Table of Contents

2017 Forecast
2016 Hybrid Cloud Adoption Trends
2017 Industry Best Practices For Hybrid Cloud Implementation
How GSA Can Help You Acquire Hybrid Cloud
2017 Closing Remarks
Appendix 1: GSA Tools for Hybrid Cloud Solutions
Appendix 2: Cloud Reference Documents

2017 Forecast

In 2016, prominent cloud experts predicted the death of enterprise public cloud and the birth of agency shifts to “commodity” cloud providers. 2016 brought enterprise workload management in both on-premises and public cloud environments (what we now call hybrid clouds), as well as the difficulty of finding programmers who can develop and maintain applications in cloud environments. Meanwhile, DevOps practices proliferated to provide constant delivery and updating of applications in increasingly demanding markets. Some CSPs struggled with shifting from virtual machine hosting (which often requires the continuation of legacy processes) to using containers for increased efficiency and security.

Consequently, the outlook for hybrid cloud adoption in 2017 is very good. According to International Data Corporation (IDC), 80% of Enterprise IT organizations will commit to hybrid cloud architectures in 2017.
Agencies have been realizing the benefits of cloud solutions, and have taken their IT to another level by adding the dynamic flexibility of hybrid. IDC projects the cloud market within the Federal sector will increase to $9 billion by 2017. In a recent Gartner survey of Federal IT Managers, 75% indicated plans to implement a hybrid cloud solution by the end of 2017. Many factors contribute to the expected growth in Federal hybrid cloud adoption, and this section outlines the primary drivers.

Cloud is not a secret any longer: Agencies have been exploring cloud solutions since the emergence of the “Cloud First Policy”, a part of the Office of Management and Budget’s 25 Point Plan to Reform Federal IT. In the beginning, it was uncharted territory with many unknowns looming. As innovators forged ahead, a robust library of lessons learned has been developed. There is now a proven roadmap to cloud implementation, solid use cases, and answers to all previous concerns such as security.

Convergence of Digital Services: Many Federal agencies are beginning to embrace a customer first approach to developing new processes and technology, focusing on the experience rather than the solution. As the Digital Services Playbook gains traction, agencies will dive deeper into streamlining websites for ease of use, developing intuitive apps and portals, and making their data open. Hybrid cloud solutions such as public hosting and large volume data repositories complement and support these sites.

Security is now a strength: A major objection to diving into the cloud for early adopters was security concerns. Federal agencies have an obligation to maintain transparency of data, access and security, not to mention sorting sensitive and non-classified data sets and making them work in unison. Recent studies have shown that private clouds hosted by larger cloud service providers are more secure than on-premise solutions.
Agencies no longer have to stress about building security into their solution. FedRAMP certifications give a sense of assurance that a certified vendor is able to provide a compliant and secure hybrid environment. For those who still want to maintain control and ownership of sensitive data, hybrid technologies have allowed a seamless integration of services that include on-premises hosting of classified data, while maintaining a lower cost public cloud for public facing websites. Hybrid offers security and control, as well as cost effectiveness, resource pooling and flexibility.

Administration change: Agencies are always concerned with shrinking budgets, and election years make this even more of a concern. A new administration brings new goals and attempts to curb government spending; the easiest method is to slash budgets. Agencies are still required to achieve their mission, but innovation is required to do so. Hybrid cloud allows an agency to keep capabilities, reduce IT bloat, and become more agile for future innovation.

Streamlined Procurement: Cloud is not well suited to the procurement practices employed by the federal government. It must be treated as a utility, procured similarly to an electricity bill. Customers don’t have to forecast how much electricity they will use for the next month or more; instead they use the service and pay for what they have consumed. Cloud usage is difficult to project, especially early on in an agency's cloud experience. Coupled with the difficulties in projecting use, the market is flooded with CSPs offering endless assortments of solutions, which often results in less than optimal procurement of the best solution at the best price. The General Services Administration (GSA) is on the cutting edge of cloud technology and is working to streamline the procurement of cloud solutions through pre-competed contracts, scope reviews and other activities, which will further streamline the process.
Agencies do not have to go at it alone; there are experts with resources that will help ensure their cloud migration is a success.

Phased Approach: Agencies are able to leverage existing capabilities, focusing instead on workflows that will make the most business sense. Some systems were recently implemented, and have a steep price tag. Justifying eliminating these systems a few years after they were launched makes no sense. Instead, an agency can begin updating solutions as needed, while maintaining orchestration of existing technologies and continuation of services.

The conditions for a huge year in hybrid cloud adoption are present for 2017. The experts and practitioners agree that cloud is the solution for years of neglected and antiquated IT systems, and hybrid cloud is the path forward.

2016 Hybrid Cloud Adoption Trends

In 2016, Federal Agencies were adopting cloud as much as budgets and available technical expertise allowed, to continue towards achieving objectives outlined in the “Cloud First” policy. In particular, agencies are finding the hybrid cloud deployment model to be highly advantageous by allowing some IT resources to be supported in the public cloud while storing sensitive information in on-premise or consolidated legacy architectures.

Based on a survey of 1,060 IT enterprise technical professionals, hybrid cloud proliferation is growing as cloud users and cloud providers are maturing. Lack of resources and expertise has surpassed the challenge of ensuring sufficient security. 82% of enterprises held firm on hybrid cloud strategy between 2015 and 2016. Hybrid cloud adoption has increased by 13% year to year while overall cloud adoption has increased 2%. Cloud users are leveraging 6 clouds on average, with 17% of enterprises now having over 1,000 virtual machines in public clouds, up from 13%. Private cloud use has increased by 22% among enterprises.
Additionally, enterprise business units have shown an increased acknowledgement of central IT setting policies by 13% since last year. 38% of respondents now have established approval policies for cloud, up from 30% in 2015, signifying the growing role of cloud governance. Cost challenges continue to increase as optimization efforts lag. Few companies are taking action to minimize cloud costs by shutting down unused workloads or selecting lower-cost clouds.

Overall cloud computing growth this year has led to an increased proliferation of multi-cloud environments, including hybrid. The flexibility offered by hybrid cloud is responsible for the growing numbers stated above. Agencies no longer have to ‘discard’ IT investments in order to move to the cloud. Hybrid allows agencies to phase in an updated IT solution over the course of time. Many IT leaders view hybrid as a safer alternative to moving everything to the cloud at once. Hybrid allows agency-specific lessons learned to be discovered, and factors in that not all systems are suited for the cloud. It allows for the integration of the security of on-premises infrastructure with the availability and cost savings of public cloud, in a blended and well-orchestrated solution.

Adopting hybrid cloud or multi-cloud configurations effectively involves using best practices observed both in industry and government. Each agency should consider many variables, as their mission and resources differ from those they may pull lessons learned from. In any event, the following section details best practices that should be considered when implementing a hybrid cloud.

2017 Industry Best Practices For Hybrid Cloud Implementation

Create a Roadmap for Hybrid Cloud Adoption

In any migration to cloud computing, planning cannot be overdone and should not be under-emphasized.
Agencies need to look at the short and long term costs of migrating, and realize they are going to be saving money in network administration, security patching, and infrastructure modification costs to meet usage demand. To calm agency concerns about data loss and security during a migration, some system integrators will replicate the legacy applications and systems in a DEV environment so stakeholders can compare the efficiency of the cloud against the legacy solution. However, agencies need to have a clear list of milestones to complete this transition. Current best practices call for prioritizing the order of application and data migration from easy to difficult in order to most expeditiously meet the Federal OMB “Cloud First” policy mandate, as well as the Data Center Optimization Initiative effective as of August 1, 2016.

It is first important to understand the types of cloud deployment models available and how they differ from each other. The table below explains some key differences.

| Model | Cloud Infrastructure Set-up | Managed by | Location |
|---|---|---|---|
| Private cloud | The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units) | Owned, managed, and operated by the organization | On or Off-premises |
| Community cloud | The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations) | It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them | On or Off-Premises |
| Public cloud | The cloud infrastructure is provisioned for open use by the general public | Owned, managed, and operated by a Cloud Service Provider. | On the premises of the cloud provider. |
| Hybrid cloud | The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability | | |

In a Hybrid Cloud, multiple clouds work together, coordinated by a cloud broker that federates data, applications, user identity, security and other details. A hybrid cloud can be delivered by a federated cloud provider and has the capability to combine its own resources with those of other providers. The provider of the hybrid cloud must manage the cloud resources based on consumer requirements.

Considerations For Implementation

1. Integration: Integration is critical in a successful hybrid implementation. Hybrid aggregates capabilities and solutions from cloud service providers and those hosted on-site in order to leverage the best available combination. Service Oriented Architecture (SOA), Representational State Transfer (REST), Application Programming Interfaces (APIs), and cloud management and orchestration frameworks have opened up new options for integrating cloud services.
2. Composition: The appeal of hybrid cloud solutions is that they allow an agency to attain desired business outcomes by combining services and capabilities in a way that promotes agility, is budget friendly, and is secure. The hybrid model allows flexibility in terms of the length of use of each solution. Some applications may be required for only a short period of time, while others are used for years.
3. Organizational Impact: Take into consideration that hybrid cloud solutions are not traditional IT projects and their impact can be felt throughout an organization. Successful agencies have implemented coaching programs to help facilitate the change in technology and processes for their many diverse stakeholders.
2016 industry trends supported the practice of conducting an initial assessment of the current architecture and forming solid requirements. The requirements gathering process is not strictly specific to cloud; most of the points here might apply to any systems migration, even if the migration target is hosted on-premise. Industry leaders advise agencies to first identify services and/or applications to be migrated to a cloud host. The following steps should be taken:

- Conduct a thorough inventory of all current IT assets:
  o IT Infrastructure; server farms, etc., and their details:
    - Servers (including VMs) and their OS plus any middleware components.
    - Facilities where infrastructure is housed.
    - Data connections for each infrastructure grouping and their capacity.
    - List each application’s interfaces and all dependent systems.
    - Include existing systems that lie outside of IT control.
  o Applications, including:
    - Names of stakeholders for each application, including owners, systems administrators and end users.
    - Applications that can be migrated to a public vs. community vs. private cloud.
    - Current physical location of host and bandwidth availability.
    - Software licensing model (e.g., seats, servers, clients) for all applications, including cost and length of term.
    - OS, storage, processing, database, and libraries requirements.
    - Any configuration management programs and/or policies in place.
    - Network bandwidth requirements for each application, including connection type (e.g., VPN).
    - FISMA / FIPS PUB 199 impact level and security needs for each application.
    - Access controls and dependencies (e.g., MS AD, method of authentication and SSO).
    - Consider number of staff and skill set needed to maintain the application (admins, programmers).
    - The points of integration between the application and other systems.
    - Email services, such as SMTP servers for receiving outbound emails generated by the application.
    - Identify network and systems monitoring tools used by your agency’s Network Operations Center.
    - Identify messaging queues such as an Enterprise Service Bus (ESB) or other middleware.
    - What other applications depend on data furnished by the application being migrated?
  o IT Governance:
    - Consider how current on-premises compute resources are provisioned and allocated across the departments.
    - Identify who shall be delegated to review, approve, and execute the provisioning of cloud services.
    - Determine cloud services reporting requirements.
    - How shall chargebacks to sub-departments for consumed cloud services be handled? This step must not be neglected. Lack of governance of cloud services will result in a hard to manage sprawl of cloud services and runaway expenses.
    - Include a requirement for a cloud center of excellence, to promote and govern use of cloud best practices and develop a core cloud services competency.

Once requirements have been identified, the next step is to consider the following cloud services, which will help you identify the type of cloud service provider (CSP) needed.

- Virtual Machines – Operating system, number of CPUs, quantity of RAM per virtual machine
  o OS requirements:
    - Does the CSP support its current on premises OS version?
    - Can the application be modified to run on the CSP supported OS's?
- Storage Type and Amount - GB/TB per VM, GB/TB total, drive type (e.g., solid state), IOPS requirements (higher for some databases, lower for more static
- Bandwidth:
  o Include segments from agency to host and from host to public users.
  o Network topology can potentially be much more flexible in the cloud and CSPs often have varying rates for bandwidth charges depending on source and destination.
- Cloud deployment models offered by cloud service providers (CSPs):
  o Private Cloud - the most secure but most expensive
  o Public Cloud - the least expensive but possibly less secure[1]
  o Community Cloud - a little more expensive and a bit more secure
  o Hybrid Cloud - a mixture of less secure cloud infrastructure combined with much more secure on premises infrastructure

  Hybrid system example: A website that distributes information to the public is based on data residing in an on-premise ERP system. The ERP system is too costly and too risky to migrate currently. The related and dependent systems are to be migrated in phases to mitigate risk of disrupting the ERP, thus a hybrid solution is pursued.
- Cloud service models offered by CSPs:
  o IaaS - Infrastructure as a Service
  o PaaS - Platform as a Service
  o SaaS - Software as a Service
- Load balancing - As demand changes, servers can be added to or subtracted from the resource pool and traffic routed accordingly.
- Availability of a system or component expressed as 98%, 99%, etc. in a given year.
- Backup – A data copy that is sent to an off-site data storage service (could be another cloud services vendor).
- Vendor Operation and Maintenance – Vendor to provide patching of operating system and/or other components plus change management processes.

Once services are identified, consider how these cloud services will integrate with existing in house infrastructure and established in house staffing and operational processes.
  o For example, consider whether a CSP has the capability to leverage existing MS AD group policies and extend and integrate them into the new cloud infrastructure.
  o Identify current agency mission application workflow changes that may become necessary due to migration to cloud services.
- Identify current roles and responsibilities. Then identify roles and responsibilities changes necessary to incorporate cloud services.
- Identify new change management process that will include the cloud service provider (CSP). For instance, consider how much notice the CSP should give before applying OS patches to the cloud host of a mission critical application.
  o Does the CSP offer these managed services (e.g. patching) or will a systems integrator (or your agency IT staff) provide them on top of the native CSP services?
- Assess existing staffing resources, redeploy staff or hire new staff. Consider how much cloud architecture experience an administrator of a cloud hosted database should have.
- Application support impacts:
  o Review system/application support documentation for changes needed by cloud hosting.
- Legal Impacts:
  o Transactional data subject to FOIA
  o Data subject to eDiscovery or legal holds
  o Federal Records Act compliance
- Security:
  o FISMA compliance
  o ATO generation and signoff
  o FedRAMP
  o Agencies are now mandated by OMB to utilize CSPs with a FedRAMP authorization, and some may now require CSPs with FedRAMP High Baseline for classified data hosting.
  o A FedRAMP authorization held by a CSP may be leveraged by agencies when crafting their own ATOs.
- Application design considerations:
  o Will applications in the cloud be optimized for the cloud, or will apps be migrated using a “lift and shift” approach?
  o It may be easier to just re-host applications to the cloud with no optimization, but those applications may not perform as well as newly built, cloud native applications that are cloud optimized. For example, some custom-built applications may currently serve their purpose adequately. Even though they are architected for legacy on premise data centers, starting a fresh round of systems analysis, functional requirements gathering, and subsequent development to rebuild these applications may make little business sense.
  o What is the life expectancy of the application?
  o Would the application benefit from a migration to the cloud?
  o How much elasticity is there to manage varying workloads such as seasonal demand peaks?

Execute the Migration

- Migration:
  o Unit testing in the cloud hosting environment.
  o Leverage cloud benefits for ease of environment deployment to configure separate instances for Sandbox, Development, QA/UAT, and Production (or however configured and named) environments.
  o Practice and write your deployment playbook based on the Sandbox configuration and refine as you repeat it through each environment.
  o Engage super users first and then end-users in user acceptance testing.
  o Consider load testing where applicable prior to production launch – these kinds of surprises are not welcome.
- Testing:
  o Dependent systems are operating.
  o Legacy dependent systems are no longer operating.
  o Acceptance testing and signoff by all stakeholders.
- Repurpose or decommission legacy on premises software and their support contracts.
- Repurpose or dispose of on premises servers, networking switches and routers, equipment racks.
- Decommission legacy facility physical plant, e.g., backup generators, UPS, cooling, fire suppression, data circuits, and service contracts.
- Terminate real estate leases.