Chris Spence, CTO, National Democratic Institute for International Affairs (NDI)
As an international non-profit working in the political arena, our organization is challenged to curb technology costs while facing increased internal demands for innovation, rising external competition and relentless security concerns. In response, we have pursued an aggressive cloud strategy including an "all in" approach to SaaS and Amazon Web Services (AWS). The approach outlined below brought lower operational costs, improved internal procedures, better adherence to standards and policies, improved security, and more time to focus on the organization’s core mission.
It's important to examine a number of factors when considering a cloud strategy including technical resources and strengths/weaknesses, the projected costs of software and services, institutional culture, information security requirements and risk tolerance. As a result of our review, we devised a straightforward cloud strategy—we use SaaS when we can, and applications that can’t be migrated to a SaaS solution are virtualized in the cloud. We minimize on-premises infrastructure― used primarily for legacy applications that can't be virtualized yet, logging, some off-site data storage and a few network services.
The National Democratic Institute (NDI) conducts democracy strengthening programs in more than 60 countries around the world. For our field programs, the cloud provided new opportunities to better secure employee data and communications, clone and scale commonly used web applications, and expand services into low infrastructure environments without having to build technical infrastructure and capacity within political institutions in developing countries.
Managing an AWS Migration
We chose AWS as our cloud provider because it promised to be the easiest to deploy and manage at the lowest cost while offering improved security features. Our migration has been fairly smooth and following are some lessons.
The most important observation is that the cloud migration process becomes an opportunity to rethink and strengthen hosting and maintenance practices. It is advisable to start simple, such as moving small program applications and public facing websites. Unlike legacy hosting infrastructures, AWS facilitates allocating a separate server for each website, which can simplify management, in our case internal billing processes and consultant access to specific servers. Even simple applications generated immediate wins including the ability to spin up instances quickly with standard, pre-configured application stacks (including hardened security configurations); the ability to optimize the resources dedicated to each site and thus better manage costs; and deploy security features such as Cloudfront and autoscaling for short spike periods during political events such as elections when DDOS attacks are most likely to occur―services that are turned off during less sensitive periods, saving on costs.
When confident with the AWS infrastructure, more complex services can be migrated. In our case, we moved complex J2EE applications with two-tier architectures and load balancer needs and introduced AWS tools such as RDS, Elasticache, Elastic Beanstalk and Cloudwatch. Our final cloud migration phase included creating a virtual private cloud (VPC) to act as our data center. This enabled us to move business apps to the cloud and connect them to on-premise authentication systems and other services in a single network.
Due to the political nature of our work, we face a wide range of cyber security challenges including APT against our staff and infrastructure, and attacks against project websites. AWS has greatly simplified and strengthened our security posture. AWS has a “security first” posture ―which means even fresh instances are built with a solid security configuration out of the box. However, a better practice involves using AWS Security Groups to build “secure by design” models that meet your specific security needs and easily roll out standard, hardened instances for desired applications.
AWS facilitates layered security using a number of tools including: AWS routing tables, subnets, Cloudwatch and security groups that complement host-based defenses such as iptables, hostbased intrusion prevention systems, configuration managers, advanced policy firewalls, mod security, etc. In addition, leveraging the VPC architecture the AWS servers plug in to onpremise security monitoring and logging tools such as a SIEM. Finally, multi-factor authentication can still be used for server access via SSH and remote desktop on Windows, as well as web access to the AWS console.
Other Lessons Worth Sharing
● Migrate services in response to events such as upgrade cycles or hardware warranty expiration, rather than sequentially;
● Select appropriate sizing: due to the old IT model everyone tends to over-size; think small and scale up instances as needed to save money;
● Think differently about DevOps, turn off unused services (such as dev or staging servers if you still need them at all, which we don’t), use snapshots for quick restore when developing, troubleshooting and during QA cycles.
● Map out a security plan in advance, particularly if setting up a hybrid environment. Clarify the role of AWS Security Groups, firewalls, etc. or you’ll be left untangling things later.
NDI’s cloud strategy has produced real wins for democracy. It has allowed us to focus limited staff resources on mission-supporting activities, helped reduce IT costs and the complexity of our environment while improving security; and enhanced the impact of programs that leverage these new technologies. My hope is that some of these experiences can help other organizations realize similar benefits.