Transcription
Cloud Migration, Application Modernization and Security for Partners
Tom Laszewski, Matt Yanchyshyn
2015, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Migration Methodology
Migration Challenges
- Not primary business activity
- Knowledge & training
- Migration experience
- Attempting too much at once
- People, process, technology
- Fear
Migration Methodology
- Plan / Discover: assessment & detailed migration plan; profiling; estimate effort; prioritization; security & risk assessment; data requirements & classification; business logic & infrastructure dependencies; app migration assessment
- Build / Design and Transform: network topology; migrate; deploy; validate (re-hosting (lift & shift), re-platforming (lift & reshape))
- Transition: pilot testing; transition to support; release management; cutover & decommission
- Run / Operate: staff training; monitoring; incident management; provisioning
- Optimize: monitoring-driven optimization; continuous integration and continuous deployment; app portfolio optimization
Planning your Migration
Migrating to the cloud can take one of many paths. The decision flow on the slide:
- Discover, assess (enterprise architecture and applications); create cloud strategy; determine migration path
- Possible paths: rebuild application architecture / refactor for AWS; move the app infrastructure (lift and shift, minimal change) using AWS VM Import, 3rd-party tools, or manually moving app and data; vendor S/PaaS (if available); decommission; do not move
- Application lift and shift: determine migration process; move the application (3rd-party migration tool, or manually move app and data)
- Refactor for AWS: recode app components; architect AWS environment and deploy app, migrate data
- Common steps: design, build AWS environment; change management plan; identify ops changes; migration and UAT testing; plan migration and sequencing
- Replatform (typically perate
End-state Architecture
Architecting your AWS Environment
Design and architecture of the cloud environment is important to enable cloud benefits such as agility and cost savings.
- Networking: convergence of on-premises and cloud; cloud-oriented protocols; IP scheme and addressing; VPC and account configuration
- Security: SSO; access policies; least privilege; audits
- Governance and data management: billing & cost management; RPO/RTO; service catalogs; compliance; configuration management; intrusion detection & prevention; architecture standards; logging; SLA/SLO; procurement; monitoring; notifications & alerting; retention policies; application-level replication awareness; storage threshold optimization; service desk; ILM integration; data quality
On-Premises Infrastructure Mapped to AWS (technology: on-premises -> AWS)
- Network: VPN, MPLS -> Amazon VPC, AWS Direct Connect
- Storage: DAS, SAN, NAS, SSD -> Amazon EBS, Amazon S3, Amazon EC2 instance storage, distributed & clustered FS on Amazon EC2
- Compute: hardware, virtualization -> Amazon EC2, Amazon ECS, Amazon Lambda
- Content delivery: 3rd-party CDN -> Amazon CloudFront
- Databases: MS SQL Server, MySQL, Oracle, DB2, PostgreSQL, MongoDB, ... -> Amazon RDS, Amazon DynamoDB, Amazon ElastiCache, DB software on Amazon EC2
- Load balancing: hardware and software load balancers -> Amazon ELB, software load balancers
- Scaling & cluster management: hardware and software clustering tools -> Auto Scaling, software clustering solutions
- DNS: BIND, Windows Server, 3rd-party -> Amazon Route 53, 3rd-party DNS software on EC2
- Analytics & data warehouse: Hadoop, Vertica, Cassandra, specialized hardware and software -> Amazon EMR, Amazon Redshift, software on Amazon EC2
- Messaging and workflow: RabbitMQ, ActiveMQ, Kafka, ... -> Amazon SQS, Amazon SNS, Amazon SWF, software on EC2
- Caching: Redis, Memcached, ... -> Amazon ElastiCache, Memcached, SAP Hana
- Archiving: tape library, off-site data storage -> Amazon S3, Amazon Glacier
- Email: email software -> Amazon SES
- Identity, authorization & authentication: AD/ADFS, LDAP, SAML, 3rd-party -> AWS IAM/STS, Amazon Cognito, Amazon Directory Service, AD & LDAP on Amazon EC2
- Deployment & configuration management: Chef, Puppet, Salt, Ansible, PowerShell DSC -> AWS CloudFormation, AWS OpsWorks, AWS Elastic Beanstalk, AWS CodeDeploy, AWS ECS
- Management and monitoring: CA, BMC, Rightscale -> Amazon CloudWatch, Amazon Config, Amazon CloudTrail, AWS Trusted Advisor
Security comes first!
AWS is responsible for the security of the cloud: the AWS foundation services (compute, networking, ...) and the AWS global infrastructure (regions, edge locations).
Customers configure their security in the cloud:
- Customer applications & content
- Platform, applications, identity & access management
- Operating system, network & firewall configuration
- Client-side data encryption; server-side data encryption; network traffic protection
AWS Security Offerings
- Auditability: compliance reports
- Visibility: AWS CloudWatch, AWS CloudTrail, AWS Config, "Describe" APIs
- Control: AWS IAM, AWS CloudHSM, AWS CloudFormation, AWS KMS
AWS security layers
- AWS Compliance Program: third-party attestations
- System security: hardened AMIs; physical defense-in-depth; OS and app patch management; IAM roles for EC2; IAM credentials; security groups; web application firewalls; bastion hosts
- Data security: encryption in transit; encryption at rest
- Network: VPC configuration; logical access controls; user authentication
Encryption: Data at Rest
- Volume encryption: EBS encryption; AWS Marketplace/partner; OS tools
- Object encryption: S3 server-side encryption (SSE); S3 SSE with customer-provided keys; client-side encryption
- Database encryption: RDS; Redshift encryption; EBS
Built-In Firewall: Security Groups and NACLs
- VPC Security Groups (mandatory)
  - Instance level, stateful
  - Supports ALLOW rules only
  - Default deny inbound, allow outbound
  - Use as “whitelist”: least privilege
- VPC NACLs (optional)
  - Subnet level, stateless
  - Supports ALLOW and DENY
  - Default allow all
  - Use as “blacklist”/“guardrails” (e.g. ports 135, 21, 23)
- Separation of duties
- Changes audited via AWS CloudTrail
- Additional cost for SGs/NACLs: 0
(Diagram: each customer's security groups are enforced at the hypervisor's virtual interfaces, with the firewall sitting between the virtual and physical interfaces.)
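As an added illustration (not code from the slides), the following Python models the two evaluation rules above: a stateful security group with allow-only inbound rules, and a stateless numbered NACL used as a guardrail. Addresses, ports and rule numbers are constructed, and the NACL's default action is a parameter so that the stateless return-traffic pitfall can be shown.

```python
"""Added illustration (not AWS code): how a stateful security group and a
stateless network ACL evaluate the same packets, following the slide's rules."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Packet(NamedTuple):
    direction: str   # "in" = toward the instance, "out" = from the instance
    proto: str       # "tcp" or "udp"
    port: int        # destination port of this packet
    peer: str        # remote IP address

class SecurityGroup:
    """Allow rules only; default deny inbound, allow outbound; stateful."""
    def __init__(self, inbound_allow):
        self.inbound_allow = inbound_allow   # list of (proto, port, cidr)

    def allows(self, pkt):
        if pkt.direction == "out":
            return True   # outbound, including replies, passes via state tracking
        return any(proto == pkt.proto and port == pkt.port
                   and ip_address(pkt.peer) in ip_network(cidr)
                   for proto, port, cidr in self.inbound_allow)

class NetworkAcl:
    """Numbered ALLOW/DENY rules, lowest matching number wins, stateless."""
    def __init__(self, inbound, outbound, default="allow"):
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}
        self.default = default   # the default NACL allows all, as the slide says

    def allows(self, pkt):
        for _num, action, proto, lo, hi in self.rules[pkt.direction]:
            if proto in (pkt.proto, "all") and lo <= pkt.port <= hi:
                return action == "allow"   # first match decides
        return self.default == "allow"

# Constructed sample: HTTPS allowed from one corporate range; the guardrail
# NACL blocks the ports named on the slide (135, 21, 23) for the whole subnet.
SG = SecurityGroup([("tcp", 443, "203.0.113.0/24")])
GUARDRAIL_NACL = NetworkAcl(
    inbound=[(100, "deny", "tcp", 135, 135), (110, "deny", "tcp", 21, 21),
             (120, "deny", "tcp", 23, 23)],
    outbound=[])
# A stricter NACL that only allows 443 each way and denies everything else:
# being stateless, it drops replies to a client's ephemeral port (e.g. 50123).
STRICT_NACL = NetworkAcl(inbound=[(100, "allow", "tcp", 443, 443)],
                         outbound=[(100, "allow", "tcp", 443, 443)], default="deny")

def evaluate(sg, nacl, pkt):
    """Both layers must allow a packet; returns (sg_ok, nacl_ok)."""
    return sg.allows(pkt), nacl.allows(pkt)
```

Run `evaluate(SG, STRICT_NACL, Packet("out", "tcp", 50123, "203.0.113.7"))` to see the security group pass the reply while the strict NACL drops it; the guardrail NACL lets it through because its default is allow.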
AWS partner solutions extend & enhance security. Some examples:
- Cisco CSR (VPN)
- Sophos UTM (firewall, )
- Alert Logic Web Security Manager (WAF)
- Alert Logic Threat Manager (NIDS)
- Trend Micro Deep Security (IDPS)
- Trend Micro SecureCloud (encryption)
- Dome9 SecOps (security group audit & management)
Migration Approach & Best Practices
Identifying Applications to Move
- Standalone applications are easy to move
- Applications with loosely coupled SOA-based integrations are good candidates
- Tightly integrated applications need more planning
- ‘Low hanging fruit’: dev/test applications, self-contained web applications (LAMP stack), social media product marketing campaigns, training environments, pre-sales demo portal, software downloads, trial applications
- Watch out for: 32-bit, non-Linux/Windows, multicast (Oracle RAC), client/server applications, engineered systems (Exadata, Netezza), massive file servers, vertically challenged software/applications
Getting a bread box estimate: Minimum information
- Compute: number of servers/VMs including RAM, CPU, OS, and boot drive size (Amazon EC2)
- Storage mapping to transactional, backup, archival, and log/file system/applications (Amazon EBS, Amazon Glacier, and Amazon S3)
- Region where processing is happening
- Data transfer out for networking
- Internet or dedicated networking including security requirements (Amazon Direct Connect and VPN)
Getting a bread box estimate: Nice to have
- Backup requirements for each workload that cannot be supported by EBS snapshots
- HA requirements for each workload (ELB, Route 53)
- Scalability requirements for each workload (ELB, Route 53, Auto Scaling, CloudFront)
- DR requirements for each workload
- Storage IOPS requirements for each workload
- Compute requirements for management/monitoring
Getting a bread box estimate: Really nice
- Workload stratification: file servers, security, RDBMS, ERP, big data, security, management/monitoring, etc.
- HIPAA and PCI requirements for each workload
- HPC requirements for each workload
- Extremely high CPU or memory requirements
- Top 3rd-party vendors for packaged apps (IDS/IPS, WAF, management, monitoring, logging, etc.)
Invest in Proof of Concept Early
- A proof of concept will answer tons of questions and get your feet wet with AWS quickly
- Will help identify gaps and touch points
- Gives you a good estimate of the migration costs
- Gives you a good estimate of the AWS runtime costs
Migrating Data into AWS Cloud
- File transfer to Amazon S3 or EC2 using S/FTP, SCP, UDP, Attunity
- NFS mount accessible from on premises and AWS
- Configure on-premises backup application (like NetBackup, CA, CommVault, Riverbed) to use Amazon S3
- AWS Storage Gateway for asynchronous backup to Amazon S3
- AWS Import/Export service: ship your disk to AWS
- Database backup tools like Oracle Secure Backup
- Database replication tools like GoldenGate, DbVisit
- AWS Direct Connect: 100 Mbps to 10 Gbps
Migrating Data onto AWS
Choose the transfer method by data size and the velocity required (relative to internet bandwidth and latency):
- GBs, one-time upload with constant delta updates: transfer to S3 over the internet
- TBs, hours to days: UDP transfer software (e.g., Aspera, Tsunami, ...), Attunity CloudBeam, AWS Storage Gateway, Riverbed, NFS
- Larger data sets or longer transfer times: AWS Import/Export
Enforce consistent security on your hosts
Configure and harden EC2 instances based on security and compliance needs:
- User administration
- Host-based protection software: whitelisting and integrity; malware and HIPS
- Restrict access where possible
- Vulnerability management
- Audit and logging
- Connect to existing services
- Hardening: operating system
(Diagram: launch instance from the AMI catalog -> configure instance -> your running EC2 instance.)
Separate static assets & move servers away from the edge
(Diagram: inbound HTTP enters via CloudFront; static assets are served from Amazon S3, while dynamic requests pass through a WAF and peering to the app tier.)
Identity & Access Management
Create appropriate principals, authorization and privileges for AWS resources.
- AWS Identity and Access Management (IAM)
- Users; multi-factor authentication
- Principle of least privilege
- IAM administrative users; root account
Note: Always associate the account owner ID with an MFA device and store it in a secured place!
AWS IAM Hierarchy of Privileges
Enforce the principle of least privilege with Identity and Access Management (IAM) users, groups, and policies and temporary credentials.
- AWS account owner (root): unrestricted access to all enabled services and resources. Implicit policy: Action: *, Effect: Allow, Resource: *
- IAM users: access restricted by group and user policies, e.g. Action: [‘s3:*’, ’sts:Get*’], Effect: Allow, Resource: *
- Temporary credentials: access restricted by the generating identity and further by the policies used to generate the token, e.g. Action: [‘s3:Get*’], Effect: Allow, Resource: ‘arn:aws:s3:::mybucket/*’
Principle of least privilege with IAM
- Log in to an account with a less privileged user
  - Read-only
  - EC2 launch-only
- Change role for privileged actions
  - Administer IAM
  - Terminate instances
  - Delete snapshots
- Protection against accidents or mistakes (e.g. similar to DisableApiTermination = true)
Consolidate your IAM users
- Put all IAM users and groups in one account
- All other accounts use AWS IAM roles
Best practices:
- Tie into the consolidated billing hierarchy
- Users in the IAM account are only authorized to assume roles in other accounts
- No AWS-billable resources in this account
Governance through IAM policies
Two example statements from the slide (the Resource and subnet ARN values are elided on the slide):
- Deny RunInstances without the appropriate subnet:
  "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": (elided), "Condition": {"ArnNotEquals": {"ec2:Subnet": (elided)}}
- Require RunInstances to have a specific AMI, subnet and security group, and to carry specific tags:
  "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": (elided), "Condition": {"StringEquals": {"ec2:ResourceTag/BillingCode": "4000", "ec2:ResourceTag/Environment": "Prod"}}
(Both tag keys belong in one StringEquals block; a JSON object cannot carry two "StringEquals" keys.)
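The slide's two statements can be exercised with the added evaluator below. It is not AWS's policy engine, only a simplified model of the explicit-deny / allow / implicit-deny order with the two condition operators the slide uses; the account ID and subnet ID in ALLOWED_SUBNET are placeholders, Resource matching is omitted, and the request contexts are constructed.

```python
"""Added example (not from the slides): a minimal evaluator for the two
RunInstances governance statements, applying explicit-deny-wins ordering.
Account id and subnet id below are constructed placeholders."""
import fnmatch

ALLOWED_SUBNET = "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-PLACEHOLDER"

POLICY = [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"ArnNotEquals": {"ec2:Subnet": ALLOWED_SUBNET}}},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"StringEquals": {"ec2:ResourceTag/BillingCode": "4000",
                                    "ec2:ResourceTag/Environment": "Prod"}}},
]

OPERATORS = {
    "StringEquals": lambda actual, wanted: actual == wanted,
    "ArnNotEquals": lambda actual, wanted: actual != wanted,
}

def condition_holds(condition, context):
    """All operator blocks and all keys in them must match (AND). A key absent
    from the request context is treated as a non-match in this simplified
    model; real IAM handles absent keys differently for negated operators."""
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            if key not in context or not OPERATORS[op](context[key], wanted):
                return False
    return True

def evaluate(policy, action, context):
    """IAM order of evaluation: any matching Deny wins, else a matching Allow,
    else implicit Deny. Resource matching is omitted (all statements use '*')."""
    decision = "Deny"
    for stmt in policy:
        if not fnmatch.fnmatch(action, stmt["Action"]):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Constructed request contexts, as the EC2 service would present them.
COMPLIANT = {"ec2:Subnet": ALLOWED_SUBNET, "ec2:ResourceTag/BillingCode": "4000",
             "ec2:ResourceTag/Environment": "Prod"}
WRONG_SUBNET = dict(COMPLIANT, **{"ec2:Subnet": ALLOWED_SUBNET.replace("PLACEHOLDER", "OTHER")})
UNTAGGED = {k: v for k, v in COMPLIANT.items() if not k.startswith("ec2:ResourceTag/")}
```

`evaluate(POLICY, "ec2:RunInstances", WRONG_SUBNET)` returns "Deny" through the explicit deny, while the untagged request is refused by the implicit deny because no Allow statement matches.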
Implementing “smart” AWS policies
- The 5 W’s of auditability:
  - Who? What? Where? When? (controlled by AWS IAM)
  - Why? (not controlled by IAM)
- What we really want is an “if and only if” statement: you can deploy this change in production “if and only if” it actually worked in test.
Federate with AWS Directory Service & IAM
(Diagram: in the management account, AWS Directory Service directory users and groups are mapped to IAM roles: IAM admins -> IAM admin role, read only -> read only role, EC2 admin -> EC2 admin role, group ‘n’ -> role ‘n’.)
Case Studies
Case study 1: Cognizant & HIPAA
Case study 2: ScienceLogic & Kellogg
SAN FRANCISCO