Cloud Procurement: Best Practices for Public Sector Customers
David DeBrandt, Business Development
AWS Worldwide Public Sector
Agenda – Cloud Procurement
• Cloud Procurement Overview
• Procurement Models
• Solicitation Details
• Budget and Pricing
• Security and Cyber Controls
• Legal and Legislative Issues
Characteristics of Cloud
Old World IT                     New World of Cloud Computing
Price lock                       Low variable costs
Vendor lock-in                   No required minimum commitments
Rigid structure                  Rapid innovation
CapEx                            OpEx
Budget for tech refresh          Cloud providers continually upgrading
Months to plan and order         Rapid deployments
Design lock-in                   Agile architecture
Successful Public Sector Adoption Has Several Steps
• Security and Compliance
• Procurement
• Culture
• Broad Adoption
• Business Uses/Definition
• Policy
Government Organizations Should Plan Early
• Involve all key stakeholders at an early stage:
– Procurement
– Legal
– Budget/finance
– Security
– IT
– Business leadership
• Get comfortable with the cloud model
Understand Different Cloud Models
Stack layers (bottom to top): Networking, Storage, Servers, Virtualization, Operating System, Middleware, Runtime, Data, Applications.

Infrastructure (as a Service)
– Provider responsible: Networking, Storage, Servers, Virtualization
– Consumer responsible: Operating System, Middleware, Runtime, Data, Applications

Platform (as a Service)
– Provider responsible: Networking, Storage, Servers, Virtualization, Operating System, Middleware, Runtime
– Consumer responsible: Data, Applications

Software (as a Service)
– Provider responsible: Networking, Storage, Servers, Virtualization, Operating System, Middleware, Runtime, Data, Applications
– Consumer responsible: none of the stack layers
[Figure: Array of Cloud Project/Program Services]
Vendor/Owner Types (from Cloud Service Provider to Government Customer) plotted against Typical Project Packages.
Government Sponsor (CIO, etc.) with Gov Cust1, Gov Cust2, Gov Cust3 … Gov Custn; AWS as the cloud service provider.
Typical project packages:
– Professional Services: Training; Strategy & Roadmap; Solution Arch & Design; Tech Review & Audit; Req Analysis; App Devlp Supt
– Program Support: Service Desk; Program Mgmt; Billing & Account Mgmt
– IT O&M: Implement/Migration; Config Mgmt/COOP
– Governance
– Security Controls
– Infrastructure
Vendor/owner types: Direct Providers; Reselling; Cloud Migration and Service Providers; All-Inclusive System Integrators; Cloud Brokers; Packaging/Bundling of Cloud IaaS/PaaS
Cloud Governance
• Ownership and sovereignty
– Public Sector entity owns all data
• No long term contracts or exclusivity
– Public Sector entity can terminate at any time
• Choose location of your data
– E.g., Region in Brazil
Separate Infrastructure from Services/Labor
• Separate the purchase of infrastructure from services (planning, development, implementation, and maintenance).
• Results in maximum pricing efficiencies
Procurement Approach
• Indirect purchase:
– Managed Service Provider (MSP)
– Independent Software Vendor (ISV)
– Consultant/System Integrator/Reseller
• Direct purchase from CSP
Broad Eco-System of Partners
Procurement Models
• Understand different procurement models to buy cloud:
– Cloud catalogue procurements
– Solution procurement
– Immediate cloud needs
Procurement Models – Cloud Catalogues
A pre-approved catalogue that can be used by multiple purchasers – a ‘license to hunt’
• Commercial Item: a utility-type service with no custom-built deliverables
• Flexible pricing models: cloud vendors have different approaches
• Quantities: not known in advance
Procurement Models – Solution Procurement
• Traditional IT procurement – cloud infrastructure is only a component
• Seek best value of cloud resources
Procurement Models – Immediate Needs
• On-demand infrastructure
• Emergent or temporary needs
• Use cloud catalogue, existing vendor contract
Don’t Be Overly Prescriptive
• Focus on overall performance
• Do not dictate specific methods, hardware or equipment
• Leverage commercial best practices
New and Updated Services
• Take advantage of new and improved services
• Avoid including restrictions or consent requirements on the CSP's ability to change/improve services (and related terms)
Cloud Provider Evaluation Criteria

Evaluation: Experience
Question to Ask: How long has the vendor been providing cloud related services?
AWS Value: AWS has been building and managing its cloud services since 2006.

Evaluation: Service Breadth and Depth
Question to Ask: Provide details on how deep and wide the set of services provided go.
AWS Value: 40+ services to support any cloud computing workload.

Evaluation: Pace of Innovation
Question to Ask: How does the vendor continue to innovate its offerings?
AWS Value: AWS has released over 1,100 new services or major features since 2008 (including 516 in 2014).

Evaluation: Global Footprint
Question to Ask: How large is the vendor's global footprint?
AWS Value: AWS serves customers through our 11 Regions, 28 Availability Zones, and 52 Edge Locations.

Evaluation: Pricing Philosophy and History
Question to Ask: How does the vendor offer its pricing? Is there a long-term lock in? What is the history of price reductions?
AWS Value: For each AWS service, you pay for exactly the amount of resources you actually need in a utility-style pricing model. AWS has lowered prices 48 times in the last eight years.

Evaluation: Total Cost of Ownership (TCO)
Question to Ask: Does the vendor provide a complete TCO analysis (not just an "apples to apples" approach measuring potential hardware expense alongside utility pricing)?
AWS Value: AWS offers the following TCO tool: http://aws.amazon.com/tco-calculator/

Evaluation: Ecosystem
Question to Ask: How extensive is the ecosystem of vendors that work with the CSP?
AWS Value: 8,000+ SIs and ISVs; 2,000+ AWS Marketplace products.

Evaluation: Security and Audit Certifications
Question to Ask: Does the CSP have industry-acknowledged certifications and accreditations?
AWS Value: AWS can cite many security frameworks, best practices, audit standards, and standardized controls, including: SOC 1, SOC 2, SOC 3, PCI DSS, ISO 27001, ISO 9001, and U.S. FedRAMP.

Evaluation: Industry Analysis
Question to Ask: How is the provider assessed by independent analysts?
AWS Value: AWS has been assessed by multiple independent analysts, including Gartner, Inc., Forrester Research, and IDC.
Flexible Pricing Model
• Pay as you go model
• Fluctuating/variable prices
• Accept multiple pricing models from CSPs
– Don't compare 'apples to apples'
• Transparency
Supervising and Controlling Budget and Consumption
• Utilizing Resellers/Solution Providers to manage consumption of CSP Infrastructure and Platforms
• Create internal control organization to manage utilization
• Explore existing contract models, such as those used for buying electricity
Certifications and accreditations for workloads that matter
Architected for Government Security Requirements
Leverage 3rd Party Accreditations for Security, Privacy, & Audit
• Leverage industry best practices on security and audit
• Avoid mandating your unique security protocols
• Take into account levels of security required
Understand Security is a Shared Responsibility
AWS takes care of the security OF the Cloud:
– AWS Foundation Services: Compute, Storage, Database, Networking
– AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
You get to define your controls IN the Cloud:
– Identity, Data, Infrastructure
– Customer applications & content
Terms & Conditions
• Commercial item: an item sold, leased, licensed, or otherwise offered for sale to the general public
• Evolving terms and conditions
– Take advantage of continuous evolution of cloud's enhanced features and efficiencies
• Avoid unnecessary restrictions or change consent
• Identify only relevant requirements and terms
Service Level Agreements
• Accept Commercial Cloud Provider SLAs
– The scalability and low cost of the cloud is directly linked to a single model for all customers
• If required, additional SLAs could be handled by reseller or solution partner
Minimized Admin Burdens
• Minimize needs for project requirements
– If working with the CSP directly, avoid project meetings, customized reporting, and non-standard notifications
– Rely on resellers/partners for add-on project requirements
Legislative Issues
• Understand how existing laws and policy can affect this approach:
– Security standards
– Audits
– Pricing controls
– Inability to accept changing terms
Cloud Procurement Best Practices
April 9, 2015

Cloud Models
• CSPs provide foundational services to build solutions/house workloads.
• Accept different vendor approaches – CSP offerings are not apples to apples.
• Understand different ways to buy SaaS v. IaaS/PaaS.

Performance Based Requirements
• Focus on application-level and performance-based requirements – not dictating specific methods, infrastructure or hardware. Ultimately, you are not buying a physical asset.

Pricing
• Embrace on-demand, utility-like, OpEx model cloud pricing. Traditional IT pricing approaches can reduce or eliminate benefits of cloud.
• Accept different vendor pricing models – do not create a single pricing model.

Security/Assurance/Audit
• Shared security/compliance model between the CSP & end user.
• Leverage industry best practices on security and audit.

Terms & Conditions and SLAs
• View cloud as a commercial item and consider appropriate terms & conditions.
• A mechanism to incorporate CSP's unique terms and conditions.
• Leverage CSP's commercial SLAs, i.e. uptime, durability, reliability etc.

Vendor Types and Partner Ecosystem
• A model to obtain cloud services directly from CSP and/or an indirect model in which cloud services are procured through partners or resellers.
• Do not consider or treat CSPs as System Integrators (SIs).

Services vs. Infrastructure
• Separate purchase of cloud infrastructure from the purchase of services and labor for planning, developing, and executing migrations & workloads.
Cloud Procurement Next Steps
• Understand the cloud model, security and how it is different from traditional IT
• Understand working with partners/resellers
• Understand Cloud pricing and SLA constructs
• Focus on requirements that are cloud specific – not traditional IT