Cloud Native in the US Federal Government

@jezhumble cloud native london, 27 september 2017 cloud native in
the us federal government

principles for building a paas why we built cloud.gov what
cloud.gov is implementation agenda

Let’s ship it!

Or not.

Shipping software isn’t rocket science

Is the launch checklist working?

The U.S. Government's Digital Launch Checklist

Records Management Records Schedule Privacy Act Paperwork Reduction Act Section
508 and Accessibility Standards Federal Acquisition Regulation Anti-deficiency Act Economy Act E-Government Act Computer Matching Act National Cyber Protection System Guidance for Agency Use of Third-Party Websites and Applications Social Media and Web-Based Interactive Technologies Office of Management Budget Circular A-130 Appendix 3 Federal Information Security and Management Act Federal Information Processing Standard (FIPS) 199 Federal Information Processing Standard (FIPS) 200 Federal Information Processing Standard (FIPS) 140-2 Special Publication 800-37 Special Publication 800-53 Revision 4 Special Publication 800-60 Volume 1 Special Publication 800-60 Volume 2

Special Publication 800-18 Special Publication 800-137 Special Publication 800-171 Special
Publication 800-133 Special Publication 800-95 EINSTEIN Compliance FedRAMP OMB Guidance on third party websites and applications OMB Memo M-14-04 OMB Memo M-15-01 Trusted Internet Connection 2.o Reference Architecture Pages in total: 4006

My friend, you can clearly see the intention of FIPS
140-2 Annex A was to deprecate SHA-1 on the lunar new year...

http://dx.doi.org/10.6028/NIST.SP.800-53r4

How long is this going to take?

6 - 14 months to ship

Speed is the new security.

Ops Dev

IaaS Ops Dev PaaS

compliance https://18f.gsa.gov/2017/02/02/cloud-gov-is-now-fedramp-authorized/

push-button deployments teams can deploy into a production-like environment from
day 1 architectural paradigm designed for distributed systems templates for all your compliance documentation most of the controls taken care of at the platform level what this gets you

everything must be self-service principles for building a paas

what is a cloud? NIST SP 800-145, “The NIST Deﬁnition
of Cloud Computing”

everything must be self-service design your platform for multi-tenancy principles
for building a paas

multi-tenancy

IaaS “one account to rule them all” trade-offs • Hard
to deal with multi-tenancy & provide a real cloud • Significantly higher ongoing maintenance costs • Hard to manage sprawl • One-size-fits-all platform solution

IaaS multiple accounts trade-oﬀs • Can give teams direct control
over each account • Potentially need to instantiate shared services in each account • Still some issues with multi-tenancy

PaaS trade-oﬀs • You only need to ATO once •
RBAC built-in - deals with multi-tenancy • Good practices baked in • Lower maintenance & operational costs • One-size-ﬁts-all solution

use native cloud primitives everything must be self-service design your
platform for multi-tenancy everything must be reproducible from version control principles for building a paas

download the source: https://github.com/18f/cg-provision

use native cloud primitives everything must be self-service design your
platform for multi-tenancy take care of compliance at the platform layer everything must be reproducible from version control principles for building a paas

thank you! © 2016-7 DevOps Research and Assessment LLC https://devops-research.com/
To receive the following: • 30% oﬀ my new video course: creating high performance organizations • 50% oﬀ my CD video training, interviews with Eric Ries, and more • A copy of this presentation • A 100 page excerpt from Lean Enterprise • An excerpt from The DevOps Handbook • A 20m preview of my Continuous Delivery video workshop Just pick up your phone and send an email To: [email protected] Subject: devops

Cloud Native in the US Federal Government

Cloud Native in the US Federal Government

More Decks by Jez Humble

Other Decks in Technology

Featured

Transcript