How to Move Seamlessly to a Hybrid Cloud Industry Perspective
Executive Summary
The federal government maintains one of the largest computing infrastructures in the world, with each agency traditionally responsible for building out its IT backbone as needed. Until very recently, the only reliable method available to support federal operations was to invest heavily in data centers, taking on the burden and expenses of maintaining those facilities. But ensuring data centers are physically secure while continuously refreshing their information technology systems is time-consuming and expensive. For the federal government, simply maintaining its aging data centers is almost completely draining its IT budget. According to the Government Accountability Office (GAO), about 75 percent of the total amount budgeted for IT in 2016 was spent on operations and maintenance. And those costs continue to grow, in large part because of the burden of maintaining aging hardware in federal data centers. With so much being spent on maintenance, there is little left to modernize and develop federal infrastructure to accommodate advances in technology.
Federal agencies don’t want to be in the data center business, nor do they want the burden of legacy systems that inhibit business operations or the delivery of citizen services. The ideal solution is to move operations to a federal hybrid cloud. A hybrid cloud is a combination of public cloud offerings, private cloud and on-premises technologies connected by a layer of orchestration or automation allowing for data loads to be moved to match agency needs.
While the hybrid cloud provides a unique solution and capabilities for agencies, it is not without its challenges. To best understand why moving to a hybrid cloud is the solution for federal agencies and how to overcome associated obstacles, GovLoop partnered with Swish, NetApp and Varonis, leaders in hybrid cloud technology and adoption, for this industry perspective.
In the following pages, we’ll discuss the benefits of a hybrid cloud, strategies for advancing into it and how to overcome roadblocks along the way.
The Best of Both Worlds: Federal Hybrid Clouds
There are a variety of cloud service offerings today, including community, private, public or a hybrid mixture of both private on-premises and public clouds to accommodate the workloads, security and management requirements of each federal agency. Most agencies are probably going to want to deploy a hybrid solution that keeps certain applications installed on-premises while moving more flexible applications to the cloud to save on hardware costs and maintenance fees.
A hybrid cloud is comprised of any combination of public cloud offerings, private clouds and on-premises technologies connected by a layer of orchestration or automation allowing for data loads to be moved to match needs. They are highly efficient because with a hybrid cloud, it’s possible to house mission-critical or secure workloads in existing data centers or internally on private clouds, while offloading less critical applications like test environments or public-facing informational websites to a third-party cloud service.
The key is working with an integrator that knows how to organize distinct parts of an agency’s infrastructure for optimal hybrid cloud deployment, and one that has the tools to streamline the maintenance and security of the hybrid cloud once created. Finally, plans need to be put in place to prevent common cloud problems, such as a vast increase in management burdens as the number of enterprise file shares grows over time.
Preparing to Advance into a Hybrid Cloud
The experts at Swish have spearheaded many advances into hybrid clouds for both public-sector and private organizations, shepherding extremely complex datasets, applications and information into optimal placements, linked by a robust orchestration layer to tie it all together.
“Once you get into a working, hybrid cloud, the management is not too difficult,” said Joe Bailey, Senior Solutions Architect at Swish. “It’s the transition that is the most difficult. One of the things that we recommend, and do for each of our customers, is a systemic inventory of everything in their environment. We map out exactly what can move to the cloud and what should stay in place, and then help to design the migration as well as new service-level agreements (SLAs) and processes to support the new environment – all before we ever move any pieces of data.”
Just like every federal agency has distinct needs and requirements, every hybrid cloud deployment is going to be a little bit different. The goal is always going to be moving as many applications and datasets to the cloud as possible, but only when doing so makes sense from a performance, fiscal and security perspective. For example, some agencies are required to maintain certain financial or communication records for a number of years. To meet that obligation, moving static data that must be maintained, but which will probably never be accessed, into any type of cloud is going to waste resources. Instead, it might make more sense to move those records to less expensive disk storage, or even tape backups. But it’s that level of planning that is required before any part of the enterprise transitions to a hybrid cloud.
Additionally, a hybrid deployment is an opportunity to consolidate the data and storage containers across the enterprise, something that can and should be built into agency-vendor SLAs. Gartner estimates that over 80 percent of data in most organizations resides in file shares, folders, file servers or Network Attached Storage (NAS) devices throughout the enterprise. As organizations grow, this can lead to management challenges as permission tracking becomes extremely difficult. Part of the systematic inventory conducted by integrators like Swish involves tracking, consolidating and taming that data. Specifically, all data should go through the following processes as part of deployment planning:
• The owners of all data should be identified;
• Locations of data within the enterprise should be carefully mapped;
• New storage containers should be built to consolidate and house data within the new hybrid cloud;
• All storage containers should be protected with highly controlled access and continual monitoring;
• And rules should be put in place so that new data goes into the proper containers to prevent a reemergence of sprawl.
By following these steps, not only can hybrid clouds be deployed efficiently, but all enterprise data can be consolidated and optimized for maximum performance and security in the new environment.
Solving the ‘Everyone’ Problem at the Republic of Ireland’s Marine Institute
While not a specific hybrid cloud problem, the “everyone” situation crops up almost everywhere, and is a leading cause of data loss, data spillage and even theft. Adding cloud to the mix further complicates the issue. As such, planning for a move to a hybrid cloud presents a perfect opportunity to remove this insidious problem from your federal agency.
The everyone problem begins innocently enough when administrators set up file systems or shared drives where some of the folders are left wide open, or given to data owners to manage. Other folders may be locked down with access permissions given to certain groups, such as financial data only accessible by the accounting group. At first, the permissions are set correctly and there are few security or data spillage vulnerabilities.
Networks, however, are not static creations. They evolve and grow, as does the user pool. Over time, people leave an organization but may not have their access rescinded. Users also move or copy protected files into unsecure areas for convenience, which are often forgotten about once the work is complete. Users can even create folders for their personal use or the use of their group, without realizing that permissions are often automatically set by Windows or SharePoint to allow anyone access. Unchecked, this everyone problem creeps into existence everywhere, growing to the point where it’s all but impossible to restore complete security to the file system.
That was the exact situation being faced by the Republic of Ireland’s Marine Institute, the country’s national agency responsible for marine research, technology development and innovation. With 182 employees of varying levels of technical and work experience from interns to visiting professors to contractors, plus a growing infrastructure and limited IT support staff, the environment was ripe for the everyone problem to grow.
Like in most organizations, if admins needed to check the permissions of a particular folder, they would look at the security attributes within the file share; however, due to broken inheritance within the directory structure, subfolders often contained different attributes. And, under deadline pressure, even admins occasionally granted short-term, unrestricted access to users as needed, but didn’t always go back and restore security settings afterward. The Marine Institute needed a way to ensure that its users only had access to the data they were authorized to use, and at the correct permission level. Instead of trying to use brute force to disenfranchise valid users across the network, or spending thousands of hours manually restoring security to every folder and file share, the Marine Institute employed a specifically engineered suite of tools from Varonis. With the Varonis tools, the institute could list every folder and site within its network, highlighting each one configured for global access that was contributing to the everyone problem. Users who access data were also cataloged so that their authorizations and permission levels could be verified. From there, file permission rules were rewritten to allow authorized users to have continued access to allowed data, while restricting everyone else. The Varonis tools enabled all of this to happen without disrupting production or work at the Marine Institute, and in priority order, so the most dangerous loopholes were closed first. Proper users never lost access to their folders or work, and the entire process was controlled from a single interface. Once fixed, the Varonis tools continue to monitor files and datasets to ensure the everyone problem never returns. That is why the experts at Swish recommend and use the Varonis toolset to audit and fix any and all permissions problems for customers before they move to a hybrid cloud, and to make sure it won’t become an issue in the new configuration.
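The kind of audit described above (list every folder, flag those open to global groups, note where inheritance is broken) can be sketched with built-in Windows cmdlets. This is an added example, not code from this report or from the Varonis product; the share path is a placeholder and the priority ranking is an assumption made for illustration.

```powershell
# Added example: read-only audit of folder ACLs for the "everyone" problem.
# The share path and the priority ranking below are assumptions.
$Root = '\\fileserver\share'   # placeholder UNC path

# Well-known SIDs of broad groups; matching on SIDs avoids localized names.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal change or delete data or permissions,
# plus the raw GENERIC_WRITE and GENERIC_ALL bits (0x50000000).
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-BroadAccessFinding {
    param([Parameter(Mandatory)][string]$Path)

    # The root folder itself plus every subfolder beneath it.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        try   { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { Write-Warning "ACL unreadable: $($dir.FullName)"; continue }

        # Explicit and inherited rules, with identities returned as SIDs.
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -ne 'Allow' -or -not $BroadSids.ContainsKey($sid)) { continue }

            $canWrite = ([int]$rule.FileSystemRights -band $WriteMask) -ne 0
            [pscustomobject]@{
                # 1 = broad group can modify, 2 = explicit broad read, 3 = inherited broad read
                Priority          = if ($canWrite) { 1 } elseif (-not $rule.IsInherited) { 2 } else { 3 }
                Path              = $dir.FullName
                Group             = $BroadSids[$sid]
                Rights            = $rule.FileSystemRights
                Explicit          = -not $rule.IsInherited
                # True when the folder no longer inherits from its parent
                InheritanceBroken = $acl.AreAccessRulesProtected
            }
        }
    }
}

Get-BroadAccessFinding -Path $Root | Sort-Object Priority, Path | Format-Table -AutoSize
```

The script only reads ACLs; changing permissions is left to a reviewed process so that authorized users keep their access.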
The Tools of the Hybrid Cloud: NetApp and Varonis
There are assorted options for hardware and software to support hybrid cloud infrastructures, but agencies with mission-critical applications are going to want a standardized solution with a proven reputation. Hybrid clouds can have a lot of components, but they need not be composed of Frankenstein-like, hodgepodge elements that are difficult to track and manage. In fact, the experts at Swish have standardized two main technologies for optimizing hybrid clouds, NetApp for hardware and Varonis software for monitoring and support.
“NetApp’s innovative data management products enable U.S. public sector partners like Swish to build well architected solutions for federal customers that improve intelligence and protect information from their most precious asset: data,” Kirk Kern, NetApp Chief Technology Officer, U.S. Public Sector.
It all starts with the NetApp hardware, which is specifically built to support storing data with the added ability of being able to easily and securely move it into and through cloud applications. By standardizing specific cloud-friendly hardware through NetApp, building out a hybrid infrastructure becomes much more manageable, even after the deployment. And because NetApp hardware supports both file- and block-level storage, it can drive everything within the hybrid cloud, from file servers to virtual machines, from a centralized interface. As a final advantage to standardized hardware that handles all types of storage data, this makes working with the Varonis tools even easier for federal admins who need to ensure their data security remains intact within the new hybrid environment.
“We can actually use the built-in cloud storage features of the newest NetApp appliances to move data directly to and from the cloud seamlessly, so it all works through the same interface,” said Swish’s Joe Bailey. “We can have that hooked up to a vendor’s cloud offering, or a private cloud at another location and do what’s called a SnapMirror, the replication technology from NetApp. We can SnapMirror data up to the cloud, and then move it down to branch sites, or vice versa. We then build automation and orchestration into the mix that allows for these types of transfers to happen in the background freeing up man hours for other, more important tasks.” Using NetApp allows federal agencies to give branch offices the same access to data as their main headquarters, with data going to the hybrid cloud first and then to a centralized archive. This keeps everything across the entire enterprise standardized with the same feature set, the same protections and the same interface. Federal workers can do their jobs regardless of their physical location, and everything is kept secure. Even redundant backups, both in the cloud and physically on site or at disaster recovery locations, can be connected to the NetApp hardware, which also can serve legacy backup applications like tape if needed. Using the NetApp hardware ensures that backups are accessible and able to be restored from anywhere.
“By integrating Varonis and NetApp, clients get a very intuitive and cloud-ready data management toolset that enables them to more intelligently detect and stop the insider threats, while also optimizing storage operations and costs,” Sean Applegate, Chief Technology Officer (CTO) at Swish.
Using expert integrators like those from Swish that understand how to maximize the efficiency of the NetApp hardware, combined with the security and monitoring tools from Varonis, is the best way to ensure that a hybrid cloud deployment in the federal space goes smoothly.
Conclusion
Moving to a hybrid cloud can be a complex process, but the benefits in reduced man hours, lower risk, better file-level security, the automation of everyday tasks and elimination of the everyone problem are well worth the effort. Hybrid clouds also have the distinct advantage of bringing agencies into compliance with federal mandates, guidelines and executive orders stipulating the need for cloud computing. The experts at Swish employ the cutting-edge, cloud-supporting hardware from NetApp, married with the powerful security and monitoring software from Varonis, along with industry leading orchestration and automation tools to bring local and cloud storage together in a well-planned and skillfully deployed hybrid configuration. And you will finally know where all your data resides, who’s accessing it and from where. The knowledge and control of your enterprise data, protected and managed through an efficient hybrid cloud, has never been safer, easier to manage or more cost-effective.
About Swish
Swish is a 10-year-old veteran-owned solutions provider, with a focus on high-quality outcomes for our clients. Our experienced and certified engineers search out the most innovative technologies, and then develop full lifecycle solution offerings to ensure our clients realize maximum operational value. Swish ensures your digital service capabilities, performance and security exceed your mission requirements. Working together, we build long term relationships focused on value, sharing our insights and ideas to help our clients succeed.
About NetApp
Government agencies of all levels count on NetApp for software, systems, and services to manage and store their most important asset, their data. With solutions ranging from data protection and recovery to cloud computing, data analytics, and flash solutions, NetApp has become government customers’ top choice for key technologies that drive data center transformation. Top counties, cities, and states count on NetApp and value our teamwork, expertise, and passion for helping them succeed now and into the future. For more information about NetApp, visit: www.netapp.com.
About Varonis
Varonis is the leading provider of software solutions for unstructured, human-generated enterprise data. Varonis provides an innovative software platform that allows enterprises to map, analyze, manage and migrate their unstructured data. Varonis specializes in human-generated data, a type of unstructured data that includes an enterprise’s spreadsheets, word processing documents, presentations, audio files, video files, emails, text messages and any other data created by employees. This data often contains an enterprise’s financial information, product plans, strategic initiatives, intellectual property and numerous other forms of vital information. IT and business personnel deploy Varonis software for a variety of use cases, including data governance, data security, archiving, file synchronization, enhanced mobile data accessibility and information collaboration.
About GovLoop
GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government. For more information about this report, please reach out to info@govloop.com.
1152 15th St. NW Suite 800 Washington, DC 20005 P: (202) 407-7421 | F: (202) 407-7501 www.govloop.com @GovLoop