Implementing stringent security and compliance controls, like GxP, across your enterprise cloud ecosystem, while ensuring the agility of the DevSecOps process requires significant expertise and a lot of time to design, build, and maintain custom operations tooling. In this session, you learn how Turbot used AWS services to simplify IT operations to provide continuous compliance to major life sciences customers. You also hear how life sciences companies like Novartis Institutes for Biomedical Research (NIBR) have become agile, ensured control, and automated best practices using automated policy controls to configure, monitor, and maintain their cloud resources. By doing this, they became more supportive of their researchers' application stack. You also learn how data scientists and core researchers can take advantage of the power of DevOps and cloud computing without compromising enterprise security or data protection requirements.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Automated Policy Enforcement for
Real-Time Operations, Security, and
Compliance for Life Sciences
L F S 3 0 5
N o v e m b e r 2 7 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Executive Director of Engineering
Novartis Institutes for BioMedical Research
ken.robbins@novartis.com
Founder and CEO
Turbot
nathan@turbot.com
Nathan Wal l aceKen Robbi ns

3. Novartis Institutes for BioMedical Research
Novartis Institutes for BioMedical Research (NIBR)
Drug discovery and early development
~6,000 Scientists
~90
New Molecular Entities
~400
Research projects
Immuno-Oncology
Oncology
Ophthalmology
Respiratory Diseases
Neuroscience
Autoimmunity, Transplantation & Inflammation
Cardiovascular & Metabolism
Infectious Diseases
Musculoskeletal

4. Novartis Institutes for BioMedical Research
Our technical ecosystem
40 PB
↗ 30% YOY
300 engineers 400 informaticians
Many apps
under-the-radar
400 supported apps
Bleeding edge + legacy

5. Novartis Institutes for BioMedical Research
How can we achieve agility and velocity
across a broad range of needs
while ensuring control?

6. Novartis Institutes for BioMedical Research
Unique needs for each use case
Distributed
Computing
Big cloud
compute jobs
External Cloud
Services
SaaS/PaaS
vendor services
Applications
and Services
Where
applications live
External Partner
Collaboration
Secure
rendezvous
Informatics
Labs
Data science &
informatics
Tech Labs
Cloud sandboxes
Distributed
Computing
Big cloud
compute jobs
External Cloud
Services
SaaS/PaaS
vendor services
Applications
and Services
Where
applications live
External Partner
Collaboration
Secure
rendezvous
Informatics
Labs
Data science &
informatics
Tech Labs
Cloud sandboxes

7. Novartis Institutes for BioMedical Research
Single-account model

8. Novartis Institutes for BioMedical Research
Multi-account model
Diversity Autonomy
Unique
limits
Access
control
Limited
blast
radius
Cost
Mgmt
WiNG (https://commons.wikimedia.org/wiki/File:The_Venetian_Macao_Food_Court.jpg)
“The Venetian Macao Food Court”, https://creativecommons.org/licenses/by-sa/3.0/legalcode

9. Novartis Institutes for BioMedical Research
Template based on function/control needs
Distributed
Computing
Big cloud
compute jobs
External Cloud
Services
SaaS/PaaS
vendor services
Applications
and Services
Where
applications live
External Partner
Collaboration
Secure
rendezvous
Informatics
Labs
Data science &
informatics
Tech Labs
Cloud sandboxes

10. Novartis Institutes for BioMedical Research
Multi-account model at Novartis
Common
Services
Partner
Collaboration
Product A
(test)
Product B
(dev/prod)
Product A
(prod)
Product A
(dev)
Applications and Services
Informatics
Lab
Distributed
Computing
Tech
Lab
Consolidated
Billing $Automated
Guardrails
Networking
Partner
Collaboration
Informatics
Lab
Distributed
Computing
Tech
Lab
Product A
(test)
Product B
(dev/prod)
Product A
(prod)
Product A
(dev)
Applications and Services
Consolidated
Billing $Automated
Guardrails
Networking

11. Novartis Institutes for BioMedical Research
Automation unlocks benefits
Multiple
accounts
Autonomy
Agility and
innovation
Automation
Enables

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Hard blast radius
Clear ownership
Cost allocation
Network isolation
Access management
Change management
Workload isolation
Lesson 1
|

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Ride the rocket
Lesson 2
Do not abstract or compete
AWS speed is your advantage
Focus on enabling your business
Unlock the power of open
|

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Teach, don’t do
Lesson 3
Avoid being a bottleneck
Eliminate the cycle of blame
Leverage public tutorials and answers
(You can’t do it in real-time anyway!)
|

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
App Team
Infrastructure Team
REQUEST FULFILL
Network
Hardware
VMs DBs
Software
App Teams
SELF-SERVICE & APISCONFIGURE
SECURE
MONITOR
MANAGE
AUTOMATE
SUPPORT
Cloud Team
(Customer and/or
Partner)
MONITOR
REQUEST
LEARN
and more
|

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Policies
Lesson 4
Simple rules behind the controls
Policy (MUST) or recommend (SHOULD)
Full automation requires a lot of policies
There are always exceptions!
Use exceptions to experiment and learn
|

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The <POLICY> <REQUIREMENT> be <VALUE> in <SCOPE>.
MUST =
SHOULD =
Required by policy
Recommended default Cluster 1
Account A
VM DB …
Account B
VM …
e.g. Amazon Route 53
e.g. snapshot retention days
e.g. disabled
e.g. 24
Turbot Implementation
Cluster 2
DB
… …
|

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Learn by doing
Lesson 5
Experiment within blast radius
Use exceptions and limited
SuperUser
Collaborate on new services
Hand-build > pattern > automation
|

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Kickstart with
best practice
Automate & teach
other teams
Learn by doing
with specific apps
|

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Guardrails
Lesson 6
Detect and correct
Real-time — more effective & user friendly
Native to the services and tools
Automate patterns and best practices
|

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Events & SNS SQS Context & Policies Guardrail Audit Trail
CHANGE
CHANGE
MANAGE
REPORT
|

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Patterns at scale
Lesson 7
Use common language and models
Automate and repeat patterns
Avoid custom central services
Learn and enhance patterns over time
Accelerate, don’t constrain, teams
|

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
|
Grant <USER> <LEVEL> rights for <SERVICE> on resources in <SCOPE>.
SuperUser =
Owner =
Admin =
Operator =
ReadOnly =
Metadata =
User =
Full access
Manage access; metadata
Med-high risk changes; and
Low-med risk changes; and
Read data; and
Read metadata; and
Basic access, no rights
TurbotAWS
S3 RDS …
Turbot LDAP DB
Cluster 1
Account A
VM DB …
Account B
VM …
Turbot Implementation
Cluster 2
DB
… …
SAML OS …

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Visibility
Lesson 8
Audit trail for security and compliance
Change history to understand behavior
Review actual configuration, not docs
Detailed logs for trouble-shooting
|

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Automate3!
Lesson 9
Kill the ticket
Automate all level 1-2 responses
Invest to elevate and remain agile
|

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Cloud
Team
App Team
Application
SELF-SERVICE
APIS
CONFIGURE
AUTOMATE
SECURE
MONITOR
AUTOMATE
HELP
LEARN
DB OS …
|
Software defined operations: Go faster, safely

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Let’s see it live: #sdops
|

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Workload
isolation
Patterns
at scale
Visibility
Teach,
don’t do
Ride the
rockets
Guardrails
Policies
Learn by
doing
 Move at cloud speed
 Common language
 Security and compliance
 Cost control
 Close the skills gap
 Reduced friction

30. Novartis Institutes for BioMedical Research
Tech Labs
Distributed
Computing
External Partner
Collaboration
External Cloud
Services
Applications and
Services
Informatics
Labs
Cloud sandboxes
Big cloud
compute jobs
Data science &
informatics
SaaS/PaaS
vendor services
Secure
rendezvous
Where
applications live
Where is NIBR now?
170 accounts
+ 10/month
Represents new work per our “cloud first for new” strategy
(migrations to follow later)
400 w/console access

31. Novartis Institutes for BioMedical Research
Up to 1000 plates 1536 wells/plate 1k to 5k cells/well
200 to 2000 features/cell
Per screen
• 100-1000 billion observations
• 5-50 TB data
Occasionally up to
• 15 trillion observations
• 1 PB data
1 screen
*Multi-Parametric Data Analysis
MPDA*–one of many big data problems

32. Novartis Institutes for BioMedical Research
Transformed our species’ first population-scale medical genomics effort into actionable data for drug discovery in weeks
September October 2017
PublicNIBR
July: UK Biobank data available:
nearly half a million genomes with health records
9 days
October 15th: Im lab transcriptome association ties Neale lab
GWAS results to putatively causal genes; result deposited in S3
Credit:HaeKyungIm
http://hakyimlab.org/
August 20th: Neale lab “rapid GWAS” released.
Genome-wide mapping of >2,000 traits by 10M
genetic sites 26 billion linear regressions
Credit:ClaireChurchhouse
andBenNeale
http://www.nealelab.is/
October 25th: putative gene targets for over a dozen
diseases distributed to NIBR drug discovery teams
Credit:BrantPeterson
(Novartis)
October 16th: transcriptome association data available
within a NIBR AWS account
October 18th: preliminary analyses of transcriptome data
complete (5 billion QC runs in 2 days in Spark on EC2)
October 19th: EC2/S3/Spark internal data
browser app published to informaticians

33. Novartis Institutes for BioMedical Research
What people think
… hard to
explain just
how excited …
Thanks for bringing the
AWS console safely into
developer’s hands
… awesome it is to
have autonomy! … control our own
environments was an
extreme enabler …

34. Novartis Institutes for BioMedical Research
Automation drives high productivity
Succeeding with a very small (and amazing!) team
TBH

35. Novartis Institutes for BioMedical Research
Tips and lessons learned
Transformation
• Separate use cases
• Tech Lab
• Console access
• Inclusive team
Multi-account
• Essential for diversity
• Automation required
• API access important
Networking
• Networking is hard
• VIF limits
• IP allocation
kenrobbins.link/reinvent

36. Novartis Institutes for BioMedical Research
Summary
👉 Use multi-account if you have any appreciable variety and agility needs
👉 Account-as-a-container enables rapid org transformation to cloud
👉 Multi-account requires automation
👉 Software-defined operations enables agility and control

37. Novartis Institutes for BioMedical Research
• NIBR
– Cloud Team
– Network Operations
– Cyber Security
– Information Security & Risk Management
– Research Computing Platforms
– Multi-Parametric Data Analysis (MPDA) team
– Core Data & Analytics team
– Scientific Data Analysis team
– Our entire user community
• Turbot
– Support
– Product Management
– Executive team
• AWS
– Solution Architects
– Enterprise support team
– Account management
Acknowledgements

38. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!