TSACloud Strategy 2.0
CLOUD REQUIREMENTS
CLOUD FRAMEWORK
CLOUD IMPLEMENTATION PLAN
WORKFORCE
Table of Contents
1 Introduction
2 Cloud Vision and Principles
3 Cloud Requirements
4 Cloud Framework
5 Cloud Implementation Plan
6 Workforce
7 References
Figure 1
TSA Cloud Strategy 2.0 April 2019
1 INTRODUCTION
As technology changes, federal agency information technology (IT) strategies must continue
to evolve as well. In order to achieve the TSA objectives outlined in the TSA Strategy and the
Administrator's Intent, IT is updating the TSA Cloud Strategy and is
focused on delivering on-demand access to IT services.
Cloud computing will impact not only every aspect of IT but also the operations of TSA. The
TSA Cloud Strategy outlines the change from an asset-based to a service-based IT delivery
approach and how this transformation will make TSA more efficient in achieving its mission.
To make the most of this new era of IT, TSA requires access to seamless, flexible and secure
solutions that simplify the integration, configuration and deployment of cloud services.
The intent of the TSA Cloud Strategy 2.0 is to describe how TSA will adopt and integrate
cloud-based services to achieve mission success, in accordance with relevant acquisition
laws, security protocols and architectural policies. With the publication of this document,
TSA adopts a "Cloud First" strategy for all new IT services, and a "Cloud Smart" strategy for
existing applications, with mission-critical systems utilizing a private cloud. Other applications
will be migrated to the public cloud over time.
2 CLOUD VISION AND PRINCIPLES
IT's Cloud Vision is to deliver secure, easy-to-use, rapidly provisioned IT services
that support TSA's mission. The goal is to harness the power of cloud computing
and transform the development and delivery of IT Services so that TSA can more
efficiently and effectively respond to new challenges and opportunities.
To help accomplish this goal, IT will adhere to the following principles and continue to:
• Build A Culture of Experimentation and Innovation: IT intends to build a culture of
innovation so TSA can rapidly prototype and operationalize capabilities that make
use of timely, relevant data and support TSA mission objectives.
• Adopt Only TSA-approved Cloud Solutions and Services: TSA-approved cloud
services are the only options IT will consider for any new software solutions, or
when evaluating alternatives or revisions to current software solutions.
• Employ a Software as a Service (SaaS)-first Model: TSA will utilize SaaS as its
primary approach to cloud implementation. TSA will also use Platform
as a Service (PaaS) or Infrastructure as a Service (IaaS) when necessary.
If an existing TSA cloud vendor SaaS solution meets the operational/mission
need, TSA will use it. SaaS vendors are constantly updating and improving their
services at a rate faster than the federal government can achieve alone.
• Systematically Retire or Replace Legacy Applications: Legacy applications have
a high cost of ownership, are difficult to modify to meet operational demands,
require a legacy skillset that fewer and fewer people possess, and in many cases
do not adequately meet compliance requirements. Adoption of software services
hosted in the cloud, or development of applications that are written to take
advantage of the scalability and flexibility of the cloud, are needed to replace and
modernize these legacy applications.
• Enable a Mobile Workforce: Most SaaS solutions readily enable a mobile
workforce, which is becoming more critical to achieving strategic priorities.
Employees should no longer be tied to desktop systems. Access to data and
applications on mobile devices is required to enhance situational awareness.
• More Efficiently and Effectively Manage TSA Data: The data TSA systems and
operations generate continues to grow exponentially. For example, TSA's plans
to implement Advanced Passenger Screening capabilities are dependent on
the ability to collect and analyze large amounts of data. Therefore, elasticity of
storage and computing capability available through cloud solutions is essential to
success. In addition, TSA will continue to develop data classification and security
standards that ensure compliance with relevant security and user requirements.
3 CLOUD REQUIREMENTS
TSA cloud solutions have three fundamental requirements that are essential to TSA's
approach to cloud computing and will govern the migration to the cloud.
• Compliance (Security and Architecture). TSA cloud solutions must be certified by
the Federal Risk and Authorization Management Program (FedRAMP), comply with
the TSA Cloud Security Handbook, and be implemented in accordance with the
Enterprise Architecture Service Model and Cost Model.
• Flexibility (Open Architecture). One important element of ensuring flexibility is the
use of open architectures and industry standard technologies. The use of open
architectures avoids reliance on a single vendor, reduces the risk of technology
shifts, lowers total cost of ownership and leverages a wide base of industry
expertise in hardware, software and services.
• Integration. By using an integrated approach to cloud planning, architecture,
hybrid deployment and operation, TSA ensures it is optimizing existing and future
investments, reducing complexity and transcending boundaries.
4 CLOUD FRAMEWORK
Deploying new "cloud native" services and migrating existing services to cloud-based
solutions will take considerable time and effort. TSA is establishing a set of base services
and will deploy cloud solutions to a heterogeneous mix of environments. TSA will focus on
delivering timely solutions with enhanced security and performance at a lower cost to
the Agency.
TSA is adopting a hybrid cloud architecture: a cloud computing environment that uses a mix
of on-premises, private cloud and third-party, public cloud services. As shown in Figure 1,
sensitive data will be stored in a TSA data center with transaction data residing with the
applications operating in the cloud.
[Figure 1 diagram: "Hybrid Multi-Cloud" at the top; "Highly Sensitive" data held in the "On-Premise or Private" tier, with Read/Write arrows between it and the cloud-hosted applications.]
Figure 1 Target framework for the adoption of cloud services
The TSA Cloud Framework will employ the following cloud service models to achieve
agency objectives:
• Software as a Service (SaaS):
Definition: Use of a software distribution model in which third-party software
providers host applications, making them available over the Internet.
Software is licensed on a subscription basis. SaaS applications are typically
accessed via a web browser. SaaS is the target delivery model for many
"business type" applications, including office software (email), messaging
software, payroll processing software, management software, collaboration,
customer relationship management (CRM), Management Information
Systems (MIS), enterprise resource planning (ERP), invoicing, human resource
management (HRM), talent acquisition, learning management systems, content
management (CM), and service desk management.
The use of SaaS for new applications or refactored applications will be
implemented across support organizations or field operations. These support
services, such as training, timekeeping, scheduling, case management, or service
requests, will be SaaS First. Examples include software solutions offering core IT
capabilities such as email, collaboration, and document management. The goal is
to accelerate adoption of SaaS solutions in support of these common
use applications.
• Infrastructure as a Service (IaaS) - Private Cloud:
Definition: Private cloud refers to cloud computing in which IT services are
provisioned over private IT infrastructure for the dedicated use of TSA. These
private clouds will be managed via internal TSA resources. Provisioning of private
cloud services will be contractor operated, deployed on virtualized infrastructure
as a service and managed through existing on-premises data centers.
The use of private cloud services will focus on mission unique applications
that must scale and transform in an agile and dynamic fashion. These are the
solutions supporting mission critical processes such as vetting and intelligence.
• Infrastructure as a Service/Platform as a Service - Government Cloud:
Definition: A pool of virtual resources developed from hardware owned and
managed by a third-party company.
Infrastructure as a Service provides virtualized servers, networks, storage and
systems software designed to augment or replace the functions of an entire
data center.
Platform as a Service provides virtualized servers on which users can run existing
applications or develop new ones without having to worry about maintaining the
operating systems, server hardware, load balancing or computing capacity.
Under these services TSA is able to automatically provision and allocate among
multiple clients through a self-service interface. These services provide for
TSA an ability to utilize and scale resources as needed, only incurring costs
when provisioned.
The use of these services will be available for existing custom applications
hosted in the on-premises data centers that can be refactored or rehosted
within the cloud. TSA intends to utilize a decision framework for existing legacy
applications to determine which ones will be refactored or rehosted in the cloud
on IaaS or PaaS. The approach will start by enabling DevSecOps to focus on
applications with supporting development teams to best capitalize on cloud
native services.
5 CLOUD IMPLEMENTATION PLAN
As part of the Agency's effort to develop and implement the TSA Cloud Strategy, IT is taking
the following actions:
1. Establish a Digital Services Team (DST)
In April 2018, IT formed the Digital Services Team to support TSA mission
operations and provide new, more efficient methods of delivering solutions across
the Agency.
The DST continues to focus on the rapid delivery of mission and business value
by establishing new end-to-end service delivery models. The DST is ultimately
responsible for implementing TSA's Cloud Strategy. The DST's first project is to
rapidly deliver mission-essential applications using the CRM platform
Salesforce.com.
Like the U.S. Digital Services team, the TSA DST will continue to be guided by
industry best practices for delivering modern, cloud-native software. The DST
will use systems thinking, user-centered design, iterative development, cost
transparency, and the adoption of frictionless customer engagement models to
achieve agency goals and objectives.
2. Establish a Cloud Team
The Cloud Team will serve as the central point of process development, direction
and communication for TSA's cloud transformation. The team will serve as a
permanent operational and governing body that directs and guides all aspects of
TSA cloud programs, from first implementation through ongoing operations, thereby
serving as TSA's "cloud center of excellence."
In addition to developing relevant programmatic, architectural, and security
processes, the cloud team will be responsible for the following:
• Project management
• Technical recommendations
• Application owner onboarding
• Technology training
• Risk and security recommendations
• Organizational change management and training
• Financial governance
• Operational services and governance
• Vendor management
3. Conduct Application Analysis and Data Discovery
It is imperative that IT understands TSA operations in order to effectively build or
refactor applications for cloud migration. This includes the functional, technical,
data relationship, infrastructure and security requirements of each application,
which will enable IT to categorize applications and identify potential
cloud-based solutions.
However, in some cases, cloud solutions will not be appropriate, and it will be
necessary to build and/or maintain applications in the DHS Data Center. For
this reason, the cloud team will implement a hybrid cloud network in which the
public cloud provider is connected to a private Multiprotocol Label Switching
(MPLS) circuit. Using this model, cloud-based applications can access legacy
on-premises services while still gaining the benefits of a cost-efficient, modern
and agile infrastructure.
The intent of the application discovery is to:
a) Identify server and application dependencies
b) Identify risks
c) Determine the migration strategy
d) Create a migration plan
e) Determine trade-offs and opportunities
f) Identify a target cloud environment and type of cloud
(SaaS, PaaS or IaaS)
g) Right-size resources in the cloud
h) Estimate the run rate of the resources in the cloud
Once the data is assembled and analyzed, the cloud team will use it to determine if
migration is appropriate and develop its Plan of Action.
4. Bring in Other Stakeholders
The success of cloud initiatives for TSA depends on the ability of people,
processes, and technology to deliver on the value promised. It is critical that
operations stakeholders in executive, financial, legal, and procurement areas
have sufficient understanding of the cloud to ensure the most effective solutions.
IT intends to initiate an engagement program that provides key information to
stakeholders throughout the process of cloud migration and cloud operation.
5. Build a Core Cloud Infrastructure Starting with Minimum Viable Solution
As a starting point, TSA has selected Salesforce as the first production instance
for SaaS and Microsoft Azure Cloud Services for the first production applications
running on IaaS.
TSA intends to continuously improve and evolve its cloud infrastructure to make
better use of native cloud services as they become available.
6. Assess and Establish Security Architecture and Processes
Security processes and tools will be incorporated as repeatable patterns in the
overall cloud implementation. Starting with FedRAMP-certified providers, the
overall control objectives will be determined by incorporating relevant federal
standards (NIST, FISMA, DHS) as required.
Cloud security architecture is effective when the correct monitoring and defensive
implementations are in place. Establishing an efficient cloud security architecture
will recognize and close gaps presented in a hybrid cloud model. TSA intends
to implement a security solution to safeguard systems and reduce the effect
of attacks. Cybersecurity controls currently in place will continue within the TSA
cloud security solution and include the following:
• Deterrent controls will minimize attacks on a cloud system. Deterrent
controls help reduce the threat level by informing potential attackers that
there will be adverse consequences for them if they proceed.
• Detection controls will be used to identify any incidents that occur. These
controls include system and network security monitoring, such as intrusion
detection and prevention systems that will be employed to detect attacks on
cloud systems and the supporting infrastructure.
• Respond controls will reduce the consequences of an incident, normally by
reacting to an incident, conducting remediation and minimizing the damage.
They come into effect during or after an incident.
7. Plan for Governance
TSA must implement a continuous governance model, operating software that is
constantly monitoring the environment and optimizing the consumption and usage
of services in the cloud. Governance will encompass a combination of security,
risk, compliance and finance controls.
8. Prepare for Migration to the Cloud
Depending on the complexity, age and architecture of the application, the level
of effort (people/resources, processes, technology) to migrate an application to
the cloud can range greatly. Migration activities may include one or more of the
following actions:
• Rearchitect: Enable the application software to run on the new
cloud platform.
• Refactor: Make code level changes to allow the application to realize the
benefits of cloud services.
• Rehost: Migrate the application and data directly to the cloud platform
as is, generally referred to as "Lift and Shift." This approach does not
necessarily realize all of the cloud benefits.
• Retire: Decommission applications that are no longer in use or are
replaced by services replicated within the cloud.
• Retain: Maintain all or some portion of an application in the
on-premises data center.
TSA will utilize a structured decision framework to identify potential use cases
for cloud computing, analyzing the benefits and challenges associated with
specific applications.
TSA will establish risk management processes to assess the risks associated with
security, availability and compliance of cloud solutions. These processes will enable
TSA to weigh these considerations against cloud-based benefits.
6 WORKFORCE
It is imperative that TSA infuse its workforce with the key skills to move the TSA Cloud
Strategy forward. As TSA adopts and migrates to cloud platforms, the impact these
migrations will have on the TSA workforce needs to be examined, along with identification
of potential skill gaps. For example, migration to cloud technologies may reduce the need
for IT hardware management but increase the need for programming skills in the use of
Infrastructure as Code. TSA will also need to equip the Agency's acquisition staff with
additional skills and knowledge to keep up with the ever-expanding list of technology options
available to procure. In accordance with the Federal Government's Cloud Smart Strategy, TSA
will update its cloud execution plan and relevant policies with a workforce development and
planning component that will include the following topics and activities:
1. Identifying skill gaps for current and future work roles
2. Reskilling and retaining current federal employees
3. Recruiting and hiring to address skill gaps
4. Enhancing employee communication, engagement
and transition strategies
5. Removing bureaucratic barriers to hiring talent expeditiously
7 REFERENCES
Sources and references include industry and analyst research, government references, press
publications, and TSA internal documents.
• Approved Cloud Technologies
• Administrator's Intent
• Federal Information Security Management Act (FISMA)
• Federal Risk and Authorization Management Program (FedRAMP)
• Salesforce.com
• TSA Cloud Guidance Library
• TSA Cloud Security Handbook
• TSA Enterprise Cloud Architecture Framework
• TSA IT Cloud Strategy v1.0
• TSA Strategy
• U.S. Digital Service
• National Institute of Standards and Technology (NIST) Definition
of Cloud Computing