aws enterprise summit netherlands - workspaces & workmail

Post on 14-Apr-2017


© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Julien Lepine (lepine@amazon.fr) Chris Gerpheide (chrisge@amazon.com)

Pranesh Ramalingam (praneshr@amazon.com) Sep 21st 2016

Amazon Work Suite Managed Enterprise Applications in the Cloud

What Customers Are Telling Us

What’s not working?

Personal Computers

•  Manage inventory

•  Secure endpoints

•  BYOD is complicated

•  Data must be backed up

•  Expensive to scale

On-Premises VDI

•  Upfront investment

•  Weeks to deploy

•  Requires management

•  Servers must be secured

•  Expensive to scale

Embrace personal devices

Support contract workers

Access for Mobile Workers

Data Security

Agility

Introducing Amazon Enterprise Applications

Desktop & Apps: WorkSpaces, WorkSpaces Application Manager

Productivity: WorkMail, WorkDocs

Secure, managed end-user computing services on the AWS cloud

A cost-effective, managed cloud desktop

Secure Pay-as-you-go

Simple management

Highly interactive cloud desktops your users will love

Scale consistently

Desktop Experience Your Users Will Love

A formal BYOD policy is four times more likely to result in increased employee productivity and decreased IT support issues¹.

Portable Desktop

Consistent Performance

Available on Any Device

1.  Enterprise Strategy Group: TechTruths: BYOD and Productivity, 2015

Supports Multiple Devices

Desktop, Laptop: PC, Mac

Tablets: iOS, Android, Kindle, Surface

Zero Clients

Thin Clients *

Chrome OS, Chromium

Reuse your existing devices, or acquire to fit your needs.

* OEM-specific, OS-specific

Plays Well With Existing Tools

Microsoft Active Directory

Multifactor Authentication (RADIUS)

SCCM

Intranet

Amazon WorkSpaces integrates easily with your on-premises tools and network

Improves Security

•  Data is stored on the AWS cloud, not on devices

•  Data is encrypted in transit with 256-bit encryption

•  Volume encryption with AWS Key Management Service

•  Users authenticated against your corporate directory

•  Deploy multi-factor authentication (MFA) for additional security

•  Certification – SOC 1, SOC 2, ISO 9001 and ISO 27001

No sensitive data on users’ devices

Improve Flexibility and Scale

•  Quickly add or remove WorkSpaces as your business requires

•  Expand to new regions without additional costs

•  Easily support temporary and remote workers

•  Choose from several desktop configuration options

•  Bring your own licenses and applications or purchase from AWS

Simple Management

Centrally manage WorkSpaces using the AWS Management Console or existing tools

•  Integrate your existing corporate network and directory

•  Auth and Policy: Active Directory, GPOs

•  Patching: WSUS, SCCM, 3rd-party

•  Distribution: SCCM, App Layering, App Virt

•  Profile Management: 3rd-party

•  Automation: PowerShell, .NET, and more

No servers to manage

Scale on demand

Amazon WorkSpaces removes the burden of management, and scales instantly

Available globally

Cloud Economics

Pay only for what you use

Reduce Costs

•  Pay-as-you-go means no infrastructure acquisition cost

•  Eliminate underutilization of desktop management infrastructure

•  Expensive PCs can often be replaced with cheaper thin clients or repurposed

•  CapEx can be switched to OpEx

•  Pay for what you use with Monthly and Hourly Options

Amazon WorkSpaces Use Cases

Call centers

Temporary workers

Dev/Test

Amazon WorkSpaces can help you realize benefits across many scenarios

Mergers and acquisitions

Securing data

Compliance requirements

Mobile workers

BYOD

Training and labs

Demos

Amazon WorkSpaces Capabilities

•  User Experience

§  Support for multiple devices including tablets, Windows, Mac, zero clients and Chrome devices

§  Local printing with Windows and Mac clients

§  High DPI device support

§  Audio input (Make Skype/WebEx calls from WorkSpaces)

•  Management

§  Custom images

§  WorkSpaces Application Manager (WAM)

§  API support (via AWS SDK, CLI)

•  Monitoring

§  Amazon CloudWatch and AWS CloudTrail integration

§  Network health checks and health check website

Amazon WorkSpaces Capabilities

•  Performance, Cost, and Flexibility Enhancements

§  Value Bundle

§  Upgrade Standard Bundle at no additional cost

§  Bring your own license (BYOL) for Microsoft Windows 7

•  Security and Compliance

§  Storage Volume Encryption

§  Multi-Factor Authentication

§  Certification – SOC 1, SOC 2, ISO 9001 and ISO 27001

WorkSpaces Monitoring

•  CloudWatch Alarms

•  CloudWatch Events/Rules

•  CloudWatch Logs to alert on specific events

•  Based on two dimensions: WorkSpaceID and DirectoryID

•  Units are Time and Count

•  Statistics Available: Average, Sum, Maximum, Minimum, Data Samples

CloudWatch Dashboards

Network Flow - Connecting From Public Internet

Network Flow - Connecting From On-Premises

Utilities Bundle includes Internet Explorer 11, Firefox, and 7-Zip

Bring Your Own License and Save $4

Amazon WorkSpaces & WAM Pricing

Add Trend Micro and Microsoft Office Pro for an additional $15/month

Deliver applications with Amazon WorkSpaces Application Manager for $5/month

Value ($25 USD)

•  1 vCPU, 2 GB memory

•  10 GB storage

•  Utilities software bundle

•  50 GB Amazon WorkDocs storage

Standard ($35 USD)

•  2 vCPU, 4 GB memory

•  50 GB storage

•  Utilities software bundle

•  50 GB Amazon WorkDocs storage

Performance ($60 USD)

•  2 vCPU, 7.5 GB memory

•  100 GB storage

•  Utilities software bundle

•  50 GB Amazon WorkDocs storage

Amazon WorkSpaces Regions

Amazon WorkSpaces Customers and Partners

•  Endemol Shine Nederland uses contract video crews in locations around the world to create their shows

•  Preparing for a project took two weeks as the team had to set up, secure, and ship hardware to a production site

•  Endemol Shine Nederland decided to provide contract video crews with Amazon WorkSpaces to run on their own devices

•  The switch saved Endemol Shine Nederland 70% in PC capex, 30% in PC operations, and reduced preparation time to two hours.

Leon Backbier IT Manager, Endemol Shine Nederland

Endemol Shine Nederland is a world leading creator, producer and distributor of multiplatform entertainment with a portfolio that includes Big Brother, MasterChef, Man vs. Food, The Biggest Loser, and Wipeout.

“With Amazon WorkSpaces, we are able to provide video crews with a secure cloud desktop they can run on their own devices while onsite. By using Amazon WorkSpaces, we have saved 70% on PC capital expenditure, and 30% on desktop operations, while reducing our preparation time from two weeks to two hours.”

Use Case | Contract Workers

Endemol Shine Nederland: Contract Workers

The Louisiana Department of Public Safety and Corrections manages nine state correctional facilities housing 19,000 prisoners.

Rehabilitation through education is now a reality thanks to ATLO and Amazon WorkSpaces.

•  State department of corrections wanted to improve inmate education and improve post-prison outcomes

•  Needed to replace on-premises learning solution

•  Using Amazon WorkSpaces allows LDoC to offer secure, cloud-based learning program

•  Enables better outcomes for inmates

•  Team can now launch new training labs in 90 minutes

ATLO Software is a software provider that partners with local and state organizations to offer virtual learning environments.

Dawson Andrews

IT Director, Louisiana Department of Corrections

Louisiana Department of Corrections: Secure Training

•  Provides fast, secure desktops with consistent performance that users will love

•  Simplifies desktop management

•  Scales globally within minutes

•  Plays well with existing tools

•  Provides flexibility and agility

•  Lowers complexity and cost

Summary

A secure, fully managed enterprise storage and sharing service with strong administrative controls and feedback capabilities that improve user productivity

Amazon WorkDocs Benefits

•  Easy access to documents from anywhere, across devices

•  Share and comment directly on documents – no more attachments

•  Request feedback with deadlines, and control document versions

•  Set sharing rules and manage document access centrally

•  Store files securely on the AWS cloud in the regions of your choice

•  Use your corporate directory and MFA to authenticate users

Access and Sync From Any Device

•  Web application

•  iOS Phone and tablet apps

•  Android Phone and tablet apps

•  Amazon Fire app

•  Windows & Mac OS desktop sync

Securing Data

•  Your data is encrypted in transit and at rest

•  Choose your AWS region and adhere to data sovereignty laws

•  Implement policies and roles for site access and sharing behavior

•  Store content securely in WorkDocs instead of sending via email

•  Authenticate using corporate directory and MFA

Amazon WorkDocs Pricing

•  Pay-as-you-go: $5 per user per month for 200 GB

•  Bundled *: $2 per WorkSpaces user per month for 200 GB

•  Free trial for 50 users for 30 days

•  Additional storage available at regular S3 prices

* Amazon WorkSpaces users receive access to Amazon WorkDocs for no additional charge. This includes 50 GB of storage per WorkSpaces user.

WorkDocs Availability

A secure, fully managed business email and calendaring service

Managed business email and calendar service

•  Eliminate up-front investments to license and provision on-premises email servers

•  WorkMail automatically handles patches, back-ups, and upgrades.

•  Integrates with your existing on-premises directory.

•  As needs grow, add more users with a few clicks in the AWS Console

Enterprise grade security

Encryption using customer managed keys

Regional data control

Secure mobile access

Protection from malware, spam, and viruses

Anywhere access

From your PC/Mac

From any browser

From your phone

Microsoft Outlook on Windows

•  Support for Outlook 2007, 2010, 2013, 2016

•  Native support (Outlook Anywhere)

•  No additional software/plugins needed

•  Autodiscover for easy setup

Mac OS X support

•  Support for Exchange Web Services (EWS) protocol

•  Support for Outlook 2011 and Mac Mail

•  Outlook 2016 in progress

Mobile device support

•  Native mobile support through Exchange ActiveSync protocol

•  Supported devices:

•  iPhone, iPad

•  Android

•  BlackBerry 10

•  Windows Phone

•  Fire

WorkMail Features

•  Global Address Book

•  Shared calendars

•  Resource booking

•  Advanced permissions and delegation

•  Server-side rules

•  Out-of-office rules

•  Interoperability with Microsoft Exchange (launching soon)

•  Encryption using customer managed keys

Mobile Device Management

•  Policy support for:

•  Password required

•  Password strength

•  Automatic screen lock

•  Device encryption

•  Remote wipe when device is lost or stolen

WebMail client features

•  Access to your email, contacts, and calendar

•  Shared calendars

•  Access to free/busy information

•  Amazon WorkDocs integration

•  Accessibility (support for screen readers & keyboard-only usage)

Pricing and availability

•  Pay-as-you-go

•  Cost-effective -- $4/user/month for 50GB mailbox

•  Bundled with WorkDocs -- $6/user/month

•  30-day free trial for up to 25 users

•  Currently available in US East (N. Virginia), US West (Oregon), and EU West (Ireland) regions

Amazon WorkMail Encryption

Amazon WorkMail Encryption – Pt 1

Amazon WorkMail Encryption – Pt 2

Key Hierarchy

Item encrypted with data key

Data key encrypted with public mailbox key

Mailbox private key encrypted with KMS key

•  Master key for your organization

•  Asymmetric key per mailbox

•  Each item in mailbox encrypted by symmetric key

Data decryption

Interoperability support with Microsoft Exchange

Integrate Amazon WorkMail with your existing email environment

•  Email routing between on-premises email system and WorkMail

•  Calendar free/busy lookups between on-premises email systems and WorkMail

•  Provide users with a unified global address book containing all users, groups, and resources

AD Connector architecture

Diagram: AD Connector proxy instances in two Availability Zones; LDAP & Kerberos requests are proxied to the on-premises AD in the corporate data center over a VPN connection.

Set up interoperability support

Add-AvailabilityAddressSpace -ForestName example.awsapps.com -AccessMethod OrgWideFB -Credentials <Credential>

•  Add all domains to WorkMail

•  Convert users on Microsoft Exchange to mail enabled users with external mail addresses that point to Amazon WorkMail

•  Set up free/busy service accounts in Microsoft Exchange and Amazon WorkMail

•  Specify EWS URL for on-premises environment in Amazon WorkMail

•  Set up Availability Address Space in Microsoft Exchange

Email routing in an integrated environment

On-premises environment / Amazon WorkMail

example.com; example.com; example.awsapps.com

Forward to: john@example.awsapps.com

Primary: john@example.com; Alias: john@example.awsapps.com

john@example.com; targetAddress: john@example.awsapps.com

To: john@example.com

Calendar free/busy interoperability

On-premises environment / Amazon WorkMail

example.com

john

1. Free/busy lookup for Mary

4. Free/busy lookup for Mary with WM service account

targetAddress: mary@example.awsapps.com

Primary: mary@example.com; Alias: mary@example.awsapps.com

Unified Global Address Book

•  Interoperability support will automatically sync all Microsoft Exchange users, groups, and resources to WorkMail

•  Object changes must be done using Exchange Management Console

•  Enabling users for WorkMail still done through AWS Management Console
