Mexico City WWPS Summit assets · 2020-03-23
TRANSCRIPT
MEXICO CITY
© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
MGMT 101
Get Started Today with Cloud Ready Contracts
Juan Camilo Castro Salcedo
Capture Manager LATAM
Agenda
• Introduction
• 5 recommended practices in acquiring the cloud
• Acquisition mechanisms for cloud services
• Regulatory barriers: protecting data and security
• Questions
Introduction
• Cloud computing and the difference with traditional computing
• Global infrastructure
Introduction – Differences with traditional infrastructure
Traditional infrastructure and the AWS Cloud are compared on four dimensions: equipment, resources and management, contracts, and cost. With the AWS Cloud:
• No entrance fees. Pay only for what you use.
• Better time to go to market and more agility
• Ascending and descending scaling
• Self-service infrastructure
Introduction – Size does matter
Customers use standardized cloud services as if they were building blocks.
• 69 availability zones distributed in 22 geographical regions
• Plans announced to create 13 more zones in 5 additional regions in Indonesia, Italy, Spain, South Africa and Japan
• 200 edge locations
For AWS, each region consists of several geographically distributed availability zones.
“Cloud First” policy
• Philippines. The Philippine government announced its “Cloud First” policy in January 2017.
• United Kingdom. The UK government introduced its “Cloud First” policy, for which it implemented a whole strategy of specialized supply and purchase networks (G-Cloud).
• Australia. The Australian Cloud Computing Policy (2014) “urges public entities to aim to promote greater acceptance of cloud services by federal government agencies” by adopting a “Cloud First” approach.
• Colombia. The Government of Colombia instituted its “Cloud First” policy within the National Development Plan of the current government (Law 1955 of 2019).
• Chile. Chile has had an institutionalized “Cloud First” policy since 2017.
• Costa Rica. The government issued Guideline No. 46-H-MICITT of 2013, which asks to privilege cloud services where possible.
• Argentina. At the beginning of 2018, ONTI established the preference to use cloud over other technologies in its catalogs of IT projects.
5 recommended practices in acquiring the cloud
1. Performance-based requirements
• When cloud services are acquired, the appropriate questions must be asked to get the best solutions
• The requirements should focus on application performance, instead of establishing what hardware, infrastructure or methods must be used
• The CSP owns the hardware connected to the network that is necessary to provide the services in the cloud, and is in charge of its maintenance
• It is not necessary to include regulatory requirements that specify how the underlying infrastructure environment should be
• As physical resources are not acquired in cloud-based models, many traditional requirements used in the purchase of data centers are not applicable, for example:
  • TIER (III, IV, etc.)
  • SPECint
  • Hardware specs
  • Data center visits
2. Direct and indirect contracting and purchasing mechanisms
• Many CSPs have an online agreement that only needs to be clicked to start using cloud services
• Direct purchase from a CSP
• Indirect purchase from a distributor or partner of a CSP
• Acquiring a cloud infrastructure is not the same as hiring (if necessary) labor to use that infrastructure
• A cloud provider is not the same as a systems integrator or a managed service provider
3. Prices
• If public sector customers want to hire cloud services that take into account demand fluctuation, they need a contract that allows them to pay for these services as they are used
3. Local capacity planning
[Chart: computing capacity of local IT, 0% to 100%, split into IT capacity used and idle capacity]
According to studies by Gartner, McKinsey and the Uptime Institute, the average utilization rate of the typical data center is less than 50%.
www.uptimeinstitute.org
anthesisgroup.com/wp-content/uploads/2014/08/Data-Center-Issue-Paper-final826.pdf
www.nytimes.com/2012/09/23/technology/data-centers-waste-vast-amounts-of-energy-belying-industry-image.html
The common local computing environment is greatly underused.
3. Why are local environments underused?
[Chart: use over time for three load patterns (part time, fluctuating/with peaks, cyclic), each with a peak, plotted against an initial fixed capacity]
Part of it is due to purchases that consider the requirements of “peak loads”, and because the infrastructure is not flexible.
3. Why are local environments created for peak moments?
[Chart: capacity bought versus capacity used over time]
• Unused capacity = wasted USD
• Inactivity time, loss of clients, loss of income (impossible to measure)
• Capacity increase again: more wasted USD
• New purchase after “don't let it happen again”: still more wasted USD
3. Less excess supply thanks to elasticity
Auto Scaling allows you to:
• React dynamically to changes in load
• Schedule periodic workloads
• Optimize the use of instances
• Reduce excess provisioning
3. Prices. Recommendations
• The rules governing traditional purchases do not fit well with the public service or pay-per-use model that prevails in the commercial computing market
• Transparency: CSP prices must be clear and publicly available
• Variable prices: a cloud service acquisition model must be flexible enough to allow cloud prices to fluctuate at market rates
• Various pricing models: by allowing CSPs to offer different pricing models, organizations can evaluate each CSP's pricing model in light of their own IT needs
• “Public service” type payment model for use: the best thing for resource and utilization metrics is to incorporate a pay-as-you-go “public service” model, where at the end of each month you only pay for what has been consumed
4. Security and guarantee / audit
[Diagram: shared responsibility by service model. Moving from Infrastructure as a Service (IaaS) through Container Services – Platform as a Service (PaaS) to Abstracted Services – Software as a Service (SaaS), the customer's responsibility narrows and AWS's responsibility grows]
4. Security and guarantee / audit
• Data privacy
• Public sector clients must maintain absolute control over the data, as well as their ownership
• They should be able to choose the location or geographic locations where they want to store the data
• CSPs must give customers the ability to decide how they want to save, manage and encrypt data
• CSPs must also provide documentation detailing how public sector customers can use the cloud services to meet specific protection, compliance, audit and control requirements
4. Security and guarantee / audit
• Certifications and independent accreditations
• Numerous security frameworks, best practices, audit standards and standardized controls can be cited in the specifications of the cloud; for example:
  • Federal Risk and Authorization Management Program (FedRAMP)
  • Service Organization Controls (SOC)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • International Organization for Standardization (ISO) 27001, ISO 27017, ISO 27018, ISO 9001
5. Terms and Conditions
• Cloud computing must be acquired as a service, not from the perspective of buying / selling a product.
• You are not acquiring IT infrastructure, you are using services from that infrastructure.
• In general, commercial services, such as cloud computing, work the same for all customers, whether private or public.
• When cloud services are purchased, terms and conditions that are specific to physical IT infrastructure acquisitions should be excluded.
• Service levels should be those that are individualized by service.
Particular Considerations: Demand Aggregation
What are Framework Contracts?
• Framework Contracts are a contracting strategy based on an agreement of wills that an agency or entity establishes with one or more possible suppliers,
• through which the technical and quality specifications, scope, prices and conditions that will regulate the acquisition or lease of movable property, or the provision of services, are established,
• and which dependencies or entities subsequently formalize through purchase orders.
Benefits of the Framework Contract
• Framework contracts save time and costs in supply of goods processes, since they avoid the need to renegotiate standard terms and conditions
• Standardization of goods and services for the public sector
• Access to more competitive purchase prices
• More convenient delivery times
• Decrease in inventory costs
• Elimination of unnecessary stages in the supply chain
• Redistribution of resources
• Savings in total purchase costs
• Just-in-time shopping
Evolution of Framework Contracts
Elements of the proposal: general information, proposal, rating format, guarantee, confidential handling of the proposal until adjudication, payment currency, availability level, experience and certifications.
Stages, criteria and weighting:
• Administrative stage: formal requirement compliance
• Economic stage: price ranking
• Technical stage: level of availability; experience and certifications; sustainability
Availability level and score:
• Less than 99.5%: inadmissible
• At least 99.5%, at least 99.671%, at least 99.741%, at least 99.982%, at least 99.995%: successive score bands
For a correct weighting, one must work with the institution. The availability of each service should be measured, and the proposed architecture in each case must be weighted.
Different Models: Chile Purchases
Different Models: ONTI Argentina
Different Models: G-Cloud in the UK
Different Models: Colombia Efficient Purchase
Systems used: SECOP II, TVEC, no system.
Primary operation:
• Publication of the draft tender documents
• Observations on the draft documents of the process
• Response to observations / publication of the final tender documents
• Observations on the final tender documents
• Response to observations / publication of addenda
• Submission of offers
• Evaluation of offers: economic, organizational and technical criteria. Evaluation of economic and technical criteria per CSP
• Award
• Signing of the contract
• Loading of the catalogue into the TVEC (Tienda Virtual del Estado Colombiano)
• The AMPNP3 enters into operation
Secondary operation:
• Identification of the need by the Entity
• The Entity fills out an RFI detailing its need
• The Entity and the partners exchange information to clarify the need. Pre-sales: rounds of information exchange. Only the partners that consider the opportunity relevant respond to the RFI. The RFI does not include prices; it serves only to assess the most suitable solution
• The Entity receives the responses to the RFI and decides which lot (CSP) it will use. The decision criteria are the Entity's own. They should use the architecture framework and the cloud computing guide as criteria
• The Entity publishes an RFQ addressed to the selected lot
• The partners in the lot respond to the RFQ. Reverse auction. The purchase order is awarded to the lowest-price proposal
What does a “cloud first” policy imply?
In order to achieve adequate adoption of the cloud, legislation must contemplate a “cloud first” policy, which must include:
• The establishment of a modernization strategy for all IT layers in public sector organizations.
• Faster and more cost-efficient digital transformation public policies that can adopt the cloud (data analysis, AI/ML, etc.).
• Incentives for entities that obtain benefits from using cloud technologies, and recognition by control entities.
• Policy designed for the implementation of hyper-scalable cloud services.
Data Protection
Territoriality and data control: regulations normally establish the obligation that the data, according to its nature, remains in the given country or in countries whose legislation guarantees equal or superior protection, and some list those countries (Colombia, Argentina, GDPR, etc.).
Safe environment guarantee for data management: is your data hosted in secure environments? Security and control go beyond knowing where the data is:
• the environments must really have security parameters;
• those parameters must be evident, because the provider holds all the certifications that guarantee and prove it.
Enforcement & Evidence
Data Protection – Cloud Model
[Diagram: roles in the cloud model]
• Data holder: the personal data
• CSP client: person in charge / controller
• CSP: manager / operator
Data Protection – What a CSP should have:
Customers can validate security controls implemented within the cloud provider environment through certifications and reports including AWS Service Organization Control (SOC) 1, 2, and 3 reports, ISO 27001, 27017, and 27018 certifications, and PCI DSS compliance reports. The 27018 certification demonstrates that the cloud provider has implemented a control system that specifically addresses the protection of customer content privacy.
These reports and certifications are produced by independent third-party auditors and testify to the design and operational effectiveness of the security controls of the cloud provider.
Data Protection – What a CSP should have
ISO 27018. ISO 27018 is a code of conduct designed to protect personal data in the cloud. It is based on the 27002 information security standard and provides implementation advice regarding the controls of the 27002 standard applicable to personally identifiable information (PII). In addition, it provides a set of additional controls and related advice to meet the protection requirements of personally identifiable information in the cloud not covered by the existing set of controls in ISO 27002.
Data Protection – What a CSP should have
Customers who use the services of a CSP must maintain effective control over their content within the cloud environment and must be able to:
• Determine where their content will be located, for example, the type of storage used by the CSP and the geographic location (by Region) of that storage
• Control the format, structure and security of their content, including whether it is masked, anonymized or encrypted
• Manage other access controls, such as identity credentials, access management, permissions and security
Personal Data Protection
You own YOUR information
• You choose where you want your data to be
• CSP regions are geographically isolated by design
• The data is NOT replicated to other regions, and the CSP should NOT move your data unless you ask it to do so
• The data is always yours; you decide whether to encrypt, move or delete it
Encryption in transit: SSL/TLS, VPN / IPsec, SSH
Encryption at rest: objects, databases, file systems, disks
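The three controls a customer is expected to keep (where the content lives, whether it is encrypted, and who can reach it) can be written down as enforceable policy and checked against an inventory. The following is an added example, not code from the deck or from AWS: it builds an IAM policy that denies API calls outside the chosen regions, an S3 bucket policy that rejects unencrypted uploads and plain-HTTP access, and audits a constructed bucket inventory against the same rules. The condition keys (`aws:RequestedRegion`, `aws:SecureTransport`, `s3:x-amz-server-side-encryption`) are real IAM keys; the region list, bucket names and inventory are placeholders, and no AWS SDK call is made.

```python
"""Data residency and encryption controls for a public sector tenant (added example)."""
import json

# Placeholder choice of approved regions; a real tenant fills this from its regulation.
ALLOWED_REGIONS = ["sa-east-1", "us-east-1"]


def region_lock_policy(allowed_regions):
    """IAM policy denying any regional API call outside the approved regions.
    Global services are listed in NotAction because their calls carry no region."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}},
        }],
    }


def bucket_protection_policy(bucket):
    """S3 bucket policy: deny uploads without a server-side-encryption header
    (Null condition = header absent) and deny any request not made over TLS."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"{arn}/*",
             "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


# Constructed inventory standing in for a listing call; these are not real buckets.
INVENTORY = [
    {"bucket": "entity-records", "region": "sa-east-1", "default_encryption": "aws:kms", "public": False},
    {"bucket": "entity-backups", "region": "eu-west-1", "default_encryption": "AES256", "public": False},
    {"bucket": "entity-portal-assets", "region": "us-east-1", "default_encryption": None, "public": True},
]


def audit_inventory(inventory, allowed_regions):
    """One (bucket, issue) finding per violated control: residency, encryption at rest, exposure."""
    findings = []
    for b in inventory:
        if b["region"] not in allowed_regions:
            findings.append((b["bucket"], "data outside approved regions"))
        if not b["default_encryption"]:
            findings.append((b["bucket"], "no default encryption at rest"))
        if b["public"]:
            findings.append((b["bucket"], "publicly accessible"))
    return findings


if __name__ == "__main__":
    print(json.dumps(region_lock_policy(ALLOWED_REGIONS), indent=2))
    print(json.dumps(bucket_protection_policy("entity-records"), indent=2))
    for bucket, issue in audit_inventory(INVENTORY, ALLOWED_REGIONS):
        print(f"{bucket}: {issue}")
```

The audit and the policies are deliberately the same rules in two forms: the policies stop a violation before it happens, the audit finds what was created before the policies existed. A backup bucket in an unapproved region is the residency failure the regulations on the previous slides are written to catch, and it would be invisible to a check that only looks at encryption.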
Personal Data Protection
Will the content be safe?
• AWS has more than 58 certifications and accreditations (over 2,600 controls, audited annually)
• AWS offers a wide selection of tools and security features that customers can use
• Customers can also use their own security tools and controls, including a wide variety of third-party security solutions
• Customers are also free to design and conduct security assessments according to their own preferences
Who can access the content?
[Diagram: developers, management, security, employees, clients and partners reach AWS applications and your own applications, running on AWS infrastructure, through the AWS Management Console/APIs, governed by Identity and Access Management]
Thank you!