Shared Services Canada and Cloud Computing
Architecture Framework Advisory Committee
Transformation, Service Strategy and Design
December 17, 2012
Agenda

Time          Topic                                                  Presenter(s)
9:00-9:15     Opening Remarks and Objective                          B. Long, Chair
9:15-9:55     Shared Services Canada and Cloud Computing             J. Danek, P. Littlefield
              - SSC's Role in Cloud Computing
              - Opportunities and Challenges
9:55-10:05    Health Break
10:05-11:50   Open Discussion on Cloud Computing                     J. Danek, P. Littlefield
              - Basics of Cloud Computing
              - Getting to the Next Level
11:50-12:00   Timeline and Next Meeting: January 28, 2013 (9:00-12:00)   All
AFAC Forward Agenda (Oct 2012 to May 2013)

Topics:
- Transformation Overview
- DCC and Telecom P2P
- Constraints, Dependencies, and Risks
- Architectural Framework
- P2P
- Cloud Computing / Platforms (Jan 28; finalize for ITIR)
- Identity, Credential and Access Management* (finalize for ITIR)
- Converged Communications (Voice, Video, Data)*

Assumptions:
- * only for discussion purposes
- The advisory committee meets every 4-6 weeks and has a core group of members from the ICT industry and SSC.
- The advisory committee would have a minimum of two meetings to develop a product for consideration by the IT Infrastructure Roundtable, and one meeting to finalize the product before presentation to the IT Infrastructure Roundtable.
AFAC Forward Agenda: Next Meeting

Proposed topics:
- Implementation Approach & Priorities (Best Practice)
- Security Reference Architecture (NIST presentation)
- Service Level Definitions & Taxonomy (NIST presentation)
- Cloud Service Broker Roles & Responsibilities
- Service Modeling Standards
Context for Cloud Computing

SSC Mandate: consolidating data centres and their computing/storage platforms
- Large (> 5000 sq. ft.): 22
- Medium (1000-4999 sq. ft.): 65
- Small (100-999 sq. ft.): 386
- Other server locations: 2747

Objective: build and buy Infrastructure as a Service and Platform as a Service
- If building: Community Cloud (e.g. GC SSC private cloud)
- If buying: e.g. Private or Hybrid Cloud; Public Cloud (e.g. GC public-facing web presence)
SSC Core Mandate w/r TBS Profile of IT Services
- Standard service categories for management and accounting
- One of the outcomes of the IT Expenditure Review Program (ERP)
- To ensure accurate accounting and reporting on IT expenditure
- Appropriated for these services to SSC and 43 Government of Canada departments/agencies
ICT Deployment Models and Evolving Degrees of Accountabilities

[Diagram: three stacks, one each for Infrastructure as a Service, Platform as a Service and Software as a Service (non Dept/Agency program applications). Each stack shows the layers Applications, Runtimes, Security & Integration, DBMS (Databases), Servers, Virtualization, Server HW, Storage and Network, with each layer marked as either "CIO managed" or "Managed by Shared Services"; the share managed by Shared Services grows from IaaS to PaaS to SaaS.]
SSC Consuming Cloud Services

[Diagram: SSC employees and contractors with Protected B access, on GCnet, consuming GC cloud computing services. Services shown: GC-SRA, CWA, B2B, GC-WiFi, Domino R8, GC-LAN, ILMS, GEDS, STSI, Desktop.]

Note: final decisions on email services are pending completion of the procurement process.
GC Cloud Conceptual

- Public Cloud (GCnet-I*Net): e.g. some public-facing GC presence; e.g. limited development/test capacity
- External Community Cloud: e.g. CANARIE
- Hybrid Cloud (GCnet over Secured Internet): secured extension of GCnet to vendor; vendor-provided cloud services to the GC
- Non-SSC Private Cloud
- Community Cloud (GCnet): internal services for the GC community; SSC-provided cloud services to the GC; secured perimeter; multi-domain (Protected B to Secret)

[Diagram labels: GCnet, GCnet Remote Access, Internet, GCTravel, Canada.gc.ca, Pay, GEDS, Collab, Jobs, MySchool, GCDocs, Pension, Mail & Messaging, Intranet sites, GCdrive, Public-facing web sites, Free/Busy, Mobile Integration, Directory.]
Cloud Computing: Defining Shared Services Canada's Role

Should internal Private Cloud and external Cloud services be defined by the same Service Architecture?

Reference architecture roles (as in the NIST Cloud Computing Reference Architecture listed in the annex):
- Cloud Consumer
- Cloud Auditor: Security Audit; Privacy Impact Audit; Performance Audit
- Cloud Provider:
  - Cloud Orchestration: Service Layer; Resource Abstraction and Control Layer; Physical Resource Layer (Hardware, Facility)
  - Cloud Service Management: Business Support; Provisioning/Configuration; Portability/Interoperability
  - Cross-cutting concerns: Security, Privacy, etc.
- Cloud Carrier
- Cloud Broker: Service Intermediation; Service Aggregation; Service Arbitrage

- SSC could be the Cloud Broker and could also be a Cloud Provider
- Some private cloud services could be provided by SSC; this would be the Community Cloud
- The Cloud Broker would ensure multi-vendor management
Cloud Computing: Opportunities and Challenges

Opportunities:
- On-demand self-service (V storage)
- Ubiquitous network access; community cloud (CWA, GCDocs)
- Resource pooling (location independence, homogeneity); hybrid cloud (STSI)
- Rapid elasticity
- Measured service
- Private clouds: DCC and Telecommunications consolidations

Challenges:
- Data sovereignty, privacy and security: data in motion, data processing and data at rest
- Connecting resources across clouds and customer premises
- Managing identity, federation, and access control
- Isolating tenants in a multi-tenancy environment
- Extending on-premises security & operations management practices to the cloud
- Latency and other performance-related considerations
- Network capacity and capability
Cloud Computing: Basics

Specific Area of Focus          What We Think We Know                                   Other
Service Framework Architecture  NIST Framework                                          Are there other frameworks that NIST doesn't incorporate that we should consider?
Service Models                  GSM, UML, SOMA                                          Are there any other standard service modeling tools that we should consider?
Security                        SSC Security Domains and Zones Architecture;            Are there any other security frameworks that are not incorporated?
                                CSEC ITSG-33; NIST Security RA
Getting to Next Level           Detailed component service architectures;               Any other considerations?
                                Agreement on security framework & process
Next Steps                      Do we need working groups? Governance structure?        Other next steps?
Preliminary Sample GC Service Architecture

Data Centre Services View:
- Illustrates [service-type icons not extracted] Services
- Services can service Users, or other Services
- Services can be accessed internally or externally
- Internal services are on the DC LAN
- External services are accessed via the I-Net Gate and the Net ISP
- This service model is described in detail in GSM*

[Diagram labels: DCS, CRM, .Net, Cloud, LAN, Email, Java, Oracle, Net ISP1, x86, I-Net Gate, MyKey, SEC1 Firewall, Load Bal, z/OS, Store1, Cloud Brokerage Services (Broker1, Broker2, Broker3), DC LAN, Directory, ETI, USD5, SEC2 IDS/IPS, Unix Sm, x86 Linux, DB2, Store2, Store Archive, Unix Large.]

*GSM - Generic Service Model: a generic framework for describing a Service in terms of its systematic hierarchy of related service objects.
Preliminary GC Sample Service Architecture

[Diagram: SSC Data Centre with Cloud Security Services, Cloud Brokerage Services and Mid-Range Platform Services. Labels: DCS; Cloud2, Cloud3 and Cloud4, each with Linux, Unix, LAN and Mgmt.; Net ISP1; I-Net Gate; MyKey; SEC1 Firewall; SEC2 IDS/IPS; z/OS; Broker1, Broker2, Broker3; DC LAN; Directory; Unix, Windows, Linux; Store1, Store2, Storage Archive; Load Bal.]

*GSM - Generic Service Model: a generic framework for describing a Service in terms of its systematic hierarchy of related service objects.
Cloud Computing Model: United Kingdom

Should SSC start as the UK did with the Broker Functions/?

[Diagram: reference architecture with ICAM (MyKey); Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Provider (Service Layer; Resource Abstraction and Control Layer; Physical Resource Layer: Hardware, Facility; Cloud Service Management: Business Support, Provisioning/Configuration, Portability/Interoperability; Security; Privacy); Cloud Broker (Apps Store): Service Intermediation, Service Aggregation, Service Arbitrage; Network.]

UK approach:
- Apps Store deployment
- Manage deployments
- Manage SLAs across a multi-service-provider environment
Cloud Computing Model: United States

Should SSC start as the U.S. did with ?

[Diagram: reference architecture with Cloud Provider (Service Layer; Resource Abstraction and Control Layer; Physical Resource Layer: Hardware, Facility; Cloud Service Management: Business Support, Provisioning/Configuration, Portability/Interoperability; Security; Privacy); Network.]

U.S. approach:
- Cloud First policy
- FedRAMP: procurement and security certification
- Start with deployment
- Cloud Service Management per vendor
- ICAM in place, but not leveraged

Other international examples?
For Discussion: Challenges Revisited

Requirements:
- Connecting resources across clouds and vendor premises
- Managing identity, federation, and access control
- Isolating tenants in a multi-tenancy environment (GC as one tenant)
- Extending on-premises security & operations management practices to the cloud
- Latency and other performance-related considerations
- Network capacity and capability

1. How should SSC address these challenges?
2. What architectural artefacts and supports are required to support SSC leveraging cloud services going forward?
3. What criteria should SSC use to decide which services would be best for cloud service models?
Timeline

December 17, 2012:
- GCCC architectures thoroughly discussed with AFAC members

January 28, 2013:
- Revised GCCC architectures: feedback incorporated
- Platform strategy thoroughly discussed

February 2013:
- Revised GCCC architectures endorsed by AFAC
- Platform strategy: feedback incorporated

March 2013:
- Revised GCCC platform endorsed by AFAC
- ICAM strategy thoroughly discussed, with feedback
Annex
Cloud Computing Advance Reading Material
1. SSC Cloud Computing Vision
2. Security Domains & Zones Architecture
3. Security Domains & Zones Implementation Guidelines
4. Management Zone Implementation Guidelines
5. NIST Foundational Documents on Cloud Computing

SSC will incorporate all input from AFAC members and release final versions to the industry.
Cloud Standards Bodies
- Many standards bodies
- NIST is among the most mature and most often referenced
- NIST is open / public-sector aligned
- Cloud Security Alliance (CSA) is among the most mature regarding a security framework
- NIST has incorporated CSA's framework in its Security Framework
- Are there Canadian considerations?
Foundational Documents on Cloud Computing
- NIST - Definition of Cloud Computing, SP 800-145: http://csrc.nist.gov/publications/nistpubs/800-145/sp800-145.pdf
- NIST - Cloud Computing Standards Roadmap, SP 500-291
- NIST - Cloud Computing Reference Architecture, SP 500-292
- NIST - USG Cloud Computing Technology Roadmap, SP 500-293: http://www.nist.gov/itl/cloud/upload/sp_500_293_volumeI-2.pdf
- NIST - Cloud Computing Security Reference Architecture (TBA Jan. 2013): http://www.nist.gov/manuscriptpublicationsearch.cfm?pub_id=909024 and http://collaborate.nist.gov/twiki-cloudcomputing/bin/view/cloudcomputing/cloudsecurity
- NIST - Cloud Computing Service Levels (TBA Feb. 2013)
- CSA TCI Reference Architecture: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/tci-Reference-Architecture-v1.1.pdf
- NIST Current Status Presentation (Dec. 2012): docbox.etsi.org/workshop/2012/201212.../nist_bohn.pd