GSA Cloud Reverse Industry Training: Cloud Management Evolution

GSA Cloud Reverse Industry Training: Cloud Management Evolution

Show Video

Good, afternoon everybody and welcome. To the final session. Cloud. Management, cloud evolution, and what's next. So. You've heard the previous panels take, you through the cloud, journey, starting. With. You. Know the. Whole cloud strategy what do you need to. Buy. How you procure, it and, how. Do you migrate your workloads and again, what we are going to do is focus, on. What. Comes next what happens when you actually, implement. Your. Workloads in the cloud, how. Do you actually operate in the cloud. So. Again. My name is moses merchant, I'm from, julius. And. We. Have a great panel over here for you, for. This event. Starting. With, because. Sharma. On, my left. Because. Is the chief, Solutions, Architect at. Saver. Tech. Because. 30, seconds, what's your favorite. Loud acronym, or buzz word. My. Favorite buzz, word it transformational. And, I'll. Explain it. Okay. Well, okay. Whoo. Next. Up over there on the far. Right. Over there is. Adam. Claytor. And. Adam. Is the chief architect, at the, North America, public sector division of Red Hat, yeah. Thanks for having me your. Your favorite buzz word cloud story yeah, so I think you. Know one of the things that I've heard is when, you're when your cloud bill gets to around. $100,000. Your cloud salesperson, never stops. Calling you but, when it gets to a million dollars they never call you back all right and so it's it's, just the idea of how do we put, how. Do we put the control back in the consumer, of cloud right rather than having folks locked in and I hope we're. Talk a lot about that and how to make, sure our workloads are portable and we're smart, consumers, of cloud as we enter into all this. Excellent. Finally, we have, Dan. Prieto. And. Dan is the. Strategic. Executive. From. A small company called Google. They. Make search, engines. Dan. What. Is the airspeed velocity of, an unladen swallow, I. Had. To Google this 11, riders. Per second. African. Swallow. 11.15. Meters. Per second. I. Don't. Know if it's so much a story but I think given, the composition, of much of the audience today acquisition, professionals, I think it's important, to realize. Sort, of the. Brave. New world that we're entering. The. Federal acquisition register. The far. Includes. The word cloud, exactly. Zero times, if. You extend, that search, to the D far the word cloud shows up six times, OMB. A-133. Strategic. Management, of IT, which. Was just updated in mid-to-late. 2016. Only includes the word cloud three, times. So. And I I was, at the White House at the time on the National Security Council staff I was a DoD prior to that it I helped. You. Know push that document, out times, they are a-changin, and that's, really the focus of the. Conversation today and it's not just about understanding, tech it's, about understanding, the impact on business, and culture of that tech so I think that's really gonna be a lot of the focus of our talk today all. Right. Folks. We have some really, smart people on the stage over here. Barring, myself. So. Then without any further ado, let's. Jump, into the discussion, over here let's start with an important, milestone. Soph you have. Already crossed it. Some. Of you are getting. Over. There very soon and making your way towards it. And. That's deploying, your first, application. In, the cloud, right. So. Because.

Let Me start with you you know you've successfully deployed your first application, the. Ones complaining. So. In your experience what are the important things that one, should be thinking about at this stage what. Do you need to do at a strategic, and operational, level at, this stage right, thank. You thank you much. So. First I'll start with admitting. It's bit of a hypothetical question. Because. Given, the size and organization. Structure of the agencies there. Won't be one they. Will be many, two. Three one. Program one per program officer, center or, service. Or business unit, so. They'll all be going, to the cloud but this question when. The panel selected it was, intended, to be a table. Setter for the conversation that follows. And. Let. Me try, start. Off that conversation. What. We want to do it, folks, do a lot of stuff after. They achieve so. You just got your first system and ATO, production. ATO in. Your enterprise cloud environments, a lot of stuff has already happened before. You, did that but. At, this point when your first. ATO, is granted, I. Would. Strongly, urge people, to. Use. This first experience, as a learning. Experiment. And. Gather. And leverage those lessons, learned across the entire enterprise. How. Do we do that we do an enterprise. Retrospective. You. Can get some agile coaches acquire. Services, or some agile coaches to help you along with their activity, but, at a minimum your. Group of people, who are engaged in this retrospective are, your system developers. And. Owners your. Mission folks, IT. Operations and. Infrastructure. And. Absolutely. Acquisitions. There. Are some critical lines of inquiry here okay, as to. What. Do we do next. So. How is our experience okay, how long did it take how, many groups did it involve were. There shortcomings. In our system or architecture and and configurations. That, we had to overcome the. System, meet performance requirements. Not only for itself but every upstream. And downstream dependencies. That. The system has, was. The process of deployment, automated, if. We keep to our current process how many updates and, deployments.

Can We do. Okay. What. Changes do we need to make in our operations. Okay. - for, this system. When. Do we know if something happened, to that system in production. What is our contingency. Plans disaster, recovery, RTO. And RPO recovery. Time, objective, and recovery. Point objective. Halling. How long did the ATO process take do. We expect all following systems to follow the same process or. Are, we going to somehow change it. How. Do we update or, do we need to update our enterprise, threat model, okay. Because of this new reality of there. Being a cloud in our environment. What. Security, events do we need to now. Monitor. An address. Okay. And, are. You seeing the cost savings that you perhaps expected, to see very. Important and, why. And why not. Finally. We're trying to do this because. We. Want to learn, lessons - how to do this faster. And cheaper. Okay. So. That's, a pretty, significant, list, and then, and. The. Question naturally arises right. That why should we do this okay. Seems, a long list a lot of very complicated things and, for, that we, have to kind, of step back a bit and. Tell. It a story okay. Well. After all we've been running you know we've been developing systems, and running infrastructures, for decades now why, do we have to suddenly, everything. Has to change, okay. What's new okay. What happened, okay. So. To answer. That you know it's it's, it's necessary, to take a step back and kind of, talk. About a particular, story. First. Of all everybody knows you know clouds the, class. Of thing right now okay, oh he's doing it he's. Going to the cloud cloud. Adoption we, had a little discussion up in the morning about cloud adoption but an option racer, very. Nice, okay. To. Me the question was why, what's. Why, are people going to the cloud. Okay. So we started looking and. Obviously. What happened was we found out you, know sure capacity, and lastly see elasticity. On demand and, cost-effectiveness. Was the top tucán. Why people, were moving to the cloud but. There. Were a whole bunch of other reasons okay. And why they were moving. So. And. Then. Other. Thing that was caught my attention, was certain, leadership. And industry that. Understood, the cloud platform. To be that. Innovation. That. Transformational. Technology. That. Allows, them to change. Their, organizations. To. Finally. Transform, their organizations, into what, they always wanted, what. Do, you folks want is nothing, different from what those guys want. More. Organizational. Responsiveness, to the mission, more. Business agility. Okay. And that. The stories are no different out in industry or in government is everybody. Is really, looking for that. Responsiveness, in the organization, and the business agility and. So. That was a big reason for why they were they finally recognized cloud as that enabling technology. Now it but what, is the cloud is something new okay. To really get overwhelmed. About it for. Me as a as a person. Who's been dealing with a cloud for a while I know. Most. Of the best technologies, within the cloud. Exist. In your enterprise right now. Virtualization. Containers. All. That stuff this block. Storage object, storage everything, every base technology, that exists the cloud exists in your enterprise right now so what's new. Ok. Well. What. The cloud really did was, put. That in a really. Smart. New package. So. If the internet gave us the global communication, infrastructure. Think. Of the cloud as giving you the global compute. Infrastructure, to go along with it and. All. Of that. Just. You, get to go to our website present. Your credit card and use, every, one of these great ideas in, computing that we have put together in that package. That's.

New. Ok. How we, deliver these, compute, services, back, to the end-users that's new. Ok. And. What. Really this, enabled. Was. Almost. Transformational. CEOs. And leadership, out and industry have. Completely. Revamped their business models, they, have created entirely new business models, and, they. Have brought about more than anything else the kind of transformation they were looking for and. So. That's why you have to learn the lessons because the package, does those uses, the same base technologies, in a slightly different way to enable. Cloud, paradigms, like. Elasticity. On demand and capacity on, demand. Time. Sharing, for your cost effectiveness, and pay-as-you-go. So. It doesn't make much sense to for. Anybody, to go adopt, what. Is, yes. A new package awesome package of old, technology, and then, go about doing, the stuff, the way we've been doing all along. Can't, take your old infrastructures. In here the, way you develop systems, and all that stuff at. So. That's. Why we had to learn the lessons that's. Why we, do enterprise retrospectives. We. Learn how to change all, the, processes, from. Development, to, deployment to, operations, to, security, -. That's. The first step that I should that, I would recommend people the organization's, take thank. You transformation. That's the key word over there right because. Very. Good very good and and that. Was my buzzword transformation. As formation, and, when, you talk about transformation, I'm sure people have heard about, building. Things faster. Cheaper, better you. Know there's the old joke about pick two of the three I think, with the cloud we can get all three right. Faster. Cheaper better. Is. There anything that's. That's. Different, when you move to the cloud you know from from moving. From. A physical infrastructure, or from like on-prem, to the cloud when you again. If you've you know you've just finished your your, migration, you, come in the next day. You. Know other other things which are going to be the same also, no. Bespoke warts and differences are there things that are going to be the, same and you know does. Anybody else on the panel have any any opinion. About that. Thanks. So. I, think we need to take a little bit of a step back and just think about you, know when we begin to talk about cloud what what aspect, of cloud are we really talking, about, so there's infrastructure. As a service which i think is really the classic design of I have, a virtual. Machine or a physical machine within my data center I want, someone else to take on the O&M, for ping power and pipe and I just want to move that out to someone else's data center but. There are other models that I think we're gonna talk about later on like, platform as-a-service function. As a service, and finally. Software. As a service and I think by and large the. Consumption. Characteristics, i've seen throughout the federal government have been focused, on the, two extremes. Of that spectrum right how many folks in the room are using some sort of software, as a service for their email you've got a 365. Or Gmail right so that's that for a lot of organizations, that was actually, the first foray, into the cloud and, now we're looking at some. Of these lift and shift type of models right I want to move out of my datacenter, into, someone else's data center so I dropped that O&M for ping power and pipe I'm no longer in the and the real estate business which these are all really intelligent sort, of decisions, for a CIO to be making. But. Many times that's kind. Of closely aligned, to more of a managed services, contract, right if I've haven't, refactored. My application. To exist in that cloud I'm. Really just entering into a managed, services agreement, with a cloud provider and then obligating, myself to pay you. Know by the minute by the hour for, that service, as I do that so I think we need to carefully. Examine the cost benefits, of making, these decisions oftentimes that, movement in that lift and shift is quite valuable and, so we do that to. Stem some of that short-term. Hemorrhaging. Of cash right and so. But. If it is more valuable in fact for us to enter, into a traditional managed services agreement I wouldn't necessarily, be afraid of doing that so I think you have to look at what, level you're really looking to attack and what the goal of the organization actually. Is beyond, moving. To cloud which. I think has been a big, driver I, want. To pick up on that and also pick up on the casas. Comments. You, know once you get, your toe in the water on cloud I think, it's important, not to focus on the technical. Aspects, of it but as some of the other panels. Before us we said focus on sort of the business implications of, it, because.

If, You ask that question, why, am I doing this cloud. Project, and what benefits, is it having it will, tell you whether you are taking full advantage of, what the cloud can offer or not. Am. I, doing, a cloud project simply to save, costs, perfectly. Valid reason, there's been a push for many years to sort of improve cost management in government, obviously. But. That is sort of the most base, sic, proposition. Of the cloud you. Could go further and say well, am I actually getting significant. Performance, improvement. That. Is a more mature and strategic, view. You. Could go further and say is it transforming. My approach to security, because, I am now no longer responsible. For what I've moved to the cloud for the patch management, or the lifecycle, management, and. That's now up to the CSP, that, is another consideration, and the. Final most strategic, consideration, is is. My cloud project in my view of how I'm going to use cloud does it actually help me modernize, is. It actually helped me innovate, right. And those are different, value, propositions from, cloud, in. My view the big push to cloud that, we are in right now actually. Has a very specific. Point. In time impetus. I think, the, focus on cloud in, my view, from when I was at the White House stems to be frank from the aftermath of the OPM breach, that. Is the first time that all, of these formerly, separate, conversations. Cost reduction, security. And modernization. Those had been long trends but they had tended to be treated separately. OPM. Brought all of those together and, OPM. Said we'll wait a minute you can attack. You, know kill each of these birds with. A stone and that stone is either, shared services, or cloud so. The big push to. Say it's okay to outsource, key functions, around IT, happened. Under the tail end of the Obama, administration. We focused on shared services, in the cloud but this administration has, actually picked up the ball and been pretty continuous, and has shifted. More and more to cloud. On balance, even more so than shared services, so. Once. You dip your toe in the water step, back and say how, is this project setting, us forth on a journey to, take full advantage of what cloud can offer over time. Absolutely. So. I spoke a little bit about sort of the ongoing O&M, costs whether. That be in your data center or whether that be in, a cloud environment and, so the reality is you, know if as the, CIO we decide to buy some, technology. And it costs us a hundred thousand dollars but there's, a million, dollars, on the backend of. Man-hours. And operational. Cost. In, seeing. That technology, to fruition that's, a pretty significant, cost overall and so we need to make evaluations, about. You, know should we be buying this as a service, rather than really, trying to build this technology on, our own, or building, this upon an infrastructure, stack where we have to be, responsible, for all of that management. And then I think Maria actually, did a really nice job in, the last session of illustrating. The value, of, monitoring. And having, an understanding of, all the things that you're deploying so she said when, she first got there they couldn't tell her what. Was on the network what was the number of the top five consumers, in network traffic they couldn't even begin to put their finger on that but now she has capability, in her cloud environment, to have that charge back and show back of resource. Utilization and, say oh we need to turn this off we need to turn the lights off when, we're done. Building. Or, using a particular workload because, the potential for run-up of those costs, is quite, dramatic, and so. What. I would say is that yes management. And management tools are a. Critical, component of, being successful in the cloud but, I think the. Tenant, that we have to really, take with us is that, it's automation. Of that management if we have human. Capital individuals.

Managing. Resources. Directly. Within our cloud environment. It's, an incredibly. Expensive, way, to do that right, so if you have a human. Deploying. A server in, a cloud and it takes them an hour to, execute, on that task and that's that, would really be great right if one individual, could do that an hour that's, a task that could be automated to happen within seconds. Or even minutes, and. That's a fully secured, implementation. Of that infrastructure, so I really, think that automation, of a lot of these tasks the security, evaluations, the implementations, the deployment, of our. Technologies. As, we look to move into cloud that's, really the tool that. Needs to be in, my opinion. One. Of the biggest parts of that I think, the good news is that learning. The skills, and the practices, of automation, are, something that you can do sort of within your own data center right you can begin to automate, within. Your existing infrastructure, and really not make. A huge. Expenditure. In the cloud in learning, how to automate, the, cloud so. What. I would say is that you know kind of use that as an opportunity to get your internal. House in order and begin. To automate, those workloads internally. And then automate, their deployment, to, that cloud I, believe, that once we've executed. On that automation, into a cloud we begin, to figure out how we're going to automate ourselves, out of that cloud and so you, know in the next generation, of cloud consumption. The portability, of workloads, is going to become really important, if, in fact we're able to capitalize on spot. Market, opportunities. Within the, cloud marketplace, our, ability to move those workloads between the clouds is going to be the, only way that we can realize those. Financial, opportunities. Yeah. So I, think the. Vendor. Community has been pretty adept at. Cloud. Enabling. I think we're we're. Getting much closer to actually cloud enabled. Tools then, maybe we were a few years ago when I think the focus was really on cloud washing, right which was just hey look we've added cloud to the name of this and now you can use it in the cloud and it's gonna help and, so. Yes. I would say that many of the there's a lot of maturity, in the tool sets today but, there, are also going to be new tools that you're going to seek out and that you're going to use a, lot, of those tools are really going to be cloud native you're not going to necessarily want. To deploy a complex. Monitoring, system into your cloud in order to get a lot of the information you're gonna use, some sort of subscription. Software. As a service, monitoring, tool and. Then consolidate, that but I think one, of the, rather. Daunting, tasks. Of CIO. Is certainly going to be how do i integrate, the. Things that are in the cloud that I'm buying today with, the technologies, that are still, within my data center there. Was some discussion earlier today, on what workloads. Are or, are not appropriate. For a cloud and for. Certain agencies, there are workloads that may not ever move to a cloud I think those expectations, are, constantly, evolving so the, workload we might not move today we may be looking.

To Move a year to five from. Now but in the meantime that, integration, of, exposing. The business value that is available in the cloud -, whether, that be our internal, data or even our, internal, applications. Is, certainly, one of the tasks that our CIOs are gonna be responsible for moving. Forward. Thank, you one. Other. Concept that I keep hearing about when. You know for cloud. Management, and that's. Pets versus, cattle. Which. Means. Like very interesting, can you tell. Us a little bit about that what does that mean pets versus cattle yeah has. Anyone else heard that term I apologize. So, the, the, idea is that, if, we have a server, in, our data center, it's. Really, really important, right we know exactly. What the workload is that's running on that server all the time and in fact we, named these servers they may have creative, names you, know when I started out at, the Patent and Trademark Office tour, nearly 20 years ago we, named all of our servers after dead rock stars like that was our server naming, standard, and they were really our pets and and someone would say hey linen. Just went down and, you know McCartney's, not able to this or that and and so, that was a real part, of how we managed. Our infrastructure, and and we knew the, version of the operating system and. The patch level and we knew all these things about these servers and they were we really treated them like pets, but. In the cloud environment we. Don't do that we don't do that at all and, the idea is that if, you've, got a herd of animals and, and. One, gets sick you don't necessarily take, it to the vet to, get it fixed right you may just cycle it out of your production system, and you'll, bring in another cow. Or mule, or what have you to, sort of fulfill that spot and so rather than sort of making that investment on, an individual, basis, for each individual, server and really taking care of them. You, know we, we, really just have, this, idea, that we, can build a brand new server with this capability. Instantaneously. In the cloud and I think that really speaks to the automation, story, as well is that as we automate, that we're able to guarantee consistency. Across. All, of those servers so hopefully. Without, too much of the gore I'll illustrate it a bit and I realized Paul McCartney's not dead and, there's there's some debate on that there has been, some. Of you remember but, he's, not not dead just released new album actually. Very. Good. Let's. Come back to, automation. And more. Specifically. DevOps. Who. On the panel would like to define. DevOps. For me. So. DevOps. It's. Not a complicated. Definition. In my mind, it's. Best. Defined. As a culture, of collaboration between. Your. Developers, and your IT operations and, all the operations teams, to. Deliver. Effectively. On the mission. When. Do we start thinking about DevOps oh my. My. Suggestion. Is before, you go to the cloud because. If you're gonna define DevOps, in the naio a collaboration. Between teams, I mean who doesn't want that okay. Right so start, thinking about it before, you go to the cloud. Also. I today, know I do, not know. Any. Way to do cloud effectively, without. Agile, Intel ops I, can. Do cloud without those, things yes, just. Not effectively. So. What. Does this and what, is automation and context, of DevOps. So. I tend. To think of automation, as. The. Implementation, that the, of that, before-mentioned. Collaboration. I mean you can ask the question okay so what kind of what. Form does this collaboration take, do. We talk a lot bang each other we already do that now.

We Rewrites, automation. Software. To. Automate. Stuff. We. Want to do through things we want to in our DevOps. Implementations. That in we, want to automate our software engineering prints life, cycle as much. As possible to. Actually develop, the systems and we, call those. CI. CD pipelines. And. There was a continuously, CD. Stands for continuous, integration and continuous delivery pipelines. Okay that's typically, there. And. All the code that goes and enables that automation tool within, it the. Continuous integration, pipeline. Is is is. An integration, engine, that integrates. All of your. Development. Processes. Enables. Automated, testing and the. Continuous delivery pipeline, which. Lots of software. For is. Written by the ops folks or, traditionally, what were the ops is. About. Continuously, delivering, software to your environment. So. When. We operate, in the cloud we tend to think of delivering, software, not. In three-month, increments, on whatever and that that. Big deployment. And everybody stays up at night and all that stuff no we do it every day we. Our code goes from our. Development environment, goes. Through all the testing. Passes. All the security, checks and it's, delivered, to the cloud we. Don't want. BIGBANG, modernization. Efforts I like, to think of it we are modernizing every day just, a small bit but, yes modernizing every day. So. What. Do we have to do to enable this ok, so I told you about the continuous integration pipelines. But when. We write. Automation. For, deployments. What. We are doing is we have to let's look at the steps in the deployment, process we have to provision compute. Your. Networks, your, storages. Certain. Security, this stuff on that and, enterprise. Services like logging and monitoring and then. Of course that comes the part, about, updates. And and patch. Management ok, you keep on putting patches on it so. We write code for it we, don't do it manually so. It's. It's, written in automation so that none of these. Instances. That we are deploying virtual, machines, that we are deploying and, applications. We are deploying we. Are hand crafting, lovingly. Handcrafting. Them now. It's. Part, of an automation pipeline, that, gets, it done. That's. The automation and the, goal. In my mind of automation is to. Take our workforce. From. What. Is considered lower level. Activities. To. Higher value, activities, in. Your operations, so. I don't have to spend hours and hours taking. A disc with me or whatever mechanism, we had of updating. My servers I'd rather to be doing something else of a higher value and I'd. Let my automation, engine handle the updates and, the configurations, and the provisioning. So. When. We build that automation. Developers. Operations. Infrastructure. Folks security. Folks, why. Do we need this collaboration. Back. In the day somebody asked me why, why do you define, it as collaboration, and what.

I Did at that time I ever stumped but I I went, and asked give, me your. Top five or seven concerns that you're managing I asked, that to a development, team I asked. Them from operations. Infrastructure. And security the. Lists I got back from these diverse, groups is, completely. Orthogonal II, different, they. Are managing, different concerns and of course that's, why we had different groups but. Now since we have to enable this. Fast continuous. Delivery of software into they. We. Have to develop. A mechanism to do this better and automation. Is their answer. Okay. So. That's my definition, oh. I'll. Piggyback, on, that and, also introduce, the concept of no ops or, service, and this, speaks to again what, the cloud can. Enable. Basically. You, know Google, and the other cloud providers as well or including, me are. Increasingly, offering. Cloud. Offerings, where, you really don't have to worry about the. Infrastructure, or updating, the infrastructure, or writing, code to automate, patch, management lifecycle management, all of the above that is all handled, in the background, by, the cloud service provider and that. Is particularly, valuable for use cases like at the and development, working. In databases. And. Analytics. Because. It allows for. Example an app developer, to just code, and when. They need more capacity it automatically, spins up and the environment, has the tools to, allow them, to just focus, on the coding. Similarly, on analytics, a. Lot. Of cases in, our instances. A lot of automated, machine learning for example allows. Automation. Of labeling. Of data so that you can just focus on what the. Data is telling you, for. Example to improve a business process. The. Analytics, folks the application, developers, don't have to worry about all the things in the background and and in. That case neither do the operations, IT people. Inside. The, enterprise you, have the opportunity, to outsource, that provisioning. That configuration, that patch management, that lifecycle. Management to. The. Cloud service provider and with. That actually, I want to pivot because, I know this is one of our question to you okay if I pivot to security, yes. In. Those instances, where you increasingly, rely, on the CSP, for more of the functions configuration. Patch management, lifecycle management, there. Is an increasing, opportunity, with cloud providers, to really. Figure. Out what, your security, model is do. You take your, old, security, model, from your legacy environment, and. Replicate. That in the cloud environment that is more likely to happen if you simply replicate your data center you lift and shifted I have the same number of servers but I'm still responsible for managing all the security. There. Is more value add potentially, and saying you know what I need to come up with a strategy where I rely, increasingly, on, the CSP, for security now this is an interesting point because one of the largest impediments. To. Cloud. Migration continues. To be concepts, about is the cloud provider secure. In. Google's example, I'll give you the following we, provide a public cloud the cloud that you will be running on with Google is exactly. The same global infrastructure, that YouTube runs on the, Gmail runs on that, search runs on, and so, the question, is. Actually. The proposition, is that Google's, interests, are completely, aligned with yours, in terms of the network and cloud. Services being performant, and available. Our ability to deliver a YouTube video and you know South. America, any time, of day any time of night and under 1/10 of a second our global infrastructure, provides that you. Know we, discovered. Some. Of the biggest, recent, security flaws because we have security. Researchers, in, the last three years you know we've put thirty billion dollars into our own infrastructure, in the, last eight twenty twenty sixteen Amazon, Microsoft and. Us combined, put thirty billion dollars into our infrastructure, so we're constantly investing. So, that relieves the burden of investing, from you and it. Relieves a lot of the sort of blocking, and tackling security. Functions, yes. I know my patches aren't updated but I haven't got around to it so yeah I'll be ok with an unpatched system for about six months the benefit, of relying.

On The CSP is that they are constantly, upgrading the. Infrastructure, and the patches and updating. The. Environment, similarly, OMB, a-133. Multi-factor. Authentication at, rest, and in transit. Encryption. There. Is a long history. Of challenged. Projects, in government of trying to implement implement, multi-factor. Authentication. Trying to implement encryption, in-house. You're. Now in an environment where. You don't have to run those kinds of projects, because what you move to the cloud is natively encrypted, what you move to the cloud automatically, has patch management so, really I go back again, to the far section, 7 of the far says that when you write acquisition. Proposals, you have to think about the. Benefits, to government, of what you were acquiring, the. Role of the acquisition, community is. As. A full and equal player. In. An environment, with the CIO with the CFO, with the secretary, you. Guys play an equal role in, enterprise. Risk management, and. If you think about that as your mission not. As learning, about all the technology of cloud but what role can the acquisition, can be to play an enterprise risk management what, can I do to inject. More. Innovation, what can I do to buy down or. Obsolete, technology. That. Is expensive, to maintain and hard to secure when. You think about risk management don't just think about risk management of the acquisition, process, think. About risk management to the enterprise the, agency, the department, that you are part of and how, using. Acquisition. And procurement to get cloud services, can improve. Your risk management posture. That's. The right way to think about, the. Role of acquisition. In here because it is a multi-stakeholder. Sport. Everyone. Has the same objectives, you can no longer, put. IT and, business, in silos or acquisition. And IT in silos you're all part, of trying to. Buy. Down. Expensive. And hard to secure legacy, environments, and move it to something that is more nimble more agile more cost effective, and more secure. How. Do I fed, rampa, guidelines, play, a rule. So. Play. A role in the yeah, so. The. FedRAMP guidelines, were obviously. Established. With, a view to making the process of. Thinking. About security, around cloud providers, more, agile, and more efficient, the. FedRAMP office, over time has made a lot of improvements, I mean there's still things that can do to improve but I think the important, thing to do is. To. Look at the federal requirements. On the one hand it's a compliance, regime on. The other hand it does provide. Actual. Security, but for the acquisition community I would say this. Get. Familiar with the FedRAMP. Controls. Understand. What they are trying to achieve from a security perspective I, think. I've. Seen instances where. Acquisition. Professionals, sort of put. On the contract, dozen, the score as hundreds of pages of additional security appendices. That isn't. Necessary. I think you have to build up a level of knowledge and trust about what Fred ramped brings, you from a security perspective. Try. Not to bring, a bunch of additional. Requirements. On top of it because that. Basically. Defeats, the. The time to market time to efficiency, benefits, of cloud. And. Also, think about if you are gonna bring anything agency-specific, is it really achieving, something from, a security perspective we've seen this in a number of cloud RFPs. Lately where they're, over, and above FedRAMP, there are additional location. Specific requirements. Think. That through just. Because something is located, in the United States doesn't necessarily. Mean it buys you more security it buys you security, in an old version of sort. Of physical space and physical borders, but that's an outdated view of security if you have strong multi-factor, authentication if, you have a zero trust network like. The network that Google provides if you have strong encryption. The. Guidance in many cases actually is if your data is encrypted and somebody didn't steal the keys and you lose the data you didn't actually have a breach. So. In that situation ask, yourself, what does location-specific, requirement. By me or I really, have an outmoded, view of security. Where. I can increasing, or a lot really rely on the CSP or the security or rely on encryption, or rely on strong and identity, and not just rely on traditional perimeter. Views of security, excellent. Thanks I'm, going to shift gears a little bit and talk about agencies. That. Are further along in their cloud journey. And. Adam. Question, for you, should. Agencies. Institute, a cloud center of excellence, to. Focus on things like governance. Standardization. Ongoing, training, education, programs. It. Is it appeared this one's on alright. Thank, you so. Establishing, a cloud center of excellence absolutely. I mean I think there's no reason not. To I think the. Guidance that I would give is that we should start small we should start with an application, that's far away from our data, something.

Where We can iterate quickly and. Really. Learn what, these things really mean to consume, clout to implement, DevOps what an ATO. Looks like what the security, process really, is. Because. I think every organization every application, every cloud implementation. Is going to be incredibly, different and I think that there's. Just a ton that, can. Be learned by going through the process, whether. You take a two type of approach or what-have-you there's there's a variety of ways that you can execute, on something observe make, some decisions, and then reiterate. Through your activity, so so yes yes to all of those things, you. Know I think the other the. Other thing that I would think about especially from, an, acquisition. Perspective. Is. Try, to buy, as many large, components. Of this as you have as. Are available, in the marketplace, right so, you. Know if we think about the postal service they. Have a pretty unique. Mission. Right they are really. Responsible, for that last mile, of delivery, and they, have some pretty unique things, that they do in order to do that there are post offices, in every small town and they have these really funky. But iconic, right-hand-drive, vehicles. That, are all over the place delivering. Mail and those are pretty unique at least in the, North America marketplace, to the post office not a lot of folks out there are buying, a vehicle that they can't take through a drive-thru for example. But. The post office made an interesting decision they had a unique, requirement. They are a government agency they, needed something that really wasn't available in the marketplace otherwise, and they. Did not go into automotive, manufacturing. And I, find that astounding. Because I think a lot of IT organizations. Within the government today are in a very similar, state, they have some Niq requirements, they have some security standards, they, are the government and they're, in many ways going, into, the process of manufacturing, technology. But, instead the Postal Service found that they. Could buy this in the marketplace they might need some specialized. And they are iconic, we all are aware of these right-hand drive vehicles there in our society, and they're really the only ones that are using them but rather than build a manufacturing. Facility for, them they. Were able to buy that from industry, and so, I think we, need to be very critical about the, way that we go about these acquisitions that, we don't need to build our own technology, over, and over and over again because. I think ultimately what. Happens, is it makes a lot of sense, sometimes for. A single, agency, to do that it, there are really some very specific. Environmental. Requirements where you need to build your own technology, but, what we're seeing is in the aggregate, across all of government when, this begins to happen I think it becomes a bit of waste not. In the capital, W I'm gonna call somebody an alert an IG, but in the hey is that a really good effort are we wasting effort and as we talk about DevOps, DevOps. Is about delivering, frequency, frequently, and the elimination of waste that's really where. The Kaizen part. Of DevOps comes in to, this lean capability. So I would just say think critically about that should we be building technology, or should we be buying technology a 130 would also argue that you should buy on. That on that last point the OMB, a-133, vision. In 2016, is very clear, on that front when you are making IT investments or doing new, IT projects, you. Need to thoroughly determine. Whether the same capability. Is out there commercially. And if, it is. Your. Point posted you should not be out there trying to build own and operate it yourself and cloud. You. Know even, though OMB a-133. Times. You. Know cloud is constantly. Evolving, really. Dramatically, the capabilities, have increased just over the last couple years and, so that clause. Inside, a 130, is really, at, the forefront when, you think about cloud, services, versus, trying to continue, to sort of roll your own IT so. On that topic what are your thoughts but in, Caesar sharing, best practices, and lessons learned. Well. First. Of all what we are seeing, across. The. Engagements, that we are. But. B whether we learn lessons from. Is. That. The agencies, that are ahead are actually ahead and about, four axes. They're. Agile practices they're, DevOps and automation practices, cloud.

Management And delivery. And. Cloud governance and security that these four accesses where they have gone. Thought. They have taken significant. Steps to, increase their capabilities, so. That's where the the. Axis, of maturity, is for their for the various agencies were slightly, ahead, should. Days share. Yes. But. I am, a little hesitant to say that I I say, that. Because. It that is a good goal and. You can definitely leverage. Lessons, learned at other agencies. However. Agency. Missions are, very. Typical their, organization, is very typical the. Way they deliver IT is very typical lots. Of things are very different. Point. Solutions, don't, really carry over. Good. Ideas will always carry over but, not. Point solutions, okay. So. It. Has to be thought through if there's going to be a formal exchange mechanism, to be set up how. Does this operate, what. Is the level at which it operates, and what is the kind of stuff that we do share. So. I think, there will be some, need for. For. That agencies. That are ahead are also ahead in acquisition, practices they have learned their lessons of how. Is it what. Are the intricacies, of operating, in the cloud that. Has bearing on cost and how, they acquire resources, it. Is not just about acquiring resources also it is also they. Are ahead in. Terms, of, how, they deliver to the end users to your mission so. You we got this great package now great new package, we. Acquired it and, how. Do we deliver it to our end users and mission so. Looking. At that, those. Mechanisms also. Certain. Organizations, have made progress. There's. I have. In my in my mind, a sort. Of a evolutionary. Path that I personally, have seen, agencies. Go through in. Terms of delivering their to the, user and. Because. If he if we don't make it easy for mission, two to, consume these. Resources. That we are acquiring, your. Adoption rates are going to suffer people. Will do their own thing they have to deliver on the mission their, will they. Will do their own thing one offs will start coming up whatever. We have to do to deliver on the mission will happen. Credit. Card purchases get done lots. Of other things happen. But. As we make it easier we, improve, and we, impose. The governance and the security, policies. That the enterprise. Would require. And. How we deliver that without, being a barrier to agility, that that. System, owners would like to see, in their teams, that, is the, maturity. That and. Good. Ideas will always transfer, I have.

Witnessed. And. Listen. To some, ex public servants. Who. Are doing, exactly that. That. Exchange happens, at the highest levels as well as to the operational, levels so. It is happening if, I'm not, quite sure if the question was to set up a formal mechanism to do it I. Haven't. Thought about that whether there's, a formal mechanism but informally, it is happening all. Right I'm just going to, pause. Over here real quick and see if anyone. In the audience has questions. At. This stage. Yeah. This. Is the question for the panel. Security. Is a, shared. Responsibility more. So with the evolution of the cloud or the, proliferation. Of cloud within the federal government now. One of the challenges that we. Have is as. We try, to bring the solutions, quicker, to the user communities, we, are faced with a shared responsibility of. Securing. Information assets. In. A cloud platform, where. You have different, service. Providers providing. Different, capabilities for, example. Infrastructure. The service a platform, as a service a software, as service and, then then you have the user communities. Do. You have any suggestions, for that. Can be leveraged to. Help. The. System, owners, and the, administrators. Move, faster. To get an authorization. To, operate. He. Said there were two questions. Rolled, up in there I think one is security strategy, which we've addressed a little bit I think. It. Would be a mistake if you move to the cloud to just say look I'm gonna keep all my old security, stuff and just try to lift and shift my security, over to the cloud you are not gaining and. Scaled, the efficiencies, and the effectiveness, of sort. Of capital. Expenditures, and technical. Capabilities, of the cloud providers, in. Terms of Atos. It's. A separate question, again, FedRAMP. And the, provisional ATO is were meant to. Speed. The issuance of 80 O's by the agencies, and departments themselves. And the, overall push, has been an attempt. To sort of increase ATO. Reciprocity, oh they have an ATO I'll just sort of borrow theirs because they're using the sound same cloud provider the same service and all accelerate. When. I was still in government and I left in January. 2017. We. Still hadn't reached that, ideal state you still had a lot of CIOs. Saying. Yeah. I know, what's going on with FedRAMP but you know I'm gonna redo, some of the evaluations, on my own just so I can sort of convince myself and Trust it similarly. We've had meetings with. Some. Component. CIOs. At, certain, departments. Where. There is a tension, between the CIO and some of the traditional their. IT staff which is at some point you just have to trust. That their FedRAMP and not try to label on top of it a bunch of additional security, requirements.

Because, That's the way you're used to doing it or because that makes you comfortable or because that gives you a level of visibility, that, you think you need. So. This more, than anything is a culture, change than. A security issue, I. Do. Think, though it is important. For. Anyone in the audience here. To, increasingly, understand, the capabilities, that the CSPs provide and to build that into your strategies, Google. For example on both its productivity, suite and it's sort of infrastructure. Platform and platform as-a-service GCP. Google cloud platform. There. Are really, robust. - boards and visualizations, that show you who accessed, your data when that give you rheostat, ik control, over, who can access data and when again. Their, security, capabilities, built into the our cloud fabric from end to end hardware. Root of trust zero, trust network not a perimeter model basically I authenticate. The user I authenticate. The machine and I authenticate the purpose every time they're accessing, a piece of data and and, native encryption, options. On key management do we manage the keys or do you. And again, these visualization. Dashboards, to give you status, at any moment, who's, pinging my data where. Is the inbound IP what's the outbound IP, and. Then encryption, again in many of these cases and even according sort of a lot, of state laws and NIST standards if your stuff is fully encrypted when. You lose it you do not have a breach, so. Really if. You, can focus on that and not. Spend all your time on what people call hygiene I have to do the patch management myself, I need you know it, really dramatically, and strategically, changes, your security posture. Any. Other questions okay. I. Have a couple of interesting questions over here. So. I'd. Like to hear from all of you on the panel okay really quickly what are some of the real-life challenges, of, working, in the cloud right, are. There any brick walls that. You expect agencies to bump into at. A certain point in, their journey and. How, can they prepare for that. Yeah. I think the two that I see most frequently are so in like culture and cost. You. Know there's, Maria. Mentioned the, need to turn the lights off when you're done or to shutdown workloads. And so are, the traditional workloads, that we have in, our data center today are not really optimized, for working in a cloud environment.

By. And large right just generally, they're not, well-suited, so I think you have to be intentional about how you whether. It's a refactor, or adapting. That application, to work in a cloud environment where, you do have that. Horizontal, scalability. Because if you're you. Know sort of the standard, implementation. In a data center has, always been in plus one how much do I need add one more if one fails that I'm I'm, good to continue operating. Forklifting. That model, into, a cloud provider is incredibly, expensive and, is really not the way that. That's designed, to work so that I think that's really the intersection of cost and culture we have this idea that we need more than we're, going to use and then, by virtue we use more than we need, and. So. It's it's really focusing, on that application, and in and determining. That, horizontal. Scalability and then I think long term as I mentioned once. You have a workload that you're able to scale horizontally and, decouple, from a very specific cloud implementation. You, as the consumer, get to have a lot of choice about where. That workload lives, what who is going to be your cloud provider today if it's a nickel a CPU. Minute then go over there but if you get it for four cents let's, have the ability, to move, our workloads, and so today, one. Last thing that I'll say and I know we're running short on time is, that when you flip on a light switch you don't think about where that power is coming from whether it's hydro, or solar or even, coal. Or nuclear and when, you go and buy a television, you don't think about where that's coming from but today as an IT organization when. You go to build a piece of functionality you're. Doing a lot of thinking about where, that compute, and how, that compute, is going to be surfaced, to you and so ideally we get to a point where that's no longer a stumbling, block. Because. Do you have anything to add or whatever I do, want to get to one final question over here. Again. Cost, and, the huge culture, change from, one of capex. In a long tail of om that eats up 75%, of your IT budget, cloud, is a completely different cost model and so to have it work inside the business it requires close collaboration. Between IT professionals. CFO's. Office, acquisition. Professionals, I mean this is a huge, change, in how you think about budgeting, how, you think about dollars how you think about cost controls, and so. It's. Important, for acquisition, of officials to move, to a period again where they're looking at risk to the enterprise not, so much risk of the IT project. I think, some of the other barriers. You, know you look, at the commercials everything is like everything. Goes to cloud the reality, is for a long time you will end up being a hybrid Multi, cloud enterprise not, everything, is going to shift to cloud you'll have stuff some stuff on Prem you'll, have some stuff in the cloud and to, be honest for resilience, and performance issues you will want multiple, cloud vendors.

There, Is, a. Maturity. Level an, awareness, level that comes from managing, a hybrid. Environment right, so, yes there is, that. Is a new kind, of expertise, that needs to develop to, be developed to manage a hybrid multi cloud environment, in a way that is optimal for you I do think, though ever net-net it. Dramatically, increases, costs. Certainly on the capex and O&M side and it dramatically, reduces, risk. To the enterprise but, that is a place where you need to invest the. Other thing is that to take full advantage of the cloud environment you often have to refactor date data and applications, sometimes, again you need to spend a penny to, save a nickel so, that also raises questions and you know things. Like the new IT modernization. Funder out there to try to help transition, people across that transom. But, those are some of the things I think that are important continue, on final thoughts we are out of time so just you know. What. Is next in the cloud evolution, cycle, what. Are some new technologies, that we should be getting excited about what. Does the future hold right, so. It's. A truism that, by. The time you are done setting. Up your enterprise cloud environments, the. State of the earth as far as the vendors are concerned has. Already gone ahead. But. What's next for. Cloud. What is cloud 2.0, 2.0. In government. Generally. We see a certain state of the earth across agencies, and, and. Obviously. The question what next, isn't what next for you folks, okay. In. My mind. Operationally. Speaking. Cloud. 2.0, in government, is simply a, self-aware. Self-healing. Autonomous. Environment. With, an eye towards, manageability, security. And cost transparency. It. Has certain features, self-service. We. Would like our end-users to just go up to a, portal. And acquire. The services they need, automated. Deployments, automated, onboarding. ITSM. Integration, we want our IT service, manager integrated into our cloud platforms. Chevrolet's. Micro services no ops, cloud. Native, mission. Critical systems, ok. Serverless. Management. Services the. Cloud management services security. Is a serious, with active defense, we. Want to be proactive with our defense not react. To events that happen security events that happen, ok. Automated. Governance and policy enforcement we would like that to be automated. Ok. And we. Want a full environment, monitoring, with, a machine learning and AI based. Response. To those events that happen in the other environment. So. This is where you start putting in more intelligence, into your environment itself, the, operating environment itself, so. These are some of the features that I see. Coming. These. Are some of the technology. When, we, were dreaming about this a few years back the base technologies, it, was a long shot because, the base technologies did not exist but every one of these things is in, one format the other is available. In the market and it's. A matter of crafting. A solution to, bring it to government alright. 30 seconds. Dan. 30. Seconds - Adam. So. I think I, think it's made a really good point and that is that there really is no end state in technology. Right and so I think that, as we enter. Into these. Acquisitions. We have to be very aware that change, is on the horizon change is coming very very quickly we, need to think very differently about how the timeframes.

And The methods, in which we're, making these acquisitions and, the reality is that, success, will not be defined by the technology, acquisition that we make it'll be defined, by how well we prepare ourselves, for, that, change, is eminent. Comment. I think. We have to move from the idea that the cloud has simply moved my data center to somebody else owning it that. Is not the promise of cloud the. Promise. Of cloud in my view is further up the value chain as Vika said for example analytics. It, is true that. Inside, government enterprises. There is an enormous amount of trapped, data. About. Programs, about customers. About Enterprise performance, that all in, my view if unlocked properly, using. Really. Inexpensive. Compute, power analytics. Machine learning and AI has. The ability, really back, to the transformation beginning, transform. How government, does its business, but. You will not get there if you put a glass ceiling on yourself and say well all I'm doing is lifting and shifting my data center no the reality is to use these continually, evolving, capabilities, to get much. Better insight, into how, to run, your, enterprise. Run your department run your agency, and better serve citizens, that. To me is the promise of cloud doing that inexpensively. Without having to buy your own servers, by your own licenses, manage your own environment, let somebody else do all the blocking and tackling you, focus on your mission and you focus on doing your mission better. Excellent. Well that concludes our, session, I would like to thank our esteemed, panel. Thank. You all for coming and, have. A wonderful. Rest of the afternoon.

2018-08-15 07:10

Show Video

Other news