Shared Services Canada and Cloud Computing Architecture Framework Advisory Committee Transformation, Service Strategy and Design December 17, 2012


Shared Services Canada and Cloud Computing. Slide Deck from the SSC Architecture Framework Advisory Committee

Page 1: Ssc cloud computing vision  afac dec17 12 final english

Shared Services Canada and Cloud Computing
Architecture Framework Advisory Committee
Transformation, Service Strategy and Design
December 17, 2012

Page 2

Agenda

TIME           TOPICS                                                      PRESENTER(S)
9:00 – 9:15    Opening Remarks and Objective                               B. Long, Chair
9:15 – 9:55    Shared Services Canada and Cloud Computing                  J. Danek, P. Littlefield
               • SSC’s Role in Cloud Computing
               • Opportunities and Challenges
9:55 – 10:05   Health Break
10:05 – 11:50  Open Discussion on Cloud Computing                          All
               • Basics of Cloud Computing
               • Getting to the Next Level
11:50 – 12:00  Timeline and Next Meeting: January 28, 2013 (9:00 – 12:00)

Page 3

Constraints, Dependencies, and Risks

AFAC Forward Agenda

[Timeline grid with columns Oct 2012, Nov 2012, Dec 2012, Jan 2013, Feb 2013, Mar 2013, Apr 2013 and May 2013, one row per topic:]
• Transformation Overview
• DCC and Telecom P2P
• Architectural Framework P2P
• Cloud Computing/Platforms: Jan 28; Finalize for ITIR
• Identity, Credential and Access Management*: X X; Finalize for ITIR
• Converged Communications (Voice, Video, Data)*: X X

Assumptions: * only for discussion purposes; Advisory committee meets every 4-6 weeks and has core group of members from ICT industry and SSC. Advisory committee would have minimum of two meetings to develop product for consideration by IT Infrastructure Roundtable and one meeting to finalize product before presentation to IT Infrastructure Roundtable.

Page 4

AFAC Forward Agenda: Next Meeting

PROPOSED TOPICS
• Implementation Approach & Priorities (Best Practice)
• Security Reference Architecture (NIST Presentation)
• Service Level Definitions & Taxonomy (NIST Presentation)
• Cloud Service Broker Roles & Responsibilities
• Service Modeling Standards

Page 5

Context For Cloud Computing

• SSC Mandate: Consolidating data centres and their computing/storage platforms
  − Large (> 5000 sq.ft.) – 22
  − Medium (1000 - 4999 sq.ft.) – 65
  − Small (100 - 999 sq.ft.) – 386
  − Other server locations – 2747

• Objective: Build and Buy Infrastructure as a Service (IaaS) and Platform as a Service (PaaS)
  – If building IaaS and PaaS: Community Cloud (e.g. GC SSC private cloud)
  – If buying IaaS and PaaS: e.g. Private or Hybrid Cloud; Public cloud (e.g. GC public facing web presence)

Page 6

SSC Core Mandate w/r TBS Profile of IT Services

• Standard service categories for management and accounting
• One of the outcomes of IT Expenditure Review Program (ERP)
• To ensure accurate accounting and reporting on IT expenditure
• Appropriated for these services to SSC and 43 Government of Canada departments/agencies

Page 7

ICT Deployment Models and Evolving Degrees of Accountabilities

[Figure: three service stacks, IaaS, PaaS and SaaS, each built from the layers Storage, Server HW, Network, Servers, Virtualization, Runtimes, DBMS/Databases, Applications and Security & Integration; within each stack the layers are labelled either "Managed by Shared Services" or "CIO managed".]

• IaaS: Infrastructure as a Service
• PaaS: Platform as a Service
• SaaS: Software as a Service (non Dept/Agency program Applications)

Page 8

SSC Consuming Cloud Services

[Figure: diagram of SSC Employees & Contractors (Desktop) consuming GC Cloud Computing services over GCnet Protected “B”; elements shown: Domino R8, CWA, STSI, B2B, ILMS, GEDS, GC-SRA, GC-WiFi, GC-LAN.]

Note – final decisions on email services pending completion of procurement process

Page 9

GC Cloud Conceptual

[Figure: GC cloud deployment zones and the services placed in each. Elements shown: Non-SSC Private Cloud (Directory, Free / Busy, Mobile Integration); External Community Cloud (e.g. CANARIE); GCnet; Internet; Remote Access; services including GCTravel, Public-facing web sites, GCdrive, Pay, Pension, Collab, Intranet sites, Canada.gc.ca, Jobs, Mail & Messaging, GEDS, GCDocs and MySchool.]

Community Cloud (GCnet)
• Internal services for GC community
• SSC-provided cloud services to the GC
• Secured perimeter
• Multi-Domain (Protected-B to Secret)

Public Cloud (GCnet-I*Net)
• e.g. Some public-facing GC presence
• e.g. Limited Development / Test capacity

Hybrid Cloud (GCnet over Secured Internet)
• Secured extension of GCnet to vendor
• Vendor-provided cloud services to the GC

Page 10

Cloud Computing: Defining Shared Services Canada’s Role

• SSC could be the Cloud Broker and could also be a Cloud Provider
• Some private cloud services could be provided by SSC
• This would be the “Community Cloud”
• The Cloud Broker would ensure multi-vendor management

Internal Private Cloud and External Cloud services should be defined by the same Service Architecture?

[Figure: cloud reference architecture showing the actors Cloud Consumer, Cloud Provider, Cloud Broker, Cloud Auditor and Cloud Carrier. Cloud Provider: Service Layer (SaaS, PaaS, IaaS), Resource Abstraction and Control Layer, Physical Resource Layer (Hardware, Facility), Cloud Orchestration, and Cloud Service Management (Business Support, Provisioning / Configuration, Portability / Interoperability). Cloud Broker: Service Intermediation, Service Aggregation, Service Arbitrage. Cloud Auditor: Security Audit, Privacy Impact Audit, Performance Audit. Cross Cutting Concerns: Security, Privacy, etc.]

Page 11

Cloud Computing: Opportunities and Challenges

Opportunities
• On-demand self service
    V storage
• Ubiquitous network access
    Community cloud (CWA, GCDocs)
• Resource pooling (location independence, homogeneity)
    Hybrid cloud - STSI
• Rapid elasticity
• Measured service
• Private clouds
    DCC and Telecommunications consolidations
• Data sovereignty, privacy and security
    Data in motion, data processing and data at rest

Challenges
• Connecting resources across clouds and customer premises
• Managing identity, federation, and access control
• Isolating tenants in a multi-tenancy environment
• Extending on-premises security & operations management practices to the cloud
• Latency and other performance-related considerations
• Network capacity and capability

Page 12

Cloud Computing: Basics

Specific Areas of Focus / What We Think We Know / Other

Service Framework Architecture
  What we think we know: NIST Framework
  Other: Are there other frameworks that NIST doesn’t incorporate that we should consider?

Service Models
  What we think we know: GSM, UML, SOMA
  Other: Are there any other standard service modeling tools that we should consider?

Security Architecture
  What we think we know: SSC Security Domains and Zones, CSEC ITSG33, NIST Security RA
  Other: Are there any other security frameworks that are not incorporated?

Getting to Next Level
  • Detailed component service architectures
  • Agreement on security framework & process
  Other: Any other considerations?

Next Steps
  • Do we need working groups? Governance structure? Other next steps?

Page 13

Preliminary Sample GC Service Architecture DCS

[Figure: Data Centre Services diagram. Service nodes shown, each labelled with its service model: IaaS DC LAN; IaaS I-Net Gate; IaaS Net ISP1; IaaS Cloud1 LAN; SaaS Cloud1 CRM; SaaS Cloud1 Email; PaaS Cloud1 .Net; PaaS Cloud1 Java; PaaS Cloud1 Oracle; IaaS Cloud1 x86; PaaS SEC1 Firewall; PaaS SEC2 IDS/IPS; SaaS MyKey; SaaS Broker1; SaaS Broker2; SaaS Broker3; SaaS ETI; PaaS ETI; IaaS ETI; PaaS Directory; USD5; PaaS Store1; IaaS z/OS; IaaS Store Archive; IaaS Store2; IaaS Store1; PaaS DB2; PaaS Oracle; PaaS Java; PaaS .Net; IaaS Linux; IaaS x86; IaaS Unix Sm; IaaS Unix Large; PaaS Load Bal. Grouping shown: Cloud Brokerage Services.]

• Data Centre Services View
• Illustrates IaaS, PaaS, & SaaS Services
• Services can service Users, or other Services
• Services can be accessed internally or externally
• Internal services are on the DC LAN
• External Services are accessed via the I-Net Gate and the Net ISP IaaS
• This service model is described in detail in GSM*

*GSM - Generic Service Model, A generic framework for describing a Service in terms of its systematic hierarchy of related service objects.

Page 14

Preliminary GC Sample Service Architecture DCS

[Figure: Data Centre Services diagram, second view. Groupings shown: SSC Data Centre, Mid-Range Platform Services, Cloud Security Services, Cloud Brokerage Services. Service nodes: IaaS DC LAN; IaaS I-Net Gate; IaaS Net ISP1; PaaS SEC1 Firewall; PaaS SEC2 IDS/IPS; SaaS MyKey; SaaS Broker1; SaaS Broker2; SaaS Broker3; IaaS Linux; PaaS Directory; IaaS z/OS; IaaS Storage Archive; IaaS Store2; IaaS Store1; IaaS Windows; IaaS Unix; PaaS Load Bal. External clouds Cloud1 to Cloud4, each shown with IaaS LAN, IaaS Linux, SaaS Mgmt. and IaaS Unix nodes.]

*GSM - Generic Service Model, A generic framework for describing a Service in terms of its systematic hierarchy of related service objects.

Page 15

Cloud Computing Model: United Kingdom

[Figure: cloud reference architecture as on Page 10: Cloud Provider with Service Layer (SaaS, PaaS, IaaS), Resource Abstraction and Control Layer, Physical Resource Layer (Hardware, Facility), Cloud Service Management (Business Support, Provisioning / Configuration, Portability / Interoperability), Security and Privacy; Cloud Broker (Apps Store) with Service Intermediation, Service Aggregation and Service Arbitrage; Cloud Auditor with Security Audit, Privacy Impact Audit and Performance Audit. Below the Network sit ICAM and MyKey SaaS alongside a grid of SaaS, PaaS and IaaS services.]

• Apps Store
• SaaS deployment
• Manage deployments
• Manage SLAs across a multi-service provider environment

Should SSC start as the UK did with the Broker Functions/SaaS?

Page 16

Cloud Computing Model: United States

[Figure: the Cloud Provider portion of the reference architecture: Service Layer (SaaS, PaaS, IaaS), Resource Abstraction and Control Layer, Physical Resource Layer (Hardware, Facility), Cloud Service Management (Business Support, Provisioning / Configuration, Portability / Interoperability), Security and Privacy. Below the Network sit several IaaS deployments.]

• “Cloud First” policy
• FedRamp / Procurement and security certification
• Start with IaaS deployment
• Cloud Service Management per vendor
• ICAM in place, but not leveraged
• Other International examples?

Should SSC start as the U.S. did with IaaS?

Page 17

For Discussion: Challenges Revisited – Requirements

• Connecting resources across clouds and vendor premises
• Managing identity, federation, and access control
• Isolating tenants in a multi-tenancy environment
• Extending on-premises security & operations management practices to the cloud
• GC as one tenant
• Latency and other performance-related considerations
• Network capacity and capability

1. How should SSC address these challenges?
2. What architectural artefacts and supports are required to support SSC leveraging cloud services going forward?
3. What criteria should SSC use to decide which services would be best for cloud service models?

Page 18

Timeline

December 17, 2012
• GCCC Architectures thoroughly discussed with AFAC members

January 28, 2013
• Revised GCCC architectures: feedback incorporated
• Platform strategy thoroughly discussed

February 2013
• Revised GCCC architectures endorsed by AFAC
• Platform strategy: feedback incorporated

March 2013
• Revised GCCC Platform endorsed by AFAC
• ICAM strategy thoroughly discussed with feedback

Page 19

Annex

Page 20

Cloud Computing Advance Reading Material

1. SSC Cloud Computing Vision
2. Security Domains & Zones Architecture
3. Security Domains & Zones Implementation Guidelines
4. Management Zone Implementation Guidelines
5. NIST Foundational Documents on Cloud Computing

SSC will incorporate all input from AFAC members and release final versions to the industry

Page 21

Cloud Standards Bodies

• Many standards bodies
• NIST is among the most mature and most often referenced
• NIST is open / public sector aligned
• Cloud Security Alliance (CSA) among most mature re security framework
• NIST has incorporated CSA’s framework in their Security Framework
• Are there Canadian considerations?

Page 22

Foundational Documents on Cloud Computing

NIST - Cloud Computing Reference Architecture SP-500-292
NIST - USG Cloud Computing Technology Roadmap SP-500-293
NIST - Definition of Cloud Computing SP-800-145
NIST - Cloud Computing Standards Roadmap SP-500-291
NIST - Cloud Computing Service Levels (TBA Feb. 13)
NIST – Cloud Computing Security Reference Architecture (TBA Jan.13)
CSA – TCI Reference Architecture
NIST Current Status Presentation (Dec.12)

Links:
http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudSecurity
https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI-Reference-Architecture-v1.1.pdf
docbox.etsi.org/Workshop/2012/201212.../NIST_BOHN.pd
http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909024
http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeI-2.pdf