22/06/2022 • Ólafur Ingþórsson

Origo’s Cloud Framework and Cloud Practices

When organizations are considering cloud adoption, whether migrating workloads from on-premises environments to the public cloud or deploying cloud-native applications, it is crucial to first lay the correct foundation. A well-architected foundation, or framew...


A purpose-built cloud framework is the cornerstone of a future-proof cloud environment. Origo's cloud team has developed a cloud framework made up of several key elements and built on the best-practice recommendations and well-architected principles published by both Azure and AWS, providing the foundation for a successful cloud journey. The framework is designed to be flexible and adaptable enough to support any cloud transformation.

Defense-in-depth

In security terms, defense-in-depth is the fundamental practice of protecting infrastructure resources and applications with independent controls at multiple layers, so that no single control has to be perfect. Origo's cloud framework builds this in from the start. At the lowest layer, stateful security groups protect individual infrastructure components or groups of them, controlling inbound and outbound traffic per component; because they are stateful, the reply to an allowed connection is permitted automatically. Stateless network access control lists (NACLs) add a second, coarser filter at the subnet level; being stateless, they must explicitly allow return traffic (typically on the ephemeral port range) or legitimate replies are dropped.

  • Best practice also means separating infrastructure into public and private subnets, with only the components that must be internet-facing (load balancers, edge nodes for traffic distribution) in public subnets, and terminating TLS with valid certificates at those public endpoints, including load balancers and web hosts.

  • Accepting only HTTPS from the outside, with no plaintext HTTP listener, ensures traffic is encrypted and integrity-protected in transit and makes eavesdropping and man-in-the-middle tampering far harder, provided clients validate the certificate.

  • At rest, data volumes are encrypted with symmetric AES-256 keys, which can either be generated and managed by the cloud provider's key management service or owned and managed by the customer. Regular key rotation, which is recommended and in many regimes required, limits how much data any one key protects; note that rotating a key only affects new writes, while data already written stays encrypted under the retained older key material.
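The layers described above, as an added Terraform example for AWS (this is illustrative code written for this page, not Origo's framework code): a public subnet for the TLS-terminating load balancer, a private subnet for the web hosts, a stateful security group pair, a stateless NACL that must let return traffic back in explicitly, and a customer-managed KMS key with rotation made the default for new volumes. The region, CIDRs, resource names and the absence of an internet gateway and route tables are assumptions made to keep the example short.

```hcl
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16" # assumed address plan
}

# Public subnet: only the TLS-terminating load balancer lives here.
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

# Private subnet: web hosts, reachable only through the load balancer.
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.2.0/24"
}

# Stateful security group at the public edge: 443 only. There is deliberately no
# port 80 rule, so plaintext HTTP is dropped before it reaches any listener.
resource "aws_security_group" "alb" {
  name   = "public-alb"
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Web tier: accepts 443 only from the load balancer's group, never from a CIDR.
# Security groups are stateful, so replies leave without an explicit rule.
resource "aws_security_group" "web" {
  name   = "web-tier"
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Stateless network ACL on the private subnet. Stateless means return traffic
# is NOT implied: rule 110 (ephemeral ports) is what lets the replies to
# connections the hosts open themselves (patch mirrors, APIs) back in.
resource "aws_network_acl" "private" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.private.id]
  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = aws_subnet.public.cidr_block
    from_port  = 443
    to_port    = 443
  }
  ingress {
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }
  egress {
    rule_no    = 100
    protocol   = "-1"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
}

# Encryption at rest: a customer-managed key with automatic yearly rotation,
# made the default for every new EBS volume in the region. Rotation affects
# new writes only; existing data stays readable under the retained material.
resource "aws_kms_key" "ebs" {
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_ebs_encryption_by_default" "on" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "cmk" {
  key_arn = aws_kms_key.ebs.arn
}
```

The two details most often missed in practice are both visible here: the web tier trusts the load balancer's security group rather than an address range, so a new load balancer node is covered automatically, and the NACL's ephemeral-port rule exists only because NACLs are stateless; remove it and outbound connections from the private hosts will silently fail.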

Further up the stack, every public cloud environment includes baseline DDoS protection, which can be extended with an advanced DDoS mitigation service that, where required, gives 24/7 access to a response team. Web applications gain further protection from a web application firewall (WAF) that filters common Layer 7 exploits such as injection and cross-site scripting. A central cloud firewall manager can be used to manage rules consistently across an entire cloud environment rather than account by account.

Workload segmentation

The Origo framework includes clear workload segmentation, separating workloads at both the virtual private cloud (VPC) network level and the individual account level. For example, infrastructure belonging to different segments, such as shared services, corporate services, and the production, development and staging environments, is kept in separate networks and accounts. Where segments need to communicate, the framework uses network peering so traffic between VPCs stays on the provider's private network and never traverses the public internet. Traffic therefore remains within the boundaries of the cloud environment, and because peering is not transitive, a segment can only reach the peers it has been explicitly connected and routed to, which strengthens the overall security posture.
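The segment-to-segment connectivity described above, as an added Terraform example for AWS (illustrative code for this page, not the Origo framework's own): a peering connection between a shared-services VPC and a production VPC, the routes each side needs, and a security group that still restricts what the peer may reach. Both VPCs are assumed to be in the same account and region; the CIDRs, the monitoring subnet address and the database port are assumptions.

```hcl
resource "aws_vpc" "shared_services" {
  cidr_block = "10.10.0.0/16"
}

resource "aws_vpc" "production" {
  cidr_block = "10.20.0.0/16" # must not overlap the peer, or routes are ambiguous
}

resource "aws_vpc_peering_connection" "shared_to_prod" {
  vpc_id      = aws_vpc.shared_services.id
  peer_vpc_id = aws_vpc.production.id
  auto_accept = true # only possible when both VPCs are in the same account and region
}

# A peering connection carries nothing until each side has a route to the
# other. Peering is not transitive: a third VPC peered to shared_services
# cannot reach production through it, so every pair needs its own peering.
resource "aws_route" "shared_to_prod" {
  route_table_id            = aws_vpc.shared_services.main_route_table_id
  destination_cidr_block    = aws_vpc.production.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.shared_to_prod.id
}

resource "aws_route" "prod_to_shared" {
  route_table_id            = aws_vpc.production.main_route_table_id
  destination_cidr_block    = aws_vpc.shared_services.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.shared_to_prod.id
}

# Routing only makes the path exist. The security group on the production side
# still decides which peer hosts may talk to it and on which ports: here only
# the (assumed) monitoring subnet in shared services, and only to PostgreSQL.
resource "aws_security_group" "prod_db" {
  name   = "prod-db"
  vpc_id = aws_vpc.production.id
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["10.10.5.0/24"] # assumed monitoring subnet in shared_services
  }
}
```

Opening a peering connection between two segments does not by itself widen the blast radius: without the routes nothing flows, and with the routes only what the destination's security group admits flows. Keeping the peer CIDR in the security group narrow (a subnet, not the whole VPC) is what preserves the segmentation the peering would otherwise erode.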

Access policies – least privilege & governance

In support of least privilege and separation of duties, the framework includes a comprehensive set of recommended user access policies that restrict each role to the segments it needs, so that, for example, a developer with rights in the development account holds none in production. It integrates with Active Directory policy standards and federates sign-on over SSO/SAML between the supported identity providers and the cloud platforms' authorization services.

Tagging policies are also recommended, and where possible enforced, to keep an overview of every resource in the cloud environment and to attribute cost for billing. Depending on preferences, further policies can be set, for example restricting which regions resources may be created in, or which resource types and sizes may be created.

Organizational hierarchy

One of the strengths of the framework is that it leverages a hierarchical structure, using logical entities such as Management Groups (Azure), Organizational Units (AWS) and Resource Groups, to build and enforce segmentation and control of resources in the cloud. The hierarchy allows for top-down segmentation: policies set at a higher level are inherited by the accounts beneath it, and each account holds only the resources that belong to it.

  • Incorporating the concept of "Landing Zones", both for segregation and for grouping resources inside logical units, provides cross-account access and shared identity and access policies at the account and resource level where needed.
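The governance policies mentioned under access policies (tagging and region restriction) and the hierarchy described in this section, as one added Terraform example for AWS Organizations (illustrative code for this page, not the Origo framework's own): two nested organizational units and a service control policy attached to the parent OU so that every account beneath it inherits it. The OU names, approved region list, the CostCenter tag key and the organization being created rather than imported are assumptions; an Azure equivalent would use Management Groups and Azure Policy.

```hcl
resource "aws_organizations_organization" "org" {
  feature_set          = "ALL" # SCPs need all features, not consolidated billing only
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
}

resource "aws_organizations_organizational_unit" "workloads" {
  name      = "Workloads"
  parent_id = aws_organizations_organization.org.roots[0].id
}

# Nested OU: inherits everything attached to Workloads.
resource "aws_organizations_organizational_unit" "production" {
  name      = "Production"
  parent_id = aws_organizations_organizational_unit.workloads.id
}

resource "aws_organizations_policy" "guardrails" {
  name = "region-and-tag-guardrails"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Deny every API call outside the approved regions. Global services are
        # exempted via NotAction because their calls are signed against us-east-1
        # and would otherwise be blocked for everyone.
        Sid       = "DenyOutsideApprovedRegions"
        Effect    = "Deny"
        NotAction = ["iam:*", "organizations:*", "sts:*", "route53:*",
                     "cloudfront:*", "support:*", "budgets:*"]
        Resource  = "*"
        Condition = {
          StringNotEquals = { "aws:RequestedRegion" = ["eu-west-1", "eu-north-1"] } # assumed
        }
      },
      {
        # Refuse to create instances or volumes that arrive without a CostCenter
        # tag. The Null condition is true when the tag key is absent.
        Sid      = "RequireCostCenterTagOnCreate"
        Effect   = "Deny"
        Action   = ["ec2:RunInstances", "ec2:CreateVolume"]
        Resource = ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"]
        Condition = {
          Null = { "aws:RequestTag/CostCenter" = "true" }
        }
      }
    ]
  })
}

# Attached once, at the parent OU: Production and any sibling OU added later
# inherit it without further configuration.
resource "aws_organizations_policy_attachment" "guardrails" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = aws_organizations_organizational_unit.workloads.id
}
```

Two things are worth checking before applying an SCP like this: the global-service exemption list, because a missing entry locks administrators out of a service they rely on, and the fact that SCPs never grant access, they only bound what IAM policies in the member accounts can grant, so least privilege still has to be implemented inside each account.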

Infrastructure as code

Modern cloud development and platform engineering is increasingly driven by infrastructure as code (IaC). The Origo cloud framework is written entirely as code, which gives it agility, flexibility and scalability. Small changes are made at the code level, reviewed, and deployed through the pipeline, with the plan showing exactly which resources will change so that a change to one component does not unexpectedly touch others. It also keeps the environment future-proof: new applications and resources are added to the existing framework code rather than built from scratch.

Furthermore, as public cloud platforms mature, more emphasis is placed on running workloads at a higher level of abstraction, which relieves teams of infrastructure management, including operating system and patch management. In practice this means greater use of platform-as-a-service (PaaS) and serverless offerings, where cloud resources are written on a per-function basis. The same applies to microservices and containers, including Kubernetes orchestration, where cloud-based messaging services and API gateways support a decoupled service architecture.

Origo’s modern cloud practices

The Origo cloud team follows modern cloud development practices, writing most of the infrastructure code with cloud-agnostic tools and platforms such as Terraform, Helm charts and Git.

Einar Sigurðsson, Inga María Backman and Ólafur Ingþórsson - Origo's Cloud Experts

Using DevOps practices, cloud development is integrated with operations and monitoring, and CI/CD pipelines manage the code lifecycle through templates, testing, deployment and artifact creation. The result is a complete, reusable code cycle and efficient cloud management.


Blog author

Ólafur Ingþórsson

Senior Cloud Consultant
