Cloud Possible: Infrastructure as a Service (IaaS) – Installment #3
In our third installment of the Cloud Possible Series we discuss Infrastructure as a Service (IaaS), one of three types of cloud deployment models. Here we discuss the requirements of the Utility and the benefits that this model provides.
For Utilities who have the greatest requirement for flexibility and control, the IaaS operating model is the best choice. This model is closest to a dedicated on-premise computing environment. Utilities who choose an IaaS model to receive a scalable infrastructure, with the ability to grow compute, storage, and network on demand. In addition to infrastructure, IaaS providers often offer a variety of additional services: firewalls, load balancers, IP addresses, VLANs, data protection/backups, encryption, colocation, cross-connects, and internet connections.
Operating Model: IaaS providers manage and maintain the physical data center environment, and compute, storage, networking equipment, and the virtualization layer to provide virtual machines (VMs) for the Utility. Networking and firewalls are architected into a multi-tenant platform so that each tenant’s environment is logically isolated from other tenants. The Utility’s technical resources access their secure tenant environments via a private connection to their corporate WAN or a connection to the internet (often procured from the cloud provider). The Utility retains full control of the operating systems, databases, middleware tools, and applications within their environment. This enables the flexibility for homegrown software, customizations, and operating system/application version control. This is a great solution for CIS – where the Utility still needs more flexibility to customize the solution to meet specific regulatory requirements. This control and flexibility comes with the responsibility to operate and support these layers – you will still need support personnel knowledgeable in the operating systems and databases your solutions run on, as well as technical and functional application support, either employed by your organization or provided via a managed service. The benefit of this model is the scalability and cost-efficiency of a shared multi-tenant cloud infrastructure with built-in redundancies for reliability and the flexibility to maintain customized solutions, version control, and maintenance schedules.
IaaS Providers: Amazon Web Services, Rackspace, Microsoft Azure, Google Compute Engine, Cisco Metapod, Virtustream
End-User Support: As in all of the models, the Utility’s internal help desk is the single point of contact (SPOC) for end-to-end support for their users. Significant planning between the Utility and the Cloud Service Provider (CSP) is needed to develop and document an end-to-end support plan for an IaaS cloud deployment. The various support teams and procedures for applications, operating systems, IaaS Cloud, and WAN will need to be integrated:
• Procedures and RACI for incident management, response times, and escalations
• Ticket management via ticket association or ticketing system integration
• Managing end-to-end incident diagnosis and resolution without finger-pointing
• Approval process for Moves, Adds, and Changes (MAC), with response times for resulting service orders
This requires detailed due diligence and a partnership approach with your cloud provider. The Utility should invest time at the beginning of the contract to understand redundancy built into the cloud platform and the monitoring capabilities of each provider and the proactive actions taken to avoid incidents that may impact the Utility. Performance metrics and targets for SLA reporting, management, and stewardship meetings should be negotiated and implemented with each vendor.
Security Compliance: In any cloud deployment, the Utility must own, define, manage, and update the overall security plan for their environment. Components of the security plan will be assigned to the CSP and other vendors; these assigned components will change depending on the Cloud Service Model. Under the IaaS Model, the Utility is responsible for the operating system and application access control, user credential management, vulnerability management, and personnel training.
It is also important for the Utility to understand what certifications and audits are executed by their Cloud provider. ISO 27001, SSEA 16, and SOC2 certifications are implemented to verify overall Cloud security, availability, processing integrity, confidentiality, and privacy of customer data. PCI-DSS is a certification of the security standards for account data protection.
From a high-level security standpoint, the IaaS provider should be responsible for executing and auditing the following (the Utility will inherit these audited controls):
• Vulnerability management for cloud infrastructure and management systems
• Access control, credential management, and training for all personnel accessing cloud components
• Isolation of client data and systems (e.g., firewalls, encryption, access)
• Physical equipment and data center controls
Depending on the requirements of the overall security plan, network providers may be responsible for encryption, internet VPNs, and DDoS security services.
As with any technology decision the utility must assess its current and future resources to choose the best solution for the business. With this information about the operating model, requirements of the end user support, and security compliance for a IaaS deployment you are one step closer to evaluating your needs.
Next week we discuss the details of a Platform as a Service (PaaS) model. If you like this post or would like to be notified about the next installment, follow us at https://www.linkedin.com/company/validos/.