Government Transparency: Cross-cutting Business Use Cases for Cloud Computing Dr. Richard L. Klobuchar, SAIC August 17, 2011


Page 1: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Dr. Richard L. Klobuchar, SAIC
August 17, 2011

Page 2: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Introduction
• “Cloud-First” Strategy and 25-Point Plan
• Important Role of NIST – Definitions, FedRAMP, Reference Architecture, SAJACC, Business Use Cases
• Why, When, and Where does it make good business sense to migrate to a cloud?
• Cross-cutting business use cases – What business functions make sense?
• Role of GSA Infrastructure-as-a-Service (IAAS) and Email-as-a-Service (EAAS) – NEW!!!
• Observations and final thoughts to ponder
• Late breaking news from the Cloud PMO

Page 3: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

What is the Cloud (Really) and Where is It Useful?

Page 4: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Federal Government Drivers and Trends: 25-Point Plan including “Cloud-First” Strategy (Dec 9, 2010)

PART I: ACHIEVING OPERATIONAL EFFICIENCY
A. Apply “Light Technology” and Shared Solutions
1. Complete detailed implementation plans to consolidate at least 800 data centers by 2015
2. Create a government-wide marketplace for data center availability
3. Shift to a “Cloud First” policy
4. Stand-up contract vehicles for secure IaaS solutions
5. Stand-up contract vehicles for commodity services
6. Develop a strategy for shared services

“Cloud First” Strategy
– Begins immediately with three (3) parts:
  • Use commercial cloud technologies where feasible
  • Launch private government clouds
  • Utilize regional clouds with state and local governments
– Default to cloud-based solutions

3.1 Publish cloud strategy
• Federal CIO will publish a strategy to accelerate the safe and secure adoption
• NIST will facilitate and lead the development of standards

3.2 Jump-start the migration to cloud technologies
– …required to identify three “must move” services and create a project plan for migrating each of them to cloud solutions and retiring the associated legacy systems. Of the three, at least one of the services must fully migrate to a cloud solution within 12 months and the remaining two within 18 months.

Federal Cloud Computing Strategy subsequently published on Feb 8, 2011

Page 5: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Primary Activities within the Federal Cloud PMO

• Apps.gov: 1st Federal storefront offering commoditized cloud services
• FedRAMP: “Authorize Once, Use Many” approach to security for Cloud Service Providers
• Federal Data Center Consolidation Initiative: Assist agencies to consolidate at least 800 data centers by FY15
• Infrastructure-as-a-Service (IAAS): Commodity computing resources made available through GSA BPA
• Software-as-a-Service Email: Cloud Email to be made available (Summer 2011) through BPA
• Platform-as-a-Service (Geospatial): Geospatial PAAS work currently underway

Business Use Cases Addressed Here

Other related:
• Trusted Internet Connections (TIC)
• Green IT
• IPv6

Page 6: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Reinforcing the Federal Strategic Decision re Cloud Computing
• Federal Cloud Computing Strategy called out the important role of NIST in promoting standards and security measures for cloud computing:
• Cloud Definitions and Guidance:
  • Formal Definition of Cloud Computing in Special Publication SP800-145
  • Security and Privacy Guidelines for Public Cloud Computing in SP800-144
• Industry/Government Working Groups/Committees established for:
  • FedRAMP (Federal Risk Assessment Management Program) for cross agency C&A with utilization of NIST SP800-53 as a tech basis under FISMA
  • SAJACC (Standards Acceleration to Jumpstart Adoption of Cloud Computing)
  • Reference Architecture definition
  • Business Use Cases definition

Recently established Cloud “Best Practices” Working Group (now addressing details of how business use cases should be implemented)

Page 7: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Most organizations perform a common set of business functions that are amenable to a cloud-based approach within the 4 NIST deployment models – Cross-cutting BUCs

NIST 3-Part Cloud Definition

Service Models
• Software-as-a-Service is access to virtualized applications via thin clients (e.g., Web browser)
• Platform-as-a-Service is access to programming environments and tools
• Infrastructure-as-a-Service is access to an operating environment (e.g., servers, storage, network)

Deployment Models
• Cloud infrastructure operated solely for a single organization; can be 3rd party; on- or off-premises
• Cloud infrastructure shared by multiple organizations with similar mission or interest; can be 3rd party; on- or off-premises
• Cloud infrastructure is property of the cloud provider and open to everyone
• Combination of two (2) or more deployment types; enabling portability and cloud bursting

Essential Characteristics
• On-Demand Self-Service
• Broad Network Access
• Resource Pooling
• Rapid Elasticity (scale up/down)
• Measured Service

Page 8: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Important to Appreciate the Tradeoffs between Cost and Security for the Cloud Deployment Models

[Figure: the Public, Private, and Community deployment models plotted on two axes, Risk Reduction and Cost Savings]

Page 9: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Why Government Is Turning to the Cloud?
• Agility, speed, and flexibility
  • Rapid deployment and change management (Minutes vs. months to provision IT resources)
  • Adaptable to changing/unpredictable business needs
  • Ideal for cyclical or episodic circumstances
  • User self-service capabilities possible
• Financial benefits
  • Cost savings vs. legacy (some perceived, some real)
  • “Pay-as-you-go” model reduces financial risk and exposure
  • Move from capital (CapEx) to operating expense (OpEx)
  • A “natural” for Green IT and data center consolidation mandates

Page 10: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Why Government Is Turning to the Cloud?
• Simplicity and convenience
  • Easy, on-demand procurement of cloud services “promised”
  • Encourages use of standardized resources/applications
  • Easy mobile access to applications globally
• New capabilities
  • New integrated solutions not feasible before
  • Most security risks well mitigated and being addressed by FedRAMP
  • New citizen services opportunities facilitated by wide cloud adoption

Besides, “Cloud-First” is now mandated for Government!!!

Page 11: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Mission Areas for Government Business Use Cases Leveraging NIST Cloud Characteristics. Agencies with:

• Large eGovernment, public, info dissemination mission, and those subject to “flash” crowds should be among the first adopters. NO BRAINER! with minimal security risk

• A cyclical and seasonal set of requirements (e.g., Census, IRS, NOAA, DOE, Agriculture)

• Large databases and statistical responsibility requiring large-scale scientific and technical computing resources (to largely be on standby)

Page 12: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Mission Areas for Government Business Use Cases Leveraging NIST Cloud Characteristics. Agencies with:

• Episodic requirements which can benefit from rapid, on-demand cloud provisioning
  • Emergency management per the Federal Response Plan with 28 agencies and FEMA
  • International support (e.g., Japanese Earthquake and Tsunami; Middle East crises, etc.)

• e-Filing, complex multi-directional object submission, public collaboration, benefits transfer, and grants management -- “eGovernment Applications”

Page 13: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Mission Areas for Government Business Use Cases – Leveraging NIST Cloud Characteristics. Agencies with:

• Broad and distributed defense, international, financial, and intelligence responsibility needing to:
  • Gather information, collaborate, analyze, visualize, develop situational awareness, and deliver information
  • Also includes mobile delivery
  • Examples: border surveillance; financial market surveillance, environmental monitoring

Page 14: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Mission Areas for Government Business Use Cases Leveraging NIST Cloud Characteristics. Agencies with:

• Well-defined communities and regulatory responsibility to adopt a “push/pull” scenario for secure access to “regulated distributed databases”
  • Collaboration with states, localities, and regulated industries (within 1 - 2 years)
  • Examples: “Smartgrid”, Healthcare, Energy, Financial, Environmental, Emergency Management, etc.

• Well-defined business functions that can be typically out-sourced and acquired as SaaS, such as HR and Financial Management (FM)

Page 15: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Most organizations perform a common set of business functions that are amenable to a cloud-based approach within the 4 NIST delivery models:

• Development and test
• Search and retrieval
• Records management services and digital notary
• Information dissemination
• e-Filing – electronic submission of documents/data with receipts and validation (“electronic mailroom”)
• Benefits and grant transfer
• Collaboration and information sharing
• Social networking
• Mobile access / delivery
• Communications (email & messaging)
• eDiscovery, statistical analysis, and analytics
• Geospatial services (PAAS)
• Workflow management
• Archiving and data storage
• Document management
• Backup and Recovery and Continuity of Operations (COOP)
• Data gathering and situational awareness
• FOIA support services
• ITIL and SLA Management-as-a-Service
• Managed Security Services (e.g., Identity Mgmt, Penetration Testing, Persistent PKI, Continuous Monitoring, Intrusion Detection, Managed Endpoint Security)

Cross-cutting Business Use Cases

Page 16: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Secure eFiling with Records Management and Interchange Across Business Partners

Infrastructure-as-a-Service

Page 17: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

1. Apptis Inc. partnered with Amazon Web Services

2. AT&T

3. Autonomic Resources partnered with Carpathia, Enomaly, and Dell

4. CGI Federal

5. Computer Literacy World partnered with Electrosoft, XO Communications and Secure Networks

6. Computer Technology Consultants partnered with Softlayer, Inc.

7. Eyak Tech LLC

8. General Dynamics Information Technology (GDIT) partnered with Carpathia

9. Insight Public Sector partnered with Microsoft

10. Savvis Federal Systems

11. Verizon Federal Inc (now with Terremark).

Issues and Observations:

• Number of awardees is very high. Looks like every firm/organization that applied received an award

• Awardees currently striving to achieve FISMA Moderate security assessment via FedRAMP.

• The GSA BPA for IAAS DID NOT provide for SI services, nor any labor services for actual development and migration of agency apps/data/use cases to the cloud

• IAAS was pure, low-cost, commodity cloud services BPA for servers, storage, and network resources

• Agencies are beginning to be inundated and perplexed as to whom to select? Why? How do they get to the promised land? What functions and business use cases should they implement?

GSA IAAS Provides the Infrastructure for Hosting the BUCs

Page 18: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Major Agency Systems Integration Concerns Needing to be Addressed Under GSA IAAS

• “What should agencies do?” (Especially, in light of the OMB 25-Point Federal IT Reform Plan)

• “How should they do it?”
• “How should they interact with FedRAMP?”
• “Which cloud vendor(s) should they select and why?” SLA differences?
• “What applications and data should be migrated?”
• “How much is it going to cost?”
• “How do they manage and govern the process of cloud migration?”
• “What are the key risks and mitigation measures?”
• “Should they use existing contract vehicles or issue a new development/migration purchase order?”

Page 19: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

• Even more competitors are expected with $2.5B ceiling

• Now contains applications migration and integration services with 11 labor categories

• FedRAMP up to FISMA HIGH

• Many NIST cross-cutting business use cases now incorporated in lots:
  • Email and collaboration
  • eDiscovery and searching
  • Archiving, storage, backup and restore services
  • Social networking (ala Web page development)
  • Records management services
  • Mobile delivery

• Five (5) service offerings:
  • Lot 1: Email-as-a-Service
  • Lot 2: Office Automation
  • Lot 3: Electronic Records Management
  • Lot 4: Migration Services
  • Lot 5: Integration Services

• Four (4) categories of cloud computing:
  • Government community cloud
  • Provider-furnished equipment private cloud
  • Secret enclave
  • Public cloud

NEW: GSA EAAS Embeds Many NIST Business Use Cases

Page 20: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Observations and Final Thoughts To Ponder…

• NIST Business Use Cases are viable for implementation in a cloud. Several implementations already exist as exemplars with lessons learned

• Many organizations are beginning with a private cloud--a safe but less cost-effective starting point.

• Many IT organizations view a cloud computing roadmap as a technology implementation rather than a change agent for business processes.

• They need to partner with the CFO and other internal stakeholders to deliver business process value first and foremost

• More of a business transformation than a technology revolution

• An enlightened design can securely integrate internal and external resources – learn and appreciate the standards – especially security and interoperability

Page 21: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Observations and Final Thoughts To Ponder…

• The public cloud will become more secure and less risky as time goes on. Virtually every organization has something like information dissemination or e-learning that can be a test case for the public cloud

• Besides you can always encrypt and store the keys in your trusted private environment

• Community clouds will initially form around classes of users. Over time, however, communities will align to feature certain capabilities (like financial management providers) in clouds optimized to provide that kind of service.

• Prescient organizations will redefine the role of the IT department as part of a move to cloud computing. Personnel will need training and eventual redeployment to harness the talent and achieve efficiencies.


Page 22: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Late-Breaking News….

• NIST Business Use Cases, Best Practices, Reference Architecture, and Standards

• Infrastructure-as-a-Service (IAAS) Availability

• E-Mail-as-a-Service (EAAS)

• FedRAMP Implementation

Page 23: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Transparency in Government

Page 24: Government Transparency: Cross-cutting Business Use Cases for Cloud Computing

Contact Info

Dr. Richard L. Klobuchar
SAIC
VP and Chief Scientist/Engineer
Homeland and Civilian [email protected]
(757) 560-5590