Shared Services Canada and Cloud Computing

Architecture Framework Advisory Committee

Transformation, Service Strategy and Design
December 17, 2012
Agenda
TIME             TOPICS                                 PRESENTER(S)

9:00 – 9:15      Opening Remarks and Objective          B. Long, Chair

9:15 – 9:55      Shared Services Canada and Cloud       J. Danek
                 Computing                              P. Littlefield
                 • SSC’s Role in Cloud Computing
                 • Opportunities and Challenges

9:55 – 10:05     Health Break

10:05 – 11:50    Open Discussion on Cloud Computing     All
                 • Basics of Cloud Computing
                 • Getting to the Next Level

11:50 – 12:00    Timeline and Next Meeting              January 28, 2013
                                                        (9:00 – 12:00)

AFAC Forward Agenda
Columns: Oct 2012, Nov 2012, Dec 2012, Jan 2013, Feb 2013, Mar 2013, Apr 2013, May 2013

• Transformation Overview
• DCC and Telecom P2P
• Constraints, Dependencies, and Risks
• Architectural Framework P2P
• Cloud Computing/Platforms: Jan 28; Finalize for ITIR
• Identity, Credential and Access Management*: X; X; Finalize for ITIR
• Converged Communications (Voice, Video, Data)*: X; X

Assumptions: * only for discussion purposes; Advisory committee meets every 4-6 weeks and has core group of members from ICT industry and SSC. Advisory committee would have minimum of two meetings to develop product for consideration by IT Infrastructure Roundtable and one meeting to finalize product before presentation to IT Infrastructure Roundtable.

AFAC Forward Agenda: Next Meeting

PROPOSED TOPICS

• Implementation Approach & Priorities (Best Practice)
• Security Reference Architecture – NIST Presentation
• Service Level Definitions & Taxonomy – NIST Presentation
• Cloud Service Broker Roles & Responsibilities
• Service Modeling Standards

Context For Cloud Computing

• SSC Mandate
    Consolidating data centres and their computing/storage platforms
      − Large (> 5000 sq.ft.) – 22
      − Medium (1000 - 4999 sq.ft.) – 65
      − Small (100 - 999 sq.ft.) – 386
      − Other server locations – 2747

• Objective
    Build and Buy Infrastructure as a Service (IaaS) and Platform as a Service (PaaS)
      – If building IaaS and PaaS → Community Cloud (e.g. GC SSC private cloud)
      – If buying IaaS and PaaS → e.g. Private or Hybrid Cloud
    Public cloud (e.g. GC public facing web presence)

SSC Core Mandate w/r TBS Profile of IT Services

• Standard service categories for management and accounting
• One of the outcomes of IT Expenditure Review Program (ERP)
• To ensure accurate accounting and reporting on IT expenditure
• Appropriated for these services to SSC and 43 Government of Canada departments/agencies

ICT Deployment Models and Evolving Degrees of Accountabilities

• IaaS: Infrastructure as a Service
• PaaS: Platform as a Service
• SaaS: Software as a Service (non Dept/Agency program Applications)

[Diagram: three columns (IaaS, PaaS, SaaS), each showing the same stack: Applications, Runtimes, Security & Integration, DBMS (Databases in the SaaS column), Servers, Virtualization, Server HW, Storage, Network. In each column the layers are divided between "CIO managed" and "Managed by Shared Services".]

SSC Consuming Cloud Services
[Diagram labels: SSC Employees & Contractors with; Protected “B”; GCnet; GC Cloud Computing; GC-SRA; GC-WiFi; GC-LAN; B2B; CWA; Domino R8; ILMS; GEDS; STSI; Desktop]

Note – final decisions on email services pending completion of procurement process

GC Cloud Conceptual

Public Cloud (GCnet-I*Net)
• e.g. Some public-facing GC presence
• e.g. Limited Development / Test capacity

External Community Cloud
e.g. CANARIE

Hybrid Cloud (GCnet over Secured Internet)
• Secured extension of GCnet to vendor
• Vendor-provided cloud services to the GC

Community Cloud (GCnet)
• Internal services for GC community
• SSC-provided cloud services to the GC
• Secured perimeter
• Multi-Domain (Protected-B to Secret)

Non-SSC Private Cloud

[Diagram labels: Internet; Public-facing web sites; Remote Access; GCnet; GCTravel; Canada.gc.ca; Pay; GEDS; Collab; Jobs; MySchool; GCDocs; Pension; Mail & Messaging; Intranet sites; GCdrive; Free / Busy; Mobile Integration; Directory]

Cloud Computing: Defining Shared Services Canada’s Role

Internal Private Cloud and External Cloud services should be defined by the same Service Architecture?

• SSC could be the Cloud Broker and could also be a Cloud Service Provider
• Some private cloud services could be provided by SSC
• This would be the “Community Cloud”
• The Cloud Broker would ensure multi-vendor management

[Diagram: cloud reference architecture. Cloud Consumer; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Provider, containing Cloud Orchestration (Service Layer with SaaS, PaaS, IaaS; Resource Abstraction and Control Layer; Physical Resource Layer with Hardware, Facility) and Cloud Service Management (Business Support, Provisioning / Configuration, Portability / Interoperability); Cloud Broker (Service Intermediation, Service Aggregation, Service Arbitrage); Cloud Carrier; Cross Cutting Concerns: Security, Privacy, etc.]

Cloud Computing: Opportunities and Challenges

Opportunities
 • On-demand self service
      – V storage
 • Ubiquitous network access
      – Community cloud (CWA, GCDocs)
 • Resource pooling (location independence, homogeneity)
      – Hybrid cloud - STSI
 • Rapid elasticity
 • Measured service
 • Private clouds
      – DCC and Telecommunications consolidations
 • Data sovereignty, privacy and security
      – Data in motion, data processing and data at rest

Challenges
 • Connecting resources across clouds and customer premises
 • Managing identity, federation, and access control
 • Isolating tenants in a multi-tenancy environment
 • Extending on-premises security & operations management practices to the cloud
 • Latency and other performance-related considerations
 • Network capacity and capability

Cloud Computing: Basics
Specific Areas of Focus         What We Think We Know               Other

Service Framework               NIST Framework                      Are there other frameworks that
Architecture                                                        NIST doesn’t incorporate that
                                                                    we should consider?

Service Models                  GSM                                 Are there any other standard
                                UML                                 service modeling tools that we
                                SOMA                                should consider?

Security                        SSC Security Domains and Zones      Are there any other security
                                Architecture                        frameworks that are not
                                CSEC ITSG33                         incorporated?
                                NIST Security RA

Getting to Next Level           • Detailed component service        Any other considerations?
                                  architectures
                                • Agreement on security
                                  framework & process

Next Steps                      • Do we need working groups?        Other next steps?
                                  Governance structure?

Preliminary Sample GC Service Architecture DCS

• Data Centre Services View
• Illustrates IaaS, PaaS, & SaaS Services
• Services can service Users, or other Services
• Services can be accessed internally or externally
• Internal services are on the DC LAN
• External Services are accessed via the I-Net Gate and the Net ISP IaaS
• This service model is described in detail in GSM*

[Diagram labels: Cloud1 services (SaaS CRM, SaaS Email, PaaS .Net, PaaS Java, PaaS Oracle, IaaS x86); IaaS Cloud LAN; IaaS Net ISP1; IaaS I-Net Gate; IaaS DC LAN; Cloud Brokerage Services (SaaS Broker1, SaaS Broker2, SaaS Broker3); SaaS MyKey; PaaS SEC1 Firewall; PaaS SEC2 IDS/IPS; PaaS Load Bal; IaaS z/OS; PaaS Store1; PaaS Directory; IaaS ETI; PaaS ETI; SaaS ETI; USD5; IaaS Unix Sm; IaaS Unix Large; IaaS x86; IaaS Linux; PaaS .Net; PaaS Java; PaaS Oracle; PaaS DB2; IaaS Store1; IaaS Store2; IaaS Store Archive]

*GSM - Generic Service Model, A generic framework for describing a Service in terms of its systematic hierarchy of related service objects.

Preliminary GC Sample Service Architecture DCS

[Diagram labels: four external clouds (Cloud1 through Cloud4), each with IaaS Linux, IaaS Unix, IaaS LAN and SaaS Mgmt.; IaaS Net ISP1; SSC Data Centre, containing IaaS I-Net Gate, Cloud Security Services (SaaS MyKey, PaaS SEC1 Firewall, PaaS SEC2 IDS/IPS), IaaS z/OS, Cloud Brokerage Services (SaaS Broker1, SaaS Broker2, SaaS Broker3), IaaS DC LAN, and Mid-Range Platform Services (PaaS Directory, IaaS Unix, IaaS Windows, IaaS Linux, IaaS Store1, IaaS Store2, IaaS Storage Archive, PaaS Load Bal)]

*GSM - Generic Service Model, A generic framework for describing a Service in terms of its systematic hierarchy of related service objects.

Cloud Computing Model: United Kingdom

Should SSC start as the UK did with the Broker Functions/SaaS?

• Apps Store
• SaaS deployment
• Manage deployments
• Manage SLAs across a multi-service provider environment

[Diagram: cloud reference architecture with multiple SaaS services highlighted. Labels: ICAM; MyKey; Cloud Auditor (Security Audit, Privacy Impact Audit, Performance Audit); Cloud Provider (Service Layer with SaaS, PaaS, IaaS; Resource Abstraction and Control Layer; Physical Resource Layer with Hardware, Facility; Cloud Service Management: Business Support, Provisioning / Configuration, Portability / Interoperability; Security; Privacy); Cloud Broker (Apps Store): Service Intermediation, Service Aggregation, Service Arbitrage; Network]

Cloud Computing Model: United States

Should SSC start as the U.S. did with IaaS?

• “Cloud First” policy
• FedRAMP / Procurement and security certification
• Start with IaaS deployment
• Cloud Service Management per vendor
• ICAM in place, but not leveraged
• Other International examples?

[Diagram: cloud reference architecture with multiple IaaS services highlighted. Labels: Cloud Provider (Service Layer with IaaS, PaaS, SaaS; Resource Abstraction and Control Layer; Physical Resource Layer with Hardware, Facility; Cloud Service Management: Business Support, Provisioning / Configuration, Portability / Interoperability; Security; Privacy); Network]

For Discussion: Challenges Revisited –
Requirements
• Connecting resources across clouds and vendor premises
• Managing identity, federation, and access control
• Isolating tenants in a multi-tenancy environment
• Extending on-premises security & operations management practices to the
  cloud
• GC as one tenant
• Latency and other performance-related considerations
• Network capacity and capability


    1. How should SSC address these challenges?
    2. What architectural artefacts and supports are required to support SSC
       leveraging cloud services going forward?
    3. What criteria should SSC use to decide which services would be best for
       cloud service models?

Timeline

December 17, 2012
 • GCCC Architectures thoroughly discussed with AFAC members

January 28, 2013
 • Revised GCCC architectures feedback incorporated
 • Platform strategy thoroughly discussed

February 2013
 • Revised GCCC architectures endorsed by AFAC
 • Platform strategy - feedback incorporated

March 2013
 • Revised GCCC Platform endorsed by AFAC
 • ICAM strategy thoroughly discussed with feedback

Annex




Cloud Computing Advance Reading Material

1.   SSC Cloud Computing Vision
2.   Security Domains & Zones Architecture
3.   Security Domains & Zones Implementation Guidelines
4.   Management Zone Implementation Guidelines
5.   NIST Foundational Documents on Cloud Computing




         SSC will incorporate all input from AFAC members
             and release final versions to the industry

Cloud Standards Bodies
• Many standards bodies
• NIST is among the most mature and most often referenced
• NIST is open / public sector aligned
• Cloud Security Alliance (CSA) among most mature re security framework
• NIST has incorporated CSA’s framework in their Security Framework
• Are there Canadian considerations?

Foundational Documents on Cloud Computing

• NIST - Definition of Cloud Computing, SP-800-145
  http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf
• NIST - Cloud Computing Standards Roadmap, SP-500-291
  http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909024
• NIST - Cloud Computing Reference Architecture, SP-500-292
• NIST - USG Cloud Computing Technology Roadmap, SP-500-293
  http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeI-2.pdf
• NIST – Cloud Computing Security Reference Architecture (TBA Jan.13)
  http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudSecurity
• NIST - Cloud Computing Service Levels (TBA Feb. 13)
• CSA – TCI Reference Architecture
  https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI-Reference-Architecture-v1.1.pdf
• NIST Current Status Presentation (Dec.12)
  docbox.etsi.org/Workshop/2012/201212.../NIST_BOHN.pd


Ssc cloud computing vision afac dec17 12 final english

  • 1. Shared Services Canada and Cloud Computing Architecture Framework Advisory Committee Transformation, Service Strategy and Design December 17, 2012
  • 2. Agenda TOPICS PRESENTER(S) 9:00 – 9:15 Opening Remarks and Objective B. Long, Chair 9:15 – 9:55 Shared Services Canada and Cloud J. Danek Computing P. Littlefield •SSC’s Role in Cloud Computing •Opportunities and Challenges 9:55 – Health Break 10:05 10:05 – Open Discussion on Cloud Computing All 11:50 • Basics of Cloud Computing • Getting to the Next Level 11:50 – Timeline and Next Meeting January 28, 2013 12:00 (9:00 – 12:00) 2
  • 3. AFAC Forward Agenda Oct Nov Dec Jan Feb Mar 2013 Apr 2013 May 2013 2012 2012 2012 2013 2013 Transformation   Overview DCC and Telecom   P2P Constraints, Dependencies, and Risks Architectural   Framework P2P Finalize Cloud Computing/  Jan 28 for ITIR Platforms Identity, Credential Finalize and Access X X for ITIR Management* Converged Communications X X (Voice, Video, Data)* Assumptions: * only for discussion purposes; Advisory committee meets every 4-6 weeks and has core group of members from ICT industry and SSC. Advisory committee would have minimum of two meetings to develop product for consideration by IT Infrastructure Roundtable and one meeting to finalize product before presentation to IT Infrastructure Roundtable. 3
  • 4. AFAC Forward Agenda: Next Meeting PROPOSED TOPICS Implementation Approach & Priorities (Best Practice) Security Reference Architecture NIST Presentation Service Level Definitions & Taxonomy NIST Presentation Cloud Service Broker Roles & Responsibilities Service Modeling Standards 4
  • 5. Context For Cloud Computing • SSC Mandate  Consolidating data centres and their computing/storage platforms − Large (> 5000 sq.ft.) – 22 − Medium (1000 - 4999 sq.ft.) – 65 − Small (100 - 999 sq.ft.) – 386 − Other server locations – 2747 • Objective  Build and Buy Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) – If building IaaS and PaaS  Community Cloud (e.g. GC SSC private cloud) – If buying IaaS and PaaS  e.g. Private or Hybrid Cloud  Public cloud (e.g. GC public facing web presence) 5
  • 6. SSC Core Mandate w/r TBS Profile of IT Services • Standard service categories for management and accounting • One of the outcomes of IT Expenditure Review Program (ERP) • To ensure accurate accounting and reporting on IT expenditure • Appropriated for these services to SSC and 43 Government of Canada departments/agencies 6
  • 7. ICT Deployment Models and Evolving Degrees of Accountabilities IaaS PaaS SaaS managed CIO Applications Applications Applications CIO managed Runtimes Runtimes Runtimes Managed by Shared Services Managed by Shared Services Security & Integration Security & Integration Security & Integration •IaaS: DBMS DBMS Databases Infrastructure as a Service Managed by Shared Services Servers Servers Servers •PaaS: Virtualization Virtualization Virtualization Platform as a Service Server HW Server HW Server HW •SaaS: Software as a Service (non Storage Storage Storage Dept/Agency program Network Network Network Applications) 7
  • 8. SSC Consuming Cloud Services SSC Employees & Protected “B” GCnet GC Cloud Computing Contractors with GC-SRA B2B CWA GC-WiFi Domino R8 GC-LAN ILMS GEDS STSI Desktop 8 Note – final decisions on email services pending completion of procurement process
  • 9. GC Cloud Conceptual Internet Public-facing web sites Public Cloud (GCnet-I*Net) Remote • e.g. Some public-facing GC Access presence GCTravel • e.g. Limited Development / Test capacity GCnet Canada.gc.ca External Community Cloud Pay GEDS e.g. CANARIE Collab Jobs MySchool GCDocs Pension Mail & Messaging Intranet sites GCdrive Hybrid Cloud (GCnet over Secured Internet) Free / Busy Mobile Integration • Secured extension of Directory GCnet to vendor • Vendor-provided cloud GCnet services to the GC Community Cloud (GCnet) • Internal services for GC community • SSC-provided cloud services to the GC • Secured perimeter Non-SSC Private Cloud • Multi-Domain (Protected-B to Secret) 9
  • 10. Cloud Computing: Defining Shared Services Canada’s Role Internal Private Cloud and External Cloud services should be defined by the same Service Architecture? • SSC could be the Cloud Provider Cloud Broker Cloud Broker and Cloud Orchestration Cloud Consumer Service Layer could also be a Cloud Cloud Service SaaS SaaS Management Service Provider Intermediation PaaS PaaS Cloud Auditor Business Support • Some private cloud IaaS IaaS Security Audit Service services could be Aggregation Resource Abstraction and Provisioning / provided by SSC Control Layer Configuration Privacy Impact Audit Physical Resource Layer Portability Service Arbitrage • This would be the Hardware Performance /Interoperability “Community Cloud” Audit Facility • The Cloud Broker Cloud Carrier would ensure multi- vendor management Cross Cutting Concerns: Security, Privacy, etc. 10
  • 11. Cloud Computing: Opportunities and Challenges Opportunities Challenges • On-demand self service • Connecting resources across clouds  V storage and customer premises • Managing identity, federation, and • Ubiquitous network access access control  Community cloud (CWA, GCDocs) • Isolating tenants in a multi-tenancy • Resource pooling (location environment independence, homogeneity) • Extending on-premises security & operations management practices to  Hybrid cloud - STSI the cloud • Rapid elasticity • Latency and other performance- • Measured service related considerations • Network capacity and capability • Private clouds  DCC and Telecommunications consolidations • Data sovereignty, privacy and security  Data in motion, data processing and data at rest 11
  • 12. Cloud Computing: Basics Specific Areas of Focus What We Think We Know Other Service Framework  NIST Framework Are there other frameworks that NIST doesn’t incorporate that Architecture we should consider? Service Models  GSM Are there any other standard  UML service modeling tools that we  SOMA should consider? Security SSC Security Domains and Zones Are there any other security Architecture frameworks that are not  CSEC ITSG33 incorporated?  NIST Security RA Getting to Next Level • Detailed component service Any other considerations? architectures • Agreement on security framework & process Next Steps • Do we need working groups? Other next steps? Governance structure? 12
  • 13. Preliminary Sample GC Service Architecture DCS • Data Centre Services View • Illustrates IaaS, PaaS, & SaaS Services • Services can service Users, or other Services SaaS SaaS • Services can be accessed internally or externally Cloud1 Cloud1 CRM Email • Internal services are on the DC LAN IaaS • External Services are accessed via the I-Net Gate and Cloud PaaS LAN PaaS the Net ISP IaaS Cloud1 Cloud1 .Net Java • This service model is described in detail in GSM* PaaS IaaS Cloud Brokerage Services Cloud1 Cloud1 Oracle x86 SaaS PaaS PaaS PaaS SaaS PaaS IaaS PaaS SaaS SaaS SaaS IaaS MyKey SEC1 Directory ETI ETI Load Bal z/OS Store1 Broker1 Broker2 Broker3 ETI Firewall IaaS Net IaaS ISP1 IaaS DC LAN I-Net Gate PaaS IaaS SaaS IaaS IaaS PaaS PaaS PaaS PaaS IaaS IaaS IaaS USD5 SEC2 Unix ETI x86 Linux .Net Java Oracle DB2 Store1 Store2 Store IDS/IPS Sm Archive IaaS Unix Large *GSM - Generic Service Model, A generic framework for describing a Service in terms of its systematic hierarchy of related service objects. 13
  • 14. Preliminary GC Sample Service Architecture DCS IaaS SaaS IaaS SaaS IaaS SaaS IaaS SaaS Cloud1 Cloud1 Cloud2 Cloud2 Cloud3 Cloud3 Cloud4 Cloud4 Linux IaaS Mgmt. Linux IaaS Mgmt. Linux IaaS Mgmt. Linux IaaS Mgmt. Cloud1 Cloud2 Cloud3 Cloud4 IaaS LAN IaaS LAN IaaS LAN IaaS LAN Cloud1 Cloud2 Cloud1 Cloud1 Unix Unix Unix Unix IaaS Net ISP1 SSC Data Centre Cloud Brokerage Services Cloud Security Services SaaS PaaS PaaS SEC2 IaaS SaaS SaaS SaaS IaaS MyKey SEC1 IDS/IPS z/OS Broker1 Broker2 Broker3 I-Net Firewall Gate IaaS DC LAN PaaS IaaS IaaS IaaS IaaS IaaS IaaS PaaS Unix Windows Linux Store1 Store2 Storage Load Bal Directory Archive Mid-Range Platform Services *GSM - Generic Service Model, A generic framework for describing a Service in terms of its systematic hierarchy of related service objects. 14
  • 15. Cloud Computing Model: United Kingdom Should SSC start as the UK did with the Broker Functions/SaaS? Cloud Provider ICAM Cloud Broker (Apps Store) • Apps Store Service Layer SaaS SaaS SaaS SaaS MyKey SaaS Cloud Service SaaS Management • SaaS deployment Service PaaS Intermediation PaaS SaaS SaaS SaaS Business SaaS Cloud Auditor IaaS Support IaaS Security Privacy Security Audit Service Aggregation • Manage deployments ResourcePaaS PaaS and Abstraction Control Layer Provisioning / SaaS SaaS SaaS Configuration SaaS Privacy IaaS IaaS Physical Resource Layer Impact Audit Portability Service Arbitrage • Manage SLAs across a Hardware PaaS Performance PaaS SaaS SaaS /Interoperability SaaS multi-service provider Facility SaaS Audit IaaS IaaS environment Network 15
  • 16. Cloud Computing Model: United States • Should SSC start as the U.S. did with IaaS? • “Cloud First” policy • FedRamp / Procurement and security certification • Start with IaaS deployment • Cloud Service Management per vendor • ICAM in place, but not leveraged • Other International examples? [Diagram labels: Cloud Provider (Service Layer: IaaS, PaaS, SaaS; Resource Abstraction and Control Layer; Physical Resource Layer: Hardware, Facility, Network; Cloud Service Management: Business Support, Provisioning / Configuration, Portability / Interoperability; Security; Privacy)]
  • 17. For Discussion: Challenges Revisited – Requirements • Connecting resources across clouds and vendor premises • Managing identity, federation, and access control • Isolating tenants in a multi-tenancy environment • Extending on-premises security & operations management practices to the cloud • GC as one tenant • Latency and other performance-related considerations • Network capacity and capability 1. How should SSC address these challenges? 2. What architectural artefacts and supports are required to support SSC leveraging cloud services going forward? 3. What criteria should SSC use to decide which services would be best for cloud service models? 17
  • 18. Timeline December 17, 2012 January 28, 2013 February 2013 March 2013  GCCC  Revised GCCC  Revised GCCC  Revised GCCC Architectures architectures architectures Platform thoroughly feedback endorsed by endorsed by discussed with Incorporated AFAC AFAC AFAC members  Platform  Platform  ICAM strategy strategy strategy - thoroughly thoroughly feedback discussed with discussed incorporated feedback 18
  • 19. Annex 19
  • 20. Cloud Computing Advance Reading Material 1. SSC Cloud Computing Vision 2. Security Domains & Zones Architecture 3. Security Domains & Zones Implementation Guidelines 4. Management Zone Implementation Guidelines 5. NIST Foundational Documents on Cloud Computing SSC will incorporate all input from AFAC members and release final versions to the industry 20
  • 21. Cloud Standards Bodies • Many standards bodies • NIST is among the most mature and most often referenced • NIST is open / public sector aligned • Cloud Security Alliance (CSA) among most mature re security framework • NIST has incorporated CSA’s framework in their Security Framework • Are there Canadian considerations? 21
  • 22. Foundational Documents on Cloud Computing • NIST - Definition of Cloud Computing, SP-800-145: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf • NIST - Cloud Computing Standards Roadmap, SP-500-291: http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909024 • NIST - Cloud Computing Reference Architecture, SP-500-292 • NIST - USG Cloud Computing Technology Roadmap, SP-500-293: http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeI-2.pdf • NIST – Cloud Computing Security Reference Architecture (TBA Jan.13): http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/CloudSecurity • NIST - Cloud Computing Service Levels (TBA Feb. 13) • CSA – TCI Reference Architecture: https://cloudsecurityalliance.org/wp-content/uploads/2011/10/TCI-Reference-Architecture-v1.1.pdf • NIST Current Status Presentation (Dec.12): docbox.etsi.org/Workshop/2012/201212.../NIST_BOHN.pd