TSACloud Strategy 2 Government... · The approach will start by enabling DevSecOps to focus on...


TSA Cloud Strategy 2.0

CLOUD REQUIREMENTS

CLOUD FRAMEWORK

CLOUD IMPLEMENTATION PLAN

WORKFORCE


Table of Contents

1 Introduction

2 Cloud Vision and Principles

3 Cloud Requirements

4 Cloud Framework

5 Cloud Implementation Plan

6 Workforce

7 References

Figure 1


TSA Cloud Strategy 2.0 April 2019

1 INTRODUCTION

As technology changes, federal agency information technology (IT) strategies must continue

to evolve as well. In order to achieve TSA objectives outlined in the TSA Strategy and the

Administrator's Intent, Information Technology (IT) is updating the TSA Cloud Strategy and is

focused on delivering on-demand access to IT services.

Cloud computing will impact not only every aspect of IT but also the operations of TSA. The

TSA Cloud Strategy outlines the change from an asset-based to a service-based IT delivery

approach and how this transformation will make TSA more efficient in achieving its mission.

To make the most of this new era of IT, TSA requires access to seamless, flexible and secure

solutions that simplify the integration, configuration and deployment of cloud services.

The intent of the TSA Cloud Strategy 2.0 is to describe how TSA will adopt and integrate

cloud-based services to achieve mission success, in accordance with relevant acquisition

laws, security protocols and architectural policies. With the publication of this document,

TSA adopts a "Cloud First" strategy for all new IT services, and a "Cloud Smart" strategy for

existing applications with mission critical systems utilizing a private cloud. Other applications

will be migrated to the public cloud over time.


2 CLOUD VISION AND PRINCIPLES

IT's Cloud Vision is to deliver secure, easy-to-use, rapidly provisioned IT services

that support TSA's mission. The goal is to harness the power of cloud computing

and transform the development and delivery of IT Services so that TSA can more

efficiently and effectively respond to new challenges and opportunities.

To help accomplish this goal, IT will adhere to the following principles and continue to:

• Build A Culture of Experimentation and Innovation: IT intends to build a culture of

innovation so TSA can rapidly prototype and operationalize capabilities that make

use of timely, relevant data and support TSA mission objectives.

• Adopt Only TSA-approved Cloud Solutions and Services: TSA-approved cloud

services are the only options IT will consider for any new software solutions, or

when evaluating alternatives or revisions to current software solutions.

• Employ a Software as a Service (SaaS)-first Model: TSA will utilize SaaS as its

primary approach to cloud implementation. TSA will also use Platform

as a Service (PaaS) or Infrastructure as a Service (IaaS) when necessary.

If an existing TSA cloud vendor SaaS solution meets the operational/mission

need, TSA will use it. SaaS vendors are constantly updating and improving their

services at a rate faster than the federal government can achieve alone.

• Systematically Retire or Replace Legacy Applications: Legacy applications have

a high cost of ownership, are difficult to modify to meet operational demands,

require a legacy skillset that fewer and fewer people possess, and in many cases

do not adequately meet compliance requirements. Adoption of software services

hosted in the cloud, or development of applications that are written to take

advantage of the scalability and flexibility of the cloud, are needed to replace and

modernize these legacy applications.


• Enable a Mobile Workforce: Most SaaS solutions readily enable a mobile

workforce, which is becoming more critical to achieving strategic priorities.

Employees should no longer be tied to desktop systems. Access to data and

applications on mobile devices is required to enhance situational awareness.

• More Efficiently and Effectively Manage TSA Data: The data TSA systems and

operations generate continues to grow exponentially. For example, TSA's plans

to implement Advanced Passenger Screening capabilities are dependent on

the ability to collect and analyze large amounts of data. Therefore, elasticity of

storage and computing capability available through cloud solutions is essential to

success. In addition, TSA will continue to develop data classification and security

standards that ensure compliance with relevant security and user requirements.


3 CLOUD REQUIREMENTS

TSA cloud solutions have three fundamental requirements that are essential to TSA's

approach to cloud computing and will govern the migration to the cloud.

• Compliance (Security and Architecture). TSA cloud solutions must be certified by

the Federal Risk and Authorization Management Program (FedRAMP), comply with

the TSA Cloud Security Handbook, and be implemented in accordance with the

Enterprise Architecture Service Model and Cost Model.

• Flexibility (Open Architecture). One important element of ensuring flexibility is the

use of open architectures and industry standard technologies. The use of open

architectures avoids reliance on a single vendor, reduces the risk of technology

shifts, lowers total cost of ownership and leverages a wide base of industry

expertise in hardware, software and services.

• Integration. By using an integrated approach to cloud planning, architecture,

hybrid deployment and operation, TSA ensures it is optimizing existing and future

investments, reducing complexity and transcending boundaries.


4 CLOUD FRAMEWORK

Deploying new "cloud native" services and migrating existing services to cloud-based

solutions will take considerable time and effort. TSA is establishing a set of base services

and will deploy cloud solutions to a heterogeneous mix of environments. TSA will focus on

delivering timely solutions with enhanced security and performance at a lower cost to

the Agency.

TSA is adopting a hybrid cloud architecture: a cloud computing environment that uses a mix

of on-premises, private cloud and third-party, public cloud services. As shown in Figure 1,

sensitive data will be stored in a TSA data center with transaction data residing with the

applications operating in the cloud.

[Figure 1: Target framework for the adoption of cloud services. Diagram labels: Hybrid Multi-Cloud; Highly Sensitive; On-Premise or Private; Read/Write.]


The TSA Cloud Framework will employ the following cloud service models to achieve

agency objectives:

• Software as a Service (SaaS):

Definition: Use of a software distribution model in which third-party software

providers host applications making them available over the Internet.

Software is licensed on a subscription basis. SaaS applications are typically

accessed via a web browser. SaaS is the target delivery model for many

"business type" applications, including office software (email), messaging

software, payroll processing software, management software, collaboration,

customer relationship management (CRM), Management Information

Systems (MIS), enterprise resource planning (ERP), invoicing, human resource

management (HRM), talent acquisition, learning management systems, content

management (CM), and service desk management.

The use of SaaS for new applications or refactored applications will be

implemented across support organizations or field operations. These support

services such as training, timekeeping, scheduling, case management, or service

requests will be SaaS First. Examples include software solutions offering core IT

capabilities such as email, collaboration, and document management. The goal is

to accelerate adoption of SaaS solutions in support of these common

use applications.

• Infrastructure as a Service (IaaS) - Private Cloud:

Definition: Private cloud refers to cloud computing in which IT services are

provisioned over private IT infrastructure for the dedicated use of TSA. These

private clouds will be managed via internal TSA resources. Provisioning of private

cloud services will be contractor operated, deployed on virtualized infrastructure

as a service and managed through existing on-premises data centers.

The use of private cloud services will focus on mission unique applications

that must scale and transform in an agile and dynamic fashion. These are the

solutions supporting mission critical processes such as vetting and intelligence.


• Infrastructure as a Service/Platform as a Service - Government Cloud:

Definition: A pool of virtual resources developed from hardware owned and

managed by a third-party company.

Infrastructure as a Service provides virtualized servers, networks, storage and

systems software designed to augment or replace the functions of an entire

data center.

Platform as a Service provides virtualized servers on which users can run existing

applications or develop new ones without having to worry about maintaining the

operating systems, server hardware, load balancing or computing capacity.

Under these services TSA is able to automatically provision and allocate among

multiple clients through a self-service interface. These services provide for

TSA an ability to utilize and scale resources as needed, only incurring costs

when provisioned.

The use of these services will be available for existing custom applications

hosted in the on-premises data centers that can be refactored or rehosted

within the cloud. TSA intends to utilize a decision framework for existing legacy

applications to determine which ones will be refactored or rehosted in the cloud

on IaaS or PaaS. The approach will start by enabling DevSecOps to focus on

applications with supporting development teams to best capitalize on cloud

native services.


5 CLOUD IMPLEMENTATION PLAN

As part of the Agency's effort to develop and implement the TSA Cloud Strategy, IT is taking

the following actions:

1. Establish a Digital Services Team (DST)

In April 2018, IT formed the Digital Services Team to support TSA mission

operations and provide new, more efficient methods of delivering solutions across

the Agency.

The DST continues to focus on the rapid delivery of mission and business value

by establishing new end-to-end service delivery models. The DST is ultimately

responsible for implementing TSA's Cloud Strategy. The DST's first project is to

rapidly deliver mission-essential applications using the CRM platform

Salesforce.com.

Like the U.S. Digital Services team, the TSA DST will continue to be guided by

industry best practices for delivering modern, cloud-native software. The DST

will use systems thinking, user-centered design, iterative development, cost

transparency, and the adoption of frictionless customer engagement models to

achieve agency goals and objectives.

2. Establish a Cloud Team

The Cloud Team will serve as the central point of process development, direction

and communication for TSA's cloud transformation. The team will serve as a

permanent operational and governing body that directs and guides all aspects of

TSA cloud programs, from first implementation through ongoing operations, thereby

serving as TSA's "cloud center of excellence."

In addition to developing relevant programmatic, architectural, and security

processes, the cloud team will be responsible for the following:

• Project management

• Technical recommendations

• Application owner onboarding

• Technology training

• Risk and security recommendations


• Organizational change management and training

• Financial governance

• Operational services and governance

• Vendor management

3. Conduct Application Analysis and Data Discovery

It is imperative that IT understands TSA operations in order to effectively build or

refactor applications for cloud migration. This includes the functional, technical,

data relationship, infrastructure and security requirements of each application,

which will enable IT to categorize applications and identify potential

cloud-based solutions.

However, in some cases, cloud solutions will not be appropriate, and it will be

necessary to build and/or maintain applications in the DHS Data Center. For

this reason, the cloud team will implement a hybrid cloud network in which the

public cloud provider is connected to a private Multiprotocol Label Switching

(MPLS) circuit. Using this model, cloud-based applications can access legacy

on-premises services while still gaining the benefits of a cost-efficient, modern

and agile infrastructure.

The intent of the application discovery is to:

a) Identify server and application dependencies

b) Identify risks

c) Determine the migration strategy

d) Create a migration plan

e) Determine trade-offs and opportunities

f) Identify a target cloud environment and type of cloud

(SaaS, PaaS or IaaS)

g) Right-size resources in the cloud

h) Estimate the run rate of your resources in the cloud

Once the data is assembled and analyzed, the cloud team will use it to determine if

migration is appropriate and develop its Plan of Action.


4. Bring in Other Stakeholders

The success of cloud initiatives for TSA depends on the ability of people,

processes, and technology to deliver on the value promised. It is critical that

operations stakeholders in executive, financial, legal, and procurement areas

have sufficient understanding of the cloud to ensure the most effective solutions.

IT intends to initiate an engagement program that provides key information to

stakeholders throughout the process of cloud migration and cloud operation.

5. Build a Core Cloud Infrastructure Starting with Minimum Viable Solution

As a starting point, TSA has selected Salesforce as the first production instance

for SaaS and Microsoft Azure Cloud Services for the first production applications

running on IaaS.

TSA intends to continuously improve and evolve its cloud infrastructure to make

better use of native cloud services as they become available.

6. Assess and Establish Security Architecture and Processes

Security processes and tools will be incorporated as repeatable patterns in the

overall cloud implementation. Starting with FedRAMP-certified providers, the

overall control objectives will be determined by incorporating relevant federal

standards (NIST, FISMA, DHS) as required.

Cloud security architecture is effective when the correct monitoring and defensive

implementations are in place. Establishing an efficient cloud security architecture

will recognize and close gaps presented in a hybrid cloud model. TSA intends

to implement a security solution to safeguard systems and reduce the effect

of attacks. Cybersecurity controls currently in place will continue within the TSA

cloud security solution and include the following:

• Deterrent controls will minimize attacks on a cloud system. Deterrent

controls help reduce the threat level by informing potential attackers that

there will be adverse consequences for them if they proceed.

• Detection controls will be used to identify any incidents that occur. These

controls include system and network security monitoring, such as intrusion

detection and prevention systems that will be employed to detect attacks on

cloud systems and the supporting infrastructure.


• Respond controls will reduce the consequences of an incident, normally by

reacting to an incident, conducting remediation and minimizing the damage.

They come into effect during or after an incident.

7. Plan for Governance

TSA must implement a continuous governance model, operating software that is

constantly monitoring the environment and optimizing the consumption and usage

of services in the cloud. Governance will encompass a combination of security,

risk, compliance and finance controls.

8. Prepare for Migration to the Cloud

Depending on the complexity, age and architecture of the application, the level

of effort (people/resources, processes, technology) to migrate an application to

the cloud can range greatly. Migration activities may include one or more of the

following actions:

• Rearchitect: Enable the application software to run on the new

cloud platform.

• Refactor: Make code level changes to allow the application to realize the

benefits of cloud services.

• Rehost: Migrate the application and data directly to the cloud platform

as is, generally referred to as "Lift and Shift." This approach does not

necessarily realize all of the cloud benefits.

• Retire: Decommission applications that are no longer in use or are

replaced by services replicated within the cloud.

• Retain: Maintain all or some portion of an application in the

on-premises data center.

TSA will utilize a structured decision framework to identify potential use cases

for cloud computing, analyzing the benefits and challenges associated with

specific applications.

TSA will establish risk management processes to assess the risks associated with

security, availability and compliance of cloud solutions. These processes will enable

TSA to weigh these considerations against cloud-based benefits.


6 WORKFORCE

It is imperative that TSA infuse its workforce with the key skills to move the TSA Cloud

Strategy forward. As TSA adopts and migrates to cloud platforms, the impact these

migrations will have on the TSA workforce needs to be examined along with identification

of potential skill gaps. For example, migration to cloud technologies may reduce needs

for IT hardware management but increase the need for programming skills in the use of

Infrastructure as Code. TSA will also need to equip the Agency's acquisition staff with

additional skills and knowledge to keep up with the ever-expanding list of technology options

available to procure. In accordance with the Federal Government's Cloud Smart Strategy, TSA

will update its cloud execution plan and relevant policies with a workforce development and

planning component that will include the following topics and activities:

1. Identifying skill gaps for current and future work roles

2. Reskilling and retaining current federal employees

3. Recruiting and hiring to address skill gaps

4. Enhancing employee communication, engagement

and transition strategies

5. Removing bureaucratic barriers to hiring talent expeditiously


7 REFERENCES

Sources and references include industry and analyst research, government references, press

publications, and TSA internal documents.

• Approved Cloud Technologies

• Administrator's Intent

• Federal Information Security Management Act

• Federal Risk and Authorization Management Program (FedRAMP)

• Salesforce.com

• TSA Cloud Guidance Library

• TSA Cloud Security Handbook

• TSA Enterprise Cloud Architecture Framework

• TSA IT Cloud Strategy v.1.0

• TSA Strategy

• U.S. Digital Service

• National Institute of Standards and Technology (NIST) Definition

of Cloud Computing
