8/14/2019 Cloud Computing Gov Conf 1209
Cloud Computing - A Practical View
Mandeep Dhami
http://geekandpoke.typepad.com/geekandpoke/2009/03/let-the-clouds-make-your-life-easier.html
Overview
The Context
  A specific project scenario
Why Cloud Computing?
  Economic drivers
  Flexibility and agility
  New capabilities
Why not Cloud Computing?
  Regulatory constraints
  Operational concerns
  Technical issues
And the Practical Middle Way!
  Services evaluated
  Proposed engagement
The Context
Cloud computing can mean different things to different people.
In this talk we evaluate the trade-offs in the context of the following hypothetical scenario:
  You work on a Medicare/Medicaid eligibility system
  Field workers use a web-based tool to input case details and to check status
  The web server is implemented using Java/WebSphere on a Windows Server
  The backend eligibility sub-system is implemented using COBOL on an IBM mainframe
  You are tasked with evaluating a cloud-based solution for the web tool
Image: http://www.nature.com/ki/journal/v62/n5/fig_tab/4493262f1.html
Many Layers of the Cloud
Some Initial Design Constraints
Type of cloud service required: IaaS or private cloud
  Since it is a custom software application, SaaS is not an option
  Since the platform is also very custom (for libraries and versions) and has some non-standard libraries (say WebSphere v6.5, DB2 v9.1, JCA for CICS, etc.), PaaS is not an option either
  IaaS might be feasible, as we own the software stack in that model
  A private cloud can always be used, as we will own the cloud in that model!
Type of connectivity required: VPN to VM
  We will need a secure, encrypted connection to the backend system for the web application to get/update case status. Conceptually this is like a VPN from the VM to the backend.
  Any IaaS solution that does not provide a secure connection from the server VM to the internal LAN cannot be used
Why Cloud Computing?
To cloud or not to cloud, that is the question
http://geekandpoke.typepad.com/geekandpoke/2009/11/simply-explained-project-risk-update.html
Economic Drivers
Pay as you go
  No upfront cost to acquire server/network hardware
  Only pay for dev and test systems during the dev and test phases
  No upfront cost to try new features like web firewalls
Lower support costs
  The team does not have to manage hardware, network or storage for the production system
  No need to hire expensive consultants for non-core (infrastructure-related) activities
Deterministic project costing
  More transparency regarding infrastructure costs
  Less risk from last-minute capital cost requests related to production usage
  Not encumbered by internal transfer accounting!
Lower hardware costs
  Typical server utilization is low; pay only for what you use
  Typical network utilization is low (routers, firewall, etc.); pay only for what you use
Flexibility and Agility
Rapid scaling
  Start small, scale as required based on production performance measurements
  Respond faster to customer demand for capacity
  Respond faster to features that require more compute/storage resources
Dynamic provisioning
  Spin up more test-beds as required. Keep test execution moving even as developers are debugging on an existing setup
  Spin up systems to do load testing as required. Pay only for the time used to do the tests
Dynamic infrastructure
  Enable infrastructure changes with mouse clicks
  Increase the server pool for batch processing as required to meet any batch window (at some cost)
  Developers can prototype at production scale and capacity
More choice
  Change infrastructure vendors for a better SLA or price without impacting/altering the application
  Do a beta test for a few case workers on a small system, roll out new code incrementally
  Roll back to a previous image as a fallback option
New Capabilities
Next-gen architectures
  Enable disaster recovery by using a service provider with multiple physical locations
  Try new features like memcached, CDNs, etc. without new investment in hardware or infrastructure expertise
Accelerate innovation
  Shift from supporting the infrastructure to innovating on the application
  Use cost transparency to innovate processes and reduce waste
Advanced infrastructure capabilities
  Change management for server configuration is centrally managed and encapsulated
  Self-healing, hot backups, etc. are available
  APIs to the infrastructure are available for flow-through automation
Green computing
  Increase server utilization, reduce power usage
  Use more efficient cooling, reduce power usage
  Reduce the number of servers and reduce waste
Why Not Cloud Computing?
There be dragons
First, you sometimes hear some FUD
"We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of Your Content or Applications" (Customer Agreement, Amazon Web Services)
"Salesforce.com shall not be responsible or liable for the deletion, correction, destruction, damage, loss or failure to store any customer data" (Master Subscription Agreement, Salesforce.com)
But this is not really very different from a software EULA (so we believe that you can safely ignore this issue, except during contract negotiation)
But there are Real Regulatory Constraints
Privacy
  Since this project handles medical data, HIPAA rules apply
  If your cloud infrastructure cannot be HIPAA compliant, you cannot use it
Forensics and audit
  If your cloud APIs cannot be audited for forensic investigation, you cannot use it for sensitive data
  If audit data is not cryptographically secured (so that modification or deletion of entries can be detected), it lacks adequate controls
Governance mandate
  Just because the application is on the cloud, the governance mandates do not go away!
  Can you produce reports on usage or controls that are comparable to a system with physical security?
PKI infrastructure
  How are private keys stored and managed by the cloud-based VMs?
  Can you meet the FIPS requirements that you currently meet with hardware/physical security constraints?
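The "cryptographically secure audit data" point above, in working form. This is an added example and not code from the original deck: a hash-chained audit log in which each entry carries an HMAC over its own content and the previous entry's MAC, so an entry edited in place fails verification at its index. The chain alone cannot detect deletion of the newest entries, so the last MAC is also compared against an "anchor" copy kept outside the provider's control. The key literal, the record layout and the sample records are assumptions made up for illustration.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Assumption: a per-log HMAC key. In the scenario on these slides it should
# live in an HSM / key-management service on the agency side, never inside
# the VM image. The literal here only makes the example runnable offline.
LOG_KEY = b"example-only-audit-key-not-for-production"

GENESIS = "0" * 64  # "previous MAC" used for the first entry


def _canonical(obj: Dict) -> bytes:
    # Sort keys and strip whitespace so the same record always MACs the same.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _entry_mac(seq: int, prev: str, record: Dict, key: bytes) -> str:
    # The MAC binds this entry's position, content and predecessor together.
    msg = prev.encode() + _canonical({"seq": seq, "record": record})
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(chain: List[Dict], record: Dict, key: bytes = LOG_KEY) -> Dict:
    """Append record to chain; each entry's MAC covers its predecessor's MAC."""
    seq = len(chain)
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record,
             "mac": _entry_mac(seq, prev, record, key)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], key: bytes = LOG_KEY) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) or (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        expected = _entry_mac(i, prev, entry["record"], key)
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, -1


def verify_anchor(chain: List[Dict], anchor: str) -> bool:
    """A chain that passes verify_chain can still have been truncated at the
    tail. Compare the last MAC with a copy stored off-box (the anchor)."""
    return bool(chain) and hmac.compare_digest(chain[-1]["mac"], anchor)


def demo() -> Dict[str, object]:
    # Constructed sample records for the eligibility web tool on these slides.
    records = [
        {"user": "fw-1041", "action": "status.read", "case": "C-2009-7781"},
        {"user": "fw-1041", "action": "case.update", "case": "C-2009-7781"},
        {"user": "adm-007", "action": "api.key.rotate", "case": None},
    ]
    chain: List[Dict] = []
    for r in records:
        append_entry(chain, r)
    anchor = chain[-1]["mac"]  # ship this off-box, e.g. to the mainframe side

    intact = verify_chain(chain)

    # Failure mode 1: an entry is edited in place.
    tampered = json.loads(json.dumps(chain))  # deep copy
    tampered[1]["record"]["case"] = "C-2009-0000"
    edited = verify_chain(tampered)

    # Failure mode 2: the newest entry is deleted. The chain still verifies;
    # only the anchor comparison catches it.
    truncated = chain[:-1]
    trunc_chain_ok = verify_chain(truncated)[0]
    trunc_anchor_ok = verify_anchor(truncated, anchor)

    return {"intact": intact, "edited": edited,
            "truncated_chain_ok": trunc_chain_ok,
            "truncated_anchor_ok": trunc_anchor_ok}


if __name__ == "__main__":
    print(demo())
```

When evaluating a provider's audit API, the practical question is whether you can get the equivalent of the anchor (a periodically published digest you store yourself) rather than only the log entries; without it the provider, or anyone with write access to the log store, can silently drop the tail.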
And Real Operational Concerns
The blame game
  When there is a problem today, it is already painful to get from defect to defect ownership
  When a problem occurs in the cloud, how do you get from the conf-call from hell discussing the defect to productive root cause analysis and taking defect ownership?
Priority management
  When you have a customer situation, your tech team works on it as the #1 priority until it is resolved
  How do you set priority for the cloud vendor's tech team to fix your specific problem among their priorities?
SLA assurance
  Can you measure service levels in terms of the metrics used in the SLA in the contract?
  Do you get reports on the real SLA or on a synthetic benchmark?
  Do you get continuous reporting of metrics that you can use for trend analysis and planning?
Vendor lock-in
  How real is the promise of choice?
  To resolve the technical or operational issues, are you tying into a proprietary API that limits any real choice?
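The SLA assurance questions above, as an added example that is not from the original deck: availability computed from the agency's own probe log, once as users experienced it and once under an assumed contract definition that ignores any outage shorter than five consecutive minutes. The probe log, the five-minute carve-out and the 99.95% target are constructed assumptions, chosen so that the two numbers disagree about whether the SLA was met; the point is that you can only check the contract if you measure the contract's metric yourself.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumption (illustrative): the contract counts an outage only when the
# service is down for at least MIN_OUTAGE_MINUTES consecutive minutes, a
# carve-out commonly seen in IaaS SLAs. Shorter blips do not count.
MIN_OUTAGE_MINUTES = 5
PROBE_INTERVAL_MINUTES = 1


def constructed_probe_log(start: datetime = datetime(2009, 12, 1), days: int = 30,
                          down_windows=((305, 3), (7000, 3), (14400, 12),
                                        (20000, 3), (33333, 3))) -> List[str]:
    """Constructed sample data: one-minute probes of the web tool's VM taken
    from the agency side. down_windows = (start minute, length) that read DOWN:
    four 3-minute blips and one 12-minute outage over 30 days."""
    lines = []
    for m in range(days * 24 * 60):
        status = "DOWN" if any(s <= m < s + n for s, n in down_windows) else "UP"
        ts = (start + timedelta(minutes=m)).strftime("%Y-%m-%dT%H:%M:%S")
        lines.append(f"{ts} webtool-vm {status}")
    return lines


def parse_probes(lines: List[str]) -> List[Tuple[datetime, bool]]:
    """'<timestamp> <host> <UP|DOWN>' -> (timestamp, is_up)."""
    probes = []
    for line in lines:
        ts, _host, status = line.split()
        probes.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), status == "UP"))
    return probes


def outage_runs(probes: List[Tuple[datetime, bool]]) -> List[Tuple[datetime, int]]:
    """Collapse consecutive DOWN samples into (start, minutes) runs."""
    runs, start, count = [], None, 0
    for ts, up in probes:
        if not up:
            if start is None:
                start = ts
            count += 1
        elif start is not None:
            runs.append((start, count * PROBE_INTERVAL_MINUTES))
            start, count = None, 0
    if start is not None:
        runs.append((start, count * PROBE_INTERVAL_MINUTES))
    return runs


def availability_pct(probes: List[Tuple[datetime, bool]], min_outage_minutes: int = 0) -> float:
    """Availability over the window, counting only outages at least
    min_outage_minutes long. 0 gives what users actually experienced."""
    total = len(probes) * PROBE_INTERVAL_MINUTES
    down = sum(mins for _, mins in outage_runs(probes) if mins >= min_outage_minutes)
    return 100.0 * (total - down) / total


def sla_report(lines: List[str], target_pct: float = 99.95) -> Dict[str, object]:
    """Compare experienced availability with the contract's definition."""
    probes = parse_probes(lines)
    observed = availability_pct(probes)
    contractual = availability_pct(probes, MIN_OUTAGE_MINUTES)
    return {
        "outages": [(s.isoformat(), m) for s, m in outage_runs(probes)],
        "observed_pct": round(observed, 4),
        "contractual_pct": round(contractual, 4),
        "breach_as_experienced": observed < target_pct,
        "breach_by_contract": contractual < target_pct,
    }


if __name__ == "__main__":
    print(sla_report(constructed_probe_log()))
```

With the constructed log the service was below 99.95% as the case workers saw it, but above it by the contract's definition, because the repeated short blips fall under the carve-out. That gap is exactly what the "real SLA or synthetic benchmark" question is asking about; keeping your own probe history also gives you the trend data the last bullet asks for.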
And Very Real Technical Issues
Visibility
  Clear system boundary with adequate instrumentation
  Tools to view infrastructure usage by your application
Security
  Encrypted VPN from the server VM to the backend network
  SSO integration for admin/API usage
  Safe sharing of shared resources (like network, swap, crash dumps, etc.)
Diagnostics
  On-demand capture of data, traffic and performance statistics
  Flow-through integration with automation/tools
  Automated data capture (black box) before the VM image is lost
Network services
  No good model for application-level network services (like firewall, load balancer, etc.)
  We can use x86 VMs as virtual appliances, but they lack the hardware acceleration of typical network devices
The Practical Middle Way
"In Buddhism, the Middle Way is the Nirvana-bound path of moderation - away from the extremes of sensual indulgence and self-mortification and toward the practice of wisdom, morality and mental cultivation."
From http://en.wikipedia.org/wiki/Middle_way
No I really did not mean that!
From http://dilbert.com/strips/comic/2009-11-18
Cloud Services Evaluation for This Specific Project
NOTE: This is a sample evaluation. Your results will differ based on the assumptions that you make on the project and on the services themselves.
Each product was rated on Regulatory Constraints, Operational Concerns* and Technical Issues; the ratings were graphical in the original slide and only the comments survive here.
Service Provider | Product | Comments
Amazon | EC2 | Solid performer, lots of 3rd party support
Rackspace | Mosso | Solid performer, good enterprise support
Savvis | Virtualization in the Cloud | Closest to a private cloud (VMware), very good enterprise support
Appnexus | Appnexus Cloud | Not clear how it will handle issues specific to government or HIPAA compliance
* Assuming appropriate relationship and contract/penalties
Engagement Proposed for This Specific Project
First, qualify the service provider's offering for regulatory issues:
  HIPAA
  PCI (if you accept credit cards for fees)
  FIPS (for PKI)
  Etc.
Then qualify your relationship with the service provider so that you can handle operational issues around the blame game, priority management, etc.
Then qualify the network, the virtual servers, and the storage for security, visibility, manageability, diagnostics, etc. In particular, qualify the secure VPN to your virtual servers (like Amazon's VPC).
Finally, move development and test of the next major upgrade to the cloud service provider. Do a beta roll-out first, and then scale incrementally as you build confidence.
With dev & test success behind you, use it as a model to transition the production servers (for the web application) to the cloud.
Always an incremental build-up based on the success of the previous step!