Embracing Hybrid Cloud With AWS
Smarter, Better, Faster Business with the Cloud & Mobility
Changing The Status Quo Through Hybrid Cloud Strategies
Designing and Building Application Security and Layering it on top...
Thank you for Subscribing to CIO Applications Weekly Brief
Leveraging Amazon Web Services to Advance Democracy
By Chris Spence, CTO, National Democratic Institute for International Affairs (NDI)
It's important to examine a number of factors when considering a cloud strategy including technical resources and strengths/weaknesses, the projected costs of software and services, institutional culture, information security requirements and risk tolerance. As a result of our review, we devised a straightforward cloud strategy—we use SaaS when we can, and applications that can’t be migrated to a SaaS solution are virtualized in the cloud. We minimize on-premises infrastructure― used primarily for legacy applications that can't be virtualized yet, logging, some off-site data storage and a few network services.
The National Democratic Institute (NDI) conducts democracy strengthening programs in more than 60 countries around the world. For our field programs, the cloud provided new opportunities to better secure employee data and communications, clone and scale commonly used web applications, and expand services into low infrastructure environments without having to build technical infrastructure and capacity within political institutions in developing countries.
Managing an AWS Migration
We chose AWS as our cloud provider because it promised to be the easiest to deploy and manage at the lowest cost while offering improved security features. Our migration has been fairly smooth and following are some lessons.
The most important observation is that the cloud migration process becomes an opportunity to rethink and strengthen hosting and maintenance practices. It is advisable to start simple, such as moving small program applications and public-facing websites.
When confident with the AWS infrastructure, more complex services can be migrated. In our case, we moved complex J2EE applications with two-tier architectures and load balancer needs and introduced AWS tools such as RDS, Elasticache, Elastic Beanstalk and Cloudwatch. Our final cloud migration phase included creating a virtual private cloud (VPC) to act as our data center. This enabled us to move business apps to the cloud and connect them to on-premise authentication systems and other services in a single network.
Due to the political nature of our work, we face a wide range of cybersecurity challenges including APT against our staff and infrastructure and attacks against project websites. AWS has greatly simplified and strengthened our security posture. AWS has a “security first” posture ―which means even fresh instances are built with a solid security configuration out of the box. However, a better practice involves using AWS Security Groups to build “secure by design” models that meet your specific security needs and easily roll out standard, hardened instances for desired applications.
AWS facilitates layered security using a number of tools including: AWS routing tables, subnets, Cloud-watch and security groups that complement host-based defenses such as iptables, hostbased intrusion prevention systems, configuration managers, advanced policy firewalls, mod security, etc. In addition, leveraging the VPC architecture the AWS servers plug in to onpremise security monitoring and logging tools such as a SIEM. Finally, multi-factor authentication can still be used for server access via SSH and remote desktop on Windows, as well as web access to the AWS console.
Other Lessons Worth Sharing
● Migrate services in response to events such as upgrade cycles or hardware warranty expiration, rather than sequentially;
● Select appropriate sizing: due to the old IT model everyone tends to over-size; think small and scale up instances as needed to save money;
● Think differently about DevOps, turn off unused services (such as dev or staging servers if you still need them at all, which we don’t), use snapshots for quick restore when developing, troubleshooting and during QA cycles.
● Map out a security plan in advance, particularly if setting up a hybrid environment. Clarify the role of AWS Security Groups, firewalls, etc. or you’ll be left untangling things later.
NDI’s cloud strategy has produced real wins for democracy. It has allowed us to focus limited staff resources on mission-supporting activities, helped reduce IT costs and the complexity of our environment while improving security; and enhanced the impact of programs that leverage these new technologies. My hope is that some of these experiences can help other organizations realize similar benefits.