
Platform Foundation

Automated provisioning for Cloud Data Infra as a Platform along with Onion Ring security framework and DevOps pipeline

Platform Governance and Management

Automated provisioning of Infrastructure as Code using Terraform, with auto-scaling and high availability. Enables auto-healing from failures, network and platform security, and DevOps automation.

Platform foundation build is the key step of the Next Gen IDEA platform: it ensures the network design, service configurations, disaster recovery strategy and the application-specific prerequisite setups. This solution helps implement a network and an initial security baseline through the creation of core accounts and resources. It also provides a baseline environment to get started with a multi-account architecture, identity and access management, governance, data security, network design and logging. The solution enables a DevOps pipeline, DevSecOps and Infrastructure as Code, and provides session management capability.


PLATFORM FOUNDATION

The Platform Governance framework is based on the Hub and Spoke model. The Hub is a virtual network (VNet) that acts as a central point of connectivity to IDEA's on-premises network. Spokes are VNets that connect to the hub and can be used to isolate different workloads (web, apps, etc.). Traffic flows between on-premises data centres and the hub through an ExpressRoute or VPN gateway connection.
It includes:

  • Regional Hubs
  • Target cloud's SDN firewalls
  • Firewall & Threat Protection


Platform Foundation Features

A brief summary:

  • Platform Management
  • User Management
  • Platform Control Plane
  • Platform Telemetry Plane
  • Platform Security Plane
  • Threat Detection Service
  • Kubernetes Observability
  • CloudTrail

Platform Management

This service enables the user to keep track of and handle projects. Users can create, update and delete projects. They can also assign project modules, create a role for a particular project, assign permissions, etc.

  • MongoDB collections to keep a track of all the projects.
  • Modules’ collection that will store all the permission details as master metadata.
  • Role collection which will have all the role details.

User Management

This service enables the storage and management of users’ data. It ensures that passwords are protected by storing only a password hash in the database, rather than the password itself.

The Users collection schema would look like:

  • A unique ID assigned to each user
  • User name as per the registration
  • User email address as per the registration
  • A timestamp value generated when you update or create a user
  • A timestamp value of the start date of the project
  • A binary object created at user-creation time that holds the hashed password
  • A timestamp value of the creation date-time of the user
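As an added illustration (not IDEA's own code) of the hashed password field in the Users schema above, the following Python builds a user document with the listed fields, stores the password as a salted scrypt hash, and verifies a login attempt against it. The helper names, the scrypt parameters and the `salt + digest` layout of the binary field are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone
from typing import Optional

# Hypothetical helpers written for this example (not IDEA's own code); the field
# names follow the Users collection schema listed above.
SALT_LEN = 16
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # about 16 MiB of memory per hash


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return one binary blob for the password field: random salt + scrypt digest."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


def new_user_document(name: str, email: str, password: str,
                      project_start: Optional[datetime] = None) -> dict:
    """Build the document to insert into the Users collection; the plaintext is never stored."""
    now = datetime.now(timezone.utc)
    return {
        "_id": secrets.token_hex(12),          # unique ID assigned to each user
        "name": name,                          # user name as per registration
        "email": email.strip().lower(),        # email address as per registration
        "password": hash_password(password),   # binary object: salt + hash, no plaintext
        "projectStartDate": project_start or now,
        "createdAt": now,
        "updatedAt": now,
    }
```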

Platform Control Plane

This service helps to deploy, run and manage large clusters of containerized applications, down to the hardware layer, and allows the user to focus on other important aspects such as software development.

The control plane ensures that every component in the cluster is performing at the desired scale. It processes the data received through internal cluster events, external systems and third-party applications, and takes decisions accordingly.

It manages and maintains the nodes that run the containerized applications. It also manages the lifecycle of the containers.

It has these key components:

  • Transmitting data both within the cluster and with external services
  • Handling resource sharing among the nodes
  • Managing the state of the nodes
  • Keeping configurations
  • A controller manager and a cloud controller manager that manage control loops

It also offers a dashboard, a general-purpose web-based UI for the clusters. It allows users to manage and troubleshoot applications running in the cluster, as well as the cluster itself. Users get an overview of the applications running on the cluster and can create or modify individual resources such as Deployments, Jobs, etc.

It is an essential service of Platform Foundation: it manages, maintains and controls every element of the cluster. It handles all operations and controls the cluster’s configuration.

Platform Telemetry Plane

Telemetry uses software tools to record and analyze information about IT infrastructure that would otherwise be difficult to gather.

For cloud, telemetry is critically important: IT infrastructure looks much the same whether the hardware is performing optimally or not. Telemetry gives the ability to observe components and monitor applications in a deeper way, with metrics that track

  • Performance
  • Utilization
  • Energy consumption, and many more

It shows telemetry information at various levels:

  • Node
  • Pods
  • CPU
  • Network
  • Namespace

Prometheus can be considered the king of all the monitoring tools out there as of today. Prometheus on Kubernetes is used for metrics-based monitoring and alerting. It pulls real-time metrics, compresses them and stores them in a time-series database.

Grafana is visualisation and analytics software. It helps users visualise massive amounts of data with the help of an excellent customisable dashboard, so it helps us study, monitor and analyse data over a period. It connects to many data sources such as Prometheus, Graphite, InfluxDB, Elasticsearch, etc.

Platform Security Plane

It provides a secured environment on a public cloud platform. This enables users to have seamless, secure and faster access to IDEA's products hosted in the cloud: AWS / Azure / GCP / Snowflake.

Platform Security covers

  • Audit logging enabled
  • Enhanced VPC routing enabled
  • Hosted in a private subnet with access controlled and tightened via IAM and security groups
  • Encryption enabled with an encryption key
  • Automatic snapshots & backups enabled
  • Public access disabled
  • Private connectivity to AWS / GCP / Azure services
  • Dedicated VPC for security and better isolation
  • All data processing clusters & services launched in a private subnet
  • Databases deployed in their own dedicated subnet, accessible only from the data processing subnets
  • IAM-based policies, user, group & role creation to control access to cloud infrastructure
  • Multi-factor authentication for better security
  • IAM-based protection to control access
  • All public access blocked
  • Encryption: server-side encryption enabled
  • IAM policies: resource-based and user-based policies for bucket access
  • Secure connectivity via PrivateLink

Threat Detection Service

It protects the platform with intelligent threat detection and continuously monitors instances, workloads, users and storage for potential threats. It exposes threats quickly using anomaly detection, machine learning, behavioural modelling and leading third-party sources.

It also helps to mitigate threats early by initiating automated responses.

It categorizes the severity of a threat on three levels, Low, Medium and High, so that users can prioritize the action to be taken in response:

  • Low: suspicious activity that was stopped before any compromise of platform resources.
  • Medium: suspicious or malicious activity.
  • High: a resource is compromised and is being used for unauthorized purposes.

Key features:

  • Continuous monitoring of resources on the platform
  • Categorizing threats for efficient action
  • Easy deployment with one click
  • Threat optimization

For AWS cloud, we use Amazon GuardDuty, which emphasises the following use cases:

  • Improve security operations visibility.
  • Assist security analysts in investigations.
  • Identify files containing malware.

Kubernetes Observability

This service gives the infrastructure great observability. It incorporates various tools for alerting and notification, multi-tenant log query and collection, and multi-dimensional monitoring metrics. It enables users to use visualization and take decisions about resource and container utilization in an efficient manner.

For container-based microservices landscapes, we have three types of tools:

  • Platform monitoring covers the K8s control plane and telemetry plane.
  • Resource utilization/usage by workspace and project.
  • Application resource monitoring for CPU, memory, network and storage metrics.
  • Component monitoring for users to detect component failures.
  • Multi-level log queries covering projects, workloads, Pods, containers and keywords.
  • Multi-tenant log management ensures that tenants can view and access information only in their own accounts.
  • Alerting rules based on the above features, such as multi-tenant and control plane metrics.
  • Flexible alerting rules allow you to customize an alerting policy that contains multiple alerting rules.

CloudTrail

AWS CloudTrail monitors and records account activity across AWS infrastructure, giving control over storage, analysis and remediation actions. It helps to enable governance, compliance, and operational and risk auditing of the AWS account.

It is a service that enables risk auditing, governance and compliance of an AWS account. Actions taken by a user, a role or an AWS service are recorded as events. This includes actions taken in the management console, through the AWS SDKs and APIs, and with the AWS Command Line Interface.

Every activity that occurs in the account is recorded and can be viewed in the event history of the CloudTrail console.

Visibility and transparency into the account, along with IDEA’s onion ring security network, strengthen the security of the platform. This service allows users to view, search, download, archive, analyze and respond to account activity.

CloudTrail Insights

Within CloudTrail, users can also enable CloudTrail Insights. This optional feature allows CloudTrail to automatically detect unusual API activity in the AWS account.

It detects when unusual activity occurs; for example, if a higher number of EC2 instances than usual are being launched, the service raises an alert and gives a detailed report so that users can determine which actions need to be taken.

CloudTrail can be integrated with other applications using its API, which enables the automation, status checking, control and management of trail creation on our platform.
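CloudTrail Insights computes its own baselines internally; as an added example (not IDEA's or AWS's code), the following Python shows the same idea with a fixed threshold: it parses constructed records in CloudTrail's JSON log-file shape and flags any principal whose RunInstances calls in one hour exceed a multiple of the expected rate. The record set, the placeholder account ID, the baseline and the function names are assumptions.

```python
import json
from collections import Counter
from datetime import datetime
from typing import List, Tuple

# Constructed sample in CloudTrail's log-file shape (not records from a real
# account; 111122223333 is a placeholder account ID): routine calls from a
# role, then a burst of RunInstances from one IAM user within a single hour.
ACCOUNT = "111122223333"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:05:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:role/DataOps"}},
    {"eventTime": "2024-05-01T09:10:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:role/DataOps"}},
    {"eventTime": "2024-05-01T10:12:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:role/DataOps"}},
] + [
    {"eventTime": f"2024-05-01T11:{m:02d}:00Z", "eventName": "RunInstances",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/ci-bot"}}
    for m in range(0, 24, 2)          # twelve launches between 11:00 and 11:22
]})


def hourly_counts(log_text: str, event_name: str) -> Counter:
    """Count calls to event_name per (principal ARN, UTC hour bucket)."""
    counts: Counter = Counter()
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventName") != event_name:
            continue
        ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        bucket = ts.replace(minute=0, second=0).isoformat()
        counts[(rec["userIdentity"]["arn"], bucket)] += 1
    return counts


def flag_spikes(log_text: str, event_name: str, baseline_per_hour: int,
                factor: int = 3) -> List[Tuple[str, str, int]]:
    """Return (principal, hour, count) where count exceeds factor x the expected hourly baseline."""
    threshold = baseline_per_hour * factor
    return sorted((arn, hour, n)
                  for (arn, hour), n in hourly_counts(log_text, event_name).items()
                  if n > threshold)
```

With an expected rate of two launches per hour, only the twelve-call burst from the IAM user is flagged; the role's single launches per hour stay within the threshold.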




Design for Industrialization

Service Benefits

Faster speed and consistency

IaC / SaC templates enable faster Data Infra Platform deployment by eliminating manual processes and the slack in the process. Developers can focus on data product development.

Secure and industrialised data landing zone provisioning

Cloud infrastructure provisioning becomes more secure and reliable through the Onion Ring Security Framework.

Iterate quickly and more often

Consistency is another vital benefit of IaC. Data platform operations teams can implement changes across environments in the enterprise based on a tried and tested data landing zone design.

Keeping pace with PaaS services

Capgemini, through its partnership with hyperscalers, keeps track of their advisories on new PaaS services. These services are regularly adopted by the Data Platform operations team in the IaC / SaC templates for the data landing zone.

Platform Governance

End-to-end platform governance and user management, granting organizations freedom and flexibility via a robust microservices architecture on Kubernetes: portable, extensible and accessible.

IDEA’s modular design provides organizations with a flexible and customizable approach to bring in the required platform foundation components, and our Cloud Infra SMEs can customise the template to cater to an end-to-end platform based on the engagement context.

By default, IDEA CI/CD automation is based on Bitbucket (code repository), Terraform (scripting for infra and security provisioning/configuration), Jenkins (running the build pipeline) and xPaaS (a Capgemini offering). However, we can also support other options such as GitHub based on client-specific requirements.

Jenkins is integrated with SonarQube for static code analysis and with WhiteSource to detect security and compliance issues in open source components.

Data at rest is secured through role-based access control, data in motion is secured through SSL encryption / HTTPS, and AWS KMS is used for securely storing and accessing secrets.

Security hardening configuration as part of the onion ring security framework takes care of network, platform, application and data security. Security-as-code templates also support PaaS services for unified infrastructure security management, security monitoring and threat intelligence: AWS Network Firewall, AWS Shield, AWS Web Application Firewall, AWS Firewall Manager for centralized protection of web applications, NGINX (reverse proxy), AWS Security Hub, Amazon GuardDuty, Amazon Inspector, etc.
Next Steps

To learn more about IDEA by Capgemini and how we can help make data your competitive edge, visit: www.capgemini.com/ideabycapgemini

    • Mukesh Jain
      IDEA Head
      mukesh.jain@capgemini.com


    • Harsh Vardhan
      IDEA Chief Digital Leader & Chief Technology Architect
      harsh.c.vardhan@capgemini.com

    • Eric Reich
      Offer Leader and Global Head AI & Data Engineering VP
      eric.reich@capgemini.com

    • Aurobindo Saha
      IDEA Principal Sales Architect
      aurobindo.saha@capgemini.com


    • Sameer Kolhatkar
      IDEA GTM Lead
      sameer.kolhatkar@capgemini.com


    • Sandip Brahmachari
      IDEA D&S Lead
      sandip.brahmachary@capgemini.com


    • Anupam Srivastava
      IDEA Engineering Lead
      anupam.a.srivastava@capgemini.com


    • Subramanian Srinivasan
      IDEA Shared Services Lead
      subramanian.srinivasan@capgemini.com