Modern IT Governance Through Transparency and Automation
1. AWS Government, Education, and Nonprofit Symposium
Washington, DC | June 25-26, 2015
Modern IT Governance Through Transparency and Automation
Mark Ryland
Chief Architect, WWPS
markry@amazon.com
2. IT governance: high-level definition
• “The leadership, organizational structures,
and processes to ensure that the
organization's IT sustains and extends the
organization's strategies and objectives.”
– IT Governance Institute
3. Where does governance sit?
• Part of a larger complex of GRC(S): governance,
risk management, compliance, and security
• Compliance (policy) and security (implementation)
are shared responsibilities on AWS
• Risk (management) is a strategic responsibility
• Governance is your responsibility, with help from
AWS tools and capabilities
4. Compliance and security
Certifications and accreditations
for workloads that matter
Security is a shared responsibility
5. Key governance questions
• What do I have?
• How is it performing?
• Who is in control of it?
• Is it secure and compliant?
– Are changes occurring with the right processes
and protections?
• What is it costing me?
6. AWS and governance
• AWS capabilities and services provide key
building blocks to answer these questions
• Better answers than were ever possible with
traditional infrastructure
• Still integration challenges, but leverage
the head start provided by the cloud
7. What do I have?
• Describe* calls provide comprehensive lists of all
resources (for example, aws ec2 describe-instances)
• AWS Config provides integration, time-based
insights
• Partner ecosystem adds more value, richer
capabilities
• (Building a comprehensive, accurate configuration
DB on-premises is practically impossible)
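The first governance question worked in code, as an added example that is not part of the original slides: it flattens the JSON that `aws ec2 describe-instances` returns and reports every instance missing the tags a governance policy requires. The JSON is a constructed sample in EC2's output shape, and the required tag set (Owner, CostCenter, Environment) is an assumed organisational policy.

```python
"""Inventory and tag-compliance check over `aws ec2 describe-instances` output.

Added example, not code from the original slides. The JSON below is a
constructed sample in the shape that `aws ec2 describe-instances --output json`
returns; the required tag set is an assumed organisational policy.
"""
import json

# Assumed governance policy: every instance must carry these tags.
REQUIRED_TAGS = ("Owner", "CostCenter", "Environment")

# Constructed sample output (structure is EC2's; IDs and values are made up).
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"ReservationId": "r-0aaa", "OwnerId": "111111111111", "Instances": [
            {"InstanceId": "i-0aaa111", "InstanceType": "m4.large",
             "State": {"Code": 16, "Name": "running"},
             "Placement": {"AvailabilityZone": "us-east-1a"},
             "Tags": [{"Key": "Name", "Value": "web-1"},
                      {"Key": "Owner", "Value": "mission-a"},
                      {"Key": "CostCenter", "Value": "4711"},
                      {"Key": "Environment", "Value": "prod"}]},
            # Launched by hand with no tags: EC2 omits the Tags key entirely
            # rather than returning an empty list.
            {"InstanceId": "i-0bbb222", "InstanceType": "t2.micro",
             "State": {"Code": 16, "Name": "running"},
             "Placement": {"AvailabilityZone": "us-east-1b"}},
        ]},
        {"ReservationId": "r-0bbb", "OwnerId": "111111111111", "Instances": [
            {"InstanceId": "i-0ccc333", "InstanceType": "c4.xlarge",
             "State": {"Code": 80, "Name": "stopped"},
             "Placement": {"AvailabilityZone": "us-east-1a"},
             "Tags": [{"Key": "Owner", "Value": "mission-b"}]},
        ]},
    ]
})


def flatten_instances(describe_output):
    """Yield one flat record per instance.

    EC2 nests instances inside reservations and returns tags as a list of
    {Key, Value} pairs, neither of which is convenient for reporting.
    """
    for reservation in json.loads(describe_output).get("Reservations", []):
        for inst in reservation.get("Instances", []):
            yield {
                "instance_id": inst["InstanceId"],
                "type": inst["InstanceType"],
                "state": inst["State"]["Name"],
                "az": inst["Placement"]["AvailabilityZone"],
                "tags": {t["Key"]: t["Value"] for t in inst.get("Tags", [])},
            }


def inventory_report(describe_output, required=REQUIRED_TAGS):
    """Return (instances, violations).

    instances:  list of flat records from flatten_instances()
    violations: {instance_id: [missing tag keys]} for non-compliant instances
    """
    instances = list(flatten_instances(describe_output))
    violations = {}
    for inst in instances:
        missing = [key for key in required if key not in inst["tags"]]
        if missing:
            violations[inst["instance_id"]] = missing
    return instances, violations


def count_by_state(instances):
    """Summarise the fleet by lifecycle state, e.g. {'running': 2, 'stopped': 1}."""
    counts = {}
    for inst in instances:
        counts[inst["state"]] = counts.get(inst["state"], 0) + 1
    return counts


if __name__ == "__main__":
    fleet, bad = inventory_report(SAMPLE_DESCRIBE_INSTANCES)
    print("instances by state:", count_by_state(fleet))
    for instance_id, missing in sorted(bad.items()):
        print(f"{instance_id}: missing tags {missing}")
```

describe-instances is regional and paginated, so a real inventory loops over every region returned by `aws ec2 describe-regions` and follows NextToken (the CLI and boto3 paginators do this for you), then applies the same flattening per region. AWS Config adds the time dimension the Describe calls lack: it records what the instance looked like at each change, so the same check can be run against a point in the past.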
8. How is it performing?
• Services emit metrics into CloudWatch
– Accessible through console, CLI, API
• Alerting and alarming on all metric data
– Rich integration with Simple Notification Service
• CloudWatch Logs integrates OS and app log data
• Trusted Advisor (TA) for dashboard and alerts for
under-utilization, availability issues
• Rich integration into third-party monitoring platforms
from AWS partners
9. Who is in control?
• Powerful, fine-grained IAM capabilities
– Authentication and authorization
– Reporting and analysis
• Rich integration to corporate identity systems
through SAML or directly into Active Directory
• Tagging for administration, authorization, billing
• [Demo]
10. Secure and compliant?...
• … Are changes occurring with the right
processes and protections?
• AWS infrastructure: yes
• Customer responsibilities:
– Great tools and building blocks
– Innovation required in the process model
11. Tools and building blocks
• TA displays obvious (possible) issues
• CloudTrail, Config, CloudWatch (Logs),
VPC Flow Logs, S3 logs, ELB logs
• VPC peering (including cross-account)
• CloudFormation for repeatable processes
• Cross-account role-based access
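The question from the previous slide, "are changes occurring with the right processes and protections?", answered from CloudTrail, as an added example that is not part of the original slides. The records are a constructed sample in CloudTrail's log-file shape; the account ID, the role names and the assumption that only one pipeline role is supposed to change infrastructure are hypothetical.

```python
"""Change-control checks over a CloudTrail log file.

Added example, not code from the original slides. The records below are a
constructed sample in CloudTrail's log-file shape ({"Records": [...]}); the
account ID, role names and the idea of a single approved pipeline role are
assumptions about how the mission account is run.
"""
import json

# Assumption: infrastructure changes in this account are only supposed to be
# made by the CI/CD pipeline role. Anything else mutating resources is a
# change outside the agreed process.
APPROVED_CHANGE_ROLES = {"arn:aws:iam::111111111111:role/DeployPipelineRole"}

# Calls that weaken the audit trail itself; these matter whoever makes them.
LOGGING_TAMPER = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("config.amazonaws.com", "StopConfigurationRecorder"),
    ("config.amazonaws.com", "DeleteDeliveryChannel"),
    ("ec2.amazonaws.com", "DeleteFlowLogs"),
}
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Lookup")


def _role_session(role, account, session):
    """Build the userIdentity block CloudTrail writes for an assumed role."""
    return {"type": "AssumedRole",
            "arn": f"arn:aws:sts::{account}:assumed-role/{role}/{session}",
            "accountId": account,
            "sessionContext": {"sessionIssuer": {
                "type": "Role", "arn": f"arn:aws:iam::{account}:role/{role}"}}}


# Constructed sample log: five events in one mission account.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2015-06-25T09:00:00Z", "eventSource": "cloudformation.amazonaws.com",
     "eventName": "CreateStack", "awsRegion": "us-east-1",
     "userIdentity": _role_session("DeployPipelineRole", "111111111111", "build-42")},
    {"eventTime": "2015-06-25T09:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2015-06-25T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:user/bob"}},
    {"eventTime": "2015-06-25T09:15:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "accountId": "111111111111",
                      "arn": "arn:aws:iam::111111111111:root"}},
    {"eventTime": "2015-06-25T09:20:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "GetTrailStatus", "awsRegion": "us-east-1",
     "userIdentity": _role_session("SecurityAuditRole", "111111111111", "central-audit")},
]})


def acting_principal(identity):
    """Resolve the IAM entity behind a record. For an assumed role the
    interesting ARN is the role (sessionIssuer), not the temporary session."""
    if identity.get("type") == "Root":
        return "root"
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["arn"]
    return identity.get("arn", "unknown")


def is_read_only(record):
    """Newer records carry a readOnly flag; older ones need the API-name heuristic."""
    if "readOnly" in record:
        return bool(record["readOnly"])
    return record["eventName"].startswith(READ_ONLY_PREFIXES)


def audit_records(log_text, approved_change_roles=APPROVED_CHANGE_ROLES):
    """Return a list of findings, one per policy breach, in log order."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        who = acting_principal(rec["userIdentity"])
        base = {"time": rec["eventTime"], "event": rec["eventName"], "principal": who}
        if who == "root":
            findings.append(dict(base, reason="root-credentials-used"))
        if (rec["eventSource"], rec["eventName"]) in LOGGING_TAMPER:
            findings.append(dict(base, reason="audit-logging-tampered"))
        elif not is_read_only(rec) and who not in approved_change_roles:
            findings.append(dict(base, reason="change-outside-pipeline"))
    return findings


if __name__ == "__main__":
    for f in audit_records(SAMPLE_CLOUDTRAIL):
        print(f["time"], f["reason"], f["event"], f["principal"])
```

CloudTrail delivers gzipped JSON files of this shape to an S3 bucket every few minutes; each file's `Records` array goes through `audit_records`. Resolving assumed roles to their issuing role is what makes the central team's cross-account audit sessions (the last record) distinguishable from ad-hoc console changes (the third record), and it is why the pipeline's role ARN, not its session name, is the thing to allow-list.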
12. Horizontal shared responsibility
• Mission teams control their own infrastructure
(VPCs, instances, AMIs, DBs, S3 buckets, etc.)
• Central security team has audit and control rights
over core infrastructure along with “shared
security/compliance services”
– Using cross-account role-based access, for example
• Agility benefits of mission-driven “shadow IT,”
governance/security benefits of central IT control
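The cross-account arrangement described above, as an added example that is not part of the original slides: a role in a mission account that only a named role in the central security account may assume, next to the over-broad trust policy that often gets written instead, and a check that tells them apart. Account IDs and role names are assumptions.

```python
"""Cross-account audit role: trust policy and a check for common mistakes.

Added example, not code from the original slides. Account IDs, role names
and the choice to trust one named central role (rather than the whole
central account) are assumptions.
"""
import json

CENTRAL_SECURITY_ACCOUNT = "222222222222"   # assumed: central security team's account
MISSION_ACCOUNT = "111111111111"            # assumed: one mission team's account


def audit_role_trust_policy(central_account, central_role="SecurityAuditTeam"):
    """Trust policy for a role created in a mission account that only a
    named role in the central account may assume."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{central_account}:role/{central_role}"},
            "Action": "sts:AssumeRole",
        }],
    }


# What gets written in a hurry: any AWS principal anywhere may assume the
# audit role, and the statement grants more than AssumeRole.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": ["sts:AssumeRole", "sts:GetFederationToken"]}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """'arn:aws:iam::123:role/x' -> '123'; a bare account ID is returned as-is."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def assess_trust_policy(policy, central_account):
    """Return a list of issue strings; an empty list means the policy passes."""
    issues = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                issues.append(f"unexpected-action:{action}")
        principal = stmt.get("Principal")
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else [principal])
        for p in aws_principals:
            if p is None:
                issues.append("missing-principal")
            elif p == "*":
                issues.append("wildcard-principal")
            elif _account_of(p) != central_account:
                issues.append(f"foreign-account:{_account_of(p)}")
            elif p.endswith(":root") or not p.startswith("arn:"):
                # Trusting the whole account hands the decision of who may
                # audit to the central account's own IAM administrators.
                issues.append("whole-account-trusted")
    return issues


if __name__ == "__main__":
    good = audit_role_trust_policy(CENTRAL_SECURITY_ACCOUNT)
    print(json.dumps(good, indent=2))
    print("hardened:", assess_trust_policy(good, CENTRAL_SECURITY_ACCOUNT))
    print("weak:    ", assess_trust_policy(WEAK_TRUST_POLICY, CENTRAL_SECURITY_ACCOUNT))
    print("audit role ARN:", f"arn:aws:iam::{MISSION_ACCOUNT}:role/CentralSecurityAudit")
```

The trust policy only says who may assume the role; what they may do once inside comes from the permission policy attached to it, and for the audit use case the AWS-managed `arn:aws:iam::aws:policy/SecurityAudit` read-only policy is the usual starting point. The central team's tooling then calls `aws sts assume-role` against the mission account's role ARN, and every such call shows up in that mission account's CloudTrail.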
13. Shared security services
• Central team can manage for all
– Account creation/provisioning/setup
– Identity management, federation endpoint(s)
– Core networking and security IAM policies
– CloudTrail, Config, security log management
– Golden OS images (AMIs), associated IAM limits
– Incident response/forensics services
– Cost alarm/review/auditing services
14. Example: Shared services VPC
15. Automate, automate, automate
• Programmable infrastructure changes
everything!
• CloudFormation, APIs for everything at the
infrastructure level
• For apps, Elastic Beanstalk, OpsWorks,
CodeDeploy, CodePipeline
16. Programmable infrastructure
• Manage everything (including security and
compliance) through a software development
lifecycle (SDL) driven from a source code repository
• Security and compliance baked in to your
continuous integration/continuous
deployment pipeline
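What "baked in to your CI/CD pipeline" looks like in practice, as an added example that is not part of the original slides or of any AWS tool: a gate that reads a CloudFormation template before `create-stack` runs and rejects the patterns a central security team most often wants kept out. The two templates are constructed samples in the JSON form CloudFormation accepts, and the rule set (internet-exposed ports other than 80/443, IAM statements allowing `*` on `*`, public bucket ACLs) is an assumed policy.

```python
"""Pre-deployment governance gate for CloudFormation templates.

Added example, not code from the original slides or an AWS tool. It reads a
template in the JSON form CloudFormation accepts (the templates below are
constructed samples) and reports the patterns a central security team
typically refuses to deploy. The rule set is an assumption.
"""
import copy

# Ports that may be opened to the whole internet without a finding (assumed).
PUBLIC_PORTS_ALLOWED = {80, 443}

# Constructed sample: a web tier, an instance role and an upload bucket.
WEAK_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "web tier",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            ]}},
        "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]},
            "Policies": [{"PolicyName": "everything", "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}},
        "Uploads": {"Type": "AWS::S3::Bucket",
                    "Properties": {"AccessControl": "PublicReadWrite"}},
    },
}


def hardened(template):
    """The same stack with each finding corrected, for comparison."""
    t = copy.deepcopy(template)
    res = t["Resources"]
    # SSH only from the corporate range (10.0.0.0/8 is an assumed value).
    res["WebSg"]["Properties"]["SecurityGroupIngress"][1]["CidrIp"] = "10.0.0.0/8"
    res["AppRole"]["Properties"]["Policies"][0]["PolicyDocument"]["Statement"] = [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-uploads/*"}]
    res["Uploads"]["Properties"]["AccessControl"] = "Private"
    return t


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _check_security_group(name, props, findings):
    for rule in props.get("SecurityGroupIngress", []):
        if rule.get("CidrIp") != "0.0.0.0/0":
            continue
        try:
            lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
        except (TypeError, ValueError):
            # Ref/Fn:: intrinsics cannot be judged statically; make a human look.
            findings.append(f"{name}: port range is not a literal, review by hand")
            continue
        ports = set(range(lo, hi + 1)) if lo >= 0 else {-1}
        if str(rule.get("IpProtocol")) == "-1" or not ports <= PUBLIC_PORTS_ALLOWED:
            findings.append(f"{name}: {rule.get('IpProtocol')} {lo}-{hi} open to 0.0.0.0/0")


def _check_policy_documents(name, props, findings):
    docs = [p["PolicyDocument"] for p in props.get("Policies", [])]
    if "PolicyDocument" in props:          # AWS::IAM::Policy / ManagedPolicy
        docs.append(props["PolicyDocument"])
    for doc in docs:
        for stmt in doc.get("Statement", []):
            if (stmt.get("Effect") == "Allow"
                    and "*" in _as_list(stmt.get("Action", []))
                    and "*" in _as_list(stmt.get("Resource", []))):
                findings.append(f"{name}: IAM statement allows * on *")


def _check_bucket(name, props, findings):
    if props.get("AccessControl", "Private").startswith("Public"):
        findings.append(f"{name}: S3 bucket ACL {props['AccessControl']}")


CHECKS = {
    "AWS::EC2::SecurityGroup": _check_security_group,
    "AWS::IAM::Role": _check_policy_documents,
    "AWS::IAM::Policy": _check_policy_documents,
    "AWS::IAM::ManagedPolicy": _check_policy_documents,
    "AWS::S3::Bucket": _check_bucket,
}


def lint_template(template):
    """Return a list of finding strings; a non-empty list should fail the build."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            check(name, resource.get("Properties", {}), findings)
    return findings


if __name__ == "__main__":
    print("weak:    ", lint_template(WEAK_TEMPLATE))
    print("hardened:", lint_template(hardened(WEAK_TEMPLATE)))
```

Run as a pipeline stage, a non-empty result from `lint_template` fails the build before anything reaches the account, which is the point of the slide: the control lives in the repository and the pipeline, not in a ticket queue. The same checks, applied to AWS Config's view of the live account, catch the case where someone bypassed the pipeline.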
17. Cost transparency and control
• Everything billed by the hour, gigabyte
• Bills updated 4x per day
• Programmatic access to all billing data with
user-generated resource tags
• CloudWatch tools/alarms for billing data
• AWS Marketplace helps with software
license management challenges
18. It’s happening!
• Not a pipe dream, but a reality at agencies
like USCIS and DHS
– Michael Schwartz, CIO:
https://youtu.be/QwHVlJtqhaI
• DevOps and CI/CD on the AWS cloud
providing dev/ops CI/CD agility with
baked-in governance benefits
19. AWS cloud can help
• Today: Trusted Advisor and
other key building blocks
• Soon: Automation-based
security and compliance with
AWS “Trusted Architect” –
documentation and workshops
coming soon
20. Thank You.
This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices
Speaker notes
Programmable infrastructure allows IT governance to advance from a fully manual people/process mode to an increasingly automated and software-driven mode. In this session, we will examine how the AWS cloud enables advances and best practices in governance and compliance based on APIs and automation.
If you look at the amount of certifications that AWS has achieved and secured for its customers over the last several years, influenced by what they told us matters most, it’s been a real enabler for enterprises to move.
We have SOC 1, SOC 2 and SOC 3, and ISO 27001. Customers can be PCI and HIPAA compliant on AWS and we have a number of public sector certifications like FISMA, ITAR, FedRAMP and have been successfully evaluated at the Moderate level for Federal government systems as well as DIACAP Level 2 for DoD systems.
We also recently launched our latest certification ISO 9001 which is primarily for healthcare, life sciences, medical devices, automotive and aerospace.