In this session we will walk through practical examples of how Amazon Web Services customers operate heavily regulated workloads and mission critical applications in the cloud. Through real world customer examples we will apply security and governance controls that give you increased visibility and control over your application and infrastructure for these workloads. You will learn how enterprises secure and enable audit controls on their heavily regulated workloads in an Amazon Web Services account, and at the same time extend their data center and control mechanisms to Amazon Web Services.
Shaun Ray, Head of Solutions Architect, Amazon Web Services, ASEAN
2. What You Will Learn
Walk through the best practice for deploying business critical applications
Dive deep into fault tolerant and high performance architectures
Learn about securing sensitive data and workloads in the AWS cloud
3. Agenda
Why are customers running mission critical applications on AWS
What critical workloads run on AWS
  Banking
  Health
  Media
Migrating a critical workload
  Networking
  Security
  Audit
  Resilience
5. Customer Success Story
Capital One is using AWS as a central part of its technology strategy. As a result, the bank plans to reduce its data center footprint from eight to three by 2018. Capital One is one of the nation's largest banks and offers credit cards, checking and savings accounts, auto loans, rewards, and online banking services for consumers and businesses. It is using or experimenting with nearly every AWS service to develop, test, build, and run its most critical workloads, including its new flagship mobile-banking application.
"The financial service industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers." – Rob Alexander, Capital One's CIO
6. Customer Success Story
Orion Health is a health-specific software company that develops modern and creative solutions for healthcare organizations across the globe. By working with APN consulting partner Logicworks and using AWS, the company built Cal INDEX, one of the largest health information exchanges in the US. By using AWS, Orion Health can scale its platform to handle millions of patient records and build HIPAA-compliant solutions for its customers.
7. Customer Success Story
The company migrated some of its enterprise applications, including SAP Business Objects, SAP GRC, and Oracle Enterprise Manager, from traditional data centers to AWS. By using AWS, the publisher has shortened its time to market for new development projects from 6 months to 1 day and reduced its data center footprint from six to two facilities.
"In particular, the AWS focus on overall security, the ability to isolate systems from the Internet while running in the cloud, and the ability to encrypt data with our own managed keys addresses our requirements better than alternative solutions." – Mike Wedderburn-Clarke, Infrastructure Architect at News UK
9. Security
A few of our many certifications:
Secured premises
Secured access
Built-in firewalls
Unique users
Multi-factor authentication
Private subnets
Encrypted data storage
Dedicated connection
10. Security is shared between AWS and Customers
AWS looks after the security OF the platform:
  AWS Foundation Services: Compute, Storage, Database, Networking
  AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security IN the Cloud:
  Customer Content
  Platform, Applications, Identity & Access Management
  Operating System, Network & Firewall Configuration
  Encryption Key Management; Client and Server Encryption; Network Traffic Protection
11. AWS Global Infrastructure
(Map of Regions and Edge Locations)
Over 1 million active customers across 190 countries
800+ government agencies
3,000+ educational institutions
12 regions (2016: USA, India, UK)
33 availability zones
54 edge locations
15. Why run critical workloads on AWS
Experience: Building and managing cloud since 2006
Scale: 12 regions, 33 availability zones, 54 edge locations
Ecosystem: Thousands of partners; 2,500+ Marketplace products
Performance: Extensive VM and network performance options
Security & Reliability: Security in layers approach and 99.95% application SLA
*as of July 31, 2014
17. Anatomy of a critical workload
Secure: Holds sensitive data, liability if breached or deleted
Material Impact: >100 Users, >$10K per minute, Contractual Liability
Resilient: Loss of data, destruction of IP, productivity penalty
Available: Large scale customer impact if not available
19. Critical Applications
Today AWS customers run a wide array of business applications; companies of all sizes run business applications on AWS.
Vendor Applications:
  SAP Business Suite, NetWeaver, BusinessObjects, B1, HANA
  Oracle eBusiness, PeopleSoft, Siebel, JDE, Database 11g/12c
  Microsoft SharePoint, Exchange, Dynamics, SQL Server
  IBM WebSphere, DataStage
  Infor LN, M3, Syteline, Lawson
20. Key Enablers
Enterprise Agreement: Commercial and Legal; Data Sovereignty; Regulation; Liability and IP Ownership
Direct Connect: Private Link to AWS; Non-Public Applications; Cost Reduction; Public Endpoint Access
Enterprise Support: Proactive Engagement; Infrastructure Event Management (IEM); 15 Minute Response; Proactive Support
21. Consolidated Billing: Payer and Linked Accounts
(Diagram) Master Consolidated Billing AWS Account, owned by the payer account owner, with an IAM User (billing)
Non-Production AWS Account and Production AWS Account, each a Consolidated Billing linked account owned by a linked account owner, each with its own IAM User
A Cross Account Role connects the payer account to the linked accounts
22. (Network diagram) VPC with CIDR Block 10.0.0.0/16 spanning Availability Zone 1 and Availability Zone 2
VPC Subnets with instances 10.0.0.5, 10.0.0.6, 10.0.0.7, 10.0.0.8, 10.0.3.5, 10.1.0.5, 10.1.0.6, behind Elastic Load Balancing facing the Internet
S3
Virtual Private Gateway connected over a VPN Connection to the Customer Gateway in the Customer Data Center
23. Did we hit our objectives?
Secure: Encrypted EBS, IPsec VPN, Security Groups
Material Impact: No Data Loss, Encryption, Auto-Healing
Resilient: Replicated DB, Dual AZ, 99.999999999% S3, Auto-Recovery
Available: Two AZ, Auto scale, Elastic Load Balancing
24. AWS CloudTrail
You are making API calls on a growing set of services around the world. AWS CloudTrail is continuously recording those API calls and delivering log files to you.
25. Out of the box…
HTTP and HTTPS requests logged with ELB Logging
API and Console calls logged with CloudTrail Logs
Network traffic logged with VPC Flow Logs
VPC change history logged with AWS Config
IAM policy and user changes logged with AWS Config
Application level metrics logged with CloudWatch Logs
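The CloudTrail log files described above only become an audit control when something reads them. As an added example (not from the deck), this script triages CloudTrail records for the signals the slides emphasise: console logins without MFA, root account use, and IAM or CloudTrail changes. The record layout follows CloudTrail's JSON format; the sample records, account id and IP addresses are constructed placeholders.

```python
import json

# Added example, not from the deck: triage CloudTrail records for audit signals.
# API calls that change who can do what, or that blind the audit trail itself.
SENSITIVE_CALLS = {
    "iam.amazonaws.com": {"CreateUser", "CreateAccessKey", "PutUserPolicy",
                          "AttachUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}

def triage_record(rec):
    """Return finding strings for one CloudTrail record (empty list if nothing noteworthy)."""
    findings = []
    ident = rec.get("userIdentity", {})
    who = ident.get("arn", ident.get("type", "unknown"))
    src, name = rec.get("eventSource", ""), rec.get("eventName", "")
    if ident.get("type") == "Root":  # root should be locked away, not used day to day
        findings.append(f"root account activity: {name} from {rec.get('sourceIPAddress')}")
    if name == "ConsoleLogin":  # ConsoleLogin records carry MFAUsed in additionalEventData
        mfa = rec.get("additionalEventData", {}).get("MFAUsed", "No")
        outcome = rec.get("responseElements", {}).get("ConsoleLogin", "Unknown")
        if outcome == "Success" and mfa != "Yes":
            findings.append(f"console login without MFA: {who}")
    if name in SENSITIVE_CALLS.get(src, ()) and not rec.get("errorCode"):  # successful calls only
        findings.append(f"sensitive change succeeded: {src} {name} by {who}")
    return findings

def triage_log(log_text):
    """Parse one CloudTrail log file body ({"Records": [...]} envelope) and triage every record."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        findings.extend(triage_record(rec))
    return findings

# Constructed sample: one routine call plus three records that should raise findings.
# Account id 111111111111 and the IP addresses are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/app-deploy"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
]})

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

In practice the same function runs over each gzipped log object CloudTrail delivers to the S3 bucket, with the findings forwarded to whatever alerting the audit team already uses.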
27. Environment Setup
(Diagram) Six virtual private clouds: Shared, Development, Test, Pre-Prod, Production, Audit
AWS Directory Service connected to AD in the corporate data center over a VPN connection between the customer gateway and the VPN gateway
Flow logs and AWS CloudTrail feed the Audit VPC
28. How much does security cost…
Feature / Cost
Amazon VPC: $0
VPC Security Groups: $0
AWS Identity & Access Management (IAM): $0
AWS Security Token Service (STS): $0
AWS CloudTrail (service): $0
VPC Flow Logs: $0
TLS-enabled AWS API access: $0
29. Summary
Tools to secure your workload
Protect your data through encryption
Operate the way you want
A mission critical workload is more resilient, available and secure when using the AWS cloud. By leveraging our platform you can connect your critical applications seamlessly to systems running in AWS.