Cerebrum successfully migrates its platform to AWS
Cerebrum, an intelligent, lab workflow solution, partners with Zuggand to migrate its platform to AWS and changes its delivery model from on-premise to Software-as-a-Service.
“The experts at Zuggand were instrumental in making our migration to AWS a success. Not only did they understand the technology, but they dove deep into our business processes, finances and operations to help us make a smooth transition to a pure, SaaS-based organization.”
-Gregg Lahti (Founder)
Cerebrum develops and sells Laboratory Information Systems software for the Healthcare IT space. Their solutions serve the small to medium Anatomic Pathology (AP) labs that provide tissue testing and pathology reporting in the clinical (patient), clinical trials (research) and molecular genetics fields. Cerebrum’s products enable workflow management of the lab, ensure HIPAA, CLIA, CAP and FDA 21 CFR part 11 lab compliancy and increase overall lab personnel productivity by up to 4X.
Historically, Cerebrum deployed its solutions on servers at a customer’s site, putting the responsibility on the customer to manage and maintain the hardware required to run its solution. As its business began to grow, Cerebrum’s leadership recognized that it could not meet customer demand and scale its business with this deployment model. As a result, Cerebrum engaged with Zuggand to re-architect its platform in AWS and transform its offering to a Software-as-a-Service (SaaS) model.
High Level Requirements:
- Create individual customer accounts that are connected to a hub account for shared services.
- Maintain HIPAA compliance by isolating customer data.
- Ensure the onboarding of new customers is an easy process.
- Incorporate strong fiscal and budgetary billing isolation between customers.
- Automate provisioning of environments using Infrastructure as Code.
- Provide a simple and robust mechanism to maintain adequate separation, as well as interconnectivity, between different AWS and on-premise networks.
- Secure and encrypt data at rest and in transit.
- Monitor and inspect all ingress and egress traffic using third party tools.
- Leverage AWS Multiple Account Strategy to provide security isolation and minimize blast radius.
- Implement strong isolation of auditing data in an account separate from where workloads are deployed.
- Deploy Internet Protocol Security (IPSec) Virtual Private Network (VPN) connectivity between AWS and on-premise networks.
Proposed Solution & Architecture
In order to ensure proper cost allocation, agility, and security across different customers, separate AWS accounts were provisioned for every customer. Accounts were also provisioned for Development and Production environments. A Shared Services account was created for services such as directory services and Single Sign-On. The Logging account contains a central Amazon S3 bucket for storing copies of all AWS CloudTrail and AWS Config log files in a log archive account. A Security Account was created with the intent of it to be used by a security and compliance team to audit or perform emergency security operations in case of an incident. A Security Account is also the master Amazon GuardDuty account.
A Transit account was created to serve as a hub for connectivity with all the other accounts, VPC peering was utilized to manage connectivity and routing between VPCs belonging to different accounts. The Aviatrix VPN solution was used to provide connectivity from on-premise client machines into the Transit hub account and then into spoke accounts over a VPC peering connection.
AWS Managed Active Directory with AWS SSO integration was used to manage user logins to the AWS Console.
CloudFormation templates were utilized extensively for the provisioning of new customer accounts and VPCs. This provides a quick and reliable process for onboarding new customers.
The following are the different accounts that were created as part of the solution:
- Transit: Account for a central Transit VPC that serves as a global network transit hub to interconnect multiple spoke VPCs running in different accounts that might be geographically disparate, as well as on-premises networks over an IPSec VPN connection.
- Non-Production: Account to host non-production workloads.
- Production: Account to host production workloads.
- Customer Account: Account to host customer workloads and data.
- Shared Services: Account to manage all users in a single account and enable user and group access to resources in other accounts. This account also houses Active Directory to centrally manage and store user identities and federate IAM users.
- Security: Account for collecting and analyzing security-related data, running compliance scripts and configuring security services.
- Logging: Account to centrally store, secure, and process infrastructure and application logs and configuration data.
List of AWS Services Used
The following AWS Services were implemented as part of the solution:
- AWS Organizations: AWS Organizations helps you to centrally manage billing; control access, compliance, and security; and share resources across your AWS accounts. You can use Organizations to define central configurations and resource sharing across accounts in your organization.
- AWS Landing Zone: AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. With the large number of design choices.
- AWS Single Sign-On: AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications.
- Amazon RDS PostgreSQL: A managed relational database service that provides six familiar database engines to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL. Here It was used as the backend database for the Dashboard Application.
- Amazon Simple Storage Service (S3): An object storage built to store and retrieve any amount of data from anywhere.
- AWS Lambda: AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume – there is no charge when your code is not running. Lambda was used for provisioning AWS accounts along with Landing Zone.
- AWS Config: WS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
- AWS CloudFormation: AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.
- AWS Systems Manager: AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. Systems Manager was used for automated maintenance and deployment tasks on EC2 Instances.
- AWS Certificate Manager: AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
- Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.
List of Third Party Services Used
Third Party Services that were implemented as part of the solution
Cerebrum now has a reliable and streamlined process to onboard new customers. This solution saves time by automating the set-up of an environment for running secure and scalable workloads while implementing an initial security baseline through the creation of core accounts and resources.
- Moving from a CapEx to OpEx model has given agility to the business along with an efficient use of resources.
- Automation of new customer account creation has significantly reduced time to market.
- Intelligent and cost-efficient threat detection and continuous monitoring with Amazon GuardDuty.
- More time and resource have become available to focus on innovation and delivery instead of maintenance and operations.
Alignment to Well Architected Framework (WAF)
By optimizing the architecture around the five (5) WAF pillars, Cerebrum was able to gain the benefits of a well-architected design in the Cloud:
- Match supply of resources with demand by provisioning resources dynamically and maximizing utilization.
- Optimize costs by using managed services like RDS, Lambda, Route 53, Certificate Manager, AWS Single Sign-On etc.
- Monitor AWS spend using billing alarms.
- Use Trusted Advisor for optimizing resources – instance types and sizes.
- Made architectural choices based on cost/budget, business needs and benchmarking.
- Selection of compute resources, instance family, type and size based on characteristics, cost and business needs.
- Selection of storage solution bases on access patterns, characteristics and requirements.
- Proactively record and monitor performance related metrics and generate alarm-based notifications.
- Determine priorities by extensively evaluating customer and compliance needs.
- Implement application and user activity telemetry that feed live dashboards as well as trigger notifications when anomalies are detected.
- Mitigate deployment risks by implementing automated integration and deployment using Jenkins and GitHub.
- Ensure operational readiness by training personnel to support production workloads.
- Monitor the performance of resources through metrics collected in CloudWatch.
- Enforce multi-factor authentication through AWS single sign-on
- Centrally manage identities using AWS Directory Service.
- Control human access by granting least privileges.
- Defend against emerging security threats and monitor malicious activity with Amazon GuardDuty.
- Protect compute resources by defining fine-grained security group rules and by regularly scanning for vulnerabilities and patching using AWS Systems Manager.
- Protect all data at rest using KMS keys for encrypting EBS volumes, Snapshots and S3 buckets.
- Protect all data in transit by enforcing SSL encryption and managing SSL Certificates inside AWS Certificate Manager.
- Regularly monitor and manage service limits with AWS Trusted Advisor.
- Procure compute resources dynamically by provisioning using Auto Scaling Groups.
- Utilizing managed services from AWS where possible to improve the reliability and availability of the entire solution in AWS.
- Automated change deployment process to make it more reliable using Jenkins and GitHub.
- Perform data backups automatically and encrypt it using KMS keys.
- Define recovery objectives for downtime and data loss use recovery strategies to meet the recovery objectives.
Lessons Learned / Outcomes
The successful migration of Cerebrum’s platform from on-premise to AWS was about more than just the technology. It was critical for Cerebrum to speed up its time-to-market to remain competitive in its space. This meant Cerebrum had to completely change its business model so it can scale as its business grows. Zuggand worked closely with the Cerebrum leadership team to ensure the new business model was fiscally sound and sustainable.
As a result of working with Zuggand, Cerebrum is now able to meet the demands of its customers by moving its platform to a SaaS offering. In addition, the Cerebrum technical staff can now put more focus on adding business value instead of managing infrastructure. As with all its customers, Zuggand recommended to Cerebrum that it periodically engage to perform AWS Well-Architected Reviews to ensure they are getting the most out of AWS.