Implementing a Public Cloud Model

Assuming that the you elect to pursue a public Cloud and selects AWS as the public Cloud, the following are some key considerations.

  • —Cloud computing is a shared responsibility: AWS is responsible for foundation infrastructure services, while the customer is responsible for data encryption/protection, OS, applications, and data
  • —AWS Responsibility: AWS operates, manages, and controls the infrastructure components, from the host OS and virtualization layer, down to the physical security of facilities in which a service operates
  • —Customer/Partner Responsibility: Customers assume responsibility and management of the guest operating system (including updates/security patches), other associated application software, and configuration of AWS-provided security group firewalls and other security, change management, and logging features.
  • AWS Shared Services Overview

    FAQ 10_graphic

    Cloud services procurement, design, architecting, and implementation followed by managed services is much more than just purchasing AWS line items. The State will need an Amazon Advanced Consulting Partner who has the expertise to assist and provide continued 3600 support in all aspects of Cloud services acquisition and complete Cloud managed services. The partner should support requirements gathering/discovery, architecting and designing the solution, ensuring security compliance, implementation phases including workload migration, and providing managed services to ensure performance, cost, and service-optimization management of the complete solution. The customer must architect and manage these services.

    If the State chooses to perform all customer responsibility itself, the Partner would simply set up the VPC and all required AWS services and will become responsible for usage billing. However, if given a task, the Partner’s Cloud solutions/architecture team will work closely with the State and assist in these tasks, from requirements gathering all the way to deployment of the solution and data, followed by configuration and implementation of business-focused and requirements-based managed services. The Partner should have already built these solutions and will be able to provide rapid deployment upon customer request and approval.

    Effective IT governance helps in successfully aligning IT with business needs. The partner should have developed a sound Cloud governance model that leverages the Partner’s experience in state and federal focused Cloud solutions, managed services, and deep understanding of industry best practices to help establish IT governance that can improve IT efficiency, effectiveness and responsiveness as well as control over IT operations in the Cloud.

    The Governance model needs to be backed up by tools, processes and methodologies that the State or an AWS partner uses. It needs to address all governance issues including security, architecture, identity and access management, workload migration, ongoing monitoring, accounting and billings, and optimization.

    As always, AWS customers must maintain adequate governance over the entire IT control environment regardless of how IT is deployed. Leading practices include an understanding of required compliance objectives and requirements (from relevant sources), establishment of a control environment that meets those objectives and requirements, an understanding of the validation required based on the organization’s risk tolerance, and verification of the operating effectiveness of their control environment. Deployment in the AWS Cloud gives enterprises different options to apply various types of controls and various verification methods. Strong customer compliance and governance might include the following basic approach:

      • —  Review information available from AWS together with other information to understand as much of the entire IT environment as possible,
        and then document all compliance requirements
      • —  Design and implement control objectives to meet the enterprise compliance requirements
      • —  Identify and document controls owned by outside parties
      • —  Verify that all control objectives are met and all key controls are designed and operating effectively

    Approaching compliance governance in this manner will help companies gain a better understanding of their control environment, and will help clearly delineate the verification activities to be performed.