As Amazon Web Services (AWS) continues to develop its enterprise adoption strategy, we sometimes forget that less than 10 years ago these services were created for the developer community. The vision of an enterprise-grade cloud infrastructure was only an apparition. That dream of running enterprise applications in the cloud is now starting to take hold. Many years of ing, qualifying, and redesigning have led us to a time when enterprises have the choice to host more than a simple website in the cloud. Today, we are seeing this adoption take place right in front of our eyes, driven by a few simple human factors that govern how we try new things. This psychological human factor is defining the way we consume cloud technologies, and we see it play out time after time in just a few simple steps.
Pre-Observation – In this stage, you have either never thought about needing to change your IT structure or you have never thought about it seriously. Trying something new often takes courage. Nobody wants to be the first to try something, for fear of failing. Often we receive ideas about things we might need to change from others—family, friends, co-workers—but react negatively by reflex. After all, we are usually quite happy with our current stable of habits (if we were not, we would not have them in the first place). However, if we can find a way to react more openly to change, we might find some value in learning something new. As humans, we are inherently defined by our surroundings, and we constantly review and evaluate our progress against the actions of others near us. At this point, you understand whether you are a leader or a laggard.
Observation – Here we have begun to actively think about the need to change a behavior, in this case adopting cloud services. This stage can last anywhere from a moment to an entire lifetime. What moves us from this stage to the next is the shift from awareness to practice, and that shift can be triggered by many different factors: competition, survival, personal perception, growth, and the list continues. Everyone has their own motivational drivers, so it is up to each of us to understand them and react to them when we see fit. Trying new things can be very rewarding, as it offers us an opportunity to develop into something better than our current state. Observe where you are and consider whether you are in a place to accept change.
Purpose – In this stage, we begin preparing ourselves mentally and even physically for action. This is our opportunity to place our proverbial stake in the ground and say, “Now we change.” The commitment to change energizes our promise to achieve a goal. This break from our routine challenges us. It opens the way to new opportunities and growth because we have overcome our fear of change. This stage is extremely important for decision makers, as the commitment states that you understand all the facts, you understand a path for change, and the goal is measurable and achievable for your organization. In the case of cloud services adoption, this stage is also known as “the cloud migration strategy and adoption methodology”.
Action – In this stage, you start changing. You can feel this in every action you put forward. Business units, stakeholders, and executives feel the change happening with every move. It is uncomfortable, but it is leading your team in the right direction. Your commitment keeps driving you to stay the course, and you know that your earlier preparations will guide you to success.
Management – Now that you have changed to cloud-based services, you are done, right? Not likely. Just like losing weight, once you lose it, you need to maintain a healthy lifestyle to keep the weight off. Once you have made the commitment to using cloud-based services, you need to maintain that change by reviewing your adoption processes. What worked well and what didn’t? What other units of your business could benefit from this change? Managing a new behavior can be the most challenging part of the adoption process. Changing habits and practices is tough because you will find resistance at every level. Constant evaluation will keep the adoption process moving forward successfully. This process needs to be driven from the top down and from the bottom up. You have just changed a process; now you need to change behavior.
Change is hard for any organization, let alone a single person. The larger the organization, the more challenging the process will be. However, the process will also be more rewarding in the end, because you will have made a considerable impact on the way processes are completed within your organization. You must be willing to take risks, and you will benefit from the reward.
-Blake Diers, Alliance Manager
One of the main differentiators between traditional on-premises data centers and cloud computing through AWS is the speed at which businesses can scale their environment. So often in enterprise environments, IT and the business struggle to have adequate capacity when they need it. Facilities run out of power and cooling, vendors cannot provide systems fast enough or the same type of system is no longer available, and business needs sometimes arrive without warning. AWS scales out to meet these demands in every area.
Compute capacity is expanded, often automatically with auto scaling groups, which add server instances as demand dictates. With auto scaling groups, rising demand on the environment causes more systems to come online. Even without auto scaling, systems can be cloned from Amazon Machine Images (AMIs) and started to meet capacity, to expand into a new region or geography, or even to be shared with a business partner to move collaboration forward.
Beyond compute capacity, storage capacity is a few mouse clicks (or less) away from business needs as well. With Amazon S3, storage capacity is simply allocated dynamically as it is used. Customers do not need to do anything more than add content, and that is far easier than adding disk arrays! With Elastic Block Storage (EBS), volumes are added as quickly as compute instances are. Storage can be added and attached to live instances or replicated across an environment as capacity is demanded.
Growth is great, and we’ve written a great deal before about how to take advantage of the elastic nature of AWS, but what about the second part of the title? Price! It’s no secret that as customers use more AWS resources, the price increases. The more you use, the more you pay; simple. The differentiator comes into play with that same elastic nature: when demand drops, resources can be released and costs saved. Auto scaling can retire instances as easily as it adds them, storage can be removed when no longer needed, and as you become more proficient at right-sizing your resource usage, bills can actually shrink. (Of course, 2ndWatch Managed Services can also help with that proficiency!) With traditional data centers, once resources are purchased, you pay the price (often a large one). With the cloud, resources can be purchased as needed, at just a fraction of the price.
IT wins and business wins – enterprise level computing at its best!
-Keith Homewood, Cloud Architect
To solve this problem AWS has a service called Identity and Access Management (IAM). IAM is an AWS feature that allows you to regulate use of and access to AWS resources. With IAM you can create and manage users and groups for access to your AWS environment. IAM also gives you the ability to assign permissions to those users and groups to allow or deny access. With IAM you can assign users access keys, passwords, and even multi-factor authentication (MFA) devices for access to your AWS environment. IAM even allows you to manage access for federated users, a way to grant access using credentials that expire and that are managed through traditional corporate directories like Microsoft Active Directory.
With IAM you can set permissions based on AWS-provided policy templates like “Administrator Access”, which allows full access to all AWS resources and services; “Power User Access”, which provides full access to all AWS resources and services but does not allow managing users and groups; or even “Read Only Access”. These policies can be applied to users and groups. Some provided policy templates limit users to certain services, for example “Amazon EC2 Full Access” and “Amazon EC2 Read Only Access”, which give a user full access to EC2 via the AWS management console and read-only access to EC2 via the AWS management console, respectively.
IAM also allows you to write your own policies to manage permissions. Say you want an employee to be able only to start and stop instances; you can use the IAM Policy Generator to create a custom policy that does just that. You select the effect, Allow or Deny, the specific service, and the action. IAM also gives you the ability to layer permissions on top of each other by adding additional statements to the policy.
Once you create a policy you can apply it to any user or group, and it takes effect immediately. When something changes in the organization, like an employee leaving, IAM simplifies management of access and identity by allowing you to simply delete the user or the policy attached to that user. If an employee moves from one group to another, it is easy to reassign the user to a different group with the appropriate access level. As you can see, the variety of policy rules is extensive, allowing you to create very fine-grained permissions around your AWS resources and services.
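To show how layered statements interact, here is an added example (not from the original post and not AWS's own evaluator): a simplified model of the IAM decision logic run over two constructed policies, the "start and stop instances" custom policy described above plus a broad EC2 policy in the spirit of the "Amazon EC2 Full Access" template. Conditions, NotAction/NotResource and resource-based policies are deliberately left out.

```python
import fnmatch
import json

# Constructed custom policy (not copied from AWS): the employee may list, start
# and stop instances, and a layered Deny statement blocks terminating anything.
START_STOP_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances"],
    "Resource": "*"},
   {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
 ]}
""")

# Constructed broad policy, in the spirit of the "Amazon EC2 Full Access" template.
EC2_FULL_POLICY = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def _matches(field, value, fold_case=False):
    """Action/Resource may be a string or a list; '*' and '?' are wildcards.
    Action names are compared case-insensitively, as IAM does."""
    patterns = field if isinstance(field, list) else [field]
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource="*"):
    """Simplified IAM decision over every statement of every attached policy
    (user policies and group policies are pooled the same way): an explicit
    Deny anywhere wins, otherwise any matching Allow grants, otherwise the
    request falls through to the implicit default deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, fold_case=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny overrides any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    for act in ("ec2:StartInstances", "ec2:TerminateInstances", "iam:CreateUser"):
        print(act, evaluate([START_STOP_POLICY], act),
              evaluate([EC2_FULL_POLICY, START_STOP_POLICY], act))
```

Note that attaching the broad policy to the employee's group does not reopen termination: the explicit Deny in the custom policy still wins.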
Another great thing about IAM is that it is a free service that comes with every AWS account, so it is surprising to see how many people overlook this powerful tool. It is highly recommended to always use IAM with any AWS account. It gives you an organized way to manage users and access to your AWS account, and it simplifies the management nightmare of maintaining access controls as the environment grows.
Senior Cloud Engineer
There are four main reasons why companies are moving to the cloud. They include: agility, availability, cost and security. When meeting with the CIO of a prominent movie studio in LA earlier this week he said, “The primary area that we need to understand is security. Our CEO does not want any critical information leaving or being stored offsite.” While the CEO’s concern is valid, cloud providers like Amazon Web Services (AWS) are taking extraordinary measures to ensure both privacy and security on their platform. Below is an overview of the measures taken by AWS.
- Accreditations and Certifications – AWS has created a compliance program to help customers understand the substantial practices in place for both data protection and security to meet either government or industry requirements. For example, PCI DSS Level 1, ITAR, etc. for government and HIPAA, MPAA, etc. for industry.
- Data Protection and Privacy – AWS adheres to strict data protection and privacy standards and regulations, including FISMA, Sarbanes-Oxley, etc. AWS datacenter employees are given limited access to the location of customer systems on an as-needed basis. Disks are also shredded and never re-used by another customer.
- Physical Security – Infrastructure is located in nondescript AWS-controlled datacenters. The location of and access into each datacenter is limited to employees with legitimate business reasons (access is revoked when the business reason ends). Physical access is strictly controlled at both the perimeter and building ingress points.
- Secure Services – AWS infrastructure services are designed and managed in accordance with security best practices, as well as multiple security compliance standards. Infrastructure services contain multiple capabilities that restrict unauthorized access or usage without sacrificing the flexibility that customers demand.
- Shared Responsibility – A shared responsibility exists for compliance and security on the AWS cloud. AWS owns facilities, infrastructure (compute, network and storage), physical security and the virtualization layer. The customer owns applications, firewalls, network configuration, operating system and security groups.
The AWS cloud provides customers with end-to-end privacy and security via its collaboration with validated experts like NASA, industry best practices and its own experience building and managing global datacenters. AWS documents how to leverage these capabilities for customers. To illustrate: I recently met with a VP of Infrastructure for a $1B+ SaaS company in San Francisco. He said, “We are moving more workloads to AWS because it is so secure.” The people, process and technology are in place to achieve the highest level of physical and virtual privacy and security.
-Josh Lowry, General Manager-West
There have been numerous articles, blogs, and whitepapers about the security of the cloud as a business solution. Amazon Web Services has a site devoted to extolling its security virtues, and several sites devote themselves entirely to the ins and outs of AWS security. So rather than try to tell you about each and every security feature of AWS and convince you how secure the environment can be, my goal is to share a real-world example of security that can be improved by moving from on-premises datacenters to AWS.
Many AWS implementations are used for hosting web applications, most of which are Internet accessible. Obviously, if your environment is for internal use only you can lock down security even further, but for the purposes of this exercise we’re assuming Internet-facing web applications. The inherent risk with any Internet-accessible application, of course, is that exposure to the Internet gives hackers and malicious users access to your environment, along with honest users whose machines are infected with malware, viruses, or Trojans.
As with on-premises and colocation-based web farms, AWS offers the standard security practice of isolating customers from one another, so that if one customer experiences a security breach, all other customers remain secure. And of course, AWS Security Groups function like traditional firewalls, allowing traffic only through permitted ports to/from specific destinations/sources. AWS moves ahead of traditional datacenters, starting with Security Groups and Network ACLs, by offering more flexibility to respond to attacks. Consider the case of a web farm with components suspected of being compromised: AWS Security Groups can be created in seconds to isolate the suspected components from the rest of the network. In a traditional datacenter environment, isolating those components may require complex network changes to move them onto isolated networks so that the infection cannot spread across the network, something AWS blocks by default.
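The isolation step above, written out as an added example (not from the original post): a function that builds a quarantine Security Group with no inbound and no outbound rules and makes it the suspect instance's only group, returning the previous groups so they can be restored after investigation. `client` is assumed to be a boto3 EC2 client (`boto3.client("ec2")`); `FakeEC2` is a constructed in-memory stand-in with the same method names so the example runs offline.

```python
def quarantine_instance(client, instance_id, vpc_id, name="quarantine"):
    """Isolate a suspect EC2 instance by replacing all of its security groups
    with one that permits no traffic. Returns (quarantine_sg_id, previous_sg_ids)."""
    sg_id = client.create_security_group(
        GroupName=name, Description="Isolation for suspected compromise", VpcId=vpc_id
    )["GroupId"]
    # A new group has no inbound rules, but AWS gives it an allow-all outbound
    # rule; revoke it so the host cannot reach other hosts or the Internet.
    client.revoke_security_group_egress(
        GroupId=sg_id,
        IpPermissions=[{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    )
    inst = client.describe_instances(InstanceIds=[instance_id])
    inst = inst["Reservations"][0]["Instances"][0]
    previous = [g["GroupId"] for g in inst["SecurityGroups"]]
    # Groups are replaced, not appended: the instance keeps only the quarantine group.
    client.modify_instance_attribute(InstanceId=instance_id, Groups=[sg_id])
    return sg_id, previous


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client methods used above (not AWS)."""

    def __init__(self, instance_groups):
        self.groups = {}                          # sg id -> {"ingress", "egress"}
        self.instances = dict(instance_groups)    # instance id -> [sg ids]

    def create_security_group(self, GroupName, Description, VpcId):
        sg_id = f"sg-{len(self.groups):08x}"      # constructed id, not a real one
        self.groups[sg_id] = {"ingress": [], "egress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
        return {"GroupId": sg_id}

    def revoke_security_group_egress(self, GroupId, IpPermissions):
        rules = self.groups[GroupId]["egress"]
        self.groups[GroupId]["egress"] = [r for r in rules if r not in IpPermissions]
        return {"Return": True}

    def describe_instances(self, InstanceIds):
        sgs = [{"GroupId": g, "GroupName": g} for g in self.instances[InstanceIds[0]]]
        return {"Reservations": [{"Instances": [
            {"InstanceId": InstanceIds[0], "SecurityGroups": sgs}]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId] = list(Groups)
        return {}


if __name__ == "__main__":
    fake = FakeEC2({"i-0123456789abcdef0": ["sg-aaaaaaaa", "sg-bbbbbbbb"]})
    print(quarantine_instance(fake, "i-0123456789abcdef0", "vpc-11111111"))
```

Keep the returned list of previous groups with the incident record; it is what lets the component be returned to service once it has been imaged and cleaned.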
AWS often talks about scalability: the ability to grow and shrink the environment to meet demand. That capability extends to security features as well! Need another firewall? Just add another Security Group; there is no device to install. Adding a subnet, a VPN, or a firewall is done in minutes with no action required from on-premises staff. No more waiting while network cables are moved, hardware is installed, or devices are physically reconfigured when you need security changes.
Finally, no matter how secure an environment is, no security plan is complete without a remediation plan. AWS has tools that provide remediation with little to no downtime. Part of standard practice for AWS environments is to take regular snapshots of EC2 instances (servers). These snapshots can be used to re-create a compromised or non-functional component in minutes rather than going through the lengthy restore process for a traditional server. Additionally, 2nd Watch recommends taking an initial image of each component so that, in the event of a failure, there is a fallback point to a known-good configuration.
So how secure is secure? With the ability to respond faster, scale as necessary, and recover in minutes, the Amazon cloud is pretty darn secure! And of course, this is only the tip of the iceberg for AWS cloud security; more will follow for the rest of December here on our blog, and please check out the official link above for Amazon’s Security Center and whitepapers.
-Keith Homewood, Cloud Architect
Amazon Web Services™ (AWS) released a new service at re:Invent a few weeks ago that will have operations and security managers smiling. CloudTrail is a web service that records AWS API calls and stores the logs in S3. This gives organizations the visibility into their AWS infrastructure that they need to maintain proper governance of changes to their environment.
2nd Watch was pleased to announce support for CloudTrail with the launch of our 2W Atlas product. 2W Atlas is a product that organizes and visualizes AWS resources and output data. Enterprise organizations need tools and services built for the cloud to properly manage these new architectures. 2W Atlas gives organizations a tool that enables their divisions and business units to organize and manage the CloudTrail data for their individual group.
2nd Watch is committed to assisting enterprise organizations with the expertise and tools to make the cloud work for them. The tight integration 2nd Watch has developed with CloudTrail and Atlas is further proof of our expertise in bringing enterprise solutions that our customers demand.
To learn more about 2W Atlas or CloudTrail, Contact Us and let us know how we can help.
-Matt Whitney, Sales Executive