government cloud enablement, - sys-con mediares.cdn.sys-con.com/session/3259/majed_saadi.pdf · by...

By Majed Saadi, CTO @ Govplace

V4.0

GOVERNMENT CLOUD ENABLEMENT, A FEDERATED MODEL

Approved for Public Distribution


Background

• Agency adoption of Cloud (while varied in maturity) is primarily done to improve efficiency and flexibility of IT.

• Brokerage models and governance tools lack the demonstrated performance and comprehensive functionality necessary to properly operate/automate an Enterprise Cloud approach.

• FedRAMP is a great first step towards solving challenges, but significant unknowns remain.

Purpose

• Understand trends and drivers in the current market (Federal IT and Cloud)

• Introduce a new Government Cloud Enablement Model that codifies the scope of critical functional areas that must be addressed

• Introduce a procurement vehicle construct to support the approach

Majed Saadi – CTO @ Govplace

• Years of experience supporting Federal IT

– CTO @ Govplace

– CTO (Civilian Agencies) @ SRA International

– Director of Cloud Computing @ SRA International

• Participated in the creation of award winning go-to-market offerings AcuITy® for IT Decision Making Enablement and Stratify® for Cloud Security.

• Over 18 years of experience in IT Strategy Development, Enterprise Architecture, and Enterprise Systems Management

• Master’s degree in IT Management from the University of Virginia as well as several industry certifications including TOGAF 9, ITIL, ISO 20000, and Management of Risk (MoR).

© Govplace 2016. Proprietary & Confidential

In the News


Cloud in the Government, What’s Different?

• Different Agencies have different structures

–Centralized

–Componentized

– Inter-related

• Source of budgets

• Distribution of budgets

• Accountability


Ya, and there’s FedRAMP


The Problem

• A duplicative, inconsistent, time consuming, costly and inefficient cloud security risk management approach with little incentive to leverage existing Authorizations to Operate (ATOs) among agencies.

The Solution: FedRAMP

• Unified risk management approach

• Uniform set of approved, minimum security controls (FISMA Low and Moderate Impact)

• Consistent assessment process

• Provisional ATO

https://www.fedramp.gov/marketplace/compliant-systems/

https://www.fedramp.gov/marketplace/in-process-systems/

Cloud Enablement Drivers

1. Reduce costs by capitalizing on cloud computing economies of scale through standard acquisition processes

2. Provide alternate solutions to traditional expensive datacenter models

3. Expedite Time-to-Market / Time-to-Value for cloud initiatives and procurements

4. Allow for competition to drive down prices while providing more flexibility and service options to Agency components


Additional Government Specific Drivers

1. Compliance with mandates

– Cloud First

– Datacenter Consolidation

– Datacenter Optimization

– Digital Strategy

2. Retain budget control over centralized IT functions

3. Control Shadow IT


Market Updates and Trends


• Cloud adoption trends

– Private Cloud is still the most adopted model in the federal government.

– Public and community clouds are being used mainly for public sites and development efforts, and the number of FedRAMP’d CSPs continues to grow

– Hybrid Clouds remain the biggest target for the majority of federal agencies

– Cloud cost predictability and charge back distribution remain a major enterprise adoption challenge

• Cloud Brokerage adoption is still very slow, mainly due to:

– Difficulty in unifying the vision and marketing the value

– Difficulty of governing brokerage models

– Brokerage tools’ lack of maturity (CASB seems to be an outlier)

– Lack of standardization across CSPs

– Current cloud vendor investments are largely focused on increasing automation and orchestration and not on interoperability

• Agencies are taking small steps toward cloud to solve local needs; enterprise enablement remains an opportunity

TAKEAWAYS

• So far, maturity is still not matching the hype

• Biggest gaps (Interoperability, Orchestration across platforms, Dynamic bursting capabilities, Data Access governance)

• CSPs are not willing to improve these gaps without realizing economies of scale

Four Approach Alternatives


1. Agency components contract directly with FedRAMP certified CSPs and resellers of those CSPs to access cloud services

– Easy to implement, hard to control, no economies of scale, creates shadow IT problems

2. Contract with Cloud Broker(s) to manage the CSPs and the entire cloud lifecycle (acquisition to retirement)

– Requires massive planning, tools are incomplete or immature, limited industry maturity

3. Employ Facilitator(s) - provides single pane of glass (reporting visibility) of cloud service acquisitions and operations

– Good starting point but little value, could become stagnant quickly

4. Build a Cloud Enablement IDIQ with multiple awardees.

– Multiple “1-to-many” cloud service contracts – drives engineered cloud solution optimization

– Proven acquisition model

– Build in phases to reduce risks

– Allows for immediate, standardized cloud services access by components

– Allows for course modification as industry matures

Key Considerations – Plan to Maneuver


1. Accessibility: Contract structure and technical exchange mechanisms should enable dynamic movement of data and workloads, minimizing CSP lock-in

2. Security: Should rapidly address security threats when dealing with multiple cloud service providers

3. Data Access & Migration: Should facilitate application & data migration between cloud service providers

4. Cloud Provisioning & Operations: Should allow for standardized provisioning across multiple CSPs

5. Cloud Monitoring & SLA Management: Must provide a single pane of glass for systems across public cloud & on-premises systems

6. Alternate Cloud Offerings: Account for hybrid & private cloud offerings

7. Other Concerns: CSP market and offerings are rapidly evolving and the acquisition approach has to take that into consideration

Approach Guiding Principles


1. Allow component customers to retain a high level of independence and enable their access to a wide variety of options for selecting cloud services (private and public)

2. Capitalize on the successes of integrated programs (such as CDM & FedRAMP), and employ lessons learned from ineffective programs (such as the GSA IaaS & EaaS BPAs)

3. Provide a roadmap of initiatives that lead to fulfilling a comprehensive Department-wide cloud vision in a gradual measured fashion

4. Balance speed of delivery with security and enterprise standardization requirements

5. Allow for flexibility in changing and/or augmenting the program

GOVPLACE

Majed Saadi

CTO
