AWS Government, Education, and Nonprofit Symposium Washington, DC I June 25-26, 2015
Modern IT Governance Through Transparency and Automation
Mark Ryland, Chief Architect, [email protected]
IT governance: high-level definition
• “The leadership, organizational structures, and processes to ensure that the organization's IT sustains and extends the organization's strategies and objectives.” – IT Governance Institute
Where does governance sit?
• Part of a larger complex of GRC(S): governance, risk management, compliance, and security
• Compliance (policy) and security (implementation) are shared responsibilities on AWS
• Risk (management) is a strategic responsibility
• Governance is your responsibility, with help from AWS tools and capabilities
Compliance and security
• Certifications and accreditations for workloads that matter (logo grid of certifications, including MTCS)
• Security is a shared responsibility
Key governance questions
• What do I have?
• How is it performing?
• Who is in control of it?
• Is it secure and compliant?
  – Are changes occurring with the right processes and protections?
• What is it costing me?
AWS and governance
• AWS capabilities and services provide key building blocks to answer these questions
• Better answers than traditional infrastructure has ever provided
• Still integration challenges, but leverage the head start provided by the cloud
What do I have?
• Describe* calls provide comprehensive lists of all resources (for example, aws ec2 describe-instances)
• AWS Config provides integration and time-based insights
• Partner ecosystem adds more value, richer capabilities
• (Building a comprehensive, accurate configuration DB on-premises is practically impossible)
How is it performing?
• Services emit metrics into CloudWatch
  – Accessible through console, CLI, API
• Alerting and alarming on all metric data
  – Rich integration with Simple Notification Service
• CloudWatch Logs integrates OS and app log data
• Trusted Advisor (TA) for dashboard and alerts for under-utilization, availability issues
• Rich integration into third-party monitoring platforms from AWS partners
Who is in control?
• Powerful, fine-grained IAM capabilities
  – Authentication and authorization
  – Reporting and analysis
• Rich integration to corporate identity systems through SAML or directly into Active Directory
• Tagging for administration, authorization, billing
• [Demo]
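As an added example (not from the deck), the Describe* inventory from the "What do I have?" slide and the tagging bullet above combine into a small governance check: run `aws ec2 describe-instances` output through it and report every instance missing a tag the policy requires. The required tag keys and the sample output are constructed for this example.

```python
"""Tag-governance check over `aws ec2 describe-instances` output (added example)."""
import json

# Tag keys a hypothetical governance policy requires on every instance.
REQUIRED_TAGS = ("Owner", "CostCenter", "Environment")

# Constructed sample of `aws ec2 describe-instances` JSON; not real resources.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111111111111a",
             "Tags": [{"Key": "Owner", "Value": "mission-team-a"},
                      {"Key": "CostCenter", "Value": "1234"},
                      {"Key": "Environment", "Value": "prod"}]},
            {"InstanceId": "i-0bbb222222222222b",
             "Tags": [{"Key": "Name", "Value": "scratch-box"}]},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333333333333c"},  # no Tags key at all
        ]},
    ]
})


def tag_map(instance):
    """Flatten the EC2 Tags list into a dict; an absent Tags key yields {}."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def find_noncompliant(describe_output, required=REQUIRED_TAGS):
    """Return {instance_id: [missing tag keys]} for every instance that lacks
    a required tag or carries it with an empty value; compliant instances are
    omitted, so an empty dict means the whole inventory passes."""
    data = json.loads(describe_output)
    findings = {}
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            tags = tag_map(inst)
            missing = [key for key in required if not tags.get(key)]
            if missing:
                findings[inst["InstanceId"]] = missing
    return findings


if __name__ == "__main__":
    # Pipe real output in with: aws ec2 describe-instances --output json
    for iid, missing in find_noncompliant(SAMPLE_DESCRIBE_INSTANCES).items():
        print(f"{iid}: missing {', '.join(missing)}")
```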
Secure and compliant?
• … Are changes occurring with the right processes and protections?
• AWS infrastructure: yes
• Customer responsibilities:
  – Great tools and building blocks
  – Innovation required in the process model
Tools and building blocks
• TA displays obvious (possible) issues
• CloudTrail, Config, CloudWatch (Logs), VPC Flow Logs, S3 logs, ELB logs
• VPC peering (including cross-account)
• CloudFormation for repeatable processes
• Cross-account role-based access
Horizontal shared responsibility
• Mission teams control their own infrastructure (VPCs, instances, AMIs, DBs, S3 buckets, etc.)
• Central security team has audit and control rights over core infrastructure along with “shared security/compliance services”
  – Using cross-account role-based access, for example
• Agility benefits of mission-driven “shadow IT,” governance/security benefits of central IT control
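As an added example (not from the deck), one way a central security team can verify that mission accounts expose only the intended cross-account role-based access path: lint each role's trust policy for wildcard or unapproved principals and for a missing Condition. The account IDs and sample trust policies are constructed for this example.

```python
# Hypothetical account IDs, constructed for this example; not real accounts.
CENTRAL_SECURITY_ACCOUNT = "111111111111"
ALLOWED_ASSUMING_ACCOUNTS = {CENTRAL_SECURITY_ACCOUNT}

# Constructed trust policies in the shape `aws iam get-role` returns them.
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{CENTRAL_SECURITY_ACCOUNT}:root"},
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
WILDCARD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}
FOREIGN_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["sts:AssumeRole"],
    "Principal": {"AWS": ["arn:aws:iam::222222222222:role/Auditor"]}}]}

ASSUME_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def _as_list(value):
    """IAM policy fields may be one string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _account_of(principal):
    """Account ID from an IAM/STS principal ARN; '*' or a bare ID pass through."""
    parts = principal.split(":")
    return parts[4] if len(parts) == 6 and parts[4] else principal


def review_trust_policy(doc, allowed=ALLOWED_ASSUMING_ACCOUNTS):
    """Return finding strings for every Allow/AssumeRole statement that lets an
    unexpected or wildcard principal in, or has no Condition; [] means it fits."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not ASSUME_ACTIONS & set(_as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS")
        for acct in (_account_of(p) for p in _as_list(aws)):
            if acct == "*":
                findings.append("any AWS principal may assume this role (Principal '*')")
            elif acct not in allowed:
                findings.append(f"account {acct} is not an approved assuming account")
        if "Condition" not in stmt:
            findings.append("no Condition (e.g. aws:MultiFactorAuthPresent) on the grant")
    return findings
```

Feed it the `AssumeRolePolicyDocument` of each role returned by `aws iam list-roles` in every mission account; any non-empty result is a role the central team should review.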
Shared security services
• Central team can manage for all
  – Account creation/provisioning/setup
  – Identity management, federation endpoint(s)
  – Core networking and security IAM policies
  – CloudTrail, Config, security log management
  – Golden OS images (AMIs), associated IAM limits
  – Incident response/forensics services
  – Cost alarm/review/auditing services
Example: Shared services VPC
Automate, automate, automate
• Programmable infrastructure changes everything!
• CloudFormation, APIs for everything at the infrastructure level
• For apps: Elastic Beanstalk, OpsWorks, CodeDeploy, CodePipeline
Programmable infrastructure
• Manage everything (including security and compliance) using SDL from a source code repository
• Security and compliance baked into your continuous integration/continuous deployment pipeline
Cost transparency and control
• Everything billed by the hour, gigabyte
• Bills updated 4x per day
• Programmatic access to all billing data with user-generated resource tags
• CloudWatch tools/alarms for billing data
• AWS Marketplace helps with software license management challenges
It’s happening!
• Not a pipe dream, but a reality at agencies like USCIS, DHS
  – Michael Schwartz, CIO: https://youtu.be/QwHVlJtqhaI
• DevOps and CI/CD on the AWS cloud providing dev/ops CI/CD agility with baked-in governance benefits
AWS cloud can help
• Today: Trusted Advisor and other key building blocks
• Soon: Automation-based security and compliance with AWS “Trusted Architect” – documentation and workshops coming soon
Thank You. This presentation will be loaded to SlideShare the week following the Symposium.
http://www.slideshare.net/AmazonWebServices