Published by Arron Holt. Modified over 9 years ago.
CalCloud Government End-User Group
November 4, 2015
Introducing… Chris Cruz, Chief Deputy Director, Operations, Department of Technology
Agenda
- Welcome
- Introduction (Chris or myself)
- CDFA migration of 70 apps (Hence)
- Security (Dave)
- Technical Architecture (Scott and Kyle)
- Q/A
What is CalCloud?
CalCloud is a suite of cloud services offered by the Department of Technology, which includes:
- IaaS - A private cloud infrastructure service:
  - O/S licenses with security updates
  - O/S licenses (customer-managed patching)
  - Customer-provided O/S (customer-managed patching)
- SaaS - Vendor Hosted Subscription Services (VHSS):
  - SalesForce
  - Clarity
  - Remedy on Demand
- Lines of Business:
  - Disaster Recovery
  - Storage
  - Email
  - HR
CalCloud Strategy
CalCloud Architectural Decisions
The CalCloud is engineered for flexible, secure, cost-efficient, enterprise-class workloads.
Diagram pillars (Cloud Service Provider Platform / CalCloud): Personalization, Scalability, Security & Isolation, TOM, Low-Cost Accommodation, Extensibility, Flexible Self-Service, Enterprise-Class, Control.
- The CalCloud provides enterprise-class availability, backup/restore and disaster recovery capabilities.
- CalCloud is designed to support the need for Low-cost Accommodation: the ability to combine low cost with the flexibility to accommodate a wide range of diverse government requirements.
- A Flexible Self-service model, which adapts to departmental needs and is able to bring future services on-board.
- CalCloud supports multiple security standards and models and is a highly secure multi-tenancy architecture.
- The Usability model provides an intuitive, relevant, role-based and customizable user interface.
- CalCloud is Extensible with other hypervisors and OS, other storage solutions, and other compute tiers.
- CalCloud supports flexible dashboards, reporting services and service catalogs; state cloud service consumers will feel in Control.
Introducing… Robert Schmidt, Office of Technology (OTech) Chief, California Department of Technology
Introduction of User Group
User Group was implemented to:
- Align IT tactical efforts with IT strategy;
- Ensure that the CalCloud achieves its implementation roadmap;
- Recommend CalCloud requirements;
- Enhance CalCloud visibility while managing implementation risk;
- Communicate the organization’s cloud strategy to government business and IT leaders.
Introduction of User Group
Members are responsible for:
- Serving as change champion within their agency;
- Aligning tactical IT implementation with IT strategy;
- Assessing business impact of moving IT services to the hybrid cloud.
New User Group Lead: Hence Phillips, CDFA
CDFA has 70 applications running on CalCloud.
- Time to deploy applications
- Performance standards of applications
- Ease of use for customers
- Security
- Lessons Learned/Tips
User Group Lead
Answer as a developer using CalCloud:
- How does CalCloud help me do my job?
- How does CalCloud solve my technical problem?
- What do developers most appreciate about CalCloud?
- What technical benefit do I receive from using CalCloud?
CDFA CalCloud Architecture (diagram)
- CDFA Network
- Mercury (Primary Web)
- Venus (Primary DB)
- Earth (Utility)
- Mars (Secondary Web)
- Jupiter (Sandbox)
- CDFA Mail Relay
- Internet
Introducing… Scott MacDonald, CalCloud Chief, California Department of Technology; Kyle E Pribilski, IBM
Overview of CalCloud
- Dedicated private cloud (IaaS) for the State.
- Service hosted on State data centers and behind State network (LAN/WAN) and security.
- Provided by a cloud service vendor (IBM).
- CalCloud vendor provides hardware, software, portal and OS administration (patching).
- Usage based with no initial cost to the State.
- Self-service business model (via web portal) and low-cost service offering.
Diagram: dedicated virtual private cloud (CalCloud) and shared cloud services (CalCloud), tenants A and B; Flexibility, Security and isolation, Multiple technology platforms, Control, Competitive, Pay-as-you-go.
“Shopping Cart” & Self-Provisioning Model (diagram: Service Catalog and Shopping Cart)
- Select Base Server Size: Small, Medium, Large, Extra Large
- Select OS
- Select Extras: RAM, Storage, Disaster Recovery, Backup, Virtual Appliances, Data Encryption
CalCloud “Shopping Cart” and self-provisioning model (2)
1. Shopping and provisioning:
- Small, Medium, Large, or Extra Large VMs
- Microsoft Windows Server, Red Hat OS or AIX
- Add-ons including RAM, Storage and Backup
- Infrastructure Disaster Recovery services
- Select IDR tier (0, 1, 2)
- Select Backup/Restore tier (0, 1, 2)
- Pick extra memory and storage
- Put into shopping cart
- Build application templates and save in shopping cart
- Press “Submit”
2. Monitoring and reporting:
- Performance metrics
- Capacity metrics (total compute, storage, RAM, backup)
- Billing data broken down by consumer
- See open trouble tickets
- All CalCloud consumer servers along with up/down status
- Current CPU, RAM, and storage usage for each server
- Total backup used and available
3. Management and modification:
- Upgrade or downgrade an existing VM to Small, Medium, Large, or Extra Large VM
- Increase or decrease add-ons including RAM, Storage, and Backup
- Stopping existing IDR services
4. Decommissioning:
- Decommission a single image or an entire project
Comprehensive Self-Service Model
CalCloud Flexibility (diagram)
Layers: CalCloud User Access Layer; CalCloud Management & Automation Layer; CalCloud Resource Abstraction & Control Layer; CalCloud Physical Resource Layer.
Each department's Virtual Private Cloud has its own: My User Roles, My Shopping Cart, My Approval Process, My Reports, My Dashboards, My Trouble Tickets, My Billing Status, My Templates.
CalCloud Standard Services (CalCloud/IBM): Two-Factor Authentication, Standard Reports, Service Catalog, Standard Approval Processes, Standard Dashboards, LDAP w/ standard user roles, Provisioning, Modifications, Usage & Accounting, Backup/Restore, Multi-tiered IDR.
CalCloud Logical Architecture Diagram (Layers 1 through 4, top to bottom)
- CalCloud Managed Services: Service Catalog, Shopping Cart, Provisioning, Image Lifecycle Mgmt, Reporting Services, Events Dashboard, Backup/Restore, IDR, Trouble Tickets, Billing Status, 2FA, Guides/FAQs/Videos
- CalCloud Managed Security
- OTech Interfaces: Trouble ticketing, LDAPs, Invoicing, SIEM
- Management and automation: Service Automation Management, Usage and Accounting, Monitoring, Reporting Warehouse, Storage and Backup Management
- Resource abstraction: VMware vSphere; IBM POWER VM/PowerVC; IBM Storage Virtualization Center (STaaS Block Storage); *z/VM; *Solaris Zones; *Xen/KVM (open source)
- Physical resources: Compute Nodes (Windows/RHEL x86); Compute Nodes (AIX on POWER); Tenant Managed AIX Environments; zLinux / DS8000; Common Cloud Storage; Network; Backup Storage
CalCloud Logical Architecture Diagram (product view)
- CDT/Departmental Interfaces: Remedy, LDAP, Billing, LogLogic SIEM
- CalCloud Managed Security; CalCloud Managed Services
- User Access Layer: Jazz/DASH Portal and Consumer Dashboard (Service Catalog, Shopping Cart, Provisioning, Lifecycle Mgmt, Instant Backup, Reporting, Scheduled Backup, Trouble Tickets); Tivoli Identity Manager (Authentication / Authorization); SmartCloud Control Desk; SmartCloud Managed Backup; Tivoli Common Reporting
- Management & Automation Layer: IBM Service Delivery Manager (Service Automation Management, Usage & Accounting, Monitoring, Reporting Warehouse); Tivoli Storage Manager (Storage Mgmt, Device Mgmt, Storage Pools, Policies); TSM for VE; Backup Archive Agent
- Resource Abstraction & Control Layer: VMware vCenter, vSRM, HA/DRS, vSphere; PowerVM, PowerHA, PowerVM Live Partition Mobility, PowerSC
- Physical Resource Layer: IBM Flex System; CalCloud Portal and Management VMs; CalCloud Tenant VMs (x86 and POWER); NetApp ONTAP Common Cloud Storage; IBM Flex Fiber Channel Interconnect; VTL Backup Storage Arrays
CalCloud R&R
CalCloud Storage Services
CalCloud Tenant Space
- A TVN is created via a number of VLANs which implement the isolated network environment.
- Only the DMZ tier has inbound access from the Internet.
- Across the four tiers, a standard TVN provides a pre-defined number of IP addresses (therefore a pre-defined number of VMs can be supported).
- For tenants who require additional VMs or environments, the TVN model can be extended.
- Tier VLANs are all /25 (128 addresses), except the Util VLAN, which is /24 (256 addresses).
CalCloud Backup and Recovery
Tier 1 storage provides optional services that can be selected for the storage allocated to a VM (all storage for a VM shares the same characteristics).
- Tier 1 Backup and Recovery (BUR): Tier 1 BUR provides a Recovery Point Objective (RPO) of 1 hour with a retention period of 24 hours. Tier 1 BUR is implemented via a snapshot captured within the storage disks.
- Tier 2 Backup and Recovery (BUR): Tier 2 BUR provides a Recovery Point Objective (RPO) of 24 hours with a retention period of fourteen days. Tier 2 BUR is implemented via a whole-VM backup to the TSM backup subsystem.
- Restore operations are requested via the portal. For Tier 2 backups, either the entire VM or a selected file can be restored.
- Encryption: Tier 1 storage can be encrypted on disk. Note that this is purely while the data resides on disk: as data is written to disk it is encrypted, and as it is read from disk it is decrypted.
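As an added illustration (not from the deck or the CalCloud portal), the Python below encodes the two BUR tiers above and checks a VM's restore-point history against them: gaps longer than the tier's RPO, which restore points are still inside the retention window, and the worst-case data loss for a failure at a given time. The snapshot timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Tier parameters as stated on the slide:
# Tier 1 BUR: RPO 1 hour, retention 24 hours; Tier 2 BUR: RPO 24 hours, retention 14 days.
BUR_TIERS = {
    1: {"rpo": timedelta(hours=1), "retention": timedelta(hours=24)},
    2: {"rpo": timedelta(hours=24), "retention": timedelta(days=14)},
}


def rpo_gaps(tier, restore_points, now):
    """Intervals between consecutive restore points (and from the newest one to `now`) longer than the RPO."""
    rpo = BUR_TIERS[tier]["rpo"]
    points = sorted(restore_points) + [now]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > rpo]


def retained(tier, restore_points, now):
    """Restore points that are still inside the tier's retention window at time `now`."""
    keep = BUR_TIERS[tier]["retention"]
    return [p for p in sorted(restore_points) if now - p <= keep]


def data_loss_window(tier, restore_points, failure_time):
    """Worst-case data loss for a failure at `failure_time`: age of the newest restore point that is
    not after the failure and still retained. None means nothing is left to restore from."""
    usable = [p for p in retained(tier, restore_points, failure_time) if p <= failure_time]
    return failure_time - usable[-1] if usable else None


# Constructed sample data (not from the deck): hourly Tier 1 snapshots over 26 hours,
# with the 14:00 snapshot missing, checked at 09:30 the following day.
START = datetime(2015, 11, 3, 8, 0)
TIER1_SNAPSHOTS = [START + timedelta(hours=h) for h in range(26) if h != 6]
NOW = datetime(2015, 11, 4, 9, 30)

if __name__ == "__main__":
    for a, b in rpo_gaps(1, TIER1_SNAPSHOTS, NOW):
        print(f"Tier 1 RPO exceeded: no restore point between {a:%m-%d %H:%M} and {b:%m-%d %H:%M}")
    print("Tier 1 restore points still retained:", len(retained(1, TIER1_SNAPSHOTS, NOW)))
    print("Worst-case data loss if the VM failed now:", data_loss_window(1, TIER1_SNAPSHOTS, NOW))
    # One daily backup satisfies Tier 2 today, but has aged out of retention 15 days later.
    print("Tier 2 loss today:", data_loss_window(2, [START], NOW))
    print("Tier 2 loss 15 days later:", data_loss_window(2, [START], START + timedelta(days=15)))
```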
CalCloud Infrastructure Disaster Recovery (IDR)
- Tier 1: RTO = 1 hour, RPO = 1 hour
- Tier 2: RTO = 96 hours, RPO = 24 hours
Introducing… David Langston, Branch Chief, Security Management, California Department of Technology
CalCloud Security General
- Provide services that meet the operational and compliance requirements of the State: SAM/SIMM; NIST; FedRAMP where applicable; other regulatory if/where applicable.
- Ensure that vendors are conforming to best security practice.
CalCloud IaaS Security Goals
- Provide a service that is equally or more secure than that which can be provided with a physical, dedicated infrastructure.
- Support both mission-critical and non-mission-critical systems.
- Provide an infrastructure that can meet the operational and compliance requirements of the State and supported agencies.
CalCloud IaaS Security Stack
CalCloud provides a comprehensive and tiered security model:
- Base Level Security Profile: The Federal Risk and Authorization Management Program (FedRAMP v2, includes NIST 800-53 Rev 4)
- IBM + California Dept of Technology Security Controls (ISeC) (CalCloud Information Security Controls)
- Hosted inside the California Dept of Technology’s data centers and inside Department of Technology firewall(s)
- Workload Specific Security: HIPAA, PCI DSS, IRS 1075, SSA, other
CalCloud IaaS Security Controls
- A formal security control program is in place (based on IBM ISeC processes, cloud experience, and FedRAMP v2).
- ~325 FedRAMP controls assessed against 25+ domains.
- Compliance support to other authorities available (infrastructure controls only).
- CalCloud security controls can be shared with customer security personnel under strict controls and agreements.
CalCloud IaaS Security Key Elements
- Encrypted Two-Factor Authenticated Sessions
- Cloud Border Security
- Admin Access Only from Territorial U.S.
- Log of All Administrative Actions
- Least Privilege and Separation of Duties Practice
- Data are Property of the State
- Infrastructure Hardening
- Coordinated Security Incident Handling
- Vendor(s) Background Checked
- Encryption at Rest (Option)
- Coordinated Change Control
- Security Awareness Training Including IRS Disclosure
- Strong Tenant Isolation
- Coordinated OS Patching
- No Shared Credentials
- Isolated Security Tiers (network)
- Configuration and Vulnerability Monitoring
- Controlled Administrative Access
CalCloud IaaS - Security Compliance Status
- CDT “Authorization to Operate” based on FedRAMP v2 signed in Sept 2015.
- Major documents and processes in place: System Security Plan; Security Assessment Report; POAM tracking process; Privacy Threshold and Impact Report; annual review process.
CalCloud IaaS Security Then and Now
- FedRAMP program contacted to begin formal recognition.
- Currently, FedRAMP is very Federal Gov’t centric with no State provisions.
- Formal recognition by FedRAMP generally requires a Federal agency sponsor.
- FedRAMP “interested” in State/Local participation but specifics not yet determined.
- Likely 18 - 36+ months to work with FedRAMP on a State version of FedRAMP and to obtain formal recognition.
CalCloud IaaS - Security Dialog - Tenant Space (diagram: CalCloud IaaS Infrastructure with Tenant Zone #1, Tenant Zone #2, … Tenant Zone #n)
Questions & Answers
For more information, visit marketing.dts.ca.gov/calcloud and servicecatalog.dts.ca.gov/services/cloud/calcloud/calcloudoverview.html
Thank you for coming!