ML18022B135

| ML18022B135 | |
|---|---|
| Person / Time | |
| Issue date: | 11/27/2017 |
| From: | NRC/OCIO/GEMSD/EAB |
| To: | |
| References | |
| Download: | ML18022B135 (12) |
Cloud Computing Training for IT CORs and Project Managers
11/27/2017

Table of Contents
1 Strategy and Planning for Cloud Computing Projects ........ 1
2 Required Cloud Computing Concepts Training ........ 1
3 Additional Knowledge for Sharing ........ 1
4 Other Cloud Computing Resources ........ 11

1 Strategy and Planning for Cloud Computing Projects

Be familiar with the content in the following resources:
- NRC Cloud Computing Strategy, Version 1.3 (ML17354A636)
- Project Management Methodology (PMM) and PMM 2.0 website (http://pmocentral.nrc.gov/)
- Planning and Preparation Approach for Acquisition of Public Cloud Services, Version 1.2 (ML17352A737)
2 Required Cloud Computing Concepts Training

Complete the online training course An Introduction to Basic Cloud Concepts (Course cc_uccf_a01_it_enus) in iLearn by March 31, 2018.

3 Additional Knowledge for Sharing

This section captures additional cloud computing knowledge previously shared with OCIO management and functional leads.

3.1 What is the Cloud and What are the Benefits?
3.1.1 Essential Cloud Characteristics

- On-demand self-service
  o Consumer can unilaterally provision computing capabilities, such as server time and network storage
  o Provisioning as needed, automatically, without requiring human interaction with each service provider
- Broad network access
  o Capabilities:
    Available over the network
    Accessed through standard mechanisms
    Promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations)
- Resource pooling
  o Provider's computing resources are pooled to serve multiple consumers using a multi-tenant model
  o Different physical and virtual resources are dynamically assigned and reassigned according to consumer demand
  o Location independence, in that the customer generally has no control or knowledge over the exact location of the provided resources
  o Resources include, for example, storage, processing, memory, and network bandwidth
- Rapid elasticity
  o Capabilities can be rapidly and elastically provisioned
  o Provisioning can be performed automatically
  o Scales rapidly outward and inward commensurate with demand
  o Capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time
- Measured service
  o Cloud systems automatically control and optimize resource use by leveraging a metering capability
  o Usually pay-per-use or charge-per-use
  o Use is at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts)
  o Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the service

3.1.2 Cloud Computing Service Models

- Software as a Service (SaaS)
  o Service provider owns, maintains, and operates the environment required to support the complete lifecycle of building and delivering web-based (cloud) services
  o Software or an application that runs over the Internet on computers owned and operated by the service provider
  o Eliminates the need to own, operate, and maintain your own servers and software
  o Platform independent
  o Can be used on a workstation, laptop, tablet, or smartphone if you choose
  o Customer provides security on their end of the connection and on their devices
  o NRC example: Office 365
- Platform as a Service (PaaS)
  o Service provider owns, maintains, and operates the environment required to support the complete lifecycle of building and delivering web-based (cloud) applications
  o Customer develops the needed applications
  o Customer provides security on their end of the connection, on their devices, and on their applications, and defines how applications are used
  o Examples:
    Amazon: Amazon DynamoDB, a highly scalable, fully managed NoSQL database service
    Azure: Azure SQL Database
- Infrastructure as a Service (IaaS)
  o Service provider owns, maintains, and operates the physical environment and hardware, such as servers and networking
  o Customer owns, operates, and maintains the operating systems and software
  o Customer provides security for the operating systems and software (patching, configuration, etc.), on their end of the connection, on their devices, and on their applications, and defines how applications are used
  o NRC examples: HPC, FAIMIS

3.1.3 Cloud Computing Deployment Models

- Private cloud
  o Provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units)
  o May be owned, managed, and operated by the organization, a third party, or some combination of them
  o May exist on or off premises
- Community cloud
  o Provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations)
  o May be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and may exist on or off premises
- Public cloud
  o Provisioned for open use by the general public
  o May be owned, managed, and operated by a business, academic, or government organization, or some combination of them
  o Exists on the premises of the cloud provider
- Hybrid cloud
  o Composition of two or more distinct cloud infrastructures (private, community, or public)
  o Each infrastructure remains a unique entity
  o Infrastructures are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds)

3.1.4 Cloud Computing Benefits

- Patch once: spin unpatched instances down and spin patched instances up
- Pay only for what is used
- Increased scalability
- Increased availability
- Standardization that enables greater extension of capabilities

3.2 What Should We Move to the Cloud?
- Some systems/applications/services are more suitable for the cloud
  o Services offered as SaaS that we can live with
  o Service-oriented applications
- Some systems/applications/services are less suitable for hosting in a cloud environment
  o Non-standard implementations (e.g., ADAMS)
  o Too tightly coupled with other implementations
  o Hardware dependencies (e.g., tied to a hardware appliance, tied to a server MAC address)
- Benefits of the cloud are achieved by conforming to standards and applying service models
- Often, re-engineering or re-architecting is required to reap the benefits of the cloud
- An application's performance in the cloud is dictated by its design
  o Applications designed specifically for the cloud achieve the best performance
  o The ability of the application to scale (use or release resources according to demand) is important
- Effective cloud applications are tightly coded and not easily affected by storage and network latencies
- Forklifting an application to the cloud often creates more issues than not moving the application to the cloud
- Using an architecture that allows scaling different workload elements independently enables more efficient use of cloud resources
- Optimization or even a fundamental redesign of applications can result in substantial benefits

3.3 Moving Systems/Applications/Services to the Cloud

3.3.1 Preparation for Movement to the Cloud

- Must separate the data from the software
- Most systems/applications/services moving to the cloud require one of the following migration strategies:
  o Rehost (lift and shift): direct port to the cloud
  o Replatform (lift, tinker, and shift): move to a cloud-supported latest version of hardware and operating system
  o Repurchase (drop and shop): move to a different product
  o Refactor: redesign the solution to take advantage of cloud technologies; offers the greatest benefit after using an existing cloud service
- Different skills are required to accomplish each

[Figure 1 - Six Common Application Migration Strategies (Source: Amazon Web Services)]

3.3.2 Rehosting

- Also known as Lift and Shift
- Can be accomplished if the system/application/service has an environment similar to the cloud environment
- Pros:
  o Requires minimal effort and time
  o Lowest cost and time to the cloud
- Cons:
  o Moves existing issues to the cloud
  o Does not take advantage of cloud-native services
  o May actually reduce performance and capabilities
  o May cost more than keeping the system in the data center

3.3.3 Replatforming

- Prior to moving to the cloud, the system/application/service must be capable of executing on current technologies
- Replatforming is required when the source and destination environments don't match
- Replatforming may be desired when a new platform can take better advantage of cloud capabilities
- Pros:
  o Applications typically offer higher performance
  o Applications can be optimized to operate at lower cost, resulting in lower costs in the long term
- Cons:
  o Requires development, test, QA, validation, and re-training
  o Much higher initial cost, since much of the application must change
  o Slower time to deployment
  o Specialized skills are required, including application, business logic, cloud, and specific cloud-native services

3.3.4 Refactoring

- Refactoring is necessary if the existing application is poorly written or designed
- Refactoring can enable better performance, better scalability, or cost savings
- Optimizing use of resources will reduce costs, whereas not optimizing use of resources could result in higher cloud costs than not moving to the cloud
- Partial refactoring modifies portions of the application to take advantage of the cloud
- Complete refactoring modifies most of the application
- Refactoring an existing data center application requires changes to take advantage of cloud infrastructure services

3.3.5 Partial Refactoring

- Pros:
  o Only parts of the application are modified, requiring development, test, QA, validation, and re-training
  o Faster migration and deployment than complete refactoring
  o Better performance in the cloud than a direct port
  o Lower cloud operating costs than a direct port
- Cons:
  o Initial costs higher than a direct port to the cloud
  o Takes longer to get to the cloud than a direct port
  o Specialized skills are required, including application, business logic, cloud, and specific cloud-native services
  o Only takes advantage of some features of the cloud
  o May cost more to operate in the cloud than complete refactoring

3.3.6 Complete Refactoring

- Pros:
  o Applications typically offer higher performance
  o Applications can be optimized to operate at lower cost, resulting in lower costs in the long term
  o Better performance in the cloud than a direct port or partial refactoring
  o Lower cloud operating costs than a direct port or partial refactoring
- Cons:
  o Most of the application is modified, requiring development, test, QA, validation, and re-training
  o Much higher initial cost, since much of the application must change
  o Slower time to deployment than a direct port or partial refactoring
  o Specialized skills are required, including application, business logic, cloud, and specific cloud-native services

3.4 How FedRAMP Helps Movement to the Cloud

3.4.1 What is the Federal Risk and Authorization Management Program (FedRAMP)?
- Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services
- Result of close collaboration with cybersecurity and cloud experts from:
  o General Services Administration (GSA)
  o National Institute of Standards and Technology (NIST)
  o Department of Homeland Security (DHS)
  o Department of Defense (DOD)
  o National Security Agency (NSA)
  o Office of Management and Budget (OMB)
  o Federal Chief Information Officer (CIO) Council and its working groups
  o Private industry

3.4.2 FedRAMP Goals

- Accelerate the adoption of secure cloud solutions through reuse of assessments and authorizations
- Increase confidence in the security of cloud solutions
- Achieve consistent security authorizations using a baseline set of agreed-upon standards to be used for cloud product approval in or outside of FedRAMP
- Ensure consistent application of existing security practices and increase confidence in security assessments
- Increase automation and near-real-time data for continuous monitoring

3.4.3 FedRAMP Benefits

- Increase re-use of existing security assessments across agencies
- Save significant cost, time, and resources: do once, use many times
- Improve real-time security visibility
- Provide a uniform approach to risk-based management
- Enhance transparency between government and Cloud Service Providers (CSPs)
- Improve the trustworthiness, reliability, consistency, and quality of the Federal security authorization process
- FedRAMP-compliant CSPs are cloud systems that have security packages reflecting the completion of the FedRAMP Security Assessment Framework
- NRC can leverage the compliant CSPs, reducing costs to NRC

3.4.4 Initial Information Needed to Determine Authorization Path

- System Security Categorization
  o Information types NRC will use with the system
- Privacy Threshold Analysis or Privacy Impact Assessment
  o Assessment of privacy content in information NRC will use with the system
- Scope of NRC need
- CSP authorization scope
- CSP FedRAMP documentation

3.4.5 Initial Questions

- Is the security categorization consistent with the CSP FedRAMP authorization (e.g., confidentiality, integrity, and availability sensitivity levels)?
- Does the CSP FedRAMP authorization include all the capabilities NRC needs?

3.4.6 Authority to Use Determination

- If
  o the security categorization is consistent with the NRC information to be used with the CSP system, and
  o NRC is using exactly what was authorized by FedRAMP and nothing more or different
- Then
  o OCIO analyzes the FedRAMP package to ensure the FedRAMP authorization is fully understood
  o Authorization is obtained using NRC's CSO-PROS-1325, Authority to Use Process

3.4.7 Authority to Operate Determination

- If the CSP solution is appropriate to meet NRC needs, the effort will need to be appropriately coordinated with OCIO:
  o OCIO analyzes the FedRAMP package to ensure the FedRAMP authorization is fully understood
  o Differences between what FedRAMP authorized and the full and complete NRC implementation are identified
  o Requires assessment of controls not part of the FedRAMP authorization
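The two questions in 3.4.5 and the If/Then logic of 3.4.6 and 3.4.7 amount to a decision procedure, shown below as an added worked example (it is not NRC code and not the CSO-PROS-1325 process itself). It assumes FIPS 199 impact levels ordered Low < Moderate < High, a FedRAMP authorization represented as one impact level plus the set of services it covers, and an NRC need represented as a C/I/A categorization plus the set of services NRC intends to use; the CSP and NRC sample data are constructed for the example.

```python
"""Authority to Use vs. Authority to Operate path selection (sections 3.4.5 to 3.4.7).

Added worked example, not NRC's code. Assumptions: FIPS 199 impact levels are
ordered Low < Moderate < High; a FedRAMP authorization is modelled as a single
impact level plus the services it covers; NRC's need is modelled as a C/I/A
categorization plus the services NRC intends to use. Sample data is constructed.
"""
from dataclasses import dataclass

# FIPS 199 impact levels in increasing order (assumption stated above)
IMPACT_ORDER = {"Low": 0, "Moderate": 1, "High": 2}


@dataclass(frozen=True)
class SecurityCategorization:
    """NRC's security categorization of the information it will use with the system."""
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for level in (self.confidentiality, self.integrity, self.availability):
            if level not in IMPACT_ORDER:
                raise ValueError(f"unknown impact level: {level!r}")


@dataclass(frozen=True)
class FedRampAuthorization:
    """Hypothetical representation of what the CSP's FedRAMP package covers."""
    impact_level: str
    authorized_services: frozenset


@dataclass(frozen=True)
class NrcNeed:
    """Hypothetical representation of the scope of NRC's need (section 3.4.4)."""
    categorization: SecurityCategorization
    services_needed: frozenset


def categorization_consistent(cat: SecurityCategorization, auth: FedRampAuthorization) -> bool:
    """Section 3.4.5, question 1: each of NRC's C/I/A levels must not exceed
    the level the CSP was authorized at."""
    ceiling = IMPACT_ORDER[auth.impact_level]
    return all(IMPACT_ORDER[level] <= ceiling
               for level in (cat.confidentiality, cat.integrity, cat.availability))


def uncovered_services(need: NrcNeed, auth: FedRampAuthorization) -> frozenset:
    """Section 3.4.5, question 2: capabilities NRC needs that the FedRAMP
    authorization does not include. A non-empty result means NRC would be
    using "more or different" than what was authorized (section 3.4.6)."""
    return need.services_needed - auth.authorized_services


def determine_path(need: NrcNeed, auth: FedRampAuthorization) -> dict:
    """Route to the Authority to Use path (3.4.6) only when both conditions
    hold; otherwise route to the Authority to Operate path (3.4.7) and report
    what must be assessed beyond the FedRAMP package."""
    consistent = categorization_consistent(need.categorization, auth)
    gaps = uncovered_services(need, auth)
    if consistent and not gaps:
        return {"path": "Authority to Use", "process": "CSO-PROS-1325",
                "categorization_consistent": True, "uncovered_services": frozenset()}
    return {"path": "Authority to Operate",
            "process": "OCIO-coordinated assessment of controls not part of the FedRAMP authorization",
            "categorization_consistent": consistent, "uncovered_services": gaps}


if __name__ == "__main__":
    # Constructed sample: a CSP authorized at Moderate for two services
    csp = FedRampAuthorization("Moderate", frozenset({"object-storage", "virtual-machines"}))
    within_scope = NrcNeed(SecurityCategorization("Moderate", "Moderate", "Low"),
                           frozenset({"object-storage"}))
    extra_service = NrcNeed(SecurityCategorization("Moderate", "Moderate", "Low"),
                            frozenset({"object-storage", "managed-database"}))
    print(determine_path(within_scope, csp)["path"])   # Authority to Use
    print(determine_path(extra_service, csp)["path"])  # Authority to Operate
```

The per-dimension comparison is the point: a single "Moderate" label on the CSP package says nothing about NRC's data until each of NRC's confidentiality, integrity, and availability levels has been checked against it, and any service outside the authorized set moves the effort onto the ATO path regardless of how well the levels line up.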
3.5 How Will the Cloud Impact Our Network Architecture?

3.5.1 Overview

- Cloud computing moves the data and transactions to a new location
- Users interact with the cloud from their current location (e.g., office, on the road, on travel, telework)
- Users use a variety of devices to perform functions
- Transactions need to occur from user locations to cloud locations while meeting federal Trusted Internet Connection requirements
- Processing shifts from user devices to cloud devices
- Typical network architectures were built for local processing, data storage, and transmission
- The typical network architecture will not perform well in the cloud-based model

3.5.2 Data Centers

- Data center to data center communication is required to put data/workload in proximity to users
- Users are in different geographic locations
- Quality of service requires optimizing the co-location of services with users
- Movement of virtual machine work can enable this by following the work

3.5.3 Network Architecture Requirements

- Architecture must:
  o Ensure security of data during transmission and at rest
  o Optimize communication between data centers and with the user
  o Be elastic in terms of transmissions
  o Ensure appropriate routing for effective performance
  o Be capable of supporting a variety of end-user devices and transmission types
  o Be application aware to enable prioritization of delivery

3.6 Service Pricing Models

- SaaS: pricing is primarily on a per-user, per-month basis, though there may be different levels based on storage requirements, contractual commitments, or access to advanced features
- PaaS and IaaS: pricing models are more granular, with costs for consumption of specific resources or resource sets

4 Other Cloud Computing Resources

Recommended resources for IT CORs and Project Managers.
- Introduction to Cloud Computing
  o Cloud Computing: A Self-Teaching Introduction (https://ilearnnrc.skillport.com/skillportfe/main.action#summary/BOOKS/RW$52822_ss_book:128097)
- Cloud Project Management
  o Managing a Cloud Computing Project (https://www.itworldcanada.com/blog/managing-a-cloud-computing-project/374832)
  o Cloud Computing: The New Strategic Weapon (https://www.pmi.org/-/media/pmi/documents/public/pdf/white-papers/cloud-computing.pdf)
  o Important Causes of Failure in Cloud Computing Projects (https://www.simplilearn.com/cloud-computing-projects-failure-causes-article)
  o Cloud Computing Management (online course) (https://www.edx.org/course/cloud-computing-management-usmx-umuc-cc607x) - Learn methods for managing cloud computing projects and build an understanding of the various risks and compliance issues involved.
- Economics
  o Be Wary of the Economics of Serverless Cloud Computing (http://ieeexplore.ieee.org/document/8077240/)
- Industry Best Practices and Guidance
  o Migrating Applications to Public Cloud Services: Roadmap for Success (http://www.cloud-council.org/deliverables/migrating-applications-to-public-cloud-services-roadmap-for-success.htm)
  o Migrating Applications to the Cloud: Assessing Performance and Response Time Requirements (http://www.cloud-council.org/deliverables/migrating-applications-to-the-cloud-assessing-performance-and-response-time-requirements.htm)
  o Practical Guide to Cloud Service Agreements (http://www.cloud-council.org/deliverables/practical-guide-to-cloud-service-agreements.htm)
  o Public Cloud Service Agreements: What to Expect and What to Negotiate (http://www.cloud-council.org/deliverables/public-cloud-service-agreements-what-to-expect-and-what-to-negotiate.htm)
- Selected Cloud Service Provider Resources
  o Amazon Web Services (AWS)
    AWS Cloud Adoption Framework (https://aws.amazon.com/professional-services/CAF/)
    Resources for Migrating to AWS (https://aws.amazon.com/cloud-migration/)
  o Microsoft Whitepapers (https://azure.microsoft.com/en-us/resources/whitepapers/)
    Enterprise Cloud Strategy (https://azure.microsoft.com/en-us/resources/enterprise-cloud-strategy/en-us/)