Transport Canada (TC) Infrastructure Modernization - Cloud / DR / Workload Migration

Revision as of 13:20, 31 July 2020 by Julia.rose (talk | contribs)

Transport Canada (TC) IT Infrastructure Modernization

The goal of this project is to deliver a complete modern infrastructure environment for TC applications in the Cloud. This requires building a foundational Cloud environment, planning and executing a workload migration plan, as well as creating and implementing a Disaster Recovery Management Program. In conjunction with SSC, a secure network to Cloud and authentication services will be established.

The Cloud will provide TC with a modern, scalable, and resilient infrastructure which offers disaster recovery and rapid time to market to support the promotion of a safe and secure, efficient and environmentally responsible transportation system in Canada.

This project is meant to address the business needs and opportunities of:

  • Providing recovery services for IT in the event of a disaster. This will ensure that the delivery of critical services affecting the safety, security, and economic viability of Canadian citizens continues in a normal operations mode in the event of a disaster;
  • Responding to the Cloud First principle and direction from TBS for delivery of Digital Services;
  • Responding to demands for increased IT capabilities and increased IT capacity to support the department’s programs;
  • Adoption of DevSecOps and modern development methodologies that are enhanced by Cloud services – working in Agile, Open, Collaboration; and,
  • Implementing a Disaster Recovery Management program in response to the TBS Policy on Government Security to provide IT service continuity in a timely and efficient manner.

The key deliverables are:

  • Modernized TC IT environment using Cloud solutions;
  • A migration of all applications/systems within the Workload Migration (WLM) initiative to the Cloud;
  • Application development and support model modernization to enable Cloud solutions providing efficiencies in delivery time and cost; and,
  • A validated and maintained Disaster Recovery Management framework in place.

Secure Cloud Enablement and Defence (SCED)

As workloads are migrated to the Cloud, the GC perimeter shifts outside of the on-premise environment, and measures must be put in place to monitor and protect these Cloud-based environments, and respond to cyber threats quickly. The establishment of private, dedicated connections to GC approved Cloud Service Providers (CSP) will enable a hybrid IT environment, and ensure that the GC can continue to have secure access to information systems and solutions hosted in the Cloud.

Secure connectivity from Cloud to Ground is being implemented for applications and platforms that handle Protected B data. This connectivity is Secure Cloud Enablement and Defence (SCED), also called Express Route. SCED was delivered to TC by SSC in June 2020 as a pilot project for two applications: Enterprise BI and Data Analytics (eBIDA) and Policy on Government Security (PGS). SCED is currently being implemented for these two applications.

Cloud Service Operation Model (CSOM)

The Cloud Service Operation Model (CSOM) is a framework used to assess current levels of organizational maturity in the operation, management, and governance of Cloud services. The CSOM framework and methodology is iterative and can be used for existing and new Cloud services. Microsoft is leading the CSOM effort for TC and will deliver the Maturity Roadmap and Assessment Report in August 2020.

Project Status

This project is using Agile methodology and is in Phase 3, Launch/Execution & Control, of the TC Project Management Framework 4 Gate Model. TC's Azure Cloud Foundational Environment has been granted Authority to Operate (ATO) up to Protected-B for applications not requiring secure network connectivity.

Overall, the project was impacted by the delayed SSC delivery of SCED (Secure Cloud Enablement & Defence), required for applications that need secure connectivity, but is now moving forward with a SCED pilot for two COVID-19 related applications: PGS and eBIDA. Applications related to the COVID-19 response have been given top priority for migration, so more resources will be put on these, and other activities may be impacted. For PGS and eBIDA, resources from Solutions Centre and Microsoft have been secured for Cloud migration work.

Disaster Recovery (DR) plans are implemented for each application that moves to the Cloud, if required. The full DR program is expected to be set up and operational by the end of the calendar year 2022. All applications are expected to be in the Cloud, with DR plans if required, by March 2023.

| Milestones | Initial Target Date | Forecast Date | Completion Date | Comments |
|---|---|---|---|---|
| Project Start Date | 2017-10-26 | 2017-10-26 | | |
| Discovery & Analysis for Disaster Recovery (DR) | 2018-10-05 | 2018-10-05 | 2018-10-05 | Complete: Initial research for establishing a Disaster Recovery Program for TC |
| Gate 0 Phase 1: Discovery and Initial Cloud Foundation | 2019-04-29 | 2019-04-01 | 2019-04-01 | Complete: Task awarded to Microsoft to collect information for Cloud environment, assess the TC landscape, and create the initial working environment for TC applications. |
| Gate 1 Phase 2: Application Target State Assessment | 2019-09-20 | 2019-09-20 | 2019-09-20 | Complete: All business systems assessed and assigned a Cloud target state. |
| GC EARB Prioritization for Secure Cloud Enablement and Defence (SCED) | 2018-07-16 | 2020-06-30 | | TC requested a target date of July 2018 for SCED but delivery was delayed. Until SCED is available, TC cannot put into production any Cloud applications that require secure connectivity. |
| Cloud Foundation Build | 2019-04-01 | 2019-10-18 | 2019-10-18 | Complete (except for SCED secure connectivity). This is the Cloud working environment for TC applications. |
| Sprint #1 Migration of Applications to Cloud | 2020-01-31 | 2020-01-31 | 2020-01-31 | Sprint #1 complete. The following apps were worked on: CUMULUS, SAP-BI, TSCA. CUMULUS progressed into a Non-Production environment. |
| Gate 2 Project Execution Approval (under the PMF 4 Gate Model) | 2020-03-01 | 2020-03-01 | 2020-01-30 | |
| Sprint #2 Migration of Applications to Cloud | 2020-02-28 | 2020-02-28 | 2020-02-28 | Sprint #2 complete. The following apps were worked on: CUMULUS, SAP-BI, TSCA, LDPS, TeamMate Suite, TC WWW, ASD. |
| Sprint #3 Migration of Applications to Cloud | 2020-03-15 | 2020-04-30 | 2020-04-30 | Sprint #3 complete. The EGIS app was worked on. |
| Sprint #4 Migration of Applications to Cloud | 2020-05-04 | 2020-05-20 | | Sprint #4 in progress. The following apps are being worked on: MEDV, SRF, iServer. |
| Migration of Business Systems to the Cloud | 2023-03-31 | 2023-03-31 | | Remainder of systems migrated to the Cloud. |
| Disaster Recovery Plans for all applications completed | 2023-03-31 | 2023-03-31 | | |
| DR initial Exercise | 2022-03-30 | 2022-03-30 | | First full scale exercise |
| Gate 3 Phase 4 - Project Completion Date - Approval for Project close | 2023-03-31 | 2023-03-31 | | TC signoff of delivery of all services |
| Gate 4 - Project Close | 2023-04-15 | 2023-04-15 | | |

Key Accomplishments

  • The following applications have been migrated to the Cloud: Open Data, Alexa Recalls, TC Search, Navigable Waters Act Registry, eGIS, TC WWW, MEDV, and NWAR-ESS.
  • TC-SSC ADM Cloud Steering Committee created to address issues and risks associated with this project.
  • SCED pilot in progress for two applications: PGS and eBIDA.
  • Applications related to COVID-19 response were prioritized and work is underway.
  • Identified and prioritized next 8 non-COVID-19 applications for migration to the Cloud.
  • Upgraded the Microsoft Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) features to use a centralized portal.
  • Created a Cloud Migration Checklist for teams to use for migrating their apps to the Cloud.
  • Created a Cloud Workload Prioritization framework to establish a priority order for applications moving to the Cloud.
  • Created an Application Gateway script that dramatically reduces the amount of time required to create and configure subdomains on the network. As a manual process, creating and configuring subdomains takes about 30 minutes for each one, but with the new script it takes only 2 minutes. The script contains all the accurate settings for the subdomains, which removes any chance of configuration errors, and therefore saves the team potential troubleshooting time. The script is shared in the GCAccelerators GitHub.
  • Launched an Education Initiative as a way to create and distribute content to educate other teams in TC about Cloud migration and operations. As one of the first steps in this initiative, an onboarding checklist was created to help teams understand the steps involved in their journey to the Cloud.
  • Created an Assessment Scorecard as a way to assess the criticality of moving applications to the Cloud and create a priority order. This scorecard will assist ARB with a technical understanding of the applications in the migration pipeline so they can make a decision about the migration priority order.
  • All active TC employees (7,079) have been on-boarded to MS Teams.
  • Active Directory Federation Services (ADFS) is now available for Cloud-based applications at TC. ADFS provides users with single sign-on capabilities by establishing a link between TC’s Azure Active Directory and the on-premise Active Directory. This reduces the number of usernames and passwords required to log on to Cloud-based applications.
  • TC has received the Memorandum of Understanding (MoU) from TBS for $1.27M for Cloud Migration activities, and it has been signed by Philippe Johnston (Director General, Digital Services Directorate).
  • Completed implementation of security controls required for Protected-B Cloud environment.
  • Completed assessment of TC's applications for readiness to be migrated to the Cloud.
  • Contracted industry Cloud expertise to assist to create, configure, and train TC FTE staff.
  • Established the foundational Cloud environment, Hybrid Cloud Management (HCM), to start accepting workloads.
  • As part of Culture change to adopt Cloud, 37 (formal and informal) Training sessions, 11 Technical Talks, 33 Awareness building roadshows, and four TC-wide Cloud engagement sessions have been completed.
  • TC is sharing with other GC Agencies and Departments the Azure Network Template Generator via the GitHub repository.
  • Adoption of DevSecOps and modern development methodologies that are enhanced by Cloud services – Working in Agile, Open, Collaboration.
  • Dedicated TC Cloud Centre of Excellence (#TC3OE) has been established.          

Overview of Transport Canada’s Cloud Centre of Excellence (#TC3OE)

TC3OE is Transport Canada’s Cloud Centre of Excellence. The TC3oE team is enabling the delivery of modern digital solutions by leveraging the Agility, Flexibility, Elasticity, and Disaster Recovery features of Cloud technologies. The team supports and maintains the Cloud foundational infrastructure, and aids designers in the planning, procurement, configuration and integration of Cloud services, so that TC clients can quickly address their rapidly changing business needs.

#TC3OE can be contacted via email at: TC.Cloud-Infonuagique.TC@tc.gc.ca

Here is a photo of our outstanding team!

[Image: TC3OE team 18dec2019.jpg]

Challenges: Risks and Issues

RISK: SCED pilot has begun with two applications: PGS and eBIDA, but there are 370+ other applications to migrate to the Cloud, so the overall project schedule may still be delayed. After the SCED pilot is complete, it will be clearer how long SCED implementation will take for the other applications. Impact: High. Probability: Medium. Mitigation: Ongoing assessment of project schedule as SCED implementation develops, and continue to migrate non-SCED dependent apps.                  

RISK: There are 27 capital projects that have a dependency on this project for Cloud foundation infrastructure, workload migration, and SCED. Delivery of these 27 capital projects may be delayed, due to the delay in getting SCED. Impact: High. Probability: High. Mitigation: Create on-premise implementations for the 27 capital projects that can be easily migrated to the Cloud when SCED becomes available.

ISSUE: Resource availability and schedule constraints. Impact: Medium. Resolution Plan: The 67H3 project manager is actively prioritizing the workload, working with strategic partners to ensure the availability of skilled people, and the TC3oE team is taking on some of the workload from the teams that are moving their apps to the Cloud.

ISSUE: Cloud technology is new and is rapidly evolving, creating a steep learning curve for TC developers, cyber security experts, and operations teams which is impacting the project schedule. Impact: Medium. Resolution Plan: The adoption of DevSecOps is expected to alleviate this problem because expertise from SSC and the rest of TC can be leveraged. Digital Services management is equipping the team with the necessary tools, and ensuring the team is trained in Cloud technology, including Q&A sessions and training with the vendor.

ISSUE: GC EARB approved partial funding for 20/21 fiscal year ($2.7M out of $7.7M) and the amount is insufficient for the planned work. Impact: Medium. Resolution Plan: Planned work will be adjusted according to the level of funding and/or additional funding will be sought from within TC.      

Guidance and Documentation

Workload Migration Categorizations (Business Applications in Scope)

Data was sourced from the previous Microsoft Assessment.

| Security Classification | No Active Directory Dependency | No Connectivity | Requires Active Directory | Requires Connectivity with EDC | SQL Database | Total |
|---|---|---|---|---|---|---|
| Unclassified | 84 | 21 | 40 | 103 | 7 | 124 |
| Protected A | 87 | 9 | 60 | 138 | 5 | 147 |
| Protected B | 46 | 8 | 9 | 47 | 4 | 55 |
| Total | 217 | 38 | 109 | 288 | 16 | 326 |

Application Workload Migration via Agile Sprints

This project is following an iterative Agile process to migrate applications to the Cloud.

The following applications have already been migrated to the Cloud: Open Data, Alexa Recalls, TC Search, Navigable Waters Act Registry, eGIS, TC WWW, MEDV, iServer, and NWAR-ESS.

| App/Platform State | Description |
|---|---|
| Not Started | Work has not yet started on migrating the app/platform to Cloud. |
| Planning | Initial planning underway to determine timeframe for migrating app/platform to Cloud. |
| Doing | Tasks actively in progress with no blockers. |
| NPRD | Non-Production. App is ready for review in the NPRD environment prior to moving to PROD. |
| PROD | Production. App is in the PROD environment and ready for review, testing/cut over. |
| Blocked | Blocking issue is impeding further progress. |
| Done | App is in PROD and functioning as expected. |

| Apps/Platforms In Progress | Current State | Notes |
|---|---|---|
| ASD | NPRD | Confirming if ATO has been received and if the application can move to PROD. |
| eBIDA | NPRD | Related to COVID-19 response. Part of SCED pilot. ATO received. Taking a phased release approach. Phase 1 moving to PROD. |
| CARTES | Doing | Database created in Azure. Initial report export to SSRS files, further review/development required. Working on migrating Access Queries to SQL Azure. |
| CCM | Planning | Initial planning underway. |
| ECATS | Planning | Related to COVID-19 response. Workload Intake Form and architecture diagrams received, currently being reviewed by TC3oE team. |
| GC Docs | Planning | Initial planning underway. |
| MISS | Planning | Initial planning underway. |
| MMERS | Planning | Migration plan in progress. |
| PGS | Planning | Related to COVID-19 response. Part of SCED pilot. Initial interview conducted, data gathering in progress. |
| RPA CoE | Planning | Related to COVID-19 response. Migration plan in progress. |
| SAP-BI | NPRD | Certificate installed and connection tested. Requesting DNS creation from SSC. |
| SRF | Planning | Migration plan created. |
| Tachyon and ActiveEfficiency | Planning | Initial planning underway. |
| TCLR API | Planning | Initial planning underway. |
| TCOMS | Planning | Related to COVID-19 response. Migration plan in progress. |
| TEAMMATE | NPRD | Performance testing in progress. |
| Vessel Registry | Planning | Initial planning underway. |
| ZAMMAD | Planning | Migration plan in progress. |

| Blocked Apps/Platforms | Current State | Notes |
|---|---|---|
| LDPS | Blocked | Lowest priority for business unit. |
| myTC | Blocked | Dev resources required elsewhere. |
| CUMULUS | Blocked | Looking for a replacement, plan to use CUMULUS until this is found. Decision needed on effort and value to complete Cloud migration. |

| Upcoming Apps/Platforms | Current State | Notes |
|---|---|---|
| BALLAST INTERVENTIONS | Not Started | |
| BASE NAVIRES | Not Started | |
| CVSA | Not Started | |
| Digital Signatures | Not Started | Related to COVID-19 response. SaaS app (DocuSign), will not migrate. |
| FORMATION | Not Started | |
| FORMATION_WEB | Not Started | |
| INC_POLL 2014 | Not Started | |
| MTCO-SMTC | Not Started | |
| PRET | Not Started | |
| PROFIL-FORMNAX | Not Started | |
| PROJETCERTI | Not Started | |
| PWS (BC) | Not Started | |
| QAIMS | Not Started | |
| SIVP-VISP | Not Started | |
| TO_LAND | Not Started | |
| TRAVERSES | Not Started | |
| TSCM | Not Started | Related to COVID-19 response. |


Business Drivers and Timeline for TC's Journey to the Cloud

[Image: Journey-to-Cloud-June2020-v2.jpg]

[Image: BusinessDriversForModernization-June2020.jpg]