Moving to the CloudHHS Directions in Cloud Computing

Mary Forbes, Chief Enterprise ArchitectScott Cory, Capital Planning and Investment Control Officer

4/27/2011

V3b rpc

-2-

Agenda• Why Cloud Computing• HHS Cloud Computing Participants• Understanding Cloud Computing as a

Utility• Choices of Computing Models

– Ownership-based model (Current Vision)– Utility-based Cloud model (Future Vision)

• Benefits of the Cloud Model• What about Security?• Understanding the Cloud

– Understanding the service models– Understanding the deployment models– Cloud Model Challenges

• How does HHS Move to the Cloud• Long term self-service vision• HHS Cloud Planning Strategies• HHS Cloud Acquisition Strategies• What must Acquisition Professionals

Do?• What must Project and Program

Managers Do?

-3-

Why Cloud Computing?Because we Should

• Potential for 20-30% Cost Savings• Potential for rapid acquisition and deployment• Increase agency agility and focus on mission• Provide entirely new capabilities with on-demand vision• Leverage interagency and Government-wide work such as GSA BPA’s

Because we Must• OMB-based “Cloud First” Policy• OMB 25-point IT Management Reform, including:

• CloudFirst Policy and movement to other light on-demand technologies• Data Center consolidation (aided by cloud)• Government-wide acquisition vehicles such as GSA Cloud BPA’s for infrastructure and

EMail• Strategies for shared services• Best practices collaboration

-4-

HHS Cloud Computing Participants

HHS Cloud Computing Activities

HHS Security Group

HHS Enterprise Planning

Lifecycle Group

HHS Acquisitions Community Others…

CTO CouncilChair: John

Teeter

Cloud Computing Advisory Council

Chair: Jaspal Sagoo

HHS Enterprise

Architecture

Federal Cloud Computing

Advisory CouncilLiaison: Mary

Forbes

-5-

Understanding Cloud Comp5 5, uting as a Utility

Cloud Data Centers

Generationas a shared regulatedutility at large scale

DistributionUbiquitous infrastructure at large scale

MeteringStandards based, at individual scale

UsageOn demand at individual scale

App UsersAgency Usage-Based BillingInternet / Intranet

Distribution

Cloud Services Agency Usage

-6-

Computing Model(Current Vision)

• Agency acquires and operates discrete resources• Agency IT manages all phases of computing• Discrete activities per application system, with consequent

inefficiencies

Infrastructure Platform

Application

AcquireAnd Operate

Configure and Maintain

Deploy, Maintain and OperateAgency IT

Once Per Application…

App Users

Use

-7-

Utility-Based Cloud Computing Model

(Future Vision)• Up-front agency or organization acquisition• On demand usage through common contracts• Services span application systems

Cloud Provider

Agency ITInfrastructure

Cloud PlatformCloud Services

Cloud

Provision on Demand

Deploy on Demand Use

OnDemand

Acquire Once per Agency, Use as Needed

Use

Manage Cloud

-8-

Benefits of the Cloud Model

Acquisition

• Reduced effort and expense – acquire once, use on demand• Improved negotiation leverage through consolidated acquisitions• Drives industry standards, especially when coordinated across agencies

Operations

• Faster deployment through provisioning on demand• Reduced cost by using only services as needed• Opportunities for standardization and consolidation at all levels of cloud• Opportunities for improved Records Management through standardization and consolidation

Agility

• Reduced acquisition and configuration time• Improved reuse through common catalog and interfaces• Opportunities for shared and collaborative services

-9-

What about Security?Chief Cloud

Security Challenges

•Multitenancy –What new exposures and controls are there?•Certification – how can I efficiently certify massive infrastructure?•Scale – how many systems does a potential breach affect?•Process – adapting existing processes and standards to the cloud?

Chief Cloud Security Benefits•Efficiency – hardening fixes many targets at once!•Standardization – consistent policies are easier to administer•Leverage – Certifications can be done once and used by many agencies•Process – revisiting process can focus on effectiveness over form

FEDRamp and Cloud Security•FEDRamp (Federal Risk and Authorization Management Program): cross-agency standard approach to Assessing and Authorizing (A&A)•Cloud is the first target thru GSA IaaS BPA•Cloud Computing Security Requirements Baseline•Continuous Monitoring•Assessment and Authorization Approach

-10-

Understanding the Cloud Service Models

Cloud Service Model

Offers On Demand:

Who Uses It Directly?

What’s it For

Infrastructure as a Service (IaaS)

•Virtual Machines•Raw Storage•Network access

Hardware managersSystems managers

Hosting platforms

Platform as a Service (PaaS)

Platforms for:•Testing•Development•Deployment

•Application deployers•Testing Managers•Dev. Managers

Deploying software applications

Software as a Service (SaaS)

Direct application or (SOA) Service Access

•End Users of apps•End users of SOA services

Direct everyday end usage

-11-

Understanding Cloud Deployment Models

Cloud Deployment Model

Operated By Chief Benefits Chief Liabilities

Public Cloud Commercial entities • Cost savings• Rapid access• Mature market

• Security concerns from the other tenants

• Complex accreditation

Private Cloud • Individual agencies or organizations

• Commercial entities under contract

• Eliminates exposure to co-tenants

• Cost savings for very large storage or compute

Requires setup and management

Community Cloud Consortium of agencies • Known co-tenants• Shared expenditure

Requires (shared) setup and management

-12-

Cloud Model ChallengesAcquisition Requirements

• Efficient acquisition policies to avoid “cloud sprawl” and fragmentation• New agreement provisions, including security reporting, outage management and distribution of resources• Provisions to ensure portability and avoid vendor lock-in, both contractually and technically• Sufficient scope to ensure best pricing across operating divisions and staff divisions

Security Requirements

• Details of FEDRamp controls, processes and business models• Details of transitional policies for shared security models• Details of impact on privacy policies

Agility Requirements

• Efficient on-boarding mechanisms to give operating divisions and staff divisions access to the agency acquisitions• Collaborative portals and catalogs to publicize what exists and ensure reuse• Best practices and techniques for migrating existing applications to quickly capture benefits

Operations and Cost Considerations

• Determine and implement enterprise services, particularly Executive Branch Identity and Access Management• Account for and detail transition and ancillary costs, e.g. increased network bandwidth, training, migration• Communicate regarding initial investments required to realize savings• Develop efficient billing mechanisms for just-in-time cost tracking• Define triggers and limits to prevent cost overruns• Define integrated control and provisioning mechanisms for ease of use and management

-13-

How does HHS Move to the Cloud?

HHS Cloud Computing

Establish IT Strategic

GoalsFor using Cloud

Computing

Leverage & Enhance

Current IT Management and Governance

Leverage & Enhance

Existing EA, CPIC and Security Processes &

Tools

-14-

Long Term Agency Self-Service Vision

• Catalog of deployable cloud services driven by Agency Enterprise Architecture inventory

• Agency business managers directly select and provision services on demand

• Includes infrastructure, platforms and applications

• Integrated identity management, billing and help

• Deploy to public or private cloud based on requirements

-15-

HHS Cloud Planning Strategies

IT CapitalPlanning

Security Drivers

Financial Drivers

Functionality

Drivers

Cloud / No CloudAppropriate

Service ModelAppropriate Deployment Model

Prototypes

Pilots

Deploy-ments

Architect Invest Implement

Colla

bora

tion Po

rtal

En

terp

rise A

rchite

cture

HH

S C

loud S

trate

gy

-16-

HHS Cloud Acquisition Strategies

RFI-Driven Information Gathering

•Determine and analyze marketplace through HHS Request for Information•Analyze utility and applicability of existing purchase agreements, e.g. GSA IaaS and EMail BPA•Determine specific acquisition strategies and priorities for both short and long term requirements

Acquisition Execution

•Determine required service agreements and parameters to avoid acquisition risks•Coordinate acquisitions across operating divisions and staff divisions to avoid proliferation, and achieve benefits of scale and ease of provisioning•Acquire resources in coordination with overall Cloud Computing Advisory Committee transition and implementation plan

-17-

What must Acquisition Professionals Do?

Understand …

• What Cloud solutions and acquisitions have been approved for HHS and Federal Use

Participate…

• In Stage Gate and Program Critical Partner Reviews

Collaborate…• With Enterprise Architecture, Capital Planning and IT Security Critical partners• To understand how Cloud computing may (or may not) be an appropriate solution for a project or program

Ensure…• That Alternative Analyses and Acquisition Strategies include approved Cloud Computing solutions and

acquisition vehicles

-18-

What must IT Project and Program Managers Do?

Operational Analysis• Identify gaps in performance and Agency technical architecture where Cloud Computing may be an appropriate

solution

Alternative Analysis

• Propose and evaluate Cloud Computing solutions against other alternatives

Acquisition Strategy

• Propose use of approved Cloud Computing acquisition vehicles

Project Process Agreement

• Propose tailored approach to take advantage of benefits of rapid prototyping and on-demand provisioning