@jezhumble cloud native london, 27 september 2017 cloud native in the us federal government

principles for building a paas why we built cloud.gov what cloud.gov is implementation agenda

Let’s ship it!

Or not.

Shipping software isn’t rocket science

Is the launch checklist working?

The U.S. Government's Digital Launch Checklist

Records Management Records Schedule Privacy Act Paperwork Reduction Act Section 508 and Accessibility Standards Federal Acquisition Regulation Anti-deficiency Act Economy Act E-Government Act Computer Matching Act National Cyber Protection System Guidance for Agency Use of Third-Party Websites and Applications Social Media and Web-Based Interactive Technologies Office of Management Budget Circular A-130 Appendix 3 Federal Information Security and Management Act Federal Information Processing Standard (FIPS) 199 Federal Information Processing Standard (FIPS) 200 Federal Information Processing Standard (FIPS) 140-2 Special Publication 800-37 Special Publication 800-53 Revision 4 Special Publication 800-60 Volume 1 Special Publication 800-60 Volume 2

Special Publication 800-18 Special Publication 800-137 Special Publication 800-171 Special Publication 800-133 Special Publication 800-95 EINSTEIN Compliance FedRAMP OMB Guidance on third party websites and applications OMB Memo M-14-04 OMB Memo M-15-01 Trusted Internet Connection 2.o Reference Architecture Pages in total: 4006

My friend, you can clearly see the intention of FIPS 140-2 Annex A was to deprecate SHA-1 on the lunar new year...

http://dx.doi.org/10.6028/NIST.SP.800-53r4

http://dx.doi.org/10.6028/NIST.SP.800-53r4

http://dx.doi.org/10.6028/NIST.SP.800-53r4

http://dx.doi.org/10.6028/NIST.SP.800-53r4

No content

How long is this going to take?

6 - 14 months to ship

No content

Speed is the new security.

No content

Ops Dev

IaaS Ops Dev PaaS

No content

No content

No content

compliance https://18f.gsa.gov/2017/02/02/cloud-gov-is-now-fedramp-authorized/

push-button deployments teams can deploy into a production-like environment from day 1 architectural paradigm designed for distributed systems templates for all your compliance documentation most of the controls taken care of at the platform level what this gets you

everything must be self-service principles for building a paas

what is a cloud? NIST SP 800-145, “The NIST Definition of Cloud Computing”

everything must be self-service design your platform for multi-tenancy principles for building a paas

multi-tenancy

IaaS “one account to rule them all” trade-offs • Hard to deal with multi-tenancy & provide a real cloud • Significantly higher ongoing maintenance costs • Hard to manage sprawl • One-size-fits-all platform solution

IaaS multiple accounts trade-offs • Can give teams direct control over each account • Potentially need to instantiate shared services in each account • Still some issues with multi-tenancy

PaaS trade-offs • You only need to ATO once • RBAC built-in - deals with multi-tenancy • Good practices baked in • Lower maintenance & operational costs • One-size-fits-all solution

use native cloud primitives everything must be self-service design your platform for multi-tenancy everything must be reproducible from version control principles for building a paas

download the source: https://github.com/18f/cg-provision

use native cloud primitives everything must be self-service design your platform for multi-tenancy take care of compliance at the platform layer everything must be reproducible from version control principles for building a paas

© 2017 DevOps Research and Assessment LLC

© 2017 DevOps Research and Assessment LLC

thank you! © 2016-7 DevOps Research and Assessment LLC https://devops-research.com/ To receive the following: • 30% off my new video course: creating high performance organizations • 50% off my CD video training, interviews with Eric Ries, and more • A copy of this presentation • A 100 page excerpt from Lean Enterprise • An excerpt from The DevOps Handbook • A 20m preview of my Continuous Delivery video workshop Just pick up your phone and send an email To: [email protected] Subject: devops