Knowledge. Advice. Clarity. Presented by DLT Solutions Discover how the public sector can leverage cloud computing to draw better efficiencies within the IT environment. Written with contributions by David Blankenhorn, Van Ristau and Caron Beesley
Cloud computing is a global phenomenon. Its promise of rapid procurement of information technology (IT) services, scaled up or down as needed and released when finished, is like a magic potion for public sector CIOs and program managers looking to save money and improve service delivery. The problem is that cloud computing is so new that very few individuals or organizations have enough experience or insight into cloud deployments or know how to put them in place. This guide will explain the basics of cloud enabling technologies and will help you determine the best cloud fit for your needs. We ll also touch on some of the pros, cons, and cautions that you should bear in mind as you seek to deploy cloud computing in your government agency or organization. Understand what solutions actually make up cloud computing. Discover how the public sector can leverage cloud computing to draw better efficiencies within the IT environment Find out more about cost savings, consolidation and modernization of legacy operations and the major benefits of moving to cloud-based solutions. Cloud computing can be a difficult technology to envision and the same solution doesn t work for every agency. DLT Solutions understands that and it is the reason why we have gathered a team of experienced engineers The DLT Cloud Advisory Group to help. Whether you are in the beginning stage of cloud computing or getting serious about your implementation, the DLT Cloud Advisory Group can provide the knowledge, advice, and resources you need to shape a cloud environment that meets your current mandates. Contact us at 1-855-cloud01 or cloud@dlt.com
Knowledge. Advice. Clarity. Presented by DLT Solutions
Copyright Cloud Computing for Govies Published by DLT Solutions, LLC 13861 Sunrise Valley Drive, Ste 400 Herndon, VA 20171 www.dlt.com Copyright 2015 by DLT Solutions, LLC, Herndon, Virginia All Rights Reserved. This publication may not be modified, copied, distributed, framed, reproduced, republished, displayed, posted, transmitted, or sold in any form or by any means, in whole or in part, without prior written permission from DLT Solutions, LLC. DLT Solutions and for Govies are trademarks of DLT Solutions, LLC and may not be used without written permission. All other trademarks, logos or product references are the property of their respective owners. DLT Solutions, LLC and the authors make no representations or warranties with respect to the accuracy or completeness of the contents of this work. The information, services, products, and materials referenced in this book or available through our services, including, without limitation, all text, graphics, and links, are provided on an as is basis. The advice and strategies contained herein may not be suitable for every situation. This publication or subsequent variations are not for sale. Organizations or websites referred to in this work as a citation and/or a potential source of further information does not mean that DLT Solutions, LLC or the authors endorse the information that the organization or website may provide or recommendations it may make. Further, readers should be aware that internet websites listed in this work may have changed or disappeared between when this work was written and when it is read. For general information about products and services, please contact DLT Solutions at 800-262-4DLT (4358) or at sales@dlt.com. Manufactured in the United States of America
Table Of Contents Chapter 1 - An Introduction to Cloud Computing... Page 1 - The Origins of the Cloud - What About Virtualization? - The Cloud Defined - A Few Points to Consider Before Journeying to the Cloud Chapter 2 Cloud Service Models: Software as a Service (SaaS)... Page 15 - How SaaS Differs from PaaS and IaaS - Examples of SaaS Applications - The Pros and Cons of SaaS - Cautions and Considerations Chapter 3 Cloud Service Models: Infrastructure as a Service (IaaS)... Page 27 - What Problems does IaaS Solve? - Should I Go Public or Private? - The Pros and Cons of IaaS - Cautions and Considerations Chapter 4 Cloud Service Models: Platform as a Service (PaaS)... Page 39 - What Problems does PaaS Solve? - The Typical Features of a PaaS Service - The Pros and Cons of PaaS - Cautions and Considerations Chapter 5 Securing the Cloud... Page 47 - Current Data Center Models: It s All Inside - The Public Cloud Who is Responsible for What? - Cloud Threats and How to Combat Them - Balance Security Controls with Acceptable Risk Chapter 6 Final Thoughts - A Path to the Cloud... Page 63 - Top 5 Takeaways - Key Words and Terms - Useful References
1 Chapter 1 An Introduction to Cloud Computing Learn about: The Origins of the Cloud What about Virtualization? The Cloud Defined A Few Points to Consider Before Journeying to the Cloud By way of an introduction to cloud computing, this chapter focuses on how we got to where we are today. We ll cover the drivers for cloud computing, why virtualization is a cloud-enabling technology, and what that means with respect to the various cloud definitions. We ll also examine what you should look for in a cloud offering and take a high level peek at how you might use the main cloud service models (SaaS, PaaS, and IaaS) to achieve your goals. All organizations have different challenges and cautions when it comes to cloud computing. This guide outlines some of the most prevalent concerns and suggests ways in which you can account for them prior to leveraging the cloud. Primary Cloud Service Models SaaS - Software-as-a- Service: Access and use third-party applications, such as e-mail and collaboration, running on a provider-managed cloud infrastructure. PaaS - Platform-as-a- Service: Deploy your own applications onto a provider-managed cloud infrastructure using programming languages and tools supported by that provider. IaaS - Infrastructure-as-a- Service: Provision and control your own processing, storage, networks, and other fundamental computing resources while deploying operating systems and applications on a provider-managed cloud infrastructure.
2 An Introduction to Cloud Computing The Origins of the Cloud How did we get where we are today? Well, the evolution of cloud computing wasn t really planned. Early versions of what we now know of as enterprise IT came about in the 1960s and 1970s, with the advent of mainframe data centers privileged inner-sanctum communities that served organizations on a job-by-job basis. By the early-1980s a new individual freedom was born in the form of personal computers, which became the tool of choice for knowledge workers. Next, we saw the still ubiquitous client-server model, which connects server-hosted applications via a Local Area Network (LAN) to client PCs. The client-server model had the unintended side effect of driving an unfortunate behavior that exists in many data centers today the-one-server-perapplication, or one-server-per-function model. Over the past five to ten years, this client-server model quickly scaled and evolved into complex data centers engineered to handle large amounts of Internet-enabled data on behalf of private and public sector enterprises. Given this data center culture, why does cloud computing seem so appealing? Slowly but surely, several limitations in the client-server model have become apparent and are now top of mind for government CIOs: 1. Complexity and Cost a. Data centers are labor-intensive operations that often lack standardization. The resulting complexity continuously pushes up training and maintenance costs. b. As the demand for more IT services grows, more applications and infrastructure are needed to support it. c. The capital cost of application licenses and hardware refreshes have increased. d. Energy costs have soared while server and storage utilization levels remain low. 2. Multiplicity of Data Centers While geographically-dispersed data centers add a layer of redundancy and application resiliency, multiple data centers are costly to maintain. These data centers often only support a couple of email servers, a file server, and many applications yet the labor and support footprint is high, while server utilization is low.
An Introduction to Cloud Computing 3 3. IT Project Disappointments Approximately half of the IT projects that are undertaken within most organizations will fail or under-deliver on their objectives. In 2013, for example, after six months of high-profile experimentation San Jose State University dismissed plans to deliver a low-cost, online education system. Many more IT projects either fail or are never really utilized to the level of expectation that the funders and originators had in mind. 4. The Need for Agility IT is being increasingly pressured to do more with less. As if that weren t a significant enough challenge, they are also tasked with being better aligned with the agency mission, and to react more quickly to the needs of end users and staff. The old method of acquiring and deploying hardware and software assets is not agile enough to respond quickly to new business needs. What about Virtualization? In addition to the aforementioned drivers, new virtualization technologies entered the IT scene. This new technology allowed IT to begin breaking down the one-server-per-application mode of thinking by allowing disparate applications to peacefully co-exist on the same physical server. Virtualization has also been a great enabler of cloud computing and is one of the underlying technologies used in building clouds. In fact, so inextricably linked have the terms virtualization and cloud computing become, that it is a common misperception that you can t have one without the other. However, it s important to note that virtualization is a means to an end; it is not the end itself. Virtualization in a Nutshell In simplest terms, virtualization is an abstraction of the infrastructure from its physical components be it servers, storage, or network. From a business perspective, virtualization allows for the consolidation of services or applications that may have resided on highly underutilized infrastructure (again, servers, storage, and network components) while segregating those applications from other departments applications. The most likely inhibitor to consolidation prior to the advent of virtualization was the fear that somewhat different applications could adversely affect one another.
4 An Introduction to Cloud Computing If you consider a traditional IT architecture, you ll find that the services are hardware dependent and a single operating system owns all of the server resources (processors, memory, storage, and network interfaces) with one or more applications running atop the operating system. In a virtualized server environment, however, a new layer of software, the hypervisor, is added atop the physical server. This hypervisor abstracts the physical resources of the server (CPU, memory, storage, and network) and allows multiple guest operating systems to run atop it. The hypervisor controls access to the physical resources and manages the guests access to the resources. This allows multiple applications to run safely within the guest instances while mitigating any negative impact that one application might have on other applications running on the system. The end result of this method is that more applications can be safely run on a physical server, each running in their own guest operating system atop the hypervisor, and greater utilization of IT resources can be realized. In the past, the business manager was often too concerned with which physical server was running their applications, and the fear of someone else s application negatively impacting their services. Whereas, with the isolation and resource management capabilities of a virtualized platform, the focus is shifting to the Service Level Requirements (SLR) and the necessary levels of availability, performance, and overall health of the service. Ideally, the physical infrastructure becomes less important to the manager than the quality of service they receive from their IT services. This change in focus by business owners allows CIOs to shift their attention to technologies like virtualization, enabling them to lower their Total Cost of Ownership (TCO) and increase their asset utilization and Return on Asset (ROA) value. The combination of virtualization technologies with newer multi-core processors neutralizes both the technical and business mentality of oneapplication-per-server. Fewer machines results in smaller data center footprint, lower overall capital investment, and lower support and utility costs. These reductions often translate into lower power, cooling, floor space, and hardware maintenance costs and potentially even lower software licensing and support costs. So virtualization begins to look attractive from the CIO s point of view as a technology that, assuming it is stable and very reliable, might solve some budget constraints.
An Introduction to Cloud Computing 5 Beyond Virtualization The challenge with virtualization is that it is not the universal remedy for truly mission-driven IT, or even the top of mind CIO concerns mentioned previously. Virtualization allows for the pooling of resources and the consolidation of applications into a smaller footprint. However, virtualization in and of itself will not fully address the organization s need for agile, elastic, self-serviceable and on-demand IT. Fortunately, virtualization is an excellent foundation for building out mission-centric, services based IT infrastructures. Combining virtualization with Service Oriented Architecture (SOA), application hosting models, utility computing, and Web 2.0, results in a whole new way of delivering value to users Cloud Computing. The Cloud Defined When discussing cloud computing, it seems as though everyone has their own spin on what cloud means. When having a meaningful discussion about cloud computing, using the same terms in different ways can become problematic. To help alleviate this problem, in September 2011 the National Institute of Standards and Technology (NIST) released the official government definition of cloud computing. 1. NIST defined cloud computing as: a model for enabling ubiquitous, convenient, ondemand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models. 1 The NIST Definition of Cloud Computing, Recommendations of the National Institute of Standards and Technology, Peter Mell and Timothy Grance, September 2011. NIST Special Publication 800-145.
6 An Introduction to Cloud Computing What the Cloud Looks Like Figure 1 below represents NIST s and, by extension, the U.S. government s viewpoint of cloud computing and the five essential characteristics, three service models, and four deployment models as defined by NIST in its Definition of Cloud Computing. Hybrid Clouds Deployment Models Private Cloud Community Cloud Public Cloud Service Models Software as a Service (SaaS) Platform as a Service (SaaS) Infrastructure as a Service (SaaS) Essential Characteristics On Demand Self-Service Broad Network Access Rapid Elasticity Resource Pooling Measured Service Common Characteristics Source: NIST Massive Scale Homogeneity Virtualization Low Cost Software Resilient Computing Geopraphic Distribution Service Orientation Advanced Security Figure 1: Cloud Models and Characteristics What Goes Into the Cloud? Digging a little deeper into the terminology, you ll see some common characteristics of cloud computing. Virtualization, for example, plays a role in the architecture. Geographic distribution, utilized by infrastructure providers to balance resource requirements across physical resource locations, is also a component and is particularly relevant to government usage, which requires that data be stored in the continental United States. To meet the on-demand requirements of service delivery (increased users, more storage, more computing power, etc.), massive scale is also critical and the cloud service needs to be able to respond to that. Moving up-the-stack, we come to the five essential characteristics of cloud computing that NIST describes.
An Introduction to Cloud Computing 7 On-demand self service enables IT administrators to use portals to provision computing capabilities, such as server time and storage, as well as add users, without having to interact with the service provider. Measured service is also critical and is done automatically in the cloud. This provides you or the service provider with access to the metrics you need to charge back or show usage to the appropriate cost centers using the service. Rapid elasticity is synonymous with the cloud. If you need to go from 50 to 100 users in a day and back again without any hiccups or configuration headaches, a robust pool of storage, computing resources, network access and all of the things that make a virtual data center tick are vital. It is also worth noting that for NIST to consider a platform or service a cloud service that service must incorporate all five essential characteristics. The Capabilities that the Cloud Delivers Nearer the top of the stack we encounter service models, which essentially determine how and for what the cloud is used. Key Terms To Know On-demand Service Enables IT administrators to use portals to provision computing capabilities, such as server time and storage, as well as add users, without interaction with the service provider. Measured Service Provides you or the service provider with access to the metrics you need to charge or show back usage to the appropriate cost centers using the service. Rapid Elasticity Being able to quickly scale users or instances in a short time frame, without any configuration issues or service disruptions. Who Uses It? What Services Are Available? Why Use It? SaaS Business Users Email, Office Automation, CRM, Website Testing, Wiki, Blog, Virtual Desktop To complete business tasks PaaS Developers and Deployers Service and application test, development, integration and deployment Create or deploy applications and services for users IaaS System Managers Vitual machines, operating systems, message queues, networks, storage, CPU, memory, backup services Create platforms for service and application test, development, integration and deployment Source: GSA Figure 2: Cloud Service Models - Typical Case Uses
8 An Introduction to Cloud Computing As you can see from figure 2, there are three service models Software-as-a- Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) that break down into the following capability scenarios. We will dive into these with more detail in the upcoming chapters: SaaS In its current state, SaaS has been focused on the delivery of cloud-based productivity applications for office or IT users and includes such services as email, blogs, collaboration tools, Customer Relationship Management (CRM), HR applications and even IT tools like penetration testing and ediscovery. SaaS applications are becoming more sophisticated, but the core need today is office automation. Examples of SaaS applications include Google Apps, BMC RemedyForce, Informatica, Oracle Service Cloud, Symantec ediscovery Platform powered by Clearwell, and Workday. PaaS This service model is targeted at developers. If you want to build an application in the cloud, the service provider supplies the tools, development environment, and testing capabilities; all of the things you need that would otherwise be costly to buy and deploy internally. PaaS developed applications are deployed in the cloud in the form of a SaaS offering. PaaS technologies include Google App Engine, Microsoft Azure, Red Hat OpenShift, CloudBees, and Amazon s Elastic Beanstalk. IaaS In a typical IaaS vendor offering a pull-down menu appears when you sign in, offering virtual machines, operating systems (Linux or Windows), bandwidth requirements any or all of the assets to build a virtual data center are literally available through your web browser. From here you can add applications, security and all of the things you need to manage your operations from the cloud. IaaS vendors are numerous and include Amazon Web Services, Rackspace, and Terremark. How the Cloud is Deployed Going back to the component parts of cloud computing, at the top of the stack in Figure 1 we have the cloud deployment models including public, private, community, and hybrid clouds. Next we ll break these down to define what each one means (according to NIST definitions) and how they are typically used in the public sector.
An Introduction to Cloud Computing 9 Public Cloud This cloud is available to the general public and is owned by the organization providing the cloud services. Basically, it doesn t matter who owns, manages or operates a public cloud so long as it is open to the public. Thus, the owner can be a business (Google or Amazon Web Services), academic or government organization. The public cloud gives instant access to state-of-the-art applications and services, without a significant investment in resources. An appropriate example, for a government agency, is Data.gov or agency blogs that share unclassified citizen or customer-facing data. Private Cloud This model is dedicated solely to the needs of a particular organization. Like public clouds, these clouds may be owned, managed, and operated by a government organization, a private company or some combination. In the case of an internal private cloud, an organization can consist of many individual internal business units. However, in the case of an external private cloud, like Google Apps for Government or Amazon GovCloud this organization consists of all government agencies. Community Cloud The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed internally or outsourced and can exist on or off-premises. Community clouds are emerging in public sector agencies. For example, DISA has created two cloud services available to the various departments of the armed services. Two of DISA s offerings are RACE and Forge.mil. Hybrid Cloud A composition of two or more clouds that span across two or more of the deployment models (private, community, or public). The most common use case considered is private to public (or community). In this case, one would have a private cloud and the orchestration software would allow for workloads to be moved between both the private and public clouds. An example of a hybrid cloud includes a Red Hat Enterprise Virtualization (RHEV) based internal private cloud coupled with Amazon Web Services (AWS). Another example is a VMware based internal private cloud coupled with Terremark for periods of peak resource requirements beyond the limits of the internal cloud.
10 An Introduction to Cloud Computing The Challenges of Cloud Computing Given the multi-faceted benefits of cloud computing the promise of scalable, on-demand, and relatively inexpensive IT and the increased focus on cloud directives and strategies from the federal CIO s office, the U.S. government is abuzz with the promise of the cloud. In fact, many agencies are either already researching cloud computing options, or have actively embraced some form of cloud services. Some successful early adopters of private clouds include the Defense Information Systems Agency (DISA) who built a cloud for the Department of Defense (DoD) community named RACE and the National Aeronautics and Space Administration (NASA) who built their own cloud named Nebula. Despite this early adoption and buzz, IT managers, program managers, and even end users are still on the fence about cloud adoption and what the cloud represents. Let s touch on some of those concerns. Storing and Securing Data Undoubtedly, data security is one of the biggest concerns the government has with cloud computing, particularly as it relates to the interaction between the cloud and legacy systems. However, data privacy ranks high as well. After all, some control is given up to a cloud service provider in a multi-tenant environment so the question becomes where does your responsibility for data privacy and data loss end and theirs begin? Leading to the issue of data sovereignty - where, geographically, is a citizen s data stored - and the challenge of defining protocols and best practices for said data transport and storage. Data protection deals with the ownership of data that is loaded into a cloud service - this is where Service Level Agreements (SLAs), Terms of Service (ToS), and cloud computing all go hand-in-hand. Government IT is seemingly focusing as much, if not more, on legal and policy issues as it is on technical ones.
An Introduction to Cloud Computing 11 Interaction with Legacy Systems If you have an application in the cloud that needs to access data on an existing on-premises application back in the data center how will you account for this? How will that legacy hosted data be accessed and will web services be available for that data? It s All About Standards Another key area that may hamper cloud adoption is a lack of standardization within the government IT environment. A standardized operating environment can definitely help agencies with cloud services adoption, as can uniform standards on cloud adoption across government agencies. The lack of a universal set of standards can result in the risk of vendor lock-in. NIST is working on this, however it is likely that cloud providers will have to enhance their existing governance, compliance, and risk mitigation policies, processes, and procedures, as well as their actual IT services to comply with emerging standards. Dealing with the Unexpected Unplanned outages are another very public challenge that cloud providers face. In fact, outages are rare and less of an issue than they are in the average data center, but when they do happen they tend to impact many customers. As such, some cloud services may represent a valid continuity of operations concern. Of course, these outages also have a tendency of garnering considerable national press attention when they do fail, which results in wary customers. Connecting with the Cloud Another consideration is how users and IT staff access the cloud. Cloud-based SaaS applications are browser- or mobile device based, and can be adversely affected by network latency. Likewise, the virtual desktop method also relies on the network for access and can also fall foul to network delay. Ensuring that applications are geographically distributed or are front-ended by content delivery accelerators can help alleviate this issue.
12 An Introduction to Cloud Computing Cultural Resistance One of the biggest obstacles of moving to the cloud is a cultural one resistance to change. There are two groups that will generally resist moving to the cloud. One is the IT staff; nobody likes change, and this is a big one. In a typical IT organization, there s the group with the gung-ho, let s do it, and march off to get it done attitude. On the other hand, there s the group that would rather retire or go find another job than put up with this change to the way they have always done things. Then there are the end-users; they ve grown accustomed to what they are using, and something with a different interface may be hard for them to accept. So how do you address resistance to change? Well hopefully this guide will help, so too will knowledge-share and best practices from those who support migration to the cloud. Existing skills will need to be refined as IT adjusts to the cloud paradigm. For example, the focus on SLAs and ToS, historically, may not have been a huge factor in government IT. It is, however, a necessary evil in the cloud space that IT will need to align itself with, particularly as it pertains to data protection. IT Staff Skills The use of cloud services requires the adoption of new skills. To leverage a cloud service being provided by someone else, there is the need to learn the new platform, how services are deployed and managed, how they are patched, and how they are monitored. There may also be a need to learn new provisioning and orchestration tools to successfully manage the new cloud services. Finally, to enable granular control, monitoring and integration with existing administration tools, developers and administrators should learn how to use the new cloud provider s Application Programming Interfaces (API). Key Terms To Know Application Programming Interface (API) Method of software communication that allows multiple components to interface. For a self-managed private cloud infrastructure, even more new skills will be needed to manage all of the new components layered atop the virtualized environment. Some of these new components include provisioning, orchestration, metering, user portals, security, and monitoring. Developers will also need new skills when it comes to developing new applications that can leverage cloud services. This may include new development tools, new APIs, and possibly even new development languages.
An Introduction to Cloud Computing 13 A Few Points to Consider before Journeying to the Cloud In the next few chapters we ll take a deeper look at your options for deploying some of the cloud models discussed in this chapter, and help you find the right fit for your needs. In the meantime, in light of what we ve discussed in this chapter, let s take a step back to outline some key points that you should consider before embarking on any cloud deployment: Can your agency live with the vendor s standard SLA and ToS? Getting a provider to change their SLA and ToS can be tricky, even for a large agency. Taking best practices from the private sector is your best bet here and you should get your legal department involved early on so that you know what these documents mean. Conversely, if you are looking to build your own private or community cloud, can your organization deliver against the robust criteria established by the CIO in coordination with business managers? What will it cost to migrate your legacy applications or integrate them with the cloud? This was touched on earlier. What will you migrate, how much will it cost, and how will the legacy systems and cloud services interact? In many cases, it may not make sense to migrate legacy services to a cloud, whereas it would be ideal to develop new applications from the ground up as a cloud service. How does the vendor s security stack up? Expect to implement supplemental security if what the vendor provides is not sufficient for your system needs, whether it s classified as low, moderate or high according to the Federal Information Security Management Act (FISMA). What are your capacity requirements? You ll want to ensure sufficient capacity, but don t over-provision because you will be charged for it even if you don t use it. Try to negotiate capacity for peak periods with the vendor in advance, as an add-on charge to your basic service agreement. Establishing capacity management tools and disciplines are essential to saving money with cloud services over the long term.
14 An Introduction to Cloud Computing What are your remote access requirements? If you have users who access services outside your main Local Area Network (LAN), whether from out-of-state or overseas, be sure to consider the broadband access costs for these users and the network latencies that may exist between the users and the cloud service. While the cloud may be a cheaper overall solution for your agency, you may find your network bandwidth charges increase. How will you monitor cloud performance? Do you have the ability to do this or is a third party going to do it? Not all cloud services come with performance monitoring built-in, although you may be able to negotiate it as a separate service. It may even be possible to go to another cloud service to provide additional monitoring. What s your plan for the organizational impact? Identify the proponents of cloud computing in your organization that can share and charter best practices for cloud migrations and the impact on the organization. Next, we ll explore cloud deployment options SaaS, IaaS and PaaS. What they are, how they differ from each other, how you can use them, and the pros and cons you ll want to consider before signing up with a cloud provider.
15 Chapter 2 Software as a Service (SaaS) Learn about: How SaaS Differs from PaaS and IaaS Examples of SaaS Applications The Pros and Cons of SaaS Cautions and Considerations According to Forrester Research, Software-as-a-Service (SaaS), will dominate the cloud service model marketplace over the coming years. What does this mean for the public sector? What applications can be deployed using this model and how is it different from PaaS or IaaS? This chapter will answer these questions and help you establish a baseline understanding of what SaaS can do for your agency, as well as provide you with some decision criteria to keep in mind as you adopt SaaS. What is SaaS? In chapter one, we referred to NIST s definition of SaaS as a service provider s cloud-based solution. The premise of SaaS is that it is a software service hosted in the cloud and made accessible via the Internet, through a browser, mobile device or API. It s even easier to visualize what SaaS is if you think about how most of us have already been using Software-as-a-Service for quite some time from our personal Gmail accounts, to streaming music and icloud, to photosharing sites such as Flickr.
16 Cloud Service Models: Software as a Service (SaaS) So if we think about enterprise versions of SaaS, what becomes compelling is the fact that to acquire these sorts of services in the past you would have needed several hardware and software components (server, storage, network, and content management system). With SaaS, you simply procure the functionality you need, provision it immediately, and start using it across the enterprise via a web browser. All this while the service provider takes care of the business application, operating systems, and hardware components. The Key Characteristics of SaaS SaaS cloud services are defined as multi-tenant applications whereby users access and manage applications that utilize the same code base. Bug fixes, upgrades, and functional enhancements are generally made by the provider at the same time for all users of the code base. SaaS features all of the NIST attributes such as on-demand self-service (which allows you to seamlessly add services and users as needed, via the provider s portal), rapid elasticity (enabling you to quickly increase or decrease the number of users who need access to an application), and measured service, a key concept in cloud services that requires the provider to collect usage information so that end user organizations can charge back services at a very granular level (e.g. department, individual). SaaS also features resource pooling wherein the services IT resources are pooled to serve multiple subscribers in a multi-tenant model. Key Terms To Know Multi-Tenant Application Many organizations use the same software code base as opposed to traditional models where each organization had their own license and code base. Rapid Elasticity Being able to quickly scale users or instances in a short time frame, without any configuration issues or service disruptions. Another key attribute of SaaS, which is particularly pertinent in the public sector, is that it usually has provisions for personalization but not customization. This means you can personalize the application using its pre-provisioned features or options to suit your needs, but you can t customize it (i.e. change the underlying code to conform to your needs). It is often a lot more cost effective for a service provider to build a robust application that many people can use and can personalize. But once you start customizing, it s a different story.
Cloud Service Models: Software as a Service (SaaS) 17 Key Terms To Know Support for customized services as opposed to a single standardized service results in a more complex environment that is more costly and difficult to manage. Personalization The act of using the preprovisioned features and options offered by a SaaS application to meet your needs. Customization The modification of application code, fees and service features to suit the needs of your organization. SaaS services do not support customization. Two final key attributes of the SaaS model is that application upgrades, additions and modifications to SaaS applications are typically made to all users simultaneously with zero action required on your part. Likewise, all software and hardware maintenance is taken out of your hands and placed firmly in the hands of the service provider. How SaaS Differs from PaaS and IaaS We ll discuss PaaS and IaaS in later chapters, but just to give you a quick sideby-side comparison, here are the key fundamental differences between SaaS, PaaS and IaaS: SaaS PaaS IaaS Uses Multi-tenant applications Production-ready applications in use by enterprises Highly scalable industrial strength applications Multi-tenant software developer tools Used to build applications Used by an enterprise to build and deploy an application for a user community (including a SaaS application) IaaS is the infrastructure. Users can leverage IaaS as a virtual data center. Some SaaS and PaaS offerings are built atop other cloud providers IaaS.
18 Cloud Service Models: Software as a Service (SaaS) Why SaaS is the Cloud Service Model to Watch Most industry observers anticipate the SaaS market to grow at an exponential rate in the coming years, and develop into a much larger global market than PaaS and IaaS offerings. Why? Simply put, it makes sense for service providers to focus on the widely-used functionality that SaaS delivers and the common best practices that go into its implementation. This is also why providers are honing in on delivering SaaS applications such as email because the potential profit far outweighs the cost of development. What does this mean for the user? Well, we get the best of both worlds. We have multiple choices when it comes to email. This in turn drives competition and better email solutions in the cloud. What does this mean for the public sector? Essentially, when it comes to migrating applications to the cloud, think of SaaS less in terms of delivering a customized cloud solution (unless you want to build it yourself on a PaaS or IaaS model). Instead, think more about leveraging SaaS applications for the functionality it delivers functionality that might serve your users productivity and collaboration needs across multiple departments, or functionality that specifically supports a user base like HR, Finance, or IT. Examples of SaaS Applications SaaS includes applications that are increasingly focused on specific end users needs from office productivity to IT service desk applications; engineering collaboration and data integration. It also encompasses what we might want to consider as SaaS relatives such as Communications-as-a-Service and Data-as-a- Service (DaaS). Office Productivity Many of the online tools that we know and collaborate with today are now available via the cloud as SaaS applications, including email, calendar, document editing, file sharing, and so on. These services provide access to virtual office collaboration tools from anywhere and on any device, offer excellent scalability, provide reasonable uptime agreements, and reduce the risk of lost laptops. Some are even compliant with FISMA moderate security requirements. These services also require zero maintenance in terms of patching, updating or upgrading.
Cloud Service Models: Software as a Service (SaaS) 19 If you are not comfortable with the SaaS web browser interfaces and prefer the familiarity of your traditional email client (e.g. Microsoft Office Outlook or Mozilla Thunderbird ), many of these services support standard protocols, such as IMAP. Support of standard protocols allows you to access your SaaS-based email via your desktop or even mobile client. If you don t want to give up your entire email service to the cloud, you can still benefit from à-la-carte, cloud-based email services such as email filtering and protection services, offsite backup and content-based encryption policies. Which office productivity tools you migrate to the cloud depends on your needs and those of your users. If you have multiple users across disparate locations, cloud-based productivity tools can improve user access to mission-critical resources, reduce costs, and improve overall security for a mobile workforce. IT Service Desk SaaS tools also target the IT consumer to help streamline IT assistance services. Cloud-based IT service desks provide everything an IT department needs to manage requests and incidents, handle remediation efforts, and ensure that users are kept up to date via chat tools, email and mobile devices. These applications provide smaller IT shops with many of the feature-rich IT management solutions that bigger enterprise IT departments enjoy. Because these applications are based on service management best practices and they provide APIs and support standard protocols, they are easily integrated with existing systems and take much of the grunt work out of managing and deploying IT service desks. IT
20 Cloud Service Models: Software as a Service (SaaS) Engineering Collaboration Another interesting SaaS application focuses on the needs of a group of end users who are particularly dependent on accurate project information the architectural, engineering and construction communities. Every level of government is involved in some form of construction project, whether it is parks and recreation, transportation, infrastructure, and so on. Collaboration across teams is essential both at the design/build level, and among those who will ultimately manage and use the project upon completion. SaaS design collaboration tools, such as Autodesk Buzzsaw, have been around for a while and let project teams literally walk through a project, view and update drawings in real time, and save those changes back to the cloud. Users can access project information via the Web or mobile devices and have the confidence that they are accessing the latest project details. Other tools provide design analysis capabilities from the cloud, allowing architects to optimize building designs before the concepts are even complete. This design simulation capability is particularly critical in supporting green building initiatives because it lets teams assess energy and water consumption and the overall carbon footprint of a building, all from a simulated cloud environment. Data Integration So you ve made the move to the cloud. How do you manage your data as it extends beyond the enterprise? As your adoption of SaaS grows and more applications are deployed, the need to ensure synchronization between cloud services and on-premises systems becomes an imperative. The good news is that data integration services, which support data integrity and quality control in the data center, can also be deployed to support the management of cloud-based data. These services act as an intermediary, ensuring that formats are kept consistent and master data management issues are tackled. Additionally, for disaster recovery or compliance purposes, data integration can replicate application data.
Cloud Service Models: Software as a Service (SaaS) 21 Communication-as-a-Service (CaaS) As Internet Protocol (IP) communications converge with network traffic, traditional telecommunication providers are rapidly moving toward a cloudbased communications vision. With Communications-as-a-Service (CaaS), all the hardware, data and voice applications are hosted and managed in the cloud by the service provider. These services take the pain out of managing complex Voice over IP (VoIP) and other video and data requirements across multiple devices. Communications providers are also leveraging CaaS platforms to bring a richer set of communication options. Integrating voice, video, chat, and messaging via a CaaS platform gives customers greater flexibility in how they communicate. Data-as-a-Service (DaaS) Right now, Data-as-a-Service is in the growing bucket of cloud offerings. DaaS is a term used to describe data that s accessible from the cloud, via a web browser or through an API. Simply put, DaaS lets users quickly and easily access data or information from a cloud-based data set and make use of it in another application. A good example of DaaS is the federal government s Recovery.gov service. In addition to being able to search and download data sets relating to Recovery Act spending, Recovery.gov provides APIs to allow developers to access the data and create their own mashups and custom applications. Another example is Google s geocoding API. Geocoding is the process of converting street addresses into geographic coordinates (latitude and longitude), which you can use to place markers or position the map. The Google Geocoding API provides a direct way to access a geocoder via an HTTP request.
22 Cloud Service Models: Software as a Service (SaaS) The Pros and Cons of SaaS Like all cloud offerings SaaS has its pros and cons, many of which we ve already touched upon in this chapter. Let s revisit these in summary below. The Pros of SaaS Numerous Applications. Undoubtedly SaaS is a growing market and the wealth of available applications expands by the minute. Whatever your needs, whether it s office productivity apps, social media apps, or business apps, it either already exists or someone is working on building it. The General Services Administration s (GSA) Apps.gov website (www.apps.gov) offers a useful library of tools you may wish to consider using. No Installation Required. SaaS is the ultimate plug-and-play software service. Highly Scalable and Economic. SaaS applications let you add and remove users and features very easily, and without long term license commitments or hardware costs. Think of it as leasing versus buying. If you were to purchase the equivalent software and hardware and manage it internally, you d need to plan for peak loads which may only be once a month or once a quarter. However, the rest of the time those resources are idle you are still paying 100 percent of the support and licensing costs for that hardware and software. So if you re designing for peak load, then you could be paying a premium to have that platform sitting there on your own premises. In instances such as these, the cloud can deliver a significant monetary savings. No Compatibility Worries. With SaaS you don t have to worry about whether or not an application conflicts with those applications that you have already provisioned on machines in the enterprise. Free Up IT Staff. Because SaaS application updates and fixes happen automatically in the background and are the responsibility of the service provider, the burden on an IT department is significantly less. As mentioned, SaaS can help you reduce training and maintenance costs, but it can also enable you to move less mission critical applications to the cloud so that you can free up IT staff to focus on strategic projects. Many people who are not in the IT department don t always understand how much goes into rolling out a change to an application like their email system. But it s a significant cost in terms of time, resources and effort.
Cloud Service Models: Software as a Service (SaaS) 23 The Cons of SaaS The following items aren t what you would consider traditional cons, but are rather areas that you need to be sensitive to as you are considering SaaS for your agency. High Bandwidth Network Connectivity for End Users is a Must. Depending on the type of application you are using, your network bandwidth requirements are likely to be higher than previously needed across your Local Area Network (LAN), Wide Area Network (WAN) and remote users. Of course, using SaaS for email would not require as much bandwidth as an application that requires large file sharing and collaboration (video, images, etc.) Personalization Versus Customization. If you are looking to customize an application, you essentially neutralize the cost benefits of cloud applications and may find that SaaS is not for you. Most cloud SaaS offerings include personalization features that allow you to add features to suit your needs without incurring the cost and problems of customizing preexisting provider code. A Lack of Total Control. In SaaS cloud computing, the basic pillars of an application environment the security, uptime, and storage retrieval are the responsibility of the provider. Security is an aggressive work-in-progress issue for the public sector (more on this in Chapter 5), and while providers out there are FISMA moderate compliant, it s wise to accept that SaaS applications are often acceptable for a moderate impact government security system, and not so much for a high impact system.
24 Cloud Service Models: Software as a Service (SaaS) Cautions and Considerations As in Chapter 1, it s worth looking at some of the cautions and considerations that your agency will need to bear in mind as you weigh your SaaS approach. Here are eight that you will need to consider and plan for: 1. Be Wary of One-Sided Agreements. Get your legal team to review the SLA and ToS. If you are bringing a lot of users to the table, you may gain more wiggle room with the provider, but remember cloud service SLAs tend to be fairly locked and defined before they hit your desk. 2. Plan for Portability. Ease pain, in the event you change cloud service providers, by planning in advance for transition. 3. Remember, Performance Monitoring is Your Responsibility. Up to a point, this is your responsibility and it s wise to check this out by running tests before you sign up for anything. Monitoring both end user experience as well as uptime is essential. For example, if you are experiencing 99.9 percent uptime but your end users have a slow experience, you need to discuss this with your provider. 4. Plan for Initial Data Load and System Integration. Keep in mind that you will need to do some form of data upload and integration to ensure enterprise services and identity management systems are seamlessly ported and single sign-on is maintained. Remember that some back and forth between applications on premises and in the cloud might also be necessary. 5. Handling Electronic Discovery. Consider how you are going to handle electronic discovery for things such as FOIA requests or litigation. In particular, how are you going to handle this in encrypted archives? 6. Complying with Records Management Policy. Many agencies have folks on staff to handle records management compliance. Engage them at the beginning to ensure you have an approach for this as you adopt SaaS.