MN Pensioen is a Dutch financial service provider specializing in corporate and industry-wide pension funds and investments. The company manages over €175 billion in pension assets and serves two million people in the metal and technology and motor vehicle sectors. Responsible investing is at MN's core: the company applies an environmental, social and governance (ESG) model to its business. Fiduciary analysis, management and communication make up a large part of MN's services. MN also administers income insurance and works with research and development funds and social funds in its industries. MN is headquartered in Den Haag and has five business units.
Delivering a Secure IT Landscape
MN's services follow stringent governance and protocols in line with legislation, so a high level of security was a precondition for any new IT architecture. Client data and other sensitive information had to be protected while IT had to respond quickly, without security breaches or loss of information. Facing these constraints, MN approached Xebia for a suitable solution. Xebia opted for a hybrid cloud architecture, letting MN Pensioen retain its private cloud for legacy infrastructure and for business-critical applications, particularly those with stewardship requirements. The new environment also fit MN's need to absorb fluctuations in load and meet growing demand.
Defining a Course
The demands of the financial market change frequently depending on a number of factors, not least compliance with EU and Dutch legislation. Relying on large amounts of data to conduct sensitive day-to-day business, MN needed to modernize its IT architecture to remain competitive and to put state-of-the-art security measures in place. The company turned to Xebia for its coaching abilities and deep knowledge of cloud architectures. Xebia guided MN through the entire process, starting with an inventory of the data that needed to be moved and what could stay. Xebia then set up a roadmap for a hybrid cloud architecture in which data and applications are shared and managed under a single IT architecture.
We created and temporarily staffed a newly established Cloud Competence Center. The Center maintains the landing zone, provides guidance to development teams, monitors alerts, regularly reviews costs and gives application owners recommendations to reduce them. We provided a framework for cost management, adapted it to MN, and trained MN staff in cloud cost management.
Most of these requirements were met by deploying Xebia's Cloud Foundation framework, a blueprint for an AWS landing zone, to architect the solution. We designed and implemented a mature AWS multi-account structure that serves as a highly resilient base, raising the security level and simplifying management in line with the AWS Well-Architected Framework. We built a highly automated environment using AWS CloudFormation and AWS CodeCommit, minimizing the risk of human error, reducing the time spent administering the platform, and allowing fast disaster recovery with a low Recovery Time Objective (RTO) using AWS Elastic Disaster Recovery. The cloud security principles were based on AWS best practices and the CIS benchmarks, resulting in a comprehensive security structure implemented with native AWS services. To streamline access control, we integrated MN's existing SAML-based identity provider so that MN could authenticate with its known systems and access AWS services securely, allowing a seamless transition.
The MN infrastructure is fully hosted in a single AWS Region, and our engineers implemented logical controls so that only this specific region can be used. This prevents resources and data from being created outside the EU and supports compliance with the General Data Protection Regulation (GDPR) and other regulations. To ensure that a complete audit trail is available for future audits, we made use of services such as AWS CloudTrail, VPC Flow Logs, Amazon GuardDuty and AWS Config. Based on the experience gained with AWS, MN decided to exit its outsourcing agreement and migrate all Windows applications to AWS. As these are mostly stateful applications, we designed a solution on two layers. The first leverages Amazon EC2 auto recovery to automatically recover instances whose underlying host fails: the instance is restarted on healthy hardware within the same Availability Zone (AZ). Because it stays in the same AZ, the impact is minimal, as the instance keeps its ID, private IP address and other attributes.
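The region pinning and the audit trail described above are usually implemented together: a Service Control Policy (SCP) denies every request that targets another region, and the CloudTrail review checks that the policy is actually in force. The following is an added example written for this page, not Xebia's Cloud Foundation framework or MN's real configuration. The region eu-central-1, the list of exempted global services and the CloudTrail records are all assumptions constructed for illustration; the page does not name MN's region.

```python
import fnmatch
import json

# Assumption for this example: the single EU region is eu-central-1. The page
# does not name MN's region; any EU region works identically.
ALLOWED_REGION = "eu-central-1"

# Global services whose API lives in us-east-1 (and whose CloudTrail events
# report awsRegion "us-east-1"). They must be exempted from the region deny or
# the SCP blocks IAM, STS, Organizations and billing for every account.
# Illustrative list; review it against the services your accounts actually use.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "route53:*", "cloudfront:*",
    "support:*", "budgets:*", "ce:*", "health:*",
]


def build_region_scp(allowed_region=ALLOWED_REGION):
    """Service Control Policy: deny every non-global action outside one region."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllOutsideAllowedRegion",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": allowed_region}
            },
        }],
    }


def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def scp_denies(policy, action, region):
    """Offline check of the SCP's Deny logic for one (action, region) request.

    Handles only what the policy above uses: Deny with Action/NotAction
    wildcards and a StringNotEquals condition on aws:RequestedRegion."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            if _matches(action, stmt["NotAction"]):
                continue  # action is exempted from this Deny
        elif not _matches(action, stmt.get("Action", [])):
            continue  # Deny does not cover this action
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        wanted = cond.get("aws:RequestedRegion")
        if wanted is None or region != wanted:
            return True
    return False


def is_global_event_source(event_source):
    """'iam.amazonaws.com' -> True because 'iam:*' is in the exemption list."""
    service = event_source.split(".")[0]
    return any(p.split(":")[0] == service for p in GLOBAL_SERVICE_ACTIONS)


def find_out_of_region_events(records, allowed_region=ALLOWED_REGION):
    """Audit CloudTrail records for activity outside the pinned region.

    A denied attempt (errorCode AccessDenied) shows the guardrail working; a
    call that succeeded outside the region means the SCP is missing or not
    attached to that account, which is the finding an auditor actually needs."""
    findings = []
    for rec in records:
        region = rec.get("awsRegion")
        if region == allowed_region or is_global_event_source(rec["eventSource"]):
            continue
        status = "denied" if rec.get("errorCode") == "AccessDenied" else "GUARDRAIL GAP"
        findings.append({
            "status": status,
            "event": rec["eventName"],
            "region": region,
            "principal": rec.get("userIdentity", {}).get("arn", "?"),
        })
    return findings


# Constructed CloudTrail records for this example (not real MN log data).
SAMPLE_TRAIL = [
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "eu-central-1",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DevTeam/alice"}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "us-east-1", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/DevTeam/alice"}},
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/CloudCompetenceCenter"}},
    {"eventName": "CreateBucket", "eventSource": "s3.amazonaws.com",
     "awsRegion": "ap-southeast-1",
     "userIdentity": {"arn": "arn:aws:sts::444455556666:assumed-role/Legacy/bob"}},
]

if __name__ == "__main__":
    print(json.dumps(build_region_scp(), indent=2))
    for finding in find_out_of_region_events(SAMPLE_TRAIL):
        print(finding)
```

Two caveats a practitioner should keep in mind: SCPs never apply to the organization's management account, so it must be kept empty of workloads and its activity reviewed separately, and global services legitimately log their events with awsRegion us-east-1 even when the caller sits in the EU, which is why both the policy and the review exempt them rather than treating every us-east-1 event as a violation.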
To protect against the failure of an entire AZ, the second layer uses AWS Backup for non-critical data and applications (RTO and RPO above 24 hours) and, for high-availability applications, a combination of daily backups and continuous replication with AWS Elastic Disaster Recovery.
Benefits for MN in terms of business continuity: better SLAs for the business, especially for critical applications. The RTO improved from 8 hours to 2, and the required RPO of 15 minutes was maintained at much lower cost. DR testing also became much easier: in the past, failover and failback had to be squeezed in between Friday evening and Monday morning. Because a recovery drill now launches separate instances without touching the replicated source, no failback is needed, so tests can be planned and performed with far more flexibility.
We supported this project from inception (feasibility and TCO analysis) to finish (all in-scope applications migrated, business case compared to actuals, recommendations on cost management).
Agile Cloud Migration
Once the ball got rolling, it took only three months to get MN ready for cloud migration. With the path carefully mapped out, MN worked closely with Xebia's experts to build a highly automated, highly secure and innovative cloud environment designed to protect data from compromise. They accomplished this with regional controls and on-premises servers operating alongside the cloud system, a hybrid environment. The setup also streamlined audits and communication between the cloud and local servers, and in compliance with the GDPR, data does not leave the EU. Concurrently, Xebia's consultants brought the team up to speed with an Agile mindset. Working in an agile way ultimately gave MN greater elasticity, saving costly fees and time.
Because migrating the Windows applications to AWS ended the outsourcing agreement, new patterns for backup and DR, formerly provided by the outsourcing company, were developed as part of that project.