The document provides an overview of lessons learned from brokering cloud services. It discusses 5 key lessons: open source technologies can be more closed than they appear; managing customer expectations to control scope creep; avoiding vendor lock-in ("stickiness") by using multi-cloud orchestration tools; security opportunities exist in leveraging cloud service provider security controls; and the importance of trust between brokers and their customers.
3. INTRODUCTIONS
5 years in Enterprise automation; 2 years in brokering
– Booz Allen (23K employees – 1.5K broker users)
– Government (280K employees – 2K+ users)
– Commercial
• Health Care
• Oil & Gas
• Pharmaceuticals
4. #5 - OPEN IS MORE CLOSED THAN YOU THINK
• Modularity, Openness & Reusability
• Impressive open source technologies from Red Hat and others for enterprise automation
– CloudFormation/CloudForms
– AWS Integration
– Containerization/PaaS offerings
– Lacking the self-service and ease of use; limited sample scripts only
• Dependencies on other open source projects create limitations
– Staggered rollouts require custom code
• Implementer on the hook for updates
– New features released that overwrite custom code
5. INTRODUCING THE OPEN CLOUD BROKER
[Architecture diagram: User Portal or Marketplace, Administrator Portal, Cloud Orchestration Engine, and the IaaS, PaaS, SaaS, Data, TaaS and XaaS Brokers.]
Capabilities
• Multi-IaaS integration
• Sticky PaaS config
• SaaS offerings
Benefits
• Modular/Flexible
• Open Source
• Business Process Integration
• Marketplace
6. #4 MANAGE CUSTOMER EXPECTATIONS
Control Scope Creep
– Brokerage solutions are relatively new; expect a lot of PoCs, customer demos and pilots.
– Create a well-defined Statement of Work/Contract
– Deliver a repeatable, tested, well-documented, packaged solution
Results
– Avoid cost overruns
– Prevent delivery delays
– Provide self-service capabilities
7. #3 – STICKINESS KILLS!
Tempting, built-in services (PaaS)
– Price advantages (free?)
– Performance/Resiliency advantages
• Master/Slave databases
• Web sites
• Underlying core services (DNS, DHCP, NTP)
– Are there corresponding services with other CSPs?
DevOps/Orchestration
– Allows reuse of systems & services across multiple vendors
• Puppet, Chef, Juju, etc.
– Major broker advantage anyway!
9. PRICING
Commoditization already in play
– Differentiable/Niche markets not as aggressive
• Secure, Bring your own hardware, VMware/Microsoft/OpenSource based
Price wars already started for IaaS
– Google, Azure and AWS price cuts
• AWS already regularly discounted services as new offerings brought online
• Google aggressively pricing GCE
• Microsoft working to match
13. SIDE BY SIDE COMPARISONS
[Chart: CPU capacity in AWS m3.2XL units, y-axis 0 to 40, for the Web, DB, App and Auth tiers under Peak (<2), Incremental (8hr) and Persistent (24hr) load. X-axis AWS instance configurations: t2s,t2m,m3M; t2M,t2M,t2S; m3M,t2M,-; m3l,-,-; m3M,t2M,t2M; m3M,m3M,-; m3L,t2M,-; m3XL,-,-; t2S,m3L,m3M; m3M,t2M,t2S; m3L,t2M,-; m3XL,-,-; t2S,t2S,m3M; t2S,t2M,t2M; t2M,t2M,t2S; m3M,t2S,-]
[Chart: CPU capacity in Azure XL units, y-axis 0 to 80, same tiers and load profiles. X-axis Azure instance configurations: S,M,L; M,M,S; L,M,-; XL,S,-; S,M,L; M,M,S; L,M,-; XL,S,-; S,M,L; M,M,S; L,M,-; XL,S,-; S,S,M; S,M,S; M,S,S; M,M,-]
AMAZON WEB SERVICES SIZING AND PRICING
14. SIDE BY SIDE COMPARISONS
[Chart: Memory capacity in AWS m3.2XL units, y-axis 0 to 40, for the Web, DB, App and Auth tiers under Peak, Incremental and Persistent load. X-axis AWS instance configurations: t2s,t2m,m3M; t2M,t2M,t2S; m3M,t2M,-; m3l,-,-; m3M,t2M,t2M; m3M,m3M,-; m3L,t2M,-; m3XL,-,-; t2S,m3L,m3M; m3M,t2M,t2S; m3L,t2M,-; m3XL,-,-; t2S,t2S,m3M; t2S,t2M,t2M; t2M,t2M,t2S; m3M,t2S,-]
[Chart: Memory capacity in Azure XL units, y-axis 0 to 80, same tiers and load profiles. X-axis Azure instance configurations: S,M,L; M,M,S; L,M,-; XL,S,-; S,M,L; M,M,S; L,M,-; XL,S,-; S,M,L; M,M,S; L,M,-; XL,S,-; S,S,M; S,M,S; M,S,S; M,M,-]
AMAZON WEB SERVICES SIZING AND PRICING
15. SIDE BY SIDE COMPARISONS
[Chart: AWS price per day, y-axis $- to $25.00, for the Web, DB, App and Auth tiers under Peak, Incremental and Persistent load. X-axis AWS instance configurations: t2s,t2m,m3M; t2M,t2M,t2S; m3M,t2M,-; m3l,-,-; m3M,t2M,t2M; m3M,m3M,-; m3L,t2M,-; m3XL,-,-; t2S,m3L,m3M; m3M,t2M,t2S; m3L,t2M,-; m3XL,-,-; t2S,t2S,m3M; t2S,t2M,t2M; t2M,t2M,t2S; m3M,t2S,-]
[Chart: Azure cost per day, y-axis $- to $60.00, same tiers and load profiles. X-axis Azure instance configurations: S,M,L; M,M,S; L,M,-; XL,S,-; S,M,L; M,M,S; L,M,-; XL,S,-; S,M,L; M,M,S; L,M,-; XL,S,-; S,S,M; S,M,S; M,S,S; M,M,-]
AMAZON WEB SERVICES SIZING AND PRICING
16. ARBITRAGE ISSUES
Notice any problems with this example?
Based on the relative CSP processing capabilities
• Is an Azure XL equal to an AWS m3.2XL?
– There are larger and more specialized units within all of the environments – IOPS, SSD, Memory, etc.
• Does the computing/memory capability of an Azure instance offset the price differential?
• AWS offers an ECU – elastic computing unit
• Azure bases their pricing on a similar set of statistics
– e.g. Database Throughput Unit
Scrutinizing the broker’s algorithms at this level of detail is difficult
– Might include company-sensitive information
• At least ask the question
Forbes article
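The arbitrage question on this slide (is an Azure XL really an AWS m3.2XL, and does capability offset the price gap) comes down to normalizing capacity before comparing bills. The script below is an added example, not from the deck or from any broker product: the two providers, their instance types, the compute-unit ratio and the prices are all constructed placeholders, not real AWS or Azure figures. It sizes one tier on each provider, converts both into one common CPU unit, and flags the case the slide warns about, where the lower daily bill is actually buying less capacity.

```python
"""Compare cross-provider sizing on normalized capacity, not nominal size.

Added example, not from the slide deck. Every instance name, capacity
weight, unit ratio and price below is a constructed placeholder; none of
them are real AWS or Azure figures.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class InstanceType:
    name: str
    cpu_units: float            # the provider's own marketing compute unit
    memory_gib: float
    price_cents_per_hour: int   # integer cents keep the arithmetic exact


# Constructed catalogues for two fictional providers, each with its own unit scale.
CATALOG: Dict[str, Dict[str, InstanceType]] = {
    "providerA": {
        "small":  InstanceType("small", 1.0, 2.0, 3),
        "medium": InstanceType("medium", 3.0, 3.75, 7),
        "large":  InstanceType("large", 6.5, 7.5, 14),
        "xlarge": InstanceType("xlarge", 26.0, 30.0, 56),
    },
    "providerB": {
        "S":  InstanceType("S", 1.0, 1.75, 2),
        "M":  InstanceType("M", 2.0, 3.5, 4),
        "L":  InstanceType("L", 4.0, 7.0, 8),
        "XL": InstanceType("XL", 8.0, 14.0, 16),
    },
}

# Assumed conversion of each provider's compute unit into one common unit.
# A broker would derive this from its own benchmarks; vendor unit names
# (ECU, DTU, ...) are not interchangeable by themselves.
CPU_UNIT_RATIO: Dict[str, float] = {"providerA": 1.0, "providerB": 0.5}


def footprint(provider: str, sizes: List[str], hours: float = 24.0) -> dict:
    """Normalized capacity and cost of one tier (web/db/app/auth) on one provider.

    `sizes` lists one instance type per server; "-" means no instance, matching
    the empty slots in the deck's configuration labels.
    """
    types = [CATALOG[provider][s] for s in sizes if s != "-"]
    cpu = sum(t.cpu_units for t in types) * CPU_UNIT_RATIO[provider]
    memory = sum(t.memory_gib for t in types)
    cost = sum(t.price_cents_per_hour for t in types) * hours
    return {
        "provider": provider,
        "normalized_cpu": cpu,
        "memory_gib": memory,
        "cost_cents": cost,
        # An empty tier has no capacity to price; report infinity rather than divide by zero.
        "cents_per_cpu_hour": cost / (cpu * hours) if cpu else float("inf"),
    }


def compare(a: dict, b: dict) -> dict:
    """Which footprint is cheaper on the raw bill, and which per unit of capacity."""
    cheaper_raw = a if a["cost_cents"] < b["cost_cents"] else b
    cheaper_per_unit = a if a["cents_per_cpu_hour"] < b["cents_per_cpu_hour"] else b
    return {
        "cheaper_raw": cheaper_raw["provider"],
        "cheaper_per_normalized_cpu": cheaper_per_unit["provider"],
        # True when the lower bill is buying less capacity: the arbitrage trap.
        "misleading": cheaper_raw is not cheaper_per_unit,
    }


if __name__ == "__main__":
    web_a = footprint("providerA", ["medium", "medium", "small"])
    web_b = footprint("providerB", ["M", "M", "S"])
    print(web_a)
    print(web_b)
    print(compare(web_a, web_b))
```

With these placeholder numbers provider B bills less per day for the web tier but delivers under half the normalized CPU, so the per-unit comparison reverses the answer; the same shape of check applies to memory, IOPS or any other unit the broker's algorithm weighs.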
18. #1 - SECURITY’S AN OPPORTUNITY
Know the CSPs and use their mitigations
• (Also know they may be sticky!)
• CloudHSM – root of trust w/ SafeNet Luna
Qualitative Assessments
• Gartner Magic Quadrant
• Broker Analysis of Alternatives
• FedRAMP
Quantitative Assessments
• CSA STAR
• SOC I/II Audits
Provenance & Pedigree
• aka Pre & Post Configuration
19. QUALITATIVE ASSESSMENTS
IAAS GARTNER MAGIC QUADRANT
*Gartner, Magic Quadrant for Cloud Infrastructure as a Service, Lydia Leong et al., published: 28 May 2014
20. RISK MITIGATION - CHOOSING CSPS
*Results based on Booz Allen Cloud Service Provider AoA – 2014.05.30
PROVIDE A QUICK STARTING POINT
Brokers need to start the discussion
• Identify most important customer risks
• Combine with industry knowledge and experience
BCP/DR
• All Microsoft shop—does it make sense to retrain to another provider?
Provisioning
• Processes and procedures in place—retool from enterprise VMware?
Automation
• Linux scripts transfer over directly—does DevOps make it easy to port anywhere?
Governance, Risk & Compliance
• Which providers offer SOC/IaaS underlying certifications to pass PCI/HIPAA/FISMA audits?
21. PROVENANCE & PEDIGREE
Beyond Configuration Management
– On-premise Enterprise: utilize an ISO, test downloaded patches from “vendor”
• How many people here actually check the hashes?
• Vendor-infected distribution
– Sony/BMG rootkit, Dell firmware, Stuxnet anyone?
– Even bigger issue in the cloud? Snapshots, most software from linked locations, ISOs difficult to load/use
Provenance
– Provide contextual evidence for its original production or discovery, by establishing the sequences of its formal ownership, custody, and places of storage
Pedigree
– A document to record ancestry
Known “good” software/updates/distributions
– Trusted Broker service
• Define your repositories for Linux updates
– e.g. spacewalk.redhat.com; www.pulpproject.org
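The slide asks how many people actually check the hashes. The script below is an added example, not from the deck and not a feature of Spacewalk or Pulp: it verifies a set of downloaded files against a sha256sum-style manifest and reports each file as ok, altered, missing, or not listed by the vendor at all. The file names and contents are constructed so it runs offline; the "trusted" manifest is generated from a known-good copy, standing in for the manifest a vendor publishes.

```python
"""Check downloaded software against a vendor checksum manifest before use.

Added example, not from the slide deck. The file contents and the manifest
are constructed in-line so the script runs offline; in practice the manifest
is fetched from the vendor (and its signature checked) over a channel that
is independent of the mirror or snapshot that served the files.
"""
import hashlib
import re
from typing import Dict

# One line per file, in the "<hex digest>  <name>" layout that sha256sum -c reads;
# a leading "*" on the name marks binary mode and is ignored.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def format_manifest(files: Dict[str, bytes]) -> str:
    """Build manifest text from known-good files (stands in for the vendor's copy)."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in sorted(files.items()))


def parse_manifest(text: str) -> Dict[str, str]:
    """Map file name -> expected digest; blank lines and '#' comments are skipped."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = MANIFEST_LINE.match(line)
        if match is None:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[match.group(2)] = match.group(1).lower()
    return entries


def verify(manifest: Dict[str, str], downloads: Dict[str, bytes]) -> Dict[str, str]:
    """Status per file: ok, mismatch (altered or corrupt), missing, or unlisted."""
    statuses: Dict[str, str] = {}
    for name, expected in manifest.items():
        data = downloads.get(name)
        if data is None:
            statuses[name] = "missing"
        elif sha256_hex(data) == expected:
            statuses[name] = "ok"
        else:
            statuses[name] = "mismatch"
    for name in downloads:
        if name not in manifest:
            statuses[name] = "unlisted"   # nothing vouches for this file at all
    return statuses


def all_verified(statuses: Dict[str, str]) -> bool:
    """True only when every listed file arrived intact and nothing extra came along."""
    return bool(statuses) and all(s == "ok" for s in statuses.values())


# Constructed "known good" release as the vendor published it.
GOLDEN: Dict[str, bytes] = {
    "app-1.2.3.tar.gz": b"pretend tarball contents\n",
    "patch-2024-01.bin": b"pretend patch payload\n",
    "kernel-update.rpm": b"pretend rpm payload\n",
}
TRUSTED_MANIFEST = format_manifest(GOLDEN)

# Constructed copy as pulled from a mirror or cloud snapshot: one file altered,
# one absent, one extra that the vendor never listed.
DOWNLOADED: Dict[str, bytes] = {
    "app-1.2.3.tar.gz": GOLDEN["app-1.2.3.tar.gz"],
    "patch-2024-01.bin": b"pretend patch payload with one extra byte\n",
    "extra-tool.sh": b"echo not in the manifest\n",
}

if __name__ == "__main__":
    report = verify(parse_manifest(TRUSTED_MANIFEST), DOWNLOADED)
    for name, status in sorted(report.items()):
        print(f"{status:9} {name}")
    print("all verified:", all_verified(report))
```

A digest check only establishes that the file matches the manifest; it says nothing about the manifest itself, so the manifest must come from somewhere the mirror cannot alter (the vendor's signed release page, or a signature checked against a key obtained out of band), which is exactly the provenance record the slide is asking brokers to keep.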
22. # ¾ - TRUST
Not looking for a Boy Scout
– Do need transparency:
• Cost savings? Pass a portion on to the customer
• Sticky services? Advise on implications ahead of time
• Unmitigated security risks? Come to terms and offer alternatives, even if that means another vendor
– Most of us are in business
– It is your reputation
Value the relationship for the long run
– Quick sale/qualifier might damage reputation if not executed successfully