Professional Documents
Culture Documents
TABLE OF CONTENTS
1 2 3 4 5
Opening Comments by Vivek Kundra...................................2 NIST Cloud Computing Definition Discussion........................2 Benefits of Cloud Computing................................................3 Top 5 Issues for Vendors......................................................3 Domain Specific Discussion Topics.......................................4 5.1 Certification & Accreditation of the Cloud.....................4 5.2 Pricing..........................................................................4 5.3 Standards.....................................................................4 5.4 Accessibility/ID Management........................................5 5.5 Data Security................................................................5 5.6 Data Portability/Interoperability....................................6 5.7 Application Development and Portability......................6 5.8 Acquisition/Procurement...............................................7 6 Other Discussion Areas........................................................8 7 Overall Findings Cloud Computing PMO.............................9 8 Statements, Questions and Answers .................................10 9 Action Items.......................................................................12 9.1 Overall Model, Architecture, and Definition................12 9.2 Process Considerations Security, Acquisition, Business Case............12 9.3 Testbed/Sandbox........................................................13 9.4 Market Research........................................................13 9.5 Communications.........................................................13 9.6 Ongoing Collaboration................................................13 9.7 Administrative............................................................13 10 Appendix A Deployment Model Matrix...........................14 11 Appendix B Hybrid Cloud Concept Model.......................15 12 Appendix C Cloud Computing Definition........................16 12.1 Definition..................................................................16 12.2 Key Characteristics:..................................................16 12.3 Delivery Models........................................................17 12.4 Deployment Models..................................................17 12.5 References...............................................................18 13 Appendix D Summit Attendees......................................18 13.1 Attendee List - Morning Session................................18 13.2 Attendee List Afternoon Session............................20
The cloud is based on elasticity therefore, there needs to be elasticity in the way the Government pays for it. It was also noted that: Pay per Use was included by NIST because it serves as a feedback loop if people arent paying for a service then it exists unnecessarily. Pay per Use can be a way to meter consumption Recommendation: Replace pay per use with metered method to charge for use. o Location Independence Recommendation: Change this phrase to location aware o Recommendation: The ability of the cloud to respond to changing requirements over time should be included.
5.2 Pricing
o The tiered model also works for pricing more security, less standardization higher costs o Microsoft is exploring a pricing model that allows for meeting demands (elastic) within a rigid government budget. o Government may be willing to trade some cost benefits for cost predictability o Pricing models can be developed to meet customer needs o The types of applications deployed on the cloud may require different pricing models o Pricing models may have to be developed for large and small uses of cloud services
5.3 Standards
o Redefining standards could be useful because it would force businesses/vendors to adopt them. o Too early to impose most standards may limit innovation.
o Standardization on APIs and Storage is recommended for now. The Government could use its purchasing power to drive standardization. o Standards should be designed for common items to ensure portability. o NIST wants to be a catalyst for industry to work together. o There is a trade association of cloud computing vendors who are working to advocate for the use of cloud computing solutions and working on standards. o Cloud solutions need to be based on open standards o Need database standards in the near future. For now, databases will remain where they are but in the future they will be front ended with the cloud. o Standardization should not be placed on developers but on architectures. o Should have portability built in. o There are two types of standards: Where you interact with the cloud and how cloud providers interact with each other. o Consider application layer messaging/communications standards. Think about the middle o Move to platform independent languages o Items such as web app services and databases should be standardized because there is no massive innovation at the operating level,
o The Cloud can make apps and data more secure because standardized processes and procedures are in place. . o Note: A lot of Government data is not encrypted now so if we deploy a cloud that requires encryption, then overall security will be improved. o Encryption is key o Access rights can be pre-defined at the application level. o Customers can encrypt data themselves. Sun/Oracle have tools that perform encryption on the fly (before data is sent into the cloud). o Health Information/HIPPA Compliance There are customers that store health records in the cloud. Point decisions need to be taken. o Access security can be role-based o Separation of duties is easier to ensure in a cloud environment
Application development in the cloud forces applications to become portable. Agencies should be able to reuse C&Ad resources from another cloud. Clouds should be developed at a agency level in a development/test environment and then be moved over into the Federal Cloud.
5.8 Acquisition/Procurement o Knowledge and understanding of the FAR is limited o Use of cloud computing services should be encouraged in the acquisition process o Recommendation: OMB should ask agencies to identify applications/services that are candidates for deployment in the cloud. This would facilitate capital planning and investment in cloud computing. o The number and complexity of existing contract vehicles is cumbersome. Consider a Cloud Computing-specific GWAC. o Need a procurement process around cloud that incentivizes reuse o DISA has innovative contracting models: i.e. Have a CLIN for racking a blade and a CLIN for renting the blade per month. Can scale up or down as needed on a monthly basis.
These findings were made by the Cloud Computing PMO as a result of their research and analysis before the summit but supported by the discussion that occurred at the event. o While cost reduction will be the primary stated benefit for agencies adopting services, there are a variety of other benefits that can be cited depending upon the type of implementation (Benefits were cited in Section 3 of this document). o There is not an industry-wide standard for pricing, vendors are still tailoring pricing on different offerings. However, pricing will likely be influenced by the following: volume, SLAs, storage, requested service levels, additional services (software, development, etc.), and customization of offerings. o A Federal Certification and Accreditation process that could reduce the burden on vendors and agencies to do C&A activities in each implementation would facilitate the acquisition of cloud services, improve the ability of agencies to adopt these services, and reduce associated costs. o A tiered structure can offer an easy way to think about separating security risks, however, it does not have to completely define how agencies make use of cloud computing service providers. For example, a Public Cloud offering, can still potentially meet sensitive data security requirements. One should not assume that sensitive data must necessarily exist only in a Private Cloud environment. o The Federal government will likely have to drive efforts around cloud to cloud interoperability as industry does not have an overwhelming motive to do so on their own, their business models understandably largely center on vendor lock-in. o The largest stumbling block for effective adoption of cloud computing services are the governments budgetary, acquisition/procurement, and security certification processes. o The government needs to develop use cases and specific requirements around desired functionality in order for industry to align its offerings for government use. o Aggregation of demand across agency lines is vital, but whats most important is how that aggregation and resulting procurement and implementation is handled. o A common testbed environment should be created to test and pilot different architectures and service offerings, reducing the
need for agencies to develop separate siloed test environments across the Federal community. o The government should develop policy around the portability of data and the ability to exercise an exit strategy for both data and applications. 8
The statements were made by participants during the discussion. The Questions and Answers were part of the group discussion and are not official responses. o Anything you can get from a system now, you can get from the cloud o Consider not having private clouds since cloud providers should be trusted o Question: In a cloud environment, do we want to risk exposing one agency to another that doesnt follow the same security rules: Answer: This is a choice between private vs public clouds or public vs private administrative storage. Its important to manage the risk and not the implementation. o Question: What about the need to plug in single purpose machines Answer: This is not an issue it is common to Fortune 100 companies. o If you want to move to a cloud over time, stop paying attention to operating systems and concentrate on web stacks. o The cloud should provide a collaborative environment where people can try application development. o Demand aggregation is a key issue. o Grassroots adoption should be the model. o Tier services are the way to address security and interoperability concerns o Cloud environment allows better control of poor coding o Any tool that is operational now such as 508 compliance tools can be operational in a cloud o Risks should be fully defined and transparent. Better understanding allows for better mitigation o Companies must also provide approaches to meet COOP requirements. o Each Federal agency should NOT set up their own cloud would not realize efficiencies of sharing resources o Recommendation: Government should develop ways to aggregate demands to get economies of scale (aggregation is a given, how demand is aggregated is whats important) o Risk avoidance is a major obstacle to effective cloud computing deployment o Vendors would like to see the Governments requirements for cloud computing.
10
o The overall view is that the Government will not use public clouds but will put up private clouds. o Virtualization should be mandated. o Applications need to be portable and to be able to fail gracefully. This is enabled through built in redundancy. o Many deployments are private which give the customer 60-70% of the benefits of cloud computing. The only difference is the capital expense. o Cloud Computing is a technical, architecture, and governance refresh. o At DoD, and some other agencies, the CIO does not have the authority to tell someone at the program level to move their application to a virtual machine. o DISA has a hard network perimeter so everything is naturally protected. There is nothing equivalent to this on the Federal Civilian side.
11
Action Items
Ownership of action items is still being determined but the Cloud Computing PMO has already initiated activity on several of the items and will coordinate with the Cloud Computing Working Group to identify an action plan.
Address Security in the definition The ability of the cloud to respond to changing requirements over time should be included. o Consider standardization on common items such as APIs, Storage 9.2 Process Considerations Security, Acquisition,
Business Case
o Pursue standardization of Certification and Accreditation processes/requirements per tier. o Examine the possibility of establishing a Cloud Computing-specific GWAC o The Vendor Community should submit success stories highlighting cost savings/improved performance through ACT/IAC 12
9.3 Testbed/Sandbox
Examine establishing a portal of tools (application development/testing/etc) like a sandbox environment - for use by Federal Agencies o Examine the possibility of establishing a development and test cloud where Government developers can perform application development
o
9.5 Communications
o Consider issuing a mandate, or other note from OMB, encouraging the move towards cloud computing. Most vendors felt that without a mandate, and incentives, agencies would hesitate to make a transition to cloud computing
9.7 Administrative
o Post Cloud Computing Summit Questions online through ACT/IAC o Post NIST definition
13
10
Private Cloud: The cloud infrastructure is owned or leased by a single organization and is operated solely for that organization. Community Cloud: (The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, and compliance considerations) Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (internal, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting) Public Cloud: Cloud infrastructure is owned by an organization selling cloud services to the general public or to a large industry group)
C m o m u it n y Cou l d
P iv r a teC loud
Hb y ri dC loud
XX
XXX
XXX
Inra t u t r L c t n f s r c u e o a io O -P m e(In rn l or b h dth fire a n re is te a e in e w ll) O re is (e te a or ou id th fire a ff-P m e x rn l ts e e w ll) O e aio sM d l pr t n o e (re p n ib p rtyfor a p in th s c rityc n s o s le a p ly g e e u o trols , p tc in , e ) a h g tc S rv eP v e O e te e ic ro id r p ra d G v rn e t O e te o e m n p ra d T irdP rtyV n o O e te h a e d r p ra d G vr ac Mdl o en n e o e (R s on ib p rtyfo e s rin c m lia c to e p s le a r nu g o p n e p lic sa ds n a s e ) o ie n ta d rd , tc S rv eP v e e ic ro id r G v rn e t o e mn T irdP rtyV n o h a edr D t S c r yL v l aa e u it e e Lw o Mod ra e te H h ig Cs Mdl ot o e U fron C p l e p n itu p t a ita x e d re O g gs p or c s n oin u p t o t D m n b s dS rv efe e a d a e e ic e T et d p y im o e lo Im e ia m d te Midte rm L n te o g rm A c s ib a dC n u e B c e s le n o s m d y A m Ue d in s rs T s dC s m rs m lo e s C tra tors ru te on u e (E p y e , on c ) Pu licC n u e (A th riz dtoc s m s rv e b t n le a ap rt b o s m rs u o e on u e e ic s u ot g lly a of th o a iz tion ov rn e t) e rg n a /G e m n S rv eT p s e ic y e C e E g g m n S rv e itiz n n a e e t e ic s S oftw re s -S rv e(S a ) a -a -a e ic a S Pla rm s -S rv e(P a ) tfo -a -s e ic a S In s c re s -S rv e(Ia S fra tru tu -a -a e ic a ) T d ra ition l h tin S rv e a os g e ic s
X X
X X
X X
XXX
XXX
XXX
XXX
XXX
XX
XX
X X
X X
XX X
XX
XX
XX
XXXXX
XXXX
XXXX
XXXX
XX
Pb u li cC o l u d
14
11
15
12
12.1 Definition
Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is comprised of five key characteristics, three delivery models, and four deployment models.
16
17
Note 2: The cloud computing industry represents a large ecosystem of many models, vendors, and market niches. This definition attempts to encompass all of the various cloud approaches.
12.5 References
The source of this working definition is the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL). The final version is to be published in the upcoming NIST Special Publication on Cloud Computing and Security.
13
13.1
Susie Adams Microsoft Ken Allen ACT-IAC Rod Boothby Joyent Michael Bradshaw Google Doug Brown NetSuite Dan Burton Salesforce.com Reuven Cohen Enomaly
Casey Coleman General Services Administration Michael Crandell RightScale John DeVoe Salesforce.com Martha Dorris General Services Administration Dave Durkee
18
National Institute of Standards and Technology Dave Mihalchik Google Carl "CJ" Moses Amazon Web Services Kshemendra Paul Office of Management and Budget Charles Piercy National Archives and Records Administration Megan Price ACT-IAC Richard Reiner Enomaly Daniel Risacher Department of Defense Mark Ryland Microsoft Steve Schmidt Amazon Web Services Paul Sforza Department of Treasury John Shea Department of Defense Carl Staton Department of Energy Pat Stingley Department of the Interior George Strawn National Science Foundation Pete Tseronis Department of Energy William Turnbull Department of Energy Jeremy Warren Department of Justice
Gary Washington Office of Management and Budget Philip Wenger Office of Management and Budget Thomas Wiesner Department of Labor Steve Wright Department of Labor David Young Joyent
19
13.2 Attendee List Afternoon Session Ken Allen ACT-IAC Bert Armijo 3Tera Jere Carroll Dell Bill Coleman Cassatt Corporation Casey Coleman General Services Administration John DiCarlo Sun Microsystems Martha Dorris General Services Administration Seth Finkel ServerVault Rick Fleming Hewlett Packard Tim Grance National Institute Technology of Standards and Harel Kodesh EMC Vivek Kundra Office of Management and Budget Carmen Lannacone Smithsonian Institute Katie Lewin General Services Administration Sarah Lindenau ACT-IAC Harris Loeser GoGrid Pat Matthews RackSpace Peter Mell National Institute of Standards and Technology Michael Moomaw IBM Forrest Norrod Dell Kshemendra Paul Office of Management and Budget Timothy Pavlik IBM Matt Pfeil RackSpace Charles Piercy National Archives and Records Administration Michael Howell Office of Management and Budget Dave Hurry National Security Agency Shannon King EMC John Pozadzides Layered Tech Megan Price ACT-IAC Daniel Risacher Department of Defense
Margie Graves Department of Homeland Security Bruce Hart Terremark Jerry Horton Department of Agriculture
Akamai Technologies Dave Ryan Hewlett Packard Paul Sforza Department of Treasury John Shea Department of Defense Carl Staton Department of Energy Pat Stingley Department of the Interior George Strawn National Science Foundation John Summers Akamai Technologies Pete Tseronis Department of Energy William Turnbull Department of Energy Robbie Vann-Adibe 3Tera Bill Vass Sun Microsystems Jeremy Warren Department of Justice Gary Washington Office of Management and Budget Philip Wenger Office of Management and Budget Thomas Wiesner Department of Labor Annie Williams Terremark Steve Wright Department of Labor David Yoon