A purpose-built cloud framework sets the cornerstone for a future-proof cloud environment. Origo’s cloud team has developed a cloud framework that includes several key elements and is built on best-practice recommendations and well-architected principles from both Azure and AWS, providing the necessary foundation for any successful cloud journey. The framework provides the flexibility, adaptability and agility that allow for and support any cloud transformation.
In security terms, defense-in-depth is a fundamental concept for securing infrastructure resources and applications at multiple levels. Origo’s cloud framework supports this concept by incorporating defense-in-depth principles at its core. At the lowest level, stateful security groups protect individual infrastructure components or groups of them, controlling inbound and outbound network traffic to and from those components, while stateless network access control lists are leveraged to further control network traffic at the subnet level.
Further up in the security hierarchy, a public cloud environment includes basic DDoS protection that can be further enhanced by an advanced DDoS mitigation service providing 24/7 access to a response team if required. More protection for web applications can be added with web application firewalls (WAF) that filter common web exploits at Layer 7. A central cloud firewall manager can also be leveraged for managing rules across an entire cloud environment.
The Origo framework includes clear workload segmentation, separating different workloads at the virtual private cloud (VPC) and individual account levels. As an example, this can include segregating workloads or infrastructure belonging to different segments, such as shared services, corporate services, production, development and staging environments. For communication between segments the framework includes network peering capabilities, enabling encrypted traffic to flow seamlessly between different VPCs. Thus, traffic flow is kept within the cloud environment’s boundaries, increasing its security posture.
Supporting the principle of separation of duties, the framework includes a comprehensive layout of recommended user access policies with restricted access to the different segments. It also inherently supports Active Directory policy standards and the SSO/SAML communication standards used between supported identity and authorization platforms.
Tagging policies are also encouraged and enforced to keep a better overview of all resources in the cloud environment and for billing purposes. According to preference, multiple additional policies can be set, e.g. for limiting access to certain cloud regions, allowing the creation of only certain resource types and sizes, and so on.
One of the strengths of the framework is that it leverages a hierarchical structure, using logical entities like Management Groups, Organizational Units and Resource Groups, to build and support segmentation and control of different resources in the cloud. The framework hierarchy allows for top-down segmentation and division into accounts containing the resources that specifically belong to them.
Modern cloud development and platform engineering is increasingly driven by writing infrastructure as code (IaC). The Origo cloud framework is entirely written as code, enabling maximum agility, flexibility and scalability. Minor changes can be made at the code level and deployed instantly without impact on any other part of the cloud infrastructure. It also provides a future-proof environment, as any new application or resource can be incorporated into the framework without needing to start from the beginning.
Furthermore, as public cloud platforms mature, increasing emphasis is put on running resources at a higher level of abstraction, alleviating infrastructure management, including operating system and patch management. This includes increasingly leveraging platform as a service (PaaS) and serverless services and writing cloud resources on a functional basis. The same goes for microservices and containers, including Kubernetes orchestration, for decoupled architectures that use cloud-based messaging services and API gateways to support a decoupled service infrastructure.
The Origo cloud team utilizes modern cloud development practices, writing most of the infrastructure code using cloud-agnostic development tools and platforms like Terraform, Helm charts and Git.
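The two lowest network layers described earlier (a stateful security group on the components and a stateless network ACL on the subnet) expressed as Terraform code for AWS. This is an added illustration, not code from Origo's framework; the provider region, resource names and CIDR ranges are assumed values.

```hcl
# Added example (not Origo's framework code): one web subnet protected at two
# layers. Provider region, names and CIDRs are assumed values.
provider "aws" { region = "eu-west-1" }

resource "aws_vpc" "prod" {
  cidr_block = "10.10.0.0/16"
}

resource "aws_subnet" "web" {
  vpc_id     = aws_vpc.prod.id
  cidr_block = "10.10.1.0/24"
}

# Layer 1: stateful security group attached to the instances. Only HTTPS in;
# replies to an allowed inbound connection are permitted automatically.
resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = aws_vpc.prod.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Layer 2: stateless network ACL on the subnet. Stateless means reply traffic
# is not tracked: the egress rule for ephemeral ports is required, otherwise
# the TLS handshake is dropped on the way out even though the SG allowed it.
resource "aws_network_acl" "web" {
  vpc_id     = aws_vpc.prod.id
  subnet_ids = [aws_subnet.web.id]
  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }
  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }
}
```

Note that the security group declares no egress block, so Terraform removes the default allow-all outbound rule; the instances can still answer inbound HTTPS connections because the group is stateful.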
Using DevOps practices, cloud development is integrated with operational and monitoring capabilities and with CI/CD pipelines that manage the code lifecycle through code templates, testing, deployments and artifacts. This creates a complete, reusable code-cycle environment and efficient cloud management.