The American Cancer Society expects more than 1.7 million new cancer cases this year, with 606,880 Americans — or 1,660 people per day — expected to die of cancer. Addressing this serious challenge is our biopharmaceutical customer whose key weapon in the battle is data. In fact, industry research finds that a single cancer patient can generate up to one terabyte of data. Yet, synthesizing this data and finding meaningful insights can be challenging. Thus, this premier biopharmaceutical organization reached out to the NTT DATA AWS consulting team to help it design a network and resource infrastructure for Tableau Server cluster deployment for true data intelligence.
Our customer chose Tableau for its data analysis needs as it is a powerful, secure, and flexible end-to-end analytics platform that effectively scales to meet its enterprise needs. Tableau Server empowers its employees to explore data with natural language questions (and without being limited to pre-defined questions, wizards, or chart types). Moreover, with its AI-based, advanced statistical models, it helps find insights that may have otherwise gone uncovered. Tableau Server users can create workbooks and views, dashboards, and data sources in Tableau Desktop, and then publish this content to the server.
With over 300 users, we were given the challenge to build Tableau Server for scale, integrate with back-end data as Tableau is used as the visualization tool, and create a CloudFormation template and repository. As the service will be exposed externally, we were also tasked with ensuring its security.
AWS infrastructure for enhanced scalability, availability
As an online solution for sharing, distributing, and collaborating on business intelligence content, the Tableau Server must scale to serve hundreds of employees. The Tableau Server structure, as a result, is a multi-node cluster deployment that installs Tableau Server on Microsoft Windows Server within AWS.
Specifically, we created the Tableau application as infrastructure as code and merged it to a source code management (SCM) system so that end users can deploy infrastructure repeatedly. The team created a Virtual Private Cloud (VPC) spread across two AWS Availability Zones (AZs), with public and private subnets: one for the Tableau Primary instance and one for two worker instances designed to support high availability. And, to ensure end users can consistently provision VPCs, we created a VPC template in the firm’s SCM.
We created a new AWS account for the initiative and, using separate VPCs, segregated it into Development, User Acceptance Testing and Production environments so that end users have isolated stages to test and promote new versions and configurations of the Tableau product. Using the Tableau Server on AWS Quick Start, our AWS consultants used AWS CloudFormation templates to create the network and Tableau infrastructure.
To meet a variety of system demands, we exposed EBS volume size as a parameter and deployed Amazon’s Application Load Balancer for system flexibility and performance. And, for enhanced security, requests to instances are directed through the Application Load Balancer using a Secure Sockets Layer (SSL) certificate.
AWS integrations for enhanced security
The AWS environment is integrated with the biopharmaceutical company’s on-premises identity provider so that end users can use their existing credentials to access AWS resources. Moreover, our AWS consultants matched the service gateway to the map provided by Tableau, thereby providing minimum access with maximum availability. Last, we worked closely with the customer team to ensure that end users have DNS and SSL set up correctly to easily and securely access Tableau from their web browsers.
We built security in through a couple of main initiatives: AWS Security Hub and AWS Config rules, and best-practice security controls, with CIS hardening among others.
AWS Security Hub and AWS Config
AWS Security Hub provides a comprehensive view of high-priority security alerts and compliance status across AWS accounts. With Security Hub, we sought to provide this pharma customer with a single place that aggregates, organizes, and prioritizes their security alerts from multiple AWS services. AWS Security Hub compliance checks use the configuration items recorded by AWS Config, Amazon’s service that continuously audits AWS resource configurations.
As a result, we started by setting up a repository with AWS CloudFormation templates to enable AWS Config in the AWS account. AWS Config rules were set up on all four of the firm’s accounts, giving them a recording of events for forensics and alerting.
CIS Hardening and other best-practice security
We set up the Tableau accounts hardened to CIS standards, thereby meeting AWS security best practices. The AWS consulting team also added the following:
- Instance recovery alarms on all bare instances, so that an instance with a hardware malfunction is recovered automatically.
- Specified instance IP addresses, which maintain a constant IP list for the legacy on-premises firewall systems.
- Routing of all outbound traffic through AWS Direct Connect (an AWS service that establishes a dedicated network connection from the client premises to AWS), so that existing on-premises security rules can be applied.
- Log shipping to an audit account, which provides both a central location for log analysis and log integrity in the event of an incident. Amazon CloudWatch Logs organizes these audit logs and provides a pre-defined log path, so the customer can model posting additional logs to CloudWatch Logs on this work. Last, we pre-defined error conditions for the customer, providing them with an alarm should an error in the uploaded logs meet these conditions. If so, they can take action.
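As an added illustration of the first and last items above (not the customer's or Flux7's actual templates), a CloudFormation fragment can express an instance recovery alarm and an alarm on an error condition in shipped logs. The parameter names, log group, metric namespace and the `ERROR` filter pattern are assumptions; the page does not state the real error conditions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example. EC2 auto-recovery alarm plus an alarm on errors in a log group.
Parameters:
  InstanceId:
    Type: AWS::EC2::Instance::Id
  AuditLogGroupName:
    Type: String
    Default: /example/tableau/server   # hypothetical name; the log group must already exist
  AlertTopicArn:
    Type: String                        # assumed: an existing SNS topic for notifications
Resources:
  RecoveryAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Recover the instance when the system status check fails
      Namespace: AWS/EC2
      MetricName: StatusCheckFailed_System   # underlying host or hardware failure
      Dimensions:
        - Name: InstanceId
          Value: !Ref InstanceId
      Statistic: Maximum
      Period: 60
      EvaluationPeriods: 2
      ComparisonOperator: GreaterThanThreshold
      Threshold: 0
      AlarmActions:
        - !Sub arn:${AWS::Partition}:automate:${AWS::Region}:ec2:recover
  ErrorMetricFilter:
    Type: AWS::Logs::MetricFilter
    Properties:
      LogGroupName: !Ref AuditLogGroupName
      FilterPattern: '"ERROR"'               # placeholder for a pre-defined error condition
      MetricTransformations:
        - MetricNamespace: Example/TableauLogs   # hypothetical custom namespace
          MetricName: ErrorCount
          MetricValue: "1"
  ErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: At least one matching error line in five minutes
      Namespace: Example/TableauLogs
      MetricName: ErrorCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      Threshold: 1
      TreatMissingData: notBreaching         # no log lines means no errors, not an alarm
      AlarmActions:
        - !Ref AlertTopicArn
```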
In addition to the security best practices put into place for this customer, we created a best practice Tableau backup solution as well.
Tableau Backup on AWS
For our state-of-the-art backup solution, we created an AWS CloudFormation template that deploys an AWS SSM Automation document, which in turn has commands to upload the Tableau backup and the Tableau logs backup to Amazon S3 and clean up the instance of those logs.
Curbing cancer takes research and deep data analytics. Coupled with a host of security features and controls, our customer now has a highly available, scalable Tableau application infrastructure developed as code. This platform provides them with business continuity that gives them a stark advantage in their fight to beat cancer.
*This was originally written by Flux7 Inc., which has become Flux7, an NTT DATA Services Company, as of December 30, 2019.
Post Date: 2019-12-20