mexico city wwps summit assets... · 2020-03-23 · “cloud first” policy • philippines. the...

MEXICO CITY


Post on 16-Jul-2020


TRANSCRIPT

Page 1: MEXICO CITY WWPS Summit Assets... · 2020-03-23 · “Cloud First” policy • Philippines. The Philippine government announced its “Cloud First” policy in January 2017. •

MEXICO CITY

Page 2:

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

MGMT101

Get Started Today with Cloud Ready Contracts

Juan Camilo Castro Salcedo

Capture Manager LATAM

Page 3:

Agenda

Introduction

5 recommended practices in acquiring the cloud

Acquisition mechanisms for cloud services

Regulatory barriers: protecting data and security

Questions

Page 4:

• Cloud computing and the difference with traditional computing

• Global infrastructure

Page 5:

cloud computing

Page 6:

Introduction – Differences with traditional infrastructure

Traditional infrastructure: equipment; resources and management; contracts; cost

AWS Cloud:

• No entrance fees. Pay only for what you use.

• Better time to go to market and more agility

• Ascending and descending scaling

• Self-service infrastructure

Page 7:

Introduction – Size does matter

Customers use standardized cloud services as if they were building blocks

• 69 availability zones distributed in 22 geographical regions

• Plans announced to create 13 more zones in 5 additional regions in Indonesia, Italy, Spain, South Africa and Japan

• 200 edge locations

Page 8:

Introduction – Size does matter

For AWS, each region consists of several geographically distributed availability zones

Page 9:

“Cloud First” policy

• Philippines. The Philippine government announced its “Cloud First” policy in January 2017.

• United Kingdom. The UK government introduced its “Cloud First” policy, for which it implemented a whole strategy of specialized supply and purchase networks (G-Cloud).

• Australia. The Australian Cloud Computing Policy (2014) “urges public entities to aim to promote greater acceptance of cloud services by federal government agencies” by adopting a “Cloud First” approach.

• Colombia. The Government of Colombia instituted its “Cloud First” policy within the National Development Plan of the current government (Law 1955 of 2019).

• Chile. Chile has had an institutionalized “Cloud First” policy since 2017.

• Costa Rica. The government issued Guideline No. 46-H-MICITT of 2013, which asks agencies to favor cloud services where possible.

• Argentina. At the beginning of 2018, ONTI established a preference for using cloud over other technologies in its catalogs of IT projects.

Page 10:

in acquiring the cloud

Page 11:

1. Performance-based requirements

• When cloud services are acquired, the appropriate questions must be asked to get the best solutions

• The requirements should focus on application performance... instead of establishing what hardware, infrastructure or methods

• The CSP is the owner of the hardware connected to the network that is necessary to provide the services in the cloud, and is the party in charge of its maintenance

• It is not necessary to include regulatory requirements that specify how the underlying infrastructure environment should be

Page 12:

1. Performance-based requirements

• As physical resources are not acquired in cloud-based models, many traditional requirements used in the purchase of data centers are not applicable:

  • TIER (III, IV, etc.)

  • SPECint

  • Hardware specs

  • Data center visits

Page 13:

2. Direct and indirect contracting and purchasing mechanisms

• Many CSPs have an online agreement that only needs to be clicked to start using cloud services

Direct purchase from a CSP

Indirect purchase from a distributor or partner of a CSP

Page 14:

2. Direct and indirect contracting and purchasing mechanisms

• Acquiring a cloud infrastructure is not the same as hiring (if necessary) labor to use that infrastructure

A cloud provider is not the same as a systems integrator or a managed service provider

Page 15:

3. Prices

• If public sector customers want to hire cloud services that take into account demand fluctuation, they need a contract that allows them to pay for these services as they are used

Page 16:

3. Local Capacity Planning

[Chart: computing capacity of local IT on a 0% to 100% scale, divided into IT capacity used and idle capacity]

According to studies by Gartner, McKinsey and the Uptime Institute, the average utilization rate of the typical data center is less than 50%.

www.uptimeinstitute.org

anthesisgroup.com/wp-content/uploads/2014/08/Data-Center-Issue-Paper-final826.pdf

www.nytimes.com/2012/09/23/technology/data-centers-waste-vast-amounts-of-energy-belying-industry-image.html

The common local computing environment is greatly underused

Page 17:

3. Why are local environments underused?

[Charts: three usage patterns, each with its peak marked: part time; fluctuating / with peaks; cyclic]

Part of it is due to purchases that consider the requirements of “peak loads”, and because the infrastructure is not flexible

Page 18:

3. Why are local environments created for peak moments?

[Chart: use over time against an initial fixed capacity, with the annotations below]

• Unused capacity = Wasted USD

• Inactivity time, loss of clients, loss of income (impossible to measure)

• More wasted USD

• Capacity increased again

• New purchase after "Don't let it happen again".

• Still more wasted USD

Page 19:

3. Less excess supply thanks to elasticity

Auto Scaling allows you to:

• React dynamically to changes in load

• Schedule periodic workloads

• Optimize the use of instances

• Reduce excess provisioning

Page 20:

3. Prices. Recommendations

• The rules governing traditional purchases do not fit well with the public service or pay-per-use model that prevails in the commercial computer market

• Transparency: CSP prices must be clear and publicly available

• Variable Prices: A cloud service acquisition model must be flexible enough to allow cloud prices to fluctuate at market rates.

• Various Pricing Models: By allowing CSPs to offer different pricing models, organizations can evaluate each CSP's pricing model in light of their own IT needs

• Payment model for use of "public service" type: The best thing for resource and utilization metrics is to incorporate a pay-as-you-go "public service" model, where at the end of each month you only pay for what has been consumed

Page 21:

4. Security and guarantee / audit

[Diagram: Infrastructure as a Service (IaaS); Container Services – Platform as a Service (PaaS); Abstracted Services – Software as a Service (SaaS). Labels: focused customer responsibility; AWS responsibility grows]

Page 22:

4. Security and guarantee / audit

• Data Privacy

  • Public sector clients must maintain absolute control over the data, as well as their ownership

  • They should be able to choose the location or geographic locations where they want to store the data

  • CSPs must give customers the ability to decide how they want to save, manage and encrypt data

  • CSPs must also provide documentation detailing how public sector customers can use the cloud services to meet specific protection, compliance, audit and control requirements

Page 23:

4. Security and guarantee / audit

• Certifications and independent accreditations

• Numerous security frameworks, best practices, audit standards and standardized controls can be cited in the specifications of the cloud; for example:

  • Federal Risk and Authorization Management Program (FedRAMP)

  • Service Organization Controls (SOC)

  • Payment Card Industry Data Security Standard (PCI DSS)

  • International Organization for Standardization (ISO) 27001, ISO 27017, ISO 27108, ISO 9001

Page 24:

4. Security and guarantee / audit

Page 25:

5. Terms and Conditions

• Cloud computing must be acquired as a service, not from the perspective of buying / selling a product.

• You are not acquiring IT infrastructure, you are using services from that infrastructure.

• In general, commercial services, such as cloud computing, work the same for all customers, whether private or public.

• When cloud services are purchased, terms and conditions that are specific to physical IT infrastructure acquisitions should be excluded

• Service levels should be those that are individualized by service

Page 26:

Page 27:

Particular Considerations

Demand Aggregation

Page 28:

Particular Considerations

What are Framework Contracts?

• Framework Contracts are a contracting strategy based on an agreement of wills that an agency or entity establishes with one or more possible suppliers.

• Through them, the technical and quality specifications, scope, prices and conditions that will regulate the acquisition or lease of movable property, or the provision of services, are established.

• Subsequently, agencies or entities formalize them through purchase orders.

Page 29:

Particular Considerations

Benefits of the Framework Contract

• Framework contracts save time and costs in goods supply processes, since they avoid the need to renegotiate standard terms and conditions

• Standardization of goods and services for the Public Sector.

• Access to more competitive purchase prices.

• More convenient delivery times.

• Decrease in inventory costs

• Elimination of unnecessary stages in the supply chain

• Redistribution of resources

• Savings in total purchase costs

• Just-in-time shopping

Page 30:

Evolution of Framework Contracts

Page 31:

Evolution of Framework Contracts

Page 32:

Different Models

Chile Purchases

General information; proposal; rating format; guarantee; confidential handling of the proposal until adjudication; payment currency; availability level; experience and certifications

Table columns: STAGE, CRITERIA, WEIGHTING

• ECONOMIC STAGE. ECONOMIC: PRICE RANKING

• TECHNICAL STAGE. TECHNICAL: LEVEL OF AVAILABILITY; EXPERIENCE; CERTIFICATIONS

• SUSTAINABLE: SUSTAINABILITY

• ADMINISTRATIVE: FORMAL REQUIREMENT COMPLIANCE

Table columns: AVAILABILITY LEVEL, SCORE

• Less than 99,5%: Inadmissible

• At least 99,5%

• At least 99,671%

• At least 99,741%

• At least 99.982%

• At least 99,995%

For a correct weighting, one must work with the institution

The availability of each service should be measured and the proposed architecture in each case must be weighted

Page 33:

Different Models

ONTI Argentina

Page 34:

Different Models

G-Cloud in UK

Page 35:

Different Models

Colombia Efficient Purchase

PRIMARY OPERATION

• Publication of the draft tender documents

• Comments on the drafts of the process

• Response to comments / publication of the final tender documents

• Comments on the final tender documents

• Response to comments / publication of addenda

• Submission of bids

• Evaluation of bids. Economic, organizational and technical criteria. Evaluation of economic and technical criteria by CSP

• Award

• Signing of the contract

• Loading of the catalog into the TVEC (Tienda Virtual del Estado Colombiano)

• Start of operation of the AMPNP3

SECONDARY OPERATION

• Identification of the need by the Entity

• The Entity fills out an RFI detailing its need

• The Entity and the partners exchange information to clarify the need

• Pre-sales: rounds of information exchange. Only the partners that consider the opportunity relevant respond to the RFI. The RFI does not include prices. It serves only to assess the most suitable solution

• The Entity receives the responses to the RFI and decides which lot (CSP) it will use. The decision criteria are the Entity's own. They should use the architecture framework and the cloud computing guide as criteria

• The Entity publishes an RFQ addressed to the selected lot

• The partners of the lot respond to the RFQ. Reverse auction

• The purchase order (OC) is awarded to the lowest-priced proposal

Legend: SECOP II; TVEC; SIN SISTEMA (no system)

Page 36:

Page 37:

What does a “cloud first” policy imply?

In order to achieve adequate adoption of the cloud, legislation must provide for a “cloud first” policy, which must contemplate:

• The establishment of a modernization strategy of all IT layers in public sector organizations.

• Faster and more cost efficient cloud adoptable digital transformation public policies (data analysis, AI/ML, etc.).

• Incentives for entities that get benefits from using cloud technologies and recognition by control entities.

• Policy designed for the implementation of hyper scalable cloud services.

Page 38:

Data Protection

Regulations normally establish the obligation that data, depending on its nature, remain in the given country or in countries whose legislation guarantees equal or superior protection; some regulations list those countries (Colombia, Argentina, GDPR, etc.).

Is your data hosted in secure environments?

- Security and control go beyond knowing where the data is: the environments must really have security parameters;

- These parameters must be evident, because the environments have all the certifications that guarantee and prove it.

Territoriality and data control; safe environment guarantee for data management; enforcement & evidence

Page 39:

Data Protection

Cloud Model

[Diagram labels: Manager / operator; Data holder; Person in charge / controller; Personal data; CSP; Client; CSP]

Page 40:

Data Protection

What a CSP should have:

Customers can validate security controls implemented within the cloud provider environment through certifications and reports including AWS Service Organization Control (SOC) 1, 2, and 3 reports, ISO 27001, 27017, and 27018 certifications, and PCI DSS compliance reports. The 27018 certification demonstrates that the cloud provider has implemented a control system that specifically addresses the protection of customer content privacy.

These reports and certifications are produced by independent third-party auditors and testify to the design and operational effectiveness of the security controls of the cloud provider

Page 41:

Data Protection

What a CSP should have

ISO 27018

ISO 27018 is a code of conduct designed to protect personal data in the cloud. It is based on the 27002 information security standard and provides implementation advice regarding the controls of the 27002 standard applicable to personally identifiable information (PII). In addition, it provides a set of additional controls and related advice to meet the protection requirements of personally identifiable information in the cloud not covered by the existing set of controls in ISO 27002.

Page 42:

Data Protection

What a CSP should have

Customers who use the services of a CSP must maintain effective control over their content within the cloud environment and must be able to:

• Determine where their content will be located, for example, the type of storage used by the CSP and the geographic location (by Region) of that storage

• Control the format, structure and security of their content, including whether it is masked, anonymized or encrypted.

• Manage other access controls, such as identity credentials, access management, permissions and security.

Page 43:

Personal Data Protection

• You choose where you want your data to be

• CSP regions are geographically isolated by design

• The data is NOT replicated to other regions and the CSP should NOT move your data unless you ask us to do so.

• The data is always yours, you decide to encrypt, move or delete it

You own YOUR information

Page 44:

Personal Data Protection

Encryption in transit

• SSL/TLS

• VPN / IPSEC

• SSH

Encryption at rest

• Objects

• Databases

• File systems

• Disks

Page 45:

Will the content be safe?

• AWS has more than 58 certifications and accreditations (+ 2,600 controls, audited annually)

• AWS offers a wide selection of tools and security features that customers can use.

• Customers can also use their own security tools and controls, including a wide variety of third-party security solutions.

• Customers are also free to design and conduct safety assessments according to their own preferences.

Page 46:

Who can access the content?

[Diagram labels: AWS Management Console/APIs; AWS Infrastructure; AWS applications; Their applications; Developers; Management; Security Employees; Clients; Partners; Identity and Access Management]

Page 47:

Thank you!

Page 48: