NCI Agency Portal Harmonization Public Cloud Opportunities Jose Herrero – NCI Agency / SSTRAT / Service Engineering and Architecture


Agenda

• What we have done (use case scenario)
  • Requirement
  • Project implementation with AWS
  • Way ahead

• Lessons learned
  • Organizational changes
  • Others

• Opportunities for public cloud service providers
  • Cloud-based Web hosting
  • Cloud Framework contract


Agency Use Case - Requirement

- Issues identified on 60+ extranet portals supporting internal and external customers for collaboration, information sharing, etc.

- Customers vary from Internal, NHQC3S, National, ACO, ACT, etc.

Supporting HW was obsolete and failing, not resilient and funding was unclear. In addition, migration to new server room in The Hague was not planned for this HW

Lack of security approach, no accreditation and inconsistent architecture applied


Project Implementation with AWS

• Design and Migration

• Initially identified 60 sites, reduced after scrub to 49

• Many technologies: SharePoint, Apache Tomcat, WordPress and IIS sites

• Design implemented in AWS Frankfurt region with Industry support following AWS Architecting best practices (High availability)

• 4 sprints of 4 days each with AWS Consultancy support during period Dec-2018 / Mar-2019

• Also specific Industry AWS Security support to implement design hardening including a VPN site-to-site between NCIA-Mons and AWS region, managed by NCIRC

• Successful pentest performed on the platform during 11-21 February


Project Implementation with AWS

• Migration plan executed in 2 waves, during period 1-4 March 2019
  • Operational sites (priority attention and support)
  • Non-Operational sites

• March 2019: platform is stabilized. Optimization for cost started in May after measuring consumption

• Enterprise agreement with AWS on 31st DEC 2018:
  • Previously an NDA was signed with AWS in May 2018
  • LEGAD supervised for law enforcement and data sovereignty
  • ACQ and AWS final signature on 31st DEC 2018

• Training to staff: 4 official AWS trainings organized of various expertise levels


Project Timelines

[Timeline figure, December 2018 to March 2019]

DECEMBER 2018

• SPRINT #1 (4-12-2018): Kickoff 15 OCT; Initial Design; Accounts; IP ranges

JANUARY 2019

• SPRINT #2 (14-01-2019): IDAM Achieved; Initial pre-Tests; Security Design; Servers configured; Finalize VPN

• 17-01-2019: Migration Plan & Test; Formal internal Tests; Design finished; Load balancers; Servers configured; Security Docs; Service Docs

• SPRINT #3 (21-1-2019): Final works and optimization; Demo to CES SL + Cost Analysis

• 24-1-2019: Existing portals frozen; Only data updates

FEBRUARY 2019

• Pentest 11-21 FEB

• Customer tests 15-28 FEB

MARCH 2019 (dates marked on the timeline: 4-3-2019, 15-03-2019)

• Migration Execution

• Go live w/Microsoft support

• Successful migration 49 portals on 4th March

• Follow up and troubleshoot w/customer

• Stable Service Operation

• Other portals plans; Optimization Portals


Results – Value generated

- A new infrastructure has been created in AWS public cloud
- This infrastructure is now hosting securely all portals
- Overcomes HW obsolescence and security issues
- Improved availability
- IV&V and user acceptance testing successful
- Based on Service Catalogue: PLT010 and PLT003 – (COO agreed)
- Covered by AWS NDA and Enterprise Agreement (LEGAD and ACQ agreed)
- Scalable & elastic allowing to expand to further portals and applications

Secure design from the outset in close cooperation with CS SL

- 49 portals are now exactly the same with the same functionality and access to customers, but have been migrated since 4th March to a public Cloud platform designed by NCI Agency in AWS


Way Ahead

• Finalize optimization of machines in computing and storage resource consumption

• Upcoming portal migration (9 in the pipeline including web portals and applications)

• Competition for public cloud based web hosting as part of PIA renewal contract


Lessons Learned

• Cloud projects involve the whole organization: Architecture, Infrastructure, Cyber, Legal, Finance, Acquisition, Applications…
  Cloud Adoption is to be led from the top

• Cloud Adoption projects change the internal organization and processes…
  We need to adapt our processes based on traditional IT to the new paradigm, including in particular the service provision and the funding model

• Commitment from Management and a Dedicated Team with the right skillsets is key
  Frequent scrum-based meetings with a defined list of tasks in a multi-disciplinary Team

• Industry partner engagement is key
  Frequent consultancy requests for solving upcoming issues
  Help is required in training, design and operation
  Experience from other customers in Public Sector is a valuable asset


Opportunities – Cloud-based Web Hosting

• SOW in preparation for web hosting of a number of NATO portals of NU level in a public cloud infrastructure

• NCI Agency needs to be able to introduce some changes in terms and conditions

• Solution design needs to follow Cyber Security regulations for Accreditation

• Exit strategy requirements to be included

• “Utility based pricing” model, only pay for cloud resources used

• Dynamic service delivery in accordance with demand and within the limit of an agreed cost envelope

• NCI Agency follows a multi-cloud approach

• Multi-Cloud Service Management is a challenge

• Shared Responsibility Model


Shared Responsibility Model


Opportunities – Cloud Framework Contract

• NCI Agency to release before end 2019 a global Cloud Framework Contract

• To be applicable to Cloud IaaS, PaaS and SaaS services; will apply the shared responsibility model

• Zero volume “Utility based pricing” (pay-as-you-go)

• Based on multiple-Enterprise Agreements which include NATO legal and security requirements

• Agnostic workloads that will allow NATO flexibility to shift

• NCI Agency to be the broker and manage service based on transparent metrics
