Cloud Computing Gov Conf 1209

  • 8/14/2019 Cloud Computing Gov Conf 1209

    Cloud Computing -- A Practical View

    Mandeep Dhami

    http://geekandpoke.typepad.com/geekandpoke/2009/03/let-the-clouds-make-your-life-easier.html

    Overview

    The Context
    - A specific project scenario

    Why Cloud Computing?
    - Economic drivers
    - Flexibility and agility
    - New capabilities

    Why not Cloud Computing?
    - Regulatory constraints
    - Operational concerns
    - Technical issues

    And the Practical Middle Way!
    - Services evaluated
    - Proposed engagement

    The Context

    Cloud computing can mean different things to different people

    In this talk we evaluate the trade-offs in the context of the following hypothetical scenario:
    - You work on a Medicare/Medicaid eligibility system
    - Field workers use a web-based tool to input case details and to check status
    - Web server is implemented using Java/WebSphere on a Windows Server
    - Backend eligibility sub-system is implemented using COBOL on an IBM mainframe
    - You are tasked with evaluating a cloud-based solution for the web tool

    http://www.nature.com/ki/journal/v62/n5/fig_tab/4493262f1.html

    Many Layers of the Cloud

    Some Initial Design Constraints

    Type of cloud service required - IaaS or Private Cloud
    - Since it is a custom software application, SaaS is not an option
    - Since the platform is also very custom (for libraries and versions) and has some non-standard libraries (say WebSphere v6.5, DB2 v9.1, JCA for CICS, etc.), PaaS is not an option either
    - IaaS might be feasible as we own the software stack in that model
    - Private cloud can always be used, as we will own the cloud in that model!

    Type of connectivity required - VPN to VM
    - We will need a secure encrypted connection to the backend system for the web application to get/update case status. Conceptually this is like a VPN from the VM to the backend.
    - Any IaaS solution that does not provide a secure connection from the server VM to the internal LAN cannot be used

    Why Cloud Computing?

    To cloud or not to cloud, that is the question

    http://geekandpoke.typepad.com/geekandpoke/2009/11/simply-explained-project-risk-update.html

    Economic Drivers

    Pay as you go
    - No upfront cost to acquire server/network hardware
    - Only pay for dev and test systems during dev and test phases
    - No upfront cost to try new features like Web Firewalls

    Lower support costs
    - The team does not have to manage hardware, network or storage for the production system
    - No need to hire expensive consultants for non-core (infrastructure related) activities

    Deterministic Project Costing
    - More transparency regarding infrastructure costs
    - Less risk from last minute capital cost requests related to production usage
    - Not encumbered by internal transfer accounting!

    Lower hardware costs
    - Typical server utilization is low, pay only for what you use
    - Typical network utilization is low (routers, firewall, etc.), pay only for what you use

    Flexibility and Agility

    Rapid Scaling
    - Start small, scale as required based on production performance measurements
    - Respond faster to customer demand for capacity
    - Respond faster to features that require more compute/storage resources

    Dynamic Provisioning
    - Spin up more test-beds as required. Keep test execution moving even as developers are debugging on an existing setup
    - Spin up systems to do load testing as required. Pay only for the time used to do the tests

    Dynamic Infrastructure
    - Enable infrastructure changes with mouse clicks
    - Increase server pool for batch processing as required to meet any batch window (at some cost)
    - Developers can prototype at production scale and capacity

    More Choice
    - Change infrastructure vendors for better SLA or price without impacting/altering the application
    - Do a beta test for a few case workers on a small system, roll out new code incrementally
    - Roll back to a previous image, as a fallback option

    New Capabilities

    Next Gen architectures
    - Enable disaster recovery by using a service provider with multiple physical locations
    - Try new features like memcached, CDNs, etc. without new investment in hardware or infrastructure expertise

    Accelerate innovation
    - Shift from supporting the infrastructure to innovating on application
    - Use cost transparency to innovate processes and reduce waste

    Advanced infrastructure capabilities
    - Change management to server configuration is centrally managed and encapsulated
    - Self healing, hot backups etc. available
    - APIs available to infrastructure for flow-thru automation

    Green computing
    - Increase server utilization, reduce power usage
    - Use more efficient cooling, reduce power usage
    - Reduce number of servers and reduce waste

    Why Not Cloud Computing?

    There be dragons

    First, you sometimes hear some FUD

    "We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of Your Content or Applications"
    Customer Agreement, Amazon Web Services

    "Salesforce.com shall not be responsible or liable for the deletion, correction, destruction, damage, loss or failure to store any customer data"
    Master Subscription Agreement, Salesforce.com

    but this is not really very different from software EULA
    (So we believe that you can safely ignore this issue, except during contract negotiation)

    But there are Real Regulatory Constraints

    Privacy
    - Since this project handles medical data, HIPAA rules apply
    - If your cloud infrastructure cannot be HIPAA compliant, you cannot use it

    Forensics and audit
    - If your cloud APIs cannot be audited for forensic investigation, you cannot use it for sensitive data
    - If audit data is not cryptographically secure, it lacks adequate controls

    Governance mandate
    - Just because the application is on cloud, the governance mandates do not go away!
    - Can you produce reports on usage or controls that are comparable to a system with physical security?

    PKI infrastructure
    - How are private keys stored and managed by the cloud based VMs?
    - Can you meet FIPS requirements that you currently meet with hardware/physical security constraints?

    And Real Operational Concerns

    The Blame game
    - When there is a problem today, it is already painful to get from defect to defect ownership
    - When a problem occurs in the cloud, how do you get from the conf-call from hell discussing the defect to productive root cause analysis and taking defect ownership?

    Priority management
    - When you have a customer situation, your tech team works on it as #1 priority till it is resolved
    - How do you set priority for the cloud vendor's tech team to fix your specific problem among their priorities?

    SLA assurance
    - Can you measure service levels in terms of the metrics used in the SLA in the contract?
    - Do you get reports on real SLA or on a synthetic benchmark?
    - Do you get continuous reporting of metrics that you can use for trend analysis and planning?

    Vendor lock-in
    - How real is the promise of choice?
    - To resolve the technical or operational issues, are you tying into a proprietary API that limits any real choice?

    And Very Real Technical Issues

    Visibility
    - Clear system boundary with adequate instrumentation
    - Tools to view infrastructure usage by your application

    Security
    - Encrypted VPN from Server VM to the Backend network
    - SSO integration for admin/API usage
    - Safe sharing of shared resources (like network, swap, crash dump, etc.)

    Diagnostics
    - On demand capture of data, traffic and performance statistics
    - Flow thru integration with automation/tools
    - Automated data capture (black box) before the VM image is lost

    Network Services
    - No good model for application level network services (like firewall, load balancer, etc.)
    - We can use x86 VMs as virtual appliances, but they lack the hardware acceleration of typical network devices

    The Practical Middle Way

    In Buddhism, the Middle Way is the Nirvana-bound path of moderation - away from the extremes of sensual indulgence and self-mortification and toward the practice of wisdom, morality and mental cultivation.

    From http://en.wikipedia.org/wiki/Middle_way

    No I really did not mean that!

    From http://dilbert.com/strips/comic/2009-11-18

    Cloud Services Evaluation for This Specific Project

    NOTE: This is a sample evaluation. Your results will differ based on the assumptions that you make on the project and on the services themselves.

    Table columns: Service Provider, Product, Technical Issues, Regulatory Constraints, Operational Concerns*

    - Amazon, EC2: Solid performer, lots of 3rd party support
    - Rackspace, Mosso: Solid performer, good enterprise support
    - Savvis, Virtualization in the Cloud: Closest to a private cloud (VMware), very good enterprise support
    - Appnexus, Appnexus Cloud: Not clear how it will handle issues specific to government or HIPAA compliance

    * Assuming appropriate relationship and contract/penalties

    Engagement Proposed for This Specific Project

    First qualify the service provider's offering for regulatory issues
    - HIPAA
    - PCI (if you accept credit cards for fees)
    - FIPS (for PKI)
    - Etc.

    Then qualify your relationship with the service provider so that you can handle operational issues around blame game, priority management, etc.

    Then qualify the network, the virtual servers, and the storage for security, visibility, manageability, diagnostics, etc. In particular, qualify the secure VPN to your virtual servers (like Amazon's VDC)

    Finally move development and test of the next major upgrade to the cloud service provider. Do a beta rollout first, and then scale incrementally as you build confidence.

    With dev & test success behind you, use it as a model to transition the production servers (for the web application) to the cloud.

    Always, incremental build-up based on success of the previous step!
