Customer Overview
A Retail company is a prominent player in the retail industry, known for its extensive portfolio of over 25 homegrown brands, including household names like Max, Splash, Baby shop, Centrepoint, Shoe Mart, Home Centre, Emax, Fitness First, and Fun City. These brands span across a wide range of sectors such as fashion, home goods, food, and leisure, significantly enriching the lives of families over the decades.
The group has also been at the forefront of digital transformation. Nearly a decade ago, the customer embarked on a strategic digital shift, embracing modern technologies to streamline operations and enhance customer experiences. This included the integration of retail applications, Oracle applications, ERP systems, and SAP Rise solutions, enabling them to offer an omnichannel retail experience that has made them one of the largest in the region. The customer's commitment to innovation and customer-centric growth has allowed them to remain a leading force in the competitive retail landscape.
Business Requirements
A Retail company encountered several key challenges in managing their AWS accounts, including:
- Lack of Centralized Control: Difficulty in managing complex multi-account structures, especially with separate AWS accounts for SAP RISE workloads and other business applications.
- Inconsistent Security Policies: Ensuring standardized and centralized governance and security controls across all accounts.
- Maintaining Compliance: Meeting regulatory requirements across multiple accounts.
One significant challenge was managing the complex multi-account structure, necessitating centralized governance and security controls, as well as a standardized approach to account provisioning and configuration.
Additionally, the company faced network connectivity complexities. They required secure and reliable connectivity between remote locations and AWS-hosted SAP applications while ensuring consistent network architecture and robust security controls. Managing complex routing and security policies across distributed locations added further difficulty.
The customer needed standardized security controls and compliance policies to be implemented across all accounts to ensure regulatory compliance and maintain a robust security posture.
Quadra at Work
Understanding the customer's business and technical challenges, Quadra, as a trusted AWS partner, implemented a solution for their AWS Control Tower setup that provides a robust foundation for managing AWS infrastructure.
This solution enhances security, operational efficiency, and scalability, addressing the group's key requirements while supporting their growing business needs.
- AWS Control Tower and Landing Zone were configured in a management account as the primary administrative account, complemented by dedicated log archive and audit accounts for centralized logging.
- Account Factory: Automated account provisioning was implemented, along with guardrails for security and compliance.
- IAM Identity Center: The solution also enabled centralized user access management using AWS IAM Identity Center with Microsoft Entra ID (Azure AD) integration, streamlining access controls across the environment.
- Centralized security architecture: A dedicated security account oversees network security controls. The solution incorporated a Fortinet firewall instance in this security account, with primary deployment in the Mumbai region and a disaster recovery (DR) setup in Hyderabad. This allowed for centralized inspection of all inbound and outbound traffic and the enforcement of standardized security policies across all accounts, ensuring consistent protection.
- Network connectivity: AWS Transit Gateway was deployed in the security account to facilitate a hub-spoke architecture. Transit Gateway sharing was enabled using AWS Resource Access Manager (RAM), linking all workload accounts, including the SAP RISE AWS accounts, through Transit Gateway attachments. Consistent routing policies were implemented to ensure efficient traffic inspection and secure communication across all connected accounts.
- Multi-account structure: We organized the retail company's accounts into logical Organizational Units (OUs) for better management. These included SAP workload accounts, security and shared services accounts, application workload accounts, and development and testing accounts, ensuring a clear segregation of responsibilities and workloads.
- Governance framework: Incorporated both preventive and detective guardrails, establishing compliance standards across all accounts. Automated compliance reporting was enabled, along with centralized audit logging and monitoring to maintain visibility and ensure regulatory adherence.
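The hub-spoke design above only delivers centralized inspection if every spoke route table sends traffic to the firewall attachment and nothing else. The following check is an added example, not Quadra's or the customer's configuration; it audits a simplified, constructed model of Transit Gateway route tables, and all attachment names and CIDRs are hypothetical.

```python
# Constructed sample data: a simplified model of Transit Gateway route tables.
# Attachment names and CIDRs are hypothetical, not taken from the case study.
INSPECTION = "tgw-attach-firewall-vpc"

ROUTE_TABLES = {
    "spoke-sap-rise": {
        "associations": ["tgw-attach-sap-rise"],
        "routes": [{"cidr": "0.0.0.0/0", "attachment": INSPECTION}],
    },
    "spoke-apps": {
        "associations": ["tgw-attach-apps"],
        "routes": [
            {"cidr": "0.0.0.0/0", "attachment": INSPECTION},
            # Direct spoke-to-spoke route: traffic skips the firewall.
            {"cidr": "10.20.0.0/16", "attachment": "tgw-attach-sap-rise"},
        ],
    },
    "spoke-dev": {
        "associations": ["tgw-attach-dev"],
        "routes": [{"cidr": "10.0.0.0/8", "attachment": INSPECTION}],
    },
    "inspection": {
        "associations": [INSPECTION],
        "routes": [
            {"cidr": "10.20.0.0/16", "attachment": "tgw-attach-sap-rise"},
            {"cidr": "10.30.0.0/16", "attachment": "tgw-attach-apps"},
        ],
    },
}


def audit_inspection_routing(route_tables, inspection_attachment):
    """Return (table, issue) findings for spoke tables that can bypass inspection."""
    findings = []
    for name, table in sorted(route_tables.items()):
        # The table associated with the firewall attachment carries return
        # routes to the spokes by design, so it is not audited as a spoke.
        if inspection_attachment in table["associations"]:
            continue
        targets = {r["cidr"]: r["attachment"] for r in table["routes"]}
        if targets.get("0.0.0.0/0") != inspection_attachment:
            findings.append((name, "no default route to inspection attachment"))
        for cidr, attachment in sorted(targets.items()):
            # An attachment of None models a blackhole route, which is safe.
            if attachment not in (inspection_attachment, None):
                findings.append((name, f"{cidr} bypasses inspection via {attachment}"))
    return findings
```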
Quantifiable Improvements
Using AWS Control Tower and Landing Zone, the customer benefited in the following ways:
- Automated account provisioning and centralized governance cut manual management tasks by 50%, allowing teams to focus on strategic initiatives.
- Automated compliance checks, standardized network connectivity, and streamlined account creation accelerated deployment times for new applications and services by 40%, speeding up time to market.
- The customer reduced network management overhead by 40%, significantly easing the IT team's burden.
- Optimizing routing led to a 25% reduction in network transit costs, enhancing overall cost efficiency.
- The implementation reduced security policy inconsistencies by 95%, strengthening the security posture across the infrastructure.