How to Architect and Bring to Market SaaS on AWS GovCloud (US)

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Keith Brooks
Senior Manager, Amazon Web Services
David Cruley
Solutions Architecture Manager, Amazon Web Services
194340
How to Architect and Bring to Market
SaaS on AWS GovCloud (US)
Dave Packer
VP, Product and Alliance Marketing

Public cloud
trends are
accelerating
2
of cloud workloads
will be in public cloud
(35% CAGR from 2015
to 2020)
of cloud workloads
will be Software-as-
a-Service (SaaS)
by 2020
in public
cloud + SaaS
revenue by
2020
68%
74 %
236B$
B Y 2 0 2 0 :
Source: Cisco Global Cloud Index, 2015-2020 *
Workload = a virtual machine or a container

• 10-40% business applications developed in-house
• 30% open source/free software
• 70% COTS software
• ~200+ software product vendors
• Large EA/ELAs for top 50 vendors
• Long list of products not well known or tracked
• Upgrade cascades over 3-5 year cycle
• High potential for rationalization
Enterprise software
portfolio is in transition
S T A R T I N G P O S I T I O N
ON-PREMISE SOFTWARE CATALOG:
Cloud will
increasingly be
the default
option for
software
deployment.
“
“
The Federal Government spends
more than $6 billion on
software…..
—Tony Scott, Former U.S. Federal CIO

SOFTWARE PACKAGE
INSTALLATION AMAZON MACHINE IMAGE
SOFTWARE AS A SERVICE
(SAAS)
Traditional software installation on
an Amazon EC2 instance using
Windows Installer (.MSI), Linux-
based (.RPM), and Unix-based
packages.
Public or private software template
that provides the information
required to launch an AWS EC2
instance. Include root volume,
permissions, and block device
mappings.
Software licensing and delivery
model whereby software is
managed and hosted on AWS and
available to customers on a
subscription basis.
How do organizations implement software on AWS?
AWS SOFTWARE DEPLOYMENT OPTIONS

SOFTWARE PACKAGE
INSTALLATION AMAZON MACHINE IMAGE
SOFTWARE AS A SERVICE
(SAAS)
Traditional software installation on
an Amazon EC2 instance using
Windows Installer (.MSI), Linux-
based (.RPM) and Unix-based
packages.
Public or private software template
that provides the information
required to launch an AWS EC2
instance. Include root volume,
permissions and block device
mappings.
Software licensing and delivery
model whereby software is
managed and hosted on AWS and
available to customers on a
subscription basis.
How do organizations implement software on AWS?
AWS SOFTWARE DEPLOYMENT OPTIONS

What are the implications of SaaS for
public sector and highly regulated
organizations?

Hosting SaaS in the AWS GovCloud (US) Region
SAAS TO SUPPORT SENSITIVE AND REGULATED WORKLOADS
Isolated, secure, and
compliant IaaS and
services
Built for sensitive and
regulated data including
Controlled Unclassified
Information (CUI)
Mission and business
critical workload
delivery
Tools and resources to
accelerate time to
compliance

Hosting SaaS in the AWS GovCloud (US) Region
ACCELERATING TIME TO COMPLIANCE IN THE AWS CLOUD
International Traffic and
Arms Regulation
DOD Security Req’s
Guide IL 2, 4 and 5
Criminal Justice Information
Service Security Policy
Federal Information Processing
Standard Pub
IRS Publication 1075
FedRAMP Moderate
and High
SP 800-53 (rev 4)
SP 800-171
Health Insurance Portability &
Accountability Act

Key Considerations for SaaS in AWS GovCloud (US)
WHAT SAAS VENDORS NEED TO KNOW
1. CUSTOMERS, POLICIES, AND OPERATIONS MATTER
2. ARCHITECTURE INFLUENCES PRODUCT STRATEGY
3. COMPLIANCE. COMPLIANCE. COMPLIANCE.
4. ASSESS TENANCY, PRICING, AND DISTRIBUTION OPTIONS
5. CONSIDER ADJACENT SEGMENTS AND INDUSTRIES
6. LEVERAGE AWS PARTNER AND COMPETENCY PROGRAMS
7. GET THE MESSAGE OUT; BE EXPLICIT WITH MARKETING

So that’s the why… what about the how?
GETTING STARTED TECHNICALLY

Architecting for Compliance in the
AWS GovCloud (US) Region

Use AWS GovCloud’s compliant infrastructure and I am done!
Should I worry about compliance in AWS GovCloud?

AWS Foundation Services
Compute Storage Database Networking
AWS Global
Infrastructure
Regions
Availability
Zones Edge
Locations
Client-side Data
Encryption
Server-side Data
Encryption
Network Traffic
Protection
Platform, Applications, Identity & Access Management
Operating System, Network, & Firewall Configuration
Customer applications & contentCustomers
Customers have
their choice of
security
configurations IN
the Cloud
AWS is
responsible for the
security OF
the Cloud
Security and compliance is a shared responsibility

International Traffic and
Arms Regulation
DOD Security Req’s
Guide IL 2, 4 and 5
Criminal Justice Information
Service Security Policy
Federal Information Processing
Standard Pub
IRS Publication 1075
FedRAMP Moderate
and High
SP 800-53 (rev 4)
SP 800-171
OTHERS….?
What are your actual compliance requirements?

Architectural Considerations

What’s your starting point…?
On premise deployment Another AWS region
OR
Migration to GovCloud Architecture Portability Compliance Foundation
Migrating data, servers or entire
application stacks?
Lift and shift?
Optimizing on cloud-native
services?
Can existing compliance audits
be leveraged?

Assess AWS service availability and compliance status
Service availability in AWS GovCloud AWS service compliance posture
Service availability varies by AWS region
Refer to AWS Region Table for availability details
… and the AWS GovCloud (US) User Guide
Some compliance is region based (e.g., ITAR)
Others are service by service (e.g. FedRAMP, SRG)
Refer to AWS Services in Scope for details

GovCloud is an isolated region – cross region functionality disabled
VPN is viable for cross region access.
For apps with sensitive data -- Is direct internet access allowed?
Be aware of encryption requirements for data leaving of the region.
ITAR: Ensure no restricted data is leaving the region (see the GovCloud Users Guide).
FedRAMP and SRG: Carefully document the security controls
Ensure access to GovCloud is clearly defined (who, when, where, and how).
VPN
Be cognizant of system boundaries and data egress

Corporate Network?
Internet?
End user access path…

Do either of these acronyms mean anything to you?

Trusted Internet Connection (TIC)
OMB Mandate M-08-05
Initiative to optimize and standardize the security of individual external network
connections currently in use by federal agencies, including connections to the
Internet. Reduces and consolidates external connections and provides enhanced
monitoring and situational awareness of external network connections.
DOD Cloud Access Point (CAP)
Defense Information Systems Agency
A system of network boundary protection and monitoring devices, otherwise
known as a cybersecurity stack, through which CSP infrastructure will connect to
a DoD Information Network (DODIN) service, the NIPRNet, or the Secret Internet
Protocol Router Network (SIPRNet).

Customer Network
InternetTIC Provider
Secure Connection
Direct Connect (w/VPN) or
VPN Over the Internet
Secure Connection
Direct Connect (w/VPN) or
VPN Over the Internet
SaaS Infrastructure
TIC and CAP requirements may impact architecture

GovCloud Users Guide
https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-us-ug.pdf
AWS service compliance
https://aws.amazon.com/compliance/services-in-scope/
AWS services by region
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/
NIST 800-53 standardized architecture quick start
https://aws.amazon.com/about-aws/whats-new/2016/01/nist-800-53-standardized-architecture-on-the-
aws-cloud-quick-start-reference-deployment/
Architecture and security recommendations for FedRAMP compliance
https://d0.awsstatic.com/whitepapers/compliance/aws-architecture-and-security-recommendations-for-
fedramp-compliance.pdf
Resources

Enterprise
Customers
4,000+
Data Under
Management
100PB+
Amazon Storage
Partner
Top 5
“ With Druva we gained data visibility while reducing costs
and complexity, simplifying, and reinforcing our entire data
protection strategy.” Brian Bagwell, Director of IT

The Data Center is No Longer the Center of Data
50%
ofdataexistsoutsidethe
corporatefirewallby
2020
Public Cloud – IaaS &
PaaS
Branch
Offices
Office 365, Google, Salesforce,
Box
SaaS
Endpoints
Source: Gartner

Druva Vision: Data Management as-a-Service

Druva Cloud Platform: One Platform to Protect it All
inSync
Endpoints & SaaS Applications
Office 365, Google G Suite, Box and Salesforce
Phoenix
Data Centers & Branch Offices
Physical Servers, Databases, VMware,
Hyper-V and NAS
CloudRanger
AWS IaaS/PaaS Services
EC2, RDS, EBS and RedShift

Why AWS GovCloud (US)?
• Existing government customers and contractors
• Market gap for a GovCloud-hosted data protection
vendor
• Increasing market interest for cloud solution (cloud
first)
• Cloud-native, security-focused, zero-knowledge
design made it a natural fit, or so we thought…

GovCloud & FedRAMP ATO
Road to FedRAMP
• Initiated FedRAMP in early 2014 for inSync
• Achieved moderate ATO Nov. 2017 (3.5 years later)
• Sponsored by NCI (National Cancer Institute)
• DoD IL-2 Designation
Lessons Learned
• You don’t know what you don’t know
• AWS was a great partner through the whole process
• Re-architecting was minimal
• Long Poles: Process changes, FIPS, AWS Service ATOs
• Oh, and the documentation & reviews, ………
Next Steps
• Phoenix services FIPS compliance
• Should take much less time once initiated

Druva FedRAMP Architecture
KMS
Route53 SES
US-EAST-REGION-1
CUSTOMER
SITE
CLOUD
OPS
RDS
CloudWatchCloudTrail
Internet
Private SubnetPublic Subnet Private SubnetPublic Subnet
Private SubnetPublic Subnet
MASTER VPC NODE VPC
MGMT VPC
GovCloud (US)
Configuration Mgmtgovcloud.druva.com Storage Nodes S3 / DynamoDB
Mgmt &
Monitoring

Port of New Orleans
Streamlines critical data protection
Challenges
• Manually intensive legacy data protection infrastructure
• Widespread end-user productivity issues; high rate of help desk calls
• Complex state and federal-mandated data compliance demands
• Data vulnerability concerns: natural disasters like Hurricane Katrina
Solution
• Druva inSync on endpoints to protect against ransomware, device loss, or
failure; Druva Phoenix to manage backup and disaster recovery for on-premises
and cloud
Hyper-V environments
Benefits with Druva
• Central visibility, security, and controls
• Calls to the IT department have dropped by 60–70%
• Multi-day server restores now only take seconds to complete
• Reduced backup window—from day-long to 30 minutes or less;
built-in security and controls enabling cloud compliance
• One of world’s busiest port systems
• Critical to US national economy
• 30M tons of goods, millions
of passengers
• $500M national impact if the
port went down for 3 days

National Cancer Institute
Challenges
• Highly distributed, mobile staff carrying sensitive data
• Data loss concerns
• Embracing Cloud First in a highly regulated environment
• Clinical researchers’ concerns with using cloud for their intellectual property
• Needing to align with FedRAMP for cloud data handling
Solution
• Druva inSync for end user data, which provides data protection for over 8,000
users and aligns to FedRAMP Moderate compliance requirements
Benefits with Druva
• Compliance alignment with FedRAMP across SaaS and infrastructure
• Staff data is protected around the clock, with zero-productivity impact
• Protection against catastrophic data loss
• Centralized accessibility & visibility to data when needed
• Increased user satisfaction around data handling, protection and management needs
• Solution offers availability, durability and scalability offered by AWS
• Founded in 1937, part of the National
Institutes of Health (NIH)
• Focus on cancer research, training,
health info dissemination related to
the causes, prevention & diagnosis of
cancer
• $5B+ in annual funding

Thank You!

How to Architect and Bring to Market SaaS on AWS GovCloud (US)

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie How to Architect and Bring to Market SaaS on AWS GovCloud (US)

Ähnlich wie How to Architect and Bring to Market SaaS on AWS GovCloud (US) (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

How to Architect and Bring to Market SaaS on AWS GovCloud (US)