Steven R. Hunt
ARC IT Governance Manager
Ames Research Center
Matt Linton
IT Security Specialist
Ames Research Center
Extended Presentation
§FISMA & Clouds
»Matt Chew Spence
»Steve Hunt
§Assessment, Authorization, & FedRAMP
»Steve Hunt
Agenda
OBJECTIVE: Overview of cloud computing and share vocabulary
§ Introductions
» Steve Hunt
§ What is cloud computing?
» Matt Chew Spence
§ How can NASA benefit from cloud computing?
» Matt Chew Spence
§ How is NASA implementing cloud computing?
» Matt Linton
§ How does NASA secure cloud computing?
» Matt Linton
§ Q&A
» Presentation Team
What is Cloud Computing?
Conventional Computing vs. Cloud Computing
Conventional vs. Cloud:
§ Manually Provisioned vs. Self-provisioned
§ Dedicated Hardware vs. Shared Hardware
§ Fixed Capacity vs. Elastic Capacity
§ Pay for Capacity vs. Pay for Use
§ Capital & Operational Expenses vs. Operational Expenses
§ Managed via Sysadmins vs. Managed via APIs
What is Cloud Computing?
Five Key Cloud Attributes:
1. Shared / pooled resources
2. Broad network access
3. On-demand self-service
4. Scalable and elastic
5. Metered by use
What is Cloud Computing?
Shared / Pooled Resources:
§ Resources are drawn from a common pool
§ Common resources build economies of scale
§ Common infrastructure runs at high efficiency
What is Cloud Computing?
Broad Network Access:
§ Open standards and APIs
§ Almost always IP, HTTP, and REST
§ Available from anywhere with an internet connection
What is Cloud Computing?
On-Demand Self-Service:
§ Completely automated
§ Users abstracted from the implementation
§ Near real-time delivery (seconds or minutes)
§ Services accessed through a self-serve web interface
What is Cloud Computing?
Scalable and Elastic:
§ Resources dynamically allocated between users
§ Additional resources dynamically released when needed
§ Fully automated
What is Cloud Computing?
Metered by Use:
§ Services are metered, like a utility
§ Users pay only for services used
§ Services can be cancelled at any time
What is Cloud Computing?
SaaS
PaaS
IaaS
Products and companies shown for illustrative purposes only and should not be construed as an endorsement
What is Cloud Computing?
§ Cost efficiencies $
§ Time efficiencies
§ Power efficiencies
§ Improved process control
§ Improved security
§ “Unlimited” capacity
Agenda
OBJECTIVE: Discuss requirements, use cases, and ROI
How can NASA benefit from cloud computing?
Mission Objectives
MISSION: Explore, Understand, and Share
[Diagram: Use Cases, OCIO Innovation, Shared Resource]
How can NASA benefit from cloud computing?
Excellent example of how OCIO-sponsored innovation can be rapidly transformed into services that address Agency mission needs
[Diagram: High-end Compute, Vast Storage, High Speed Networking, Super Computer]
How can NASA benefit from cloud computing?
§ Operational Enhancements:
» Strict standardization of hardware and infrastructure software components
» Small numbers of system administrators due to the cookie-cutter design of cloud components and support processes
» Failure of any single component within the Nebula cloud will not become reason for alarm
» Application operations will realize similar efficiencies once application developers learn how to properly deploy applications so that they are not reliant on any particular cloud component.
Agenda
OBJECTIVE: Overview of how NASA is implementing cloud computing
How is NASA implementing cloud computing?
Nebula Principles
§ Open and Public APIs, everywhere
§ Open-source platform, apps, and data
§ Full transparency
» Open source code and documentation releases
§ Reference platform
» Cloud model for Federal Government
How is NASA implementing cloud computing?
Products and companies named for illustrative purposes only and should not be construed as an endorsement
How is NASA implementing cloud computing?
Architecture Drivers
§ Reliability
§ Availability
§ Cost
§ IT Security
How is NASA implementing cloud computing?
Shared Nothing
§ Messaging Queue
§ State Discovery
§ Standard Protocols
Automated
§ IPMI
§ PXEBoot
§ Puppet
How is NASA implementing cloud computing?
Nebula Infrastructure Components
§ Cloud Node
§ Network Node
§ Compute Node
§ Volume Node
§ Object Node
§ Monitoring / Metering / Logging / Scanning
How is NASA implementing cloud computing?
§ Cloud Node: Redis KVS, RabbitMQ, Ubuntu OS
§ Compute Node: Running Instance, Ubuntu OS
§ Volume Node: Exported Volume, Ubuntu OS
§ Object Node: Ubuntu OS
§ Network Node: Ubuntu OS
How is NASA implementing cloud computing?
§ No SysAdmin is perfect
§ 99% is not good enough
§ NEVER make direct system changes
§ When in doubt - PXEBoot
OBJECTIVE: Overview of technical security mechanisms built into Nebula
Innovations
How does NASA secure cloud computing?
§ Project-based separation
» A project is a set of compute resources accessible by one or more users
Networking
§ RFC1918 address space internal to Nebula
» NAT is used for those hosts within Nebula needing visibility outside a cluster
» DMZ
• Services available to all Nebula such as NTP, DNS, etc
» Administrative
How does NASA secure cloud computing?
Security Groups
§ Combination of VLANs and Subnetting
§ Can be extended to use physical network/node separation as well (future)
How does NASA secure cloud computing?
[Network diagram: Project A (10.1.1/24) and Project B (10.1.2/24) in RFC1918 space; Public IP space; DMZ (LAN_X) services; External Scanner; Operations Console; Security Scanners (Nessus, Hydra, etc); Log Aggregation, SOC Tap; Event Correlation Engine]
How does NASA secure cloud computing?
Firewalls
§ Multiple levels of firewalling
» Hardware firewall at site border
» Firewall on cluster network head-ends
» Host-based firewalls on key hosts
» Project based rule sets based on Amazon security groups
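As an added illustration (not Nebula's own code or rule sets), a small Python model of the project-based separation and per-project firewall rule sets described in the slides above: first match wins, unmatched traffic is dropped, and no rule joins the two projects. The project subnets come from the slide diagram; the DMZ range, the operations console address and the rules themselves are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Project subnets are from the slide diagram; the rest are assumed values.
PROJECT_A = ip_network("10.1.1.0/24")
PROJECT_B = ip_network("10.1.2.0/24")
DMZ = ip_network("10.1.0.0/24")            # assumed: LAN_X shared-services range
OPS_CONSOLE = ip_network("10.1.0.10/32")   # assumed: operations console host
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))   # address space internal to Nebula
ANY = (ip_network("0.0.0.0/0"),)


@dataclass(frozen=True)
class Rule:
    src: Tuple[IPv4Network, ...]
    dst: Tuple[IPv4Network, ...]
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None matches every destination port
    action: str           # "allow" or "deny"

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, port: int) -> bool:
        return (any(src in n for n in self.src) and any(dst in n for n in self.dst)
                and self.proto in ("any", proto) and self.port in (None, port))


def evaluate(rules, src: str, dst: str, proto: str, port: int) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, proto, port):
            return rule.action
    return "deny"


def nebula_ruleset():
    """Project-based rule sets in the style of Amazon security groups (assumed)."""
    return [
        # DMZ services (DNS, NTP) reachable from every project inside Nebula
        Rule(RFC1918, (DMZ,), "udp", 53, "allow"),
        Rule(RFC1918, (DMZ,), "udp", 123, "allow"),
        # administrative SSH only from the operations console
        Rule((OPS_CONSOLE,), ANY, "tcp", 22, "allow"),
        # Project A exposes a web service; each project may talk to itself
        Rule(ANY, (PROJECT_A,), "tcp", 80, "allow"),
        Rule((PROJECT_A,), (PROJECT_A,), "any", None, "allow"),
        Rule((PROJECT_B,), (PROJECT_B,), "any", None, "allow"),
        # no rule joins Project A and Project B, so cross-project traffic is denied
    ]
```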
How does NASA secure cloud computing?
Intrusion Detection
§ OSSEC on key infrastructure hosts
» Open source Host-based Intrusion Detection
Configuration Management
§ Puppet used to automatically push out configuration changes to infrastructure
Vulnerability Scanning
§ Nebula uses both internal and external vulnerability scanners
Incident Response
§ Procedures for isolating individual VMs, compute nodes, and clusters, including:
Q&A
Agenda
OBJECTIVE: Overview of Nebula C&A with Lessons Learned
FISMA & Clouds
FISMA Overview
§ Federal Information Security Management Act
– Requires all Gov’t computers to be under a security plan
– Mandates following NIST security guidance
– Required controls depend on FIPS-199 sensitivity level
– Requires periodic assessments of security controls
– Extremely documentation heavy
– Assumes one organization has responsibility for majority of identified security controls
FISMA & Clouds
Customer FISMA responsibilities increase as customers have more control over security measures (Cloud Customer Security Responsibility grows from SaaS to IaaS):
IaaS
– OS Config Mgmt, Anti-Malware, SW Install Controls, OS specific Controls, etc
PaaS
– Software Licenses, Developer Testing, App Configuration Management, Software Development Lifecycle
SaaS
FISMA & Clouds
Option: Customer Owned
Description: Customer responsible for own security plan with no assistance from Cloud provider.
Issues: Burdensome to customers. Not scalable unless automated.
Option: Agency Owned
Description: Agency- or Center-level “Group” security plans using Agency or Center NASA template.
Issues: May still be burdensome to customers.
Option: Facilitated
Description: Providers serve as aggregation point for customer.
Issues: None associated with Cloud provider. Requires technology to automate input and aggregation of customer data.
FISMA & Clouds
Cloud Implementation
§ Default security categorization of Scientific and Space Science data as “Moderate”
» Independent assessment required for every major change
• Currently requires 3rd party document-centric audit
• Not scalable to cloud environments
§ e-Authentication/AD integration required for all NASA Apps
» NASA implementations don’t currently support LDAP/SAML-based federated identity management
§ Function-specific stove-piped compliance tools
» STRAW/PIA tool/A&A Repository/NASA electronic forms
» Can’t easily automate compliance process for new apps
Agenda
OBJECTIVE: Overview of how Nebula concepts may integrate with FedRAMP
FedRAMP
Federal Agencies:
§ Duplicative risk management efforts
§ Incompatible agency policies
§ Acquisition slowed by lengthy compliance processes
Risk Management (FedRAMP, Potential Solution):
§ Rapid acquisition through consolidated risk management
§ Cloud Service Providers (CSP): Consistent application of Federal security requirements