Federal CIO: Cloud Selection Toolkit

Georgetown University: Chris Radich, Dana Christiansen, Doyle Zhang, India Donald


Agenda

• Project Introduction

• Agency Cloud Challenges

• Toolkit Solution Overview

▫ Step 1: Data Gathering

▫ Step 2: Cloud Readiness Assessment

▫ Step 3: Vendor Selection

▫ Step 4: Preparing for Change and Risks

• Conclusion


Project Introduction

• Gartner defines cloud computing as "a style of computing where scalable and elastic IT-related capabilities are provided 'as a service' to customers using Internet technologies."

• For cloud computing to be successful, organizations require a thorough and rigorous adoption strategy:

▫ One that takes into account the risks and reaps the rewards

▫ Ad hoc methods result in increased risk, expenditures and liability


Cloud Computing Service Models

[Diagram: service layers labeled Infrastructure as a Service, Business Services, Information Services, Software as a Service, Platform as a Service and Cloud Enablers; associated labels: Data Center, Middleware, BPO, Packaged Apps, Information Feeds]

The provider optimizes everything below the service boundary, and hides complexity from the consumer.

The consumer accesses, configures and/or extends the service and builds everything needed above the service boundary — or just uses the service.


Agency Cloud Challenges

• Funding for restructuring costs

▫ No cost savings realized until 2nd year of cloud projects

• Rebalance IT workforce and skill levels

• FISMA compliance and C&A contract vehicles

• Agencies must avoid compliance mode

▫ Three annual moves to Commercial or Gov’t clouds

▫ Use the 25 Point Plan as an opportunity to strategically plan for future IT success

Federal CIO Cloud Selection Toolkit will alleviate political pressures and reduce complexity of “cloud investment decisions”


Toolkit Solution Overview

Develop a rigorous methodology to:

• Identify potential agency cloud candidates

• Determine cloud costs and ROI

• Determine impacts to the organization

• Identify and vet cloud providers

• Identify business impacts and risks

• Mitigate residual risks


Business Impact Determines Cloud Investment Decisions

[Figure: 2x2 matrix. Axes: Challenges (Low & Manageable; High or Unmanageable) and Benefit (High & Clear; Low or Uncertain). Quadrant labels: Avoid, Embrace, Public, Experiment, Consider, Private.]


Step 1: Data Gathering

• Architecture

• Work Load


Step 1: Data Gathering

• Technology

▫ OS, DB, Application stack vendor (include licensing cost based on model)

▫ Load balancing between private and public cloud or disparate public clouds

▫ Integration of KPIs of app running on cloud with existing monitoring tools

▫ Solution type: transactional, reporting, analytic, etc.

▫ Release cycle for app

• Organization

▫ # of users

▫ # of sites

▫ # of vendors (contracted)

▫ # of business units impacted

▫ # of people impacted


Step 1: Data Gathering

• Security, Privacy & Compliance

▫ Identity & Access Management of users in cloud

▫ Cost to implement new controls (i.e. encryption)

▫ Cost to maintain existing controls (include: log monitoring, access monitoring, forensic evidence preservation, separation of duties, patching, etc.)

• Demographics

▫ # of components

▫ # of environments

▫ # of servers

▫ # of releases per year

▫ # of codes maintained

▫ # of programming languages

▫ # of COTS apps


Step 1: Data Gathering

• Operations

▫ % annual budget spent on software maintenance & training

▫ Cost/revenue impact

▫ Mission criticality

▫ # of trouble tickets

▫ # defects outstanding (include average severity of defects outstanding)

• End user/Business user Requirements

▫ Latency to connect to app

▫ Frequency of information accessed

▫ SLA requirements on availability & support


Step 2: Cloud Readiness Assessment

The Assessment phase includes conducting a current state analysis, requirements definition, and developing a vision. This phase will further refine and confirm the legacy system can benefit from the joint service offering.

Phases: Current State Assessments, Requirements Definition, Define Vision

Key Activities

• Understand legacy system current technical environment

• Understand legacy system operational environment

• Assess the fit of product offering

• Assess organization data compliance and security needs.

• Assess organization current IT infrastructure for continuity and application interdependencies.

• Assess current organization risk tolerance and resource constraints.

• Interview key stakeholders

• Conduct requirements definition workshop

• Validate requirements

• Develop Requirements Document

• Define compliance and security needs for new solution.

• Define Goals

• Define short term and long term vision

• Define level of migration to the new solution.

Key Deliverables

• Current state Document

• Requirements Document

• Scope Statement

• Vision Document

[Process flow labels: Current state IT assessment; Current state Financial assessment; Current state Operational assessment; Requirements Definition; Client Go / No-Go]


Step 2: Cloud Readiness Assessment

Assessment Approach

• Current State IT Assessment: Current Legacy System IT Infrastructure; Current Organization Risk Tolerance; Current Organization Resource Constraints

• Technical Requirements: Application Complexity; Network Bandwidth; Infrastructure Requirements; Virtualization Candidate; Infrastructure Specialization

• Business Requirements: Application Criticality; User Impact; Service Level Requirements; Internal / External Facing; Security Concerns

• Future State Analysis: Cost Benefit Analysis; Transition Costs; Operating Model Implications; Management Considerations

• Cloud Solution: Private; Public; Community; Hybrid

Agencies must meet assessment criteria at each step prior to passing on to the next; in some cases technical and business requirements may be evaluated concurrently. Agencies will be given a scorecard for each criterion (red/yellow/green).

Even within each area, failure to meet fundamental evaluation criteria would mean that the application is not suitable for cloud at this time.

Agency applications exhibit the following attributes and will be assessed accordingly:

- Low or moderate application criticality

- Minimal to some interdependencies on other apps / data

- Uses commodity hardware

- Bandwidth requirements

- Standalone environments or software stack

- Does not depend on specialized appliances

- Low / moderate SLA requirements

- No confidential data or data can be easily masked


Step 2: Cloud Readiness Assessment

Cloud Assessment Criteria

Levels: Level 1: Current State Assessment; Level 2: Determine Suitability for Cloud; Level 3: Business Case and Operational Analysis

Criteria and Explanation (Red/Yellow/Green)

• Legacy System Criticality: Defined by business for production environments,

• Legacy System Complexity: Architecture complexity, dependencies on other applications, databases, middleware

• Virtualization Candidate: Can the workload be virtualized? This depends on the platform OS and virtualization platform

• Commodity Infrastructure: Workload runs on commodity infrastructure

Technical Feasibility (Red/Yellow/Green)

• Network Bandwidth: LAN or WAN network bandwidth requirements when workload would run in the cloud

• Infrastructure Requirements: The scale of requirements for compute, storage and network to support workload

• Shared Environments: Types that would be supported by a shared environment

• Shared Software: Software (e.g., databases, middleware) shared with other software

• Specialized Infrastructure: Dependency on special purpose proprietary appliances, devices, license, hardware, etc.

Business Feasibility (Red/Yellow/Green)

• Internal / External Facing: Does the system provide a customer facing service or back office function (e.g., HR)?

• User Impact: Impact on the user community due to move of workload to cloud (e.g., lack of access to a subset of users)

• Service Level Requirements: Availability, response time, Recoverability, Disaster Recovery, etc.

• Customer / Confidential Data: Does the provider location or other characteristics of the cloud service meet the security requirements of how and where data needs to be stored?

• Business Case Analysis: Cost / benefit analysis, including initial and migration costs, on-going costs and ROI timeframe

• Detailed Technical Analysis: What changes will be required for the application? What will the future application architecture look like?

• Operational Analysis: What is the operational impact due to the workload moving to cloud? What is support model after workload is moved to cloud? What is provider vs. client responsibility and hand-offs?

• Management Considerations: How is the workload managed in the cloud? E.g., using internal and vendor provided tools, processes, and staff

• Go / No-Go: Based on Assessment Scorecard


Step 2: Cloud Readiness Assessment

Cloud Assessment Decision Matrix

[Scorecard grid: columns Red, Yellow, Green, Go/No-Go Decision; rows Level 1: Current State Assessment, Level 2: Technical Feasibility, Level 3: Business Feasibility, Go / No Go Decision]

• Red: at most 1 Red rating across all categories is acceptable for an Agency Go into the cloud solution; otherwise No Go.

• Yellow: at most 2 Yellow ratings across all categories are acceptable for an Agency Go into the cloud solution; otherwise No Go.

• Green: at least 2 Green ratings across all categories are required for an Agency Go into the cloud solution; otherwise No Go.


Step 3: Vendor Selection

1. Create a Detailed RFI/RFP

2. Review RFI/RFP Responses:

• Any vendor that cannot meet service requirements should be removed from consideration

• May discover that no vendor can meet requirements:

▫ Service is cloud-ready, but cloud is not ready for the Service

▫ Reassess requirements or maintain services internally


Step 3: Vendor Selection Criteria


Step 3: Vendor Selection

3. Select vendor and devise migration plan:

• Some vendors may not respond to RFQ:

▫ Cloud model is pay-as-you-go; vendors may not negotiate

• Once vendor is selected, initiate migration planning, and add to cloud adoption road map


Step 4: Change and Risk Management

RISK ASSESSMENT MATRIX

IMPACT (rows) vs. PROBABILITY (columns: Low, Medium, High)

• High impact: L, M, H

• Medium impact: L, M, M

• Low impact: L, L, L

RISK LEVEL: RISK DESCRIPTION & NECESSARY ACTIONS

• High: If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures.

• Medium: If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.

• Low: If an observation is described as low risk, determine whether corrective actions are still required or decide to accept the risk.


Step 4: Change and Risk Management

Risk (Risk Level): Mitigation

• Costs (H): Maintain strict budget; clearly communicate requirements & needs to vendor

• Privacy (M): Establish authentication & access control procedures; implement data encryption

• Integrity (H): Establish incident response program; implement security & configuration best practices

• Compliance (L): Perform vulnerability scanning; audit controls

• Availability (M): Establish security & disaster recovery processes & procedures


Step 4: Change and Risk Management

Change Management

Phased Approach

Transparency

Leadership

Education


Next Steps

Develop detailed business case, gain OMB and Agency approval

Upon approval, develop detailed transition plan

Measure project execution and monitor SLAs / contract performance


Conclusion

Successful transformation begins with strategic selection of cloud deployments

Moving away from ad-hoc selection ensures alignment with solutions and reduction of risk

The proper portfolio of cloud projects increases the project success rate

Disciplined and repeatable selection drives rapid cloud adoption and increased success rates
