Explore the business case and technology for deploying a CMS in the cloud, using Magnolia CMS on AWS as our case study. Discover how Amazon Web Services infrastructure can save costs and improve the visitor experience. Learn how to optimize the AWS environment for your business and how to make this CMS work seamlessly with AWS through integration.
We will also cover technical areas such as deployment automation, auto-healing and auto-scaling of Magnolia on AWS for high-availability, high-traffic infrastructure. While focused on Magnolia, many lessons can be applied to other enterprise-level CMS deployments.
Access a deep set of cloud security tools

Networking
- Virtual Private Cloud: isolated cloud resources
- Web Application Firewall: filter malicious web traffic
- Shield: DDoS protection
- Certificate Manager: provision, manage, and deploy SSL/TLS certificates

Encryption
- Key Management Service: manage creation and control of encryption keys
- CloudHSM: hardware-based key storage
- Server-Side Encryption: flexible data encryption options

Identity & Management
- IAM: manage user access and encryption keys
- SAML Federation: SAML 2.0 support to allow on-prem identity integration
- Directory Service: host and manage Microsoft Active Directory
- Organizations: manage settings for multiple accounts

Compliance
- Service Catalog: create and use standardized products
- Config: track resource inventory and changes
- CloudTrail: track user activity and API usage
- CloudWatch: monitor resources and applications
- Inspector: analyze application security
- Macie: discover, classify and protect data
Responding to these changes requires a new model of engagement. Many companies are looking at the cloud as a way to double down on investments that support the core mission of the company and differentiate it from competitors. As a result, they are looking at new ways to innovate that allow for more experimentation and more customer engagement. And they are doing it in a way that meaningfully reduces their security and compliance risks.
Unless you’re in the hosting business, it’s unlikely that maintaining physical infrastructure was a core reason for incorporation. It’s what you do with the infrastructure that sets the company apart.
The cloud allows you to get rid of the undifferentiated heavy lifting that comes along with data center management. First, it breaks the cycle of large, risky capital purchases that tend to make people risk averse, and trades it for greater flexibility via operating expense. Second, it eliminates the risk and cost of capacity planning by allowing the business to acquire exactly the capacity needed at any given time and pay only for the time it was in use. Third, it simplifies the complex management tasks inherent in keeping a data center filled with heterogeneous technology running smoothly. And last, global operations become a relatively simple matter of replication; the headaches involved in establishing and running data centers in local markets are eliminated.
------
GE OIL & GAS: GE Oil & Gas is migrating 500 applications to the cloud by the end of 2016 as part of a major digital transformation, helping it attain a 52 percent reduction in TCO. GE Oil & Gas is a business unit of global conglomerate General Electric, with energy-related operations around the world. The company's cloud migration project entailed reexamining—and in many cases, eliminating—legacy processes, resulting not only in lower IT costs but also in greater speed to market and more agility to compete even better in an industry experiencing immense market challenges. GE Oil & Gas is using the AWS Import/Export Snowball appliance to transfer more than 750 terabytes of data from pipeline inspection machinery to AWS, as well as AWS services such as Amazon Aurora, Amazon CloudWatch, AWS Elastic Beanstalk, and AWS Trusted Advisor. [https://aws.amazon.com/solutions/case-studies/ge-oil-gas/]
No other cloud platform has anywhere near the level of technical capabilities or experience that AWS has in helping enterprises setup a hybrid architecture.
Dow Jones example - chat application, engineers looked it over, VPC subnets, new IP addresses, automation to move, and done in 45 minutes. Big aha moment that gave us the confidence to scale our environment...
A lot of executives ask me how long they'll be running a hybrid environment. I believe that any organization that has been running its own IT environment for any substantial period of time will have a hybrid architecture as part of their journey, and we'd probably count the time in years, but it's hard for me to imagine a future 10 years from now where an organization of any size will be running their own data centers. I think that AWS' pace of innovation and how much easier we're making it to migrate, which I'll touch on shortly, is only accelerating this transformation.
AWS serves hundreds of thousands of customers in more than 190 countries.
Amazon CloudFront and Amazon Route 53 services are offered at AWS Edge Locations
The AWS Cloud operates 52 Availability Zones within 18 geographic Regions around the world, with announced plans for 12 more Availability Zones and four more Regions in Bahrain, Hong Kong SAR, Sweden, and a second AWS GovCloud Region in the US coming online between now and early 2019. The global network of AWS Edge locations now consists of 113 Points of Presence (102 edge locations and 11 regional edge caches) in 56 cities across 24 countries, including locations in the United States, Canada, Europe, Asia, Australia and South America.
While every organization will have its own unique constraints and opportunities guiding its journey, the pattern we've seen in mass migrations tends to be:

1. Our account teams and partners work with customers to get them some foundational experience and develop a business case for a migration.
2. Next we work with customers to deploy discovery tools that help them understand their IT portfolio and the dependencies between applications, and begin to consider what types of migration strategies they'll employ to meet their business case objectives.
3. In the third and fourth phases, which I sometimes call the "migration factory", the focus moves from the portfolio level to the individual application level, and we work with customers to design, migrate, and validate each application.
4. Finally, each application lands in a modern operating model.
5. As each customer gains experience migrating, they often expand the scope of their migration with additional waves, and we iterate on the process in a closed feedback loop. With each iteration or wave the business case, the discovery and planning capabilities, and the migration capabilities constantly improve. This flywheel effect can help put companies in a position to stay much closer to a modern enterprise architecture over time.
I’ll spend the next several minutes diving into each phase of this process to give you a better idea for what we’re seeing in each phase.
For a long time, most organizations have had to make a choice between moving fast or maintaining a high degree of security. It’s a difficult choice, and inevitably security trumps all.
But, one of the fundamental benefits of the cloud is that you’re able to do both, because the security of the infrastructure is handled by the AWS global security team. This frees your resources up to focus completely on the security of your applications.
Infrastructure security can be one of the most complex elements of your operation, because the high degree of interconnected systems across a wide range of hardware vendors makes it difficult to have good visibility into what’s going on and what new threats may have been recently identified in the wild.
But, with AWS, we operate together under a Shared Responsibility Model that makes us responsible from the hypervisor down, and you for the operating system up, which puts our respective attention on what we know best.
The AWS infrastructure is custom-built for the cloud, with all elements designed to intercommunicate well and present the smallest attack surface possible. In addition, the physical security controls present in our data centers have been designed to be the most stringent in the world. This pursuit has led to AWS being trusted by governments, military organizations, global banks, healthcare institutions, and other high-sensitivity organizations.
Finally, our security team is monitoring the infrastructure all-day, every-day, and is well-connected with all major security watchdog groups and vendors to ensure that potential threats are identified immediately. And, they are doing this at massive scale, which is something that sets the AWS security organization apart. By looking across more than 1 million active accounts each month running virtually every conceivable type of workload, we can see issues that may only occur once in a billion operations multiple times a day. When we remediate the issue, we do so for the entire platform. That kind of visibility and response simply isn’t achievable for the vast majority of organizations.
-----
CAPITAL ONE: Capital One is using AWS to reduce its data centers from eight to three by 2018. Capital One is one of the nation’s largest banks and offers credit cards, checking and savings accounts, auto loans, rewards, and online banking services for consumers and businesses. The bank is using or experimenting with nearly every AWS service to develop, test, build, and run its most critical workloads, including its new flagship mobile-banking application. Rob Alexander, Capital One's chief information officer, says, "The financial service industry attracts some of the worst cyber criminals. We work closely with AWS to develop a security model, which we believe enables us to operate more securely in the public cloud than we can in our own data centers." Capital One selected AWS for its security model and for the ability to provision infrastructure on the fly, the elasticity to handle purchasing demands at peak times, its high availability, and its pace of innovation. [http://aws.amazon.com/solutions/case-studies/capital-one/]
These security tools are incredibly powerful.
Of note, we have Virtual Private Cloud: the ability to logically isolate your resources in a virtual network that you define.
The Key Management Service: the ability to encrypt your data in the cloud and, if you choose, to bring your own encryption key material.
CloudTrail: a service that records the API calls made in your account and delivers log files to you, enabling detailed compliance auditing.
And new services like Macie: a machine learning-powered security service to discover, classify, and protect sensitive data.
[COVER THIS ONE] Amazon VPC: Amazon Virtual Private Cloud lets you provision a logically isolated section of the AWS Cloud where you can launch resources in a virtual network that you define.
[COVER THIS ONE] AWS KMS: AWS Key Management Service is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS KMS is integrated with several other AWS services to help you protect the data you store with these services and is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
[COVER THIS ONE] AWS CloudTrail: AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
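The KMS and CloudTrail descriptions above both come down to one practical point: every use of a key, and every management call, lands in CloudTrail as a JSON record that you can audit. The following is an added example (not from the original deck or from AWS) showing what that audit looks like offline: it parses a CloudTrail log file, summarises which principal used which KMS key for which API, lists calls that IAM or KMS rejected, and flags calls that tamper with the trail itself. The records are constructed for this example; the account ID, user names and key ID are placeholders, and the only format assumption is the standard CloudTrail layout in which KMS events carry the key ARN in their "resources" list.

```python
"""Offline audit of CloudTrail records for KMS key usage and trail tampering.

Added example, not part of the original deck. The sample log below is
constructed; principals, account ID and key ID are placeholders.
"""
import json
from collections import Counter

ACCOUNT = "111122223333"
KEY_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
APP_USER = f"arn:aws:iam::{ACCOUNT}:user/magnolia-app"
CONTRACTOR = f"arn:aws:iam::{ACCOUNT}:user/contractor"
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/admin"

# API calls that weaken or disable the audit trail and deserve an alert.
TRAIL_TAMPERING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _kms_record(event_id, arn, event_name, error=None):
    """Build one constructed KMS record in CloudTrail's layout."""
    rec = {
        "eventVersion": "1.05",
        "userIdentity": {"type": "IAMUser", "arn": arn, "accountId": ACCOUNT},
        "eventTime": "2018-03-01T10:00:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": event_name,
        "awsRegion": "eu-west-1",
        "sourceIPAddress": "10.0.1.25",
        "resources": [{"ARN": KEY_ARN, "accountId": ACCOUNT, "type": "AWS::KMS::Key"}],
        "eventID": event_id,
    }
    if error:
        rec["errorCode"] = error
    return rec


# Constructed sample log file: two successful key uses by the application,
# one denied use by a contractor, and an administrator stopping the trail.
SAMPLE_LOG = json.dumps({"Records": [
    _kms_record("e1", APP_USER, "Decrypt"),
    _kms_record("e2", APP_USER, "GenerateDataKey"),
    _kms_record("e3", CONTRACTOR, "Decrypt", error="AccessDenied"),
    {
        "eventVersion": "1.05",
        "userIdentity": {"type": "IAMUser", "arn": ADMIN, "accountId": ACCOUNT},
        "eventTime": "2018-03-01T10:05:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "awsRegion": "eu-west-1",
        "sourceIPAddress": "203.0.113.7",
        "requestParameters": {"name": "main-trail"},
        "eventID": "e4",
    },
]})


def load_records(log_text):
    """CloudTrail delivers each log file as a JSON object with a Records array."""
    return json.loads(log_text)["Records"]


def principal_of(record):
    """Best available identifier for the caller."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("principalId") or ident.get("type", "unknown")


def kms_key_usage(records):
    """Count successful KMS calls per (key ARN, principal, API name)."""
    usage = Counter()
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com" or "errorCode" in rec:
            continue
        for res in rec.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                usage[(res["ARN"], principal_of(rec), rec["eventName"])] += 1
    return usage


def access_denied(records):
    """(principal, service, API) for every call IAM or the service rejected."""
    return [(principal_of(r), r["eventSource"], r["eventName"])
            for r in records if r.get("errorCode") == "AccessDenied"]


def trail_tampering(records):
    """Event IDs of calls that stop, delete or reconfigure a trail."""
    return [r["eventID"] for r in records
            if r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in TRAIL_TAMPERING_EVENTS]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    for (key, who, api), n in sorted(kms_key_usage(recs).items()):
        print(f"{n} x {api} on {key} by {who}")
    print("denied:", access_denied(recs))
    print("trail tampering:", trail_tampering(recs))
```

In a real deployment the same three functions run over the gzipped files CloudTrail writes to S3 (or over a CloudWatch Logs subscription); the denied-call list is the quickest way to see a principal probing a key it should not reach, and the tampering list is worth an immediate alert because a stopped trail blinds every other check on this page.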
"Display Cabinet"
You've just had a bunch of info on this from previous presenters
What I'm here to cover is not only how we get to these - you'll have heard about that already - but how you get to map technologies from these standards - and others - so you can work toward security and compliance of your environments on top of what we do
AWS operates a shared responsibility model.
When I was at Capital One we partnered closely with AWS on our security model, working backwards from our security objectives and letting AWS look after security of the cloud. This allowed us to really focus on security "in" the cloud, using the comprehensive tools that AWS provides for you to do this in a straightforward way.
New ASG feature – https://aws.amazon.com/blogs/aws/aws-auto-scaling-unified-scaling-for-your-cloud-applications/
Thanks – one more thing Abhay. Can you also add types of auto-scaling and/or talk about that at a high level. Basically Manual Scaling, Dynamic Scaling and Scheduled Scaling. With Magnolia, since Dynamic Scaling presents a challenge, having more controlled manual scaling by modifying the desired capacity programmatically/via console or scheduled scaling actions for predictable traffic patterns would be relevant patterns?
A publication freeze is necessary during this process or published content may get out of sync
Be careful if bringing up multiple public instances simultaneously as this can overload the author server
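The two caveats above (freeze publishing while scaling, and never start several public instances at once) are exactly what makes plain dynamic scaling awkward for Magnolia: a policy that jumps desired capacity from two to six launches four publics in parallel, all pulling content from one author. The following is an added example (not from the original deck, from Magnolia or from AWS) of the controlled alternatives the note to Abhay describes: manual scaling done one instance at a time inside a publication freeze, and a scheduled action for a predictable weekday pattern. It assumes an Auto Scaling client exposing the boto3 method names set_desired_capacity, describe_auto_scaling_groups and put_scheduled_update_group_action (a real boto3.client("autoscaling") fits; FakeAutoScaling is a constructed in-memory stand-in so the example runs offline), and hypothetical freeze/unfreeze callables that stop and resume publishing on the author.

```python
"""One-at-a-time scale-out of a Magnolia public-instance Auto Scaling group.

Added example, not from the original deck or from Magnolia. `asg` is any
object with the boto3 Auto Scaling method names used below; FakeAutoScaling
is a constructed stand-in for running offline. `freeze`/`unfreeze` are
hypothetical hooks that pause and resume publishing on the author instance.
"""
import time


def in_service_count(asg, group_name):
    """Number of instances the group currently reports as InService."""
    resp = asg.describe_auto_scaling_groups(AutoScalingGroupNames=[group_name])
    instances = resp["AutoScalingGroups"][0]["Instances"]
    return sum(1 for i in instances if i["LifecycleState"] == "InService")


def wait_for_capacity(asg, group_name, expected, poll=15, timeout=900, sleep=time.sleep):
    """Block until `expected` instances are InService or the timeout expires."""
    waited = 0
    while in_service_count(asg, group_name) < expected:
        if waited >= timeout:
            raise TimeoutError(f"{group_name}: fewer than {expected} instances in service")
        sleep(poll)
        waited += poll


def scale_out_one_at_a_time(asg, group_name, target, freeze, unfreeze, sleep=time.sleep):
    """Raise desired capacity to `target` in +1 steps under a publication freeze.

    Each new public syncs content from the author on start-up, so the group is
    grown one instance at a time (never several in parallel) and publishing is
    frozen for the whole operation so publics do not drift out of sync.
    Returns the desired-capacity values that were applied, in order.
    """
    group = asg.describe_auto_scaling_groups(AutoScalingGroupNames=[group_name])["AutoScalingGroups"][0]
    if target > group["MaxSize"]:
        raise ValueError(f"target {target} exceeds MaxSize {group['MaxSize']}")
    applied = []
    freeze()
    try:
        for desired in range(in_service_count(asg, group_name) + 1, target + 1):
            asg.set_desired_capacity(AutoScalingGroupName=group_name,
                                     DesiredCapacity=desired, HonorCooldown=False)
            wait_for_capacity(asg, group_name, desired, sleep=sleep)
            applied.append(desired)
    finally:
        unfreeze()  # always resume publishing, even if a step timed out
    return applied


def schedule_business_hours(asg, group_name, day_capacity, night_capacity, max_size):
    """Scheduled scaling for a predictable weekday pattern (cron fields are UTC)."""
    names = ["magnolia-public-scale-up", "magnolia-public-scale-down"]
    for name, cron, size in ((names[0], "0 7 * * 1-5", day_capacity),
                             (names[1], "0 20 * * 1-5", night_capacity)):
        asg.put_scheduled_update_group_action(
            AutoScalingGroupName=group_name, ScheduledActionName=name, Recurrence=cron,
            MinSize=size, MaxSize=max_size, DesiredCapacity=size)
    return names


class FakeAutoScaling:
    """Constructed in-memory stand-in for the three client methods used above.

    A requested instance becomes InService on the next describe call, and
    max_parallel_launches records the largest batch ever launched at once,
    which the one-at-a-time policy is meant to keep at 1."""

    def __init__(self, group_name, in_service, max_size):
        self.group_name, self.max_size = group_name, max_size
        self.instances = [{"LifecycleState": "InService"} for _ in range(in_service)]
        self.max_parallel_launches = 0
        self.scheduled = {}

    def describe_auto_scaling_groups(self, AutoScalingGroupNames):
        for inst in self.instances:
            inst["LifecycleState"] = "InService"  # pending instances finish booting
        return {"AutoScalingGroups": [{"AutoScalingGroupName": self.group_name,
                                       "MaxSize": self.max_size,
                                       "Instances": list(self.instances)}]}

    def set_desired_capacity(self, AutoScalingGroupName, DesiredCapacity, HonorCooldown=True):
        launches = DesiredCapacity - len(self.instances)
        self.max_parallel_launches = max(self.max_parallel_launches, launches)
        self.instances += [{"LifecycleState": "Pending"} for _ in range(launches)]

    def put_scheduled_update_group_action(self, **kwargs):
        self.scheduled[kwargs["ScheduledActionName"]] = kwargs


def demo():
    """Grow a two-instance public group to four; returns (steps, hook calls, max batch)."""
    events = []
    fake = FakeAutoScaling("magnolia-public", in_service=2, max_size=6)
    applied = scale_out_one_at_a_time(fake, "magnolia-public", target=4,
                                      freeze=lambda: events.append("freeze"),
                                      unfreeze=lambda: events.append("unfreeze"),
                                      sleep=lambda _s: None)
    return applied, events, fake.max_parallel_launches


if __name__ == "__main__":
    print(demo())
```

Swap FakeAutoScaling for boto3.client("autoscaling") and the same scale_out_one_at_a_time call runs against a real group; the freeze hook is where a Magnolia-specific step (disabling the author's publishing, or holding the editors' workflow) belongs, and the scheduled actions cover the predictable part of the traffic so that manual intervention is only needed for the unplanned peaks.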
Quick and dirty solution for people with low AWS skills
Consider removing