CarahCast: Podcasts on Technology in the Public Sector

Security and Compliance with Cloudnexa

Episode Summary

In this podcast, MJ DiBerardino, CEO at Cloudnexa, discusses compliant migrations into the AWS Cloud for federal customers and the importance of moving workloads to the Cloud.

Episode Transcription

Clara Carter: Hi, my name is Clara Carter, Partner Development Manager with Carahsoft Technologies supporting our Amazon Web Services practice. I'd like to introduce you to MJ DiBerardino, CEO of Cloudnexa. MJ is a founding management team member of Cloudnexa, one of the original AWS partners. He has over 20 years of diversified experience and a high level of success in several industries, including manufacturing, financial services, healthcare, entertainment and information technology services. Prior to joining Cloudnexa, MJ worked with various cloud management companies for the past 12 years. Welcome.

MJ DiBerardino: Great. Thank you for having me.

Clara Carter: Yeah, absolutely. So I'd like to go ahead and just ask you a few questions in regards to compliant migrations into the AWS cloud as it would relate to federal customers, to leverage your expertise in the topic.

MJ DiBerardino: Perfect. Sounds good.

Clara Carter: Cool. So we'll start with: what trends are you seeing in the federal government with respect to the cloud?

MJ DiBerardino: Well, right now, there's a lot of interesting things going on in cloud, specifically within the federal government. We've been seeing quite a few large opportunities come out through various RFIs and RFPs. Some of the most recent notable ones are T-Cloud, which is the Treasury cloud; they've put out a fairly large RFI recently. And this is going to be a multi-year process, but we're gonna see some great things ultimately come out of that RFP. There's also many other IDIQs that are being released; a recent one was under HHS, which they're doing as an agency-wide, multi-award IDIQ. But what I'm also finding pretty interesting is these RFIs and RFPs are very much multi-cloud, which is great to see. You know, a few years ago, it was more oriented around a single cloud award, where now the award is including most of the main cloud players: AWS, Azure, Google Cloud. That's been great to see. And what I suspect is, a lot of this is gearing up for larger migrations under the Cloud Smart strategy. And additionally, we're seeing quite a bit of activity on both sides of the government, civil and defense.

Clara Carter: Got it. What exactly is the Cloud Smart strategy you mentioned? And why are workloads being moved into the cloud?

MJ DiBerardino: Sure. So the Cloud Smart strategy, it's very interesting. It's the first major update to the federal Cloud First strategy, which was released in 2011. So definitely a little overdue, and it's great to see. And what they did under this is the CIO office not only released the strategy but, more importantly, they're equipping the federal agencies with the tools and actionable information and recommendations on how to take advantage of the cloud and actually use these cloud-based solutions, which is extremely important. So they're not only giving the strategy but a roadmap of how to use it, and the guiding principles along Cloud Smart are security, procurement and workforce, which also is great to see because it aligns directly with a lot of the cloud solutions and the cloud providers and the way that they operate today. So many of these workloads that are being moved into cloud services are mission critical. They are more along the lines of the service delivery need that these agencies have. And it's changing the mindset through Cloud Smart to not only take advantage of immediate cost benefit for the agencies, but also allowing them to select the provider that enables them to achieve their mission goals. It's a great strategy to see, and I'm very happy that the government put this out.

Clara Carter: Got it. Okay. So how would compliance be handled then in that aspect, in regards to, you know, moving those workloads over into the cloud?

MJ DiBerardino: Of course. When we think of the cloud, compliance is always top of mind; compliance and security are extremely important. From a CSP perspective, each handles cloud slightly differently, but luckily, the government put a lot of standards and regulations in through their FedRAMP compliance program. But when you look at something like FedRAMP, you have a couple of levels, like moderate or high. And what this does is it helps you not only determine the solution provider that you can utilize for your environment, but also the architecture required in order to meet and achieve these standards. So when you look at, for example, FedRAMP on AWS, an agency has many options that they can go through and many different architectures that they can utilize. But what they first determine is what level, moderate or high, they are going to fall in. And what that helps them to determine is what region they're going to be able to be deployed in. So if it's moderate, they can utilize all of the US-based regions, which is great. But when it's high, then they have to look at GovCloud, and how they can utilize GovCloud within their deployment. And just one other example of another compliance, because we can talk compliance all day, there's many different ones out there. But another one that's just getting a lot of attention right now that's worth knowing is CMMC. And I bring this up because right now, it's estimated that more than 300,000 organizations will be required to have an assessment and certification on one of the five CMMC levels. So it's anything from small businesses to major defense contractors: if they are a member of the DoD supply chain, this will need to be addressed.

Clara Carter: So that makes sense. It's good to know that there's different regions and you can help with determining which one would be the right choice for, you know, different levels of compliance that are required. But would you mind getting into the CMMC topic a little bit more? Why is that important?

MJ DiBerardino: Sure. So CMMC is the Cybersecurity Maturity Model Certification. And it was initiated by the US DoD. And they developed this certification in order to measure their defense contractors' capability, readiness and sophistication within the Cybersecurity Framework. So there's five concrete levels of certification, and each level has its own audit standards. And the reason why it's so important is because for defense contractors that are migrating or optimizing their cloud deployments, the CMMC standards need to be considered in their implementation management. So a lot of the public cloud providers have programs around CMMC. But then also, there's many partners that can help their clients implement it correctly, and ensure that when it's time for an audit, they're going to be able to pass and achieve their certification. So as this becomes required by DoD, this is going to take more center stage with any type of design within cloud providers.

Clara Carter: Okay, that makes sense. So what would the project flow look like then to migrate into the cloud?

MJ DiBerardino: Sure. So the project flow, it can go many different ways. And when you think about migrating to the cloud, the first thing that you have to determine is what type of cloud provider do you want to consider or look at. And when I say cloud provider, it's not just about AWS, or Azure, or Google, it's about the type of cloud service. So you have infrastructure, platform, and software. So after you determine what type of provider, so let's just say infrastructure in this case, so IaaS, Infrastructure as a Service, then we can start looking at and developing a cloud strategy, utilizing the Cloud Smart initiative. That's where we would start, and then from there, you would develop a cloud roadmap within your agency. So really looking at your agency and any sub-agencies: What's the roadmap that makes sense? What type of cloud are you going to utilize? And maybe it's all three? And if it is all three, how does that roadmap fit into what you're doing today? So you would conduct an assessment across all your IT environments to help determine that initial application base that are good fits as they are today to migrate. Then, in another bucket, you would look at what would need to be refactored in order to migrate and what would be involved in refactoring those applications. Once you are ready to get started, and you've already determined what bucket your application environments fall in, then you would have the process of standing up your initial cloud environment and developing your requirement documentation. Because there's going to be many different areas within your ultimate cloud deployment that fall under shared responsibility, that could fall under shared services; it really will vary depending on the agency, and how their CIO office is deploying that out to their customers. The next step would be to create an architectural diagram.
And what you want to do in this architectural document is not only diagram out the different components, but really outline each service and component that you plan to utilize, and how you plan to utilize and deploy them. You conduct some POCs to ensure the application is behaving as you expect it to. Then once you pass your POC, you can start implementing anywhere from a DevOps or DevSecOps, security and compliance standard deployment pipeline, and so on. There's many different implementation models. And I'm sure, you know, each agency has its own, and each application within the agency is gonna have its own. So you have to, you know, implement these various deployment models that you've undertaken, then you can build out that environment, you can include any and all the supporting infrastructure that's going to be required. And you would start performing your application and data migration. At that point, you know, you're going to have ongoing syncs. But during that migration, what you're going to be able to do is also optimize that environment before you go live through a series of load testing, vulnerability scans, pentesting, whatever you need to do to ensure that once you have your cutover, you're going to be up and running as expected, and hopefully better than you were before. But before you do that cutover, you want to ensure that you develop your management and runbook strategies; this is extremely important. So once you get to production, and after you cut over, you have to make sure you have that proper management in place. Then you can plan and conduct your production cutover. And you would implement your management strategy and move on to the next application. But one thing that's just really important today, and we talked about it a little bit with CMMC and FedRAMP: you have to also ensure that you have that continued compliance management in place; that is critical to long-term success.

Clara Carter: Sounds like a roadmap is definitely important as well, along with a strategy for your migration, to make sure you hit on every one of those points along the different phases of the migration. That's all I had for today. This discussion was super helpful in understanding the framework behind a compliant migration into the AWS cloud. And I'd like to thank you for joining us to touch on your expertise in the matter.

MJ DiBerardino: Well, thank you for having us here today.

Clara Carter: Absolutely. Our pleasure. Thank you for listening. If you'd like more information on how Carahsoft, Cloudnexa or AWS can assist your agency, please visit www.carahsoft.com or email us at aws@carahsoft.com. Thanks again for listening and have a great day.