Shared Services Canada
and
Cloud Computing
Architecture Framework Advisory Committee
Transformation, Service Strategy and Design
December 17, 2012
Agenda

Time            Topics                                                      Presenter(s)
9:00 – 9:15     Opening Remarks and Objective                               B. Long, Chair
9:15 – 9:55     Shared Services Canada and Cloud Computing                  J. Danek, P. Littlefield
                • SSC’s Role in Cloud Computing
                • Opportunities and Challenges
9:55 – 10:05    Health Break
10:05 – 11:50   Open Discussion on Cloud Computing                          All
                • Basics of Cloud Computing
                • Getting to the Next Level
11:50 – 12:00   Timeline and Next Meeting: January 28, 2013 (9:00 – 12:00)
Constraints, Dependencies, and Risks

AFAC Forward Agenda (October 2012 – May 2013)

(Figure: a month-by-month schedule of committee topics. The items, in sequence across the period:)
• Transformation Overview
• DCC and Telecom P2P
• Architectural Framework P2P
• Cloud Computing / Platforms – discussed Jan 28, then finalize for ITIR
• Identity, Credential and Access Management* – two discussion meetings, then finalize for ITIR
• Converged Communications (Voice, Video, Data)* – two discussion meetings

Assumptions: * only for discussion purposes. The Advisory committee meets every 4-6 weeks and has a core group of members from the ICT industry and SSC. The Advisory committee would have a minimum of two meetings to develop a product for consideration by the IT Infrastructure Roundtable and one meeting to finalize the product before presentation to the IT Infrastructure Roundtable.
AFAC Forward Agenda: Next Meeting

Proposed topics:
• Implementation Approach & Priorities (Best Practice)
• Security Reference Architecture (NIST presentation)
• Service Level Definitions & Taxonomy (NIST presentation)
• Cloud Service Broker Roles & Responsibilities
• Service Modeling Standards
Context For Cloud Computing

• SSC Mandate: consolidating data centres and their computing/storage platforms
  − Large (> 5000 sq.ft.) – 22
  − Medium (1000 - 4999 sq.ft.) – 65
  − Small (100 - 999 sq.ft.) – 386
  − Other server locations – 2747
• Objective: build and buy Infrastructure as a Service (IaaS) and Platform as a Service (PaaS)
  – If building IaaS and PaaS: Community Cloud (e.g. GC SSC private cloud)
  – If buying IaaS and PaaS: e.g. Private or Hybrid Cloud; Public cloud (e.g. GC public facing web presence)
SSC Core Mandate w/r TBS Profile of IT Services

• Standard service categories for management and accounting
• One of the outcomes of the IT Expenditure Review Program (ERP)
• To ensure accurate accounting and reporting on IT expenditure
• Appropriated for these services to SSC and 43 Government of Canada departments/agencies
ICT Deployment Models and Evolving Degrees of Accountabilities

(Figure: the service stack under each deployment model, with each layer marked either "Managed by Shared Services" or "CIO managed". Lower layers are managed by Shared Services and upper layers by the departmental CIO; the share managed by Shared Services grows from IaaS to PaaS to SaaS, where the whole stack is managed by Shared Services.)

Model   Layers, bottom to top
IaaS    Storage, Server HW, Network, Servers, Virtualization, Runtimes, Applications, Security & Integration
PaaS    Storage, Server HW, Network, Servers, Virtualization, DBMS, Runtimes, Applications, Security & Integration
SaaS    Storage, Server HW, Network, Servers, Virtualization, Databases, Runtimes, Applications, Security & Integration

• IaaS: Infrastructure as a Service
• PaaS: Platform as a Service
• SaaS: Software as a Service (non Dept/Agency program Applications)
SSC Consuming Cloud Services

(Figure: SSC Employees & Contractors, from the Desktop over GC-LAN, GC-WiFi or GC-SRA, consuming services hosted on GCnet Protected “B”: GC Cloud Computing, Domino R8, CWA, STSI, B2B, ILMS and GEDS.)

Note – final decisions on email services pending completion of procurement process
GC Cloud Conceptual

(Figure: the GC deployment models and the services placed in each. Services shown: GCTravel, GCdrive, Pay, Pension, Collab, Intranet sites, Canada.gc.ca, Jobs, Mail & Messaging, GEDS, GCDocs, MySchool and public-facing web sites. Other elements: a Non-SSC Private Cloud (Directory, Free / Busy, Mobile Integration), an External Community Cloud (e.g. CANARIE), Remote Access, GCnet and the Internet.)

Community Cloud (GCnet)
• Internal services for the GC community
• SSC-provided cloud services to the GC
• Secured perimeter
• Multi-Domain (Protected-B to Secret)

Public Cloud (GCnet-I*Net)
• e.g. Some public-facing GC presence
• e.g. Limited Development / Test capacity

Hybrid Cloud (GCnet over Secured Internet)
• Secured extension of GCnet to vendor
• Vendor-provided cloud services to the GC
Cloud Computing: Defining Shared Services Canada’s Role

• SSC could be the Cloud Broker and could also be a Cloud Provider
• Some private cloud services could be provided by SSC
• This would be the “Community Cloud”
• The Cloud Broker would ensure multi-vendor management

Should Internal Private Cloud and External Cloud services be defined by the same Service Architecture?
(Figure: the NIST Cloud Computing Reference Architecture. Actors: Cloud Consumer; Cloud Provider, comprising the Service Layer (SaaS, PaaS, IaaS), the Resource Abstraction and Control Layer, the Physical Resource Layer (Hardware, Facility), Cloud Service Management (Business Support, Provisioning / Configuration, Portability / Interoperability) and Cloud Orchestration; Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Carrier. Cross Cutting Concerns: Security, Privacy, etc.)
Cloud Computing: Opportunities and Challenges

Opportunities
Cloud characteristics:
• On-demand self service
• Ubiquitous network access
• Resource pooling (location independence, homogeneity)
• Rapid elasticity
• Measured service
GC examples noted alongside them on the slide:
• V storage
• Community cloud (CWA, GCDocs)
• Hybrid cloud - STSI
• Private clouds: DCC and Telecommunications consolidations
• Data sovereignty, privacy and security: data in motion, data processing and data at rest

Challenges
• Connecting resources across clouds and customer premises
• Managing identity, federation, and access control
• Isolating tenants in a multi-tenancy environment
• Extending on-premises security & operations management practices to the cloud
• Latency and other performance-related considerations
• Network capacity and capability
Cloud Computing: Basics

Specific Area of Focus        What We Think We Know                              Other
Service Framework             NIST Framework                                     Are there other frameworks that NIST
Architecture                                                                     doesn’t incorporate that we should consider?
Service Models                GSM, UML, SOMA                                     Are there any other standard service
                                                                                 modeling tools that we should consider?
Security                      SSC Security Domains and Zones Architecture;       Are there any other security frameworks
                              CSEC ITSG-33; NIST Security RA                     that are not incorporated?
Getting to Next Level         • Detailed component service architectures         Any other considerations?
                              • Agreement on security framework & process
Next Steps                    • Do we need working groups?                       Other next steps?
                              • Governance structure?
Preliminary Sample GC Service Architecture DCS

(Figure: a Data Centre Services view drawn in GSM notation, with each service labelled by model.
IaaS: DC LAN, I-Net Gate, Net ISP1, Cloud LAN, Cloud1 x86, ETI, z/OS, Store Archive, Store1, Store2, Linux, x86, Unix Sm, Unix Large.
PaaS: SEC1 Firewall, SEC2 IDS/IPS, Cloud1 .Net, Cloud1 Java, Cloud1 Oracle, ETI, Directory, Store1, DB2, Oracle, Java, .Net, Load Bal.
SaaS: Cloud1 CRM, Cloud1, MyKey, Broker1, Broker2, Broker3, ETI; the MyKey and Broker services are grouped as Cloud Brokerage Services.
The label USD5 also appears on the figure.)

• Data Centre Services View
• Illustrates IaaS, PaaS, & SaaS Services
• Services can service Users, or other Services
• Services can be accessed internally or externally
• Internal services are on the DC LAN
• External Services are accessed via the I-Net Gate and the Net ISP IaaS
• This service model is described in detail in GSM*

*GSM - Generic Service Model, a generic framework for describing a Service in terms of its systematic hierarchy of related service objects.
Preliminary GC Sample Service Architecture DCS

(Figure: the Data Centre Services view extended to external clouds. Within the SSC Data Centre: IaaS DC LAN, I-Net Gate, Net ISP1, Linux, z/OS, Storage Archive, Store1, Store2, Windows and Unix; PaaS SEC1 Firewall, SEC2 IDS/IPS, Directory and Load Bal; SaaS MyKey, Broker1, Broker2 and Broker3, grouped as Cloud Brokerage Services. Group labels on the figure: SSC Data Centre, Mid-Range Platform Services, Cloud Security Services. External clouds Cloud1 through Cloud4 each expose IaaS LAN, IaaS Linux, IaaS Unix and SaaS Mgmt.)
Cloud Computing Model: United Kingdom

(Figure: the NIST reference architecture as applied in the UK. Cloud Provider with Service Layer (SaaS, PaaS, IaaS), Resource Abstraction and Control Layer, Physical Resource Layer (Hardware, Facility) and Cloud Service Management (Business Support, Provisioning / Configuration, Portability / Interoperability); Cloud Broker realised as an Apps Store (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Security and Privacy as cross-cutting concerns; Network. ICAM (MyKey) fronts many SaaS offerings running on a small number of PaaS/IaaS platforms.)

• Apps Store
• SaaS deployment
• Manage deployments
• Manage SLAs across a multi-service provider environment

Should SSC start as the UK did with the Broker Functions/SaaS?
Cloud Computing Model: United States

(Figure: the NIST Cloud Provider stack as applied in the US. Service Layer (SaaS, PaaS, IaaS), Resource Abstraction and Control Layer, Physical Resource Layer (Hardware, Facility), Cloud Service Management (Business Support, Provisioning / Configuration, Portability / Interoperability), Security and Privacy as cross-cutting concerns; Network; multiple separate IaaS deployments.)

• “Cloud First” policy
• FedRAMP / Procurement and security certification
• Start with IaaS deployment
• Cloud Service Management per vendor
• ICAM in place, but not leveraged
• Other International examples?

Should SSC start as the U.S. did with IaaS?
For Discussion: Challenges Revisited – Requirements

• Connecting resources across clouds and vendor premises
• Managing identity, federation, and access control
• Isolating tenants in a multi-tenancy environment
• Extending on-premises security & operations management practices to the cloud
• GC as one tenant
• Latency and other performance-related considerations
• Network capacity and capability
1. How should SSC address these challenges?
2. What architectural artefacts and supports are required to support SSC leveraging cloud services going forward?
3. What criteria should SSC use to decide which services would be best for cloud service models?
Timeline

December 17, 2012
• GCCC Architectures thoroughly discussed with AFAC members

January 28, 2013
• Revised GCCC architectures – feedback incorporated
• Platform strategy thoroughly discussed

February 2013
• Revised GCCC architectures endorsed by AFAC
• Platform strategy – feedback incorporated

March 2013
• Revised GCCC Platform endorsed by AFAC
• ICAM strategy thoroughly discussed with feedback
Annex
Cloud Computing Advance Reading Material

1. SSC Cloud Computing Vision
2. Security Domains & Zones Architecture
3. Security Domains & Zones Implementation Guidelines
4. Management Zone Implementation Guidelines
5. NIST Foundational Documents on Cloud Computing

SSC will incorporate all input from AFAC members and release final versions to the industry.
Cloud Standards Bodies

• Many standards bodies
• NIST is among the most mature and most often referenced
• NIST is open / public sector aligned
• Cloud Security Alliance (CSA) is among the most mature re security framework
• NIST has incorporated CSA’s framework in their Security Framework
• Are there Canadian considerations?
Foundational Documents on Cloud Computing

NIST – Cloud Computing Reference Architecture, SP 500-292
NIST – USG Cloud Computing Technology Roadmap, SP 500-293
  http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeI-2.pdf
NIST – Definition of Cloud Computing, SP 800-145
  http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
NIST – Cloud Computing Standards Roadmap, SP 500-291
NIST – Cloud Computing Service Levels (TBA Feb. 13)
NIST – Cloud Computing Security Reference Architecture (TBA Jan. 13)
  http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudSecurity
NIST – Current Status Presentation (Dec. 12)
  docbox.etsi.org/Workshop/2012/201212.../NIST_BOHN.pd
CSA – TCI Reference Architecture
  https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI-Reference-Architecture-v1.1.pdf
Also listed on the slide: http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909024