What should go to the Cloud and When. What should NOT go to the Cloud and Why

Size: px

Start display at page:

Download "What should go to the Cloud and When. What should NOT go to the Cloud and Why"

Tyler Potter
10 years ago
Views:

1 What should go to the Cloud and When What should NOT go to the Cloud and Why

2 Cloud a New Business Model for IT delivery in Federal Programmatic approach to Cloud Security (FedRAMP, DISA SRG) Cloud Service Providers have built and had their infrastructure audited (via a 3PAO) to the required baselines Now possible to deliver some IT workloads from the Cloud The Question is Which IT workloads? The answer is different for each agency (or company) Civilian agencies follow the FedRAMP baseline (moderate systems = 325 baseline security controls from NIST SP v4) DoD agencies based on DoD Impact Levels

3 DoD Impact Levels Originally 6 levels, there are now 4 (level 1 was moved into 2, and level 3 was moved into 4) Impact Level-2 = uncontrolled Unclass information (public facing information) Impact Level-4 = Controlled Unclass information PII, PHI, mission sensitive Impact Level-5 = Unclass National Security Systems Impact Level-6 = information upto Secret level DoD Cloud Service Provider requirements begin with FedRAMP Impact Level-2 requires FedRAMP Impact Levels 4, 5, 6 require FedRAMP + All FedRAMP controls PLUS additional security controls for the specific Impact Level plus any additional controls required of the mission

4 Responsibilities of Agencies/Missions Use Cloud Services for IT Delivery when: It is mission-effective and It is cost-effective Only use approved FedRAMP or DISA Cloud Service Providers Those with FedRAMP/DISA P-ATO (Provisional Authority To Operate) In DoD cloud service must be approved to appropriate Impact Level Perform a security controls gap analysis to determine if a given application/service requires additional security controls beyond those accounted for in the FedRAMP and FedRAMP + baselines. Grant an ATO to the Cloud Service Provider if appropriate

5 Typical Data Center, all IT services delivered on premise from the data center, important to know the TCO for this model Existing Apps/infrastructure New IT initiative Typical Data Centers Retired infrastructure now Test/Dev

6 Challenges with TCO calculations in agencies Primary measures: Cloud should be used when it s the most missioneffective and cost-effective means of IT delivery Determining the most cost-effective business model means knowing what it costs you (the agency), to deliver an IT service Can be difficult for agencies to determine their TCO because TCO calculations can span multiple budgets in Federal In Federal the infrastructure, network and facilities can all be different budget owners A net spending increase in one area could bring big savings in another so TCO is really important

7 Cloud brings New Possibilities for IT delivery AWS Azure VMware Existing Apps/infrastructure New IT initiative Retired Infrastructure Test/Dev

8 Cloud is a new Business Model Of your current IT, what could be more cost effective and/or efficient if delivered from a Cloud provider? Which is the best Cloud provider for a given IT app/service? AWS Azure VMware

9 How we determine what should or should not be delivered from a Cloud provider Some things to review: Characteristics of the application App cloud ready? Existing investment been realized? Licensing issues? (processor based) Data transfer Dependent systems First inspect each IT workload through a Business lens 3 Outputs List of workloads that should NOT go to the Cloud List of workloads that can not go to the Cloud now, but could be made to List of workloads that should be considered for delivery from a Cloud provider

10 Next review the Cloud ready list from the business review through a Security lens Review System Security Plans Compare against FedRAMP controls Determine if security control gaps can be accommodated by one or more CSPs Review first through a business lens and then through a security lens because the security review is tedious, specific and very important. It requires a very specific skill set. 3 Outputs List of IT Workloads that should NOT go to any Cloud provider List of IT workloads that can not currently go to any Cloud provider but could be made to List of IT workloads that CAN go to a Cloud provider Mission Effective

11 Review the Cloud candidate list to determine which Cloud service provider would be best for a given IT service. Determine if it is cost-effective to deliver that IT service from a Cloud Provider AWS Azure VMware Although each Cloud Provider builds their infrastructure to the same FedRAMP/DISA security controls, how they deliver services and how they charge for services can differ greatly

12 Final Points: Utilize Cloud when mission-effective and cost-effective Cloud is not the best delivery model for everything The cost of Cloud and the savings from Cloud can span multiple budgets so TCO is important A cost in one budget activity can lead to tremendous savings in a different budget activity Business considerations and security considerations, rule an IT app/service in or out as a cloud candidate first from business standpoint, then from a security standpoint Determine the best approved Cloud Provider for your particular needs/workloads What is best for one agency, could be very wrong for another

13 Thank You!

DISA releases updated DoD Cloud Requirements What are the impacts? James Leach January 2015

DISA releases updated DoD Cloud Requirements What are the impacts? James Leach January 2015 New leadership breeds new policies and different approaches to a more rapid adoption of cloud services for the