Fannie Mae (FNMA) is a leading source of mortgage financing in the United States. Fannie Mae helps make affordable housing accessible to homeowners, homebuyers, and renters across the country, achieving this with the help of their various housing partners. These partners include mortgage lenders and servicers, housing counselors, real estate agents, and other industry professionals. Together, Fannie Mae and their partners help millions of people throughout the U.S. find a place that they can call home.

FNMA is a large organization that deploys thousands of applications across a mix of on-premises data centers and external providers, serviced primarily by IBM and AWS. There are very high-volume applications that are hosted on IBM mainframes in IBM data centers, though those numbers are dwindling rapidly. Most deployed enterprise-class applications are deployed on Unix/Linux Operating Systems (OS) along with a sizable number of Windows server applications. The current number of AWS deployed applications is less than one-third of the multi-year goal, though 2023 is set to be the highest volume of production migrations and is expected to achieve close to 85% migrated.

Customer Challenge

Fannie Mae had a requirement to re-factor and re-host over 200 applications to AWS cloud in a short timeline while aligning Fannie Mae's AWS infrastructure with corporate and regulatory policy, ensuring that all security measures are properly enforced. FNMA lacked enough Enterprise and InfoSec Architects to support their aggressive timeline for migration and modernization. The successful implementation of this project would not only modernize the company's infrastructure but improve its security posture, which is of paramount importance in today's world of ever-evolving cyber threats.

Throughout the project, we encountered a variety of applications that introduced various challenges to overcome on the way to the cloud. One particularly difficult example involved a reporting application, whose users requested that it be designed and deployed on AWS in a way that would be operationally transparent for its users. This reporting application utilized Jupyter Notebooks deployed on a Kubernetes cluster on-prem, which was also managed by the application teams. The challenge was further exacerbated by the recent changes in their security posture, which required a more stringent adherence to corporate and regulatory policies.

Since the application teams managed the containers that housed the application components, the Kubernetes cluster in question had become over-provisioned. The end-users and data analysts who used this reporting application had concerns about deploying the application to AWS cloud resources and not being able to meet the time-to-market demands of their reporting data. In using this application, data analysts executed research code in a development environment and could promote the code to production via Bitbucket. Once the code was promoted, executions were orchestrated by Autosys. The Python code extracted data from upstream databases, then wrote the data to an Oracle database.

At the same time InfoSec architects identified risks, provided mitigation recommendations, and designed a compliant and secure AWS environment. VSO’s goal for this application were to:

• Securely migrate the application to AWS Cloud
• Eliminate the operational overhead of maintaining the containerized infrastructure
• Maintain or improve time-to-market of reporting data
• Identify risks associated with the infrastructure and provide mitigations methods
• Oversee implementation, testing, and maintenance of the AWS environment

If these challenges were not met, time would be spent unnecessarily on managing an over-provisioned and complex Kubernetes cluster, which would subsequently lead to higher costs of service, creating an inefficient and more costly solution to the customer’s preexisting issues.

Partner Solution

VSO, in partnership with AWS Proserve, provided Enterprise and InfoSec Architecture support for the migration of over 200 FNMA legacy on-premises applications to AWS Cloud. VSO architects worked directly with Fannie Mae project managers, product owners, and application teams to evaluate and document legacy on-premises applications. To prepare for migrations, VSO Enterprise Architects designed and documented AWS target state diagrams and worked with InfoSec architects to align application designs with Fannie Mae security policies. Each application was presented by VSO to Portfolio Architecture Review Boards (PARB) to gain approval for AWS production deployment. These roles gave VSO the unique opportunity to provide available, efficient, secure, and cost-effective AWS architecture to a Fortune 500 company.

VSO and AWS provided expert Enterprise and InfoSec Architects to fill Fannie Mae’s needs and integrated with product owners and application teams to clearly understand and document the customer needs and requirements of each application. We designed and documented AWS target state designs with a focus on being cost effective, available, and with as much of a seamless transition as possible for the application teams. To meet the security needs, VSO worked closely with Fannie Mae's team to develop a comprehensive AWS InfoSec Architecture plan that outlines the steps needed to achieve the objectives of their security requirements. These plans are regularly reviewed and updated as needed to ensure that Fannie Mae's security posture remains strong and compliant with regulations.

Our InfoSec architecture expertise allowed Fannie Mae confidently to migrate their applications to the AWS cloud with the knowledge that they are secure and compliant. By working together, we provided seamless solutions that enabled Fannie Mae to focus on their core business objectives without worrying about security risks or compliance issues.

To resolve the complex reporting application challenge noted above, VSO designed a cost-effective, high-performance architecture that met the “operationally transparent” requirement. This architecture uniquely utilized AWS SageMaker for a reporting application. AWS SageMaker is typically suited for Machine Learning workloads; however, with the ability to utilize Jupyter Notebooks on SageMaker Studio and execute Python code, it provided a perfect opportunity to introduce an AWS fully managed service into the design. In addition to providing a completely seamless transition for the users, VSO’s innovative design removed all backend Kubernetes and Jupyter Notebooks responsibilities from the application team. This allowed the team to focus 100% of their time performing reporting and analytical operations.

Results and Benefits

VSO has played a pivotal role in the design and implementation of complex AWS architecture and applications. The team successfully designed and documented these architectures, gaining approval from the Portfolio Architecture Review Board (PARB). By developing unique and efficient AWS target states for business-critical applications, VSO facilitated the smooth integration of Fannie Mae's business units and obtained production approval for migrating their applications to the AWS cloud.

Within the Developer functions, VSO excelled in refactoring applications, components, and interfaces. Through thorough testing and development, VSO diligently remediated all identified vulnerabilities, bugs, and process errors. VSO also took responsibility for the creation of comprehensive documentation for all objects in-code, utilizing the Confluence documentation management system. Our DevOps Engineers contributed by creating, configuring, and deploying FNMA applications using CI/CD pipelines developed in Jenkins and UrbanCode. These applications strictly adhered to enterprise standards, encompassing testing, vulnerability detection, source controls, access controls, and organizational change control processes and procedures.

VSO played a critical role in architecting the minimum viable architecture for 30+ applications to date. We developed tools, utilities, and templates that significantly expedited application development and implementation activities. Furthermore, VSO conducted acceleration workshops and provided coaching to project teams, equipping them with the necessary knowledge and strategies for successful AWS implementation and design. The architectures developed by VSO were resilient, reliable, cost-effective, and fully compliant with enterprise standards, with each architecture being thoroughly documented and approved by the Enterprise Architecture Review Board.

Key metrics illustrating VSO's accomplishments include their establishment of a 1:1 relationship with users and analysts. This allowed them to address all concerns related to migrating workloads to an AWS cloud infrastructure. By understanding and meeting the application needs, VSO built an innovative design that utilized AWS SageMaker in an analytical capacity, providing Data Analysts with a range of benefits. These included reducing the application footprint by leveraging AWS native services, performing Python development and execution on SageMaker Jupyter Notebook instances, promoting code to production via the Jenkins and UrbanCode CI/CD pipeline, orchestrating production executions via AWS CloudWatch, and meeting time-to-market requirements by enabling research applications to accelerate production code deployment.

In terms of security, VSO played a crucial role in defining the security controls for Fannie Mae's "lift-and-shift" AWS environment. These controls align the new AWS environment with Fannie Mae's policies and regulatory requirements. As part of their InfoSec activities, VSO took responsibility for establishing security controls that ensure the effective and secure migration of various workloads to AWS. This includes servers, databases, and virtual machines across different platforms, such as Windows and Linux. VSO also defined and implemented security controls to securely manage server-to-database communications across AWS accounts and platforms like MSSQL, MySQL, Oracle, and RDS.

Furthermore, VSO established, documented, and enforced security controls of over 30 applications by designing and implementing Security Group, NACL, IAM, and firewall requirements. These architectures encompass a wide range of systems and technologies, including EC2 SQL Native Backup, and various AWS Native Services such as AWS Resilience Hub, ElastiCache, AppFlow, RDS, Redshift, Athena, S3, EC2, AWS FSx NetApp OnTap and Fargate. We also perform Technology Service Assessments on AWS native services in addition to COTS products that need to be evaluated for Fannie Mae's AWS environment.

In support of AWS migration efforts, VSO provides InfoSec leadership in multiple lines of business within Fannie Mae to include Business Intelligence & Analytics, SpringBoard (AWS lift-and-shift environment), and Cloud Native domains. As part of the customers’ SpringBoard effort, VSO actively leads the development and enforcement of security controls to enforce micro & macro segmentation both within AWS and across AWS/On-prem environments. This involves analyzing VPC flow logs, implementing NACL, Security Group and firewall changes to ensure inter and intra application communication while enforcing security policy within AWS, across multi-cloud/on-prem infrastructure.

About the Partner

Virtual Service Operations (VSO) is a hybrid cloud and managed services company supporting traditional on-premises infrastructure, virtual, and cloud enterprise environments. We aid clients with IT modernization, cloud adoption, and operations by providing:

• A market-leading team of architects, engineers, and subject matter experts to plan, design, and implement solutions.
• Military veteran-led managed services team which employs proprietary tooling and automation to operate and maintain customer environments.

VSO works across numerous industries including government, healthcare, education, non-profit, and commercial. In our work with each of these industries, VSO leverages partnerships and certifications with Amazon Web Services (AWS), IBM, Microsoft, VMware, NetApp, and others to provide premier hybrid cloud services and superior customer experience. Some of our customers include Centers for Medicare and Medicaid Services, U.S. Army, U.S. Navy, John F. Kennedy Center for the Performing Arts, Federal Election Commission, Amtrak, Department of Veterans Affairs, Department of Energy, Howard University, Johns Hopkins University Applied Physics Lab, Raytheon, Honda, AAA Insurance, and Kaiser-Permanente.

VSO has a mature and established relationship with AWS and is proud to be a distinguished APN partner, VSO is an AWS Advanced Consulting partner providing hybrid cloud IT services to federal and commercial customers including DoD, DOJ, HHS, CMS, the Kennedy Center, and many others. As an Advanced consulting partner for 3+ years, VSO is proud to have earned the AWS Government Competency. VSO is also enrolled in the AWS Solution Provider Program, the AWS Public Sector Partner Program and is a part of the AWS Marketplace Seller Program. VSO is currently pursuing status as an APN Premier Partner.