Moving to the Cloud HHS Directions in Cloud Computing Mary Forbes, Chief Enterprise Architect Scott Cory, Capital Planning and Investment Control Officer 4/27/2011 V3b rpc

-2- Agenda Why Cloud Computing HHS Cloud Computing Participants Understanding Cloud Computing as a Utility Choices of Computing Models – Ownership-based model (Current Vision) – Utility-based Cloud model (Future Vision) Benefits of the Cloud Model What about Security? Understanding the Cloud – Understanding the service models – Understanding the deployment models – Cloud Model Challenges How does HHS Move to the Cloud Long term self-service vision HHS Cloud Planning Strategies HHS Cloud Acquisition Strategies What must Acquisition Professionals Do? What must Project and Program Managers Do?

-3- Why Cloud Computing? Because we Should Potential for 20-30% Cost Savings Potential for rapid acquisition and deployment Increase agency agility and focus on mission Provide entirely new capabilities with on-demand vision Leverage interagency and Government-wide work such as GSA BPA’s Because we Must OMB-based “Cloud First” Policy OMB 25-point IT Management Reform, including: CloudFirst Policy and movement to other light on-demand technologies Data Center consolidation (aided by cloud) Government-wide acquisition vehicles such as GSA Cloud BPA’s for infrastructure and Strategies for shared services Best practices collaboration

-4- HHS Cloud Computing Participants HHS Cloud Computing Activities HHS Security Group HHS Enterprise Planning Lifecycle Group HHS Acquisitions Community Others… CTO Council Chair: John Teeter Cloud Computing Advisory Council Chair: Jaspal Sagoo HHS Enterprise Architecture Federal Cloud Computing Advisory Council Liaison: Mary Forbes

-5- Understanding Cloud Comp5 5, uting as a Utility Cloud Data Centers Generation as a shared regulated utility at large scale Distribution Ubiquitous infrastructure at large scale Metering Standards based, at individual scale Usage On demand at individual scale App Users Agency Usage- Based Billing Internet / Intranet Distribution Cloud Services Agency Usage

-6- Computing Model (Current Vision) Agency acquires and operates discrete resources Agency IT manages all phases of computing Discrete activities per application system, with consequent inefficiencies Infrastructur e Platfor m Application Acquire And Operate Configure and Maintain Deploy, Maintain and Operate Agency IT Once Per Application… App Users Use

-7- Utility-Based Cloud Computing Model (Future Vision) Up-front agency or organization acquisition On demand usage through common contracts Services span application systems Cloud Provider Agency IT Infrastructure Cloud Platform Cloud Services Cloud Provision on Demand Deploy on Demand Use On Demand Acquire Once per Agency, Use as Needed Use Manage Cloud

-8- Benefits of the Cloud Model Reduced effort and expense – acquire once, use on demand Improved negotiation leverage through consolidated acquisitions Drives industry standards, especially when coordinated across agencies Acquisition Faster deployment through provisioning on demand Reduced cost by using only services as needed Opportunities for standardization and consolidation at all levels of cloud Opportunities for improved Records Management through standardization and consolidation Operations Reduced acquisition and configuration time Improved reuse through common catalog and interfaces Opportunities for shared and collaborative services Agility

-9- What about Security? Chief Cloud Security Challenges Multitenancy –What new exposures and controls are there? Certification – how can I efficiently certify massive infrastructure? Scale – how many systems does a potential breach affect? Process – adapting existing processes and standards to the cloud? Chief Cloud Security Benefits Efficiency – hardening fixes many targets at once! Standardization – consistent policies are easier to administer Leverage – Certifications can be done once and used by many agencies Process – revisiting process can focus on effectiveness over form FEDRamp and Cloud Security FEDRamp (Federal Risk and Authorization Management Program): cross-agency standard approach to Assessing and Authorizing (A&A) Cloud is the first target thru GSA IaaS BPA Cloud Computing Security Requirements Baseline Continuous Monitoring Assessment and Authorization Approach

-10- Understanding the Cloud Service Models Cloud Service Model Offers On Demand: Who Uses It Directly? What’s it For Infrastructure as a Service (IaaS) Virtual Machines Raw Storage Network access Hardware managers Systems managers Hosting platforms Platform as a Service (PaaS) Platforms for: Testing Development Deployment Application deployers Testing Managers Dev. Managers Deploying software applications Software as a Service (SaaS) Direct application or (SOA) Service Access End Users of apps End users of SOA services Direct everyday end usage

-11- Understanding Cloud Deployment Models Cloud Deployment Model Operated ByChief BenefitsChief Liabilities Public CloudCommercial entities Cost savings Rapid access Mature market Security concerns from the other tenants Complex accreditation Private Cloud Individual agencies or organizations Commercial entities under contract Eliminates exposure to co-tenants Cost savings for very large storage or compute Requires setup and management Community CloudConsortium of agencies Known co-tenants Shared expenditure Requires (shared) setup and management

-12- Cloud Model Challenges Acquisition Requirements Efficient acquisition policies to avoid “cloud sprawl” and fragmentation New agreement provisions, including security reporting, outage management and distribution of resources Provisions to ensure portability and avoid vendor lock-in, both contractually and technically Sufficient scope to ensure best pricing across operating divisions and staff divisions Security Requirements Details of FEDRamp controls, processes and business models Details of transitional policies for shared security models Details of impact on privacy policies Agility Requirements Efficient on-boarding mechanisms to give operating divisions and staff divisions access to the agency acquisitions Collaborative portals and catalogs to publicize what exists and ensure reuse Best practices and techniques for migrating existing applications to quickly capture benefits Operations and Cost Considerations Determine and implement enterprise services, particularly Executive Branch Identity and Access Management Account for and detail transition and ancillary costs, e.g. increased network bandwidth, training, migration Communicate regarding initial investments required to realize savings Develop efficient billing mechanisms for just-in-time cost tracking Define triggers and limits to prevent cost overruns Define integrated control and provisioning mechanisms for ease of use and management

-13- How does HHS Move to the Cloud? HHS Cloud Computing Establish IT Strategic Goals For using Cloud Computing Leverage & Enhance Current IT Management and Governance Leverage & Enhance Existing EA, CPIC and Security Processes & Tools

-14- Long Term Agency Self-Service Vision Catalog of deployable cloud services driven by Agency Enterprise Architecture inventory Agency business managers directly select and provision services on demand Includes infrastructure, platforms and applications Integrated identity management, billing and help Deploy to public or private cloud based on requirements

-15- HHS Cloud Planning Strategies IT Capital Planning Security Drivers Financial Drivers Functionality Drivers Prototypes Pilots Deploy- ments Architect  Invest  Implement Collaboration Portal Enterprise Architecture HHS Cloud Strategy

-16- HHS Cloud Acquisition Strategies RFI-Driven Information Gathering Determine and analyze marketplace through HHS Request for Information Analyze utility and applicability of existing purchase agreements, e.g. GSA IaaS and BPA Determine specific acquisition strategies and priorities for both short and long term requirements Acquisition Execution Determine required service agreements and parameters to avoid acquisition risks Coordinate acquisitions across operating divisions and staff divisions to avoid proliferation, and achieve benefits of scale and ease of provisioning Acquire resources in coordination with overall Cloud Computing Advisory Committee transition and implementation plan

-17- What must Acquisition Professionals Do? What Cloud solutions and acquisitions have been approved for HHS and Federal Use Understand … In Stage Gate and Program Critical Partner Reviews Participate… With Enterprise Architecture, Capital Planning and IT Security Critical partners To understand how Cloud computing may (or may not) be an appropriate solution for a project or program Collaborate… That Alternative Analyses and Acquisition Strategies include approved Cloud Computing solutions and acquisition vehicles Ensure…

-18- What must IT Project and Program Managers Do? Identify gaps in performance and Agency technical architecture where Cloud Computing may be an appropriate solution Operational Analysis Propose and evaluate Cloud Computing solutions against other alternatives Alternative Analysis Propose use of approved Cloud Computing acquisition vehicles Acquisition Strategy Propose tailored approach to take advantage of benefits of rapid prototyping and on- demand provisioning Project Process Agreement