Posted: 21-Jan-2018 | Category: Technology | Uploaded by: cloudhealth-technologies
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
ENT318: Leveraging a Cloud Policy Framework - From Zero to Well Governed
Vikram Pillai, Chief Architect, CloudHealth Technologies
Who is CloudHealth Technologies?
• Deep Domain Expertise
• $86 Million in Venture Capital Raised
• 600+ Direct Customers
• 1,500+ Channel Customers through
• 85+ Partners
• 200+ Employees
• Headquartered in Boston, MA
• Offices located in San Francisco, Washington DC, London, Amsterdam, Tel Aviv, Sydney & Singapore
Global Customer Success
What to Expect from the Session
• Problem & Organizational Impact
• Solution: Cloud Policy Framework
• How CloudHealth implements the Cloud Policy Framework
• Governance as Code
• Examples (Security, Reliability, Cost/Performance)
• Next Steps
Benefits of AWS
• AWS Cloud has enabled business transformation
• Pace of change is accelerating
What is the Problem?
• As you scale your AWS environment a thoughtful governance approach becomes more and more important
• Governance: the people, criteria, processes and tools that ensure secure, effective and efficient use of IT resources
• Solved today: brute force
What is the Solution?
• Technology, not labor
• Continuous monitoring and action
• Capture Business rules
• Establish defined processes
• Automate business policies
• Adopt best practices
Journey to Governance: Adoption → Scaling → Management → Governance
Driving Successful Governance (balancing AGILITY and CONTROL)
• Establish strategy: decentralized management; central governance
• Focused team / expertise: cloud steward; center of excellence
• Definition/adoption: definition and management of policies; communication and buy-in
• Tooling: capturing and managing policies; data integration
• Runbook: define response; automation of workflow
• Reporting: executive-level health; enterprise-level adoption; operational view for management
Current Solution (BYOT)
• Amazon services: AWS Config & Config Rules, AWS CloudTrail, AWS CloudWatch, AWS Lambda, ...
• Open source tools: Cloud Custodian
• Custom applications: large investment; typically incomplete; continued commitment
• Commercial tools: domain specific (security); broader platforms
Challenges to BYOT
• Data integrations
• Extensibility
• Maintainability
• Capturing business priorities
• Adopting best practices
• Customizing for multiple targets
Set Unique Policies per Environment
Production
Staging
QA
Research
Types of Best Practice Policies to Consider
• Financial management policies
• Performance management policies
• Security and incident management policies
• Operational governance policies
• Asset & configuration management policies
• Cost optimization policies
Anatomy of a Policy
• Data being operated on
• A clearly defined condition
• Evaluation: true or false
• Actions to be taken
Policy Execution Flow: Data Streams → Trigger → Rule → Evaluation → Action
Components of Policy: Inputs / Data Sources
• Cloud assets, metrics, logs, events
Components of Policy: Triggers
• Schedules, event-based, state-driven
Components of Policy: Rules
• Upon the occurrence of a trigger, perform some logic against the input data
• Composite rules with many clauses, e.g. (A OR B) or ((A OR B) AND C)
Components of Policy: Actions & Remediation
• Email the owner of an asset
• Terminate EC2 instance
Governance as Code
• Need a centralized, programmatic approach
• Capture the entire policy as a self-contained, descriptive unit: data, trigger, condition, action, targets
• Portable and universal
• Serves as the system of record
Example: Security
Recommendation 1.3: Ensure credentials unused for 90 days or greater are disabled (Scored)
Ensure Credentials Unused for 90 Days or Greater are Disabled
Audit
Remediation
Example 1: CIS Unused Credentials
Policy Identity & Source
Policy Documentation
Policy Data Sources
Policy Triggers
Policy Condition
Policy Action
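The policy anatomy from the "Anatomy of a Policy", "Components of Policy: Rules" and "Governance as Code" slides, applied to Example 1, as an added example in Python (not code from the deck, from CloudHealth's product or from AWS): the CIS 1.3 policy is captured as one self-contained dict (identity and source, documentation, data source, trigger, composite condition, actions, targets) and audited against a constructed IAM credential report, with remediation produced as a dry-run plan rather than executed. The fixed evaluation time, the sample users, the trigger cadence, the target environments, the action names, and the choice to measure a never-used credential's age from the user's creation time are all assumptions of this example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Fixed evaluation time so the results are reproducible offline (assumed).
NOW = datetime(2017, 12, 1, tzinfo=timezone.utc)

# Constructed sample in the column layout of the IAM credential report (subset of
# columns; users and timestamps are made up). "N/A" and "no_information" are the
# report's markers for a credential that has never been used.
CREDENTIAL_REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::123456789012:user/alice,2016-01-05T00:00:00+00:00,true,2017-11-20T10:00:00+00:00,true,2017-11-25T08:30:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2016-03-01T00:00:00+00:00,true,2017-06-01T09:00:00+00:00,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2016-07-15T00:00:00+00:00,false,N/A,true,2017-05-10T12:00:00+00:00,true,2017-11-28T12:00:00+00:00
dave,arn:aws:iam::123456789012:user/dave,2017-02-01T00:00:00+00:00,true,no_information,true,N/A,false,N/A
erin,arn:aws:iam::123456789012:user/erin,2017-11-15T00:00:00+00:00,true,no_information,false,N/A,false,N/A
"""


def parse_ts(value):
    """Report timestamps are ISO 8601; the 'never used' markers parse to None."""
    if value in (None, "", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def evaluate(cond, row, now):
    """Evaluate a composite condition tree such as ((A OR B) AND C) against one row.

    Every node is a one-key dict: {"all": [...]}, {"any": [...]}, {"eq": [field, value]},
    {"never_used": field} or {"older_than_days": [field, n]}. Returns True or False.
    """
    op, arg = next(iter(cond.items()))
    if op == "all":
        return all(evaluate(c, row, now) for c in arg)
    if op == "any":
        return any(evaluate(c, row, now) for c in arg)
    if op == "eq":
        return row.get(arg[0]) == arg[1]
    if op == "never_used":
        return parse_ts(row.get(arg)) is None
    if op == "older_than_days":
        ts = parse_ts(row.get(arg[0]))
        return ts is not None and now - ts >= timedelta(days=arg[1])
    raise ValueError(f"unknown operator: {op}")


def unused_credential(enabled_field, last_used_field, days):
    """enabled AND (last used >= days ago OR (never used AND user created >= days ago)).

    Measuring a never-used credential from user_creation_time is this example's assumption.
    """
    return {"all": [
        {"eq": [enabled_field, "true"]},
        {"any": [
            {"older_than_days": [last_used_field, days]},
            {"all": [{"never_used": last_used_field},
                     {"older_than_days": ["user_creation_time", days]}]},
        ]},
    ]}


# The whole policy as one descriptive unit, mirroring the deck's component list.
POLICY = {
    "id": "cis-aws-1.3-unused-credentials",
    "source": "CIS AWS Foundations Benchmark, recommendation 1.3 (Scored)",
    "documentation": "Ensure credentials unused for 90 days or greater are disabled",
    "data": "iam.credential_report",
    "trigger": {"type": "schedule", "every": "24h"},   # cadence assumed
    "targets": ["production", "staging"],              # environments assumed
    "checks": {                                        # one condition per credential type
        "password": unused_credential("password_enabled", "password_last_used", 90),
        "access_key_1": unused_credential("access_key_1_active", "access_key_1_last_used_date", 90),
        "access_key_2": unused_credential("access_key_2_active", "access_key_2_last_used_date", 90),
    },
    "actions": ["email_owner", "disable_credential"],  # action names are illustrative
}


def audit(policy, report_csv, now):
    """Audit step: one violation record per (user, credential) whose condition is true."""
    violations = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for credential, cond in policy["checks"].items():
            if evaluate(cond, row, now):
                violations.append({
                    "policy": policy["id"], "user": row["user"], "arn": row["arn"],
                    "credential": credential, "evaluated_at": now.isoformat(),
                    "snapshot": dict(row),  # evidence kept to justify the finding later
                })
    return violations


def plan_remediation(policy, violations):
    """Remediation step as a dry run: the action records the policy would dispatch."""
    return [{"action": action, "user": v["user"], "credential": v["credential"]}
            for v in violations for action in policy["actions"]]
```

Running `audit(POLICY, CREDENTIAL_REPORT_CSV, NOW)` flags bob's password (last used in June), carol's first access key (last used in May) and both of dave's never-used credentials on an account created ten months earlier, while erin's never-used password on a two-week-old user passes; `plan_remediation` then yields one record per action per finding, which is the point at which a real engine would email the owner and call IAM to deactivate the credential.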
Example 2: Well-Architected Framework
Data Source
Trigger
Condition
Actions
Example 3: Custom Cost & Usage Policy
Best Practices for Policy Authoring and Management
• Iterate: start with basic elements and add/evolve
• Manage like any code: use version control to understand history and roll back
• Leverage best practices: implemented once and kept up to date
• Share: build a community library; open repository (with reviews)
Governance Reporting: Measuring Success
• Operational: snapshot at time of violation (enough data to justify the occurrence of the event); kept for historical analysis
• Business unit: list of assets that are non-compliant with a given policy, grouped by owners
• Executive/Health: BU-level aggregate stats (# of assets out of compliance)
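The three reporting levels above, as an added example in Python (not code from the deck or from CloudHealth's product): violation records of the kind a policy engine emits are shaped into the operational evidence for one asset, the business-unit list grouped by owner, and the executive per-BU aggregate, plus a delta against an earlier snapshot for trending. The records, the owner and business-unit tags, the policy ids and the earlier snapshot are all constructed for this example.

```python
from collections import defaultdict

# Constructed violation records; owner and business unit are assumed to come from
# asset tags, and the snapshot is the evidence captured at evaluation time.
VIOLATIONS = [
    {"policy": "cis-aws-1.3-unused-credentials", "asset": "user/bob", "owner": "alice@example.com",
     "bu": "Retail", "observed": "2017-12-01", "snapshot": {"credential": "password",
     "password_last_used": "2017-06-01T09:00:00+00:00"}},
    {"policy": "cis-aws-1.3-unused-credentials", "asset": "user/dave", "owner": "frank@example.com",
     "bu": "Retail", "observed": "2017-12-01", "snapshot": {"credential": "password",
     "password_last_used": "no_information"}},
    {"policy": "cis-aws-1.3-unused-credentials", "asset": "user/dave", "owner": "frank@example.com",
     "bu": "Retail", "observed": "2017-12-01", "snapshot": {"credential": "access_key_1",
     "access_key_1_last_used_date": "N/A"}},
    {"policy": "wa-ebs-volume-unencrypted", "asset": "vol-0a1b2c3d", "owner": "alice@example.com",
     "bu": "Retail", "observed": "2017-12-01", "snapshot": {"encrypted": "false"}},
    {"policy": "cost-idle-instance", "asset": "i-0d3e4f5a", "owner": "grace@example.com",
     "bu": "Payments", "observed": "2017-12-01", "snapshot": {"cpu_avg_14d": "1.2"}},
]

# Constructed earlier executive snapshot, kept for trending.
PREVIOUS_EXECUTIVE_VIEW = ("2017-11-29", {"Retail": 5, "Payments": 2})


def operational_view(violations, asset):
    """Operational level: the retained evidence snapshots for one asset, oldest first."""
    return sorted(
        ({"observed": v["observed"], "policy": v["policy"], **v["snapshot"]}
         for v in violations if v["asset"] == asset),
        key=lambda r: (r["observed"], r["policy"]))


def business_unit_view(violations, policy_id):
    """Business-unit level: non-compliant assets for one policy, grouped by owner."""
    by_owner = defaultdict(set)
    for v in violations:
        if v["policy"] == policy_id:
            by_owner[v["owner"]].add(v["asset"])
    return {owner: sorted(assets) for owner, assets in sorted(by_owner.items())}


def executive_view(violations):
    """Executive level: distinct assets out of compliance per business unit."""
    assets = defaultdict(set)
    for v in violations:
        assets[v["bu"]].add(v["asset"])
    return {bu: len(a) for bu, a in sorted(assets.items())}


def trend(previous, current):
    """Per-BU change between two executive snapshots; negative means fewer violations."""
    _, prev = previous
    return {bu: current.get(bu, 0) - prev.get(bu, 0) for bu in sorted(set(prev) | set(current))}
```

`business_unit_view` deduplicates by asset, so dave's two credential findings appear as one non-compliant asset under his owner; `executive_view` counts assets rather than findings for the same reason, and `trend` compared with the earlier snapshot is the metric to watch as remediation is tightened over time.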
How to Get Started
• Establish strategy
• Define Governance Policies
• Adopt best practices
• Automate evaluation of policies
• Systematically become more aggressive in remediation over time
• Track and trend governance metrics