
NYS Forum

What’s the real story on cloud?

July 14, 2015

Ralf Schlenker

CGI Global Practice Lead – Cloud and Infrastructure Services

703 267 8084

[email protected]


Agenda

Overview and level set – CGI

– Cloud definitions

– Current drivers for cloud adoption

– Compare different approaches

– Case studies

Q & A


The NIST Definition of Cloud Computing SP 800-145, Sept. 2011

Essential Characteristics:

• On-demand, self-service

• Broad network access

• Resource pooling

• Rapid elasticity

• Measured service

Service Models:

• Infrastructure as a Service

• Platform as a Service

• Software as a Service

Deployment Models:

• Private cloud

• Community cloud

• Public cloud

• Hybrid cloud


Enterprises and governments are being driven to the cloud…

… however security/privacy still tops their concerns


US Government - GSA Cloud Initiative (2010)

Several US Federal and State

agencies have adopted services

for simple web sites to complex

line of business applications

Challenges

• Significant IT spend – new budget cuts

• 1800 data centers and growing

• Inefficient use of capacity and demand management

• Difficult to use private enterprise services

Process

• RFP for Cloud Infrastructure Services

• Very prescriptive RFP for catalog of services

• Security-certify multiple Cloud Service Providers

• Introduce “Cloud First Policy”


The security assessment process changed the behavior of Cloud Service Providers

Security Assessment Process

• System Security Plan (SSP)

• 3rd party independent audit

• Documented results and follow-up

• Monthly Self Assessments

• Change Control / Authorization

• Incident Response

• Annual Re-certification

80% of US government IT workloads qualify for a FISMA-moderate-certified cloud


Example: US Public Sector IaaS Cloud Security Elements

• VM templates hardened to Center for Internet Security (CIS) benchmarks for FISMA compliance. Regular compliance scans

• Regular VM (OS) vulnerability scanning / patching; reporting

• Antivirus at the VM and hypervisor level

• Multi-factor authentication, non-split tunneling secure VPN

• Web Application Firewall / Database Activity Monitoring appliance for PCI and HIPAA compliance

• FIPS 140-2 compliant network (firewalls, VPN); use of approved cryptographic algorithms; physical seals to protect cryptographic keys

• SEIM – Security Event and Incident Management

• Network IDS / IPS; Penetration Testing

• File Integrity Monitoring (FIM)

• Annual audit by 3rd party auditor organizations (3PAO) auditing over 250 security controls required for FISMA-moderate certification
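Of the controls listed above, File Integrity Monitoring is the one most easily shown in working code. The following is an added example, not CGI's tooling or code from this presentation: a minimal FIM in Python that builds a SHA-256 baseline of a directory tree (hash, size and permission bits per file), persists it as JSON outside the monitored tree, and reports added, removed and modified files on a rescan. The small fake VM filesystem in `demo()`, including the sshd_config setting that drifts from the hardened value, is constructed inline purely for demonstration.

```python
"""Minimal file integrity monitor (FIM): baseline a tree, persist it, detect drift.
Added example; the directory contents below are constructed for demonstration."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, streamed in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (relative POSIX path) to its hash, size and permission bits."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),  # permission drift counts as integrity drift
            }
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; in practice this file lives on separate, write-protected storage."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots into added, removed and modified paths."""
    base_paths, cur_paths = set(baseline), set(current)
    modified = sorted(
        p for p in base_paths & cur_paths
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": modified,
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake VM filesystem, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "vm"          # the monitored tree
        (root / "etc").mkdir(parents=True)
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")   # hardened value
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF-placeholder")

        baseline_file = Path(tmp) / "baseline.json"  # stored outside the monitored tree
        save_baseline(build_baseline(root), baseline_file)

        # Simulated drift a FIM should catch: hardening setting flipped,
        # unexpected file dropped in, a binary removed.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "rogue.conf").write_text("# unexpected file\n")
        (root / "bin" / "tool").unlink()

        report = compare(load_baseline(baseline_file), build_baseline(root))
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))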


UK Government - G-Cloud Initiative (2011)

Objectives

• Achieve large, cross-government economies of scale

• Good enough / best fit approach to selecting solution

• Dynamic and responsive supplier marketplace

• Transparency

Solution

• Introduced Cloud First Policy (May 2013)

• Very broad RFP for catalog of services

• Store Front Market Place updated every 6 months

• Approved multiple Cloud Service Providers

• Self-accreditation

Average procurement in UK Gov takes 468 days. Under G-Cloud it now can take 4 days.

The G-Cloud Program


UK G-Cloud Store Front

Shop for best fit solution

Compare Solutions

Easy access

Available at http://govstore.service.gov.uk/cloudstore

Major trends and implications for Cloud in 2015 / 2016

Case Studies


Case Studies - Summary


Client | Cloud Type | Solution

U.S. DHS | FedRAMP accredited virtual private | 33 citizen-facing web sites, unlimited (elastic) capacity, pay-for-use

New Jersey DCA | FedRAMP accredited virtual private | Rapid, agile Hurricane Sandy Relief Funds Management App; 15/60 days until live

City of Oslo | Hybrid (virtual private + public) | Hybrid set-up for dev/test vs prod; 200 edu apps plus 170 school websites; hybrid productivity suite; 90,000+ users

London Underground | Hyperscale public | IoT remote equipment predictive diagnostics and management (POC)

ThyssenKrupp | Hyperscale public | IoT remote elevator predictive diagnostics and management

Netherlands – Stadtwerke Düsseldorf | Hyperscale public | E-vehicle charging point network: closest location and status (free / busy), Smart Phone integration; card management, payment / billing

Netherlands – cities | Hyperscale public | Ability to control, monitor and manage public infrastructure: street lighting; traffic lights; water supply (hydrants); disposal systems


Case Study: US Department of Homeland Security benefits from unlimited capacity and pay-for-use Cloud

Results

• Decommissioned 300+ servers

• No longer need to manage capacity and evergreening of infrastructure

• Moved all 33 citizen-facing sites to the Cloud

• Rapid access to unlimited capacity


Case Study: Hurricane Sandy Disaster Relief Application for New Jersey’s Department of Community Affairs benefits from agility and security of public sector community cloud

Results

• Fully-managed Funds Management and Transparency website solution hosted on a FedRAMP-accredited Public Sector IaaS cloud. www.newjerseyrebuild.org

• DR architecture leverages two cloud sites (EDCs in AZ and PA).

• Interim solution live 15 days after contract award. 1st full release live in 60 days.

• > 23,000 relief checks sent to impacted citizens and > $400M in relief funds processed in first 9 months.

Case Study: Oslo, Norway’s Public School System’s Modernization of core ITC systems for >100,000 users benefits from modern hybrid SaaS and IaaS cloud solutions


Results

• Hybrid IaaS cloud (virt. private cloud hosted in-country 3rd party EDCs + hyper-scale public cloud)

• Integrated user portal; IT operation portal; exam application; >200 educational apps; individual schools’ websites;

• 90,000+ user migration to “public cloud productivity suite”; 170 schools; designed to scale as the number of users is expected to increase to nearly 300,000 in the next few years

• https://www.oslo.kommune.no/

Case Study: Cloud-based Internet of Things solution provides the London Underground with real-time data in a secured public cloud environment to increase its services


Questions

Ralf Schlenker

CGI Global Practice Lead –Cloud and Infrastructure Services

703 267 8084

[email protected]

Case Study: Cloud-based IoT solution delivers real-time global lift management capability to ThyssenKrupp


Results

• By connecting its lifts to the cloud and gathering data from its sensors and systems, the solution provides TK with real-time intelligence through a secured hyper-scale public cloud environment, increasing its ability to proactively maintain lifts.

• ThyssenKrupp is vastly improving operations — and offering something its competitors do not:

“We wanted to go beyond the industry standard of preventative maintenance, to offer predictive and even preemptive maintenance.”

Case Study: Electric mobility gets a boost in the Netherlands with cloud-based charge point management system


10,000 Charge Points – Netherlands

Key features

• Provides closest location and status (free / busy)

• Smart Phone integration

• Card Management

• Payment / Billing

• Delivered through a hyper-scale public cloud

Case Study: Cities in the Netherlands reduced costs through intelligent management of resources


COTS platform for: Integral Management of Public Space

Ability to control, monitor and manage public infrastructure:

• Street lighting

• Traffic Lights

• Water supply (hydrants)

• Disposal systems

Delivered through a hyper-scale public cloud


Considerations and take-aways (Extra Slides)


How Governments Are Benefiting from Cloud Services

• Transfer of risk on to Cloud Providers

• Focus on delivering services for Citizens vs. IT

• Accelerated delivery of business capability

• Creates a competitive marketplace for continuous evolution of IT services

• Smaller agencies/jurisdictions can access applications and resources equivalent to the large ones

It’s not a one-cloud-fits-all solution. Many clients chose a hybrid mix customized for their needs.


Cloud Usage Is Evolving

Emerging Cloud Usage

• Line of business applications

• Mobile enterprise & analytics

• Virtual Desktops / Workplaces

• Cloud Brokerage

• Hyper-scale cloud use cases


A Solid Process Is Critical

• Use an approach that takes a holistic view

• More than cost & risk: Organizational goals, requirements, constraints

• No single cloud will meet an organization’s full needs

• Deep understanding of vendor landscape and offerings critical

• Not all applications are a good fit for Cloud or are ready in their current state to move to the Cloud

Agencies choose the level of responsibility to meet their needs


Cloud Lessons Learned

Early adopters had varying success

Cost + Performance + Features + Services + Value

• Test and Development, short duration projects, Web hosting show promise

• Simple “Lift and Shift” of workloads is not producing tangible savings

• Reengineering applications to take advantage of Cloud is expensive and time consuming

• Concerns over performance, features, services, costs

• Performance varies widely from vendor to vendor

• Features and services: Different definitions, different bundles

• How to find the right combination


Some Key Takeaways

• Develop Cloud First Policy

• Question why you are still buying infrastructure (Servers/Storage)

• Don’t do it or pay for it yourself – leverage partners

• Understand your Privacy, Security and SLA Requirements for each business domain / application

• Consider a Community Cloud

NYS Forum

Cloud – What’s the Real Story?

Additional Benefits: Agility and Security

July 14, 2015

Mark Ryland, Chief Solutions Architect, Amazon Web Services, [email protected]

Key benefits of utility computing

• Pay as you go

• Stop guessing needed capacity and over-provisioning

• Lower overall costs (TCO)

• Avoid undifferentiated heavy lifting

• Go global in minutes

• Agility and speed of innovation

• Enhanced security through shared responsibility and greater automation

Agility: dramatically improved speed of IT delivery

• Healthcare.gov

  – Highly scalable and secure

  – New security and governance practices

• City of Houston

  – “Paradigm shift” putting them years ahead of the curve (https://youtu.be/gDtKhBEmQ8k)

• US Citizenship & Immigration Services

  – Dev/ops meeting gov’t needs

  – https://youtu.be/QwHVlJtqhaI

Agility: variable workloads

• Transportation

  – Transport for London

  – City of Seattle

• Lots of election use cases

  – Australian Government

  – Obama for America

• Education

  – Common App in the US

  – UCAS in the UK

Security advantages of cloud

1. Integration of compliance and security

2. Economies of scale apply

  – Scale means strong separation of duties, simple security policies

3. Customer refocus on systems and applications

4. Visibility, homogeneity, and automation

5. Cloud platforms as “systems containers”

6. Cloud, big data, security: cloud secures cloud

7. With cloud speed of innovation and increasing scale, the story will only get better – quickly!

Compare: “Why Commercial Cloud Are More Secure Than Federal Data Centers”, Roger Baker, http://bit.ly/1tMrUSp

Big data and going “all in” with enhanced security:

Financial Industry Regulatory Authority

• FINRA has deployed multiple Hadoop-based and Redshift-based analytics apps core to their regulatory mission

• Multi-petabyte clusters growing by terabytes per day

• Query times reduced from minutes to seconds

• Two year plan to go “all in” to cloud

“From a physical and logical security standpoint, I believe that, if done right, public cloud computing is as or more secure than self-hosting.”

– Steve Randich, EVP and CIO


Highly sensitive workloads

• Largest healthcare exchange in USA

• Federal Home Loan Bank of Chicago: going “all in”

• Many, many more customers in government, health, financial services, and others…

“Based on our experience, I believe that we can be even more secure in the [vendor name deleted] cloud than in our own datacenters.”

– Tom Soderstrom, CTO, NASA JPL


Questions

Mark Ryland, Chief Solutions Architect, Amazon Web Services, [email protected]

NYS Forum Insert Work Group

What’s the Real Story on Cloud?

Additional Benefits

July 14, 2015


Challenges Utilizing Cloud

Embracing Bimodal

Containing Server Sprawl

Finding a home for Traditional Apps

Enabling Seamless DevOps Integration

No Need to Start Over


Ensuring Governance and Oversight

Enable ITaaS

Leverage Service Catalog

Advanced Orchestration

Set Resource Limits

Provide Chargeback


Can it also be Better, Faster, Cheaper?

Focus on YOUR Customers

Focus on YOUR Applications

Deploy in Minutes, not Hours/Days

Pay for ONLY what you Use

Automatic Scaling


Importance of Service Level Objectives

Integrate Existing Networks

Meet the Business Objectives

Portal Availability

Resource Level Availability

Performance Metrics


Case Studies

State Govt. Dept. of Transportation

Challenge:

Variety of disparate systems hosted in-house; Public Cloud not an “approved” option

Need to consolidate and aggregate data for the purpose of packaging for Public and Private consumption

Outcomes:

• Achieved a Time to Market of under 4 weeks;

• Re-focused on core responsibilities;

• Lower TCO than doing it in-house, and created additional revenue streams

Public Transportation Authority

Challenge:

High-transaction, revenue generating site was troubled with downtime, unpredictable volumes and capacity constraints

Outcomes:

• Elastic Cloud platform to meet demand;

• 100% uptime since go-live;

• Survived multiple high impact events and stress testing;

• Repaired image damaged by many outages


Questions

Vincent Ryan

CenturyLink Cloud

215-528-9484

[email protected]

The NYS Forum

What’s the Real Story on Cloud?

July 14, 2015

Understanding the Security Implications of Different Cloud Service Models

Ian Morrison, Cloud Solution Strategist, Microsoft

Common Questions and Concerns

• Everyone has a “cloud” these days…How do you choose a trusted provider?

• How do you successfully maintain security and compliance when moving to the cloud?

• Where is my data stored? Is my data encrypted? Who has access to my data?

• The threat landscape is only getting worse…How do cloud providers prevent getting hacked?

• What about government snooping or subpoenas for my data?

Key Points: Security and Compliance

• The customer is ultimately responsible for ensuring their compliance obligations are met

• Compliance is a shared responsibility between the customer and the vendor

• Maintaining compliance can actually be simpler in the cloud, but you must perform due diligence, operationalize security practices, and periodically review audit reports

• You need to fully understand how a cloud provider operates and secures their datacenters and services

• There is a difference between IaaS, PaaS, and SaaS and how each service model impacts your security and compliance posture

• Regulation-centric service implementation guides are extremely helpful (e.g. HIPAA)

Public Cloud Service Models

• Other considerations:

• Identity Management, Authentication, and Authorization

• Device Security & Management

• Data Access and Encryption

Top Questions to Ask Cloud Providers

• Are privacy and security practices clearly and centrally documented? Do they address key concerns like datacenter security, data location, encryption, and subcontractors involved in service management?

• Who has access to my data, under what circumstances, and how are those individuals screened and background checked?

• Does the provider use customer data for anything other than delivering the service? Is customer data mined or scanned in any way?

• If the provider offers both enterprise and consumer services, is the data comingled in any way?

• Does the provider offer dedicated government cloud services?

• How is data ingress/egress and inter-datacenter transfer secured?

Lack of transparency on any of these items is a red flag

Datacenter and Operational Security

• Providers should have a comprehensive defense-in-depth strategy and should be able to explain in detail how they secure their services and your data

• Controls should address all types of security: physical, logical, data, etc. They should be well documented and mapped to standards such as ISO 27001

• Providers should have a sophisticated approach to threat defense and detection for both external and internal attacks

A Commitment to Compliance Matters

• Provider should demonstrate a long-standing and ongoing commitment and ability to maintain and improve regulatory compliance/certification

• Because compliance is a moving target and a shared customer responsibility, the same commitment should be true for service security features and customer controls

• Look for a public roadmap for the service that documents the vendor’s vision and strategy to meet evolving security and compliance needs

• Plan on a periodic review of audit reports and findings (they should be made available to you)

Privacy and Data Disclosure

• Understand your cloud provider’s contractual commitments related to privacy and data disclosure

• Who has access to data?

• How is data used?

• What happens if you decide to terminate the service?

• Understand what happens if the provider is approached or issued a subpoena for your data

• Will you be notified?

• Are there circumstances where you would not be notified?

• In what ways will the provider protect your data privacy?

• Understand the provider’s position on government snooping

Summary

• Cloud computing is mature and proven, but not all providers are created equal

• Proceed thoughtfully, but don’t get left behind

• Transparency is essential

• Look for providers that understand the unique requirements of government

• Compliance is not an end state

• Understand the shared responsibilities between you and your provider

Questions

Ian Morrison

Cloud Solution Strategist

Microsoft Public Sector

[email protected]

NYS Forum What’s The Real Story on Cloud?

Watch out for the landmines – Lessons Learned from NY State Agency efforts to Procure Cloud Services

July 14th, 2015

Richard Green, PMP, Practice Area Manager – Technology Acquisitions


Agenda

Four lessons:

– Requesting FedRAMP compliance – be careful what you wish for

– Migrating from Cloud to Cloud – will you be so lucky?

– Control agencies – what do they worry about?

– Competition from within – what about the Govt. Data Center?


Recommended Reading


Requesting FedRAMP compliance – background

• Large NYS agency

• Large-scale project funded by a major Federal government grant

• Two separate RFPs used to establish vendor contracts

• Both RFPs open to Cloud solutions

• Both contain expectation that “multi-tenant hosting solutions” are compliant with FedRAMP

(PS – FedRAMP not fully operational when RFPs released)


Requesting FedRAMP compliance – background

“Leading Cloud Provider” = FedRAMP compliant Cloud Service Provider (CSP)

Requesting FedRAMP compliance – specifics

• “FedRAMP security controls and enhancements have been selected from the NIST SP 800-53 Revision 3 catalog of controls.”

• “Cloud Service Providers (CSPs) will be required to use qualified, accredited Third Party Assessment Organizations to perform independent assessments on their service and systems.”

• “The vendor may propose to provide hosting services itself, or may propose the use of a subcontractor. Subcontracted hosting services do not count toward the subcontracting limit of sixty percent (60%) of the contract budget.”


Requesting FedRAMP compliance – specifics

FedRAMP - System Security Plan (SSP) Template

• details a cloud system’s security controls

• written in accordance with NIST Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plans for Information Technology Systems.


Migrating from Cloud to Cloud – will you be so lucky?

Diagram (labels only): Primary Vendor (×4); Integration Subcontractor 1; Integration Subcontractor 2; RFP 1; RFP 2; Not-for-Profit Service Provider; Leading Cloud Provider (×5); Own hosting facility


Migrating from Cloud to Cloud – will you be so lucky?

Diagram (labels only): Primary Vendor; Integration Subcontractor 1; Leading Cloud Provider; Agency; Integration Subcontractor 1; Leading Cloud Provider


Control agencies – what do they worry about?

• What State will the data center be located in? Will that State’s laws prevail?

• Can the data facility be audited?

• Who has access to the data? Do you need NDAs?

• What happens to the data at the end of the contract?

• Is the solution multi-tenant?

• Ensure a data classification of the data that will be stored has been performed

• Breach alert mechanisms?

• Does the vendor insist on terms that are in conflict with the State’s?


Competition from within – what about the Govt. Data Center?

• Are you permitted to seek a Cloud solution or is there an expectation that a government owned/operated data center be used?

• Will you be required to include the government data center as one of the options for hosting?


Lessons Learned

Four lessons:

– Requesting FedRAMP compliance – be careful what you wish for

– Migrating from Cloud to Cloud – will you be so lucky?

– Control agencies – what do they worry about?

– Competition from within – what about the Govt. Data Center?


Questions

Richard Green, PMP, Practice Area Manager – Technology Acquisitions; (518) 431-7024 – Desk; (518) 225-2983; [email protected]

www.nystec.com