The adoption of Cloud and DevOps has brought changes in large enterprises around the traditional management methodology of Infra, Middleware, and Applications lifecycle. There is a continuous “tension” to achieve the right balance of “security + compliance” vs “agility + flexibility” between Operations and Development teams. For large enterprises with multiple business units and global operations and having distributed assets across multiple cloud providers, these issues are more complex. While there is no “silver bullet” that can solve all these issues, every enterprise needs a broad framework for achieving the right balance.
The broad framework is based on the following criteria:
IT teams predominantly define the infrastructure components like images, network designs, security policies, compliance guardrails, standard catalogs etc. based on the organization’s policies and requirements.
Application teams have the flexibility to order and consume these components and to manage the post-provisioning lifecycle specific to their needs.
The challenge being faced by larger enterprises using multiple cloud workloads is the lack of a common orchestration portal to enable application teams to have self-service requests and flexible workflows for managing workload configuration and application deployment lifecycle.
The standard Cloud management portals from the major cloud providers have automated most of their internal provisioning processes, yet don’t provide customers system-specific solutions or do workload placement across various public and private clouds. In order to serve the needs of Application groups, a portal is needed with the following key functionalities.
The self-service portal is controlled via role-based access.
Standard catalog of items for Infrastructure Management.
Flexible workflow for creating a full lifecycle of configurations management.
Microservices-based building blocks for consuming “Infrastructure As A Code” and manage post provisioning lifecycle.
Ability to monitor the end-to-end provisioning lifecycle with proper error handling and interventions when needed.
Governance and management post-provisioning across multiple workloads and cloud services.
Relevance Lab has come up with a microservices-based automation solution which automates enterprise multi-cloud provisioning, pre and post, provisioning workflows, workload management, mandatory policies, configurations, and security controls. The end-to-end provisioning is automated and made seamless to the user by integrating with ServiceNow, Domain servers, configuration servers and various cloud services. There are multiple microservices developed to handle each stage of the automation, making it highly flexible to extend to any cloud resources. The building blocks of the framework are as shown below:
The IAAC, which is maintained in a source code repository can have the cloud templates for a variety of resources.
Compute – VM/Server
VMWare, AWS, Azure, GCP
Automated provisioning of VMs and the backup VMs
Compute – DB Server
VMWare, AWS, Azure, GCP
Automated provisioning of the DB servers and Backup servers – Oracle, PostgresSQL, MSSQL, MySQL, SAP
Compute – HA and DR
VMWare, AWS, Azure, GCP
Automated provisioning of HA and DR servers
Compute – Application Stack
Automated Provisioning of Application stack using CFTs and ARM templates
Network – VPC
AWS, Azure, GCP
Automated provisioning of VPCs and subnets
AWS, Azure, GCP
Automated provisioning of S3 buckets or Blob storage
Storage – Gateways
Automated provisioning of storage gateways
Automated provisioning of DNS servers
Getting Started with Hybrid Cloud Automation – Our Recommendations:
Generate standard cloud catalogue and create reusable automated workflows for processes such as approval and access control.
To optimize the management of resources, limit the number of blueprints. Specific features can be provisioned in a modular fashion in the base image.
Use configuration management tools like Chef/Puppet/Ansible to install various management agents.
Use “Infrastructure As A Code” principle to provision infrastructure in an agile fashion. It needs tools like GitHub, Jenkins, and any configuration management tool.
Significantly reduce the Operations cost by reducing the manual effort and proactive monitoring of services using a single platform.
Reduced time to market for new cloud services by enabling a single-click deployment of cloud services.
Cloud is no longer a “good-to-have” technology but rather a must-have for enterprises. Although cloud-led digital transformation has been a buzzword for years, enterprises had their own pace of cloud adoption. However, the pandemic necessitated the acceleration of cloud adoption. Enterprises are faced with a new normal of operation that requires the speed and agility of the cloud.
In this blog, we will discuss the ground realities and challenges. We will also explore how Relevance Lab (RL) offers the right mix of experience and proven approaches to grow in today’s hyper-agile industry environment.
A Changed Ground Reality
Pandemic has accelerated how organizations look at IT infrastructure spending. It has also permanently changed their cloud strategies & spending habits. Online reports suggest that 38% more companies took a cloud-first approach compared to 2020 with an increased focus on IaaS and PaaS-based approaches.
According to a Gartner online survey, enterprises have preponed their cloud adoption by several years and this is expected to continue in the near future. The survey also predicts that enterprises will spend more on a just-in-time, value-based adoption to match the demands of a hyper-competitive environment.
Migration and modernization with the cloud is a long-term trend, especially for enterprises with a need to scale up. As CAPEX takes a back seat, OPEX is now at the forefront. Cloud as an industry has matured and evolved over a period of time, enabling faster and better adoption with hyper accelerator tools.
Criteria for the Successful Cloud Journey
The success of an enterprise’s cloud adoption journey can be evaluated by setting and measuring against the right KPIs. A successful cloud journey would help an enterprise achieve “business as usual” along with enhanced business outcomes and customer experience. It standardizes the framework for maintainability and traceability, improves security, and optimizes the cost of ownership, as shown in the image below.
Common Cloud Migration Challenges
Planning for and meeting all the criteria of a successful cloud journey has always been an uphill task. Some of the common challenges are:
Large Datasets: Businesses today are dealing with larger and more unstructured datasets than ever before.
Selection of Right Migration Model: Many enterprises, starting their cloud journey, have to choose the right migration model for adoption as per their needs, such as legacy re-write, lift & shift, and everything in between. The decision is based on various different factors like cost, business outlook, etc, and can impact business performance and operations in the longer run.
Change Management for Adopting a New Way of Operation: Cloud migration requires businesses to expand their knowledge at a rapid rate along with real-time analytics & personalization.
Security Framework: The risk of hackers & security attacks is growing across most industries. To keep up with the security while successfully moving to the cloud, enterprises need robust planning and an action list. Also, enterprises must choose a security framework depending on their size, industry, compliance, and governance needs.
Lack of Proper Planning: Rushed application assessments give rise to a lot of gaps that can affect the cloud environment. As a move into the cloud impacts different verticals and businesses as a whole, all stakeholders must be on the same page when it comes to an adoption plan.
Profound Knowledge: Cloud migration requires a dedicated and experienced team to troubleshoot any problems. While building an in-house team is a time-consuming, costly and tumultuous task, working with partners with knowledge branching into different technologies may not be a beneficial idea as well. Enterprises may need a partner with a focused understanding of the cloud migration niche as they will have assimilated knowledge from their engagement with various customers.
Continuous Effort: Cloud is ever-changing with new developments and evolving paradigms. Thus, cloud migration is not a one-time task but rather requires continuous effort to automate and innovate accordingly.
Solutions to Cloud Migration Challenges
Some of the potential solutions that an enterprise can adopt to overcome common challenges of cloud migration are:
Reassessing cloud business & IT plans
Identify and remediate risks and gaps in data, compliance, and tech stack
Detailed migration approaches with self-sufficient virtual ecosystems
Helps build, deliver and fail fast
Data-driven analysis enables stakeholders to make quick and effective decisions
Planning the solutions requires extensive experience and knowledge to implement. They can reap the benefits of the cloud easily with the combination of the right approach and solution.
How Relevance Lab Helps Businesses Accelerate their Cloud Journey
Relevance Lab (RL) is a specialist company in helping customers adopt cloud “The Right Way”. It covers the full lifecycle of migration, governance, security, monitoring, ITSM integration, app modernization, and DevOps maturity. We leverage a combination of services and products for cloud adoption. Helping customers on a “Plan-Build-Run” transformation, we drive greater velocity of product innovation, global deployment scale, and cost optimization.
Building Mature Cloud Journey
Moving to the cloud opens up numerous opportunities for enterprises. To reap all the benefits of cloud migration, enterprises need a comprehensive strategy focused on building value, speed, resilience, scalability, and agility to optimize business outcomes. Having worked with businesses across the globe for over a decade, our teams have seen a common trend that enterprises are often unaware of unprecedented adoption challenges, the “day-after” surprises and complexities, or the chronology of their occurrence.
This begs the question – how enterprises can overcome such surprises? Relevance Lab helps you answer it with a comprehensive and integrated approach. Combining cloud expertise and experience, we help enterprises overcome any challenge or surprise coming their way. Meeting the current needs of the clients, we help you build a cohesive and well-structured journey. Here are a few ways Relevance Lab helps you achieve it:
1. Assess the Current State & Maturity of the Cloud Journey
Any enterprise must get a clear picture of its current state before they build a cloud strategy. At Relevance Lab, we help clients assess their structures and requirements to identify their current stage on the cloud maturity journey. The cloud maturity model has 5 stages, namely, Legacy, Cloud Ready, Cloud Friendly, Cloud Resilient, and Cloud Native, as shown in the image below. This helps us to adopt the right approach that matches the exact needs of our clients.
Once the current stage is determined after an assessment, RL helps in designing an effective cloud strategy with a comprehensive and integrated approach keeping a balance between cloud adoption and application modernization. We ensure that all elements of cloud adoption move together, i.e, cloud engineering, cloud security, cloud governance & operating model, application strategy, engineering & DevSecOps, and Cloud Architecture, as shown in the image below.
2. Execute & Deliver through a Cross-Functional Collaboration and Gating Process
After the approach is defined and the strategy is designed, workstreams that integrate people, tools, and processes are identified. Cloud adoption excellence is delivered through cross-functional collaboration and gating across workstreams and stages, as shown in the image below.
How We Helped a Publishing Major Migrate “The Right Way”
Let’s explore a detailed account of how we implemented them for a global publishing major to maximize cloud benefits.
The publishing major was heavily reliant on complex legacy applications and outdated tech stack resulting in security & legal liabilities. There was a pressing need to scale IT and Product engineering to meet market demands driven by usage uptick (triggered by pandemic). Another immediate requirement was the need for better data gathering & analytics to enable faster decision making.
Relevance Lab provided an enterprise cloud migration solution with a data-driven plan and collaboration with business stakeholders. A comprehensive framework prioritizing customer-centric applications for scale and security was put in place. RL helped in implementing an integrated approach leveraging cloud-first and secure engineering & deployment practices along with automation to accelerate development, deployment, testing & operations.
To further learn about the details of how RL helped the above global publishing giant, download our case study.
Given the current times, cloud adoption strategy requires a data-backed understanding of the current systems and logical next steps, ensuring business runs as usual. There are many challenges that an enterprise may face throughout its cloud journey. Most of these may come as surprise as teams often are unaware of the chronological order in which the complexities occur.
Relevance Lab, an AWS partner, has an integrated approach and offerings developed through years of experience in delivering successful cloud journeys to clients across all industries and regions. Like the global publishing major discussed in the blog, we have helped clients significantly reduce costs by implementing modernizations backstage parallelly while their businesses run as usual.
To know more about cloud migration or implement the same for your enterprise, feel free to connect with firstname.lastname@example.org
Compliance on the Cloud is an important aspect in today’s world of remote working. As enterprises accelerate the adoption of cloud to drive frictionless business, there can be surprises on security, governance and cost without a proper framework. Relevance Lab (RL) helps enterprises speed up workload migration to the cloud with the assurance of Security, Governance and Cost Management using an integrated solution built on AWS standard products and open source framework. The key building blocks of this solution are.
Why do enterprises need Compliance as a Code?
For most enterprises, the major challenge is around governance and compliance and lack of visibility into their Cloud Infrastructure. They spend enormous time on trying to achieve compliance in a silo manner. Enterprises also spend enormous amounts of time on security and compliance with thousands of man hours. This can be addressed by automating compliance monitoring, increasing visibility across cloud with the right set of tools and frameworks. Relevance Labs Compliance as a Code framework, addresses the need of enterprises on the automation of these security & compliance. By a combination of preventive, detective and responsive controls, we help enterprises, by enforcing nearly continuous compliance and auto-remediation and there-by increase the overall security and reduce the compliance cost.
Key tools and framework of Cloud Governance 360°
AWS Control Tower: AWS Control Tower (CT) helps Organizations set up, manage, monitor, and govern a secured multi-account using AWS best practices. Setting up a Control Tower on a new account is relatively simpler when compared to setting it up on an existing account. Once Control Tower is set up, the landing zone should have the following.
2 Organizational Units
3 accounts, a master account and isolated accounts for log archive and security audit
20 preventive guardrails to enforce policies
2 detective guardrails to detect config violations
Apart from this, you can customize the guard rails and implement them using AWS Config Rules. For more details on Control Tower implementation, refer to our earlier blog here.
Cloud Custodian: Cloud Custodian is a tool that unifies the dozens of tools and scripts most organizations use for managing their public cloud accounts into one open-source tool. It uses a stateless rules engine for policy definition and enforcement, with metrics, structured outputs and detailed reporting for Cloud Infrastructure. It integrates tightly with serverless runtimes to provide real time remediation/response with low operational overhead.
Organizations can use Custodian to manage their cloud environments by ensuring compliance to security policies, tag policies, garbage collection of unused resources, and cost management from a single tool. Custodian adheres to a Compliance as Code principle, to help you validate, dry run, and review changes to your policies. The policies are expressed in YAML and include the following.
The type of resource to run the policy against
Filters to narrow down the set of resources
Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well managed Cloud Infrastructure, that’s both secure and cost optimized. It consolidates many of the ad hoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.
Security Hub: AWS Security Hub gives you a comprehensive view of your security alerts and security posture across your AWS accounts. It’s a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Identity and Access Management (IAM) Access Analyzer, and AWS Firewall Manager, as well as from AWS Partner solutions like Cloud Custodian. You can also take action on these security findings by investigating them in Amazon Detective or by using Amazon CloudWatch Event rules to send the findings to an ITSM, chat, Security Information and Event Management (SIEM), Security Orchestration Automation and Response (SOAR), and incident management tools or to custom remediation playbooks.
Below is the snapshot of features across AWS Control Tower, Cloud Custodian and Security Hub, as shown in the table, these solutions complement each other across the common compliance needs.
AWS Control Tower
Easy to implement or configure AWS Control Tower within few clicks
Light weight and flexible framework (Open source) which helps to deploy the cloud policies
Gives a comprehensive view of security alerts and security posture across AWS accounts
It helps to achieve “Governance at Scale” – Account
Management, Security, Compliance Automation, Budget
and Cost Management
Helps to achieve Real-time Compliance and Cost
It’s a single place that aggregates, organizes, and prioritizes
your security alerts, or findings, from multiple AWS services
Predefined Guardrails based on best practices – Establish / Enable Guardrails
We need to define the rules and Cloud Custodian will enforce them
Continuously monitors the account using automated
security checks based on AWS best practices
Guardrails are enabled at Organization level
If an account has any specific requirement to either include
or exclude certain policies, those exemptions can be
With a few clicks in the AWS Security Hub console, we can connect multiple AWS accounts and consolidate findings across those accounts
Automate Compliant Account Provisioning
Can be included in Account creation workflow to deploy the
set of policies to every AWS account as part of the
Automate continuous, account and resource-level
configuration and security checks using industry standards
and best practices
Separate Account for Centralized logging of all activities
Offers comprehensive logs whenever the policy is executed
and can be stored to S3 bucket
Create and customize your own insights, tailored to your
specific security and compliance needs
Separate Account for Audit. Designed to provide security
and compliance teams read and write access to all accounts
Can be integrated with AWS Config, AWS Security Hub, AWS
System Manager and AWS X-Ray Support
Diverse ecosystem of partner integrations
Single pane view dashboard to get visibility on all OU’S, accounts and guardrails
Needs Integration with Security Hub to view all the policies
which have been implemented in regions / across accounts
Monitor your security posture and quickly identify security
issues and trends across AWS accounts in Security Hub’s
Relevance Lab Compliance as a Code Framework
Relevance Lab’s Compliance as a Code framework is an integrated model between AWS Control Tower (CT), Cloud Custodian and AWS Security Hub. As shown below, CT helps organizations with pre-defined multi-account governance based on the best practices of AWS. The account provision is standardized across your hundreds and thousands of accounts within the organization. By enabling Config rules, you can bring in the additional compliance checks to manage your security, cost and account management. To implement events and action based policies, Cloud Custodian is implemented as a complementary solution to the AWS CT which helps to monitor, notify and take remediation actions based on the events. As these policies run in AWS Lambda, Cloud Custodian enforces Compliance-As-Code and auto-remediation, enabling organizations to simultaneously accelerate towards security and compliance. The real-time visibility into who made what changes from where, enables us to detect human errors and non-compliance. Also take suitable remediations based on this. This helps in operational efficiency and brings in cost optimization.
For eg: Custodian can identify all the non tagged EC2 instances or EBS volumes that are not mounted to an EC2 instance and notify the account admin that the same would be terminated in next 48 to 72 hours in case of no action. Having a Custom insight dashboard on Security Hub helps admin monitor the non-compliances and integrate it with an ITSM to create tickets and assign it to resolver groups. RL has implemented the Compliance as a Code for its own SaaS production platform called RLCatalyst Research Gateway, a custom cloud portal for researchers.
Common Use Cases
How to get started
Relevance Lab is a consulting partner of AWS and helps organizations achieve Compliance as a Code, using the best practices of AWS. While enterprises can try and build some of these solutions, it is a time consuming activity and error prone and needs a specialist partner. RL has helped 10+ enterprises on this need and has a reusable framework to meet the security and compliance needs. To start with Customers can enroll for a 10-10 program which gives an insight of their current cloud compliance. Based on an assessment, Relevance Lab will share the gap analysis report and help design the appropriate “to-be” model. Our Cloud governance professional services group also provides implementation and support services with agility and cost effectiveness.
Amazon WorkSpaces is a simple to use, cloud based, managed secure Desktop solution. It is a one click deployment product which is available on Windows and Linux operating systems. The main advantage of using Amazon WorkSpaces is as follows.
Easy to provision, Desktop as a Service (DaaS)
Provision, de-provision and lifecycle management using your existing ITSM (ServiceNow, Jira Service Desk or Freshservice)
Extend your existing On-Premise Desktops/Laptops with the AWS Workspaces and manage it centrally
Secured data with reliable, High Availability enabled Desktop solution
Cost effective and on-demand flexibility
Manage and scale up or scale down based on the business need in a centralized way
Accelerate deployment at scale
Need for a secured and effective Cloud End User Computing Model
Amazon WorkSpaces helps in adopting a secure, managed cloud-based virtual desktop model to fulfil your End User Computing (EUC) IT requirement needs. Also, it ensures Organizations move away from the pain of procurement, deployment, and management of a complex environment. The traditional method also has a challenge where the hardware and licenses can be scaled up with additional cost, in case of a need but cannot be scaled down and ends up with unwanted cost in case of seasonal spike. Amazon WorkSpaces help organizations scale up and scale down based on demand and deploy at scale with few click deployment models and with enhanced security of your cloud Desktop. Relevance Lab’s pre-baked solution helps your IT team who has minimal knowledge on AWS adopt DaaS solutions with usage of ITSM platforms or custom Cloud Portal.
Best Practices of Network design for Amazon WorkSpaces
It is recommended to use a separate VPC for your WorkSpaces implementation. This helps us define the required governance and security guardrails by creating traffic separation.
Each AWS Directory service build requires a pair of subnets for high availability across Amazon availability zones.
Subnet sizes are permanent and cannot be modified and hence need to plan for future capacity. You can define a default security group to your directory services which implies it to all the WorkSpaces under this directory services. Additionally, you can have multiple directory services use the same subnet.
Whether you are looking for a pure cloud solution for your AWS WorkSpaces or planning to integrate with your existing on-prem setup, AWS helps achieve both using multiple options as below.
Option 1 – Extend your existing directory to the AWS Cloud.
Option 2 – Utilize your existing on-premises Microsoft Active Directory by using AWS directory Service, AD Connector.
Option 3 – Integrate your on-premise server with AD Connector to provide multi-factor authentication (MFA) to your WorkSpaces.
Option 4 -Create a managed directory with AWS Directory Service, Microsoft AD or Simple AD, to manage your users and WorkSpaces.
Observability of AWS WorkSpaces
This deals with managing lifecycle from creation, usage and termination in an optimal manner. This covers following three areas.
Security and Governance
As per AWS best practices, every individual user account should be set up with AWS IAM roles with right permissions and enable multi-factor authentication (MFA) with each account. Different WorkSpaces on the same physical host are isolated from each other through the hypervisor as though they are on separate physical hosts.
CloudWatch Metrics for WorkSpaces gives an insight to the overall health and connection status of all WorkSpaces. This can be per Desktop or aggregated for all WorkSpaces within a Directory. Apart from the default metrics, you can also enable additional metrics.
AWS WorkSpaces billing is based on usage and there are 2 options to choose by default.
AlwaysOn – This is the best option when you are a monthly billing mode, and your usage is typically around 6 to 9 hours a day.
AutoStop – This is the ideal option when you are on hourly billing. You can have the WorkSpaces stop after a specified time of inactivity which stops the billing.
One of the best practices is to monitor the usage of the WorkSpaces running mode using Amazon WorkSpaces Cost Optimizer. This solution uses an Amazon CloudWatch event that invokes an AWS Lambda function every 24 hours. This can then convert your WorkSpaces to the most cost-effective model from the next billing cycle. (Hourly to Monthly or Monthly to Hourly) based on your usage pattern.
WorkSpaces provisioning can be automated using your existing ITSM platforms like ServiceNow, Jira, ServiceDesk or Freshservice.
There are existing connectors like AWS Service Management Connector and RLCatalyst Service Management Connector providing end to end automation.
Relevance Lab is a specalist AWS partner for Desktop as a Service using AWS Workspaces. It has implemented Workspaces with its pre-integrated, secured and matured solutions for its clients using their existing ITSM tools. This has helped customers for a faster adoption of cloud and promoted the cost optimization journey. Relevance Lab’s DaaS solution offering starts with an assessment questionnaire that can help your organizations understand the need to migrate to a secured, scalable and matured solution. Based on the assessment scorecard, we recommend the right solution based on automation, security, governance and compliance model.
This blog refers to the standard Desktop as a Service using AWS Workspaces. In more advanced scenario’s adoption of DaaS also involves additional steps like Storage, Log Monitoring, Security Analytics (SIEM, SOAR), Mail and Office suite options, Container Deployment and Application security signing which will be covered in a separate blog.
We do not collect and sell your personal information.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.