CalCloud Government End-User Group
November 4, 2015
Introducing…
Chris Cruz, Chief Deputy Director, Operations, Department of Technology
Agenda
Welcome
Introduction (Chris or myself)
CDFA migration of 70 apps (Hence)
Security (Dave)
Technical Architecture (Scott and Kyle)
Q/A
What is CalCloud?
CalCloud is a suite of cloud services offered by the Department of Technology, which includes:
IaaS - A private cloud infrastructure service:
O/S Licenses with Security updates
O/S Licenses (customer managed patching)
Customer Provided O/S (customer managed patching)
SaaS - Vendor Hosted Subscription Services (VHSS): SalesForce, Clarity, Remedy on Demand
Lines of Business: Disaster Recovery, Storage, Email, HR
CalCloud Strategy
CalCloud Architectural Decisions
The CalCloud is engineered for flexible, secure, cost efficient enterprise class workloads.
[Diagram: Cloud Service Provider Platform / CalCloud attributes: Personalization, Scalability, Security & Isolation, TOM, Low-Cost Accommodation, Extensibility, Flexible Self-Service, Enterprise-Class, Control]
The CalCloud provides Enterprise-Class availability and backup/restore and disaster recovery capabilities.
CalCloud is designed to support the need for Low-cost Accommodation – the ability to combine low cost with the flexibility to accommodate a wide range of diverse government requirements.
A Flexible Self-service model, which adapts to departmental needs and is able to bring future services on-board.
CalCloud supports multiple Security standards and models and is a highly secure multi-tenancy architecture.
The Usability model provides an intuitive, relevant, role-based and customizable user interface.
CalCloud is Extensible with other hypervisors and OS, other storage solutions, and other compute tiers.
CalCloud supports flexible dashboards, reporting services and service catalogs; state cloud service consumers will feel in Control.
Introducing…
Robert Schmidt, Office of Technology (OTech) Chief, California Department of Technology
Introduction of User Group
User Group was implemented to:
Align IT Tactical efforts with IT Strategy;
Ensure that the CalCloud achieves its implementation roadmap;
Recommend CalCloud requirements;
Enhance CalCloud visibility while managing implementation risk;
Communicate the organization’s cloud strategy to government business and IT leaders.
Introduction of User Group
Members are responsible for:
Serving as change champion within their agency;
Aligning tactical IT implementation with IT strategy;
Assessing business impact of moving IT services to the hybrid cloud.
New User Group Lead
Hence Phillips - CDFA
CDFA has 70 applications running on CalCloud.
Time to deploy applications
Performance standards of applications
Ease of use for customers
Security
Lessons Learned/Tips
User Group Lead
Answer as a developer using CalCloud:
How does CalCloud help me do my job?
How does CalCloud solve my technical problem?
What do developers most appreciate about CalCloud?
What technical benefit do I receive from using CalCloud?
CDFA CalCloud Architecture
[Diagram: CDFA Network connected to CalCloud hosts Mercury (Primary Web), Venus (Primary DB), Earth (Utility), Mars (Secondary Web) and Jupiter (Sandbox), plus the CDFA Mail Relay and the Internet]
Introducing…
Scott MacDonald, CalCloud Chief, California Department of Technology
Kyle E Pribilski, IBM
Overview of CalCloud
Dedicated private cloud (IaaS) for State.
Service hosted on State data centers and behind State network (LAN/WAN) and security.
Provided by a cloud service vendor (IBM).
CalCloud Vendor provides hardware, software, portal and OS administration (patching).
Usage based with no initial cost to the state.
Self-Service business model (via web portal) and Low cost service offering.
[Diagram: CalCloud as a dedicated virtual private cloud built on shared cloud services; attributes: Flexibility, Security and isolation, Multiple technology platforms, Control, Competitive pay-as-you-go]
“Shopping Cart” & Self-Provisioning Model
Service Catalog and Shopping Cart:
Select Base Server Size: Small, Medium, Large, Extra Large
Select OS
Select Extras: RAM, Storage, Disaster Recovery, Backup, Virtual Appliances, Data Encryption
CalCloud “Shopping Cart” and self-provisioning model (2)
1. Shopping and provisioning:
Small, Medium, Large, or Extra Large VMs
Microsoft Windows Server, Red Hat OS or AIX
Add-ons including RAM, Storage and Backup
Infrastructure Disaster Recovery services
Select IDR tier (0, 1, 2)
Select Backup/Restore tier (0, 1, 2)
Pick extra memory and storage
Put into shopping cart
Build application templates and save in shopping cart
Press “Submit”
2. Monitoring and reporting:
Performance metrics
Capacity metrics (total compute, storage, RAM, backup)
Billing data broken down by consumer
See open trouble tickets
All CalCloud Consumer servers along with up/down status
Current CPU, RAM, and storage usage for each server
Total backup used and available
3. Management and modification:
Upgrade or downgrade an existing VM to Small, Medium, Large, or Extra Large VM
Increase or decrease add-ons including RAM, Storage, and Backup
Stopping existing IDR Services
4. Decommissioning:
Decommission a single image or an entire project
Comprehensive Self-Service Model
CalCloud Flexibility
[Diagram: four layers (CalCloud User Access Layer; CalCloud Management & Automation Layer; CalCloud Resource Abstraction & Control Layer; CalCloud Physical Resource Layer). Each Department gets its own Virtual Private Cloud with My User Roles, My Shopping Cart, My Approval Process, My Reports, My Dashboards, My Trouble Tickets, My Billing Status and My Templates, plus the CalCloud Standard Services provided by CalCloud/IBM: Two-Factor Authentication, Standard Reports, Service Catalog, Standard Approval Processes, Standard Dashboards, LDAP w/ Standard user roles, Provisioning, Modifications, Usage & Accounting, Backup/Restore, Multi-tiered IDR]
CalCloud Logical Architecture Diagram
[Diagram, by layer:
Layer 1 (User Access – CalCloud Portal): Service Catalog, Shopping Cart, Provisioning, Image Lifecycle Mgmt, Reporting Services, Events Dashboard, Backup/Restore, IDR, Trouble Tickets, Billing Status, 2FA, Guides/FAQs/Videos.
Layer 2 (Management & Automation): Service Automation Management, Usage and Accounting, Monitoring, Reporting Warehouse, Storage and Backup Management, CalCloud Managed Security, CalCloud Managed Services; OTech interfaces: Trouble ticketing, LDAPs, Invoicing, SIEM.
Layer 3 (Resource Abstraction & Control): VMware vSphere, IBM POWER VM/PowerVC, IBM Storage Virtualization Center.
Layer 4 (Modular Physical Resources – Modular Addition): Compute Nodes (Windows/RHEL x86), Compute Nodes (AIX on POWER), Common Cloud Storage, STaaS Block Storage, Backup Storage, Network, zLinux/DS8000, Tenant Managed AIX Environments]
CalCloud Logical Architecture Diagram (product view)
[Diagram, by layer:
User Access Layer: Jazz/DASH Portal with Consumer Dashboard, Service Catalog, Shopping Cart, Provisioning, Lifecycle Mgmt, Instant Backup, Scheduled Backup, Reporting, Trouble Tickets; Tivoli Identity Manager for Authentication/Authorization.
Management & Automation Layer: IBM Service Delivery Manager (Service Automation Management, Usage & Accounting, Monitoring), SmartCloud Control Desk, SmartCloud Managed Backup, Tivoli Common Reporting, Reporting Warehouse, Tivoli Storage Manager (Storage Mgmt, Device Mgmt, Storage Pools, Policies); CalCloud Managed Security and CalCloud Managed Services; CDT/Departmental interfaces: Remedy, LDAP, Billing, LogLogic SIEM.
Resource Abstraction & Control Layer: VMware vCenter, vSRM, HA/DRS, vSphere; PowerVM, PowerHA, Live Partition Mobility, PowerSC; TSM for VE Backup Archive Agent.
Physical Resource Layer: IBM Flex System hosting the CalCloud Portal and Management VMs and the CalCloud Tenant VMs (x86 and POWER), NetApp ONTAP Common Cloud Storage, IBM Flex Fiber Channel Interconnect, VTL Backup Storage Arrays]
CalCloud R&R
CalCloud Storage Services
CalCloud Tenant Space
A TVN is created via a number of VLANs which implement the isolated network environment.
Across the four tiers, only the DMZ tier has inbound access from the Internet.
A standard TVN provides a pre-defined number of IP addresses (therefore a pre-defined number of VMs can be supported). For tenants who require additional VMs or environments, the TVN model can be extended.
Tier VLANs are all /25 (128 addresses), except the Util VLAN, which is /24 (256 addresses).
CalCloud Backup and Recovery
Tier 1 storage provides optional services that can be selected for the storage allocated to a VM (all storage for a VM shares the same characteristics).
Tier 1 Backup and Recovery (BUR): Tier 1 BUR provides a Recovery Point Objective (RPO) of 1 hour with a retention period of 24 hours. Tier 1 BUR is implemented via a snapshot captured within the storage disks.
Tier 2 Backup and Recovery (BUR): Tier 2 BUR provides a Recovery Point Objective (RPO) of 24 hours with a retention period of fourteen days. Tier 2 BUR is implemented via a whole VM backup to the TSM backup subsystem.
Restore operations are requested via the portal. For Tier 2 backups, either the entire VM or a selected file can be restored.
Encryption: Tier 1 storage can be encrypted on disk. Note that this is purely while the data resides on disk. As data is written to disk it is encrypted, and as it is read from disk it is decrypted.
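As an added illustration (not part of the presentation or of CalCloud's tooling), a check that a VM's actual recovery points satisfy the BUR tier stated above: newest point within the RPO, no gap between points wider than the RPO, and coverage reaching back the full retention period. The snapshot timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# BUR tiers as stated on the slide:
# Tier 1: RPO 1 hour, retention 24 hours (storage snapshots)
# Tier 2: RPO 24 hours, retention 14 days (whole-VM backup to TSM)
BUR_TIERS = {
    1: {"rpo": timedelta(hours=1), "retention": timedelta(hours=24)},
    2: {"rpo": timedelta(hours=24), "retention": timedelta(days=14)},
}

def check_bur(tier, recovery_points, now):
    """Verify one VM's recovery points against its BUR tier.

    Three conditions: the newest point is no older than the RPO, no gap
    between consecutive points exceeds the RPO, and the oldest point reaches
    back at least the full retention period. Returns {"ok", "findings"}.
    """
    policy = BUR_TIERS[tier]
    pts = sorted(recovery_points)
    if not pts:
        return {"ok": False, "findings": ["no recovery points at all"]}
    findings = []
    if now - pts[-1] > policy["rpo"]:
        findings.append(f"newest point is {now - pts[-1]} old, exceeds RPO {policy['rpo']}")
    for earlier, later in zip(pts, pts[1:]):
        if later - earlier > policy["rpo"]:
            findings.append(f"gap of {later - earlier} ending {later:%Y-%m-%d %H:%M} exceeds RPO")
    if now - pts[0] < policy["retention"]:
        findings.append(f"oldest point is only {now - pts[0]} old, retention requires {policy['retention']}")
    return {"ok": not findings, "findings": findings}

# Constructed reference time and sample schedules (not real CalCloud data).
NOW = datetime(2015, 11, 4, 12, 0)

def tier1_example():
    """Hourly Tier 1 snapshots for 24 h, with the one from 5 hours ago missing."""
    pts = [NOW - timedelta(hours=h) for h in range(25) if h != 5]
    return check_bur(1, pts, NOW)

def tier2_example():
    """Daily Tier 2 whole-VM backups for 14 days, all present."""
    pts = [NOW - timedelta(days=d) for d in range(15)]
    return check_bur(2, pts, NOW)

if __name__ == "__main__":
    for name, result in (("Tier 1", tier1_example()), ("Tier 2", tier2_example())):
        print(name, "OK" if result["ok"] else "FAIL", *result["findings"], sep="\n  ")
```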
CalCloud Infrastructure Disaster Recovery (IDR)
Tier 1: RTO = 1 hour, RPO = 1 hour
Tier 2: RTO = 96 hours, RPO = 24 hours
Introducing…
David Langston, Branch Chief, Security Management, California Department of Technology
CalCloud Security: General
Provide services that meet the operational and compliance requirements of the State: SAM/SIMM, NIST, FedRAMP where applicable, other regulatory if/where applicable.
Ensure that vendors are conforming to best security practice.
CalCloud IaaS Security: Goals
Provide a service that is equally or more secure than that which can be provided with a physical, dedicated infrastructure.
Support both mission-critical and non-mission-critical systems.
Provide an infrastructure that can meet the operational and compliance requirements of the State and supported agencies.
CalCloud IaaS Security: Stack
CalCloud provides a comprehensive and tiered security model.
[Diagram, security stack from base to top:
Base Level Security Profile: The Federal Risk and Authorization Management Program (FedRAMP v2, includes NIST 800-53 Rev 4)
IBM + California Dept of Technology Security Controls (ISeC) (CalCloud Information Security Controls)
Hosted inside the California Dept of Technology’s data centers and inside Department of Technology firewall(s)
Workload-Specific Security: HIPAA, PCI DSS, IRS 1075, SSA, other]
CalCloud IaaS Security: Controls
A formal security control program is in place (based on IBM ISeC processes, cloud experience, and FedRAMP V2).
~325 FedRAMP controls assessed against 25+ domains.
Compliance support to other authorities available (infrastructure controls only).
CalCloud security controls can be shared with customer security personnel under strict controls and agreements.
CalCloud IaaS Security: Key Elements
Encrypted Two-Factor Authenticated Sessions
Cloud Border Security
Admin Access Only from Territorial U.S.
Log of All Administrative Actions
Least Privilege and Separation of Duties Practice
Data are Property of the State
Infrastructure Hardening
Coordinated Security Incident Handling
Vendor(s) Background Checked
Encryption at Rest (Option)
Coordinated Change Control
Security Awareness Training Including IRS Disclosure
Strong Tenant Isolation
Coordinated OS Patching
No Shared Credentials
Isolated Security Tiers (network)
Configuration and Vulnerability Monitoring
Controlled Administrative Access
CalCloud IaaS Security: Compliance Status
CDT “Authorization to Operate” based on FedRAMP v2 signed in Sept 2015.
Major documents and processes in place:
• System Security Plan
• Security Assessment Report
• POAM tracking process
• Privacy Threshold and Impact Report
Annual review process.
CalCloud IaaS Security: Then and Now
FedRAMP program contacted to begin formal recognition.
Currently, FedRAMP is very Federal Gov’t centric with no State provisions.
Formal recognition by FedRAMP generally requires a Federal agency sponsor.
FedRAMP “interested” in State/Local participation but specifics not yet determined.
Likely 18 - 36+ months to work with FedRAMP on a State version of FedRAMP and to obtain formal recognition.
CalCloud IaaS Security: Dialog - Tenant Space
Questions & Answers
For more information, visit
marketing.dts.ca.gov/calcloud and
servicecatalog.dts.ca.gov/services/cloud/calcloud/calcloudoverview.html
Thank you for Coming!!