Enterprise Transition to Private Cloud

© 2012 The SI Organization, Inc. This document may be copied and furnished to others provided that the above copyright notice and this section are included on all such copies. However, this document itself may not be modified in any way, including removal of the copyright notice or references to The SI Organization, Inc., without the permission of the copyright owners.

Innovating the IT Landscape

The SI Cloud

Steve DeLuca, CIO

The SI embarked on deploying a new enterprise

infrastructure as part of a divestiture. Enterprise systems

were stood up to execute business and leveraged Cloud

technologies to the full extent possible. This paper discusses

the landscape and lessons learned from this experience.

20 January 2012

© 2012 The SI Organization, Inc. 1

Table of Contents

1. Introduction .......................................................................................................................................... 2

2. Approach ............................................................................................................................................... 3

2.1 Simplify the IT Landscape.................................................................................................................... 4

2.2 Employ Next Generation Technologies............................................................................................... 4

2.3 Outsource Commodity Components Where Possible ........................................................................ 5

3. Constraints and Limitations .................................................................................................................. 5

3.1 Timeline ............................................................................................................................................... 5

3.2 Lack of Control over Legacy Environment .......................................................................................... 5

3.3 Limited Domain Expertise ................................................................................................................... 5

4. The SI Cloud Key Elements .................................................................................................................... 6

4.1 Server Virtualization ............................................................................................................................ 6

4.2 Desktop Virtualization ......................................................................................................................... 6

4.3 User Profile Virtualization ................................................................................................................... 7

4.4 Application Virtualization.................................................................................................................... 7

4.5 Storage ................................................................................................................................................ 8

5. The SI Cloud Benefits ............................................................................................................................ 9

6. Lessons Learned .................................................................................................................................... 9

7. Conclusion ........................................................................................................................................... 11

Appendix A – Cloud: Definition and Application ......................................................................................... 12

.................................................................................................................................................................... 13


1. Introduction

The SI Organization, Inc. (the SI) was purchased by a private equity firm and established as an

independent company on November 22, 2010. The company was sold with little enterprise IT

infrastructure and tasked with establishing a full enterprise operating environment, processes,

procedures, and business systems. The business separation began with an initial project to isolate the SI

in its former parent company’s systems to operate under a one-year transition services agreement that

provided for continuity of operations until a new IT infrastructure could be established. The sale of the SI

included only personal computers, voice and data telecommunications equipment that resided within SI

facilities and all equipment on closed program networks. Given experiences under the former parent

company and requirements gathered from the business prior to the divestiture, the CIO office

developed a strategic IT Vision which is depicted in Figure 1. The scope and constraints of the tactical IT

transition to a new IT Enterprise included, but was not limited to:

One year Transition Services Agreement (TSA) from the former parent company

Establishing operating environments for all categories of service including directory services, collaboration tools, desktop/laptop services, and remote access

Instantiating business systems to provide for finance, payroll, contracts, HR, benefits, business development, and other business operations

Provisioning and maintaining voice and data telecommunications service across 5 SI site locations

Design and deployment of a robust information security framework including technology and process

Data translation and migration from legacy systems

IT policy and governance

Approximately 2,000 employees and 1,200 subcontractors working for the SI, with the majority of the population residing in Northern VA, South Eastern PA and MD.


FIGURE 1: The SI IT Vision – IT on Demand

2. Approach

In establishing a direction for the new enterprise environment, the CIO team formed a business

stakeholder group to drive business requirements and shape the implementation along the way. The

team applied industry leading SI systems engineering and program management processes, along with

primarily in-house staff, to execute the development and deployment of a mission-critical enterprise.

Best practice reviews were conducted for each element including System Design Reviews (SDRs),

Transition Readiness Reviews (TRRs), and an Operational Readiness Review (ORR) before infrastructure

go-live. The team set and held to a fundamental goal of simplifying the IT systems landscape while

providing equivalent IT services to the legacy environment. Simplifying the IT landscape also included

leveraging commercial off the shelf (COTS) software products and avoiding customization to the full

extent possible.

Additionally, the CIO team set goals to deliver the new IT infrastructure and Enterprise Resource

Planning System (ERP) in 10 months from the divestiture, allowing for two months of contingency before

the Transition Services Agreement with the former parent company expired. The team executed a world

class transition of personnel, business, financial, network systems and infrastructure in a four day

weekend. This successful transition included:

© 2011 The SI Organization, Inc.


Migration of 10TB+ of operating data and separation from heritage systems

Conversion of 35,000 project IDs, 2000 employees and 1200 subcontract personnel

Standup of new network, re-imaging 2500 laptops/desktops, revised operating systems and

tools

Standup of new Virtual Desktop Infrastructure to enable full desktop to enable robust access

from inside or outside the corporate network

Replacing physical access and security systems

New Valley Forge (VF) phone system

New Enterprise Resource Planning tools (Time & Expense Reporting, Payroll, Accounting,

Benefits, Pension, Procurement and Contracts)

2.1 Simplify the IT Landscape

The terms of this divestiture presented the team with a rare opportunity to start the new infrastructure

from a clean slate, right size it and avoid a lot of complexities that existed in the legacy infrastructure

that evolved over a number of years. The team capitalized on this unique opportunity by standardizing

on an integrated set of technologies and vendors. The team’s choice of strategic technologies and

vendors enabled resources to work across technology domains, provide a more agile environment to

respond to dynamic business needs, and reduce long term sustainment costs by 15%. By increasing the

depth of commitment to a smaller set of vendors, the SI was also able to negotiate more favorable

support and pricing agreements with these vendors.

2.2 Employ Next Generation Technologies

Throughout the process of identifying solutions to meet the SI’s IT needs, the term “green field” came

up many times. In many respects, the CIO staff had the benefit of being able to deploy the latest and

greatest technologies given there were no heritage systems to contend with. This green field approach

provided the best opportunity to gain the most value. So as to take full advantage of this situation, the

team evaluated the latest proven technologies and deployed those that provided the most value and

aligned the SI for enterprise agility. The team modeled the infrastructure in line with the elements of a

private cloud and will evolve it to mature all the essential characteristics of cloud over time. The SI has

developed the Cloud Effectiveness Model1 which is being employed to guide its evolution.

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of

configurable computing resources (e.g., networks, servers, storage, applications, and services) that can

be rapidly provisioned and released with minimal management effort or service provider interaction.

This cloud model promotes availability and is composed of five essential characteristics, three service

models, and four deployment models which are defined in Appendix A2.

1 Feehs, Rich (The SI Organization). “Cumulo™ Cloud Effectiveness Model, version 24.” October 2011.

2 Mell, Peter and Grance, Tim (National Institute of Standards and Technology). “The NIST Definition of Cloud

Computing, version 15.” October 7 2009. http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf

http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf


2.3 Outsource Commodity Components Where Possible

With the public Cloud becoming an increasingly more viable means to source IT services, outsourcing

was embraced by the SI from the beginning as a means to deliver the most cost effective services. Each

component of the IT landscape was evaluated against its ability to be outsourced with a vigilant eye on

information security, export control, maintainability of the interfaces, cost and service level agreements.

In many ways, the outsourcing philosophy was very difficult for many IT staff members to accept as it

was a significant culture shift from their experience base. The process of evaluating hosted services

required a great deal of diligence up front to properly vet providers which led to a deeper understanding

of many implicit requirements and risks earlier in the development cycle. In the end, the SI only

outsourced the Benefits and Payroll services given the information security and export control

restrictions around government contracting. The SI also made a deliberate choice to staff an in-house IT

team to further develop hands on IT skills and gain invaluable experience with the latest technologies

which could then be leveraged to benefit customers.

3. Constraints and Limitations

3.1 Timeline

The most constraining factor to this enterprise IT deployment was time. The SI had a fixed 1 year

Transition Services Agreement with its former parent company and needed to balance leveraging the

latest technologies with proven maturity to execute contracts and a sufficient solution set to run the

business. Missing the deadline or deploying an unstable business infrastructure would have been

extremely costly. Taking this challenge head on, the team leveraged the SI’s strength in systems

engineering rigor to provide the checks and balances to control scope, manage risk and ensure success.

3.2 Lack of Control over Legacy Environment

Another major limiting factor in transitioning the SI to a new IT infrastructure was the lack of

administrative access to the former parent company’s infrastructure and the inability to deploy SI-

owned resources within their network as a staging ground. These constraints significantly complicated

interim operations, the deployment of new capability, tracking of assets, migration of data and user

desktop transition.

To overcome this major challenge of migration across completely disconnected networks (former parent

company and the new SI network), the team developed a set of innovative solutions that spanned from

custom development of migration applications to outsourcing a mass replication of new hard drives for

all unclassified desktops and laptops. The successful implementation of these strategies enabled the SI

to complete the entire transition from legacy IT infrastructure and services to new stand-alone SI

infrastructure in a single long 4-day weekend, disconnecting from all prior services to run the business.

3.3 Limited Domain Expertise

The SI had used centralized IT services from its former parent company in the past which posed a

significant challenge in a lack of experience depth and breadth across the multitude of IT components

needed to deploy, in the relatively short period of time. In order to mitigate this risk, the SI procured


outside professional services and training in targeted areas to compliment the internal domain expertise

already on board, and cover the breadth of services needing to be deployed.

4. The SI Cloud Key Elements

The SI team developed and deployed a highly accessible, virtualized and elastic environment utilizing

COTS products. This environment will continue to be matured over time to incorporate higher levels of

automation, self-service and service metering.

4.1 Server Virtualization

The SI was able to take full advantage of server virtualization and deployed 99% of the core

infrastructure components on virtual machines. A few components had to be deployed as physical

servers due to vendor supportability restrictions (e.g. proxy servers and VPN servers) and/or relation to

security architecture (e.g. intrusion detection, token validation, etc.). The SI architecture team

challenged all vendors of each component in the environment to run in the virtual space. As an

example, the ERP solution vendor initially insisted that their components needed to run on physical

servers. Upon deeper architectural review, it was determined that the vendor was relying on an

antiquated understanding of the impact that virtualization would have on the performance of their

product and the solution was successfully deployed in a virtual environment. The vendor has since come

back to the SI to consult their other clients interested in moving to virtual environments.

4.2 Desktop Virtualization

Virtual desktop Infrastructure (VDI) was a new capability to the SI which the legacy company had only

piloted on a limited scope. The SI team saw VDI as a tremendous opportunity to get another part of the

IT infrastructure on a strategic path to enhance performance, provide ubiquitous end-point support, and

reduce sustainment costs. The team started by deploying virtual desktops into all shared desktop spaces

(conference rooms and kiosks shared by multiple employees) at transition onto the new infrastructure,

and plan to expand deployment to all fixed desktops, remote sites and private enclaves as it moves

forward.

One area the Virtual Desktop has provided extreme value is when a user is not on the corporate

network and needs remote access to corporate IT capabilities. The SI provides multiple means to enable

offsite users to access the corporate network. This technology has allowed users to securely access a

fully featured SI desktop (e.g. user data, network shares, web and client based tools) from any Windows,

Mac, Linux, or iPad tablet with internet access. (Note: Local network configuration must allow the

standard PCoIP protocol/ports which may not be standard in some corporate environments.) As the SI

continues to expand its VDI deployment, it looks forward to additional benefits from the desktop

virtualization technology in its capability to adjust a virtual desktop’s bandwidth consumption to

optimize performance when network latency and limited bandwidth are concerns (e.g. remote sites).

From a VDI desktop hardware perspective, the SI initially leveraged the existing traditional legacy

desktop hardware (e.g. Dell personal computers) as “thin clients” due to time constraints. The down

side of this is that the business continues to have a Windows operating system at the desktop which


must be sustained (i.e. patched, etc…) to remain secure and compliant. The strategic direction is to

adopt Zero client technology, which are small-form-factor devices with an integrated proprietary

operating system. This non-traditional operating system is very lightweight, exclusively provides for

running the VDI software, and greatly reduces maintenance requirements given its very limited need for

desktop support and patching. The desired goal is an asymptotic decrease in physical desktops to the

point where the business achieves desktop performance, energy and operational savings, and optimal

user flexibility through desktop virtualization.

4.3 User Profile Virtualization

The SI team implemented “floating” virtual desktops as opposed to “dedicated” desktops given this was

the most cost-effective path in the current phase of deployment. A floating desktop differs from a

dedicated one in that a user may get any one of a pool of available floating virtual desktops, based on

availability at the time of login, and rarely would they get the same virtual desktop. This implementation

consumes less overall computing resources, given that the virtual desktop pool fluctuates in size based

on demand and only services those users that are actively logged in. Conversely in a dedicated desktop

implementation, a user would always obtain the same virtual desktop each time they login, and

computing resources remain tied up for users regardless of activity. This dedicated paradigm requires

more overall computing resources to service the business.

A derived requirement of the floating virtual desktop implementation is the user expectation that

certain settings remain consistent every time they login (e.g. desktop background, mail client

customizations, instant messaging groups, web browser favorites). The concept of abstracting and

applying these user profile settings so that they “follow” the user is referred to as profile virtualization.

The SI chose to deploy profile virtualization across the enterprise, including all physical and virtual

desktops. The desired goal was to create a unified experience for all users across the SI network, and

pave the way for further expansion of desktop virtualization.

Unfortunately, inconsistent performance of the profile virtualization product for mobile users across

varying network connectivity, coupled with subtleties of Windows 7 desktop operating system settings

inhibited the team’s ability to fully achieve the aggressive goal of a floating user profile. After the IT

Transition go-live, profile virtualization was backed out from all laptops due to this inconsistent

behavior. One remote site was also removed from the profile virtualization pool temporarily due to

performance until the desktop virtualization product and design can be matured.

4.4 Application Virtualization

To further enhance the benefits of a virtual infrastructure, the SI chose to virtualize non-standard

desktop applications (e.g. System Architect, Matlab) to allow these applications to “virtually” follow a

user from desktop to desktop. In order to enable this, applications must be decoupled from the desktop

operating system so that the application can run without a local “install” of that application.

Deployment of virtualized applications requires an up-front “packaging” process, which encapsulates

the resources an application will need in order to run virtually.


The traditional paradigm of pushing software to desktop hardware is obsolete in a virtualized

infrastructure. Software can now be deployed to a user rather than to a piece of hardware, thus making

it available to whatever corporate hardware or virtual desktop a user might logon from. However, this

technology is not without its shortfalls, and creative mechanisms were required to fully meet

established goals. The team found Application Virtualization software for packaging software is not

100% effective in some cases or applicable for all software needs. Some software just couldn’t be

virtually packaged or “thinned” for various reasons. In these cases, the SI chose to expose the majority

of these software products using a remote application (RemoteApp) capability available in the server

operating system. RemoteApp runs an application on a central terminal server and presents the

application’s display thinly back to the user like a local application. In the rare case where both

application virtualization and RemoteApp options are not viable, an application-specific virtual desktop

pool was created with that specific application preinstalled. This option requires additional

maintenance and patching outside of the standard desktop pool, but was warranted given these

situations requiring special consideration.

4.5 Storage

Storage is a key element in a highly virtualized environment and required significant planning to get the

most out of today’s storage technology. The virtualization of desktop and server operating systems

required keen attention be paid to the way data is distributed across storage arrays to ensure

performance. This storage planning also included the storage backup and recovery strategy which

guided storage allocation requirements, snapshotting techniques and off-site storage methods.

Given a comprehensive storage trade study as part of its heritage, the SI selected a storage vendor with

modular data structures, innovative data deduplication, avoidance of per gigabyte pricing model, and a

progressive line of fully-featured products in mind. This technology enhanced the architecture

significantly in allowing for rapid data duplication without consuming double the space, easy data

movement, and innovative management techniques. One example of proactive planning driving

significant value through this vendor’s technology is the SI user File Share drives. In the SI’s

implementation, data shares are backed up daily (“snapshots”) and made accessible to users for the

purposes of restoring deleted or modified data when the need arises on a self-service basis, without any

involvement from the technical support team.

Commitment to cloud technologies provides the opportunity to think about disaster recovery in new

and creative ways. One area of opportunity is that data in the storage structures represents not only

data, but the operating environments themselves. Moving and replicating that data is a critical

component of the SI disaster recovery and business continuity planning.

The SI established two geographically separated data centers, a primary and a backup. Each location has

a storage array network to store its primary data and a replicate of data from the other site. Primary

data was replicated to the remote site storage array once in full as a baseline, and then all subsequent

data changes are copied as point-in-time deltas (“snapshots”) from the initial baseline. This drastically

reduced the amount of network bandwidth consumed during the backup process, and storage required

as a whole.


5. The SI Cloud Benefits

• Storage: Data Deduplication of 30% and greater (depending on data type) across 28TB of

enterprise data; Server C drive data (OS) = 59%, Email data = 32%, Network share data = 30%.

• Server: Reduced physical Server counts and data center space footprint

• Power: Reduced power requirements for fewer physical servers

• Self-service: Ability to dynamically provision and consume IT services (infrastructure, platforms,

software, and business services) on demand

Information Assurance:

o Instantly secure and managed service provisioning process

o Greater percentages of company data residing in the data center verses out at end

points/clients (secure, backed up)

• Cost avoidance over traditional physical server architecture

o Reduced new enterprise server hardware/software startup cost by 58%

o Reduced electrical, heat load and air conditioner capacity required by 80%

o Estimate ongoing maintenance cost avoidance to be 15%

o Significant data center floor space savings are attainable however, floor space was not a

factor.

• Enhanced Maintainability and Service

o Improved server/sys-admin ratio by 60% over traditional environments

o Patching and image maintenance: Virtual desktops can be patched once and

recomposed to prevent missed nodes and network traffic associated with traditional

patching and maintenance methods

o Software licensing:

Application Virtualization allows software distribution and license compliance to

live under a more controlled environment in the data center

Application Virtualization allows a user’s application to be accessible regardless

of where they login

Virtual desktops provides mechanisms to prevent unapproved software from

residing on the network

Frequent virtual desktop re-composition and refresh enhances user satisfaction

and ensures license compliance

o Uptime/High Availability/Disaster Recovery

Virtual server and storage capabilities allow computing resources and data to be

moved from problem resources to healthy ones

Virtual Servers and desktops are just data. This data can be easily replicated to

a new physical server or disaster recovery sites so as to reconstitute entire

computing environments in the case of a failover scenario.

6. Lessons Learned

Adhere to sound systems engineering and program management practices to mitigate risk


Vet enterprise requirements to include: tools/capabilities, software products, employees,

subcontractors, users access methods and quantity accessing (local and remote), server

hardware, and desktop/endpoint hardware.

Understand infrastructure requirements and software vendor license bundling / enterprise

agreements in great detail to determine the most cost effective method to license products; e.g.

Consider number of CPU cores per virtual machine (VM), users verses device based licensing,

etc.. e.g. Server Virtualization vendors provide licensing options by both number of VM’s per

server host and CPU cores; other vendors provide licensing options by both user count and

device count.

Prototype/Pilot newer technologies in as close to production enterprise setup as possible to

fully vet.

Investment in high end Storage Area Network (SAN) technology is worthwhile provided time is

spent to learn technology in depth, plan and setup properly to get the full value from it.

Vet virtualization vendor roadmaps, investments, partnerships, and software compatibility with

various endpoint and server platforms.

Push Virtual Machine (VM) density per physical server host (VM’s/server) to maximize capacity

and to obtain optimum savings; must be aggressive but balance performance.

Network physical host servers to shared storage if you desire the flexibility to move VM’s

between different physical hosts

Incrementally implement “Cloud” characteristics (see Appendix A) by importance; i.e. self-

service provisioning and service monitoring may not be critical to get started.

Understand and plan data locality and the limits of replication/synchronization methodologies.

Major SAN providers can only provide active-active synchronization of data within 100 km. Data

that needs to exist outside this radius cannot be synchronized bi-directionally. Storage must be

architected such that unidirectional replication will not overwrite changed data, yet still provide

for sufficient geographical separation to make disaster recovery plans valuable.

Plan primary and backup data requirements carefully in conjunction with Networked Storage

replication/synchronization capabilities and limitations

Not all software can be virtualized (“thinned”) today. Creative means of maintaining user access

to software with these limitations must be implemented, including (but not limited to):

• Remote hosting in a server environment (e.g. RemoteApp)

• Custom VDI pools by role, application, or suite of applications

• Traditional deployment (e.g. SMS/SCCM) to non-virtualized or dedicated clients

Ensure a solid understanding of the network (bandwidth and latency) implications and tradeoffs

of a virtualized desktop and user profile environment. Monitoring, modeling, and simulation are

advisable.

Ensure the enterprise architecture design accounts for the location of all users, clients, servers,

and data. Where these items exist in a network topology will greatly impact the services you

can provide and how they will perform.

Do not become paralyzed by chasing ideals and what’s coming down the road, perform proper

trades/analysis, make design decisions and go.


Ensure time is allocated to test the performance of all system components from all vectors of

usage – small sites, large sites, remote locations, etc.

In a business transition scenario, do whatever it takes to gain appropriate administrative rights

over the source environment to ease migration

Communicate crisply and frequently with the user base

Understand the use cases for all major population centers in the environment.

Ensure all stakeholders are bought into a standard shared/multi-tenant infrastructure; unique

compute requirements may drive more than one standard compute cloud (e.g. high

performance needs) but multiple platform services should be minimized.

Don’t underestimate remote user needs, the value of mobility and ubiquitous access.

7. Conclusion

In a 10 month time period, the SI was able to deploy a full, independent, private cloud infrastructure and

transition off its former parent company’s IT services, enabling all employees to successfully execute

their jobs on day one. The private cloud framework positions the SI well to agilely grow and evolve into

the future. In successfully executing this deployment, numerous lessons were learned that are directly

applicable to any cloud or highly virtualized IT infrastructure deployment.

Most significantly, a high level of rigor and planning is required to successfully implement and migrate to

a cloud. Engaging stakeholders to understand use cases and requirements from across the enterprise,

evaluating technologies, understanding the associated technical roadmaps, and identifying technologies

on the horizon is paramount to ensuring the environment utility, sustainability, and cost effectiveness.

Attempting to meet all of the elements of the cloud in one new deployment is not recommended unless

required; full consideration should be given to established public clouds if information assurance

requirements allow for it. It is critical to prioritize the implementation of services in the environment in

order to minimize impact to the enterprise. While not always an option, a green field approach to cloud

where a new infrastructure can be stood up, and services deployed in, is highly recommended to

maximize strategic advantage. A well designed and engineered cloud infrastructure will be extensible,

enabling more rapid and cost effective change, even after deployment.


Appendix A – Cloud: Definition and Application

NIST defines a cloud architecture as one that includes the following essential characteristics:

• On-demand self-service. A consumer can unilaterally provision computing capabilities, such as

server time and network storage, as needed automatically without requiring human interaction with

each service’s provider.

• Broad network access. Capabilities are available over the network and accessed through standard

mechanisms that promote use by heterogeneous thin or thick client platforms (e.g. mobile phones,

laptops, and PDAs).

• Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using

a multi-tenant model, with different physical and virtual resources dynamically assigned and

reassigned according to consumer demand. There is a sense of location independence in that the

customer generally has no control or knowledge over the exact location of the provided resources

but may be able to specify location at a higher level of abstraction (e.g., country, state, or

datacenter). Examples of resources include storage, processing, memory, network bandwidth, and

virtual machines.

• Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically,

to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities

available for provisioning often appear to be unlimited and can be purchased in any quantity at any

time.

• Measured Service. Cloud systems automatically control and optimize resource use by leveraging a

metering capability at some level of abstraction appropriate to the type of service (e.g. storage,

processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and

reported providing transparency for both the provider and consumer of the utilized service.

Reference:




About The SI Organization, Inc. (The SI)

The SI Organization, Inc. is a leading provider of full life cycle, mission-focused systems engineering and

integration capabilities to the U.S. Intelligence Community, Department of Defense and other agencies. Our

scalable platform for modeling, simulation and analysis helps customers optimize resources and manage

risk. We have a 40-year history of successfully delivering unique system-of-systems technology solutions. In

November 2010, the SI separated from Lockheed Martin and became an independent company. The SI

employs approximately 2,000 people, with major locations in Chantilly, Va.; Laurel, Md.; and Valley Forge,

Pa. For more information, visit thesiorg.com.