Federal CIO: Cloud Selection Toolkit. Georgetown University: Chris Radich Dana Christiansen Doyle Zhang India Donald




Agenda
- Project Introduction
- Agency Cloud Challenges
- Toolkit Solution Overview
- Step 1: Data Gathering
- Step 2: Cloud Readiness Assessment
- Step 3: Vendor Selection
- Step 4: Preparing for Change and Risks
- Conclusion

Project Introduction
Gartner defines cloud computing as "a style of computing where scalable and elastic IT-related capabilities are provided 'as a service' to customers using Internet technologies."
For cloud computing to be successful, organizations require a thorough and rigorous adoption strategy:
- One that takes into account the risks and reaps the rewards
- Ad hoc methods result in increased risk, expenditures and liability

Cloud Computing Service Models
Labels from the slide's layered diagram: Data Center, Infrastructure as a Service, Middleware, Platform as a Service, Packaged Apps, Software as a Service, BPO, Business Services, Information Feeds, Information Services, Cloud Enablers.
The provider optimizes everything below the service boundary and hides complexity from the consumer. The consumer accesses, configures and/or extends the service and builds everything needed above the service boundary, or just uses the service.

Agency Cloud Challenges
- Funding for restructuring costs: no cost savings are realized until the 2nd year of cloud projects
- Rebalance IT workforce and skill levels
- FISMA compliance and C&A contract vehicles: agencies must avoid "compliance mode"
- Three annual moves to commercial or Gov't clouds: use the 25 Point Plan as an opportunity to strategically plan for future IT success
- The Federal CIO Cloud Selection Toolkit will alleviate political pressures and reduce the complexity of cloud investment decisions

Toolkit Solution Overview
Develop a rigorous methodology to:
- Identify potential agency cloud candidates
- Determine cloud costs and ROI
- Determine impacts to the organization
- Identify and vet cloud providers
- Identify business impacts and risks
- Mitigate residual risks

Business Impact Determines Cloud Investment Decisions (2x2 matrix: benefit vs. challenges)

                              Challenges: High or Unmanageable | Challenges: Low & Manageable
Benefit: High & Clear         Consider Private                 | Embrace Public
Benefit: Low or Uncertain     Avoid                            | Experiment

Step 1: Data Gathering
Architecture
- Centralized, distributed, localized, etc.
- Patterns:
  - If legacy app: cost to move to cloud
  - If new app: integration requirements and cost to integrate with another app
  - Elasticity support: are new tools required to support it?
Work Load
- Average work load requirements: CPUs, memory, storage, bandwidth, etc.
- Peak work load requirements: variance of CPU, memory, storage, bandwidth, time duration of sustaining peak loads, etc.

Step 1: Data Gathering
Technology
- OS, DB, application stack vendor: include licensing cost based on model
- Load balancing between private and public cloud, or between disparate public clouds
- Integration of KPIs of the app running in the cloud with existing monitoring tools
- Solution type: transactional, reporting, analytic, etc.
- Release cycle for the app
Organization
- # of users
- # of sites
- # of vendors (contracted)
- # of business units impacted
- # of people impacted

Step 1: Data Gathering
Security, Privacy & Compliance
- Identity & access management of users in the cloud
- Cost to implement new controls (e.g., encryption)
- Cost to maintain existing controls; include log monitoring, access monitoring, forensic evidence preservation, separation of duties, patching, etc.
Demographics
- # of components
- # of environments
- # of servers
- # of releases per year
- # of code bases maintained
- # of programming languages
- # of COTS apps

Step 1: Data Gathering
Operations
- % of annual budget spent on software maintenance & training
- Cost/revenue impact
- Mission criticality
- # of trouble tickets
- # of defects outstanding; include average severity of defects outstanding
End User / Business User Requirements
- Latency to connect to the app
- Frequency of information accessed
- SLA requirements on availability & support

Step 2: Cloud Readiness Assessment
The Assessment phase includes conducting a current state analysis, requirements definition, and developing a vision. This phase will further refine and confirm that the legacy system can benefit from the joint service offering.
Phases: Current State Assessments -> Requirements Definition -> Define Vision -> Client Go/No-Go

Key Activities
Current State Assessments:
- Current state IT assessment
- Current state financial assessment
- Current state operational assessment
- Understand the legacy system's current technical environment
- Understand the legacy system's operational environment
- Assess the fit of the product offering
- Assess organization data compliance and security needs
- Assess the organization's current IT infrastructure for continuity and application interdependencies
Requirements Definition:
- Interview key stakeholders
- Conduct requirements definition workshop
- Validate requirements
- Develop Requirements Document
- Define compliance and security needs for the new solution
Define Vision:
- Define goals
- Define short term and long term vision
- Define level of migration to the new solution
- Assess current organization risk tolerance and resource constraints

Key Deliverables
- Current State Document
- Requirements Document
- Scope Statement
- Vision Document

Step 2: Cloud Readiness Assessment
Assessment Approach
Current State IT Assessment:
- Current legacy system IT infrastructure
- Current organization risk tolerance
- Current organization resource constraints
Technical Requirements:
- Application complexity
- Network bandwidth
- Infrastructure requirements
- Virtualization candidate
- Infrastructure specialization
Business Requirements:
- Application criticality
- User impact
- Service level requirements
- Internal / external facing
- Security concerns
Future State Analysis:
- Cost benefit analysis
- Transition costs
- Operating model implications
- Management considerations
Cloud Solution: Private, Community, Public, Hybrid

Agencies must meet the assessment criteria at each step prior to passing on to the next; in some cases technical and business requirements may be evaluated concurrently. Agencies will be given a scorecard rating (red/yellow/green) for each criterion. Even within each area, failure to meet a fundamental evaluation criterion means the application is not suitable for cloud at this time.
Agency applications exhibit the following attributes and will be assessed accordingly:
- Low or moderate application criticality
- Minimal to some interdependencies on other apps / data
- Uses commodity hardware
- Bandwidth requirements
- Standalone environments or software stack
- Does not depend on specialized appliances
- Low / moderate SLA requirements
- No confidential data, or data can be easily masked

Step 2: Cloud Readiness Assessment
Cloud Assessment Criteria (each criterion rated Red/Yellow/Green)

Level 1: Current State Assessment Criteria
- Legacy System Criticality: defined by the business for production environments
- Legacy System Complexity: architecture complexity; dependencies on other applications, databases, middleware
- Virtualization Candidate: can the workload be virtualized? This depends on the platform OS and the virtualization platform
- Commodity Infrastructure: workload runs on commodity infrastructure

Level 2: Determine Suitability for Cloud
Technical Feasibility:
- Network Bandwidth: LAN or WAN network bandwidth requirements when the workload runs in the cloud
- Infrastructure Requirements: the scale of compute, storage and network required to support the workload
- Shared Environments: environment types that would be supported by a shared environment
- Shared Software: software (e.g., databases, middleware) shared with other software
- Specialized Infrastructure: dependency on special-purpose proprietary appliances, devices, licenses, hardware, etc.
Business Feasibility:
- Internal / External Facing: does the system provide a customer-facing service or a back-office function (e.g., HR)?
- User Impact: impact on the user community due to moving the workload to the cloud (e.g., lack of access for a subset of users)
- Service Level Requirements: availability, response time, recoverability, disaster recovery, etc.
- Customer / Confidential Data: does the provider location or other characteristics of the cloud service meet the security requirements for how and where data needs to be stored?

Level 3: Business Case and Operational Analysis
- Business Case Analysis: cost / benefit analysis, including initial and migration costs, on-going costs and ROI timeframe
- Detailed Technical Analysis: what changes will be required for the application? What will the future application architecture look like?
- Operational Analysis: what is the operational impact of the workload moving to the cloud? What is the support model after the workload is moved? What are the provider vs. client responsibilities and hand-offs?
- Management Considerations: how is the workload managed in the cloud? E.g., using internal and vendor-provided tools, processes, and staff

Go/No-Go based on the assessment scorecard.

Step 2: Cloud Readiness Assessment
Cloud Assessment Decision Matrix
Level 1: Current State Assessment -> Level 2: Technical Feasibility -> Level 3: Business Feasibility -> Go / No-Go Decision (ratings: Red / Yellow / Green)
- Acceptable quantity of Red ratings across all categories: at most 1 red rating for an Agency Go into the cloud solution, otherwise No-Go.
- Acceptable quantity of Yellow ratings across all categories: at most 2 yellow ratings for an Agency Go into the cloud solution, otherwise No-Go.
- Acceptable quantity of Green ratings across all categories: at least 2 green ratings for an Agency Go into the cloud solution, otherwise No-Go.
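The decision matrix above can be applied mechanically once the scorecard exists. The following is an added example (not code from the Georgetown toolkit or the Federal CIO deck) that evaluates a scorecard against the thresholds exactly as the slide states them: at most 1 Red, at most 2 Yellow and at least 2 Green. It assumes that the three levels are gated in order, as the earlier "must meet assessment criteria at each step prior to passing on to the next" slide describes, so the thresholds are applied per level and assessment stops at the first level that fails; whether the deck intends per-level or overall counting is not stated, so that is this example's reading. The criterion names come from the Level 1/2/3 criteria slide; the ratings in the sample scorecard are constructed.

```python
from collections import Counter

# Thresholds as stated on the decision-matrix slide.
MAX_RED = 1
MAX_YELLOW = 2
MIN_GREEN = 2
RATINGS = ("red", "yellow", "green")

# Constructed sample scorecard: an ordered list of (level, {criterion: rating}).
# Criterion names follow the deck's assessment-criteria slide; ratings are made up.
SAMPLE_SCORECARD = [
    ("Level 1: Current State Assessment", {
        "Legacy System Criticality": "green",
        "Legacy System Complexity": "yellow",
        "Virtualization Candidate": "green",
        "Commodity Infrastructure": "green",
    }),
    ("Level 2: Determine Suitability for Cloud", {
        "Network Bandwidth": "green",
        "Infrastructure Requirements": "yellow",
        "Shared Environments": "green",
        "Shared Software": "green",
        "Specialized Infrastructure": "red",
        "Internal / External Facing": "green",
        "User Impact": "yellow",
        "Service Level Requirements": "green",
        "Customer / Confidential Data": "green",
    }),
    ("Level 3: Business Case and Operational Analysis", {
        "Business Case Analysis": "green",
        "Detailed Technical Analysis": "red",
        "Operational Analysis": "red",
        "Management Considerations": "yellow",
    }),
]


def count_ratings(criteria):
    """Tally red/yellow/green for one level, rejecting any rating outside the scale."""
    counts = Counter()
    for criterion, rating in criteria.items():
        value = rating.strip().lower()
        if value not in RATINGS:
            raise ValueError(f"{criterion!r}: unknown rating {rating!r}")
        counts[value] += 1
    return counts


def level_decision(criteria):
    """Apply the slide's three thresholds to one level's ratings."""
    counts = count_ratings(criteria)
    passed = (
        counts["red"] <= MAX_RED
        and counts["yellow"] <= MAX_YELLOW
        and counts["green"] >= MIN_GREEN
    )
    return "Go" if passed else "No-Go"


def assess(scorecard):
    """Walk the levels in order (assumed gating); stop at the first No-Go.

    Returns (overall decision, blocking level or None, per-level report).
    The report lists the Red criteria so the agency knows what blocked it.
    """
    report = []
    for level, criteria in scorecard:
        decision = level_decision(criteria)
        reds = sorted(c for c, r in criteria.items() if r.strip().lower() == "red")
        report.append({"level": level, "decision": decision, "red_criteria": reds})
        if decision == "No-Go":
            return "No-Go", level, report
    return "Go", None, report


if __name__ == "__main__":
    decision, blocking, report = assess(SAMPLE_SCORECARD)
    for row in report:
        print(f"{row['level']}: {row['decision']}  red={row['red_criteria']}")
    print(f"Overall: {decision}" + (f" (blocked at {blocking})" if blocking else ""))
```

Running the sample passes Levels 1 and 2 (one Red and two Yellows at Level 2 is still within the thresholds) and stops at Level 3, where two Red ratings exceed the limit; the report names the two blocking criteria, which is the information the "Go/No-Go based on assessment scorecard" step needs to feed back into the business case.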

Step 3: Vendor Selection
1. Create a detailed RFI/RFP
2. Review RFI/RFP responses:
   - Any vendor that cannot meet service requirements should be removed from consideration
   - You may discover that no vendor can meet the requirements: the service is cloud-ready, but the cloud is not ready for the service
   - Reassess requirements or maintain services internally

Step 3: Vendor Selection Criteria

Step 3: Vendor Selection
3. Select vendor and devise migration plan:
   - Some vendors may not respond to the RFQ: the cloud model is pay-as-you-go, and vendors may not negotiate
   - Once a vendor is selected, initiate migration planning and add the project to the cloud adoption road map

Step 4: Change and Risk Management
RISK ASSESSMENT MATRIX (risk level = probability x impact)

Probability \ Impact    Low    Medium    High
High                    L      M         H
Medium                  L      M         M
Low                     L      L         L

RISK LEVEL: RISK DESCRIPTION & NECESSARY ACTIONS
- High: if an observation or finding is evaluated as high risk, there is a strong need for corrective measures.
- Medium: if an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
- Low: if an observation is described as low risk, determine whether corrective actions are still required or decide to accept the risk.

Step 4: Change and Risk Management

Risk            Risk Level
Costs           H
Privacy         M
Integrity       H
Compliance      L
Availability    M

Mitigation
- Maintain strict budget
- Clearly communicate requirements & needs to vendor
- Establish authentication & access control procedures
- Implement data encryption
- Establish incident response program
- Implement security & configuration best practices
- Perform vulnerability scanning
- Audit controls
- Establish security & disaster recovery processes & procedures

Step 4: Change and Risk Management
Phased Approach
- Education
- Change Management
- Transparency
- Leadership

Next Steps
- Develop detailed business case; gain OMB and Agency approval
- Upon approval, develop detailed transition plan
- Measure project execution and monitor SLAs / contract performance

Conclusion
- Disciplined and repeatable selection drives rapid cloud adoption and increased success rates
- Successful transformation begins with strategic selection of cloud deployments
- Moving away from ad-hoc selection ensures alignment with solutions and reduction of risk
- The proper portfolio of cloud projects increases the project success rate

References
- Heiser, Jay, and Mark Nicolett. "Assessing the Security Risks of Cloud Computing." Gartner, Inc., 3 June 2008. Web. 26 July 2011. <http://my.gartner.com/portal/server.pt?open=512>.
- "HP and Deloitte Alliance - Federal Market Offering Overview." Cloud Computing Forecasting Change. HP and Deloitte, 1 Apr. 2011. Web. 10 July 2011. <https://kx.deloitteresources.com/g1000/lists/publishedcontent/dispform.aspx?id=107489&Source>.
- Jackson, Chris. "Implementing a Decision Framework for Cloud Migration." Cloud Computing in Healthcare Conference, 21 June 2011. Web. 1 Aug. 2011. <http://www.iibig.com/conferences/t1101/t1101_images/presentations/chrisjackson_04.50.pdf>.
- Reeves, Drue. "Building a Solid Cloud Adoption Strategy: Success by Design." Gartner, Inc., 19 May 2010. Web. 1 Aug. 2011. <http://my.gartner.com/portal/server.pt?open=512>.
- Stoneburner, Gary, Alice Goguen, and Alexis Feringa. "Risk Management Guide for Information Technology Systems." NIST Special Publication 800-30, 1 July 2002. Web. 19 July 2011. <http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf>.
- "Top Threats to Cloud Computing V1.0." Cloud Security Alliance, 1 Mar. 2010. Web. 20 July 2011. <https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf>.