Category: Zocalo


Amazon WorkMail – Managed Email and Calendaring in the AWS Cloud

by Jeff Barr | in Amazon WorkDocs, Amazon WorkMail, AWS Directory Service, AWS IAM, Key Management Service, Zocalo

Have you ever had to set up, run, and scale an email server? While it has been a long time since I have done this on my own, I do know that it is a lot of work! Users expect to be able to access their email from the application, device, or browser of their choice. They want to be able to send and receive large files (multi-megabyte video attachments and presentations often find their way into my inbox). Email administrators and CSOs are looking for robust security measures.

Paradoxically, email is both mission-critical and pedestrian. Everyone needs it to work, but hardly anyone truly understands what it takes to make this happen!

Introducing Amazon WorkMail
Today I would like to introduce Amazon WorkMail. This managed email and calendaring solution runs in the Cloud. It offers a unique set of security controls and works with your existing desktop and mobile clients (there’s also a browser-based interface). If your organization already has a directory of its own, Amazon WorkMail can make use of it via the recently introduced AWS Directory Service. If not, Amazon WorkMail will use Directory Service to create a directory for you as part of the setup process.

Amazon WorkMail was designed to work with your existing PC and Mac-based Outlook clients including the prepackaged Click-to-Run versions. It also works with mobile clients that speak the Exchange ActiveSync protocol.

Our 30-day free trial will give you the time and the resources to evaluate Amazon WorkMail in your own environment. As part of the trial, you can serve up to 25 users, with 50 gigabytes of email storage per employee. In order to help you to move your organization to Amazon WorkMail, we also provide you with a mailbox migration tool.

Amazon WorkMail makes use of a number of AWS services including Amazon WorkDocs (formerly known as Amazon Zocalo), the Directory Service, AWS Identity and Access Management (IAM), AWS Key Management Service (KMS), and Amazon Simple Email Service (SES).

Amazon WorkMail Features
You can set up Amazon WorkMail for a new organization in a matter of minutes. As I mentioned earlier, you can use your existing directory or you can have Amazon WorkMail set one up for you. You can send and receive email through your existing domain name by adding a TXT record (for verification of ownership) and an MX record (to route incoming mail to Amazon WorkMail) to your existing DNS configuration.
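Before you change the MX record for a production domain it is worth checking the zone as it will actually be served. Here is an added example (not code from this post or from Amazon) that parses a constructed zone fragment and verifies the records a cutover depends on: the ownership TXT record, the MX record, and the DKIM CNAMEs. The record names (`_amazonses.<domain>` TXT, `<selector>._domainkey.<domain>` CNAME to `<selector>.dkim.amazonses.com`), the inbound SMTP host, the selectors, and the token are assumptions for illustration; use the values the console gives you for your own domain.

```python
"""Pre-cutover check of the DNS records a WorkMail/SES domain needs.

Added example, not code from the original post. It parses a few
BIND-style zone lines (constructed sample) and verifies that the
ownership TXT record, the MX record and the DKIM CNAMEs are what
the console asked for. Record names, hosts and the token are
assumptions for illustration.
"""
import re

# Constructed zone fragment; tokens and hostnames are illustrative.
ZONE = """
example.com.                      3600 IN MX    10 inbound-smtp.us-east-1.amazonaws.com.
example.com.                      3600 IN MX    50 mail.legacy-host.example.
_amazonses.example.com.           3600 IN TXT   "abc123verificationtoken"
sel1._domainkey.example.com.      3600 IN CNAME sel1.dkim.amazonses.com.
sel2._domainkey.example.com.      3600 IN CNAME sel2.dkim.amazonses.com.
"""

RR = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+(MX|TXT|CNAME)\s+(.*)$')


def parse_zone(text):
    """Return (name, type, rdata) tuples; names lower-cased, fully qualified."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';'):
            continue
        m = RR.match(line)
        if not m:
            raise ValueError(f'unparsed zone line: {line!r}')
        name, _ttl, rtype, rdata = m.groups()
        records.append((name.lower(), rtype, rdata.strip()))
    return records


def check_workmail_dns(records, domain, expected_token, expected_mx, dkim_selectors):
    """Return a list of problems; an empty list means the domain is ready."""
    problems = []
    domain = domain.lower().rstrip('.') + '.'
    expected_mx = expected_mx.lower()

    # 1. Ownership: the TXT record must carry exactly the token from the console.
    txt = [r for n, t, r in records if n == '_amazonses.' + domain and t == 'TXT']
    if not any(r.strip('"') == expected_token for r in txt):
        problems.append('ownership TXT record missing or token mismatch')

    # 2. Routing: the inbound host must be the most preferred MX, and no other
    #    MX host should remain. A leftover backup MX still receives mail
    #    whenever the primary is unreachable.
    mx = []
    for n, t, r in records:
        if n == domain and t == 'MX':
            pref, host = r.split(None, 1)
            mx.append((int(pref), host.lower()))
    if not mx:
        problems.append('no MX record for ' + domain)
    else:
        best = min(mx)
        if best[1] != expected_mx:
            problems.append(f'most preferred MX is {best[1]}, not {expected_mx}')
        stale = [h for _, h in mx if h != expected_mx]
        if stale:
            problems.append('other MX hosts still present: ' + ', '.join(stale))

    # 3. DKIM: each selector must CNAME to the SES DKIM host for that selector.
    for sel in dkim_selectors:
        name = f'{sel}._domainkey.{domain}'
        target = f'{sel}.dkim.amazonses.com.'
        cnames = [r.lower() for n, t, r in records if n == name and t == 'CNAME']
        if target not in cnames:
            problems.append(f'DKIM CNAME for selector {sel} missing or wrong')
    return problems


if __name__ == '__main__':
    recs = parse_zone(ZONE)
    for p in check_workmail_dns(recs, 'example.com', 'abc123verificationtoken',
                                'inbound-smtp.us-east-1.amazonaws.com.', ['sel1', 'sel2']):
        print('PROBLEM:', p)
```

Run against the sample zone, the check passes the TXT and DKIM records but flags the legacy MX host that is still listed with a lower preference; that is exactly the record people forget to delete, and it keeps delivering mail to the old server whenever the primary is unreachable.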

As an Amazon WorkMail user, you have access to all of the usual email features including calendaring, calendar sharing, tasks, contact lists, distribution lists, resource booking, public folders, and out-of-office (OOF) messages.

The browser-based interface has a full array of features. It works with a wide variety of browsers including Firefox, Chrome, Safari, and newer (IE 9 and higher) versions of Internet Explorer. The interface gives you access to email, calendars, contacts, and tasks. You can access shared calendars and public folders, book resources, and manage your OOF.

Amazon WorkMail was designed to work in today’s data-rich, email-intensive environments. Each inbox has room for up to 50 gigabytes of messages and attachments. Messages can range in size all the way up to 25 megabytes.

As part of this launch we are renaming Amazon Zocalo to Amazon WorkDocs! Amazon WorkMail can be used in conjunction with WorkDocs for simple, controlled distribution of documents that contain sensitive information.

Amazon WorkMail Security Controls

Let’s talk about security for a bit. Amazon WorkMail includes a number of security features and controls that will allow it to meet the needs of many types of organizations. Here’s an overview of some of the most important features and controls:

  • Location Control – The Amazon WorkMail administrator can choose to create mailboxes in any supported AWS region. All mail and other data will be stored within the region and will not be transferred to any other region. During the Preview, Amazon WorkMail will be supported in the US East (Northern Virginia) and Europe (Ireland) regions, with more to follow over time.
  • S/MIME – Messages exchanged with Outlook clients and certain iPhone and iPad apps can be signed and encrypted end-to-end using S/MIME, which protects the message itself rather than just the connection. Data in transit to other clients is encrypted using SSL.
  • Stored Data Encryption – Data at rest (messages, contacts, attachments, and metadata) is encrypted using keys supplied and managed by KMS.
  • Message Scanning – Incoming and outgoing email messages and attachments are scanned for malware, viruses, and spam.
  • Mobile Device Policies & Actions – The Amazon WorkMail administrator can selectively require encryption, password protection, and automatic screen locking for mobile devices. The administrator can also remotely wipe a lost or mislaid mobile device if necessary.

Getting Started with Amazon WorkMail
Let’s walk through Amazon WorkMail while wearing our email administrator hats! I need to create an Amazon WorkMail organization. In most cases, I would use a single organization for an entire company.

I start by opening up the AWS Management Console and choosing Amazon WorkMail:

I click the Get started button. At this point I can choose between a Quick setup (Amazon WorkMail will create a new directory for me) or a Custom setup (Amazon WorkMail will use an existing directory that I configure):

I’ll go for the quick setup today. I need to pick a unique name for my organization:

This will automatically create a directory and then create and initialize my organization. It will also initiate the Amazon SES domain verification process (for jeffbarr.awsapps.com in this case) and create a set of DKIM keys so that I can send DKIM-signed mail. The entire process takes 10 to 20 minutes and requires no additional work on my part. The organization’s status will start out as creating and will transition to active before too long:

After the creation process completes I can begin to add Amazon WorkMail users to my organization (if I had used an existing directory in the previous step I could simply select them from a list at this point). I’ll begin by adding myself:

Then I specify the email address and password. If I have associated one or more domain names with the organization, I can use the name as the basis for the email address:

I can browse all of the organization’s users:

I can also create groups, attach domains, and manage mobile device policies, all from the Console.

The Amazon WorkMail Browser-Based Interface
Let’s take a look at the browser-based interface to Amazon WorkMail. Here’s my inbox:

And my calendar:

This is just a sampling of the features that are available in Amazon WorkMail.

Pricing and Availability
We are launching a Preview of Amazon WorkMail in the US East (Northern Virginia) and Europe (Ireland) regions today and you can sign up for the Preview if you are interested in joining.

After the 30-day free trial (25 users and 50 gigabytes of storage per user), pricing is on a per-user, pay-as-you-go basis. You will be charged $4 per month for a 50 gigabyte Amazon WorkMail mailbox, or $6 per month for a bundle that includes Amazon WorkMail and WorkDocs. There is no separate charge for the use of SES to send messages.

Jeff;

New AWS Directory Service

by Jeff Barr | in Amazon EC2, Amazon WorkSpaces, AWS Directory Service, Zocalo

Virtually every organization uses a directory service such as Active Directory to allow computers to join domains, to list and authenticate users, and to locate and connect to printers and other network services, including SQL Server databases. A centralized directory reduces the amount of administrative work that must be done when an employee joins the organization, changes roles, or leaves.

With the advent of cloud-based services, an interesting challenge has arisen. By design, the directory is intended to be a central source of truth with regard to user identity. Administrators should not have to maintain one directory service for on-premises users and services, and a separate, parallel one for the cloud. Ideally, on-premises and cloud-based services could share and make use of a single, unified directory service.

Perhaps you want to run Microsoft Windows on EC2 or centrally control access to AWS applications such as Amazon WorkSpaces or Amazon Zocalo. Setting up and then running a directory can be a fairly ambitious undertaking once you take into account the need to procure and run hardware, install, configure, and patch the operating system and the directory, and so forth. This might be overkill if you have a user base of modest size and just want to use the AWS applications and exercise centralized control over users and permissions.

The New AWS Directory Service
Today we are introducing the AWS Directory Service to address these challenges! This managed service provides two types of directories. You can connect to an existing on-premises directory or you can set up and run a new, Samba-based directory in the Cloud.

If your organization already has a directory, you can now make use of it from within the cloud using the AD Connector directory type. This is a gateway technology that serves as a cloud proxy to your existing directory, without the need for complex synchronization technology or federated sign-on. All communication between the AWS Cloud and your on-premises directory takes place over AWS Direct Connect or a secure VPN connection within an Amazon Virtual Private Cloud. The AD Connector is easy to set up (just a few parameters) and needs very little in the way of operational care and feeding. Once configured, your users can use their existing credentials (user name and password, with optional RADIUS authentication) to log in to WorkSpaces, Zocalo, EC2 instances running Microsoft Windows, and the AWS Management Console. The AD Connector is available in Small (up to 10,000 users, computers, groups, and other directory objects) and Large (up to 100,000 users, computers, groups, and other directory objects).

If you don’t currently have a directory and don’t want to be bothered with all of the care and feeding that’s traditionally been required, you can quickly and easily provision and run a Samba-based directory in the cloud using the Simple AD directory type. This directory supports most of the common Active Directory features including joins to Windows domains, management of Group Policies, and single sign-on to directory-powered apps. EC2 instances that run Windows can join domains and can be administered en masse using Group Policies for consistency. Amazon WorkSpaces and Amazon Zocalo can make use of the directory. Developers and system administrators can use their directory credentials to sign in to the AWS Management Console in order to manage AWS resources such as EC2 instances or S3 buckets.

Getting Started
Regardless of the directory type that you choose, getting started is quick and easy. Keep in mind, of course, that you are setting up an important piece of infrastructure and choose your names and passwords accordingly. Let’s walk through the process of setting up each type of directory.

I can create an AD Connector as a cloud-based proxy to an existing Active Directory running within my organization. I’ll have to create a VPN connection from my Virtual Private Cloud to my on-premises network, making use of AWS Direct Connect if necessary. Then I will need to create an account with sufficient privileges to allow it to handle lookup, authentication, and domain join requests. I’ll also need the DNS name of the existing directory. With that information in hand, creating the AD Connector is a simple matter of filling in a form:

I also have to provide it with information about my VPC, including the subnets where I’d like the directory servers to be hosted:

The AD Connector will be up & running and ready to use within minutes!

Creating a Simple AD in the cloud is also very simple and straightforward. Again, I need to choose one of my VPCs and then pick a pair of subnets within it for my directory servers:

Again, the Simple AD will be up, running, and ready for use within minutes.

Managing Directories
Let’s take a look at the management features that are available for the AD Connector and Simple AD. The Console shows me a list of all of my directories:

I can dive into the details with a click. As you can see at the bottom of this screen, I can also create a public endpoint for my directory. This will allow it to be used for sign-in to AWS applications such as Zocalo and WorkSpaces, and to the AWS Management Console:

I can also configure the AWS applications and the Console to use the directory:

I can also create, restore, and manage snapshot backups of my Simple AD (backups are done automatically every 24 hours; I can also initiate a manual backup at any desired time):

Get Started Today
Both types of directory are available now and you can start creating and using them today in the US East (Northern Virginia), US West (Oregon), Asia Pacific (Sydney), Asia Pacific (Tokyo), and Europe (Ireland) Regions. Prices start at $0.05 per hour for Small directories of either type and $0.15 per hour for Large directories of either type in the US East (Northern Virginia) Region. See the AWS Directory Service page for pricing information in the other AWS Regions.

Jeff;

Amazon Zocalo – Document Storage and Sharing for the Enterprise

by Jeff Barr | in Zocalo

I have been writing this blog for almost ten years! For most of that time, my workflow for writing and reviewing drafts has revolved around my email inbox. I write a draft and then hand it off to the Product Manager for review. The Product Manager, in turn, will hand the draft off to their team and to other stakeholders and reviewers within the company. Given the pace of AWS development, I often have between five and ten drafts underway at any given time. Reconciling overlapping suggestions for edits, sometimes spread across multiple drafts, is tedious and error-prone. It is clear to me (and to my colleagues) that email inboxes are not appropriate venues for efficiently and securely sharing and reviewing complex documents. We decided to “scratch our own itch” and to create a document hub that would relieve the load on our inboxes and also add some structure to the process. Given that our enterprise customers have been asking us to provide them with secure storage and sharing, we decided to build a new product!

Introducing Zocalo
Today we are introducing Amazon Zocalo. This is a fully managed, secure document storage and sharing service designed specifically for the needs of the enterprise. As you will see as you review this post, Zocalo provides users with secure access to documents, regardless of their location, device, or formal relationship to the organization. As the owner of a document, you can selectively share it with others (inside or outside of your organization), and you can ask them for feedback, optionally subject to a deadline that you specify.

Zocalo gives you simple, straightforward access to your documents anytime and from anywhere, regardless of location or device. Zocalo supports versioned review and markup of a multitude of document types, and was designed to allow security-conscious administrators to control and audit access to accounts and documents.

With centralized user management (optionally linked to your existing Active Directory) and tight control over sharing, Zocalo prevents boundaries from becoming accidentally blurred. All documents are stored in a designated AWS Region and transmitted in encrypted form. You, as the document owner, can even opt to disallow downloading for extra protection.

You can install the Zocalo client application on your desktop and laptop computers running Windows 7 or MacOS (version 10.7 or later) and designate a folder for syncing. Once you do so, saving a file to the folder will automatically upload it to Zocalo across an encrypted connection and sync it to your other devices. You can also access Zocalo from your iPad, Kindle Fire, and Android tablets.

In the remainder of this post I will take a look at Zocalo from three points of view. You will see what it is like to be a document owner, a reviewer, and a Zocalo administrator.

Zocalo for Users
Assuming that you are already known to Zocalo (see Zocalo for Administrators to learn more about accounts and passwords), you can simply visit your organization’s Zocalo site and log in. The URL to the site is specific to the organization. Here’s where I started:

And here’s what I saw after I logged in:

I can create folders and sub-folders as needed and I can add documents to the folder by simply dragging and dropping. I uploaded an early draft of this post:

Zocalo can accommodate files of up to 5 GB. You can upload files of any type; Zocalo will render Office documents, PDFs, images, and text files.

I shared the draft with Paul and Cynthia (two of my colleagues) and asked them to review it for me:

Zocalo shows me their status:

As you may have noticed earlier, I can create folders in Zocalo and store my documents inside. Permissions applied to a folder apply to all of the documents within it, making it easy for me to use folders to organize my documents by project or by team.

I took a short break to check on my garden (it was doing fine) and waited for some feedback. I clicked on Activity to see how things were going. Paul and Cynthia had both left comments within a few minutes (we work at lightning speed at Amazon):

Then I clicked on Feedback to see what they had to say about my first draft. The feedback is organized by version, and is further broken down into an overall comment and individual items, grouped by page:

Then I clicked to see what Paul had to say:

As you can see, clicking on a piece of feedback highlights the target area in the document and also connects it to the comment. Each reviewer has their own, unique color code as well.

The next step for me would be to read and digest all of the comments, edit the document, and upload another version for further review using the menu at the top:

If the document is in Microsoft Word format, I can also download a version that includes all of the comments entered by the reviewers.

There’s a lot more to cover, but I’m just getting started and this post is already kind of long! You can try this out for yourself through the Zocalo Limited Preview.

Zocalo for Reviewers
Now I’d like to take a look at the sharing and reviewing process from the other side of the fence. I can easily see the documents that have been shared with me for review:

I can click on any document and open it up to read and comment on it. Zocalo shows me how to give feedback in a handy popup:

I simply highlight any text or any region of the document and enter my feedback:

When I have finished my review I need to send the comments to the owner of the document with a click of the Send button:

As you saw earlier, the owner of the document will be able to see my edits and will (with any luck) use them to produce another version.

Once again, I have just scratched the surface of the document sharing and review features that are available in Zocalo. Let’s take a look at the administrative side of Zocalo!

Zocalo for Administrators
Each Zocalo account must have at least one administrator. The administrator is responsible for creating and managing user accounts, setting up security policies, managing storage limits, and generating auditing and activity reports.

As the administrator in charge of setting up and running Zocalo, you will begin with the AWS Management Console:

You can choose Quick Start to get going quickly or Full Setup to connect to your on-premises user directory.

I chose the Quick Start and entered a few parameters to get started:

Minutes later my site was all set up and I was ready to go, with notification via a convenient email:

I set up a password and became the official administrator of my very own Zocalo site!

I logged in and explored the Dashboard:

The Dashboard allows me to set the amount of storage per Zocalo user. By default, new users get 200 GB of storage for free. The administrator can choose to allow additional storage, which is billed on a per-GB, per-month basis.

I can control the level of document sharing for the site — unlimited external sharing, sharing to a short list of domains, or no external sharing:

Here’s how I enter a list of domains:

I can also manage the invitation model. Users can be allowed to invite others within any domain or in a short list of domains, or this entire feature can be restricted to users with administrator privileges:
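The three sharing modes above (unlimited external sharing, a short list of domains, or no external sharing) are simple to state but easy to get wrong in the domain comparison. Here is an added example (not Zocalo’s own code) of how such a policy check should be written. The mode names, the organization and allow-list inputs, and the matching rules are assumptions chosen to show the checks an administrator would expect: case-insensitive comparison, exact domain matching by default, and, when subdomains are opted in, matching only on a label boundary so that `partner.example.attacker.net` and `notpartner.example` never pass for `partner.example`.

```python
"""Sharing-policy check modelled on the three site-wide sharing modes.

Added example; it is not Zocalo's own code. The mode names, the
org/allow-list inputs and the matching rules are assumptions chosen
to show the checks an administrator would expect before a document
leaves the organization.
"""
from enum import Enum


class SharingMode(Enum):
    UNLIMITED = 'unlimited'          # any external recipient
    DOMAIN_LIST = 'domain_list'      # only listed external domains
    INTERNAL_ONLY = 'internal_only'  # no external sharing at all


def _norm_domain(domain):
    """Lower-case a domain and drop a trailing dot so comparisons are exact."""
    return domain.strip().lower().rstrip('.')


def domain_of(address):
    """Return the normalised domain of an e-mail address.

    Refuses anything without exactly one '@' and non-empty parts on both
    sides, rather than guessing which part is the domain.
    """
    address = address.strip()
    if address.count('@') != 1:
        raise ValueError(f'malformed recipient: {address!r}')
    local, domain = address.split('@')
    if not local or not domain:
        raise ValueError(f'malformed recipient: {address!r}')
    return _norm_domain(domain)


def _matches(domain, allowed, allow_subdomains):
    """Exact match, or a match on a label boundary when subdomains are allowed.

    A plain suffix test would let 'notpartner.example' or
    'partner.example.attacker.net' pass for 'partner.example'; requiring
    '.' + allowed as the suffix prevents both.
    """
    if domain == allowed:
        return True
    return allow_subdomains and domain.endswith('.' + allowed)


def share_allowed(mode, org_domains, allowed_domains, recipient,
                  allow_subdomains=False):
    """Return (allowed, reason) for sharing a document with recipient."""
    domain = domain_of(recipient)
    org = {_norm_domain(d) for d in org_domains}
    if any(_matches(domain, d, allow_subdomains) for d in org):
        return True, 'internal recipient'
    if mode is SharingMode.INTERNAL_ONLY:
        return False, 'external sharing is disabled for this site'
    if mode is SharingMode.UNLIMITED:
        return True, 'external sharing is unlimited'
    allowed = {_norm_domain(d) for d in allowed_domains}
    if any(_matches(domain, d, allow_subdomains) for d in allowed):
        return True, f'{domain} is on the external domain list'
    return False, f'{domain} is not on the external domain list'


if __name__ == '__main__':
    # Constructed recipients for illustration.
    for rcpt in ['alice@example.com', 'Bob@Partner.Example',
                 'eve@partner.example.attacker.net', 'eve@notpartner.example']:
        print(rcpt, share_allowed(SharingMode.DOMAIN_LIST, ['example.com'],
                                  ['partner.example'], rcpt))
```

The decision to admit subdomains is deliberately an explicit parameter: an allow list of `partner.example` that silently covers every host under it is a different policy from one that covers only that domain, and the administrator should choose which one they meant.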

I can invite people to become new Zocalo users:

Once my Zocalo site has some users, I can monitor and control their storage utilization, and see an audit log of document activity.

Pricing and Availability
You can join the Zocalo Limited Preview to experience Zocalo on your own.

Zocalo was designed to work smoothly with Amazon WorkSpaces. Each WorkSpaces user has access to 50 GB of Zocalo storage, the Zocalo web application, the tablet apps, and document review at no additional charge. The Zocalo administrator can upgrade these users to 200 GB of storage for just $2 per user per month.

If you don’t use Amazon WorkSpaces, Zocalo is priced at $5 per user per month, including 200 GB of storage for each user. Additional storage is billed on a per-GB, per-month basis using a tiered pricing model. See the Zocalo Pricing page for more info.

Zocalo is currently available in the US East (Northern Virginia), US West (Oregon), and Europe (Ireland) Regions. All documents for a particular Zocalo site are stored in encrypted form within the chosen Region.

Jeff;