Moving to the Cloud
HHS Directions in Cloud Computing
Mary Forbes, Chief Enterprise Architect
Scott Cory, Capital Planning and Investment Control Officer
4/27/2011
V3b rpc
-2-
Agenda
• Why Cloud Computing
• HHS Cloud Computing Participants
• Understanding Cloud Computing as a Utility
• Choices of Computing Models
  – Ownership-based model (Current Vision)
  – Utility-based Cloud model (Future Vision)
• Benefits of the Cloud Model
• What about Security?
• Understanding the Cloud
  – Understanding the service models
  – Understanding the deployment models
  – Cloud Model Challenges
• How does HHS Move to the Cloud
• Long term self-service vision
• HHS Cloud Planning Strategies
• HHS Cloud Acquisition Strategies
• What must Acquisition Professionals Do?
• What must Project and Program Managers Do?
-3-
Why Cloud Computing?
Because we Should
• Potential for 20-30% Cost Savings
• Potential for rapid acquisition and deployment
• Increase agency agility and focus on mission
• Provide entirely new capabilities with on-demand vision
• Leverage interagency and Government-wide work such as GSA BPAs
Because we Must
• OMB-based “Cloud First” Policy
• OMB 25-point IT Management Reform, including:
  • CloudFirst Policy and movement to other light on-demand technologies
  • Data Center consolidation (aided by cloud)
  • Government-wide acquisition vehicles such as GSA Cloud BPAs for infrastructure and EMail
  • Strategies for shared services
  • Best practices collaboration
-4-
HHS Cloud Computing Participants
[Diagram: participants in HHS Cloud Computing Activities]
• HHS Security Group
• HHS Enterprise Planning Lifecycle Group
• HHS Acquisitions Community
• Others…
• CTO Council (Chair: John Teeter)
• Cloud Computing Advisory Council (Chair: Jaspal Sagoo)
• HHS Enterprise Architecture
• Federal Cloud Computing Advisory Council (Liaison: Mary Forbes)
-5-
Understanding Cloud Computing as a Utility
• Generation: as a shared regulated utility at large scale
• Distribution: ubiquitous infrastructure at large scale
• Metering: standards based, at individual scale
• Usage: on demand at individual scale
[Diagram labels: Cloud Data Centers; Distribution (Internet / Intranet); Cloud Services; Agency Usage; Agency Usage-Based Billing; App Users]
-6-
Computing Model (Current Vision)
• Agency acquires and operates discrete resources
• Agency IT manages all phases of computing
• Discrete activities per application system, with consequent inefficiencies
[Diagram labels: Infrastructure; Platform; Application; Acquire and Operate; Configure and Maintain; Deploy, Maintain and Operate; Agency IT; Once Per Application…; App Users; Use]
-7-
Utility-Based Cloud Computing Model (Future Vision)
• Up-front agency or organization acquisition
• On demand usage through common contracts
• Services span application systems
[Diagram labels: Cloud Provider; Agency IT; Infrastructure; Cloud Platform; Cloud Services; Cloud; Provision on Demand; Deploy on Demand; Use On Demand; Acquire Once per Agency, Use as Needed; Use; Manage Cloud]
-8-
Benefits of the Cloud Model
Acquisition
• Reduced effort and expense – acquire once, use on demand
• Improved negotiation leverage through consolidated acquisitions
• Drives industry standards, especially when coordinated across agencies
Operations
• Faster deployment through provisioning on demand
• Reduced cost by using only services as needed
• Opportunities for standardization and consolidation at all levels of cloud
• Opportunities for improved Records Management through standardization and consolidation
Agility
• Reduced acquisition and configuration time
• Improved reuse through common catalog and interfaces
• Opportunities for shared and collaborative services
-9-
What about Security?
Chief Cloud Security Challenges
• Multitenancy – What new exposures and controls are there?
• Certification – how can I efficiently certify massive infrastructure?
• Scale – how many systems does a potential breach affect?
• Process – adapting existing processes and standards to the cloud?
Chief Cloud Security Benefits
• Efficiency – hardening fixes many targets at once!
• Standardization – consistent policies are easier to administer
• Leverage – Certifications can be done once and used by many agencies
• Process – revisiting process can focus on effectiveness over form
FedRAMP and Cloud Security
• FedRAMP (Federal Risk and Authorization Management Program): cross-agency standard approach to Assessing and Authorizing (A&A)
• Cloud is the first target through GSA IaaS BPA
• Cloud Computing Security Requirements Baseline
• Continuous Monitoring
• Assessment and Authorization Approach
-10-
Understanding the Cloud Service Models
Infrastructure as a Service (IaaS)
  Offers On Demand: Virtual Machines; Raw Storage; Network access
  Who Uses It Directly? Hardware managers; Systems managers
  What’s it For: Hosting platforms
Platform as a Service (PaaS)
  Offers On Demand: Platforms for Testing, Development, Deployment
  Who Uses It Directly? Application deployers; Testing Managers; Dev. Managers
  What’s it For: Deploying software applications
Software as a Service (SaaS)
  Offers On Demand: Direct application or (SOA) Service Access
  Who Uses It Directly? End Users of apps; End users of SOA services
  What’s it For: Direct everyday end usage
-11-
Understanding Cloud Deployment Models
Public Cloud
  Operated By: Commercial entities
  Chief Benefits: Cost savings; Rapid access; Mature market
  Chief Liabilities: Security concerns from the other tenants; Complex accreditation
Private Cloud
  Operated By: Individual agencies or organizations; Commercial entities under contract
  Chief Benefits: Eliminates exposure to co-tenants; Cost savings for very large storage or compute
  Chief Liabilities: Requires setup and management
Community Cloud
  Operated By: Consortium of agencies
  Chief Benefits: Known co-tenants; Shared expenditure
  Chief Liabilities: Requires (shared) setup and management
-12-
Cloud Model Challenges
Acquisition Requirements
• Efficient acquisition policies to avoid “cloud sprawl” and fragmentation
• New agreement provisions, including security reporting, outage management and distribution of resources
• Provisions to ensure portability and avoid vendor lock-in, both contractually and technically
• Sufficient scope to ensure best pricing across operating divisions and staff divisions
Security Requirements
• Details of FedRAMP controls, processes and business models
• Details of transitional policies for shared security models
• Details of impact on privacy policies
Agility Requirements
• Efficient on-boarding mechanisms to give operating divisions and staff divisions access to the agency acquisitions
• Collaborative portals and catalogs to publicize what exists and ensure reuse
• Best practices and techniques for migrating existing applications to quickly capture benefits
Operations and Cost Considerations
• Determine and implement enterprise services, particularly Executive Branch Identity and Access Management
• Account for and detail transition and ancillary costs, e.g. increased network bandwidth, training, migration
• Communicate regarding initial investments required to realize savings
• Develop efficient billing mechanisms for just-in-time cost tracking
• Define triggers and limits to prevent cost overruns
• Define integrated control and provisioning mechanisms for ease of use and management
-13-
How does HHS Move to the Cloud?
[Diagram: HHS Cloud Computing]
• Establish IT Strategic Goals For using Cloud Computing
• Leverage & Enhance Current IT Management and Governance
• Leverage & Enhance Existing EA, CPIC and Security Processes & Tools
-14-
Long Term Agency Self-Service Vision
• Catalog of deployable cloud services driven by Agency Enterprise Architecture inventory
• Agency business managers directly select and provision services on demand
• Includes infrastructure, platforms and applications
• Integrated identity management, billing and help
• Deploy to public or private cloud based on requirements
-15-
HHS Cloud Planning Strategies
[Diagram labels: IT Capital Planning; Security Drivers; Financial Drivers; Functionality Drivers; Cloud / No Cloud; Appropriate Service Model; Appropriate Deployment Model; Prototypes; Pilots; Deployments; Architect; Invest; Implement; Collaboration Portal; Enterprise Architecture; HHS Cloud Strategy]
-16-
HHS Cloud Acquisition Strategies
RFI-Driven Information Gathering
• Determine and analyze marketplace through HHS Request for Information
• Analyze utility and applicability of existing purchase agreements, e.g. GSA IaaS and EMail BPA
• Determine specific acquisition strategies and priorities for both short and long term requirements
Acquisition Execution
• Determine required service agreements and parameters to avoid acquisition risks
• Coordinate acquisitions across operating divisions and staff divisions to avoid proliferation, and achieve benefits of scale and ease of provisioning
• Acquire resources in coordination with overall Cloud Computing Advisory Committee transition and implementation plan
-17-
What must Acquisition Professionals Do?
Understand…
• What Cloud solutions and acquisitions have been approved for HHS and Federal Use
Participate…
• In Stage Gate and Program Critical Partner Reviews
Collaborate…
• With Enterprise Architecture, Capital Planning and IT Security Critical partners
• To understand how Cloud computing may (or may not) be an appropriate solution for a project or program
Ensure…
• That Alternative Analyses and Acquisition Strategies include approved Cloud Computing solutions and acquisition vehicles
-18-
What must IT Project and Program Managers Do?
Operational Analysis
• Identify gaps in performance and Agency technical architecture where Cloud Computing may be an appropriate solution
Alternative Analysis
• Propose and evaluate Cloud Computing solutions against other alternatives
Acquisition Strategy
• Propose use of approved Cloud Computing acquisition vehicles
Project Process Agreement
• Propose tailored approach to take advantage of benefits of rapid prototyping and on-demand provisioning