New Press Release Kion Showcases Vision for FinOps and CloudOps Integration at AWS re:Invent 2024 Learn more

FAQs

Types

Overview

  • Who is Kion?

    Kion automates CloudOps with a single platform providing policy-based identity, FinOps, and compliance for multicloud infrastructure. Kion helps organizations achieve ‘governance by default’ through improved visibility, automation, guardrails, and guidance across AWS, Azure, GCP, and OCI environments. This helps enterprises reduce complexity, eliminate chaos, and minimize manual work so they can innovate faster with less risk.

    Wherever they are on their cloud journey, Kion empowers organizations to confidently provision accounts, maintain financial control, and ensure compliance with security regulations. Kion serves leading commercial, higher education, and government agencies including Indeed Verizon, NASA, and the Centers for Disease Control and Prevention (CDC).

  • Why do I need CloudOps?

    CloudOps is essential for companies to maintain control, efficiency, and security as they scale their cloud environments. Many organizations face challenges such as:

    • Out-of-control cloud spend
    • Overprivileged cloud access
    • Cloud account sprawl without baselines
    • Existing tools generating more work
    • Time wasted on low-level tasks

    To rapidly scale cloud adoption, the future of Cloud Operations must be governed by default. This approach reduces complexity, eliminates chaos, and minimizes manual work.


  • How does Kion drive down cloud costs?

    Kion minimizes labor costs associated with manual cloud governance and management and the potential costs of zero governance. Based on customer experience, we've typically seen 1-2 full-time personnel needed to perform each of the following activities manually: building and managing user and group structures, monitoring accounts, and managing and enforcing policies. Kion does all of this for you, and much more.

    In addition, Kion includes savings opportunities, which are recommended changes to over-provisioned or abandoned cloud resources. Kion scans your cloud environment regularly to automatically suggest these savings opportunities based on the size of your cloud resources and their utilization over time.

    Finally, if you neglect governance, there can be massive costs associated with budget overruns and policy/compliance violations.

  • What cloud service providers are supported with Kion?

    Kion supports Amazon Web Services (AWS), including AWS GovCloud and AWS air-gapped partitions; Azure, including Azure Government; Google Cloud (GCP), and Oracle Cloud Infrastructure (OCI).

  • Do I have to give you my AWS/Azure/OCI/GCP login credentials to use Kion?

    No. Kion is not a SaaS product. Our application and back-end database are installed in your environment, specifically in one of your cloud accounts, so your account info remains private and you have full control. We took this approach because we value your privacy and understand that many organizations do not want to share their cloud data with third parties.

What Sets Our Software Apart

  • Is Kion FedRAMP Authorized?  

    Kion is a self-hosted software solution; not cloud-based SaaS hosted outside the agency’s environment. This allows Kion to meet more stringent security requirements including those established by FedRAMP. As such, Kion does not require FedRAMP authorization by a third-party assessment organization (3PAO) for our Federal Agency customers to receive Authority to Operate (ATO). Dozens of federal customers and affiliated entities have obtained an ATO for Kion through the traditional NIST Risk Management Framework (RMF) ATO process outlined by their Authorizing Official (AO) or Certificate to Field (CTF) process within their agency as you would for any other type of self-hosted software.

  • How is Kion different from a cloud broker?

    Kion provides native access to the cloud service provider (CSP) consoles and APIs. This means that once you log into Kion, you can manage your cloud accounts directly within AWS/Azure/Google Cloud. With a cloud broker, you access the CSP from their interface, so you must wait for the cloud broker to support any new features and APIs before they're available to you. With Kion, you get new features right away, all within a familiar interface. Kion also includes additional features to help you plan, track, and control cloud access, manage cost, and enforce continuous compliance.

  • How is Kion different from cloud reporting tools?

    Cloud reporting tools help you analyze and visualize your cost and usage data with reports. Kion provides this type of cost-based reporting as well, but we also offer additional tools, such as budget enforcement, cost optimization, and financial management to help you plan, track, find savings opportunities, and control cloud access based on current spending. We also offer tools beyond your financial needs, such as continuous compliance enforcement and remediation.

  • How is Kion different from AWS Organizations?

    Conceptually, both Kion and AWS Organizations provide mechanisms to manage a set of AWS accounts hierarchically. Here are the substantive differences in capabilities between the two offerings:

    • Kion supports AWS, Azure, and Google Cloud, so you can manage them all within our software. AWS Organizations does not allow you to manage Azure or Google Cloud accounts.
    • Kion supports multiple payer accounts. AWS Organizations supports only one payer account. This means companies or resellers that have multiple groups paying AWS monthly invoices can't use AWS Organizations to get a single view of their cloud presence.
    • Kion supports hierarchical applications of cloud rules (a combination of AWS IAM policies, service control policies [SCPs], Azure role definitions, CloudFormation templates [CFTs], ARM templates, and additional scripts and executables) as opposed to SCPs alone, which are limited in features compared to IAM policies and role definitions. AWS Organizations does not have workflows that allow users to request changes to their account policies.
    • Kion supports approved exceptions to cloud rules. AWS Organizations uses SCPs, which have limited overrides.
    • Kion includes granular budget enforcement actions. AWS Organizations only aggregates costs.
    • Kion includes multi-cloud compliance checks, a compliance dashboard, and automatic compliance remediation, which AWS Organizations does not. AWS does provide Security Hub and Config, but it requires custom code and is not multi-cloud.
    • Kion provides continuous cost estimates. AWS Organizations provides cost estimates every 12 hours, and the data in these reports may be up to 24 hours old.
    • Kion supports an unlimited depth of Organization Units in a hierarchy. AWS Organizations only support a depth of five Organization Units.
  • How is Kion different from AWS Control Tower?

    AWS Control Tower is a tool for setting up and managing multi-account AWS environments. It comes with 40 mandatory, strongly-recommended, and elective service control policies (SCPs) that you can enforce in your AWS environments. Kion offers Control Tower integration within our software, which allows you to take advantage of everything Control Tower has to offer, with the added benefits of Kion's features, including:

    • Kion supports AWS, Azure, and Google Cloud, so you can manage them all within our software.
    • Kion supports hierarchical applications of cloud rules (a combination of AWS IAM policies, SCPs, CloudFormation templates [CFTs], and additional scripts and executables), as opposed to SCPs alone, which are limited in features compared to IAM policies and role definitions. Control Tower does not have workflows that allow users to request changes to their account policies.
    • Kion supports approved exceptions to cloud rules, which SCPs do not.
    • Kion includes budget enforcement features.
    • Kion includes compliance checks and automatic compliance remediation.

License & Pricing

  • What is the licensing model for Kion?

    Kion is a single SKU with enterprise pricing tiers that is licensed via an annual dollar-limited subscription. This subscription is based on the aggregate consumption of annual public cloud spend that flows through Kion. Kion allows you to have an unlimited number of user and cloud service provider (CSP) accounts. The license comes with basic support and software updates. Customers can upgrade to Premium Support and add-on professional services as needed.

  • Is there a limit on the number of cloud services or cloud users that I can manage with Kion?

    No. You can have an unlimited number of Kion user accounts and cloud service provider (CSP) accounts or subscriptions, including accounts across CSPs.

  • How much does the Kion license cost?

    Please contact us for a quote or to discuss enterprise licensing options.

  • How much does Kion cost to run in my cloud account?

    Kion is designed as a cloud-native application that can scale based on your requirements. The cost to run Kion in your account can vary depending on your organization's performance and security requirements, as well as the number of cloud accounts and the amount of spend data. The average monthly cloud service provider cost to run Kion starts as low as $300. Contact us for a more detailed estimate based on your organization's requirements.

  • Is Kion available in cloud marketplaces?

    Yes. Kion is in the AWS Marketplace and the Azure Marketplace.

Technical

  • How do I deploy Kion?

    Kion is a collection of microservices that are deployed in your cloud service provider (CSP) account; it is not a SaaS offering. Kion runs on a load-balanced series of instances with an RDS Aurora back-end for AWS and an Azure Database for MySQL back-end for Azure. We leverage a variety of cloud-native services for the database and the application. In AWS, we use CloudFormation templates to deploy the software. In Azure, we use Azure Resource Manager (ARM) templates.

  • If Kion is not a SaaS solution, do I need to install Kion for each cloud provider?

    No, Kion is architected to install once and use everywhere. From one installation of Kion in a customer-owned/managed AWS account, Azure subscription, or Google Cloud project, you can easily manage and control costs, security, identity, and access across AWS Commercial, AWS GovCloud (IL4 and IL5), Microsoft Azure EA, CSP, MCA (coming soon!) within the commercial regions, as well as the Microsoft Azure for Government (MAG) region, and Google Cloud.

  • Does Kion work with AWS GovCloud and Azure Government?

    Yes. Kion can manage AWS GovCloud (U.S.) accounts and Azure Government (U.S.) accounts.

  • We run secure workloads utilizing the AWS Secret and Top-Secret Regions. Can I use Kion?

    Absolutely! As Kion is a cloud-native solution hosted within your environment, the installation uses services readily available in the AWS secret and top secret regions to give you and your users the same Kion experience. Our customers who span these regions as well as AWS Commercial and GovCloud (IL4 and IL5) love the "train once, use everywhere" approach that Kion takes with identical functionality available in the air-gapped regions.

  • We're using the Azure Secret region. Does Kion support this?

    Soon! Kion is in development to operate on the Azure Secret region. Contact us to be notified at launch!

  • Can Kion integrate with my AD environment for SSO?

    Kion can be configured to authenticate to active directory (AD) by adding an identity provider to the Kion system. You must provide some basic information (such as the service account that can be used to query the AD LDAP database for users and groups) to pre-populate the Kion system.

  • Does Kion work with Azure CSP and EA?

    Yes. Kion supports both Azure CSP and Azure EA.

  • Can Kion integrate with a central identity provider, such as Active Directory?

    Kion can be configured to authenticate using an Integrated Database Management System (IDMS) by adding an identity provider to the Kion system. This can include an internal IDMS, an Active Directory/LDAP, or a SAML IDMS. For SAML IDMS, Kion is the service provider that would use your identity provider (such as Google, Azure AD, Okta, OneLogin, PingFederate, and others) to authenticate login credentials.

  • Can Kion integrate with my financial, authentication, or security-based systems?

    Via APIs and webhooks, Kion can be extended to integrate with other services and applications within your environment. Using SAML IDMS, Kion can use your identity provider (such as Google, Azure AD, Okta, OneLogin, PingFederate, etc.) to authenticate login credentials. Additionally, we integrate with AWS Control Tower (a free AWS service), Tenable, and AWS Security Hub.

  • Does Kion support MFA?

    Yes. Kion currently integrates with the following multi-factor authentication (MFA) solutions: Google Authenticator, YubiKey tokens, and PKI-based smart cards. Additional MFA support can be added through a professional services engagement.

  • Does Kion depend on AWS Organizations?

    No, Kion does not depend on AWS Organizations for its automation & orchestration, financial management, and continuous compliance features. In commercial AWS regions, Kion can leverage the AWS Organizations service to create AWS accounts programmatically. In isolated regions and other environments where access to AWS Organizations is not available, Kion still provides customers the ability to cache pre-created accounts that can be used when required.

  • How do the Kion compliance policies work?

    Kion offers a comprehensive compliance solution using a variety of tools. We help you prevent compliance violations with our cloud rules, which set proactive, organizationally defined boundaries in the cloud (including a vast collection of no-coding-required plug-and-play cloud rules). Then, we allow you to create automated, reactive compliance checks for near real-time views of policy violations. Finally, we offer detailed reporting via a compliance dashboard and automatic compliance remediation to fix issues without manual intervention.

    Compliance with regulations like HIPAA, FedRAMP, and PCI require collaborative efforts between your cloud service provider (CSP), your cloud enablement software, and your organization. We make this process easier by offering a solution to help you align with your security goals, including documentation to show which security controls are met by your CSP, Kion, or your organization.

  • How fresh is the cost/billing data in Kion?

    Kion gathers billing data on fixed intervals from cloud provider-generated billing reports. Because the data contained within these reports may be up to 24 hours old, we also calculate the current costs for selected services in near real-time. This allows customers to have a more accurate view of their current cloud spending and enables Kion to take action when spending exceeds the thresholds defined on each project.

  • What AWS services are required to install Kion?

    Kion runs on a load-balanced series of EC2 instances. The AWS services required to install Kion are:

    • EC2
    • S3
    • Elastic Load Balancing
    • IAM
    • KMS
    • VPC
    • RDS (Aurora MySQL)
    • CloudFormation
    • CloudWatch
    • Billing (Monthly Reports and Cost and Usage Reports)
  • What Azure services are required to install Kion?

    Kion is a collection of microservices that run in a cluster on Azure. The Azure services required to install Kion are:

    • 2-3 Virtual Machines, each in a separate availability zone
    • Azure Database for MySQL
    • Application Gateway
    • Load Balancer
    • Storage Accounts
    • Virtual Network (VNET, Public/ Private IPs, etc.)
    • Key Vault (optional; for storing SSL certificate and other secrets)

    Refer to the Microsoft documentation for more information on each of these services.

  • Does Kion have any accreditations or certifications?

    Kion has successfully undergone an audit process and earned its System and Organization Controls (SOC) 2 Type 1 attestation. Our full SOC 2 Type 1 audit report is available to customers and prospects under NDA upon request. To request a copy and get additional details on Kion’s current security compliance status and Corporate Security Policies, visit our Trust Center.

    Kion has achieved CSA's STAR Level 1.

    Kion has completed the Higher Education Community Vendor Assessment Tool (HECVAT) created by EDUCAUSE's Higher Education Information Security Council (HEISC) in collaboration with Internet2 and the REN-ISAC. Our completed assessment can be requested via the REN-ISAC index.

    Kion has also successfully completed the Internet2 NET+ program service evaluation.

    Kion has achieved the Security Software, Cloud Operations, and Government Software competencies from AWS, distinctions awarded to AWS partners with validated solutions and deep technical expertise in key cloud disciplines.

    Because Kion is hosted within a customer's AWS or Azure environment (vs a SaaS delivery model), FedRAMP certification does not apply to the Kion solution. Instead, Kion typically resides as a solution on a customer’s General Support Services (GSS) System Security Plan (SSP) and gets accredited at the level of the cloud environment. We have customers that use Kion in environments governed by various compliance regimes including HIPAA, FedRAMP Moderate, and FedRAMP High. Additionally, Kion helps customers partially satisfy certain technical security controls, making it easier to obtain an authorization to operate (ATO) in the cloud.

Support

  • What support do I get with Kion?

    Basic email support (2-business-day response time), software updates, and access to our Kion Success Center portal and community forums are provided during the license term.

  • Do you have a premium support option?

    Premium Support can be purchased on an annual basis and provides you with phone support (4-hour response time from 9 AM to 4 PM, Monday through Friday, except for U.S. federal holidays) and an assigned Technical Account Manager to assist with answering questions and troubleshooting issues. Premium Support contracts are purchased on an annual basis based on the total license amount purchased.

  • What’s your typical release schedule?

    We typically release new features several times per quarter. To update the software, you download the CloudFormation or Azure AKS upgrade files from the release notes section of our Success Center. The update process is quick and can be done during work hours because there is no downtime; we use rolling deployments to keep the application accessible during the process.

  • Can I get implementation support for Kion?

    We have onboarding packages available as a fixed-price service to assist with your installation and setup of Kion. In addition, we offer professional services to help with design, implementation, configuration, testing, training, troubleshooting, and support of Kion. Review our license agreement.

  • What help is available for Kion?

    Help documentation is available from directly within the Kion application and via our Success Center. In addition, customers who have purchased a license can access our Success Center to submit a question.

  • What if I have more questions about Kion?

    Let's talk! Reach out via our Contact form. We'd love to hear from you.

Start your cloud operations journey.

Request a demo today,