What is Kion?
Kion is a unique all-in-one solution for your cloud enablement needs. Our software helps you manage your cloud accounts, enforce your budgets to prevent cost overruns, identify savings opportunities, and automate compliance, helping align your organization with best practices and standards such as HIPAA or NIST. We work across multiple accounts and cloud service providers for enhanced visibility and control in one intuitive interface.
Why do I need cloud enablement?
To get full value from your cloud investments, you need both:
- Cloud governance to define the set of rules that say which buttons can be pushed when to perform specific actions in the cloud. If you want to simplify cloud account management, prevent blown budgets, and ensure your cloud complies with established security standards, you need cloud governance.
- Cloud management to push the right buttons to perform specific actions in the cloud. You could spend hundreds or even thousands of hours establishing, executing, and tracking these actions manually, which is why automated cloud management is needed.
Kion is a complete cloud enablement solution that brings together these two capabilities: the buttons that need to be pushed to perform actions and the set of rules that allow those actions to be performed with automation.
Cloud enablement is a fundamentally different approach that restores consistency and control while improving the enterprise cloud experience for all users and stakeholders.
Ultimately, cloud enablement shifts people from spending their time on the grunt work of managing and governing their cloud to performing meaningful work that transforms the organization.
How does Kion drive down cloud costs?
Kion minimizes labor costs associated with manual cloud governance and management and the potential costs of zero governance. Based on customer experience, we've typically seen 1-2 full-time personnel needed to perform each of the following activities manually: building and managing user and group structures, monitoring accounts, and managing and enforcing policies. Kion does all of this for you, and much more.
In addition, Kion includes savings opportunities, which are recommended changes to over-provisioned or abandoned cloud resources. Kion scans your cloud environment regularly to automatically suggest these savings opportunities based on the size of your cloud resources and their utilization over time.
Finally, if you neglect governance, there can be massive costs associated with budget overruns and policy/compliance violations.
What cloud service providers are supported with Kion?
Kion supports Amazon Web Services (AWS), including AWS GovCloud and AWS air-gapped partitions; Azure, including Azure Government; and Google Cloud.
Do I have to give you my AWS/Azure/Google Cloud login credentials to use Kion?
No. Kion is not a SaaS product. Our application and back-end database are installed in your environment, specifically in one of your cloud accounts, so your account info remains private and you have full control. We took this approach because we value your privacy and understand that many organizations do not want to share their cloud data with third parties.
What Sets Our Software Apart
How is Kion different from a cloud broker?
Kion provides native access to the cloud service provider (CSP) consoles and APIs. This means that once you log into Kion, you can manage your cloud accounts directly within AWS/Azure/Google Cloud. With a cloud broker, you access the CSP from their interface, so you must wait for the cloud broker to support any new features and APIs before they're available to you. With Kion, you get new features right away, all within a familiar interface. Kion also includes additional features to help you plan, track, and control cloud access, manage cost, and enforce continuous compliance.
How is Kion different from cloud reporting tools?
Cloud reporting tools help you analyze and visualize your cost and usage data with reports. Kion provides this type of cost-based reporting as well, but we also offer additional tools, such as budget enforcement, cost optimization, and financial management to help you plan, track, find savings opportunities, and control cloud access based on current spending. We also offer tools beyond your financial needs, such as continuous compliance enforcement and remediation.
How is Kion different from AWS Organizations?
Conceptually, both Kion and AWS Organizations provide mechanisms to manage a set of AWS accounts hierarchically. Here are the substantive differences in capabilities between the two offerings:
- Kion supports AWS, Azure, and Google Cloud, so you can manage them all within our software. AWS Organizations does not allow you to manage Azure or Google Cloud accounts.
- Kion supports multiple payer accounts. AWS Organizations supports only one payer account. This means companies or resellers that have multiple groups paying AWS monthly invoices can't use AWS Organizations to get a single view of their cloud presence.
- Kion supports hierarchical applications of cloud rules (a combination of AWS IAM policies, service control policies [SCPs], Azure role definitions, CloudFormation templates [CFTs], ARM templates, and additional scripts and executables) as opposed to SCPs alone, which are limited in features compared to IAM policies and role definitions. AWS Organizations does not have workflows that allow users to request changes to their account policies.
- Kion supports approved exceptions to cloud rules. AWS Organizations uses SCPs, which have limited overrides.
- Kion includes granular budget enforcement actions. AWS Organizations only aggregates costs.
- Kion includes multi-cloud compliance checks, a compliance dashboard, and automatic compliance remediation, which AWS Organizations does not. AWS does provide Security Hub and Config, but it requires custom code and is not multi-cloud.
- Kion provides continuous cost estimates. AWS Organizations provides cost estimates every 12 hours, and the data in these reports may be up to 24 hours old.
- Kion supports an unlimited depth of Organization Units in a hierarchy. AWS Organizations only support a depth of five Organization Units.
How is Kion different from AWS Control Tower?
AWS Control Tower is a tool for setting up and managing multi-account AWS environments. It comes with 40 mandatory, strongly-recommended, and elective service control policies (SCPs) that you can enforce in your AWS environments. Kion offers Control Tower integration within our software, which allows you to take advantage of everything Control Tower has to offer, with the added benefits of Kion's features, including:
- Kion supports AWS, Azure, and Google Cloud, so you can manage them all within our software.
- Kion supports hierarchical applications of cloud rules (a combination of AWS IAM policies, SCPs, CloudFormation templates [CFTs], and additional scripts and executables), as opposed to SCPs alone, which are limited in features compared to IAM policies and role definitions. Control Tower does not have workflows that allow users to request changes to their account policies.
- Kion supports approved exceptions to cloud rules, which SCPs do not.
- Kion includes budget enforcement features.
- Kion includes compliance checks and automatic compliance remediation.
License & Pricing
What is the licensing model for Kion?
Kion licensing has two parts: 1) an annual base subscription fee, and 2) a percentage of the cloud service provider (CSP) usage that Kion manages, purchased as "usage units." Usage units allow you to buy licenses based on your anticipated cloud spend. CSP usage units do not expire provided you maintain an active subscription where the CSP usage unit is applied. You can have an unlimited number of Kion user accounts and CSP accounts.
Is there a limit on the number of cloud services or cloud users that I can manage with Kion?
No. You can have an unlimited number of Kion user accounts and cloud service provider (CSP) accounts or subscriptions, including accounts across CSPs.
How much does the Kion license cost?
Please contact us for a quote or to discuss enterprise licensing options.
How much does Kion cost to run in my cloud account?
Kion is designed as a cloud-native application that can scale based on your requirements. The cost to run Kion in your account can vary depending on your organization's performance and security requirements, as well as the number of cloud accounts and the amount of spend data. The average monthly cloud service provider cost to run Kion starts as low as $300. Contact us for a more detailed estimate based on your organization's requirements.
Is Kion available in cloud marketplaces?
Yes. Kion is in the AWS Marketplace and the Azure Marketplace.
How do I deploy Kion?
Kion is a collection of microservices that are deployed in your cloud service provider (CSP) account; it is not a SaaS offering. Kion runs on a load-balanced series of instances with an RDS Aurora back-end for AWS and an Azure Database for MySQL back-end for Azure. We leverage a variety of cloud-native services for the database and the application. In AWS, we use CloudFormation templates to deploy the software. In Azure, we use Azure Resource Manager (ARM) templates.
If Kion is not a SaaS solution, do I need to install Kion for each cloud provider?
No, Kion is architected to install once and use everywhere. From one installation of Kion in a customer-owned/managed AWS account, Azure subscription, or Google Cloud project, you can easily manage and control costs, security, identity, and access across AWS Commercial, AWS GovCloud (IL4 and IL5), Microsoft Azure EA, CSP, MCA (coming soon!) within the commercial regions, as well as the Microsoft Azure for Government (MAG) region, and Google Cloud.
Does Kion work with AWS GovCloud and Azure Government?
Yes. Kion can manage AWS GovCloud (U.S.) accounts and Azure Government (U.S.) accounts.
We run secure workloads utilizing the AWS Secret and Top-Secret Regions. Can I use Kion?
Absolutely! As Kion is a cloud-native solution hosted within your environment, the installation uses services readily available in the AWS secret and top secret regions to give you and your users the same Kion experience. Our customers who span these regions as well as AWS Commercial and GovCloud (IL4 and IL5) love the "train once, use everywhere" approach that Kion takes with identical functionality available in the air-gapped regions.
We're using the Azure Secret region. Does Kion support this?
Soon! Kion is in development to operate on the Azure Secret region. Contact us to be notified at launch!
Can Kion integrate with my AD environment for SSO?
Kion can be configured to authenticate to active directory (AD) by adding an identity provider to the Kion system. You must provide some basic information (such as the service account that can be used to query the AD LDAP database for users and groups) to pre-populate the Kion system.
Does Kion work with Azure CSP and EA?
Yes. Kion supports both Azure CSP and Azure EA.
Can Kion integrate with a central identity provider, such as Active Directory?
Kion can be configured to authenticate using an Integrated Database Management System (IDMS) by adding an identity provider to the Kion system. This can include an internal IDMS, an Active Directory/LDAP, or a SAML IDMS. For SAML IDMS, Kion is the service provider that would use your identity provider (such as Google, Azure AD, Okta, OneLogin, PingFederate, and others) to authenticate login credentials.
Can Kion integrate with my financial, authentication, or security-based systems?
Via APIs and webhooks, Kion can be extended to integrate with other services and applications within your environment. Using SAML IDMS, Kion can use your identity provider (such as Google, Azure AD, Okta, OneLogin, PingFederate, etc.) to authenticate login credentials. Additionally, we integrate with AWS Control Tower (a free AWS service), Tenable, and AWS Security Hub.
Does Kion support MFA?
Yes. Kion currently integrates with the following multi-factor authentication (MFA) solutions: Google Authenticator, YubiKey tokens, and PKI-based smart cards. Additional MFA support can be added through a professional services engagement.
Does Kion depend on AWS Organizations?
No, Kion does not depend on AWS Organizations for its automation & orchestration, financial management, and continuous compliance features. In commercial AWS regions, Kion can leverage the AWS Organizations service to create AWS accounts programmatically. In isolated regions and other environments where access to AWS Organizations is not available, Kion still provides customers the ability to cache pre-created accounts that can be used when required.
How do the Kion compliance policies work?
Kion offers a comprehensive compliance solution using a variety of tools. We help you prevent compliance violations with our cloud rules, which set proactive, organizationally defined boundaries in the cloud (including a vast collection of no-coding-required plug-and-play cloud rules). Then, we allow you to create automated, reactive compliance checks for near real-time views of policy violations. Finally, we offer detailed reporting via a compliance dashboard and automatic compliance remediation to fix issues without manual intervention.
Compliance with regulations like HIPAA, FedRAMP, and PCI require collaborative efforts between your cloud service provider (CSP), your cloud enablement software, and your organization. We make this process easier by offering a solution to help you align with your security goals, including documentation to show which security controls are met by your CSP, Kion, or your organization.
How fresh is the cost/billing data in Kion?
Kion gathers billing data on fixed intervals from cloud provider-generated billing reports. Because the data contained within these reports may be up to 24 hours old, we also calculate the current costs for selected services in near real-time. This allows customers to have a more accurate view of their current cloud spending and enables Kion to take action when spending exceeds the thresholds defined on each project.
What AWS services are required to install Kion?
Kion runs on a load-balanced series of EC2 instances. The AWS services required to install Kion are:
- Elastic Load Balancing
- RDS (Aurora MySQL)
- Billing (Monthly Reports and Cost and Usage Reports)
What Azure services are required to install Kion?
Kion is a collection of microservices that run in a cluster on Azure. The Azure services required to install Kion are:
- 2-3 Virtual Machines, each in a separate availability zone
- Azure Database for MySQL
- Application Gateway
- Load Balancer
- Storage Accounts
- Virtual Network (VNET, Public/ Private IPs, etc.)
- Key Vault (optional; for storing SSL certificate and other secrets)
Refer to the Microsoft documentation for more information on each of these services.
Does Kion have any accreditations or certifications?
Since Kion isn’t a SaaS product but, rather, a product that a customer hosts inside of their AWS or Azure environment, we don’t have a formal accreditation status (such as being FedRAMP certified). Instead, Kion typically resides as a solution on a customer’s General Support Services (GSS) System Security Plan (SSP) and gets accredited at the level of the cloud environment. We have customers that use Kion in environments governed by various compliance regimes including HIPAA, FedRAMP Moderate, and FedRAMP High. Additionally, Kion helps customers partially satisfy certain technical security controls, making it easier to obtain an authorization to operate (ATO) in the cloud.
What support do I get with Kion?
Basic email support (2-business-day response time), software updates, and access to our Kion Success Center portal and community forums are provided during the license term.
Do you have a premium support option?
Premium Support can be purchased on an annual basis and provides you with phone support (4-hour response time from 9 AM to 4 PM, Monday through Friday, except for U.S. federal holidays) and an assigned Technical Account Manager to assist with answering questions and troubleshooting issues. Premium Support contracts are purchased on an annual basis based on the total license amount purchased.
What’s your typical release schedule?
We typically release new features several times per quarter. To update the software, you download the CloudFormation or Azure AKS upgrade files from the release notes section of our Success Center. The update process is quick and can be done during work hours because there is no downtime; we use rolling deployments to keep the application accessible during the process.
Can I get implementation support for Kion?
We have onboarding packages available as a fixed-price service to assist with your installation and setup of Kion. In addition, we offer professional services to help with design, implementation, configuration, testing, training, troubleshooting, and support of Kion. Review our license agreement.
What help is available for Kion?
Help documentation is available from directly within the Kion application. In addition, customers who have purchased a license can access our Success Center to submit a question and search our knowledge base.
What if I have more questions about Kion?
Let's talk! Reach out via our Contact form. We'd love to hear from you.