Program sides from the Federal Cloud Computing Summit on Dec. 17, 2013 at the Ronald Reagan Building in Washington, D.C.

1. Welcome to the
Federal Cloud
Computing Summit
@fedsummits #cloudfeds

2. The Federal Cloud Computing
Summit Mobile App is now
available for download

3. Host Organization
Advanced Mobility Academic
Research Center
AMARC is a non-profit organization that focuses on
the three areas: Academic, Government & Corporate.
The Academic Research sector is the bridge between
Government and Corporate participation.
@amarcedu
www.amarcedu.org

4. Agenda
8 to 9 a.m. – Opening of Cloud
Technology Showcase
9 to 9:10 a.m. – Welcome, Keith
Trippie, DHS
9:10 to 9:50 a.m. – Visionary
Keynote, Bill Schlough, San Francisco
Giants
@fedsummits #cloudfeds

5. Agenda
9:50 to 10:40 a.m. – Panel 1,
Innovation Today
Moderator: Keith Trippie, DHS
Panelists: Peter Chin, DHS; Joe
Klimavicz, NOAA; Mark Schwartz,
DHS
@fedsummits #cloudfeds

6. Agenda
10:40 to 11:30 a.m. – Panel 2, Cloud
Acquisition Solutions
Moderator: Jason Miller, Federal
News Radio
Panelists: Mark Day, GSA; Keith
Trippie, DHS; Oliver Voss, NNSA
@fedsummits #cloudfeds

7. Agenda
11:30 a.m. to 12 p.m. – Cloud Technology
Showcase
12 to 1 p.m. – Cloud Innovation Awards
Presenters: Greg Mundell, InfoZen & Tom Suder,
AMARC
The Cloud Innovation Awards recognize
individuals that use cloud solutions to better
accomplish the mission of their agency
@fedsummits #cloudfeds

8. Cloud Innovation Award Winners
Matt Goodrich – General Services Administration
Jennifer Gray – U.S. Department of Health & Human
Services
Roopangi Kadakia – NASA
Julie Mintz – Defense Information Systems Agency
@fedsummits #cloudfeds

9. Past Cloud Innovation Award Winners
Casey Coleman – General Services Administration
Anil Karmel – National Nuclear Security
Administration
Shawn Kingsberry – Recovery Accountability and
Transparency Board
Dr. David McClure – General Services Administration
Keith Trippie – U.S. Department of Homeland
Security
@fedsummits #cloudfeds

10. Agenda
1 to 2 p.m. – Cloud Technology Showcase
2 to 2:45 p.m. – Panel 3, Security Harmonization
Moderator: Christopher Dorobek,
DorobekINSIDER
Panelists: Jeff Eisensmith, DHS; Doug Gardner,
DISA; Maria Roat, GSA; John Streufert, DHS
@fedsummits #cloudfeds

11. UNCLASSIFIED
Cloud Security Model Details
12 DEC 2013 -- 1300
UNCLASSIFIED
11

12. Agenda
2:45 to 3:30 p.m. – Panel 4, Recap of MITRE
Cloud Collaboration Sessions
Moderator: Justin Brunelle, MITRE
Challenge Area 1: Interoperability & Portability
Challenge Area 2: End-to-End Service Delivery
Challenge Area 3: Federal-Wide Standards for
SLAs
Challenge Area 4: Cyber Security
@fedsummits #cloudfeds

13. Leveraging Academia to Solve
Cloud Challenges
Justin F. Brunelle
The MITRE Corporation
jbrunelle@mitre.org

14. Thank you!

15. Justin F. Brunelle
jbrunelle@mitre.org

16. Cloud Working Group: Tactical Cloud
• Government collaboration
– Data replication
– Ad hoc/distributed cloud analytics
– Identity Access Management
– Federated Query

17. Interoperability
& Portability
• Cloud enables
interoperability
• Mobile is key
• Universal service
catalog
• Need improved
models

18. End-to-end
Service Delivery
• Need a la carte
pricing
• Not all services
suitable for cloud
• Need improved
models
• Assured elasticity
with fixed max cost

19. Federal Standards
and SLAs
•
•
•
•
SLAs for multiple providers
Improved governance
Agile methods for cloud provisioning
Federal collaboration needed

20. Cyber
Security
•
•
•
•
Need Security as a Service
A la Carte security procurement
Security as contractual obligation
Automatic detection

21. Academic
Collaboration
• Interop: mobile as enabler
• End-to-end: need real-time
to disconnected users
• SLAs: improved modeling
• Security: need automatic
detection
• Need:
– Industry days
– Attention to government trends
– Industry to Academia Signal for need

22. Academics to shape cloud landscape

23. Call for mentors!
• Leverage Academia
• Use a talent agent
– AMARC
– MITRE
jbrunelle@mitre.org

24. Dan Mintz
•
•
•
•
Executive Director of AMARC
Former CIO
Fed 100 Award Winner
Adjunct Professor, IT Education:
– Syracuse University
– University of Maryland University College

25. Agenda
3:30 to 4:15 p.m. – Panel 5, The Future of Cloud
Moderator: Dan Mintz, Advanced Mobility
Academic Research Center (AMARC)
Panelists: Irena Bojanova, University of Maryland
Univ. College; Chris Kemp, Former CTO, NASA &
CSO, Nebula; Adam Porter, University of Md.; Dr.
David Rogers, University of Central Florida
4:15 to 4:30 p.m. – Afternoon Visionary Keynote,
Keith Trippie, DHS
@fesummits #cloudfeds

26. Welcome to the
Federal Cloud
Computing Summit
@fedsummits #cloudfeds

27. Mobile Cloud
is Changing
Adam Porter
Training &
UMD
Education

31. Mobile Cloud
Computing

33. Trends in
Education

34. M assive
O pen
O nline
C ourses

35. Highly scalable, cloud-based,
interactive learning systems
Video lectures / tutorials
In-video questions
Online quizzes
Hands-on assignments

36. https://www.coursera.org/course/android
70K+ students from all over the world
Part of a multi-course sequence taught with Vanderbilt University

37. 15M+ students
Wrote 500B LOC

38. Learning never sleeps
Everyone will be a teacher and a
student
What you know and can show,
more important than where you
learned it

39. Content is still king, but lessons are
becoming commoditized
Hands-on experiences are the
real added value
It’s a buyer’s market

40. Mobile Cloud
+
Education

41. Bring Your Own Device (to class)
Providers will exploit mobility &
context awareness
Just in time learning, outside the
classroom
Leverage sensors to interact with
real world

42. Everyone’s a learner
More cloud-supported learning
applications
Leverage complex computations,
interact with simulators, data
analytics, etc.

43. MARS Superintendent by PAR Works

45. For more
information, contact
aporter@cs.umd.edu

46. Future of
Cloud Computing
Irena Bojanova, Ph.D.
UMUC, NIST

47. No Longer On The Horizon
Essential Characteristics
• Pay/charge-per-use access to applications,
software development & deployment
environments, and computing infrastructure.
• Optimized, efficient computing through
enhanced collaboration, agility, scalability, and
availability.
• On-demand Self-Service
• Broad Network Access
• Resource Pooling
• Rapid Elasticity
• Measured Service
Service models (SPI)
Natural evolution of the Web:
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
Web Sites
Applications
Deployment models
•
•
•
•
Private
Community
Public
Hybrid
 Next logical step for IT industry
 Strategic weapon in enterprise computing
 Norm in every sector of society.
SaaS
Developer
Platforms
PaaS
Compute
and Store
IaaS
Governments, organizations, and individuals adopt
cloud computing 
to manage information instead of infrastructure.

48. Now Focus On
•
Initial Risks Evaluation – using CSA’s framework
–
–
–
–
•
Multi-Tenancy – the True Cloud solution
–
–
–



•
Importance of data and applications/functions/processes to be moved to Cloud
Risk tolerance of organization
Acceptable deployment and service models combinations
Potential exposure points for sensitive information and operations.
Data and applications of different consumers share platforms, storage, and networks
Tightly related to resource pooling  Economies of scale, passed to costumers
Use of newest technology and the latest software versions
Logical separation is a suitable substitute for physical separation.
Main risks come from not knowing the architecture
One of top 6 questions to ask: Is it hosted or a true Cloud solution?
Cloud-Based Integration – iPaaS
–
–
Silos –- applications and data cannot interact with on-premise systems.
iPaaS –- development, execution and governance of integration flows
• Connecting on-premise and cloud-based processes, services, applications, and data
• Within individual or across multiple organizations.

49. Now Focus On (Cont.)
•
Cloud Portability, Interoperability, and Federation
–
–
–
–
–


Applications and data are easily moved between platforms and providers
Scaling one service across disparate providers , while appearing and operating as one system
Interoperability is closely related to rapid elasticity and multi-tenancy
Connecting clouds through network gateways  hybrid Cloud environment
Interconnecting services of providers from disparate networks
Providers wholesale or rent resources to balance workloads and handle spikes in demand
Standard, pre-negotiated set of contracts.; Federation agreements.
Benefits for Consumers
 Choose best provider by flexibility, cost, and availability of services
 Use most appropriate infrastructure environment
 Distribute workloads around globe ;move data between disparate networks.
Benefits for Providers
 Earn revenue from idle or underutilized resources
 Expand geographic footprints without building new points of presence.
 Considerable effort: IEEE CS P2302 –
Standard for Intercloud Interoperability and Federation.

50. New Trends
Nexus of Forces –evolving through convergence and mutual reinforcement of:


Social
Mobile
 Cloud
 Big Data
• Social media and mobile apps provide platform for
effective social and business interactions.
• Cloud offers convenient and cost effective computational
and information delivery infrastructure.
• New digital economy is being built upon this Nexus in combination with the Internet of Things,
unlocking an incredible opportunity to connect everything together.
The gap between ideas and actions is being rapidly reduced through:
Near-global connectivity
Pervasive mobility
Industrial-strength compute services
Access to vast amounts of information
Without Cloud
•
•
•
Social interactions – no place to happen at scale
Mobile – no connection to data and functions
Information – stuck inside internal systems.

51. New Trends (Cont.)
•
Personal Clouds (PC’s)
–
–
–
–
•
Hybrid Clouds Evolution
–
–
•
PC idea reborn -- control on data, apps, terms of service
Personal devices  Personal services; self-hosted, provider-hosted, or hybrid
Interoperable and addressable through XDI
p2p marketplace – Find and engage with anyone with PC’ – trust, reputation.
From integration of internal private clouds & public services 
Towards bringing together personal clouds & external private services
Will have to be design with interoperability and federation in mind.
Private Clouds Evolution
–
–
Will have to be designed with hybrid future in mind to be able to handle future
aggregation, integration, interoperability, and customization of services
Organizations implementing such clouds will have to:
• Handle overdrafting and cloudbursting
• Take role of cloud service brokers.

52. New Trends (Cont.)
From
• Cloud ~ provides ubiquitous, on-demand, elastic, selfconfigurable, cost effective computing.
and
• Mobile ~ convenient gadgets, with regional wireless
communication and limited data services and
computing and power resources.
Flyables
Drivables
To
• Cloud-Based Mobile Augmentation (CMA) ~ employs
Cloud to increase, enhance, and optimize computing
capabilities of mobile devices.
and
• Cloud Mobility ~ low-end mobile devices access cloud
computing resources and globally connected mobile
enabled resources.
Wearables
Scannables

54. Evaluating Initial Cloud Risks
Steps in Evaluating Risk
Details
1. Identify asset for cloud deployment
• Determine exactly what data or applications/ function/ process is being
considered for the Cloud.
Potential uses of asset to account for:
• Scope creep — data and transaction volumes often become
higher than expected.
2. Evaluate asset
Ask what would be the harm if:
• Determine how sensitive that data is and how important that application/ • Asset became widely public and widely distributed
function/ process is to organization. Assess confidentiality, integrity, and
• Asset were accessed by employee of Cloud provider
availability; and how risk changes if all/ part of that asset is in the Cloud
• Process/function were manipulated by outsider
— similar to project outsourcing assessment, just with wider range of
• Process/function failed to provide expected results
deployment options.
• Data were unexpectedly changed
• Asset were unavailable for a period of time
3. Map asset to cloud deployment models
Which model is acceptable for identified asset:
• Determine if any risks implicit to different deployment models (private,
• Public; Private, internal/ on premises
public, community, hybrid) and hosting scenarios (internal, external,
• Private, external — look at dedicated or shared infrastructure
combined) are acceptable.
• Community — look at hosting location, service provider,
• At this point there should be a good idea of the comfort level for
community members
transitioning to the Cloud, and which deployment models and locations fit • Hybrid — look at least at rough architecture of where
desired security and risk requirements.
components, functions, and data will reside
4. Evaluate cloud service models and providers
• Focus on degree of control organization will have at each SPI tier to
implement any required risk management (risk mitigation).
• For a specific offering, switch to a fuller risk assessment.
Consider:
• SaaS
• PaaS
• IaaS
5. Map out data flow
Consider:
• For specific provider offering, map out data flow between organization,
• Private
cloud service, any customers/ other nodes. Understand whether and how • Public
data can move in and out of the Cloud.
• Community
• For any offering, sketch out rough data flow for any deployment option
• Hybrid
on your acceptable list, to help you identify risk exposure points when
making final decisions.
Consider:
• Providers' offerings
Consider:
• Providers' offerings

55. Multi-Tenancy
Examples of Shared Resources by Service Model
Service Model
Shared Resources
Shared By
SaaS
Same application or database
Different consumers
Paas
Same operating system, and supporting data
and networking services
Different processes
Iaas
Same hardware via a hypervisor
Different VMs
General Methods for Achieving Multi-Tenancy
Multi-Tenancy Via
Database
Description
Cost
Database and configuration, with isolation provided Least costly.
at the application layer.
Virtualization
VM technology, providing hardware emulation layer
over the real hardware. Multiple copies of server
OSs are run within one physical machine, while
sharing physical hardware (network cards and disk
storage) between virtual OS instances.
Might reduce services
costs and expenses, but is
more costly compared to
multi-tenancy via
databases.
Physical separation
Resources are provided to tenants individually —
each tenant uses only dedicated hardware.
Most costly.

56. Security Risks
•
•
PaaS builds upon IaaS, SaaS in turn builds upon PaaS 
security issues and risks are inherited just as capabilities are.
Lower down the stack, provider stops bearing responsibility, and consumer
becomes responsible for more security capabilities and management.
Service
Model
Security
• Most integrated • Least
functionality built consumer
directly into the
extensibility
offering
• Relatively high level of integrated security - provider
responsible
• Negotiated into contracts for service (service levels,
privacy, compliance)
• Customer ready
futures
SaaS
Integrated Features Extensibility
• More
extensible
than SaaS
• Less complete built-in capabilities
• Securing the platform -- provider responsible
• More flexibility to layer on additional security
• Applications developed on platform and developing
them securely -- consumer responsibility
• Few if any
application-like
futures
• Enormous
extensibility
• Protecting underlying infrastructure and abstraction
layers -- provider responsible
• Less integrated security capabilities and
functionality beyond that
• Reminder of stack -- OSs, applications, content -managed/ secured by consumer
PaaS
IaaS

57. Multi-Tenancy Risks (1)
Deployment Model
Multi-tenancy Risks and Mitigation
Implications: Workloads of different consumers may reside:
• Concurrently on same computer system and local network,
• Separated only by access policies implemented by provider's software.
Consumers security could be compromised by flaw in:
General
• Implementation or
• Provider’s management and operational policies and procedures.
Multi-tenancy risks:
• Reliability – failure may occur
• Security – attack may be perpetrated by consumer
Implications:
• General risks apply, as there could be authorized but malicious insiders
• Different organizational functions (payroll, sensitive PII storage, IP generation)
can become accessible to not authorized users and classes of data disclosed.
On-site
Risks mitigation:
• Logical segregation techniques at network layer, such as VPN Routing and
Forwarding (VRF)
Private
• Clients are restricted to organization members or authorized guests/ partners.
Implications:
• On-site private cloud risks apply.
Risks mitigation:
Outsourced
• FISMA and OMB policy require external cloud providers to handle federal
information or operating information systems on behalf of the federal
government meet same security requirements as federal agencies.

58. Multi-Tenancy Risks (2)
Deployment Model
Multi-tenancy Risks and Mitigation
Implications:
• On-site private cloud risks apply, but more organizations are encompassed.
On-site
Risks mitigation:
• Restricted number of possible attackers, but more than with private onside cloud.
Community
Implications:
• On-site community cloud risks apply.
Outsourced
Risks mitigation:
• Restricted number of possible attackers, but more than with private cloud.
Implications:
• Workloads of any combination of consumers may be sharing a single
machine
• Workload may be co-resident with workloads of competitors or
adversaries.
Risks:
Public
• Large collection of potential attackers, as public clouds aim scaling in
consumers and resources to achieve low costs and elasticity.
Risks mitigation:
• Limited kinds of data for computations in the cloud
• Data encryption (but then data needs to be unencrypted to be processed)
• Physical separation – rent entire computer systems rather than VMs
(mono-tenancy), VPNs, segmented networks, or advanced access controls.

59. Interoperability (1)
Interoperability, Portability, and Cloud Service Models
Service
Model
Interoperability and Portability
IaaS
• Interoperability and portability of customer workloads are more achievable in IaaS
service
• IaaS building blocks are relatively well-defined, e.g., network protocols, CPU instruction
sets, and legacy device interfaces
PaaS
• Application written to use specific services from a vendor's PaaS will require changes to
use similar services from another vendor's PaaS
• Efforts on development of open and proprietary standard API's to enable cloud
management, security, and interoperability: Open Cloud Computing Interface Working
Group (OCCI), Amazon EC@API, ...
• Common container formats: DMTF'S Open Virtualization Format (OVF).
• Application written to those standards is far more likely to be interoperable and
portable.
SaaS
• Portability of workloads requires a level of compatibility and interoperability between
SaaS applications.

60. Interoperability (2)
Interoperability of Between
Application
Need of
Application components deployed as: Dynamic discovery and composition:
• SaaS
• Discover instances of application components
• Applications using PaaS
• Combine them with others at run time.
• Applications on platforms using
Note: Application component may be a complete
IaaS
monolithic application or part of a distributed application.
Platform
Platform components deployed as:
• PaaS
• Platforms on IaaS
Standard protocols for service discovery and information
exchange — indirectly these enable interoperability of
applications on these platforms.
Management
• Cloud services (SaaS, PaaS, Iaas)
and programs for implementation
of on-demand self-service.
Standard interfaces for cloud services — to create generic
system management products for both cloud services and
in-house systems.
Publication and
Acquisition
Portability of
Data
Application
Platform
• Platforms, cloud PaaS services and Standard interfaces to these stores — to lower cost of for
marketplaces (including app stores). software provideers and users.
Enables Re-Use of
• Data components across different applications
• Application components across cloud PaaS services and traditional computing platforms
• Platform components across cloud IaaS services and non-cloud infrastructure
(platform source portability)
• Bundles containing applications and data with their supporting platforms
(machine image portability)

61. Upcoming Events
Federal Mobile Computing Summit
January 22, 2014, Washington, D.C.
www.mobilefeds.com
Federal Cloud Computing Summit
June 2014, Washington, D.C.
www.cloudfedsummit.com