Consider this fundamental information for deploying ProjStream’s BOEMax or MaxTeam software tools in the cloud.
A common definition is on-demand computing services delivered over the internet, where you pay a cloud service provider (CSP) a subscription fee or pay for the resources you actually use.1 The CSP maintains a virtualized pool of resources, from raw compute power and database storage to applications and developer tools. The advantage is scalability and agility: the CSP uses automated provisioning to tap those resources in real time as workload demands change.
What benefits are important to you depends on what you want to achieve. It also depends on what types of services or products your company provides. For some, moving to a cloud environment frees information technology (IT) personnel to focus on internal business needs instead of maintaining a data center. For others, it is a way to reduce the time to market for a new product or software application. They can take advantage of new advanced cloud services as well as the latest trends in software development such as devops to meet business demands for speed, agility, and responsiveness.
Often cited benefits of cloud computing include:
Even though security is often listed as a benefit of cloud computing, many companies remain concerned about security risks. A recent IDG cloud computing survey2 found that 34% of companies have security concerns. Qualified CSPs are generally better defended than the average enterprise data center: to keep a FedRAMP authorization they must continuously monitor and report on their security controls and demonstrate that they provide a securely managed solution.
Security is a shared responsibility between you and the CSP. The CSP secures the infrastructure it operates; you remain responsible for what you put on it and who can reach it. The greater security risk is therefore often on your side of that line: your existing systems, how data are stored and classified, and how users are authenticated. Internal security policies and identity management often need to be strengthened and actively managed to properly secure the data and services, and security practices need to evolve to integrate with the range of cloud infrastructure and applications your company plans to deploy over time.
Cybersecurity processes and practices must be in place to adequately protect your company’s proprietary information, intellectual property, technical information, and information systems from unauthorized disclosure or malicious attackers whether your systems are internal or in the cloud. This has become a matter of economic and national security for the US industrial base.
Survey results indicate cloud adoption and spending are increasing. According to the same IDG survey, nine out of ten companies have already moved at least some of their applications to the cloud or plan to do so in the next 12 months. Average cloud spending in 2018 was up nearly 36% from two years earlier.
Your company may have already started moving infrastructure or applications to the cloud, often as part of overall business initiatives to achieve process agility – the ability to quickly respond to internal and customer demands.
The US federal government, and the DoD in particular, is no different. They know they need to embrace the cloud to ensure mission success and mitigate cybersecurity risks. The DoD recently published a Cloud Strategy3 document emphasizing its commitment to the cloud and the need to view initiatives from an enterprise perspective. The DoD intends to implement a Joint Enterprise Defense Infrastructure (JEDI) for the majority of systems and applications. This will help it take advantage of economies of scale, provide a core of common services, proactively address cyber challenges, and leverage data analytics so personnel can make time-critical decisions.
For contractors with federal government contracts that want to take advantage of cloud computing, a number of compliance and security control standards apply. Cybersecurity must be a top priority for all companies.
A few of the primary standards and regulations to be aware of include the:
There are a variety of cloud computing services in the marketplace. The most common types are software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS). A CSP may provide a single type of service or a range of services. The service types form a stack, and responsibility for operating and securing each layer can fall to a different party.
The following image illustrates this stack with ProjStream managing the SaaS and Rackspace,5 a FedRAMP authorized CSP, managing the PaaS and IaaS.
Other common types of services include:
The IDG Cloud Computing Survey provides other insights into what companies are doing. For example:
ProjStream can support a number of different scenarios to deploy our software tools in the cloud. For example:
The SaaS plus managed PaaS/IaaS model often works well to address internal IT resource limitations or to lower the total cost of ownership. Another example is a small company with a one-off, three-year project that carries earned value management system (EVMS) requirements and needs a tool to produce contractual performance reports for that timeframe only.
You do have choices for proposal management, earned value management, and project cost management tools. A consideration to include in your requirements list is whether the tool is designed to support cloud environments.
ProjStream is an agile software development company that has embraced the cloud computing delivery model. We can support traditional and cloud computing environments. The software can be deployed on a local computer, on a server, or as a web service.
Applications optimized for the cloud computing delivery model or “cloud-native” applications:
Legacy software designed for a client/server environment cannot take advantage of the cloud computing delivery model. The software is monolithic in design, the opposite of applications designed for the cloud. Updates and enhancements are a major event: they ship as “patches” or new versions that remain tightly coupled to the underlying infrastructure. A software vendor may put a browser front end on a desktop tool so that it appears to function as a web service. The downsides are performance degradation and security, because an application built for a trusted local network is now exposed to the internet without having been designed for it. “Lifting and shifting” a legacy application may be a stop-gap measure, but it limits your options in the future. At some point this will matter, as more applications move to the cloud.
|CMMC||Cybersecurity Maturity Model Certification (CMMC). Similar to other maturity models, it provides a framework of processes and best practices a contractor follows to achieve a defined level of cybersecurity capability that can be independently verified by an approved CMMC third party assessment organization. Created to merge all the different cybersecurity requirements and standards into a single standard that is more comprehensive.|
|CSP||Cloud service provider. There are different types of cloud services. See the definitions for software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS).|
|Devops||A combination of “development” and “operations.” The objective is to align the priorities between the development and operations teams to reduce the time to market with a higher quality product focused on customer needs. Devops encompasses the organization structure, practices, and culture so teams have a single mindset of responding faster to business needs. It combines rapid agile development and innovation that is balanced with security and operational needs.|
|DFARS Clause 252.204-7012||Safeguarding Covered Defense Information and Cyber Incident Reporting. DoD contractual clause that spells out contractor requirements to protect covered defense information and the information systems that process it, and to report cyber incidents. Cites NIST SP 800-171 as the required security baseline. Where a cloud service is used to store or process covered defense information, the clause requires the CSP to meet security requirements equivalent to the FedRAMP Moderate baseline.|
|Failover||A means for ensuring high availability of a critical resource such as a computer system, involving a parallel, backup system so that when there is a detected failure of the primary system, processing can be automatically shifted over to the backup.|
|FedRAMP||Federal Risk and Authorization Management Program. Created to standardize the approach for assessing, authorizing, and continuously monitoring the security of cloud products and services used by US federal government agencies. A CSP with a FedRAMP authorization has demonstrated that it implements an agreed set of security controls (baselines drawn from NIST SP 800-53) and has a risk management process in place that includes continuous monitoring.|
|FISMA||Federal Information Security Management Act. US legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or human threats. It was signed into law as Title III of the E-Government Act of 2002 and updated by the Federal Information Security Modernization Act of 2014. Agencies must ensure the security of government data, with annual reviews of their information security programs. The intent is to keep risk at or below specified levels in a cost-effective, timely, and efficient manner.|
|IaaS||Infrastructure as a service. The foundation layer for cloud services. Typically includes an array of servers for computing and data storage, networks, and other services.|
|ITAR||International Traffic in Arms Regulations. Controls exports from the US of defense-related articles, technical data, and services. Foreign persons, meaning anyone who is not a US citizen or lawful permanent resident, cannot have physical or logical access to ITAR-controlled data unless an export license, authorization, or exemption is in place.|
|NIST SP 800-53||Security and Privacy Controls for Federal Information Systems and Organizations. Provides a catalog of security and privacy controls for federal information systems and organizations; the FedRAMP baselines are drawn from it. Developed by NIST under its FISMA responsibilities and mandatory for federal agencies.|
|NIST SP 800-171||Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This publication provides federal agencies and other organizations with a set of recommended security requirements for protecting the confidentiality of controlled unclassified information (CUI).|
|PaaS||Platform as a Service. The middle layer for cloud services. Typically includes operating systems, development tools, middleware, database management, and other services. Security monitoring and controls are an important component of this layer.|
|SaaS||Software as a Service. The top layer for cloud services. This is the layer visible to the end users of an application.|
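To make the Failover entry above concrete, here is a small Python example written for this page (it is not ProjStream's code and not part of BOEMax or MaxTeam). It assumes a hypothetical client that holds backends in priority order, marks a backend unhealthy after a configurable number of consecutive failures, quarantines it for a retry interval so a flapping primary does not slow every request, and automatically fails back once the primary responds again. The backend callables, thresholds, and scenario are constructed for illustration.

```python
import time


class ServiceUnavailable(Exception):
    """Raised when no backend can serve the request."""


class FailoverClient:
    """Route each call to the first healthy backend in priority order.

    Hypothetical helper, not a real library API. A backend is marked
    unhealthy after `max_failures` consecutive errors and is skipped
    until `retry_after` seconds have elapsed; after that it is probed
    again with a live request, so a recovered primary takes over automatically.
    """

    def __init__(self, backends, max_failures=2, retry_after=30.0, clock=time.monotonic):
        # backends: list of (name, callable) in priority order (assumed shape)
        self.backends = list(backends)
        self.max_failures = max_failures
        self.retry_after = retry_after
        self.clock = clock  # injectable so the quarantine timer is testable
        self.failures = {name: 0 for name, _ in self.backends}
        self.down_until = {name: 0.0 for name, _ in self.backends}
        self.active = None
        self.switches = []  # audit trail of (from, to) switchovers

    def _eligible(self, name):
        return self.clock() >= self.down_until[name]

    def call(self, *args, **kwargs):
        last_error = None
        for name, fn in self.backends:
            if not self._eligible(name):
                continue  # quarantined: do not pay the failure cost again
            try:
                result = fn(*args, **kwargs)
            except Exception as exc:  # any transport/application error counts
                last_error = exc
                self.failures[name] += 1
                if self.failures[name] >= self.max_failures:
                    self.down_until[name] = self.clock() + self.retry_after
                    self.failures[name] = 0
                continue
            self.failures[name] = 0
            if self.active is not None and name != self.active:
                self.switches.append((self.active, name))
            self.active = name
            return name, result
        raise ServiceUnavailable(f"all backends failed: {last_error!r}")


def demo():
    """Constructed scenario: the primary dies after one request and returns later."""
    fake_now = [0.0]
    primary_alive = [True]

    def primary(req):
        if not primary_alive[0]:
            raise ConnectionError("primary unreachable")
        return f"primary:{req}"

    def backup(req):
        return f"backup:{req}"

    client = FailoverClient([("primary", primary), ("backup", backup)],
                            max_failures=2, retry_after=60.0,
                            clock=lambda: fake_now[0])
    served = [client.call("r1")[0]]          # healthy primary serves
    primary_alive[0] = False
    served.append(client.call("r2")[0])      # first failure, backup serves
    served.append(client.call("r3")[0])      # second failure: primary quarantined
    served.append(client.call("r4")[0])      # primary skipped without being tried
    primary_alive[0] = True
    fake_now[0] = 30.0
    served.append(client.call("r5")[0])      # still inside retry window
    fake_now[0] = 61.0
    served.append(client.call("r6")[0])      # probed again, fails back to primary
    return served, client.switches


if __name__ == "__main__":
    print(demo())
```

The quarantine timer is the part teams most often omit: without it, every request after the primary dies still pays a full connection timeout before reaching the backup, which defeats the "high availability" the definition promises. Note also that the secondary must be kept current (replicated data, same security controls) or the switchover merely trades an outage for stale or less protected data.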