CalCloud Government End-User Group
November 4, 2015

Page 2: Introducing…

Chris Cruz, Chief Deputy Director, Operations, Department of Technology

Page 3: Agenda

• Welcome
• Introduction (Chris or myself)
• CDFA migration of 70 apps (Hence)
• Security (Dave)
• Technical Architecture (Scott and Kyle)
• Q/A

Page 4: What is CalCloud?

CalCloud is a suite of cloud services offered by the Department of Technology, which includes:

• IaaS, a private cloud infrastructure service, offered with three operating-system options: O/S licenses with security updates (vendor-managed patching); O/S licenses with customer-managed patching; customer-provided O/S with customer-managed patching
• SaaS, Vendor Hosted Subscription Services (VHSS): Salesforce, Clarity, Remedy on Demand
• Lines of business: Disaster Recovery, Storage, Email, HR

Page 5: CalCloud Strategy

Page 6: CalCloud Architectural Decisions

The CalCloud is engineered for flexible, secure, cost-efficient, enterprise-class workloads.

[Diagram: design principles around the Cloud Service Provider Platform: Personalization, Scalability, Security & Isolation, TOM, Low-Cost Accommodation, Extensibility, Flexible Self-Service, Enterprise-Class, Control]

• The CalCloud provides enterprise-class availability and backup/restore and disaster recovery capabilities.
• CalCloud is designed to support the need for low-cost accommodation: the ability to combine low cost with the flexibility to accommodate a wide range of diverse government requirements.
• A flexible self-service model, which adapts to departmental needs and is able to bring future services on board.
• CalCloud supports multiple security standards and models and is a highly secure multi-tenancy architecture.
• The usability model provides an intuitive, relevant, role-based and customizable user interface.
• CalCloud is extensible with other hypervisors and operating systems, other storage solutions, and other compute tiers.
• CalCloud supports flexible dashboards, reporting services and service catalogs; state cloud service consumers will feel in control.

Page 7: Introducing…

Robert Schmidt, Office of Technology (OTech) Chief, California Department of Technology

Page 8: Introduction of User Group

The User Group was implemented to:

• Align IT tactical efforts with IT strategy;
• Ensure that the CalCloud achieves its implementation roadmap;
• Recommend CalCloud requirements;
• Enhance CalCloud visibility while managing implementation risk;
• Communicate the organization’s cloud strategy to government business and IT leaders.

Page 9: Introduction of User Group

Members are responsible for:

• Serving as change champion within their agency;
• Aligning tactical IT implementation with IT strategy;
• Assessing the business impact of moving IT services to the hybrid cloud.

Page 10: New User Group Lead

Hence Phillips, CDFA. CDFA has 70 applications running on CalCloud.

• Time to deploy applications
• Performance standards of applications
• Ease of use for customers
• Security
• Lessons learned / tips

Page 11: User Group Lead

Answer as a developer using CalCloud:

• How does CalCloud help me do my job?
• How does CalCloud solve my technical problem?
• What do developers most appreciate about CalCloud?
• What technical benefit do I receive from using CalCloud?

Page 12: CDFA CalCloud Architecture

[Diagram: the CDFA Network and the Internet connecting to CDFA’s CalCloud servers: Mercury (Primary Web), Venus (Primary DB), Earth (Utility), Mars (Secondary Web), Jupiter (Sandbox), and the CDFA Mail Relay]

Page 13: Introducing…

Scott MacDonald, CalCloud Chief, California Department of Technology

Kyle E. Pribilski, IBM

Page 14: Overview of CalCloud

• Dedicated private cloud (IaaS) for the State.
• Service hosted in State data centers and behind State network (LAN/WAN) and security.
• Provided by a cloud service vendor (IBM). The CalCloud vendor provides hardware, software, portal and OS administration (patching).
• Usage based with no initial cost to the State.
• Self-service business model (via web portal) and low-cost service offering.

[Diagram: dedicated virtual private cloud and shared cloud services on CalCloud: Flexibility, Security and isolation, Multiple technology platforms, Control, Competitive pay-as-you-go]

Page 15: “Shopping Cart” & Self-Provisioning Model

[Diagram: Service Catalog and Shopping Cart. Select base server size (Small, Medium, Large, Extra Large); select OS; select extras (RAM, Storage, Disaster Recovery, Backup, Virtual Appliances, Data Encryption)]

Page 16: CalCloud “Shopping Cart” and self-provisioning model (2)

1. Shopping and provisioning:
• Small, Medium, Large, or Extra Large VMs
• Microsoft Windows Server, Red Hat OS or AIX
• Add-ons including RAM, Storage and Backup
• Infrastructure Disaster Recovery services: select IDR tier (0, 1, 2)
• Select Backup/Restore tier (0, 1, 2)
• Pick extra memory and storage
• Put into shopping cart
• Build application templates and save in shopping cart
• Press “Submit”

2. Monitoring and reporting:
• Performance metrics
• Capacity metrics (total compute, storage, RAM, backup)
• Billing data broken down by consumer
• See open trouble tickets
• All CalCloud consumer servers along with up/down status
• Current CPU, RAM, and storage usage for each server
• Total backup used and available

3. Management and modification:
• Upgrade or downgrade an existing VM to Small, Medium, Large, or Extra Large
• Increase or decrease add-ons including RAM, Storage, and Backup
• Stop existing IDR services

4. Decommissioning:
• Decommission a single image or an entire project

Comprehensive Self-Service Model

Page 17: CalCloud Flexibility

[Diagram: CalCloud layers (User Access Layer; Management & Automation Layer; Resource Abstraction & Control Layer; Physical Resource Layer). Each Department has its own Virtual Private Cloud with: My User Roles, My Shopping Cart, My Approval Process, My Reports, My Dashboards, My Trouble Tickets, My Billing Status, My Templates. These sit on top of the CalCloud Standard Services provided by CalCloud/IBM: Two-Factor Authentication, Standard Reports, Service Catalog, Standard Approval Processes, Standard Dashboards, LDAP with standard user roles, Provisioning, Modifications, Usage & Accounting, Backup/Restore, Multi-tiered IDR]

Page 18: CalCloud Logical Architecture Diagram

[Diagram, by layer:]
• Layer 1, User Access (CalCloud Portal): Service Catalog, Shopping Cart, Provisioning, Image Lifecycle Mgmt, Reporting Services, Events Dashboard, Backup/Restore, IDR, Trouble Tickets, Billing Status, 2FA, Guides/FAQs/Videos
• Layer 2, Management & Automation: Service Automation Management, Usage and Accounting, Monitoring, Reporting Warehouse, Storage and Backup Management, CalCloud Managed Security, CalCloud Managed Services; OTech interfaces: Trouble ticketing, LDAPs, Invoicing, SIEM
• Layer 3, Resource Abstraction & Control: VMware vSphere (x86), IBM PowerVM/PowerVC (POWER), IBM Storage Virtualization Center
• Layer 4, Modular Physical Resources: Compute Nodes (Windows/RHEL x86), Compute Nodes (AIX on POWER), Common Cloud Storage, Network, Backup Storage, STaaS Block Storage, zLinux/DS8000 (modular addition), Tenant Managed AIX Environments

Page 19: CalCloud Logical Architecture Diagram

[Diagram, by layer, showing the products behind each function:]
• CDT/Departmental interfaces: Remedy, LDAP, Billing, LogLogic SIEM
• User Access Layer: Jazz/DASH Portal and Consumer Dashboard (Service Catalog, Shopping Cart, Provisioning, Lifecycle Mgmt, Instant Backup, Scheduled Backup, Reporting, Trouble Tickets); Tivoli Identity Manager (Authentication / Authorization)
• Management & Automation Layer: SmartCloud Control Desk, SmartCloud Managed Backup, Tivoli Common Reporting, Tivoli Storage Manager, IBM Service Delivery Manager (Reporting Warehouse, Service Automation Management, Usage & Accounting, Monitoring), Storage Mgmt, Device Mgmt, Storage Pools and Policies; CalCloud Managed Security and CalCloud Managed Services
• Resource Abstraction & Control Layer: VMware vCenter, vSRM, HA/DRS, vSphere; PowerVM, PowerHA, Live Partition Mobility, PowerSC; TSM for VE Backup Archive Agent
• Physical Resource Layer: IBM Flex System (CalCloud Portal and Management VMs; CalCloud Tenant VMs, x86 and POWER), NetApp ONTAP Common Cloud Storage, IBM Flex Fiber Channel Interconnect, VTL Backup Storage Arrays

Page 20: CalCloud R&R

Page 21: CalCloud Storage Services

Page 22: CalCloud Tenant Space

A TVN is created via a number of VLANs which implement the isolated network environment.

Only the DMZ tier has inbound access from the Internet.

Across the four tiers

A standard TVN provides a pre-defined number of IP addresses (therefore a pre-defined number of VMs can be supported). For tenants who require additional VMs or environments, the TVN model can be extended.

Tier VLANs are all /25 (128 addresses), except the Util VLAN, which is /24 (256 addresses).
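The tier-VLAN layout described on this slide, as an added Python model that is not part of the presentation or of CalCloud’s own tooling: it carves four tier VLANs (/25 each, Util /24), computes how many VMs each can hold, answers whether a connection arriving from the Internet may reach a given address (only the DMZ tier), and extends the TVN with a further VLAN while refusing a prefix that overlaps an existing tier. The 10.20.x.x prefixes, the tier names other than DMZ and Util, and the three reserved addresses per VLAN (network, broadcast, gateway) are assumptions, not values from the slide.

```python
"""Model of a CalCloud Tenant Virtual Network (TVN): tier VLANs, VM capacity and Internet inbound policy.

Added example, not CalCloud's code. The 10.20.x.x prefixes, the tier names other than DMZ and Util,
and the count of reserved addresses per VLAN are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class TierVlan:
    name: str
    network: ipaddress.IPv4Network
    internet_inbound: bool  # slide: only the DMZ tier has inbound access from the Internet


# Per VLAN, the network address, broadcast address and tier gateway are not usable by VMs (assumed 3).
RESERVED_PER_VLAN = 3


def standard_tvn() -> Dict[str, TierVlan]:
    """Standard TVN: four tier VLANs, /25 each (128 addresses) except Util, which is /24 (256 addresses)."""
    tiers = [
        TierVlan("dmz", ipaddress.ip_network("10.20.0.0/25"), internet_inbound=True),
        TierVlan("app", ipaddress.ip_network("10.20.0.128/25"), internet_inbound=False),  # tier name assumed
        TierVlan("db", ipaddress.ip_network("10.20.1.0/25"), internet_inbound=False),     # tier name assumed
        TierVlan("util", ipaddress.ip_network("10.20.2.0/24"), internet_inbound=False),
    ]
    return {t.name: t for t in tiers}


def vm_capacity(vlan: TierVlan) -> int:
    """Addresses a tenant can actually assign to VMs in this VLAN."""
    return vlan.network.num_addresses - RESERVED_PER_VLAN


def tvn_capacity(tvn: Dict[str, TierVlan]) -> int:
    """The pre-defined number of VMs a TVN can hold, summed over its tier VLANs."""
    return sum(vm_capacity(v) for v in tvn.values())


def tier_of(tvn: Dict[str, TierVlan], ip: str) -> Optional[str]:
    """Name of the tier VLAN containing `ip`, or None if the address is outside this TVN."""
    addr = ipaddress.ip_address(ip)
    for vlan in tvn.values():
        if addr in vlan.network:
            return vlan.name
    return None


def internet_inbound_allowed(tvn: Dict[str, TierVlan], dst_ip: str) -> bool:
    """A connection from the Internet may reach `dst_ip` only if it sits in an Internet-facing tier (the DMZ)."""
    name = tier_of(tvn, dst_ip)
    return name is not None and tvn[name].internet_inbound


def extension_conflict(tvn: Dict[str, TierVlan], prefix: str) -> Optional[str]:
    """Name of an existing tier VLAN that overlaps `prefix`, or None if the prefix is free."""
    net = ipaddress.ip_network(prefix)
    for vlan in tvn.values():
        if vlan.network.overlaps(net):
            return vlan.name
    return None


def extend_tvn(tvn: Dict[str, TierVlan], name: str, prefix: str) -> Dict[str, TierVlan]:
    """Extended TVN: add a tier VLAN for tenants who need more VMs. Added tiers never face the Internet."""
    clash = extension_conflict(tvn, prefix)
    if clash is not None:
        raise ValueError(f"{prefix} overlaps the existing {clash} VLAN")
    if name in tvn:
        raise ValueError(f"tier {name} already exists")
    extended = dict(tvn)
    extended[name] = TierVlan(name, ipaddress.ip_network(prefix), internet_inbound=False)
    return extended


if __name__ == "__main__":
    tvn = standard_tvn()
    for vlan in tvn.values():
        print(f"{vlan.name:5} {str(vlan.network):16} {vm_capacity(vlan):4} VMs  Internet inbound: {vlan.internet_inbound}")
    print("standard TVN capacity:", tvn_capacity(tvn))                                    # 628
    print("Internet -> 10.20.0.10 (dmz):", internet_inbound_allowed(tvn, "10.20.0.10"))   # True
    print("Internet -> 10.20.1.5 (db):", internet_inbound_allowed(tvn, "10.20.1.5"))      # False
    bigger = extend_tvn(tvn, "app2", "10.20.3.0/25")
    print("extended TVN capacity:", tvn_capacity(bigger))                                 # 753
    print("conflict for 10.20.0.64/26:", extension_conflict(tvn, "10.20.0.64/26"))        # dmz
```

The capacity figures follow directly from the slide’s prefix lengths (125 VMs per /25 tier, 253 in the /24 Util VLAN, 628 in a standard TVN); the policy function is the check a tenant should apply before asking for a public listener on anything outside the DMZ tier.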

Page 23: CalCloud Backup and Recovery

Tier 1 storage provides optional services that can be selected for the storage allocated to a VM (all storage for a VM shares the same characteristics).

Tier 1 Backup and Recovery (BUR): Tier 1 BUR provides a Recovery Point Objective (RPO) of 1 hour with a retention period of 24 hours. Tier 1 BUR is implemented via a snapshot captured within the storage disks.

Tier 2 Backup and Recovery (BUR): Tier 2 BUR provides a Recovery Point Objective (RPO) of 24 hours with a retention period of fourteen days. Tier 2 BUR is implemented via a whole-VM backup to the TSM backup subsystem.

Restore operations are requested via the portal. For Tier 2 backups, either the entire VM or a selected file can be restored.

Encryption: Tier 1 storage can be encrypted on disk. Note that this protects data only while it resides on disk: data is encrypted as it is written to disk and decrypted as it is read back, so the VM (and anything with access to it) sees cleartext, and data in transit or in memory is not covered.

Page 24: CalCloud Infrastructure Disaster Recovery (IDR)

• Tier 1: RTO = 1 hour, RPO = 1 hour
• Tier 2: RTO = 96 hours, RPO = 24 hours
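The BUR tiers on the previous slide and the IDR tiers on this one, as an added Python example that is not part of the presentation or of CalCloud’s portal: it encodes each tier’s RPO, RTO and retention, enumerates which recovery points are still restorable at a given moment (which is where a Tier 1 snapshot silently runs out after 24 hours), and picks the least demanding IDR tier that still meets a workload’s tolerated downtime and data loss. The assumptions are mine, not the slides’: recovery points are taken exactly once per RPO interval on a fixed schedule, retention counts from the moment a point is taken, the higher tier number is the less demanding option, and the dates are constructed.

```python
"""Recovery-objective model for CalCloud Backup and Recovery (BUR) and Infrastructure DR (IDR) tiers.

Added example, not CalCloud's code. Schedule and retention semantics are assumptions (see comments).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BurTier:
    name: str
    rpo: timedelta        # interval between recovery points, hence the worst-case data loss
    retention: timedelta  # how long after it is taken a recovery point stays restorable (assumed semantics)
    restore_unit: str     # what the portal can restore from this tier


@dataclass(frozen=True)
class IdrTier:
    name: str
    rto: timedelta  # time to bring the service back at the recovery site
    rpo: timedelta  # maximum age of the newest data present there


# Values from the slides. Tier 0 (no BUR/IDR) exists in the shopping cart and is omitted here.
BUR_TIERS: Dict[int, BurTier] = {
    1: BurTier("Tier 1 BUR (storage snapshot)", timedelta(hours=1), timedelta(hours=24), "entire VM"),
    2: BurTier("Tier 2 BUR (TSM whole-VM backup)", timedelta(hours=24), timedelta(days=14), "entire VM or single file"),
}
IDR_TIERS: Dict[int, IdrTier] = {
    1: IdrTier("Tier 1 IDR", rto=timedelta(hours=1), rpo=timedelta(hours=1)),
    2: IdrTier("Tier 2 IDR", rto=timedelta(hours=96), rpo=timedelta(hours=24)),
}


def recovery_points(tier: BurTier, first: datetime, now: datetime) -> List[datetime]:
    """Recovery points taken every `tier.rpo` from `first` that are still within retention at `now`.

    Assumes one point per RPO interval on a fixed schedule; a point expires `tier.retention` after it was taken.
    """
    points: List[datetime] = []
    t = first
    while t <= now:
        if now - t <= tier.retention:
            points.append(t)
        t += tier.rpo
    return points


def latest_restorable(tier: BurTier, first: datetime, now: datetime, target: datetime) -> Optional[datetime]:
    """Newest retained recovery point at or before `target`, or None if retention has already dropped it.

    This is the practical caveat of Tier 1: corruption noticed more than 24 hours later has no snapshot left.
    """
    candidates = [p for p in recovery_points(tier, first, now) if p <= target]
    return max(candidates) if candidates else None


def least_demanding_idr_tier(max_downtime: timedelta, max_data_loss: timedelta) -> Optional[int]:
    """Highest-numbered IDR tier whose RTO and RPO both fit the tolerances (None if even Tier 1 does not)."""
    for number in sorted(IDR_TIERS, reverse=True):
        tier = IDR_TIERS[number]
        if tier.rto <= max_downtime and tier.rpo <= max_data_loss:
            return number
    return None


def demo() -> Dict[str, object]:
    """Worked numbers for constructed dates, returned as plain values so they can be checked."""
    first = datetime(2015, 11, 4, 0, 0)  # constructed: first recovery point of a newly provisioned VM
    t1, t2 = BUR_TIERS[1], BUR_TIERS[2]
    now1 = first + timedelta(days=3)
    now2 = first + timedelta(days=30)
    latest = latest_restorable(t1, first, now1, datetime(2015, 11, 6, 12, 30))
    return {
        "tier1_points_restorable": len(recovery_points(t1, first, now1)),  # 25 hourly points within 24 h
        "tier2_points_restorable": len(recovery_points(t2, first, now2)),  # 15 daily points within 14 days
        "tier1_latest_for_11_06_12_30": latest.isoformat() if latest else None,  # 2015-11-06T12:00:00
        "tier1_latest_for_11_05_12_00": latest_restorable(t1, first, now1, datetime(2015, 11, 5, 12, 0)),  # None
        "idr_for_8h_down_24h_loss": least_demanding_idr_tier(timedelta(hours=8), timedelta(hours=24)),  # 1
        "idr_for_5d_down_24h_loss": least_demanding_idr_tier(timedelta(days=5), timedelta(hours=24)),  # 2
        "idr_for_30m_down_1h_loss": least_demanding_idr_tier(timedelta(minutes=30), timedelta(hours=1)),  # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of pairing RPO with retention is visible in the Tier 1 results: hourly snapshots bound data loss to one hour, but a mistake found 36 hours later has nothing to roll back to, which is why a workload that needs a longer look-back also needs Tier 2 regardless of its RPO. Likewise an 8-hour downtime tolerance already rules out Tier 2 IDR (96-hour RTO) even though its 24-hour RPO would be acceptable.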

Page 25: Introducing…

David Langston, Branch Chief, Security Management, California Department of Technology

Page 26: CalCloud Security: General

• Provide services that meet the operational and compliance requirements of the State: SAM/SIMM; NIST; FedRAMP where applicable; other regulatory requirements if/where applicable.
• Ensure that vendors are conforming to best security practice.

Page 27: CalCloud IaaS Security: Goals

• Provide a service that is equally or more secure than that which can be provided with a physical, dedicated infrastructure.
• Support both mission-critical and non-mission-critical systems.
• Provide an infrastructure that can meet the operational and compliance requirements of the State and supported agencies.

Page 28: CalCloud IaaS Security Stack

CalCloud provides a comprehensive and tiered security model.

[Diagram, bottom to top:]
• Base level security profile: The Federal Risk and Authorization Management Program (FedRAMP V2, includes NIST 800-53 Rev 4)
• IBM + California Dept of Technology Security Controls (ISeC, the CalCloud Information Security Controls)
• Hosted inside the California Dept of Technology’s data centers and inside Department of Technology firewall(s)
• Workload-specific security: HIPAA, PCI DSS, IRS 1075, SSA, other

Page 29: CalCloud IaaS Security Controls

• A formal security control program is in place (based on IBM ISeC processes, cloud experience, and FedRAMP V2).
• ~325 FedRAMP controls assessed against 25+ domains.
• Compliance support to other authorities available (infrastructure controls only).
• CalCloud security controls can be shared with customer security personnel under strict controls and agreements.

Page 30: CalCloud IaaS Security Key Elements

• Encrypted Two-Factor Authenticated Sessions
• Cloud Border Security
• Admin Access Only from Territorial U.S.
• Log of All Administrative Actions
• Least Privilege and Separation of Duties Practice
• Data are Property of the State
• Infrastructure Hardening
• Coordinated Security Incident Handling
• Vendor(s) Background Checked
• Encryption at Rest (Option)
• Coordinated Change Control
• Security Awareness Training Including IRS Disclosure
• Strong Tenant Isolation
• Coordinated OS Patching
• No Shared Credentials
• Isolated Security Tiers (network)
• Configuration and Vulnerability Monitoring
• Controlled Administrative Access

Page 31: CalCloud IaaS Security Compliance Status

• CDT “Authorization to Operate” based on FedRAMP v2 signed in Sept 2015.
• Major documents and processes in place:
  • System Security Plan
  • Security Assessment Report
  • POAM tracking process
  • Privacy Threshold and Impact Report
• Annual review process.

Page 32: CalCloud IaaS Security: Then and Now

• FedRAMP program contacted to begin formal recognition.
• Currently, FedRAMP is very Federal Gov’t centric with no State provisions.
• Formal recognition by FedRAMP generally requires a Federal agency sponsor.
• FedRAMP is “interested” in State/Local participation but specifics are not yet determined.
• Likely 18 to 36+ months to work with FedRAMP on a State version of FedRAMP and to obtain formal recognition.

Page 33: CalCloud IaaS Security Dialog: Tenant Space

Page 34: Questions & Answers

Page 35: For more information, visit

marketing.dts.ca.gov/calcloud and
servicecatalog.dts.ca.gov/services/cloud/calcloud/calcloudoverview.html

Thank you for coming!