A Perfect Landing: Building a successful CCoE for SMS Digital

Building and managing AWS accounts on top of a solid CCoE platform enables operations, auditing and compliance workflows at SMS digital today.

SMS digital is a leading digital solution provider in the metals industry. As the digital unit of SMS group GmbH, the market-leading constructor of metallurgical plants and machinery, they create innovative solutions in the field of digitalization. Their digital applications lift plants and machines into the world of Industry 4.0.

The team consists of various experts who can be flexibly assembled, work agilely and develop user-centric software solutions together with the customer on site.

The project

SMS group is a global, leading partner in the metal industry. As a family-owned business headquartered in Germany, quality and innovation are in their DNA. For over 140 years, they have been committed to the success of their customers and have striven to add value along the entire value chain of the global metal industry.

SMS digital is the digital subsidiary of SMS group, taking up the challenges of digital transformation and Industry 4.0. Their innovative products for the industry are created in close collaboration with their customers from the very beginning. With state-of-the-art innovation methods, know-how of metallurgical processes and technological expertise, they ensure that their products are perfectly tailored to their customers’ needs.

The challenge

SMS digital manages software in various complex environments such as their own AWS accounts, customer-owned AWS accounts, as well as various on-premises data centers. In parallel, these environments are geographically distributed and subject to various local and industry regulations that require auditing and security controls.

This creates two distinct challenges for SMS digital: establishing an organizational perspective on the managed accounts, as well as providing the building blocks to support software development in these accounts. Effectively, the challenges ahead required the bootstrapping of an internal managed service provider, or Cloud Centre of Excellence (CCoE).

Our approach to CCoE building is built on a number of pillars:

  • Commit to fully automated infrastructure (e.g. CloudFormation), image (e.g. Docker) and host (e.g. SSM-driven Ansible) provisioning to enable pre-deployment auditing workflows
  • Deploy this automation using CI/CD pipelines to enable transparency and auditability of deployments
  • Allow members of your organization to access the underlying source code and make pull requests in order to contribute e.g. new features
  • Enable a multi-party code-review flow by the CCoE team in order to get new features into the pipeline

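The first pillar, pre-deployment auditing of fully automated infrastructure, is the point at which a CCoE pipeline can reject a change before anything reaches an account. The following is an added example of such a pre-deployment check, not code from SMS digital, AWS or the project described on this page: it parses a CloudFormation template (a constructed JSON sample is embedded inline) and reports security groups that expose non-web ports to the whole internet and S3 buckets declared without encryption. The resource types and property names are the real CloudFormation ones; the allowed-port policy, the sample resources and the function names are assumptions made for the example.

```python
"""Pre-deployment audit of a CloudFormation template.

Added example (not SMS digital's, AWS's or ADF's code). It assumes the
template is JSON; a constructed sample with one compliant security group,
one over-exposed security group and one unencrypted bucket is embedded below.
"""
import json

# Constructed sample template for the example; not from any real account.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "WebSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "web tier",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                     "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "AdminSg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"}
                ],
            },
        },
        "Logs": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-logs"},
        },
    },
})

# Policy assumption for this example: only HTTP/HTTPS may be world-reachable.
ALLOWED_PUBLIC_PORTS = {80, 443}
ANY_CIDR = ("0.0.0.0/0", "::/0")


def audit_security_group(name, props):
    """Return findings for ingress rules that open disallowed ports to the world."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ANY_CIDR:
            continue
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        # IpProtocol "-1" or a missing port range means every port is open.
        if rule.get("IpProtocol") == "-1" or lo is None or hi is None:
            findings.append(f"{name}: all ports open to {cidr}")
            continue
        exposed = set(range(int(lo), int(hi) + 1)) - ALLOWED_PUBLIC_PORTS
        if exposed:
            findings.append(f"{name}: port(s) {sorted(exposed)} open to {cidr}")
    return findings


def audit_bucket(name, props):
    """Return a finding if the bucket declares no server-side encryption."""
    if "BucketEncryption" not in props:
        return [f"{name}: S3 bucket without BucketEncryption"]
    return []


# Resource type -> check function; extend with further checks as policy grows.
CHECKS = {
    "AWS::EC2::SecurityGroup": audit_security_group,
    "AWS::S3::Bucket": audit_bucket,
}


def audit_template(template_text):
    """Parse a JSON CloudFormation template and return a list of findings."""
    template = json.loads(template_text)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check is not None:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    results = audit_template(SAMPLE_TEMPLATE)
    for finding in results:
        print("FAIL", finding)
    # A non-zero exit code is what makes the pipeline stage fail.
    raise SystemExit(1 if results else 0)
```

In a pipeline this runs as a stage before the deployment step; a non-empty findings list fails the stage, so the pull-request author sees the finding in the same place the CCoE reviewers do, and the merge approval step described above becomes a review of already-checked templates rather than the only line of defence.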
This approach solves one of the most critical issues with centralized stewardship over CCoE managed infrastructure, such as compliance controls or network accounts: through shared ownership, the speed and flexibility required by software development teams can be retained while keeping control and ownership firmly in the hands of the CCoE team.

The solution

Since the resulting CI/CD workflows can naturally be extended to software development in general, building a CCoE on top of CI/CD pipelines was an ideal match for SMS digital.

AWS Control Tower was picked as the governance product, offering automated ongoing policy management with AWS Config, policy-level summaries of environments and the bootstrapping of new organizational units and AWS accounts through the AWS Service Catalog.

Similar in scope to the previously released Landing Zone solutions from AWS, Control Tower was the first real product release to deal with multi-account governance. Since Control Tower does not enable customization workflows out of the box (yet), we introduced the AWS Deployment Framework (ADF), a serverless application from AWS Professional Services (ProServe), which enables multi-account, multi-region and multi-environment CI/CD workflows. These workflows target organizational customizations (such as backup configurations), which are open for contribution but need merge approval by the CCoE, as well as account- and/or region-specific delegated workload pipelines.

Additional effort was invested to keep deployed infrastructure protected against modification by using some of the protection mechanisms put in place by AWS Control Tower.

The upshot

Building and managing AWS accounts on top of a solid CCoE platform enables operations, auditing and compliance workflows at SMS digital today. The ability to quickly deploy compliant environments and workloads aligns with SMS digital’s vision to quickly iterate through the ideation, testing, MVP implementation and design thinking phases of software development efforts.

This workflow enables SMS digital to operate as a lean startup and supports creating additional value and digital products for the over 2,000 plants and over 10,000 employees at 95 locations around the world.