
Cloud Computing Architecture, IT Security, & Operational Perspectives

Cloud Computing Architecture, IT Security, & Operational Perspectives. Steven R. Hunt, ARC IT Governance Manager, Ames Research Center; Matt Linton, IT Security Specialist, Ames Research Center; Matt Chew Spence, IT Security Compliance Consultant, Dell Services Federal Government.


Presentation Transcript


  1. Cloud Computing Architecture, IT Security, & Operational Perspectives. Steven R. Hunt, ARC IT Governance Manager, Ames Research Center; Matt Linton, IT Security Specialist, Ames Research Center; Matt Chew Spence, IT Security Compliance Consultant, Dell Services Federal Government. Ames Research Center, August 17, 2010

  2. Agenda
    • Introductions (Steve Hunt)
    • What is cloud computing? (Matt Chew Spence)
    • How can NASA benefit from cloud computing? (Matt Chew Spence)
    • How is NASA implementing cloud computing? (Matt Linton)
    • How does NASA secure cloud computing? (Matt Linton)
    • Q&A (Presentation Team)
    • Extended Presentation
      • FISMA & Clouds (Matt Chew Spence, Steve Hunt)
      • Assessment, Authorization, & FedRAMP (Steve Hunt)

  3. OBJECTIVE: Overview of cloud computing and share vocabulary (section divider repeating the agenda from slide 2)

  4. What is Cloud Computing? Cloud Computing – NIST Definition: “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”

  5. What is Cloud Computing? Conventional Computing vs. Cloud Computing
    Conventional:
    • Manually provisioned
    • Dedicated hardware
    • Fixed capacity
    • Pay for capacity
    • Capital & operational expenses
    • Managed via sysadmins
    Cloud:
    • Self-provisioned
    • Shared hardware
    • Elastic capacity
    • Pay for use
    • Operational expenses
    • Managed via APIs

  6. What is Cloud Computing? Five Key Cloud Attributes:
    • Shared / pooled resources
    • Broad network access
    • On-demand self-service
    • Scalable and elastic
    • Metered by use

  7. What is Cloud Computing? Shared / Pooled Resources:
    • Resources are drawn from a common pool
    • Common resources build economies of scale
    • Common infrastructure runs at high efficiency

  8. What is Cloud Computing? Broad Network Access:
    • Open standards and APIs
    • Almost always IP, HTTP, and REST
    • Available from anywhere with an internet connection

  9. What is Cloud Computing? On-Demand Self-Service:
    • Completely automated
    • Users abstracted from the implementation
    • Near real-time delivery (seconds or minutes)
    • Services accessed through a self-serve web interface

  10. What is Cloud Computing? Scalable and Elastic:
    • Resources dynamically allocated between users
    • Additional resources dynamically released when needed
    • Fully automated

  11. What is Cloud Computing? Metered by Use:
    • Services are metered, like a utility
    • Users pay only for services used
    • Services can be cancelled at any time

  12. What is Cloud Computing? Three Service Delivery Models
    • IaaS: Infrastructure as a Service
      • Consumer can provision computing resources within the provider's infrastructure, upon which they can deploy and run arbitrary software, including OS and applications
    • PaaS: Platform as a Service
      • Consumer can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure
    • SaaS: Software as a Service
      • Consumer uses the provider's applications running on the provider's cloud infrastructure

  13. What is Cloud Computing? Service Delivery Model Examples (figure: Amazon, Google, Salesforce and Microsoft placed against SaaS, PaaS and IaaS). Products and companies shown for illustrative purposes only and should not be construed as an endorsement.

  14. What is Cloud Computing? Cloud efficiencies and improvements
    • Burst capacity (over-provisioning)
    • Short-duration projects
    • Cancelled or failed missions
    • Cost efficiencies
    • Time efficiencies
    • Power efficiencies
    • Improved process control
    • Improved security
    • “Unlimited” capacity
    • Procurement
    • Network connectivity
    • Standardized, updated base images
    • Centrally auditable log servers
    • Centralized authentication systems
    • Improved forensics (w/ drive image)

  15. OBJECTIVE: Discuss requirements, use cases, and ROI (section divider repeating the agenda from slide 2)

  16. How can NASA benefit from cloud computing? Current IT options for Scientists (figure: Current Options* vs. Requirements*)
    * Requirements and options documented in over 30 interviews with Ames scientists as part of the 2009 NASA Workstation project.

  17. How can NASA benefit from cloud computing? Scientists' direct access to Nebula cloud computing (figure)
    Mission objectives: Explore, Understand, and Share
    Mission: Aeronautics, Exploration, Science, Space Ops, Mission Support
    Use cases: Process large data sets; Run compute-intensive workloads; Scale out for one-time events; Require infrastructure on demand; Store mission & science data; Share information with the public
    OCIO innovation: High compute, Vast storage, High-speed networking, Shared resource

  18. How can NASA benefit from cloud computing? Offer scientists services to address the gap (figure: target compute platform ranging from Desktop through Server-based compute resources to Super Computer; High-end Compute, Vast Storage, High Speed Networking). Excellent example of how OCIO-sponsored innovation can be rapidly transformed into services that address Agency mission needs.

  19. How can NASA benefit from cloud computing? ROI and ARC Case Study
    • POWER: Computers typically require 70% of their total power requirements to run at just 15% utilization.*
    * 15% utilization based on two reports from Gartner Group, Cost of Traditional Data Centers (2009), and Data Center Efficiency (2010).

  20. How can NASA benefit from cloud computing? ROI and ARC Case Study
    • Operational Enhancements:
      • Strict standardization of hardware and infrastructure software components
      • Small numbers of system administrators due to the cookie-cutter design of cloud components and support processes
      • Failure of any single component within the Nebula cloud will not become a reason for alarm
      • Application operations will realize similar efficiencies once application developers learn how to properly deploy applications so that they are not reliant on any particular cloud component.

  21. OBJECTIVE: Overview of how NASA is implementing cloud computing (section divider repeating the agenda from slide 2)

  22. How is NASA implementing cloud computing?

  23. How is NASA implementing cloud computing?

  24. How is NASA implementing cloud computing?

  25. How is NASA implementing cloud computing? Nebula Principles
    • Open and public APIs, everywhere
    • Open-source platform, apps, and data
    • Full transparency
    • Open source code and documentation releases
    • Reference platform
    • Cloud model for Federal Government

  26. How is NASA implementing cloud computing? Nebula User Experience
    A Nebula IaaS user will have an experience similar to Amazon EC2:
    • Dedicated private VLAN for instances
    • Dedicated VPN for access to the private VLAN
    • Public IPs to assign to instances
    • Launch VM instances
    • Dashboard for instance control and API access
    • Able to import/export bundled instances to AWS and other clouds
    Products and companies named for illustrative purposes only and should not be construed as an endorsement

  27. How is NASA implementing cloud computing? Architecture Drivers
    • Reliability
    • Availability
    • Cost
    • IT Security

  28. How is NASA implementing cloud computing?
    Shared Nothing:
    • Messaging Queue
    • State Discovery
    • Standard Protocols
    Automated:
    • IPMI
    • PXEBoot
    • Puppet

  29. How is NASA implementing cloud computing? Nebula Infrastructure Components
    • Cloud Node
    • Network Node
    • Compute Node
    • Volume Node
    • Object Node
    • Monitoring / Metering / Logging / Scanning

  30. How is NASA implementing cloud computing? Cloud Node (diagram): Nova Cloud Node with LDAP Data Store, Redis KVS, RabbitMQ; Puppet, PXE, Ubuntu OS

  31. How is NASA implementing cloud computing? Compute Node (diagram): Nova Compute Node running instances on a Project VLAN; LibVirt, KVM, Brctl, 802.1(q); Puppet, PXE, Ubuntu OS

  32. How is NASA implementing cloud computing? Volume Node (diagram): Nova Volume Node with Exported Volume over AoE, LVM; Puppet, PXE, Ubuntu OS

  33. How is NASA implementing cloud computing? Object Node (diagram): Nova Object Node with Nginx; Puppet, PXE, Ubuntu OS

  34. How is NASA implementing cloud computing? Network Node (diagram): Nova Network Node between Project VLAN and Public Internet; Brctl, IPTables, 802.1(q); Puppet, PXE, Ubuntu OS

  35. How is NASA implementing cloud computing? Pilot Lessons Learned - Automate Everything
    • No SysAdmin is perfect
    • 99% is not good enough
    • NEVER make direct system changes
    • When in doubt - PXEBoot

  36. How is NASA implementing cloud computing? Pilot Lessons Learned - Test Everything
    • KVM + Jumbo Frames
    • Grinder
    • Unit Tests / Cyclometric Complexity
    • TransactionID Insertion (Universal Proxy)

  37. How is NASA implementing cloud computing? Pilot Lessons Learned - Monitor Everything
    • Ganglia
    • Munin
    • Syslog-NG + PHPSyslog-NG
    • Nagios
    • Custom Log Parsing (Instance-centric)

  38. OBJECTIVE: Overview of technical security mechanisms built into Nebula (section divider repeating the agenda from slide 2)

  39. OBJECTIVE: Overview of technical security mechanisms built into Nebula
    • Technical Security Overview
    • Issues with Commercial Cloud Providers
    • Overview of Current Security Mechanisms
    • Innovations

  40. How does NASA secure cloud computing? Commercial Cloud Provider Security Concerns
    • IT Security not brought into the decision of how & when NASA orgs use clouds
    • IT Security may not know NASA orgs are using clouds until an incident has occurred
    • Without insight into monitoring/IDS/logs, NASA may not find out that an incident has occurred
    • No assurances of sufficient cloud infrastructure access to perform proper forensics/investigations
    • These issues are less likely with a private cloud like Nebula

  41. How does NASA secure cloud computing? IT Security is built into Nebula
    • User isolation from Nebula infrastructure
      • Users only have access to APIs and dashboards
      • No user direct access to Nebula infrastructure
    • Project-based separation
      • A project is a set of compute resources accessible by one or more users
      • Each project has separate:
        • VLAN for project instances
        • VPN for project users to launch, terminate, and access instances
        • Image library of instances

  42. How does NASA secure cloud computing? Networking
    • RFC1918 address space internal to Nebula
    • NAT is used for those hosts within Nebula needing visibility outside a cluster
    • Three core types of networks within Nebula:
      • Customer: customer VLANs are isolated from each other
      • DMZ: services available to all of Nebula, such as NTP, DNS, etc.
      • Administrative

  43. How does NASA secure cloud computing? Security Groups
    • Combination of VLANs and subnetting
    • Can be extended to use physical network/node separation as well (future)

  44. How does NASA secure cloud computing? (network diagram) Project A (10.1.1/24) and Project B (10.1.2/24) in RFC1918 space (LAN_X); Public IP space; DMZ Services; Internet; External Scanner; Cloud APIs; SMR; Operations Console (custom); Bridge; Security Scanners (Nessus, Hydra, etc.); Log Aggregation, SOC Tap; Event Correlation Engine

  45. How does NASA secure cloud computing? Firewalls
    • Multiple levels of firewalling
      • Hardware firewall at site border
      • Firewall on cluster network head-ends
      • Host-based firewalls on key hosts
    • Project-based rule sets based on Amazon security groups
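The project-based isolation described on slides 41 to 45 (a separate RFC1918 VLAN per project, customer VLANs isolated from each other, Amazon-style security-group rule sets enforced with iptables on the network node) can be modelled as follows. This is an added example, not Nebula's code; the project names, subnets, VPN client pools and chain layout are assumptions.

```python
# Added example, not from the Nebula presentation: renders project-based firewall
# rule sets (modelled on Amazon security groups) as iptables FORWARD rules for a
# network node and evaluates them.  Names, subnets, VPN pools: constructed data.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    proto: str            # "tcp", "udp" or "icmp"
    port: Optional[int]   # destination port, None for icmp
    source: str           # CIDR permitted to reach the project's instances

@dataclass
class Project:
    name: str
    subnet: str           # the project's RFC1918 VLAN subnet
    rules: List[Rule] = field(default_factory=list)

SAMPLE_PROJECTS = [
    Project("project-a", "10.1.1.0/24", [
        Rule("tcp", 22, "10.200.0.0/24"),   # project-a VPN client pool (assumed)
        Rule("tcp", 443, "0.0.0.0/0")]),    # public web service
    Project("project-b", "10.1.2.0/24", [
        Rule("tcp", 22, "10.201.0.0/24")]), # project-b VPN client pool (assumed)
]

def render_rules(projects: List[Project]) -> List[str]:
    """Default-deny between VLANs; only the listed ingress is opened."""
    lines = ["-P FORWARD DROP",
             "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for p in projects:
        net = ip_network(p.subnet)
        if not net.is_private:
            raise ValueError(f"{p.name}: {p.subnet} is not RFC1918 space")
        for r in p.rules:
            line = f"-A FORWARD -s {r.source} -d {net} -p {r.proto}"
            if r.port is not None:
                line += f" --dport {r.port}"
            lines.append(f"{line} -m comment --comment {p.name} -j ACCEPT")
    return lines

def permitted(projects: List[Project], src: str, dst: str,
              proto: str, port: Optional[int] = None) -> bool:
    """Model the policy for one new flow: allowed only by an explicit rule."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for p in projects:
        if dst_ip in ip_network(p.subnet):
            return any(src_ip in ip_network(r.source) and r.proto == proto
                       and (r.port is None or r.port == port) for r in p.rules)
    return False   # destination is not a project VLAN: nothing is forwarded
```

With these sample rule sets an instance in project B cannot reach project A on port 22 even though both sit in RFC1918 space; only project A's own VPN pool can.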

  46. How does NASA secure cloud computing? Remote User Access
    • Remote access is only through VPN (OpenVPN)
    • Separate administrative VPN and user VPNs
    • Each project has its own VPN server

  47. How does NASA secure cloud computing? Intrusion Detection
    • OSSEC on key infrastructure hosts
      • Open source host-based intrusion detection
    • Mirror port to NASA SOC tap
    • Building 10Gb/sec IDS/IPS/Forensics device with vendor partners

  48. How does NASA secure cloud computing? Configuration Management
    • Puppet used to automatically push out configuration changes to infrastructure
    • Automatic reversion of unauthorized changes to the system

  49. How does NASA secure cloud computing? Vulnerability Scanning
    • Nebula uses both internal and external vulnerability scanners
    • Correlate findings between internal and external scans
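Correlating the internal and external scan results mentioned above requires translating the external scanner's view (public IPs reached through NAT, as described on slide 42) back to the instance addresses the internal scanner saw, and then treating each bucket of the comparison differently. The following is an added example, not part of the presentation; the addresses, NAT mapping and finding identifiers are constructed placeholders.

```python
# Added example, not from the presentation: correlates findings from an internal
# scanner (inside the project VLAN) with an external scanner (outside the border
# firewall, seeing NAT'd public IPs).  All addresses and finding IDs are constructed.
from dataclasses import dataclass
from typing import Dict, Set

@dataclass(frozen=True)
class Finding:
    host: str         # address as the scanner saw it
    port: int
    finding_id: str   # scanner check identifier (placeholder values)

INTERNAL: Set[Finding] = {
    Finding("10.1.1.10", 22, "FINDING-SSH-WEAK-CIPHERS"),
    Finding("10.1.1.10", 443, "FINDING-TLS-OLD-VERSION"),
    Finding("10.1.1.11", 3306, "FINDING-DB-NO-AUTH"),
}
EXTERNAL: Set[Finding] = {
    Finding("198.51.100.10", 443, "FINDING-TLS-OLD-VERSION"),
    Finding("198.51.100.11", 3306, "FINDING-DB-NO-AUTH"),
    Finding("198.51.100.99", 80, "FINDING-HTTP-DIR-LISTING"),
}
NAT_MAP: Dict[str, str] = {  # public IP -> RFC1918 instance address (constructed)
    "198.51.100.10": "10.1.1.10",
    "198.51.100.11": "10.1.1.11",
}

def normalise_external(findings: Set[Finding], nat_map: Dict[str, str]) -> Set[Finding]:
    """Rewrite external findings to internal addresses so the two sets can be matched.
    Hosts with no NAT record keep their public IP: an unexplained exposure in itself."""
    return {Finding(nat_map.get(f.host, f.host), f.port, f.finding_id) for f in findings}

def correlate(internal: Set[Finding], external: Set[Finding]) -> Dict[str, Set[Finding]]:
    """Split findings by where they were observed; each bucket calls for a different action."""
    return {
        # visible from the Internet and confirmed inside: exposed, fix first
        "exposed": internal & external,
        # masked by the firewall/NAT but still present on the host: fix, lower urgency
        "internal_only": internal - external,
        # seen only from outside: unknown host, stale NAT rule or internal scanner blind spot
        "external_only": external - internal,
    }
```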

  50. How does NASA secure cloud computing? Incident Response
    • Procedures for isolating individual VMs, compute nodes, and clusters, including:
      • Taking a snapshot of suspect VMs, including memory dump
      • Quarantining a VM within a compute node
      • Disabling VM images so new instances can’t be launched
      • Quarantining a compute node within a cluster
      • Quarantining a cluster
