Cloud Migration, Application Modernization And Security For Partners

Transcription

Cloud Migration, Application Modernization and Security for Partners
Tom Laszewski, Matt Yanchyshyn
© 2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.

AWS Migration Methodology

Migration Challenges
- Not primary business activity
- Knowledge & training
- Migration experience
- Attempting too much at once
- People, process, technology
- Fear

Migration Methodology
Phases: Plan, Discover, Build, Run, Optimize
- Design: assessment & detailed migration plan (profiling, estimate effort, prioritization, security & risk assessment, data requirements & classification, business logic & infrastructure dependencies, app migration assessment)
- Transform: network topology, migrate, deploy, validate; re-hosting (lift & shift) or re-platforming (lift & reshape)
- Transition: pilot testing, transition to support, release management, cutover & decommission
- Run/Operate: staff training, monitoring, incident management, provisioning
- Optimize: monitoring-driven optimization, continuous integration and continuous deployment, app portfolio optimization

Planning your Migration
Migrating to the cloud can take one of many paths:
- Create cloud strategy
- Discover, assess (enterprise architecture and applications)
- Determine migration path: decommission; do not move; move the app infrastructure; move the application; vendor SaaS/PaaS (if available); rebuild application architecture
- Determine migration process: lift and shift (minimal change); refactor for AWS; recode app components; replatform (typically …); AWS VM Import; 3rd-party migration tools; manually move app and data
- Design and build the AWS environment; architect the AWS environment and deploy the app, migrate data
- Plan migration and sequencing; change management plan; identify ops changes; migration and UAT testing

End-state Architecture

Architecting your AWS Environment
Design and architecture of the cloud environment is important to enable cloud benefits such as agility and cost savings.
- Networking: convergence of on-premises and cloud, cloud-oriented protocols, IP scheme and addressing, VPC and account configuration
- Security: SSO, access policies, least privilege, audits, intrusion detection & prevention
- Governance: compliance, architecture standards, SLA/SLO, procurement, service catalogs, service desk integration
- Data management: RPO/RTO, retention policies, replication, storage optimization, ILM, data quality
- Management and monitoring: billing & cost management, configuration management, logging, monitoring, thresholds, notifications & alerting, application-level awareness

On-Premises Infrastructure Mapped to AWS
Technology: on-premises → AWS
- Network: VPN, MPLS → Amazon VPC, AWS Direct Connect
- Storage: DAS, SAN, NAS, SSD → Amazon EBS, Amazon S3, Amazon EC2 instance storage, distributed & clustered FS on Amazon EC2
- Compute: hardware, virtualization → Amazon EC2, Amazon ECS, AWS Lambda
- Content delivery: 3rd-party CDN → Amazon CloudFront
- Databases: MS SQL Server, MySQL, Oracle, DB2, PostgreSQL, MongoDB, … → Amazon RDS, Amazon DynamoDB, Amazon ElastiCache, DB software on Amazon EC2
- Load balancing: hardware and software load balancers → Amazon ELB, software load balancers
- Scaling & cluster management: hardware and software clustering tools → Auto Scaling, software clustering solutions
- DNS: BIND, Windows Server, 3rd-party → Amazon Route 53, 3rd-party DNS software on EC2

On-Premises Infrastructure Mapped to AWS (continued)
- Analytics & data warehouse: Hadoop, Vertica, Cassandra, specialized hardware and software → Amazon EMR, Amazon Redshift, software on Amazon EC2
- Messaging and workflow: RabbitMQ, ActiveMQ, Kafka, … → Amazon SQS, Amazon SNS, Amazon SWF, software on EC2
- Caching: Redis, Memcached, … → Amazon ElastiCache, Memcached, SAP HANA
- Archiving: tape library, off-site data storage → Amazon S3, Amazon Glacier
- Email: email software → Amazon SES
- Identity, authorization & authentication: AD/ADFS, LDAP, SAML, 3rd-party → AWS IAM/STS, Amazon Cognito, AWS Directory Service, AD & LDAP on Amazon EC2
- Deployment & configuration management: Chef, Puppet, Salt, Ansible, PowerShell DSC → AWS CloudFormation, AWS OpsWorks, AWS Elastic Beanstalk, AWS CodeDeploy, Amazon ECS, …
- Management and monitoring: CA, BMC, Rightscale → Amazon CloudWatch, AWS Config, AWS CloudTrail, AWS Trusted Advisor

Security comes first!

AWS is responsible for the security of the cloud:
- AWS Foundation Services: compute, networking; regions, edge locations

Customers configure their security in the cloud:
- Customer applications & content
- Platform, applications, identity & access management
- Operating system, network & firewall configuration
- Client-side data encryption; server-side data encryption; network traffic protection

AWS Security Offerings
- Auditability: compliance reports
- Visibility: Amazon CloudWatch, AWS CloudTrail, AWS Config, "Describe" APIs
- Control: AWS IAM, AWS CloudHSM, AWS CloudFormation, AWS KMS

Defense-in-Depth
- AWS: compliance program, third-party attestations, physical security
- System security: hardened AMIs, OS and app patch management, IAM roles for EC2, IAM credentials
- Network: security groups, web application firewalls, bastion hosts, VPC configuration
- Data security: encryption in transit, encryption at rest, logical access controls, user authentication

Encryption: Data at Rest
- Volume encryption: EBS encryption, AWS Marketplace/partner tools, OS tools
- Object encryption: S3 server-side encryption (SSE), S3 SSE with customer-provided keys, client-side encryption
- Database encryption: RDS, Redshift encryption, EBS

Built-In Firewall: Security Groups and NACLs
VPC security groups (mandatory):
- Instance level, stateful
- Supports ALLOW rules only
- Default deny inbound, allow outbound
- Use as "whitelist" – least privilege
VPC NACLs (optional):
- Subnet level, stateless
- Supports ALLOW and DENY
- Default allow all
- Use as "blacklist"/"guardrails" (e.g. ports 135, 21, 23)
Separation of duties; changes audited via AWS CloudTrail; additional cost for SGs/NACLs: $0.
[Diagram: security groups applied per customer (Customer 1 … Customer n) at the hypervisor's virtual interfaces, firewall at the physical interfaces]
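The two layers above differ in statefulness and in whether DENY exists, which changes how you reason about a packet. The following model is an added example (not from the deck) that encodes the slide's semantics: an allow-only, stateful security group behind a stateless, numbered NACL used as a guardrail for the slide's example ports; the CIDRs, ports and rule numbers are constructed.

```python
from dataclasses import dataclass, field
import ipaddress

@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" or "outbound", from the instance's point of view
    proto: str
    port: int
    peer: str       # remote IP address

@dataclass
class SecurityGroup:
    """Instance level, stateful, ALLOW rules only; default deny inbound, allow outbound."""
    inbound: list = field(default_factory=list)  # (proto, port, cidr) allow entries

    def permits(self, pkt, established=False):
        if pkt.direction == "outbound" or established:
            return True  # stateful: outbound and return traffic need no rule
        return any(pkt.proto == proto and pkt.port == port
                   and ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(cidr)
                   for proto, port, cidr in self.inbound)

@dataclass
class NetworkAcl:
    """Subnet level, stateless, numbered ALLOW/DENY rules; the default NACL allows all."""
    rules: list = field(default_factory=list)  # (number, direction, proto, port, cidr, action)

    def permits(self, pkt, established=False):
        # Stateless: 'established' is ignored, every packet is judged on its own.
        for _num, direction, proto, port, cidr, action in sorted(self.rules, key=lambda r: r[0]):
            if (direction == pkt.direction and proto in (pkt.proto, "all")
                    and port in (pkt.port, "all")
                    and ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(cidr)):
                return action == "allow"  # first matching rule decides
        return True  # the default NACL ends in an allow-all rule

def reaches_instance(pkt, nacl, sg, established=False):
    """Inbound traffic must pass the subnet NACL first, then the instance security group."""
    return nacl.permits(pkt, established) and sg.permits(pkt, established)

# Constructed example: the SG whitelists HTTPS from anywhere, plus SSH and a legacy
# telnet rule from a corporate range; the NACL is the guardrail for ports 135, 21, 23.
WEB_SG = SecurityGroup(inbound=[("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "10.0.0.0/8"),
                                ("tcp", 23, "10.0.0.0/8")])
GUARDRAIL_NACL = NetworkAcl(rules=[
    (100, "inbound", "tcp", 135, "0.0.0.0/0", "deny"),
    (110, "inbound", "tcp", 21, "0.0.0.0/0", "deny"),
    (120, "inbound", "tcp", 23, "0.0.0.0/0", "deny"),
])
```

Running telnet from the corporate range through both layers shows why the NACL is the guardrail: the security group's legacy allow rule is overridden by the subnet-level deny, which a security group alone could never express.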

AWS partner solutions extend & enhance security. Some examples:
- Cisco CSR (VPN)
- Sophos UTM (firewall, …)
- Alert Logic Web Security Manager (WAF)
- Alert Logic Threat Manager (NIDS)
- Trend Micro Deep Security (IDPS)
- Trend Micro SecureCloud (encryption)
- Dome9 SecOps (security group audit & management)

Migration Approach & Best Practices

Identifying Applications to Move
- Standalone applications are easy to move.
- Applications with loosely coupled, SOA-based integrations are good candidates.
- Tightly integrated applications need more planning.
- "Low hanging fruit": dev/test applications, self-contained web applications (LAMP stack), social media product marketing campaigns, training environments, pre-sales demo portals, software downloads, trial applications.
- Watch out for: 32-bit, non-Linux/Windows, multicast (Oracle RAC), client/server applications, engineered systems (Exadata, Netezza), massive file servers, vertically challenged software/applications.

Getting a bread box estimate: Minimum information
- Compute: number of servers/VMs including RAM, CPU, OS, and boot drive size (Amazon EC2)
- Storage mapping to transactional, backup, archival, and log/file system/applications (Amazon EBS, Amazon Glacier, and Amazon S3)
- Region where processing is happening
- Data transfer out for networking
- Internet or dedicated networking including security requirements (AWS Direct Connect and VPN)

Getting a bread box estimate: Nice to have
- Backup requirements for each workload that cannot be supported by EBS snapshots
- HA requirements for each workload (ELB, Route 53)
- Scalability requirements for each workload (ELB, Route 53, Auto Scaling, CloudFront)
- DR requirements for each workload
- Storage IOPS requirements for each workload
- Compute requirements for management/monitoring

Getting a bread box estimate: Really nice
- Workload stratification: file servers, security, RDBMS, ERP, big data, management/monitoring, etc.
- HIPAA and PCI requirements for each workload
- HPC requirements for each workload
- Extremely high CPU and memory requirements
- Top 3rd-party vendors for packaged apps (IDS/IPS, WAF, management, monitoring, logging, etc.)

Invest in Proof of Concept Early
- A proof of concept will answer tons of questions and get your feet wet with AWS quickly
- Helps identify gaps and touch points
- Gives you a good estimate of the migration costs
- Gives you a good estimate of the AWS runtime costs

Migrating Data into AWS Cloud
- File transfer to Amazon S3 or EC2 using S/FTP, SCP, UDP, Attunity
- NFS mount accessible from on-premises and AWS
- Configure on-premises backup application (like NetBackup, CA, CommVault, Riverbed) to use Amazon S3
- AWS Storage Gateway for asynchronous backup to Amazon S3
- AWS Import/Export service: ship your disk to AWS
- Database backup tools like Oracle Secure Backup
- Database replication tools like GoldenGate, DbVisit
- AWS Direct Connect: 100 Mbps to 10 Gbps

Migrating Data onto AWS
[Chart: data size* vs. time required (hours to days)]
- GBs: transfer to S3 over the Internet (one-time upload with constant delta updates)
- TBs: UDP transfer software (e.g., Aspera, Tsunami, …); Attunity CloudBeam; AWS Storage Gateway, Riverbed, NFS
- Larger data sets / days: AWS Import/Export
* relative to Internet bandwidth and latency

Enforce consistent security on your hosts
Configure and harden EC2 instances based on security and compliance needs:
- Hardening: operating system, user administration, restrict access where possible
- Host-based protection software: whitelisting and integrity, malware and HIPS
- Vulnerability management
- Audit and logging
- Connect to existing services
[Diagram: AMI catalog → launch instance (EC2) → configure instance → your running instance]

Separate static assets & move servers away from the edge
[Diagram: static assets served from Amazon S3 via CloudFront; inbound HTTP for dynamic content passes through CloudFront and a WAF before reaching the app servers; peering to the app tier]

Identity & Access Management
Create appropriate principals, authorization and privileges for AWS resources.
- AWS Identity and Access Management (IAM): users and groups
- Multi-Factor Authentication
- Principle of least privilege
- IAM administrative users vs. the root account
Note: Always associate the account owner ID with an MFA device and store it in a secured place!

AWS IAM Hierarchy of Privileges
Enforce the principle of least privilege with Identity and Access Management (IAM) users, groups, policies and temporary credentials.
- AWS account owner (root): unrestricted access to all enabled services and resources.
    Action: *, Effect: Allow, Resource: * (implicit)
- IAM users: access restricted by group and user policies, e.g.
    Action: ['s3:*', 'sts:Get*'], Effect: Allow, Resource: *
- Temporary credentials: access restricted by the generating identity and further by the policy used to generate the token, e.g.
    Action: ['s3:Get*'], Effect: Allow, Resource: 'arn:aws:s3:::mybucket/*'

Principle of least privilege with IAM
- Log in to an account with a less privileged user
  – Read-only
  – EC2 launch-only
- Change role for privileged actions
  – Administer IAM
  – Terminate instances
  – Delete snapshots
- Protection against accidents or mistakes (e.g. similar to DisableApiTermination = true)

Consolidate your IAM users
- Put all IAM users and groups in one account
- All other accounts use AWS IAM roles
Best practices:
- Tie into the consolidated billing hierarchy
- Users in the IAM account are only authorized to assume roles in other accounts
- No AWS-billable resources in this account

Governance through IAM policies
Two statements from the slide (the Resource and subnet ARNs were not legible and are shown as placeholders; the duplicated "StringEquals" key in the original is merged into one block so the condition is valid JSON):

    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "<resource ARN elided on slide>",
      "Condition": {
        "ArnNotEquals": {"ec2:Subnet": "<approved subnet ARN elided on slide>"}
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "<resource ARN elided on slide>",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/BillingCode": "4000",
          "ec2:ResourceTag/Environment": "Prod"
        }
      }
    }

- Deny RunInstances without the appropriate subnet
- Require RunInstances to use a specific AMI, subnet and security group
- Require RunInstances to have specific tags
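To see how the Deny and Allow statements above interact, here is an added example (not from the deck, and not AWS's evaluation engine) that implements the simplified IAM decision logic the slide relies on: an explicit Deny always wins, an Allow is needed for anything else, and the request is otherwise implicitly denied. The subnet ARN and account id are constructed placeholders, and only the two condition operators used on the slide are supported.

```python
import fnmatch

# Constructed stand-in for the approved subnet ARN that was elided on the slide.
ALLOWED_SUBNET = "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-EXAMPLE"

# The slide's two statements: explicit Deny for RunInstances outside the approved
# subnet, and an Allow that only matches when both required tags are present.
POLICY = [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"ArnNotEquals": {"ec2:Subnet": ALLOWED_SUBNET}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/BillingCode": "4000",
                                    "ec2:ResourceTag/Environment": "Prod"}}},
]

def condition_matches(condition, context):
    """Evaluate the subset of IAM condition operators used on the slide."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != wanted:
                    return False
            elif operator == "ArnNotEquals":
                # Negated operators are true when the key is absent, so a request
                # that carries no subnet at all still trips the Deny.
                if actual == wanted:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True

def evaluate(policy, action, resource, context):
    """Simplified IAM logic: explicit Deny wins, then any matching Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy:
        if not fnmatch.fnmatch(action, stmt["Action"]):
            continue
        if not fnmatch.fnmatch(resource, stmt["Resource"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision
```

A launch in the approved subnet with both tags evaluates to Allow; the same launch in any other subnet hits the Deny regardless of tags, and a launch in the approved subnet that is missing a tag falls through to the implicit deny because no Allow matched.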

Implementing "smart" AWS policies
The 5 W's of auditability:
- Who? What? – controlled by AWS IAM
- Where? When? – not controlled by IAM
- Why?
What we really want is an "if and only if" statement: you can deploy this change in production "if and only if" it actually worked in test.

Federate with AWS Directory Service & IAM
[Diagram: management account running AWS Directory Service; directory users and directory groups are mapped to IAM roles, e.g. IAM Admins → IAM Admin role, Read Only → Read Only role, EC2 Admin → EC2 Admin role, Group 'n' → Role 'n']

Case Studies

Case study 1: Cognizant & HIPAA

Case study 2: ScienceLogic & Kellogg

