5-¾ Things We Learned Brokering Clouds

Why you should trust your Broker more than your Banker

Booz Allen Cloud Solutions

After 5 years of enterprise automation, the subsequent move to cloud over the past couple of years renamed our efforts brokering. During that time, we learned a few things. Here are the top 5:

#5—Open is more closed than you think

Code evolves. New features and bug fixes are a fact of IT. Sometimes, portions of open source projects diverge. There are times when the fragments trend in a direction that the original consumer did not anticipate. All of these changes may create upgrade issues, especially when the newer software releases will not operate with the custom “glue” code implemented in-house. The original code author may no longer be available, and now the “open” system cannot even be patched. What’s missing is the framework that allows code interchange for extendibility and extensibility.

At the core of the Booz Allen brokerage experience is a suite of open source tools in a modular Cloud Broker Reference Architecture (CBRA) called the Open Cloud Broker (OCB). This architecture gives Booz Allen customers the flexibility and vendor-agnostic technology to keep up with the fast-moving cloud target.

Developed with Red Hat, the most trusted open source corporation, CBRA uses Red Hat’s Cloud Forms, Enterprise Linux, and JBoss. This combination, packaged with other Apache projects for messaging and orchestration, provides a basis for future flexibility.

Published in 2014, OCB’s messaging and orchestration enables truly open modularity. As new technologies become available, new lower cost Cloud Service Providers (CSP) overtake incumbents, or client requirements dictate custom development, modules can be replaced at will without risk of damaging the architecture. Combined with templates for simple extensions to other vendors and customizations, the OCB truly gives the community brokerage access and control.

[Figure 1: Cloud Broker Reference Architecture. Components shown in the diagram: Administrator Portal, User Portal, Marketplace, Automation, Monitoring, Rules Engine, Service Bus, BPMS & Enterprise, Cloud Orchestration Engine, and the IaaS, PaaS, SaaS, XaaS, TaaS, and Data Brokers.]

#4—Customers always NEED more…

Scope creep—it’s more than real, it’s expected, along with cost overruns, delivery delays, and just plain overall discomfort. An achievable Statement of Work with well-defined goals is a cornerstone for Project Managers, especially in proofs of concept. Scope creep could mean adding “just one more” use case, server type, feature, etc. For a broker, ease of use, good documentation, and an extendable solution are paramount to success. If they are coupled with the published, open source code, these needs may be effectively self-serviced.

#3—Stickiness Kills!

The first goals of sales are to plant a stake with an attractive product, demonstrate mastery, become a trusted advisor, and expand your territory. Your advantage becomes insurmountable when your service is sticky—simply put, when your customer’s processes rely so heavily on your systems and your products are so deeply embedded that the costs could never justify your removal.

Have you ever researched how easy it is to get a virtual machine disk (VMDK) image into AWS? A migration tool will convert a VMDK and store it in a Simple Storage Service (S3) bucket. What about extraction of an Amazon Machine Image (AMI) from the same environment?

It’s not just Amazon—each CSP offers sticky services. The ease of use is built-in; you don’t have to think about it. As a user, it is hard to pass up the promise of eleven 9’s reliability or automatic revisioning. However, taking advantage amounts to vendor lock-in.

There are plenty of tools out there for cloud orchestration. Implementing them might not be as cheap as using a sticky service, because you’ll likely need to set up a separate master, charm, or other orchestration server, resulting in computing, storage, and network costs. But the headaches avoided later will make it well worth it when a new CSP has better/cheaper/faster service and your existing provider tries to hold you hostage.

#2—Broker algorithms deal ALL the cards

The NIST Reference Architecture, SP 500-292, defines a Cloud Broker as an entity that manages the use, performance, and delivery of cloud services, and negotiates relationships between CSPs and Cloud Consumers.


The whole point of a cloud broker is the “s.” Without cloud serviceS and multiple CSPs, a broker is simply a middleman adding additional cost with limited advantages. With the “s,” a broker can search for price arbitrage, security remediations, and risk reductions. A customer pays for the specialized knowledge, probably assuming the broker knows best.

What if a reseller agreement exists that’s more advantageous to the broker than the consumer? Maybe the broker automates the CSP choice with algorithms and ignores more complicated calculations? Could a broker ever claim ignorance of alternative CSPs?

Automated system sizing and elasticity are perfect examples. Imagine the price difference between 1,000 micro-instances versus 700 mid-sized servers. Could spot-instances provide benefits even with their instability? The transparency of a broker’s back-end processes and knowledge of the entire marketplace pays client dividends, measurable in cold, hard cash.

#1—Security’s an opportunity not a hurdle

Security is more than Governance, Risk, and Compliance. There are opportunities for higher levels of fit and finish within IT—there would be no Patch Tuesday or Computer Incident Response Team (CIRT) if fault tolerances were perfected.

With the ease of use of the cloud and corresponding Shadow IT, anything can be stuffed into configurations. Knowing where your product starts or is updated from is not just configuration management (CM) or continuous monitoring. There is a level beyond CM.

A few questions of note:

• What’s your source? How do you know your AMI or VMDK stems from a reputable location?

• How much confidence do you have in your update repositories?

• How were your systems configured after installation? Were scripts pulled off the web? Were they reviewed?

• Are you simplifying post configuration to avoid last-minute “work-arounds”?

All of these questions can be answered with the appropriate controls, amounting to Provenance and Pedigree. Validated AMIs, trusted Linux repositories, validated Puppet Security Technical Implementation Guide (STIG) scripts, and verified logging are all aspects of this service, allowing cloud assurances heretofore unreachable.

Knowledge of which CSP service offerings inherit security and which need augmented controls is tantamount to using a cookbook: you might get lucky or you might end up with egg on your face. The quality and consistency is what earns you a “Michelin star.”

Provenance & Pedigree: Going beyond CM

Computer science’s promise of a known-state computing environment was at best elusive. Security researchers and hackers consistently demonstrate injection techniques that undermine even the best, purpose-built systems such as ATMs or kiosks. Attempts with Gold-disk images provide some solace in the enterprise, but the self-service nature of the cloud, corresponding Shadow IT development circumventing chief information security officer (CISO) initiatives, and the constant pressure to “get it done” always encourage shortcuts. How many times has a laboratory environment gone to live production without additional checks?

Provenance and Pedigree (P&P) at least provides knowledge of where all the parts originate and how they were assembled. Instead of gathering automation scripts off the Web, or grabbing the closest matched AMI from the marketplace, P&P validates the operating system starting points, the update repositories used, and the customization (i.e., Puppet/Chef) scripts.

Booz Allen’s P&P research extends the internal, “drinking our own champagne” effort, putting hash calls and identity checks into the CBRA at the orchestration level. Customers receive a validated service consisting of trusted update repositories, code testing, and authentication credentials to truly place faith in their deployments...
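The following is an added illustration of the P&P idea described above (hash and origin checks applied before orchestration proceeds); it is example code written for this page, not Booz Allen’s CBRA implementation. The trusted-origin prefixes, artifact names and byte contents are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed allow-list of locations artifacts may come from (hypothetical values).
TRUSTED_ORIGINS = ("https://repo.example.internal/", "s3://approved-images-example/")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(reference: Dict[str, bytes]) -> Dict[str, str]:
    """Publish-time step: record the digest of every vetted artifact (image, script)."""
    return {name: sha256_hex(data) for name, data in reference.items()}


def check_artifact(name: str, origin: str, data: bytes, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Deploy-time gate: the artifact must come from a trusted origin, be listed
    in the approved manifest, and hash to the recorded digest."""
    if not origin.startswith(TRUSTED_ORIGINS):
        return False, f"{name}: untrusted origin {origin}"
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name}: not in approved manifest"
    if not hmac.compare_digest(sha256_hex(data), expected):
        return False, f"{name}: digest mismatch"
    return True, f"{name}: verified"


def gate_deployment(candidates: List[Tuple[str, str, bytes]], manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Orchestration proceeds only if every staged artifact passes; all findings are returned."""
    results = [check_artifact(n, o, d, manifest) for n, o, d in candidates]
    return all(ok for ok, _ in results), [msg for _, msg in results]


# Constructed vetted reference artifacts, as they would exist at publish time.
REFERENCE = {
    "base-image.vmdk": b"constructed vetted VMDK bytes",
    "stig-hardening.pp": b"# constructed vetted Puppet STIG manifest\n",
}
MANIFEST = build_manifest(REFERENCE)

# Constructed artifacts staged for deployment: one intact, one altered, one from an unknown source.
CANDIDATES = [
    ("base-image.vmdk", "s3://approved-images-example/base-image.vmdk", REFERENCE["base-image.vmdk"]),
    ("stig-hardening.pp", "https://repo.example.internal/stig-hardening.pp", REFERENCE["stig-hardening.pp"] + b"# unreviewed edit\n"),
    ("setup.sh", "https://pastebin.example/raw/abc", b"echo constructed unreviewed script\n"),
]

if __name__ == "__main__":
    allowed, findings = gate_deployment(CANDIDATES, MANIFEST)
    print("deploy:", allowed)
    print("\n".join(findings))
```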

#¾—Trust: It’s common sense

Know your customer. Know your market. Know your product. The biggest thing to keep in mind when you’re brokering—and in business in general—don’t make up answers!

The cloud’s a huge space. No one will know every answer to every question. The research and preparation you demonstrate will take you a long way. But when there’s a question you can’t possibly know, simply respond, “I’ll get back to you on that.” There’s always the possibility the customer knows the answer, and speculation could quite possibly scuttle the deal and even irreparably damage the relationship.

A Broker’s trusted third-party role is the most important and simultaneously least quantifiable. That trust is necessary to succeed in the business.


About Booz Allen

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for 100 years. Today, Booz Allen is a leading provider of management consulting, technology, and engineering services to the US government in defense, intelligence, and civil markets, and to major corporations and not-for-profit organizations. In the commercial sector, the firm serves US clients primarily in financial services, healthcare, and energy markets, and international clients primarily in the Middle East. Booz Allen helps clients achieve success today and address future needs by applying functional expertise spanning consulting, analytics, mission operations, technology, systems development, cybersecurity, engineering, and innovation to design, develop, and implement solutions. The firm’s management consulting heritage is the basis for its unique collaborative culture and operating model, enabling Booz Allen to anticipate needs and opportunities, rapidly deploy talent and resources, and deliver enduring results. Booz Allen helps shape thinking and prepare for future developments in areas of national importance, including cybersecurity, homeland security, healthcare, and information technology. Booz Allen is headquartered in McLean, Virginia, employs nearly 23,000 people, and had revenue of $5.48 billion for the 12 months ended March 31, 2014. Over the past decade, Booz Allen’s high standing as a business and an employer has been recognized by dozens of organizations and publications, including Fortune, Working Mother, Forbes, and G.I. Jobs. In 2014, Booz Allen celebrates its 100th anniversary year. More information is available at www.boozallen.com. (NYSE: BAH)

©2014 Booz Allen Hamilton Inc.

Brokerage History

Over the past 5 years, Booz Allen Hamilton developed an automated deployment framework. The solution, originally focused on virtualization, was adapted by Booz Allen for Amazon Web Services™ (AWS) and OpenStack® while maintaining backward compatibility with enterprise infrastructure environments such as Hyper-V® and VMware®.

Booz Allen’s OCB employs an open cloud management framework capable of adapting and integrating with a customer’s evolving portfolio of technologies and platforms. Based on our CBRA, which defines a set of technical capabilities and vendor-neutral implementation options, Booz Allen enables cloud consumers to select, provision, and manage on-premise and off-premise resources based on a choice of vendor-agnostic infrastructure technology and platforms.

Currently in its fifth generation, Broker is being used by Booz Allen clients that include Department of Defense (DoD), commercial, and government healthcare organizations, with tens of thousands of self-service users administered with the efficiencies of the cloud. In addition, our own internal Digital Platform Infrastructure R&D, Demonstration, and Proof of Concept efforts use this same infrastructure capability for providing private and public Infrastructure as a Service (IaaS) computational needs.

Additional Information

For a copy of this presentation or more information, please check out http://boozallen.com/cloudbroker or scan the QR code below.

Contact Information:

Jon-Michael C. Brook, Lead, [email protected]

Jarid Cottrell, Chief, [email protected]

Samy Bouhouala, Chief, [email protected]

Munjeet, [email protected]

08.053.14