Main 2010 Tuesday 5 Hunt Linton ChweSpence

Cloud Computing
Architecture, IT Security, & Operational Perspectives
Steven R. Hunt
ARC IT Governance Manager
Ames Research Center
Matt Linton
IT Security Specialist
Matt Chew Spence

IT Security Compliance Consultant
Dell Services Federal Government
August 17, 2010

Agenda
§Introductions
»Steve Hunt
§What is cloud computing?
»Matt Chew Spence
§How can NASA benefit from cloud computing?
»Matt Chew Spence
§How is NASA implementing cloud computing?
»Matt Linton
§How does NASA secure cloud computing?
»Matt Linton
§Q&A
»Presentation Team
»
Extended Presentation
§FISMA & Clouds
»Matt Chew Spence
»Steve Hunt
§Assessment, Authorization, & FedRAMP
»Steve Hunt
Agenda OBJECTIVE: Overview of cloud
computing and share vocabulary
§Introductions
»Steve Hunt
»Matt Chew Spence
»Matt Chew Spence
»Matt Linton
»Matt Linton
§Q&A
»Presentation Team
»
§FISMA & Clouds
»Matt Chew Spence
»Steve Hunt
»Steve Hunt
What is Cloud Computing?
 Cloud Computing – NIST


Definition:
 “A model for enabling convenient,
on-demand network access to a shared
pool of configurable computing
resources (e.g., networks, servers,
storage, applications, and services)
that can be rapidly provisioned and
released with minimal management
effort or service provider interaction”
Conventional Computing
vs.
Cloud Computing
 Conventional  Cloud
§ Manually Provisioned § Self-provisioned
§ Dedicated Hardware § Shared Hardware
§ Fixed Capacity § Elastic Capacity
§ Pay for Capacity § Pay for Use
§ Capital & Operational § Operational Expenses
Expenses § Managed via APIs
§ Managed via Sysadmins


Five Key Cloud Attributes:
1. Shared / pooled resources
2. Broad network access
3. On-demand self-service
4. Scalable and elastic
5. Metered by use


Shared / Pooled Resources:
§ Resources are drawn from a common pool
§ Common resources build economies of scale
§ Common infrastructure runs at high efficiency


Broad Network Access:
§ Open standards and APIs
§ Almost always IP, HTTP, and REST
§ Available from anywhere with an internet
connection


On-Demand Self-Service:
§ Completely automated
§ Users abstracted from the implementation
§ Near real-time delivery (seconds or minutes)
§ Services accessed through a self-serve
 web interface
§


Scalable and Elastic:
§ Resources dynamically-allocated between
users
§ Additional resources dynamically-released
when needed
§ Fully automated


Metered by Use:
§ Services are metered, like a utility
§ Users pay only for services used
§ Services can be cancelled at any time
Three Service Delivery Models

IaaS: Infrastructure as a Service
Consumer can provision computing resources within
provider's infrastructure upon which they can deploy and
run arbitrary software, including OS and applications
PaaS: Platform as Service
Consumer can create custom applications using
programming tools supported by the provider and deploy
them onto the provider's cloud infrastructure
SaaS: Software as Service
Consumer uses provider’s applications running on
provider's cloud infrastructure
Service Delivery Model Examples

Amazon Google Microsoft Salesforce
SaaS
PaaS
IaaS
Products and companies shown for illustrative purposes only and should not
be construed as an endorsement
Cloud efficiencies and improvements
§ Cost efficiencies $
§ Time efficiencies
§ Power efficiencies
§ Improved process
control
§ Improved security
§ “Unlimited” capacity
Agenda OBJECTIVE: Discuss requirements,
use cases, and ROI
§Introductions
»Steve Hunt
»Matt Chew Spence
»Matt Chew Spence
»Matt Linton
»Matt Linton
§Q&A
»Presentation Team
»
§FISMA & Clouds
»Matt Chew Spence
»Steve Hunt
»Steve Hunt
How can NASA benefit from cloud computing?
Current IT options for Scientists
Requirements* Current Options*
* Requirements and Options documented in over 30+ interviews

with Ames scientists as part 2009 NASA Workstation project.
Scientists direct access to Nebula cloud computing
Mission Objectives
MISSION Explore, Understand, and Share
Aeronautics Exploration Science Space Ops Mission Support
USE CASES
Process Large Data

Run Sets
Compute Intensive Workloads
Scale-out for one-timeRequire
events infrastructure on-demand
Store mission & science
Sharedata
information with the
OCIO INNOVATION
High Compute Vast Storage High Speed Networking
Shared Resource
Offer scientists services to address the gap

Desktop
TARGET COMPUTE Server-based

PLATFORM compute resources
Excellent example
of how OCIO-
High-end Compute Vast Storage High Speed Networking
sponsored
innovation can be
rapidly
transformed into
services that
address Agency Super Computer
mission needs
ROI and ARC Case Study
POWER : Computers typically require 70 % of their total power requirements to r
*15% utilization based on two reports from Gartner Group, Cost of

Traditional Data Centers (2009), and Data Center Efficiency(2010).
ROI and ARC Case Study
§ Operational Enhancements:
» Strict standardization of hardware and
infrastructure software components
» Small numbers of system administrators due to the
cookie-cutter design of cloud components and
support processes
» Failure of any single component within the Nebula
cloud will not become reason for alarm
» Application operations will realize similar
efficiencies once application developers learn
how to properly deploy applications so that they
are not reliant on any particular cloud
component.
»
Agenda OBJECTIVE: Overview of how NASA
is implementing cloud computing
§Introductions
»Steve Hunt
»Matt Chew Spence
»Matt Chew Spence
»Matt Linton
»Matt Linton
§Q&A
»Presentation Team
»
§FISMA & Clouds
»Matt Chew Spence
»Steve Hunt
»Steve Hunt
How is NASA implementing cloud computing?


Nebula Principles
§ Open and Public APIs, everywhere
§ Open-source platform, apps, and data
§ Full transparency
» Open source code and documentation
releases
§ Reference platform
» Cloud model for Federal Government
Nebula User Experience

Nebula IaaS user will have an experience
similar to Amazon EC2:

§ Dedicated private VLAN for instances
§ Dedicated VPN for access to private VLAN
§ Public IPs to assign to instances
§ Launch VM instances
§ Dashboard for instance control and API access
§ Able to import/export bundled instances to
AWS and other clouds
Products and companies named for illustrative purposes only and should not be
construed as an endorsement


Architecture Drivers
§ Reliability
§ Availability
§ Cost
§ IT Security
Shared Nothing
§ Messaging Queue
§ State Discovery
§ Standard Protocols
§
Automated
IPMI
PXEBoot
Puppet



Nebula Infrastructure Components
§ Cloud Node
§ Network Node
§ Compute Node
§ Volume Node
§ Object Node
§ Monitoring / Metering / Logging / Scanning
Cloud Node
Redis KVS
RabbitMQ
Ubuntu OS
Compute Node
Running Instance
Ubuntu OS
Volume Node
Exported Volume
Ubuntu OS
Object Node
Ubuntu OS
Network Node
Ubuntu OS
Pilot Lessons Learned

- Automate Everything
§ No SysAdmin is perfect
§ 99% is not good enough
§ NEVER make direct system changes
§ When in doubt - PXEBoot

- Test Everything
§ KVM + Jumbo Frames

§ Grinder
§ Unit Tests / Cyclometric Complexity
§ TransactionID Insertion (Universal Proxy)
§
§

- Monitor Everything
§ Ganglia
§ Munin
§ Syslog-NG + PHPSyslog-NG
§ Nagios
§ Custom Log Parsing (Instance-centric)
OBJECTIVE: Overview of technical
Agenda security mechanisms built into Nebula
§Introductions
»Steve Hunt
»Matt Chew Spence
»Matt Chew Spence
»Matt Linton
»Matt Linton
§Q&A
»Presentation Team
»
§FISMA & Clouds
»Matt Chew Spence
»Steve Hunt
»Steve Hunt
OBJECTIVE: Overview of technical
security mechanisms built into Nebula
Technical Security Overview

 Issues with Commercial Cloud
Providers

 Overview of Current Security

Mechanisms

 Innovations
How does NASA secure cloud computing?
Commercial Cloud Provider Security Concerns


» IT Security not brought into decision of how &

when NASA orgs use clouds
»
» IT Security may not know NASA orgs are using

clouds until an incident has occurred
»
» Without insight into monitoring/IDS/logs, NASA

may not find out that an incident has occurred
»
» No assurances of sufficient cloud infrastructure

access to perform proper
forensics/investigations
»
» These issues are less likely with a private cloud

like Nebula
»
 IT Security is built into Nebula

§ User Isolation from Nebula Infrastructure
§ Users only have access to APIs and Dashboards
» No user direct access to Nebula
infrastructure
»
§ Project-based separation
» A project is a set of compute resources
accessible by one or more users
»
» Each project has separate:

• VLAN for project instances
• VPN for project users to launch,
terminate, and access instances
• Image library of instances

 Networking
§ RFC1918 address space internal to Nebula
» NAT is used for those hosts within Nebula
needing visibility outside a cluster
»
§ Three core types of networks within Nebula:

» Customer
• Customer VLANs are isolated from each
other
•
» DMZ
• Services available to all Nebula such as
NTP, DNS, etc
•
» Administrative



Security Groups
§ Combination of VLANs and Subnetting
§ Can be extended to use physical
network/node separation as well (future)
Project A
RFC1918
Public IP (10.1.1/24) Space
Space
DMZ (LAN_X)
Services
External
Scanner Operations Console
C (custom)
L
I B O Security Scanners
N R U (Nessus, Hydra, etc)
T S
I D
E M
D
R R
G A Log Aggregation,
N E P SOC Tap
E I
T S
Event Correlation
Engine
Project B
(10.1.2/24)
 Firewalls
§ Multiple levels of firewalling
» Hardware firewall at site border
» Firewall on cluster network head-ends
» Host-based firewalls on key hosts
» Project based rule sets based on Amazon
security groups

 Remote User Access

§ Remote access is only through VPN (openVPN)
§ Separate administrative VPN and user VPNs
§ Each project has own VPN server

 Intrusion Detection
§ OSSEC on key infrastructure hosts
» Open source Host-based Intrusion Detection
»
§ Mirror port to NASA SOC tap

§
§ Building 10Gb/sec IDS/IPS/Forensics device

with vendor partners

 Configuration Management
§ Puppet used to automatically push out
configuration changes to infrastructure

§ Automatic reversion of unauthorized changes

to system

 Vulnerability Scanning
§ Nebula uses both internal and external
vulnerability scanners
§
§ Correlate findings between internal and

external scans

 Incident Response
§ Procedures for isolating individual VMs,
compute nodes, and clusters, including:
§
» Taking snapshot of suspect VMs,

including memory dump
» Quarantining a VM within a compute node
» Disabling VM images so new instances
can’t be launched
» Quarantining a compute node within a
cluster
» Quarantining a cluster
 Role Based Access Control

§ Multiple defined roles within a project
§ Role determines which API calls can be
invoked
» Only network admin can request non-
1918 addresses
» Only system admin can bundle new
images
» etc

 Innovation - Security Gates

§ API calls can be intercepted and security
gates can be imposed on function being
called
§
§ When an instance is launched, it can be

scanned automatically for vulnerabilities
§
§ Long term vision is to have a pass/fail launch

gate based on scan/monitoring results

§
§

 Vision - Security as a Service

§ Goal - Automate compliance through security
services provided by cloud provider
§
§ Security APIs/tools mapped to specific controls

» Customers could subscribe to tools/services
to meet compliance requirements
»
§ When setting up new project in cloud

» Customers assert nature of data they will use
» Cloud responds with list of APIs/tools for
customers to use
»
§ Currently gathering requirements but funding

needed to realize vision
§
§

 Vision - Security Service Bus

§ Goal - FISMA compliance through continuous
real-time monitoring and situational awareness
§
» Security service bus with event driven

messaging engine
» Correlate events across provider and
multiple customers
» Dashboard view for security providers and
customers
» Allows customers to make risk-based
security decisions based on events
experienced by other customers
»
§ Funding Needed to Realize Vision


§
§

Nebula Open Source Progress

§ Significant progress in embracing the value of
open source software release

» Agreements with SourceForge and Github

» Open source identified as an essential component
of NASA’s open government plan
»
§ Elements of Nebula in open source release

pipeline

» Started Feb 2010. Hope for release in June.

» Working toward continual incremental releases.
» Exploring avenues to contribute code to external
projects and to accept external contributions to
the Nebula code base.
»
Agenda
§Introductions
»Steve Hunt
»Matt Chew Spence
»Matt Chew Spence
»Matt Linton
»Matt Linton
§Q&A
»Presentation Team
»
§FISMA & Clouds
»Matt Chew Spence
»Steve Hunt
»Steve Hunt
Q&A
Agenda OBJECTIVE: Overview of Nebula C&A
with Lessons Learned
§Introductions
»Steve Hunt
»Matt Chew Spence
»Matt Chew Spence
»Matt Linton
»Matt Linton
§Q&A
»Presentation Team
»
§FISMA & Clouds
»Matt Chew Spence
»Steve Hunt
»Steve Hunt
FISMA & Clouds
 FISMA Overview
§ Federal Information Security Management Act
– Requires all Gov’t computers to be under a security plan
– Mandates following NIST security guidance
– Required controls depend on FIPS-199 sensitivity level
– Requires periodic assessments of security controls
– Extremely documentation heavy
– Assumes one organization has responsibility for majority
of identified security controls

§ FISMA is burdensome to cloud customers

– Customers want to outsource IT Security to cloud
provider
§

§
FISMA & Clouds
 FISMA Responsibilities in Clouds

§ Clouds are a “Highly Dynamic Shared Management
Environment”
» Customers retain FISMA responsibilities for aspects of a
cloud under their control
» Responsibilities vary depending on level of control
maintained by customer
» Customer control varies relative to service delivery model
(SaaS, PaaS, or IaaS)
»
§ Need to define & document responsibilities

» We parsed 800-53 Rev3 controls per service delivery
model
»
§ Nebula currently only offers IaaS

» We parsed all three service models for future planning

FISMA & Clouds
Customer FISMA Responsibilities for Cloud
Customer FISMA
responsibilities Increase IaaS
as Customers have more OS Config Mgmt
control over security Anti-Malware
measures SW Install Controls
OS specific Controls
PaaS etc
Cloud
Software Licenses Customer
Developer Testing Security
App Configuration Management Responsibility
Software Development Lifecycle
SaaS
Identifying data types

Ensuring data appropriate to system
User/Account Management
Personnel Controls
62
FISMA & Clouds
 IaaS Customer Security Plan Coverage Options

§ At inception little guidance existed on cloud computing control
responsibilities & security plan coverage
§
§ FedRAMP primarily addresses cloud provider responsibilities

» Other than control parsing definitions Customers are given little
guidance on implementing and managing FISMA requirements
in a highly dynamic shared management environment
»
§ We have developed the following options:

§

Option Description Issues
Customer
Facilitated
Agency Owned
Owned Customer
Agency or responsible
Center levelfor May
Nonebe
still
to burdensome
Providers
be burdensometo to

own security
“Group” security
planplans
with no
using Agency
customers.
Burdensome
or Center.
to customers
assistance
NASA
associated
template
from
with Cloud
provider Requires
Not scalabletechnology
unless to
providers serve as automated.
automate input and
aggregation point for aggregation of customer
customer. data.
FISMA & Clouds
Current NASA Requirements/Tools may Impede


Cloud Implementation
§ Default security categorization of Scientific and Space Science
data as “Moderate”
» Independent assessment required for every major change
• Currently requires 3rd party document-centric audit
• Not scalable to cloud environments
•
§ e-Authentication/AD integration required for all NASA Apps
» NASA implementations don’t currently support
LDAP/SAML-based federated identity management
»
§ Function-specific stove-piped compliance tools
» STRAW/PIA tool/A&A Repository/NASA electronic forms
» Can’t easily automate compliance process for new apps
»
»
»

64

FISMA & Clouds
Emerging Developments in FISMA & Clouds


§ Interagency Cloud Computing Security Working Group

is developing additional baseline security requirements
for cloud computing providers
§
§ NIST Cloud Computing guidance forthcoming?

§
§ Move towards automated risk models and security

management tools over documentation
§
§ On the bleeding edge - changing guidance &

requirements are a key risk factor (and opportunity)
»

65
FISMA & Clouds
Nebula is Contributing to Cloud Standards


§ Federal Cloud Standards Working Group

§ Fed Cloud Computing Security Working
Group
» Federal Risk & Authorization
Management Program (FedRAMP)
§ Cloud Audit project
» Automated Audit Assertion Assessment
& Assurance API
§ Providing Feedback to NIST and GAO
§ GSA Cloud PMO
»
»

66
Agenda OBJECTIVE: Overview of how Nebula
concepts may integrate with FedRAMP
§Introductions
»Steve Hunt
»Matt Chew Spence
»Matt Chew Spence
»Matt Linton
»Matt Linton
§Q&A
»Presentation Team
»
§FISMA & Clouds
»Matt Chew Spence
»Steve Hunt
»Steve Hunt
FedRAMP
§ A Federal Government-Wide program to provide

“Joint Authorizations” and Continuous
Monitoring
» Unified Government-Wide risk management
» Authorizations can be leveraged throughout
Federal Government
»
§ This is to be an optional service provided to

Agencies that does not supplant existing
Agency authority
FedRAMP
Independent Agency Risk Management of Cloud Services
Federal Agencies
: Duplicative risk
… management efforts
: Incompatible agency
policies
Risk Management
: Acquisition slowed by
lengthy compliance
processes
: Potential for inconsistent

… application of Federal
Cloud Service Providers (CSP) security requirements
FedRAMP
Federated Risk Management of Cloud Systems
Federal Agencies : Risk management cost

savings and increased
effectiveness
…
Risk Management
Authorization
Risk Management Continuous
: Interagency vetted
Monitoring
Federal Security approach
Requirements
: Rapid acquisition
through consolidated
risk management
…
Cloud Service Providers (CSP)
: Consistent
application of Federal
security requirements
FedRAMP
FedRAMP Authorization process

FedRAMP
FedRAMP Authorization process (cont)

FedRAMP
Issues & Concerns

§ FedRAMP doesn’t provide much guidance for customer
side … e.g. Agency users of cloud services

§ Current NIST guidance oriented primarily towards “Static

Single System Owner” environments

§ Lack of NIST guidance for “Highly Dynamic Shared

Owner” environments … e.g. Virtualized Data Centers &
Clouds
» SSP generation & maintenance
» Application of SP 800-53 (security controls)
» Application of SP 800-37 (assessment & ATO)
» Continuous Monitoring
»
§ Guidance may be forthcoming but NIST is resource

constrained
FedRAMP
Potential Solution
§ Agency/Center level Aggregated SSPs:


» Plan per CSP … e.g. Nebula, Amazon,

Google, Microsoft … etc.
» Plan covers all customers of a specific
CSP
» Technology integration may be needed
with SSP repository to dynamically
update SSP content via Web
Registration site.
» Or … SSP may be able to point to
dynamic content entered and housed on
Web Registration site ... maintained in
Presentation Title
Wiki type doc.
—‹#›—
March 5, 2010
Q&A

Main 2010 Tuesday 5 Hunt Linton ChweSpence

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Main 2010 Tuesday 5 Hunt Linton ChweSpence

Uploaded by

Copyright:

Available Formats

Cloud Computing

Architecture, IT Security, & Operational Perspectives

Matt Chew Spence

August 17, 2010

 Cloud Computing – NIST

Three Service Delivery Models

Service Delivery Model Examples

Cloud efficiencies and improvements

Current IT options for Scientists

Requirements* Current Options*

* Requirements and Options documented in over 30+ interviews

Scientists direct access to Nebula cloud computing

Aeronautics Exploration Science Space Ops Mission Support

Process Large Data

High Compute Vast Storage High Speed Networking

Offer scientists services to address the gap

TARGET COMPUTE Server-based

ROI and ARC Case Study

POWER : Computers typically require 70 % of their total power requirements to r

*15% utilization based on two reports from Gartner Group, Cost of

ROI and ARC Case Study

Nebula User Experience

similar to Amazon EC2:

Pilot Lessons Learned

Pilot Lessons Learned

§ KVM + Jumbo Frames

Pilot Lessons Learned

Technical Security Overview

 Overview of Current Security

Commercial Cloud Provider Security Concerns

» IT Security not brought into decision of how &

» IT Security may not know NASA orgs are using

» Without insight into monitoring/IDS/logs, NASA

» No assurances of sufficient cloud infrastructure

» These issues are less likely with a private cloud

 IT Security is built into Nebula

» Each project has separate:

§ Three core types of networks within Nebula:

 Remote User Access

§ Mirror port to NASA SOC tap

§ Building 10Gb/sec IDS/IPS/Forensics device

§ Automatic reversion of unauthorized changes

§ Correlate findings between internal and

» Taking snapshot of suspect VMs,

 Role Based Access Control

 Innovation - Security Gates

§ When an instance is launched, it can be

§ Long term vision is to have a pass/fail launch

 Vision - Security as a Service

§ Security APIs/tools mapped to specific controls

§ When setting up new project in cloud

§ Currently gathering requirements but funding

 Vision - Security Service Bus

» Security service bus with event driven

§ Funding Needed to Realize Vision

Nebula Open Source Progress

» Agreements with SourceForge and Github

§ Elements of Nebula in open source release

» Started Feb 2010. Hope for release in June.

§ FISMA is burdensome to cloud customers

 FISMA Responsibilities in Clouds

§ Need to define & document responsibilities

§ Nebula currently only offers IaaS

Customer FISMA Responsibilities for Cloud