Forward
Topics in this chapter describe the definitions, principles, and rules surrounding cloud infrastructure. CMS promotes its own strategic implementations of managed cloud environments that are based on these principles and rules. These topics discuss aspects of CMS Cloud, and refer to relevant parts of this preferred implementation. Readers may find these a useful way to better understand CMS Cloud.
Background
As identified in NIST Special Publication (SP) 800-145, The NIST Definition of Cloud Computing, September 2011, the cloud operating model has the following essential characteristics:
-
On-demand self-service – A CMS business owner can provision computing capabilities, such as server processing capability and network storage, as needed automatically without requiring human interaction with each service’s provider.
-
Resource pooling – The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. Examples of resources include storage, processing, memory, network bandwidth, and server virtual machines.
-
Rapid elasticity – Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale back. To consumers, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
-
Measured service – Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service provisioned (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.
-
Broad Network Access – Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin- or thick-client platforms (e.g., mobile phones, laptops, and PDAs).
Leveraging these cloud characteristics obligates CMS to provide its IT community appropriate rules and guidance. The CMS TRA has historically addressed the definitions and operations of the Virtual Data Centers (VDC). This chapter expands the CMS TRA data center hosting and managed services architecture to address evolving cloud environments.
Scope
As identified in the CMS Information Security and Privacy Group (ISPG) Cloud Computing Standard, the scope of CMS cloud standards and guidance spans the cloud deployment models of public, private, community, and hybrid clouds as well as the cloud service models of IaaS, Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). This chapter, however, is limited to IaaS and PaaS Clouds.
The original Federal Cloud Computing Strategy (Kundra, 2011) defines a decision framework that should be considered for determining whether a CMS business application is a candidate for inclusion in a cloud environment. Some value drivers include:
- Efficiency
- Higher computer resource utilization (through virtualization)
- Lowering labor costs
- Agility
- Speed of deployment
- Rapid provisioning
- Access to innovation
It is important to recognize that both value and readiness are provided as dimensions to help plan cloud migrations.
It is highly recommended that CMS business owners familiarize themselves with the Federal Cloud Computing Strategy as well as the Department of Health and Human Services (HHS) document, HHS Cloud Computing Tactical Implementation and Transition, v1.2.2b, Department of Health and Human Services, July 2012 because this CMS TRA chapter does not provide distinct selection criteria or guidance for deploying into a cloud environment.
However, the CMS strategic solution is to use CMS Cloud Services, which are implemented in compliance with the CMS TRA. Whether Amazon Web Services (AWS), Microsoft Azure Government (MAG), or the batCAVE platform-as-a-service, solutions based on CMS Cloud are preferred.
Items in Scope
This chapter represents the CMS guidelines and standards to be used by CMS and CMS / Contractor partners for CMS Processing Environments that are implemented and operated using private or community clouds.
This chapter contains CMS’s architectural standards employed in all CMS Processing Environments that operate in a private or community cloud, as defined by NIST SP 800-146, Cloud Computing Synopsis and Recommendations, and that are using existing and approved CMS cloud infrastructure (IaaS) and platform (PaaS) managed services.
This chapter complements the CMS ISPG Risk Management Handbook Volume III: CMS Cloud Computing Standard and NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing.
Any specific “requirements” mentioned within this chapter apply only to specific items of technology and reference architecture and do not eliminate, replace, supersede, override, or nullify published CMS minimum security or privacy requirements. The security or privacy requirements stipulated in the CMS ARS and RMH have precedence over any perceived conflict among requirements.
Items Out of Scope
It is important to note that selection criteria, assessment, and acquisition of Cloud Service Providers are out of scope for this chapter.
CMS business owners and their IT advisors must perform due diligence and assessment before choosing to host and operating their business application within a CMS data center or the cloud, based upon the application’s business requirements and the application’s security risk profile. The original Federal Cloud Computing Strategy (Kundra, 2011) as well as the HHS Cloud Computing Tactical Implementation and Transition document provide some guidance for determining cloud deployment suitability. The Department has provided some guidance regarding acquisition in section 4.6 of the HHS Cloud Computing Tactical Implementation and Transition.
This chapter does not focus on how to implement a cloud infrastructure, because this is the CSP’s responsibility. Rather, it addresses how CMS can work with a third-party CSP to securely and effectively leverage business value from the CSP’s services. It is anticipated that many of the best practices pioneered by CSPs will eventually find their way into traditional data centers.
Finally, this chapter does not address the use of Software-as-a-Service CSPs.