theme: work,7
footer:
[.hide-footer: true]
| Time | Topic | Speaker |
| --- | --- | --- |
| 09:00 | Welcome | Shashank Khandelwal |
| 09:10 | cloud.gov Overview | |
| 09:40 | cloud.gov Hands On Pt 1 | |
| 10:20 | Break | |
| 10:30 | Federalist | Will Slack |
| 10:40 | cloud.gov Hands On Pt 2 | |
| 11:30 | Q & A | |
[.hide-footer: true]
[.build-lists: true]
- ➡️: Focus on mission
- 🕑: Eliminate long lead times
- 💵: Your tax 💰 ($85B, 8.2% ☁️)[^1]
- 🇺🇸: Provide great public service
^ Thesis. 4 reasons - my passion, and I'd like them to be yours.
^ 1st: Enables mission like nothing else available to the federal govt, at a TCO below most other options.
^ 2nd: Lead times. Since 2010 a student/advocate of DevOps - AHA! -> Kaching! Dev to Ops, and Ops to Dev. Better everything. Sane. Humane.
^ 3rd: $$. 8.2% "Provisioned" services. We can get better value.
^ 4th: Lastly, a sense of patriotism - and an example to the world.
^ Mission focus / Speed of execution / $$ stewardship / We deserve it. How then does cloud.gov do this?
[.footer: Video timestamp 04:02]
[.footer: Video timestamp 04:19]
- A mission
- Housing for disaster victims
- A team
- Project / Product Managers, Designers, Devs, Ops / Sec
- A platform
- Build
- Test
- Run
^ Note: This team has a lot of work to do to realize their mission.
[.footer: Video timestamp 04:52]
[.build-lists: true]
- Stack: WebServer, AppServer, Database, Cache, Index
- Environments: (Local), Dev, Test, Stage, Prod
- User management: Admin, Devs, Auditors
- Operations: Patch, Logs, CDN, Scaling, Availability
- All of this is commodity: think iPad or Android Tablet
- Acquire: weeks // Running: hours // Build: months // Authorize: weeks
^ Stack / Environment / Users / Operations
^ Note: By commodity: no harder to run your platform than your iPad or Android tablet.
^ No Genius Bar to update it, get new software, or configure the WiFi.
^ These are self-service, have sane defaults, include vetted applications in a marketplace, and are regularly, or continually, patched.
^ We have the bold notion that we can treat so much of the underlying platform as a self-service commodity that is still performant and compliant.
[.footer: Video timestamp 07:15]
- Open-source Cloud Foundry PaaS atop AWS GovCloud[^2]
- Available to Departments & Agencies by IAA
- FedRAMP P-ATO Moderate, DISA Impact Level 2
- Built/run by 18F/TTS/GSA as a cost-recoverable service
[.footer: Video timestamp 08:15]
[.footer: ]
![right](images/PaaS Grimace.png)
Pre-built environment ready for deploying an application.
Developers can focus on mission needs.
Common technology resources are managed by an expert operations team:
- Operating system
- Databases
- Audit trails
- Authorization and authentication
- Load balancing
- Scaling
- Vulnerability scans
- Programming languages
- Automated updates
^ I came to federal service from Chef Software. Enterprise financial, insurance, manufacturing.
^ All the devs: please give me an app server and a database and let us get to work!
^ Assuming you get cloud.gov, what does working with us look like?
[.footer: Video timestamp 10:24]
[.footer: Video timestamp 10:26]
- Procure
- Implement
- Authorize
[.footer: Video timestamp 10:52]
- Pre-procurement sandbox accounts
- IAAs: weeks instead of months
- Pricing: $$Risk \times Complexity$$
  - Prototyping
  - FISMA Moderate $$\times$$ Trivial = $20k/ann.
  - FISMA Moderate $$\times$$ Complex = $110k/ann.
[.footer: Video timestamp 11:42]
[.footer: Video timestamp 13:10]
- Users, Spaces & Roles
- Apps
- Services
[.footer: Video timestamp 13:30]
- Authentication:
  - Agency IdP or cloud.gov
- Authorization (CF's UAA):
  - Roles: Manager, Developer, Auditor
  - $$\times$$ Organization (EPA, FEC) & Space (dev, stage)
[.footer: Video timestamp 15:03]
[.footer: Video timestamp 15:24]
[.footer: Video timestamp 15:47]
```bash
# requires a targeted org first: cf target -o ORG
cf create-space dev
cf create-space stage
cf create-space prod
```
[.footer: Video timestamp 16:02]
```bash
# cf set-space-role USERNAME ORG SPACE ROLE; ORG is your cloud.gov organization name
cf set-space-role peterb ORG dev SpaceDeveloper
cf set-space-role peterb ORG prod SpaceAuditor
```
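The slides above set roles one `cf set-space-role` at a time. What a team actually wants, once prod exists, is a check that nobody holds SpaceDeveloper there and a way to reconcile drift. The script below is an added example (not cloud.gov's or Cloud Foundry's code): it parses the listing that `cf space-users ORG SPACE` prints, compares it with a desired role matrix, and emits the `cf set-space-role` / `cf unset-space-role` commands that close the gap. The org name `agency-org`, the user names and the command output are constructed.

```python
"""Least-privilege space roles in a cloud.gov organization.

Added example, not code from cloud.gov or Cloud Foundry. It compares a
desired role matrix against the roles `cf space-users ORG SPACE` reports,
builds the `cf set-space-role` / `cf unset-space-role` commands that close
the gap, and flags every grant the matrix does not allow. The org name,
user names and the command output below are constructed.
"""

ORG = "agency-org"  # assumption: the organization cloud.gov created for you

# Desired state: user -> {space: set of roles}. Developers work in dev and
# stage; in prod they get read-only SpaceAuditor, never SpaceDeveloper.
DESIRED = {
    "peterb": {
        "dev": {"SpaceManager", "SpaceDeveloper"},
        "stage": {"SpaceDeveloper"},
        "prod": {"SpaceAuditor"},
    },
    "auditor@example.gov": {"prod": {"SpaceAuditor"}},
}

# Constructed snapshots in the layout `cf space-users` prints.
CF_SPACE_USERS = {
    "dev": """Getting users in org agency-org / space dev as admin...

SPACE MANAGER
  peterb

SPACE DEVELOPER
  peterb
  olduser

SPACE AUDITOR
""",
    "stage": """Getting users in org agency-org / space stage as admin...

SPACE DEVELOPER
  peterb
""",
    "prod": """Getting users in org agency-org / space prod as admin...

SPACE DEVELOPER
  peterb

SPACE AUDITOR
  auditor@example.gov
""",
}

ROLE_HEADERS = {
    "SPACE MANAGER": "SpaceManager",
    "SPACE DEVELOPER": "SpaceDeveloper",
    "SPACE AUDITOR": "SpaceAuditor",
}


def parse_space_users(text):
    """Return {user: set(roles)} from one `cf space-users` listing."""
    roles, current = {}, None
    for line in text.splitlines():
        name = line.strip()
        if name in ROLE_HEADERS:          # section header, e.g. "SPACE DEVELOPER"
            current = ROLE_HEADERS[name]
        elif current and line.startswith("  ") and name:
            roles.setdefault(name, set()).add(current)
    return roles


def reconcile(desired, listings, org=ORG):
    """Return (violations, commands).

    violations: (user, space, role) grants the desired matrix does not
    allow (here, for example, SpaceDeveloper in prod).
    commands: cf CLI calls that bring the actual roles to the desired ones.
    """
    violations, commands = [], []
    for space, text in listings.items():
        actual = parse_space_users(text)
        for user, roles in actual.items():           # revoke what is not wanted
            for role in sorted(roles):
                if role not in desired.get(user, {}).get(space, set()):
                    violations.append((user, space, role))
                    commands.append(f"cf unset-space-role {user} {org} {space} {role}")
        for user, wanted in desired.items():         # grant what is missing
            for role in sorted(wanted.get(space, set()) - actual.get(user, set())):
                commands.append(f"cf set-space-role {user} {org} {space} {role}")
    return violations, commands


if __name__ == "__main__":
    found, fixes = reconcile(DESIRED, CF_SPACE_USERS)
    for user, space, role in found:
        print(f"VIOLATION: {user} holds {role} in {space}")
    print("\n".join(fixes))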
[.footer: Video timestamp 16:20]
[.build-lists: true]
- Procured ✅
- Implemented:
- Users and Authentication ✅
- Dev/Test/Prod Environments ✅
- Roles ✅
^ Note: We've done the procurement, you've been provided a cloud.gov organization, and you've integrated your cloud.gov authentication with your agency IdP (which takes a couple of days). Then you've created the spaces you need and assigned your users to their appropriate roles. All this takes months for bare metal or even for IaaS. And once the procurement is done, this has taken days (or less) (https://www.google.com/patents/US20060073976)
[.footer: Video timestamp 17:07]
```bash
git clone https://github.com/18F/cf-hello-worlds.git
cd cf-hello-worlds/python-flask
cf push cg-flask-demo
open https://cg-flask-demo.app.cloud.gov
cf scale cg-flask-demo -i 4
```
[.footer: Video timestamp 17:30]
| staticfile | java | ruby |
| nodejs | go | python |
| php | binary | dotnet |
[.footer: Video timestamp 18:03]
| Service | Description |
| --- | --- |
| Relational databases (RDS) | PostgreSQL, MySQL, Oracle |
| Storage (S3) | Private or public data buckets |
| Custom domain | HTTPS + Content Delivery Network |
| Redis | In-memory data structure store |
| Elasticsearch | Full-text search engine |
| Service accounts | For continuous deployment and auditing |
| Identity provider | Use cloud.gov authentication in apps |
^ S3: basic (private) vs public plan; RDS: encryption at rest, limited ingress.
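The platform encrypts RDS at rest and limits ingress, but whether the app's own connection to the database is encrypted in transit is decided by the app. The example below is added here and is not cloud.gov's code or part of the cf-hello-worlds repo: it reads the bound service from the VCAP_SERVICES JSON that Cloud Foundry injects into a pushed app, pins `sslmode` to `require` (or stricter), refuses the libpq modes that allow plaintext, and masks the password before the URI is logged. The JSON and its credential keys are constructed assumptions; compare with `cf env APP` for a real binding.

```python
"""Force TLS on a cloud.gov database binding.

Added example, not code from cloud.gov or the cf-hello-worlds repo. Cloud
Foundry hands a pushed app its bound service credentials in the
VCAP_SERVICES environment variable as JSON. The JSON below is constructed,
and the credential keys are an assumption (check `cf env APP` for your own
binding); the app, not the platform, decides whether the connection is
encrypted in transit, so never go below sslmode=require.
"""
import json
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SAMPLE_VCAP_SERVICES = json.dumps({
    "aws-rds": [{
        "name": "cg-flask-demo-db",
        "label": "aws-rds",
        "plan": "shared-psql",
        "credentials": {                          # constructed values
            "db_name": "demo",
            "host": "demo-db.rds.example.internal",
            "port": 5432,
            "username": "u_demo",
            "password": "s3cr3t",
            "uri": "postgres://u_demo:s3cr3t@demo-db.rds.example.internal:5432/demo",
        },
    }],
})

WEAK_SSLMODES = {"disable", "allow", "prefer"}   # libpq modes that permit plaintext


def bound_credentials(vcap_json, label):
    """Return the credentials block of the first service with this label."""
    for service in json.loads(vcap_json).get(label, []):
        return service["credentials"]
    raise LookupError(f"no {label!r} service is bound to this app")


def tls_database_url(vcap_json=None, label="aws-rds", sslmode="require"):
    """Return the bound URI with sslmode pinned; refuse modes that allow plaintext."""
    if sslmode in WEAK_SSLMODES:
        raise ValueError(f"sslmode={sslmode} would allow an unencrypted connection")
    creds = bound_credentials(vcap_json or os.environ["VCAP_SERVICES"], label)
    parts = urlsplit(creds["uri"])
    query = dict(parse_qsl(parts.query))
    query["sslmode"] = sslmode            # overrides anything the binding set
    return urlunsplit(parts._replace(query=urlencode(query)))


def redacted(uri):
    """Mask the password so the URI can be logged safely."""
    parts = urlsplit(uri)
    if parts.password:
        parts = parts._replace(netloc=parts.netloc.replace(f":{parts.password}@", ":***@"))
    return urlunsplit(parts)


if __name__ == "__main__":
    url = tls_database_url(SAMPLE_VCAP_SERVICES)
    print(redacted(url))
```

Use `sslmode="verify-full"` instead of `require` once the RDS CA bundle ships with the app; `require` encrypts but does not authenticate the server.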
[.footer: Video timestamp 20:22]
[.autoscale: false]
- Logs: Kibana, custom logdrains
- `cf ssh`: diagnose ephemeral containers
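The platform ships router logs to Kibana or a logdrain, but reviewing them (the AU-6 point in the notes that follow) is the customer's job. As an added example, not cloud.gov's code, the detector below runs over constructed lines in the gorouter access-log layout that `cf logs APP` shows as `[RTR/n]` entries, counts 401/403 responses per client and flags a credential-guessing source. The host, addresses and request id are made up. The security point it shows: the leftmost `x_forwarded_for` entry is whatever the client sent, so attribution walks the list from the right and skips only our own trusted proxy hops.

```python
"""Spot credential-guessing in cloud.gov router logs.

Added example, not cloud.gov's code. The lines below are constructed in the
gorouter access-log layout that `cf logs APP` shows as [RTR/n] entries (and
that a logdrain forwards); the host, addresses and request id are made up.
The detector counts 401/403 responses per client and, because the leftmost
X-Forwarded-For entry is whatever the client sent, attributes each request
to the rightmost address that is not one of our own trusted proxies.
"""
import re

RTR_LINE = re.compile(
    r'^(?:\S+ \[RTR/\d+\] OUT )?'                      # optional `cf logs` prefix
    r'(?P<host>\S+) - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ \d+ "[^"]*" "(?P<ua>[^"]*)" "[^"]*" "[^"]*" '
    r'x_forwarded_for:"(?P<xff>[^"]*)"'
)

TRUSTED_PROXIES = {"10.10.2.5"}   # constructed: the router/LB hop in front of the app


def _rtr(ts, status, xff, path="/login"):
    """Build one constructed router line (helper for the sample only)."""
    return (f'{ts} [RTR/0] OUT cg-flask-demo.app.cloud.gov - [{ts}] '
            f'"POST {path} HTTP/1.1" {status} 0 18 "-" "curl/7.54.0" '
            f'"10.10.2.5:54321" "10.10.4.7:61004" x_forwarded_for:"{xff}" '
            f'x_forwarded_proto:"https" vcap_request_id:"r1" response_time:0.004 app_index:"0"')


SAMPLE_LOG = [
    _rtr("2017-07-11T14:03:21.10+0000", 401, "203.0.113.9, 10.10.2.5"),
    _rtr("2017-07-11T14:03:21.30+0000", 401, "203.0.113.9, 10.10.2.5"),
    _rtr("2017-07-11T14:03:21.50+0000", 401, "203.0.113.9, 10.10.2.5"),
    _rtr("2017-07-11T14:03:21.70+0000", 401, "203.0.113.9, 10.10.2.5"),
    # the attacker forges a leading X-Forwarded-For entry; the router appends the real peer
    _rtr("2017-07-11T14:03:21.90+0000", 401, "198.51.100.77, 203.0.113.9, 10.10.2.5"),
    _rtr("2017-07-11T14:03:22.10+0000", 403, "198.51.100.77, 203.0.113.9, 10.10.2.5"),
    _rtr("2017-07-11T14:03:22.30+0000", 200, "192.0.2.44, 10.10.2.5"),
    # app-container line, not a router line: must be ignored
    '2017-07-11T14:03:22.31+0000 [APP/PROC/WEB/0] OUT 10.10.2.5 - - "POST /login HTTP/1.1" 401 -',
]


def client_ip(xff, trusted_proxies):
    """Rightmost X-Forwarded-For hop that is not a trusted proxy."""
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return hops[0] if hops else "-"


def auth_failures_by_client(lines, trusted_proxies=TRUSTED_PROXIES, statuses=("401", "403")):
    """Count 401/403 responses per attributed client address."""
    counts = {}
    for line in lines:
        m = RTR_LINE.match(line)
        if m and m["status"] in statuses:
            ip = client_ip(m["xff"], trusted_proxies)
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def flag_bruteforce(lines, threshold=5, trusted_proxies=TRUSTED_PROXIES):
    """Clients at or above the failure threshold (add a time window in production)."""
    counts = auth_failures_by_client(lines, trusted_proxies)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(auth_failures_by_client(SAMPLE_LOG))
    print(flag_bruteforce(SAMPLE_LOG))
```

Point the same function at lines pulled from Kibana or from the logdrain target; the only cloud.gov-specific pieces are the `[RTR/n]` prefix and the trusted-proxy set, which should list the addresses the router actually appends in your org.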
[.footer: Video timestamp 20:59]
- Procure
- Implement
- Authorize
[.footer: Video timestamp 21:10]
- Authority to Operate (ATO)
- Risk Management Framework (Low, Moderate, High)
- NIST 800-53
^ Note: Fed systems must have an ATO from the agency CIO, generally following the CISO's lead, and they are obliged to follow NIST 800-53, or accept the risk of not doing so.
^ Clarify: 325 controls for MODERATE, simplified.
^ Systems need to be categorized by the impact of a violation of CIA: Low, Moderate, High. Depending on categorization, the appropriate controls go in place. 4004 pages.
[.footer: Video timestamp 21:46]
- Data center: all 325 - you're responsible for:
  - Security guards, PE-3(3)
  - Disk wiping, MP-6(8)
- IaaS (FedRAMP): you inherit ~88 controls, still 237:
  - System logs, AU-12
  - Kernel patches, SI-2
- cloud.gov:
  - See next slide...
^ MP - media protection, PE - physical and environmental protection, SI - system and information integrity, AU - audit and accountability
[.hide-footer: true]
^ If you want a second example: AU-6 is "Audit review, analysis, and reporting" - cloud.gov provides a built-in logging feature, but customers need to review and analyze their own logs.
^ SC - system and communications protection, IA - identification and authentication
[.footer: Video timestamp 23:16]
- 15 unshared controls, 41 shared
- Simplicity and secure defaults
- Reduce shadow IT (thanks, self-service!)
- Example: Stack Clash kernel patch: < 24 hrs
^ credit-card cloud (server in closet).
[.footer: Video timestamp 25:07]
- Procure
- Implement
- Authorize
^ Why wouldn't you use cloud.gov?
[.footer: Video timestamp 25:15]
- TIC ingress control
- PIV/CAC enabled authentication
- App environment security scanning
- Attach a persistent file volume to apps
- AWS resource brokering
- Built-in CI/CD service
[.footer: Video timestamp 26:51]
[.footer: Video timestamp 26:55]
- A mission
- Housing for disaster victims
- A team
- Project / Product Managers, Designers, Devs, Ops / Sec
- A platform
- Build
- Test
- Run
[.hide-footer: true]
Footnotes

[^1]: CIO IT Dashboard for FY2017, https://www.itdashboard.gov/#learn-basic-stats
[^2]: Multi-cloud w/ Azure USGov on our roadmap