2016 AWS Healthcare Days | Nashville, TN – May 3,2016

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Mark Johnston, Director of Global Business Development,
Healthcare and Life Sciences
May 3rd, 2016
AWS Healthcare Days
Nashville, TN

Payers PatientsProviders
Health Information
Exchanges
Healthcare data
security Precision
medicine
Healthcare
ERP
EHR
Revenue Cycle
Management
Connected Health

Ecosystem of established healthcare partners and new
entrants…..

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Scott Whyte
SVP, Growth & Innovation - ClearDATA
May 3, 2016
Healthcare Cloud: Opening Remarks
AWS Healthcare Days | Nashville

What I Hear…Often
“I think in 5 years, all providers will want to get out of the data center
business” - National Provider CIO
“I want my team to focus on innovation, not plumbing” – SaaS CTO
“We need competitive advantage - really fast” – Payer CTO
“We want to help providers take on risk – they need HIE and
analytics.” – Chief Analytics Officer, Payer

Agility
After moving to the cloud, Forbes found 60 per cent of
business leaders say they have reduced their IT
maintenance requirements, allowing them to focus more
on strategy and innovation, with 59 per cent seeing
increased business agility.

Community
Physicians
Participating
Practices and
Physicians
Quality Measures
Population management
Increased care coordination
Business model becomes more
focused on wellness
Financial Alignment
Shared risk/shared rewards
Cost reduction incentives
Shift from encounter-focus to
patient-focus
Clinical Integration Shared Services
Data
Acquisition
Clinical Data
Repository
Extract clinical data
Extract claims data
Data
Integration
Patient EMPI
Provider EMPI
Data Standardization
Quality Metrics
Analytics and
Reports
Health Team
Communications
Physician
communication
Provider-patient
Provider-provider
Technology aspects are critical underpinnings to success
Clinician Knowledge
Find actionable activities (gaps)
Decision support
Enhance communications with
patients and other providers
Clinical
Integration
Solutions
Overview
Hospitals
Inpatient clinical
quality metrics
Payer
s
Physician-Led
Entities
Governing body
(Participating
Practices and
Physicians)
Payer
negotiations
Distribute
shared savings
Clinical quality
Reports
Participating
Community
Physician clinical
data
Coordinated
Care
Collaboration

Thank You.
Scott Whyte
SVP, Growth & Innovation - ClearDATA

Embracing DevSecOps while improving your
compliance and security agility and posture
Chris McCurdy
Healthcare and Life Sciences Specialist AWS

Agenda
• DevOps to DevSecOps Primer
• Observed industry cloud techniques with AWS
• Tools, processes and frameworks to assist
• Example Compliance Workflows

Big Company, Big Challenges
Thousands of
Systems
Complex IT Ops
Limited Financial
Impact
Cloud Patterns and
Acceleration
Automated IT Cost Transparency
Current State of Enterprise IT Cloud Strategy Offers Agility

DevOps Level Set
Development
Quality
Assurance
Operations
DevOps

DevOps Toolchain
Plan
Configure
Verify
Preprod
Monitor
Create
Release
Define and plan; business value, application requirements and metrics
Building, coding and configuration
Ensuring quality; acceptance, regression testing
Infrastructure and application
Approval/certification, triggered releases, release staging and holding
Process, application and infrastructure
Release coordination, promotion, scheduling, rollback and recovery

DevOps Principles
• Collaborate with all stakeholders
• Codify everything
• Test everything
• Automate everything
• Measure and monitor everything
• Deliver business value with continual feedback
Manual Hacking

Drivers for DevSecOps
Embedding Security into DevOps was not successful
because…
• Compliance checklists didn’t take us far before we
stopped scaling…
• We couldn’t keep up with deployments without
automation…
• Standard Security Operations did not work…
• And we needed far more data than we expected to help
the business make decisions…

DevSecOps: Security as Code
Establishing these principles…
• Customer focused mindset
• Scale, scale, scale
• Objective criteria
• Proactive hunting
• Continuous detection and response

DevOps Toolchain
Plan
Configure
Verify
Preprod
Monitor
Create
Release
Define and plan; business value, application requirements, security, compliance
and metrics
Build, code and configuration
Ensuring quality; acceptance, regression, security and compliance testing
Infrastructure and application
Approval/certification, triggered releases, release staging and holding
Process, application, infrastructure, security and compliance
Release coordination, promotion, scheduling, rollback and recovery

Observed industry cloud techniques with AWS

Consult internally before implementing
The following slides are practices we
have seen used in industry. As security
and industry compliance is determined
by the customer before implementing
please:
• Consult with your internal best
practices
• Consult with with your Cloud Center of
Excellence
• Consult with your Information Security
group
• Consult with your Compliance
organization
• Do your due diligence

AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure Regions
Availability Zones
Edge Locations
Customers
Platform, Applications, Identity & Access Management
Operating System, Network & Firewall
Customer content
Client-side encryption implementation, Server-side encryption,
Network Traffic Protection
A Word on Security
Security
in the
cloud
Security
of the
cloud

Example: Simplified Claims Workflow
Validation
/ Edit
System
(EC2)
Insight
System
(EMR)
Inbound
Claim
Archive
(Glacier)
Inbound
Claim Store
(S3)
Claim History
(Redshift)
1
Claims
Adjudication
System
(EC2)
Data Lake
(S3)6
Insights
2 3 4
55
5
7
HIPAA Eligible
Architecture
Consult with compliance and security organizations before implementing

AWS Service
Amazon
EC2
Amazon
EMR
Amazon
Glacier
Amazon
S3
Amazon
DynamoDB
Amazon
RDS (MySQL
and Oracle)
Amazon
Redshift
Amazon
EBS
Elastic Load
Balancing
Amazon ECS AWS Elastic
Beanstalk
AWS
CodeCommit
AWS
CodeDeploy
AWS
CodePipeline
SQS
SNS
AWS Config
AWS
Device Farm
AWS HIPAA Eligible Services
(as of 4/21)
AWS Non-HIPAA Eligible Services

General Strategies
AWS
CodeCommit
AWS
CodeDeploy
AWS
CodePipeline
• Decouple PHI data from the processing
or orchestration
• Do not check PHI data into your source
or artifact repositories
• Use indirection when orchestrating PHI
flow
• Separate PHI and non-PHI containing
logical boundries
• Monitor the flow of PHI

Separate Virtual Private Cloud (VPC) Strategy
Amazon
EC2
Amazon
EMR
Amazon
S3
PHI Eligible VPC
Amazon
EC2
Non-PHI VPC
AWS Directory
Service
AWS
Device Farm
PHI

Indirection Strategy
Validation
/ Edit
System
(EC2)
Inbound
Claim Store
(S3)
HTTPS
Send
SQS
SNS
Claims
PHI Data

Example: Simplified Claims Workflow
Validation /
Edit System
(EC2)
Insight
System
(EMR)
Inbound
Claim
Archive
(Glacier)
Inbound
Claim Store
(S3)
Claim
History
(Redshift)
Claims
Adjudication
System
(EC2)
Data
Lake
(S3)
Insights
Non-PHI
Insights AWS
Lambda
Amazon
SES
Non-PHI
Insights
Email to
Business
Users
SQS
SQS
AWS
CodeCommit
AWS
CodeDeploy
AWS
CodePipeline
PHI Insights
Non-PHI Insights

Compliance Example Workflow (using DevSecOps)
CloudFormation
templateSecurity /
Compliance Admin
1
Define
AWS Service Catalog
2
Publish
CloudFormation
stack
Healthcare
Developers
4
Browse and Launch
AWS CloudTrail Amazon S3
11
Monitors
Logs all API calls
AWS CloudWatchalarm
8
Monitors
10
Initiates
12
Notifies
AWS Config
Track changes
3
Git push
6
AWS CodeCommit
5
Provisions
9
7

Example: Fortune 500 Life Science Company

The Vision
• Self Service
• Rapid Provisioning
• Capacity Management
• Full Stack Availability
Enable Agility
• AD Integration
• Golden AMIs
• Enterprise Logging
• Backup and Retention
• Firewall and Security Rule
Ensure Policy
• Monitoring and Alerts
• VM Scheduling
• Encryption
• Software Configuration Management
Accelerate Best Practices

What they did…
Assurance Monitors
Compliance Database
Console
Billing Roll up
Administrative
Services
Access Control with
AD Integration
User Help
HPC
Workspaces
Big Data

and Healthcare Analytics
Ujjwal Ratan
Healthcare and Life Sciences Solutions Architect
Amazon Web Services

Data
Warehousin
g
Databases
Object and
File Storage
Managed Big
Data Platform
AWS Data Pipeline
Data management ecosystem Analytical tooling ecosystem
Machine
Learning
Analysi
s
Data Ingestion
Storag
e
Archiving
Structured Unstructured Streaming
Data
Visualization
Typical Analytics Workflow

Retrospective Analysis & Reporting
Amazon S3
Amazon
DynamoDB
Amazon RDS
Ingest Store Process Visualize
Amazon Mobile
Analytics
Amazon
EC2
AWS
Import/Export
Amazon EMR
Amazon Redshift
Amazon
Lambda
Amazon
QuickSight

Three Essential Services for Analytics on AWS
Amazon S3 Amazon
Redshift
Amazon
Elastic
MapReduce
(EMR)
All three are HIPAA eligible services

Store anything
Object storage
Scalable
Designed for 99.999999999%
durability
Amazon S3

Transferring data into Amazon S3
AWS Import/ Export
AWS Direct Connect
Internet
Amazon S3
Data Lake
AWS Region
Institutional Data
Center
Amazon
Analytics
Services
Availability Zone

Aggregate all of your data in Amazon S3 Data
Lake
EMR Kinesis
Redshift DynamoDB RDS
Data Pipeline
Spark StreamingCassandra Storm
Amazon S3

Petabyte scale
Massively parallel
Relational data warehouse
Fully managed; zero admin
Amazon
Redshift
a lot faster
a lot cheaper
a whole lot simpler

When is Amazon Redshift the Right Choice for Healthcare Analytics?
Institutional metrics
Utilize massive datasets with existing SQL skill sets
Queries that involve heavy aggregation such as financial reporting
Clinically actionable gene mutation research
 Combine gene variant data with phenotypes and run GWAS/PWAS
analysis using SQL queries
Large population public health studies
 Find trends over millions of CMS claims in seconds

Amazon Redshift Architecture
Leader Node
 SQL endpoint
 Stores metadata
 Coordinates query execution
Compute Nodes
 Local, columnar storage
 Execute queries in parallel
 Load, backup, restore via S3
 Parallel load from DynamoDB or SSH
HW optimized for data processing
 DW1: HDD; scale from 2TB to 1.6PB
 DW2: SSD; scale from 160GB to 256TB
10 GigE
(HPC)
Ingestion
Backup
Restore
JDBC/ODBC

Copy Data Into Redshift From S3
COPY <table_name> from 's3://<bucket_name>/<file_name>' CREDENTIALS
'aws_access_key_id=<access_key_ID>; aws_secret_access_key=<secret_access_key_id>' DELIMETER ','
IGNOREHEADER 1;
Table_name: Redshift Table Name
Bucket_name: S3 bucket name
File_name: CSV file name in S3 bucket
Access_key_if, secret_access_key_id: AWS security credentials

Hadoop 1.x & 2.x / HDFS clusters
Easy to use; fully managed
Support for EC2 Spot Instances
S3, DynamoDB, Redshift
& Kinesis Integration
Amazon
Elastic
MapReduce
(EMR)

Process – Amazon EMR
• Hadoop - An open-source framework for parallel
processing huge amounts of data on a cluster of
machines
• Amazon EMR - Fully managed Hadoop cluster with
direct integration into Amazon S3 and burstable
capacity

Aggregate the
results from all
nodes and know
what each user did
Process – Amazon EMR Use Case
Large amount of
click logs of user
actions in Amazon
S3 bucket
(e.g TBs)
Amazon EMR cluster
splitting logs into
small pieces working
in parallel

Process – Amazon EMR
• Amazon EMR supports all common Hadoop Frameworks
such as:
• Spark, Pig, Presto, Hive
• etc.
• Decouples storage from compute
• Allows independent scaling
• Direct Integration with DynamoDB and S3
Amazon S3Amazon
DynamoDB
Amazon EMR

S3, Redshift & EMR forms the backbone of most
analytical workflows on AWS.
When used with other AWS services,
this is how the final architecture would look like …......

EC2
Amazon EC2
Instances
Amazon
Kinesis
Amazon S3
Amazon
EMR
Amazon
Redshift
BI Tool
Amazon
Machine
Learning
Amazon
DynamoDB
Amazon Mobile
Analytics
Amazon
Lambda
AWS
Import/Export

Security and Compliance
Visibility for Healthcare
AWS Nashville Event – May 2016
Adam C. Greenfield
Director of Engineering

HEALTHCARE
Exclusive
CLOUD
Experts
CERTIFIED
Experience
• BAA with the most coverage of any
leading provider
• Incorporates existing infrastructure
BAAs into a single BAA
THE CLEARDATA DIFFERENCE
ENHANCED
BAA

Deployment Tools
• Configuration Management Tools
• Orchestration Tools
• Auditing and Governance Tools

59PROPRIETARY & CONFIDENTIAL
Objectives
Strong and
Secure Audit
Trail
No tight
coupling to
orchestration
tools
External
Managed
Services
Highly
Automated

Traditional Platforms
• Platforms normally sit between your
application and tools to translated API
calls into AWS functions.
• This creates vendor lock in, but
obscures AWS value and reduces agility
• Vendors must integrate new services
quickly to give customers access to AWS
features
Customer Applications & Tools
Vendor Platform & Custom API’s
DB on instance
instance with AMI

Rethinking the model
• Observe
• Orient
• Decide
• Act

Objectives
Credits: Patrick Edwin Moran https://commons.wikimedia.org/wiki/File:OODA.Boyd.svg

AWS ConfigAWS CloudTrail
AWS CloudWatch
Customer Account
AWS SNS
Amazon API
Gateway
Management Account
AWS
Lambda
Amazon
Kinesis

Kinesis Streams
SensuCMDB
Backups Vuln Scanning
SlackPagerDuty
Ticketing
CloudTrail / CloudWatch EventsEC2 Events Auditing / Governance
AlertingSEIM
Remediation
Amazon
DynamoDB
Amazon
Redshift

Trusted Advisor
• Catches common account misconfigurations
• Suggests cost reductions
• Evaluates fault tolerance

CloudWatch
• Monitor performance of AWS resources
• Aggregate and process log files (non-PHI)
• Requires instance profile or distributed credentials

Emerging AWS-native Solutions
AWS Config Rules
https://github.com/awslabs/aws-config-rules/
Community-Based Rules• Constantly watch for account changes
• Remediate in near real-time
• Incredibly flexible and extendable
• Lambda based

Emerging AWS-native Solutions

Extending OODA inside the instance
• Observe
• Orient
• Decide
• Act

Objectives
Strong and
Secure Audit
Trail
Unobtrusive
External
Managed
Services
Highly
Automated

ClearDATA Dynamic Cloud Platform
AWS Environment
• Compute
• Storage
• Network / Cloud
Operating Environment
• Hardened AMIs
• Configuration management engine
• Patch management
• Managed backup
• Monitoring & alerts
• Consolidated account info
• Isolated dev & test environments
Security & Compliance
• Hardened encryption configuration
• Key management
• Intrusion detection system
• Login and access tracking
• Event log management
• File integrity monitoring
• ClearDATA security appliance
• VPNs / Address translation
• Anti-virus
24/7 Managed Services
Delivered by AWS Certified Personnel
Over 30 additional services automatically attached to AWS infrastructure

• First of it’s kind in the
industry – service based
real-time HIPAA compliance
dashboard
• At a glance system status
plus trending over time
• Detailed history available for
attestation during audits
Continuous security and compliance
monitoring mapped directly to
HIPAA guidelines delivered across
cloud and private environments via
interactive dashboard and individual
asset scorecards.
Security & Compliance Dashboard

Cloud Platform BAA Coverage
AWS Global
Infrastructure
Availability Zones
Regions
Edge
Locations
Network Traffic
Protection
Server-Side
Encryption
Client-Side Data
Encryption
Operating Systems, Network & Firewall Configurations
Platform
Customer Data
Applications Identity & Access Management
AWS Global
Infrastructure
Availability Zones
Regions
Edge
Locations
Network Traffic
Protection
Server-Side
Encryption
Client-Side Data
Encryption
Operating Systems, Network & Firewall Configurations
Customer Data
ClearDATA
Platform
Applications Identity & Access Management
Amazon Web Services Infrastructure ClearDATA Cloud Platform

HEALTHCARE
Exclusive
CLOUD
Experts
CERTIFIED
Experience
• Current Projects
• Pilots or POCs
• Backup / DR
• Compliance Dashboard
• SRA / SRAaaS
• Cloud Assessment
THANK YOU!
ENHANCED
BAA
LET’S WORK
TOGETHER

Data Storage for the Long Haul
Compliance and Archive
Erik Durand
Amazon Web Services

Amazon EFS
File
Amazon EBS
Amazon EC2
Instance Store
Block
Amazon S3 Amazon Glacier
Object
Data Transfer
AWS Direct
Connect
AWS
Snowball
ISV Connectors Amazon
Kinesis
Firehose
S3 Transfer
Acceleration
Storage
Gateway
Storage is a platform

Patient data – Philips Healthcare
• HealthSuite digital platform powered by AWS
• 15 petabytes of patient data
• Archived for decades (beyond the lifetime of patients)
• Uses AWS HIPAA eligible services in the BAA

Public sector – King County
• Most populous county in Washington state
• Replace tape solution for backup from 17 agencies
• Meet compliance requirement
• Saved $1MM in first year, no more tape refresh or
management churn

Archive:
Data retained for the long term,
for compliance or potential
future reference
Data archiving needs are growing everywhere
• Media assets, 4K, 8K
• Health care / life sciences
• Financial services
• Regulated industries
• Oil and gas / geospatial
• Digital preservation
• Long-term backups
• Logs

Traditional archiving approaches
• Storage arrays / disk arrays
• Tape silos / tape libraries
• Tape drives (LTO-X / DLT / etc.)
• Virtual tape libraries (VTLs)
• Tape out / vaulting
• Specialized software and personnel

How can AWS help with your archival?
Metered usage:
Pay as you go
No capital investment
No commitment
No risky capacity planning
Avoid risks of physical
media handling
Control your
geographic locality for
performance and
compliance

Archive Options – Storage Tiers and Data Lifecycle

Object Storage Options
S3 Standard
Active data Archive dataInfrequently accessed data
S3 Standard - Infrequent
Access
Amazon Glacier
Milliseconds 3-5 hoursMilliseconds
$0.03/GB/mo $0.007/GB/mo$0.0125/GB/mo

A Closer Look: S3-IA and Amazon Glacier
S3 - IA
• Same durability and throughput as S3 Standard
• Instant access
• $0.01/GB on each data retrieval
Amazon Glacier
• Same 11 9s durability as S3 Standard
• 3-5 hour data retrieval latency
• Suitable for cold archive such as offsite tapes
S3 Standard - Infrequent
Access
Amazon Glacier

- Transition Standard to Standard-IA
- Transition Standard-IA to Amazon Glacier
- Expiration lifecycle policy
- Versioning support
Data lifecycle management
T T+3 days T+5 days T+ 15 days T + 25 days T + 30 days T + 60 days T + 90 days T + 150 days T + 250 days T + 365 days
Data access frequency over time

Transition older records to Standard-IA

Archive to S3-IA after 30 days
Lifecycle policy
Standard Storage -> Standard-IA
<LifecycleConfiguration>
<Rule>
<ID>sample-rule</ID>
<Prefix>documents/</Prefix>
<Status>Enabled</Status>
<Transition>
<Days>30</Days>
<StorageClass>STANDARD-IA</StorageClass>
</Transition>
<Transition>
<Days>365</Days>
<StorageClass>GLACIER</StorageClass>
</Transition>
</Rule>
</LifecycleConfiguration>

Archive to Amazon Glacier after 365 days
Lifecycle policy
Standard Storage -> Standard-IA
<LifecycleConfiguration>
<Rule>
<ID>sample-rule</ID>
<Prefix>documents/</Prefix>
<Status>Enabled</Status>
<Transition>
<Days>30</Days>
<StorageClass>STANDARD-IA</StorageClass>
</Transition>
<Transition>
<Days>365</Days>
<StorageClass>GLACIER</StorageClass>
</Transition>
</Rule>
</LifecycleConfiguration>
Standard-IA Storage -> Amazon Glacier

Save money on storage
58% saving over S3 Standard
44% saving over S3 Standard-IA
* Assumes the highest public pricing tier

Example backup software integration
• CommVault – Native Integration
with Amazon S3 and
Amazon Glacier
• Deduplication and encryption
• Single console management
Amazon S3 Amazon Glacier

Compliance Use Case 1 – Regulatory Retention

Amazon Glacier Vault Lock allows you to easily
set compliance controls on individual vaults and enforce them via a
lockable policy
Time-based retention
MFA authentication
Controls govern all
records in a Vault
Immutable policy
Two-step locking
Compliance storage with Vault Lock

Vault Lock for compliance storage
• Non-overwrite, non-erasable records
• Time-based retention with “ArchiveAgeInDays” control
• Policy lockdown (strong governance)
• Legal hold with vault-level tags
• Configure optional designated third-party access and grant
temporary access

Amazon Glacier received a third-party assessment
from Cohasset Associates on how Amazon Glacier
with Vault Lock can be used to meet the requirements
of SEC Rule 17a-4(f) and CFTC 1.31(b)-(c).

Example control: 1 year record retention
• Deny delete archive operation
• From anybody (root, administrators, users, business partners)
• When ArchiveAgeInDays is <= 365 days
Archive age computed from the time an archive lands in a vault

Example control: 1 year record retention

Vault Lock: Two-step locking
• InitiateVaultLock
– Effectuates a retention policy for testing (in-progress state)
– Returns a unique lock ID (expires after 24 hours)
• AbortVaultLock
– Deletes an in-progress policy
– Ability to modify a policy before locking it down
• CompleteVaultLock
– Locks down the vault with the appropriate lock ID
– Vault Lock cannot be aborted afterwards

Legal hold with vault-level tags
• Set up a legal hold tag
– Configure a vault-level tag “LegalHold”
– Set initial value to “False”
• Add compliance control for legal hold in a Vault Lock policy
– Deny delete archive operation
– From anybody (root, administrators, users, business partners)
– When LegalHold tag = “True”
• Place/lift legal hold by updating the tag value

Vault Lock in the Amazon Glacier console

Compliance Use Case 2 – Auditing and Alerts

Audit logging with AWS CloudTrail
• Amaozn S3 and Amazon Glacier can log
API calls for audit via CloudTrail
• Enable CloudTrail in the AWS console and
designate your log bucket
• S3 logs bucket-level activities; object
activities supported via event notification
• Amazon Glacier logs all APIs calls for
vault and archives

Access policy for a storage container
• Control access to a storage container in a single location
– S3 bucket or Amazon Glacier vault access policy
– Grant/revoke access to internal business units/teams
– “Marketing_Vault” has a distinct access policy from “DevOps_Vault”
• Easily manage cross-account access for your business partner
– Simply add a section for your business partner in the same policy
– Cross-account activities (API calls) also show up in CloudTrail logs

Amazon S3 event notifications
Events
SNS topic
SQS
queue
Lambda
function
• Notification when objects are
created via PUT, POST, Copy, or
Multipart Upload, DELETE
• Filtering on prefixes and suffixes
for all types of notifications

Request specific notifications
Request notifications on specific
PUT APIs
Request notifications on specific
DELETE APIs
s3:ObjectCreated:*
s3:ObjectCreated:Put
s3:ObjectCreated:Post
s3:ObjectCreated:Copy
s3:ObjectCreated:CompleteMultipartUpload
s3:ObjectRemoved:*
s3:ObjectRemoved:Delete
s3:ObjectRemoved:DeleteMarkerCreated

Compliance Use Case 3 – Geographic Redundancy

Remote replicas managed
by separate AWS accounts
Secure
Distribute data to regional
customers
Lower Latency
Store hundreds of
miles apart
Compliance
Amazon S3 cross-region replication
Automated, fast, and reliable asynchronous replication of data across AWS regions

• Usual charges for
storage, requests, and
inter-region data transfer
for the replicated copy of
data
• Replicate into Standard-IA
or Amazon Glacier
Cost
HEAD operation on a source
object to determine replication
status
• Replicated objects will not be
re-replicated
• Use Amazon S3 COPY to
replicate existing objects
Replication status
DELETE without object
version ID
• Marker replicated
DELETE specific object
version ID
• Marker NOT replicated
Delete operation
Cross-region replication: Details
Object ACL updates are
replicated
• Objects with Amazon-
managed encryption key
replicated
• AWS KMS encryption not
replicated
Access control

Versioning with cross-region replication
A
B
Vid1- v2
Vid1- v1
Key: A/vid1 Key: B/vid1
Vid1- v2
Vid1- v1
Vid1- v3
Vid1- v3
Vid1- v4
Vid1- v4
A

Cross-region replication with lifecycle archiving
S3
Bucket A
Amazon Glacier
S3
Bucket B

AWS Import/Export Snowball
• Accelerate PBs with AWS-
provided appliances
• 80 TB model, global availability
AWS Storage Gateway
• Instant hybrid cloud
• Up to 120 MB/s cloud upload rate
(4x improvement), and
Data ingestion into AWS storage services
Amazon Kinesis Firehose
• Ingest data streams directly into
AWS data stores
AWS Direct Connect
• COLO to AWS
ISV Connectors
• CommVault
• VERITAS
• etcetera
Amazon S3 Transfer Acceleration
• Move data up to 300% faster
using AWS’s private network

What is AWS Snowball? Petabyte scale data transport
E-ink shipping
label
Ruggedized
case
“8.5G Impact”
All data encrypted
end-to-end
50TB or 80 TB
10G network
Rain & dust
resistant
Tamper-resistant
case & electronics

Introducing Amazon S3 transfer acceleration
S3 Bucket
AWS Edge
Location
Uploader
Optimized
Throughput!
Typically 50%–400% faster
Change your endpoint, not your code
54 global edge locations
No firewall exceptions
No client software required

Amazon
Route 53
Resolve
b1.s3-accelerate.amazonaws.com
HTTPS PUT/POST
upload_files.zip
HTTP/S PUT/POST
“upload_files.zip”
Service traffic flow
Client to S3 Bucket example
S3 Bucket
b1.s3-accelerate.amazonaws.com
EC2 Proxy
AWS Region
AWS Edge Location
Customer Client
1
2
3
4

AWS Snowball S3 transfer acceleration
When do I use what?
Large, infrequent uploads
Tens of TBs of upload from a
centralized location
7–10 day tolerance
Recurring, frequent uploads
GBs or TBs of upload from distributed
locations
Long geographic distances

Q&A
Learn more at: http://aws.amazon.com/s3/
http://aws.amazon.com/glacier/
http://aws.amazon.com/importexport/
eddurand@amazon.com

2016 AWS Healthcare Days | Nashville, TN – May 3,2016

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (20)

Ähnlich wie 2016 AWS Healthcare Days | Nashville, TN – May 3,2016

Ähnlich wie 2016 AWS Healthcare Days | Nashville, TN – May 3,2016 (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

2016 AWS Healthcare Days | Nashville, TN – May 3,2016