Happy 2018 everyone! We hope you are having a fantastic start to your new year. And what’s a new year without some resolutions? Projects you can start from scratch, or improve upon from last year, or in some cases, totally avoid. While there are many examples of personal resolutions you can read about or create for yourself, what about resolutions for organizations—specifically around your technology practices?
Most organizations start the year with a plan in place for achieving their goals with company targets, budgets and growth strategy. Companies that are already "in the cloud" can often forget to revisit areas where they've been leveraging cloud technology for a while already, although there's still more that could be done to help achieve these company goals. For 2018, here are 3 cloud resolutions for you to consider to ensure you're getting the most out of your cloud solutions!
#1: Audit and Review Your Security
By Mency Woo
We all know about the advantages of the cloud (scalability, availability, resilience … to name just a few), but with freedom also comes responsibility. Even when you have not heard about the exposure of the horrible security breaches and leaks last year (Equifax, Yahoo!, Pentagon)—which is unlikely given the incidents are so high profile and extensive—it does not take much to imagine the damage if your critical business and personal data is exposed to the public, or the repercussions on reputation and long term aftermath of data thefts.
Gladly security is one of the core pillars of Amazon Web Services (AWS), so much so that “cloud security at AWS is the highest priority”. To kick off the year, it is time for everyone to review their infrastructure to uphold the necessary security posture. To name a few quick actions amongst a multitude:
- Data: Lock down your storage tier (Amazon S3 being one of the key storage services) to ensure only minimal access to the resources. For sensitive data, consider encryption at rest: AWS Key Management Service is a very useful service to create dynamic encryption keys to encrypt your EBS volumes and Amazon RDS database instances.
- Passwords: AWS Systems Manager hosts a myriad of services to support the AWS ecosystem, in which the AWS Systems Manager Parameter Store plays the role of a serverless secrets management service. Instead of storing the Amazon RDS master password in plain text somewhere, it is time to use the Parameter Store (supported by AWS KMS encryption) to store the sensitive data!
- Defense against malicious traffic and DDoS attacks: We love how scalable AWS is to handle dynamic load, but it is still important to ensure we are servicing only legitimate requests to avoid unnecessary resource consumption. AWS WAF and AWS Shield are two services to defend against malicious traffic. Using user-defined rules, AWS WAF can block traffic from blacklisted IPs and filter out common attack patterns such as cross-site scripting and SQL injection. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service to detect uncommon traffic and automatically mitigate the risks and protect the resources behind the service.
- Network Access: Revise the rules (source IPs and ports) on the security groups. Some “0.0.0.0/0” rules are necessary, but quite often hardcoded IP ranges can be replaced by security group IDs to make access more locked down and nimble to update. Similarly, locking down layer 2 access through tightening network ACL rules also helps block malicious access!
- IAM: Revise the IAM policies to ensure minimal access by users, groups and services. Also, it is time to rotate passwords, access key and secret access keys. For access keys and secret access keys, do also consider leveraging AWS Security Token Service to generate temporary ones in order to reduce the number of credentials you must actively manage.
While limiting access and adding encryption sounds like a one-off exercise, it is in fact more important to be consistent with the security implementations. Luckily AWS provides a few services to help maintain long term security integrity: AWS Config is helpful to keep track of configuration changes to AWS resources, AWS CloudTrail is a logging service that keeps track of the origin of API requests to a number of AWS services within the account, and AWS Trusted Advisor can be used to monitor security settings of your AWS account. While these services focus on AWS resources, Amazon Inspector can be used to assess applications for vulnerabilities and potential deviations from best practices, therefore ensuring the full stack security compliance.
Security can be challenging, but it is a critical tenent of AWS best practices. The above only consists of some of the examples on how uphold the “confidentiality” and “integrity” pillars of the CIA triad. We all need a good kickoff to start the year, to provide us an opportunity to earn that badge of the security consciousness!
#2: Add Value to Your Business With Machine Learning
By Mike Fisher
Machine Learning (ML) is currently the most promising approach to implementing generalized Artification Intelligence (AI). Instead of creating step-by-step instructions for a computer on how to solve a specific task, if you provide it with a sufficient amount of data, it should be able to learn for itself (using an appropriate ML algorithm) how to make predictions from future datasets. Although extremely complex to implement from scratch, the advent of cloud computing—and the newer addition of managed ML services on top of those platforms—is starting to make ML practical for any business to use.
AWS now provides a whole suite of managed services that allow customers with any level of experience to take advantage of ML. You can use one of their simple APIs to access AWS-trained and provided models for image, video, and audio (including speech) recognition and natural language processing (i.e. actually understanding that speech). These services include Amazon Rekognition, Amazon Comprehend, Amazon Translate, Amazon Transcribe, and Amazon Polly. Amazon Lex, the technology that powers Alexa, is also available for creating powerful chatbots. For use cases that are more proprietary to your business, you can use one of their more generalized platforms—the original Amazon Machine Learning or their latest, most complete offering, Amazon SageMaker—to build, train, and deploy custom ML models. This could be for internal uses such as fraud detection or making market predictions, or for enhancing end-user experiences like providing more intelligent search results or personalized product recommendations.
Make the commitment in 2018 to find at least one place to start using ML to add value to your business!
#3: DR on the Cloud… or Hybrid Cloud Migration Instead?
By Urs Brasser
Customers often approach us about replicating virtual machines to the cloud. This is typically a topic broached by IT departments that have an existing investment in Disaster Recovery (DR) products that are nearing end of life, and their renewal incentives include some type of “cloud” licensing.
Because very few applications are stand alone, more often than not the act of simply replicating a virtual machine to the cloud doesn’t actually provide any gains in terms of service availability, and the reality is that DR plans, if not periodically tested, can often fail (or at least partially).
Many DR projects are in fact hybrid cloud deployments, typically setup with a basic VPN connection (or AWS Direct Connect for a more performant, reliable connection). If we looked at this architecture through the lense of building a hybrid cloud deployment to serve highly available production traffic, less money could be spent on DR product licensing and more resources could be invested in building a highly available, fault tolerant, Multi-AZ (or even multi-region) replicated application on AWS.
Revisit your DR plans in 2018 and decide if a hybrid cloud solution may offer a higher return-on-investment for your company.
We could have gone on and on with cloud resolutions, but in the spirit of keeping it simple, we listed three we considered most important for making your venture on the cloud a little more successful. If you have any feedback, suggestions, or would like to discuss implementing your own 2018 cloud resolutions, we’d love to hear from you!