International Transportation (69) 1 | 2017 34 PRODUCTS & SOLUTIONS Cloud Services Deutsche Bahn Group is shifting to the DB Enterprise Cloud A Compliant cloud architecture on AWS seemed to be a good choice Service provider, Infrastructure as a Service (IaaS), Internet of Things (IoT), network monitoring, multicloud strategy The lack of IT standardization across subsidiaries, the complexity of organizational structures, and the high cost of maintaining legacy environments was hampering DB Group’s growth plans. The group was not as agile as competitors in rolling out new applications and improving the customer experience, which meant some of the subsidiaries were losing market share. Others even had initiated dangerous paths towards “shadow IT”. Thus, DB Systel contracted e.g. AWS to provide managed and unmanaged cloud services to the group and implemented a cloud-first strategy. Bertram Dorn D eutsche Bahn Group is one of the largest transport operators in the world, with EUR 40.5 billion in revenue in 2015 and with more than ten business units generating over EUR 1 billion a year in revenue. The group consists of around 450 subsidiaries, ranging from DB Schenker (international logistics) to DB Netze Energie (delivery of electricity and gas). Of those subsidiaries, at least fifty have significant IT spending. Overall, the group has around 308,000 employees, of whom more than 100,000 are regular IT users. DB Systel is the subsidiary dedicated to providing IT and telecommunications services to the rest of the group. The unit is responsible for a broad range of areas, from helpdesk support to telephony, and from maintaining the ticketing system to running the proprietary network that DB Group uses to connect stations and offices. DB Systel is in effect a managed service provider, being paid by other subsidiaries with formalized contracts. It generated a revenue of EUR 825 million and employed 3,600 staff in 2015. From a data center point of view, it owns and operates three physical data centers in Berlin, running around 8,000 physical and virtual servers overall. Importantly, in 2013 DB Systel was greenlighted by the group board to start offering IT services for third-party companies, leveraging its expertise in areas such as mission-critical logistic back-end and network monitoring. Conversely, the largest of the other group subsidiaries also host IT staff of their own in their business units. Based on those aspects and on the legacy, subsidiaries have a fairly high degree of independence around when and how they trigger investments in ‘their’ IT systems. Overall, the DB Group IT architecture managed by DB Systel is imposing. The service provider is responsible for more than 630 applications in production. 60 % of those have been written from scratch inhouse over the years, whereas 40 % are built on standard software such as SAP or Oracle PeopleSoft. However, more often even those third-party applications are heavily customized, with tens if not hundreds of DB Systel developers whose only task is to maintain and customize them further. Establishing the DB Enterprise Cloud At the end of 2014, the situation began to evolve. In February 2015, DB Systel started to explore cloud infrastructure options that could help the group achieve agility and cost savings. In April 2015, the DB Systel board created a small, independent task force led by René Schneider to formally define requirements and engage with an external Infrastructure as a Service (IaaS) provider. Interestingly, being a service provider itself, DB Systel had the luxury of foregoing research on managed service capabilities or IaaS integration partners. All of the implementation and operation skills would come from DB Systel itself. After discounting IaaS suppliers that didn’t meet requirements, only Microsoft Azure and AWS remained as options, and only AWS had full control of its German data center infrastructure. At that point, the decision was made to test AWS’ capabilities. With the intention of quickly responding to business needs, DB Systel and AWS worked together on the first proof of concept, which consisted of setting up a full virtual data center on AWS, including policies and network connectivity. The AWS technical team provided extra support and the proof of concept was completed successfully within a week. The second step was to assess AWS’ ability to comply with the regulations impacting DB Group, which is a partly state-owned company. In particular, the IaaS provider has to comply with the German federal regulation for data protection - ‘Bundesdatenschutzgesetz’. Following the assessment, DB Systel was able to ascertain that AWS did comply. This provided the backing for DB Systel to select AWS as the preferred supplier, and in May 2015 the formal contracting process kicked off. With the contract signed, DB Systel became the compliant, compulsory provider of AWS services to the whole of the DB Group. The managed AWS-powered services became officially available to DB Group on January 1, 2016. Two types of service were offered on AWS: DB Enterprise Cloud ‘Managed’ and DB Enterprise Cloud ‘Unmanaged’. International Transportation (69) 1 | 2017 35 Cloud Services PRODUCTS & SOLUTIONS The ‘managed’ cloud offers application hosting, development and maintenance based on AWS infrastructure, similarly to how it offers those services based on the onpremise data center infrastructure it owns. This means the subsidiary has no direct point of contact with AWS services, which are used by DB Systel technical staff. DB Systel is responsible for every layer of the stack, with the exception of the data protection layer that remains the responsibility of the subsidiary. The ‘unmanaged’ Cloud is enabled by AWS’ advanced capabilities in terms of identity and access management rights. DB Systel is the owner of AWS’ contract, receives the bill for any expense occurring on it and operates with administrator rights on the AWS environment. It then sets up fully compliant “User accounts” that can be requested and employed by the various subsidiaries. User accounts have a restricted set of rights, with limitations around network connectivity and service catalogue. Successful usage of the AWS-based cloud In the first couple of months of operation, there were several successful projects within Deutsche Bahn Group. For example, DB Systel is currently using AWS basic and advanced services (e. g., AWS RedShift and AWS Dynamo DB) to set up a vast Open Data platform. The goal is to collect all nonconfidential information from the DB Group (e. g., location of stations, travel schedules, length of tracks) and make it available freely in the form of APIs so that local governments, app makers et cetera can leverage them to innovate. Another example is the strong usage of the Internet of Things (IoT) platform for cargo train tracking and for escalator maintenance. The group is equipping a first batch of cargo trains with small, inexpensive devices transmitting location via GPS. DB Systel is using the AWS IoT service for data ingestion and data collection back-end, with the goal of offering corporate customers real time information on cargo position. Real time information also helps with the maintenance of escalators. Because there are thousands of them in operation daily across German railway stations. Due to their sheer numbers, the DB Station und Services AG, the subsidiary responsible for managing station facilities, had a very hard time detecting problems, with faults going undetected in some cases for weeks. Combining sensors (currently being installed in escalators across the country) with AWS IoT services allows DB Group to monitor status in real time and dispatch maintenance much more quickly. DB Systel reports that most of the workloads deployed in the “unmanaged” service have been Web-based application space. For example, bahn.de, the main consumer portal for the group, including online ticketing and real time information on the train status, is running a hybrid infrastructure on AWS, managed by the responsible business unit. The application is complex and multitier, including several Java layers and connectivity to other on-premise systems. Also DB Regio Bus, a subsidiary responsible for local bus services operating 13,000 buses countrywide, decided to migrate most of its IT load to DB Enterprise Cloud “Unmanaged.” It went through the process to receive AWS user accounts from DB Systel and moved its full load to AWS capacity. It had planned for a 21 % reduction in overall monthly infrastructure costs, and ended up with a 28 % decrease - now gunning for additional reductions thanks to rationalization of the application landscape. DB Regio Bus is now running a “serverless” infrastructure, with 100 % of the loads sitting on AWS. Exceeding all expectations When it set off with AWS-based services at the beginning of 2016, DB Systel had a goal to generate at least EUR 1 million in revenue per year from the other subsidiaries, linked to those AWS environments. As of August 2016, DB Systel reported that the target had already been exceeded, and in fact it is now facing some pressure to quickly expand the cloud task force team to deal with demand. DB Systel was impressed by AWS’ technical capabilities and IaaS/ PaaS portfolio, the geographical reach and readiness of the AWS engineers to quickly set up POC environments and help kick-start the process was also appreciated. In terms of benefits for the DB Group at large, the business plan for moving to a cloud-first approach was built on cost saving expectations of 15-30 % versus the on-premise data center environment. Costs included both capital expenses (annualized) and operating expenses, as long as they were linked to infrastructure elements replaced by AWS IaaS/ PaaS solutions. Costs included staff, energy, hardware Capex, system management software licenses, and hardware maintenance fees. All implementations executed so far fell in that bracket of savings, according to DB Systel. One can also see that the AWS migration is starting to exert a positive influence at a strategic level. Not only is DB Systel gaining lots of respect from the other subsidiaries and boosting its image as a business-enabler (e.g., with the IoT system for escalator maintenance). More concretely, the division is now able to use that expertise to offer managed AWS cloud services to thirdparty customers, increasing revenue outside of the DB Group. The compliance and security departments can work with a centralized, corporate-wide data location strategy, logging services and policies. It now can do without shadow IT and avoid the creation of dangerous “black holes.” DB Group as a whole can now leverage large public-cloud capabilities in a compliant fashion to experiment with digital transformation initiatives and fight back against the expanding list of competitors in the mobility service arena. Looking into the future While much has been accomplished in the first half of 2016, it looks like the journey to flexible cloud infrastructure for DB Systel and the broader group has just started. A mid-term goal is definitely the migration of ever larger portions of workloads onto AWS. DB Systel does not have a set target for this, and the option of DB Group-owned infrastructure will remain for the foreseeable future. Ultimately, it is the subsidiaries and business units that have to decide on which back-end to host their applications. This game of demand and supply will lead to continued flip of the balance of workloads towards AWS. Other long-term goals include the standardization of applications and a multicloud strategy: The expanding popularity of standard IaaS/ PaaS services is leading IT professionals across the group to rethink the approach between custom applications and standard applications. DB Systel leadership is empowering staff with the concept of standardizing applications that bring no differentiation to the group, and allocated the resources to developing new cloud-enabled business models. On the strength of the experience around AWS, the DB Systel cloud team is now starting to assess multicloud strategies, especially for SaaS environment types in SAP and Oracle cornerstone areas. ■ Bertram Dorn Solutions Architect EMEA, Amazon Web Services Germany GmbH, Munich (DE) anfrage-aws@amazon.com