
CalCloud Government End-User Group

Learn about CalCloud, a suite of cloud services offered by the Department of Technology. Discover the benefits, architectural decisions, and how the User Group enhances implementation. Join the User Group to align IT efforts with strategy, recommend requirements, and communicate the cloud strategy to government leaders.


Presentation Transcript


  1. CalCloud Government End-User Group November 4, 2015

  2. Introducing… Chris Cruz, Chief Deputy Director, Operations, Department of Technology

  3. Agenda
     • Welcome
     • Introduction (Chris or myself)
     • CDFA migration of 70 apps (Hence)
     • Security (Dave)
     • Technical Architecture (Scott and Kyle)
     • Q/A

  4. What is CalCloud? CalCloud is a suite of cloud services offered by the Department of Technology, which includes:
     • IaaS - A private cloud infrastructure service:
       • O/S licenses with security updates
       • O/S licenses (customer managed patching)
       • Customer provided O/S (customer managed patching)
     • SaaS - Vendor Hosted Subscription Services (VHSS):
       • SalesForce
       • Clarity
       • Remedy on Demand
     • Lines of Business:
       • Disaster Recovery
       • Storage
       • Email
       • HR

  5. CalCloud Strategy

  6. CalCloud Architectural Decisions (diagram labels: CalCloud TOM; Cloud Service Provider Platform) The CalCloud is engineered for flexible, secure, cost-efficient, enterprise-class workloads.
     • Personalization: the usability model provides an intuitive, relevant, role-based and customizable user interface.
     • Flexible Self-Service: a flexible self-service model, which adapts to departmental needs and is able to bring future services on-board.
     • Extensibility: CalCloud is extensible with other hypervisors and OS, other storage solutions, and other compute tiers.
     • Security & Isolation: CalCloud supports multiple security standards and models and is a highly secure multi-tenancy architecture.
     • Control: CalCloud supports flexible dashboards, reporting services and service catalogs; state cloud service consumers will feel in control.
     • Enterprise-Class Scalability: the CalCloud provides enterprise-class availability and backup/restore and disaster recovery capabilities.
     • Low-Cost Accommodation: CalCloud is designed to support the need for low-cost accommodation, the ability to combine low cost with the flexibility to accommodate a wide range of diverse government requirements.

  7. Introducing… Robert Schmidt, Office of Technology (OTech) Chief, California Department of Technology

  8. Introduction of User Group
     • User Group was implemented to:
       • Align IT tactical efforts with IT strategy;
       • Ensure that the CalCloud achieves its implementation roadmap;
       • Recommend CalCloud requirements;
       • Enhance CalCloud visibility while managing implementation risk;
       • Communicate the organization’s cloud strategy to government business and IT leaders.

  9. Introduction of User Group
     • Members are responsible for:
       • Serving as change champion within their agency;
       • Aligning tactical IT implementation with IT strategy;
       • Assessing the business impact of moving IT services to the hybrid cloud.

  10. New User Group Lead: Hence Phillips - CDFA
     • CDFA has 70 applications running on CalCloud.
     • Time to deploy applications
     • Performance standards of applications
     • Ease of use for customers
     • Security
     • Lessons Learned/Tips

  11. User Group Lead Answer as a developer using CalCloud:
     • How does CalCloud help me do my job?
     • How does CalCloud solve my technical problem?
     • What do developers most appreciate about CalCloud?
     • What technical benefit do I receive from using CalCloud?

  12. CDFA CalCloud Architecture (diagram; labels shown: Internet; Mercury (Primary Web); Mars (Secondary Web); Venus (Primary DB); Earth (Utility); Jupiter (Sandbox); CDFA Network; CDFA Mail Relay)

  13. Introducing… Scott MacDonald, CalCloud Chief, California Department of Technology; Kyle E Pribilski, IBM

  14. Overview of CalCloud (diagram labels: A, B; Dedicated virtual private cloud; Shared cloud services; Control; Multiple technology platforms; Flexibility; Security and isolation; Competitive pay-as-you-go)
     • Dedicated private cloud (IaaS) for State.
     • Service hosted on State data centers and behind State network (LAN/WAN) and security.
     • Provided by a cloud service vendor (IBM).
     • CalCloud vendor provides hardware, software, portal and OS administration (patching).
     • Usage based with no initial cost to the state.
     • Self-service business model (via web portal) and low-cost service offering.

  15. “Shopping Cart” & Self-Provisioning Model (diagram: Service Catalog and Shopping Cart; Select Base Server Size: Small, Medium, Large, Extra Large; Select OS; Select Extras: Virtual Appliances, Data Encryption, Disaster Recovery, RAM, Storage, Backup)

  16. CalCloud “Shopping Cart” and self-provisioning model (2): Comprehensive Self-Service Model
     1. Shopping and provisioning:
        • Small, Medium, Large, or Extra Large VMs
        • Microsoft Windows Server, Red Hat OS or AIX
        • Add-ons including RAM, Storage and Backup
        • Infrastructure Disaster Recovery services
        • Select IDR tier (0, 1, 2)
        • Select Backup/Restore tier (0, 1, 2)
        • Pick extra memory and storage
        • Put into shopping cart
        • Build application templates and save in shopping cart
        • Press “Submit”
     2. Monitoring and reporting:
        • Performance metrics
        • Capacity metrics (total compute, storage, RAM, backup)
        • Billing data broken down by consumer
        • See open trouble tickets
        • All CalCloud consumer servers along with up/down status
        • Current CPU, RAM, and storage usage for each server
        • Total backup used and available
     3. Management and modification:
        • Upgrade or downgrade an existing VM to Small, Medium, Large, or Extra Large VM
        • Increase or decrease add-ons including RAM, Storage, and Backup
        • Stop existing IDR services
     4. Decommissioning:
        • Decommission a single image or an entire project

  17. CalCloud Flexibility (diagram). Layers: CalCloud User Access Layer; CalCloud Management & Automation Layer; CalCloud Resource Abstraction & Control Layer; CalCloud Physical Resource Layer. Each Department Virtual Private Cloud is shown with: Standard Services, My Templates, My User Roles, My Shopping Cart, My Approval Process, My Reports, My Dashboards, My Trouble Tickets, My Billing Status. CalCloud/IBM CalCloud Standard Services: Provisioning, Modifications, LDAP w/ standard user roles, Service Catalog, Two-Factor Authentication, Multi-tiered IDR, Backup/Restore, Usage & Accounting, Standard Dashboards, Standard Approval Processes, Standard Reports.

  18. CalCloud Logical Architecture Diagram (diagram). Layers: Layer 1 <<User Access – CalCloud Portal>>; Layer 2 <<Management & Automation>>; Layer 3 <<Resource Abstraction & Control>>; Layer 4 <<Modular Physical Resources / Physical Resource – Modular Addition>>. Components shown: Guides/FAQs/Videos, 2FA, Service Catalog, Shopping Cart, Trouble Tickets, Billing Status, Events Dashboard, Reporting Services, Service Automation Management, Provisioning, Image Lifecycle Mgmt, Monitoring, Trouble ticketing, Invoicing, Usage and Accounting, Reporting Warehouse, Backup/Restore, IDR, Storage and Backup Management, SIEM, LDAPs, VMware vSphere, IBM POWER VM/PowerVC, IBM Storage Virtualization Center, *z/VM, *Solaris Zones, *Xen/KVM (open source), Compute Nodes (Windows/RHEL x86), Compute Nodes (AIX on POWER), Tenant Managed AIX Environments, zLinux/DS8000, Network, Common Cloud Storage, STaaS Block Storage, Backup Storage. Also labelled: CalCloud Managed Services; CalCloud Managed Security; ** OTech Interfaces.

  19. CalCloud Logical Architecture Diagram (diagram, product view). Layers: User Access Layer; Management & Automation Layer; Resource Abstraction & Control Layer; Physical Resource Layer. Components shown: Tivoli Identity Manager, Authentication / Authorization, LDAP, Jazz/DASH Portal, CalCloud Portal and Management VMs, Consumer Dashboard, Trouble Tickets, Service Catalog, Shopping Cart, Billing Status, IBM Service Delivery Manager, Service Automation Management, SmartCloud Control Desk, Remedy, Monitoring, Usage & Accounting, Billing, Provisioning, Lifecycle Mgmt, Reporting Warehouse, Tivoli Common Reporting, Reporting, LogLogic SIEM, VMware (vCenter, vSphere, HA/DRS, vSRM), PowerVM, PowerHA, Live Partition Mobility, PowerSC, CalCloud Tenant VMs (x86 and POWER), IBM Flex System, IBM Flex Fiber Channel Interconnect, NetApp ONTAP Common Cloud Storage, Device Mgmt, Storage Mgmt, Tivoli Storage Manager, TSM for VE, SmartCloud Managed Backup, Backup Archive Agent, Policies, Storage Pools, Instant Backup, Scheduled Backup, VTL Backup Storage Arrays. Also labelled: CalCloud Managed Services; CalCloud Managed Security; ** CDT/Departmental Interfaces.

  20. CalCloud R&R

  21. CalCloud Storage Services

  22. CalCloud Tenant Space
     • A TVN is created via a number of VLANs which implement the isolated network environment.
     • Of the four tiers, only the DMZ tier has inbound access from the Internet.
     • A standard TVN provides a pre-defined number of IP addresses (therefore a pre-defined number of VMs can be supported). For tenants who require additional VMs or environments, the TVN model can be extended.
     • Tier VLANs are all /25 (128 addresses), except the Util VLAN, which is /24 (256 addresses).

  23. CalCloud Backup and Recovery Tier 1 storage provides optional services that can be selected for the storage allocated to a VM (all storage for a VM shares the same characteristics).
     • Tier 1 Backup and Recovery (BUR): Tier 1 BUR provides a Recovery Point Objective (RPO) of 1 hour with a retention period of 24 hours. Tier 1 BUR is implemented via a snapshot captured within the storage disks.
     • Tier 2 Backup and Recovery (BUR): Tier 2 BUR provides a Recovery Point Objective (RPO) of 24 hours with a retention period of fourteen days. Tier 2 BUR is implemented via a whole-VM backup to the TSM backup subsystem.
     • Restore operations are requested via the portal. For Tier 2 backups, either the entire VM or a selected file can be restored.
     • Encryption: Tier 1 storage can be encrypted on disk. Note that this is purely while the data resides on disk. As data is written to disk it is encrypted, and as it is read from disk it is decrypted.
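As an added worked example (not part of the presentation or of CalCloud's tooling), the following Python check takes the recovery points actually recorded for a VM and tests them against the Tier 1 and Tier 2 BUR promises stated on this slide; the RPO and retention values are the slide's, while the reference time and the snapshot histories are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BurTier:
    """Backup and Recovery tier as promised on slide 23."""
    name: str
    rpo: timedelta        # maximum acceptable data loss
    retention: timedelta  # how far back restore points must reach


TIER1 = BurTier("Tier 1 BUR", rpo=timedelta(hours=1), retention=timedelta(hours=24))
TIER2 = BurTier("Tier 2 BUR", rpo=timedelta(hours=24), retention=timedelta(days=14))


def check_recovery_points(tier: BurTier, points: list[datetime], now: datetime) -> list[str]:
    """Compare one VM's recorded recovery points with the tier's promise.

    Returns a list of findings; an empty list means the promise is met.
    Checked: the gap between consecutive points (data lost if the VM failed
    just before a point), the age of the newest point (data lost if it failed
    right now), and whether the oldest retained point reaches back over the
    retention window (one RPO of slack, since the point at exactly
    `retention` age may already have been expired).
    """
    findings: list[str] = []
    pts = sorted(p for p in points if p <= now)
    if not pts:
        return [f"{tier.name}: no recovery points recorded"]
    for older, newer in zip(pts, pts[1:]):
        if newer - older > tier.rpo:
            findings.append(f"{tier.name}: gap of {newer - older} ending {newer:%Y-%m-%d %H:%M} exceeds RPO {tier.rpo}")
    if now - pts[-1] > tier.rpo:
        findings.append(f"{tier.name}: newest point is {now - pts[-1]} old, exceeds RPO {tier.rpo}")
    if now - pts[0] < tier.retention - tier.rpo:
        findings.append(f"{tier.name}: oldest point is only {now - pts[0]} old, retention {tier.retention} not covered")
    return findings


# Constructed sample data (not from the presentation): a reference time and
# recovery-point histories for three hypothetical VMs.
NOW = datetime(2015, 11, 4, 12, 0)
HOURLY_OK = [NOW - timedelta(hours=h) for h in range(24)]      # 24 hourly snapshots, as Tier 1 promises
HOURLY_GAP = [p for p in HOURLY_OK
              if p not in (NOW - timedelta(hours=4), NOW - timedelta(hours=5))]  # two missed snapshots
DAILY_STALE = [NOW - timedelta(days=d) for d in range(2, 16)]  # daily backups, none in the last two days

if __name__ == "__main__":
    for label, tier, pts in (("hourly ok", TIER1, HOURLY_OK),
                             ("hourly gap", TIER1, HOURLY_GAP),
                             ("daily stale", TIER2, DAILY_STALE)):
        print(label, check_recovery_points(tier, pts, NOW) or "OK")
```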

  24. CalCloud Infrastructure Disaster Recovery (IDR)
     • Tier 1: RTO = 1 hour; RPO = 1 hour
     • Tier 2: RTO = 96 hours; RPO = 24 hours

  25. Introducing… David Langston, Branch Chief, Security Management, California Department of Technology

  26. CalCloud Security: General
     • Provide services that meet the operational and compliance requirements of the State.
       • SAM/SIMM
       • NIST
       • FedRAMP where applicable
       • Other regulatory if/where applicable
     • Ensure that vendors are conforming to best security practice.

  27. CalCloud IaaS Security: Goals
     • Provide a service that is equally or more secure than that which can be provided with a physical, dedicated infrastructure.
     • Support both mission-critical and non-mission-critical systems.
     • Provide an infrastructure that can meet the operational and compliance requirements of the State and supported agencies.

  28. CalCloud IaaS Security Stack CalCloud provides a comprehensive and tiered security model (diagram, top to bottom):
     • Workload Specific Security: HIPAA; PCI DSS; IRS 1075; SSA; other
     • The Federal Risk and Authorization Management Program (FedRAMP v2, includes NIST 800-53 Rev 4)
     • IBM + California Dept of Technology Security Controls (ISeC) (CalCloud Information Security Controls)
     • Base Level Security Profile
     • Hosted inside the California Dept of Technology’s data centers and inside Department of Technology firewall(s)

  29. CalCloud IaaS Security: Controls
     • A formal security control program is in place (based on IBM ISeC processes, cloud experience, and FedRAMP v2).
     • ~325 FedRAMP controls assessed against 25+ domains.
     • Compliance support to other authorities available (infrastructure controls only).
     • CalCloud security controls can be shared with customer security personnel under strict controls and agreements.

  30. CalCloud IaaS Security: Key Elements

  31. CalCloud IaaS Security: Compliance Status
     • CDT “Authorization to Operate” based on FedRAMP v2 signed in Sept 2015.
     • Major documents and processes in place:
       • System Security Plan
       • Security Assessment Report
       • POAM tracking process
       • Privacy Threshold and Impact Report
     • Annual review process.

  32. CalCloud IaaS Security: Then and Now
     • FedRAMP program contacted to begin formal recognition.
     • Currently, FedRAMP is very Federal Gov’t centric with no State provisions.
     • Formal recognition by FedRAMP generally requires a Federal agency sponsor.
     • FedRAMP “interested” in State/Local participation but specifics not yet determined.
     • Likely 18 - 36+ months to work with FedRAMP on a State version of FedRAMP and to obtain formal recognition.

  33. CalCloud IaaS Security: Dialog - Tenant Space

  34. Questions & Answers

  35. Thank you for Coming!! For more information, visit marketing.dts.ca.gov/calcloud and servicecatalog.dts.ca.gov/services/cloud/calcloud/calcloudoverview.html
