Challenge: DevOps Support and a Complex Governance Model
When OneTick contacted Mission Cloud, they were already five years into their cloud journey and working with some of the largest financial institutions in the world. Now that they were scaling their product lines rapidly, they wanted assistance supporting their DevOps practice and establishing an architecture that would meet SOC 2 compliance requirements. OneTick's architecture was complex: each customer had its own sub-account under OneTick's OU in which to deploy OneTick into that customer's environment. The company wanted a governance structure and infrastructure that could support this use case while helping them maintain SOC 2 standards. They also wanted to document their infrastructure from the perspective of Amazon Web Services (AWS) practitioners to better assist customers in deploying and operating OneTick.
Proposal: A 2-Phase Approach to Modernization
Mission Cloud proposed an Assess report, which would summarize the current state of the environment and design a modernization effort to be handled by Mission Cloud Elevate, a fractional team of DevOps engineers and other specialists that would implement this design. The Assess report would design a Landing Zone for newly proposed infrastructure, demonstrate how its components would fulfill OneTick’s objectives and perform a Total Cost of Ownership analysis to help OneTick better understand the ongoing costs of their architecture after modernizing.
In the second phase, Mobilize, the Elevate team would implement the designs as outlined and assist with numerous tasks. These tasks included the containerization of the workloads, establishing the governance model and access management, migrating the databases, updating to OneTick’s CI/CD process, testing disaster-recovery implementations, configuring security services, establishing aggregated logging and monitoring, and helping to create cost controls by assessing utilization for right-sizing and implementing auto-scaling where possible. All of this would be completed rapidly, over a six-month timeline.
Solution: Technical Details
To achieve OneTick’s goals, several bespoke implementations of AWS services were created. A custom VPC was built to configure network access, allow for disaster-recovery best practices, and help with auditing and monitoring. Security Groups were defined to control traffic between OneTick clients and their own infrastructure. EKS was used to orchestrate the deployment of EKS clients, and ECR was used to templatize the deployment of OneTick applications and ensure compliance. IAM was used to provide fine-grained access to the EKS clusters. CloudWatch was used for infrastructure monitoring and infrastructure change management. S3 was used to store client information, with a Terraform module controlling permissions, before the data was transferred to EFS (via DataSync) for consumption by Lambda.
Results: A Modernized and Compliance-Ready Architecture
Over six months, Mission Cloud helped OneTick achieve this extensive modernization effort, implementing best practices for operations, security, governance and more across their architecture. Knowledge transfer and handoff of the robust new architecture, which addresses OneTick’s chief enterprise-scale financial workloads, is now being completed. OneTick can now independently operate a more automated and fault-tolerant infrastructure. The result is an Amazon Web Services (AWS) environment that helps them meet their compliance objectives, reduces the operational burdens of the prior design and continues to protect the sensitive financial data of their customers.