© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Julien Lepine ([email protected]) Chris Gerpheide ([email protected])
Pranesh Ramalingam ([email protected]) Sep 21st 2016
Amazon Work Suite Managed Enterprise Applications in the Cloud
What Customers Are Telling Us
What’s not working?
Personal Computers
§ Manage inventory
§ Secure endpoints
§ BYOD is complicated
§ Data must be backed up
§ Expensive to scale
On-Premises VDI
§ Upfront investment
§ Weeks to deploy
§ Requires management
§ Servers must be secured
§ Expensive to scale
Embrace personal devices
Support contract workers
Access for Mobile Workers
Data Security
Agility
Introducing Amazon Enterprise Applications
Productivity: WorkMail, WorkDocs
Desktop & Apps: WorkSpaces, WorkSpaces Application Manager
Secure, managed end-user computing services on the AWS cloud
A cost-effective, managed cloud desktop
Secure
Pay-as-you-go
Simple management
Highly interactive cloud desktops your users will love
Scale consistently
Desktop Experience Your Users Will Love
A formal BYOD policy is four times more likely to result in increased employee productivity and decreased IT support issues¹.
Portable Desktop
Consistent Performance
Available on Any Device
1. Enterprise Strategy Group: TechTruths: BYOD and Productivity, 2015
Supports Multiple Devices
Desktop, Laptop: PC, Mac
Tablets: iOS, Android, Kindle, Surface
Zero Clients
Thin Clients *
Chrome OS, Chromium
Reuse your existing devices, or acquire to fit your needs.
* OEM-specific, OS-specific
Plays Well With Existing Tools
Microsoft Active Directory
Multifactor Authentication (RADIUS)
SCCM
Intranet
Amazon WorkSpaces integrates easily with your on-premises tools and network
Improves Security
• Data is stored on the AWS cloud, not on devices
• Data is encrypted in transit with 256-bit encryption
• Volume encryption with AWS Key Management Service
• Users authenticated against your corporate directory
• Deploy multi-factor authentication (MFA) for additional security
• Certification – SOC 1, SOC 2, ISO 9001 and ISO 27001
No sensitive data on users’ devices
Improve Flexibility and Scale
• Quickly add or remove WorkSpaces as your business requires
• Expand to new regions without additional costs
• Easily support temporary and remote workers
• Choose from several desktop configuration options
• Bring your own licenses and applications or purchase from AWS
Simple Management
Centrally manage WorkSpaces using the AWS Management Console or
existing tools
• Integrate your existing corporate network and directory
• Auth and Policy: Active Directory, GPOs
• Patching: WSUS, SCCM, 3rd-party
• Distribution: SCCM, App Layering, App Virt
• Profile Management: 3rd-party
• Automation: PowerShell, .NET, and more
No servers to manage
Scale on demand
Amazon WorkSpaces removes the burden of management, and scales instantly
Available globally
Cloud Economics
Pay only for what you use
Reduce Costs
• Pay-as-you-go means no infrastructure acquisition cost
• Eliminate underutilization of desktop management infrastructure
• Expensive PCs can often be replaced with cheaper thin clients or
repurposed
• CapEx can be switched to OpEx
• Pay for what you use with Monthly and Hourly Options
Amazon WorkSpaces Use Cases
Amazon WorkSpaces can help you realize benefits across many scenarios
Call centers
Temporary workers
Dev/Test
Mergers and acquisitions
Securing data
Compliance requirements
Mobile workers
BYOD
Training and labs
Demos
Amazon WorkSpaces Capabilities
• User Experience
§ Support for multiple devices including tablets, Windows, Mac, zero clients and Chrome devices
§ Local printing with Windows and Mac clients
§ High DPI device support
§ Audio input (make Skype/WebEx calls from WorkSpaces)
• Management
§ Custom images
§ WorkSpaces Application Manager (WAM)
§ API support (via AWS SDK, CLI)
• Monitoring
§ Amazon CloudWatch and AWS CloudTrail integration
§ Network health checks and health check website
Amazon WorkSpaces Capabilities
• Performance, Cost, and Flexibility Enhancements
§ Value Bundle
§ Upgrade Standard Bundle at no additional cost
§ Bring your own license (BYOL) for Microsoft Windows 7
• Security and Compliance
§ Storage Volume Encryption
§ Multi-Factor Authentication
§ Certification – SOC 1, SOC 2, ISO 9001 and ISO 27001
WorkSpaces Monitoring
• CloudWatch Alarms
• CloudWatch Events/Rules
• CloudWatch Logs to alert on specific events
• Based on two dimensions: WorkSpaceID and DirectoryID
• Units are Time and Count
• Statistics Available: Average, Sum, Maximum, Minimum, Data Samples
CloudWatch Dashboards
Network Flow - Connecting From Public Internet
Network Flow - Connecting From On-Premises
Amazon WorkSpaces & WAM Pricing
Utilities Bundle includes Internet Explorer 11, Firefox, and 7-Zip
Bring Your Own License and Save $4
Add Trend Micro and Microsoft Office Pro for an additional $15/month
Deliver applications with Amazon WorkSpaces Application Manager for $5/month
Value ($25 USD)
• 1 vCPU, 2 GB memory
• 10 GB storage
• Utilities software bundle
• 50 GB Amazon WorkDocs storage
Standard ($35 USD)
• 2 vCPU, 4 GB memory
• 50 GB storage
• Utilities software bundle
• 50 GB Amazon WorkDocs storage
Performance ($60 USD)
• 2 vCPU, 7.5 GB memory
• 100 GB storage
• Utilities software bundle
• 50 GB Amazon WorkDocs storage
Amazon WorkSpaces Regions
Amazon WorkSpaces Customers and Partners
Use Case | Contract Workers
Endemol Shine Nederland: Contract Workers
Endemol Shine Nederland is a world-leading creator, producer and distributor of multiplatform entertainment with a portfolio that includes Big Brother, MasterChef, Man vs. Food, The Biggest Loser, and Wipeout.
• Endemol Shine Nederland uses contract video crews in locations around the world to create their shows
• Preparing for a project took two weeks as the team had to set up, secure, and ship hardware to a production site
• Endemol Shine Nederland decided to provide contract video crews with Amazon WorkSpaces to run on their own devices
• The switch saved Endemol Shine Nederland 70% in PC capex, 30% in PC operations, and reduced preparation time to two hours.
“With Amazon WorkSpaces, we are able to provide video crews with a secure cloud desktop they can run on their own devices while onsite. By using Amazon WorkSpaces, we have saved 70% on PC capital expenditure, and 30% on desktop operations, while reducing our preparation time from two weeks to two hours.”
Leon Backbier, IT Manager, Endemol Shine Nederland
Louisiana Department of Corrections: Secure Training
The Louisiana Department of Public Safety and Corrections manages nine state correctional facilities housing 19,000 prisoners.
ATLO Software is a software provider that partners with local and state organizations to offer virtual learning environments.
• State department of corrections wanted to improve inmate education and improve post-prison outcomes
• Needed to replace on-premises learning solution
• Using Amazon WorkSpaces allows LDoC to offer secure, cloud-based learning program
• Enables better outcomes for inmates
• Team can now launch new training labs in 90 minutes
Rehabilitation through education is now a reality thanks to ATLO and Amazon WorkSpaces.
Dawson Andrews, IT Director, Louisiana Department of Corrections
Summary
• Provides fast, secure desktops with consistent performance that users will love
• Simplifies desktop management
• Scales globally within minutes
• Plays well with existing tools
• Provides flexibility and agility
• Lowers complexity and cost
A secure, fully managed enterprise storage and sharing service with strong administrative controls and feedback capabilities
that improve user productivity
Amazon WorkDocs Benefits
• Easy access to documents from anywhere, across devices
• Share and comment directly on documents – no more attachments
• Request feedback with deadlines, and control document versions
• Set sharing rules and manage document access centrally
• Store files securely on the AWS cloud in the regions of your choice
• Use your corporate directory and MFA to authenticate users
Access and Sync From Any Device
• Web application
• iOS Phone and tablet apps
• Android Phone and tablet apps
• Amazon Fire app
• Windows & Mac OS desktop sync
Securing Data
• Your data is encrypted in transit and at rest
• Choose your AWS region and adhere to data sovereignty laws
• Implement policies and roles for site access and sharing behavior
• Store content securely in WorkDocs instead of sending via email
• Authenticate using corporate directory and MFA
Amazon WorkDocs Pricing
• Pay-as-you-go: $5 per user per month for 200 GB
• Bundled *: $2 per WorkSpaces user per month for 200 GB
• Free trial for 50 users for 30 days
• Additional storage available at regular S3 prices
* Amazon WorkSpaces users receive access to Amazon WorkDocs
for no additional charge. This includes 50 GB of storage per
WorkSpaces user.
WorkDocs Availability
A secure, fully managed business email and calendaring service
Managed business email and calendar service
• Eliminate up-front investments to license and provision on-premises email servers
• WorkMail automatically handles patches, back-ups, and upgrades.
• Integrates with your existing on-premises directory.
• As needs grow, add more users with a few clicks in the AWS Console
Enterprise grade security
Encryption using customer managed keys
Regional data control
Secure mobile access
Protection from malware, spam, and viruses
Anywhere access
From your PC/Mac
From any browser
From your phone
Microsoft Outlook on Windows
• Support for Outlook 2007, 2010, 2013, 2016
• Native support (Outlook Anywhere)
• No additional software/plugins needed
• Autodiscover for easy setup
Mac OS X support
• Support for Exchange Web Services (EWS) protocol
• Support for Outlook 2011 and Mac Mail
• Outlook 2016 in progress
Mobile device support
• Native mobile support through Exchange ActiveSync protocol
• Supported devices:
• iPhone, iPad
• Android
• BlackBerry 10
• Windows Phone
• Fire
WorkMail Features
• Global Address Book
• Shared calendars
• Resource booking
• Advanced permissions and delegation
• Server-side rules
• Out-of-office rules
• Interoperability with Microsoft Exchange (launching soon)
• Encryption using customer managed keys
Mobile Device Management
• Policy support for:
• Password required
• Password strength
• Automatic screen lock
• Device encryption
• Remote wipe when device is lost or stolen
WebMail client features
• Access to your email, contacts, and
calendar
• Shared calendars
• Access to free/busy information
• Amazon WorkDocs integration
• Accessibility (support for screen readers &
keyboard-only usage)
Pricing and availability
• Pay-as-you-go
• Cost-effective -- $4/user/month for 50GB mailbox
• Bundled with WorkDocs -- $6/user/month
• 30-day free trial for up to 25 users
• Currently available in US East (N. Virginia), US West
(Oregon), and EU West (Ireland) regions
Amazon WorkMail Encryption
Amazon WorkMail Encryption – Pt 1
Amazon WorkMail Encryption – Pt 2
Key Hierarchy
Item encrypted with data key
Data key encrypted with public mailbox key
Mailbox private key encrypted with KMS key
• Master key for your organization
• Asymmetric key per mailbox
• Each item in mailbox encrypted by symmetric key
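The key hierarchy above, carried through end to end as an added example; it is not Amazon WorkMail code and not part of the original slides. AES-256-GCM, RSA-OAEP, the function names and the locally generated key standing in for the organization's KMS master key are all assumptions.

```javascript
// Added illustration of the three-level hierarchy; not Amazon WorkMail code.
// Assumed: AES-256-GCM, RSA-OAEP, and a local key standing in for the KMS key.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Symmetric seal/unseal with AES-256-GCM; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}
function unseal(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Per-mailbox asymmetric key; the private half is stored only wrapped by the master key.
function createMailbox(masterKey) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  return { publicKey, wrappedPrivateKey: seal(masterKey, Buffer.from(privateKey)) };
}

// Per-item symmetric data key, wrapped with the mailbox public key (no master key needed).
function storeItem(mailbox, text) {
  const dataKey = crypto.randomBytes(32);
  const wrappedDataKey = crypto.publicEncrypt({ key: mailbox.publicKey, ...OAEP }, dataKey);
  return { wrappedDataKey, ciphertext: seal(dataKey, Buffer.from(text, 'utf8')) };
}

// Reading walks the chain: master key -> mailbox private key -> data key -> item.
function readItem(masterKey, mailbox, item) {
  const privateKey = unseal(masterKey, mailbox.wrappedPrivateKey).toString();
  const dataKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, item.wrappedDataKey);
  return unseal(dataKey, item.ciphertext).toString('utf8');
}

function demo() {
  const masterKey = crypto.randomBytes(32); // constructed stand-in for the KMS key
  const mailbox = createMailbox(masterKey);
  const item = storeItem(mailbox, 'Constructed sample message');
  let readableWithoutMasterKey = true;
  try { readItem(crypto.randomBytes(32), mailbox, item); } catch { readableWithoutMasterKey = false; }
  return { text: readItem(masterKey, mailbox, item), readableWithoutMasterKey };
}
```

Storing an item needs only the mailbox public key, while every read depends on the master key, so withholding that one key makes all stored items in the mailbox unreadable.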
Data decryption
Interoperability support with Microsoft Exchange
Integrate Amazon WorkMail with your existing email environment
• Email routing between on-premises email system and WorkMail
• Calendar free/busy lookups between on-premises email systems and WorkMail
• Provide users with a unified global address book containing all users, groups, and
resources
AD Connector architecture
[Diagram: AD Connector proxy instances in two Availability Zones; LDAP & Kerberos requests proxied to on-premises AD in the corporate data center over a VPN connection]
Set up interoperability support
• Add all domains to WorkMail
• Convert users on Microsoft Exchange to mail enabled users with external mail addresses that point to Amazon WorkMail
• Set up free/busy service accounts in Microsoft Exchange and Amazon WorkMail
• Specify EWS URL for on-premises environment in Amazon WorkMail
• Set up Availability Address Space in Microsoft Exchange:
  Add-AvailabilityAddressSpace -ForestName example.awsapps.com -AccessMethod OrgWideFB -Credentials <Credential>
Email routing in an integrated environment
[Diagram: On-premises environment and Amazon WorkMail. Domains shown: example.com, example.com, example.awsapps.com. Labels: Forward to: [email protected]; Primary: [email protected]: [email protected]]
Calendar free/busy interoperability
[Diagram: On-premises environment (example.com) and Amazon WorkMail, with user john and numbered steps 1 to 5. Labeled steps: 1. Free/busy lookup for Mary; 4. Free/busy lookup for Mary with WM service account. Labels: targetAddress: [email protected]; Primary: [email protected]: [email protected]]
Unified Global Address Book
• Interoperability support will automatically sync all Microsoft Exchange users,
groups, and resources to WorkMail
• Object changes must be done using Exchange Management Console
• Enabling users for WorkMail still done through AWS Management Console