Lou Ansaldi - National Association of State Workforce Agencies


Cloud Overview in the UI Domain
10 OCT 2016, New Orleans
Outline
• What is the Cloud
• Cloud Types and Models
• Cloud and Data Centers
• Security
• Some Key Considerations
• UI Domain
What is the Cloud
• Access to computing resources (servers, processing, local networking devices, storage, all the way to applications) using the Internet
• Examples
  o Facebook
  o Twitter
  o LinkedIn
  o Skype
  o Web-based Email
  o Google Doc
  o Online Banking
Cloud Types and Models
Types (layered diagram, top to bottom):
  SaaS – App
  PaaS / Managed Services – Guest O/S, 3rd party products (install, configure, maintain, provisioning)
  IaaS – Infrastructure (Hypervisor, Host O/S, LB, Firewall, Internet diversity, network, etc.)
Types
  IaaS – Infrastructure as a Service
  PaaS – Platform as a Service
  SaaS – Software as a Service
Models
  Public Cloud – Shared infrastructure
  Private – Dedicated environment
  Hybrid – Combination
Cloud vs Data Centers
• Cloud
  o No CapEx for Infrastructure, Services, Application Evolution
  o Amortize investment expenses over very, very large customer bases
  o Subscription-based pricing
  o Elastic capacity
  o Secure Internet access
  o Typically outsourcing of Managed Services (configuring computing resources, Backup/Recovery, 3rd party products, etc.)
  o For Government, generally NIST-based security compliance
  o Ultimately always a physical location
  o IaaS is a commodity
  o Legally binding SLAs
• Data Center
  o On-premise or State Data Center (access via dedicated state network)
  o Own and refresh infrastructure
  o Buy to peak loads
  o State security standards
  o SLAs?
  o Monthly pricing
Cloud Security
• Federal Risk and Authorization Management Program, or FedRAMP (NIST 800-53)
• FISMA 2014
  o Also NIST-based
  o More encompassing
• IRS
• SSA
No FedRAMP rev 4 Compliant provider breached to date
FedRAMP Classifications
• Classifications
  o JAB Provisional Authorizations
    - Cloud systems listed under the FedRAMP P-ATO path have undergone a rigorous technical review by the FedRAMP PMO, been assessed by a FedRAMP accredited 3PAO, and received a P-ATO from the DHS, DOD, and GSA CIOs.
  o Agency FedRAMP Authorizations
    - Cloud systems listed under the Agency Authorization path have worked directly with a customer agency to achieve a FedRAMP compliant ATO that has been verified by the FedRAMP PMO.
    - FedRAMP Compliant (In PMO Review) is a designation for Agency ATO Authorization Packages only. This designation signifies that the CSP’s cloud system has been granted an ATO by an agency and has submitted all required documentation for review to the FedRAMP PMO. Once the FedRAMP PMO completes an Initial Review of the package the CSP will be listed as FedRAMP Compliant.
  o CSP Supplied Packages
    - Cloud systems listed under the CSP Supplied Package path have submitted to the FedRAMP PMO a completed Security Assessment Package (SAP) that has been assessed by a FedRAMP accredited 3PAO.
https://www.fedramp.gov/marketplace/compliant-systems/
FedRAMP rev 3 and 4 vs. Pub 1075
NIST Control Number | Title | Explanation of coverage
AU-5 | Response to Audit Processing Failures | QTS complies with AU-5(1) through various FedRAMP IaaS controls (telemetry logging, monitoring and alerting [triggered thresholds]), as well as existing comprehensive policy and procedure (incident response and specific corrective actions) that are all inherent parts built into the VCGS system.
SA-22 | Unsupported System Components | FedRAMP IaaS regards unsupported technology as a High vulnerability, and allows 30 days to correct – therefore this control isn’t selected separately. QTS VCGS identifies unsupported technology by several methods: technology architecture/inventory refresh schedule, scanning and vulnerability assessment tools, POA&M tracking/continuous monitoring.
SSA
• Working with SSA on physical connectivity
Some Key Cloud Considerations
• Terms and Conditions
  o Must understand them
  o Largely immutable
• If pursuing IaaS, understand the boundaries between IaaS and Managed Services
  o Use a RACI matrix
• SLAs
• Always requires capacity analyses
• Co-location
  o Important for IRS compliance
• Disaster Recovery
• Exit Strategy
  o Transfer cloud to cloud
    - IaaS
    - Docker
  o As you move up the stack, migration becomes harder to almost impossible
  o Ensure extract of data
• Pricing
  o IaaS appears to have significant pricing advantages
Azure T&Cs Inquiries
• Pricing – Could you explain pricing? Is it a monthly subscription based on infrastructure, or a charge based on usage? Or a combination?
• Use of Software with the Online Service (Non-Microsoft Products?) – Is the customer responsible for installing third party software?
• Third-party Software Components – The way we read it, MS will license third party components to the customer on their own terms. Please confirm.
• Validation, Automatic Updates, and Collection for Software – MS may perform upgrades or supplements to its software. Please confirm that MS will own MS product installation and updates/patches.
• Security Incident Notification – What monitoring is performed by MS? How is notification handled?
• Data Retention/Extract – Please confirm that if we stop our subscription to the “online services” we only will have 90 days access to our data.
Azure T&Cs
• Location of Data Processing – UI data includes FTI and TOP PII. Please confirm that this data would not be stored in any country that MS does business in? Is MS authorized to transfer data to any facility they want to?
• Data Processing Terms – Of the 4 services listed (Microsoft Dynamics CRM Online Services, Office 365 Services, Microsoft Azure Core Services, Microsoft Intune Online Services) we are assuming we will use portions of the Microsoft Azure Core Services service. Please confirm we won’t be paying for any of these other services.
• Location of Customer Data at Rest – Microsoft Azure Core Services – Please confirm that all data, including backups, will be stored in the US only.
• Security – There is a table that outlines what MS will do related to security, such as event logging, purging of data, access authorization and authentication, etc. Confirm that these really are services that will be provided and reconcile this table to the TCS RACI, particularly for activities where the hosting vendor is accountable and responsible.
• Online Services Information Security Policy – There is a reference to the Microsoft Azure Trust Center, which is an additional set of control standards and frameworks. Please confirm that the Microsoft Azure Trust Center is where the Pub 1075 and/or FedRAMP controls are found.
• Service Level Agreement – The states will review.
• Attachment 1 – Notices – Professional Services – What are the “Professional Services” that are applicable to the Online Services that we would subscribe to?
• How does the enterprise agreement differ from the volume licensing agreement referred to in the Online Services Terms document?
• Term: Please confirm that the initial term has to be 3 years. What happens if we cancel the contract and need to shorten the term?
• Definitions: “Software Assurance” is not defined in this section. Please define software assurance.
• SCEProdSelForm(WW)ExPRC(ENG)(Sep2015)(CR) – 4 pages
  o Please walk us through this document to determine whether we need any products in the Product Selection Form. We assume the “Core Infrastructure Suite” would be the only item worth discussing.
About 130 Items
UI Domain
• Tools (MRM Jazz, ID/IA/VT) TFS, WA VSTS
• ICON Relay
• Integrity Center SAR, IDH
• Consortia
  o Data Migration
  o Interfaces
  o Shared Costs
    - Support costs can be unsustainable as a single state
Conceptual Diagram (figure; labels only): Xerox and Id/Ia/Vt/ITSC endpoints, Web Services with WS-Security over the Internet, State, Azure hosting the ICON Hub and ICON-T
• Promote migration to Web Services
• Take full advantage of the Internet
• SOAP using Transport-Layer Security (HTTPS/SSL) and Message-Layer security (XML Digital Signature using the sender’s X.509 certificate, XML Encryption and XML Secure Timestamp)
• Help clean data in the ICON system
• More than a Proof of Concept but an operational benefit to the UI System
Validation, logging, inquiry, test harness
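The message-layer protections named in the bullets above (an XML Digital Signature whose references cover the Body and the Timestamp, plus the WS-Security timestamp as a replay check) are shown in the following added Python example, which is not part of the presentation or of the ICON project's code. It builds a constructed SOAP envelope on the sender side and verifies it on the receiver side with the standard library only. Assumptions: an HMAC-SHA256 shared key stands in for the RSA signature with the sender's X.509 certificate that the slide describes (the standard library has no RSA), the wsu:Id values TS-1 and Body-1 and the wage-request payload are made up, and XML Encryption and the transport layer (HTTPS) are not shown.

```python
"""Receiver-side checks for a WS-Security-protected SOAP message.
Added example; not code from the presentation or from the ICON project.
Assumption: an HMAC-SHA256 shared key stands in for the RSA/X.509 signature the
slide describes; the digest, reference-coverage and timestamp logic is the same.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)  # stable prefixes when subtrees are re-serialised
WSU_ID = "{%s}Id" % NS["wsu"]
MAX_AGE = timedelta(minutes=5)      # replay window the receiver enforces on its own
CLOCK_SKEW = timedelta(seconds=60)  # tolerated sender/receiver clock drift

# Constructed envelope skeleton (IDs TS-1/Body-1 are made up); sender fills __TS__, __BODY__, __SIG__.
TEMPLATE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
<soap:Header><wsse:Security>
<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>{created}</wsu:Created><wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp>
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2010/xml-c14n2"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
<ds:Reference URI="#TS-1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>__TS__</ds:DigestValue></ds:Reference>
<ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>__BODY__</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>__SIG__</ds:SignatureValue></ds:Signature>
</wsse:Security></soap:Header>
<soap:Body wsu:Id="Body-1">{body}</soap:Body>
</soap:Envelope>"""


def c14n(element) -> bytes:  # canonical XML (C14N 2.0 via ElementTree) of one subtree
    return ET.canonicalize(ET.tostring(element, encoding="unicode")).encode()

def digest_b64(element) -> str:
    return base64.b64encode(hashlib.sha256(c14n(element)).digest()).decode()

def mac_b64(signed_info, key: bytes) -> str:  # HMAC stands in for RSA with an X.509 cert
    return base64.b64encode(hmac.new(key, c14n(signed_info), hashlib.sha256).digest()).decode()

def by_id(envelope, wsu_id: str):  # resolve a Reference URI "#id" to the element with that wsu:Id
    return next((el for el in envelope.iter() if el.get(WSU_ID) == wsu_id), None)

def fmt(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_envelope(payload_xml: str, created: datetime, key: bytes) -> str:
    """Sender: stamp the message, digest Timestamp and Body, then sign SignedInfo."""
    draft = TEMPLATE.format(**NS, created=fmt(created), expires=fmt(created + MAX_AGE), body=payload_xml)
    env = ET.fromstring(draft)
    draft = draft.replace("__TS__", digest_b64(by_id(env, "TS-1")))
    draft = draft.replace("__BODY__", digest_b64(by_id(env, "Body-1")))
    env = ET.fromstring(draft)  # re-parse so SignedInfo carries the real digests before signing
    return draft.replace("__SIG__", mac_b64(env.find(".//ds:SignedInfo", NS), key))


def verify_envelope(xml_text: str, key: bytes, now: datetime):
    """Receiver: (accepted, reason). Signature first, so nothing is trusted before integrity."""
    env = ET.fromstring(xml_text)
    ts = env.find("soap:Header/wsse:Security/wsu:Timestamp", NS)
    sig = env.find("soap:Header/wsse:Security/ds:Signature", NS)
    body = env.find("soap:Body", NS)
    signed_info = None if sig is None else sig.find("ds:SignedInfo", NS)
    if ts is None or body is None or signed_info is None:
        return False, "missing Timestamp, Body or Signature/SignedInfo"
    if not hmac.compare_digest(sig.findtext("ds:SignatureValue", "", NS), mac_b64(signed_info, key)):
        return False, "signature invalid"
    covered = []
    for ref in signed_info.findall("ds:Reference", NS):  # every digest must match its target
        target = by_id(env, ref.get("URI", "").lstrip("#"))
        if target is None or not hmac.compare_digest(ref.findtext("ds:DigestValue", "", NS), digest_b64(target)):
            return False, "digest mismatch for %s (tampered)" % ref.get("URI")
        covered.append(target)
    if body not in covered or ts not in covered:  # an unsigned part could be swapped freely
        return False, "Body or Timestamp not covered by the signature"
    created, expires = parse_ts(ts.findtext("wsu:Created", "", NS)), parse_ts(ts.findtext("wsu:Expires", "", NS))
    if created > now + CLOCK_SKEW:
        return False, "timestamp created in the future"
    if now > expires or now - created > MAX_AGE + CLOCK_SKEW:  # receiver's own window, not only sender's Expires
        return False, "timestamp expired (possible replay)"
    return True, "ok"


def demo():
    """Sender and receiver over a constructed wage-request message; returns the verdicts."""
    key = b"constructed-demo-shared-key"
    t0 = datetime(2016, 10, 10, 14, 0, tzinfo=timezone.utc)
    msg = build_envelope("<wageRequest><state>XX</state><quarter>2016Q3</quarter></wageRequest>", t0, key)
    return {
        "fresh": verify_envelope(msg, key, t0 + timedelta(minutes=1)),
        "replayed": verify_envelope(msg, key, t0 + timedelta(minutes=10)),
        "tampered": verify_envelope(msg.replace("2016Q3", "2016Q4"), key, t0),
        "wrong_key": verify_envelope(msg, b"not-the-sender-key", t0),
    }
```

Calling demo() returns four verdicts: the fresh message is accepted, the same message presented ten minutes later is rejected as a possible replay, a message whose Body was altered after signing fails the Body digest, and a message signed with the wrong key fails the signature check. Two receiver-side decisions are worth keeping when the HMAC is swapped for X.509 verification: the receiver checks that both the Body and the Timestamp are among the signed references (a signature that covers only part of the message protects only that part), and it applies its own replay window rather than trusting the sender's Expires alone.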
Consortiums
• ID/VT/IA
  o Investigating use of Cloud (Azure, AWS)
• WyCAN 1.0
  o SaaS (not FedRAMP-compliant)
• WyCAN 2.0
  o IaaS (FedRAMP), Managed Services, App support
  o Maybe transition to States
• MW
  o Outsourced support first few years post go-live
  o Sagitec with Azure (FedRAMP)
  o Transition to States
• MRM
  o IaaS (FedRAMP), Managed Services (TCS), App support (TCS)
• SCUBI
  o Outsourced support first few years post go-live
  o CapG Xerox (non-FedRAMP)
    - Generally using IaaS
    - Mix of App Outsource and in-house
Vision of the Cloud in the Future?
(Figure; labels only) UI Components (Common Microservices, Common Microapps, State Extensions) x 2; FedRAMP Compliant Cloud Providers; Web Services with WS-Security over the Internet; State A, State B, State C, ..., State n
Questions
Azure Infrastructure
• Does Azure provide OS installation, maintenance and patching? What about OS hardening?
• Does Azure provide application monitoring support to any extent? If so, what tools are used for application monitoring?
• Please speak to backup and recovery processes. Would Azure need implementation provider or State support?
• Who is responsible for configuration and management of firewalls? Would Azure allow the implementation vendor to work on them? This configuration would include:
  o Firewall OS upgrades and patches
  o Firewall configuration changes and updates
  o Regularly back up firewall configuration files
  o Restore firewall configurations in the event of failure
  o Enable firewall device monitoring
  o Specify firewall settings specific to any application (from customer)
  o Configure firewall/security rules to restrict access to known IP addresses
• Does Azure establish the SAN?
• We are assuming Azure is responsible for providing and maintaining the server infrastructure. Would the hosting provider need implementation provider or State support? Who is responsible for spinning up the VMs and installing the guest OS?
• We are assuming Azure is responsible for setting up SSL and encryption services. Would Azure need support from the implementation provider or the States?
• We are assuming Azure provides infrastructure monitoring. If so, what tools are used for infrastructure monitoring, and would Azure need implementation vendor or State support?
• Does Azure test network connectivity paths to server components?
• Does Azure manage the hypervisor?
o Please provide the different cloud implementation models that your company provides as part of its IaaS offering and which meet FedRAMP moderate level rev 4 compliance.
  - Hybrid Cloud, including co-location
  - Private Cloud
  - Public or Government Cloud
o Please provide all information supporting the IaaS services, and any added capabilities, that are provided by the responding cloud provider.
  a) Different computing resource (CPU, RAM, memory, network, Internet bandwidth, etc.) offerings and associated pricing levels (see pricing section below)
    - Customer-based configuration and provisioning tools for the cloud environment, e.g., portals, APIs, etc. For example, building virtual machines with customer-defined RAM, CPU, etc. computing resources, and the time to receive allocated resources
    - Upper and lower capacity boundaries associated with client provisioning tools
  o SAN or SAN-like storage options
  o NAS storage options
  c) Network configuration options available with either provisioning tool or customer service assisted provisioning (describe the process for engaging customer service assisted provisioning for each applicable item below as available):
    o Firewall and Network Perimeter zones (prevention of DDoS) and Port Configuration
    o Intrusion Detection
    o IP Configuration for all IaaS components
    o Network segmentation and ACL rules for IP subnet capabilities between all components and environments
    o Capabilities of extending the network privately/securely to other non-cloud environments
    o Encryption in transit and at rest
    o Load Balancer
    o Switches
    o IP Address assignment and control
    o Added capabilities including:
      - Backup and Recovery Tools
      - Disaster Recovery RTOs/RPOs supported
      - Monitoring and notification support
      - SSL certificates, RSA Tokens and Dual Factor Authentication
      - O/S support
      - Active/Active Site to Site Load Balance Processing
o Define the process used to procure additional resources associated with each of the infrastructure components mentioned in the previous section
  - Define the timeline associated with execution and expansion of each component
  - Define any manual processes associated with the procurement of each of the aforementioned components
o Define the different levels of support that are provided as part of the Cloud Service Provider’s IaaS offering
  - Operating systems supported within the environments, including versions
o FISMA Data Center compliance level(s)