A large non-bank financial services company considers adopting public cloud services to enhance speed of delivery to their customers. The non-bank financial services company helps businesses to control costs, protect their employees and provide health and wellness benefits.
The non-bank financial services company launched an initiative to migrate from their on-premises data centers to Amazon Web Services (AWS) cloud over the next five years. The corporation’s main goals for cloud adoption are to improve the customer experience and increase internal efficiency. Like other enterprise customers looking to adopt AWS, this corporation faced the challenge of where to start their cloud journey.
The client felt it was important to define the roadmap for cloud adoption while considering the benefits and complexities that come with an initiative of this size. Drawing upon their on-premises experience, they understood that to meet these challenges it was important to establish a cloud presence in a rigorous, disciplined manner. Many companies rush to the cloud, focusing on top-of-mind topics like application migration, and by moving too quickly, organizations neglect fundamental steps in their cloud adoption journey.
Enterprise cloud migration necessitates adopting new policies and frameworks to govern cloud usage and mitigate potential risks. Specifically, the client understood that when it comes to establishing a new presence in the cloud, it’s important to establish patterns of security, networking and shared services while keeping costs manageable and preserving environment agility. In addition, upskilling staff and updating processes to work and maintain the new cloud infrastructure are equally important.
The client asked WWT how we could help them on their cloud journey. As an AWS Advanced Consulting Partner, WWT was positioned to help the customer navigate the complexities of the cloud journey.
WWT was engaged to deliver the Cloud Adoption Readiness Service (aka Cloud Foundation offering) for the client. This offering is a comprehensive and interactive project, designed to accelerate a company’s adoption of AWS. The WWT cloud delivery team worked collaboratively with key IT staff to outline requirements and priorities to meet their objectives and devise a plan and timeline. Below are some of the objectives determined during the engagement:
- An assessment of existing enterprise policies, methodologies and technologies.
- Roadmap for cloud journey including increased adoption of DevOps concepts, methodologies and tooling across their organization.
- Develop a customized AWS Landing Zone (LZ), consisting of the relevant frameworks and policies to support a next-generation data platform and cloud adoption.
- Train and upskill their staff in relevant cloud technologies to ensure a clean handoff and long-term maintenance.
- Safely drive cloud consumption for multiple business units, security and cost containment being top of mind.
Overall success criteria, defined by key results and deliverables, were agreed upon, and the collective team got to work. Some of the methodologies used to accomplish the objectives are outlined throughout this case study. By no means is this a comprehensive list, but it should give the reader a feel for the complexity, challenges, outcome and rewards.
The goal of the AWS cloud adoption engagement was to establish a secure and well-architected LZ for AWS workloads customized with the client’s specific policies, frameworks and enterprise requirements in mind. These frameworks and procedures are based on AWS best practices but have been fully tailored to the client. The LZ customizations helped the client safely drive cloud consumption for multiple business units. This set of foundational services enabled the client to consume the flexible, on-demand and elastic ecosystem of AWS and related cloud services.
Gap analysis and customer enablement
WWT’s cloud experts worked closely with the client’s stakeholders to understand business needs, requirements and goals to facilitate agility and success. WWT helped the client identify key areas to focus on while developing a roadmap to strengthen the client’s overall cloud strategy. In addition, WWT and the client discussed the people and processes that comprise the operational model to understand relevant gaps that would need to be closed to ensure successful cloud adoption. This joint participation in the visualization of the desired end state allowed WWT and the client to smoothly work together on the journey map, ensuring that both parties were aimed at the same target.
Here is a sample of recommendations from the gap analysis, providing near and long-term focal points.
- Establish a Cloud Center of Excellence (CCoE).
- Deploy the customized AWS Landing Zone.
- Maintain a regular cadence of evaluating cloud services and aligning with the CCoE to see if the client is aligned to their cloud operating model and strategy.
- Train and upskill relevant staff as part of the engagement.
- Prior to migrating select workloads, create a strong business case with detailed costs and benefits for migrating the applications. Use this initial set of criteria to determine candidacy.
- Once workloads have been selected from these criteria, the client is ready to start planning the migration. Adjust migration requirements as requirements change.
- Move the organizational IT operating model towards automation of workload deployments, disaster recovery, business continuity planning, service catalog integration, cost management, and cloud-ready operational processes and run books.
To assist a client in making informed decisions, part of the WWT process is to enable the technical staff during delivery of the engagement. Cloud is an expansive topic; no one individual can be an expert in all aspects of it. To help spread cloud knowledge throughout the customer’s IT department, WWT hosted AWS Immersion Days with the client’s IT staff. The Immersion Day provided a baseline of cloud terms and definitions, giving WWT and the client a common language. Before and during the engagement, best efforts were made to upskill the client’s architects and engineers, equipping them to maintain the environment as it scales.
Architectural framework and policy for cloud adoption
The key to the success of cloud adoption is establishing a governing body to help guide an organization during their cloud transformation. WWT helped the client establish a Cloud Center of Excellence (CCoE) with members from different disciplines and practices and included executive sponsorship. After the CCoE members had been defined, the team worked together to identify the cloud champion stakeholders.
After clear roles and responsibilities were identified, work began on customizing the client’s AWS Landing Zone architecture. Technical customizations occurred over multiple working sessions spread over two-week sprints.
Through a series of sprint-driven workshops, with a technical focus on security, networking and shared services, WWT worked with the customer’s CCoE, cloud champions and SMEs to translate the business requirements and business considerations into technical policies, requirements and considerations relevant to an initial cloud buildout. The artifacts from these working sessions helped shape the AWS Landing Zone to the client’s specific requirements.
As part of the Security sprint, WWT ensured that the Center for Internet Security (CIS) benchmarks and the National Institute of Standards and Technology (NIST) standards were followed. WWT also recommended the customer adopt the "least privilege model" while enforcing cloud security posture through data classification. Lastly, WWT helped the client define and implement tagging policies and IAM policies.
During the network sprint, WWT and the client reviewed the cloud traffic flow requirements and traffic inspection needs. We worked together to build policy covering East/West and North/South traffic flow and inspection, firewall requirements and Zero Trust policies. In addition to the network flow and firewall requirements, the team discussed site-to-site connectivity options, inter- and intra-VPC connectivity options and third-party vendor connectivity options. During this sprint, high-level network diagrams were generated to help visualize the proposed multi-account network architecture and supporting framework. In addition to the overall internal network design, WWT leveraged our technical background in cloud networking and re-architected the client’s Direct Connect solution in less than one week.
After establishing the security and networking policies and frameworks, the team moved on to the topic of shared services, and in particular, authentication requirements. The team designed and defined the client’s cloud Active Directory requirements and Single Sign-On (SSO) integration. These components play a critical role in establishing a multi-account centralized Domain Name System (DNS) for the client’s services to consume.
Landing Zone design
WWT utilized AWS Control Tower to provide the baseline for the client’s multi-account architecture. AWS Control Tower helps organizations set up and administer a multi-account environment, provides ongoing governance with preventive and detective guardrails, and its dashboard offers a single pane of glass for accounts and compliance within the landing zone.
Throughout the technical sprints, WWT and the client identified desired modifications and customizations within the Control Tower environment to meet the client’s enterprise requirements. WWT’s goal was to make sure that the client’s Landing Zone was sustainable and scalable. Below are a couple of example diagrams of an AWS-recommended Landing Zone, organization structure and centralized logging solution utilizing AWS Control Tower.
This image is a generic example of a typical AWS organizational structure with multiple accounts. Guardrails provided by AWS Control Tower and custom guardrails deployed by WWT will be applied at the organizational unit (OU) level of the AWS organization service to enforce governance.
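As an added illustration, not an artifact from the engagement, the following custom service control policy (SCP) shows the kind of preventive guardrail that is attached at the OU level: it denies every principal except the Control Tower execution role the ability to disable CloudTrail or AWS Config, and it refuses to launch EC2 instances that are not tagged with a data classification. The `DataClassification` tag key is an assumed example name; `AWSControlTowerExecution` is the role Control Tower provisions in each enrolled account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingCloudTrailAndConfig",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors",
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:StopConfigurationRecorder"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    },
    {
      "Sid": "RequireDataClassificationTagOnInstances",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/DataClassification": "true"
        }
      }
    }
  ]
}
```

The policy is registered with `aws organizations create-policy --type SERVICE_CONTROL_POLICY` and bound to an OU with `aws organizations attach-policy`; SCPs only restrict what member-account principals may do and never grant permissions on their own.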
During the Control Tower setup process, a log archive account is provisioned to collect logs centrally from all the other accounts. AWS CloudTrail and Config logs are stored in an S3 bucket, with CloudTrail’s built-in digest files available for validating the integrity of log files. In addition, the CCoE will define a policy for other log storage that will utilize this central bucket from all AWS adopters, including considerations for storage lifecycles and other future data lake opportunities.
After this engagement, the client is in an excellent position to begin realizing the benefits cloud computing offers in a secure, governed, and scalable environment. By working side-by-side with our cloud experts, the client’s technical teams have a solid conceptual understanding of the components deployed in their customized Landing Zone. The provided in-depth architectural framework and governance policy documents can be used as reference and refined as the client’s use cases evolve.
In the near term, customer objectives were met on schedule, but the journey is far from complete. WWT continues to work with them as a trusted advisor on their long-term goals as they mature in their cloud knowledge and tackle the difficult tasks of organizational transformation and workload migration.