Knowledge. Advice. Clarity. - DLT Solutions · - Top 5 Takeaways - Key Words and Terms - Useful...

Discover how the public sector can leverage cloud computing to draw better efficiencies within the IT environment.

Written with contributions byDavid Blankenhorn, Van Ristau and Caron Beesley

Knowledge. Advice. Clarity.

Presented by DLT Solutions

Cloud computing can be a difficult technology to envision and the same solution doesn’t work for every agency. DLT Solutions understands that and it is the reason why we have gathered a team of experienced engineers – The DLT Cloud Advisory Group – to help.

Whether you are in the beginning stage of cloud computing or getting serious about your implementation, the DLT Cloud Advisory Group can provide the knowledge, advice, and resources you need to shape a cloud environment that meets your current mandates.

Contact us at 1-855-cloud01 or [email protected]

Cloud computing is a global phenomenon. Its promise of rapid procurement of information technology (IT) services, scaled up or down as needed and released when finished, is like a magic potion for public sector CIOs and program managers looking to save money and improve service delivery.

The problem is that cloud computing is so new that very few individuals or organizations have enough experience or insight into cloud deployments or know how to put them in place.

This guide will explain the basics of cloud enabling technologies and will help you determine the best cloud fit for your needs. We’ll also touch on some of the pros, cons, and cautions that you should bear in mind as you seek to deploy cloud computing in your government agency or organization.

• Understand what solutions actually make up cloud computing.

• Discover how the public sector can leverage cloud computing to draw better efficiencies within the IT environment

• Find out more about cost savings, consolidation and modernization of legacy operations and the major benefits of moving to cloud-based solutions.

Knowledge. Advice. Clarity.

Presented by DLT Solutions

Copyright

Cloud Computing for Govies™

Published byDLT Solutions, LLC13861 Sunrise Valley Drive, Ste 400Herndon, VA 20171www.dlt.com

Copyright © 2015 by DLT Solutions, LLC, Herndon, Virginia

All Rights Reserved.

This publication may not be modified, copied, distributed, framed, reproduced, republished, displayed, posted, transmitted, or sold in any form or by any means, in whole or in part, without prior written permission from DLT Solutions, LLC.

DLT Solutions and for Govies are trademarks of DLT Solutions, LLC and may not be used without written permission. All other trademarks, logos or product references are the property of their respective owners.

DLT Solutions, LLC and the authors make no representations or warranties with respect to the accuracy or completeness of the contents of this work. The information, services, products, and materials referenced in this book or available through our services, including, without limitation, all text, graphics, and links, are provided on an “as is” basis. The advice and strategies contained herein may not be suitable for every situation.

This publication or subsequent variations are not for sale. Organizations or websites referred to in this work as a citation and/or a potential source of further information does not mean that DLT Solutions, LLC or the authors endorse the information that the organization or website may provide or recommendations it may make. Further, readers should be aware that internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information about products and services, please contact DLT Solutions at 800-262-4DLT (4358) or at [email protected].

Manufactured in the United States of America

Chapter 1 - An Introduction to Cloud Computing .............. Page 1

- The Origins of the Cloud- What About Virtualization?- The Cloud Defined- A Few Points to Consider Before Journeying to the Cloud

Chapter 2 – Cloud Service Models: Software as a Service (SaaS)............................. Page 15

- How SaaS Differs from PaaS and IaaS- Examples of SaaS Applications- The Pros and Cons of SaaS- Cautions and Considerations

Chapter 3 – Cloud Service Models: Infrastructure as a Service (IaaS)........................ Page 27

- What Problems does IaaS Solve?- Should I Go Public or Private?- The Pros and Cons of IaaS- Cautions and Considerations

Chapter 4 – Cloud Service Models: Platform as a Service (PaaS) ............................. Page 39

- What Problems does PaaS Solve?- The Typical Features of a PaaS Service- The Pros and Cons of PaaS- Cautions and Considerations

Chapter 5 – Securing the Cloud ........................................... Page 47

- Current Data Center Models: It’s All Inside- The Public Cloud – Who is Responsible for What?- Cloud Threats and How to Combat Them- Balance Security Controls with Acceptable Risk

Chapter 6 – Final Thoughts - A Path to the Cloud .............. Page 63

- Top 5 Takeaways- Key Words and Terms- Useful References

Table Of Contents

By way of an introduction to cloud computing, this chapter focuses on how we got to where we are today. We’ll cover the drivers for cloud computing, why virtualization is a cloud-enabling technology, and what that means with respect to the various cloud definitions.

We’ll also examine what you should look for in a cloud offering and take a high level peek at how you might use the main cloud service models (SaaS, PaaS, and IaaS) to achieve your goals.

All organizations have different challenges and cautions when it comes to cloud computing. This guide outlines some of the most prevalent concerns and suggests ways in which you can account for them prior to leveraging the cloud.

Learn about:— The Origins of the Cloud— What about Virtualization?— The Cloud Defined— A Few Points to Consider Before Journeying to the Cloud

Chapter 1An Introduction to Cloud Computing

SaaS - Software-as-a-Service:Access and use third-party applications, such as e-mail and collaboration, running on a provider-managed cloud infrastructure.

PaaS - Platform-as-a-Service:Deploy your own applications onto a provider-managed cloud infrastructure using programming languages and tools supported by that provider.

IaaS - Infrastructure-as-a-Service:Provision and control your own processing, storage, networks, and other fundamental computing resources while deploying operating systems and applications on a provider-managed cloud infrastructure.

Primary CloudService Models

1

The Origins of the CloudHow did we get where we are today? Well, the evolution of cloud computing wasn’t really planned. Early versions of what we now know of as enterprise IT came about in the 1960s and 1970s, with the advent of mainframe data centers – privileged inner-sanctum communities that served organizations on a job-by-job basis. By the early-1980s a new individual freedom was born in the form of personal computers, which became the tool of choice for knowledge workers.

Next, we saw the still ubiquitous client-server model, which connects server-hosted applications via a Local Area Network (LAN) to client PCs. The client-server model had the unintended side effect of driving an unfortunate behavior that exists in many data centers today – the-one-server-per- application, or one-server-per-function model.

Over the past five to ten years, this client-server model quickly scaled and evolved into complex data centers engineered to handle large amounts of Internet-enabled data on behalf of private and public sector enterprises.

Given this data center culture, why does cloud computing seem so appealing? Slowly but surely, several limitations in the client-server model have become apparent and are now top of mind for government CIOs:

1. Complexity and Cost – a. Data centers are labor-intensive operations that often lack standardization. The resulting complexity continuously pushes up training and maintenance costs. b. As the demand for more IT services grows, more applications and infrastructure are needed to support it. c. The capital cost of application licenses and hardware refreshes have increased. d. Energy costs have soared while server and storage utilization levels remain low.

2. Multiplicity of Data Centers – While geographically-dispersed data centers add a layer of redundancy and application resiliency, multiple data centers are costly to maintain. These data centers often only support a couple of email servers, a file server, and many applications – yet the labor and support footprint is high, while server utilization is low.

An Introduction to Cloud Computing2

3. IT Project Disappointments – Approximately half of the IT projects that are undertaken within most organizations will fail or under-deliver on their objectives. In 2013, for example, after six months of high-profile experimentation San Jose State University dismissed plans to deliver a low-cost, online education system. Many more IT projects either fail or are never really utilized to the level of expectation that the funders and originators had in mind.

4. The Need for Agility – IT is being increasingly pressured to do more with less. As if that weren’t a significant enough challenge, they are also tasked with being better aligned with the agency mission, and to react more quickly to the needs of end users and staff. The old method of acquiring and deploying hardware and software assets is not agile enough to respond quickly to new business needs.

What about Virtualization?In addition to the aforementioned drivers, new virtualization technologies entered the IT scene. This new technology allowed IT to begin breaking down the one-server-per-application mode of thinking by allowing disparate applications to peacefully co-exist on the same physical server.

Virtualization has also been a great enabler of cloud computing and is one of the underlying technologies used in building clouds. In fact, so inextricably linked have the terms virtualization and cloud computing become, that it is a common misperception that you can’t have one without the other. However, it’s important to note that virtualization is a means to an end; it is not the end itself.

Virtualization in a Nutshell

In simplest terms, virtualization is an abstraction of the infrastructure from its physical components – be it servers, storage, or network. From a business perspective, virtualization allows for the consolidation of services or applications that may have resided on highly underutilized infrastructure (again, servers, storage, and network components) while segregating those applications from other departments’ applications. The most likely inhibitor to consolidation prior to the advent of virtualization was the fear that somewhat different applications could adversely affect one another.

An Introduction to Cloud Computing 3

If you consider a traditional IT architecture, you’ll find that the services are hardware dependent and a single operating system owns all of the server resources (processors, memory, storage, and network interfaces) with one or more applications running atop the operating system. In a virtualized server environment, however, a new layer of software, the hypervisor, is added atop the physical server. This hypervisor abstracts the physical resources of the server (CPU, memory, storage, and network) and allows multiple guest operating systems to run atop it.

The hypervisor controls access to the physical resources and manages the guests’ access to the resources. This allows multiple applications to run safely within the guest instances while mitigating any negative impact that one application might have on other applications running on the system. The end result of this method is that more applications can be safely run on a physical server, each running in their own guest operating system atop the hypervisor, and greater utilization of IT resources can be realized.

In the past, the business manager was often too concerned with which physical server was running their applications, and the fear of someone else’s application negatively impacting their services. Whereas, with the isolation and resource management capabilities of a virtualized platform, the focus is shifting to the Service Level Requirements (SLR) and the necessary levels of availability, performance, and overall health of the service. Ideally, the physical infrastructure becomes less important to the manager than the quality of service they receive from their IT services.

This change in focus by business owners allows CIOs to shift their attention to technologies like virtualization, enabling them to lower their Total Cost of Ownership (TCO) and increase their asset utilization and Return on Asset (ROA) value. The combination of virtualization technologies with newer multi-core processors neutralizes both the technical and business mentality of one-application-per-server.

Fewer machines results in smaller data center footprint, lower overall capital investment, and lower support and utility costs. These reductions often translate into lower power, cooling, floor space, and hardware maintenance costs and potentially even lower software licensing and support costs. So virtualization begins to look attractive from the CIO’s point of view as a technology that, assuming it is stable and very reliable, might solve some budget constraints.


Beyond Virtualization

The challenge with virtualization is that it is not the universal remedy for truly mission-driven IT, or even the top of mind CIO concerns mentioned previously. Virtualization allows for the pooling of resources and the consolidation of applications into a smaller footprint. However, virtualization in and of itself will not fully address the organization’s need for agile, elastic, self-serviceable and on-demand IT.

Fortunately, virtualization is an excellent foundation for building out mission-centric, services based IT infrastructures. Combining virtualization with Service Oriented Architecture (SOA), application hosting models, utility computing, and Web 2.0, results in a whole new way of delivering value to users …Cloud Computing.

The Cloud DefinedWhen discussing cloud computing, it seems as though everyone has their own spin on what “cloud” means. When having a meaningful discussion about cloud computing, using the same terms in different ways can become problematic. To help alleviate this problem, in September 2011 the National Institute of Standards and Technology (NIST) released the official government definition of cloud computing.1. NIST defined cloud computing as:

“… a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”

1 The NIST Definition of Cloud Computing, Recommendations of the National Institute of Standards and Technology, Peter Mell and Timothy Grance, September 2011. NIST Special Publication 800-145.


What the Cloud Looks LikeFigure 1 below represents NIST’s and, by extension, the U.S. government’s viewpoint of cloud computing and the “five essential characteristics, three service models, and four deployment models” as defined by NIST in its “Definition of Cloud Computing.”

What Goes Into the Cloud? Digging a little deeper into the terminology, you’ll see some common characteristics of cloud computing. Virtualization, for example, plays a role in the architecture. Geographic distribution, utilized by infrastructure providers to balance resource requirements across physical resource locations, is also a component and is particularly relevant to government usage, which requires that data be stored in the continental United States. To meet the on-demand requirements of service delivery (increased users, more storage, more computing power, etc.), massive scale is also critical and the cloud service needs to be able to respond to that.

Moving up-the-stack, we come to the “five essential characteristics” of cloud computing that NIST describes.

PrivateCloud

CommunityCloud

PublicCloud

Hybrid Clouds

Software as aService (SaaS)

Platform as aService (SaaS)

On Demand Self-Service

Broad Network Access

Resource Pooling

Rapid Elasticity

Measured Service

Massive Scale

Homogeneity

Resilient Computing

Geopraphic Distribution

Virtualization

Low Cost Software

Service Orientation

Advanced Security

Infrastructure as aService (SaaS)

DeploymentModels

ServiceModels

EssentialCharacteristics

CommonCharacteristics

Source: NIST

Figure 1: Cloud Models and Characteristics


On-demand self service enables IT administrators to use portals to provision computing capabilities, such as server time and storage, as well as add users, without having to interact with the service provider.

Measured service is also critical and is done automatically in the cloud. This provides you or the service provider with access to the metrics you need to charge back or show usage to the appropriate cost centers using the service.

Rapid elasticity is synonymous with the cloud. If you need to go from 50 to 100 users in a day and back again without any hiccups or configuration headaches, a robust pool of storage, computing resources, network access and all of the things that make a virtual data center tick are vital.

It is also worth noting that for NIST to consider a platform or service a “cloud service” that service must incorporate all five essential characteristics.

The Capabilities that the Cloud Delivers Nearer the top of the stack we encounter service models, which essentially determine how and for what the cloud is used.

On-demand ServiceEnables IT administrators to use portals to provision computing capabilities, such as server time and storage, as well as add users, without interaction with the service provider.

Measured Service Provides you or the service provider with access to the metrics you need to charge or “show” back usage to the appropriate cost centers using the service.

Rapid Elasticity Being able to quickly scale users or instances in a short time frame, without any configuration issues or service disruptions.

Key TermsTo Know

Figure 2: Cloud Service Models - Typical Case Uses Source: GSA

Who Uses It?

Business Users

Developers andDeployers

System Managers

What Services Are Available?

Email, Office Automation, CRM, Website Testing, Wiki, Blog, Virtual Desktop

Service and application test, development, integration and deployment

Vitual machines, operating systems, message queues, networks, storage, CPU, memory, backup services

Why Use It?

To complete business tasks

Create or deploy applications and services for users

Create platforms for service and application test, development, integration and deployment

SaaS

PaaS

IaaS


As you can see from figure 2, there are three service models – Software-as-a- Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) that break down into the following capability scenarios. We will dive into these with more detail in the upcoming chapters:

• SaaS – In its current state, SaaS has been focused on the delivery of cloud-based productivity applications for office or IT users and includes such services as email, blogs, collaboration tools, Customer Relationship Management (CRM), HR applications and even IT tools like penetration testing and eDiscovery. SaaS applications are becoming more sophisticated, but the core need today is office automation. Examples of SaaS applications include Google Apps™, BMC RemedyForce, Informatica®, Oracle Service Cloud, Symantec eDiscovery Platform powered by Clearwell, and Workday®.

• PaaS – This service model is targeted at developers. If you want to build an application in the cloud, the service provider supplies the tools, development environment, and testing capabilities; all of the things you need that would otherwise be costly to buy and deploy internally. PaaS developed applications are deployed in the cloud in the form of a SaaS offering. PaaS technologies include Google App Engine™, Microsoft Azure™, Red Hat OpenShift™, CloudBees®, and Amazon’s Elastic Beanstalk™.

• IaaS – In a typical IaaS vendor offering a pull-down menu appears when you sign in, offering virtual machines, operating systems (Linux or Windows), bandwidth requirements – any or all of the assets to build a virtual data center are literally available through your web browser. From here you can add applications, security and all of the things you need to manage your operations from the cloud. IaaS vendors are numerous and include Amazon Web Services™, Rackspace®, and Terremark®.

How the Cloud is Deployed Going back to the component parts of cloud computing, at the top of the stack in Figure 1 we have the cloud deployment models including public, private, community, and hybrid clouds.

Next we’ll break these down to define what each one means (according to NIST definitions) and how they are typically used in the public sector.


• Public Cloud – This cloud is available to the general public and is owned by the organization providing the cloud services. Basically, it doesn’t matter who owns, manages or operates a public cloud so long as it is open to the public. Thus, the owner can be a business (Google or Amazon Web Services), academic or government organization. The public cloud gives instant access to state-of-the-art applications and services, without a significant investment in resources. An appropriate example, for a government agency, is Data.gov or agency blogs that share unclassified citizen or customer-facing data.

• Private Cloud – This model is dedicated solely to the needs of a particular organization. Like public clouds, these clouds may be owned, managed, and operated by a government organization, a private company or some combination. In the case of an internal private cloud, an organization can consist of many individual internal business units. However, in the case of an external private cloud, like Google Apps for Government or Amazon GovCloud this organization consists of all government agencies.

• Community Cloud – The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed internally or outsourced and can exist on or off-premises. Community clouds are emerging in public sector agencies. For example, DISA has created two cloud services available to the various departments of the armed services. Two of DISA’s offerings are RACE and Forge.mil.

• Hybrid Cloud – A composition of two or more clouds that span across two or more of the deployment models (private, community, or public). The most common use case considered is private to public (or community). In this case, one would have a private cloud and the orchestration software would allow for workloads to be moved between both the private and public clouds. An example of a hybrid cloud includes a Red Hat® Enterprise Virtualization (RHEV) based internal private cloud coupled with Amazon Web Services (AWS). Another example is a VMware based internal private cloud coupled with Terremark® for periods of peak resource requirements beyond the limits of the internal cloud.


The Challenges of Cloud ComputingGiven the multi-faceted benefits of cloud computing – the promise of scalable, on-demand, and relatively inexpensive IT – and the increased focus on cloud directives and strategies from the federal CIO’s office, the U.S. government is abuzz with the promise of the cloud.

In fact, many agencies are either already researching cloud computing options, or have actively embraced some form of cloud services. Some successful early adopters of private clouds include the Defense Information Systems Agency (DISA) who built a cloud for the Department of Defense (DoD) community named RACE and the National Aeronautics and Space Administration (NASA) who built their own cloud named Nebula.

Despite this early adoption and buzz, IT managers, program managers, and even end users are still on the fence about cloud adoption and what the cloud represents.

Let’s touch on some of those concerns.

Storing and Securing Data

Undoubtedly, data security is one of the biggest concerns the government has with cloud computing, particularly as it relates to the interaction between the cloud and legacy systems. However, data privacy ranks high as well. After all, some control is given up to a cloud service provider in a multi-tenant environment – so the question becomes “where does your responsibility for data privacy and data loss end and theirs begin?” Leading to the issue of data sovereignty - where, geographically, is a citizen’s data stored - and the challenge of defining protocols and best practices for said data transport and storage. Data protection deals with the ownership of data that is loaded into a cloud service - this is where Service Level Agreements (SLAs), Terms of Service (ToS), and cloud computing all go hand-in-hand. Government IT is seemingly focusing as much, if not more, on legal and policy issues as it is on technical ones.


Interaction with Legacy Systems

If you have an application in the cloud that needs to access data on an existing on-premises application back in the data center – how will you account for this? How will that legacy hosted data be accessed and will web services be available for that data?

It’s All About Standards

Another key area that may hamper cloud adoption is a lack of standardization within the government IT environment. A standardized operating environment can definitely help agencies with cloud services adoption, as can uniform standards on cloud adoption across government agencies. The lack of a universal set of standards can result in the risk of vendor lock-in. NIST is working on this, however it is likely that cloud providers will have to enhance their existing governance, compliance, and risk mitigation policies, processes, and procedures, as well as their actual IT services to comply with emerging standards.

Dealing with the Unexpected

Unplanned outages are another very public challenge that cloud providers face. In fact, outages are rare and less of an issue than they are in the average data center, but when they do happen they tend to impact many customers. As such, some cloud services may represent a valid continuity of operations concern. Of course, these outages also have a tendency of garnering considerable national press attention when they do fail, which results in wary customers.

Connecting with the Cloud

Another consideration is how users and IT staff access the cloud. Cloud-based SaaS applications are browser- or mobile device based, and can be adversely affected by network latency. Likewise, the virtual desktop method also relies on the network for access and can also fall foul to network delay. Ensuring that applications are geographically distributed or are front-ended by content delivery accelerators can help alleviate this issue.


Cultural Resistance

One of the biggest obstacles of moving to the cloud is a cultural one – resistance to change. There are two groups that will generally resist moving to the cloud. One is the IT staff; nobody likes change, and this is a big one. In a typical IT organization, there’s the group with the gung-ho, let’s do it, and march off to get it done attitude. On the other hand, there’s the group that would rather retire or go find another job than put up with this change to the way they have always done things. Then there are the end-users; they’ve grown accustomed to what they are using, and something with a different interface may be hard for them to accept.

So how do you address resistance to change? Well hopefully this guide will help, so too will knowledge-share and best practices from those who support migration to the cloud. Existing skills will need to be refined as IT adjusts to the cloud paradigm. For example, the focus on SLAs and ToS, historically, may not have been a huge factor in government IT. It is, however, a necessary evil in the cloud space that IT will need to align itself with, particularly as it pertains to data protection.

IT Staff Skills

The use of cloud services requires the adoption of new skills. To leverage a cloud service being provided by someone else, there is the need to learn the new platform, how services are deployed and managed, how they are patched, and how they are monitored. There may also be a need to learn new provisioning and orchestration tools to successfully manage the new cloud services. Finally, to enable granular control, monitoring and integration with existing administration tools, developers and administrators should learn how to use the new cloud provider’s Application Programming Interfaces (API).

For a self-managed private cloud infrastructure, even more new skills will be needed to manage all of the new components layered atop the virtualized environment. Some of these new components include provisioning, orchestration, metering, user portals, security, and monitoring. Developers will also need new skills when it comes to developing new applications that can leverage cloud services. This may include new development tools, new APIs, and possibly even new development languages.

Application Programming Interface (API)Method of software communication that allows multiple components to interface.

Key TermsTo Know


A Few Points to Consider before Journeying to the Cloud

In the next few chapters we’ll take a deeper look at your options for deploying some of the cloud models discussed in this chapter, and help you find the right fit for your needs. In the meantime, in light of what we’ve discussed in this chapter, let’s take a step back to outline some key points that you should consider before embarking on any cloud deployment:

• Can your agency live with the vendor’s standard SLA and ToS? Getting a provider to change their SLA and ToS can be tricky, even for a large agency. Taking best practices from the private sector is your best bet here and you should get your legal department involved early on so that you know what these documents mean. Conversely, if you are looking to build your own private or community cloud, can your organization deliver against the robust criteria established by the CIO in coordination with business managers?

• What will it cost to migrate your legacy applications or integrate them with the cloud? This was touched on earlier. What will you migrate, how much will it cost, and how will the legacy systems and cloud services interact? In many cases, it may not make sense to migrate legacy services to a cloud, whereas it would be ideal to develop new applications from the ground up as a cloud service.

• How does the vendor’s security stack up? Expect to implement supplemental security if what the vendor provides is not sufficient for your system needs, whether it’s classified as low, moderate or high according to the Federal Information Security Management Act (FISMA).

• What are your capacity requirements? You’ll want to ensure sufficient capacity, but don’t over-provision because you will be charged for it even if you don’t use it. Try to negotiate capacity for peak periods with the vendor in advance, as an add-on charge to your basic service agreement. Establishing capacity management tools and disciplines are essential to saving money with cloud services over the long term.


• What are your remote access requirements? If you have users who access services outside your main Local Area Network (LAN), whether from out-of-state or overseas, be sure to consider the broadband access costs for these users and the network latencies that may exist between the users and the cloud service. While the cloud may be a cheaper overall solution for your agency, you may find your network bandwidth charges increase.

• How will you monitor cloud performance? Do you have the ability to do this or is a third party going to do it? Not all cloud services come with performance monitoring built-in, although you may be able to negotiate it as a separate service. It may even be possible to go to another cloud service to provide additional monitoring.

• What’s your plan for the organizational impact? Identify the proponents of cloud computing in your organization that can share and charter best practices for cloud migrations and the impact on the organization.

Next, we’ll explore cloud deployment options – SaaS, IaaS and PaaS. What they are, how they differ from each other, how you can use them, and the pros and cons you’ll want to consider before signing up with a cloud provider.


Chapter 2Software as a Service (SaaS)

Learn about:— How SaaS Differs from PaaS and IaaS— Examples of SaaS Applications— The Pros and Cons of SaaS— Cautions and Considerations

According to Forrester Research, Software-as-a-Service (SaaS), will dominate the cloud service model marketplace over the coming years. What does this mean for the public sector? What applications can be deployed using this model and how is it different from PaaS or IaaS?

This chapter will answer these questions and help you establish a baseline understanding of what SaaS can do for your agency, as well as provide you with some decision criteria to keep in mind as you adopt SaaS.

What is SaaS?In chapter one, we referred to NIST’s definition of SaaS as a service provider’s cloud-based solution. The premise of SaaS is that it is a software service hosted in the cloud and made accessible via the Internet, through a browser, mobile device or API.

It’s even easier to visualize what SaaS is if you think about how most of us have already been using Software-as-a-Service for quite some time – from our personal Gmail accounts, to streaming music and iCloud™, to photo-sharing sites such as Flickr®.

15

So if we think about enterprise versions of SaaS, what becomes compelling is the fact that to acquire these sorts of services in the past you would have needed several hardware and software components (server, storage, network, and content management system). With SaaS, you simply procure the functionality you need, provision it immediately, and start using it across the enterprise via a web browser. All this while the service provider takes care of the business application, operating systems, and hardware components.

The Key Characteristics of SaaSSaaS cloud services are defined as multi-tenant applications whereby users access and manage applications that utilize the same code base. Bug fixes, upgrades, and functional enhancements are generally made by the provider at the same time for all users of the code base. SaaS features all of the NIST attributes such as on-demand self-service (which allows you to seamlessly add services and users as needed, via the provider’s portal), rapid elasticity (enabling you to quickly increase or decrease the number of users who need access to an application), and measured service, a key concept in cloud services that requires the provider to collect usage information so that end user organizations can charge back services at a very granular level (e.g. department, individual). SaaS also features resource pooling wherein the services IT resources are pooled to serve multiple subscribers in a multi-tenant model.

Another key attribute of SaaS, which is particularly pertinent in the public sector, is that it usually has provisions for personalization but not customization. This means you can personalize the application using its pre-provisioned features or options to suit your needs, but you can’t customize it (i.e. change the underlying code to conform to your needs). It is often a lot more cost effective for a service provider to build a robust application that many people can use and can personalize. But once you start customizing, it’s a different story.

Multi-Tenant ApplicationMany organizations use the same software code base as opposed to traditional models where each organization had their own license and code base.

Rapid ElasticityBeing able to quickly scale users or instances in a short time frame, without any configuration issues or service disruptions.

Key TermsTo Know

Cloud Service Models: Software as a Service (SaaS)16

Support for customized services as opposed to a single standardized service results in a more complex environment that is more costly and difficult to manage.

Two final key attributes of the SaaS model is that application upgrades, additions and modifications to SaaS applications are typically made to all users simultaneously – with zero action required on your part. Likewise, all software and hardware maintenance is taken out of your hands and placed firmly in the hands of the service provider.

How SaaS Differs from PaaS and IaaSWe’ll discuss PaaS and IaaS in later chapters, but just to give you a quick side-by-side comparison, here are the key fundamental differences between SaaS, PaaS and IaaS:

Multi-tenant applications

SaaS PaaS IaaS

Production-ready applications in use

by enterprises

Highly scalable industrial strength

applications

Multi-tenant software

developer tools

Used to build applications

Used by an enterprise to

build and deploy an application for a user community (including a SaaS

application)

IaaS is the infrastructure.

Users can leverage IaaS

as a virtual data center. Some SaaS and PaaS

offerings are built atop other cloud providers’ IaaS.

Use

s

PersonalizationThe act of using the pre-provisioned features and options offered by a SaaS application to meet your needs.

Customization The modification of application code, fees and service features to suit the needs of your organization. SaaS services do not support customization.

Key TermsTo Know

Cloud Service Models: Software as a Service (SaaS) 17

Why SaaS is the Cloud Service Model to WatchMost industry observers anticipate the SaaS market to grow at an exponential rate in the coming years, and develop into a much larger global market than PaaS and IaaS offerings.

Why? Simply put, it makes sense for service providers to focus on the widely-used functionality that SaaS delivers and the common best practices that go into its implementation. This is also why providers are honing in on delivering SaaS applications such as email because the potential profit far outweighs the cost of development.

What does this mean for the user? Well, we get the best of both worlds. We have multiple choices when it comes to email. This in turn drives competition and better email solutions in the cloud.

What does this mean for the public sector? Essentially, when it comes to migrating applications to the cloud, think of SaaS less in terms of delivering a customized cloud solution (unless you want to build it yourself on a PaaS or IaaS model). Instead, think more about leveraging SaaS applications for the functionality it delivers – functionality that might serve your users productivity and collaboration needs across multiple departments, or functionality that specifically supports a user base like HR, Finance, or IT.

Examples of SaaS ApplicationsSaaS includes applications that are increasingly focused on specific end users’ needs – from office productivity to IT service desk applications; engineering collaboration and data integration. It also encompasses what we might want to consider as “SaaS relatives” such as Communications-as-a-Service and Data-as-a-Service (DaaS).

Office Productivity

Many of the online tools that we know and collaborate with today are now available via the cloud as SaaS applications, including email, calendar, document editing, file sharing, and so on. These services provide access to virtual office collaboration tools from anywhere and on any device, offer excellent scalability, provide reasonable uptime agreements, and reduce the risk of lost laptops. Some are even compliant with FISMA moderate security requirements. These services also require zero maintenance in terms of patching, updating or upgrading.


If you are not comfortable with the SaaS web browser interfaces and prefer the familiarity of your traditional email client (e.g. Microsoft® Office Outlook® or Mozilla Thunderbird®), many of these services support standard protocols, such as IMAP. Support of standard protocols allows you to access your SaaS-based email via your desktop or even mobile client. If you don’t want to give up your entire email service to the cloud, you can still benefit from à-la-carte, cloud-based email services such as email filtering and protection services, offsite backup and content-based encryption policies.

Which office productivity tools you migrate to the cloud depends on your needs and those of your users. If you have multiple users across disparate locations, cloud-based productivity tools can improve user access to mission-critical resources, reduce costs, and improve overall security for a mobile workforce.

IT Service Desk

SaaS tools also target the IT consumer to help streamline IT assistance services. Cloud-based IT service desks provide everything an IT department needs to manage requests and incidents, handle remediation efforts, and ensure that users are kept up to date via chat tools, email and mobile devices. These applications provide smaller IT shops with many of the feature-rich IT management solutions that bigger enterprise IT departments enjoy. Because these applications are based on IT service management best practices and they provide APIs and support standard protocols, they are easily integrated with existing systems and take much of the grunt work out of managing and deploying IT service desks.


Engineering Collaboration

Another interesting SaaS application focuses on the needs of a group of end users who are particularly dependent on accurate project information – the architectural, engineering and construction communities. Every level of government is involved in some form of construction project, whether it is parks and recreation, transportation, infrastructure, and so on. Collaboration across teams is essential – both at the design/build level, and among those who will ultimately manage and use the project upon completion. SaaS design collaboration tools, such as Autodesk® Buzzsaw®, have been around for a while and let project teams literally walk through a project, view and update drawings in real time, and save those changes back to the cloud. Users can access project information via the Web or mobile devices and have the confidence that they are accessing the latest project details.

Other tools provide design analysis capabilities from the cloud, allowing architects to optimize building designs before the concepts are even complete. This design simulation capability is particularly critical in supporting green building initiatives because it lets teams assess energy and water consumption and the overall carbon footprint of a building, all from a simulated cloud environment.

Data Integration

So you’ve made the move to the cloud. How do you manage your data as it extends beyond the enterprise?

As your adoption of SaaS grows and more applications are deployed, the need to ensure synchronization between cloud services and on-premises systems becomes an imperative. The good news is that data integration services, which support data integrity and quality control in the data center, can also be deployed to support the management of cloud-based data. These services act as an intermediary, ensuring that formats are kept consistent and master data management issues are tackled. Additionally, for disaster recovery or compliance purposes, data integration can replicate application data.


Communication-as-a-Service (CaaS)As Internet Protocol (IP) communications converge with network traffic, traditional telecommunication providers are rapidly moving toward a cloud-based communications vision. With Communications-as-a-Service (CaaS), all the hardware, data and voice applications are hosted and managed in the cloud by the service provider. These services take the pain out of managing complex Voice over IP (VoIP) and other video and data requirements across multiple devices.

Communications providers are also leveraging CaaS platforms to bring a richer set of communication options. Integrating voice, video, chat, and messaging via a CaaS platform gives customers greater flexibility in how they communicate.

Data-as-a-Service (DaaS)Right now, Data-as-a-Service is in the growing bucket of cloud offerings. DaaS is a term used to describe data that’s accessible from the cloud, via a web browser or through an API. Simply put, DaaS lets users quickly and easily access data or information from a cloud-based data set and make use of it in another application.

A good example of DaaS is the federal government’s Recovery.gov service. In addition to being able to search and download data sets relating to Recovery

Act spending, Recovery.gov provides APIs to allow developers to access the data and create their own mashups and custom applications.

Another example is Google’s geocoding API. Geocoding is the process of converting street addresses into geographic coordinates (latitude and longitude), which you can use to place markers or position the map. The Google® Geocoding API™ provides a direct way to access a geocoder via an HTTP request.


The Pros and Cons of SaaS Like all cloud offerings SaaS has its pros and cons, many of which we’ve already touched upon in this chapter. Let’s revisit these in summary below.

The Pros of SaaS• Numerous Applications. Undoubtedly SaaS is a growing market and the wealth of available applications expands by the minute. Whatever your needs, whether it’s office productivity apps, social media apps, or business apps, it either already exists or someone is working on building it. The General Services Administration’s (GSA) Apps.gov website (www.apps.gov) offers a useful library of tools you may wish to consider using.

• No Installation Required. SaaS is the ultimate plug-and-play software service. • Highly Scalable and Economic. SaaS applications let you add and remove users and features very easily, and without long term license commitments or hardware costs. Think of it as leasing versus buying. If you were to purchase the equivalent software and hardware and manage it internally, you’d need to plan for peak loads – which may only be once a month or once a quarter. However, the rest of the time those resources are idle – you are still paying 100 percent of the support and licensing costs for that hardware and software. So if you’re designing for peak load, then you could be paying a premium to have that platform sitting there on your own premises. In instances such as these, the cloud can deliver a significant monetary savings.

• No Compatibility Worries. With SaaS you don’t have to worry about whether or not an application conflicts with those applications that you have already provisioned on machines in the enterprise.

• Free Up IT Staff. Because SaaS application updates and fixes happen automatically in the background and are the responsibility of the service provider, the burden on an IT department is significantly less. As mentioned, SaaS can help you reduce training and maintenance costs, but it can also enable you to move less mission critical applications to the cloud so that you can free up IT staff to focus on strategic projects. Many people who are not in the IT department don’t always understand how much goes into rolling out a change to an application like their email system. But it’s a significant cost in terms of time, resources and effort.


The Cons of SaaS The following items aren’t what you would consider traditional “cons,” but are rather areas that you need to be sensitive to as you are considering SaaS for your agency.

• High Bandwidth Network Connectivity for End Users is a Must. Depending on the type of application you are using, your network bandwidth requirements are likely to be higher than previously needed across your Local Area Network (LAN), Wide Area Network (WAN) and remote users. Of course, using SaaS for email would not require as much bandwidth as an application that requires large file sharing and collaboration (video, images, etc.)

• Personalization Versus Customization. If you are looking to customize an application, you essentially neutralize the cost benefits of cloud applications and may find that SaaS is not for you. Most cloud SaaS offerings include personalization features that allow you to add features to suit your needs without incurring the cost and problems of customizing preexisting provider code. • A Lack of Total Control. In SaaS cloud computing, the basic pillars of an application environment – the security, uptime, and storage retrieval – are the responsibility of the provider. Security is an aggressive work-in-progress issue for the public sector (more on this in Chapter 5), and while providers out there are FISMA moderate compliant, it’s wise to accept that SaaS applications are often acceptable for a moderate impact government security system, and not so much for a high impact system.


Cautions and ConsiderationsAs in Chapter 1, it’s worth looking at some of the cautions and considerations that your agency will need to bear in mind as you weigh your SaaS approach. Here are eight that you will need to consider and plan for:

1. Be Wary of One-Sided Agreements. Get your legal team to review the SLA and ToS. If you are bringing a lot of users to the table, you may gain more wiggle room with the provider, but remember cloud service SLAs tend to be fairly locked and defined before they hit your desk.

2. Plan for Portability. Ease pain, in the event you change cloud service providers, by planning in advance for transition.

3. Remember, Performance Monitoring is Your Responsibility. Up to a point, this is your responsibility and it’s wise to check this out by running tests before you sign up for anything. Monitoring both end user experience as well as uptime is essential. For example, if you are experiencing 99.9 percent uptime but your end users have a slow experience, you need to discuss this with your provider.

4. Plan for Initial Data Load and System Integration. Keep in mind that you will need to do some form of data upload and integration to ensure enterprise services and identity management systems are seamlessly ported and single sign-on is maintained. Remember that some back and forth between applications on premises and in the cloud might also be necessary. 5. Handling Electronic Discovery. Consider how you are going to handle electronic discovery for things such as FOIA requests or litigation. In particular, how are you going to handle this in encrypted archives?

6. Complying with Records Management Policy. Many agencies have folks on staff to handle records management compliance. Engage them at the beginning to ensure you have an approach for this as you adopt SaaS.


7. Manage the Organizational Change. We touched on this in Chapter 1 and it remains a big consideration. Many organizations simply aren’t prepared for the shift that is required, and the repercussions can be painful. One strategy is to have a clear communcations and training plan – communicate the plan, explain the benefits, then identify and train a small group of representative pilot users (both champions of change and those who may take issue with it). Last but not least, flex your management skills to ensure a smooth rollout organization-wide.

8. Not All SaaS is Created Equal. When evaluating SaaS providers, it’s also important to look closely at the service and how well it maps to NIST’s cloud definition and reference architecture. Ensure that the provider is what they claim to be, as some self-proclaimed SaaS providers are actually just repackaging conventional enterprise licenses rather than actually offering a real, flexible, elastic SaaS service.


Earlier, we introduced the concept of IaaS as “basically raw virtual data center stuff.” And that’s pretty much what IaaS is. Virtual machines, virtual appliances, operating systems, storage and networking, IaaS encompasses all of the basic assets you need to build a data center in the cloud.

In this chapter, we’ll dig a little deeper into IaaS and explain its origins and why we even need IaaS. We’ll also demystify public and private cloud deployments of IaaS and shed some light on what services you can expect from an IaaS cloud provider. And, as is our intent with each model of cloud computing covered in this book, we’ll suggest some decision criteria for you to consider in selecting appropriate cloud services for your enterprise, your agency, or your department.

What Problems Does IaaS Solve?IaaS addresses many of the key challenges and questions posed by modern data center computing:

• How do we control and contain data center costs?• How do we increase utilization of servers and storage?• How do we address the untapped energy consumption of our data centers?• How does the public sector reduce its growing data center footprint?• How can we quickly and cost-effectively deploy new IT services?

It’s not a one size fits all approach however, as various deployment options (public and private) and service offerings solve the above challenges in different ways.

Learn about:— What Problems Does IaaS Solve?— Should I Go Public or Private?— The Pros and Cons of IaaS— Cautions and Considerations

Chapter 3Infrastructure as a Service (IaaS)

27

What is IaaS?As previously mentioned, the best way to think of IaaS is as a virtualized data center. In the past, acquiring more compute or storage capabilities required a lengthy procurement process followed by unboxing, racking, and installing the new hardware. Now, after a few clicks on a web page, users can dynamically provision virtual versions of traditional IT infrastructure. Keep in mind that these virtual compute resources are very much like “virtual bare metal” in that you will need to select the appropriate operating system (usually from a Service Catalog) and then patch and configure these server images. This service is often targeted at IT engineers in that the actual business application will need to be loaded atop the newly provisioned and patched virtual machines. Unlike SaaS, it is the responsibility of the user to manage everything above the hypervisor, including the operating system, application, and any virtual appliances like proxies, load balancers, and intrusion detection and intrusion prevention appliances.

Like SaaS, IaaS can come in any of the models defined by NIST. Although IaaS was pioneered by commercial companies who made the service available to everyone over the Internet, due to control, compliance and sensitivity concerns many organizations are opting to also build their own private clouds.

The most common forms of IaaS currently are:

Cloud Service Models: Infrastructure as a Service (IaaS)28

• Public IaaS – This cloud service is a multi-tenant service open to the general public. These clouds will typically be owned and operated by a third party and may be accessed via the public Internet. Some public cloud providers continue to innovate by adding new functionality like direct connection of the customer’s data center to the cloud provider’s data center, thereby allowing network traffic to avoid the Internet. In addition to direct connections, the creation of walled gardens within these IaaS clouds are being created which logically segregate a customer’s virtual resources from other customers’ resources. This is often done at the network layer, and customers can even opt to allow only Virtual Private Network (VPN) connection to their virtual resources.

• Internal Private Cloud – An internal private cloud is a cloud which is completely dedicated to an organization, wherein an organization is typically defined as consisting of multiple departments, bureaus, or business units. Think of internal private clouds as being a micro- version of a public cloud, but rather than catering to everyone on the Internet, these private clouds are only serving their direct cost centers. Ultimately, this cloud can be owned, operated and managed by either the organization or some third-party. • External Private Cloud – Interestingly, with the innovation of public cloud providers, the model of an external private cloud has emerged. At its simplest, an external private cloud could be a dedicated IaaS cloud that is hosted offsite and managed by some third party. However, some traditionally Public IaaS providers have cloned their infrastructure and services into completely separate data centers and limited the user base to only government customers. These government focused clouds are wholly dedicated to government organizations, and while they are multi-tenant, they only share resources with other government organizations.

Cloud Service Models: Infrastructure as a Service (IaaS) 29

The Typical Features of an IaaS ServiceIaaS provides all the standard features you would expect from a data center but adds some new capabilities that traditional data centers lack.

IaaS Service Features

This interface allows you to self-manage ordered services and provision virtual machines. Within the access portal will often be a Service Catalog from which you can select the operating system you would like to run on each of your virtual machines.

Accces Portal

Choice of Operating Systems


IaaS Service Features (Continued)

Achieve unparalleled agility by dynamically provisioning virtual machines in near real-time. Access the portal, set-up services, arrange payment, and load applications within minutes. This eliminates much of the tedious and often lengthy procurement and deployment cycles common to most data center environments. Another standard feature of IaaS service environments is a burst capability. This lets you increase your bandwidth, storage, and compute resources as and when you need them to cope with peak periods of high demand. Most providers have an out-of-scope burst capability with predetermined pricing that would fill this requirement. Conversely, unlike with a traditional fixed data center environment, you can also scale back resources when they are not needed, thereby saving even more money. The provider manages and maintains the network, storage, server, and virtualization infrastructure – you manage everything atop the hypervisor as well as configuration of any virtual appliances or storage. IaaS services typically support availability at 99.5 percent or higher. Help desk and technical support services are provided for contracted services. The provider will handle patch management for the infrastructure, including servers, storage, network, and virtualization platform – but you must still manage the patching of the operating systems and applications on your virtual machines. The provider will provide tools to enable data security while it is at rest and in transit. The provider will ensure periodic backups and implement a Disaster Recovery (DR) and Continuity of Operations (COOP) plan based on your contracted agreement. Look carefully, though, as the providers’ DR and COOP plans are often focused on the infrastructure and not your virtual machines and data. Some providers administer a rich set of tools to allow for DR or failover, but don’t assume that this will all be working by default.

Near Real-Time Provisioning

Resource Burst Capability

Provider Managed Infrastructure

Availability

Support Services

Patch Management

Data Security

Backup, Recovery and COOP Plan

How Secure is IaaS?IaaS cloud providers are maturing very rapidly and are leading the field in terms of compliance with government-oriented needs. Many of them are even at a higher compliance standard than typical internal data centers.

Typically these IaaS providers are achieving FISMA moderate ratings, which is often sufficient for hosting much of the government’s data. The release of Federal Risk and Authorization Management Program (FedRAMP), enables the government to assess and authorize cloud computing services by providing a common security risk model that can be leveraged across the federal government. Top providers are also starting to achieve SAS 70 Type II compliance (and SAS 70’s new version SSAE 16) at the physical data center level. PCI compliance for credit card transactions is also evolving, as is ISO27001 compliance for security.

Should I go Public or Private?Choosing a public cloud deployment over a private one really comes down to risk management and is very dependent on your specific workload, your use case, and your security profile. Start with the sensitivity level of the data being used, and work forward from there. For example, if you are dealing with data that must be hosted on a FISMA high rated environment, then your options will become rapidly limited, and private cloud may be the only real choice. However, if FISMA moderate or low will suffice, many options become available both on the private and public cloud realms.

External private clouds are another option that can be a nice middle ground between full public and internal private clouds. While it is still multi-tenant, at least the other tenants are government organizations.


FISMA Moderate RatingsThe process of selecing the appropriate security and risk controls and assurance requirements for organizational information systems to achieve adequate security.

Key TermsTo Know

Below are a few pointers that can help you make an initial assessment of whether public or private clouds make sense for your organization:

The Pros and Cons of Public IaaS (and External Private IaaS)

Pros of Public IaaS:• Increases agility of IT to provision virtual systems for the deployment of new applications• Avoids direct facility infrastructure, hardware and energy costs• Enables the re-engineering of IT staffing skills around priority projects• Eliminates facility management costs• Responds rapidly to changes in demand with elasticity of service• Avoids need to architect for peak loads• Services are accessible from any Internet connection• Some services can also be locked down to only be accessed via secure connection or VPN• Charge-back of metered usage to users’ cost centers ensures better resource cost awareness• 11 pre-screened providers available through GSA’s IaaS Blanket Purchasing Agreement (BPA)

Cons of Public IaaS:• Lack of total control since the underlying infrastructure is the responsibility of the service provider• End users require Internet connectivity so be prepared for possibly higher bandwidth costs and potential downtime if connectivity is lost• Large Data Requirements. This may result in excessive bandwidth costs when sending data to the cloud-based computing resources. Many services have implemented “bulk upload” methods to mitigate this problem. Encrypt the data; copy it to a hard drive; drop it in the mail; and the provider will load it into your service. Likewise large graphic requirements may experience increased network latency. In these cases, an on- premise cloud may be a better option


The Pros and Cons of Internal Private IaaS

Pros of Internal Private IaaS:• Allows complete control over the infrastructure• Virtualizes and pools resources to increase utilization• Reduces your facility footprint• Increases agility by provisioning resources quickly and efficiently• Enables charge-back of metered usage to users’ cost centers, thus ensuring better resource cost awareness• Decreases network latency and increased system performance

Cons of Internal Private IaaS:• Specialized IT skills for deployment, integration, operations and maintenance are required• Virtual machine sprawl may become a management challenge• Limited elasticity capabilities due to physical resource constraints• Unused resources are still paid for when idle• High utilization rates must be maintained to maximize return on investment

What Types of IaaS Services Can I Procure?Infrastructure-as-a-Service is exactly that – a service. These services are offered a-la-carte or as bundled offerings.

While the industry is rapidly innovating, the most established services offered include both compute and storage as a service. Specialized services like high performance computing resources are starting to emerge. Bundled services that combine virtual machines, storage, appliances, and connectivity options are also available. The bundles are basically a complete virtualized data center from which you can run your applications, store data, and serve your end users. These features are then managed and provisioned via a provider’s customer portal. Additional services also include cloud optimization services, that help manage private cloud deployment more effectively.


Storage

IaaS Service Offerings - What You Can Buy!

IaaS storage services allow you to store and retrieve any amount of data at a low cost. Data is stored in a provider’s public cloud and is accessed via a web interface, through a virtual machine, a client application or by an API. Storage can take the form of an object store, block storage, or a filesystem. This is a very competitive industry and pricing is based on gigabyte usage per month. Users may also incur a bandwidth fee to upload and retrieve data.

Publ

ic Ia

aS S

ervi

ces

Compute power can be acquired in the form of a virtual machine. This virtual machine includes virtual CPUs, memory, and storage. Typically charges are based on CPU usage per hour, though it may be possible to reserve compute resources if fixing spend is more important than elasticity.

There are many different appliance types that are starting to appear within IaaS clouds. These include Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), load balancers and proxies and even data security and encryption appliances. This list is rapidly expanding as more software and hardware vendors are making virtualized versions of their products.

Another emerging area is the bundling of a complete stack of virtual resources and software to solve for a specific business problem. A bundling of the underlying virtual infrastructure with operating system, web content management and delivery software, content delivery acceleration, and protection are the sorts of bundles that are emerging. It is also worth noting that eleven pre-screened IaaS providers have been granted a Blanket Purchase Agreement (BPA) from the GSA, making it even easier for government to acquire public IaaS.

Compute

Appliances

Bundles


Cloud Automation

(Software Only)

IaaS Service Offerings - What You Can Buy!

Cloud automation platforms allow you to layer cloud attributes on top of an existing virtualized infrastructure. These products add automation, orchestration, user portals, service catalogs, reporting, management, monitoring, and other cloud capabilities to existing infrastructure.

Clou

d O

ptim

izat

ion

Serv

ices

Pre-configured hardware and software stacks that are tuned and optimized at the factory to meet your specific requirements. They are literally delivered to your data center so you have an instant internal private cloud!

As you manage your web properties in a cloud, you may need cloud acceleration services and denial of service protection. These services improve end user experience by reducing apparent network latency. Akamai content distribution services, for example, uses a network of servers to cache content and route data requests via the fastest route – eliminating round trips and improving application response times.

Regardless of whether you choose public, internal private or external private IaaS you must still manage all of your virtual assets. Additionally, for internal private cloud you are going to need to perform your own infrastructure monitoring. Most cloud providers don’t offer this service, or they do so at an additional charge. Unified monitoring of both physical and cloud assets can be achieved with third-party services or products.

Pre-configured Hardware /

Software Stack

Cloud Acceleration

Services

Infrastructure Monitoring

IaaS

Inte

rnal

Priv

ate

Cl

oud

Serv

ices


Cautions and ConsiderationsSo what are some of the key cautions and considerations to be mindful of as you plan your IaaS deployment?

1. It’s a Very Dynamic Market! The IaaS market is experiencing continuous change with new platform features emerging every day. These features also vary significantly among the major players- check back often for new or updated services, or sign up for their announcements.

2. Read the Fine Print. When it comes to the service details, many of the agreements look more like software agreements than IT- delivered SLAs. Most cloud provider’s SLAs have been whittled down to service availability and service credits. Many of the elements that you may have traditionally associated with an SLA have been moved to a separate ToS document. Pay special attention to how availability is calculated, who is responsible for monitoring availability (and how

service credits are received), data ownership, liability, indemnification, the physical location where the services are hosted, support response times and processes, and the service termination rocess. It’s a good idea to have both the CISO and the legal team take a look. Finally, if anything is unclear, ask! It’s critical that you understand the full scope of the service and what is required of you before signing anything.

3. Plan for a Change of Service Provider. Understand this upfront. You need to be able to move should you choose to, so make sure your provider has the appropriate tools and procedures to retrieve your data. Also, check on any hidden costs that may be incurred in the event that you need to pull your data out of their service. 4. Plan for Outages. Bear in mind, that when you’re using an IaaS provider, they are effectively providing you with virtual data center services. With this model, you are still responsible for the services that run on the infrastructure. This ultimately means that the availability of services is the responsibility of the consumer, not the actual infrastructure provider. They’ll make sure that the platform is available, but you need to make sure that the services you build on their platform remain available.


5. Remember that Virtualization Adds a Layer of Complexity to Data Recovery. While you can deploy data in minutes, recovery can take hours. 6. Performance Monitoring is Up to You. This includes monitoring the end user experience, not just the application uptime. 7. Plan for Integration Issues. Be ready to deal with integration issues between your cloud services and your other enterprise services, as well as your existing identity access and management system. 8. Optimize Your Existing IT Management Architecture Before You Move to IaaS. Consolidating your infrastructure, before you move to the virtualized infrastructure, will bring disparate IT organizations together and standardize many of the different tools (monitoring, diagnostics, etc.) that are currently in use. Also be sure that the management tools in place can handle the various platforms, including virtualized environments, private and public cloud services. 9. Change Management. Be sure to engage your line of business customers, make sure they support everything and plan for changes in the scope of responsibility of your IT staff. All of those hard earned data center disciplines like change, configuration, and release management are just as important in the cloud as they are for traditional on-premises IT.


In this chapter, we’ll explore the origins of PaaS and the very particular challenges it solves both at a business and IT level. We’ll also provide a brief overview of some of the PaaS services currently available and take a look at the key considerations you should evaluate before venturing down the PaaS path. But first, let’s start with an explanation of PaaS.

What is PaaS?Building and managing on-premises applications is a challenging and expensive endeavor, requiring complex solution stacks, expensive data centers, and a host of human resources to maintain and modify the application throughout its life cycle and the systems it relies on.

But with the advancement of cloud computing, a new concept has evolved – PaaS. PaaS offers a faster and more efficient way to facilitate the deployment of applications without the cost and complexity of investing in the underlying hardware, software and data center infrastructure.

PaaS is particularly appealing to software developers who want to write excellent applications without dealing with the underlying infrastructure. PaaS includes the entire infrastructure needed to run applications over the Web without the cost and complexity of buying, installing, patching and managing the underlying hardware, operating systems, and base application software. Developers simply load their code into the cloud service and the PaaS cloud automatically handles resource provisioning and auto-scaling (elasticity) as well as load balancing and application health monitoring.

Learn about:— What Problems does PaaS Solve?— The Typical Features of a PaaS Service— The Pros and Cons of PaaS— Cautions and Considerations

Chapter 4Platform-as-a-Service (PaaS)

39

In the public cloud version of PaaS, the actual infrastructure is managed by the cloud provider. Leveraging public cloud versions can free administrators from the basic work of installing the new application infrastructure and even dealing with system and operating system patching and maintenance. Rather, administrators can focus more on overall service health, performance analysis, capacity planning, and monitoring.

At the heart of the PaaS proposition is an application development and deployment model that gives public sector developers the ability to concentrate on delivering user and citizen services, rather than focusing their energy on servers, network and storage for each application they design. In addition to allowing developers and administrators to focus on the delivering of web services, it can also be very cost-efficient for many web-based services. PaaS comes in many forms, and pricing is based on subscription models, metered fees based on resource utilization, or a combination of both.

What Problems Does PaaS Solve?We’ve already touched on some of the broad challenges that traditional enterprise application development and deployment environments pose. But the origins and potential impact of PaaS go a lot broader and deeper. Below is a snapshot of some of the problems that PaaS addresses for resource-constrained and forward-thinking organizations:

PaaS Improves IT Success Rate It’s a commonly reported metric that half of the IT projects that are undertaken within the global enterprise (not just government) will fail or under-deliver on their objectives. From a management standpoint, PaaS addresses this problem head-on by helping improve the probability of project success within budget and time constraints by providing a stable, standardized, and tested delivery platform for the development team. The same platform can also be used for all stages of the application life cycle, including development, test, quality assurance, and production. Having a ready-to-run application delivery platform available at the touch of a button eliminates waiting weeks or months for dev/test/QA systems.

Cloud Service Models: Platform as a Service (PaaS)40

PaaS Relieves Intra-Organizational Project Staffing Issues Larger IT organizations often have multiple project teams working on various IT systems, tests, deployments, etc. Oftentimes skills are not easily transferable to other projects which can quickly impact an enterprise’s agility levels. The imposition of standard approaches through a PaaS paradigm can relieve these issues by ensuring all teams work off the same common tools, languages and processes.

PaaS Solves Application Modernization Requirements The problem with many legacy applications is that they are not web-enabled and are limited in how they can serve the enterprise as a whole, as well as citizens and constituents. PaaS offerings can help accelerate the deployment of web-based applications.

PaaS Addresses Cloud-Readiness Issues Just as PaaS can help expedite the modernization of IT applications, it also helps normalize legacy applications that might not yet be suitable for the cloud. PaaS also provides better support for applications that you might plan to eventually deploy in the cloud environment.

PaaS Provides a Robust, Standardized Development Test Environment at a Low Cost You might be noticing a common thread here – standardization. Rather than each team having its own test environment, PaaS offers something to the entire enterprise that can be standardized across teams, providing very sophisticated tests of functionality at a relatively low cost.

Cloud Service Models: Platform as a Service (PaaS) 41

The Typical Features of a PaaS Service

PaaS Service Features

Typically PaaS is delivered in a public cloud multi-tenant environment offering on-demand hardware and operating systems, application platform(s) and platform libraries, database management systems access and load balancing services for production use. Typically, each PaaS architecture is designed to support a specific development language or languages. There are a number of languages and frameworks for developing web applications, so look around for the one that best supports your standards.

Offered either through a rich web interface or through a plug-in to the popular Eclipse® integrated development environment (IDE).

Usually Apache Subversion® or the equivalent.

Includes sophisticated bug trackers and problem resolvers. Synthetic load generators let you approximate end user application performance.

This includes online access to log files, automated monitoring and usage reports- all the things that development and administration teams need to get an application deployed and supported.

It’s a Public Cloud Multi-tenant Environment

PaaS Supports Popular Software Languages

Support for Common Integrated Development Environments

PaaS Includes Software Code Versioning and Revision Control Environment

Testing and Performance Measurement Tools

Post-Development Production Deployment Platform


The Pros and Cons of PaaSNow let’s look at some of the pros and cons of Platform-as-a-Service that you need to consider as you evaluate service offerings and your PaaS strategy.

Pros of PaaS• Avoid Direct Facility Infrastructure, Hardware and Energy Costs. As with the other cloud computing service models, the costs incurred in traditional application development and deployment paradigms are avoided. • Greater Transparency into IT Costing Models. PaaS pricing structures make it relatively simple to figure out how much a service actually costs and it’s often possible to break down these costs to the transaction level.

• Access from Any Internet Connection. Again a common denominator among all cloud services.

• Providers Offer Pre-integrated Suites of Application Services. Reduces the time required to build out and maintain in-house suites.

• Cost Reduction. Because you can consolidate resources and avoid building out the same infrastructure each time you start a new project you can eliminate a lot of redundant work and cut costs.

• PaaS Encourages Standardization. PaaS eliminates the need to maintain time consuming software stacks for specific applications.

• Promotes Agility. PaaS eliminates the traditional early project stage provisioning and configuration process allowing project teams to rapidly modify and refresh applications to meet changing needs.

• Cost to Terminate a Project is Low. If you decide a project is not going to meet your needs, you can terminate it at very low cost rather than incur the substantial costs that would be invested in the traditional project methodology.


Cons of PaaS:• Potential for Vendor Lock-in. If your code developers need more flexibility than the current PaaS provider delivers, application portability can become a problem. The application that you build in some of those environments is designed to take advantage of the scalability of that particular platform’s architecture. So you’ve got to balance this consideration against the cost of deployment and potential re-architecting of that application for movement to another cloud provider. For many, vendor lock-in is not a big issue. If you do, however, have a complex application requiring more control you may find yourself needing the flexibility to be able to move that application into a new development environment or language.

• Rapidly Evolving Market. As mentioned earlier in this chapter, the PaaS market is evolving very rapidly and this alone has the potential to make many hesitate before embracing PaaS, which can be a costly mistake. If you are at all curious about PaaS, you really should be building something now before you commit to the service.

• Proprietary Platforms are not Suitable for Deploying Existing Applications. While you can take certain existing web applications and port them to a platform offering, if you want to deploy an existing application to a PaaS platform, you will most likely need to re-architect. It may be better to look at new applications rather than trying to rewrite old ones.

Cautions and Considerations What are some of the key cautions and considerations to keep in mind as you plan your PaaS deployment?

1. It’s a Very Dynamic Market! You’ve heard this about IaaS but the same is true for PaaS. Providers are constantly releasing new platform features and the baseline of services available varies significantly among the major players.

2. Trust, but Verify. This market is not only dynamic, it’s hotly contested. Expect to see claims and counterclaims among the providers and in the blogosphere about provider offerings.


3. Change of Service Provider. As mentioned earlier, you’ve got to plan for portability, especially if you’re investing in a long-term project.

4. Consider a Private Versus a Public PaaS. If you’re a large organization with specific middleware requirements, you might want to consider a private PaaS. This will give you more control over your own code libraries, proprietary data formats, and application frameworks while still getting significant benefits over traditional development models.

5. Need to Accommodate Multiple Development Teams. While a single provider will support standardization and objectives, if you have multiple teams working on projects, a single provider may not meet all the teams’ true requirements. 6. One PaaS Does Not Fit All. Keep in mind that PaaS providers have designed their services to support a specific development language or set of languages. There are many different programming languages and frameworks on which a web application can be built, including but not limited to: Java, PHP, JavaScript, Ruby on Rails, and .NET. Not all PaaS offerings will support all languages and frameworks.

7. Beware Cross-Cloud Latency. In the event that you need to span across different PaaS environments to build your application, inter- cloud latency can become a real issue. Be sure you test performance and latency of the distributed application thoroughly.

8. Crunch the Numbers. PaaS fees can be rather confusing, so pay special attention to how charges will be incurred. Fees can vary from monthly or daily subscriptions to metered billing based on actual resource consumption (like storage, bandwidth in and out, and CPU usage.) Often you’ll run into pricing models that combine subscriptions with metered fees.

9. Read the Fine Print. Again, something we stress in every chapter of this book. It’s very important to look at and understand the fine print in the SLA and ToS before putting anything into production. Be sure to verify what the cloud provider is going to provide, what they’re going to be responsible for, and what their availability is going to be. You’ll also need to confirm how to get your data into the cloud, as well as how to get it out of the cloud in the event that you want to move on to some other platform.


Now we come to the elephant in the room – cloud security.

Because many of the features that make cloud computing attractive can also be at odds with traditional security models and controls, cloud security is a particular concern for the federal government.

In fact, according to the Cloud Security Alliance, 70 percent of government technology decision-makers are concerned about data security, privacy and integrity in the cloud.

Driven by the imperative of the Cloud First mandate, cloud security is such a hot topic for the federal government that NIST expedited the development of federal cloud security guidelines that advise agencies to consider security as a priority issue before they deploy any form of production environment in the cloud. Yet questions and confusion remain about the critical aspects of cloud security and their impact on long-term cloud strategies. For example:

• What are the key security and privacy concerns and issues that cloud computing has brought about and how can you tackle them? • How can you identify a cloud model that meets your agency’s needs? • What do you need to know about your cloud provider before you trust them with your data?

This chapter will address these questions and suggest some tried-and-tested strategies for securing public cloud resources.

Learn about:— Current Data Center Models: It’s All Inside— The Public Cloud – Who is Responsible for What?— Cloud Threats and How to Combat Them— Balance Security Controls with Acceptable Risk

Chapter 5Securing the Cloud

47

Current Data Center Models – It’s All Inside!Before we delve into the nuts-and-bolts of cloud security, let’s explore a quick example contrasting how IT is managed in a traditional data center versus the cloud environment.

Currently we have several scenarios:

First, we have the traditional on-premises government data center where you own and manage everything from the physical bricks and mortar, to the classic IT infrastructure inside including systems, applications, account management, security infrastructure, Governance, Risk Management, and Compliance (GRC), and the client interfaces. The IT department has insight into and control over it all.

Next, we move into a traditional hosting model. This is a very common model and it’s easy to forget that at this point the organization has already relinquished some control to third-party telecommunications providers and hosting providers (notably, the third-party provider is responsible for their own physical infrastructure/premises).As consumers of the IT service, however, the IT organization is still the ultimate arbitrator and authority for those services, but through trust and controls it has delegated parts of that responsibility to a hosting provider.

So how do these models compare with cloud scenarios? Well, many of the lessons learned from the co-hosting managed services model have been noted and applied to public cloud environments.

The Public Cloud – Who is Responsible for What?There is a division of responsibilities between cloud providers and users in the three cloud service models. From this visual you can see that, for example, with IaaS you are going to have to rely on the service provider to secure the physical data center itself, including the systems (servers, storage, network, etc.) and the hypervisor. Under no circumstances can IT folks access these directly.

Securing the Cloud48

On-premises Data CenterPhysically hosted systems, applications, account management, security infrastructure, Governance, Risk Management, and Compliance (GRC), and client interfaces in one building owned by the agency.

Key TermsTo Know

Cloud Service Provider Responsibilities

That being said, as in the hosted data center scenario, there are still a number of subscriber responsibilities that straddle all three service models. Security and password controls are still very much under the control of government IT, as is account management and the client interface. In the case of PaaS, you’ll notice that the application platform and security infrastructure is also hidden behind the cloud. Remember that the different cloud service models all abstract different layers of the infrastructure. In IaaS the subscriber responsibilities are greatest, as less of the infrastructure is hidden from the subscriber. In this model, the subscriber maintains the most amount of control.

As you move to different service models like PaaS and SaaS, the cloud providers abstract more of the infrastructure, thereby becoming responsible for those layers. As noted in Figure 3 above, a PaaS provider will be responsible for all of the elements listed in its row as well as those elements listed in the IaaS provider’s responsibilities. SaaS providers, whose services have the highest degree of abstraction, are responsible for all of those elements that both IaaS and PaaS must manage. In all service models the subscriber will remain responsible for GRC, account management, and the client (browser) interface.

So what about that client interface? As you’ll recall, in all cloud deployments the most common interface is basically a browser with an Internet connection. Maintenance of that connection is very much the responsibility of IT and, as such, requires good browser hygiene. This means avoiding third party plug-ins or bolt-ons, and at a minimum ensuring they are free of malware that could ultimately compromise the cloud services itself.

Figure 3: Public Cloud - The Realms of Responsibility.

Securing the Cloud 49

Source DLT Solutions

Subscriber Responsibilites

GRCAccount ManagementClient Interface

GRCAccount ManagementClient InterfaceApplication

GRCAccount ManagementClient InterfaceApplicationApplication PlatformSecurity Infrastructure

SaaS

PaaS

IaaS• Physical Data Center • Systems• Hypervisor

• Application

• Application Platform• Security Infrastructure

The Key Security and Privacy Issues at the Heart of the Cloud So now that we know the realms of responsibility in each cloud service, we next need to understand what are the fundamental public sector cloud security and privacy issues, how are they manifested, and ultimately, how can they be mitigated?

These answers are complex. Even if you’ve only skimmed some of the other chapters in this book, you’ve probably come to appreciate that cloud computing is a combination of technologies (virtualization, service-oriented architecture, Web 2.0, utility computing, grid computing, application service hosting, and so on) that have been leveraged to bring forth what we know of as the cloud.

The good thing about this is that we have a solid understanding of many of the security and privacy issues associated with each of these components. The downside is that we don’t necessarily know the ramifications of combining all those things together. And this is one of the fundamental security challenges we currently face with cloud computing.

To help explain and advance the key security risks and privacy issues of the cloud, it’s useful to refer to Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing, developed by NIST. NIST has identified the following privacy and security-related issues that are believed to have long-term significance for cloud computing.

Governance

The agility and speed with which you can pull together cloud services is a real problem when it comes to governance. It is critical that good controls are deployed to ensure these services don’t leave your agency open to legal or regulatory issues or data exposure. A couple of ways of doing this are:

• Develop a flexible risk management program that continually monitors your evolving environment. • Rely on automation and other tools to monitor, verify and validate data use (how it’s stored, how it’s protected, etc.) against policy.


Governance

ComplianceData

Pr otection

Identity &Access

TrustIncidentResponse

Av ailabilityArchitectu re& Software

Isolation

Compliance

Compliance is a multifaceted issue that can affect cloud computing in several ways. One of the key compliance issues that the cloud presents is data location, where the data is stored geographically. Because the government often requires that public sector cloud data must reside in the continental U.S., cloud providers who operate globally are rapidly addressing this compliance issue with concerted efforts to ensure that data remains within the country origin.

Other compliance issues center on federal laws and regulations such as the Federal Information Security Management Act (FISMA), the National Archives and Records Management Act (NARMA), and even the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI DSS).


As defined by NIST

Figure 4: The Key Security and Privacy Issues of Cloud Computing

e-Discovery requirements are another consideration and require that you look closely at the cloud provider’s ability to preserve, identify, collect, process, analyze and produce all forms of electronic files. It’s conceivable that you may want to augment one cloud service with another. For example, if you are using a cloud-based email system, but need a rich, enterprise class method of e-Discovery across not only email but all other digital assets, it may be best to augment the email provider’s capabilities with an external e-Discovery platform.

Lastly, take a look at the certifications that the cloud provider holds. If they hold ISO 27001 for security controls or SAS 70 Type II audits for physical security, these certifications might be a good indicator that they have more familiarity with standards and compliance than other providers or even your internal IT team.

Trust

Trusting and verifying your cloud provider is a must; you can protect yourself in several ways. Areas to pay attention to include verifying the integrity of your provider’s employees, and checking the ToS to verify you maintain data ownership – you don’t want to relinquish control or ownership of any cloud data. Another hidden risk is the use of composite services, meaning a SaaS offering that’s built on top of a PaaS offering. Verification of the supply chain and due diligence across the entire stack or API chain is a must.

Visibility

Because so much of what’s behind the cloud is hidden, you may need to conduct an audit or review past performance and certifications to gain a degree of trust as to what is going on within the infrastructure where your data will reside. It is critical that the cloud provider allow for external audits. Many cloud providers do not allow customers to enter their data centers. In that case, it is important that they have provisions to allow external auditors to access the facilities.


Architecture and Software Isolation

The cloud provides services via an abstraction layer – a web portal. Behind this abstraction layer is a hidden world of complexity that includes firmware, hypervisors, operating systems, virtual machines, user portals, charge back and metering systems, provisioning, orchestration and other essential functions. Much of this functionality and its supporting software don’t typically exist within IT infrastructures. By adding new functionality and software to the architecture, what is known as an attack surface emerges. From a security and privacy perspective, it is something that we need to find ways to deal with.

Another area of concern is how the provider handles software isolation. This is how data is set-up and shared across databases and common application platforms, particularly in multi-tenant applications.

Identity and Access Management

The issue here is the extension of an agency’s existing identification and authentication frameworks into the cloud – and currently it’s anything but seamless. Providers are, however, working hard to drive some much needed enhancement in this area and finding one which integrates with internal identity controls is critical.

Availability

Is my service up? Can I access it in a reliable manner? Is it meeting my service level requirements? These are all key availability considerations inside and outside the cloud. Make sure you study and run models based on the availability percentages that providers advertise – are they really as good as they sound?

Cloud outages are a hot topic, and they are going to happen, just like data center outages of old. The important point is in how you respond to these outages and whether your disaster recovery (DR) and Continuity of Operations Plan (COOP) plans have the right contingencies built in. Distributed Denial-of-Service (DDoS) attacks should also be on your radar screen.


Attack SurfaceThe attack surface in a software environment encompasses all of the software and functionality that are running in the system. Typically, the more software or functionality provided by the service, the greater the attack vectors by which an unauthorized user may attempt to disrupt or gain control over a service.

Software IsolationWithin the context of cloud computing, software isolation is the method by which one user’s code is prevented from negatively impacting another user’s code. In many clouds, the hypervisor and virtualization provide this separation.

Key TermsTo Know

Incident Response

Include this in your due diligence so that you know how the provider is going to respond to an incident before one happens. What are their processes, procedures, roles and responsibilities in the event of a critical incident, or even non-critical? How are they going to handle attack verification, analysis, containment, data collection, preservation, remediation, and restoration?

It’s also critical to understand the demarcation of where the cloud provider’s monitoring ends and the subscriber’s begins. So again, who owns which roles and responsibilities? What do they do? What do you do? At the end of the day, monitoring the health of the service against SLAs is the subscriber’s responsibility. Make sure you are aware of outages and claiming credits when you can.

Data Protection

For organizations that are moving sensitive or regulated data into a cloud, it’s important to understand how the cloud provider will regulate access to the data and keep it secure. You’ll also need to know how the provider will sanitize the storage when you terminate the service (both active data sets and snapshots).


Internal Staff (Re)Specialization By freeing up IT staffing resources, IT teams can concentrate on emerging security threats.

Standards FocusStandards-based environments are incredibly powerful tools that can deliver services quickly and safely.

Investigation and ForensicsNew services and resources available within elastic cloud environments, such as snapshots of breaches, can bring additional resources quickly to bear for investigation and forensic purposes.

LoggingElastic resources let you quickly scale-up storage for logging and log consolidation.

Complimentary Cloud ServicesCloud SaaS services are now emerging that are specifically designed to deliver security related services such as log management, identity management, access control, Environmental Resource Management (ERM), and so on.

Cloud Staff SpecializationCloud data centers are some of the largest in the world and it is in their interest to deliver the best service they can. In many cases, security is better than many of their commercial counterparts thanks to staff who are fully dedicated to handle and strengthen security.

Platform StrengthHomogeneous platforms drive greater standardization which brings with it better specialization, hardening and automation from a security perspective.

Resource AvailabilityThe sheer scale and elasticity of cloud services means that many resources can be brought to bear to respond to attacks as well as capture and analyze forensic data.

Backup and RecoveryProperly leveraged, this can provide great benefit because it allows you to maintain multiple versions and snapshots of virtual machines and data.

Data ConcentrationIn using cloud services we can keep data off of local mobile devices such as laptops and better protect the government in the event of loss or theft of these mobile devices.

The Security Upsides of the CloudIn case you were thinking that it’s all bad, there are several security upsides that the cloud bestows on government IT and that NIST defines for us.

Security Upsides of the Cloud


Internet Facing A public cloud, residing on the Internet provides a potentially large attack surface. Be sure to take advantage of all of the security features that the cloud provider offers, and harden any Internet facing services when possible.

Data SovereigntyCloud service providers leverage geographically dispersed data centers from which to provide their services. Knowing in which countries they reside and how data is replicated and moved between data centers is critical.

The Bad Guys Have Access to the Cloud TooIaaS services have been known to be used for password cracking and attacks on gaming systems. Granted, there isn’t much you can do about this, but understand that attackers can now bring significant computing resources to bear during an attack.

Shared, Multi-Tenant ServicesThe fear of accidental exposure of data to other users and sharing of resources by external hosting groups is an ongoing concern. Talk to your provider about how they manage that aspect of their service.

ComplexityWhile cloud services are designed to be simple to use with familiar web-based interfaces, there is a lot going on under the hood of a cloud environment. Do your due diligence through provider audits, penetration testing, past performance and certification checks.

Loss of Control and VisibilityAgain this is a major concern that can only be alleviated on a case-by-case basis through trust and verification protocols. Audits, penetration testing, and continuous monitoring can help mitigate some of these concerns.

The Security Downsides of the CloudJust as there are upsides there are downsides, most of which we discussed earlier in this chapter, but it’s useful to see them in snapshot form:

Security Downsides of the Cloud


Cloud Threats and How to Combat ThemWe’ve touched on security concerns and security upsides of cloud, but what are the vulnerabilities of the cloud? Below is a snapshot of the top threats and risks to the cloud model and suggested strategies for addressing these.


Abuse and Nefarious UseTypically, criminals use IaaS for password cracking, storing data that has been pilfered, and launching Distributed Denial of Service (DDoS) attacks. While there isn’t much that you can do about this directly, there are things that can be done to better protect your cloud services. Use strong passwords, encrypt data at rest and in transit, and consider content delivery and acceleration cloud services that can shrug off DDoS attacks.

Insecure Interfaces and APIsBe sure to assess the security of your provider’s interfaces including authentication, access control, and encrypted transmissions. Some cloud services are layered affairs. For example, a SaaS offering may be built atop another cloud provider’s PaaS or IaaS offering. In these cases, the APIs may be layered as well. If this is the case, then you should look at the APIs of the underlying service as well as the service that you are directly consuming.

Malicious InsidersThis is really no different than on-premises or co-hosted IT that we have today. This risk can be mitigated by ensuring your provider has the right programs, processes, training, controls, and isolation in place within their environment.

Shared TechnologyBecause of the shared technology in the cloud, it’s essential to take a defense in-depth security posture to the cloud by applying the same disciplines (monitoring, authentication, access controls, and vulnerability scanning) that are used internally, and possibly take them up a notch by augmenting them with the tools and disciplines of the cloud provider.

Tips for Dealing with the Top Cloud Threats Source: Cloud Security Alliances (CSA) Top Threats to Cloud Computing v1.O

Data Loss or LeakageTo mitigate this threat, encrypt your data at rest, in flight, and in use (if you can). Implement strong key management life cycle practices. Additionally, ensure that the provider has a formal data destruction process before a disk leaves the provider’s premises.

Account or Service HijackingThis is as much a problem in the cloud as it is in any other IT service. Proper authentication credentials management can help alleviate unauthorized activity, but you should also cross-check your provider’s security policies, Terms of Use (TOU), and SLAs against your organization’s risk profile. Ultimately, it is each user’s responsibility to protect their keys!

Unknown Risk FactorThere’s always an unknown risk factor. In the cloud world, this comes down to the visibility issue again, and the threat lies in the cloud provider’s willingness to disclose their processes, procedures, controls, architecture, log files, intrusion detection, patch files, and so on. Again, this can only be addressed on a case-by-case basis using due diligence prior to contract signing as well as ongoing audits, penetration testing, and continuous monitoring.

Tips for Dealing with the Top Cloud Threats (Cont.) Source: Cloud Security Alliances (CSA) Top Threats to Cloud Computing v1.O


Coping Strategies – When You Need Extra SecurityAs discussed throughout this chapter, many of the security and privacy risks that cloud computing poses can be overcome through due diligence, best practices and other measures. But if you need extra layers of control over your cloud environment, you may want to consider three viable alternatives to the public cloud – the internal private cloud, the virtual private cloud, and the external private cloud.

Consider an Internal Private Cloud. A private cloud is an infrastructure operated solely for a single organization, whether managed internally or by a third-party and hosted internally or externally. The private cloud has its benefits, but it also has its downsides – for example, you may lose the level of scale that you experience with a public cloud; you’re going to need to ramp up your skill base to handle the additional security and operational responsibilities of the private cloud; and you’ll incur upfront capital costs for software.

The private cloud does alleviate some of the issues faced in order to utilize public cloud. By allowing agencies to maintain complete control and visibility over their own cloud infrastructure, subscribers may find it easier to “let go”. It also addresses fundamental security concerns around data sovereignty. Bear in mind, however, that the private cloud does require additional security controls on the actual virtual machine host and the other components of the cloud infrastructure, over and above those in place in a typical data center or co-located facility.

Leverage a Virtual Private Cloud. Virtual private clouds still leverage public cloud infrastructures, but they allow for a private cloud within that infrastructure. Instead of using the cloud provider’s auto-generated Internet accessible IP addresses, the subscriber can allocate their own internal and external facing IP addresses. Additionally, access can be further protected by only allowing connectivity via an encrypted VPN. While you may still be using shared resources in a multi-tenant environment, access to those resources can be more tightly controlled, effectively mitigating a major attack vector. The virtual private cloud also retains the elasticity and scalability of the public cloud. The main downside of this option is the price. If you want to leverage cloud resources but need the extra control that a virtual private cloud affords, you can expect to pay a premium price.


Use an External Private Cloud. External private clouds are public cloud services that have been cloned and placed in separate data centers. These services are only available to a controlled set of users. A number of cloud services have been cloned in this manner and are only available to government customers. These services are still multi-tenant, but you only share resources with fellow government users. These external private clouds often have industry specific controls or certifications that allow them to better cater to this specialized user base.

How to Assess a Potential Cloud Provider’s Security PostureAs discussed throughout this chapter, cloud security often comes down to a balancing act between assessing and defending your security payload and assessing the case-by-case security profile of your potential cloud provider.

Below are some tips for assessing a cloud provider’s security posture:

• Review the Fine Print - Time and again we come back to this. Go over the ToS and SLA until you are sure you have a firm grasp of the potential provider’s terms and conditions before you sign. Get legal and technical advice as you conduct your review.

• Assess Provider Certifications - Certifications and compliance alignment are good indicators of the maturity of a provider’s security posture. Have they achieved a FISMA rating? Have they received an authority to operate from a government agency? From a security perspective, do they have SAS 70 Type II audits or are they ISO 27001 certified? Look for the sort of certifications appropriate to your environment.

1. What’s the audit process?

2. Where’s the data stored?

3. How are employees trained?

4. What data classification is used?

5. How strategically and financially viable is the cloud provider as a business?

Five Questions to Ask a Cloud Provider about their Security

Posture


• Will they Allow Penetration/Audit Testing? It’s worth asking if the cloud provider will allow this. Not all will be willing, but be sure to ask. Find out if they have a clearly defined process for dealing with audits and penetration testing. Without visibility into and control of the cloud, you are often going to need to rely on third party audit organizations and testers to conduct trust and verification audits on your behalf.

• Understand Incident Response Processes and Procedures - The goal here is to ensure that if there is an issue, the response from the provider is not ad hoc.

• How is Service and Data Recovery Managed? Understand the provider’s processes to ensure continuity of operations, prevent data loss, and ensure high availability.

Cautions and Considerations of Securing the Cloud

“When eating an elephant, take one bite at a time.” – General Creighton Abrams Jr.

This same approach is true when it comes to the evaluation and enforcement of cloud security policies in a world where control and visibility over your data assets is no longer a given.

Proceed, but proceed with caution – trust but verify – and be mindful of the following:

1. Data Sovereignty – Make sure you know where your data resides and that it stays where it belongs. Ultimately, your data is only legally protected by the laws of the country in which it resides.

2. Encryption Key Management – Securing your data in flight and at rest is a must; this means being able to use your privacy encryption keys safely in the cloud. Currently, key management technology is struggling to keep pace with this federated trust requirement.


3. Identity Integration – Proper identity management is often lacking in the rush to cloud-enabling services and applications, and this is a key issue for federated identities that need to use clouds as an extension of their internal data centers.

4. Cloud Compatibility – A key part of risk assessment is to understand whether it is feasible or not to move to another cloud in the event of ongoing service failures.

5. Choosing Auditors – Another hot topic that we’ve touched on throughout this chapter, The use of auditors can take you under the hood of the cloud to ensure compliance requirements and regulations are being met. Look for auditors who have experience in and with IT organizations that specialize in multi-tenant environments.

In a Nutshell – Balance Security Controls with Acceptable Risk

Despite the security challenges described in this chapter, public cloud computing is a compelling IT model that agencies are actively seeking to incorporate as part their information technology solution set. Critical to achieving secure deployments is recognition among federal, state and local agencies that accountability for the security and privacy of public clouds is ultimately their responsibility. Despite the lack of control and visibility that the public cloud affords, the deployment, configuration, and management of your cloud solution is essentially a balancing act between preserving consistency with your current security policies and dealing with acceptable risk.

According to NIST (Special Publication 800-144): “Assessing and managing risk in cloud computing systems can be a challenge. Throughout the system lifecycle, risks that are identified must be carefully balanced against the security and privacy controls available and the expected benefits from their utilization. Too many controls can be inefficient and ineffective, if the benefits outweigh the costs and associated risks. Federal agencies and organizations should work to ensure an appropriate balance between the number and strength of controls and the risks associated with cloud computing solutions.”


1. Focus on the Service Level Agreement and Terms of Service. Make sure your vendors are very clear about their SLAs. Review all options that relate to uptime guarantees, outage recovery times or downtime maintenance, or upgrades within the SLA.

2. Provider Communications. Find out how your vendor measures uptime and how this is communicated to clients, such as what part of the hosting infrastructure the uptime calculation takes into account. Ask about processes in place for handling major outages and how they typically communicate with the client (phone, email, RSS Feed, Twitter, SMS), at what speed and with what level of details. Determine if they are proactive or reactive when a problem occurs.

3. Know Your Computing Profile and Scalability Requirements. The infrastructure and service profiles provided by any cloud service need to match your requirements. What happens if you need to spin up additional instances during peak data management times (such as April for the IRS)? Don’t expect any provider to have truly “unlimited” resources, even though relatively speaking, it might seem this way. Judge long-term needs in the context of scale, and match those needs to the provider’s capabilities.

4. Clearly Define Your Security Requirements. Security is a shared responsibility between individual agencies and the cloud providers. Most agencies will still have to provide and manage the security platform from the operating system (OS) upward. However, providers have a vested interest in avoiding security incidents, so they often have tools, methods and expertise to support your efforts beyond what you could do alone. Map the control objectives, and know which ones are addressed by you and which one are addressed by the cloud provider.

5. Find Out Where Your Cloud Lives. It is important to know where the physical infrastructure is located, especially in terms of information flow restrictions. It is also an important question to answer in the context of a possible COOP or Disaster Recovery scenario as well as addressing how to get data into and from the cloud services.

Key takeaways and considerations before makingfinal decisions on a cloud purchase.

Chapter 6Final Thoughts – A Path to the Cloud

63

Application Programming Interface (API)Method of software communication that allows multiple components to interface.

CustomizationThe modification of application code, fees and service features to suit the needs of your organization. SaaS services do not support customization.

FISMA Moderate RatingsThe process of selecting the appropriate security and risk controls and assurance requirements for organizational information systems to achieve adequate security.

Infrastructure-as-a-Service (IaaS)Provision and control your own processing, storage, networks, and other fundamental computing resources while deploying operating systems and applications on a provider-managed cloud infrastructure.

Attack SurfaceThe attack surface in a software environment encompasses all of the software and functionality that are running in the system. Typically, the more software or functionality provided by the service, the greater the attack vectors by which an unauthorized user may attempt to disrupt or gain control over a service.

Measured ServiceProvides you or the service provider with access to the metrics you need to charge or show back usage to the appropriate cost centers using the service.

Multi-tenant ApplicationMany organizations use the same software code base as opposed to traditional models where each organization had their own license and code base.

On-premises Data CenterPhysically hosted systems, applications, account management, security infrastructure, Governance, Risk Management, and Compliance (GRC), and client interfaces in one building owned by the agency.

A Few Key Cloud Terms to Know

Final Thoughts - A Path to the Cloud64

On-demand ServiceEnables IT administrators to use portals to provision computing capabilities, such as server time and storage, as well as add users, without interaction with the service provider.

PersonalizationThe act of using the pre-provisioned features and options offered by a SaaS application to meet your needs.

Platform-as-a-Service (SaaS)Deploy your own applications onto a provider-managed cloud infrastructure using programming languages and tools supported by that provider.

Rapid ElasticityBeing able to quickly scale users or instances in a short time frame, without any configuration issues or service disruptions.

Service Level Agreements (SLAs)Refers to the contracted delivery time (of the service) or performance of the features or functionality. This may also reference product uptime and response times.

Software-as-a-Service (SaaS)Access and use third-party applications, such as e-mail and collaboration, running on a provider-managed cloud infrastructure.

Software IsolationWithin the context of cloud computing, software isolation is the method by which one user’s code is prevented from negatively impacting another user’s code. In many clouds, the hypervisor and virtualization provide this separation.

Terms of Service (ToS)Also known as Terms and Conditions, these are the parameters that must be agreed upon by both parties in order to purchase and obtain the product.

A Few Key Cloud Terms to Know

Final Thoughts - A Path to the Cloud 65

Useful References

DLT Cloud www.dlt.com/cloud

National Institute of Standards and Technology (NIST): www.nist.gov/itl/cloud

Cloud Security Alliance (CSA): www.cloudsecurityalliance.org

Federal Risk and Authorization Management Program (FedRAMP): www.FedRAMP.gov

Final Thoughts - A Path to the Cloud66

Notes:

67

Notes:

68

13861 Sunrise Valley Drive, Suite 400 • Herndon, VA 201711-855-cloud01 • [email protected]

addresses many of the questions that government agencies have about this rapidly evolving technology. It explains the basics of cloud computing, the problems it solves and how you can find the right fit for your organization.

Knowledge. Advice. Clarity. - DLT Solutions · - Top 5 Takeaways - Key Words and Terms - Useful...

Documents

Transcript of Knowledge. Advice. Clarity. - DLT Solutions · - Top 5 Takeaways - Key Words and Terms - Useful...