governance strategies for cloud transformation | aws public sector summit 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Matthew McGuire, GSA, Director, Technology Solutions Division Guy Cavallo, TSA, Executive Director, IT Operations Brian Anderson, AWS, Sr. Consultant, Professional Services June 20, 2016 Governance Strategies for Cloud Transformation

Upload: amazon-web-services

Post on 16-Apr-2017


Page 1: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Matthew McGuire, GSA, Director, Technology Solutions Division

Guy Cavallo, TSA, Executive Director, IT Operations

Brian Anderson, AWS, Sr. Consultant, Professional Services

June 20, 2016

Governance Strategies for Cloud Transformation

Page 2: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Goals for the session

• Definition and overview of cloud governance

• Cloud center of excellence (CCoE)

• Stages of cloud governance

• Cloud governance best practices

• GSA — Review of business services platform (BSP)

• TSA — Discussion of governance

• Question and answer

Page 3: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Definition of cloud governance

The decision-making criteria, processes, and policies involved in the planning, architecture, acquisition, deployment, operation and management used for operating IT services in the cloud.

— Cloud governance allows IT to innovate, automate, and quickly deploy code and infrastructure while maintaining the necessary requirements for security, audit, control, and compliance.

Page 4: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Goals for cloud transformation

Continuous integration

Fail fast

Design for cost

Rapid deployment

Page 5: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Why governance?

1. Reduction in access and security risks

2. Development of cloud standards — delivery, tools, process

3. Management of application design: CI and CD design

4. Cost optimization

5. Increased innovation for business units

6. Elimination of rogue IT and disparate cloud initiatives

7. Management of the consumption of cloud resources

Page 6: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Cloud governance opportunities

• Speed — Enable business at cloud speed and cost

• Integration — Complementary to existing enterprise IT governance processes, policies, and tools

• Balance — Appropriate coverage for key decisions, investments, and risks while achieving the benefits of the cloud

• Proactivity — Anticipate and prevent shadow clouds and unauthorized cloud activities that expose organizational risks

• Enablement — Appropriate cloud decision making without friction

Page 7: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Cloud center of excellence (CCoE)

Page 8: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Cloud center of excellence (CCoE)

The cloud center of excellence is a team of executives and IT area experts that authors cloud governance to enable business units to access a self-service model, and provides a catalog of standardized and templated instances from which to select and autoprovision.

Page 9: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016
Page 10: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Stages of cloud governance

Page 11: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Levels of cloud governance

L0 – Decentralized control

L1 – Centralized control

L2 – Decentralized control with automation

L3 – Centralized control with self-service

Page 12: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Three phases of cloud governance

Beginning

• Minimal integration

• Reactive environment

• Cost overruns

• Manual deployments

• No cloud structure

Adopting

• CCoE is in place and policies are maturing

• Policies matched to process

• Designing for cost

• Rapid deployment

Mature

• Full automation and self-service

• Benefits of cloud services realized

• Agility and control

• Optimized for cost

• Secure and compliant environment

Page 13: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Phase 1: Beginning

1. Create the CCoE to develop and own governance and its policies

2. Develop governance model and establish policies for:

• Security

• Account management

• Cost

• Network

• Instance and storage

• Service management

• Monitoring and reporting

3. Begin to modify the deployment process and policies and look to automate

• Develop governing policies to enable automated approval cycles

• Develop financial policies to enable BUs to quickly stage POCs

Page 14: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Phase 2: Adopting

1. Develop self-service policies

2. Develop data governance policies

3. Develop continuous integration / deployment policy

4. Develop design-for-cost architecture guidelines

5. Develop cloud audit and compliance policies

6. Develop a common API design framework

Page 15: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Phase 3: Mature

1. Develop advanced automation techniques and policies to promote further cost reduction, agility, and resiliency:

• Automated testing and code promotion from each tier to production

• Automated DR and recovery testing — Chaos Monkey / Chaos Gorilla

• Automated instance power down / power up for non-Reserved Instances

• Utilization of Spot Instances — when and where to use

2. Develop transition policies to define services and SOA

3. Develop policies allowing existing applications to test-for-cost (scale up / scale out)

Page 16: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Cloud governance best practices

• Establish a CCoE and begin developing/updating policies

• Tailor your governance process to your organization’s particular risk tolerance

• Decide where to leverage existing processes versus establishing new ones

• Make the process as lightweight as possible and as informative as possible to create a positive user experience

• Start early in the transformation so you can get business and IT feedback and support

• Rely on use-case reviews to improve your processes

Page 17: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016


Matthew McGuire

Director, Technology Solutions Division

June 20, 2016

GSA Business Services Platform

Enabling Greater Agency Agility to Drive Mission Impact

Page 18: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

The GSA cloud transformation

“Worked fine in dev…” “...OPS has problems”

Then (data center)

• Days/months to provision

• Months to app ATO

• One-off configs for every app

• Size to peak demand

• Long, painful outages

• Everything needs software

Page 19: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

What is BSP and how does it transform IT

Now (BSP)

• Minutes to provision

• Weeks to app ATO

• Standard app stacks/services

• Automated scalability

• Immediate server redeployment

• Automated — Infrastructure as code, continuous delivery

• Secure — Multitenant, security driven architecture

• Cost effective — Pay for what you use

• Metrics — Visibility into usage and cost

• Modernization platform — Get to the cloud

Page 20: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

BSP is a modernization platform

[Figure. Vertical axis: Security control inheritance. Horizontal axis: Degree of automation and cloud optimization.]

Mode 1: Compute, network, storage

Mode 2: OS optimization

Mode 3: Fully automated stack services

Other labels in the figure: DevOps orchestration; Infrastructure as code; Migrated apps, optimized apps, automated apps

• Choose the mode that best suits your application and level of cloud optimization

• Mode 3 apps inherit >85% of all ATO security controls

Page 21: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Developer experience

1. Choose app stack

2. Customize stack

3. Stage content

4. Run preconfigured orchestration job

5. Application fully deployed

Template file

• Component configs

• Cluster sizes

• Auto Scaling

• Etc.

Orchestration workflow

1. Jenkins initiates deployment through Ansible Tower

2. Generate custom AWS Identity and Access Management (IAM) policy and Amazon CloudFormation template

3. Create app IAM role and store SSL certs for ELB

4. Autogenerate Amazon CloudFormation stack

5. Deploy infrastructure

6. Invoke Ansible callback

7. Run Ansible config roles, including app deployment

[Diagram label: AWS IAM]

Page 22: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Security & Reliability

Page 23: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016

Benefits

Enabling greater agency agility to drive mission impact

• Speed and flexibility

• Configuration control

• Scalability

• Security

• Reliability

Page 24: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016


Guy Cavallo

Executive Director, IT Operations

Transportation Security Administration

Page 25: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016


Question and Answer

Page 26: Governance Strategies for Cloud Transformation | AWS Public Sector Summit 2016