Your address will show here +12 34 56 78
2020 Blog, Blog, Cloud Blog, Featured

Amazon WorkSpaces is a simple to use, cloud based, managed secure Desktop solution. It is a one click deployment product which is available on Windows and Linux operating systems. The main advantage of using Amazon WorkSpaces is as follows.

  • Easy to provision, Desktop as a Service (DaaS)
  • Provision, de-provision and lifecycle management using your existing ITSM (ServiceNow, Jira Service Desk or Freshservice)
  • Extend your existing On-Premise Desktops/Laptops with the AWS Workspaces and manage it centrally
  • Secured data with reliable, High Availability enabled Desktop solution
  • Cost effective and on-demand flexibility
  • Manage and scale up or scale down based on the business need in a centralized way
  • Accelerate deployment at scale

Need for a secured and effective Cloud End User Computing Model

Amazon WorkSpaces helps in adopting a secure, managed cloud-based virtual desktop model to fulfil your End User Computing (EUC) IT requirement needs. Also, it ensures Organizations move away from the pain of procurement, deployment, and management of a complex environment. The traditional method also has a challenge where the hardware and licenses can be scaled up with additional cost, in case of a need but cannot be scaled down and ends up with unwanted cost in case of seasonal spike. Amazon WorkSpaces help organizations scale up and scale down based on demand and deploy at scale with few click deployment models and with enhanced security of your cloud Desktop. Relevance Lab’s pre-baked solution helps your IT team who has minimal knowledge on AWS adopt DaaS solutions with usage of ITSM platforms or custom Cloud Portal.

Best Practices of Network design for Amazon WorkSpaces


VPC It is recommended to use a separate VPC for your WorkSpaces implementation. This helps us define the required governance and security guardrails by creating traffic separation.
Directory Service Each AWS Directory service build requires a pair of subnets for high availability across Amazon availability zones.
Subnet size Subnet sizes are permanent and cannot be modified and hence need to plan for future capacity. You can define a default security group to your directory services which implies it to all the WorkSpaces under this directory services. Additionally, you can have multiple directory services use the same subnet.
Network Connectivity Whether you are looking for a pure cloud solution for your AWS WorkSpaces or planning to integrate with your existing on-prem setup, AWS helps achieve both using multiple options as below.
Option 1 – Extend your existing directory to the AWS Cloud.
Option 2 – Utilize your existing on-premises Microsoft Active Directory by using AWS directory Service, AD Connector.
Option 3 – Integrate your on-premise server with AD Connector to provide multi-factor authentication (MFA) to your WorkSpaces.
Option 4 -Create a managed directory with AWS Directory Service, Microsoft AD or Simple AD, to manage your users and WorkSpaces.

Observability of AWS WorkSpaces

This deals with managing lifecycle from creation, usage and termination in an optimal manner. This covers following three areas.

  1. Security and Governance
  2. As per AWS best practices, every individual user account should be set up with AWS IAM roles with right permissions and enable multi-factor authentication (MFA) with each account. Different WorkSpaces on the same physical host are isolated from each other through the hypervisor as though they are on separate physical hosts.

  3. Health Monitoring
  4. CloudWatch Metrics for WorkSpaces gives an insight to the overall health and connection status of all WorkSpaces. This can be per Desktop or aggregated for all WorkSpaces within a Directory. Apart from the default metrics, you can also enable additional metrics.

  5. Cost Optimization
  6. AWS WorkSpaces billing is based on usage and there are 2 options to choose by default.

    • AlwaysOn – This is the best option when you are a monthly billing mode, and your usage is typically around 6 to 9 hours a day.
    • AutoStop – This is the ideal option when you are on hourly billing. You can have the WorkSpaces stop after a specified time of inactivity which stops the billing.

One of the best practices is to monitor the usage of the WorkSpaces running mode using Amazon WorkSpaces Cost Optimizer. This solution uses an Amazon CloudWatch event that invokes an AWS Lambda function every 24 hours. This can then convert your WorkSpaces to the most cost-effective model from the next billing cycle. (Hourly to Monthly or Monthly to Hourly) based on your usage pattern.



Automation

WorkSpaces provisioning can be automated using your existing ITSM platforms like ServiceNow, Jira, ServiceDesk or Freshservice. There are existing connectors like AWS Service Management Connector and RLCatalyst Service Management Connector providing end to end automation.


AWS Products Used


Relevance Lab is a specalist AWS partner for Desktop as a Service using AWS Workspaces. It has implemented Workspaces with its pre-integrated, secured and matured solutions for its clients using their existing ITSM tools. This has helped customers for a faster adoption of cloud and promoted the cost optimization journey. Relevance Lab’s DaaS solution offering starts with an assessment questionnaire that can help your organizations understand the need to migrate to a secured, scalable and matured solution. Based on the assessment scorecard, we recommend the right solution based on automation, security, governance and compliance model.

This blog refers to the standard Desktop as a Service using AWS Workspaces. In more advanced scenario’s adoption of DaaS also involves additional steps like Storage, Log Monitoring, Security Analytics (SIEM, SOAR), Mail and Office suite options, Container Deployment and Application security signing which will be covered in a separate blog.


For more details or for the assessment questionnaire please reach out to marketing@relevancelab.com



0

2020 Blog, Blog, Cloud Blog, Featured

Based on AWS recommended best practices, this blog articulates governance and management at scale for customers on cloud security implementation covering the following themes

  • Designing Governance at Scale
  • Governance Automation
  • Preventive Controls
  • Detective Controls
  • Bringing it all together

Need for a matured and effective Cloud Security Governance
To achieve agility, compliance and security customers cannot rely on the manual processes and hence automation plays a key role. This mandates the need for an integrated model called “Governance at Scale” which focuses on Account Management, Security, Compliance Automation, Budget and Cost Management. This model help customers to be on fast track, while ensuring the workloads meet security and compliance requirements. Governance at Scale is an orchestration framework which includes enablement, provisioning and operations.


  • Account Management: Governance at Scale processes streamline account management across multiple AWS accounts and workloads in an organization through centralization, standardization and automation of account maintenance. This can be achieved through policy automation, identity federation and account automation.

  • Security and Compliance Automation: Governance at Scale practices consists of three main goals
    • Identity and Access Automation: Customers can access their workloads based on their roles privileges, as defined by the organizations policies. Access to new services can be added to an OU level and the changes will apply across all cloud accounts on that level.
    • Security Automation: To maintain a secure position at scale, security tasks and compliance assessments also require automation. Automation helps in reduced implementation efforts, as templates ensure that services and projects are secure and compliant by default. Customers can also be more responsive when a policy violation occurs.
    • Policy Enforcement: AWS guidance to achieve Governance at Scale helps you to achieve policy enforcement on AWS Regions, AWS services and resource configurations. Policies enforcement happens at different levels like Region, services and resource configurations and also at an organizational level or the resource level. Enforcement is based on roles, responsibilities and compliance regulations (such as HIPAA, FedRAMP and PCI/DSS).

  • Budget and Cost Management: This framework helps Organizations to proactively make decisions on budget controls and allocation across their organizations and primarily consists of budget planning and enforcement.
    • Budget Planning: This allows allocation and subdivide the available budget from a given funding source appropriately across the company by the financial owners. Financial dashboards provide real-time insights to the decision makers over the lifetime of the funding source.
    • Budget Enforcement: Budget enforcement can happen at each layer, department or project in an organization as these can have different budgetary needs and limits. The governance framework allows the organization for budget assignment and defines the threshold, while monitoring spending in real time and can proactively notify the relevant stakeholders and trigger enforcement actions.

Some of this Intelligent Automation includes

  • Restricting the use of AWS resources to those that cost less than a specified price.
  • Throttle new resource provisioning.
  • Shut down, end or deprovision AWS resources after archiving configurations and data for future use.

Implementing Governance at Scale with Ideal Landing Zone architecture


Key Process and Services to implement Governance at Scale Framework

AWS Control Tower: It is a native service used for setup and governing a secure, compliant, multi-account AWS environment, automated using AWS best practices blueprints. It’s multi-account structure enables aggregated centralised logging, monitoring and operations.

  • Establish and Enable Guardrails: AWS Control Tower includes guardrails, which are high-level policies that provide constant governance. It allows you to adopt original best practices on security across the AWS environment managed by Control Tower.
  • Automate Compliant Account Provisioning: Automate account provision workflow using Account Factory.
  • Centralize Identity and Access: By using AWS SSO, the service can centralize access and identity management which follows the standard best practices.
  • Log Archive Account: The log archive centralizes logs and provides a single source of truth for all the account activities. The account works as a repository for API activity logs and resource configurations from all accounts in the landing zone. It contains the centralized logging for AWS CloudTrail and AWS Config.
  • Audit Account: The audit account is a restricted account. It is designed to provide security and compliance teams read and write access to all accounts in your landing zone. It can be a main account for security services such as Amazon GuardDuty and AWS Security Hub.

Governance Lifecycle with Services: An integrated model covering AWS Config, AWS Systems Manager, Amazon GuardDuty and AWS Security Hub.

These services work together and play a crucial role in the Governance at Scale framework. Together, they allow your customers to

  • Define security rules and compliance requirements.
  • Monitor infrastructure against the rules and requirements.
  • Detect violations.
  • Get notifications in real time.
  • Take action in an effective and rapid manner.

AWS Config: This enables customers to assess, audit and evaluate their AWS configurations in real-time. It also monitors and records AWS resource configurations. It also automates the evaluation of recorded configurations against desired configurations.

AWS Systems Manager: This gives customers visibility with a unified user interface and allows them to control their infrastructure on AWS by automating operational tasks. With AWS Systems Manager, customers can

  • Group resources by application.
  • View operational data for monitoring and troubleshooting and take action on groups of resources.
  • Streamlines resource and application management.
  • Shortens the time to detect and resolve operational issues.
  • Simplifies operations and management of the infrastructure – securely at scale.

Amazon GuardDuty: It protects AWS accounts, workloads and data with intelligent-threat detection, monitoring of malicious activity, unauthorized behavior to protect AWS accounts and the workloads. It uses machine learning, anomaly detection and integrated threat intelligence to identify and prioritize potential threats.
Customers enable GuardDuty from the AWS Management Console, where it analyzes billions of events across multiple AWS data sources, such as AWS CloudTrail Event logs, Amazon VPC flow log and DNS logs. By integrating with Amazon CloudWatch Events, GuardDuty alerts are actionable.

AWS Security Hub: This is the compliance and security center for AWS customers. Security Hub allows customers to centrally view and manage security alerts and automate security checks.
Security Hub automatically runs the account-level configuration and security checks based on AWS best practices and open standards. It consolidates the security findings across accounts and provider products and displays results on the Security Hub console. It also supports integration with Amazon CloudWatch Events. To automate remediation of specific findings, customers can define custom actions to take when a finding is received.


AWS Products Used


With AWS management and governance services, customers can improve their governance control and fast track their business objectives. However, solving these challenges are not straight and simple as many of the customers rely on a traditional IT management process which is manual and not scalable. Also, with lack of clarity on account management without clearly defined processes, they end up with multiple accounts provisioning and tracking becomes inefficient. This can also increase their security and financial risks. In some cases, due to these challenges, customers rely on third party tools or solutions which can further complicate and increase operational challenges.

Relevance Lab can help organizations to build or migrate existing accounts to a secured, compliant, multi account AWS environment enabled with automation to increase both operational and cost efficiency. The transition to this matured Governance at Scale framework can be implemented in four weeks using our specialised competencies, RLCatalyst automation framework and the Governance at Scale handbook.

For more details, please feel free to reach out to marketing@relevancelab.com



0

2020 Blog, Blog, Cloud Blog, Featured, RLCatalyst Blog

The adoption of Cloud and DevOps has brought changes in large enterprises around the traditional management methodology of Infra, Middleware and Applications lifecycle. There is a continuous “tension” to achieve the right balance between “security + compliance” vs “agility + flexibility” between Operations and Development teams. For large enterprises with multiple business units and global operations and having distributed assets across multiple cloud providers, these issues are more complex. While there is no “silver bullet” that can solve all these issues, every enterprise needs a broad framework for achieving the right balance.

The broad framework is based on the following criteria:

  • IT teams predominantly define the infrastructure components like images, network designs, security policies, compliance guardrails, standard catalogs etc. based on the organization’s policies and requirements.
  • Application teams have the flexibility to order and consume these components and to manage post provisioning lifecycle specific to their needs.

The challenge being faced by larger enterprises using multiple cloud workloads is the lack of a common orchestration portal to enable application teams to have self-service requests and flexible workflows for managing workload configuration and application deployment lifecycle. The standard Cloud management portals from the major cloud providers have automated most of their internal provisioning processes, yet don’t provide customers system-specific solutions or do workload placement across various public and private clouds. In order to serve the needs of Application groups a portal is needed with following key functionalities.


  • The self-service portal is controlled via role-based access.
  • Standard catalog of items for Infrastructure Management.
  • Flexible workflow for creating a full lifecycle of configurations management.
  • Microservices-based building blocks for consuming “INFRASTRUCTURE AS A CODE” and manage post provisioning lifecycle.
  • Ability to monitor the end to end provisioning lifecycle with proper error handling and interventions when needed.
  • Governance and management post provisioning across multiple workloads and cloud services.

Relevance Lab has come up with a microservices-based automation solution which automates enterprise multi-cloud provisioning, pre and post, provisioning workflows, workload management, mandatory policies, configurations, and security controls. The end to end provisioning is automated and made seamless to the user by integrating with ServiceNow, Domain server, configuration servers and various cloud services. There are multiple microservices developed to handle each stage of the automation, making it highly flexible to extend to any cloud resources.

The building blocks of the framework are as shown here:


The IAAC which is maintained in a source code repository can have the cloud templates for a variety of resources.


Resource Platform Automated Process
Compute – VM/Server VMWare, AWS, Azure, GCP Automated provisioning of VMs and the backup VMs
Compute – DB Server VMWare, AWS, Azure, GCP Automated provisioning of the DB servers and Backup servers – Oracle, PostgresSQL, MSSQL, MySQL, SAP
Compute – HA and DR VMWare, AWS, Azure, GCP Automated provisioning of HA and DR servers
Compute – Application Stack AWS, Azure Automated Provisioning of Application stack using CFTs and ARM templates
Network – VPC AWS, Azure, GCP Automated provisioning of VPCs and subnets
Storage AWS, Azure, GCP Automated provisioning of S3 buckets or Blob storage
Storage – Gateways AWS Automated provisioning of storage gateways
DNS Server AWS, Azure Automated provisioning of DNS servers


Getting Started with Hybrid Cloud Automation – Our recommendations:

  • Generate standard cloud catalogue and create reusable automated workflows for processes such as approval and access control.
  • To optimize the management of resources, limit the number of blueprints. Specific features can be provisioned in a modular fashion in the base image.
  • Use configuration management tool like Chef/Puppet/Ansible to install various management agents.
  • Use “INFRASTRUCTURE AS A CODE” principle to provision infrastructure in an agile fashion. It needs tools like Github, Jenkins and any configuration management tool.

Benefits:

  • Significantly reduce the Operations cost by reducing the manual effort and proactive monitoring services using a single platform.
  • Reduced time to market for new cloud services by enabling a single-click deployment of cloud services.

For more details, please feel free to reach out to marketing@relevancelab.com


0

2020 Blog, Blog, Cloud Blog

The industry has witnessed a remarkable evolution in Cloud, Virtualization, and Networking over the last decade. From a futuristic perspective, enterprises should structure the cloud including account creation, management of cloud; and provide VPC (Virtual Private Cloud) scalability and optimize network connectivity model for clouds.


Relevance Lab focuses on optimizing network connectivity model using AWS VPC and services. We are one of the premium partners of AWS and with our extensive experiense in cloud engineering including Account Management, AWS VPC and Services, VPC peering and On-premises connectivity. In this blog, we wil cover a more significant aspect of connectivity.


As an initial step, we help our customers optimize account management, including policies, billing, structuring the accounts and automate account and policy creations with pre-built templates. Thereby we help leverage AWS Control tower and landing zone.


Distributed Cloud Network and Scalability Challenges


As the AWS cloud Infrastructure and applications are distributed across the globe including North America, South America, Europe, China, Asia Pacific, South Africa, and the Middle East, it brings in much-anticipated scalability issues. Hense, we bring in the best practices while designing the cloud network, including:


  • Allocate VPC networks for each region; make sure this does not overlap with On-premises and across VPC peering.
  • Subnet sizes are permanent and cannot change, leave ample room for future growth.
  • Create EC2 instance growth chart considering your Organization, Customer, and partner’s requirements and their Global distribution. Forecast for the next few years.
  • Adapt to the Route scalability supported by AWS

AWS Backbone provides you private connectivity to AWS services, and hense no traffic leaves the backbone, and it avoids the need to set up NAT gateway to connect to the services from On-premises. This brings in enhanced security and cost-effectiveness.


Amazon S3 and DynamoDB services are the services supported behind Gateway Endpoint, and these are freely available to provision.


VPC Peering is the simplest and secure way to connect between two VPCs, and one VPC cannot transit the traffic for other VPCs. The number of peering requirements is very high among the enterprises due to these design challenges, and it grows as the VPC scales. hense, we suggest the VPC peering connectivity model if the number of VPC’s are limited to 10.


On-premises connectivity models for cloud – Our Approach


The traditional connectivity model which connects site-to-site VPN between VGW (Virtual Private Gateway) and Customer gateway provides lesser bandwidth, less elastic and cannot scale.


A direct connect gateway may be used to aggregate VPC’s across geographies. Relevance Labs recommends introducing a transit gateway between VGW and Direct Connect Gateway. This provides a hub and spoke design for connecting VPCs and on-premises datacentre or enterprise offices. TGW can aggregate thousands of VPCs within a region, and it can work across AWS accounts. If VPCs across multiple geographies are to be connected, TGW can be placed for each region. This option allows you to connect between the on-premises Data Center and up to three TGWs spanning across regions; each of them can aggregate thousands of VPCs.



This model allows connecting to the colocation facility between VPC & Customer Data Center and provides bandwidth up to 40 Gig through link aggregation.


Relevance Lab is evaluating the latest features and helping the Global Customers to migrate to this distributed cloud model which can provide high Scalability and bandwidth along with cost optimization and security.


For more information feel free to contact marketing@relevancelab.com


0