International Computing Centre needs an extension of its in-house delivery to multi-hybrid cloud

ITB for the UN Cloud

ICC – International Computing Centre (UN), Geneva

UNICC is based in Geneva and has offices in New York, Rome, Brindisi and Valencia.
UNICC is meeting the challenges and drivers for organizations to move to new private, hybrid and public cloud offerings. UNICC offers assessment, migration and implementation as well as fully managed operational support for a number of cloud typologies, including Microsoft O365 Management services (including SharePoint Online), MS Azure Management services, AWS Management services, Cloud Web Hosting, MS Dynamics 365 and ServiceNow management service.
In order to allow a seamless extension of its in-house delivery to multi-hybrid cloud, UNICC would like to implement and integrate a software solution capable of providing full IaaS experience.

Technical Scope – Key Requirements

This ITB document outlines the requirements to build, and transition to operations, a UN Private Cloud in the UNICC Data Centres.

• The core principle for the UN Private Cloud is Digital Trust. UNICC believes that trust in technology requires the solution to offer (i) reproducible builds, (ii) end-to-end assurance of the software supply chain, (iii) attributable configuration changes and (iv) continuous assurance during on-going operations. These attributes should deliver a completely auditable and transparent software stack, from the base operating system and virtualisation platform to the complex artificial learning algorithm. Therefore, UNICC strongly encourages respondents to highlight Open Source Software solution components and software licensing arrangements (with preference given to public domain). If the respondents have a mix of closed and open-source software to complete their solution stack, they are expected to highlight the different components clearly in their responses. Furthermore, UNICC would also like to understand the respondent’s willingness to share, or grant access to, the source code for audits under NDA.

• The respondents are expected to provide clear answers on which of the ‘must have’ and ‘should have’ requirements their technical solution is capable of meeting.

• As the operator of the AS-IS on-premises data centre for the UN eco-system, UNICC has a number of existing operational tools. Some details of these tools/solutions have been provided as guidance for the respondents in the different cloud components sections below. UNICC is willing to understand if other tools performing similar tasks are a better fit for the respondent’s technology stack. Pricing for such tools must be provided separately, so that UNICC can make a cost/benefit decision.

• Current UNICC Data Centres are located in Switzerland, Spain and United States. The implementation scope of this ITB will be two data centres, one each in Switzerland and Spain.

• The scope of the ITB covers implementation of functionalities similar to that of major public clouds covering IaaS, PaaS and serverless options. However, please pay close attention to the Minimum Viable Product (MVP) definition for UN Cloud. The respondents are expected to provide pricing for the MVP to be implemented in phase I and a ‘not-to-exceed’ pricing for phase II. Phase II will cover all other requirements listed in this ITB.

• The technical solution(s) will be installed on UNICC premises, will be entirely managed by UNICC and must include all required elements from the front-end user interface to the backend software, including licenses. This includes all ‘control plane’ as well as ‘deployment plane’ components. The control plane (for example K8 or hypervisor management) cannot be outside of UNICC premises or depend upon external services for management of the UNICC.

• The solution provider can recommend specific hardware if it is relevant and include it as an annex, with a separate ‘order-of-magnitude’ quotation. If software cost is influenced by the consideration of the hardware, please specify. Where possible, UNICC limits the acquisition of and investment in specialised hardware. It is seeking a solution where the hardware as a commodity is operated at the lowest possible cost, but in compliance with UNICC’s need to operate energy-efficient and carbon-neutral green data centres.

• The UN Cloud will be used to run and operate solutions built for the UN Member States, UN Organization and its Specialised Agencies. It must be ‘multi-tenanted’ by design and provide capabilities for internal as well as external developers to consume Infrastructure as Code.

• The respondents should list any external dependencies needed for the solution to offer Internet facing services (Edge network, DNS, certificates, PKI infrastructure, etc.) and provide guidelines about how to integrate with these dependencies and any suggestions about how they should be managed to have a fully automated platform. In line with the drive towards automation, any manual or “high touch” elements, or procedures must be listed.

• The solution should be as modular as possible. If any of the requirements need a new module/tool to provide the stated functionality, it should be specified as a required dependency so UNICC can properly analyse the cost/complexity of adding that requirement. UNICC needs complete visibility over all the functionalities of each module/solution.

Must Have

• Full on-premises solution to meet all the necessary requirements of this ITB document, with no operational dependencies on any non-UNICC entity (e.g. 3rd party or cloud provider).

• Proven capability to extend the on-premises solution to external cloud providers (Azure and AWS) in a hybrid/multi-cloud mode; i.e. it should be capable of using, even for the same application, on-premise resources and commercial cloud providers’ resources (e.g. extend the K8 namespaces from the same app across clouds; keeping the data on-premise with compute in the cloud).

• The solution must support clean multi-tenancy, with logical separation between different clients and for specific client teams within the tenant (e.g. developers) or running COTS software on top of virtual machines. Key controls must be provided to protect against “east west” traffic flow between tenants, by default. A malicious or compromised tenant must not be able to discover the identity of other tenants (e.g. through namespace enumeration) and attempts to compromise other tenants must be blocked, logged and attributed. UNICC requires the solution provider to notify them on an on-going basis of any known (or suspected/credible) platform control weaknesses that could lead to a breach.

• The solution must support multi-domain data segregation covering common scenarios; e.g. when extending on-premise applications to multiple CSPs, the solution must by default protect on-premise data from being migrated off-premise. The solution must also prevent data leakage/exfiltration of cloud-hosted data off-cloud (by default).

• Full-stack installation automation: addition of new compute nodes (fully automated for virtual servers, nice to have with physical servers), network configuration and storage management

• Platform updates and patches must be available through a pull mechanism (no forced updates) with deployment at the discretion of UNICC without service interruption (your response must detail if this requires the purchase/adoption of additional hardware or software components and/or requires a particular architecture to achieve).

• The solution must support hosting at multiple sites in support of redundancy and disaster recovery. Please specify how the solution manages the data synchronisation between different sites.

As a reference, UNICC has two data centres in Geneva with metropolitan distance separation.

• The solution must have HA for every single component. No SPOF allowed for the core infrastructure. Where this is discretionary, this must be clearly stated with cost impact.

• UNICC has standardised on Terraform for Infrastructure as Code (IaC) and therefore any solution must be fully compatible. In addition, the vendor must provide written assurance that investment in future Terraform compatibility will be a funded priority. If there are currency compatibility gaps, these must be highlighted.

• UNICC uses upstream Ansible for Configuration as Code (CaC) with UNICC AWX for configuration management. The respondents are welcome to suggest supported versions of Ansible or an alternate solution with similar functionality for Config as Code.

• Continuous Infrastructure Automation (CIA): The solution should be capable of working with major DevOps platforms like Atlassian Cloud or GitLab; specifically, Git as the code repository.

• CMDB: The solution must support integration with ServiceNow as a CMDB tool. However, UNICC will also want to understand the GitOps capabilities of the proposed solution.

• Security threat detection, response and remediation: The solution must be compatible with UNICC’s Security Operations Centre tool set comprising Splunk, Redcloak, Microsoft Defender, CyberArk, ELK and Qualys. The solution must provide UNICC the ability to detect, respond to and remediate cyber threats in a timely manner. Specify the capabilities of the solution in this regard. The solution should offer security features and functionalities that are modular in nature, which UNICC Partner agencies can subscribe to at additional but transparent costs.

Could have

• Capable of modularly adding Cloud Native solutions on top of the IaaS/PaaS

• Open / Extensible architecture that supports adding new modules/features without service interruption.

• Versatility to deliver emerging technologies

• FinOps Capabilities/Support (refer to telemetry section)