Landing Safely in the Cloud: Automated Landing Zones Reduce Manual Configuration Problems

MARKET TRENDS REPORT


Introduction

Government agencies continue to move on-premises IT assets to the cloud, providing enterprises with robust new capabilities that are difficult to attain with legacy systems: greater flexibility, enhanced efficiency and responsive elasticity. Those capabilities – and other attributes of cloud computing – help agencies better serve constituents and reach mission goals.

Yet the journey to cloud isn’t always easy. The path can be fraught with perils and hidden traps that can sidetrack, delay and otherwise undermine the transition. Particularly vexing is that critical part of the journey during which on-premises assets “land” in the cloud. The traditional approach — manually configuring landing zones — is rife with opportunities for errors that can slow transitions, compromise security and delay Authority to Operate (ATO) authorizations. Cloud landing environments must be configured to accommodate the characteristics and security parameters of IT assets being accepted.

To learn more about overcoming these obstacles, GovLoop worked with T-Rex Solutions, LLC (T-Rex), an IT company with expertise in cloud adoption and infrastructure optimization, cybersecurity, data analytics, system integrations, and mission-critical systems. This report looks at ways to automate a critical aspect of cloud migrations to make the process of going to the cloud faster, more efficient and more secure.

Because the stakes and the complexity of migrations are high, cloud teams are eager to adopt tools and best practices that support the smoothest transitions possible. Use of automated, secure landing zones optimizes configuration of cloud environments, making it easier to “stick the landing.” Automated landing zones accelerate cloud migrations, allow for incorporation of best practices, eliminate security lapses — such as accidentally or maliciously public Amazon Web Services (AWS) Simple Storage Service (S3) buckets — and speed onboarding of staff in new cloud environments.



By The Numbers

$1.3 trillion of IT spending will be affected by the shift to the cloud by 2022.

95% of security failures result from misconfiguration by the customer.

73% of 200 surveyed organizations were affected by manually misconfigured cloud environments, especially misconfiguration of identity and access management or storage policies.

7% of S3 buckets provide unrestricted public access.

35% of S3 buckets are unencrypted.

28% of spending in key IT segments will shift to the cloud by 2022.

15.1 billion of reported records exposed were due to breaches in 2019, a 284% increase in the number of records exposed from 2018.



Reducing Risk in Cloud Migrations

The Challenge: Sticking the Landing

A critical component of successful cloud migrations is AWS Well-Architected Review (WAR) landing zones — hospitable cloud environments defined by standard, secure cloud infrastructure; policies; best practices; guidelines and centrally managed services. Landing zones are safe ports of entry for migrated IT assets. Creating landing zones is inherently complex, and traditional methods of manual configuration often introduce errors that make migrations inefficient and less secure.

To appreciate the importance and challenge of creating Well-Architected landing zones, consider the analogy of a large group of people who decide, en masse, to resettle their community on another planet. Leaving behind the infrastructure of their lives on Earth — houses, jobs, roads, governance and a breathable atmosphere — they board a spacecraft and rocket toward a new home. If before departure the travelers arrange for the construction of a suitable landing zone on the new planet, they’ll experience a smooth transition and begin their new lives on firm footing. But what if the contractor has experience building landing zones suited to the environment on Venus but not that of Mars, and the landing area is pocked with potholes or the landing strip is crooked or too short?

“The way that you make a secure landing zone in each cloud is fundamentally different,” said Philip M. Gollucci, Director, Solutions Architecture and Centers of Excellence Cloud Lead at T-Rex Solutions, LLC.

Space travelers and cloud migrations suffer when they rely on poorly configured landing zones. In both examples a crash is possible — but even that isn’t the worst-case scenario. “If you’re lucky, it ends with a crash,” Gollucci said. “If you’re average, it ends with an explosion: Crashes are recoverable; explosions not so much.”

The uncertainty that poorly conceived, manually configured landing zones introduce means that “you literally have no idea what’s going to happen next,” he said.


The Solution: More Automation, Fewer Errors

To facilitate cloud migrations, government agencies are turning to solutions that automate the configuration of cloud landing zones. These prebuilt areas hold necessary capabilities and controls — for the benefit of people, processes and tools (DevSecOps teams) — required of IT assets migrating to the cloud from on-premises environments.

“You really want to make sure you have the correct security, the correct configuration, and that it’s maintainable over time and monitored in the correct way,” said Jason Keplinger, Chief Technology and Innovation Officer at T-Rex Solutions, LLC.

A robust product can implement landing zones in multiple cloud environments in support of agencies’ hybrid, multicloud solutions. Automated configurations enable faster, simpler, more secure and more efficient migrations. To that end, automated tools provide Secured, Managed, Infrastructures, Landing Zones, and Environments (SMILE). Features of the best tools incorporate use of Infrastructure as Code (IaC) and Continuous Configuration Automation (CCA), which align with and embed current best practices, before deployment.

“It’s important to have processes laid out before you put applications or data into a cloud environment so that you’re setting yourself up for a good authority to operate,” Keplinger said.

An expertly configured landing zone provides benefits well beyond the initial migration. Consider again our intrepid interplanetary travelers. A well-conceived, comprehensive landing zone will provide infrastructure to establish their colony and a path to prosperity with adequate shelter, security protocols, rules of engagement, community policies and enforcement, and means to centrally manage common community interests. Similarly, automated landing zones smooth the process of cloud migrations — during the initial transfer of on-premises assets to the cloud and extending into the operational phase.



Best Practices in Automated Landing Zones

Multi-Account Landing Zones with Hubs and Spokes

Using multi-account landing zones with hub-and-spoke configuration simplifies management of landing zones and improves security. “If someone got access to one of your accounts, they would only have access to one of those environments. If you had an all-in-one account, they would have access to everything within an environment,” Keplinger said. “It’s a better way of managing your environment within the cloud to get better visibility and better security.”

Tiered Data Access for Logs and Audit Trails

Use of multi-vector data allows cloud teams to compare data from different areas of a system to identify when something has changed and whether the change was intentional and authorized.

Continuous Well-Architected Reviews (WARs)

Ongoing reviews are necessary to make sure an agency is using the cloud as efficiently and securely as possible. Continuous reviews are necessary to use new services when they become available. “New services come out all the time that may provide you better security, better visibility and better management of data,” Keplinger said. “Consistent reviews over time ensure that you keep up.”

Near-Real-Time, Event-Driven Remediations

Instead of relying on fallible human workers to constantly be in the security loop and expecting them to consistently identify and remediate security issues — including restoration of faulty configurations — automation provides the capability to make those corrections without human input. In some scenarios, this capacity is known as a self-healing system.

Centralized Networking

This feature essentially transforms networking into code. Using code in an automatically configured landing zone to establish a network in the cloud allows for creation of a trusted, centralized environment from the outset of a cloud migration. “You don’t need separate people to do it. The code establishes the environment,” Keplinger said. “In the past, you needed a network engineer, and a cloud engineer or a data center engineer to set up an environment. Here you’re doing it with one person.”

Empowered Teams

This best practice is all about fine-tuned security controls — allowing systems managers to give access to people who need access and denying it to those who don’t. “When you’re in the cloud, you’re able to do a lot more of that fine-tuned, fine-grained access control,” Keplinger said.



Case Study: Cloud Migration Under Pressure

In 2016, a government agency undertook a $1.6 billion mobile data collection project with an aggressive timeline and a mandate that results be highly accurate. To succeed, the agency would need to quickly increase its capacity for data transactions and migrate mission-critical workloads to the cloud. The agency would have to move 18 on-premises applications to the cloud within 18 months — while complying with Federal Information Security Management Act (FISMA) requirements. With no room for delays, the project needed rapid creation of automated, cost-effective and secure environment deployments to the cloud. Those cloud environments would have to support multiple IT systems and provide for rapid adoption of upgrades, avoidance of vendor lock-in and the use of cloud-native functionality.

The T-Rex SMILE® solution, an IT modernization tool that enables faster, simpler, more secure, cost-effective cloud migrations through continuous configuration automation, grew out of this enormous undertaking. The T-Rex team developed repeatable processes and procedures to support cloud migration and adoption. To attain security goals and ATOs in a timely manner, T-Rex developed a customized ATO process with inputs from all relevant stakeholders. The team tracked progress using Agile methodologies. T-Rex succeeded in delivering a robust system that could handle more than 1 million concurrent calls. The agency met its data collection goals securely and on time. T-Rex has also cut the time to attain ATOs from more than 250 days to less than 50 days. “A lot of that had to do with automating the process,” Keplinger said.

HOW T-REX SOLUTIONS HELPS

Before T-Rex SMILE® became a go-to solution for agencies moving on-premises applications and data to cloud, it was one of several Technology Lab Projects (TLP) under development at T-Rex. T-Rex SMILE® was the first TLP to be “productized” and released for use in the field, and it provides a platform for other T-Rex solutions that are nearing completion.

“T-Rex SMILE® underpins those automations (under development) across all verticals because it makes the landing zone” that enables successful cloud migrations, Gollucci said. “The other TLPs will automate specific pieces of those verticals.”

T-Rex SMART® modernizes and secures cloud environments by using an Agile-like methodology that takes advantage of new platforms while also meeting critical missions. “T-Rex SMART® provides a white-glove approach for customers to address any problem with a cloud migration or digital modernization,” Gollucci said.

T-Rex Single Pane of Glass (TPOG), which is optimized to work with T-Rex SMILE®, is a cloud migration dashboard that shows cloud teams what has migrated, how many security vulnerabilities exist, how many have been fixed and the expected date of the next ATO.



Conclusion

At a time when federal agencies are accelerating the migration of on-premises IT assets and functionality to the cloud, government IT teams are exploring how to improve the transfer of data and processes. For some agencies, the solution will be to automate the process of landing zone configuration as a way of limiting opportunities for human error and unintended consequences.

Automated configuration of landing zones smooths cloud migrations and more quickly attains ATOs, in no small part because automation configures security controls in the new environment. Automated configuration of landing zones has many benefits, including incorporation of best practices into the new environment, mitigation of security threats and easier onboarding of people working in the new environment.

ABOUT T-REX SOLUTIONS

T-Rex has designed, built, integrated, and operated some of the world’s largest mission-critical systems for government clients who need to leverage the power of data. The company implements complex IT modernization projects with critical data-protection requirements, aggressive schedules, and large size and scale. The company focuses on fostering innovation while mitigating risk, helping to save time and money, and improve benefit-to-cost ratios.

Learn more at www.trexsolutionsllc.com.

ABOUT AWS

Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform. Millions of customers, including government agencies, are using AWS to lower costs, become more agile, and innovate faster while powering infrastructure and providing reliable, mission-critical services.

Learn more at www.aws.amazon.com.

ABOUT GOVLOOP

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 300,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

For more information about this report, please reach out to info@govloop.com.



1152 15th St. NW Suite 800 Washington, DC 20005 P: (202) 407-7421 | F: (202) 407-7501 www.govloop.com @GovLoop

