Cloud Computing Concerns of the U.S. Government by Michael Erbschloe - HTML preview


Cloud Computing at the Veterans Administration

Cloud computing enables the sharing, storage, and accessibility of data via the Internet, rather than through individual, limited-access hard drives. It is an evolution toward the “renting” of integrated services as needed without the high risk and capital costs of development and infrastructure.

 

Scope

The adoption of cloud computing offers many benefits to Veterans, their families and dependents, VA personnel, and VA partners. Using cloud, Veterans and their families will have access to VA services on any device, anywhere, and at any time. They will experience improved mission services and capabilities, and will be able to access information seamlessly, globally, securely, cost effectively, and reliably.

 

VA has been pursuing various IT infrastructure evolution initiatives for some time. The adoption of utility cloud computing models has numerous advantages. Fundamentally, the capability supports rapid delivery of VA business capabilities. Thus, it provides agile, scalable, and reliable infrastructure needed to keep pace with an explosive growth of information and the increased variety and uses of VA’s strategic information assets.

 

VA’s efforts to this end align with the Office of Management and Budget (OMB)’s 25 Point Implementation Plan to Reform Federal Information Technology Management (December 9, 2010) and with the priority of the current VA Chief Information Officer (CIO) to adopt cloud computing to better support VA’s mission to serve Veterans and their families.

 

By definition, cloud computing is “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” (NIST SP 800-145)

 

Usage

VA has several cloud initiatives already in use that correspond to the Service Models identified above:

 

Infrastructure as a Service (IaaS) capabilities are available after implementing the Adaptive Cloud Environment (ACE). IaaS includes support for on-demand, self-service provisioning, broad network access, resource pooling, rapid elasticity, and measured service.

After expanding the internal Platform as a Service (PaaS) offerings, VA continues to investigate the viability of using external Software as a Service (SaaS) providers to deliver Email as a Service.

Additionally, externally hosted providers and cloud implementers (e.g., Terremark, Century Link) were adopted to host some of VA’s mission-critical IT systems, such as Veterans Benefits Management System (VBMS), My HealtheVet, and Customer Relationship Management Unified Desktop (CRM-UD).

 

Future Enhancements & Strategy

VA has developed an implementable enterprise cloud strategy to realize the greatest benefits of cloud computing across VA and to prevent the potential risk of diverging approaches or overlapping efforts.

 

The strategy is consistent with the CIO’s vision and aligned with VA policies. The purpose of the strategy is to deliver more responsive IT services at lower cost to the Department and to promote adoption of the following concepts:

 

“Cloud first” Policy. Systems are to use cloud computing unless specific criteria are met that demonstrate the solution is not yet cloud ready.

VA Cloud Broker and Central Cloud Consumer. An Enterprise Cloud Services Broker (ECSB) solution has been established to support business and technical governance and overall migration to cloud service. The ECSB also provides a gateway to centralized intermediation, aggregation, and arbitrage of cloud services.

Cloud Service Contract Vehicles. A contract vehicle will be established to acquire cloud services on a consumption-based model that supports elasticity and incrementally funded contracts.

Public/Community/Private Cloud Criteria. The use of FedRAMP-approved public and community cloud solutions will be allowed for systems that are classified up to Federal Information Security Modernization Act of 2014 (FISMA) Moderate, and the use of VA private cloud solutions will be promoted for FISMA High systems.

Cloud Pilots. Pilots will be conducted to support iterative implementation of the Cloud Strategy, quantify benefits using key performance indicators, and reduce potential risks. Needed changes in procedures, programs, and technical standards to accelerate cloud services migration will be instituted through a lessons-learned process.

Cloud Computing Enterprise Design Patterns. Guiding principles, best practice approaches, and constraints will be established for acquiring cloud services and incorporating them as reusable enterprise capabilities.

Enterprise Design Patterns

Enterprise Design Patterns (EDPs) are developed by the Office of Technology Strategies (TS) in coordination with internal and external subject matter experts (SME) and stakeholders. Enterprise Design Patterns are incorporated into the Design, Engineering, & Architecture (DE&A) Compliance and provide reusable, enterprise-level capabilities guidance. They provide a standardized framework of capabilities and constraining principles to aid all integrated project teams (IPT) in the development, acquisition, and/or implementation of IT systems and services. Each signed Enterprise Design Pattern is listed below by topic area.

VA Directive 6551

On March 17, 2016, the CIO and Deputy CIO for Architecture Strategy and Design signed VA Directive 6551 regarding VA Enterprise Design Patterns. This directive establishes a mandatory policy for establishing and utilizing Enterprise Design Patterns by all Department of Veterans Affairs (VA) projects developing information technology (IT) systems in accordance with the VA’s Office of Information and Technology (OI&T) integrated development and release management process, the Veteran-focused Integration Process (VIP).


Privacy and Security Enterprise Design Patterns

User Identity Authentication

This Enterprise Design Pattern describes the “to-be” state for VA internal (PIV-enabled VA employees, contractors, and volunteers) and external (business partners, veterans and others who access VA resources from outside the VA network) user identity authentication. In addition to describing the “static” rules for authentication, this document describes “adaptive” authentication tools that will be implemented and the need for authentication protocols.

 

Enterprise Secure Messaging

This Enterprise Design Pattern implements the standards and protocols required for message-level security and expounds on the message-level security standards needed to integrate the enterprise IT infrastructure and Enterprise Shared Services (ESS). It outlines the capabilities and standards achievable through the use of enterprise middleware solutions such as Enterprise Messaging Infrastructure (eMI) and XML/API Gateways.

 

Mobile Veteran Facing Applications Security

This Enterprise Design Pattern provides enterprise-level capability guidance that identifies security best practices for Veteran-facing mobile applications accessing VA IT resources. It will guide projects to implementation resources that will support detailed design specifications.

 

Non-Person Entity Security

This Enterprise Design Pattern describes the "to-be" state for VA NPE security. It describes "adaptive" authentication tools that need to be implemented and the need for authentication protocols that can support attribute- and risk-based access controls. This document will assist the VA in establishing policy and methodology related to 'user identity' propagation across all architectural tiers of system design.


Enterprise Auditing

This Enterprise Design Pattern establishes the official enterprise guideline for enterprise-wide auditing across all lines of business in accordance with Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST) 800-53 and VA 6500 security policies (see Appendix D).

 

Enterprise Authorization

This Enterprise Design Pattern identifies a centralized method for ensuring a consistent authorization process across all VA applications; identifies best practices for migrating to new authorization processes; and provides guidance on preparations required by application owners to integrate with the authorization service.

 

Cloud Security

This Enterprise Design Pattern provides a vendor-agnostic approach to cloud security by reviewing the highest risk areas first. It discusses how comprehensive monitoring through the TIC Gateways, managed encryption of sensitive data, auditing of activity in the cloud, and proper architecture design can reduce the risk of inadequate controls or incidents within a fully compliant boundary. This Design Pattern can be used to guide decisions around compliance and critical controls as they begin the process of cloud adoption.

 

Medical Device Security

This Enterprise Design Pattern defines an enterprise medical device security model that addresses all phases of the medical device lifecycle, from the assessment of procured medical devices to the disposal of the device. This model will help stakeholders meet VA security requirements for medical devices and avoid integrity and availability issues due to compromise.

 

 

 

Technology (Tech) Insights

The monthly Technology (Tech) Insights series aims to help readers make better decisions and be more informed customers by providing them with high-level overviews of technology issues that impact or will impact VA’s IT environment. These Tech Insights introduce topics in an easily digestible fashion by presenting background information on the topic, clearly explaining its importance within VA, and providing recommendations for success.

Design Thinking (May 2017)

Design thinking is the formal process of creating new, innovative ideas and solving problems. This Tech Insight provides an introduction to design followed by a history and overview of design thinking and Human-Centered Design (HCD) and explores how these concepts are being applied within VA. It also includes a supplemental toolkit overview from the VA Center for Innovation’s (VACI) “Toolkit for Human-Centered Design.”

Enterprise Design Patterns (April 2017)

An Enterprise Design Pattern (EDP) is a reusable capability guidance document that identifies best practice approaches and resources for achieving VA IT strategic objectives. This Tech Insight provides a basic explanation of the purpose of EDPs and the IT topics they address. It also provides a deeper understanding of the importance of EDPs as key components of the VA Enterprise Architecture (EA), and how VA project teams can benefit from using them.

Technology in Healthcare Recap (March 2017)

VA Telehealth Services uses health informatics, disease management, care/case management, and telehealth technologies to increase access to care and improve the health of Veterans. This Tech Insight Recap revisits three previous Tech Insights and combines their highlights to specifically address telehealth, nanomedicine, and three dimensional (3D) printing. It examines how technological updates and innovations are beneficial to healthcare.

Anatomy of a Computer (March 2017)

The computer is the pinnacle device for the evolution of modern products, like Internet of Things (IoT) and small devices. This Tech Insight introduces the basic parts of a computer and describes the more recent applications of the basic parts to small devices, IoT, and applications in healthcare. It also focuses on how VA is managing security risks associated with computers.

Big Data Analytics II (February 2017)

Big data as a concept refers to the high velocity collection of data in large volumes coming from a variety of sources, resulting in different forms of data collected with great speed in great frequency. In this second Tech Insight on the topic, we present the key steps and tools commonly used in this form of analytics and address the Department of Veterans Affairs’ (VA) actions toward improving and leveraging big data analytics capabilities.

Hackathons (January 2017)

Hackathons use brainstorming and coding sessions to stir up new ideas on a topic by creative problem solving. This Tech Insight explores how hackathons work, offers guidelines for organizing a hackathon, and presents examples of how Federal agencies are employing hackathons to drive innovation.

Source: https://www.ea.oit.va.gov/EAOIT/VA_EA/Cloud_Computing.asp