FAQs

Kion is a unique all-in-one solution for your cloud enablement needs. Our software helps you manage your cloud accounts, enforce your budgets to prevent cost overruns, identify savings opportunities, and automate compliance, helping align your organization with best practices and standards such as HIPAA or NIST. We work across multiple accounts and cloud service providers for enhanced visibility and control in one intuitive interface.

To get full value from your cloud investments, you need both:

• Cloud governance to define the set of rules that say which buttons can be pushed when to perform specific actions in the cloud. If you want to simplify cloud account management, prevent blown budgets, and ensure your cloud complies with established security standards, you need cloud governance.

and

• Cloud management to push the right buttons to perform specific actions in the cloud. You could spend hundreds or even thousands of hours establishing, executing, and tracking these actions manually, which is why automated cloud management is needed.

Kion is a complete cloud enablement solution that brings together these two capabilities: the buttons that need to be pushed to perform actions and the set of rules that allow those actions to be performed with automation.​

Cloud enablement is a fundamentally different approach that restores consistency and control while improving the enterprise cloud experience for all users and stakeholders.​

Ultimately, cloud enablement shifts people from spending their time on the grunt work of managing and governing their cloud to performing meaningful work that transforms the organization.

Kion minimizes labor costs associated with manual cloud governance and management and the potential costs of zero governance. Based on customer experience, we've typically seen 1-2 full-time personnel needed to perform each of the following activities manually: building and managing user and group structures, monitoring accounts, and managing and enforcing policies. Kion does all of this for you, and much more.

In addition, Kion includes savings opportunities, which are recommended changes to over-provisioned or abandoned cloud resources. Kion scans your cloud environment regularly to automatically suggest these savings opportunities based on the size of your cloud resources and their utilization over time.

Finally, if you neglect governance, there can be massive costs associated with budget overruns and policy/compliance violations.

Kion supports Amazon Web Services (AWS), including AWS GovCloud and AWS air-gapped partitions; Azure, including Azure Government; and Google Cloud.

No. Kion is not a SaaS product. Our application and back-end database are installed in your environment, specifically in one of your cloud accounts, so your account info remains private and you have full control. We took this approach because we value your privacy and understand that many organizations do not want to share their cloud data with third parties.

Kion provides native access to the cloud service provider (CSP) consoles and APIs. This means that once you log into Kion, you can manage your cloud accounts directly within AWS/Azure/Google Cloud. With a cloud broker, you access the CSP from their interface, so you must wait for the cloud broker to support any new features and APIs before they're available to you. With Kion, you get new features right away, all within a familiar interface. Kion also includes additional features to help you plan, track, and control cloud access, manage cost, and enforce continuous compliance.

Cloud reporting tools help you analyze and visualize your cost and usage data with reports. Kion provides this type of cost-based reporting as well, but we also offer additional tools, such as budget enforcement, cost optimization, and financial management to help you plan, track, find savings opportunities, and control cloud access based on current spending. We also offer tools beyond your financial needs, such as continuous compliance enforcement and remediation.

Conceptually, both Kion and AWS Organizations provide mechanisms to manage a set of AWS accounts hierarchically. Here are the substantive differences in capabilities between the two offerings:

• Kion supports AWS, Azure, and Google Cloud, so you can manage them all within our software. AWS Organizations does not allow you to manage Azure or Google Cloud accounts.
• Kion supports multiple payer accounts. AWS Organizations supports only one payer account. This means companies or resellers that have multiple groups paying AWS monthly invoices can't use AWS Organizations to get a single view of their cloud presence.
• Kion supports hierarchical applications of cloud rules (a combination of AWS IAM policies, service control policies [SCPs], Azure role definitions, CloudFormation templates [CFTs], ARM templates, and additional scripts and executables) as opposed to SCPs alone, which are limited in features compared to IAM policies and role definitions. AWS Organizations does not have workflows that allow users to request changes to their account policies.
  
• Kion supports approved exceptions to cloud rules. AWS Organizations uses SCPs, which have limited overrides.
  
• Kion includes granular budget enforcement actions. AWS Organizations only aggregates costs.
  
• Kion includes multi-cloud compliance checks, a compliance dashboard, and automatic compliance remediation, which AWS Organizations does not. AWS does provide Security Hub and Config, but it requires custom code and is not multi-cloud.
  
• Kion provides continuous cost estimates. AWS Organizations provides cost estimates every 12 hours, and the data in these reports may be up to 24 hours old.
  
• Kion supports an unlimited depth of Organization Units in a hierarchy. AWS Organizations only support a depth of five Organization Units.
  

AWS Control Tower is a tool for setting up and managing multi-account AWS environments. It comes with 40 mandatory, strongly-recommended, and elective service control policies (SCPs) that you can enforce in your AWS environments. Kion offers Control Tower integration within our software, which allows you to take advantage of everything Control Tower has to offer, with the added benefits of Kion's features, including:

• Kion supports AWS, Azure, and Google Cloud, so you can manage them all within our software.
• Kion supports hierarchical applications of cloud rules (a combination of AWS IAM policies, SCPs, CloudFormation templates [CFTs], and additional scripts and executables), as opposed to SCPs alone, which are limited in features compared to IAM policies and role definitions. Control Tower does not have workflows that allow users to request changes to their account policies.
• Kion supports approved exceptions to cloud rules, which SCPs do not.
• Kion includes budget enforcement features.
• Kion includes compliance checks and automatic compliance remediation.

Kion is licensed via an annual dollar-limited subscription. This subscription is based on the aggregate consumption of annual public cloud spend that flows through Kion. Kion allows you to have an unlimited number of user and cloud service provider (CSP) accounts.

No. You can have an unlimited number of Kion user accounts and cloud service provider (CSP) accounts or subscriptions, including accounts across CSPs.

Please contact us for a quote or to discuss enterprise licensing options.

Kion is designed as a cloud-native application that can scale based on your requirements. The cost to run Kion in your account can vary depending on your organization's performance and security requirements, as well as the number of cloud accounts and the amount of spend data. The average monthly cloud service provider cost to run Kion starts as low as $300. Contact us for a more detailed estimate based on your organization's requirements.

Yes. Kion is in the AWS Marketplace and the Azure Marketplace.

Kion is a collection of microservices that are deployed in your cloud service provider (CSP) account; it is not a SaaS offering. Kion runs on a load-balanced series of instances with an RDS Aurora back-end for AWS and an Azure Database for MySQL back-end for Azure. We leverage a variety of cloud-native services for the database and the application. In AWS, we use CloudFormation templates to deploy the software. In Azure, we use Azure Resource Manager (ARM) templates.

No, Kion is architected to install once and use everywhere. From one installation of Kion in a customer-owned/managed AWS account, Azure subscription, or Google Cloud project, you can easily manage and control costs, security, identity, and access across AWS Commercial, AWS GovCloud (IL4 and IL5), Microsoft Azure EA, CSP, MCA (coming soon!) within the commercial regions, as well as the Microsoft Azure for Government (MAG) region, and Google Cloud.

Yes. Kion can manage AWS GovCloud (U.S.) accounts and Azure Government (U.S.) accounts.

Absolutely! As Kion is a cloud-native solution hosted within your environment, the installation uses services readily available in the AWS secret and top secret regions to give you and your users the same Kion experience. Our customers who span these regions as well as AWS Commercial and GovCloud (IL4 and IL5) love the "train once, use everywhere" approach that Kion takes with identical functionality available in the air-gapped regions.

Soon! Kion is in development to operate on the Azure Secret region. Contact us to be notified at launch!

Kion can be configured to authenticate to active directory (AD) by adding an identity provider to the Kion system. You must provide some basic information (such as the service account that can be used to query the AD LDAP database for users and groups) to pre-populate the Kion system.

Yes. Kion supports both Azure CSP and Azure EA.

Kion can be configured to authenticate using an Integrated Database Management System (IDMS) by adding an identity provider to the Kion system. This can include an internal IDMS, an Active Directory/LDAP, or a SAML IDMS. For SAML IDMS, Kion is the service provider that would use your identity provider (such as Google, Azure AD, Okta, OneLogin, PingFederate, and others) to authenticate login credentials.

Via APIs and webhooks, Kion can be extended to integrate with other services and applications within your environment. Using SAML IDMS, Kion can use your identity provider (such as Google, Azure AD, Okta, OneLogin, PingFederate, etc.) to authenticate login credentials. Additionally, we integrate with AWS Control Tower (a free AWS service), Tenable, and AWS Security Hub.

Yes. Kion currently integrates with the following multi-factor authentication (MFA) solutions: Google Authenticator, YubiKey tokens, and PKI-based smart cards. Additional MFA support can be added through a professional services engagement.

No, Kion does not depend on AWS Organizations for its automation & orchestration, financial management, and continuous compliance features. In commercial AWS regions, Kion can leverage the AWS Organizations service to create AWS accounts programmatically. In isolated regions and other environments where access to AWS Organizations is not available, Kion still provides customers the ability to cache pre-created accounts that can be used when required.

Kion offers a comprehensive compliance solution using a variety of tools. We help you prevent compliance violations with our cloud rules, which set proactive, organizationally defined boundaries in the cloud (including a vast collection of no-coding-required plug-and-play cloud rules). Then, we allow you to create automated, reactive compliance checks for near real-time views of policy violations. Finally, we offer detailed reporting via a compliance dashboard and automatic compliance remediation to fix issues without manual intervention.

Compliance with regulations like HIPAA, FedRAMP, and PCI require collaborative efforts between your cloud service provider (CSP), your cloud enablement software, and your organization. We make this process easier by offering a solution to help you align with your security goals, including documentation to show which security controls are met by your CSP, Kion, or your organization.

Kion gathers billing data on fixed intervals from cloud provider-generated billing reports. Because the data contained within these reports may be up to 24 hours old, we also calculate the current costs for selected services in near real-time. This allows customers to have a more accurate view of their current cloud spending and enables Kion to take action when spending exceeds the thresholds defined on each project.

Kion runs on a load-balanced series of EC2 instances. The AWS services required to install Kion are:

• EC2
• S3
• Elastic Load Balancing
• IAM
• KMS
• VPC
• RDS (Aurora MySQL)
• CloudFormation
• CloudWatch
• Billing (Monthly Reports and Cost and Usage Reports)

Kion is a collection of microservices that run in a cluster on Azure. The Azure services required to install Kion are:

• 2-3 Virtual Machines, each in a separate availability zone
• Azure Database for MySQL
• Application Gateway
• Load Balancer
• Storage Accounts
• Virtual Network (VNET, Public/ Private IPs, etc.)
• Key Vault (optional; for storing SSL certificate and other secrets)

Refer to the Microsoft documentation for more information on each of these services.

Kion has successfully undergone an audit process and earned its System and Organization Controls (SOC) 2 Type 1 attestation. Our full SOC 2 Type 1 audit report is available to customers and prospects under NDA upon request. To request a copy and get additional details on Kion’s current security compliance status and Corporate Security Policies, visit our Trust Center.

Kion has achieved CSA's STAR Level 1.

Kion has completed the Higher Education Community Vendor Assessment Tool (HECVAT) created by EDUCAUSE's Higher Education Information Security Council (HEISC) in collaboration with Internet2 and the REN-ISAC. Our completed assessment can be requested via the REN-ISAC index.

Kion has also successfully completed the Internet2 NET+ program service evaluation.

Kion has achieved the Security Software, Cloud Operations, and Government Software competencies from AWS, distinctions awarded to AWS partners with validated solutions and deep technical expertise in key cloud disciplines.

Because Kion is hosted within a customer's AWS or Azure environment (vs a SaaS delivery model), FedRAMP certification does not apply to the Kion solution. Instead, Kion typically resides as a solution on a customer’s General Support Services (GSS) System Security Plan (SSP) and gets accredited at the level of the cloud environment. We have customers that use Kion in environments governed by various compliance regimes including HIPAA, FedRAMP Moderate, and FedRAMP High. Additionally, Kion helps customers partially satisfy certain technical security controls, making it easier to obtain an authorization to operate (ATO) in the cloud.

Basic email support (2-business-day response time), software updates, and access to our Kion Success Center portal and community forums are provided during the license term.

Premium Support can be purchased on an annual basis and provides you with phone support (4-hour response time from 9 AM to 4 PM, Monday through Friday, except for U.S. federal holidays) and an assigned Technical Account Manager to assist with answering questions and troubleshooting issues. Premium Support contracts are purchased on an annual basis based on the total license amount purchased.

We typically release new features several times per quarter. To update the software, you download the CloudFormation or Azure AKS upgrade files from the release notes section of our Success Center. The update process is quick and can be done during work hours because there is no downtime; we use rolling deployments to keep the application accessible during the process.

We have onboarding packages available as a fixed-price service to assist with your installation and setup of Kion. In addition, we offer professional services to help with design, implementation, configuration, testing, training, troubleshooting, and support of Kion. Review our license agreement.

Help documentation is available from directly within the Kion application and via our Success Center. In addition, customers who have purchased a license can access our Success Center to submit a question.

Let's talk! Reach out via our Contact form. We'd love to hear from you.