Last updated on April 21st, 2023 at 1:18pm
Connecting and supporting networks of hundreds of millions of global endpoints in the new “work-from-anywhere” world is no easy task; however, this is the challenge that Kion’s customer, a large security solution provider, tackles every day. With thousands of customers and millions of endpoints, this organization is no stranger to solving complicated problems with high stakes.
For this customer, control is the bedrock of confidence. This same desire for confidence from visibility and control permeates other areas of the organization, including their infrastructure and cloud architecture teams. After implementing Kion, this customer has:
- Reduced cloud provisioning time from days to hours, eliminating manual effort and decreasing time to value in the cloud with Kion’s automation capabilities.
- Effectively prevented drift and built confidence in compliance – before, during, and after an audit – through Kion’s continuous compliance engine.
- Achieved visibility of cloud spend, instituted a cost-conscious culture in the cloud, and realized savings in annual cloud spend through Kion’s reporting and enforcement functionality.
Challenges to Adopt and Scale
Incorporating Amazon Web Services (AWS), Azure, and Google Cloud allows developers at this customer to select the best-fit tools and services to create world-class products and experiences.
However, their cloud team faced the daunting challenge that many cloud engineers face as their organizations adopt and scale in the cloud: understanding cloud costs, satisfying and maintaining cloud compliance, and managing the entire cloud account lifecycle, including user access and permissions, across AWS, Azure, and Google Cloud.
“As the owner of the cloud environments, I need to understand who has access to them, how compliant they are, how much money they’re spending, and what they’re spending it on,” said their Senior Manager of Cloud Engineering.
Understanding Costs, Maintaining Compliance, and Managing the Lifecycle
A big concern was ensuring they monitored and controlled the costs of their cloud environments as much as possible. The team started with native tools but determined they needed more as they matured. Their goals to improve the visibility of their financials included:
- Allowing individual teams to see billing insights and make decisions based on those insights
- Understanding the source of changes in spend and the impact of changes on spend within the given environment
- Translating cost data from the cloud providers to how the organization operates and understands costs
Alongside costs, the organization knew continuous compliance was a priority. As more teams adopted the cloud and the accounts began to sprawl, it became too difficult to monitor and remediate drift manually.
By default, provisioning and retiring cloud accounts was a very manual process for this Kion customer: provisioning took days, or up to 1-2 weeks for more complicated accounts.
Managing access is also complicated.
“Every account is its own authentication environment,” said their senior manager. “There isn’t an easy way to define permissions and access at the top and then trickle down where you want people to have roles.”
Given the specificity of the provisioning and access management challenges, the team thought that custom tooling would need to be written and maintained to achieve the desired outcomes.
Looking for Cost Optimization But Finding Shortcomings
As the team evaluated tools, they struggled to find solutions that addressed all their needs. Many vendors were nothing more than glorified spreadsheets or Python scripts that the team could replicate. The major roadblock that prevented these tools from being useful was that they failed to understand the context of the environments they were reporting and optimizing. Most tools didn’t know the difference between production and development, or which team owned those resources. The tools couldn’t map the information back to the organization’s structure to make it actionable.
A Single Platform for Visibility and Control
On our introductory call, the team saw how Kion displays spend report data mapped to how the organization operates, and how it preserves that context even when savings plans are used.
“When I saw Kion it was like a blindfold was taken off of my eyes. There was this really great platform that solved two things I know I needed and a third that I couldn’t have even dreamed of. I knew there were platforms for cloud costs and compliance, but this burden of managing access and provisioning was always a problem I thought we would need to solve with custom coding.”
Completely Cloud Enabled
Cloud enablement means that rather than the cloud being something you wrangle, the cloud is a means to faster development, speedier implementations, and more secure operations. What began as a search for a cost analysis tool has become a fundamental shift in how this organization manages their cloud and approaches cloud adoption.
Creating a Cost-Conscious Culture
The first desired outcome was cost visibility. They needed to know what caused changes in cloud spend and view it in a way that could be easily understood. They also wanted to equip the teams working on the projects themselves to make their own decisions by showing the growth rate of the spend and projected growth rate depending on the changes users make to the environment.
Kion provides this complete view of cloud spend, as well as recommendations for rightsizing and decommissioning resources. Cloud rules power financial enforcements to prevent overspending by freezing or terminating resources if they exceed a threshold.
More than visibility, Kion has created a cost-conscious culture. Almost every action taken in a cloud account comes with an associated cost. Kion helps to remind every person who builds and innovates in the cloud that their actions carry consequences. Upon logging in to Kion, users are greeted by a dashboard that displays their current cloud spend to give real-time awareness of their project costs.
“When users log in and see their actual costs on the dashboard, it’s like seeing your bank or credit card balance go up. It’s much more effective than a periodic report you see infrequently.”
With Kion helping to drive a cost-conscious culture in the cloud, the organization has realized savings in annual cloud spend.
Becoming Continuously Compliant
Compliance is a moving target. It can seem impossible to keep track of your compliance posture in between audits while the environments are frequently changing. Using cloud rules and Kion’s built-in compliance engine, the team can automate compliance baselines and enforce them on individual accounts, projects, organization units (OUs), and even the entire organization if desired. Kion has helped the team effectively prevent drift and build confidence that not only would they be able to pass an audit, but that those requirements remain satisfied outside of audit time.
Kion continuously scans the environments to report findings mapped to different requirements in ISO 27001 and CIS, giving the team a real-time view of its compliance posture and what needs to be remediated. Team members spend less time figuring out what to do and more time remediating findings and moving forward.
Managing the Entire Account Lifecycle at Scale
With Kion, the team has achieved full cloud enablement and has exponentially grown its cloud footprint. In AWS, for example, they implemented Kion with nine accounts and now manage over seventy. How is growth like this possible?
“Before Kion, it would take two or three days to provision a simple development account, sometimes weeks for more complicated accounts. Now the entire process takes less than four hours.”
The ability to create many accounts only means more work unless you can easily define roles and access for those accounts. To ensure that only the right people have access to cloud accounts, Kion uses cloud rules and cloud access roles to maintain least-privileged access throughout the environment. Place a project in an OU and define the level of access at the OU level with cloud rules and cloud access roles, and the accounts in the project automatically inherit access from the parent OU.
Kion also integrates with identity providers like Azure Active Directory and other SAML providers to eliminate duplicate efforts and map existing roles into your accounts. If a user leaves your organization and is removed from your identity provider, they will no longer be able to authenticate into Kion or federate into accounts. This happens without admins lifting a finger.
“Kion is the arbiter of every account that we have. It creates them. It enforces compliance on them. It enforces budgeting on them. It gives us spending reports for the individual teams. It’s hooked up to our own authentication layer, so it’s fully SAML driven. It’s such a no-brainer.”