Key Questions and Concepts When Considering the Cloud Hemanth Setty, CTO Recovery Accountability and Transparency Board

Upload: eileen-berry

Post on 25-Dec-2015


Page 1: Key Questions and Concepts When Considering the Cloud Hemanth Setty, CTO Recovery Accountability and Transparency Board

Key Questions and Concepts When Considering the Cloud

Hemanth Setty, CTO
Recovery Accountability and Transparency Board

Humans Have Always Desired Connecting

In 1962, a computer pioneer said, "There is no reason to suppose the average boy or girl cannot be master of a personal computer."

Soon after, PCs arrived and have kept changing and changing.

THEN

NOW

History Repeats Itself

With Risk There Is Opportunity
With Opportunity There Is Innovation

Shawn Kingsberry, CIO
Recovery Accountability and Transparency Board

Comfort Level vs Security

We’ve come a long way but the journey continues.

Confusion Helps Sell or Does it? Have Your Taste of Technology Soup!

What should be public, private, and hybrid cloud environments?

• Every agency and industry company has a Program of Work (“POW”).
• The POW should be the body of work being executed, which should consist of:
  • Vision / Strategy / Mission
  • Budget
  • Programs
  • Objectives
  • Discrete projects to meet program objectives
• Risks flagged in your portfolio require solution alternatives.

SOLUTION ALTERNATIVES = PEOPLE / PROCESS / TECHNOLOGY

• THIS IS WHERE TECHNOLOGY COMES INTO PLAY

What should be public, private, and hybrid cloud environments? Cont..

• Comfort level vs security
• Data Classification
• FISMA – HIGH / MED / LOW

Once you are ready to assess “SOLUTION ALTERNATIVES”, you now live in two key areas:

What should be public, private, and hybrid cloud environments? Cont..

Mobile

Cloud Computing & Virtualization

Information Assurance

Cloud, Mobile, and Information Assurance are Enablers of Data.

It’s All About the DATA

NIST Cloud Definitions

• Private Cloud: The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units). It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

• Public Cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

• Community Cloud: The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

• Hybrid Cloud: The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Special Publication 800-145

What operational and security issues arise when using public cloud services?

Several issues may arise when government agencies consider transitioning to cloud computing. Here are some prominent concerns:

• Control
• Security
• Reliability
• Quality
• Ownership
• Interoperability
• Portability
• Standards
• Vendors
• Governance
• Culture
• Compliance

What are some of the infrastructure issues that come from additional bandwidth requirements and cause increases in the latency of applications?

• A critical message to keep in mind when searching for cloud services as “SOLUTION ALTERNATIVES”: the services have to be reached.

• Requirements for architecture development best practices still exist.

• “IT’S ALL ABOUT THE DATA”. If you have a geographically dispersed customer base and you would like to run specific services in any “Cloud Method”, there are considerations:
  • Authentication and Authorization
  • Large Data Sets
  • Virtual Desktop Infrastructure (“VDI”)
  • Business Applications (e.g., Time and Attendance, Registration)

What are some of the infrastructure issues that come from additional bandwidth requirements and cause increases in the latency of applications?

Five layers of complexity are unpredictable in nature and must therefore be considered when migrating applications to the cloud:

• Distributed computing

• Lack of Measurement Tools

• Virtualization

• Prioritizing traffic and QoS

• Evasive cloud providers

Can we truly secure the data and servers in the cloud?

• You can secure data and servers leveraging Cloud Services.

• It seems that whenever we talk about cloud services and security, we assume we’re talking about “Public Cloud”.

• All cloud providers providing infrastructure as a service “do not” provide the same level of service.

• Isolate your data to the United States
  • The contiguous United States is the 48 adjoining U.S. states on the continent of North America that are south of Canada and north of Mexico, plus the District of Columbia. The term excludes the non-contiguous states of Alaska and Hawaii, and all off-shore U.S. territories and possessions, which include American Samoa, Guam, the Northern Mariana Islands, Puerto Rico, and the United States Virgin Islands.

• Make it a network problem
• Control the net flow

• Encryption
• Trusted Internet Connection
• Cloud Service Provider provided encryption

What should one consider when contracting cloud services from a public carrier?

• Recognize and communicate to key decision-makers that the Federal Acquisition Regulation (FAR) is flexible enough to leverage and optimize Cloud.

• From the outset, plan your procurement with your CIO, Chief Financial Officer (CFO), security, IT, contracts, legal, law enforcement, program and other specialists. Keep them involved every step through award and initial implementation.

• Consider issuing a Request for Information to determine if the market can meet your needs.

• If you choose the IaaS BPA, which doesn’t fully cover all Cloud services, craft your Request for Proposal (RFP) to allow a creative response to meet all of your service needs.

• Investigate and consider using all vehicles and avenues, including Application as a Service (AaaS) contracts, GSA schedules, small business vehicles, and full and open competitive contracts.

• It’s easy to purchase more services than necessary, so ensure your contract is flexible enough to scale back as your needs change.

• Make sure you have a detailed and clear exit path, with costs clearly spelled out, that allows you to take your data with you if you decide to leave that Cloud.

• Service Level Agreements (SLAs) can’t be too clear. Establish precisely your responsibilities and those of the Cloud Service Provider.

• Consider purchasing services for five to six servers to test your application (it won’t cost a lot).

• Don’t take anything for granted; if it’s not in the contract, you won’t get it.

What performance measures should we use to evaluate the public cloud?

With the understanding that “BUSINESS DRIVES TECHNOLOGY”, performance measures should be driven by the service migrated to the cloud service provider. Performance measures will vary based on the respective service.

If you migrate “EMAIL SERVICE” from being hosted on premise to a cloud service provider, you should use your existing performance requirements as your baseline.

If you are migrating your physical servers to a cloud service provider, each system being migrated should have current performance requirements. Use the current performance requirements as the baseline. To truly match or exceed existing performance requirements, you will need to leverage cloud capabilities.

What performance measures should we use to evaluate the public cloud?

Key factors for evaluating services

• Performance

• Technology stack

• SLAs and reliability

• APIs: Lock-in

• Security and compliance

• Cost

Key Questions and Concepts When Considering the Cloud

Questions?