | $2,012.50 | Julie Smith
Feature-334 | 3 Hrs 5 mins | 5 days | $13.50 | $67.50 | Martin Jones
Dev-339 | 4 Days | 3 hours | $5.50 | $5.50 | Jagan Vander
Assurances (status legend: Violation, Issue Due Soon, No Issues), shown for Non-Prod and Prod: Stack Rolls, Resilience, Snapshots (N/A where not applicable)
Assurance issue: There is one non-prod environment that is due to be stack-rolled in the next 5 days
4. Continual assurance score-carding
Corporate-level governance: enabling empowered and accountable application owners
Portfolio: trading analytics (views: Services, Portfolios, Applications)
Budget
• Trading Analytics is forecast to use $8,250 of its total $10,000 budget
• Trade Capture has exceeded its budget of $2,000 by $65
• Data Analytics is forecast to exceed its budget of $2,000 by $112
• Real-time Routing is forecast to exceed its budget of $1,500 by $30
• Market Insights is forecast to only use $2,543 of its $4,500 budget
Assurances (Non-Prod / Prod)
• Trade Capture is fully compliant
• Data Analytics is fully compliant
• Real-time Routing is fully compliant
• Market Insights has one non-prod assurance (stack rolls) coming due
Did it work?
• 100+ production applications running on AWS, and hundreds of dev/test solutions
• 10k environment builds each month, all fully automated, zero-touch, developer driven
• 100+ developers enabled for each cloud engineer
Keys to success
1. ‘One team one dream’: business, technology and risk management
2. Establish a cloud centre of excellence
3. Embrace DevOps, InfraOps and DevSecOps
4. Listen to your customers
5. Culture. Culture. Culture. Culture. Culture. Culture.