How Six Offene Systeme got started in the AWS cloud

Six Offene Systeme recognized the potential of AWS and decided to migrate. Skaylink was there to advise.

Setting up a Control Tower and enablement for the AWS cloud

Six Offene Systeme GmbH is an owner-managed company with more than 30 years of expertise in the field of software product development. Currently, Six employs around 50 people at its two locations in Stuttgart and Berlin.

Six Offene Systeme recognized the potential of AWS and the advantages of cloud usage and decided to migrate to the cloud. Previously, the company had hosted its data under its own responsibility, but in the future the on-premises systems were to be replaced by the AWS cloud.

In the search for a suitable partner, Six Offene Systeme contacted Skaylink. Together, we quickly arranged an appointment for our Cloud Advisory Workshop. Here, our experts Lennart Tunze and Kathleen Lorenz explained the basics of the cloud in detail. Various questions were also addressed, such as “What can the cloud do?” and “What are the benefits for our company?”. Six saw their goal confirmed by the answers and decided to continue on the path to the cloud.

The Cloud Advisory Workshop established the most important basics. The customer then had many more questions, for example “How do we get started in the AWS Cloud?” and “What about multi-accounts in the future?”. Six of course also received satisfactory answers to these questions in the course of our further collaboration.

Just 3 days to a successful start in the cloud

Our Skaylink experts conducted another 3-day workshop as a basis for a structured, secure and scalable start in the AWS cloud. This consisted of content presentations, joint technical implementation and open discussion rounds in which all topics and questions were dealt with in detail.

Lennart Tunze and Kathleen Lorenz were responsible for the technical implementation. The technical basics, such as the AWS Key Management Service (KMS), encryption and logging, were taught by our colleagues Nickolas Webb and Bianca Sprätz. This allowed us to respond more directly to the individual needs of Six Offene Systeme in the spirit of “customer obsession”.

In our content presentations, we explained what is needed to set up and understand the Control Tower. This newly acquired knowledge was put to direct use during the joint technical implementation.

The core topics of the workshop included:

  • Centralized billing
  • Audit logging
  • Identity and access management
  • Security monitoring and threat detection
  • Encryption mechanisms in AWS
  • Multi-account architecture
  • AWS account creation

All the topics were discussed openly and every question – from both a technical and a security perspective – was answered.

“Important questions were clarified and answered in the joint workshop. There was a pleasant atmosphere, and there was good chemistry between the two companies right from the start. We are delighted to have found the right solution for our requirements and needs with Skaylink.”

Technologies used

  • AWS Organizations and Control Tower for the centralized management of AWS accounts and resources
  • Amazon CloudTrail and Amazon S3 for centralized recording and archiving of audit logs
  • Integration of AWS IAM Identity Center with Azure AD for centralized identity management
  • AWS Security Hub and Amazon GuardDuty for centralized security monitoring and threat detection
  • AWS Key Management Service (KMS) for modern key management
  • Infrastructure as code (IaC) with CloudFormation templates for the automated provision of infrastructure
  • AWS multi-account architecture for maximum isolation between workloads
  • The Customizations for Control Tower solution for a structured implementation and management of the Control Tower

The topics

The customer received an overview of the different AWS areas, all of which are important for centralized governance and scalability. For a basic understanding, the following topics and AWS services were covered:

  • Centralization of AWS invoices via AWS Organizations and Control Tower. This makes it possible to centrally view which AWS account incurs which costs. The accounting department receives a collective AWS invoice. In addition, a “total monthly AWS budget” can be set centrally.
  • Creation of a centralized audit log archive via Amazon CloudTrail and Amazon S3. The user activities of all of Six’s AWS accounts are collected in a central Amazon S3 bucket. The audit logs are retained for 365 days and can be forwarded to SIEM tools for analysis in the future if needed.
  • Centralization of IAM in AWS via an AWS role concept and integration of AWS IAM Identity Center with Six’s existing Azure AD. Thanks to this integration, Six does not have to create its own “AWS-specific” onboarding, offboarding, authorization assignment or recertification processes; it can instead reuse the processes already established in Azure AD.
  • Centralization of security monitoring via AWS Security Hub and Amazon GuardDuty in a dedicated Audit AWS account. This makes it possible to check from a central location whether the AWS security best practices are being adhered to. Amazon GuardDuty can also detect unusual behavior at the AWS API level and trigger an alarm.
  • Encryption mechanisms in AWS and how state-of-the-art key management can be achieved with the AWS Key Management Service (KMS) and Customer Managed KMS Keys. In particular, AWS’s envelope encryption concept was discussed. Typical attack patterns that can be fended off by various encryption measures were presented.
  • The entire infrastructure was set up via infrastructure as code using CloudFormation templates. We also provided a basic understanding of this during the workshop by discussing the structure and creation of CloudFormation. This will be used as the basis for Terraform templates in the future. The templates relevant for the Control Tower were stored in a structured CodeCommit (Git) repository using the “Customizations for Control Tower” solution.
  • On a conceptual level, options for a centralized network in a dedicated AWS network account were presented. Containerization options in a multi-account AWS architecture were also explained, but not implemented.
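To make the audit-log and infrastructure-as-code topics above concrete, here is an added CloudFormation example (constructed for this article, not Skaylink’s or the Control Tower’s own template) for a central CloudTrail archive bucket with the 365-day retention described above. It assumes a customer managed KMS key already exists whose key policy allows cloudtrail.amazonaws.com to call kms:GenerateDataKey, and that the organization trail itself is configured separately.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Central CloudTrail log archive bucket (constructed example)
Parameters:
  AuditLogKmsKeyArn:
    Type: String
    Description: ARN of an existing customer managed KMS key (assumption)
Resources:
  AuditLogBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Objects are encrypted at rest with the customer managed key
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
              KMSMasterKeyID: !Ref AuditLogKmsKeyArn
      # Audit logs must never become public
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      # The 365-day retention mentioned in the workshop
      LifecycleConfiguration:
        Rules:
          - Id: ExpireAfter365Days
            Status: Enabled
            ExpirationInDays: 365
  AuditLogBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref AuditLogBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # CloudTrail checks the bucket ACL before delivering logs
          - Sid: AWSCloudTrailAclCheck
            Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:GetBucketAcl
            Resource: !GetAtt AuditLogBucket.Arn
          # Writes are limited to the AWSLogs/ prefix and must hand
          # ownership of each object to the bucket owner
          - Sid: AWSCloudTrailWrite
            Effect: Allow
            Principal: { Service: cloudtrail.amazonaws.com }
            Action: s3:PutObject
            Resource: !Sub "${AuditLogBucket.Arn}/AWSLogs/*"
            Condition:
              StringEquals: { "s3:x-amz-acl": bucket-owner-full-control }
          # Reject any access that is not over TLS
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource: [ !GetAtt AuditLogBucket.Arn, !Sub "${AuditLogBucket.Arn}/*" ]
            Condition: { Bool: { "aws:SecureTransport": "false" } }
```

In a Control Tower landing zone this bucket would live in the Log Archive account, and the template could be rolled out through the Customizations for Control Tower pipeline like the other templates mentioned above.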

During the joint technical implementation, the theory learned was put into practice. Error handling was also a topic that was addressed in practice.

The multi-account architecture of AWS was also explained in detail. We gave the customer an understanding of the range of possible structures and demonstrated what this architecture makes possible, not least because separate accounts provide the strongest isolation between workloads.

Conclusion

We were able to impart relevant knowledge to our customer with an optimal mix of theory and practice as well as a combination of ready-made templates and templates developed in the workshop. Six Offene Systeme can now independently gather experience in a centrally manageable framework, roll out automation centrally and take its future in the AWS cloud into their own hands. The documentation in the form of notes and videos allows Six to repeat and reapply the content of the workshop at any time.

“The atmosphere in the workshop was very pleasant throughout. From the very first minute, the teams were on good terms. This allowed us to talk about content and other topics without any issues. Throughout the workshop, we clearly recognized the motivation of our colleagues from Six Offene Systeme. That made the collaboration a lot of fun.”