Government Transparency: Cross-cutting Business Use Cases for Cloud Computing. Dr. Richard L. Klobuchar, SAIC August 17, 2011. Introduction. “Cloud-First” Strategy and 25-Point Plan Important Role of NIST – Definitions, FedRAMP, Reference Architecture, SAJACC, Business Use Cases
Introduction
• “Cloud-First” Strategy and 25-Point Plan
• Important Role of NIST – Definitions, FedRAMP, Reference Architecture, SAJACC, Business Use Cases
• Why, When, and Where does it make good business sense to migrate to a cloud?
• Cross-cutting business use cases – What business functions make sense?
• Role of GSA Infrastructure-as-a-Service (IAAS) and Email-as-a-Service (EAAS) – NEW!!!
• Observations and final thoughts to ponder
• Late breaking news from the Cloud PMO
Federal Government Drivers and Trends: 25-Point Plan including “Cloud-First” Strategy (Dec 9, 2010)
“Cloud First” Strategy
• Begins immediately with three (3) parts:
  • Use commercial cloud technologies where feasible
  • Launch private government clouds
  • Utilize regional clouds with state and local governments
• Default to cloud-based solutions
• 3.1 Publish cloud strategy
  • Federal CIO will publish a strategy to accelerate the safe and secure adoption
  • NIST will facilitate and lead the development of standards
• 3.2 Jump-start the migration to cloud technologies
  • …required to identify three “must move” services and create a project plan for migrating each of them to cloud solutions and retiring the associated legacy systems. Of the three, at least one of the services must fully migrate to a cloud solution within 12 months and the remaining two within 18 months.
PART I: ACHIEVING OPERATIONAL EFFICIENCY
A. Apply “Light Technology” and Shared Solutions
• Complete detailed implementation plans to consolidate at least 800 data centers by 2015
• Create a government-wide marketplace for data center availability
• Shift to a “Cloud First” policy
• Stand-up contract vehicles for secure IaaS solutions
• Stand-up contract vehicles for commodity services
• Develop a strategy for shared services
Federal Cloud Computing Strategy subsequently published on Feb 8, 2011
Primary Activities within the Federal Cloud PMO
• Apps.gov: 1st Federal storefront offering commoditized cloud services
• FedRAMP: “Authorize Once, Use Many” approach to security for Cloud Service Providers
• Federal Data Center Consolidation Initiative: Assist agencies to consolidate at least 800 data centers by FY15
• Infrastructure-as-a-Service (IAAS): Commodity computing resources made available through GSA BPA
• Software-as-a-Service Email: Cloud Email to be made available (Summer 2011) through BPA
• Platform-as-a-Service (Geospatial): Geospatial PAAS work currently underway
• Other related:
  • Trusted Internet Connections (TIC)
  • Green IT
  • IPv6
Business Use Cases Addressed Here
Reinforcing the Federal Strategic Decision re Cloud Computing
• Federal Cloud Computing Strategy called out the important role of NIST in promoting standards and security measures for cloud computing:
• Cloud Definitions and Guidance:
  • Formal Definition of Cloud Computing in Special Publication SP800-145
  • Security and Privacy Guidelines for Public Cloud Computing in SP800-144
• Industry/Government Working Groups/Committees established for:
  • FedRAMP (Federal Risk Assessment Management Program) for cross agency C&A with utilization of NIST SP800-53 as a tech basis under FISMA
  • SAJACC (Standards Acceleration to Jumpstart Adoption of Cloud Computing)
  • Reference Architecture definition
  • Business Use Cases definition
Recently established Cloud “Best Practices” Working Group (now addressing details of how business use cases should be implemented)
NIST 3-Part Cloud Definition
Service Models
• Software-as-a-Service is access to virtualized applications via thin clients (e.g., Web browser)
• Platform-as-a-Service is access to programming environments and tools
• Infrastructure-as-a-Service is access to an operating environment (e.g., servers, storage, network)
Deployment Models
• Cloud infrastructure operated solely for a single organization; can be 3rd party; on- or off-premises
• Cloud infrastructure shared by multiple organizations with similar mission or interest; can be 3rd party; on- or off-premises
• Cloud infrastructure is property of the cloud provider and open to everyone
• Combination of two (2) or more deployment types; enabling portability and cloud bursting
Essential Characteristics
• On-Demand Self-Service
• Broad Network Access
• Resource Pooling
• Rapid Elasticity (scale up/down)
• Measured Service
Most organizations perform a common set of business functions that are amenable to a cloud-based approach within the 4 NIST deployment models – Cross-cutting BUCs
Important to Appreciate the Tradeoffs between Cost and Security for the Cloud Deployment Models
[Figure: deployment models Public, Community, Private; axis labels Cost Savings and Risk Reduction]
Why Government Is Turning to the Cloud?
• Agility, speed, and flexibility
  • Rapid deployment and change management (Minutes vs. months to provision IT resources)
  • Adaptable to changing/unpredictable business needs
  • Ideal for cyclical or episodic circumstances
  • User self-service capabilities possible
• Financial benefits
  • Cost savings vs. legacy (some perceived, some real)
  • “Pay-as-you-go” model reduces financial risk and exposure
  • Move from capital (CapEx) to operating expense (OpEx)
  • A “natural” for Green IT and data center consolidation mandates
Why Government Is Turning to the Cloud?
• Simplicity and convenience
  • Easy, on-demand procurement of cloud services “promised”
  • Encourages use of standardized resources/applications
  • Easy mobile access to applications globally
• New capabilities
  • New integrated solutions not feasible before
  • Most security risks well mitigated and being addressed by FedRAMP
  • New citizen services opportunities facilitated by wide cloud adoption
Besides, “Cloud-First” is now mandated for Government!!!
Mission Areas for Government Business Use Cases Leveraging NIST Cloud Characteristics
Agencies with:
• Large eGovernment, public, info dissemination mission, and those subject to “flash” crowds should be among the first adopters. NO BRAINER! with minimal security risk
• A cyclical and seasonal set of requirements (e.g., Census, IRS, NOAA, DOE, Agriculture)
• Large databases and statistical responsibility requiring large-scale scientific and technical computing resources (to largely be on standby)
Mission Areas for Government Business Use Cases Leveraging NIST Cloud Characteristics
Agencies with:
• Episodic requirements which can benefit from rapid, on-demand cloud provisioning
  • Emergency management per the Federal Response Plan with 28 agencies and FEMA
  • International support (e.g., Japanese Earthquake and Tsunami; Middle East crises, etc.)
• e-Filing, complex multi-directional object submission, public collaboration, benefits transfer, and grants management -- “eGovernment Applications”
Mission Areas for Government Business Use Cases – Leveraging NIST Cloud Characteristics
Agencies with:
• Broad and distributed defense, international, financial, and intelligence responsibility needing to:
  • Gather information, collaborate, analyze, visualize, develop situational awareness, and deliver information
  • Also includes mobile delivery
  • Examples: border surveillance; financial market surveillance, environmental monitoring
Mission Areas for Government Business Use Cases Leveraging NIST Cloud Characteristics
Agencies with:
• Well-defined communities and regulatory responsibility to adopt a “push/pull” scenario for secure access to “regulated distributed databases”
  • Collaboration with states, localities, and regulated industries (within 1 - 2 years)
  • Examples: “Smartgrid”, Healthcare, Energy, Financial, Environmental, Emergency Management, etc.
• Well-defined business functions that can be typically out-sourced and acquired as SaaS, such as HR and Financial Management (FM)
Cross-cutting Business Use Cases
Most organizations perform a common set of business functions that are amenable to a cloud-based approach within the 4 NIST delivery models:
• Development and test
• Search and retrieval
• Records management services and digital notary
• Information dissemination
• e-Filing – electronic submission of documents/data with receipts and validation (“electronic mailroom”)
• Benefits and grant transfer
• Collaboration and information sharing
• Social networking
• Mobile access / delivery
• Communications (email & messaging)
• eDiscovery, statistical analysis, and analytics
• Geospatial services (PAAS)
• Workflow management
• Archiving and data storage
• Document management
• Backup and Recovery and Continuity of Operations (COOP)
• Data gathering and situational awareness
• FOIA support services
• ITIL and SLA Management-as-a-Service
• Managed Security Services (e.g., Identity Mgmt, Penetration Testing, Persistent PKI, Continuous Monitoring, Intrusion Detection, Managed Endpoint Security)
Secure eFiling with Records Management and Interchange Across Business Partners Infrastructure-as-a-Service
GSA IAAS Provides the Infrastructure for Hosting the BUCs
• Apptis Inc. partnered with Amazon Web Services
• AT&T
• Autonomic Resources partnered with Carpathia, Enomaly, and Dell
• CGI Federal
• Computer Literacy World partnered with Electrosoft, XO Communications and Secure Networks
• Computer Technology Consultants partnered with Softlayer, Inc.
• Eyak Tech LLC
• General Dynamics Information Technology (GDIT) partnered with Carpathia
• Insight Public Sector partnered with Microsoft
• Savvis Federal Systems
• Verizon Federal Inc (now with Terremark)
Issues and Observations:
• Number of awardees is very high. Looks like every firm/organization that applied received an award
• Awardees currently striving to achieve FISMA Moderate security assessment via FedRAMP.
• The GSA BPA for IAAS DID NOT provide for SI services, nor any labor services for actual development and migration of agency apps/data/use cases to the cloud
• IAAS was pure, low-cost, commodity cloud services BPA for servers, storage, and network resources
• Agencies are beginning to be inundated and perplexed as to whom to select? Why? How do they get to the promised land? What functions and business use cases should they implement?
Major Agency Systems Integration Concerns Needing to be Addressed Under GSA IAAS
• “What should agencies do?” (Especially, in light of the OMB 25-Point Federal IT Reform Plan)
• “How should they do it?”
• “How should they interact with FedRAMP?”
• “Which cloud vendor(s) should they select and why?” SLA differences?
• “What applications and data should be migrated?”
• “How much is it going to cost?”
• “How do they manage and govern the process of cloud migration?”
• “What are the key risks and mitigation measures?”
• “Should they use existing contract vehicles or issue a new development/migration purchase order?”
NEW: GSA EAAS Embeds Many NIST Business Use Cases
• Even more competitors are expected with $2.5B ceiling
• Now contains applications migration and integration services with 11 labor categories
• FedRAMP up to FISMA HIGH
• Many NIST cross-cutting business use cases now incorporated in lots:
  • Email and collaboration
  • eDiscovery and searching
  • Archiving, storage, backup and restore services
  • Social networking (ala Web page development)
  • Records management services
  • Mobile delivery
• Five (5) service offerings:
  • Lot 1: Email-as-a-Service
  • Lot 2: Office Automation
  • Lot 3: Electronic Records Management
  • Lot 4: Migration Services
  • Lot 5: Integration Services
• Four (4) categories of cloud computing:
  • Government community cloud
  • Provider-furnished equipment private cloud
  • Secret enclave
  • Public cloud
Observations and Final Thoughts To Ponder…
• NIST Business Use Cases are viable for implementation in a cloud. Several implementations already exist as exemplars with lessons learned
• Many organizations are beginning with a private cloud--a safe but less cost-effective starting point.
• Many IT organizations view a cloud computing roadmap as a technology implementation rather than a change agent for business processes.
• They need to partner with the CFO and other internal stakeholders to deliver business process value first and foremost
• More of a business transformation than a technology revolution
• An enlightened design can securely integrate internal and external resources – learn and appreciate the standards – especially security and interoperability
Observations and Final Thoughts To Ponder…
• The public cloud will become more secure and less risky as time goes on. Virtually every organization has something like information dissemination or e-learning that can be a test case for the public cloud
• Besides, you can always encrypt and store the keys in your trusted private environment
• Community clouds will initially form around classes of users. Over time, however, communities will align to feature certain capabilities (like financial management providers) in clouds optimized to provide that kind of service.
• Prescient organizations will redefine the role of the IT department as part of a move to cloud computing. Personnel will need training and eventual redeployment to harness the talent and achieve efficiencies.
Late-Breaking News…
• NIST Business Use Cases, Best Practices, Reference Architecture, and Standards
• Infrastructure-as-a-Service (IAAS) Availability
• E-Mail-as-a-Service (EAAS)
• FedRAMP Implementation
Contact Info Dr. Richard L. Klobuchar SAIC VP and Chief Scientist/Engineer Homeland and Civilian Solutions Richard.L.Klobuchar@saic.com (757) 560-5590