Building Bulletproof Infrastructure on AWS
Post on 13-Dec-2014
Agenda
1. What’s new at AWS?
2. Cloud Consumers / Cloud Adoption
3. Building Bulletproof Infrastructure
4. Q&A
5. Introduction to 2nd Watch
6. Lunch with 2W Insight Billing Application Demo
Our Mission
“The mission of 2nd Watch is to bring enterprise Cloud technology to organizations of all sizes to enable cost and technology efficiencies and power innovation.”
‣ Cloud Enablement
• Services (strategy, architecture, build, migration and support) to enable Cloud adoption
‣ Software to optimize
• Billing and Usage
• Demand Management
2nd Watch Overview
2nd Watch Associates
‣ Microsoft Certified
‣ Virtualization
‣ Remote Desktop Services
‣ ITIL Certified
‣ CISSP
‣ Enterprise Experience
‣ Microsoft – Toshiba - IBM
‣ Continental Airlines
‣ Iron Mountain
‣ Ambassadors Group
‣ Production Hosting
‣ Security and Compliance
‣ Technical Competency & Reseller
‣ Excellence in Operations
‣ Customer Testimonials
‣ Technical Competency
‣ Office 365
Microsoft and 2nd Watch
‣ Recognized for expertise in implementing Office 365
‣ # of seats, # of deals, customer references, etc.
‣ SharePoint Online
‣ Implementing complex O365
‣ Hybrid Environment (Part on-premise, part cloud)
‣ Single Sign on with existing Active Directory
‣ Advanced archiving, legal compliance
Core Offering: Full Lifecycle
Strategy & Roadmaps
‣ Identify Need
‣ Formulate the Strategy
‣ Identify goals
‣ Identify all considerations
‣ Get team buy in
Cloud Assessments
‣ TCO
‣ Hardware
‣ Applications
‣ Customer experience
‣ Personnel needs
‣ Contract negotiations
‣ Security
Cloud Architecture
‣ Deep dive
‣ Operational toolsets
‣ High level diagrams
‣ POC
‣ Cost analysis
‣ Enterprise designs
‣ Architect for failure
‣ Build HA
Build & Migrations
‣ Seamless migrations
‣ Testing
‣ As Built detailed doc
Support Services
‣ Performance optimization
‣ Cost optimization
‣ Managed services
‣ Account management
Examples of starting points
‣ Web Applications
‣ Batch Processing systems
‣ Content Management Systems
‣ Digital Asset Management Systems
‣ Log Processing Systems
‣ Collaborative Tools
‣ Big Data Analytics Platforms
2nd Watch Cloud Migration Process
Phases: Business Requirements → Deep Dives → High Level Design (HLD) → Detailed Design (DLD) → Build (Dev) → Data Migration → User Acceptance Testing (UAT) → Go-Live → Optimize
Project Deliverables (per phase): Analysis; 1) Mockups 2) Environment Designs 3) Data Flow; 1) Wireframes 2) As Built 3) AWS Run-IT; Project Builds; Production Data; User Sign-off; Go Live!; Start maximizing savings
Update: What’s New at AWS
Amazon Glacier: infinite archival storage
Amazon Glacier for Long Term Archive
‣ Secure and Cost effective Offsite data archiving
‣ Tape Replacement for backup and recovery
‣ Long term digital preservation for historical and digital information
The Scale of AWS: Amazon S3 Growth
Total Number of Objects Stored in Amazon S3:
‣ Q4 2006: 2.9 Billion
‣ Q4 2007: 14 Billion
‣ Q4 2008: 40 Billion
‣ Q4 2009: 102 Billion
‣ Q4 2010: 262 Billion
‣ Q4 2011: 762 Billion
‣ Later points on the chart (no quarter given): 905 Billion, 1 Trillion
Peak Requests: 750,000+ per second
Other Recent “IT” Items
‣ Elastic Load Balancing – Internal to VPN
‣ Support for Static Routes for VPC VPN
• Enables non BGP Based AWS Supported VPN connection
‣ Provisioned IOPs
• Enables High Performance Databases
‣ Reserved Instance Marketplace
TCO Calculator
Total Cost of Ownership Comparison for Web Applications
AWS Global Infrastructure
AWS Regions and AWS Edge Locations
‣ GovCloud (US ITAR Region)
‣ US West (Northern California)
‣ US West (Oregon)
‣ US East (Northern Virginia)
‣ South America (Sao Paulo)
‣ EU (Ireland)
‣ Asia Pacific (Singapore)
‣ Asia Pacific (Tokyo)
CLOUD CONSUMERS / CLOUD ADOPTION
Powering the Most Popular Internet Businesses
Trusted by Enterprises
And Government Agencies
What Enterprises are Running on AWS
‣ Business Applications
‣ Web Applications
‣ Big Data & High Performance Computing
‣ Disaster Recovery & Archive
Common Concerns (Concern / How we address)
‣ AWS is a mystery / Training and Certifications
‣ Security / Shared Responsibility
‣ Accessibility / IAM, ACL’s, Logging, etc.
‣ Control / You own the app!
‣ Cost / TCO support
‣ All or nothing? / Hybrid Models
AWS Architecture to Support Your Application
Architecture Templates for Common Patterns
aws.amazon.com/architecture
MICROSOFT SHAREPOINT
Building Bulletproof Infrastructure on AWS
Shared Responsibilities
AWS
‣ Facilities
‣ Physical Security
‣ Physical infrastructure
‣ Network Infrastructure
‣ Virtualization Infrastructure
2nd Watch or Customer
‣ Architecture Build
‣ Engineering Build
‣ Security Groups
‣ Firewalls
‣ Network Configuration
‣ Monitoring and Reporting
‣ Operating System
Customer
‣ Application
‣ Application Development
‣ Application Fixes/Patches
‣ Customer Contact
‣ Compliance
Security on AWS
In the Cloud, Security is a Shared Responsibility
1. Infrastructure Security (how we secure our infrastructure): SAS 70 Type II Audit, ISO 27001/2 Certification, PCI DSS 2.0 Level 1-5, HIPAA/SOX Compliance, FISMA Moderate, FedRAMP / GSA ATO
2. Application Security (how can you secure your application and what is your responsibility?): Encrypt data in transit, Encrypt data at rest, Protect your AWS Credentials, Rotate your keys, Secure your OS and applications
3. Services Security (what security options and features are available to you?): Enforce IAM policies, Use MFA, VPC, Leverage S3 bucket policies, EC2 Security groups, EFS in EC2, etc.
Built for Enterprise Security Standards
Certifications
‣ SOC 1 Type 2 (Formerly SAS-70)
‣ ISO 27001
‣ PCI DSS for EC2, S3, EBS, VPC, RDS, ELB, IAM
‣ FISMA Moderate Compliant Controls
‣ HIPAA & ITAR Compliant Architecture
Physical Security
‣ Datacenters in nondescript facilities
‣ Physical access strictly controlled
‣ Must pass two-factor authentication at least twice for floor access
‣ Physical access logged and audited
HW, SW, Network
‣ Systematic change management
‣ Phased updates deployment
‣ Safe storage decommission
‣ Automated monitoring and self-audit
‣ Advanced network protection
Physical Security of Data Centers
‣ Amazon has been building large-scale data centers for many years
‣ Important attributes
• Nondescript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth
‣ Controlled, need-based access
‣ All access is logged and reviewed
‣ Separation of Duties
• Employees with physical access don’t have logical privileges
EC2 Security
‣ Host operating system
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited
‣ Guest (a.k.a. Instance) operating system
• Customer controlled (customer owns root/admin)
• AWS admins cannot log in
• Customer-generated keypairs
‣ Stateful firewall
• Mandatory inbound firewall, default deny mode
• Customer controls configuration via Security Groups
‣ Signed API calls
• Require X.509 certificate or customer’s secret AWS key
Amazon EC2 Instance Isolation
Diagram: Physical Interfaces → Hypervisor → Firewall → Virtual Interfaces; Customer 1, Customer 2 … Customer n, each behind their own Security Groups
Network Traffic Flow Security
Diagram: Inbound Traffic → Amazon Security Groups → OS Firewall → instance (Encrypted File System, Encrypted Swap File)
Headline: Always use VPC!
‣ Security Groups
• Inbound traffic must be explicitly specified by protocol, port, and security group
• VPC adds outbound filters
‣ VPC also adds Network Access Control Lists (ACLs): inbound and outbound stateless filters
‣ OS Firewall (e.g., iptables) may be implemented
• Completely user controlled security layer
• Granular access control of discrete hosts
• Logging network events
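The difference between a stateful security group and a stateless VPC network ACL is easy to state and easy to get wrong in practice. The following is an added example, not part of the deck or any 2nd Watch or AWS code: it models both filters in plain Python over constructed rules (no AWS calls), then traces one TCP connection through them. The sample addresses, ports and rule numbers are all made up for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One firewall rule. `action` and `number` only matter for NACLs,
    which are ordered allow/deny lists; security groups are allow-only."""
    protocol: str        # "tcp", "udp" or "-1" (all protocols)
    port_from: int
    port_to: int
    cidr: str            # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"
    number: int = 0


def _matches(rule, protocol, port, remote_ip):
    if rule.protocol not in ("-1", protocol):
        return False
    if not rule.port_from <= port <= rule.port_to:
        return False
    return ip_address(remote_ip) in ip_network(rule.cidr)


def security_group_allows(rules, protocol, port, remote_ip):
    """Security groups: explicit allow-list, implicit deny, stateful
    (the reply to allowed traffic is let through without any rule)."""
    return any(_matches(r, protocol, port, remote_ip) for r in rules)


def nacl_allows(rules, protocol, port, remote_ip):
    """Network ACLs: rules are evaluated in ascending rule number and the
    first match wins; no match falls through to the implicit deny ('*')."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, remote_ip):
            return rule.action == "allow"
    return False


def tcp_connection_allowed(client_ip, client_port, server_port,
                           sg_inbound, nacl_inbound, nacl_outbound):
    """Trace one TCP connection from a client to an instance in a VPC subnet.
    The SYN must pass the subnet NACL inbound and the instance's security group.
    The reply rides the security group's connection state, but the NACL is
    stateless: its outbound rules must allow the reply to the client's
    ephemeral port, or the connection hangs after the SYN."""
    request_ok = (nacl_allows(nacl_inbound, "tcp", server_port, client_ip)
                  and security_group_allows(sg_inbound, "tcp", server_port, client_ip))
    reply_ok = nacl_allows(nacl_outbound, "tcp", client_port, client_ip)
    return request_ok and reply_ok


# Constructed sample configuration (not from the deck): a website tier that
# should accept HTTPS from anywhere and nothing else.
SG_WEB = [Rule("tcp", 443, 443, "0.0.0.0/0")]
NACL_IN = [
    Rule("tcp", 22, 22, "198.51.100.0/24", "deny", 90),    # deny SSH from one range first...
    Rule("tcp", 22, 22, "0.0.0.0/0", "allow", 100),        # ...then allow SSH from elsewhere
    Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 110),
]
NACL_OUT_BROKEN = [Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)]   # no reply path
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 110)]


def demo():
    """Which sample connections succeed, keyed by what each case shows."""
    return {
        "https_broken_nacl": tcp_connection_allowed("203.0.113.10", 51515, 443,
                                                    SG_WEB, NACL_IN, NACL_OUT_BROKEN),
        "https_fixed_nacl": tcp_connection_allowed("203.0.113.10", 51515, 443,
                                                   SG_WEB, NACL_IN, NACL_OUT_FIXED),
        "ssh_blocked_by_sg": tcp_connection_allowed("203.0.113.10", 51516, 22,
                                                    SG_WEB, NACL_IN, NACL_OUT_FIXED),
        "ssh_denied_by_nacl_order": nacl_allows(NACL_IN, "tcp", 22, "198.51.100.5"),
        "ssh_passes_nacl_elsewhere": nacl_allows(NACL_IN, "tcp", 22, "203.0.113.10"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The HTTPS case fails with the first outbound NACL even though the security group and the inbound NACL both allow port 443: the reply to the client's ephemeral port is dropped by the stateless filter. The SSH cases show the other two behaviours the slide describes: the security group's default deny stops anything not listed, and in a NACL the lowest-numbered matching rule decides regardless of later rules.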
Network Security Considerations
‣ Distributed Denial of Service (DDoS):
• Standard mitigation techniques in effect
‣ Man in the Middle (MITM):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot
‣ IP Spoofing:
• Prohibited at host OS level
‣ Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Inbound ports blocked by default
‣ Packet Sniffing:
• Promiscuous mode is ineffective
• Protection at hypervisor level
Data Security Example: AWS Customer Data on AWS
‣ All storage devices follow process
• DoD 5220.22-M (“National Industrial Security Program Operating Manual”)
• NIST 800-88 (“Guidelines for Media Sanitization”)
‣ Upon decommission
• Degaussed
• Physically destroyed
‣ S3 data encrypted at rest
‣ No public interface to servers/data
‣ All Datacenter traffic is encrypted
‣ File System and/or database encryption available as needed
AWS Identity and Access Management (IAM)
‣ Users and Groups within Accounts
‣ Unique security credentials
• Access keys
• Login/Password
• Optional MFA device
‣ Policies control access to AWS APIs
‣ API calls must be signed by either:
• X.509 certificate
• Secret key
‣ Deep integration into some Services
• S3: policies on objects and buckets
• SimpleDB: domains
‣ AWS Management Console supports user log on
‣ Not for Operating Systems or Applications
• Use LDAP, Active Directory/ADFS, etc.
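Both the EC2 Security slide and the IAM slide say API calls must be signed with the customer's secret key. What that means in practice is an HMAC chain: the secret itself is never sent, only a signature over the request that the service recomputes. The block below is an added example, not from the deck and not AWS's own client library; it implements the AWS Signature Version 4 derivation (HMAC-SHA256 over date, region, service, then "aws4_request") against a constructed canonical request, using the placeholder secret key from the AWS documentation. The request contents and dates are made up for the illustration.

```python
import hashlib
import hmac


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Signature Version 4 key derivation. The long-lived secret never leaves
    the client; each hop narrows the key to one day, region and service, so a
    leaked derived key is far less useful to an attacker than the secret."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def string_to_sign(amz_date: str, region: str, service: str, canonical_request: str) -> str:
    """Binds the algorithm, timestamp, credential scope and request hash together."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    request_hash = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, request_hash])


def sign_request(secret_key, amz_date, region, service, canonical_request) -> str:
    """Client side: the hex signature that is sent in the Authorization header."""
    key = derive_signing_key(secret_key, amz_date[:8], region, service)
    sts = string_to_sign(amz_date, region, service, canonical_request)
    return hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_signature(secret_key, amz_date, region, service, canonical_request, presented) -> bool:
    """Server side: recompute from the shared secret and compare in constant time.
    Any change to the request, date, region or service changes the expected value."""
    expected = sign_request(secret_key, amz_date, region, service, canonical_request)
    return hmac.compare_digest(expected, presented)


# Constructed request. The secret is the placeholder AWS uses in its documentation.
SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
AMZ_DATE = "20120215T000000Z"
CANONICAL_REQUEST = "\n".join([
    "GET", "/", "Action=ListUsers&Version=2010-05-08",
    "host:iam.amazonaws.com", "x-amz-date:" + AMZ_DATE, "",
    "host;x-amz-date",
    hashlib.sha256(b"").hexdigest(),     # hash of the empty request body
])


def demo():
    sig = sign_request(SECRET, AMZ_DATE, "us-east-1", "iam", CANONICAL_REQUEST)
    tampered = CANONICAL_REQUEST.replace("ListUsers", "CreateUser")
    return {
        "signature": sig,
        "valid": verify_signature(SECRET, AMZ_DATE, "us-east-1", "iam", CANONICAL_REQUEST, sig),
        "tampered_rejected": not verify_signature(SECRET, AMZ_DATE, "us-east-1", "iam", tampered, sig),
        "other_region_rejected": not verify_signature(SECRET, AMZ_DATE, "us-west-2", "iam",
                                                      CANONICAL_REQUEST, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The two rejection cases are the defender's takeaways: a signature captured in transit cannot be replayed against a modified request, and a derived key scoped to one region and day cannot sign for another. Rotating the secret (the "Rotate your keys" item on the Security on AWS slide) invalidates every derived key at once.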
AWS Multi-Factor Authentication
‣ Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
‣ Additional protection for account information
‣ Works with
• Master Account
• IAM Users
‣ Integrated into
• AWS Management Console
• Key pages on the AWS Portal
• S3 (secure Delete)
A recommended opt-in security feature!
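The IAM slide says policies control access to AWS APIs, and the MFA slide recommends MFA as an opt-in layer; the two meet when a policy makes a sensitive action conditional on MFA. The following is an added example, not from the deck or from AWS: a small evaluator in Python that applies the IAM decision rules (implicit deny by default, explicit Deny beats any Allow, `*` and `?` wildcards) to constructed policy documents, with the `aws:MultiFactorAuthPresent` condition key. The bucket name, account id and object key are placeholders made up for the illustration.

```python
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # IAM treats * and ? as wildcards in Action and Resource elements
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Supports the operators needed for an MFA gate. The ...IfExists variants
    pass when the key is absent from the request context, which is why AWS
    recommends BoolIfExists for aws:MultiFactorAuthPresent: a plain Bool test
    never matches a request that carries no MFA information at all."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            actual = str(context[key])
            wanted = [str(v) for v in _as_list(expected)]
            if base == "Bool":
                if actual.lower() not in [w.lower() for w in wanted]:
                    return False
            elif base == "StringEquals":
                if actual not in wanted:
                    return False
            else:
                raise ValueError(f"operator {operator} not modelled here")
    return True


def evaluate_request(policies, action, resource, context):
    """Simplified IAM decision: default deny; an explicit Deny beats any Allow."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches_any(stmt["Action"], action):
                continue
            if not _matches_any(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


# Constructed policies (not from the deck): a billing-data bucket whose objects
# may be read or written freely, but deleted only when MFA was used to sign in.
BUCKET_OBJECTS = "arn:aws:s3:::example-billing-data/*"
POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": BUCKET_OBJECTS}]},
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny",
         "Action": "s3:DeleteObject",
         "Resource": BUCKET_OBJECTS,
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]},
]
REPORT = "arn:aws:s3:::example-billing-data/2012/report.csv"


def demo():
    return {
        "read_without_mfa": evaluate_request(POLICIES, "s3:GetObject", REPORT, {}),
        "delete_with_mfa": evaluate_request(POLICIES, "s3:DeleteObject", REPORT,
                                            {"aws:MultiFactorAuthPresent": "true"}),
        "delete_without_mfa": evaluate_request(POLICIES, "s3:DeleteObject", REPORT,
                                               {"aws:MultiFactorAuthPresent": "false"}),
        "delete_key_absent": evaluate_request(POLICIES, "s3:DeleteObject", REPORT, {}),
        "unrelated_action": evaluate_request(POLICIES, "iam:CreateUser",
                                             "arn:aws:iam::123456789012:user/alice", {}),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `delete_key_absent` case is the one to notice: with a plain `Bool` operator the Deny would not match a request that carries no MFA key at all, and the earlier Allow would win. `BoolIfExists` closes that gap, which is the form to use when MFA is meant to be mandatory rather than merely preferred.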
AWS Security and Compliance Center (http://aws.amazon.com/security/)
‣ Answers to many security & privacy questions
• Security whitepaper
• Risk and Compliance whitepaper
‣ Security bulletins
‣ Customer penetration testing
‣ Security best practices
‣ More information on:
• AWS Identity & Access Management (AWS IAM)
• AWS Multi-Factor Authentication (AWS MFA)
Foundation Concepts
High Availability on AWS
‣ Plan for failure at any level
‣ Services within a Datacenter (AZs) can fail
‣ Regions are N+2 (minimum)
‣ Reserve capacity (the other side of Reserved Instances)
‣ Use AWS Services that scale across AZs
• VPC, S3, ELB, RDS, etc.
‣ Chaos Monkey: now available
Fault-Tolerant Front-end Systems
Services: Auto Scaling, Amazon CloudFront, Amazon CloudWatch, Amazon Route 53, Elastic IP, AWS Elastic Beanstalk, Elastic Load Balancer
‣ Addressing: Route 53, EIP
‣ Distribution: Multi-AZ, ELB, CloudFront
‣ Redundancy: Auto Scaling
‣ Monitoring: CloudWatch
‣ Platform: Elastic Beanstalk
Fault-Tolerant Front-end Systems
Services: Amazon Relational Database Service (RDS), Amazon Simple Storage Service (S3), Amazon Elastic MapReduce, Amazon SimpleDB, Amazon ElastiCache, Amazon DynamoDB
‣ S3
‣ SimpleDB
‣ EMR
‣ DynamoDB
‣ RDS
VPC
AWS Virtual Private Cloud
‣ Virtual Private Cloud (VPC) enables two important things:
• Local Subnet addressing
• Virtual Private Network (VPN) connections
‣ There are 4 possible VPC scenarios:
• Public Subnet Only
• Public and Private Subnets
• Public and Private Subnets with VPN
• Private Subnet Only with VPN
Use VPC to add Capacity
Use AWS VPC to connect via IPSec VPN to your existing Datacenter
Diagram: Users or Customers → Customer Datacenter → VPN → EC2 Instances in Availability Zone 1
Use VPC to host customer facing applications
Use AWS as a production hosting platform
Diagram: Users or Customers → EC2 Instances in Availability Zone 1 and Availability Zone 2; VPN back to the Customer Datacenter
VPC = Additional Security
‣ Create an Access Control List (ACL) for EC2 Instances
‣ Create groups to manage types of servers
• Example:
- Website Tier
- Database Tier
‣ Use Network Security Groups to secure subnet traffic
• Example:
- Trusted
- Untrusted
Connect your VPC via VPN
Diagram: Corporate Data Center, Corporate Headquarters and Branch Offices connect through the VPN Gateway; an Internet Gateway fronts Availability Zone 1 and Availability Zone 2; the VPC reaches S3, SQS/SNS/SES, SWF, Elastic Beanstalk, SimpleDB and DynamoDB
Now supports static routes!
VPC + CloudFormation =
‣ Build your VPC, Security Groups, Instances, etc., and use CloudFormation to build out a template once you reach Gold State
‣ Run the CloudFormation template to replicate the environment for Dev, Test, Staging or other environments
‣ Makes your infrastructure build repeatable
‣ Use source control to track changes
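Once the VPC, subnets and security groups live in a CloudFormation template under source control, the template itself becomes the place to enforce the earlier slides' rules (explicit inbound rules, tiers in separate groups, capacity spread across availability zones) before anything is deployed. The following is an added example, not from the deck and not a 2nd Watch or AWS tool: a constructed CloudFormation template for a website tier and a database tier, a lint function that flags world-open admin ports, security groups outside the VPC and single-AZ layouts, and a `harden` step that swaps world-open SSH for access from a bastion security group. The resource names, CIDRs and AZ names are placeholders.

```python
import copy
import json

ADMIN_PORTS = {22, 3389}          # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed template (not from the deck): the "Gold State" of a VPC with a
# website tier and a database tier, as it would be captured into CloudFormation.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Website tier and database tier in a VPC (example)",
    "Resources": {
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "WebSubnetA": {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "us-west-2a"}},
        "WebSubnetB": {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.0.2.0/24", "AvailabilityZone": "us-west-2b"}},
        "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "Website tier", "VpcId": {"Ref": "Vpc"},
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
        "DbSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "Database tier", "VpcId": {"Ref": "Vpc"},
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "SourceSecurityGroupId": {"Ref": "WebSg"}}]}},
    },
}


def lint_template(template):
    """Return a list of findings; an empty list means the template passes."""
    findings = []
    resources = template["Resources"]
    for name, res in resources.items():
        if res["Type"] != "AWS::EC2::SecurityGroup":
            continue
        props = res["Properties"]
        if "VpcId" not in props:
            findings.append(f"{name}: not attached to a VPC")
        for rule in props.get("SecurityGroupIngress", []):
            cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
            if cidr not in WORLD:
                continue          # scoped to a CIDR or to another security group
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            if rule.get("IpProtocol") == "-1":
                findings.append(f"{name}: all traffic open to {cidr}")
            elif any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(f"{name}: admin port range {lo}-{hi} open to {cidr}")
    azs = {r["Properties"].get("AvailabilityZone")
           for r in resources.values() if r["Type"] == "AWS::EC2::Subnet"}
    if len(azs) < 2:
        findings.append(f"subnets span only {len(azs)} availability zone(s)")
    return findings


def harden(template):
    """Replace world-open SSH on the website tier with SSH from a bastion
    security group that itself only accepts a documented corporate range.
    Returns a new template; the input is left untouched."""
    fixed = copy.deepcopy(template)
    res = fixed["Resources"]
    res["BastionSg"] = {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "Bastion host", "VpcId": {"Ref": "Vpc"},
        "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "198.51.100.0/24"}]}}
    for rule in res["WebSg"]["Properties"]["SecurityGroupIngress"]:
        if rule.get("FromPort") == 22 and rule.get("CidrIp") in WORLD:
            del rule["CidrIp"]
            rule["SourceSecurityGroupId"] = {"Ref": "BastionSg"}
    return fixed


if __name__ == "__main__":
    print("before:", lint_template(TEMPLATE))
    hardened = harden(TEMPLATE)
    print("after:", lint_template(hardened))
    print(json.dumps(hardened, indent=2))   # the version to check into source control
```

Running the lint as a pre-commit or pipeline step keeps the Dev, Test and Staging copies from drifting back to an open SSH port: the same template that makes the build repeatable also makes the check repeatable.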
Disaster Recovery
Disaster Recovery on AWS (Classes of RTOs / AWS Solution)
‣ Critical: Real-time availability or near real-time (minutes); Tier 0 infrastructure, critical apps / High Availability or Warm Standby
‣ Major: Applications to run the business (hours); Tier 1 infrastructure and apps / Pilot Light DR in AWS
‣ Minor: Applications that can withstand a longer downtime (hours to days) / Backup and Recovery in AWS
Other DR Considerations on AWS
‣ “SAN like snapshots” of EBS storage allow recovery to a point in time within seconds – replicated across the entire region (3+ datacenters)
‣ Autoscaling and scripting allow backup server to be fully cost optimized
• Example: 2W Backup Server < $1 per month
‣ Pilot Light scenarios
HA Example
‣ HA at each tier
‣ Autoscaling at web and API tier to support dynamic site load
‣ High data security requirements: HA at IDS, Log Mgmt and auditing tiers
‣ Can lose entire datacenter and maintain production load
Q&A
Brian L Whitt, Senior Cloud Executive
Contact Us
2nd Watch, Inc. | Brian@2ndwatch.com | 602-690-3880 | www.2ndwatch.com
Product List
‣ TCO: TCO.2ndwatch.com, tcosupport@2ndwatch.com
‣ 2W Insight: 2WInsight.com, insight.support@2ndwatch.com
‣ 2W SharePoint: 2WSharePoint.com, 2wsharepoint@2ndwatch.com
Spokane Area Office: 2310 N Molter, Suite 103, Liberty Lake, WA 99019
Seattle Office: 603 Stewart Street, Seattle, WA 98101
New York Office: 1350 Ave of the Americas, 2nd Floor, New York, NY 10019
San Francisco Office: 505 Montgomery Street, Suite 1037, San Francisco, CA 94111