business report (professional design)
TRANSCRIPT
CLOUD STRATEGY Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 2 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
Executive Summary ................................................................................................................ 3
Definitions, Attributes & Taxanomy ........................................................................................ 4
What is Cloud Computing? ................................................................................................................. 4 Attributes of Cloud Computing ......................................................................................................................... 4
Cloud Deployment Models .................................................................................................................. 4
Cloud Computing Service Models ....................................................................................................... 5 Software as a Service (SaaS) .......................................................................................................................... 5 Platform as a Service (PaaS) ........................................................................................................................... 6 Infrastructure as a Service (IaaS) .................................................................................................................... 7
Current State .......................................................................................................................... 7
Risks and Issues with Current State................................................................................................... 7
Why Cloud? ............................................................................................................................ 8
Cloud is a fundamental shift in IT ....................................................................................................... 8 Efficiency improvements will shift resources towards higher-value activities ....................................................... 8 Services will be more scalable ......................................................................................................................... 8 Agility improvements will make services more responsive ................................................................................. 8 Innovation improvements will rapidly enhance service effectiveness .................................................................. 9 Assets will be better utilized ............................................................................................................................ 9 Portability and Flexibility ................................................................................................................................. 9
Creating the Cloud Culture ................................................................................................... 10
Roadmap for Cloud Migration ............................................................................................... 11 1. Create a Cloud Strategy ....................................................................................................................... 12 2. Establish a Cloud Program ................................................................................................................... 12 3. Cloud Discovery ................................................................................................................................... 12 4. Define Governance Structure ................................................................................................................ 12 5. Implement Core Technologies ............................................................................................................... 12 6. Assess and Plan .................................................................................................................................. 13 7. Build and Pilot ..................................................................................................................................... 16 8. Application Migrations .......................................................................................................................... 17 9. Operational Integration and Environment Optimization ........................................................................... 17 10. Define EA Policies ............................................................................................................................... 17 11. Cost/Billing Analysis & Management ..................................................................................................... 17
Appendices ........................................................................................................................... 18
Appendix A - Abbreviations and Acronyms ...................................................................................... 18
Appendix B - Existing Cloud Application deployments .................................................................... 18
Appendix C - Systems/Applications Migrations and considerations ................................................ 19
Appendix D - AWS vs. Azure for IaaS and PaaS ............................................................................... 20 Amazon Web Services (AWS) ........................................................................................................................ 20 Azure ........................................................................................................................................................... 21
Appendix E - Cloud Connectivity Options ........................................................................................ 22
Appendix F - Cloud First Considerations .......................................................................................... 24
References ............................................................................................................................ 25
Links ..................................................................................................................................... 25
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 3 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
EXECUTIVE SUMMARY As technology continues to evolve so does Oakland County Information Technology’s (OCIT) infrastructure
environment and development model. The overarching goal of OCIT ‘s Cloud Strategy is the ability to run any time
and run any where. This means that OCIT needs to have the ability to support cloud and on-premise solutions;
where the optimal configuration for performance, reliability and cost can be selected.
For the purposes of streamlining the run any time and run any where strategy, we will determine on a case by case
basis where a workload should reside, and will construct environments where the solutions are either all in the cloud
or on-premises. Splitting workloads between the cloud and on-premises reduces the effectiveness and efficiency of
both technology platforms.
As we look toward our future, Oakland County (OC) is looking to establish a Cloud First approach to application
infrastructures. The Cloud will provide Oakland County with several benefits including econ omies of scale, removal of
non-value added tasks from daily workloads, increased innovation and improved collaboration across IT. We will
establish the standards that govern our cloud environments and enable the Cloud First mindset through our Technical
Design Review process.
Oakland County has been leveraging cloud computing technologies for some time. We have many successful
Software as a Service (SaaS) implementations and some Infrastructure as a Service implementations. Our
preliminary experiences with Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) suggest that they
are suitable for agile, rapid development and deployments.
With the convergence of market trends, successful cloud deployments , limited “On-Premise” capacity and upcoming
technology projects, now is the time for Oakland County to transform the way we do business. We cannot take our
current processes and adapt them to the cloud. We need to create a new way of doing business that
leverages all of the value propositions of cloud. These new and improved processes may be applied to our on-
premises infrastructure to take advantages of the lessons learnt in the cloud as a part of our Outside-In approach.
A true cloud strategy includes a holistic view of IT that requires partnership, collaboration and the support of
leadership to remove the barriers to the cultural chage.
This Cloud Strategy will:
1. Define the cloud and its components creating a common and shared lexicon for OC.
2. Articulate the benefits, considerations, and trade-offs of cloud computing.
3. Identify the program, activities, roles and responsibilities for our transformation to Cloud First computing.
4. Provide a high-level roadmap for cloud migrations.
5. Provide a deicison framework for solutions to migrate to the cl oud.
6. Define the Cloud connection methodologies.
7. Ensure the security requirements are included and met.
8. Establish the governance policies of the cloud.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 4 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
DEFINITIONS, ATTRIBUTES & TAXANOMY
What is Cloud Computing?
“Cloud Computing is a style of computing where elastically scalable technical capabilities are delivered as a service
using Internet technologies.” – Gartner
Attributes of Cloud Computing
• Abstraction – infrastructure abstracted from the customer and delivered as a service.
• Agility – ability to provision and re-provision infrastructure resources since it is delivered as a service.
• Reliability – improved availability with multiple redundant sites.
• Scalability – ability to accommodate varying loads (scale-up, down or scale-out).
• Elasticity – ability to cope with loads dynamically.
• Security – provides a secure infrastructure.
• Performance – is reliable and can be monitored.
• Maintenance – is easier to maintain with self-service for all configurations.
• Multi-tenancy – ability to host multiple tenants.
• Metered usage – ability to monitor and control usage. Pay as you go model to reduce capital expenditures.
Cloud Computing can deliver System Infrastructure components (Network, Storage, Servers, Load Balancers etc.),
Application Infrastructure components (Services, Platforms, Applications, etc.) and provides licensing flexibility (Bring
your own License or purchase from the service provider).
Cloud Deployment Models
Deployment
Model
Definition Service
Providers/Examples
OCIT
Private Cloud Cloud Infrastructure operated
solely for a single organization,
whether managed internally or by a
third-party, and may be hosted
either on-premise or off-premise.
OpenStack, VMWare Private
Cloud, IBM SoftLayer, etc.
Oakland County does not
have the size or scale to
warrant the need for a
Private Cloud at this time.
Public Cloud Cloud Infrastructure made available
to the general public or a large
industry group and is owned by an
organization providing cloud
services.
AWS, Azure, Rackspace,
etc.
AWS and Azure are
currently leveraged for OC
today. We will continue to
use these cloud
environments, but look to
improve our design,
implementation and
governance.
Hybrid Cloud Cloud Infrastructure delivered by
some combination of private and
public services, from different
service providers.
The cloud infrastructure is a
composition of two or more clouds
(private, community, or public) that
remain unique entities but are
bound together by standardized or
proprietary technology that enables
Cloud bursting for load-
balancing between clouds.
Application deployed to the
cloud infrastructure and data
is on-premises.
At some point in the future,
this type of cloud structure
may be needed. At this point
we will not be leveraging
this deployment type.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 5 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
data and application portability.
Community
Cloud
Cloud Infrastructure shared by
several organzations and supports
a specific community that has
shared concerns (e.g., security
requirements, policies and
compliance considerations, industry
requirements).
It may be managed by the
organizations themselves or a third
party, and may exist on-premise or
off-premise.
AWS GovCloud, Azure
Government Community
Cloud.
AWS and Azure Government
clouds host environments
for several federal, state
and local government
entities.
Oakland County will
leverage this type of cloud
environment. We will need
to create a design,
implementation and
governance process.
Cloud Computing Service Models
Figure 1 shows the comparison options of the different cloud computing service models. A typical deployment in the
cloud environment for an OC application could include components in each of the three cloud service models.
Figure 1: Comparing Cloud Computing service models
Software as a Service (SaaS)
The capability provided to the customer is to use the provider’s applications running on a cloud infrastructure.The
applications are accessible from various client devices through a thin client interface such as a web browser (e.g.,
web-based email).The customer does not manage or control the underlying cloud infrastructure including network,
servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 6 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
user-specific application configuration settings. Applications are typically upgraded and maintained by the SaaS
provider.
e.g.: SalesForce, Kronos, ArcGIS Online, Office 365, Okta, etc.
Pros:
• Quick implementation – since there is no hardware or software to setup and configure, the implementation
times are greatly reduced.
• Zero planned upgrades – the service provider is responsible for all planned upgrades. OC may need to test
the changes for some planned upgrades with the vendor.
• Patches and Upgrades – are automatically applied (more often on a scheduled timeframe). This ensures the
customer always uses the most current version of the softwareand also includes the latest security patches.
• Availability and Redundancy – is the responsibility of the service provider.
• Backup and Retention – is the responsibility of the service provider.
• Security – is the reponsibility of the service provider. This includes security compliance testing, scans,
certificates, etc.
Cons:
• Control – the customer has little control over the application other than who has access. The customer can
alter configurations, but not to customize the core functionality.
• Vendor lock-in – switching to a new vendor may become difficult, especially with customizations.
• Patches/Upgrades – Patches and upgrades to the software are automatically applied (more often on a
scheduled timeframe). There will not be an option to back out of certain patches or upgrades as the customer
has may not have a say in the pre-established SLAs, maintenance windows, etc.
• Integration – integrating with on-premises data and applications may require additional effort, since the data
is hosted by the service provider.
Platform as a Service (PaaS)
The customer is provided the ability to deploy onto the cloud infrastructure customer-created or acquired applications
created using programming languages and tools supported by the provider. The customer does not manage or control
the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the
deployed applications and possibly application hosting environment configurations.
e.g.: AWS RDS, Azure App Service, etc.
Pros:
• Server-less Architecture – the customer does not have to manage hardware, operating systems, database
systems, and programming stack servers are not required to stand-up the components of the solution. This
leads to faster implementation of the solution as there is no installation of the platform required.
• Allocated Resources – is configurable and can be scheduled and scaled in most cases, if required.
• Features – more features are readily available, which would otherwise require installation and configuration
of additional components.
• Backups – are easily handled with standard and established procedures.
• High-Availability and Redundancy – can be configured.
• Security – is implemented with industry best practices for the platform.
Cons:
• Vendor lock-in – switching to a new vendor may require coding changes, and re-architecting, which can be
time consuming, based on the complexity the solution.
• Patches/Upgrades – Patches and upgrades to the platform are automatically applied (more often on a
scheduled timeframe). There will not be an option to back out of certain patches or upgrades.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 7 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
Infrastructure as a Service (IaaS)
The customer is provided the ability to provision processing, storage, networks and other fundamental computing
resources where the customer is able to deploy and run arbitrary software, which can inc lude operating systems and
applications. The customer does not manage or control the underlying cloud infrastructure but has control over
operating systems, storage, deployed applications and possibly limited control of select networking components.
e.g.: AWS, Azure, Rackspace, IBM SoftLayer, etc.
Pros:
• Custom Architecture – the customer has complete freedom in designing the architecture as required by the
applications. This means that the customer must manage operating systems, database systems and
programming stack servers. This provides complete control to building a custom architecture and implement
custom components.
• Allocated Resources – is configurable and can be scheduled and scaled, if required.
• Backups – are handled with customer standards and established procedures.
• High-Availability and Redundancy – can be configured using customer solutions.
• Security – is implemented with industry best practices by the customer.
• Vendor lock-in – switching to a new service provider most likely will not require rearchitecting the solution
and coding changes.
Cons:
• Maintenance – Since the architecture is designed by the customer, the customer holds the responsibilitues of
administering and maintaining the entire architecture, which could include security, firewalls, monitoring,
alerting, etc.
• Patches/Upgrades – Patches and upgrades to the to the infrastructure have to be managed by the customer.
CURRENT STATE Oakland County (OC) has a majority of deployments on-premise, but is also currently using many cloud computing
services. Here are some of the current cloud deployments:
• SaaS: Office 365, Salesforce, ArcGIS online, Kronos, Google, Salesforce
• PaaS: Azure Media Services, Azure Mobile Services, SharePoint online
• IaaS: AWS VPC and Virtual Machines, which host the SharePoint websites for OC and G2G customers and
the NACo Application Store (.Net web application).
Risks and Issues with Current State
• The current RAP environment is running at maximum utilization.
• Our current on-premise infrastructure does not scale well with demand.
• Our current cloud deployments have been designed to mimic some of the on-premise processes, which
replicates the same problems in the cloud
• Our current cloud connections need to be expanded, scalable, redundant and provide increased security for
the various type of cloud deployments we will have in the future .
• Our current processes do not include a Cloud First mindset; meaning that without evolving our strategy we
will migrate our technical debt o the Cloud without looking at new technologies to optmize and leverage the
best practices.
• The Culture of Collaboration is missing from our current cloud deployments. Having a true Cloud First
mindset will increase our need of cross-team collaboration and holistic ownership.
• Our method of securing our Cloud Infrastructure must evolve from how we secure things to a re quirement
driven security model.
• Our current infrastructure is not portable – we cannot move our workloads to efficiently util ize our capacity in
the cloud and on-premises.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 8 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
WHY CLOUD?
Cloud is a fundamental shift in IT
Cloud computing enables IT systems to be scalable and elastic. We as OCIT, do not need to determine their exact
computing resource requirements upfront. Instead, we provision computing resources as required, on-demand. Using
cloud computing services, OCIT does not need to own data center infrastructure to launch a capability that reliably
serves thousands of concurrent users, but instead can leverage the pay-as-you-go model for provisioning new
infrastructure.
As shown in the Figure 3, the cloud expenditure and adoption has progressively increased over the past few years
and is projected to increase in the near future.
Figure 3: Public Cloud forecast
Using a public or community cloud like AWS or Azure would give OCIT access to infrastructure and services
relatively inexpensively, in minutes. In our current environment, it would take months to procure and configure
comparable resources and significant management oversight to monitor, maintain and upgrade systems. Applying
cloud technologies across OC can yield tremendous benefits in efficiency, agility, and innovation.
Efficiency improvements will shift resources towards higher-value activities
Only a fraction of the investment in data center infrastructure delivers real, measurable impact for the departments,
agencies and the general public serviced by OC. Improvements in efficiency will be seen in software applications and
end-user support. These savings can be used to increase capacity or be reinvested in other alternatives, including
citizen-facing services and inventing and deploying new innovations.
Services will be more scalable
With a larger pool of resources to draw from, individual cloud services are un likely to encounter capacity constraints.
As a result, services hosted in the cloud would be able to more rapidly increase capacity and avoid service outages.
Given appropriate service level agreements and governance to ensure overall capacity is met, clou d computing will
make the OCIT’s investments less sensitive to the uncertainty in demand forecasts.
Agility improvements will make services more responsive
Cloud computing will also allow OCIT to improve services and respond to changing needs and regulations much more
quickly. With traditional infrastructure, OCIT’s service reliability is strongly dependent upon the ability to predict
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 9 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
service demand, which is not always possible Cloud computing will allow OCIT to rapidly scale up to meet
unpredictable demand thus minimizing similar disruptions. Notably, cloud computing also provides an important
option in meeting short-term computing needs; applications need not invest in infrastructure in cases where service is
needed for a limited period of time.
Innovation improvements will rapidly enhance service effectiveness
Cloud computing will not only make our IT services more efficient and agile, it will also serve a s an enabler for
innovation. Cloud computing allows the OCIT to use its investments in a more innovative way and will help OCIT take
advantage of leading-edge technologies.
Assets will be better utilized
According to a recent analysis, OCIT is not fully ut ilizing allocated capacity. Low utilization is not necessarily a
consequence of poor management, but instead, a result of the need to ensure that there is reserve capacity to meet
periodic or unexpected demand for key functions.
With cloud computing, total infrastructure resources are pooled and shared across large numbers of applications and
organizations Cloud computing can complement data center consolidation efforts by shifting workloads and
applications to infrastructures owned and operated by third parties Capacity can be provisioned to address the peak
demand.
As utilization is optimized by migrating workloads to the cloud infrastructure, more value is derived from the existing
assets and in-turn reducing the need to continuously increase capacity which means less expenditure on hardware,
software, operations, maintenance, and power consumption.
Portability and Flexibility
Cloud computing gives OC the f lexibility to alleviate capacity problems with on-premises infrastructure and hence
provide the option to be portable with application deployments. This in turn converts a lot of OCIT’s capital Expense
budget into Operational Expense and helps us better plan and utilize our infrastructures in the cloud and on -
premises. Having the option to deploy applications to multiple infrastructure platforms where optimal configuration for
performance, reliability and cost can be selected based on the application requirements.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 10 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
CREATING THE CLOUD CULTURE The shift toward a Cloud First mindset requires a shift in our current culture. This will be an ongoing shift, in which
we will need to exemplify and improve our collaboration throughout the entire organization.
Figure 4: Oakland County Culture of Collaboration
Building off this model of culture of collaboration as shown in Figure 4, we are recommending the following roles to
help ensure Collaboration and a clear delineation of responsibility.
IT Steering – This group will be responsible for setting the strategic objectives for the effort, securing funding and
providing continual change management support for the mind set change. This will start with helping share the
message of the mindset through the celebration of successful events.
Architecture Team and CTO – This group will provide the current state and future strategic direction for this effort.
The team will assist in the planning of cloud development, execution and integration strategies on a project by project
basis. This group will identify and lead the implementation of governance of Cloud which will balance between
performance, optimization, fiduciary and fiscal responsibilities.
IT Security and CISO – This group will establish the requirements for security, compliance and data. The group will
also consult on the execution of individual projects ensuring the alignment to the requirements and constraints
defined by the team. This group will have representation in establishing the governance process.
Applications Team – This team is responsible for the execution of projects to the Cloud First mindset. This team will
ensure the business and service delivery needs are implemented in the most effective and efficient manner. This
group will have representation in establishing the governance process.
TSN – This team is responsible for the day to day operations of the cloud environment. This includes monitoring
performance servers and network. This group will have representation in establishing the governance process.
We will leverage our new Technical Design Review Process for the Architecture, Security, Applications and TSN
Team to collaborate on the right solution on a project by project basis.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 11 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
ROADMAP FOR CLOUD MIGRATION Figure 5 shows the overall roadmap for cloud migration and adoption for Oakland County. It is broken into multiple phases (color -coded), each of
which will be discussed below.
Figure 5: Oakland County Cloud Roadmap
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 12 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
1. Create a Cloud Strategy
A cloud strategy will increase the understanding of how decisions about the cloud can affect and improve the delivery
of work at OC. It will help us understand best practices, which will translate into speed and agility to improve
availability and delivery of software and services for OC customers. It will also contain the definitions of cloud
computing in terms of Oakland County's view and a roadmap for how implement a Cloud First strategy.
2. Establish a Cloud Program
The first step on the Cloud Roadmap is to establish a cloud program and identify projects to implement the strategy.
The Cloud Program will:
• Gain the understanding of cloud computing and infrastructures.
o Research the latest technologies in provisioning servers and environments.
o Get trained on cloud technologies and best-practice implementations.
o Gain extensive knowledge on provisioning “Infrastructure as Code”.
o Develop and implement cloud models needed for OC's future based on migrations and further
resource needs.
• Evaluate the current cloud deployments and make suggestions for improvement or migrations to new OC
standards.
• Have a cloud ready environment available for migrations and future deployments.
o Prepare governance and automation procedures for IaaS, PaaS and SaaS models.
o Implement security policies.
o Establish standards for communication with on-premises infrastructure and resources.
o Determine the integration platforms and processes for cloud services.
• Establish Goals and Objectives for Cloud implementations.
• Migrate pilot applications to the Cloud.
• Begin the migration process with Application services.
3. Cloud Discovery
This phase will identify and inventory existing Oakland County Cloud IaaS, PaaS and SaaS deployments. These
services will eventually be brought under the standard policies and procedures that will be established as a part of
the Cloud adoption and implementation.
When looking at Oakland County's Cloud Roadmap, once the strategy is approved and the initial Cloud discovery
phase is complete, most of the remaining tasks can be done in parallel.
4. Define Governance Structure
Policies and processes for governance in the Cloud environments will be established and implemented in this phase.
This includes, but is not limited to support, monitoring and alerting, SLAs, pa tching, etc.
5. Implement Core Technologies
To be successful in migrating applications to the cloud environments, core solutions need to be in place. Here are
some of the solutions identified:
IAM – An effective SaaS based IAM solution will greatly reduce the amount of manual effort involved in integrating
active directory users to cloud platforms and applications. An IAM solution provides:
• Standard authentication method for applications migrating to the cloud.
• Standard authentication method to authenticate and administer cloud resources.
• Standard authentication method for SaaS applications.
Integration Platform – Integration platforms help different applications and services talk to and share data with each
other. An integration platform helps:
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 13 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
• Ensure that the same datasets are being used across different applications. Metadata and versioning
ensures the data is kept consistent.
• Integrate different types of applications independent of platform, programming language or operating system,
so they can be bound together in workflows and processes.
• Collaborate between distributed and scattered applications, regardless of where they are deployed.
• Take security considerations into account so that data is shared is only with the right resources.
6. Assess and Plan
Requirements for the cloud environments will be gathered after consultations with the appropriate groups within OC
and external vendors. These requirements will not be fixed, but will be living documents as they will change as the
underlying cloud technologies change and as our experience with the cloud grows.
Select Cloud Service providers
This phase will comprise of researching and defining the criteria of when to use cloud environments for Oakland
County. We will position Oakland County for innovation and provide the flexibility of using the right environment for
each solution.
Define Cloud Environment Requirements
This step of the cloud environment requirements phase will determine the requirements for logging, log retention,
monitoring, alerting, reverse proxy, load balancing, PaaS vs. IaaS, storage types, VM type evaluations, High -
availability, DR, etc.
Define Network requirements
This step of the cloud environment requirements phase will be used to determine the IP address ranges, subnets,
Firewall requirements, firewall logs and retention, etc.
Define Connectivity options
We have identified the three methods to connect to cloud environments:
ISP/Internet – This will be the primary method of connecting to the cloud and will be used for Cloud Administ ration
and all hosted Web Applications and services in the Cloud. This requires that our ISP/Internet connectivity is robust ,
secure and reliable at all times.
IPsec VPN – This will be used for back end connections to data and databases hosted in the clou d, non-public
applications hosted in the cloud that require dedicated/sustained bandwidth and cloud administration activities that
require dedicated bandwidth. Since this also uses internet bandwidth, reliability of our ISP connections is paramount.
Bonded Connection – This will be used for secure, private connections to the cloud environment where connectivity
and bandwidth are mission critical. This is a more expensive option and should be utilized judiciously where there
cannot be any compromise in the reliability, security and performance of the connection.
Additional information about the connection types to the cloud are detailed in Appendix E.
Define Cloud Security requirements
Security is a shared responsibility between Oakland County and the Service Provider. This applies to both SaaS and
PaaS/IaaS deployment models. A high-level overview of the responsibilities is indicated in Figure 6.
Even though the infrastructure provided by Public, Community and Hybrid IaaS and PaaS service providers is shared
between multiple customers, security and isolation is provisioned by virtual networks for each customer. This
guarantees the security of customer data within the virtual networ k.
This phase will identify and enforce the security requirements and standards in the cloud.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 14 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
Figure 6: Cloud Security responsibilities
Create Reference Architecture
Once all the requirements are gathered, a reference architecture can be created for applications and services that
will be hosted on the Cloud Architecture. This architecture will include options for high -availability, redundancy and
DR and will be tested out with the pilot application deployments.
Applications assessment and readiness
Oakland County’s existing application portfolio should be evaluated to determine next steps in migrating to the cloud.
We have identified the following paths each application can take as shown in Figure 7. We will evaluate solutions to
manually migrate or automate migrations using third-party products.
Figure 7: Application Migration Paths
Re-Host (Lift and Shift) – This type of migration will be simplest, where the application can be moved to a cloud
environment without any changes to the infrastructure or services in the cloud or any changes to the application
code.
Refactor (Re-Architect/Decouple) – This is the most complex of migrations where the applications and the
infrastructure will have to be modified. A few modules of the application might need to be rewritten to accommodate
the migration to the cloud.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 15 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
Re-Platform (Lift and Re-Shape) – This type migration requires a change to the infrastructure or platform the
application is hosted on. For example, we might have to use a different data storage for file systems on the cloud
platform. Migrations can be achieved
Replace (Drop and Shop) – This type of migration will replace the existing application with a SaaS application or a
COTS application that can be hosted in the cloud.
Retire – These applications are slated for retirement and do not need to be migrated.
Retain – These applications will not be moving to the cloud. There could be various reasons that can affect this
decision some of which could be the complexity of the application, integration, or security and compliance.
These migration paths are explained in more detail in Figure 8.
Figure 8: Application Migration Routes
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 16 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
Figure 9 shows the decision tree for new application initiatives at Oakland County. We should look at SaaS and cloud
based deployments before making the decision to host the application on -premises.
Figure 9: New Application decision tree
Select Pilot Applications
Once the applications analysis and cloud readiness is complete, a list of applications will be selected for pilot
migrations. These applications will be selected based on distinct criteria like .Net applicat ions, Java applications,
COTS, applications that require high-availability, applications that require auto-scaling, etc.
7. Build and Pilot
Create base (minimum) Cloud Architecture
This will be the phase where we implement the Cloud Environment where and when needed based on the
requirements identified in the phase above. At the end of this phase, we aspire to have one functional IaaS based
cloud network with IPsec VPN connectivity which meet the overall environment and network requirements. The cloud
environment will be scripted so that it can be used to create similar environments within the same service provider.
We will also identify any additional solutions required to satisfy the requirements.
Migrate Pilot applications
This phase will migrate the pilot applications that were identified in the prior steps and will utilize the cloud
architecture that has been built. This will provide us with the experience to effectively migrate the rest of the
applications and also the benchmarks on estimates and effort to do so.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 17 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
8. Application Migrations
Once all the phases of the previous steps are complete, we can start with migrating the applications based on the
established priorities. This may be accomplished by a migration tool or a manual process.
The high level components of migrating applications to the cloud are shown in Figure 10. Based on the amount of
data that needs to be uploaded to the cloud, we have to employ a different method (one of which is manually
shipping the data to the service provider).
Figure 10: Application migration phases
9. Operational Integration and Environment Optimization
As we migrate toward our cloud first mindset, the Pilot Team will be leveraging tools for streamlined integration and
environment optimization. The Pilot Team will partner with the Architecture Team on the implementation and use of
an API integration standard as well as tools to highlight environment performance and tuning. The application
readiness assessment will be a direct input into how we start our Cloud moves, which will help in the overall
environment optimization.
10. Define EA Policies
The Architecture Team will be defining the standards and policies for Cloud use. These standards and policies will
evolve and be refreshed over time. It is imperative to leverage the Technical Design Review Process to ensure
alignment with our standards.
11. Cost/Billing Analysis & Management
Cloud is a true pay as you go expense. It is critical to manage and control the cost structure of the environment. A
finely tuned and optimized environment is critical to the fiscal success of Cloud. This phase will create the process of
how the governance team will ensure proper cloud sizing. The results of this analysis will be reported to IT Steering.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 18 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
APPENDICES
Appendix A - Abbreviations and Acronyms
• OC – Oakland County
• OCIT – Oakland County Information Technology
• SaaS – Software as a Service
• PaaS – Platform as a Service
• IaaS – Infrastructure as a Service
Appendix B - Existing Cloud Application deployments
SaaS – O365, ArcGIS Online, Security Mentor, Forms Assembly, Kronos, Salesforce, SurveyMonkey, Basecamp, and
Google services.
PaaS – Azure Mobile Services, Azure Media Services, SharePoint Online
IaaS – Compute, Storage, Network, Load Balancing, etc. in AWS
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 19 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
Appendix C - Systems/Applications Migrations and considerations
To effectively move applications to a Cloud IaaS/PaaS, we have to identify all the integrations and their endpoints.
These integrations will determine the level of complexity in migrating the applications and the processes used to
share information.
Here is a template to identify the integrations for applications with examples of possible values:
Endpoint Examples: • SQL Server DB • Oracle DB • Web Service • API • Flat Files • Web Page • Application
What Format is used for the data exchange? Examples: • JSON • XML • TXT • CSV • N/A
Which Protocol/Port is used for communication? Examples: • HTTP/80 • HTTPS/443 • TCP/1433
Which application/process is accessing the Endpoint? Examples: • Batch process • Web application • Thick client application
Who is accessing the Endpoint? Examples: • OC user in AD • External user in AD • Anonymous
Is the Endpoint the source or destination for the data? Examples: • Source • Destination
Based on high-level analysis, here is a list of systems/applications that are possible candidates for migrating to a
cloud platform:
Enterprise GIS
Health and Human Services Communications portal
COTS applications, with no integrations
Etc.
Migrations of these applications could impact licensing for WebSphere, Oracle, etc.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 20 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
Appendix D - AWS vs. Azure for IaaS and PaaS
Both AWS and Microsoft Azure offer similar capabilities to some degree, along the lines of compute, storage and
networking. They share the common elements of a public cloud: self -service and instant provisioning, auto-scaling,
security, compliance and management features. Both companies also continually invest in meeting demand for new
cloud services. As indicated in Figure A1, AWS and Azure are the leaders in the Gartner Magic Quadrant for IaaS in
August 2016.
Figure A1: Gartner Magic Quadrant for IaaS
Amazon Web Services (AWS)
Amazon Web Services (AWS), a subsidiary of Amazon.com, is a cloud -focused service provider with a very pure
vision of highly automated, cost-effective IT capabilities, delivered in a flexible, on -demand manner.
Officially launched in 2006, it is the most mature Cloud Computing service provider and has the more customers and
adoption than any other provider. AWS now has more than 70 services that span a wide range including compute,
storage, networking, database, analytics, application services, deployment, management, mobile, developer tools
and tools for the Internet of things.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 21 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
Although SDKs are available for many languages, the more popular programming languages are Python & Java.
Pros:
• AWS has a diverse customer base and the broadest range of use cases, including enterprise and mission -critical applications.
• It is the overwhelming market share leader, with over 10 times more cloud IaaS compute capacity in use than the aggregate total of the other 14 providers in this Magic Quadrant.
• AWS offers the cheapest pricing for compute and storage, and continually competes with other service providers from a cost perspective.
• Everything in AWS can be scripted. This is a big step in provisioning I nfrastructure as Code, which will help with the speed and agility in provisioning a re-provisioning infrastructure.
• Being the market leader has enabled it to attract a very large technology partner ecosystem that includes software vendors that have licensed and packaged their software to run on AWS, as well as many vendors that have integrated their software with AWS capabilities.
• It also has an extensive network of partners that provide application development expertise, managed services, and professional services such as data center migration.
• AWS is a thought leader; it is extraordinarily innovative, exceptionally agile, and very responsive to the market.
• It has the richest array of IaaS features and PaaS-like capabilities. It continues to rapidly expand its service offerings and offer higher-level solutions.
• It is the provider most commonly chosen for strategic adoption. • It is the most stable of the all the cloud providers in terms of availability and reliability.
Cons:
• While AWS works very well with Windows based systems and solutions, it does not offer ready to use platforms and tools for Windows based systems.
• AWS does not offer a PaaS solution for IIS, which hosts .Net applications.
• The learning curve is may be higher for Microsoft centric organizations.
• AWS pricing is per hour, rounded up.
• Amazon EC2 (Virtual Machines) have a shorter lifespan than traditional on -premises virtual servers. Amazon forces its customers to migrate to a newer version of the VM to stay on the latest technology.
Azure
Azure is Microsoft's cloud platform and is open across multiple frameworks, languages, and tools. It is fully scalable,
localized in that it is hosted globally in many datacenters, and has widespread capabilities.
Although SDKs are available for many languages, the more popular programming languages are PowerShell & .Net.
Pros:
• Azure is the more popular choice for Microsoft's corporate customers as it is designed to work hand in hand with other Microsoft products.
• Oakland County can leverage the Microsoft EA agreement for licensing in Azure.
• Smaller learning curve for Microsoft shops.
• Azure pricing is per minute, rounded up.
• Azure is the second most adopted platform for IaaS and PaaS according to Gartner.
• Very easy to integrate and deploy .Net applications with Azure PaaS offerings.
• It is integrated with Visual Studio, which makes development and deployments to Azure much simpler.
• SQL Server 2016 has deeper integration with Azure.
Cons:
• Does not offer all the features of AWS.
• Microsoft’s long-term roadmap for Azure isn’t very visible. The portal and design of the services has drastically changed in the past few years, which can lead to confusion. The programming model has also changed and evolved in the recent past to make it more flexible, which resulted in a change in the code.
• Microsoft is not the innovator in this field.
• Azure Virtual Servers have a shorter lifespan than traditional on -premises virtual servers. Azure forces its customers to migrate to a newer version of the VM.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 22 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
Appendix E - Cloud Connectivity Options
ISP/Internet IPsec VPN Bonded Connection SD-WAN
Target Usage This will be used for
Cloud Administration
and all hosted Web
Applications and
services in the Cloud.
This will be used for
back end connections to
data hosted in the cloud,
non-public applications
hosted in the cloud that
require
dedicated/sustained
bandwidth and cloud
administration activities
that require dedicated
bandwidth.
This will be used for
secure, private
connections to the
cloud environment
where connectivity
and bandwidth are
mission critical.
This will be used for
secure private
connections to the
cloud environments
where reliability,
redundancy,
connectivity and
bandwidth are
mission critical. This
will also help
prioritizing and
managing the cloud
bandwidth.
Current State Redundant ISP
connections in
Waterford and Troy
Connection to AWS
implemented with a
router. Connection to the
Mainframe will also be
implemented with this
router.
All connections terminate
on the external firewall.
N/A N/A
HA Yes Yes Needs to be designed Needs to be
designed
Current
Bandwidth
500MB (250MB to
Waterford, 250MB to
Troy)
Uses Internet bandwidth
500MB (250MB to
Waterford, 250MB to
Troy)
Bandwidth to be sized
and implemented by
UC-Vmail
Uses Internet
bandwidth. This
option can combine
bandwidth available
from ISPs and
Bonded connections
to create a
redundant pipe to
the cloud.
Current Usage 300MB 300MB of internet
bandwidth is currently
used. We have to
analyze how much of this
is VPN traffic.
N/A N/A
Planned Future
Bandwidth
1GB (500MB to
Waterford and 500MB
to Troy)
1GB (500MB to
Waterford and 500MB to
Troy)
TBD TBD
Future State No changes planned. Since this will be the
primary connection path
for external connections,
The voicemail project
will implement a
session border
The voicemail
project will create
and execute an RFP
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 23 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
we need a project to
build an environment to
meet our needs. We
need an appliance for
intelligent routing to the
external and internal
firewalls. External
firewalls will be used for
client to server
connections and
administration
connections. Internal
firewalls will be used for
server to server and
cloud connections.
Traffic prioritization and
guaranteed bandwidth
rules need to be
formalized.
controller that will be
the enforcement
mechanism for voice
and voicemail.
Data efforts that
require a bonded
connection will follow
the standards like IP
SEC - a future project
will be needed to
implement this when/if
it is needed
This connection type
will only be used for
situations that require:
• Guaranteed
bandwidth
• No jitter or noise
• Low latency
to select a SD-WAN
provider and
implement policies
to manage this
connection.
Traffic prioritization
and guaranteed
bandwidth rules
need to be
formalized.
Environment
Changes
Any change in the
environment must
ensure adequate
bandwidth and
performance to
maintain cloud needs.
Any change in the
environment must ensure
adequate bandwidth and
performance to maintain
cloud needs.
Any change in the
environment must
ensure adequate
bandwidth and
performance to
maintain cloud needs.
Any change in the
environment must
ensure adequate
bandwidth and
performance to
maintain cloud
needs.
Monitoring and
Performance
We need monitoring
of what is being used,
peak requirements
and how to blend
demand
We need monitoring of
what is being used, peak
requirements and how to
blend demand. We need
prioritization, dedicated
bandwidth and throttling
to ensure performance.
We need to monitor
quality of service,
usage and burst. This
will drive bandwidth
subscription changes.
This solution
provides feedback
of usage and
performance, which
should help up
priorotize and
manage babdwidth
and throttling to
ensure optimal
performance.
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 24 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
Appendix F - Cloud First Considerations
In addition to the high level decision flow, the Architecture Team will be leveraging a best practices Gartner model to
drive the correct cloud decision. Here are some of the key criteria when looking at Cloud First Deployments.
Criteria Considerations
Initiative and Mode • Focus of the effort (Rapid Innovation, Application Process, Infrastructure)
• Mode of development (Traditional vs. Agile/Uncertain)
Business Outcomes and
Financials
• Priority of the effort (Financial, Flexibility or Other )
• Impact of user demand on cost model
Business Processes and
Information Affected
• Current Cloud Usage by the area/domain
• Dependencies on business processes affected and where the processed
reside
• Data Sensitivity and privacy
Application Suitability • Is it a Cloud Ready Application or a lift and shift application?
• Is the application legacy or new and what is the complexity of the
application?
• What is the level of integration with other applications?
Operational Impact • What are the support/management needs of the application?
• What environments are required?
• Alignment to the Architectural, Security, Operational and Application
Development standards of the County?
Skills and Capabilities • Level of technical skills required?
• Availability of the skills in the market.
Agility • Are the processes and functions mission critical, business critical or other?
• Presence of APIs?
• Level of third party support for additional services?
Compliance • Type of data
• Applicable laws and legal mandates for this data
• Level of the provider's experience in this space
Security • Level of security controls required
• Contract clauses for security
• Level of provider's experience in this space
• Encryption?
Availability • How is data stored (unique, primary, replicated)?
• Data availability requirements
• SLAs defined and mechanisms to measure compliance
Provider Specific Risks • Vendor viability
• Contingency and exit plan
Licensing • Is the application serving G2G customers?
Prepared by Shukur Mohammad, James Taylor, EJ Widun
Revised 4/10/2019 6:21:00 PM Page 25 of 25
CONFIDENTIAL – NOT SUBJECT TO FOIA
• Does OC own licensing required for this application?
REFERENCES • Reference Architecture – https://en.wikipedia.org/wiki/Reference_architecture
LINKS ▪ AWS Regions and Services – https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/
▪ AWS CJIS Compliance - https://aws.amazon.com/compliance/cjis/
▪ Azure Regions and Services – https://azure.microsoft.com/en-us/regions/#services
▪ Azure Compliance – https://www.microsoft.com/en-us/trustcenter/Compliance