AWS Cloud Migration for Global Travel Company’s Legacy HR Application
Case Study: Cloud & Operations
SITUATION & BUSINESS CHALLENGE
The human resources information systems (HRIS) division of a large global travel company was facing a hard deadline to migrate a legacy data application into the Amazon Web Services (AWS) cloud. The application was a repository of personally identifiable information (PII) employee data in four SQL databases with 52 attached drives.
The HR IT group started the AWS migration but had challenges. The internal team was not aware of best practices around deployment automation and security, specifically in cloud environments. After setting up an initial lab environment and a failed security review, the project was blocked from forward progress.
While other IT groups within the company possessed sufficient knowledge to set up this environment, HRIS was wary of exposing the sensitive employee data to workers outside its division. The group needed expertise from outside the company and searched for a consulting firm to lead the project.
AIM Consulting had a large on-site consulting presence at the travel company, and had earned a solid reputation in cloud after numerous large-scale AWS engagements in its IT group, and providing ServiceNow expertise to HRIS. Based on this reputation, HRIS chose AIM to lead the migration.
A cloud architect from AIM’s Cloud & Operations practice worked closely with the HRIS team to engineer a solution that corrected the lab environment and built the foundation for the production environment, evangelizing AWS best practices and educating the team to manage and maintain the solution in the future.
AIM led the engagement through three distinct phases:
Working with the client team’s primary system admin and a data scientist, AIM analyzed the current application environment, which was laden with old human-readable config files, while helping the team to discover suitable AWS resources for the migration.
During this phase, AIM helped to demystify the cloud by introducing several concepts:
- Cloud Fundamentals: Starting with small building blocks and walking the team through the process of creating the base network in the AWS cloud. AIM planned to componentize the application to enable a smooth migration.
- Lift-and-Shift: Migrating SQL instances to EC2 while showing how to attach storage in the cloud.
- Infrastructure as Code: Using Infrastructure as Code (IaC), CloudFormation templates, and version control for IaC artifacts so the team could step away from unnecessary documentation.
- Evangelizing Cloud Scalability: Providing knowledge transfer to the client team on scalability concepts, such as autoscaling and the use of Amazon Machine Images (AMIs) as backup mechanisms for fully configured servers.
- DevSecOps: Embedding security into the entire process, teaching the concepts of application firewall rules known as AWS security groups, and identity and access management (IAM) roles. By baking security into the CloudFormation templates, security rules could be easily updated as the team moved more application components to the cloud. This also enabled the team to easily pass security reviews prior to production release and launch.
AIM began to migrate the solution using these foundational concepts, involving the client team more as the project evolved. Toward the end of this phase, the client was able to own much of the migration process while AIM served as more of a subject matter expert for AWS.
AIM’s architecture design for the lab/dev environment passed its security design review, enabling the team to learn and experiment more with AWS under less pressure. AIM deployed the lab/dev environment servers in the cloud, troubleshooting which ports to open and showing how to lock them down properly.
Next, the security design review for the production environment was approved within 24 hours of its submittal. Subsequently, AIM deployed the network in the Amazon Virtual Private Cloud (VPC), and then guided the team in migrating the production servers via CloudFormation templates, using the lessons learned from the lab/dev environment. The environment hosted both the legacy application and a newer serverless application leveraging Lambda, API gateways, and Dynamo DB, set up in a scalable multi-availability zone format (one of the benefits of the elastic cloud evangelized by AIM) so that if one datacenter goes offline, the application can still run in the other.
AIM highly emphasized SecDevOps best practices during implementation, following the company’s enterprise risk and security (ERS) protocols. This proved challenging, particularly with the requirement that any outbound traffic to the Internet be routed through a proxy server and only to a dynamically changing whitelist of accessible URLs. AIM solved the problem with the use of a secondary proxy server and leveraging blue/green deployment methodology with CloudFormation stack updates to dynamically change the outbound routes to a secondary proxy server.
Knowledge Transfer Phase
At this point the project was fully handed off to the internal client team, which completed the migration under AIM’s continuing supervision. AIM ensured that all IaC artifacts were fully checked into version control and that every aspect of the project was fully documented, providing a clear picture of the solution architecture, resources and dependencies.
AIM also had one-on-one meetings with every team member to review documentation, the end-to-end deployment process, troubleshooting, and cover any questions.
The team had brought in an assistant to the primary system administrator, a junior tech worker with no cloud experience. Through reading material, offline technical reviews and hands-on practice, AIM fully trained the new admin resource on AWS administration best practices and on the solution itself, quickly bringing the worker to sufficient competency.
To conclude the engagement, AIM provided a roadmap of recommended elements to improve the environment over time, including additional monitoring and notifications, a list of 20 best practices to address greater scalability, redundancy, enhanced automation functions, and cost-saving tips like implementing Amazon’s EC2 Scheduler for powering down the solution during non-business hours.
The legacy data application is now running in production in AWS, expertly architected, configured, embedded with security, and managed by a well-trained internal team embracing best practices. The client organization had full support from the leadership team to embrace the cloud and devops throughout the division. This enabled team members to learn and led to a smooth engagement throughout.
AIM’s engagement represented the turning point for the team toward embracing the cloud in every aspect, leading to a positive culture change. Additionally, the HR department now has a much better reputation with the company’s security group for completing the due diligence in ensuring that all levels of security are managed for the implementation.
A critical side-effect from the project came from AIM’s work with the data scientist, who discovered during the security design review that many more people within the company had access to the PII data than was necessary. This has made the team more vigilant about access to the data, and the data scientist has implemented a company-wide set of best practices for PII data and compliance standards as a result.