Building Bulletproof Infrastructure on AWS

Upload: 2nd-watch

Post on 13-Dec-2014


DESCRIPTION

Minneapolis Seminar Recap

TRANSCRIPT

Page 1: Building Bulletproof Infrastructure on AWS

Page 2: Building Bulletproof Infrastructure on AWS

Agenda

1. Introduction to 2nd Watch

2. What’s new at AWS?

3. Cloud Consumers / Cloud Adoption

4. Building Bulletproof Infrastructure

5. Q&A

6. Lunch with 2W Insight Billing Application Demo

Page 3: Building Bulletproof Infrastructure on AWS

Our Mission

“The mission of 2nd Watch is to bring enterprise Cloud technology to organizations of all sizes to enable cost and technology efficiencies and power innovation.”

‣ Cloud Enablement

• Services (strategy, architecture, build, migration and support) to enable Cloud adoption

‣ Software to optimize

• Billing and Usage

• Demand Management

Page 4: Building Bulletproof Infrastructure on AWS

2nd Watch Overview

2nd Watch Associates

‣ Microsoft Certified

‣ Virtualization

‣ Remote Desktop Services

‣ ITIL Certified

‣ CISSP

‣ Enterprise Experience

‣ Microsoft – Toshiba - IBM

‣ Continental Airlines

‣ Iron Mountain

‣ Ambassadors Group

‣ Production Hosting

‣ Security and Compliance

‣ Technical Competency & Reseller

‣ Excellence in Operations

‣ Customer Testimonials

‣ Technical Competency

‣ Office 365

Page 5: Building Bulletproof Infrastructure on AWS

Microsoft and 2nd Watch

‣ Recognized for expertise in implementing Office 365

‣ # of seats, # of deals, customer references, etc.

‣ SharePoint Online

‣ Implementing complex O365

‣ Hybrid Environment (Part on-premise, part cloud)

‣ Single Sign on with existing Active Directory

‣ Advance archiving, legal compliance

Page 6: Building Bulletproof Infrastructure on AWS

Strategy & Roadmaps

Support Services

Cloud Assessments

Cloud Architecture

Build & Migrations

‣ Identify Need

‣ Formulate the Strategy

‣ Identify goals

‣ Identify all considerations

‣ Get team buy in

‣ TCO

‣ Hardware

‣ Applications

‣ Customer experience

‣ Personnel needs

‣ Contract negotiations

‣ Security

‣ Deep dive

‣ Operational toolsets

‣ High level diagrams

‣ POC

‣ Cost analysis

‣ Enterprise designs

‣ Architect for failure

‣ Build HA

‣ Seamless migrations

‣ Testing

‣ As Built detailed doc

‣ Performance optimization

‣ Cost optimization

‣ Managed services

‣ Account management

Core Offering: Full Lifecycle

Examples of starting points

‣ Web Applications

‣ Batch Processing systems

‣ Content Management Systems

‣ Digital Asset Management Systems

‣ Log Processing Systems

‣ Collaborative Tools

‣ Big Data Analytics Platforms

Page 7: Building Bulletproof Infrastructure on AWS

2nd Watch Cloud Migration Process

Phases: Business Requirements → Deep Dives → High Level Design (HLD) → Detailed Design (DLD) → Build (Dev) → Data Migration → User Acceptance Testing (UAT) → Go-Live → Optimize

Project Deliverables, in phase order:

‣ Analysis

‣ 1) Mockups 2) Environment Designs 3) Data Flow

‣ 1) Wireframes 2) As Built 3) AWS Run-IT

‣ Project Builds

‣ Production Data

‣ User Sign-off

‣ Go Live!

‣ Start maximizing savings

Page 8: Building Bulletproof Infrastructure on AWS

Update: What’s New at AWS

Page 9: Building Bulletproof Infrastructure on AWS

Amazon Glacier: infinite archival storage

Page 10: Building Bulletproof Infrastructure on AWS

Amazon Glacier for Long Term Archive

‣ Secure and Cost effective Offsite data archiving

‣ Tape Replacement for backup and recovery

‣ Long term digital preservation for historical and digital information

Page 11: Building Bulletproof Infrastructure on AWS

The Scale of AWS: Amazon S3 Growth

Total Number of Objects Stored in Amazon S3:

‣ Q4 2006: 2.9 Billion

‣ Q4 2007: 14 Billion

‣ Q4 2008: 40 Billion

‣ Q4 2009: 102 Billion

‣ Q4 2010: 262 Billion

‣ Q4 2011: 762 Billion

‣ Later milestones shown on the chart: 905 Billion, 1 Trillion

Peak Requests: 750,000+ per second

Page 12: Building Bulletproof Infrastructure on AWS

Other Recent “IT” Items

‣ Elastic Load Balancing – Internal to VPN

‣ Support for Static Routes for VPC VPN

• Enables non BGP Based AWS Supported VPN connection

‣ Provisioned IOPs

• Enables High Performance Databases

‣ Reserved Instance Marketplace

Page 13: Building Bulletproof Infrastructure on AWS

TCO Calculator: Total Cost of Ownership Comparison for Web Applications

Page 14: Building Bulletproof Infrastructure on AWS

AWS Global Infrastructure

AWS Regions

AWS Edge Locations

GovCloud(US ITAR Region)

US West(Northern California)

US West(Oregon)

US East(Northern Virginia)

South America(Sao Paulo)

EU(Ireland)

Asia Pacific(Singapore)

Asia Pacific(Tokyo)

Page 15: Building Bulletproof Infrastructure on AWS

CLOUD CONSUMERS / CLOUD ADOPTION

Page 16: Building Bulletproof Infrastructure on AWS

Powering the Most Popular Internet Businesses

Page 17: Building Bulletproof Infrastructure on AWS

Trusted by Enterprises

Page 18: Building Bulletproof Infrastructure on AWS

And Government Agencies

Page 19: Building Bulletproof Infrastructure on AWS

What Enterprises are Running on AWS

‣ Business Applications

‣ Web Applications

‣ Big Data & High Performance Computing

‣ Disaster Recovery & Archive

Page 20: Building Bulletproof Infrastructure on AWS

Common Concerns

Concern: How we address it:

‣ AWS is a mystery: Training and Certifications

‣ Security: Shared Responsibility

‣ Accessibility: IAM, ACLs, Logging, etc.

‣ Control: You own the app!

‣ Cost: TCO support

‣ All or nothing?: Hybrid Models

Page 21: Building Bulletproof Infrastructure on AWS

AWS Architecture to Support Your Application

Page 22: Building Bulletproof Infrastructure on AWS

Architecture Templates for Common Patterns

aws.amazon.com/architecture

MICROSOFT SHAREPOINT

Page 23: Building Bulletproof Infrastructure on AWS

Building Bulletproof Infrastructure on AWS

Page 24: Building Bulletproof Infrastructure on AWS

Shared Responsibilities

AWS

‣ Facilities

‣ Physical Security

‣ Physical infrastructure

‣ Network Infrastructure

‣ Virtualization Infrastructure

2nd Watch or Customer

‣ Architecture Build

‣ Engineering Build

‣ Security Groups

‣ Firewalls

‣ Network Configuration

‣ Monitoring and Reporting

‣ Operating System

Customer

‣ Application

‣ Application Development

‣ Application Fixes/Patches

‣ Customer Contact

‣ Compliance

Page 25: Building Bulletproof Infrastructure on AWS

Security on AWS

Page 26: Building Bulletproof Infrastructure on AWS

In the Cloud, Security is a Shared Responsibility

1. Infrastructure Security: how we secure our infrastructure

• SAS 70 Type II Audit

• ISO 27001/2 Certification

• PCI DSS 2.0 Level 1-5

• HIPAA/SOX Compliance

• FISMA Moderate

• FEDRamp / GSA ATO

2. Application Security: how can you secure your application and what is your responsibility?

• Encrypt data in transit

• Encrypt data at rest

• Protect your AWS Credentials

• Rotate your keys

• Secure your OS and applications

3. Services Security: what security options and features are available to you?

• Enforce IAM policies

• Use MFA, VPC

• Leverage S3 bucket policies, EC2 Security groups, EFS in EC2, etc.

Page 27: Building Bulletproof Infrastructure on AWS

Built for Enterprise Security Standards

Certifications

‣ SOC 1 Type 2 (Formerly SAS-70)

‣ ISO 27001

‣ PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM

‣ FISMA Moderate Compliant Controls

‣ HIPAA & ITAR Compliant Architecture

Physical Security

‣ Datacenters in nondescript facilities

‣ Physical access strictly controlled

‣ Must pass two-factor authentication at least twice for floor access

‣ Physical access logged and audited

HW, SW, Network

‣ Systematic change management

‣ Phased updates deployment

‣ Safe storage decommission

‣ Automated monitoring and self-audit

‣ Advanced network protection


Page 28: Building Bulletproof Infrastructure on AWS

Physical Security of Data Centers

‣ Amazon has been building large-scale data centers for many years

‣ Important attributes

• Non-Descript facilities

• Robust perimeter controls

• Strictly controlled physical access

• 2 or more levels of two-factor auth

‣ Controlled, need-based access

‣ All access is logged and reviewed

‣ Separation of Duties

• Employees with physical access don’t have logical privileges

Page 29: Building Bulletproof Infrastructure on AWS

EC2 Security

‣ Host operating system

• Individual SSH keyed logins via bastion host for AWS admins

• All accesses logged and audited

‣ Guest (a.k.a. Instance) operating system

• Customer controlled (customer owns root/admin)

• AWS admins cannot log in

• Customer-generated keypairs

‣ Stateful firewall

• Mandatory inbound firewall, default deny mode

• Customer controls configuration via Security Groups

‣ Signed API calls

• Require X.509 certificate or customer’s secret AWS key

Page 30: Building Bulletproof Infrastructure on AWS

Amazon EC2 Instance Isolation

Figure: Physical Interfaces → Hypervisor → Virtual Interfaces → Firewall; each tenant (Customer 1, Customer 2, … Customer n) sits behind its own Security Groups.

Page 31: Building Bulletproof Infrastructure on AWS

Network Traffic Flow Security

Figure: Inbound Traffic → Amazon Security Groups → OS Firewall → Encrypted File System / Encrypted Swap File

Headline: Always use VPC!

‣ Security Groups

• Inbound traffic must be explicitly specified by protocol, port, and security group

• VPC adds outbound filters

‣ VPC also adds Network Access Control Lists (ACLs): inbound and outbound stateless filters

‣ OS Firewall (e.g., iptables) may be implemented

• Completely user controlled security layer

• Granular access control of discrete hosts

• Logging network events
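The difference the slide draws between Security Groups (stateful) and Network ACLs (stateless) is the one that most often bites when a subnet is locked down: the NACL allows the HTTPS request in, and the server's replies, which leave on the client's ephemeral port, are dropped because nothing allows them out. The Python model below is an added example, not code from the seminar or from 2nd Watch and not an AWS API; the Packet, Rule, SecurityGroup and NetworkAcl classes, the 10.0.1.5 and 203.0.113.10 addresses, the ports and the NACL rule numbers are all constructed to show that behaviour.

```python
"""Stateful security group vs. stateless network ACL, simulated offline.

Added example, not from the seminar deck. The classes are a simplified model
of the VPC behaviour the slide describes; addresses, ports and rule numbers
are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self):
        """The return packet for this packet: same flow, endpoints reversed."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str               # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"   # NACL rules may be "deny"; security-group rules are allow-only
    number: int = 0         # NACL evaluation order; ignored for security groups

    def matches(self, proto, port, ip):
        return (self.proto in ("all", proto)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful: inbound is default-deny with explicit allows, and the reply to an
    accepted inbound packet is let out whatever the outbound rules say."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # connection-tracking table

    def inbound_ok(self, pkt):
        ok = any(r.matches(pkt.proto, pkt.dst_port, pkt.src_ip) for r in self.inbound)
        if ok:
            self.flows.add(pkt)
        return ok

    def outbound_ok(self, pkt):
        if pkt.reply() in self.flows:  # reply to a tracked inbound flow
            return True
        return any(r.matches(pkt.proto, pkt.dst_port, pkt.dst_ip) for r in self.outbound)


class NetworkAcl:
    """Stateless: each direction is evaluated on its own, lowest rule number first,
    first match wins, and an unmatched packet hits the implicit deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules, proto, port, ip):
        for r in rules:
            if r.matches(proto, port, ip):
                return r.action == "allow"
        return False

    def inbound_ok(self, pkt):
        return self._first_match(self.inbound, pkt.proto, pkt.dst_port, pkt.src_ip)

    def outbound_ok(self, pkt):
        return self._first_match(self.outbound, pkt.proto, pkt.dst_port, pkt.dst_ip)


# Constructed web-tier security group: only HTTPS in. Real VPC groups default to
# allow-all outbound; it is left empty here so that only the stateful reply
# handling can let the response out.
WEB_SG_RULES = ([Rule("tcp", 443, 443, "0.0.0.0/0")], [])

# Constructed subnet NACLs: the weak one allows HTTPS in but has no outbound
# rule for the client's ephemeral port; the fixed one adds it.
WEAK_NACL = NetworkAcl([Rule("tcp", 443, 443, "0.0.0.0/0", number=100)], [])
FIXED_NACL = NetworkAcl([Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
                        [Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)])


def https_exchange(nacl):
    """Run one request/reply pair through a fresh web SG and the given NACL.
    Returns (request accepted, reply passes SG, reply passes NACL)."""
    sg = SecurityGroup(*WEB_SG_RULES)
    request = Packet("tcp", "203.0.113.10", 51000, "10.0.1.5", 443)  # constructed
    accepted = nacl.inbound_ok(request) and sg.inbound_ok(request)
    reply = request.reply()
    return accepted, sg.outbound_ok(reply), nacl.outbound_ok(reply)


if __name__ == "__main__":
    print("weak NACL :", https_exchange(WEAK_NACL))   # (True, True, False)
    print("fixed NACL:", https_exchange(FIXED_NACL))  # (True, True, True)
```

The first tuple is the failure mode: the security group passes the reply on the strength of its connection table, the NACL does not, and the client sees a connection that never completes. The fix is an explicit outbound ephemeral-port rule, which is why stateless filters need a rule in each direction for every flow they are meant to permit.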

Page 32: Building Bulletproof Infrastructure on AWS

Network Security Considerations

‣ Distributed Denial of Service (DDoS):

• Standard mitigation techniques in effect

‣ Man in the Middle (MITM):

• All endpoints protected by SSL

• Fresh EC2 host keys generated at boot

‣ IP Spoofing:

• Prohibited at host OS level

‣ Unauthorized Port Scanning:

• Violation of AWS TOS

• Detected, stopped, and blocked

• Inbound ports blocked by default

‣ Packet Sniffing:

• Promiscuous mode is ineffective

• Protection at hypervisor level

Page 33: Building Bulletproof Infrastructure on AWS

AWS Customer Data on AWS

Data Security Example

‣ All storage devices follow process

• DoD 5220.22-M (“National Industrial Security Program Operating Manual”)

• NIST 800-88 (“Guidelines for Media Sanitization”)

‣ Upon decommission

• Degaussed

• Physically destroyed

‣ S3 data encrypted at rest

‣ No public interface to servers/data

‣ All Datacenter traffic is encrypted

‣ File System and/or database encryption available as needed

Page 34: Building Bulletproof Infrastructure on AWS

Network Security Considerations

‣ Users and Groups within Accounts

‣ Unique security credentials

• Access keys

• Login/Password

• Optional MFA device

‣ Policies control access to AWS APIs

‣ API calls must be signed by either:

• X.509 certificate

• Secret key

‣ Deep integration into some Services

• S3: policies on objects and buckets

• Simple DB: domains

‣ AWS Management Console Supports User log on

‣ Not for Operating Systems or Applications

• Use LDAP, Active Directory/ADFS, etc….
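"Policies control access to AWS APIs" comes down to a small evaluation rule: a matching explicit Deny wins, otherwise a matching Allow grants the call, otherwise the call is implicitly denied. The evaluator below is an added Python example, not the deck's material and not AWS's engine; SAMPLE_POLICY, the 2w-demo-bucket name and the decide and is_allowed helpers are constructed. It also models one condition from the next slide's topic, aws:MultiFactorAuthPresent (a real condition key), using only the Bool operator; the rest of the IAM condition language is out of scope.

```python
"""Minimal IAM-style policy evaluator: explicit Deny beats Allow, and anything
not allowed is implicitly denied.

Added example, not from the deck. The policy document is constructed; only the
Bool condition operator on the aws:MultiFactorAuthPresent key is implemented.
"""
import re

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::2w-demo-bucket", "arn:aws:s3:::2w-demo-bucket/*"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        # Explicit deny on the secrets prefix wins over the GetObject allow above.
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::2w-demo-bucket/secrets/*"},
        # Destructive action only when the caller authenticated with MFA.
        {"Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_holds(condition, context):
    """Evaluate a statement's Condition block; only the Bool operator is modelled."""
    for operator, clauses in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator!r} not modelled")
        for key, expected in clauses.items():
            actual = context.get(key)
            # A missing key makes a Bool condition false, so MFA-gated statements
            # simply do not apply to a session that never proved MFA.
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def decide(policy, action, resource, context=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one API request."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(a, action, ignore_case=True)
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(r, resource)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # one matching Deny ends evaluation
        allowed = True
    return "allow" if allowed else "implicit_deny"


def is_allowed(policy, action, resource, context=None):
    return decide(policy, action, resource, context) == "allow"


if __name__ == "__main__":
    print(decide(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::2w-demo-bucket/public/index.html"))
    print(decide(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::2w-demo-bucket/secrets/db.pem"))
    print(decide(SAMPLE_POLICY, "ec2:TerminateInstances", "*",
                 {"aws:MultiFactorAuthPresent": "true"}))
```

Two points the walk-through makes concrete: the Deny on the secrets prefix overrides an Allow that otherwise covers the whole bucket, and a statement gated on MFA is silently skipped, not denied, for a caller without it, which is what turns MFA from an account-level option into a per-action requirement.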

Page 35: Building Bulletproof Infrastructure on AWS

AWS Multi-Factor Authentication

‣ Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you

‣ Additional protection for account information

‣ Works with

• Master Account

• IAM Users

‣ Integrated into

• AWS Management Console

• Key pages on the AWS Portal

• S3 (secure Delete)

A recommended opt-in security feature!

Page 36: Building Bulletproof Infrastructure on AWS

AWS Security and Compliance Center (http://aws.amazon.com/security/)

‣ Answers to many security & privacy questions

• Security whitepaper

• Risk and Compliance whitepaper

‣ Security bulletins

‣ Customer penetration testing

‣ Security best practices

‣ More information on:

• AWS Identity & Access Management (AWS IAM)

• AWS Multi-Factor Authentication (AWS MFA)

Page 37: Building Bulletproof Infrastructure on AWS

Foundation Concepts

Page 38: Building Bulletproof Infrastructure on AWS

High Availability on AWS

‣ Plan for failure at any level

‣ Services within a Datacenter (AZs) can fail

‣ Regions are N+2 (minimum)

‣ Reserve capacity (the other side of Reserved Instances)

‣ Use AWS Services that scale across AZs

• VPC, S3, ELB, RDS, etc.

‣ Chaos Monkey now available

Page 39: Building Bulletproof Infrastructure on AWS

Fault-Tolerant Front-end Systems

Services shown: Auto Scaling, Amazon CloudFront, Amazon CloudWatch, Amazon Route 53, Elastic IP, AWS Elastic Beanstalk, Elastic Load Balancer

‣ Addressing: Route 53, EIP

‣ Distribution: Multi-AZ, ELB, CloudFront

‣ Redundancy: Auto-Scaling

‣ Monitoring: CloudWatch

‣ Platform: Elastic Beanstalk

Page 40: Building Bulletproof Infrastructure on AWS

Fault-Tolerant Front-end Systems

‣ Amazon Simple Storage Service (S3)

‣ Amazon SimpleDB

‣ Amazon Elastic MapReduce (EMR)

‣ Amazon DynamoDB

‣ Amazon Relational Database Service (RDS)

‣ Amazon ElastiCache

Page 41: Building Bulletproof Infrastructure on AWS

VPC

Page 42: Building Bulletproof Infrastructure on AWS

AWS Virtual Private Cloud

‣ Virtual Private Cloud (VPC) enables two important things:

• Local Subnet addressing

• Virtual Private Network (VPN) connections

‣ There are 4 possible VPC scenarios:

• Public Subnet Only

• Public and Private Subnets

• Public and Private Subnets with VPN

• Private Subnet Only with VPN

Page 43: Building Bulletproof Infrastructure on AWS

Use VPC to add Capacity

Use AWS VPC to connect via IPSec VPN to your existing Datacenter

Figure: Users or Customers → Customer Datacenter ↔ VPN ↔ EC2 Instances in Availability Zone 1

Page 44: Building Bulletproof Infrastructure on AWS

Use VPC to host customer facing applications

Use AWS as a production hosting platform

Figure: Users or Customers → EC2 Instances in Availability Zone 1 and Availability Zone 2, with a VPN back to the Customer Datacenter

Page 45: Building Bulletproof Infrastructure on AWS

VPC = Additional Security

‣ Create an Access Control List (ACL) for EC2 Instances

‣ Create groups to manage types of servers

• Example:

- Website Tier

- Database Tier

‣ Use Network Security Groups to secure subnet traffic

• Example:

- Trusted

- Untrusted

Page 46: Building Bulletproof Infrastructure on AWS

Connect your VPC via VPN

Figure: Corporate Data Center, Corporate Headquarters and Branch Offices connect through a VPN Gateway; an Internet Gateway fronts Availability Zone 1 and Availability Zone 2; AWS services shown: S3, SQS/SNS/SES, SWF, Elastic Beanstalk, SimpleDB, DynamoDB

Now supports static routes!

Page 47: Building Bulletproof Infrastructure on AWS

VPC + Cloud Formation =

‣ Build your VPC, Security Groups, Instances, etc., and use Cloud Formation to build out a template once you reach Gold State

‣ Run Cloud Formation Template to replicate environment for Dev, Test, Staging or other environments

‣ Makes your infrastructure build repeatable

‣ Use source control to track changes
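A template replicates whatever was in the Gold State, including an over-permissive security group, into every Dev, Test and Staging copy, so the source-control step is a natural place to lint the template before it is promoted. The Python linter below is an added example, not 2nd Watch's or AWS's tooling; TEMPLATE_JSON is a constructed template fragment (a VPC, a subnet and one security group using the real AWS::EC2::SecurityGroup resource shape), and ADMIN_PORTS and the trusted CIDR passed to restrict_admin_ingress are assumptions.

```python
"""Lint a CloudFormation template for security groups that expose admin ports
to the whole Internet, and produce a hardened copy before the template is
promoted to another environment.

Added example, not from the deck or from 2nd Watch. The template fragment is
constructed; ADMIN_PORTS and the trusted CIDR are assumptions.
"""
import copy
import json

ADMIN_PORTS = {22, 3389}            # SSH and RDP (assumed set of admin ports)
ANYWHERE = {"0.0.0.0/0", "::/0"}    # "the whole Internet" in IPv4 and IPv6

TEMPLATE_JSON = r"""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "WebSubnet": {"Type": "AWS::EC2::Subnet",
                  "Properties": {"VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.0.1.0/24"}},
    "WebTierSg": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "web tier",
        "VpcId": {"Ref": "Vpc"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
          {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "CidrIp": "10.0.0.0/16"}
        ]
      }
    }
  }
}
"""


def load_template():
    """Parse the constructed template exactly as a real template file would be."""
    return json.loads(TEMPLATE_JSON)


def _rule_cidr(rule):
    return rule.get("CidrIp") or rule.get("CidrIpv6")


def _admin_ports_covered(rule):
    """Admin ports that fall inside this ingress rule's port range."""
    if str(rule.get("IpProtocol", "-1")) == "-1":   # all protocols, all ports
        return sorted(ADMIN_PORTS)
    lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
    return sorted(p for p in ADMIN_PORTS if lo <= p <= hi)


def find_open_admin_ingress(template):
    """Return (resource name, rule index, ports) for every ingress rule that
    lets the whole Internet reach an admin port."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        rules = res.get("Properties", {}).get("SecurityGroupIngress", [])
        for i, rule in enumerate(rules):
            if _rule_cidr(rule) in ANYWHERE:
                ports = _admin_ports_covered(rule)
                if ports:
                    findings.append((name, i, ports))
    return findings


def restrict_admin_ingress(template, trusted_cidr):
    """Hardened deep copy: admin-port rules open to the Internet are re-scoped
    to trusted_cidr (for example the on-premises range behind the VPC VPN)."""
    fixed = copy.deepcopy(template)
    for name, i, _ in find_open_admin_ingress(fixed):
        rule = fixed["Resources"][name]["Properties"]["SecurityGroupIngress"][i]
        rule.pop("CidrIpv6", None)
        rule["CidrIp"] = trusted_cidr
    return fixed


if __name__ == "__main__":
    template = load_template()
    print(find_open_admin_ingress(template))  # [('WebTierSg', 1, [22])]
    hardened = restrict_admin_ingress(template, "192.168.0.0/16")  # assumed corporate range
    print(find_open_admin_ingress(hardened))  # []
```

The HTTPS rule is left alone because a web tier is meant to be reachable from anywhere; only the port-22 rule is re-scoped. Running the check on every commit of the template keeps the "repeatable build" property from also repeating the mistake.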

Page 48: Building Bulletproof Infrastructure on AWS

Disaster Recovery

Page 49: Building Bulletproof Infrastructure on AWS

Disaster Recovery on AWS

Classes of RTOs and the matching AWS Solution:

‣ Critical: real-time or near real-time availability (minutes); Tier 0 infrastructure, critical apps → High Availability or Warm Standby

‣ Major: applications to run the business (hours); Tier 1 infrastructure and apps → Pilot Light DR in AWS

‣ Minor: applications that can withstand a longer downtime (hours to days) → Backup and Recovery in AWS

Page 50: Building Bulletproof Infrastructure on AWS

Other DR Considerations on AWS

‣ “SAN like snapshots” of EBS storage allow recovery to a point in time within seconds – replicated across the entire region (3+ datacenters)

‣ Autoscaling and scripting allow backup server to be fully cost optimized

• Example: 2W Backup Server < $1 per month

‣ Pilot Light scenarios

Page 51: Building Bulletproof Infrastructure on AWS

HA Example

‣ HA at each tier

‣ Autoscaling at web and API tier to support dynamic site load

‣ High Data security requirements – HA at IDS, Log Mgmt and auditing tiers

‣ Can lose entire datacenter and maintain production load

Page 52: Building Bulletproof Infrastructure on AWS

Q&A

Page 53: Building Bulletproof Infrastructure on AWS

Brian L Whitt, Senior Cloud Executive

Contact Us

2nd Watch, [email protected]

Product [email protected]

2W [email protected]

2W [email protected]

SPOKANE AREA OFFICE: 2310 N Molter, Suite 103, Liberty Lake, WA 99019

SEATTLE OFFICE: 603 Stewart Street, Seattle, WA 98101

NEW YORK OFFICE: 1350 Ave of the Americas, 2nd Floor, New York, NY 10019

SAN FRANCISCO OFFICE: 505 Montgomery Street, Suite 1037, San Francisco, CA 94111