For some organizations, all of the technical security features in the world can’t address an underlying need to restrict physical access to resources to citizens within the United States. GovCloud (US) was established to meet the needs of the US federal government, but it is available for any organization facing the challenge of restricting access in this way. Learn about the features available in GovCloud (US), how to onboard your workloads, and the options for using GovCloud (US) as one of multiple regions. Also, hear from government and commercial customers about their experience using GovCloud (US).
2. What to expect from this session
1. Background on the AWS GovCloud (US) region
2. Overview of AWS GovCloud (US) features
3. Description of AWS GovCloud (US) users and suitable workloads
4. Customer use case examples
5. Requirements for access to AWS GovCloud (US)
Can handle export controlled data
US person (account holder)
US entity on US soil
6. AWS GovCloud (US) features
Managed by US persons on US soil
Separate AWS IAM and authentication
Located in Pacific NW (Oregon)
Data, network, and machine isolation
7. AWS GovCloud (US) features
“Community Cloud”
Multiple regulatory and compliance features
9. AWS GovCloud (US) adoption
273% average YoY growth since launch (Q4 2011 to Q4 2014)
[Chart: adoption by year, 2011 to 2014]
10. Users span various types of enterprises
US Government: Federal, state, and local
Consulting firms and systems integrators
Technology firms and software vendors
Resellers
Educational institutions
Research organizations
Commercial industry
Nonprofit organizations
Managed service providers
11. …but all share common characteristics
Sensitive data and applications
Strict regulatory and compliance requirements
Restricted, community cloud preference
AWS cloud platform
12. AWS GovCloud (US) is fit for hosting sensitive data
Agriculture, Copyright, Critical infrastructure, Export control (ITAR), Financial, Immigration, Intelligence, Law enforcement, Legal, Nuclear, Patent, Privacy (PII), Proprietary (IP), Statistical (census), Tax, Transportation
All levels of Controlled Unclassified Information (CUI)
13. Example workloads on AWS GovCloud (US)
Web applications and websites
Backup and recovery
Archiving
Disaster recovery
Development and test
Big data
High performance computing
Business applications
Enterprise IT
Mobile
15. Imaging the Earth Daily
Troy Toman
Director of Engineering
Planet Labs
troy@planet.com | @troytoman
23.
150 satellites
475 KM altitude
sun synchronous orbit
30 ground stations
10 sites
370,000 images per day
<24 hours
online catalog
API for data pipeline and platform access
1000s of servers
11 TB processed daily
Spacecraft Manufacturing and Operations
Data Pipeline and Production Apps
31. What to Expect from This Part of the Session
• Demonstrate a use case of successful, rapid migration of a large business’ application portfolio to AWS GovCloud (US).
• Provide a successful cloud migration process.
• Share reasons why we chose AWS GovCloud (US).
• Demonstrate how CSGov executed the process and migration.
• Provide success stories and lessons learned.
32. Our Challenge
On May 19, 2015, CSC announced that its Board of Directors unanimously approved a plan to separate the company into two publicly traded, pure-play leaders: one to serve commercial and government clients, and one to serve public sector clients in the US.
CSGov
Business Application Portfolios
200+ apps must migrate by October 1, 2015
Program Specific
Application Types: Collaboration, Finance, HR, Payroll, Security, Other
70,000 Employees
14,000 employees
Approximately: 250 servers (phys. and virt.), 3 TB memory, 1,300 processors
Infrastructure Types: Physical, Virtual, Private cloud
SaaS Data Centers
14+ data centers
SaaS providers
Data Centers
2 data centers
1 Gov CSP
SaaS providers
33. How Do We Attack This Problem?
We need a strong systems integrator with proven applications migration processes to discover, plan, and execute our application separation between the two separate companies.
APPLICATION DISCOVERY
OPERATIONS ONBOARDING
APPLICATION AFFINITY GROUPING
MIGRATION EXECUTION
CLOUD ADOPTION ASSESSMENT
TARGET ASSESSMENT & ARCHITECTURE
APPLICATION TREATMENTS
MIGRATION VALIDATION
OPERATIONS PLANNING
CONTINUOUS IMPROVEMENT
Migration Process
34. Migration – Shape
APPLICATION DISCOVERY CLOUD ADOPTION ASSESSMENT
CSGov Only 49%
CSC/CSGov Shared 40%
CSC Only 11%
Suitability Scorecard
Tells you the ideal level at which you should be looking for a cloud-based alternative: SaaS, PaaS, IaaS.
Cloud Adoption Roadmap
Identifies treatments and prioritization based on customer requirements and target environment.
Our Targets: Physical CSGov Data Center, CSGov Private Cloud, AWS GovCloud (US), SaaS Providers
App Inventory
App Data Flow Diagram
35. Why AWS GovCloud (US)?
Requirement | AWS GovCloud (US)
• Provide rapid, self-service infrastructure provisioning enabling an aggressive migration schedule.
• Government contracts require strict security standards and CSGov aspires to provide highest security levels for our customers and our business.
• HR data will contain personally identifiable information, best protected via DoD Impact Level 4 added security controls.
• CSGov must retain ITAR compliance, and so should our cloud service provider.
• Ideally the CSP has an established relationship with CSGov.
36. Migration – Transform
APPLICATION AFFINITY GROUPING APPLICATION TREATMENTS
Not Migrate 24%
Physical (NPS Data Center) 51%
Gov Cloud 15%
SaaS 10%
Treatment
• Do not migrate: Application exists at a location/data center that will remain. No need to migrate at this time.
• Physical move: Ship physical architecture with applications installed to consolidated data center.
• Migrate to AWS GovCloud (US): Initiate an application migration to AWS GovCloud (US), via cloning, cloning and import/export, rebuilding, or rebuilding with import/export.
• Migrate to CSGov instance of SaaS: CSGov is sharing a SaaS implementation with CSC. Need to work with the SaaS providers to create a CSGov dedicated instance and initiate a data migration and purge.
37. Migration – Transform (Cont’d)
MIGRATION EXECUTION MIGRATION VALIDATION
Physical CSGov Data Center/Private Cloud
1. Data center preparation (space, power, network, staffing)
2. Application outage planning
3. Onsite installation
4. Configuration
5. Base testing
AWS GovCloud (US)
1. Partnership with Racemi
2. Move group planning
3. Discover, capture, clone, configure
4. AWS import/export
5. Some straight rebuild
SaaS Providers
1. Partnership with SaaS providers
2. Professional services
3. SaaS statement of work
4. Configuration migration/establishment
5. Base testing
• Release planning
• Reuse existing regression testing
• Manual test script execution
• User acceptance testing
• Go/no-go decision
• Go-live support period
Team used Agile methodologies to deliver the migration execution (scrum planning, kanban execution)
40. Migration – Manage
OPERATIONS ONBOARDING CONTINUOUS IMPROVEMENT
Integrated Technology Center (ITC) integration:
1. CSC Answers (HR Help Desk)
2. CSC Technical Help Desk
3. Network Operations & Security Center (NOSC)
Application O&M teams
1. Parallel O&M for a period of time to support rollback
2. Outage management
3. Triage
4. Scrumban teams
5. DevOps
Physical to cloud/virtual
Keep moving to the cloud!
Stateless architectures
High availability
Cloud service rich
Hybrid – VM/container/SaaS architectures
Offering enhancements
WHERE WE NEED TO BE…
WHERE WE STARTED…
WHERE WE ARE…
Lift & Shift
Optimize
41. Success Stories
• Hybrid environment (compute, network, storage) on physical premises, dedicated private cloud, government community cloud, SaaS provider, all seamless to the end user… and it works!
• Agile methodology, delivered value early, identified issues, and mitigated them rapidly.
• CSC used its own processes and methods to take on this aggressive application migration effort—and they worked. Lessons will improve these migration offerings, passing on value to our customers.
• DR recovery point time reduced from days to minutes with some of these applications. Architected for resiliency to failures.
• Use of AWS rapidly improved the time to value for our cloud-based IaaS (compute, network and storage). Able to execute plan in hours/days versus the weeks/months it would have taken using alternative IaaS with same requirements.
42. Lessons Learned
• No magic bullet for an enterprise migration.
• Plan for bandwidth. The biggest bottleneck in an automated migration/cloning to cloud is bandwidth. Plan ahead, and expect delays from bandwidth restrictions/issues.
• Do not disregard the importance of planning, especially the target environment planning. It is much harder to move migrated resources afterward when the VPC/target network planning was poor.
• Automation cannot migrate everything. Expect some traditional migration methods to be required.
• No re-IP’ing is a great goal, but not entirely possible in a large-scale migration.
• Most importantly… utilize your partner expertise, heed their advice (AWS, Racemi, SaaS Partners, etc.).
44. Important things to remember
AWS GovCloud (US) is a physically and logically isolated region
Separate AZs, console, IAM and authentication stack, and endpoints
AWS GovCloud (US) is not just for the US Government
Users span government, commercial entities, education and nonprofits
Remember the AWS Shared Responsibility Model
AWS IAM users can be non-US persons if adhering to shared responsibility (e.g., development teams outside of the US w/o access to ITAR data)
45. Learn more about AWS GovCloud (US)
AWS GovCloud (US) webpage
https://aws.amazon.com/govcloud-us/
AWS GovCloud (US) User Guide
http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/welcome.html
Keith Brooks
AWS GovCloud Business Development
brookskl@amazon.com
CJ Moses
GM, AWS Government Cloud Solutions
cmoses@amazon.com