Lindsay Holmwood - New platform to make delivering and operating digital services easier – cloud.gov.au - GovInnovate 2016

GovInnovate 2016
ICT Reforms – Dealing with the technical and implementation aspects of service delivery


  1. Cloud in government: Risks, myths, and misconceptions. Lindsay Holmwood, Head of Technology, @auxesis, dta.gov.au
  2. Digital Transformation Agency
  3. We're here to make government services simpler, clearer and faster for everyone
  4. 1/ We collaborate with agencies to transform services so that they meet user needs
  5. 2/ We create whole-of-government platforms to support service transformation
  6. 3/ We develop policies and standards to help government transform services consistently
  7. We run EVERYTHING in the cloud
  8. Dev, Staging, QA, Production
  9. ☁ What even is it?
  10. Software, Platform, Infrastructure
  11. Software, Infrastructure, Platform
  12. Software, Infrastructure, Platform. Office365, Google Apps, Salesforce
  13. Software, Infrastructure, Platform. Cloud Foundry, OpenShift, Google App Engine
  14. Software, Platform, Infrastructure. Amazon Web Services, Azure, Google Cloud Platform
  15. ✅ Low barrier of entry; Has an API; Quick to make changes; Scalable, imperceptibly-infinite capacity; Opex
  16. Virtualisation != Cloud
  17. Myths
  18. “We can’t store data securely”
  19. On ASD’s CCSL
  20. Certified services: Compute, Storage, Network
  21. AWS: EBS + EC2 + S3 + VPC. You can run a lot of workloads on this.
  22. ASD acknowledges risks of in-house systems
  23. “Organisations need to perform a risk assessment and implement associated mitigations before using cloud services.”
  24. “Risks vary depending on factors such as the sensitivity and criticality of data to be stored or processed, how the cloud service is implemented and managed, how the organisation intends to use the cloud service, and challenges associated with the organisation performing timely incident detection and response.”
  25. “Organisations need to compare these risks against an objective risk assessment of using in-house computer systems which might: be poorly secured; have inadequate availability; or, be unable to meet modern business requirements.”
  26. Please read: Cloud Computing Security for Tenants http://www.asd.gov.au/publications/protect/Cloud_Computing_Security_for_Tenants.pdf
  27. There are strategies for making data available in the cloud
  28. Columns: id, name, email, medicare. Protected row. ❌ Can’t store this in the cloud
  29. Columns: id, name, email, medicare. Unclassified columns. ✅ Can store this in the cloud
  31. Misconceptions
  32. “We’ll run it like physical infrastructure”
  33. *buy RIs for 3 years*
  34. Yes, you’ll get a cost saving
  35. 👊👊 BUT 👊👊
  36. Value of the cloud is not low cost compute
  37. Value of the cloud is on-tap capacity
  38. We can’t extract this value unless we build and run services like the cloud providers recommend
  39. We have to think differently about our architecture
  40. Buying RIs is a risk if you don’t know your workloads
  41. You don’t know what your workloads are going to be 3 years from now
  42. You might: Optimise your code to run in parallel, across many cheaper instances
  43. You might: Shift your workloads to spot instances, for on-demand calculations
  44. How to control spend:
  45. How to control spend: Start with on-demand instances
  46. How to control spend: Track your spend over multiple months, identify instance types that are constantly used
  47. How to control spend: Then buy RIs for a year
  48. How to control spend: If you’re really keen, go for 3 years
  49. You don’t know what your workloads are going to be 3 years from now
  50. How to control spend: Sell unused RIs on the marketplace
  51. Risks
  52. “Our spend is getting out of control!”
  53. Use sub accounts to segment and control spend
  54. Logically separate services you’re delivering across accounts
  55. See costs in one place
  56. Reduce your cost by buying RIs and using blended rates (*on AWS)
  57. Handy when the service is mogged
  58. Automatically shut down environments every night
  59. Encourages a culture of technical resilience
  60. Better security posture through short lived environments
  61. *attackers are getting faster
  62. “Our stuff is getting hacked!”
  63. We can’t extract this value unless we build and run services like the cloud providers recommend
  64. ✅ Low barrier of entry; Has an API; Quick to make changes; Scalable, imperceptibly-infinite capacity; Opex
  65. Extract maximum value by giving your developers direct access
  66. create & update & destroy
  67. Encourages a culture of technical resilience
  68. Heavily use IAM users, roles, and groups (*on AWS)
  69. 👊👊 BUT 👊👊
  70. Services and data can be accidentally exposed to the world
  71. Regularly & automatically audit exposed services
  72. “We aren’t getting the reliability benefits!”
  73. We can’t extract this value unless we build and run services like the cloud providers recommend
  74. Build highly reliable systems from unreliable components
  75. Use autoscaling groups heavily (*on AWS)
  76. Pre-bake your applications into images
  79. Build a strong continuous delivery capability
  80. Traditional delivery: deploy to production (Manual), acceptance tests (Manual), integrate (Manual), unit tests (Auto), code done
  81. Continuous Delivery: deploy to production (Manual), acceptance tests (Auto), integrate (Auto), unit tests (Auto), code done
  82. Continuous Deployment: deploy to production (Auto), acceptance tests (Auto), integrate (Auto), unit tests (Auto), code done
  83. Everything goes to production through the pipeline
  84. GOV.AU deploys over time (chart; x-axis dates 2015-10-29 to 2015-11-29, y-axis 0 to 150)
  85. non-event
  86. smoke tests, acceptance tests, integrate, code done, environment change, deploy to production, build images
  87. Satisfy regulatory requirements more easily
  88. Get scalability for free
  89. Diagram labels: ASG, environment, application, image, instance (five), ELB
  90. Heavily restrict automation’s access with IAM (*on AWS)
  91. Ship all logs off site
  92. Check out Packer & Terraform
  93. Case study: cloud.gov.au outage
  95. 4 minutes
  96. 12 minutes
  97. 0
  98. The system self-healed
  99. Took longer than if we were building against one cloud
  100. It’s a tradeoff we’re willing to accept for multi-cloud capability
  101. Principles are the same
  102. The opportunity is immense
  103. doing the right thing easy
  104. people are dear
  105. Cloud eliminates classes of problems
  106. Cloud frees up your the bigger picture
  107. help org learn
  108. Australia can become the best in the world at delivering clearer, simpler, faster government services.
  109. Thank you! ❤ @auxesis @DTO
