Cloud users typically feel that security, compliance, and finance teams throttle speed and innovation. However, the concerns of security misconfigurations and cloud budget overruns are real threats to the enterprise as adoption scales. Organizations struggle with finding the right balance to empower these teams while giving end-users the autonomy required. The governance at scale framework provides visibility, control, autonomy, and confidence to move enterprises to the cloud. It was built on a decade of lessons learned from the largest customers, including AWS itself. This session shares stories of customer successes using this framework and the impacts to their cloud journeys.

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Unify security, compliance, and finance
teams with governance at scale
Doug Vanderpool
Principal Consultant
AWS Enterprise Advisory
Team
G R C 2 0 4
Brett Miller
Technical Program
Manager
AWS Governance@Scale
Brian Price
CEO
cloudtamer.io

2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Introduction
Tackling anti-patterns
Governance at scale 101
Automating governance at scale
Success stories

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
4
There’s more to cloud
transformation than this…

5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
5
Legacy IT
Buy
Centralized management that is
divorced from business
On-prem security
Request -> Order -> Installation
Minimal releases
Pay as you go
Decentralized management that is aligned with
business and business owners
Cloud security (where a single person
can have major impact)
Self-service with assurance
Frequent code deployments for
agility and innovation
Modern Cloud@Scale

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
6
Legacy Culture
“Mother may I?”
Limited visibility
Centralized management
Prolonged procurement
Infrequent change
Autonomy
Stewardship
Delegation
Instantaneous IT resources
Constant change
Cloud Culture

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
7
Successful cloud
transformation
looks like this…

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Report: The cloud transformation journey: Great expectations lead to a brave new world
Source: 451 Research, LLC

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
1
Cloud Sprawl and Cloud ConcernsExperimentationand POCs
2
The journey to cloud adoption
“Lift and Shift” and Limited Success
3

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
The typical AWS adoption reality
Amazon
S3
Project 1 AWS Account
Amazon
EC2
Project 2 AWS Account
Amazon
S3
Amazon
EC2
Amazon
RDS
Stage 1
Specific Systems
Limited Accounts
Minimal Services
Stage 2
Numerous Systems
Multiple Accounts
Many Services
Amazon
S3
Project 1 AWS Account
Amazon
EC2
Amazon
VPC
Amazon
S3
Project 2 AWS Account
Amazon
EC2
Amazon
VPC
Amazon
EMR
Amazon
Kinesis
Amazon
Redshift
Project 3 AWS Account
Amazon
S3
Project 4 AWS
Account
Amazon
EC2
Project 5 AWS
Account
Amazon API
Gateway
Amazon
SQS
Amazon
WorkSpaces
Amazon ECS
AWS Elastic Beanstalk
Amazon
S3
Amazon
EC2
Amazon
EMR

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Limited accounts vs. governance at scale
• This is a one-way door
• AI/ML, blockchain, “the next big
thing”
• Agility
• Enable your teams by removing
barriers
• Drive ownership and accountability

13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Guardians at the gate
If one person or team is a “gate,”
you will struggle to scale.
Photo by Paolo Nicolello on Unsplash
AWS Cloud Anti-Pattern Blog Post: https://tinyurl.com/y2pjlk99

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Trade-offs in developer controls and developer agility
• Prescribes limited access to the AWS
platform based on catalog templates, via
middleware, or via centralized control
• Suitable for meeting common
requirements of less-technical internal
users
• Traditionally doesn’t allow developers to
access cloud APIs
• Relies too much on humans and manual
processes
Controlled environment
• Complete power of the AWS platform; every
“approved” feature available immediately
• Native access to the AWS Console, CLI, API
• Enables powerful DevOps CI/CD pipelines
• Requires a comprehensive foundation for managing
access, security, collaboration
• Requires the building or buying of a solution that can
manage access, budget, compliance
of many AWS accounts
Minimally encumbered environment

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Avoiding departments of “No”
• Find a way to yes
• Build consensus, not silos Business Unit
Autonomy
Integration
Multi-Account
Strategy

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Signs you may need governance
• Your cloud management team – or your security team – is viewed as the
“Department of No.”
• You can’t hire enough people to effectively manage your cloud presence and
keep up with the demand from your users.
• Requests for accounts or account access seem to go into a black hole.
• Your dev and test environments are required to be set up to meet the same
approvals as your production environment.

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS governance at scale framework
• Provides customers with the
blueprint for enterprise cloud
success
• We drink our own champagne:
these best practices were first
adopted by AWS to manage
thousands of cloud accounts
AWS Governance at Scale: https://tinyurl.com/yxwhfqd2

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Three principlesof governance at scale
Account management
• Align AWS accounts with the organization through a common interface. Standardize and
streamline provisioning, maintenance, and access control policies for many AWS accounts and
workloads
Cost enforcement
• Ensure AWS accounts and workloads do not exceed budget
Compliance automation
• Accelerate security authorizations, provide continuous monitoring and configuration
management, and enforce security controls

20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
People
Process
Technology
Delegation
Decentralized
Autonomy
Stewardship
AWS
Automated governance solution

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
• Enforces fiscal and compliance policies
with more than notifications
• Provides native access to cloud
capabilities—it’s not a cloud broker
• Easy access for technical staff to
create the resources they need
• Easy for senior leadership to enact
financial and compliance oversight as
adoption scales
cloudtamer.io enables organizations to manage their
cloud presence at scale

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud@Scale: Account management
Company X
Dept. A
Project 1
Project 2
Project 3
Dept. B
Project 4
Project 5
Dept. C
Project 6
• Centralized management of all cloud accounts
• Federated single sign-on and 2-factor authentication (MFA)
• Automated, self-service account creation with native Console,
CLI, and API access
Account Management

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud@Scale: Budget enforcement
Company X
Dept. A
Project 1
Project 2
Project 3
Dept. B
Project 4
Project 5
Dept. C
Project 6
• Centralized management of all cloud accounts
• Federated single sign-on and 2-factor authentication (MFA)
• Automated, self-service account creation with native Console,
CLI, and API access
Account Management
BudgetEnforcement
• Hierarchical budget alignment to projects and organizational units
with real-time spend tracking
• Configurable enforcement actions to alert, freeze spending, and
terminate cloud resources

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud@Scale: Compliance automation
• Inheritable rules to enforce and share policies, configurations and
approved resources
• Cloud rule and policy exemption workflows to simplify change
management
• Integration with GRC tools to validate account configuration and
accelerate accreditation
Company X
Dept. A
Project 1
Project 2
Project 3
Dept. B
Project 4
Project 5
Dept. C
Project 6
ComplianceAutomation
• Centralized management of all cloud accounts
• Federated single sign-on and 2-factor authentication (MFA)
• Automated, self-service account creation with native Console, CLI,
and API access
Account Management
BudgetEnforcement
• Hierarchical budget alignment to projects and organizational units
with real-time spend tracking
• Configurable enforcement actions to alert, freeze spending, and
terminate cloud resources

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Visit cloudtamer.io in
booth 234.

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Global leader in
entertainment
Pain comes with scale.
Pain brings willingness to change.
Integration is hard work.
Speed and ease of implementation is
key.
Governance at scale is a clear path.
Photo: peter-lewicki-411606 on Unsplash

29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Results: Integration and automation
• An integrated governance at scale, AWS security epics, and AWS Landing Zone
solution
• Manual integrations with Apptio, ServiceNow, and Terraform
• Automated AWS account creation and guardrails

30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Governance for massive
data and cost control
Source: NASA
NASA is responsible for a
large and growing earth
science data collection.
Concerns around cost control
endangered the cloud
program.

31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Goals for the multi-account cloud platform
● Maximize autonomy: a platform, not a gate
● Maximize flexibility: freedom to achieve mission
● Deliver shared services and controls: reduce duplication, complexity, cost

32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Controlling user access
• User authentication
• Grant uniform access and experience to end users
from multiple identity management systems
(NAMS (SAML) / internal directory / active
directory)
• Enforce and validate minimum authentication
levels via two-factor authentication
• Ensure that users only have access commensurate
to the authentication type with cloudtamer.io
• User authorization
• Control who views finances, who accesses AWS
resources, and who manages finance
• cloudtamer.io manages AWS IAM roles and
policies at an organization level

33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Spend insight and enforcement
• Enforces individual AWS account-level
budget through “budget caps”
• Provides account alert spend monitoring
and budget control actions
• Allows for flexible access levels:
• Top-level view for management &
business teams
• Account view for admins & developers
as needed

34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Results: Massive data with cost control
80 TBs/day
generation
400 TBs/day
reprocessing
300 GB
granules
150 PBs @ 50 Gbps
processing speed for months
NASA Earthdata Cloud (EDC) – http://earthdata.nasa.gov

35. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Governance for
enterprise software
development
Developers needed fast,
unhindered, access to computing
resources, modern development
tools, and streamlined services to
develop applications.
With thousands of developers
accessing this environment, what
could possibly go wrong?
Photo: hack-capital-568971 on Unsplash

36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Developers build at their leisure; leaders get visibility
• Native access to AWS in a secure
manner with access to only allowed
services
• Self-service access to create the
resources needed for projects –
provided those resources are within
budget and compliance standards
• Integrated security and compliance
services
• Budget and compliance oversight for
senior leadership to gain better
insight on usage

37. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Results
• Scalability: The ability to scale to 40K+ users with computing availability to
meet unique mission needs
• Speed: Reduction of time to get cloud accounts and resources allowing quicker
innovation
• Security: Automatic monitoring and detection of anomalous security events to
better protect against threats to the enterprise
• Compliance: Prevention against users intentionally or unintentionally violating
financial or security policies (i.e., FedRAMP, Antideficiency Act) ensuring cost-
effective, secure solutions are built

38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Recommendations
✓ Implement a scalable, hierarchical, automated governance solution.
✓ Balance boundaries and guidelines with user capability and speed.
✓ Start with a Minimum Lovable Product (MLP).
✓ Buy, build, or partner, but set timeframes.
✓ Define your success criteria and continually measure and report.

39. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Next steps

40. Thank you!
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Doug Vanderpool
Principal Consultant
AWS Enterprise Advisory Team
dougvan@amazon.com
Brett Miller
Technical Program Manager
AWS Governance@Scale
brettmi@amazon.com
Brian Price
CEO
cloudtamer.io
bprice@cloudtamer.io