Ssc cloud computing vision afac dec17 12 final english


Published on

Shared Services Canada and Cloud Computing. Slide Deck from the SSC Architecture Framework Advisory Committee

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Ssc cloud computing vision afac dec17 12 final english

  1. 1. Shared Services Canada and Cloud Computing Architecture Framework Advisory CommitteeTransformation, Service Strategy and DesignDecember 17, 2012
  2. 2. Agenda TOPICS PRESENTER(S)9:00 – 9:15 Opening Remarks and Objective B. Long, Chair9:15 – 9:55 Shared Services Canada and Cloud J. Danek Computing P. Littlefield •SSC’s Role in Cloud Computing •Opportunities and Challenges9:55 – Health Break10:0510:05 – Open Discussion on Cloud Computing All11:50 • Basics of Cloud Computing • Getting to the Next Level11:50 – Timeline and Next Meeting January 28, 201312:00 (9:00 – 12:00) 2
  3. 3. AFAC Forward Agenda Oct Nov Dec Jan Feb Mar 2013 Apr 2013 May 2013 2012 2012 2012 2013 2013Transformation  OverviewDCC and Telecom  P2P Constraints, Dependencies, and RisksArchitectural  Framework P2P FinalizeCloud Computing/  Jan 28 for ITIRPlatformsIdentity, Credential Finalizeand Access X X for ITIRManagement*ConvergedCommunications X X(Voice, Video, Data)*Assumptions: * only for discussion purposes; Advisory committee meets every 4-6 weeks and has core group of membersfrom ICT industry and SSC. Advisory committee would have minimum of two meetings to develop product for consideration byIT Infrastructure Roundtable and one meeting to finalize product before presentation to IT Infrastructure Roundtable. 3
  4. 4. AFAC Forward Agenda: Next Meeting PROPOSED TOPICSImplementation Approach & Priorities (Best Practice)Security Reference ArchitectureNIST PresentationService Level Definitions & TaxonomyNIST PresentationCloud Service Broker Roles & ResponsibilitiesService Modeling Standards 4
  5. 5. Context For Cloud Computing• SSC Mandate  Consolidating data centres and their computing/storage platforms − Large (> 5000 sq.ft.) – 22 − Medium (1000 - 4999 sq.ft.) – 65 − Small (100 - 999 sq.ft.) – 386 − Other server locations – 2747• Objective  Build and Buy Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) – If building IaaS and PaaS  Community Cloud (e.g. GC SSC private cloud) – If buying IaaS and PaaS  e.g. Private or Hybrid Cloud  Public cloud (e.g. GC public facing web presence) 5
  6. 6. SSC Core Mandate w/r TBS Profile of IT Services • Standard service categories for management and accounting • One of the outcomes of IT Expenditure Review Program (ERP) • To ensure accurate accounting and reporting on IT expenditure • Appropriated for these services to SSC and 43 Government of Canada departments/agencies 6
  7. 7. ICT Deployment Models and EvolvingDegrees of Accountabilities IaaS PaaS SaaS managed CIO Applications Applications Applications CIO managed Runtimes Runtimes Runtimes Managed by Shared Services Managed by Shared Services Security & Integration Security & Integration Security & Integration•IaaS: DBMS DBMS DatabasesInfrastructure as a Service Managed by Shared Services Servers Servers Servers•PaaS: Virtualization Virtualization VirtualizationPlatform as a Service Server HW Server HW Server HW•SaaS:Software as a Service (non Storage Storage StorageDept/Agency program Network Network NetworkApplications) 7
  8. 8. SSC Consuming Cloud Services SSC Employees & Protected “B” GCnet GC Cloud Computing Contractors with GC-SRA B2B CWA GC-WiFi Domino R8 GC-LAN ILMS GEDS STSI Desktop 8Note – final decisions on email services pending completion of procurement process
  9. 9. GC Cloud Conceptual Internet Public-facing web sitesPublic Cloud (GCnet-I*Net) Remote• e.g. Some public-facing GC Access presence GCTravel• e.g. Limited Development / Test capacity GCnet External Community Cloud Pay GEDS e.g. CANARIE Collab Jobs MySchool GCDocs Pension Mail & Messaging Intranet sites GCdrive Hybrid Cloud (GCnet over Secured Internet) Free / Busy Mobile Integration • Secured extension of Directory GCnet to vendor • Vendor-provided cloud GCnet services to the GC Community Cloud (GCnet) • Internal services for GC community • SSC-provided cloud services to the GC • Secured perimeter Non-SSC Private Cloud • Multi-Domain (Protected-B to Secret) 9
  10. 10. Cloud Computing: Defining Shared ServicesCanada’s RoleInternal Private Cloud and External Cloud services should be definedby the same Service Architecture? • SSC could be the Cloud Provider Cloud Broker Cloud Broker and Cloud Orchestration Cloud Consumer Service Layer could also be a Cloud Cloud Service SaaS SaaS Management Service Provider Intermediation PaaS PaaS Cloud Auditor Business Support • Some private cloud IaaS IaaS Security Audit Service services could be Aggregation Resource Abstraction and Provisioning / provided by SSC Control Layer Configuration Privacy Impact Audit Physical Resource Layer Portability Service Arbitrage • This would be the Hardware Performance /Interoperability “Community Cloud” Audit Facility • The Cloud Broker Cloud Carrier would ensure multi- vendor management Cross Cutting Concerns: Security, Privacy, etc. 10
  11. 11. Cloud Computing: Opportunities andChallengesOpportunities Challenges • On-demand self service • Connecting resources across clouds  V storage and customer premises • Managing identity, federation, and • Ubiquitous network access access control  Community cloud (CWA, GCDocs) • Isolating tenants in a multi-tenancy • Resource pooling (location environment independence, homogeneity) • Extending on-premises security & operations management practices to  Hybrid cloud - STSI the cloud • Rapid elasticity • Latency and other performance- • Measured service related considerations • Network capacity and capability • Private clouds  DCC and Telecommunications consolidations • Data sovereignty, privacy and security  Data in motion, data processing and data at rest 11
  12. 12. Cloud Computing: BasicsSpecific Areas of Focus What We Think We Know OtherService Framework  NIST Framework Are there other frameworks that NIST doesn’t incorporate thatArchitecture we should consider?Service Models  GSM Are there any other standard  UML service modeling tools that we  SOMA should consider?Security SSC Security Domains and Zones Are there any other security Architecture frameworks that are not  CSEC ITSG33 incorporated?  NIST Security RAGetting to Next Level • Detailed component service Any other considerations? architectures • Agreement on security framework & processNext Steps • Do we need working groups? Other next steps? Governance structure? 12
  13. 13. Preliminary Sample GC Service Architecture DCS • Data Centre Services View • Illustrates IaaS, PaaS, & SaaS Services • Services can service Users, or other ServicesSaaS SaaS • Services can be accessed internally or externallyCloud1 Cloud1 CRM Email • Internal services are on the DC LAN IaaS • External Services are accessed via the I-Net Gate and Cloud PaaS LAN PaaS the Net ISP IaaS Cloud1Cloud1 .Net Java • This service model is described in detail in GSM* PaaS IaaS Cloud Brokerage ServicesCloud1 Cloud1Oracle x86 SaaS PaaS PaaS PaaS SaaS PaaS IaaS PaaS SaaS SaaS SaaS IaaS MyKey SEC1 Directory ETI ETI Load Bal z/OS Store1 Broker1 Broker2 Broker3 ETI Firewall IaaS Net IaaS ISP1 IaaS DC LAN I-Net Gate PaaS IaaS SaaS IaaS IaaS PaaS PaaS PaaS PaaS IaaS IaaS IaaS USD5 SEC2 Unix ETI x86 Linux .Net Java Oracle DB2 Store1 Store2 Store IDS/IPS Sm Archive IaaS Unix Large *GSM - Generic Service Model, A generic framework for describing a Service in terms of its systematic hierarchy of related service objects. 13
  14. 14. Preliminary GC Sample Service Architecture DCS IaaS SaaS IaaS SaaS IaaS SaaS IaaS SaaS Cloud1 Cloud1 Cloud2 Cloud2 Cloud3 Cloud3 Cloud4 Cloud4 Linux IaaS Mgmt. Linux IaaS Mgmt. Linux IaaS Mgmt. Linux IaaS Mgmt. Cloud1 Cloud2 Cloud3 Cloud4 IaaS LAN IaaS LAN IaaS LAN IaaS LAN Cloud1 Cloud2 Cloud1 Cloud1 Unix Unix Unix Unix IaaS Net ISP1 SSC Data Centre Cloud Brokerage Services Cloud Security Services SaaS PaaS PaaS SEC2 IaaS SaaS SaaS SaaS IaaS MyKey SEC1 IDS/IPS z/OS Broker1 Broker2 Broker3 I-Net Firewall Gate IaaS DC LAN PaaS IaaS IaaS IaaS IaaS IaaS IaaS PaaS Unix Windows Linux Store1 Store2 Storage Load Bal Directory Archive Mid-Range Platform Services*GSM - Generic Service Model, A generic framework for describing a Service in terms of its systematic hierarchy of related service objects. 14
  15. 15. Cloud Computing Model: United KingdomShould SSC start as the UK did with the Broker Functions/SaaS? Cloud Provider ICAM Cloud Broker (Apps Store) • Apps Store Service Layer SaaS SaaS SaaS SaaS MyKey SaaS Cloud Service SaaS Management • SaaS deployment Service PaaS Intermediation PaaS SaaS SaaS SaaS Business SaaSCloud Auditor IaaS Support IaaS Security Privacy Security Audit Service Aggregation • Manage deployments ResourcePaaS PaaS and Abstraction Control Layer Provisioning / SaaS SaaS SaaS Configuration SaaS Privacy IaaS IaaS Physical Resource Layer Impact Audit Portability Service Arbitrage • Manage SLAs across a Hardware PaaS Performance PaaS SaaS SaaS /Interoperability SaaS multi-service provider Facility SaaS Audit IaaS IaaS environment Network 15
  16. 16. Cloud Computing Model: United StatesShould SSC start as the U.S. did with IaaS? • “Cloud First” policy Cloud Provider Service Layer • FedRamp / Procurement IaaS IaaS SaaS Cloud Service Management and security certification IaaS IaaSPaaS Business • Start with IaaS IaaS Support deployment Security IaaS Privacy Resource Abstraction and Control Layer Provisioning / • Cloud Service Configuration Physical Resource Layer Management per vendor Hardware Portability /Interoperability • ICAM in place, but not Facility leveraged • Other International Network examples? 16
  17. 17. For Discussion: Challenges Revisited –Requirements• Connecting resources across clouds and vendor premises• Managing identity, federation, and access control• Isolating tenants in a multi-tenancy environment• Extending on-premises security & operations management practices to the cloud• GC as one tenant• Latency and other performance-related considerations• Network capacity and capability 1. How should SSC address these challenges? 2. What architectural artefacts and supports are required to support SSC leveraging cloud services going forward? 3. What criteria should SSC use to decide which services would be best for cloud service models? 17
  18. 18. Timeline December 17, 2012 January 28, 2013 February 2013 March 2013 GCCC  Revised GCCC  Revised GCCC  Revised GCCC Architectures architectures architectures Platform thoroughly feedback endorsed by endorsed by discussed with Incorporated AFAC AFAC AFAC members  Platform  Platform  ICAM strategy strategy strategy - thoroughly thoroughly feedback discussed with discussed incorporated feedback 18
  19. 19. Annex 19
  20. 20. Cloud Computing Advance Reading Material1. SSC Cloud Computing Vision2. Security Domains & Zones Architecture3. Security Domains & Zones Implementation Guidelines4. Management Zone Implementation Guidelines5. NIST Foundational Documents on Cloud Computing SSC will incorporate all input from AFAC members and release final versions to the industry 20
  21. 21. Cloud Standards Bodies • Many standards bodies • NIST is among the most mature and most often referenced • NIST is open / public sector aligned • Cloud Security Alliance (CSA) among most mature re security framework • NIST has incorporated CSA’s framework in their Security Framework • Are there Canadian considerations? 21
  22. 22. Foundational Documents on CloudComputing NIST - Definition of Cloud NIST - Cloud Computing NIST - Cloud Computing Computing Standards Roadmap Reference Architecture SP-800-145 SP-500-291 SP-500-292 s/800-145/SP800-145.pdf publication- search.cfm?pub_id=909024 NIST - USG Cloud Computing NIST – Cloud Computing NIST - Cloud Computing Technology Roadmap Security Reference Service Levels SP-500-293 Architecture (TBA Jan.13) (TBA Feb. 13) 500_293_volumeI-2.pdf computing/bin/view/CloudComputing/Clou dSecurity CSA – TCI Reference NIST Current Status Presentation (Dec.12) Architecture content/uploads/2011/10/TCI- Reference-Architecture-v1.1.pdf 22