1. Culture of Innovation –
Thinking Backwards
With Amazon
Ralf Kleber
Country Manager Amazon Deutschland
Frankfurt, February 2017
2. Invention comes in many forms and at
many scales. The most radical and
transformative of inventions are often
those that empower others to unleash
their creativity – to pursue their dreams.
Jeffrey P. Bezos
Founder and Chief Executive Officer
Amazon.com, Inc.
18. »Customer Obsession
“Start every process with the customer and work
backwards.”
»Long Term Thinking
“Be stubborn on the vision but flexible on the details.”
»If you want to be inventive, you have to
be willing to fail.
“We are willing to go down on a bunch of dark alleys
and occasionally we find something that really works.”
»You have to be willing to be
misunderstood for a long time.
“We are very comfortable being misunderstood.”
Our culture of
innovation
58. Amazon is innovating across many domains
Drone Development
Advanced Shopping
Kindle Reader
In-house Entertainment
Grocery Delivery
Video Streaming
Home Automation
Cloud Computing
61. “SignAloud”: Translating Sign Language to Speech
• Bluetooth enabled gloves
• Records hand position and
movement
• Uses deep learning to
match gestures with words
• Text to speech
64. « Invention requires two
things: the ability to try a lot
of experiments, and not
having to live with the
collateral damage of failed
experiments » Andy Jassy
CEO
Amazon Web Services
69. « We reach for new heights and reveal the
unknown for the benefit of humankind »
What is NASA’s Vision?
70. « We're a company of pioneers. It's our job to make bold
bets, and we get our energy from inventing on behalf of
customers. Success is measured against the possible, not
the probable. »
72. Formulaic vs Entrepreneurial
Formulaic:
Well-defined Vision
Process-Oriented
Over-optimized on team coordination
Value system above breakthroughs
“Play it safe, keep the customer base”
Entrepreneurial:
Primary Inventor
Scrappy
Autonomous teams
Disruption vs incremental growth
“Go big, or go home”
86. “We are creating powerful
self-service platforms that
allow thousands of people
to boldly experiment and
accomplish things that
would otherwise be
impossible or impractical."
Self-Service Platforms without Gatekeepers
87. Most Robust, Fully-Featured Technology Infrastructure Platform
[Platform overview diagram in the original; service categories and their contents:]
HYBRID ARCHITECTURE: Data Backups, Integrated App Deployments, Direct Connect, Identity Federation, Integrated Resource Management, Integrated Networking
MARKETPLACE: Business Apps, Databases, DevOps Tools, Networking, Security, Storage, Business Intelligence
ENTERPRISE APPS: Virtual Desktops, Sharing & Collaboration, Corporate Email, Backup
IoT: Rules Engine, Device Shadows, Device SDKs, Registry, Device Gateway
DEVELOPMENT & OPERATIONS / MOBILE SERVICES / APP SERVICES / ANALYTICS (four columns, interleaved in the extraction): Data Warehousing, Hadoop/Spark, Streaming Data Collection, Machine Learning, Elastic Search, Queuing & Notifications, Workflow, Search, Email, Transcoding, One-click App Deployment, Identity, Sync, Mobile App Testing, Push Notifications, DevOps Resource Management, Application Lifecycle Management, Containers, Triggers, Resource Templates, API Gateway, Streaming Data Analysis, Business Intelligence, Mobile Analytics, Single Integrated Console
TECHNICAL & BUSINESS SUPPORT: Support, Professional Services, Account Management, Partner Ecosystem, Solutions Architects, Training & Certification, Security & Billing Reports
GAMING: 3D Game Engine, Character Designer, Multiplayer Service, Twitch Integration, Cloud Integration
INFRASTRUCTURE: Regions, Availability Zones, Points of Presence
CORE SERVICES: Compute (VMs, Auto-scaling, Load Balancing, Containers, Cloud functions); Storage (Object, Blocks, File, Archivals, Import/Export); Databases (Relational, NoSQL, Caching, Migration); CDN; Networking (VPC, DX, DNS)
SECURITY & COMPLIANCE: Access Control, Identity Management, Key Management & Storage, Monitoring & Logs, Resource & Usage Auditing, Configuration Compliance, Web application firewall, Assessment and reporting
89. “Our theories determine what we measure.”
– Albert Einstein
Identify your assumptions
Look beyond your frame of references
Be a “Culture of Metrics”
A/B test for optimization
Improve and iterate quickly
Measure, Improve, and Iterate
94. Innovation from the AWS Ecosystem
Netflix Open Source Software Center: Big Data, Build and Delivery Services, Content Encoding
Pinterest Engineering: Application Configuration, Secrets management, MySQL Management Tools
Airbnb OpenSource: Machine Learning, Workflow, WebUI
96. « We've had three big ideas at
Amazon that we've stuck with for
20+ years, and they're the reason
we're successful: put the customer
first, invent, and be patient »
Jeff Bezos
CEO and Founder
Amazon.com, Inc
100. What to Expect from the Session
Discussion about AWS scale, security, and Germany C5
Three examples of how we deal with massive scale in compliance
1. Access Management
2. Change management
3. Vulnerability management
For each example:
• AWS Services that we utilize for operationalizing compliance
• Lessons learned
Services featured: Amazon CloudWatch, AWS CloudTrail, AWS Lambda, Amazon API Gateway, Amazon Redshift
105. Gall’s Law:
A complex system that
works is invariably found to
have evolved from a
simple system that worked.
A complex system
designed from scratch
never works and cannot be
patched to make it work.
You have to start over with
a working simple system.
106. Huge scale
+ Complex Systems
+ Highest Security Bar
= Impossible Task
(in a manual world)
108. Designed and released by the BSI in February 2016, the C5 control set offers additional assurance to customers in Germany as they move their complex and regulated workloads to cloud computing service providers such as AWS.
The BSI took the following international standards into account:
• ISO/IEC 27001:2013 (ISO - International Organization for Standardization)
• CSA Cloud Controls Matrix 3.01 (CSA - Cloud Security Alliance)
• AICPA Trust Service Principles Criteria 2014 (AICPA - American Institute of Certified Public Accountants)
• ANSSI Référentiel Secure Cloud 2.0 (Draft) (ANSSI - Agence nationale de la sécurité des systèmes d'information)
• IDW ERS FAIT 5 04.11.201 (draft statement on accounting: "Grundsätze ordnungsmäßiger Buchführung bei Auslagerung von rechnungslegungsrelevanten Dienstleistungen einschließlich Cloud Computing" [Generally accepted accounting principles for the outsourcing of accounting-related services including cloud computing], version of 4 November 2014)
• BSI IT-Grundschutz Catalogues, 14th version 2014
• BSI SaaS Sicherheitsprofile 2014 [BSI SaaS security profiles 2014]
C5 = Cloud Computing Compliance Controls Catalogue
Mapping table: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/CloudComputing/ComplianceControlsCatalogue/Referencing_Cloud_Computing_Compliance_Controls_Catalogue.pdf
109. IT security standards such as the BSI C5 catalogue are an essential part of defining digitalization, which can’t be successful without cyber security. The BSI’s requirement catalogue offers cloud providers the possibility to receive an attestation during a compliance audit or an accounting audit with minor additional work and expense.
We are pleased that Amazon Web Services, an internationally accepted and important cloud provider, was the first to receive an attestation according to the C5 catalogue.
This shows that this standard is accepted and implemented by the market.
BSI president Arne Schönbohm
110. AWS Automated Compliance
We'll walk you through 3 examples today:
1. Access Management
2. Change management
3. Vulnerability management
+ Lessons learned
112. Example 1: Access Monitoring of Critical Systems
• Problem: monitoring access to a large number of hosts
• Our response: remediation controls that evaluate who AND what
• How we use it: monitor, validate, remediate access controls at AWS scale quickly
• Benefit: ensure principle of least privilege access
113. Example 1: Access Management layered controls
Step 1: Principle of Least Privilege
Critical Assets
Rules based permission management
Baseline rule review
Near real time validation
114. Example 1: Step 1 Under the hood
[Architecture diagram in the original; its three sections:]
A. “On prem like” environment
B. ETL Solution
C. Continuous Monitoring & Notification Solution
Components shown (numbered steps 1–13 in the diagram): HR permission store, on-prem hosts, Amazon Redshift, S3, AWS Data Pipeline, Job Management service, EC2 worker fleet, AWS Lambda, group owners, notifications, Amazon Kinesis Firehose, on-prem hosts, Amazon SQS
115. Example 1: Step 2 Under the hood
Step 2: Principle of Least Privilege
[Pipeline diagram in the original, steps 1–5:] Amazon S3 log repository → Apache Spark cluster (Amazon EMR) → ETL using Lambda → S3 bucket to store extracted SSH logins → Amazon Redshift
116. Example 1: Lessons Learned
• Revoke access of users who haven’t used their access to critical AWS resources/systems
• AWS CloudTrail + Credential Usage Report + Service Access Report
• Logins to your EC2 fleet vs. SSH keys access list
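Added example, not code from the deck or from AWS: the third lesson, comparing logins to the EC2 fleet against the SSH key access list, carried out over a few constructed sshd log lines. The log excerpt, the access list and the names parse_accepted_logins, review_access and demo are assumptions made for this example; the line format itself is OpenSSH's standard syslog output, which carries no year, so the caller supplies it.

```python
"""Access review: observed SSH logins vs. the SSH key access list.

Constructed sample data; parse_accepted_logins(), review_access() and demo()
are hypothetical names introduced for this example.
"""
import re
from datetime import datetime, timedelta

# OpenSSH "Accepted ..." lines in syslog format. The trailing key type and
# fingerprint group is optional because password logins carry no fingerprint.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fingerprint>\S+))?"
)

# Constructed sshd log excerpt (not a real fleet); fingerprints are made up.
SAMPLE_AUTH_LOG = """\
Jan  2 07:55:12 host-a sshd[1801]: Accepted publickey for dave from 10.0.1.9 port 50001 ssh2: RSA SHA256:dave-key-0001
Mar  3 08:12:01 host-a sshd[2011]: Accepted publickey for alice from 10.0.1.5 port 50122 ssh2: RSA SHA256:alice-key-0001
Mar  3 08:15:44 host-a sshd[2042]: Failed password for invalid user admin from 10.0.9.9 port 41000 ssh2
Mar  4 17:30:10 host-b sshd[3100]: Accepted publickey for bob from 10.0.1.6 port 50200 ssh2: ED25519 SHA256:bob-key-0001
Mar  5 09:00:00 host-b sshd[3150]: Accepted publickey for mallory from 10.0.2.7 port 50300 ssh2: RSA SHA256:mallory-key-0001
Mar  5 09:20:00 host-b sshd[3160]: Accepted password for bob from 10.0.2.8 port 50400 ssh2
"""

# Constructed access list: user -> fingerprints approved for the fleet.
ACCESS_LIST = {
    "alice": {"SHA256:alice-key-0001"},
    "bob": {"SHA256:bob-key-0001"},
    "carol": {"SHA256:carol-key-0001"},  # approved but never seen logging in
    "dave": {"SHA256:dave-key-0001"},
}


def parse_accepted_logins(log_text, year):
    """Return one dict per successful login. Syslog timestamps carry no year,
    so the caller supplies the year the log covers."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed attempts, disconnects, other daemons
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        logins.append({
            "when": when, "host": m["host"], "user": m["user"], "src": m["src"],
            "method": m["method"], "fingerprint": m["fingerprint"],  # None for passwords
        })
    return logins


def review_access(logins, access_list, as_of, window_days=90):
    """Join logins against the access list.

    "unlisted": logins not backed by an approved (user, key) pair, including
                password logins, which cannot be attributed to a listed key.
    "revoke_candidates": approved users with no key login inside the window.
    """
    unlisted, last_seen = [], {}
    for entry in logins:
        approved = access_list.get(entry["user"], set())
        if entry["method"] != "publickey" or entry["fingerprint"] not in approved:
            unlisted.append(entry)
            continue
        user = entry["user"]
        last_seen[user] = max(last_seen.get(user, entry["when"]), entry["when"])
    cutoff = as_of - timedelta(days=window_days)
    stale = sorted(u for u in access_list if last_seen.get(u, datetime.min) < cutoff)
    return {"unlisted": unlisted, "revoke_candidates": stale}


def demo(window_days=90):
    """Run the review over the constructed data as of 2017-03-06."""
    logins = parse_accepted_logins(SAMPLE_AUTH_LOG, 2017)
    return review_access(logins, ACCESS_LIST, datetime(2017, 3, 6), window_days)


if __name__ == "__main__":
    result = demo()
    for e in result["unlisted"]:
        print(f"UNLISTED  {e['when']:%Y-%m-%d} {e['user']}@{e['host']} "
              f"via {e['method']} from {e['src']} key={e['fingerprint']}")
    print("REVOKE candidates:", ", ".join(result["revoke_candidates"]))
```

On the sample, mallory's key login and bob's password login are reported as unlisted, and carol, who is on the list but never logged in, is the revoke candidate; shortening the window to 30 days also surfaces dave, whose last login predates it. In the deck's pipeline the same join runs in Redshift over logins extracted from the S3 log repository; here it is done in memory so it can be read in one place.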
118. Example 2: Change Management
• Problem: controlled automated deployment and validation of daily deployments
• Our response: automated, auditable deployment and validation environment
• How we use it: auditor validation of our preventative and detective change management controls
• Benefit: all changes to the environment are controlled and documented
123. Example 3: Vulnerability Management
• Problem: analyzing a large data set of fleet information and identifying ‘actionable’ patching data for our large fleet of hosts
• Our response: utilize active and passive assessments to accurately capture and identify opportunities for updates
• How we use it: utilizing 3rd-party scanners and on-host agents to reduce false positives and increase accurate ‘actionable actions’ for remediation
• Benefit: our hosts are patched, preventing security issues
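Added example, not the deck's or AWS's own code: the cross-check of scanner findings against on-host agent data that the “How we use it” bullet describes, with the version comparison written so that it also illustrates the “datatype definitions matter” lesson from the next slide. Hosts, package versions, the ADV-EXAMPLE advisory labels (placeholders, not CVE ids) and the names triage, parse_version and work_items are constructed for this example.

```python
"""Vulnerability triage: scanner findings cross-checked with on-host agent data.

Added example with constructed data; advisory identifiers are placeholders,
not real CVE numbers. triage(), parse_version() and work_items() are
hypothetical names introduced for this example.
"""
import re
from collections import defaultdict


def parse_version(v):
    """Make '1.0.2g' or '1.10.3' comparable. Numeric runs compare as numbers,
    alphabetic runs as text, so '1.10.3' sorts after '1.9.0' (a plain string
    comparison gets this wrong, which is the 'datatype definitions' point)."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))


# Constructed network scanner output: inferred from service banners, so it may
# be stale or may guess the package wrong.
SCANNER_FINDINGS = [
    {"host": "web-01", "advisory": "ADV-EXAMPLE-001", "package": "openssl", "fixed_in": "1.0.2h"},
    {"host": "web-01", "advisory": "ADV-EXAMPLE-002", "package": "nginx", "fixed_in": "1.10.3"},
    {"host": "web-02", "advisory": "ADV-EXAMPLE-001", "package": "openssl", "fixed_in": "1.0.2h"},
    {"host": "web-02", "advisory": "ADV-EXAMPLE-003", "package": "php", "fixed_in": "7.0.15"},
    {"host": "db-01", "advisory": "ADV-EXAMPLE-004", "package": "postgresql", "fixed_in": "9.6.2"},
]

# Constructed on-host agent inventory: host -> {package: installed version}.
AGENT_INVENTORY = {
    "web-01": {"openssl": "1.0.2g", "nginx": "1.10.3"},  # openssl behind, nginx already at fix
    "web-02": {"openssl": "1.0.2k"},                     # patched after the banner was cached; no php
    # db-01 has no agent: its finding can be neither confirmed nor refuted
}


def triage(findings, inventory):
    """Sort findings into actionable / false_positive / unverified buckets,
    attaching the reason so the decision is auditable."""
    buckets = {"actionable": [], "false_positive": [], "unverified": []}
    for f in findings:
        packages = inventory.get(f["host"])
        if packages is None:
            buckets["unverified"].append({**f, "reason": "no agent data for host"})
            continue
        installed = packages.get(f["package"])
        if installed is None:
            buckets["false_positive"].append({**f, "reason": "package not installed"})
        elif parse_version(installed) < parse_version(f["fixed_in"]):
            buckets["actionable"].append({**f, "installed": installed})
        else:
            buckets["false_positive"].append(
                {**f, "installed": installed, "reason": "installed version at or above fix"})
    return buckets


def work_items(actionable):
    """Collapse actionable findings into one patch task per (package, fix)."""
    items = defaultdict(list)
    for f in actionable:
        items[(f["package"], f["fixed_in"])].append(f["host"])
    return {k: sorted(v) for k, v in items.items()}


if __name__ == "__main__":
    result = triage(SCANNER_FINDINGS, AGENT_INVENTORY)
    for bucket, entries in result.items():
        print(bucket, [(e["host"], e["package"], e.get("reason", "patch")) for e in entries])
    print(work_items(result["actionable"]))
```

Of five scanner findings only one survives as a patch task (openssl on web-01); two are refuted by the agent's installed version, one by the package not being installed, and the finding for the agentless host is held as unverified rather than silently dropped. Keeping the unverified bucket separate is what turns a scanner report into the “actionable” list the slide asks for without losing coverage gaps.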
124. Example 3: Under the hood
[Architecture diagram in the original; components shown: Amazon RDS, Amazon Elasticsearch Service, distributed sensors, Amazon EC2, dashboard]
125. Example 3: Lessons Learned
• Active Scans are costly in time and resources
• False positives are hard to deal with
• Datatype definitions matter
Pipeline: ASSESS (Amazon Inspector) → STORE (Amazon RDS, Amazon Redshift) → PROCESS (AWS Lambda) → VISUALIZE (Amazon Elasticsearch Service, Amazon QuickSight)
126. Recap
• Our lesson learned: automate to survive.
• You have the same opportunity for these examples and others.
• AWS can be used to strengthen data protection in Cloud and on-prem environments.
130. Sky High Customer Expectations
• Web + Phone + Tablet
• Secure
• Always available
• Worldwide
• High performance
• Continuously updated
• Smart use of Big Data
132. Recipe for Success: Use Higher Level Services
Use Case                  Higher Level Service
Web Apps and Services     Elastic Beanstalk, API Gateway
Compute                   Containers with ECS, Functions with Lambda
Big Data                  Elastic Map Reduce
Search                    CloudSearch, Elasticsearch
Batch Computing           AWS Batch
Configuration Management  OpsWorks, CloudFormation
138. DevOps: Monitoring and Logging
• Track and analyze metrics and logs
• Understand real-time performance of
infrastructure and application
• Automated alarms with escalation
139. Thousands of teams × Microservice architecture × Continuous delivery × Multiple environments = 50 million* deployments a year
*as of 2014
140. AWS DevOps Portfolio
Continuous Integration & Delivery: AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, AWS CodeBuild (new)
Infrastructure as Code: AWS CloudFormation, AWS OpsWorks Stacks, AWS OpsWorks for Chef Automate (new)
Monitoring & Logging: AWS Config, Amazon CloudWatch, AWS CloudTrail, AWS X-Ray (new)
142. Enterprise Controls in a Cloud Era
• Governance
• Compliance
• Risk
• Security
• Data Protection
• Cost
• Availability
143. Recipe for Success: Account Strategy
• Use AWS accounts for ownership and role clarity
  • By Ownership: Central IT, Business Group #1, Business Group #2, …
  • By Use: Dev, Integration Test, Production
144. Recipe for Success: Guardrails
Standard configuration across all AWS accounts
• Multi-factor authentication (MFA) for root
• Identity federation with enterprise directory
• CloudTrail turned on – record of all API activity
• Config turned on – record of configuration changes
• Config Rules to encourage/enforce your policies
• Log aggregation to CIO/CSO
145. What is AWS CloudTrail?
AWS CloudTrail is a fully managed service that records API calls made on your AWS account. CloudTrail helps you gain visibility into API activity, enables you to troubleshoot operational issues, conduct security analysis and meet internal or external compliance requirements.
Customers are making API calls... on a growing set of services around the world… CloudTrail is continuously recording API calls… and delivering log files to customers.
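Added example, not from the deck or from AWS: two of the slide 144 guardrails (MFA for root, CloudTrail as the record of all API activity) checked over a constructed CloudTrail log file in the delivered “Records” format, together with a check that the trail itself is not being switched off. The record field names (userIdentity.type, additionalEventData.MFAUsed, eventSource, eventName) and the API action names are CloudTrail's and AWS's own; the records, the account id 123456789012 and the 203.0.113.x addresses are documentation-style sample values, and analyze_trail, RULES and summarize are names introduced here.

```python
"""Guardrail checks over CloudTrail records.

Added example with a constructed CloudTrail file; the account id and
203.0.113.x addresses are documentation/example values. analyze_trail(),
RULES and summarize() are hypothetical names introduced for this example.
"""
import json

# Constructed CloudTrail log file, same shape as a delivered file ("Records").
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2017-02-10T08:01:22Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.05", "eventTime": "2017-02-10T08:05:40Z",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root",
                      "accountId": "123456789012"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventVersion": "1.05", "eventTime": "2017-02-10T09:12:05Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "eu-central-1", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob",
                      "accountId": "123456789012"},
     "requestParameters": {"name": "org-trail"}},
    {"eventVersion": "1.05", "eventTime": "2017-02-10T10:00:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "eu-central-1", "sourceIPAddress": "203.0.113.30",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice",
                      "accountId": "123456789012"}},
]})

# CloudTrail and IAM API action names (real action names).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}
POLICY_CHANGES = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                  "PutRolePolicy", "AttachGroupPolicy", "PutGroupPolicy",
                  "CreatePolicy", "CreatePolicyVersion"}


def is_root(rec):
    return rec.get("userIdentity", {}).get("type") == "Root"


# Each rule is (name, predicate over one record); list order is report order.
RULES = [
    ("root_console_login_without_mfa", lambda r: is_root(r)
        and r["eventName"] == "ConsoleLogin"
        and r.get("additionalEventData", {}).get("MFAUsed") != "Yes"),
    ("root_api_activity", lambda r: is_root(r) and r["eventName"] != "ConsoleLogin"),
    ("iam_policy_change", lambda r: r["eventSource"] == "iam.amazonaws.com"
        and r["eventName"] in POLICY_CHANGES),
    ("trail_tampering", lambda r: r["eventSource"] == "cloudtrail.amazonaws.com"
        and r["eventName"] in TRAIL_TAMPERING),
]


def analyze_trail(trail_json):
    """Return one finding per (record, matching rule), in record order."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        for name, matches in RULES:
            if matches(rec):
                findings.append({
                    "rule": name, "time": rec["eventTime"],
                    "principal": rec["userIdentity"].get("arn"),
                    "event": rec["eventName"], "source_ip": rec.get("sourceIPAddress"),
                })
    return findings


def summarize(findings):
    """Count findings per rule, for a dashboard or alarm threshold."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze_trail(SAMPLE_TRAIL):
        print(f"{f['time']} {f['rule']:32} {f['event']:18} {f['principal']} from {f['source_ip']}")
    print(summarize(analyze_trail(SAMPLE_TRAIL)))
```

The four sample records yield four findings: a root console login without MFA, root being used for day-to-day API work, a policy attachment that grants administrator access, and a StopLogging call against the trail. The routine EC2 DescribeInstances call produces nothing. In the deck's architecture the same predicates would sit in a Lambda function fed by CloudTrail log delivery, with the counts going to CloudWatch alarms; the logic is identical.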
148. Recipe for Success: Service Catalog
Users: Agility, Self-service, Time to market
Administrator: Control, Standardization, Governance
AWS Service Catalog allows organizations to create and manage catalogs of IT services and software on AWS described as AWS CloudFormation templates. It enables users to quickly deploy approved IT services they need in a self-service manner.
Private Catalog for Organizing and Launching Infrastructure & Software Services on AWS
149. Summary
• Confluence of Industry Trends Disruption
• Sky High Customer Expectations
• Innovating Faster
  • Use Higher Level Services
  • Adopt DevOps
  • Automate, automate, automate
• Enterprise controls in cloud era
  • Guardrails for governance, compliance, and risk
  • Use higher level services
162. How much time do you have left for product development?
What share of your time do you need for operations and maintenance?
…
163. What if you could use 30% more of your resources for your customers?
164. Common Priorities
• Time-to-Market         6 months per release
• Inflexible Platform    Months to procure/provision
• Technical Debt         60 – 80% of effort
• Unplanned Work         Outages, bugs, compliance
• Customer Experience    Performance and outages
• Collaboration          Integrating with other business units is technically difficult
High cost & low productivity
166. In practice (brakes on productivity)
CCOE
Technical Debt
Resistance to change
Inhibiting organization & structure
Skills & processes that don’t quite fit
People, Process and Technology
168. New Principles
Think Big, Start Small, Go Fast
1. Act like a start-up (that is funded and has domain expertise)
2. Embrace cloud computing
3. Use the right tool for each requirement
4. Use out-of-box functionality whenever possible
5. Create a microservices architecture
6. Enforce YAGNI (You Aren’t Going to Need It)
7. Cultivate DevOps
8. “You build it, you own it!”
9. With great power comes great responsibility!
10. With great responsibility comes great power!
171. Conway’s Law
organizations which design systems
…
are constrained to produce designs
which are copies of the
communication structure
of these organizations
181. Cloud Center of Excellence
Training
Identity management
Asset management
Reference architectures
Cost and account management
Hybrid architecture
182. How do you get started?
And how do you spread it?
183. Searching for Talent
Companies need cloud expertise now more than ever
[Chart in the original: Indeed job postings that include “AWS”, relative percentage, 2012 to 2016, y-axis 0 to 700]
*Indeed.com job trends, http://www.indeed.com/jobtrends/q-AWS.html
184. Internal Candidates
Ability to learn
Competence in several programming languages
Scripting experience
Experience with operating system administration or DevOps
Passionate engineer
Full-stack developer
Part technician, part tinkerer
Someone others ask for advice
Team player
Ingenium: [creative] talent; inventiveness
A person with special intellectual, creative abilities
185. An Example (2014 - 2015)
Timeline: Aug Sep Oct Nov Dec Jan Feb Mar Apr May Jun Jul Sep Oct Nov
Milestones: Start, Proof of Concept Complete, Go/NoGo, MVP, Soft Launch, MVP Launch, Production Ready
Initial team: 1 Exec Sponsor, 1 Architect, 1 Consultant, 2 Product, 4 Frontend, 5 Backend
Gradual increase of staffing: + 1 Consultant, + 2 Product, + 2 Mobile, + 2 Frontend, + 4 Backend, + 2 Platform
186. A Training Example
[Chart in the original: production applications over time, Jan 2015 to Sept 2016, from 0 to ~100]
1st Training Delivered
1400 students trained
11 months
189. Sample outcome – GE
16MM Ledger Saving; Velocity = 50 apps/qtr.
Outcome categories: Operational Costs | Workforce Productivity | Cost Avoidance | Operational Resilience | Business Agility
• 98% reduction in P1/P0’s
• 77% faster to deliver business applications
• 52% average TCO savings
• 35% reduction in compute assets (792)
• 15 automated bots developed
• 80% cloud first adoption
• 15 cloud services created
• 50 applications decommissioned
• 8 cloud migration parties
• Improved security posture
• Shift to self-service culture
• Rapid experimentation
• Reduced technical debt
• 14M YOY Savings
• Improved Performance
• Streamlined M&A Activity
• DevOps in Practice
Progress as of May 2016: 14.2M Investment; 18 Months Focus; 311 Apps in Cloud & 14M YOY Savings
http://www.slideshare.net/AmazonWebServices/demystifying-cloud-economics-how-to-build-an-investment-case-for-scale-migration-to-the-cloud-business
190. Lessons Learned
Automate, then Automate More: Everything we do is with automation in mind, from deployment to operations. This is the only way to survive at scale.
Security at Every Layer: Fully utilizing the security provided in the public cloud allows us to have confidence in a multi-tenant world.
Embrace Agile: From organization structure to project management, everything we do is with agile principles in mind.
Bias toward action: Everyone has a reason not to move to cloud. Our mission is to find more reasons why we should.
Work Instead of Workflow: Embracing automation has allowed our employees to concentrate on doing work, instead of filling out workflows.
Encourage (calculated) Risks: Celebrate failure. Talk about pivots. Continuously examine new tools. This leads to rapid innovation resulting in progress.
Enablers
Transformation – Rebuild technology skill sets, encourage diversity and embrace “hands-on”
Pipeline – A pipeline of 50+ will ensure consistent velocity
Collaboration - Embed Security & Risk teams, CIO + CTO + Corp partnership
Cloud Aware – Rehosting is OK if it maximizes margin, agility, resilience & performance
191. Ask
• developers for 3 simple things they would like to fix
• the infrastructure team for 3 things that could be automated
• the data group for 3 reports that are hardly read
• the QA team for things that keep repeating
• whether someone would like to lead a Lunch’n Learn or Meetup group
Offer
• opportunities for a hackathon
• training (there are many options)
192. Further Recommendations
Fowler on Microservices
Building Microservices - Sam Newman
DevOps and AWS
The DevOps Handbook
The Phoenix Project
Release It!
Antifragile
Our Enterprise Blog
193. Thank you!
Great is the master’s power when he works with the lever!
@groberstiefel
thoblood@amazon.com