How Federal Home Loan Bank of Chicago Maintains Control in the Cloud (ENT207) | AWS re:Invent 2013
-
Upload
amazon-web-services -
Category
Technology
-
view
742 -
download
2
description
Transcript of How Federal Home Loan Bank of Chicago Maintains Control in the Cloud (ENT207) | AWS re:Invent 2013
© 2013 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent of Amazon.com, Inc.
How Federal Home Loan Bank of Chicago
Maintains Control in the Cloud
Eric Geiger, Federal Home Loan Bank of Chicago
Federal Home Loan Banks
• Created by Congress in 1932
• Each is a cooperative owned by members in its district
• Members include banks, thrifts, credit unions, insurance
companies, and housing finance institutions
• As of September 30, 2013, almost 7,500 members in the
FHLBank System
• Each FHLBank is registered with the SEC
• Each FHLBank is governed by a separate board of directors, but
regulated by a single regulator, Federal Housing Finance Agency
Why Did FHLBC Start Using AWS
• Exploring infrastructure options – Faster server provisioning
– Required options and flexibility to replace existing hardware
– Wanted to reduce hardware expense
• What brought us to Amazon – Leader in the space
– Vast array of options
– Easy entry into the services
– Quickly observable results
• Our initial concerns – Security
– Performance
– Reliability/durability/availability
Due Diligence is Key
Communicate
Proof of Concept
Framework
Cost
Monitoring
Befo
re
Security
Disaster Planning
Afte
r
CONTINUOUS
Communicate with Your Organization • We had many preconceived notions
– Amazon is just a bookstore, isn’t it?
– The “cloud” isn’t secure!
• Get educated – Read the whitepapers
• http://aws.amazon.com/whitepapers
• “Overview of Amazon Web Services”
• “AWS Risk and Compliance” whitepaper
• “Auditing Security Checklist for Use of AWS”
– Review the AWS security and compliance sites
• http://aws.amazon.com/security
• http://aws.amazon.com/compliance
• This is more than simply moving infrastructure
• Is there guidance from governance bodies
• Ensure business buy-in early
Try a Small POC
• Level set your expectations
• What are you planning to use AWS for – Only web services
– Core infrastructure
– Data and database services
• Explore the service options
• Important basics to consider – Pick a region/zone that’s close
– Set up a VPC
– Test your network connectivity and see if it’s sufficient
Evaluate with a Framework
• AWS has many certifications and accreditations: HIPPA, SOC 1, SOC
2, SOC 3, PCI, ISO 27001, FISMA, FedRAMP, ITAR, FIPS 140-2
• How do the certifications pertain to you? – Certification need to be mapped back to your own compliance and control framework
– The bank used the Cloud Security Alliance framework as our starting point
• https://cloudsecurityalliance.org/
• Time-consuming process to map associations – Will draw attention to areas your own control framework needs revision
– Should be done by multiple areas in your organization
• IT security
• IT operations
• Internal audit
Aligning Your Framework to AWS • Our example using the Security Guidance for Critical Areas of Focus in Cloud Computing
Inte
rnal C
on
trols
Alig
nm
en
t of A
WS
with
Inte
rna
l
Co
ntro
ls
Inte
rnal R
isk
Ratin
g
Team
Co
mm
en
ts
Arc
hite
ctu
ral
Rele
van
ce
Alig
nm
en
t with
Ind
ustry
Co
ntro
l
Fra
mew
ork
s
Consider All of Your Costs • We definitely saw a reduction in expense
• The cost equation is not simply instances*hours*price
• Your AWS instance usage needs monitoring – Elastic provisioning makes it easy to generate instance creep increasing cost
– Reserved might be cheaper over time
– On-demand instances need to be reviewed regularly for conversion to reserved
• You still need to support your AWS infrastructure – Standard infrastructure jobs still apply: provisioning, patching, software installs, backups, anti-virus
and tools
• Moving can generate new workloads for additional costs – Managing client side IDS and firewalls
• Useful considerations – Auto start/stop can save considerable money
– Amazon CloudWatch can be configured to report on spending thresholds
– AWS Trusted Advisor can find significant cost savings based on usage stats
Infrastructure Monitoring
• CloudWatch is your first resource – Pay for “Detailed Monitoring”
– Set up CloudWatch alarms on basic thresholds: CPU, network, disk usage, spend
• Monitor your events – Watch for unexpected instance reboots and maintenance
– Use the AWS API to automate event monitor when possible
• Expand CloudWatch with your existing third-party monitoring – CloudWatch will not replace your existing tool set
– You can run your agents on the AWS instances
• Can allow you to recycle existing scripts and code
• Monitor OS-level activity, events, services, logs, etc
Security Monitoring • AWS security works best when you are building apps to leverage AWS services
• AWS has some limitations for traditional security monitoring – Limited Inspection and auditing of your traffic
– Limited traditional integration with third-party vendor products
– Better (targeted) service offerings to support “traditional” application environments
• You can do some things to mitigate certain limitations – Always use VPCs when possible to help control traffic
• Separate dev/test, prod and Internet apps to their own VPCs
– Consider host-based firewalls and IDS
– All traffic flows through your traditional data center when possible
– Terminate AWS Direct Connect at firewalls to assist with traffic inspection
• Locked-down AWS console – Multifactor authentication
– Permission restrictions
– Limited access
Disaster Planning
• Consider your real uptime need – Amazon SLA is 99.95% availability for EC2 infrastructure each month
– That’s 3.6 hours per month of downtime
• Your zone will be degraded
• Quick recovery and redundancy can be architected – Create an AMI (Amazon machine image) of your working, patched
server on a regular basis
– Take snapshots of your instances on a regular basis
– Use Amazon S3 service to keep images and snapshots available in
multiple regions and zones
Thank You
• Questions?
Please give us your feedback on this
presentation
As a thank you, we will select prize
winners daily for completed surveys!
ENT207