KPMG LLP is the U.S. firm of the KPMG global organization of independent professional services firms providing Advisory, Tax and Audit services. KPMG firms operate in 145 countries and territories serving some of the top Global 500 companies around the world. Within KPMG is the Digital Nexus Cloud Engineering team which supports moving on-prem workloads to the Azure cloud as quickly, seamlessly, and securely as possible. Faced with one of the most consistent requests involving the remediation of end-of-life issues for on-prem applications, the KPMG Digital Nexus Cloud Engineering team needed to act swiftly to deliver a secure pre-development landing zone that offered a smooth cloud migration path. By adopting the Cloud Adoption Framework Azure landing zones & Azure Security Benchmark (ASBv3) policy-as-code, KPMG was able to successfully develop a pre-development landing zone to empower app development teams to test/build their own cloud infrastructure all the while helping internal clients reduce their time to market, enable automated governance, maintain security posture, optimize costs, and fast track their workloads to production.
“This approach embodies our cloud journey by thoughtfully enabling development teams to access pre-configured patterns and components to develop workloads quickly in the cloud.”
Tom Hackemer, Chief Technology Officer, KPMG U.S.
A modernized lab environment built to empower App Developers
The Digital Nexus Cloud Engineering team aims to provide exceptional service by delivering high-quality, secure cloud platform solutions that enable internal clients to meet their business goals effectively. As part of this initiative, there was consistent demand to empower KPMG application developers to rapidly build their own cloud infrastructure while maintaining the firm’s security posture. Although our legacy lab environment offers great flexibility and speed for testing cloud services, there are trade-offs concerning secure tenant-level policies, flexible access controls, and data classification restrictions. The challenge grew further when the team needed to support training, proofs of concept, and application demos for internal clients that involved cloud services not yet vetted by KPMG security.
To mitigate this issue, a pre-development Azure landing zone was introduced with self-auditable security guardrails which allow developers elevated privileges to safely experiment with cloud services and build their applications in the cloud using KPMG proprietary data. This pre-dev landing zone functions as a modernized lab environment that still offers the flexibility of a Sandbox environment but with value-added features such as elevated developer privileges, self-auditable security guardrails, rapid infrastructure provisioning, and fast track promotion to production. In essence, this landing zone combines the best features of both a sandbox and development environment to offer a flexible but secure testing environment.
Caption: A true pre-dev lab environment that incorporates elements from both Sandbox and Dev environments to empower KPMG AppDev teams to build the cloud infrastructure they need to test their applications.
Secure prototyping unlocked
KPMG Cloud Engineering, Security & Risk teams collaborated to deliver the pre-dev landing zone using Microsoft tools & frameworks. To align with Cloud Adoption Framework (CAF) practices, the pre-dev landing zone adopted a DevSecOps model built on the Azure landing zone design principles and the Azure landing zone Terraform module. Additionally, Azure Security Benchmark (ASBv3) policy-as-code was enforced to help ensure that Azure governance and guardrails adhered to internal security requirements while still supporting the developer self-service model.
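The passage above names the two building blocks of the approach, the landing zone Terraform module and ASB policy-as-code, without showing what "enforced" looks like in practice. The following is an added illustration written for this page; it is not KPMG's or Microsoft's code and is not taken from the Azure landing zone Terraform module. It assigns the built-in Azure Security Benchmark initiative to a management group, and pairs it with a time-boxed policy exemption so that any relaxation of a guardrail for experimentation expires on its own and shows up in compliance reporting. The management group name `mg-predev-example`, the exemption's `policy_definition_reference_ids` value and the expiry date are placeholders, and the initiative's display name is assumed to match the built-in definition at the time of writing (it was later renamed "Microsoft cloud security benchmark"):

```terraform
# Added illustration (not KPMG's or Microsoft's code): enforce the Azure Security
# Benchmark initiative as policy-as-code at the pre-dev landing zone scope.
# Assumes the azurerm provider is authenticated with rights to assign policy
# at that management group.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Hypothetical management group for the pre-dev landing zone.
data "azurerm_management_group" "predev" {
  name = "mg-predev-example"
}

# Look the built-in initiative up by display name instead of hard-coding its
# GUID. Adjust the name if your tenant shows the renamed initiative.
data "azurerm_policy_set_definition" "asb" {
  display_name = "Azure Security Benchmark"
}

resource "azurerm_management_group_policy_assignment" "asb" {
  name                 = "asb-predev"
  display_name         = "Azure Security Benchmark (pre-dev landing zone)"
  management_group_id  = data.azurerm_management_group.predev.id
  policy_definition_id = data.azurerm_policy_set_definition.asb.id

  # true  = Default enforcement mode (deny/modify effects are applied)
  # false = DoNotEnforce (audit-only, useful for a first rollout to see impact)
  enforce = true

  # A managed identity is needed for initiative members that use
  # deployIfNotExists / modify effects; location is required alongside it.
  identity {
    type = "SystemAssigned"
  }
  location = "eastus"
}

# Self-auditing guardrail relaxation: exempt one specific control (not the whole
# initiative) while a team experiments, with a hard expiry so the waiver cannot
# silently become permanent. The reference id and date are placeholders.
resource "azurerm_management_group_policy_exemption" "temporary_waiver" {
  name                 = "asb-predev-temp-waiver"
  management_group_id  = data.azurerm_management_group.predev.id
  policy_assignment_id = azurerm_management_group_policy_assignment.asb.id
  exemption_category   = "Waiver"
  expires_on           = "2025-01-01T00:00:00Z"

  # Hypothetical reference id of the single initiative member being waived.
  policy_definition_reference_ids = ["example-policy-reference-id"]
}
```

Rolling the assignment out first with `enforce = false` gives an audit-only view of which existing resources would be blocked, which is the usual way to stage a benchmark onto an environment that developers are already using; flipping it to `true` afterwards turns the same definitions into hard guardrails without changing anything else in the configuration.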
Unprecedented speed to market
This newly introduced pre-dev landing zone has become a true game-changer, allowing KPMG app dev teams to spin up cloud workloads before a formal project is even initiated and thereby saving the team valuable resources and time. It enables automated governance through the developer self-service model, in which robust, easy-to-read, API-style documentation is made available to app developers so they can provision their own cloud infrastructure. To support rapid prototyping and an accelerated path to production, teams use the certified cloud component library, a reusable, security-hardened code repository for provisioning resources on the Azure platform.
One of the additional advantages of a pre-dev landing zone is the dedicated promotion process that is designed to move workloads to production faster. The Cloud Support Pod is responsible for assisting the KPMG app dev teams in planning their promotion path, validating the workload for production, and helping the team navigate the demand and project intake process.
Caption: The benefits provided by the pre-dev landing zone allow KPMG AppDev teams to spin up workloads before a formal project is even initiated, therefore saving the team valuable resources and time.
Enabling Data Scientists
As an additional value add, a dev-friendly landing zone has been built on top of the pre-dev framework to support experimentation on highly classified data, such as artificial intelligence (AI) and machine learning (ML) workloads. It introduces production-grade policy guardrails and requires the use of the Cloud Support Pod and the certified component library. This landing zone enables data scientists to fine-tune their AI & ML models with rapid prototyping, increased agility, and reduced time to market.
Caption: Dev-friendly landing zone supports the use of highly classified data for AI & ML workloads, enabling developers to create and fine-tune models.
Value-add to Clients
To mitigate the SQL 2012 “end of lifecycle” issues, KPMG app dev teams have adopted the pre-dev Azure landing zone to migrate to the cloud in just 8 days. The Cloud engineering team set up the baseline infrastructure for the application in less than 1 day. Soon after, web code was re-platformed and migrated to the cloud to leverage PaaS services like App Service and Azure SQL.
Leveraging the Azure landing zones along with the cloud infrastructure orchestration tool has proven to reduce time to market significantly, by 50-60%. KPMG business functions that have adopted these landing zones can attest to improvements in build time, developer enablement, cost optimization, maintenance of the KPMG security posture, and a smooth path to production.
Caption: Value-added benefits of pre-dev Azure landing zones
“To operate in today’s environment, our cloud platforms have to be delivered fast and securely. This new capability allows KPMG to meet both needs.”
Matt Posid, Chief Information Security Officer, KPMG U.S.