Cloud Architecture Plan

Instructor’s Name: Molstad, Christopher

Student’s Name: Sri Giri

Date Submitted: April 29, 2024


TABLE OF CONTENTS

Abstract
Introduction
Statement of Need
    Designing Resilient Architecture
    Designing Secure Applications and Architectures
Assumptions
Proposed AWS Infrastructure
Technical Description
Cloud Security
Conclusion
References
ABSTRACT

This report outlines a strategy for modernizing the data infrastructure of Goldman Sachs (GS), a global financial institution, in collaboration with Amazon Web Services (AWS). The project aims to keep GS competitive in a dynamic financial landscape by using AWS services to design a resilient and secure architecture. The report discusses the challenges GS faces and proposes solutions through cloud adoption, focusing on resilient architecture and on secure applications and architectures. Assumptions regarding the strategic partnership, regulatory compliance, and security priorities are stated to provide context for the proposed plan.

The proposed AWS infrastructure, named the Goldman Sachs Cloud (GSC), is a cloud-native solution that integrates AWS services to deliver data management and analytics capabilities tailored to financial services organizations. Its key components are the cloud-native foundation, data management and analytics tools, integration with AWS Data Exchange, real-time data processing, security and compliance controls, and a collaborative ecosystem. The technical description covers the core AWS services used to build the GSC platform, namely Amazon EC2, S3, Redshift, EMR, Lambda, and Data Exchange, with attention to scalability, security, and performance.

The report also discusses cloud security under the AWS Shared Responsibility Model, emphasizing GS's responsibility for configurations, applications, security settings, and regulatory compliance. By understanding and meeting those responsibilities, GS can secure its cloud environment and maintain the trust of clients and regulators.

INTRODUCTION

Our project focuses on modernizing the data infrastructure of Goldman Sachs (GS), a global financial institution founded in 1869, so that it remains competitive in today's dynamic financial landscape. GS operates diversified business segments, including investment banking, securities, and investment management. Over more than 150 years it has built a record of growth, innovation, and market expertise, and with its experience in capital markets and technology development it is committed to delivering solutions that meet the evolving needs of its clients. GS aims to use cloud technologies to improve scalability, agility, and security in handling vast volumes of financial data. The strategic partnership with AWS reflects GS's commitment to innovation and to providing clients with best-in-class services and insights for navigating a complex financial landscape.

STATEMENT OF NEED

Despite its longstanding reputation and expertise in the financial industry, GS faces several challenges that can be addressed through cloud adoption, in particular by leveraging Amazon Web Services (AWS). GS aims to design a resilient architecture and to design secure applications and architectures, as described in the two subsections below.
DESIGNING RESILIENT ARCHITECTURE:

Resilient architecture ensures that even in the event of hardware failures, network outages, or other disruptions, essential financial services can continue without interruption (Malhotra, 2022). In the highly competitive and regulated financial industry, any downtime can result in significant financial losses and reputational damage. Jhawar and Piuri (2017) noted that resilient architecture enables GS to recover quickly from disasters or service disruptions, minimizing the impact on operations and customers. For GS, uninterrupted operation is critical to maintaining trust with clients and meeting regulatory requirements.

Figure 1 Cloud Computing Remains a Top Priority of Integration for Banking and Capital Management Service Providers (Source: Malhotra, 2022)

Implementation of Resilient Architecture on AWS:

Multi-AZ Deployments: GS distributes application workloads across multiple Availability Zones (AZs), which are physically separate data centers within a single AWS Region, each with independent power, cooling, and networking. If one AZ becomes unavailable because of a hardware failure or other issue, traffic is routed to healthy instances in another AZ. That rerouting does not happen on its own: it depends on a load balancer or Route 53 health checks in front of the instances and on the Auto Scaling group spanning at least two AZs. Multi-AZ protects against the loss of a zone; protecting against the loss of an entire Region requires a multi-Region design.

Auto Scaling: GS uses AWS Auto Scaling to adjust capacity dynamically and absorb sudden spikes in traffic without performance degradation or downtime. By adding or removing EC2 instances according to predefined scaling policies, Auto Scaling optimizes resource utilization and replaces instances that fail their health checks, maintaining consistent performance.

Data Replication and Backup: GS implements replication and backup on AWS using Amazon S3 for durable object storage and Amazon RDS for automated backups and Multi-AZ replication of relational databases. The two mechanisms address different failures and should not be confused: an RDS Multi-AZ standby replicates every write synchronously, so a corrupting write or an accidental table drop reaches the standby as well. Recovery from corruption or accidental deletion therefore relies on point-in-time restore from automated backups and snapshots, and on S3 versioning (with MFA Delete or Object Lock where required) for objects. With both in place, GS can restore data quickly and maintain business continuity.
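The three mechanisms above can be checked mechanically against an AWS inventory. The following script is an added example for this report, not code from the original document or from GS or AWS: it encodes the resilience properties just described (a Multi-AZ standby, non-zero backup retention and deletion protection on RDS, versioning and MFA Delete on S3, and a multi-AZ Auto Scaling group with redundancy and load-balancer health checks) as checks over dictionaries shaped like the boto3 responses to describe_db_instances, get_bucket_versioning and describe_auto_scaling_groups. The sample inventory is constructed and the resource names are placeholders; nothing here calls AWS.

```python
"""Resilience posture checks over AWS resource descriptions.

Added example for this report, not code from the original document or from
GS or AWS. The sample dictionaries are constructed to follow the shape of the
boto3 responses to describe_db_instances, get_bucket_versioning and
describe_auto_scaling_groups, so the same checks could be pointed at live
output; nothing here calls AWS. Resource names are placeholders.
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    resource: str
    check: str
    detail: str


def check_rds(db: dict[str, Any]) -> list[Finding]:
    """Multi-AZ covers the loss of a zone; only backups cover corruption or
    deletion, because the standby replicates the bad write synchronously."""
    name = db["DBInstanceIdentifier"]
    findings: list[Finding] = []
    if not db.get("MultiAZ", False):
        findings.append(Finding(name, "rds-multi-az", "no synchronous standby in a second AZ"))
    retention = db.get("BackupRetentionPeriod", 0)
    if retention < 1:
        findings.append(Finding(name, "rds-backup", "automated backups disabled (retention 0)"))
    elif retention < 7:
        findings.append(Finding(name, "rds-backup", f"retention {retention} days is below 7"))
    if not db.get("DeletionProtection", False):
        findings.append(Finding(name, "rds-deletion-protection", "instance can be deleted without a guard"))
    if not db.get("StorageEncrypted", False):
        findings.append(Finding(name, "rds-encrypted", "storage is not encrypted at rest"))
    return findings


def check_s3(bucket: str, versioning: dict[str, Any]) -> list[Finding]:
    """S3 already replicates objects across AZs; recovering an overwritten or
    deleted object needs versioning, with MFA Delete as an extra guard."""
    findings: list[Finding] = []
    if versioning.get("Status") != "Enabled":
        findings.append(Finding(bucket, "s3-versioning", "versioning not enabled"))
    if versioning.get("MFADelete") != "Enabled":
        findings.append(Finding(bucket, "s3-mfa-delete", "MFA Delete not enabled"))
    return findings


def check_asg(asg: dict[str, Any]) -> list[Finding]:
    """An Auto Scaling group survives an AZ outage only if it spans two or
    more AZs, keeps more than one instance, and replaces instances that the
    load balancer (not just the EC2 status check) reports unhealthy."""
    name = asg["AutoScalingGroupName"]
    findings: list[Finding] = []
    if len(asg.get("AvailabilityZones", [])) < 2:
        findings.append(Finding(name, "asg-multi-az", "group is confined to a single AZ"))
    if asg.get("MinSize", 0) < 2:
        findings.append(Finding(name, "asg-min-size", "MinSize below 2 leaves no redundancy"))
    if asg.get("HealthCheckType") != "ELB":
        findings.append(Finding(name, "asg-health-check", "EC2-only health check misses application failures"))
    return findings


def assess(rds: list[dict], s3: dict[str, dict], asgs: list[dict]) -> list[Finding]:
    """Run every check and return the combined findings."""
    findings: list[Finding] = []
    for db in rds:
        findings += check_rds(db)
    for bucket, versioning in s3.items():
        findings += check_s3(bucket, versioning)
    for asg in asgs:
        findings += check_asg(asg)
    return findings


# Constructed sample inventory: one compliant and one deficient resource of each kind.
SAMPLE_RDS = [
    {"DBInstanceIdentifier": "gsc-ledger", "MultiAZ": True, "BackupRetentionPeriod": 14,
     "DeletionProtection": True, "StorageEncrypted": True},
    {"DBInstanceIdentifier": "gsc-scratch", "MultiAZ": False, "BackupRetentionPeriod": 0,
     "DeletionProtection": False, "StorageEncrypted": True},
]
SAMPLE_S3 = {
    "gsc-market-data": {"Status": "Enabled", "MFADelete": "Enabled"},
    "gsc-tmp-exports": {},  # get_bucket_versioning returns no Status when never enabled
}
SAMPLE_ASG = [
    {"AutoScalingGroupName": "gsc-api", "AvailabilityZones": ["us-east-1a", "us-east-1b"],
     "MinSize": 2, "HealthCheckType": "ELB"},
    {"AutoScalingGroupName": "gsc-batch", "AvailabilityZones": ["us-east-1a"],
     "MinSize": 1, "HealthCheckType": "EC2"},
]

if __name__ == "__main__":
    for f in assess(SAMPLE_RDS, SAMPLE_S3, SAMPLE_ASG):
        print(f"{f.resource:16} {f.check:24} {f.detail}")
```

Run against the constructed inventory, the compliant resources produce no findings and the deficient ones produce eight, the most important of which is the "rds-backup" finding on the single-AZ instance: without backup retention, neither a standby nor S3 durability would bring back a deleted table.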

Continuous Improvement and Testing:

GS conducts regular testing of its resilient architecture to validate its effectiveness and identify potential weaknesses. This includes failover tests, simulated disaster scenarios, and chaos engineering experiments that proactively surface and address weaknesses before a real outage does. A failover that has never been exercised should be assumed not to work.

Resilient architecture also helps GS meet regulatory requirements and industry standards for business continuity and disaster recovery, allowing it to demonstrate compliance with regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS, where cardholder data is handled), and the General Data Protection Regulation (GDPR).

DESIGNING SECURE APPLICATIONS AND ARCHITECTURES:

Security is paramount for GS because of the sensitivity of financial data and the regulatory requirements of the industry. GS implements security best practices on AWS: encryption at rest with keys managed in AWS Key Management Service (KMS) or, where dedicated single-tenant hardware is required, AWS CloudHSM; encryption in transit with TLS; AWS Identity and Access Management (IAM) for fine-grained access control; and AWS Security Hub for centralized security management and compliance monitoring.

GS encrypts sensitive data stored in AWS using KMS, which lets them create and manage encryption keys so that data remains protected even if the underlying storage media are compromised (AWS KMS, 2022). Customer managed keys allow GS to control the key policy, enable automatic rotation, and record every use of a key in AWS CloudTrail; data encrypted under a key is only as well protected as the policy that decides who may call Decrypt with it.

When data moves between GS systems and AWS services, GS uses TLS (the successor to SSL, which is deprecated and should not be enabled) to safeguard data in transit against interception or tampering (AWS Whitepaper, 2023). For S3 this is enforced rather than assumed, by a bucket policy that denies any request for which the aws:SecureTransport condition key is false.

IAM is used by GS to manage access to AWS resources securely. The AWS IAM (2022) documentation notes that IAM enables them to create and manage users and groups, assign granular permissions, and control access to resources according to the principle of least privilege. This ensures that only authorized identities can access sensitive data or perform specific actions in the AWS environment. In practice this means favouring IAM roles with temporary credentials over long-lived access keys, requiring MFA for human users, and avoiding wildcard actions and resources in policies.

GS employs AWS Security Hub, a security and compliance service, to centrally manage and monitor its security posture in the AWS cloud. Security Hub aggregates and prioritizes security findings from AWS services, third-party tools, and custom checks, providing a unified view of security status and of compliance with industry standards and regulations. This helps GS identify and remediate security weaknesses or compliance violations promptly.
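Least privilege and "encryption in transit" are only as real as the policy documents that implement them, so both can be checked by reading the policies. The script below is an added example for this report, not code from the original document or from GS or AWS. It lints IAM policy statements for the violations named above (wildcard actions or resources, open-ended NotAction/NotResource grants, and escalation-prone actions such as iam:PassRole on every resource) and verifies that an S3 bucket policy contains a Deny statement keyed on aws:SecureTransport that actually covers both the bucket and its objects. The policy documents are constructed and the bucket name is a placeholder.

```python
"""Least-privilege and TLS-enforcement checks for AWS policy documents.

Added example for this report, not code from the original document or from
GS or AWS. The policy documents are constructed; the bucket name is a
placeholder. The checks work on ordinary parsed policy JSON, so they can be
run against the output of iam:GetPolicyVersion or s3:GetBucketPolicy.
"""
from typing import Any

# Actions that become privilege-escalation paths when granted on Resource "*".
SENSITIVE_ACTIONS = {"iam:PassRole", "iam:CreatePolicyVersion", "iam:AttachUserPolicy",
                     "iam:AttachRolePolicy", "iam:PutUserPolicy", "sts:AssumeRole"}


def _as_list(value: Any) -> list:
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy: dict[str, Any]) -> list[dict[str, Any]]:
    return _as_list(policy.get("Statement"))


def overly_permissive(policy: dict[str, Any]) -> list[str]:
    """Return one message per least-privilege violation found in Allow statements."""
    issues: list[str] = []
    for i, st in enumerate(_statements(policy)):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{i}]")
        if "NotAction" in st or "NotResource" in st:
            issues.append(f"{sid}: NotAction/NotResource in an Allow is an open-ended grant")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        for act in actions:
            if act == "*" or act.endswith(":*"):
                issues.append(f"{sid}: wildcard action {act}")
        if "*" in resources:
            issues.append(f"{sid}: wildcard resource")
            for act in actions:
                if act in SENSITIVE_ACTIONS:
                    issues.append(f"{sid}: {act} on all resources enables privilege escalation")
    return issues


def enforces_tls(bucket_policy: dict[str, Any], bucket: str) -> bool:
    """True if some Deny statement rejects every non-TLS request to the bucket
    and its objects: Bool aws:SecureTransport false, over s3:*, on both ARNs."""
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in _statements(bucket_policy):
        if st.get("Effect") != "Deny":
            continue
        cond = st.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() != "false":
            continue
        if not any(a in ("s3:*", "*") for a in _as_list(st.get("Action"))):
            continue
        if wanted <= set(_as_list(st.get("Resource"))):
            return True
    return False


# Constructed identity policies: OVERBROAD_POLICY is what a hurried "give the
# analysts access" ticket produces; LEAST_PRIVILEGE_POLICY is the intended form.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AnalystsFullS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadResearchPrefix", "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::gsc-market-data", "arn:aws:s3:::gsc-market-data/research/*"],
    }],
}
# Constructed bucket policy that turns "we use TLS" into a rule S3 itself enforces.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::gsc-market-data", "arn:aws:s3:::gsc-market-data/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

if __name__ == "__main__":
    for name, pol in (("overbroad", OVERBROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, overly_permissive(pol) or ["no issues"])
    print("TLS enforced on gsc-market-data:", enforces_tls(BUCKET_POLICY, "gsc-market-data"))
```

The TLS check deliberately requires both the bucket ARN and the object ARN: a Deny that lists only arn:aws:s3:::bucket/* still lets a plaintext ListBucket call through, which is the kind of gap a reviewer reading the policy by eye tends to miss.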

ASSUMPTIONS

1. Strategic Partnership with AWS: GS is assumed to have a strategic partnership with Amazon Web Services (AWS) for cloud services.

2. Regulatory Compliance Standards: Given the highly regulated nature of the financial industry, compliance with regulations such as GDPR, PCI DSS, and others is crucial for ensuring data security and privacy.

3. Data Privacy and Security Priority: Data privacy and security are paramount considerations in all aspects of the architecture design.

4. High Availability and Fault Tolerance: The proposed infrastructure is designed for high availability and fault tolerance to ensure uninterrupted operations.

5. Cloud-Native Solutions: The proposed architecture leverages cloud-native AWS services such as Amazon S3 for scalable storage and AWS Lambda for serverless computing, which are optimized for cloud environments.


PROPOSED AWS INFRASTRUCTURE

The proposed architecture for the GS cloud (GSC) involves a collaboration between GS and Amazon Web Services (AWS) to create a cloud-native data management and analytics solution for financial services organizations.

Figure 2 Proposed AWS Architecture Plan (source: author’s own)

The following are the key components and features of this architecture:

1. Cloud-Native Solution: The architecture is designed to be cloud-native, leveraging the scalability, agility, and reliability of AWS's public cloud infrastructure as recommended by Razumnikov and Prankevich (2016). Using Amazon EC2, Amazon S3, and AWS Lambda, GS aims to deliver a flexible and scalable solution that meets the dynamic needs of financial institutions.

2. Data Management and Analytics: The architecture integrates GS's front-office analytics tools, such as PlotTool Pro and GS Quant, with AWS services like Amazon Redshift and Amazon EMR to provide data management and analytics capabilities tailored for hedge funds, asset managers, and institutional clients.

3. AWS Data Exchange Integration: AWS Data Exchange simplifies the discovery, subscription, and use of third-party data in the cloud. As the AWS Data Exchange documentation (AWS marketplace, 2022) explains, this integration allows clients to access selected third-party data products through the GSC platform, increasing the breadth and depth of datasets available for analysis.

4. Real-Time Data Processing: Following Naseer (2023), the architecture supports real-time data processing and integration, and is capable of handling tick-level financial data across hundreds of assets.

5. Collaborative Ecosystem: The architecture fosters collaboration within the financial services ecosystem, allowing clients to draw on the combined expertise of GS, AWS, and other industry partners. Chakravarty (2022) notes that partnerships with organizations such as Wellington Management, Millennium, and MSCI give clients access to additional insights, solutions, and capabilities that enhance investment outcomes and portfolio analytics.

The proposed architecture for the GSC (the GS Financial Cloud for Data) thus represents a collaborative effort between GS and AWS to deliver a cloud-native, scalable, and secure data management and analytics solution for financial services organizations.

TECHNICAL DESCRIPTION

Amazon EC2 (Elastic Compute Cloud): EC2 provides scalable compute capacity in the cloud, allowing GS to deploy and manage virtual servers that run applications and workloads. Dancheva et al. (2023) concluded that this service is well suited to processing financial data, running analytics algorithms, and supporting the infrastructure requirements of the GSC platform.

Amazon S3 (Simple Storage Service): S3 offers scalable object storage for storing and retrieving large volumes of data securely (Bucur et al., 2018). The durability, availability, and scalability of S3 provide reliable data storage for the GSC platform.

Amazon Redshift: Redshift is a fully managed data warehouse service that allows GS to analyze large datasets using SQL queries. Amazon AWS (2023) describes its fast query performance and scalability for analytics workloads, which enable efficient data processing and insight generation for financial decision-making.

Amazon EMR (Elastic MapReduce): EMR is a managed big data platform that simplifies the processing of large-scale data using open-source frameworks such as Apache Hadoop and Apache Spark (Amazon, 2022). GS can use EMR to perform data processing, transformation, and analysis on massive datasets.

AWS Lambda: Lambda is a serverless compute service that GS can use to execute custom business logic, perform data processing tasks, and automate workflows within the GSC platform, improving operational efficiency and agility.

AWS Data Exchange: Data Exchange facilitates the discovery, access, and consumption of third-party data products in the cloud. GS can use Data Exchange to source additional financial datasets, market insights, and industry-specific data feeds, enriching the analytics capabilities of the GSC platform and providing more comprehensive insights to clients.

With these services, GS can accelerate innovation, enhance data-driven decision-making, and drive value for its institutional clients in a rapidly evolving financial industry.

CLOUD SECURITY

The AWS Shared Responsibility Model outlines the division of security responsibilities between AWS and the customer, as described by AWS (2022).


Figure 3 AWS Recommended Shared Responsibility Model (Source: AWS (2022))

1. Security in the Cloud (Customer Responsibility):

• The customer is responsible for managing the guest operating system, including updates and security patches, of the instances they deploy, such as Amazon EC2 (Singh & Sharma, 2021).

• The customer is also responsible for any application software or utilities installed on those instances (Singh & Sharma, 2021).

• Configuration of the AWS-provided firewall (security group) on each instance is the customer's responsibility (Singh & Sharma, 2021).

• For abstracted services such as Amazon S3 and Amazon DynamoDB, customers manage their data, including encryption options, asset classification, and the permissions applied through IAM (Singh & Sharma, 2021).

2. IT Controls (Shared Responsibility):

• The management, operation, and verification of IT controls are shared between AWS and the customer.

• Customers may shift management of certain IT controls to AWS, especially those associated with the physical infrastructure.

• Customers use AWS control and compliance documentation for their own evaluation and verification procedures as required.

3. Examples of Customer Responsibilities:

• Patch Management: Customers are responsible for patching their guest OS and applications, while AWS patches and fixes flaws within the underlying infrastructure (AWS, 2022).

• Configuration Management: Customers configure their guest operating systems, databases, and applications, while AWS maintains the configuration of its infrastructure devices (Penwell, 2023).

• Awareness & Training: Customers are responsible for training their employees, while AWS trains its own employees.


Within the AWS Shared Responsibility Model, GS bears significant responsibility for the configurations, applications, and security settings of its cloud resources.

Configurations and Applications Management:

GS must ensure that all configurations within its AWS environment align with its security policies and best practices. Penwell (2023) explains that this includes properly configuring access controls, network settings, and encryption. GS is responsible for the applications deployed on AWS, keeping them current with security patches and following secure coding practices.

Security Settings:

GS must configure and maintain security settings for its cloud resources, including IAM policies, security groups, and network ACLs, to protect against unauthorized access and data breaches (AWS docs, 2022). Security groups are stateful and attach to instances or network interfaces, whereas network ACLs are stateless and apply at the subnet level; both must be reviewed, since an inbound rule open to 0.0.0.0/0 on an administrative port such as 22 or 3389 is among the most common cloud misconfigurations. GS is also responsible for encrypting data at rest and in transit to safeguard sensitive information.

Compliance with Regulations:

GS must ensure that its AWS environment complies with relevant regulations and industry standards, such as PCI DSS, GDPR, and SOX, and must implement the controls and practices needed to protect customer data and maintain privacy and confidentiality.

Continuous Monitoring and Compliance:

GS should implement robust monitoring and logging to detect and respond to security incidents promptly. On AWS this begins with AWS CloudTrail enabled in every Region, delivered to a protected S3 bucket with log file validation turned on, and reviewed for high-risk events such as root account activity, console logins without MFA, security group changes, and attempts to stop or alter the trail itself. GS is also responsible for regular audits and assessments against internal policies and regulatory requirements.
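The high-risk events listed above can be expressed as detection rules over CloudTrail records. The following script is an added example for this report, not code from the original document or from GS or AWS, and covers both the Security Settings point about security groups and the monitoring duty: each rule takes one parsed CloudTrail event and returns an alert message or None, and run_rules applies them to a batch. The sample events are constructed to follow the CloudTrail record schema (eventName, eventSource, userIdentity, requestParameters and so on) but are trimmed to the fields the rules read; account IDs, ARNs and group IDs are placeholders.

```python
"""Detection rules over CloudTrail events.

Added example for this report, not code from the original document or from
GS or AWS. The events are constructed to follow the CloudTrail record schema;
account IDs, ARNs and security group IDs are placeholders.
"""
import json
from typing import Any, Callable, Optional

Event = dict[str, Any]
ADMIN_PORTS = {22, 3389}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def rule_root_usage(ev: Event) -> Optional[str]:
    """Root should be locked away; any direct use (not AWS acting on its behalf) is an alert."""
    if ev.get("userIdentity", {}).get("type") == "Root" and ev.get("eventType") != "AwsServiceEvent":
        return "root account credentials used"
    return None


def rule_console_login_without_mfa(ev: Event) -> Optional[str]:
    """Successful console login where CloudTrail records MFAUsed other than Yes."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    success = ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
    mfa = ev.get("additionalEventData", {}).get("MFAUsed")
    return "console login without MFA" if success and mfa != "Yes" else None


def rule_sg_open_to_world(ev: Event) -> Optional[str]:
    """Ingress from 0.0.0.0/0 or ::/0 that reaches an admin port, or opens all traffic."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return None
    params = ev.get("requestParameters", {})
    for perm in params.get("ipPermissions", {}).get("items", []):
        cidrs = {r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])}
        cidrs |= {r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])}
        if not cidrs & WORLD_CIDRS:
            continue
        if perm.get("ipProtocol") == "-1":  # CloudTrail encodes "all protocols" as "-1"
            return f"all traffic opened to the world on {params.get('groupId')}"
        lo, hi = perm.get("fromPort", 0), perm.get("toPort", 65535)
        hit = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if hit:
            return f"admin port(s) {hit} opened to the world on {params.get('groupId')}"
    return None


def rule_trail_tampering(ev: Event) -> Optional[str]:
    """API calls that stop or narrow CloudTrail itself."""
    if ev.get("eventSource") == "cloudtrail.amazonaws.com" and ev.get("eventName") in TRAIL_TAMPERING:
        return f"CloudTrail {ev['eventName']}: logging may have been degraded"
    return None


RULES: list[Callable[[Event], Optional[str]]] = [
    rule_root_usage, rule_console_login_without_mfa, rule_sg_open_to_world, rule_trail_tampering,
]


def run_rules(events: list[Event]) -> list[dict[str, str]]:
    """Apply every rule to every event; one alert per (event, rule) hit, in input order."""
    alerts = []
    for ev in events:
        identity = ev.get("userIdentity", {})
        principal = identity.get("arn") or identity.get("type", "unknown")
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append({"rule": rule.__name__, "eventName": ev.get("eventName", ""),
                               "principal": principal, "detail": msg})
    return alerts


# Constructed CloudTrail records, one JSON object per line, trimmed to the fields the rules read.
SAMPLE_LOG = r'''
{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","eventType":"AwsConsoleSignIn","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventName":"ConsoleLogin","eventSource":"signin.amazonaws.com","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/analyst1"},"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com","eventType":"AwsApiCall","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Ops/dev1"},"requestParameters":{"groupId":"sg-0abc123","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}}}
{"eventName":"AuthorizeSecurityGroupIngress","eventSource":"ec2.amazonaws.com","eventType":"AwsApiCall","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Ops/dev1"},"requestParameters":{"groupId":"sg-0def456","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":443,"toPort":443,"ipRanges":{"items":[{"cidrIp":"10.0.0.0/8"}]}}]}}}
{"eventName":"StopLogging","eventSource":"cloudtrail.amazonaws.com","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/analyst1"},"requestParameters":{"name":"gsc-org-trail"}}
{"eventName":"GetObject","eventSource":"s3.amazonaws.com","eventType":"AwsApiCall","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Research/job"},"requestParameters":{"bucketName":"gsc-market-data","key":"research/2024/ticks.parquet"}}
'''
SAMPLE_EVENTS: list[Event] = [json.loads(line) for line in SAMPLE_LOG.strip().splitlines()]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"{a['rule']:32} {a['eventName']:30} {a['principal']}\n    {a['detail']}")
```

Of the six constructed records, four raise alerts (the root login even though MFA was used, the analyst's login without MFA, port 22 opened to 0.0.0.0/0, and the StopLogging call), while the internal 443 rule and the routine GetObject stay quiet. In a real deployment the same functions would consume events delivered by CloudTrail to S3 or EventBridge rather than an inline string.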

CONCLUSION

The project to modernize GS's data infrastructure through a strategic partnership with Amazon Web Services (AWS) is a significant step towards maintaining competitiveness in an ever-evolving financial landscape. GS aims to enhance scalability, agility, and security in managing vast volumes of financial data while enabling advanced analytics tailored to institutional clients. Going forward, GS must continue to prioritize security, compliance, and innovation in its cloud initiatives, and the following recommendations are offered as best practices for the future:

1. Continuous Improvement: GS should regularly assess and enhance its cloud infrastructure to adapt to emerging technologies, industry trends, and regulatory requirements, as recommended by Narayan (2022).

2. Investment in Talent and Training: GS should invest in continuous staff training so that staff are well versed in cloud best practices, security controls, and emerging technologies; this will allow GS to maximize the value derived from its cloud investments.

3. Partnership Expansion: GS should explore opportunities to expand partnerships beyond AWS in order to draw on additional expertise, resources, and solutions, serve clients better, and stay ahead of the competition.

4. Enhanced Security Measures: GS should continually evaluate and strengthen security measures within its AWS environment. Narayan (2022) recommends that implementing advanced threat detection, encryption technologies, and robust access controls can mitigate security risks and safeguard sensitive financial data.

5. Customer-Centric Approach: GS should maintain a customer-centric approach in developing and evolving the GSC platform. Soliciting feedback from clients, understanding their evolving needs, and tailoring solutions to specific pain points will enhance client satisfaction and drive long-term success.

By embracing these recommendations and remaining committed to innovation, collaboration, and excellence, GS can continue to lead in modernizing data infrastructure and delivering cutting-edge solutions in the financial services industry. The journey towards digital transformation is ongoing, and with a strategic focus on cloud technologies GS is well positioned to navigate the complexities of today's financial landscape and drive sustainable growth.

REFERENCES
Amazon AWS. (2023). Cloud data warehouse - Amazon Redshift - AWS. https://aws.amazon.com/redshift/

Amazon. (2022). Overview of Amazon EMR architecture. Amazon EMR Management Guide. https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-overview-arch.html

AWS docs. (2022). Security best practices for Amazon S3. Amazon Simple Storage Service User Guide. https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html

AWS IAM. (2022). Security best practices in IAM. AWS Identity and Access Management User Guide. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

AWS KMS. (2022). Security of AWS Key Management Service. AWS Key Management Service Developer Guide. https://docs.aws.amazon.com/kms/latest/developerguide/kms-security.html

AWS marketplace. (2022). What is AWS Data Exchange? AWS Data Exchange User Guide. https://docs.aws.amazon.com/data-exchange/latest/userguide/what-is.html

AWS. (2022). Shared responsibility model. Amazon Web Services. https://aws.amazon.com/compliance/shared-responsibility-model/

AWS Whitepaper. (2023). Encrypting data-at-rest and data-in-transit. Logical separation on AWS. https://docs.aws.amazon.com/whitepapers/latest/logical-separation/encrypting-data-at-rest-and--in-transit.html

Bucur, V., Dehelean, C., & Miclea, L. (2018). Object storage in the cloud and multi-cloud: State of the art and the research challenges. 2018 IEEE International Conference on Automation, Quality and Testing, Robotics (AQTR). https://doi.org/10.1109/aqtr.2018.8402762

Chakravarty, A. (2022). AWS Well-Architected for financial services. AWS Architecture Blog. https://aws.amazon.com/blogs/architecture/aws-well-architected-for-financial-services/

Dancheva, T., Alonso, U., & Barton, M. (2023). Cloud benchmarking and performance analysis of an HPC application in Amazon EC2. Cluster Computing, 27(2), 2273–2290. https://doi.org/10.1007/s10586-023-04060-4

Jhawar, R., & Piuri, V. (2017). Fault tolerance and resilience in cloud computing environments. Computer and Information Security Handbook, 165–181. https://doi.org/10.1016/b978-0-12-803843-7.00009-0

Malhotra, Y. (2022). How you can implement well-architected 'zero trust' hybrid-cloud computing beyond 'lift and shift': Cloud-enabled digital innovation at scale with infrastructure as code (IaC), DevSecOps and MLOps. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.4131044

Narayan, D. (2022). Platform capitalism and cloud infrastructure: Theorizing a hyper-scalable computing regime. Environment and Planning A: Economy and Space, 54(5), 911–929. https://doi.org/10.1177/0308518x221094028

Naseer, I. (2023). AWS cloud computing solutions: Optimizing implementation for businesses. Statistics, Computing and Interdisciplinary Research, 5(2), 121–132. https://doi.org/10.52700/scir.v5i2.138

Penwell, T. (2023). Who is responsible again? Beginning AWS Security, 33–60. https://doi.org/10.1007/978-1-4842-9681-3_2

Razumnikov, S., & Prankevich, D. (2016). Integrated model to assess cloud deployment effectiveness when developing an IT-strategy. IOP Conference Series: Materials Science and Engineering, 127, 012018. https://doi.org/10.1088/1757-899x/127/1/012018

Singh, U. K., & Sharma, A. (2021). Cloud computing security framework based on shared responsibility models. Cyber-Physical, IoT, and Autonomous Systems in Industry 4.0, 39–55. https://doi.org/10.1201/9781003146711-3
