2013 AWS Worldwide Public Sector Summit Washington, D.C.
Maintaining Control in the Cloud
Larry Pizette
Sr. Manager, Solution Architecture
State, Local and Education, WWPS
2013 AWS Worldwide Public Sector Summit
Common CIO Questions on Control
• How do I control costs in the cloud?
• How do I control who accesses the cloud from my organization?
• How do I know that my organization’s cloud usage is secure?
• How easy is it to migrate into the cloud and am I locked in?
• How do I get started incorporating AWS into my IT ecosystem?
How do I control costs in the cloud? (1 of 3)
• AWS helps customers replace up-front capital expense with low variable cost
– Pay for what you need, when you need it
• Massive economies of scale and efficiency gains allow us to continually lower prices
– AWS has lowered prices 37 times since 2006
• Multiple pricing models allow customers to optimize costs for both variable and stable workloads
– On-demand, Reserved instances, Spot instances
– Choose services that match needs (e.g., S3/Glacier) and instance sizes (e.g., EC2)
How do I control costs in the cloud? (2 of 3)
• Cloud computing drives down IT labor costs both up-front and on an ongoing basis
– “Developer and IT staff productivity accounted for nearly 30% of overall financial benefits.” – IDC, July 2012
• AWS allows customer workloads to be highly available for a fraction of the cost of self-hosting
– Multiple Availability Zones per region; multiple regions around the globe
– Amazon S3 provides 11 nines of durability
– Customer example: PBS improved availability to 99.99%
• Lower costs to innovate: experiment and succeed, or fail fast, with low cost and low risk
How do I control costs in the cloud? (3 of 3)
• Monitor variable costs with Amazon CloudWatch alerts
– Billing alerts to monitor estimated charges
– Amazon CloudWatch alarms to stop or terminate instances
• Tag AWS resources (Amazon EC2 instances, Amazon S3 buckets, Amazon RDS, etc.) for billing analysis
– Track usage and costs based on tags; e.g., CostCenter, Department, Application, etc.
• Linked accounts
– Track each account’s costs separately
– Organization still benefits from combined volume discounts
• Share the benefit of Reserved Instances (RIs) across the organization
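The tagging and alerting points on this slide only work if every resource actually carries the allocation tags; untagged spend cannot be attributed to anyone. The following added example (not part of the deck, and not AWS tooling) runs a cost-allocation roll-up over a small set of constructed usage records: it totals cost per CostCenter tag, lists resources that are missing any required tag, and checks each cost center against a budget in the spirit of the billing alerts mentioned above. The resource ids, costs and tag values are made up for illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample of usage line items, loosely shaped like a cost
# allocation report: each record carries the resource's cost and its tags.
# These values are invented for the example; they are not real AWS data.
USAGE_RECORDS = [
    {"resource": "i-0a1b2c3d", "service": "AmazonEC2", "cost": "42.10",
     "tags": {"CostCenter": "CC-100", "Department": "Library", "Application": "catalog"}},
    {"resource": "i-0e4f5a6b", "service": "AmazonEC2", "cost": "18.75",
     "tags": {"CostCenter": "CC-200", "Department": "Registrar", "Application": "sis"}},
    {"resource": "sis-db-prod", "service": "AmazonRDS", "cost": "96.00",
     "tags": {"CostCenter": "CC-200", "Department": "Registrar", "Application": "sis"}},
    # Partially tagged: has a cost center but no Department or Application.
    {"resource": "district-backups", "service": "AmazonS3", "cost": "7.30",
     "tags": {"CostCenter": "CC-100"}},
    # Untagged: this spend cannot be attributed to any cost center.
    {"resource": "i-0deadbee", "service": "AmazonEC2", "cost": "63.40", "tags": {}},
]

REQUIRED_TAGS = ["CostCenter", "Department", "Application"]


def cost_by_tag(records, key):
    """Sum cost per value of one tag key; records lacking the key fall into '(untagged)'.

    Decimal is used so that money is summed exactly, not as binary floats.
    """
    totals = defaultdict(Decimal)
    for rec in records:
        bucket = rec["tags"].get(key, "(untagged)")
        totals[bucket] += Decimal(rec["cost"])
    return dict(totals)


def untagged_resources(records, required_keys):
    """Return ids of resources missing at least one of the required allocation tags."""
    return [rec["resource"] for rec in records
            if any(k not in rec["tags"] for k in required_keys)]


def over_budget(totals, budgets):
    """Mimic a per-cost-center billing alert: return centers whose spend exceeds budget."""
    return {center: amount for center, amount in totals.items()
            if center in budgets and amount > Decimal(budgets[center])}


if __name__ == "__main__":
    totals = cost_by_tag(USAGE_RECORDS, "CostCenter")
    for center, amount in sorted(totals.items()):
        print(f"{center:12} {amount:>8}")
    print("missing tags:", untagged_resources(USAGE_RECORDS, REQUIRED_TAGS))
    # Constructed budgets; in practice these would be the alarm thresholds.
    print("over budget:", over_budget(totals, {"CC-100": "100.00", "CC-200": "100.00"}))
```

The "(untagged)" bucket is the number to watch: if it is not near zero, the tag-based view of who is spending what is incomplete, and enforcing required tags at provisioning time (for example through the provisioning portal approach later in this deck) is the usual fix.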
Customer Case Study: Gibraltar Area Schools
• Small public school district in Fish Creek, Wisconsin
• Needed to upgrade servers running everything from student databases to the library management system
– IT department estimated that new equipment and 4 years of upkeep would have cost close to $50,000—a lot for a cash-strapped institution
• After moving line-of-business (LOB) infrastructure to AWS, on track to save 25% over the typical 5-year lifespan of on-premises infrastructure
– IT department had initial AWS workloads running within 20 minutes, and fully operational within 6 hours
How do I control who accesses the cloud? (1 of 3)
• Amazon is responsible for
– Facilities
– Physical security
– Compute infrastructure
– Storage infrastructure
– Network infrastructure
– Virtualization layer (Amazon EC2)
– Hardened service endpoints
– Rich AWS IAM capabilities
• Customer is responsible for
– Network configuration
– Security groups
– OS firewalls
– Operating systems
– Applications
– Proper service configuration
– Account management
– Authorization policies
How do I control who accesses the cloud? (2 of 3)
• Identity Federation makes AWS a Relying Party to your directory service
• Identity and Access Management Service has many principal types:
– AWS IAM Users
– AWS IAM Groups
– AWS IAM Roles
– AWS IAM Federated users
• For most services, action-based controls per AWS IAM user/group; for many, resource-based controls
• For Amazon EC2, users can be restricted to starting/stopping/terminating instances by regions/AZ/instance/tags/profiles (roles) using Resource Level Permissions
– Many more Amazon EC2 permissioning features coming by end of 2013
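To make the tag-scoped EC2 permission on this slide concrete, the following added example (not from the deck, and not AWS code) shows an IAM-style policy document that lets a user start, stop and terminate only instances tagged Department=Library, with a second statement that forbids terminating anything tagged Environment=Production. Below it is a deliberately simplified evaluator that models IAM's decision order: an explicit Deny beats any Allow, and a request that matches no Allow is implicitly denied. The account id, region, tag keys and tag values are placeholders; the `ec2:ResourceTag/<key>` condition key and the `ec2:*` action names are real, but the evaluator handles only `StringEquals` on resource tags and is not the IAM policy engine.

```python
import fnmatch

# Constructed IAM-style policy. The account id 123456789012 and the tag
# values are placeholders for the example, not values from the deck.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OperateOwnDepartmentsInstances",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            # Resource-level condition: the instance must carry this tag.
            "Condition": {"StringEquals": {"ec2:ResourceTag/Department": "Library"}},
        },
        {
            "Sid": "NeverTerminateProduction",
            "Effect": "Deny",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "Production"}},
        },
    ],
}

TAG_KEY_PREFIX = "ec2:ResourceTag/"


def _as_list(value):
    """IAM allows a string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    """IAM-style '*' wildcard match (case-sensitive) against a list of patterns."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, resource_tags):
    """Evaluate a Condition block; only StringEquals on ec2:ResourceTag/<key> is modelled.

    As in IAM, a StringEquals test on a tag the resource does not have is false.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if not key.startswith(TAG_KEY_PREFIX):
                raise NotImplementedError(f"condition key {key} not modelled")
            actual = resource_tags.get(key[len(TAG_KEY_PREFIX):])
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource_arn, resource_tags):
    """Simplified IAM decision: explicit Deny > Allow > implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches_any(stmt["Action"], action):
            continue
        if not _matches_any(stmt["Resource"], resource_arn):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny ends evaluation
        allowed = True
    return allowed


if __name__ == "__main__":
    arn = "arn:aws:ec2:us-east-1:123456789012:instance/i-0a1b2c3d"
    print(is_allowed(POLICY, "ec2:StopInstances", arn, {"Department": "Library"}))
    print(is_allowed(POLICY, "ec2:StopInstances", arn, {"Department": "Registrar"}))
    print(is_allowed(POLICY, "ec2:TerminateInstances", arn,
                     {"Department": "Library", "Environment": "Production"}))
```

Because the grant hinges entirely on tag values, the ability to add, change or remove tags on instances needs to be controlled at least as tightly as the start/stop/terminate actions themselves; otherwise a user can move an instance into scope simply by retagging it.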
How do I control who accesses the cloud? (3 of 3)
• “Gold Image” AMIs managed by customer’s approved individuals/organizations
– Amazon Machine Images (AMIs) contain a software configuration (operating system, application server, and applications) that you can run on AWS
• Optionally, a provisioning portal provides a layer between the requester and AWS that is controlled by the enterprise
– Enforce rules according to customer’s governance, security and architecture policies
– Enabled through AWS SDKs and APIs
– Example AWS Partners offering portals:
• Aquilent
• BMC Software
• Cloudnexa
• Etc.
How do I know that my cloud usage is secure? (1 of 2)
• Shared security model: AWS
– Reports and certifications produced by third-party auditors attest to the design and operating effectiveness of the AWS environment
– Examples: SOC1 Type II, SOC2 Type II, SOC3, PCI DSS Level 1, ATO under FedRAMP at the Moderate impact level for AWS GovCloud (US) and all US regions
• Shared security model: customer
– Extend best practices from on-premises to cloud (e.g., encrypt data at rest, firewalls)
– Configure security to meet your enterprise needs (e.g., IAM users, Resource Level Permissions)
How do I know that my cloud usage is secure? (2 of 2)
• Leverage Amazon VPC to extend your on-premises network into the AWS cloud
• The customer has complete control over its virtual networking environment, including:
– IP address range
– Creation of subnets
– Configuration of route tables
– Network gateways
– VPN tunnels to on-premises infrastructure
How easy is it to migrate; am I locked in? (1 of 2)
• Use the services you choose; choose as much or as little as needed
• Most applications remain unchanged; how much you integrate with AWS-specific APIs/functionality is optional
• Many OS choices (major Linux versions; Windows 2003/2008/2012)
• Many database choices, including managed services
– AWS Relational Database Service (RDS) includes MySQL, Oracle and SQL Server
How easy is it to migrate; am I locked in? (2 of 2)
• No up-front investment and pay-as-you-go pricing
– Utility pricing model; the customer determines usage
• For every import service (VM import, data import) there is an export service
• Self-service for authenticated and authorized users
Obama for America used AWS to run Mission Critical Applications
• Applications built on the platform: Donor Collection System, Volunteer Management System, Voter File, Call Tool, Micro-targeting Dashboard
• Millions of users served
• Over 200 applications built on the platform
• Scaled up, and scaled down
“The AWS Cloud let us build solutions for an environment that moves so rapidly that you can’t plan for it. It made a big difference to the success of the campaign.”
- Mike Slaby, Chief Integration and Innovation Officer, Obama for America
How do I get started with AWS?
• Pilot an application or system on AWS
• Common applications to migrate first
– Web sites, web apps, cross-organization collaboration apps
– Development and test infrastructure
– Backup, archive, storage
– Video and content distribution
– Disaster recovery/continuity of operations (DR/COOP)
– Later: LOB applications
– Many SaaS vendors are already running on AWS
• Contact us for further information and consultation
– AWS Solutions Architects stand ready to help!
Thank You