Enterprise of the Future

The Recovery Board’s blueprint for the enterprise of the future, which uses the right service for the right workload to enable a secure, nimble and cost-efficient organization

Nov 05 2012

A Technology Blueprint for the Enterprise of the Future

The Recovery Accountability and Transparency Board makes use of many different flavors of cloud computing.

More than two years ago, the Recovery Accountability and Transparency Board became the first federal agency to move a governmentwide information system to a public cloud. Our initial migration of Recovery.gov to a public-cloud provider was the beginning of what is now a multicloud enterprise solution. The Recovery Board has moved a wide variety of its IT services to the cloud, implementing the federal government’s first civilian, compliance-focused hybrid-cloud environment.

To achieve this success, the Recovery Board had to address a number of serious challenges as we sought to match the work our agency performs with the most efficient cloud services available. As the stewards of a groundbreaking project, the Recovery Board’s IT team didn’t have an example to follow, but our experience can provide an example for other agencies looking to implement a hybrid cloud.

The First Step: Planning

With a project of this scope, planning is critical to success. It is essential to perform a thorough analysis of the entire enterprise and make strategic decisions that move each workload to the right operating environment. Security, efficiency and cost-optimization are key drivers.

Given the variety of cloud services and their ability to drive down costs and deliver a superior user experience, an enterprise must master the various technologies and interfaces of multiple cloud providers, secure its connections to each provider, establish security and monitoring capabilities for each provider, and manage authentication and authorization.

The Recovery Board performed a rigorous discovery and analysis phase to develop a scalable strategy that would match the best cloud services to current and emerging business needs. By following a systematic planning and execution process, we were able to make effective decisions and execute a phased implementation approach. The planning phase clearly articulated the migration approach and roadmap for the entire system. The execution phase allowed individual program teams to build upon prior efforts.

Assessing what we needed and where we wanted to go allowed the Recovery Board to match different cloud options to its needs. The cloud services we employ include:

  • Public websites and infrastructure in Amazon’s public cloud
  • Office automation systems in Microsoft’s Office 365 Government Community Cloud
  • FederalReporting.gov in CGI’s secure federal cloud
  • FederalAccountability.gov on our private analytics cloud, maintained onsite at agency headquarters, and
  • Plans to move big data analytics using Hadoop to a secure private cloud.

Analyzing the agency’s needs and options helped us make the best decisions as we implemented the plan. For example, the Recovery Board selected Microsoft Office 365 Government Community Cloud to reduce the maintenance and licensing costs associated with commodity services such as e-mail. In making this choice, we sought to minimize disruption for existing users, avoid user retraining costs and ensure the security of e-mail data. Using the hybrid Microsoft Exchange deployment model, the Recovery Board can route all traffic through its cloud hub while making the shift to the Office 365 cloud transparent. End users will have the same client throughout the migration.

Storage services also have reduced costs, offering efficient backup and offsite storage options. The adoption of such services ensures a common security construct with robust, independent monitoring.

Bringing It All Together

Making the best use of a variety of cloud services is just part of the story. The key is how our agency integrates and manages those services securely.

The Recovery Board has designed a cloud hub that allows the agency to use multiple cloud services at the lowest cost while reducing risk, adding value and increasing the speed of developing new applications and services.

Our research made clear that we had to be able to use multiple cloud services from a variety of providers. However, given the emerging marketplace for cloud services and cloud brokers, we needed an approach tailored to our organization that could deliver results in three to six months. Thus, we leveraged the cloud hub concept and security architecture provided by our lead systems integrator, Smartronix.

The Recovery Board’s IT team designed a solution that used the cloud hub as an intermediary to provide secure, reliable and flexible access for computing, storage and network resources. This meant that we did not have to set up costly point-to-point connections and that we could implement a consistent security stack. The cloud hub provides a technology stack consisting of a firewall between the enterprise and the cloud service provider; a router that provides VPN services; and computing services that host integrated security and service management.

The cloud hub model ensures that customers can consume cloud services at a pace that makes sense for the individual enterprise and without the common concerns about accessing the cloud. The trusted connectivity component is critical, because it means that agencies do not have to spend time and money to establish connections to each cloud provider — security is ensured through inline devices that provide an independent and trusted connection gateway. This permits monitoring and inspection of all traffic entering or exiting the agency’s cloud services.

Cloud computing services offer great promise for optimizing spending and delivering an agile response to business needs. However, it is critical to plan and develop a scalable approach that can leverage multiple options. A cloud hub is essential for success, as it provides trusted connectivity and the hardware and software needed to ensure secure and reliable connectivity between users and cloud service providers.

Managed Security and Continuous Monitoring

Security is a critical component for deriving benefits from cloud computing. A cloud hub must provide continuous monitoring to maintain security. These are some of the key elements of the Recovery Board’s cloud hub security stack:

  • Intrusion detection and prevention, deployed outside the firewall to prevent attacks on exposed systems downstream on the Internet;
  • Multilayer firewalls to protect the network against intruders;
  • Data loss prevention technology to monitor all cloud traffic and flag violations of information security policies;
  • An outbound proxy to ensure that viruses and other nefarious software are not downloaded onto a user’s system;
  • A network traffic monitor to analyze all inbound and outbound traffic for hacking and other unscrupulous activities;
  • A governance and risk compliance system to ensure that established IT policies are followed;
  • Enterprise monitoring of all security operational logs to check for anomalies suggesting unauthorized or illicit activity;
  • Database protection against known attacks that applies best practices and monitors for any functional changes;
  • Two-factor authentication requiring a token or personal information (hardware, retina, fingerprint or HSPD-12 card) to verify a user’s identity.

In addition to the systems components, it is critical to have a team experienced in monitoring and responding to alerts. An independent security operations center, which tracks performance, security and systems data, safeguards the clouds.

