Transport Canada (TC) Infrastructure Modernization - Cloud / DR / Workload Migration
Transport Canada (TC) Infrastructure Modernization - Cloud / DR / Workload Migration[edit | edit source]
Transport Canada (TC) IT Infrastructure Modernization[edit | edit source]
The goal of this project is to deliver a complete modern infrastructure environment for TC applications in the Cloud or modern data centers. This requires building a foundational Cloud environment, planning and executing a workload migration plan, as well as creating and implementing a Disaster Recovery Management Program. In conjunction with Shared Services Canada (SSC), a secure network to Cloud and authentication services will be established.
This work is being done within the framework of the Cloud Smart strategy that indicated that a modern secure TC infrastructure includes moving some applications to the cloud and other to leverage SSC Enterprise Data Centers (EDC) in situations where an EDC makes more sense such as Apps that are being decommissioned, only need to be sustained or where the cloud offers no business value.
The Cloud will provide TC with a modern, scalable, and resilient infrastructure which offers disaster recovery and rapid time to market to support a safe, secure, efficient, and environmentally responsible transportation system in Canada.
TC has 378 applications in its portfolio that need to be migrated to either the cloud or an SSC EDC. For applications that only need to be sustained or will be decommissioned soon, these will be moved to a new EDC. Applications which have a long term benefit, requirements and business value of maintaining will be moved to the cloud.
This project is meant to address the business needs and opportunities of:
- Providing IT recovery services in the event of a disaster to ensure the delivery of critical services affecting the safety, security, and economic viability of Canadian citizens continues to operate normally.
- Responding to the Cloud First principle and direction from TBS for delivery of Digital Services.
- Responding to demands for increased IT capabilities and increased IT capacity to support TC’s programs.
- Adopting DevSecOps and modern development methodologies that are enhanced by Cloud services, such as working in Agile, Open, Collaboration.
- Implementing a Disaster Recovery Management program in response to the TBS Policy on Government Security to provide IT service continuity in a timely and efficient manner.
The key deliverables are:
- Modernized TC IT environment using Cloud solutions.
- Migration of all applications/systems within the Workload Migration (WLM) initiative to the Cloud or a SSC EDC.
- Application development and support model modernization to enable Cloud solutions providing efficiencies in delivery time and cost.
- Validated and maintained Disaster Recovery Management framework in place.
Migration Strategy[edit | edit source]
With the current data center closures shifting from a 2023 date to a 2025 date, TC has a chance to re-evaluate it's strategy towards a "Cloud Smart" approach as opposed to a "Cloud First" approach. This strategy shift will allow TC to move some applications to new EDCs instead of only the cloud, based on what is more appropriate for the specific application and will ensure that our cloud strategy is based on business value.
TC is currently re-defining its overall Cloud strategy to align to the new Government of Canada Cloud strategy that will focus on Cloud Smart. This includes a reassessment of our application list and migration approach.
The Cloud strategy work has also been aligned with TC's technical debt remediation strategy where both streams of work are done together to ensure our migration decisions are based on technical debt remediation as well as business value.
Working with the Business Solutions group, a joint questionnaire has been built to help with the assembly, categorization and prioritization of TCs portfolio of applications. (RDIMS # 17961582)
Secure Cloud Enablement and Defence (SCED) / Secure Cloud to Groud (SC2G) and Foundational services[edit | edit source]
As workloads are migrated to the Cloud, the GC perimeter shifts outside of the on-premise environment, and measures must be put in place to monitor and protect these Cloud-based environments, and respond to cyber threats quickly. The establishment of private, dedicated connections to GC approved Cloud Service Providers (CSP) will enable a hybrid IT environment, and ensure that the GC can continue to have secure access to information systems and solutions hosted in the Cloud.
Secure Cloud Enablement and Defence (SCED) or Secure Cloud to Ground (SC2G) is secure connectivity from Cloud to Ground that is being implemented for applications and platforms that handle Protected B data. Working with SSC, TC has implemented SCED as a pilot project for two applications: Enterprise BI and Data Analytics (eBIDA) and Policy on Government Security (PGS). SCED went live in February 2021, and TC is working with SSC to onboard additional applications.
TC is working with SSC to implement other foundational services such as Active Directory and Domain Name service (DNS) which will allow TC to migrate applications at scale.
Cloud Service Operation Model (CSOM)[edit | edit source]
The Cloud Service Operation Model (CSOM) is a framework used to assess current levels of organizational maturity in the operation, management, and governance of Cloud services. The CSOM framework and methodology is iterative and can be used for existing and new Cloud services. Microsoft performed a CSOM evaluation for TC and delivered a final report. Next steps are under review with the TC leadership team.
Project Status[edit | edit source]
This project is using Agile methodology and is in Phase 3, Launch/Execution & Control, of the TC Project Management Framework 4 Gate Model. TC's Azure Cloud Foundational Environment has been granted Authority to Operate (ATO) up to Protected-B for applications not requiring secure network connectivity.
Overall, the project was impacted by the delayed SSC delivery of SCED (Secure Cloud Enablement & Defence), required for applications that need secure connectivity, but is now moving forward with a SCED pilot for two COVID-19 related applications: PGS and eBIDA. Applications related to the COVID-19 response have been given top priority for migration, so more resources will be put on these, and other activities may be impacted. For PGS and eBIDA, resources from Solutions Centre and Microsoft have been secured for Cloud migration work. TC is working with SSC to pilot SSC's Cloud Operating Model, using DevSecOps.
Disaster Recovery (DR) plans are implemented for each application that moves to the Cloud, if required. The full DR program is expected to be set up and operational by the end of the calendar year 2022. All applications are expected to be in the Cloud, with DR plans if required, by March 2023.
| Milestones | Initial Target Completion Date | Forecast Completion Date | Actual Completion Date | Comments | ||
| Project Kickoff | 2017-10-26 | 2017-10-26 | 2017-10-26 | Complete: Project started on 2017-10-26. | ||
| Discovery & Analysis for Disaster Recovery (DR) | 2018-10-05 | 2018-10-05 | 2018-10-05 | Complete: Initial research for establishing a Disaster Recovery Program for TC. | ||
| Gate 0 Phase 1: Discovery and Initial Cloud Foundation | 2019-04-29 | 2019-04-01 | 2019-04-01 | Complete: Task awarded to Microsoft to collect information and create Cloud environment for TC applications. | ||
| Gate 1 Phase 2: Application Target State Assessment | 2019-09-20 | 2019-09-20 | 2019-09-20 | Complete: All business systems assessed and assigned a Cloud target state. | ||
| Cloud Foundation Build | 2019-04-01 | 2019-10-18 | 2019-10-18 | Complete: Cloud working environment for TC applications and platforms. | ||
| Gate 2 Project Execution Approval (under the PMF 4 Gate Model) | 2020-03-01 | 2020-03-01 | 2020-01-30 | Complete: Approval received for project execution. | ||
| Secure Cloud Enablement Defence (SCED) Pilot Implementation | 2018-07-16 | 2021-02-08 | 2021-02-08 | SCED implemented in pilot project. General Availability (GA) is expected in November 2021. | ||
| Define Migration Criteria | 2021-11-19 | 2022-03-25 | 2022-03-25 | |||
| Cloud/EDC Migration Strategy | 2021-11-19 | 2024-03-29 | 2022-07-07 | |||
| Secure Cloud Enablement Defence (SCED) General Availability (GA) | 2021-11-30 | 2021-11-30 | ||||
| Application Inventory | 2021-03-31 | 2022-03-31 | ||||
| Definition of Migration Criteria | 2021-03-31 | 2022-03-31 | ||||
| Web Platform (to support Migration of WebApps from On-prem at
scale) (TC) |
2021-11-19 | 2022-05-19 | 2022-05-19 | |||
| Database Platform (to support Migration of Apps requiring MSSQL) (TC) | 2021-11-19 | 2022-07-22 | 2022-07-22 | |||
| OCI ( Azure) | 2022-09-05 | 2022-09-29 | ||||
| RPA (Robotics Process Automation) (TC) | 2022-05-02 | 2023-01-20 | ||||
| iZev (Zero Emissions Vehicles) (TC) | 2022-11-01 | 2023-03-06 | ||||
| Relocate existing 17 apps from non-SCED to SCED environment (TC) | 2022-05-02 | 2023-02-17 | ||||
| Cloud Migration Sprint 1 - Group 1 Planning (5 Apps) | 2022-11-01 | 2022-12-19 | ||||
| Sprint 2 - Group 1 DEV | 2022-12-19 | 2022-12-30 | ||||
| Sprint 3 - Group 1 ACC | 2022-12-30 | 2023-01-12 | ||||
| Sprint 4 - Group 1 Production | 2023-01-12 | 2023-01-30 | ||||
| Sprint 5 - Group 2 Planning | 2023-03-31 | 2024-03-31 | ||||
| Wave 3 Apps (85) | 2023-01-30 | 2023-03-17 | ||||
| Sprint 6 - Group 2 DEV | 2023-03-20 | 2023-03-30 | ||||
| Operational Cloud migration | 2023-03-31 | 2024-01-25 | ||||
| EDC (Managed under SSC WLM) | 2022-04-01 | 2025-06-30 |
Key Accomplishments[edit | edit source]
- TC working with SSC to setup an enclave in the EDC based on the assessment of applications that are destined to the EDC. SSC has indicated that the earliest that the enclave will be ready is March 2024
- Completed Oracle OCI Proof of Concept and procured Oracle OCI credits to be used for migration.
- Aligned TC's AWS solution to GC standards (GC PBMM Accelerator) to better position TC for enabling SCED in AWS.
- Fortinet and FortiAnalyzer Cloud firewalls were deployed for the project, enabling foundational security measures for SCED.
- TC-SSC ADM Cloud Steering Committee created to address issues and risks associated with this project.
- SCED pilot in progress complete for PGS and eBIDA. Planning complete and implementation phase in progress, including SSC infrastructure work.
- Applications related to COVID-19 response were prioritized and work is underway.
- Upgraded the Microsoft Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) features to use a centralized portal.
- Created a Cloud Migration Checklist for teams to use for migrating their apps to the Cloud.
- Created a Cloud Workload Prioritization framework to establish a priority order for applications moving to the Cloud.
- Created an Application Gateway script that dramatically reduces the amount of time required to create and configure subdomains on the network. As a manual process, creating and configuring subdomains takes about 30 minutes for each one, but with the new script it takes only 2 minutes. The script contains all the accurate settings for the subdomains, which removes any chance of configuration errors, and therefore saves the team potential troubleshooting time. The script is shared in the GCAccelerators github.
- Launched an Education Initiative as a way to create and distribute content to educate other teams in TC about Cloud migration and operations. As one of the first steps in this initiative, an onboarding checklist was created to help teams understand the steps involved in their journey to the Cloud.
- Created an Assessment Scorecard as a way to assess the criticality of moving applications to the Cloud and create a priority order. This scorecard will assist ARB with a technical understanding of the applications in the migration pipeline so they can make a decision about the migration priority order.
- All active TC employees (7,079) have been on-boarded to MS Teams.
- Active Directory Federation Services (ADFS) is now available for Cloud-based applications at TC. ADFS provides users with single sign-on capabilities by establishing a link between TC’s Azure Active Directory and the on-premise Active Directory. This reduces the amount of usernames and passwords required to log on to Cloud-based applications.
- TC and TBS have signed a Memorandum of Understanding (MoU) to fund Cloud Migration activities.
- Completed implementation of security controls required for Protected-B Cloud environment.
- Completed assessment of TC's applications for readiness to be migrated to the Cloud.
- Contracted industry Cloud expertise to assist to create, configure, and train TC FTE staff.
- Established the foundational Cloud environment, Hybrid Cloud Management (HCM), to start accepting workloads.
- As part of Culture change to adopt Cloud, 37 (formal and informal) Training sessions, 11 Technical Talks, 33 Awareness building roadshows, and four TC-wide Cloud engagement sessions have been completed.
- TC is sharing with other GC Agencies and Departments the Azure Network Template Generator via the GitHub repository.
- Began implementing DevSecOps methodology for this project.
- Dedicated TC Cloud Centre of Excellence (#TC3OE) has been established.
Overview of Transport Canada’s Cloud Centre of Excellence (#TC3OE)[edit | edit source]
TC3OE is Transport Canada’s Cloud Centre of Excellence. The TC3oE team is enabling the delivery of modern digital solutions by leveraging the Agility, Flexibility, Elasticity, and Disaster Recovery features of Cloud technologies. The team supports and maintains the Cloud foundational infrastructure, and aids designers in the planning, procurement, configuration and integration of Cloud services, so that TC clients can quickly address their rapidly changing business needs.
#TC3OE can be contacted via email at: TC.Cloud-Infonuagique.TC@tc.gc.ca
Challenges: Risks and Issues[edit | edit source]
| RISK | If the project isn't able to sufficiently resource the Disaster Recovery (DR) role, then a DR program will not be implemented, negatively impacting the recovery of critical IT applications. |
| Impact | High |
| Probability | Medium |
| Mitigation | Find resources to create and implement a DR program for the project. |
| RISK | If the project team doesn't create and implement a change management process, then they won't be able to effectively navigate project impacts, which will put the overall project at risk. |
| Impact | High |
| Probability | Medium |
| Mitigation | Find resources to create and implement a change management process for the project. |
| RISK | If there is not enough Cloud expertise and capacity on application/platform teams, then workload migration to the Cloud stalls, delaying the project schedule. |
| Impact | High |
| Probability | Medium |
| Mitigation | Engage each application/platform team early in the process, secure temporary Cloud expertise - in part by gaining resourcing through TBS, and escalate accordingly if there is not enough capacity. |
| ISSUE | With a lengthy SCED onboarding process, our ability to migrate at scale may be impacted |
| Impact | High |
| Resolution Plan | Initiate change request process to adjust project end date to align with MCDC shutdown in 2025. |
| ISSUE | Quality of APM data is not good enough to easilly identify applications for migration. |
| Impact | Medium |
| Resolution Plan | Questionaire and manual process of engaging app owners to comfirm app information initiated. |
Guidance and Documentation[edit | edit source]
- Frequently Asked Questions
- GC Cloud Adoption Strategy
- Journey to the Cloud
- TC Cloud Corner
- Azure Network Template Generator on GitHub
Workload Migration Categorizations (Business Applications in Scope)[edit | edit source]
Data was sourced from the previous Microsoft Assessment.
| Security Classification | No Active Directory Dependency | No Connectivity | Requires Active Directory | Requires Connectivity with EDC | SQL Database | Total |
| Unclassified | 84 | 21 | 40 | 103 | 7 | 124 |
| Protected A | 87 | 9 | 60 | 138 | 5 | 147 |
| Protected B | 46 | 8 | 9 | 47 | 4 | 55 |
| Total | 217 | 38 | 109 | 288 | 16 | 326 |
Application Workload Migration via Agile Sprints[edit | edit source]
This project is following an iterative Agile process to migrate applications to the Cloud.
| App/Platform State | Description |
| Not Started | Work has not yet started on migrating the app/platform to Cloud. |
| PROD/DR | Production and Disaster Recovery testing. App/platform is in the PROD environment and ready for review, testing, and cutover to Cloud. |
| Backlog | App/platform is next in line for migration. |
| In Progress | App/platform work in progress. |
| On Hold | App/platform is on hold until a future date. |
| Apps/Platforms In Production | Current State | Notes |
| Alexa Recalls | PROD | |
| ASD | PROD | |
| eBIDA | PROD | Related to COVID-19 response. Part of SCED pilot. |
| CARS Exemption | PROD | Migrated to Cloud February 19, 2021. SSC COM pilot project successfully completed. |
| EGIS | PROD | |
| iServer | PROD | |
| MEDV | PROD | |
| Navigable Waters Act Registry | PROD | |
| NWAR-ESS | PROD | |
| Open Data | PROD | |
| PGS | PROD | Related to COVID-19 response. Part of SCED pilot. |
| SRF | PROD | |
| TCLR | PROD | |
| TC Search | PROD | |
| TC WWW | PROD | |
| TMSA | PROD | |
| CVS | PROD | |
| Document Services | PROD | |
| LoV | PROD | |
| MITRACK | PROD | |
| myTC | PROD | |
| SAC | PROD | |
| SeaFarer | PROD | |
| tc.gc.ca | PROD | |
| Vessel Registry | PROD | |
| Workload Mgmt Services | PROD |
| Apps/Platforms Backlog | Current State | Notes |
| LDPS | In Progress | |
| RPA CoE(BluePrism) | In Progress | Dev, Acc 95% |
| DLDMT | In Progress | |
| ASD | In Progress | . |
| PRET | In Progress | |
| TSCA Docusign | In Progress | |
| Zammad | In Progress | |
| TEAMMATE | In Progress | |
| NWAR | In Progress | |
| CVS | In Progress | |
| CRSM -SPR API | In Progress | |
| CRSM –SIE | In Progress | |
| CRSM –SPR | In Progress | |
| CRSM -SI API | In Progress | |
| CRSM –TM API | In Progress | |
| CRSM –CRSD | In Progress | |
| iZev | In Progress | |
| PLAINTE | In Progress | |
| LDPS | In Progress |
| Apps/Platforms Backlog | Current State | Notes | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Digital Workspace and GC Docs | Backlog | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| MISS XIM | Planning | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| MMERS | UAT | Waiting on ATOs to go to PROD. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| PRET | DEV | Development work in progress. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| SSCIMS | Planning | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Tachyon | Planning | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| TEAMMATE | UAT | Performance testing in progress. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| RPA CoE (UIPath) | backlog | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| SAP BI | backlog | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| WebFarms | backlog |
}
Business Drivers and Timeline for TC's Journey to the Cloud[edit | edit source]
|
