Helping enterprises who are conducting an AWS cloud migration as part of a technology transformation project, we are often asked about IT governance and how to ensure policies and controls are consistently applied between old and new environments. Ensuring the goals of IT governance -- from management to security, and from cost to performance -- is central to the Flux7 approach. In today’s article, we’ll share how we help accomplish these governance goals for our customers and as a result, how you, too, might consider approaching IT governance in the cloud.
Last week was the inaugural AWS re:Inforce conference, a two-day conference focused on AWS security architecture best practices. Over 7,000 attendees gathered to hear Stephen Schmidt, VP and CISO at AWS, announce the general availability of Security Hub and Control Tower, as well as Amazon’s take on the state of cloud security. Overall, AWS reports that the state of cloud security is strong, and that, “customers regularly tell us that they are better off operating in the cloud than they are in their own data centers on premises, and that is not only from an availability perspective but often from a security perspective as well.”
Keeping in line with the principles of a Well Architected Review (WAR), we are constantly challenged by our customers to help evolve their requirements into repeatable and automated patterns deployed in their AWS environment, using the latest AWS has to offer in its growing list of managed services. In this case, a research wing of a global industrial firm wanted a solution to replace their current VPN and bastion host solution, with access control topping the list of requirements. The answer: AWS Client site VPN.
Companies have ‘life events’ and we often get the opportunity to work with them at these times, as they spur the need for change. In the case of the customer we’re highlighting today, they reached out to the AWS Premier Consulting Partners at Flux7 as they had recently acquired a Canadian-based company for whom they needed to complete a full Disaster Recovery (DR) build-out. The firm is subject to Canadian regulations that state that data created in Canada needs to remain stored in Canada. As a result, this audit firm needed a Canadian DR facility that would store all data in country.
With the General Data Protection Regulation (GDPR) set to go live this Friday, we thought we’d focus this week’s DevOps news in review on using the cloud to help ensure compliance. If you aren’t already familiar with the upcoming GDPR, you should be. While it’s an EU regulation, it serves to protect the personal data of all EU citizens. As such, if you control or process data of EU citizens, the rule applies to you, squarely setting responsibility for protection of that data on your shoulders. It's noteworthy that fines are hefty for the regulation, reaching up to 20 Million Euro or 4% of annual turnover.
We recently had the opportunity to work with a privately-held clinical research organization that was interested in updating the systems that its internal team of research scientists uses for data analysis. It was interested in moving to the AWS cloud as the team’s large data-related demands had outgrown its on-premises system and needed the benefit of a highly secure, elastic, high performance computing environment.
At re:Invent just a few weeks ago, AWS announced Amazon GuardDuty, to enable secure monitoring. At the time, we lauded the announcement for its ability to grow security in AWS with a more holistic view of security in the cloud. In the past few weeks, we’ve fielded inquiries from several customers asking about the service, its features, and potential fit for their organization. Knowing that their questions may be indicative of a wider interest in the new managed service that monitors and detects malicious or unauthorized behavior across an organization’s AWS infrastructure, we are sharing today our analysis of Amazon GuardDuty.
We recently had the opportunity to work with a pharmaceutical company that is breaking new ground when it comes to treatments for life-threatening ailments like cancer. Seeking to innovate across the organization -- from R&D to IT -- this company reached out to the DevOps team at Flux7 to help it migrate its Cloudera Hadoop-based analytics systems to AWS. Specifically, the vision was to take all of its diverse data sets to the cloud, establishing a highly available and secure environment where the firm could conduct data modeling and data analysis while protecting sensitive data and ensuring GxP and HIPAA compliance. Read on for the full AWS case study.
In our experience working with hundreds of organizations on compliance projects ranging from AWS PCI compliance and AWS HIPAA compliance to internal risk management initiatives, it’s clear that achieving and maintaining compliance is a delicate balance. Too many rules can slow progress and sometimes even cause teams to avoid complying at all. And too few guidelines can obviously result in unwanted fines, or in a worst case scenario, a security vulnerability that causes the business serious harm. Central to establishing and ensuring AWS risk and compliance efforts is the well-known practice of AWS configuration management. It plays a central role in keeping systems in a known, good state and with the application of automation can help organizations strike an optimal balance.
A misconfigured data bucket in AWS Simple Storage Service (S3) led to a Republican contractor’s database of nearly every voter being left exposed on the Internet for 12 days, according to CRN. This news presents an unfortunate reminder of why good AWS security hygiene is important to designing, building and managing AWS environments. In this spirit, we’d like to explore two basic AWS best practices that when built-in can help stave off extreme events like this.
AWS automation recently got a boost: the company introduced the ability to build an end-to-end release automation workflow that can deploy changes across multiple regions or different AWS accounts. And they subsequently featured an article on their blog on the steps to create a cross-region CodePipeline. Today, however, we want to address the other half of this equation -- building cross-account pipelines -- and thought it worthwhile to share with you here when and why we would recommend the benefits of this approach.
As systems become more complex, it’s more important than ever to ensure you have a strategy for effective and efficient secrets management. While we will dive into the technical aspects of doing just this within AWS, let’s first review what exactly secrets are and why you need to manage them.
At re:Invent 2016, AWS announced Organizations, the ability to have and easily manage multiple accounts. Flux7 consultants have long recommended multiple accounts to clients as a best practice for maintaining separation of roles and applications to address security and compliance policies and now it’s even easier with the AWS Organizations Service. Let’s first walk through what makes it so easy and then we’ll share AWS and Flux7 best practices.
Controlling access to sensitive information, or secrets, required by your applications is a ubiquitous architectural requirement. Your applications need information like passwords, API keys, and certificates, and as the application owner you need to ensure this information is only accessed by the correct application. You also need to know when this information was accessed and by which entity.
At Flux7, we get the opportunity to work with organizations across many industries and with a variety of challenges. As a result, we often get asked how other companies approach and solve different challenges. One challenge we are frequently asked about is website performance, security and elasticity, especially as it relates to eCommerce. As such, we’re happy to share with you today the story of a customer who was looking to balance these goals and how with the help of Flux7 consultants they were able to do so.
Our DevOps consultants often get asked about the use of specific technologies and if they would make a good fit for the inquirer’s organization. One of those technologies that we frequently field questions about is HashiCorp Vault. As a result, we think you’ll be interested in this short story of a financial services organization who moved to Vault to improve its secret management system. (For a fuller version of this story, please access the case study here.)
An ounce of prevention is worth a pound of cure, and that’s exactly what this SaaS sales application provider asked the AWS experts at Flux7 to come in and provide. Knowing our deep background and knowledge of the ins and outs of AWS services -- and the ecosystem of technologies that work with it -- they asked if we could validate their AWS roadmap and help them take full advantage of the benefits AWS provides.
Today we are delighted to be recognized as having achieved AWS Service Delivery Partner status for Amazon Aurora. As you can see from the news release we issued, the AWS Service Delivery Program is designed to highlight AWS Consulting Partners who have a track record of delivering verified customer success for specific Amazon Web Services (AWS) products.
One of the approaches our AWS Consultants consistently take is Security by Design. By building security in from the beginning--rather than as an afterthought--security rules, processes and controls are inherent to the system. We like to think of it as a race car with the roll cage built into the frame vs. a race car built and the roll cage added afterward. Truthfully, which car would you feel safer helming?
We have been working closely with a customer who is undergoing a business transformation. As a multimedia equipment manufacturer, the organization has a loyal following for its high quality devices. However, like many companies facing the convergence of markets and new customer demands, the company has embarked on a metamorphosis. Traditionally very focused on hardware, their software was largely ignored even though it offered customers real value. Part of the company’s transformation was a move to treat their software like a full-fledged offering, rather than a free supplement. An upcoming product release marked the first (and biggest) step in cementing this change in company direction.
How Flux7 Helped Increase Developer Productivity with AWS Service Catalog
At Flux7, we are expert at helping healthcare organizations gain a competitive advantage in the market through IT modernization projects that amplify their inherent business strengths. So when we were approached by this healthcare organization, which sees technology as a competitive advantage, we were quite excited to dive in.
Container technology was a well-read topic on the Flux7 blog in 2016, joining our blogs on Continuous Integration Best Practices (CI/CD) and AWS Configuration Management as the subject areas that received the most attention from our readers. From hardening containers to container-based cloud migration frameworks and Docker-based microservices architecture, our DevOps consultants published a great deal of analysis, advice and best-practice approaches to help our readers achieve success with containers in AWS.
At re:Invent 2016 Werner Vogels, AWS CTO, donned a Transformer shirt to tell us we can be Transformers. And, Andy Jassy, AWS CEO, emphasized in his presentation that we can all be superheroes, with superpowers. This emphasis on the ability to easily control, manage and even transform your AWS environment -- from x-ray vision to immortality -- was a great way to frame the two themes of the show which boiled down to increased ease of use and a greater acceptance for the hybrid cloud model.
Now that the first wave of innovators and early adopters have moved their workloads to the cloud, we are seeing the majority, more pragmatist organizations, migrating to the cloud. However, unlike early movers who were willing to navigate the complexity of AWS tools and technology, this second wave of organizations puts a higher premium on ease of use. Given that, let’s look at how AWS has done just this through our lens of operations, DevOps and Security.
At this year’s re:Invent, Flux7’s CEO, Aater Suleman, had the great pleasure of presenting with Hemanth Jayaraman, Rent-A-Center’s director of DevOps. (You can watch the full presentation here.) We shared with the audience the story of how we worked with Rent-A-Center to help them address their challenge to architect, deploy, and manage a mission-critical SAP Hybris ecommerce platform that could scale to 6+ million users a month.
AWS recently announced the expansion of the AWS Web Application Firewall (WAF) to include coverage for application load balancers. Working with a wide variety of organizations to design and build secure applications within the AWS cloud, we frequently call upon WAF as a critical component of our solution. In fact, we were recently recognized for having achieved AWS Service Delivery Partner Status for AWS WAF.
Yesterday at re:Invent, we were delighted to be recognized as having achieved AWS Service Delivery Partner status for AWS Web Application Firewall (WAF). As you can see from the news release we issued, the AWS Service Delivery Program is designed to highlight AWS Partner Network (APN) Partners who have a track record of delivering verified customer success for specific Amazon Web Services (AWS) products.
As we discussed recently, AWS microservices are being adopted widely across organizations and industries for their ability to increase service delivery and speed time to market while decreasing team overhead. As organizations begin traveling down the path to a microservices architecture, one hurdle that they often run into is enterprise password management or secret management. For, as the number of microservices increase, so too do the number of credentials—often exponentially so—creating a need for effective and efficient management.
According to Innovative Retail Technologies, 52% of surveyed retailers plan to actively move applications to the cloud this year. The initially tepid response to cloud is waning as retailers learn more about its strengths for availability and innovation. Yet, one question our AWS consultants frequently field from retailers is about achieving AWS PCI Compliance in the cloud. As most readers of this blog know, the Payment Card Industry Data Security Standard, otherwise known as PCI DSS, is an information security standard requiring organizations to incorporate controls around customer data to prevent credit card fraud. There are several ways that AWS helps its retail clients build a foundation for PCI compliance and they’ve recently announced one more in the form of a Quick Start.
Automating common administrative tasks to improve workload reliability and decrease potential risk is a common theme our consultants at Flux7 help our clients with. Doing so simplifies administration, encourages security through consistency and helps improve control over users and permissions. Amazon launched EC2 Run Command in October 2015 to help attain these benefits.
As AWS experts we work closely with organizations who handle a wide variety of sensitive information – from patient health records to credit card data and more. As a result, we are always on the look-out for technology and best practice-based improvements to ensuring cloud-based security. With more and more of our clients looking to embrace a microservices architecture, cloud security and compliance naturally remain a focus, which is why we are happy at the news from AWS today that they’ve addressed how to help secure container-enabled applications with IAM Roles for ECS tasks.
Just last month we wrote about Docker upping the security ante with a number of new security controls built into Docker 1.10, and here we are yet again. Dockercon 16 is coming up fast - June 19-21, 2016 in Seattle - and we're looking forward to sharing the Dockercon stage for the second time with a customer - Fugro this time - to talk about how enterprises can use Docker and AWS to address common challenges. Check out the speaker list here.
Amazon Simple Systems Manager or SSM as we’ll refer to it throughout this article, is a great example of an important feature in the Amazon Web Services toolset that we try to highlight for our clients because of its DevOps, compliance and security benefits. As AWS partners recognized for our customer service and expertise, we are often asked about the implications of specific AWS features and their benefits.
Cross Accounts Access Set-Up and Benefits
AWS CodeCommit is a fully managed, highly scalable version control service hosted by Amazon Web Services. It is compatible with Git, and hence all of the git commands work with AWS CodeCommit. AWS CodeCommit is highly secure in the sense that the data is encrypted both at rest and in transit. The repositories offered under this service are private by default. AWS CodeCommit supports both HTTPS and SSH protocols.
Docker recently unveiled version 1.10 of its popular container technology. Security was a major focus of the release with several features designed to strengthen the security of Docker containers. According to the Docker blog,
“All the big features you’ve been asking for are now available to use: user namespacing for isolating system users, seccomp profiles for filtering syscalls, and an authorization plugin system for restricting access to Engine features. Another big security enhancement is that image IDs now represent the content that is inside an image, in a similar way to how Git commits represent the content inside commits.”
Flux7 Helps HomeAway Save Christmas in the Nick of Time
As the world’s leading online marketplace for the vacation rental industry, HomeAway aims to help families and friends find the perfect vacation rental to create unforgettable travel experiences together.
And while many families like to get away for the holidays, two-thirds of kids worry that Santa won’t find them if they aren’t home on Christmas. As a result, this past holiday season HomeAway launched a marketing campaign to proactively address the issue.
In our last blog post, we discussed how Ansible’s configuration management tools can benefit Amazon Web Services (AWS) environments – especially for DevOps focused organizations. Today we’d like to share how to realize those benefits with Ansible Playbooks.
Playbooks are Ansible’s configuration, deployment, and orchestration language. Keeping in line with Ansible’s focus on simplicity without sacrificing security and reliability, Playbooks purposefully have a minimum of syntax because they aren’t meant to be a programming language or script, but rather a model of a configuration or a process.
AWS Case Studies: DevOps
A Fortune 500 manufacturer was using Hadoop, internal data centers, Rackspace and CenturyLink to facilitate services that connected its customers with data insights using an Internet of Things model. The overarching goal: to facilitate continuous data-driven improvement within its customers’ operations. To help achieve this goal and overcome its Hadoop scaling issues, the company engaged with Flux7, a DevOps consulting group and AWS partner. Additionally, the manufacturer sought a global solution that would comply with EU data privacy laws.
One of the key benefits of cloud computing is the opportunity to replace up-front capital infrastructure expenses with low variable costs that scale with your business. And, while it is easy to quickly spin up hundreds or thousands of new servers in minutes with Amazon Web Services (AWS), it’s much more difficult to ensure that those new machines are configured appropriately. Enter the marriage of configuration management tools and AWS.
Part 2: How to Make AWS Config Work for You
One of the biggest fears that CIOs of the digital age have is not only server crashes, but the inability to recover the system to its last-known state. This is particularly painful in compliance-heavy industries that are subject to external audits to make sure everything is being performed to industry standards and within federal compliance. AWS Config is a service that records a detailed account of what happens with your AWS configuration, giving you the critical ability to go back in time and verify the state your AWS resources were in at a given point in time.
Unique cloud strategies to gain business advantage
Cloud computing in healthcare is driving a new era of change.
Code Spaces. Its story is sending shivers up and down the spines of businesses and developers alike, and for good reason. But that doesn’t mean it should stop the progress of cloud migration or significantly change your strategy. In fact, the story brightly shines a light on an issue that is avoidable, and serves as a warning of what can happen in the complex world of cloud architecture.
This past weekend, we solved two problems for two customers. They both had working configuration management solutions. One used Puppet; the other used Chef. One was Red Hat-based; the other was Debian-based. But, both of them had the same problem.
As we expected it to be, the AWS Summit this week was an excellent experience. We talked to a lot of interesting people, new and old. We gathered several customer leads, shared technology best practices, talked about business development strategies, and explored several partnership opportunities. As promised, I am now sharing with you my experience in San Francisco, so please read on.
After my post last week about using AWS in the cloud, I thought I’d share the sessions at the upcoming AWS Summit in San Francisco that have us excited. These sessions are heavily influenced by my own interest coming from my role within Flux7 and the technology development I work on both internally at Flux7 and for our professional services clients.
Amazon has changed the face of the world of startups with its cloud services. Now it’s possible for two men in a garage to set up large computer clusters for zero capital cost.
At Flux7, we believe in high productivity, so each of our engineers handles multiple AWS client accounts, and sometimes multiple engineers handle one client. As a team leader who manages tens of client accounts, I need to switch in and out of each account several times an hour, which is a real challenge because so much customer-specific information must be loaded into files and environments that we call “customer profiles”. Each includes the following:
As we at Flux7 Labs, AWS partners, work on deployments for our customers, many ask questions about basic AWS security issues, including those addressed by using Virtual Private Clouds (VPCs). So in this post we provide a guide for setting up and using VPCs in order to help guide your AWS setup. This AWS VPC tutorial is based on our experience using VPN in AWS deployments, both for Flux7 Labs’ internal systems and for our customers’ systems. VyScale, our cost- and performance-management solution, is an excellent tool for setting up systems inside of VPCs.