A Medical Organization's Journey Into Multicloud
A large Healthcare Institution decided that they wanted to begin utilizing the power of the public cloud. They needed a trusted consulting partner with AWS expertise to assist them in building out their multicloud foundation strategy, roadmap and architectural frameworks and policies.
Recently, WWT was engaged to assist a Healthcare Organization with their AWS cloud adoption journey. Founded in the early 1900s, this organization is a large health insurer that services hundreds of thousands of members. Working together with employers, partners, physicians and other healthcare providers, their goal is to provide care and be an advocate for the health of both families and the environment in the areas they service.
Due to their unique locale, cloud adoption for this organization has been challenging due to their distinct operating location and the resulting latency issues to the nearest public cloud data centers. Nevertheless, organizations in the service area still rely on cloud services to operate and improve speed to market for their customers.
As many organizations already rely on SaaS and hosted solutions locally, the customer realized that providing the ability to build workloads in a public cloud space has the potential to bring many benefits not just to the organization itself, but to their customer offerings. As a pioneer of using technology to improve health care in their service area, this customer decided to make the move to the cloud and chose AWS as the logical landing zone for its workloads, inheriting the benefits of improved scalability, availability and cost control inherent on the platform.
However, moving and migrating to the cloud is not an easy journey to accomplish without detailed strategy, planning and roadmap considerations for an organization. The customer wanted to ensure that they had the right strategy in place to align to corporate business requirements. In addition, they wanted to ensure they had education around best practices, caveats and lessons learned from a technical framework and policy perspective.
After evaluating current hosting solutions for their applications and comparing that to the cost of running workloads in AWS with the elasticity and flexibility it brings, they decided that working towards an adoption of AWS would not only allow them to scale more efficiently, but if done correctly, could be done in a cost effective manner.
Unfortunately many companies rush to the cloud without understanding what is involved from a strategy, operational and business perspective and wind up with large unaccounted for expenses, deployment practices that do not align to company policies or in a worst case scenario, a weakened security posture. Many companies know the benefits of cloud, however, knowing the benefits and obtaining them are two different things.
As such, this customer wanted to ensure that when they were ready to move workloads into AWS, they had a solid foundation, strategy and roadmap for their business. They wanted to confirm they had input from various technical and leadership teams around standard architectures, policies, staffing and governance of their environment from Day 1.
They understood the importance of proper planning, from both a business as well as a technical focus, when operating in a shared responsibility model space such as the public cloud. They also understood that moving to the cloud requires new roles, skillsets and direction when it came to their personnel. The cloud journey can be very daunting for enterprise customers; luckily they didn’t have to embark on it alone.
As such, they reached out to WWT as a long time partner to assist them with establishing a solid cloud foundation. The objective was to work together to develop strategies, processes and methodologies to iterate and build upon, with the goal of establishing a path to follow on their cloud adoption journey.
WWT has a rich background in infrastructure, application development and migration, which has led to a proven methodology for IT transformation that has been adapted to help customers incorporate cloud into their ecosystem. Working with this organization's leadership to establish a cross team collaborative environment, WWT cloud consultants and architects quickly assessed where the customer was currently positioned in terms of its people, process and policies.
The synced team worked to plan future direction in terms of what, why and how they want to use the AWS Cloud and their long term vision and strategy for their organization as it relates to a multicloud environment. Key gaps were identified in their current state versus their ideal state, which allowed for a clear scorecard on areas that needed focus in the near, mid and long term. Some of these items included: devising a strategy to fold in existing IAM policies in a hybrid cloud manner, enabling operations teams to provide automation and no-touch deployments and determining future service catalog states.
A key component of driving cloud adoption is the formation of a Cloud Center of Excellence (CCoE), sometimes referred to as the Cloud Business Office (CBO). This is a group that is responsible for ensuring that the cloud strategy aligns with the business plans and goals. This team also establishes and maintains the cloud framework, policies and standards for cloud service usage. Any new technical services and architectural variances from the framework should be reviewed by this group, and the members of this team should be comprised of representatives from multiple IT verticals across the organization.
WWT worked with the customer to form a CCoE/CBO accelerator by identifying key stakeholders from across the business and engaging them to help educate around best practices and processes, with respect to CCoE and enabling their business through it. The team established a regular cadence for communication and began the work of laying out architectural and technical guidelines for their organization to optimally utilize the AWS platform.
Following an iterative methodology, the team aligned the organization’s business requirements and recommendations with technical requirements, recommendations and considerations. This flow took the form of a never ending feedback loop, which propelled the customer in its journey towards successful cloud adoption:
Once this phase of the project was complete, the output was fed into another constant feedback loop to deploy the requirements into a minimum viable product (MVP) for AWS Cloud, which included utilizing AWS Control Tower, and modifications inside of the accounts provisioned by Control Tower to align to their business and technical requirements.
These include items such as establishing custom guardrails outside of Control Tower, establishing integration points into their Okta IAM solution for Single Sign-On (SSO) and a authentication policy and framework. In addition, the team worked to enhance the landing zone’s security by creating custom Service Control Policy (SCP) guardrails alongside those deployed by Control Tower, establishing a framework for security group centralization and management, S3 Bucket management, tagging strategies and data protection, to name a few.
A landing zone is not complete without identifying a baseline network topology. Working with the customer’s network infrastructure team, a phased approach was established to get started in AWS quickly, with VPN followed up by a planned implementation of Direct Connect in the future. The team developed an addressing strategy for the AWS private VPC space including the VPC main CIDR blocks, subnet blocks and reservation blocks for elastic private resources.
Proper planning of network address allocation, especially when there are plans to incorporate a hybrid environment, is critical to prevent expansion concerns, address space conflicts and allow resizing and growth, preventing headaches in the future.
In addition, to future-proof their cloud network topology management, a centralized Ingress and Egress network architecture was established leveraging Transit Gateway, which allowed for segmentation of traffic, increasing their security posture and yet still being modular to allow other architectures to be integrated if desired. The design is extensible to allow break off points in each VPC, yet still allow micro-segmentation of network traffic as required.
Managing Private DNS in a cloud environment can be challenging and as such, the WWT team along with the customer’s infrastructure services team setup a Centralized DNS and Active Directory infrastructure leveraging AWS Managed AD, VPC Endpoints, Route 53 and Transit Gateway. The base of this infrastructure was established via an AWS solution blog post, but modified to include Managed Active Directory and optimizations specific to the customer.
Lastly, when required, custom automation was created to improve the MVP. For example, custom Lambda Functions were developed to ensure that logs such as VPC flow logs are automatically created upon VPC creation, and that they are sent via Kinesis and Cloudwatch Log Subscriptions to a centralized bucket for retention and future analysis. This was established via the use of CloudFormation Stack Sets in every AWS account, as well as a CloudFormation Stack that established the CloudWatch Subscription in the centralized account.
At WWT, we like to say that WWT and AWS are better together for our customers. For this Medical Institution, this holds true. Thanks to our engagement, we helped identify potential blockers in their speed to adopt the cloud from both a business and process perspective, but we also followed up with providing roadmaps to tear those blockers down.
In addition, we helped deploy an MVP landing zone based off requirements that they specified throughout our engagement, and assisted in aligning them to well-architected best practices and processes to ensure that as they grow into the cloud, they will continue to iterate, revise and grow in their application and product needs, as well as in the platform itself.
WWT acted as a catalyst to bring together business requirements and direction with the technical direction of moving towards AWS. As such, the customer feels much more confident in and around AWS; they have a solid footprint in place to begin migrating applications and understand the importance of establishing governance within their environment and the tools and methods to ensure that a guiding body can be in place to course correct when new features are released. In addition, by establishing an MVP and guidelines around them, their developers now have an account strategy to begin utilizing and building with the power of AWS.
But this is just one phase in the overall journey towards cloud adoption. At WWT, we have a multi-track approach towards getting a customer to their ideal cloud state. This begins with a solid foundation, such as the one we provided here, but also goes into evaluating and enhancing networking and security around the platform, application candidacy and migration, application development, automation enhancements and IT cloud operations augmentation.