Nesta apresentação, mostramos como o Setor Público pode se beneficiar da nuvem da AWS. Melhores práticas para especificação e seleção de um provedor de nuvem para o serviço público. Apresentada no Public Sector Summit 2015

1. Sao Paulo

2. Cloud Procurement
Best Practices for Public Sector Customers
David DeBrandt, Business Development
AWS Worldwide Public Sector

3. Agenda – Cloud Procurement
• Cloud Procurement Overview
• Procurement Models
• Solicitation Details
• Budget and Pricing
• Security and Cyber Controls
• Legal and Legislative Issues

4. Cloud Procurement Overview

5. Characteristics of Cloud
Old World IT New World of Cloud Computing
Price lock Low variable costs
Vendor lock-in No required minimum commitments
Rigid structure Rapid innovation
CapEx OpEx
Budget for tech refresh Cloud providers continually upgrading
Months to plan and order Rapid deployments
Design lock-in Agile architecture

6. Successful Public Sector Adoption Has Several Steps
Security and Compliance
Procurement
Culture
Broad Adoption
Business Uses/Definition
Policy

7. Government Organizations Should Plan Early
• Involve all key stakeholders at an early stage:
– Procurement
– Legal
– Budget/finance
– Security
– IT
– Business leadership
• Get comfortable with the cloud model

8. Understand Different Cloud Models
Networking
Storage
Servers
Virtualization
Operating System
Middleware
Runtime
Data
Applications
Infrastructure
(as a Service)
Networking
Storage
Servers
Virtualization
Data
Applications
Platform
(as a Service)
Operating System
Middleware
Runtime
Networking
Storage
Servers
Virtualization
Software
(as a Service)
Operating System
Middleware
Runtime
Data
Applications
Provider Responsible Consumer Responsible

9. Government
Sponsor
(CIO, etc.)
Gov Cust
1
Gov Cust
2
Gov Cust
3
Gov Cust
n
AWS Training
Strategy&Roadmap
SolutionArch&Design
TechReview&Audit
ReqAnalysis
AppDevlpSupt
Professional Services
ServiceDesk
ProgramMgmt
Billing&AccountMgt
Program Support
Implement/Migration
ConfigMgt/COOP
IT O&M
Governance
Security
Controls
Infrastructure
Direct
Providers
Reselling
Cloud Migration and Service Providers
All-Inclusive System Integrators
Cloud Brokers
Packaging/Bundling of Cloud IaaS/PaaS
Typical
Project
Packages
Vendor/
Owner
Types
Cloud Service
Provider
Government
Customer
Array of Cloud Project/Program Services

10. Cloud Governance
• Ownership and sovereignty
– Public Sector entity owns all data
• No long term contracts or exclusivity
– Public Sector entity can terminate at any time
• Choose location of your data
– E.g.; Region in Brazil

11. Separate Infrastructure from Services/Labor
• Separate the purchase of infrastructure from
services (planning, development,
implementation, and maintenance).
• Results in maximum pricing efficiencies

12. Procurement Models

13. Procurement Approach
• Indirect purchase:
– Managed Service Provider (MSP)
– Independent Software Vendor (ISV)
– Consultant/System Integrator/Reseller
• Direct purchase from CSP

14. Broad Eco-System of Partners

15. A marketplace for software in the Cloud
Over 2,100 listings across
23 categories

16. Procurement Models
• Understand different procurement models to buy
cloud:
– Cloud catalogue procurements
– Solution procurement
– Immediate cloud needs

17. Procurement Models – Cloud Catalogues
A pre-approved catalogue that can be used by
multiple purchasers – a ‘license to hunt’
• Commercial Item: a utility-type service with no
custom-built deliverables
• Flexible pricing models: cloud vendors have
different approaches
• Quantities: not known in advance

18. Procurement Models – Solution Procurement
• Traditional IT procurement – cloud infrastructure
is only a component
• Seek best value of cloud resources

19. Procurement Models – Immediate Needs
• On-demand infrastructure
• Emergent or temporary needs
• Use cloud catalogue, existing vendor contract

20. Solicitation Details

21. Don’t Be Overly Prescriptive
• Focus on overall performance
• Do no dictate specific methods, hardware or
equipment
• Leverage commercial best practices

22. New and Updated Services
• Take advantage of new and improved services
• Avoid including restrictions or consent
requirements for CSPs ability to change/improve
services (and related terms)

23. Cloud Provider Evaluation Criteria
Evaluation Question to Ask AWS Value
Experience How long has the vendor been providing cloud related
services?
AWS has been building and managing its cloud services since
2006.
Service Breadth and
Depth
Provide details on how deep and wide the set of
services provided go?
40+ services to support any cloud computing workload
Pace of Innovation How does the vendor continue to innovate its offerings? AWS has released over 1,100 new services or major features
since 2008 (including 516 in 2014).
Global Footprint How large is the vendor’s global footprint? AWS serves customers through our 11 Regions, 28 Availability
Zones, and 52 Edge Locations.
Pricing Philosophy
and History
How does the vendor offer its pricing? Is there a long-
term lock in? What is the history of price reductions?
For each AWS service, you pay for exactly the amount of
resources you actually need in a utility-style pricing model.
AWS has lowered prices 48 times in the last eight years.
Total Cost of
Ownership (TCO)
Does the vendor provide a complete TCO analysis (not
just an “apples to apples” approach measuring potential
hardware expense alongside utility pricing)?
AWS offers the following TCO tool: http://aws.amazon.com/tco-
calculator/
Ecosystem How extensive is the ecosystem of vendors that work
with the CSP?
8,000+ SIs and ISVs; 2,000+ AWS Marketplace products.
Security and Audit
Certifications
Does the CSP have industry-acknowledged
certifications and accreditations?
AWS can cite many security frameworks, best practices, audit
standards, and standardized controls, including: SOC 1, SOC 2,
SOC 3, PCI DSS, ISO 27001, ISO 9001, and U.S. FedRAMP,
Industry Analysis How is the provider assessed by independent analysts? AWS has been assessed by multiple independent analysts,
including Gartner, Inc., Forrester Research, and IDC

24. Budgets and Pricing

25. Flexible Pricing Model
• Pay as you go model
• Fluctuating/variable prices
• Accept multiple pricing models from CSPs
– Don’t compare ‘apples to apples’
• Transparency

26. Supervising and Controlling Budget and
Consumption
• Utilizing Resellers/Solution Providers to manage
consumption of CSP Infrastructure and Platforms
• Create internal control organization to manage
utilization
• Explore existing contract models such buying
electricity for models

27. Security and Cyber Controls

28. Certifications and accreditations for workloads that matter
Architected for Government Security Requirements

29. Leverage 3rd Party Accreditations for
Security, Privacy, & Audit
• Leverage industry best practices on security and
audit
• Avoid mandating your unique security protocols
• Take into account levels of security required

30. AWS Foundation Services
Compute Storage Database Networking
AWS Global Infrastructure
Regions
Availability Zones
Edge Locations
Identity Data Infrastructure
Customer applications & content
You
You get to
define your
controls IN the
Cloud
AWS takes care
of the security
OF
the Cloud
Understand Security is a Shared Responsibility

31. Legal and Legislative

32. Terms & Conditions
• Commercial item: an item sold, leased, licensed, or
otherwise offered for sale to the general public
• Evolving terms and conditions
– Take advantage of continuous evolution of cloud’s enhanced
features and efficiencies
• Avoid unnecessary restrictions or change consent
• Identify only relevant requirements and terms

33. Service Level Agreements
• Accept Commercial Cloud Provider SLAs
– The scalability and low cost of the cloud is directly linked to a
single model for all customers
• If required, additional SLAs could be handled by
reseller or solution partner

34. Minimized Admin Burdens
• Minimize needs for project requirements
– If working with CSP directly, avoid, project meetings, customized
reporting, non standard notifications
– Rely on resellers/partners for add-on project requirements

35. Legislative Issues
• Understand how existing laws and policy can
affect this approach:
– Security standards;
– Audits;
– Pricing controls;
– Inability to accept changing terms;

36. Conclusion

37. Cloud Procurement Best Practices
April 9, 2015
• CSPs provide foundational services to build solutions/house workloads.
• Accept different vendor approaches – CSP offerings are not apples to apples.
• Understand different ways to buy SaaS v. IaaS/PaaS.
• Focus on application-level and performance-based requirements – not
dictating specific methods, infrastructure or hardware. Ultimately, you are not
buying a physical asset.
• Embrace on-demand, utility-like, OpEx model cloud pricing. Traditional IT
pricing approaches can reduce or eliminate benefits of cloud.
• Accept different vendor pricing models – do not create single pricing model.
• Shared security/compliance model between the CSP & end user.
• Leverage industry best practices on security and audit.
• View cloud as a commercial item and consider appropriate terms & conditions
• A mechanism to incorporate CSP’s unique terms and conditions.
• Leverage CSP’s commercial SLAs, i.e. uptime, durability, reliability etc.
• A model to obtain cloud services directly from CSP and/or an indirect model in
which cloud services are procured through partners or reseller.
• Do not consider or treat CSPs as System Integrators (SIs).
Cloud Models
Performance Based
Requirements
Pricing
Security/Assurance/Audit
Terms & Conditions and SLAs
Vendor Types and
Partner Ecosystem
• Separate purchase of cloud infrastructure from the purchase of services and
labor for planning, developing, and executing, migrations & workloads.
Services vs. Infrastructure

38. Cloud Procurement Next Steps
• Understand the cloud model, security and how it
is different from traditional IT
• Understand working with partners/resellers
• Understand Cloud pricing and SLA constructs
• Focus on requirements that are cloud specific –
not traditional IT