Steven R. Hunt, ARC IT Governance Manager, Ames Research Center
Matt Linton, IT Security Specialist, Ames Research Center
Agenda
- Introductions (Steve Hunt)
- Presentation Team
- Extended Presentation
- FISMA & Clouds (Matt Chew Spence, Steve Hunt)
- Q&A
Cloud Computing, NIST definition: A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Conventional Computing vs. Cloud Computing
  Conventional                     Cloud
  Manually provisioned             Self-provisioned
  Dedicated hardware               Shared hardware
  Fixed capacity                   Elastic capacity
  Pay for capacity                 Pay for use
  Capital & operational expenses   Operational expenses
  Managed via sysadmins            Managed via APIs
1. Shared / pooled resources
2. Broad network access
3. On-demand self-service
4. Scalable and elastic
5. Metered by use
On-Demand Self-Service:
- Completely automated
- Users abstracted from the implementation
- Near real-time delivery (seconds or minutes)
- Services accessed through a self-serve web interface
Metered by Use:
- Services are metered, like a utility
- Users pay only for services used
- Services can be cancelled at any time
Service models (diagram of example products at each layer): IaaS, PaaS, SaaS
Products and companies shown for illustrative purposes only and should not be construed as an endorsement
- Standardized, updated base images
- Centrally auditable log servers
- Centralized authentication systems
- Improved forensics (with drive image)
BUY IT: Go through a lengthy procurement and provisioning process for basic IT services.
DO NOTHING: The current basic IT services model is cost prohibitive, and I cannot afford to process my data and share it with collaborators and the public at large.
* Requirements and options documented in over 30 interviews with Ames scientists as part of the 2009 NASA Workstation project.
USE CASES across NASA mission directorates (Aeronautics, Exploration, Science, Space Ops, Mission Support): high-end compute, vast storage, shared resource, supercomputer.
OCIO INNOVATION: Excellent example of how OCIO-sponsored innovation can be rapidly transformed into services that address Agency mission needs.
POWER: Computers typically draw 70% of their total power requirement while running at just 15% utilization.*
* 15% utilization figure based on two Gartner Group reports: Cost of Traditional Data Centers (2009) and Data Center Efficiency (2010).
Nebula Principles
- Open and public APIs, everywhere
- Open-source platform, apps, and data
- Full transparency
- Open source code and documentation releases
- Reference platform: cloud model for the Federal Government
Nebula User Experience: a Nebula IaaS user will have an experience similar to Amazon EC2:
- Dedicated private VLAN for instances
- Dedicated VPN for access to the private VLAN
- Public IPs to assign to instances
- Launch VM instances
- Dashboard for instance control and API access
- Able to import/export bundled instances to AWS and other clouds
Products and companies named for illustrative purposes only and should not be construed as an endorsement
Architecture Drivers: Reliability, Availability, Cost, IT Security
- Shared nothing: messaging queue, state discovery, standard protocols
- Automated: IPMI, PXE boot, Puppet
Node types (diagram): Cloud Node; Compute Node (Ubuntu OS, brctl bridging); Volume Node (Ubuntu OS, PXE, Puppet, LVM, volumes exported over AoE, Nova volume service); Object Node; Network Node (Ubuntu OS, PXE, Puppet, brctl, 802.1q project VLANs, iptables between the project VLAN and the public Internet).
Networking
- RFC1918 address space internal to Nebula
- NAT is used for those hosts within Nebula needing visibility outside a cluster
- Three core types of networks within Nebula:
  - Customer: customer VLANs are isolated from each other
  - DMZ: services available to all of Nebula, such as NTP, DNS, etc.
  - Administrative
Security Groups
- Combination of VLANs and subnetting
- Can be extended to use physical network/node separation as well (future)
(Diagram: external scanner on the Internet; cloud APIs; bridge; SMR; project networks such as Project B, 10.1.2.0/24.)
Firewalls
- Multiple levels of firewalling
- Hardware firewall at the site border
- Firewall on cluster network head-ends
- Host-based firewalls on key hosts
- Project-based rule sets based on Amazon security groups
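The head-end and security-group layers above are a policy-to-rules problem: each project's Amazon-style ingress list has to become iptables rules that keep customer VLANs isolated from each other while still reaching the shared DMZ services. The following is an added example, not Nebula's code. Everything in it is constructed for illustration: the project subnets, the DMZ range 10.0.0.0/24 holding NTP and DNS, the `sg:<name>` convention for referring to another project's group, and the `is_allowed` simulator used to check the compiled policy.

```python
"""
Added example (not Nebula's code): compile per-project security-group rules
into iptables rules for a cluster head-end and simulate the result to check
that project VLANs stay isolated. Subnets, DMZ range and rule format are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DMZ = "10.0.0.0/24"                                      # constructed DMZ range
DMZ_SERVICES = [("udp", 123), ("udp", 53), ("tcp", 53)]  # NTP and DNS for every project


@dataclass
class Rule:
    proto: str            # "tcp", "udp" or "icmp"
    port: Optional[int]   # destination port; None for icmp
    source: str           # a CIDR, or "sg:<name>" meaning another group's VLAN


@dataclass
class SecurityGroup:
    name: str
    cidr: str                                         # the project's VLAN subnet
    ingress: List[Rule] = field(default_factory=list)


def resolve_source(groups: Dict[str, SecurityGroup], source: str) -> ipaddress.IPv4Network:
    """Turn a rule's source into a network; 'sg:x' becomes group x's subnet."""
    if source.startswith("sg:"):
        return ipaddress.ip_network(groups[source[3:]].cidr)
    return ipaddress.ip_network(source)


def compile_rules(groups: Dict[str, SecurityGroup]) -> List[str]:
    """Emit iptables commands: default-deny FORWARD, one chain per project."""
    rules = ["iptables -P FORWARD DROP"]
    for g in groups.values():
        chain = f"SG_{g.name.upper()}"
        rules += [
            f"iptables -N {chain}",
            f"iptables -A FORWARD -d {g.cidr} -j {chain}",          # dispatch by destination VLAN
            f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        ]
        for r in g.ingress:
            src = resolve_source(groups, r.source)
            match = f"-s {src} -p {r.proto}" + ("" if r.proto == "icmp" else f" --dport {r.port}")
            rules.append(f"iptables -A {chain} {match} -j ACCEPT")
        rules += [
            f'iptables -A {chain} -j LOG --log-prefix "{chain}-DROP "',  # log before the terminal drop
            f"iptables -A {chain} -j DROP",
        ]
    # Shared DMZ services are reachable from every project; nothing else in the DMZ is.
    for proto, port in DMZ_SERVICES:
        rules.append(f"iptables -A FORWARD -d {DMZ} -p {proto} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -d {DMZ} -j DROP")
    return rules


def is_allowed(groups: Dict[str, SecurityGroup], src_ip: str, dst_ip: str,
               proto: str, port: Optional[int] = None) -> bool:
    """Simulate first-match evaluation of the compiled policy for a new flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst in ipaddress.ip_network(DMZ):
        return (proto, port) in DMZ_SERVICES
    for g in groups.values():
        if dst in ipaddress.ip_network(g.cidr):
            for r in g.ingress:
                if (src in resolve_source(groups, r.source) and r.proto == proto
                        and (proto == "icmp" or r.port == port)):
                    return True
            return False          # the chain's terminal DROP
    return False                  # no chain matched: FORWARD policy DROP


# Constructed sample: project A exposes SSH and HTTP to anyone; project B only
# accepts PostgreSQL from project A's VLAN and ICMP from its own VLAN.
GROUPS = {
    "a": SecurityGroup("a", "10.1.1.0/24",
                       [Rule("tcp", 22, "0.0.0.0/0"), Rule("tcp", 80, "0.0.0.0/0")]),
    "b": SecurityGroup("b", "10.1.2.0/24",
                       [Rule("tcp", 5432, "sg:a"), Rule("icmp", None, "sg:b")]),
}

if __name__ == "__main__":
    for line in compile_rules(GROUPS):
        print(line)
    assert is_allowed(GROUPS, "10.1.1.5", "10.1.2.7", "tcp", 5432)       # A -> B postgres
    assert not is_allowed(GROUPS, "10.1.2.7", "10.1.1.5", "tcp", 5432)   # B -> A postgres
    assert not is_allowed(GROUPS, "10.1.1.5", "10.1.2.7", "tcp", 22)     # A -> B ssh: isolated
```

The dispatch-by-destination layout means a project's chain is the only place its policy lives, so a rule review per project is a review of one chain; the LOG before the terminal DROP is what gives the IDS and forensics teams the cross-VLAN attempt record.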
Intrusion Detection
- OSSEC on key infrastructure hosts (open source, host-based intrusion detection)
- Mirror port to the NASA SOC tap
- Building a 10 Gb/sec IDS/IPS/forensics device with vendor partners
Configuration Management
- Puppet used to automatically push out configuration changes to infrastructure
- Automatic reversion of unauthorized changes to the system
Vulnerability Scanning
- Nebula uses both internal and external vulnerability scanners
- Correlate findings between internal and external scans
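Correlating the two scans is where the value is: a finding the external scanner also sees is reachable from the Internet, one only the internal scanner sees is being filtered by the border firewall, and one only the external scanner sees points at a NAT forward or scanner blind spot that nobody has accounted for. The following is an added example, not Nebula's code. Everything in it is constructed: the CSV finding format, the NAT map (TEST-NET-1 public addresses), the check IDs, the approved-exposure list and the findings themselves.

```python
"""
Added example (not Nebula's code): correlate findings from an internal scan
(run inside the cluster against RFC1918 addresses) and an external scan (run
from the Internet against the NAT'd public addresses) and class each finding
by real exposure. CSV format, NAT map, check IDs and findings are constructed.
"""
import csv
import io
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, int, str, str]   # (internal host, port, proto, check id)

# Constructed NAT table: public address -> internal host
NAT_MAP = {"192.0.2.10": "10.1.2.7", "192.0.2.11": "10.1.1.5"}

# Constructed record of approved public exposure, as (host, port)
ALLOWED_PUBLIC: Set[Tuple[str, int]] = {("10.1.2.7", 80), ("10.1.1.5", 22)}

INTERNAL_SCAN = """host,port,proto,check,severity
10.1.2.7,22,tcp,ssh-weak-mac,medium
10.1.2.7,5432,tcp,postgres-default-creds,high
10.1.2.7,80,tcp,http-server-banner,low
10.1.1.5,22,tcp,ssh-weak-mac,medium
"""

EXTERNAL_SCAN = """host,port,proto,check,severity
192.0.2.10,80,tcp,http-server-banner,low
192.0.2.10,5432,tcp,postgres-default-creds,high
192.0.2.11,22,tcp,ssh-weak-mac,medium
192.0.2.10,8080,tcp,http-proxy-open,medium
"""


def parse_scan(text: str, nat_map: Optional[Dict[str, str]] = None) -> Dict[Finding, str]:
    """Parse CSV findings; with a NAT map, public hosts are mapped to internal ones."""
    out: Dict[Finding, str] = {}
    for row in csv.DictReader(io.StringIO(text)):
        host = row["host"]
        if nat_map is not None:
            host = nat_map.get(host, host)   # unmapped public hosts stay visible as-is
        out[(host, int(row["port"]), row["proto"], row["check"])] = row["severity"]
    return out


def correlate(internal: Dict[Finding, str], external: Dict[Finding, str],
              allowed_public: Set[Tuple[str, int]]) -> Dict[str, List[Finding]]:
    """Class each finding by where it was observed.

    exposed:       seen by both scanners, so reachable from the Internet; fix first
    unexpected:    exposed on a (host, port) nobody approved; a firewall or NAT gap
    internal_only: the border firewall filters it; still a vulnerability, lower priority
    external_only: the internal scanner missed it (NAT forward to an unknown host,
                   or a scanner blind spot); investigate the discrepancy
    """
    both = sorted(set(internal) & set(external))
    return {
        "exposed": both,
        "unexpected": [f for f in both if (f[0], f[1]) not in allowed_public],
        "internal_only": sorted(set(internal) - set(external)),
        "external_only": sorted(set(external) - set(internal)),
    }


def report() -> Dict[str, List[Finding]]:
    """Run the correlation over the constructed sample scans."""
    return correlate(parse_scan(INTERNAL_SCAN),
                     parse_scan(EXTERNAL_SCAN, NAT_MAP),
                     ALLOWED_PUBLIC)


if __name__ == "__main__":
    for category, findings in report().items():
        print(category)
        for host, port, proto, check in findings:
            print(f"  {host}:{port}/{proto}  {check}")
```

The "unexpected" bucket is the one to act on first: on the sample data it flags PostgreSQL on 10.1.2.7 answering from the public address, which the project's rule set should never have allowed through the border.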
Incident Response
Procedures for isolating individual VMs, compute nodes, and clusters, including:
- Taking a snapshot of suspect VMs, including a memory dump
- Quarantining a VM within a compute node
- Disabling VM images so new instances can't be launched
- Quarantining a compute node within a cluster
- Quarantining a cluster
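The first three steps above can be carried out entirely on the compute node: because each VM reaches the node's Linux bridge (brctl) through its own tap interface, iptables' `physdev` match can fence one VM while its neighbours keep running, and the memory dump is taken from the hypervisor side without touching the guest. The following is an added example, not Nebula's code; commands are assembled for review rather than executed. Assumed, since the deck does not name them: libvirt's `virsh` for the snapshot and memory dump, a forensic collector at 10.0.0.50 reachable over TCP 22, and the VM, tap and image names.

```python
"""
Added example (not Nebula's code): quarantine a single VM on a compute node.
Snapshot disk and memory first, then fence the VM's tap interface with
physdev rules so it can only reach the forensic collector, and disable its
image. Dry run: commands are collected, not executed. virsh, the collector
address and all names are assumptions.
"""
from typing import Dict, List

FORENSIC_COLLECTOR = "10.0.0.50"   # constructed: where dumps and logs are sent
COLLECTOR_PORT = 22                # constructed: ssh/scp to the collector


class ComputeNode:
    def __init__(self) -> None:
        self.images: Dict[str, bool] = {}      # image id -> launchable?
        self.vms: Dict[str, dict] = {}         # vm name -> tap, image, state
        self.commands: List[str] = []          # what would have been run

    def register_image(self, image_id: str) -> None:
        self.images[image_id] = True

    def can_launch(self, image_id: str) -> bool:
        return self.images.get(image_id, False)

    def disable_image(self, image_id: str) -> None:
        """Stop new instances of a suspect image from being launched."""
        self.images[image_id] = False

    def launch(self, name: str, image_id: str, tap: str) -> None:
        if not self.can_launch(image_id):
            raise PermissionError(f"image {image_id} is disabled or unknown")
        self.vms[name] = {"tap": tap, "image": image_id, "quarantined": False}

    def quarantine_vm(self, name: str, disable_image: bool = True) -> List[str]:
        """Snapshot (disk + memory) first, then fence the VM's tap interface."""
        vm = self.vms[name]
        tap = vm["tap"]
        fwd = "iptables -I FORWARD -m physdev"
        cmds = [
            # 1. Preserve volatile state before anything changes it (assumed virsh).
            f"virsh snapshot-create {name}",                  # disk snapshot
            f"virsh dump {name} /forensics/{name}.core",      # guest memory from the host side
            # 2. Bridged frames only traverse iptables with bridge-nf enabled.
            "sysctl -w net.bridge.bridge-nf-call-iptables=1",
            # 3. Rules are inserted at the top so they win over project rules;
            #    inserted in reverse so the final order is allow, log, drop.
            f"{fwd} --physdev-in {tap} -j DROP",
            f'{fwd} --physdev-in {tap} -j LOG --log-prefix "QUARANTINE-{tap} "',
            f"{fwd} --physdev-in {tap} -d {FORENSIC_COLLECTOR} -p tcp --dport {COLLECTOR_PORT} -j ACCEPT",
            f"{fwd} --physdev-out {tap} -j DROP",
            f"{fwd} --physdev-out {tap} -s {FORENSIC_COLLECTOR} -j ACCEPT",
        ]
        if disable_image:
            self.disable_image(vm["image"])   # no fresh instances of the suspect image
        vm["quarantined"] = True
        self.commands += cmds
        return cmds

    def allowed(self, name: str, dst_ip: str, proto: str, port: int) -> bool:
        """Simulate the fence: a quarantined VM may only talk to the collector."""
        vm = self.vms[name]
        if not vm["quarantined"]:
            return True   # the project's security-group rules decide (not modelled here)
        return dst_ip == FORENSIC_COLLECTOR and proto == "tcp" and port == COLLECTOR_PORT


def demo() -> ComputeNode:
    """Two VMs from one image; quarantine the suspect, leave its neighbour alone."""
    node = ComputeNode()
    node.register_image("img-research-01")          # constructed image id
    node.launch("vm-suspect", "img-research-01", "tap0")
    node.launch("vm-neighbour", "img-research-01", "tap1")
    node.quarantine_vm("vm-suspect")
    return node


if __name__ == "__main__":
    for cmd in demo().commands:
        print(cmd)
```

Quarantining a whole compute node or cluster is the same pattern one layer up: the fence moves from the node's tap interfaces to the head-end's uplink or the border firewall, and the snapshot step becomes a snapshot of every VM on the node.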
Q&A
Extended Presentation
FISMA Overview
Federal Information Security Management Act
- Requires all Government computers to be under a security plan
- Mandates following NIST security guidance
- Required controls depend on the FIPS-199 sensitivity level
- Requires periodic assessments of security controls
- Extremely documentation heavy
- Assumes one organization has responsibility for the majority of the identified security controls
Cloud customer security responsibility by service model
- IaaS: OS configuration management, anti-malware, software installation controls, OS-specific controls, etc.
- PaaS and SaaS: software licenses, developer testing, application configuration management, software development lifecycle, identifying data types, ensuring data is appropriate to the system, user/account management, personnel controls
Facilitated
Agency Owned
- e-Authentication/AD integration required for all NASA apps
- NASA implementations don't currently support LDAP/SAML-based federated identity management
- Function-specific, stove-piped compliance tools (STRAW, PIA tool, A&A Repository, NASA electronic forms)
- Can't easily automate the compliance process for new apps
Nebula is Contributing to Cloud Standards
- Federal Cloud Standards Working Group
- Fed Cloud Computing Security Working Group
- Federal Risk & Authorization Management Program (FedRAMP)
- Cloud Audit project: Automated Audit Assertion Assessment & Assurance API
- Providing feedback to NIST and GAO
- GSA Cloud PMO
FedRAMP
- A Federal Government-wide program to provide joint authorizations and continuous monitoring
- Unified Government-wide risk management
- Authorizations can be leveraged throughout the Federal Government
- This is to be an optional service provided to Agencies that does not supplant existing Agency authority
(Diagram: Federal agencies and FedRAMP share risk management, authorization, continuous monitoring and Federal security requirements; result: risk management cost savings and increased effectiveness.)
FedRAMP process
1. Agency X releases an RFP for a new IT system and awards the contract to a cloud service provider (CSP)
2. Agency X submits a request to the FedRAMP office for the CSP to be FedRAMP authorized to operate
3. The CSP is put into the FedRAMP priority queue (prioritization occurs based on factors such as multi-agency use, number of expected users, etc.)
4. The CSP has an independent assessment of security controls and develops the appropriate reports for submission to the FedRAMP office
5. The FedRAMP office reviews and assembles the final authorization package for the JAB (Joint Authorization Board)
6. The FedRAMP office adds the CSP to the authorized system inventory to be reviewed and leveraged by all Federal agencies
Potential Solution
Agency/Center-level aggregated SSPs (System Security Plans):
- One plan per CSP, e.g. Nebula, Amazon, Google, Microsoft, etc.
- The plan covers all customers of a specific CSP
- Technology integration may be needed with the SSP repository to dynamically update SSP content via the web registration site; or the SSP may be able to point to dynamic content entered and housed on the web registration site, maintained in a wiki-type document
March 5, 2010
Q&A