Government Cloud Service Models
Cloud Computing East 2014
Christopher Grady, President – Clear Government Solutions
[email protected]
May 15, 2014

Introduction
Christopher Grady, President – Clear Government Solutions
• Cloud Service Provider
• Focused exclusively on the U.S. Federal Government
• GSA Infrastructure as a Service Blanket Purchase Agreement Awardee
  • Storage
  • Virtual Machines
  • Hosting
• In FedRAMP, pursuing the JAB P-ATO – approaching the end of the process with a FISMA Moderate cloud infrastructure.

Introduction – Security
Security frameworks that apply to a federal cloud offering, from most to least specific:
• DISA IaaS Pre-Solicitation (leverages the FedRAMP requirements)
• FedRAMP (adds controls on top of FISMA)
• FISMA / NIST (approximately 250+ security controls)
• ISO 27000 (1-6)
• HIPAA
• PCI-DSS
Acronyms:
• HIPAA – Health Insurance Portability and Accountability Act
• PCI-DSS – Payment Card Industry Data Security Standard
• ISO – International Organization for Standardization (ISO 27000 series)
• FISMA – Federal Information Security Management Act
• FedRAMP – Federal Risk and Authorization Management Program

Agency vs. JAB Authorization Process
JAB P-ATO (6 months +):
• System Security Plan: ISSO and CSP review the SSP → JAB review → CSP addresses JAB concerns
• Security Assessment Plan: 3PAO creates the SAP, ISSO reviews it → JAB review → CSP addresses JAB concerns
• Testing: 3PAO tests and creates the SAR
• SAR and POA&M Review: ISSO and CSP review the SAR → JAB review → CSP addresses JAB concerns and creates the POA&M
• Authorize: final JAB review and P-ATO sign-off
Quality of documentation will determine the length of time and the number of review cycles throughout the entire process.
Agency ATO (4 months +):
• System Security Plan: CSP implements the control delta → agency review → CSP addresses agency concerns
• Security Assessment Plan: agency reviews the SAP → CSP addresses agency notes
• Testing: 3PAO tests and creates the SAR
• SAR and POA&M Review: agency reviews the SAR → CSP addresses concerns → CSP creates the POA&M
• Authorize: final agency ATO sign-off
Source: original presentation by Matt Goodrich, FedRAMP PMO, December 2013.

Cloud Service Models – In the Wild
• AaaS – Architecture as a Service
• CaaS – Communication as a Service
• DaaS – Data as a Service, Desktop as a Service, Database as a Service
• EaaS – Everything as a Service, Ethernet as a Service
• FaaS – Framework as a Service
• GaaS – Governance, Globalization
• IaaS – Infrastructure
• IDaaS – Identity
• MaaS – Monitoring, Mashups, Messaging, Migration, Media, Mobility
• OaaS – Optimization, Operations, Organization
• PaaS – Platform
• SaaS – Software, Security
• StaaS – Storage
• XaaS – Anything as a Service

Service Models – Specified by NIST
The SPI model covers the three most common cloud computing service models:
• SaaS (Software as a Service)
• PaaS (Platform as a Service)
• IaaS (Infrastructure as a Service)

Cloud is really about Service(s)
[Google Trends chart: search interest over time for "Software as a Service", "Cloud Computing", "Platform as a Service" and "Infrastructure as a Service", 2005 through today. Source: Google Trends.]

SaaS Service Model Highlights
SaaS (Software as a Service)
• Easiest way to consume services – it is a finished, ready-to-use product.
• Software is delivered as a web-based, one-to-many model, typically billed per user.
• Software is centrally managed by the vendor – the customer applies no patches or updates.
• Perfect for:
  • Applications that present significant engineering challenges
  • Demand spikes: applications where demand spikes significantly
  • Security: applications requiring significant interaction with the general public
  • Applications where mobile access is central to the service
Cons: it is the most abstracted layer of all the service models, which typically makes it difficult to migrate away from, especially if it has replaced IT staff.

PaaS Service Model Highlights
PaaS (Platform as a Service)
• A platform meant to facilitate development, testing, deployment, hosting and maintenance of applications in a unified and integrated development environment.
• Not a finished product like SaaS, nor a clean slate like IaaS.
• Purpose: rapidly create your own cloud applications using supplier-specific tools and languages without maintaining the software or hardware beneath them.
• Rapid development at low cost is possible via the developer hooks and tools of that particular platform.
Cons: risk of vendor lock-in via proprietary languages or approaches.

IaaS Service Model Key Characteristics
IaaS (Infrastructure as a Service)
• Delivers network, storage, servers and operating systems as an on-demand service.
• Utility pricing model – metered billing.
• Run any operating system or application you wish (or that the CSP offers).
• Maintain the most control over your environment without maintaining any equipment.
• Existing applications can be migrated from your internal infrastructure:
  • Physical to Virtual migration (P2V)
  • Virtual to Virtual migration (V2V)
Cons: ?

Guide to Understanding FedRAMP – Page 26
http://www.gsa.gov/portal/mediaId/170599/fileName/Guide_to_Understanding_FedRAMP_042213
"It's possible that an agency may want to use three providers that each provide a different layer."
• "the PaaS provider is dependent on leveraging a pre-existing Provisional Authorization from the IaaS provider"
• "the SaaS provider is dependent on leveraging a pre-existing Provisional Authorization from the PaaS provider (and indirectly the IaaS provider)"
• "if the agency decides to make use of this integrated package, three different FedRAMP Provisional Authorizations are applicable as illustrated in Figure 3-12"

SPI Architecture Responsibilities
Who manages each layer of the stack under each model (one Provisional Authorization per CSP layer; the agency or its integrator owns everything above the CSP's boundary):

Layer            | On-Premises        | IaaS               | PaaS               | SaaS
-----------------|--------------------|--------------------|--------------------|-----
Applications     | Agency / Integrator| Agency / Integrator| Agency / Integrator| CSP
Data             | Agency / Integrator| Agency / Integrator| Agency / Integrator| CSP
Runtime          | Agency / Integrator| Agency / Integrator| CSP                | CSP
Middleware       | Agency / Integrator| Agency / Integrator| CSP                | CSP
Operating System | Agency / Integrator| Agency / Integrator| CSP                | CSP
Hypervisor       | Agency / Integrator| CSP                | CSP                | CSP
Servers          | Agency / Integrator| CSP                | CSP                | CSP
Storage          | Agency / Integrator| CSP                | CSP                | CSP
Networking       | Agency / Integrator| CSP                | CSP                | CSP

Moving left to right (on-premises → IaaS → PaaS → SaaS): less control and lower cost for the agency; moving right to left: more control and higher cost.

Common Cloud Infrastructure View
• Common threat management array in front of all tenants
• SaaS and PaaS tenants: Web Hosting Customer 1 … Customer N
• IaaS tenants: Virtual Machine Customer 1 … Customer N
• Storage service: Storage Customer 1 … Customer N
• Shared cloud management services and infrastructure:
  • Network Management Services
  • Hypervisor Management
  • Auditing and Accounting
  • IDS/IPS
  • Identity Management
  • Security Orchestration
  • IT Service Management (ITSM)
  • Automation Management
  • Out-of-band Management
  • Storage Management
  • DR Management (backup)
  • Portal, and more

Thank You!
Christopher Grady, President
Clear Government Solutions, Inc.
[email protected]
www.ClearGovSolutions.com