Daemon was tasked with building a secure Landing Zone for WHSmith, in preparation for the establishment of a Cloud Centre of Excellence (CCoE). Previously, WHSmith’s workloads were in AWS accounts owned and managed by third parties. This gave little control over their infrastructure and applications, and they initiated a programme to migrate these workloads to their own infrastructure platform. The new cloud platform would also be designed for hybrid workloads, those applications in the cloud that have dependencies on-premises, and vice-versa.

To become more self-reliant, WHSmith required assistance with upskilling engineers and solutions architects so that reliance on third parties could be reduced.

 

The Solution

Daemon leveraged AWS Control Tower with additional customisations to provide a secure landing zone for WHSmith. AWS Control Tower is a service that makes it easy to set up a new, secure multi-account environment in the AWS Management Console. It provides a landing zone, which is a new, secure, and compliant environment pre-configured with best practices for security and compliance.

Daemon has extensive experience in building secure landing zones for our customers. We utilised our expertise to implement the necessary security and compliance controls using AWS Control Tower, including multi-factor authentication, guardrails, and security tools, including AWS Security Hub, and AWS GuardDuty.

To implement the Landing Zone, Daemon’s design used the following AWS services:

• AWS Control Tower: to set up the multi-account environment, security and compliance controls, and landing zone.
• AWS Organizations: to create and manage the accounts within the Landing Zone.
• AWS Service Catalog: to provision products and services in a controlled manner.
• AWS SSO: to provide a centralised and managed single sign-on experience for WHSmith users.
• AWS Account Factory: to automate the creation of new accounts and the deployment of the landing zone in the new accounts.
• AWS Transit Gateway: to route all traffic between the accounts in the Landing Zone.

Daemon designed a micro-segmentation based scalable AWS account structure which improved security by containing an application’s “blast radius” within a single account. Additional account customisations were implemented using an Infrastructure-as-Code pipeline using Terraform, which streamlined the process of making infrastructure changes to multiple accounts.

Through several workshops with WHSmith’s technical stakeholders, we carried out technical handover by working through proposed changes, their architectural impact, and their benefits and opportunity costs.

 

The Outcome

Daemon's implementation of AWS Control Tower and the associated services has provided WHSmith with a secure and compliant landing zone that meets their business requirements. WHSmith can continue to move additional workloads in the future, knowing that the landing zone provides a secure and compliant foundation for their cloud journey.

Most importantly, our enablement workshops significantly boosted WH Smith’s cloud capabilities by educating their technical stakeholders in AWS cloud. WH Smith feels confident about undertaking a large-scale migration to AWS cloud.