From Custom Stove Pipes to a Common AWS Platform

While each of the applications (Permits and EM) serve different needs, they are made available to the same government and civilian end-users. Both systems needed to be accounted for separately and do not share data. The challenge was to create a common platform to easily deploy and manage both applications. NMFS was working with a limited budget and required a platform where both applications could be deployed efficiently while reducing total cost of ownership (TCO). Additionally, government deployments require Center for Internet Security (CIS) and NIST controls, which are extensive and far reaching and can drive up operation and management (O&M) costs. Therefore, minimizing the amount of duplicative work on the benchmarks could have a significant reduction to the overall cost of the projects.

The technical requirements for both applications were the same: web-based application, Oracle database, secured remote access for: system administrators, vulnerability monitoring and varying access levels (certified information systems security officer (CISSO), system administrators, system operators and database administrators). Therefore, one solution was used as a platform for both applications.

The Permits application started as a development level, proof-of-concept to demonstrate the viability of using AWS as a common platform. Once the system was thoroughly vetted by all stakeholders, it needed to be re-architected using best-practice security standards. A new architecture was designed and implemented in parallel to the existing development infrastructure. The application service level agreement (SLA) only allowed for system downtime during non-core hours. The entire system was migrated to the new architecture and brought back up within an hour. With the successful migration complete, the new architecture became the approved template for future applications used by NMFS.

The architecture for Permits served as a common template ultimately used to deploy the EM application, as shown in Figure 1: Common Platform. However, the systems required separate AWS GovCloud accounts for cost accounting. Meeting this requirement did not represent additional costs because of the utilities available in AWS. Due to the similar nature of applications, the AWS Elastic Cloud Computer (EC2) instances were converted into private Amazon Machine Images (AMIs) and then shared to the new, EM AWS GovCloud account. Having preconfigured the AWS Virtual Private Cloud (VPC) infrastructure, new instances were created from the shared AMIs and deployed into the proper VPC Subnets. After some minor reconfiguration and installation of application specific resources, the entire development system was operational, ready for testing and eventual production.

Both applications are powered by GovCloud Relational Database Service (RDS) instances for both the development and production environments. With GovCloud’s capable VPC Access Control Lists (ACLs) and Security Groups, the system was efficiently designed to only allow required traffic between the various instances and subnets, or block traffic where necessary. Examples of this would be the communications between the production and development subnets as well as the transactions between the RDS instances and all other non-application specific resources. Secured remote access is also controlled with Security Groups and only allows for required systems administrator controls.

V2 Systems architected a flexible solution using AWS GovCloud VPC, EC2 and RDS that allowed the system developers to customize an environment for stove pipe applications on a common platform. Further, security was not sacrificed, since the EC2 instances can be turned into AMIs for cloning, ensuring that the CIS and NIST security standards are met on all systems.

AWS tools such as CloudFormation and AMI provided efficiencies that reduced deployment costs by 75% and increased deployment frequency 500%. V2 Systems’ cloud-based solution in AWS reduced other direct costs (ODCs) by 55% over a three-year period. V2 Systems’ innovative approach of building a common platform for custom applications simplified support requirements, resulting in a reduction of labor costs by 45%.