AWS Organizations, Security, & Networking
About Knock CRM
Knock is an award-winning CRM (customer relationship management) and performance management SaaS platform for multifamily property managers. Hundreds of the leading apartment managers and owners across North America rely on Knock’s automation, integrations, and data transparency tools to maximize occupancy, rent growth, and customer satisfaction in every community. Knock is based in Seattle and was founded in 2014.
Knock launched its first product in 2016 hosted on Amazon Web Services (AWS). Since then, the company’s customer base has grown to include thousands of properties, and today, Knock is the multifamily industry’s leading CRM with multiple product offerings. However, with the growth of the company and products, the underlying AWS environment was still based around the idea of Knock being a single product company. Knock needed a partner and a plan for building a secure, performant, and scalable AWS environment that matched its maturing product portfolio and operational goals.
Why Amazon Web Services and 1Strategy
Knock had partnered with AWS since the beginning; there was never any question that future workloads would also be built and run on AWS. Running SaaS lean, though, meant that Knock didn’t staff the full-time AWS Solutions Architect that would be necessary to design and plan a project of this complexity. “It was a very easy decision to go with 1Strategy,” said Paul Campbell, Senior Director of Security & Privacy at Knock. “1Strategy is well known for delivering exceptional AWS design support and they presented the most thorough and tailored statement of work.” Additionally, Knock’s DevOps team lead was familiar with multiple 1Strategy staff through CoffeeOps, a Seattle-area DevOps networking group founded by a 1Strategy team member.
Requirements and Design
“The best part of outsourcing architecture and planning for these large, complex, one-off projects is that you can benefit from a proven playbook,” said Matt Hillman, VP Engineering at Knock. Indeed, 1Strategy was able to bring a proven playbook for identifying requirements to transition from a single-account architecture to one based on multiple AWS accounts. It started by reviewing the existing environment and interviewing Engineering team leads and ended with a proposed architecture addressing all foreseeable requirements of the business.
Development and Implementation
By leveraging Terraform infrastructure as code and AWS Control Tower, 1Strategy was able to assist Knock in developing and implementing an AWS environment and architecture consistent with recognized best practices. This included aligning accounts with data sensitivity, implementing commensurate preventative and detective controls for Organizational Units (OU), and configuring AWS Single Sign-on (SSO) to provide for fast role selection and switching. “Compared to traditional role switching, AWS SSO makes operating in a multi-account environment easy,” said Justin Martenstein, DevOps Lead at Knock.
Secure by Design
Knock relied on 1Strategy’s extensive experience with securing AWS workloads as they collaborated on the preventative, detective, and response-oriented control design and validation. 1Strategy was able to suggest controls which scaled much more efficiently in a multi-account environment while still meeting the company’s security commitments. A great example can be found in using Control Tower to automatically centralize AWS CloudTrail event streams so that new accounts are monitored with no additional effort.
Much like the account structure, Knock’s networking layer wasn’t optimized for a multi-product company. “We’re excited to realize a number of network-level benefits such as centralized VPN and simplified DNS management, as well as shifting all network infrastructure to code for modularization and version control,” said Knock DevOps Lead, Justin Martenstein.
The icing on the cake for the project was a centralized ingress/egress networking architecture for sensitive workloads. By utilizing AWS Transit Gateway, Knock can control access to workloads through a single network entry point. Separate Transit Gateway route tables enable sensitive data networks to be isolated from regular networks and permit the efficient deployment of network traffic inspection, intrusion prevention, and data-loss prevention systems.
Having a centrally managed networking architecture, Knock will now be able to maintain a set of VPCs that can be shared with current and future workload accounts using AWS Resource Access Manager (RAM). Sharing the same network allows for lower operational overhead and still allows workloads to be logically isolated by AWS accounts with their associated Service Control Policies (SCP).
On every project 1Strategy strives to leave the customer with the knowledge and understanding needed to maintain their solution over time. Through several training sessions, 1Strategy helped Knock achieve greater autonomy and develop a vision for how to scale AWS resources over the next 5 years.
“From my perspective, this project would be between an A and A+. This experience was altogether very positive. From scoping discussions to project management to working directly with 1Strategy’s consultant on implementation, this project went as well as any project I’ve ever done,” said Campbell. “1Strategy’s AWS specific networking expertise was very valuable. The training sessions went great, and we appreciated 1Strategy’s ability to answer technical questions from various teams. We now have an architecture that will work well for us for many years.”
1Strategy is a Premier Consulting Partner within the AWS Partner Network (APN). Focusing exclusively on AWS, 1Strategy helps businesses architect, migrate, and optimize their workloads on AWS, creating scalable, cost-effective, secure, and reliable solutions. 1Strategy also helps customers get real value from their data using comprehensive machine learning models and artificial intelligence. 1Strategy holds the AWS DevOps, Migration, Data & Analytics, Machine Learning, and Security Competencies, and is a partner of the AWS Public Sector Program and the Well Architected Program. With experts having deployed AWS solutions since 2007, 1Strategy is a leader in custom training—providing customers with the knowledge, tools, and best practices to manage those solutions over time. 1Strategy is a TEKsystems Global Services company with teams in Seattle and Salt Lake City, supporting customers throughout the US and across every vertical.
For more information about how 1Strategy can help your company migrate to AWS, optimize AWS solutions including security and backup strategies, and receive custom training, visit 1Strategy.com.