Data Center Optimization Update and Cloud Computing in the DON

Data Center Optimization Update and Cloud …...Data Center Optimization Update to DON CIO Conference (AFCEA West) HQMC C4 Department Network Plans & Policy Division 22 February 2017


Agenda

• Data Center Optimization Update - USMC

• Data Center Optimization Update - Navy

• DON/DoD Cloud Computing Overview

• DCAO Cloud Update

• NAVRES/NEN Commercial Cloud Pilot

• Panel Discussion/Questions

Data Center Optimization Update to DON CIO Conference

(AFCEA West)

HQMC C4 Department Network Plans & Policy Division

22 February 2017

Briefer: Mr. Henry “Hank” Costa 20170118 v1.0

Point of Contact:

Mr. Henry Costa

571-256-9081

DISTRIBUTION STATEMENT A. Approved for Public Release


Agenda

C4 C2 Strategy

Domain Consolidation & Elimination

MCICOM & Installation Engagements

DCIMS Status

Cloud Way ahead

Acquisition Strategy


C4 C2 Strategy

Update Authoritative data sources to support DCOI reporting

• DADDMS / DITPR-DON

• INFADS (real property)

Synchronize DCOI efforts with

• Portfolio rationalization

• Domain Consolidation

• Move to cloud (O365)

Seamless MCEN

JIE

• JRSS

• CEDCs

DCO Front End Analysis by P&R

• March MROC Decision


20170119 v.2

Strategic Goals


Sum of the Parts…

C2 Strategy

Domain Consolidation & Elimination

• Scope: 62 domains identified

• Enterprise-wide visibility/management of all security boundaries

• Having all Marine Corps users in a single management domain:

• Decreases response time to global cyber threats

• Supports efficient security management

• Reduces attack surface

• Provides the greatest opportunity for USMC-wide standardization

• Enables the rollout and use of enterprise services (GPOs)

• Consolidation provides better applications security

• Infrastructure-related savings

• Decreased responsibility for USMC work force (less HW to maintain and/or procure)

• Target completion September 2019

• PSTO awarded


20161012 v1

[Figure: Legacy Domain Locations]

MCICOM & Installation Engagements

Data Center Optimization - Three phase effort

• Discovery (every installation)

• Validation (purpose)

• Consolidation

Support DCIMS reporting

• Update real property records

• Validate costs used in DCIMS (Cost / sqft, power KWH)

• Provide SME validation, requirements vs. capabilities (IPNs)

• Revise USMC data center end state (DCOI reporting)

• Provide SME to lead Rate Card development and maintenance

Tiered data centers

• Working with HQMC and DOD identification

• Solution – integration with overall installation metering efforts


DCIMS Status

C4 SharePoint (front end)

• Support DCOI projected savings by FY

• Provide DCIO Marine Corps situational awareness

– Progress – Metrics

– Data Center Optimization Plan – End state adjustments as they occur

– Provide an automated process to issue waivers or provide POA&M for closure

• Waiver Process

– Standard DC evaluation form (requirements vs. capabilities)

– Provide template to issue waivers based on POR or DC

– Workflows

– Records Management in support of future audits


Cloud Way Ahead

Program Analysis and Evaluation study Oct 2016

• Consolidation of IT support contracts

• Mandate virtualization

• Establish commercial cloud and third party hosting to augment CEDC/IPNs

Marine Corps Managed Services Organization (MCMSO)

• Support the management and execution of cloud computing services

Pilot projects

• Standardize and capture BCA (storage, hosting, commercial providers)

• Establish USMC ATO process

• Partner with Navy (CEDC or leveraging CAP)


Acquisition Strategy

Marine Corps Managed Services Organization (MCMSO)

• MCEITS

• SONIC

• NGEN

DCAO

NGEN Recompete

DEOS Way Ahead

References

OMB Data Center Optimization memo 1 Aug 2016

DoD CIO Acquisition and Use of Commercial Cloud Computing Services 15 Dec 2014

DON CIO Acquisition and Use of Commercial Cloud Computing Services 15 May 2015

USMC Data Center Consolidation Policy 4 May 2016

Data Center Reporting SharePoint

• https://eis.usmc.mil/sites/espm/DC/default.aspx


20170223 Mr. Joe Salazar

Director, Enterprise Policy & Management

NAVY BRIEF

DISTRIBUTION STATEMENT A. Approved for Public Release


▼Data Center Optimization Initiative:

On August 1, 2016, the Office of Management and Budget (OMB) released the Data Center Optimization Initiative (DCOI), which supersedes the Federal Data Center Consolidation Initiative (FDCCI).

The DCOI set forth three goals for the Data Centers optimization effort:

Optimization

Cost Savings and Avoidance

Closed Data Centers

▼Cybersecurity ATO Accreditation NAVADMIN:

DDCIO Navy authored the FISCAL YEAR 2017 AND 2018 GUIDANCE FOR Cybersecurity Accreditation of Navy Information Technology Systems Migrating to Data Centers

▼Baseline Freeze and User Acceptance Testing Memorandum:

DDCIO Navy released the Data Center Consolidation policy memo for User Acceptance Testing and enhanced configuration control measures, which applies to IT Systems/Applications directed to consolidate or close

▼DoD Joint Assessment Team:

To help meet the goals of the DCOI, DoD CIO established a Joint DoD Data Center Assessment Team for conducting on-site visits of all "open" data centers (IPNs & SPPNs) on a base. The team is comprised of representatives from DoD, the Services, and DISA

To date, Data Centers in the Charleston, SC area have been assessed by the DoD Assessment team

The next scheduled DoD Joint Assessment Team visit will be in San Antonio, TX (February/March 2017)

▼DCIM Quarterly Validation:

DDCIO Navy continues to conduct a quarterly validation of Data Center inventory in DCIM to ensure we report the most up to date information

▼DCIM Training:

DDCIO Navy will conduct DCIM training with Navy Echelon II DCIM Points of Contact in March 2017 (i.e. Data Center records validation, Data Center designations, Navy Data Center SharePoint Portal Site, etc.)

▼Significant Changes & Issues:

DoD budget marks reduced data center optimization execution budgets

Federal Information Technology Acquisition Reform Act (FITARA) and OMB DCOI impose additional “unfunded mandates” to meet Goal #1 of the DCOI (i.e. Energy Metering, Power Usage Effectiveness, Virtualization, etc.)

DoD Special Purpose Processing Node (SPPN) Data Centers that contain non-severable IT hardware cannot close and should be “out of scope” for OMB consolidation progress reporting metrics

▼Consolidation & Optimization Plans:

Maximize use of available Commercial Cloud

DDCIO (N) recently released a Cloud Strategy, Policy & BCA Memorandum

Develop Joint DoD Strategy to meet FITARA & DCOI DCIM Tool & Energy Metering unfunded requirements in a prioritized & phased approach within limited execution resources


▼Hosting Standards:

DDCIO Navy promulgated SPAWAR’s Application and Commercial Cloud Hosting Standards to ECH II CIOs

o Should be leveraged by Application owners migrating from a legacy environment

▼Fiscal Year 2017 Data Center Consolidation/Closure Target Closure List:

DDCIO Navy approved the FY17 Data Center Consolidation/Closure List and FY18 Data Center Consolidation/Closure Candidates list


▼The Navy has implemented a “Cloud First” strategy with a goal to move all possible Navy IT capabilities to commercial cloud computing environments/services; and to build new IT capabilities based on cloud technologies and for those environments.

▼High-Level Documents Drafted:

Navy Cloud Strategy – outlines CNO’s vision for Cloud and the basic tenets for migrating the Navy enterprise to a Commercial Cloud Service model

Cloud First Policy and BCA Memo

o Reduce investment in traditional on-premises “legacy” data centers

o Eliminate BCA requirement for commercial cloud investments while requiring BCA for traditional DC hosting

o Transitioning systems with a current ATO will only require a security assessment

o Assigns a MSO/Cloud Broker for the Navy; promotes flexibility through use of delegated MSOs

▼Near term actions and way forward

Implementation Plan IPT


Reference(s)

The following reference links can be found at the DDCIO (N) public SharePoint site:

OMB Data Center Optimization Initiative: https://portal.secnav.navy.mil/orgs/OPNAV/N2N6/DDCION/N2N6BC1/DCC/SitePages/Home.aspx

Data Center Reference Architecture: https://portal.secnav.navy.mil/orgs/OPNAV/N2N6/DDCION/N2N6BC1/DCC/SitePages/Home.aspx

Navy Enterprise Data Center (NEDC) and Commercial Cloud Hosting Standards: https://portal.secnav.navy.mil/orgs/OPNAV/N2N6/DDCION/N2N6BC1/DCC/SitePages/Home.aspx

UAT and Baseline Freeze Memorandum: https://portal.secnav.navy.mil/orgs/OPNAV/N2N6/DDCION/N2N6BC1/DCC/SitePages/Home.aspx

2017-18 Target Closure List Memorandum: https://portal.secnav.navy.mil/orgs/OPNAV/N2N6/DDCION/N2N6BC1/DCC/SitePages/Home.aspx


DON/DoD Cloud Computing Overview


Susan Shuryn Cloud Lead

PEO EIS

DISTRIBUTION STATEMENT A. Approved for Public Release


WHY CLOUD?

Congressional, OMB and Federal CIO Cloud Computing Strategy, including ‘Cloud First’ guidance

Standardized cloud security controls (e.g., FEDRAMP)

DOD CIO Cloud Computing Strategy

Direction to reduce IT/data center footprint and costs

Additional interest in cloud as data/network security enabler (in support of maintaining “cyber hygiene”)

DoD cloud provider accreditation process

Industry begins to invest in limited number of federal cloud offerings

Vendors build services to support DoD cloud demand and pursue DoD authorization

Oct 2013 DCC R3B set goal: 75% of Navy’s systems will be hosted by commercial providers, in support of IT Efficiencies / Cost Targets

Reduce Cyber Vulnerabilities

Mobility Strategy (enabled by cloud)

Single integrated ashore IT infrastructure with unified command & control

[Diagram labels: DoD Cloud Strategy; Federal Cloud Strategy; Navy Cloud Strategy]

Cloud Computing Readiness

• Educate: yourselves and others about Cloud Computing in DoD

• Invest: in training for operational and support manpower

• Understand: roles for providers, integrators, government

• Read: policy and regulations; stay current

• Determine: data ownership responsibilities/requirements

• Develop: designs with cybersecurity requirements in mind

• Collaborate: with your AO Office early in the development

Basic Definitions and Terminology

NIST Definition of Cloud Computing

A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services)

Can be rapidly built and released with minimal management effort or service provider interaction

Composed of five essential characteristics, three service models, and four deployment models:

Essential Characteristics:

1. On-demand self-service

2. Broad network access

3. Resource pooling

4. Rapid elasticity

5. Measured service

Service Models:

1. Software as a Service (SaaS)

2. Platform as a Service (PaaS)

3. Infrastructure as a Service (IaaS)

Deployment Models:

1. Public cloud

2. Community cloud

3. Private cloud

4. Hybrid cloud

NIST Definitions:

Business and Technical Brokerage

• A Business Broker only provides business and relationship services, and does not have any contact with the cloud Consumer’s data, operations, or artifacts (e.g., images, volumes, firewalls) in the cloud.

- Can offer value-added intermediation services such as: service catalogue lookups, subscription handling, customer relation management, usage reporting and centralized billing

• Technical Broker does interact with a Consumer’s assets: the Technical Broker aggregates services from multiple cloud Providers and adds a layer of technical functionality by addressing single-point-of-entry and interoperability issues.

- Can offer single or cross-provider technical services such as orchestration, load management and cloud-bursting, integrated identity and authorization management, security brokerage and integrated security management and metrics retrieval

• Managed Services provides management responsibilities and functions as well as a strategic method for improving operations and increasing efficiencies.

- DISA’s Trusted Cloud Credential Manager: Cloud Credential Manager to enforce Role Based Access Control (RBAC) and least privileged access, preventing internet backdoor and unauthorized VPC peerings

DISTRIBUTION STATEMENT A. Approved for Public Release


Revised Information Impact Levels

| SRG v1r2 Impact Level | Maximum Data Type | Information Characterization | Separation |
|---|---|---|---|
| 2 | Non-Controlled Unclassified Information | Unclassified information approved for public release. Unclassified, not designated as controlled unclassified information (CUI) or critical mission data. | Virtual/Logical Public/Community; Internet connect |
| 4 | Controlled Unclassified Information | Requires protection from unauthorized disclosure as established by Executive Order 13556 (Nov 2010); PII, PHI, SSN, Credit card information for individuals, Export Control, FOUO, Law Enforcement Sensitive, Email | Virtual/Logical Public/Community; Strong Virtual separation between tenants; NIPRNet via CAP |
| 5 | Controlled Unclassified Information + NSS | National Security Systems and other information requiring a higher level of protection as deemed necessary by the information owner, public law, or other government regulations | Virtual/Logical Fed. Gov. Community; Dedicated multi-tenant infrastructure; NIPRNet via CAP |
| 6 | Classified up to/including SECRET | Pursuant to EO 12958 as amended by EO 13292; classified national security information or pursuant to the Atomic Energy Act of 1954, as amended to be Restricted Data (RD) | Virtual/Logical Fed. Gov. Community; Dedicated multi-tenant infrastructure; SIPRNet |

Definition: Impact Levels are defined by a combination of 1) level of data to be stored/processed and 2) potential impact of an event resulting in the loss of confidentiality, integrity or availability of data, systems, or networks. The security control baseline for all Impact Levels is based on moderate confidentiality and moderate integrity (FIPS 199). Categorize systems IAW DoDI 8510.01 and CNSSI 1253. Availability is determined by the mission owner and should be specified in the contract.

FedRAMP / DoD Certification Cloud Security Requirements Guide (CSRG)

► Navy Information Systems are still required to meet all DoD Instructions (e.g., 8500), Joint Chiefs Instructions (e.g., 6510) and USCC CTOs (e.g., 07-12/HBSS)

– Migrating to the cloud does not eliminate any standing policy requirement

► The FedRAMP and DISA evaluations are intended to be used in a reciprocity-based fashion by the Navy Authorizing Official

– Navy does not have to perform IV&V and audit of the cloud provider's infrastructure; the assessment can be re-used, saving significant time/labor/funding

► DISA will collaborate with the Services to allow Services IV&V and audit results of a CSP to inform a DISA Authorization

► DISA CSRG documentation: http://iase.disa.mil/cloud_security/Pages/index.aspx

Pending release of FedRAMP High controls

Required by FAR update, DISA grants L2 PA to all FedRAMP approved CSOs

[Table: columns Data Impact Level, FedRAMP, DISA Authorization, Navy 8500 ATO, CAP Usage, Physical Isolation; rows CSRG L2, CSRG L4, CSRG L5, CSRG L6]

Cloud Service Providers: Level 4-5 DoD Provisional Authorizations

| CSP Offering | Type | Lvl | Scope | Phase | Navy ATO? | Assessor | DoD PA Issued |
|---|---|---|---|---|---|---|---|
| Amazon AWS GovCloud | IaaS | 4 | FedRAMP+DoD | Complete | YES | DISA | July 2016 (1 yr) |
| Oracle Service Cloud (DoD OSC) | SaaS | 4 | FedRAMP+DoD | Complete | NO | DISA | Aug 2015 (2 yr) |
| IBM CMS-G | IaaS | 5 | FedRAMP+DoD | Complete | NO | DISA/Army | Aug 2016 (3 yr) |
| Microsoft O365 DITAR | SaaS | 5 | FedRAMP+DoD | Complete | Pilots in Process | DISA/AF/DLA | Dec 2016 (3 yr) |
| Microsoft Azure L4, L5 | PaaS | 4, 5 | FedRAMP+DoD | Complete | NO | DISA/AF/DLA | Jun 2016 (3 yr); Jan 2017 (3 yr) |
| Salesforce Government Cloud | PaaS | 4 | FedRAMP+DoD | Complete | NO | DISA | Feb 2017 (1 yr) |
| Oracle FMCS | PaaS | 5 | FedRAMP+DoD | SSP/SAP/SAR | NO | DISA | Expected Feb 2017 |
| Box | SaaS | 4 | FedRAMP+DoD | SSP/SAP/SAR | NO | DISA/AF | Expected Mar 2017 |
| SAP Learning Management System (LMS) | SaaS | 4 | FedRAMP+DoD | SSP/SAP/SAR | NO | DLA/DISA | Expected Mar 2017 |

Current DISA/DoD Efforts

• Cloud Security Requirements Guide V1R2 published in March 2016; new version targeted for early March 2017

• DISA Secure Cloud Computing Architecture (SCCA); begin pilot in Q2 FY17

• Functional DODI 8530.01 "Cybersecurity Activities Support to DoD Information Network Operations" was released in March 2016

• Cloud Connection Process Guide collaborative effort

• Contracting language - DFARS subpart 239.76 revised Oct 2016

• Integrating CSP Cloud Service Offering information into tools such as eMASS to support RMF package inheritance



COMMERCIAL CLOUD COMPUTING

DCAO

Presented by:

Mr. Duong Hang Director

Feb. 23, 2017

DISTRIBUTION STATEMENT A. Approved for Public Release


Business Model Maturity Meeting Cloud Capabilities Maturity

Growing Commercial Maturity Increases Cost-effectiveness of Commercial Cloud Hosting

[Chart axes: Commercial Cloud Hosting Cost versus Commercial Cloud Hosting Maturity (↑ apps hosted, ↑ rules and regulation stability)]

Phases:

• Commercial Pilots: FY16 - Q1 FY17

• Cloud Store 1.0: Q2 FY16 - Q1 FY17

• Cloud Store 2.0: Q1 FY17 – Q1 FY21

• Cloud Store 3.0 and Beyond: Q2 FY19+

[Chart row labels: Portfolio of Capabilities; Governance & Processes]

Chart entries:

• Integrate commercial cloud into DCAO’s hosting process

• Develop service catalog, cost rate card, service level agreement

• Document commercial cloud lessons learned from pilots

• Identified and integrated Navy commercial cloud hosting efforts

• Established process to identify commercial cloud candidates

• Kicked-off commercial cloud pilots

• Released commercial Cloud SLA, service catalog

• Developed initial fee-for-service model for other-customer funded organizations

• Implemented government management service organization (MSO) needed for DoD PA IL4+

• Opened Cloud Store 1.0

• Awarded IaaS DoD PA Impact Level (IL) 2 Commercial Hosting Services (CHS) contract for Navy to Smartronix

• Added commercial cloud pilot apps

• Built interim Navy Cloud Access Point and Peering Points needed for DoD PA IL4+

• Implemented cloud broker management processes

• Opened Cloud Store 2.0

• Awarded IaaS DoD PA IL4 CHS contract to cloud service broker Red River Inc. ($48M over 5 years)

• Implement cloud app development & test environment

• Build backup interim CAP (TBD)

• Implement fee-for-service for all organizations (TBD)

• Implement app owner self-service, self-provisioning, self-management process

• Open Cloud Store 3.0

• Award IaaS & PaaS DoD PA IL5, IL6 contract(s)

• Award SaaS contracts for office productivity, unified comms, procurement system, ERP, personnel management

• Implement self-service cloud provisioning and monitoring tools

Cloud Onboarding Timeline

Notional Cloud Onboarding Step Comparison

Commercial (Days – Weeks)

• Rationalize (Days-Weeks)

– Execute targeted business process re-engineering

– Choose best-of-breed app to fit new processes

• Develop Biz Case (Days)

– Determine business & technical requirements, develop business case (out-source/in-source, buy, build, modernize), initiate project

• Contract (Days)

– Contract for cloud broker or particular CSP

– Approve service level agreements with monetary incentives or penalties

• Build/Modernize & Test (Days-Weeks)

– Determine & setup cloud resources & accounts

– Build new app in cloud, or install legacy app in cloud & modernize as needed

– Test and accredit system for operations

• Migrate (Days)

– Migrate users

– Decommission legacy environment

Navy (Months – Years)

• Gather Reqts (Weeks)

– Determine system requirements, develop contract, award contract

– DDCIO(N) Jan 17 memo: no business case required to go to cloud

• Contract (9-12 months)

– Contract for cloud broker with accredited CSP(s)

• Modernize (3-24 months)

– Modernize system to be cloud ready (with optional DCAO support)

• Build & Test (6-12 months)

– Determine & setup cloud resources & accounts

– Setup cloud access point connection (cybersecurity)

– Install apps and patch

– Test and accredit apps

• Migrate (Days)

– Migrate users

– Decommission legacy environment

Opportunities for Improvement / Help Needed

Government

• Cloud first, but not always: accept that not all apps in the cloud save money

• Accept that savings are downstream

• Translate mission risk to cybersecurity requirements versus cost

• Use business process re-engineering to eliminate non-value added processes and duplications of effort across enterprise

• Develop data strategy to meet business processes while optimizing cost

• Evaluate whether to buy, build, or renovate—when does it make sense to outsource versus continue to insource?

• Re-define cloud services as a utility; firm-fixed price contracts are not the answer

• Re-tool governance to balance centralized control (standards, acquisitions) against decentralized innovation

• Use re-accreditation timelines to encourage continuous business process re-engineering and app modernization

Commercial

• Continue to educate government on most sought after cloud services & dev tools

• Learn how long it really takes to get your service offerings available for government use

• Propose changes to specific government policies & processes to increase speed of delivery

• Invest in accreditation by obtaining FEDRAMP & DISA PA upfront

• Secure a contract through Navy or delegated managed service organization

• Invest to develop Navy accreditation artifacts including a detailed incident response plan

Navy Reserve Ready Now. Anytime, Anywhere.

Lessons Learned

NAVRES Commercial Cloud Pilot “Reserve Cloud Connect” powered by MS O365

Presented By:

CAPT J David Britt

RESFOR CTO

Engineering Challenge

URL Transformation

[Diagram labels: Navy CAP; SSCLANT DCAO, Charleston, SC; Navy MSFT Meet-Me Point; SSCLANT DCAO, Ashburn, VA; Navy Reserve DADF + Security; RESFOR (IaaS); Contract Support; Amazon Web Services; Microsoft Azure Environment; RESFOR (SaaS / PaaS); Microsoft; Microsoft Cloud; Home User; NMCI User]

13 ‘break / fix’ transactions for each action

This architecture is working well for MSFT O365 Exchange Online (mail) services. This approach may not be robust enough for follow-on services.

Navy CAP URL to O365 URL to Navy CAP URL

URL = mail.webapps.mil

URL = mail.usnavycloud.navy.mil


Program Challenges

• Evolve RESFOR cloud help desk / identify tiered seams

• SOP

• Service management roles

• Connectivity / Cloud Access Point (CAP)

• Capacity of Navy CAP, support for large numbers of users/services

• Availability of second CAP (Navy or DISA), contractual requirement

• Future engineering for Cloud architecture (Direct Connect vs. CAP & DEOS)

• Enterprise Level Contract Vehicle for O365

• Current funding for Cloud will not support more than 8,000 users

• Utilizing Army BPS Chess vehicle for (funding provided for licenses only)

• Independent vehicle for Azure PaaS

• Navy Reserve only pilot pursuing “home user” use case

• Outside the DoDIN user is extremely challenging

Engineering Lessons Learned

| SaaS (e.g. Office 365) | IaaS (e.g. Azure VNET) |
|---|---|
| Customers consume finished applications and features | Customers build solutions |
| Primarily user facing | Primarily IT facing |
| Focused on standard user collaboration experiences within and across organization boundaries | Focused on customer specific solutions within narrower organization boundaries |
| Highly distributed (not location specific) – gravitates where the users are | Location specific – customer decided where to put it |
| Optimized for standardization | Optimized for customization and solution building |
| Tenant isolation at the application level | Tenant isolation is at the infrastructure and network levels |

PaaS (e.g. Azure SQL)

Configuration Management - BCR Policies / Engineering - Elasticity

URL Transformation

NEN Productivity Services Strategy

Objective: Provide Enterprise Productivity Services Offering

Productivity Services offer end users the ability to conduct business activities on end user devices (including mobile devices) such as:

• Office solutions

• Web conferencing

• Online knowledge sharing

• Mobile device asset management

Strategy:

• Pilot capability in current environments (NGEN, RESFOR)

• Apply lessons-learned from pilots and other cloud implementations

• Future Service provisioning, delivery and integration to use multi-sourcing approach

• Ensure availability of Productivity offering via Service Management, Integration, and Transport (SMIT)

Industry input will inform NGEN-R Transition Plan and will guide the government's migration strategy from SMIT to the Cloud

DISTRIBUTION STATEMENT A. Approved for Public Release

Panel Discussion/Questions