Draft Recommended Cloud Best Practices

Extended Draft: Government Cloud Best Practices Recommendations

Table of Contents

Introduction
Implementation Best Practices
  1. Design for Future Portability and Interoperability across Multiple Clouds
  2. Define Government Approved Data Interfaces and Formats for Creating, Reading, Updating, Deleting, and Batch Movement of Cloud Data and Documents
  3. Use Emerging Standards (e.g. DMTF’s Open Virtual Format) for Moving VMs between Infrastructure as a Service (IaaS) Clouds
  4. Implement a Federated Authentication Capability across Clouds
  5. Use Portable Tools for Monitoring and Managing Cloud Resources if possible
  6. Develop a Framework for Orchestrating Processes across Multiple Clouds and Enterprise Systems
  7. Choose Non-mission Critical Applications for initial Cloud deployments
Policy Best Practices
  8. Develop an Enterprise Catalog to Enable the Discovery of Existing and Available Cloud Resources
  9. Document Business Use Cases using the Template from the Business Use Case Working Group
  10. Document Standardized Ways of Comparing Cloud Capabilities for Procurements and Cloud Brokers
  11. Use Simulation-based Acquisition for Cloud Solutions if possible
  12. Establish a Data Governance Policy for When and How Specific Types of Data can be Stored on Externally Hosted Clouds
  13. The US Government should work with other Governments and International Organizations to develop Policies and Standards enabling future Interoperability and Portability across Clouds while preserving national security and legal requirements
  14. Maintain Updated Reference Documents including Cloud Standards Catalogs, Reference Architectures, Technology Roadmaps, and Best Practices
Organizational Best Practices
  15. Designate a Government Cloud Standards Group to act as a Liaison between the Government and Cloud Standards Organizations
  16. Create an Inter-agency Cloud Policy, Organization, and Resource Sharing Committee
  17. Create a Cloud Security, Privacy, Auditing, Regulatory Compliance, and Risk Management Group
  18. Create Cloud Procurement Support Group to define SLAs, Contractual Language, and Penalty Enforcement
  19. Create a Cloud Center of Excellence to Provide Technical Guidance to Projects on Emerging Technologies
  20. Create a Cloud Community of Practice Group to Share Experiences and Collect Best Practices
Primary References
Additional References
Guidance References (Patterns)
  Cloud Patterns
  SOA Patterns
  Vendor-Specific Cloud Design Patterns

A. Introduction

The U.S. government has initiated the rapid deployment of Cloud services for internal and public use.
There are many risks associated with a possible lack of interoperability, portability, and proven security for existing Cloud implementations. In the future, emerging standards as documented in the Standards Roadmap document will help solve this problem. While these standards are maturing, best practices can be used to avoid vendor lock-in, Cloud silos, and security gaps.

The purpose of this draft is to list some best practices for Cloud implementation and organizational support based on past experience with similar technologies, e.g. service-oriented architectures. Accompanying each recommendation will be references to the NIST Cloud Synopsis and Recommendations Draft (Draft-NIST-SP 800-146), the NIST Cloud Working Group outputs, and major external documents to provide context. See the Primary References section for references including NIST, US Government, UK Government, Open Data Center Alliance, Cloud Standards Customer Council, and European sources. Associated with each recommendation, there is also suggested support from Cloud Providers and a link to guidance in implementing the recommended best practice. The next step should be to expand and extend the current content to provide detailed guidelines (e.g. patterns) for public sector Cloud Computing.

B. Implementation Best Practices

It is possible to reduce the cost and implementation time for individual projects using Cloud resources. However, best practices for implementation will be needed to ensure that downstream costs for system integration, migration, operations, and maintenance do not overwhelm the advantages of the initial deployment. The general principle is to consider potential future requirements when planning Cloud projects.

1. Design for Future Portability and Interoperability across Multiple Clouds

a) For SaaS, ensure that data, documents, and other resources can be moved in and out of the Cloud using government-approved formats
b) For PaaS, avoid proprietary single Cloud tools and languages for application development, monitoring, and management
c) For IaaS, enable multiple external Clouds to be used for Cloud bursting and hybrid Clouds

These recommendations will probably require the use of adaptors and brokers while standards are emerging.

1.1 References:
• Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 2, 4, 5)
• Draft Cloud Reference Architecture (Slide 23 Cloud Brokers)
• Cloud Synopsis and Recommendations (Suggest Multiple Cloud Extension to Section 9 General Recommendations)
• Federal Cloud Computing Strategy (Section IV. 4 Establishing Cloud Computing Standards)
• UK Government ICT Strategy (Point 33, Point 34 and Point 35)
• TechAmerica’s Cloud2 Buyers Guide (Agency Preparation 2)
• Open Data Center Alliance (Usage: Virtual Machine Interoperability)

1.2 Possible Support from Cloud Providers
a) Support standard well-defined formats for importing and exporting data for SaaS
b) Support application generation from multiple tools and standard models
c) Support standardized VM movement and interfaces between IaaS Clouds and enterprise systems

1.3 Guidance - Choosing delivery models
• Cloud Computing Delivery Models from Technofriend http://m.technofriends.in/2011/03/17/cloud-computing-delivery-models/

1.4 Practical Guide to Cloud Computing (Step 4. Select a Cloud Service Model)

2. Define Government Approved Data Interfaces and Formats for Creating, Reading, Updating, Deleting, and Batch Movement of Cloud Data and Documents

a. Transferring data between Clouds will be necessary for future interoperability and portability. Official standards, e.g. the Storage Networking Industry Association’s (SNIA) Cloud Data Management Interface (CDMI) and the Open Grid Forum’s (OGF) Open Cloud Computing Interface (OCCI), will simplify this transfer in the future. In the short run, the government should define approved interfaces and formats that can migrate to emerging official standards. Adaptors to proprietary Cloud interfaces and formats may be necessary. Cloud providers should be requested to supply these adaptors as part of the procurement process.
b. Contractual agreements should be used to penalize Cloud Providers for failure to support data operations (e.g. data deletion) using government approved data interfaces and formats.

2.1 References:
• Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 3)
• Cloud Synopsis and Recommendations (Section 9.2 Data Governance and 7.5.6 Data Erase Practices)
• Federal Cloud Computing Strategy (Section II. 2 Provisioning Cloud Services Effectively and Section IV. 6 Laying a Solid Governance Foundation)
• UK Government ICT Strategy (Point 39 and Part 3 Action 15)
• TechAmerica’s Cloud2 (Recommendation 10)
• TechAmerica’s Cloud2 Buyers Guide (Agency Preparation 4)

2.2 Possible Support from Cloud Providers
• Support standards for accessing and moving Cloud data and files
2.3 Guidance - Choosing Formats for Moving Data into and out of Clouds
• Linked Data http://en.wikipedia.org/wiki/Linked_Data
• A JSON supporter http://devcentral.f5.com/weblogs/macvittie/archive/2011/04/27/the-stealthy-ascendancy-of-json.aspx

3. Use Emerging Standards (e.g. DMTF’s Open Virtual Format) for Moving VMs between Infrastructure as a Service (IaaS) Clouds

OVF is an ANSI standard that is becoming increasingly mature. See the NIST SAJACC WG’s VM Portability White Paper for a detailed discussion. OVF 1.1 is ANSI INCITS 469-2010 and is being submitted to JTC 1 as a PAS submission. DMTF is engaged in consideration of a subsequent version that may have relevance in the not too distant future.

3.1 References:
• NIST SAJACC WG VM Portability White Paper (http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/SAJACCVMPortability)
• Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 2)
• Cloud Synopsis and Recommendations (7.6 Recommendations for Infrastructure as a Service)
• Federal Cloud Computing Strategy (Section IV. 4 Establishing Cloud Computing Standards)
• Open Data Center Alliance (Usage: Virtual Machine Interoperability)

3.2 Possible Support from Cloud Providers
• Support OVF standards for VM movement between IaaS Clouds

3.3 Guidance - Using Emerging Standards (Standards Roadmap)
• Status update on OCCI and CDMI http://www.ogf.org/SAUCG/materials/2342/Cloud+Standards+Interoperability+-+Status+Update+on+OCCI+and+CDMI+Implementations.pdf
• Cloud Standards advice from David Linthicum http://www.ebizq.net/blogs/cloudsoa/2011/02/the-truth-behind-standards-soa-and-cloud-computing.php
4. Implement a Federated Authentication Capability across Clouds

A federated authentication mechanism will enable more efficient access to multiple Clouds. This could be accomplished by the use of a cloud broker layer or future standards.

4.1 References:
• Cloud Synopsis and Recommendations (Suggest addition to Section 9.3 Security and Reliability)
• Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 6)
• Federal Cloud Computing Strategy (Section IV. 2 Ensuring a Secure, Trustworthy Environment)
• TechAmerica’s Cloud2 Report (Recommendation 2)

4.2 Possible Support from Cloud Providers
• Support common authentication standards (e.g. OpenID).

4.3 Guidance - Choosing a Federated Authentication Capability
• Choosing the Right Federation from GFIPM http://gfipm.net/choosing-the-right-federation.html

5. Use Portable Tools for Monitoring and Managing Cloud Resources if possible

The use of portable tools will facilitate portability across Cloud providers (e.g. IaaS) if it becomes necessary. It will also be useful for multiple Cloud architectures.

5.1 References:
• Cloud Synopsis and Recommendations (Suggest addition to Section 7.6 Recommendations for Infrastructure as a Service)
• Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 4)
• Open Data Center Alliance (Usage: Virtual Machine Interoperability)

5.2 Possible Support from Cloud Providers
• Support common error messages, notifications, and alerts from Cloud applications

5.3 Guidance - Selecting tools for development, deployment, monitoring, and managing Clouds
• How to Select Tools for Managing the Clouds
http://www.cioupdate.com/trends/article.php/3919446/How-to-Select-Tools-to-Manage-the-Cloud.htm

6. Develop a Framework for Orchestrating Processes across Multiple Clouds and Enterprise Systems

One of the most difficult tasks will be orchestrating processes across multiple heterogeneous Clouds, possibly including enterprise systems. A pre-defined framework to support these processes will reduce deployment complexity, cost, and time. The framework should utilize standards when possible. If there are no standards, cloud brokers and adaptors can be used, following government policies to avoid lock-in.

6.1 References:
• Cloud Synopsis and Recommendations (Suggest addition to Section 9 General Recommendations)
• Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 7)

6.2 Possible Support from Cloud Providers
• Develop adaptors to support standardized interfaces to core functionality. Develop Cloud Brokers with standardized interfaces that enable orchestrating processes across multiple Clouds.

6.3 Guidance - Role of Cloud Broker
• Cloud Brokers Presentation http://www.soasymposium.com/home2011/pdf_brazil/Pethuru_Cheliah_and_Zaigham_Mahmood_Cloud_Brokerages.pdf

7. Choose Non-mission Critical Applications for initial Cloud deployments

It is prudent to gain experience and confidence in Cloud resources before migrating mission-critical applications. Some examples include productivity applications (SaaS), test and development (IaaS), offloading high transient processing (IaaS), and hosting Web sites (PaaS or IaaS).

7.1 References:
• Cloud Computing Business Use Case Examples (http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/BusinessUseCases)
• Federal Cloud Computing Strategy (Section II. 1 Selecting Services for Move to the Cloud)
• UK Government ICT Strategy (Part 2 Action 12); see Additional References 5 and 6
• TechAmerica’s Cloud2 Buyers Guide (Agency Preparation 1)

7.2 Possible Support from Cloud Providers
• Create a Maturity Model that will enable customers to determine the type of Cloud deployments that are most suitable based on their current experience and expertise

7.3 Guidance - Choosing the first Cloud Application
• Development and Testing is a good first choice. http://www.cio.com/article/505660/Your_First_Cloud_App_Dev_Test_a_Smart_Choice

7.4 Practical Guide to Cloud Computing (Step 8. Develop a Proof-of-Concept before Moving to Production)

D. Policy Best Practices

The efficient deployment of multiple Cloud Computing solutions across government (or any large enterprise) departments will require a common policy framework to enable future interoperability, portability, reuse of resources, and trusted security.

8. Develop an Enterprise Catalog to Enable the Discovery of Existing and Available Cloud Resources

One of the advantages of Cloud computing is the ability to share resources across projects and agencies. A catalog of existing resources and access procedures will add value and reduce costs as the number of Cloud deployments increases. An “application store” capability can be used to make existing resources available to new projects.
8.1 References:
• Cloud Synopsis and Recommendations (7.4.3 Portability, Interoperability with Legacy Applications)
• Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 8)
• UK Government ICT Strategy (Point 17, Point 31, Part 2 Action 1 and Part 2 Action 14)
• Open Data Center Alliance (Usage: Service Catalog)

8.2 Possible Support from Cloud Providers
• Create and support a standard format for describing Cloud resources in a catalog

8.3 Guidance - Utilization of Existing Resources
• Data Center Consolidation and Cloud Computing Presentation http://www.actgov.org/events/managementofchange/MOC2011/MOC%202011%20Documents%20and%20Presentations/federal%20cloud%20computing%20and%20data%20center%20consolidation.pdf

8.4 Practical Guide to Cloud Computing (Step 6. Integrate with Existing Enterprise Services)

9. Document Business Use Cases using the Template from the Business Use Case Working Group

The Business Use Case Working Group has developed a template for describing Use Cases and used it to document several examples. Employing a standard template will foster a more standardized development process and make it easier to exchange information across projects.

9.1 References:
• Cloud Synopsis and Recommendations (Suggest addition to Section 9 General Recommendations)
• Cloud Computing Business Use Case Template (http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/TemplateCoordinationSG/Cloud_Computing_Business_Use_Case_Template.pdf)
• Federal Cloud Computing Strategy (Section IV. 1 Leveraging Cloud Computing Accelerators)
• TechAmerica’s Cloud2 Buyers Guide (Agency Preparation 3)

9.2 Possible Support from Cloud Providers
• Develop business use case templates in a standard format that can be made available to customers planning Cloud deployments

9.3 Guidance - Determining Benefits
• Open Group Building ROI with Clouds http://www.opengroup.org/cloud/whitepapers/ccroi/roi.htm

9.4 Practical Guide to Cloud Computing (Step 2. Develop Business Justification and a Strategic Plan)

10. Document Standardized Ways of Comparing Cloud Capabilities for Procurements and Cloud Brokers

A standard way of comparing product offerings and prices will be valuable for procurement decisions.

10.1 References:
• Cloud Synopsis and Recommendations (Section 7.4.2 Flexible, Efficient Renting of Computing Hardware and suggest addition to Section 8.3 Economic Goals)
• Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis)
• Federal Cloud Computing Strategy (Section II. 2 Provisioning Cloud Services Effectively and IV. 3 Streamlining Procurement Process)
• TechAmerica’s Cloud2 Buyers Guide (Agency Preparation)
• Open Data Center Alliance (Usage: Standard Units of Measurement for IaaS)

10.2 Possible Support from Cloud Providers
• Create and support a common Cloud capability and pricing description for IaaS resources.

10.3 Guidance - Standards for SLAs
• SLA@SOI publications
http://sla-at-soi.eu/results/publications/

10.4 Practical Guide to Cloud Computing (Step 7. Develop and Manage Service Level Agreements)

11. Use Simulation-based Acquisition for Cloud Solutions if possible

Simulation-based acquisition is a procurement practice that uses simulated test evaluations before finalizing procurement and full scale development. It has been advocated in the past, but in many cases full scale simulation was prohibitively costly in time and resources. Cloud environments for test and evaluation can significantly reduce these costs and enable early simulation-based evaluations of potential Cloud solutions. It is also possible to evaluate Cloud solutions on internal simulation testbeds, e.g. NIST’s Koala.

11.1 References:
• Simulation-based Acquisition Overview from Navy http://nawctsd.navair.navy.mil/Resources/Library/Acqguide/sba.htm
• NIST’s Cloud Simulation Testbed http://www.nist.gov/itl/antd/upload/Koala.pdf
• UK Government ICT Strategy (Point 28)

11.2 Possible Support from Cloud Providers
• Create and make available testbeds to enable customers to evaluate performance and capabilities of planned Cloud deployments.

11.3 Guidance - Implementing Simulation-based Acquisition
• Simulation-based Acquisition Implementation Strategy from NASA http://aeronautics.arc.nasa.gov/assets/pdf/SBAStrategy_Final_w_signatures.pdf

12. Establish a Data Governance Policy for When and How Specific Types of Data can be Stored on Externally Hosted Clouds
Maintaining strict control of critical data is essential for security, privacy, and trusted government operations. A clearly stated policy should be documented and enforced internally and contractually with external resource providers.

12.1 References:
• Cloud Synopsis and Recommendations (9.2 Data Governance)
• Federal Cloud Computing Strategy (Section IV. 2 Ensuring a Secure, Trustworthy Environment and Section IV. 6 Laying a Solid Governance Foundation)
• TechAmerica’s Cloud2 (Recommendation 3)

12.2 Possible Support from Cloud Providers
• Provide customers the ability to audit and evaluate their data management and protection capabilities

12.3 Guidance - Choosing Deployment Models
• Cloud Deployment Options http://www.zlti.com/wp-content/content/docs/Data%20Sheets/ZL%20Cloud%20Deployment%20Schemes.pdf
• Tips for Choosing a Cloud Deployment Model http://kalirajanl.wordpress.com/2011/05/12/tips-for-choosing-the-cloud-deployment-model/

12.4 Practical Guide to Cloud Computing (Step 3. Select a Cloud Deployment Model)

13. The US Government should work with other Governments and International Organizations to develop Policies and Standards enabling future Interoperability and Portability across Clouds while preserving national security and legal requirements

In the future, there will be applications and data that will be shared across international public sector Clouds for multinational collaboration initiatives (e.g. scientific research). It will be necessary to work with other governments and international organizations (e.g. ISO) to ensure that Clouds will support interoperability and portability requirements. This will require coordination at the technical level (e.g. standards) and policy agreements.

13.1 References:
• Cloud Synopsis and Recommendations (8.4.2 Physical Data Location)
• Cloud Standards Roadmap Draft 11 (Annex D Standards Developing Organizations)
• Federal Cloud Computing Strategy (Section IV. 2 Ensuring a Secure, Trustworthy Environment, Section IV. 4 Establishing Cloud Computing Standards, and Section V. 5 Recognizing the International Directions of Cloud Computing)
• UK Government ICT Strategy (Point 40)
• TechAmerica’s Cloud2 Report (Recommendation 1 and Recommendation 8)
• SIENA Roadmap (International Coordination)

13.2 Possible Support from Cloud Providers
• Organize international Cloud provider associations to work with customers in enabling interoperability across national and regional boundaries.

13.3 Guidance - Issues requiring International Agreements
• European Perspective from EC Executive http://blogs.ec.europa.eu/neelie-kroes/public-authorities-and-cloud/

14. Maintain Updated Reference Documents including Cloud Standards Catalogs, Reference Architectures, Technology Roadmaps, and Best Practices

Since Cloud technology and related standards are changing rapidly, it will be necessary to update Cloud information documents periodically during the next few years (e.g. once a year). Experience with specific Cloud tools, services and resources should be captured and made available for future government Cloud projects.

14.1 References:
• NIST Cloud Synopsis and Recommendations
• NIST Cloud Standards Roadmap Draft 11
• Federal Cloud Computing Strategy (Section IV. 4 Establishing Cloud Computing Standards)
• UK Government ICT Strategy (Part 3 Action 21 and Part 3 Action 22)
• SIENA Roadmap (Recommendations)

14.2 Possible Support from Cloud Providers
• Supply accurate information to customers on current technology capabilities and support of standards.

14.3 Guidance - Development of Cloud Roadmaps
• Creating a Cloud Roadmap http://soamag.com/I47/0211-1.php

E. Organizational Best Practices

In order to ensure that best practices are followed, it will be necessary to have a supporting organizational structure. The Cloud organizations can coordinate the sharing of information, resources, and guidelines across agencies and projects. The examples are a logical breakdown of responsibilities which can be allocated to groups chosen by government IT executives. See Federal Cloud Computing Strategy (Section IV. 6 Laying a Solid Governance Foundation).

15. Designate a Government Cloud Standards Group to act as a Liaison between the Government and Cloud Standards Organizations

This Group should have the following responsibilities:
a) Monitor the status of Cloud standards activities
b) Update SAJACC’s Cloud Interface Catalog and the Cloud Standards Roadmap WG’s Cloud Standards Inventory
c) Track the standardization requirements of government Cloud deployments and determine priorities
d) Disseminate information about standards to projects and convey prioritized government standards requirements to standards development organizations
e) Recommend standards to be used on government Cloud deployments
f) Define compliance tests to verify conformance of Cloud resources with standards specifications

Standards that should be monitored include SNIA’s Cloud Data Management Interface (CDMI) and OGF’s Open Cloud Computing Interface (OCCI).

15.1 References:
• Cloud Standards Roadmap Draft 11 (7.2 Standardization Priorities Based on USG Priorities and 8.2 Recommendations for Accelerating the Development and Use of Cloud Computing Standards)
• Cloud Synopsis and Recommendations (8.3.3 Portability of Workloads and 8.3.4 Interoperability between Cloud Providers and Suggest Extension to Section 9 General Recommendations)
• SAJACC Cloud Interface Catalog Draft (http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudInterfaceCatalog)
• UK Government ICT Strategy (Part 2 Action and Point 36)
• Cloud Standards Roadmap WG Cloud Standards Inventory (http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/StandardsInventory)
• SIENA Roadmap (Standards Coordination)

15.2 Possible Support from Cloud Providers
• Participate in or monitor SDO discussions and provide information on plans for supporting future standards. If Cloud resource providers believe that future standards are unnecessary in specific areas, they should explain if and how customers can avoid being locked in to proprietary Cloud products.

15.3 Guidance - Creating a Government Cloud Standards Group
• U.S. NIST Cloud Computing Program http://www.nist.gov/itl/cloud/

16. Create an Inter-agency Cloud Policy, Organization, and Resource Sharing Committee

This Committee should set policies and organizational responsibilities, and maintain a Catalog of government available Cloud resources and access procedures.

16.1 References:
• Cloud Synopsis and Recommendations (Section 9.1 Management)
• UK Government ICT Strategy (Point 32 and Point 59)
• TechAmerica’s Cloud2 Buyers Guide (Best Practices CIO/CISO)

16.2 Possible Support from Cloud Providers
• Support customer policies if possible. Provide specifications and usage descriptions for vendor interfaces.
16.3 Guidance - Cloud Governance and Management
• G-Cloud Service Management, Organization & Governance Approach http://www.cabinetoffice.gov.uk/sites/default/files/resources/06-G-CLOUD-ServiceManagement-OrganisationandGovernance-Approach.pdf

17. Create a Cloud Security, Privacy, Auditing, Regulatory Compliance, and Risk Management Group

This Group should be in charge of ensuring that all Cloud deployments satisfy government security, privacy, auditability, and regulatory compliance rules. It should also issue periodic updates on risks and avoidance recommendations.

17.1 References:
• Cloud Synopsis and Recommendations (Section 8.4 Compliance and Section 8.5 Information Security)
• Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 10)
• Federal Cloud Computing Strategy (Section IV. 2 Ensuring a Secure, Trustworthy Environment)
• UK Government ICT Strategy (Part 3 Action 25)
• TechAmerica’s Cloud2 Report (Recommendation 2, Recommendation 5, Recommendation 6 and Recommendation 9)
• TechAmerica’s Cloud2 Buyers Guide (Agency Preparation 3 and Best Practices CIO/CISO)
• Open Data Center Alliance (Usage: Regulatory Framework, Security Monitoring, and Provider Security Assurance)
• SIENA Roadmap (Recommendations)

17.2 Possible Support from Cloud Providers
• Enable auditing of Clouds to meet regulatory and policy requirements

17.3 Guidance - Evaluating Risks (CSA)
• Top Threats to Cloud Computing from CSA https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf
• Security Guidance from CSA https://cloudsecurityalliance.org/csaguide.pdf

18. Create Cloud Procurement Support Group to define SLAs, Contractual Language, and Penalty Enforcement
This Group should develop government standards for core contractual language in procurements (e.g. service level descriptions) including penalty clauses. Projects should be able to extend and/or modify the core if necessary.

18.1 References:
• Cloud Synopsis and Recommendations (Section 8.2 Cloud Reliability)
• Cloud Standards Roadmap Draft 11 (Section 6.4 Use Case Analysis 9)
• Federal Cloud Computing Strategy (Section II. 2 Provisioning Cloud Services Effectively, Section II. 3 Managing Services rather than Assets and Section IV. 3 Streamlining Procurement Process)
• TechAmerica’s Cloud2 Buyers Guide (Best Practices Acquisition Manager)

18.2 Possible Support from Cloud Providers
• Support standardized SLA descriptions that can be used for evaluating Cloud capabilities

18.3 Guidance - Documenting functional and performance requirements and specifying contract requirements
• Cloud Contract Advice from Law.com, net-security.org, and Bizcloud Network
  http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202476608022&slreturn=1&hbxlogin=1
  http://www.net-security.org/secworld.php?id=11056
  http://bizcloudnetwork.com/cloud-procurement-best-practices-to-reduce-risk-in-cloud-contracts

18.4 Practical Guide to Cloud Computing (Step 7. Develop and Manage Service Level Agreements)

19. Create a Cloud Center of Excellence to Provide Technical Guidance to Projects on Emerging Technologies

The Center of Excellence should consist of Cloud technical experts who can advise projects on emerging Cloud technologies. This group will be necessary due to the rapid growth in Cloud products, services, tools, and open source implementations.
19.1 References:
• Cloud Synopsis and Recommendations (Add to Section 9 General Recommendations)
• UK Government ICT Strategy (Point 19, Point 38, Point 55 and Part 2 Action 11)
• TechAmerica’s Cloud2 (Recommendation 4)
• Open Data Center Alliance (Usage: Input/Output [IO] Controls)

19.2 Possible Support from Cloud Providers
• Provide information on current and future technology capabilities to customer technical staff. Work with customers to perform test evaluations of Cloud capabilities.

19.3 Guidance - Creating a Cloud Computing Center of Excellence
• US Air Force creating Cloud Computing Center of Excellence http://www.cloudcomputingzone.com/2010/05/air-force-to-establish-cloud-computing-research-center-of-excellence/

19.4 Practical Guide to Cloud Computing (Step 5. Determine Who Will Develop, Test and Deploy the Cloud Services)

20. Create a Cloud Community of Practice Group to Share Experiences and Collect Best Practices

The Community of Practice should maintain ongoing discussions with agencies, government Cloud groups, industry, and vendors to determine the status of technology, standards, best practices, and risks. There should be periodic meetings to share this information with groups responsible for planning Cloud deployments.

20.1 References:
• Cloud Synopsis and Recommendations (Add to Section 9 General Recommendations)
• Federal Cloud Computing Strategy (Section III Case Examples to Illustrate Framework)
• Federal Cloud Computing Strategy (Section IV. 1 Leveraging Cloud Computing Accelerators)
• UK Government ICT Strategy (Part 2 Action 3 and Part 2 Action 9)
• TechAmerica’s Cloud2 Report (Recommendation 14)
  • 19. • TechAmerica’s Cloud2 Buyers Guide (Best Practices: Program Manager and Agency Leadership)20.2 Possible Support from Cloud Providers • Provide suggested best practices and industry case studies to help customers planning Cloud deployments..3 Guidance - Creating Communities of Practice • Building Communities of Practice http://www.adb.org/Documents/ Information/Knowledge-Solutions/Building-Communities-Practice.pdf F. Primary References 1. NIST Draft Cloud Computing Synopsis and Recommendations http://csrc.nist.gov/publications/drafts/800-146/Draft-NIST-SP800-146.pdf (See Appendix F NIST Publications for additional security-related documents) 2. NIST Cloud Computing Standards Roadmap Draft http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ StandardsRoadmap/ NIST_CCSRWG_040_4th_Draft_02_16_11_NIST_Cloud_Computing_Standards_Roa dmap.pdf (See Bibliography for multiple external references) 3. Federal Cloud Computing Strategy http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf (See Appendix 2. Agency Resources for Cloud Computing for additional government links) 4. UK Government ICT Strategy http://www.cabinetoffice.gov.uk/resource-library/uk-government-ict-strategy- resources 5. TechAmerica’s Cloud2 Report from the TechAmerica Foundation’s Commission on the Leadership Opportunity in U.S. Deployment of the Cloud http:// www.techamericafoundation.org/content/wp-content/uploads/2011/07/ TechAmerica’s Cloud2.pdf 6. TechAmerica’s Cloud2 Cloud Buyers Guide http://www.cloudbuyersguide.org/the-guide/ 7. Open Data Center Alliance’s Usage Models http://www.opendatacenteralliance.org/publications 19
  • 20. 8. SIENA European Roadmap on Grid and Cloud Standards for e-Science and Beyond http://www.sienainitiative.eu/Repository/FileScaricati/8ee3587a- f255-4e5c-aed4-9c2dc7b626f6.pdf9. Practical Guide to Cloud Computing from the Cloud Standards Customer Council (To be published 4Q 2011)G. Additional References1. Cloud Best Practices Website http://www.cloudbestpractices.info/2. Cloud Interoperability and Best Practices from Computerworld http://www.computerworld.com/s/article/9217158/ Cloud_interoperability_Problems_and_best_practices3. Best Practices for Cloud Computing from Gartner Group http://www.gartner.com/it/page.jsp?id=16899144. Architecting for the Cloud: Best Practices from Amazon http://media.amazonwebservices.com/AWS_Cloud_Best_Practices.pdf5. Summary of Planned Agency Cloud Projects http://www.fiercegovernmentit.com/story/agencies-have-identified-78- services-cloud-migration-says-omb/2011-05-256. Details of Planned Agency Cloud Projects http://assets.fiercemarkets.com/public/sites/govit/ agencieshaveidentifiedsystems.pdf7. Ten Papers on Best Practices in Cloud Computing from 2010 http://www.datacenterknowledge.com/archives/2010/12/16/best-practices- in-cloud-computing-for-2010/8. Cloud Security Alliance Governance, Risk Management And Compliance Stack https://cloudsecurityalliance.org/research/projects/grc-stack/9. G-Cloud Phase 2 Documents from the UK http://www.cabinetoffice.gov.uk/ resource-library/g-cloud-programme-phase-210.An Open Interoperable Cloud (OGF, CDMI, OCCI) http://www.infoq.com/articles/open-interoperable cloud;jsessionid=7EE0D90CD3A4E0968FF5C411C68BAC5911.The Future of Cloud Computing:Opportunities for European Cloud Computing 2010 and Beyond http://cordis.europa.eu/fp7/ict/ssai/docs/cloud-report- final.pdf12.Upcoming international public sector Cloud event http://events.oasis-open.org/home/cloud/2011/about 20
  • 21. 13.Cloud-Standards.org http://cloud-standards.org H. Guidance References (Patterns)Design pattern (computer science) - Wikipedia, the free encyclopediahttp://en.wikipedia.org/wiki/Design_patternCloud Patterns • Many Cloud App Design Patterns http://www.slideshare.net/shl0m0/many-cloud-app-design-datterns • Lockheed Martin Deployment Cloud Design Patterns http://www.slideshare.net/kvjacksn/lockheed-martin-deployment-cloud- design-patterns • Patterns For Cloud Computing http://www.slideshare.net/simonguest/patterns-for-cloud-computing • SOA Design Patterns in the Cloud | SOA World Magazine http://soa.sys-con.com/node/1654420  • Cloud Computing Design Patterns | Bob on Medical Device Software http://rdn-consulting.com/blog/2009/06/28/cloud-computing-design- patterns/ SOA Patterns • SOA Patterns http://www.soapatterns.org/ • SOA Patterns article http://www.soabooks.com/soa_patterns/soa_patterns_article.pdf Vendor-Specific Cloud Design Patterns • Design Patterns in the Windows Azure Platform | Cloud Computing Journal http://cloudcomputing.sys-con.com/node/1627248  • AWS Architecting Cloud Apps - Best Practices and Design Patterns  http://www.slideshare.net/AmazonWebServices/aws-architectingjvariafinal  • VMware: VMware vCloud Blog: Cloud Architecture Patterns: Overview 21
  • 22. http://blogs.vmware.com/vcloud/2010/10/cloud-architecture-patterns- overview.html• Force.com Architecture Design Principles | Force Architects: Delivered Innovation Blog http://forcearchitects.deliveredinnovation.com/2011/03/07/force-com- architecture-design-principles/ • Cloud Computing Patterns, Architectures, and Best Practices from Sun http://wikis.sun.com/display/cloud/Patterns• Design Patterns Conference | Cloud Connect 2011 http://www.cloudconnectevent.com/cloud-computing-conference/design- patterns.php• SOA Design Patterns in the Cloud (Oracle, Amazon) http://srinivasansundararajan.sys-con.com/node/1654420/mobile 22