Structure
Domain – Area
1.0. Situation and Context
2.0. Ideas and Scenario Planning
3.0. Research and Knowledge Gathering
4.0. Experiments and Outcomes
5.0. Decisions and Further Improvements
APAC – NAS – On-Premise
|
#
|
Aspect
|
Remarks
|
|---|---|---|
| 1.0. | Situation and Context | Utilisation of NetApp provided technology and operational components to support NAS related use cases.
Constraints migration to cloud due to technical, operational, and commercial mechanics. Migration out of current NAS platforms are constrained by technical and operational interdependencies with end-user workstation components, messaging management, identity and access management, parallel initiatives in migrating to SaaS solutions for VDI and Communications, and overall timing constraints. |
| 2.0. | Ideas and Scenario Planning | Retain NetApp but using cloud specific offerings (ONTAP).
Retain NetApp, as is, migrate to colocation facility. |
| 3.0. | Research and Knowledge Gathering | Ongoing Discovery |
| 4.0. | Experiments and Outcomes | Ongoing Discovery |
| 5.0. | Decisions and Further Improvements | Ongoing Discovery |
APAC – SAN – On-Premise
|
#
|
Aspect
|
Remarks
|
|---|---|---|
| 1.0. | Situation and Context | Utilisation of Dell-EMC provided technology and operational components to support SAN related use cases.
Constraints migration to cloud due to technical, operational, and commercial mechanics. Migration out of current SAN platforms must happen en masse to be commercially and operationally viable. Phased migration of smaller discrete components has been discussed to yield minimal impact in benefits. This consideration is applicable from retaining required networking infrastructure, subscribing to specific telecommunications connectivity infrastructure, maintaining needed SAN-specific control and data plane components, to retaining similar SAN-related components in the colocation facilities. |
| 2.0. | Ideas and Scenario Planning | Migrate SAN to the cloud, as is, using virtual counterparts from vendors, if available.
Migrate SAN to a colocation facility, as is. Migrate out of SAN dependency within reasonable phasing and parameters:
If options, components, or offerings available on the cloud (IaaS, PaaS, SaaS) are discovered and tested to solve the requirements, even if not exactly apples-to-apples, these should be considered. |
| 3.0. | Research and Knowledge Gathering | Discussions with SAN vendor yielded and proven key assumption that SAN may not be ‘exactly’ supported in the cloud. Even the vendors themselves proposes uses of raw volumes of different types or the utilization of PaaS level services in the cloud.
Ongoing research and discovery into working and proven SAN alternatives in the cloud may not be feasible, given time constraints. |
| 4.0. | Experiments and Outcomes | Ongoing Discovery |
| 5.0. | Decisions and Further Improvements | Ongoing Discovery |
APAC – Volumes – On-Premise
|
#
|
Aspect
|
Remarks
|
|---|---|---|
| 1.0. | Situation and Context | Volumes attached and used by servers, whether by physical or virtual servers are internally and practically grouped by whether it is using SAN storage or direct attached volumes.
Volumes not hosted on SAN, while still requires a high level of preparation and migration work, have more straight-forward paths to the cloud. Volumes hosted on SAN, whether for system and file level utilization or for critical database disk and volume management, requires further investigation, verification, and planning. |
| 2.0. | Ideas and Scenario Planning | Migrate SAN to the cloud, as is, using virtual counterparts from vendors, if available.
Migrate SAN to a colocation facility, as is. Migrate out of SAN dependency within reasonable phasing and parameters:
If options, components, or offerings available on the cloud (IaaS, PaaS, SaaS) are discovered and tested to solve the requirements, even if not exactly apples-to-apples, these should be considered. |
| 3.0. | Research and Knowledge Gathering | Discussions with SAN vendor yielded and proven key assumption that SAN may not be ‘exactly’ supported in the cloud. Even the vendors themselves proposes uses of raw volumes of different types or the utilization of PaaS level services in the cloud.
Ongoing research and discovery into working and proven SAN alternatives in the cloud may not be feasible, given time constraints. |
| 4.0. | Experiments and Outcomes | Ongoing Discovery |
| 5.0. | Decisions and Further Improvements | Ongoing Discovery |
APAC – Volumes – Cloud
|
#
|
Aspect
|
Remarks
|
|---|---|---|
| 1.0. | Situation and Context | Ongoing Discovery |
| 2.0. | Ideas and Scenario Planning | Ongoing Discovery |
| 3.0. | Research and Knowledge Gathering | Ongoing Discovery |
| 4.0. | Experiments and Outcomes | Ongoing Discovery |
| 5.0. | Decisions and Further Improvements | Ongoing Discovery |
APAC – Object Storage – Cloud
|
#
|
Aspect
|
Remarks
|
|---|---|---|
| 1.0. | Situation and Context | Â Not applicable at the moment. |
| 2.0. | Ideas and Scenario Planning | Â Not applicable at the moment. |
| 3.0. | Research and Knowledge Gathering |  Not applicable at the moment. |
| 4.0. | Experiments and Outcomes | Â Not applicable at the moment. |
| 5.0. | Decisions and Further Improvements | Â Not applicable at the moment. |
/ /
/ /
Sample Cost Estimation Matrix
| CSP | AWS | AWS | AWS | GCP | GCP |
|---|---|---|---|---|---|
| Parameters: Â Common | Instance Count: 24 Nodes | ||||
| Parameters:  Common | Instance Uptime Characteristics: 24 Nodes, Each  running 1 Hour Per Day For Maintenance, Deployments, Cleanup, Backup, and  other system/cloud administration requirements. Can be objectively used as an extrapolation of Production Uptime Requirements (Above Average Aggressive Minimum) | ||||
| Parameters:  Common | Instance Type: Homogeneous Like For “Almost Like” 4-Core, 16 GiB RAM, Xeon 2.3 GHz E5-2686 v4 Haswell Baseline (Above Average Aggressive Minimum) | ||||
| Parameters:  Common | Network: 10 TiB Network Regional Egress Aggregated for All Nodes Baseline (Above Average Aggressive Minimum) ||| 0TiB Network Intra-Region or Peering Egress | ||||
| Parameters: Â Common | Storage Capacity: 140 TiB | ||||
| Parameters: Â Specific | Storage Type: 100% Slowest Available Magnetic Disks
Not Advisable, For Baseline Only |
Storage Type: 100% Slowest Available SSDs
For Baseline Only |
Storage Type: 100% Slowest Available Provisioned IOPS SSDs
Closest Like-For-Like with dedicated SAN-like Fibre Channel Interconnects  to Storage Array Mesh |
Storage Type: 50% Slowest Available SSD Persistent, 50% Standard Persistent Disk, Non-Regional Volume Type
Baseline Only Closest Like-For-Like with dedicated SAN-like Fibre Channel Interconnects  to Storage Array Mesh |
Storage Type: 100% Slowest Available SSDs, Non-Regional Volume Type
Closest Like-For-Like with dedicated SAN-like Fibre Channel Interconnects  to Storage Array Mesh |
| Cost  Estimation (USD) / Month | 11046.14 | 21169.63 | 23931.94 | 18846.31 | 18846.31 |
| Cost  Estimation (GBP) / Month | 8395.07 | 16088.92 | 18188.27 | 14323.20 | 14323.20 |
| Breakdown | AWS | AWS | AWS | GCP | GCP |
| Network | 1009.44 | 1009.44 | 1009.44 | 1136.64 | 1136.64 |
| Compute | 1291.68 | 1291.68 | 1291.68 | 1151.65 | 1151.65 |
| Storage | 7742.00 | 17203.00 | 19784.80 | 16558.08 | 26808.32 |
| Basic Non  Enterprise Support | 1003.02 | 1665.31 | 1846.02 | 0.00 | 0.00 |
| Cost  Estimation (USD) | 11046.14 | 21169.43 | 23931.94 | 18846.37 | 29096.61 |
| Cost  Estimation (GBP) | 8395.07 | 16088.77 | 18188.27 | 14323.24 | 22113.42 |
As of 2018 07 25 : DMC
Noteworthy data point is not just storage capacity but storage throughput and characteristics (IOPS, SSD or Magnetic, 100% Magnetic, 100% SSD, Rightly Distributing what can be SSD and what can be Magnetic, etc).
Additional historical and industry benchmark, purely from IaaS compute perspective: Typically like for “like” for standard workloads, GCP is 10-15% less expensive than AWS; AWS is 10%-15% less expensive than Azure.
Variances happen when you start utilising key infrastructure and platform components where certain CSPs are better than others.
Above estimations did not consider
- volume discounts, reserved instances, or sustained use discounts which allow for significant estimation reductions;
- and dynamically provisioned and de-provisioned resources which also improve both development and operational characteristics of most cloud architectures compared to purely on-premise infrastructure.
E.g.
GCP has the best disk array mesh and global fibre network hands down to support their own globally-oriented data requirements; AWS will have more costs once cross-region activities are needed vs GCP; Azure is generally more expensive but has the best enterprise package integrations (e.g. Office 365 applications + Azure is more manageable and cheaper than Office 365 applications with Azure + GCP).
Other variations can occur when distinct offerings are used at varying degrees, like, Reserved Instances (1 or 3 years?) to cover for median workload requirements and dynamically allocated instances for known and unknown capacity surge. This is highly dependent on the software architecture and deployment maturity.
/ /
to start of metadata
Types of Identity
|
Aspect |
User  Accounts |
Service  Accounts |
Groups |
Domain |
|---|---|---|---|---|
| Identity | Human | Robot | Both | Cloud  Identity Accounts |
| Authentication | Google Password / SSO | Keys | Via User | Via User |
| Authorization | IAM Roles | IAMÂ Roles | IAM Roles | IAM Roles |
| Management | Admin Console | Cloud Console | Admin Console | Admin Console |
Identities. Roles. Resources.
Cloud Resource Manager Structure and Enterprise Structure.
Cloud Resource Manager – Organization
The Organization resource is the root node in the Google Cloud Platform resource hierarchy and the hierarchical super-node of projects.
It allows for the following controls to be set across an entire collection of projects:
- Defining IAM policies
- Determining the initial folder structure of the resource hierarchy
- Delegating responsibility over critical components such as networking, billing, resource hierarchy through IAM roles
An Organization has a single Cloud Identity directory containing users and groups associated with the organization.
Cloud Resource Manager – Folder
Folders are nodes in the Cloud Platform organization hierarchy. A folder can contain projects, folders up to four levels deep, or a combination of both.
Folders are used to:
- Control access to the resources in the folder through folder-level IAM policies
- Enforce constraints on allowed resource configurations through the Organization Policy Service
Cloud Resource Manager – Project
- A resource container
- An IAM enforcement point
- Projects are completely separate from one another
- Resources are part of a project
- Projects can be part of an organization
Project and Organization Structure Considerations
|
 Attribute
|
Few Projects |
Many Projects |
|---|---|---|
| Project Complexity | Low | High |
| IAM Complexity | High | Low |
| Cross-Project Network Traffic | None to Less Frequent | More Frequent to VPN / Shared VPC |
| Least Privilege | More Difficult | Less Difficult |
Project Design Considerations
- Separation of Duties
- Billing Breakdown
- CI / CD Pipelines and Workflows
- Administrative Complexity
- Quotas and Limits
- Blast Radius
|
Pros
|
Cons
|
|---|---|
|
Pros
|
Cons
|
| Different Billing Accounts per Project
Separate Quotas and Limits Based on Needs and Budgets Access Management Rules can be separated by Environment Type, e.g. Production vs Non-Productions Configuration Issue and Impact Isolation |
Potential increase in management coordination |
Project Organization Recommendations
One project per application or service for each workstream
Consistent naming scheme for all company projects.
I.e.
{company}-{location-or-region}-{department-or-group}-{application-or-system-or-product}-{environment-type}
|
1
|
{company}-{location-or-region}-{department-or-group}-{application-or-system-or-product}-{environment-type} |
|
Company |
Location or Region |
Department or Group |
Application or System or Product |
Environment Type |
|---|---|---|---|---|
|
Company |
Location or Region |
Department or Group |
Application or System or Product |
Environment Type |
| nwm | ldn
sin tyo hkg . . . eu apac na . . . others |
corp
shared sec fin fx cp cwg twg . . . others |
sharedcache
cmdb something . . . fxtrader centralpricing middleware . . . others |
development
dev testing test tst uat staging stage stg production prod prd dr . . . others |
E.g.
|
Project
|
Development |
Testing |
UAT
|
Staging |
Production |
DR |
|---|---|---|---|---|---|---|
|
Project
|
Development |
Testing |
UAT
|
Staging |
Production |
DR |
| App Group 1 | nwm-sin-fx-trading-dev | nwm-sin-fx-trading-testing | nwm-sin-fx-trading-uat | nwm-sin-fx-trading-staging | nwm-sin-fx-trading-production | nwm-sin-fx-trading-dr |
| App Group 2 | nwm-sin-cp-trading-dev | nwm-sin-cp-trading-testing | nwm-sin-cp-trading-uat | nwm-sin-cp-trading-staging | nwm-sin-cp-trading-production | nwm-sin-cp-trading-dr |
| App Group … | . . . | . . . |  . . . | . .  . | . . . | . . . |
| App Group N | . . . | . . . |  . . . | . . . | . . . | . . . |
/ /
Domains
Identity and Privileged Access Management
Detection and Diagnostics
Infrastructure Level Protection Controls
Data Level Protection Controls
Application Code Level Protection Controls
Incident Management
Key Guiding Principles
Authentication
Role-Based Access Controls
Separation of Duties
Least Privilege
Appropriate Authorisation
Audit and Traceability
Automation of Security Components and Practices
Data Governance and Stewardship
Multi-Layer and Multi-Modal Defence
Preparations and Simulations
Supporting Services – On-Premise
Supporting Services – Cloud – Azure
Supporting Services – Cloud – Google
Activities
/ /
/ /
/ /
Core Functions
Identify
Business Context
Resources
Related Cybersecurity Risks
Categories
Asset Management
Business Environment
Governance
Risk Assessment
Risk Management Strategy
Protect
Categories
Access Control
Awareness and Training
Data Security
Info Protection Processes and Procedures
Maintenance
Protective Technology
Detect
Categories
Anomalies and Events
Security Continuous Monitoring
Detection Processes
Respond
Categories
Response Planning
Communications
Analysis
Mitigation
Improvements
Recover
Categories
Recovery Planning
Improvements
Communications
Implementation Tiers
1:Â Partial
Risk Management Process
Not formalised
Ad hoc
Prioritisation of cybersecurity activities
not directly informed by organisational
risk objectives, threat environment, or
business/mission requirements
Integrated Risk Management Program
Limited awareness at organisational level
Irregular, case-by-case basis
Varied experience or information gained
from outside source
May not have cybersecurity processes that
enable cybersecurity information to be
shared within the organisation
External Participation
Does not understand its role in the
larger ecosystem, dependencies/dependents
Does not collaborate with or receive
information from other entities
Does not share information
Generally unaware of cyber supply chain risks
of products and services provided and used
2:Â Risk Informed
Risk Management Process
Approved by management
Not established as organisation-wide policy
Prioritisation directly informed by
organisationl risk objectives,
theat environment, or
business/mission requirements
Integrated Risk Management Program
Organisational awareness of cybersecurity risks
Approach to managing cybersecurity risks
not yet established
Cybersecurity information is shared
in organisation on an informal basis
Cyber risk assessment of organisational and
external assest occur but typically
not repeatable or reocurring
External Participation
Understands its role in the larger
ecosystem either with dependencies
or dependents but not both
Collaborates and receives some information
from other entities
Generates some of its own information
but may not share with others
Aware of the cyber supply chain risks associated
with products and services provided and used
but does not act consistently or formally
3:Â Repeatable
Risk Management Process
Formally approved and expressed as policy
Cybersecurity practices are regularly
updated based on application of
risk management processes to
changes in business/mission requirements
and changing threat and technology landscape
Integrated Risk Management Program
Organisation-wide approach to manage
cybersecurity risk
Risk-informed policies, processes, and procedures
are defined, implemented as intended, and reviewed
Consistent methods in place to respond
effectively to changes in risk
Personnel possess the knowledge and skills
to perform their appointed roles/responsibilities
Consistently and accurately monitors
cybersecurity risk of organisational assets
Senior cybersecurity and non-cybersecurity
executives regularly communicate regarding
cybersecurity risk
Senior executives ensure consideration of
cybersecurity through all lines of operations
External Participation
Understands its role, dependencies, and dependents
in the larger ecosystem
May contribute to the community’s
broader understanding of risks
Collaborates with and receives information from
other entities regularly that complements
internally generated information, and shares
information with other entities
Aware of cyber supply chain risk associated with
products and services provided or used;
formally acts upon risks, including mechanisms
such as written agreements to communicate
baseline requirements, governance structures,
and policy implementation and monitoring
4:Â Adaptive
Risk Management Process
Adapts its cybersecurity practices based on previous
and current cybersecurity activities, including
lessons learned and predictive indicators
Through a process of continuous improvement,
incorporates advanced cybersecurity
technologies and practices;
actively adapts to a changing threat
and technology landscape
Timely and effectively responds to
evolving, sophisticated threats
Integrated Risk Management Program
Organization-wide approach to managing cybersecurity
risks, using risk-informed policies, processes,
and procedures to address potential
cybersecurity events
Relationship between cybersecurity risk and
organisational objectives is clearly understood
and considered in decision making
Senior executives monitor cybersecurity risk in the
same context as financial and other risk
Budget is based on an understanding of current and
predicted risk environment and tolerance
Business units implement executive vision and
analyse system-level risks in the context of
organizational risk tolerances
Cybersecurity risk management is part of the
organisational culture, evolves from previous
and ongoing activities on systems and networks
Can quickly and efficiently account for changes
to business/mission objectives in how risk is
approached and communicated
External Participation
Understands its role, dependencies, and dependents
in the larger ecosystem
Contributes to the community’s broader
understanding of risks
Receives, generates, and reviews prioritised information
that informs continuous analysis of its risks as
threats and technology landscape evolves
Shares information internally and externally
Uses real-time or near real-time information to
understand and consistenly act upon cyber
supply chain risks associated with products and
services provided and used
Communicates proactively using formal and informal
mechanisms to develop and maintain strong
supply chain relationships
/ /
20180808
Move List
Key Drivers and Strategic Plans
Known Parameters
Critical Constraints
Blockers
Unknowns
Contingency Plans
Paths Forward
Organisational Restructuring
Property Repurposing
? ? ?
Current Infrastructure & Application Landscape
Current Personnel, Roles, Leadership, and Hierarchies
Global Considerations
Regional Considerations
Local Considerations
Vendors
? ? ?
Global Services
Location
Middleware
Miscellaneous
MS SQL Server
Multicast
SAN Replication
Others
External Dependencies
Internal Dependencies
Timeline
Budget
Technical Incompatibilities
Actual TCO
Downsides and Consequences
Opportunities for Improvements
Opportunities for Optimisation
Opportunities for Transformation
Commitments
Future Preparedness
Contingency Plans
Organisational Restructuring
Extend or Move Forwards Timetables
 Increase Organisational Preparedness
Property Repurposing
Colocation Facilities
Constraints
Further Due Diligence
 Further Enablement
Ideas – Perspectives
Existing Non-Critical Execution and Data Paths
What We Don’t See In The List
Non-Existent, Future Systems
Non-Existent, Future Architectures and Design
/ /
Account Structure
|
Provider
|
Decision Required
|
References
|
Decision
|
|---|---|---|---|
| All | Who will own the credentials for the master CSP accounts ? | ||
| All | What security controls should we implement for the master accounts (e.g secrets store, password rotation, hardware MFA etc) ? | Yubikey | |
| GCP | What domain name will we use for the GCP Cloud Identity Organization resource ? | GCP Organization Resource Overview | |
| GCP | Will we use a folder hierarchy and, if so, what should be the structure ? | GCP Resource Hierarchy | |
| GCP | What naming and identification conventions will we use for Folders ? | Cloud Identity Structure – Google | |
| GCP | What naming and identification conventions will we use for Projects ? | Cloud Identity Structure – Google | |
| GCP | How will user accounts, service accounts (robots) & groups be created (e.g. GCDS, Directory API, 3rd Party) ? | GCP GCDS | |
| GCP | How will Folders & Projects be created (e.g Terraform) ? | Terraform GCP Provider |
Billing
|
Provider
|
Decision Required
|
References
|
Decision
|
|---|---|---|---|
| All | How will resource utilisation be tracked ? | ||
| GCP | What billing accounts are required ? | GCP Billing Concepts | Defer to Nigel Snow for Billing WG input ? |
| GCP | How will budgets / alerts be used ? | ||
| All | Will billing need to be integrated with existing systems ? | ||
| All | What reporting is required ? | Defer to Nigel Snow for Billing WG input ? | |
| GCP | What labels (tags) are required and where (resources) from a billing perspective ? |
IAM
|
Provider
|
Decision Required
|
References
|
Decision
|
|---|---|---|---|
| GCP | How will Cloud Identity be implemented ? | GCP Cloud Identity | |
| All | What naming conventions will we use for user accounts, service accounts (robots) & groups ? | ||
| GCP | What authentication method will be used for users (e.g Google Auth, SSO, MFA) ? | ||
| Azure | What will the default IAM policy be and where will it be applied ? | ||
| GCP | What will the default IAM policy be and where will it be applied ? |
Networking
|
Provider
|
Decision Required
|
References
|
Decision
|
|---|---|---|---|
| GCP | Are we going to use the Shared VPC approach (XPN) ? | GCP Shared VPC Overview | Defer to  Lee Smart for Networks WG  input ? |
| All | Are we going to have network isolation between environments ? | ||
| GCP | Are we going to have network isolation between Projects ? | ||
| GCP | What strategy will be used to connect to the Corp network ? | Defer to Lee Smart for Networks WG input ? | |
| GCP | Will Cloud resources connect to the internet and, if so, how ? | ||
| GCP | How do we achieve resilience for connectivity ? | Defer to  Lee Smart for Networks WG  input ? | |
| All | How will we implement name resolution (DNS) ? | Defer to  Lee Smart for Networks WG  input ? | |
| GCP | Do we enable VPC Flow Logs ? | GCP Flow Logs |
Security
|
Provider
|
Decision Required
|
References
|
Decision
|
|---|---|---|---|
|  All | How will we manage and encrypt secrets (e.g service account keys etc) ? | ||
| All | How will least-privileged access be implemented ? | ||
| All | How will access be audited ? |
Logging
|
Provider
|
Decision Required
|
References
|
Decision
|
|---|---|---|---|
| GCP | Which tools will be used for logging and monitoring ? | Â GCP audit logging guide | |
| All | Are there security / compliance rules affecting logging (e.g encryption, access etc) ? | ||
| GCP | Will logging integration/export to an external platform be stored and/or analysed? | ||
| All | What retention policy is need for logs ? |
Services
|
Provider
|
Decision Required
|
References
|
Decision
|
|---|---|---|---|
| All | Will we take a “whitelisting” approach to CSP services ? | ||
| All | What initial services will be available for use ? | ||
| All | How will whitelisted services be enabled ? |
Compliance
|
Provider
|
Decision Required
|
References
|
Decision
|
|---|---|---|---|
| Â All | What tools will we use for pro-active and retrospective compliance (e.g Hashicorp Sentinel, Chef Inspec) ? | Hashicorp Sentinel | |
| All | How will we run these CaC tools ? |
IaaS
|
Provider
|
Decision Required
|
References
|
Decision
|
Notes
|
|---|---|---|---|---|
| GCP | Will we use the GCP Org Policy compute.trustedImageProjects Constraint to restrict which disk images can be used and, if so, which Project shall we use ? | GCP Restricting Image Access | Grant Webb to demo with Terraform
Need input from Gerrard Rose& Mark Clementson what we will have available here |
|
| GCP | Will we use the GCP Org Policy compute.vmExternalIpAccess Constraint to restrict the use of External IP addresses on GCE Instances ? | GCP Disable External IP Access | Grant Webb to demo with Terraform | |
| GCP | What encryption approach should we use for GCE Disks ? | GCP Encryption at Rest |
Operational Process
|
Provider
|
Decision Required
|
References
|
Decision
|
|---|---|---|---|
|
Provider
|
Decision Required
|
References
|
Decision
|
| GCP | Who is responsible for creating Folders & Projects ? | ||
| GCP | What is our process for requesting new Projects (onboarding) ? | ||
| All | Who is responsible for administering user accounts, service accounts (robots) & groups ? | ||
| All | Whats is our process for requesting new user accounts, service accounts (robots) & groups ? | ||
| All | Who administers the compliance tools and policies ? | ||
| All | How will we deal with compliance policy violations (e.g notification, auto-remediate etc) ? | ||
| All | Who is responsible for whitelisting services ? | ||
| All | How do new services get requested for whitelisting ? | ||
| All | Who administers billing accounts ? | GCP Billing Access |
|
/ /
Most CSP will have their own take of organisational accounts structure, given. No extremes but there are nuances.
AWS and Azure enforces heavy first with hierarchy for accounts/billing then augments lightly with IAM roles, service policies, and token-based auth/auth.
GCP espouses opposite ethos: enforces lightly on account hierarchy, some differences in billing structural associations, and augments heavily with roles, resource grouping, and swarms of projects.
This is in a way a reflection of organisational cultures underpinning providers themselve where none is really better than another, in the purest sense. Strategies are best aligned first with end user organisation contextual structures. Are we more of GCP’s ‘natural’ structure or Azure’s?
Guess, we choose one with most alignment with linchpin components (Servers? Services? Office 365? On-premise AD structures?).
How will we be using GCP services vs Azure services, by the way, apart from IaaS, PaaS, and SaaS qualifications? Will there be overlaps?
Does everyone in AD (on-premise or otherwise) really require accounts in GCP? Or will full sync happen only between AD (multi-purpose) and AAD (primarily for Office365, then others)? Possible to have subsets of roles / accounts only in GCP Cloud Identity?
There will always be a level impedance, regardless if bias exist between 2 providers or if this is refereed by a 3rd service as arbiter (e.g. Ping; Okta; Etc.).
/ /
Technically, there are tactical structures, thinking, and activity with AWS and Azure that are intrinsically driven by underlying service component.
E.g.
VPC and Subnet and etc structures are driven by shaped by how AWS and Azure typically have regional networks with zonal subnetting features. A lot of environment structure strategies, shared vpc peerings, and VPN (IPSec / SSL) / Direct Lines, are following paths of least resistance based on network features. This is both driven by their organisational business fault lines and their use of 3rd party internet-scale data centre land lords.
Some of these considerations may not be relevant in GCP where networks are global and subnets/other networking components are logically and easily regional or zonal, owing to its natural SDN-defined global networks and data centres are primarily owned by Google itself.
/ /
Not an opinion, mostly what we have seen or have done in last couple of years for GCP/GAE/Hybrid. Surely, many many other ways.
Have only seen so far, startups, enterprises, governments, and even with Googlers at least either:
Project per application/system per environment type (all permutations)
Project per application/system with primary grouping for Non-Production (x-build, x-test), Production (Staging, Production, Disaster Recovery), Tooling (e.g. Deployment tools […], Management tools, Monitoring tools, etc)
One big thing (in some contexts, everything is “production-like” in regulatory/technical treatment and environment segregation are very loose/dynamic)
Main aspect considered are three things:
Billing structure concepts in GCP and easy changes that can be made in association with “projects” (for good and bad)
Greenfield or Migration parameters
Internal and External interactions of people/service accounts
Practically, by people or by software, which is more complex:
thingamagigs-3141592
whatchamacallit-2718281
fx-this-dev-etc-then-some-id
fx-this-test-etc-then-some-id
cp-this-dev-etc-then-some-id
cp-this-test-etc-then-some-id
fx-this-dev-etc-then-some-id/:api-here
fx-this-dev-etc-then-some-id/:api-there
fx-this-test-etc-then-some-id/:api-here
fx-this-test-etc-then-some-id/:api-there
cp-this-dev-etc-then-some-id/:tcp-that
cp-this-dev-etc-then-some-id/:tcp-that
cp-this-dev-etc-then-some-id/:upd-that
cp-this-test-etc-then-some-id/:upd-that
Regardless of patterns/conventions, Delimiters always make it easier to parse (by humans or software, with no need for complex mapping that requires complex tooling, etc)
The “project” in GCP is like Accounts in AWS and Azure. It is not “project” in the typical/logical notion we use the word for. Practically, a final complete structure may not be feasible at this very point, though.
Transition phases are always the trickiest bit, organisationally and technically. But decision has to be made appreciating that some tactical aspects of this will change, as long as we don’t break key fundamentals and that we are sensitive to the nuances and differences of various services.
1>
How is everyone over there currently running provisioning and orchestration scripts? Via cloud shell only? Jump/bastion server? Permitted workstations / roles?
2>
Moving forward, how will this work? Do we provision jump/bastion hosts from which we rotate RSA keys on for allowed staff/robot/automation OS accounts? Or purely depend on cloud shell / triggered scripts (how if Terraform? Internal tool available to front it or controlled SSH)?
3>
For MFA / 2FA / FIDO U2F, what will be the user/service-bot tiering, assignments, rotation? Supplemented by Yubikeys / G Auth mobile?
CyberArk, as mentioned above, proven in our context to work already in the MFA / 2FA workflow with GCP?
4>
How will control of the lifecycle be managed/relayed (process[create, update, delete] x roles [robot, cloud admin, cloud support, etc])?
E.g.
A tool or script or person provisions instances/services (GCP/Azure console, or script, or tool that calls SDK/API/Script) then what/who (or same instances/services),
relays information/access to next step in process (updates/patches on top of current OS build?),
relays stable instance ready state for application / system deployment (with tool [teamcity, jenkins, scripts, msdeploy, etc] or console or custom script?)
relays to optional time of day operational lifecycle, considered at the moment or assume active instance 24/7)
Decommissioning steps and parameters
. . .
. . .
. . .
Any suggestions for further assessment and preparations, very much appreciated.
/ /
Cloud Relevant Domain Considerations
| # | Domain | Remarks |
|---|---|---|
| 1 | Identity and Privileged Access Management | . . . |
| 2 | Detection and Diagnostics | . . . |
| 3 | Infrastructure Level Protection Controls | . . . |
| 4 | Data Level Protection Controls | . . . |
| 5 | Application Code Level Protection Controls | . . . |
| 6 | Incident Management | . . . |
Cloud – Key Guiding Disciplines
| # | Discipline | Remarks |
|---|---|---|
| 1 | Authentication | . . . |
| 2 | Role-Based Access Controls | . . . |
| 3 | Separation of Duties | . . . |
| 4 | Least Privilege | . . . |
| 5 | Appropriate Authorisation | . . . |
| 6 | Audit and Traceability | . . . |
| 7 | Automation of Security Components and Practices | . . . |
| 8 | Data Governance and Stewardship | . . . |
| 9 | Multi-Layer and Multi-Modal Defence | . . . |
| 10 | Preparations and Simulations | . . . |
Cloud – Supporting Services – On-Premise
| # | Category | Supporting Service | Remarks |
|---|---|---|---|
| 1 | . . . | ||
| 2 | . . . | ||
| 3 | . . . | ||
| 4 | . . . | ||
| 5 | . . . |
Cloud – Supporting Services – Azure
| # | Category | Supporting Service | Remarks |
|---|---|---|---|
| 1 | . . . | ||
| 2 | . . . | ||
| 3 | . . . | ||
| 4 | . . . | ||
| 5 | . . . |
Cloud – Supporting Services – Google
| # | Category | Supporting Service | Remarks |
|---|---|---|---|
| 1 | Hardware Infrastructure | Security of Physical Premises
Hardware Design and Provenance Secure Boot Stack and Machine Identity |
. . . |
| 2 | Service Deployment | Service Identity, Integrity, Isolation
Inter-Service Access Management Encryption of Inter-Service Communication Access Management of End User Data |
. . . |
| 3 | User Identity | Authentication
Login Abuse Protection |
. . . |
| 4 | Storage Services | Encryption at Rest
Deletion of Data |
. . . |
| 5 | Internet Communication | Google Front End
DoS Protection |
. . . |
| 6 | Operational Security | Intrustion Detection
Reducing Insider Risk Safe Employee Devices & Credentials Safe Software Development |
. . . |
Cloud – Key Activities – Azure
| # | Category | Key Activities | Remarks |
|---|---|---|---|
| 1 | . . . | ||
| 2 | . . . | ||
| 3 | . . . | ||
| 4 | . . . | ||
| 5 | . . . |
Cloud – Key Activities – Google
| # | Category | Key Activities | Remarks |
|---|---|---|---|
| 1 | . . . | ||
| 2 | . . . | ||
| 3 | . . . | ||
| 4 | . . . | ||
| 5 | . . . |
/ /
Sample
Leverage various channels GCP allows for cognitive hooks; they, like most cloud providers, understand that there are no one-size-fits-all and redundancy is needed for convenience.
name: Human-readable, Functionally easy to discuss
projectID: More structurally consistent in terms of taxonomy and hierarchy
projectNumber: Service-Oriented, Inventory and Lifecycle Management Oriented
Other labels/tags: Redundancy, Extensible Tooling and Aspects Management, Non-Destructive and Non-Disruptive Change Hooks
{
"name": "myproject",
"projectId": "my-project-123",
"labels":
{
"my-label": "prod"
},
"projectNumber": "464036093014",
"lifecycleState": "ACTIVE",
"createTime": "2016-01-07T21:59:43.314Z"
}
|
Something to think about and decide on at some point.
/ /
http://www.techguru.cloud/post/terraform-gcp/
http://www.techguru.cloud/post/terraform-gcp/
http://www.techguru.cloud/post/terraform-gcp/
http://www.techguru.cloud/post/terraform-gcp/
http://www.techguru.cloud/post/terraform-gcp/
http://www.techguru.cloud/post/terraform-gcp/
http://www.techguru.cloud/post/terraform-gcp/
http://www.techguru.cloud/post/terraform-gcp/
http://www.techguru.cloud/post/terraform-gcp/
http://www.techguru.cloud/post/terraform-gcp/
http://www.techguru.cloud/post/terraform-gcp/
/ /
Summary Principles
- Exit first, Optimisation second
- Buy Infrastructure Services over Building and Managing it ourselves
- Automate Everything
- Cloud Portability
- Minimise Legacy, upgrade and standardise
- Optimise for Infrastructure Cost
- Optimise for Operational Cost
- Least Access Privileges
Detailed Principles
|
No
|
Name
|
Statement
|
Rationale
|
Implications
|
Considerations
|
|---|---|---|---|---|---|
| 1 | Exit first, Optimise second | We will prioritise solutions that enable NWM to meet DC exit dates over optimal solutions if optimal solutions put DC exit dates at risk | The absolute priority is to exit London DC’s by the end of 2020 which requires all applications to be in the cloud. It is generally agreed it is much easier to optimise applications once they are in the cloud. |
|
Strategies such as containerisation may enable us to have more flexibility.
IaaS and BMaaS should be considered if application migration otherwise is not possible in the timeframe. |
| 2 | Buy Services over Building and Managing them ourselves | We will procure services rather than running products in-house unless competitive business advantage or material costs saving can be gained from NMW | This is a high-level principle and very general rule.
We don’t want to lease data centres, look after servers, maintain OS builds, do patching, run thousands of databases, look after storage arrays etc. These are not differentiating services for our employees to manage. These should be commodity services that we can purchase and have provided for us, at a better service level than we currently have. The motivation is longer term operational cost reduction. Consuming services from providers will allow NWM to focus expertise on areas that will provide NWM with a competitive advantage. See Principles: 2.2.1 Buy non-differentiating services or packages |
Where vendor SaaS offerings exist, are mature, and both the vendor and the offering meet all NWM InfoSec and Risk & Control requirements, then:
Otherwise:
Where commercials demonstrate that BMaaS is NOT cost effective:
|
Vendor products are preferable to us creating a proprietary solution. Open source is preferable to us creating low-level services or components.
In respect of SaaS, we need to be cognisant of InfoSec and Risk & Controls constraints on the bank. Investigations to date around use of SaaS for source code control (gitlab) and development tools (Atlassian JIRA and Confluence) have concluded that SaaS offerings are not fit-for-purpose (not secure enough, not enough ownership over data). The C&M project also ruled out SaaS collateral/settlement systems as none were mature enough. So although SaaS appears commercially compelling the reality for a regulated investment bank for many (not all) SaaS offerings appears to be that few would be allowable. O365 and other Microsoft tools are the only real exception identiifed to date where they could be made to work. In respect of BMaaS and IaaS, for some loads (for example grid computing and any other large scale homogenous infrasructure requirements) both IaaS and BMaaS can look commercially appealing. So in these use cases (eg EG) we need to examine the XaaS commercials thoroughly. |
| 3 | Automate Everything | We will strive to automate as much as possible in the new NWM environment. | High levels of automation improve NWM’s organisational agility, system reliability and cost efficiency.
See Principles: 2.1.2 Build in manageability These apply to shared IaC (Infrastructure as Code): 2.3.1 Uniform coding style guidelines across company |
|
Likely depenedncy on applications onboarding to the new CI/CDpipeline/toolset. |
| 4 | Cloud Portability | We will prioritise choices that allow NWM to avoid cloud vendor lock-in where appropriate. | If a chosen cloud provider no longer provides services that are priced competitively, or changes terms so that they are no longer agreeable, NWM needs to be able to transition between cloud providers with minimal impact. In addition, FCA guidelines stipulate organisations should have an exit plan for transitioning to another cloud provider. Solutions based on open technologies minimise the impact of transitioning between cloud providers.
See Principles: 2.1.11 Loose coupling 2.2.5 Prefer to remain vendor agnostic |
|
Consider abstractions where it makes sense. Sometimes there are open source APIs that abstract over vendor products eg Apache Beam. Sometimes we may choose to wrap a stack and package/deploy/manage it ourselves eg an ELK deployment. Sometimes we may augment a technology with our own setup, configuration, procedures etc eg kubernetes.
The cost of transitioning to another technology should be considered when evaluating the use of a proprietary technology. |
| 5 | Minimise Legacy, upgrade and standardise | New systems will not be populated with unnecessary configuration or data from the legacy on-prem platform | NWM has a unique opportunity to build a new environment from the ground up. We want to leave behind as much of our legacy environment as possible.
Where the temporary use or transfer of legacy information and configuration is unavoidable, our strategy will include steps to clean up the new environment when the transition from old-to-new is complete |
|
Consider sensible enterprise wide standardisation and homogeneity.
Eg
Application Development & Infrastructure Design Group action to define. |
| 6 | Optimise for Infrastructure Cost | We will design solutions that enable NWM to meet infrastructure cost optimisation objectives. | The lower the cost of the NWM environment, the more sustainable NWM will be as a business in the future.
See Principles: 1.4.3 Balance cost, performance, and resilience |
|
|
| 7 | Optimise for Operational Cost | We will design solutions that enable NWM to meet infrastructure-related people cost optimisation objectives. | The solutions and designs for NWM Cloud (the Cloud Target Operating Model) must reduce the people overhead of maintaining the technology infrastructure estate. The resultant design must require the minimum number of people. Longer term cost saves will then be required by needing fewer people, less manual processes, less manual tasks, less need for manual intervention.
See Principles: 1.2.1 Optimise Business Processes 1.2.2 Eliminate Inefficiencies 1.3.4 Align to Operating Model 1.5.3 Self-service Potential |
Related to Automate Everything | |
| 8 | Least Access Privileges | Services deployed should have privileges applied to ensure the minimum amount of connectivity and access is enabled. | Reducing the attack surface by eliminating unnecessary privileges that can result in network exploits and the compromise of systems. |
|
References
- https://confluence.dts.fm.rbsgrp.net/display/NWMC/Guiding+Principles
- https://confluence.dts.fm.rbsgrp.net/display/NWMC/Migration+Principles
- https://confluence.dts.fm.rbsgrp.net/display/TWG/Principles
- PCA – Design – Principles
/ /
List of trainings available on RBS Skillport
An Introduction to Basic Cloud Concepts
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/cc_uccf_a01_it_enus
Cloud System Architecture – Concepts and Design
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/cl_csip_a01_it_enus
Cloud Computing Fundamentals: Overview
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/cl_cctf_a01_it_enus
Cloud Computing Fundamentals: Storing and Managing Cloud Data
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/cl_cctf_a03_it_enus
Cloud Computing Fundamentals: Cloud Security
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/cl_cctf_a06_it_enus
Cloud Computing Fundamentals: Migrating to the Cloud
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/cl_cctf_a04_it_enus
Cloud Computing Fundamentals: Virtualization and Data Centers
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/cl_cctf_a02_it_enus
Cloud Computing Fundamentals: Identity, Presence, and Privacy
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/cl_cctf_a05_it_enus
Cloud Computing for the Business User: Concepts and Moving to the Cloud
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/cl_ccbu_a01_it_enus
Google Cloud Basics
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/it_clgcar_01_enus
Google Cloud Platform Fundamentals
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/cl_gcde_a01_it_enus
Container, Compute, and App Engine with Networking Services
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/cl_gcpf_a02_it_enus
Google Cloud Design
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/it_clgcar_02_enus
Google Cloud Network Components
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/it_clgcar_03_enus
Google Cloud Data Storage
https://rbs.skillport.com/skillportfe/main.action?path=summary/COURSES/it_clgcar_05_enus
/ /