Cloud Computing Architecture, IT Security, & Operational Perspectives

1
Cloud Computing Architecture, IT Security, & Operational Perspectives
  • Steven R. Hunt, ARC IT Governance Manager, Ames Research Center
  • Matt Linton, IT Security Specialist, Ames Research Center
  • Matt Chew Spence, IT Security Compliance Consultant, Dell Services Federal Government, Ames Research Center
  • August 17, 2010

3
OBJECTIVE: Overview of cloud computing and shared vocabulary
4
What is Cloud Computing?
  • Cloud Computing NIST Definition
  • A model for enabling convenient, on-demand
    network access to a shared pool of configurable
    computing resources (e.g., networks, servers,
    storage, applications, and services) that can be
    rapidly provisioned and released with minimal
    management effort or service provider
    interaction

5
What is Cloud Computing?
Conventional Computing vs. Cloud Computing
  • Conventional
    • Manually Provisioned
    • Dedicated Hardware
    • Fixed Capacity
    • Pay for Capacity
    • Capital & Operational Expenses
    • Managed via Sysadmins
  • Cloud
    • Self-provisioned
    • Shared Hardware
    • Elastic Capacity
    • Pay for Use
    • Operational Expenses
    • Managed via APIs

6
What is Cloud Computing?
  • Five Key Cloud Attributes
  • Shared / pooled resources
  • Broad network access
  • On-demand self-service
  • Scalable and elastic
  • Metered by use

7
What is Cloud Computing?
  • Shared / Pooled Resources
  • Resources are drawn from a common pool
  • Common resources build economies of scale
  • Common infrastructure runs at high efficiency

8
What is Cloud Computing?
  • Broad Network Access
  • Open standards and APIs
  • Almost always IP, HTTP, and REST
  • Available from anywhere with an internet
    connection

9
What is Cloud Computing?
  • On-Demand Self-Service
  • Completely automated
  • Users abstracted from the implementation
  • Near real-time delivery (seconds or minutes)
  • Services accessed through a self-serve
    web interface

10
What is Cloud Computing?
  • Scalable and Elastic
  • Resources dynamically-allocated between users
  • Additional resources dynamically-released when
    needed
  • Fully automated

11
What is Cloud Computing?
  • Metered by Use
  • Services are metered, like a utility
  • Users pay only for services used
  • Services can be cancelled at any time

12
What is Cloud Computing?
Three Service Delivery Models
  • IaaS (Infrastructure as a Service): Consumer can provision computing resources within the provider's infrastructure, upon which they can deploy and run arbitrary software, including OS and applications
  • PaaS (Platform as a Service): Consumer can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure
  • SaaS (Software as a Service): Consumer uses the provider's applications running on the provider's cloud infrastructure
13
What is Cloud Computing?
Service Delivery Model Examples
[Figure: example providers (Amazon, Google, Microsoft, Salesforce) shown against the SaaS, PaaS, and IaaS layers]
Products and companies shown for illustrative purposes only and should not be construed as an endorsement
14
What is Cloud Computing?
Cloud efficiencies and improvements
  • Burst capacity (over-provisioning)
  • Short-duration projects
  • Cancelled or failed missions
  • Cost efficiencies
  • Time efficiencies
  • Power efficiencies
  • Improved process control
  • Improved security
  • Unlimited capacity
  • Procurement
  • Network connectivity
  • Standardized, updated base images
  • Centrally auditable log servers
  • Centralized authentication systems
  • Improved forensics (w/ drive image)

15
OBJECTIVE: Discuss requirements, use cases, and ROI
16
How can NASA benefit from cloud computing?
Current IT options for Scientists
17
How can NASA benefit from cloud computing?
Scientists direct access to Nebula cloud
computing
18
How can NASA benefit from cloud computing?
Offer scientists services to address the gap
19
How can NASA benefit from cloud computing?
ROI and ARC Case Study
POWER: Computers typically require 70% of their total power requirements to run at just 15% utilization.
(15% utilization based on two reports from Gartner Group: Cost of Traditional Data Centers (2009) and Data Center Efficiency (2010).)
20
How can NASA benefit from cloud computing?
ROI and ARC Case Study
  • Operational Enhancements
  • Strict standardization of hardware and
    infrastructure software components
  • Small numbers of system administrators due to the
    cookie-cutter design of cloud components and
    support processes
  • Failure of any single component within the Nebula
    cloud will not become reason for alarm
  • Application operations will realize similar
    efficiencies once application developers learn
    how to properly deploy applications so that they
    are not reliant on any particular cloud
    component.

21
OBJECTIVE: Overview of how NASA is implementing cloud computing
22
How is NASA implementing cloud computing?
23
How is NASA implementing cloud computing?
24
How is NASA implementing cloud computing?
25
How is NASA implementing cloud computing?
  • Nebula Principles
  • Open and Public APIs, everywhere
  • Open-source platform, apps, and data
  • Full transparency
  • Open source code and documentation releases
  • Reference platform
  • Cloud model for Federal Government

26
How is NASA implementing cloud computing?
  • Nebula User Experience
  • Nebula IaaS user will have an experience similar
    to Amazon EC2
  • Dedicated private VLAN for instances
  • Dedicated VPN for access to private VLAN
  • Public IPs to assign to instances
  • Launch VM instances
  • Dashboard for instance control and API access
  • Able to import/export bundled instances to AWS
    and other clouds

Products and companies named for illustrative
purposes only and should not be construed as an
endorsement
27
How is NASA implementing cloud computing?
  • Architecture Drivers
  • Reliability
  • Availability
  • Cost
  • IT Security

28
How is NASA implementing cloud computing?
  • Shared Nothing
    • Messaging Queue
    • State Discovery
    • Standard Protocols
  • Automated
    • IPMI
    • PXEBoot
    • Puppet

29
How is NASA implementing cloud computing?
  • Nebula Infrastructure Components
  • Cloud Node
  • Network Node
  • Compute Node
  • Volume Node
  • Object Node
  • Monitoring / Metering / Logging / Scanning

30
Cloud Node
How is NASA implementing cloud computing?
31
Compute Node
How is NASA implementing cloud computing?
32
Volume Node
How is NASA implementing cloud computing?
33
Object Node
How is NASA implementing cloud computing?
34
Network Node
How is NASA implementing cloud computing?
35
Pilot Lessons Learned - Automate Everything
How is NASA implementing cloud computing?
  • No SysAdmin is perfect
  • 99% is not good enough
  • NEVER make direct system changes
  • When in doubt - PXEBoot

36
Pilot Lessons Learned - Test Everything
How is NASA implementing cloud computing?
  • KVM Jumbo Frames
  • Grinder
  • Unit Tests / Cyclomatic Complexity
  • TransactionID Insertion (Universal Proxy)

37
Pilot Lessons Learned - Monitor Everything
How is NASA implementing cloud computing?
  • Ganglia
  • Munin
  • Syslog-NG PHPSyslog-NG
  • Nagios
  • Custom Log Parsing (Instance-centric)

38
OBJECTIVE: Overview of technical security mechanisms built into Nebula
39
OBJECTIVE: Overview of technical security mechanisms built into Nebula
  • Technical Security Overview
  • Issues with Commercial Cloud Providers
  • Overview of Current Security Mechanisms
  • Innovations

40
How does NASA secure cloud computing?
  • Commercial Cloud Provider Security Concerns
  • IT Security not brought into decision of how and
    when NASA orgs use clouds
  • IT Security may not know NASA orgs are using
    clouds until an incident has occurred
  • Without insight into monitoring/IDS/logs, NASA
    may not find out that an incident has occurred
  • No assurances of sufficient cloud infrastructure
    access to perform proper forensics/investigations
  • These issues are less likely with a private cloud
    like Nebula  

41
How does NASA secure cloud computing?
  • IT Security is built into Nebula
  • User Isolation from Nebula Infrastructure
    • Users only have access to APIs and Dashboards
    • No user direct access to Nebula infrastructure
  • Project-based separation
    • A project is a set of compute resources accessible by one or more users
    • Each project has separate:
      • VLAN for project instances
      • VPN for project users to launch, terminate, and access instances
      • Image library of instances

42
How does NASA secure cloud computing?
  • Networking
  • RFC1918 address space internal to Nebula
  • NAT is used for those hosts within Nebula needing visibility outside a cluster
  • Three core types of networks within Nebula
    • Customer: Customer VLANs are isolated from each other
    • DMZ: Services available to all Nebula such as NTP, DNS, etc.
    • Administrative

43
How does NASA secure cloud computing?
  • Security Groups
  • Combination of VLANs and Subnetting
  • Can be extended to use physical network/node
    separation as well (future)

44
How does NASA secure cloud computing?
[Figure: Nebula network diagram. Labels: Internet; Cloud APIs; S M R; Public IP Space; RFC1918 Space (LAN_X); Bridge; Project A (10.1.1/24); Project B (10.1.2/24); DMZ Services; External Scanner; Security Scanners (Nessus, Hydra, etc.); Log Aggregation, SOC Tap; Event Correlation Engine; Operations Console (custom)]
45
How does NASA secure cloud computing?
  • Firewalls
  • Multiple levels of firewalling
  • Hardware firewall at site border
  • Firewall on cluster network head-ends
  • Host-based firewalls on key hosts
  • Project based rule sets based on Amazon security
    groups

46
How does NASA secure cloud computing?
  • Remote User Access
  • Remote access is only through VPN (OpenVPN)
  • Separate administrative VPN and user VPNs
  • Each project has own VPN server

47
How does NASA secure cloud computing?
  • Intrusion Detection
  • OSSEC on key infrastructure hosts
  • Open source Host-based Intrusion Detection
  • Mirror port to NASA SOC tap
  • Building 10Gb/sec IDS/IPS/Forensics device with
    vendor partners

48
How does NASA secure cloud computing?
  • Configuration Management
  • Puppet used to automatically push out
    configuration changes to infrastructure
  • Automatic reversion of unauthorized changes to
    system

49
How does NASA secure cloud computing?
  • Vulnerability Scanning
  • Nebula uses both internal and external
    vulnerability scanners
  • Correlate findings between internal and external
    scans

50
How does NASA secure cloud computing?
  • Incident Response
  • Procedures for isolating individual VMs, compute
    nodes, and clusters, including
  • Taking snapshot of suspect VMs, including memory
    dump
  • Quarantining a VM within a compute node
  • Disabling VM images so new instances can't be
    launched
  • Quarantining a compute node within a cluster
  • Quarantining a cluster

51
How does NASA secure cloud computing?
  • Role Based Access Control
  • Multiple defined roles within a project
  • Role determines which API calls can be invoked
  • Only network admin can request non-1918 addresses
  • Only system admin can bundle new images
  • etc

52
How does NASA secure cloud computing?
  • Innovation - Security Gates
  • API calls can be intercepted and security gates
    can be imposed on function being called
  • When an instance is launched, it can be scanned
    automatically for vulnerabilities
  • Long term vision is to have a pass/fail launch
    gate based on scan/monitoring results
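
The role check and launch gate described on slides 51 and 52, sketched as an added example (not Nebula code): a dispatcher intercepts each API call, checks the caller's project role, then applies a pass/fail gate before a launch. The role names, call names, severity threshold, and scan-result format are all assumptions made for illustration.

```python
import ipaddress

# Constructed policy: API calls each project role may invoke (assumed names).
BASE = {"run_instance", "terminate_instance", "allocate_address"}
ROLE_CALLS = {"member": BASE, "netadmin": BASE, "sysadmin": BASE | {"bundle_image"}}
# Listed explicitly: ipaddress's is_private also covers loopback, link-local, etc.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_SEVERITY = 6.9  # assumed threshold: findings scored above this block a launch

class Denied(Exception):
    """Raised when the role check or a security gate refuses a call."""

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def authorize(roles, call, params):
    """Role check: the caller's roles in the project decide which calls pass."""
    if not any(call in ROLE_CALLS.get(r, set()) for r in roles):
        raise Denied(f"no role in {sorted(roles)} may invoke {call}")
    if (call == "allocate_address" and "netadmin" not in roles
            and not is_rfc1918(params["address"])):
        raise Denied("only netadmin may request non-RFC1918 addresses")

def launch_gate(params, scans):
    """Pass/fail gate: fail closed on a missing scan or a severe finding."""
    findings = scans.get(params["image_id"])
    if findings is None:
        raise Denied(f"{params['image_id']}: no scan on record")
    worst = max((f["severity"] for f in findings), default=0.0)
    if worst > MAX_SEVERITY:
        raise Denied(f"{params['image_id']}: finding with severity {worst}")

GATES = {"run_instance": launch_gate}  # gates bound to intercepted calls

def dispatch(user, call, params, scans):
    """Intercept an API call: role check first, then any gate bound to it."""
    try:
        authorize(user["roles"], call, params)
        if call in GATES:
            GATES[call](params, scans)
    except Denied as exc:
        return ("denied", str(exc))
    return ("allowed", call)

# Constructed sample data: scan results per image and two project users.
SCANS = {"img-base": [{"id": "F1", "severity": 3.1}],
         "img-old": [{"id": "F2", "severity": 9.8}]}
ALICE = {"name": "alice", "roles": {"member"}}
NORA = {"name": "nora", "roles": {"netadmin"}}

if __name__ == "__main__":
    for user, call, params in [
        (ALICE, "allocate_address", {"address": "198.51.100.7"}),
        (NORA, "allocate_address", {"address": "198.51.100.7"}),
        (ALICE, "run_instance", {"image_id": "img-old"}),
    ]:
        print(user["name"], call, dispatch(user, call, params, SCANS))
```

An image with no scan on record is refused rather than launched, so a gap in scanning cannot silently bypass the gate.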

53
How does NASA secure cloud computing?
  • Vision - Security as a Service
  • Goal - Automate compliance through security
    services provided by cloud provider
  • Security APIs/tools mapped to specific controls
  • Customers could subscribe to tools/services to
    meet compliance requirements
  • When setting up new project in cloud
  • Customers assert nature of data they will use
  • Cloud responds with list of APIs/tools for
    customers to use
  • Currently gathering requirements but funding
    needed to realize vision

54
How does NASA secure cloud computing?
  • Vision - Security Service Bus
  • Goal - FISMA compliance through continuous
    real-time monitoring and situational awareness
  • Security service bus with event driven messaging
    engine
  • Correlate events across provider and multiple
    customers
  • Dashboard view for security providers and
    customers
  • Allows customers to make risk-based security
    decisions based on events experienced by other
    customers
  • Funding Needed to Realize Vision

55
Nebula Open Source Progress
How does NASA secure cloud computing?
  • Significant progress in embracing the value of
    open source software release
  • Agreements with SourceForge and Github
  • Open source identified as an essential component
    of NASA's open government plan
  • Elements of Nebula in open source release
    pipeline
  • Started Feb 2010. Hope for release in June.
  • Working toward continual incremental releases.
  • Exploring avenues to contribute code to external
    projects and to accept external contributions to
    the Nebula code base.

57
Q & A
58
Extended Presentation
59
OBJECTIVE: Overview of Nebula C&A with Lessons Learned
60
FISMA Clouds
  • FISMA Overview
  • Federal Information Security Management Act
  • Requires all Govt computers to be under a
    security plan
  • Mandates following NIST security guidance
  • Required controls depend on FIPS-199 sensitivity
    level
  • Requires periodic assessments of security
    controls
  • Extremely documentation heavy
  • Assumes one organization has responsibility for
    majority of identified security controls
  • FISMA is burdensome to cloud customers
  • Customers want to outsource IT Security to cloud
    provider

61
FISMA Clouds
  • FISMA Responsibilities in Clouds
  • Clouds are a Highly Dynamic Shared Management
    Environment
  • Customers retain FISMA responsibilities for
    aspects of a cloud under their control
  • Responsibilities vary depending on level of
    control maintained by customer
  • Customer control varies relative to service
    delivery model (SaaS, PaaS, or IaaS)
  • Need to define & document responsibilities
  • We parsed 800-53 Rev3 controls per service
    delivery model
  • Nebula currently only offers IaaS
  • We parsed all three service models for future
    planning

62
FISMA Clouds
Customer FISMA Responsibilities for Cloud
Customer FISMA responsibilities increase as customers have more control over security measures
[Figure axis: Cloud Customer Security Responsibility]
  • IaaS: OS Config Mgmt; Anti-Malware; SW Install Controls; OS specific Controls; etc.
  • PaaS: Software Licenses; Developer Testing; App Configuration Management; Software Development Lifecycle
  • SaaS: Identifying data types; Ensuring data appropriate to system; User/Account Management; Personnel Controls
63
FISMA Clouds
  • IaaS Customer Security Plan Coverage Options
  • At inception little guidance existed on cloud
    computing control responsibilities & security
    plan coverage
  • FedRAMP primarily addresses cloud provider
    responsibilities
  • Other than control parsing definitions Customers
    are given little guidance on implementing and
    managing FISMA requirements in a highly dynamic
    shared management environment
  • We have developed the following options

Options (Description / Issues):
  • Customer Owned
    • Description: Customer responsible for own security plan with no assistance from provider
    • Issues: None to Providers. Burdensome to customers.
  • Facilitated
    • Description: Customer responsible for own security plan using NASA template
    • Issues: May still be burdensome to customers. Not scalable unless automated.
  • Agency Owned
    • Description: Agency or Center level Group security plans associated with Cloud providers serve as aggregation point for customer.
    • Issues: May be burdensome to Agency or Center. Requires technology to automate input and aggregation of customer data.
64
FISMA Clouds
  • Current NASA Requirements/Tools may Impede Cloud
    Implementation
  • Default security categorization of Scientific
    and Space Science data as Moderate
  • Independent assessment required for every major
    change
  • Currently requires 3rd party document-centric
    audit
  • Not scalable to cloud environments
  • e-Authentication/AD integration required for all
    NASA Apps
  • NASA implementations don't currently support
    LDAP/SAML-based federated identity management
  • Function-specific stove-piped compliance tools
  • STRAW/PIA tool/AA Repository/NASA electronic
    forms
  • Can't easily automate compliance process for new
    apps

65
FISMA Clouds
  • Emerging Developments in FISMA Clouds
  • Interagency Cloud Computing Security Working
    Group is developing additional baseline security
    requirements for cloud computing providers
  • NIST Cloud Computing guidance forthcoming?
  • Move towards automated risk models and security
    management tools over documentation
  • On the bleeding edge - changing guidance &
    requirements are a key risk factor (and
    opportunity)

66
FISMA Clouds
  • Nebula is Contributing to Cloud Standards
  • Federal Cloud Standards Working Group
  • Fed Cloud Computing Security Working Group
  • Federal Risk and Authorization Management Program
    (FedRAMP)
  • Cloud Audit project
  • Automated Audit, Assertion, Assessment, and Assurance
    API
  • Providing Feedback to NIST and GAO
  • GSA Cloud PMO

67
OBJECTIVE: Overview of how Nebula concepts may integrate with FedRAMP
68
FedRAMP
Federal Risk and Authorization Management Program
  • A Federal Government-Wide program to provide
    Joint Authorizations and Continuous Monitoring
  • Unified Government-Wide risk management
  • Authorizations can be leveraged throughout
    Federal Government
  • This is to be an optional service provided to
    Agencies that does not supplant existing Agency
    authority

69
Independent Agency Risk Management of Cloud
Services
FedRAMP
Federal Agencies

Risk Management

Cloud Service Providers (CSP)
70
Federated Risk Management of Cloud Systems
FedRAMP
Federal Agencies
Risk management cost savings and increased
effectiveness
  • Risk Management
  • Authorization
  • Continuous Monitoring
  • Federal Security Requirements

Risk Management
Interagency vetted approach
FedRAMP
Rapid acquisition through consolidated
risk management

Cloud Service Providers (CSP)
Consistent application of Federal security
requirements
71
FedRAMP Authorization process
FedRAMP
72
FedRAMP Authorization process (cont)
FedRAMP
73
Issues & Concerns
FedRAMP
  • FedRAMP doesn't provide much guidance for
    customer side, e.g. Agency users of cloud
    services
  • Current NIST guidance oriented primarily towards
    Static Single System Owner environments
  • Lack of NIST guidance for Highly Dynamic Shared
    Owner environments, e.g. Virtualized Data
    Centers & Clouds
  • SSP generation & maintenance
  • Application of SP 800-53 (security controls)
  • Application of SP 800-37 (assessment & ATO)
  • Continuous Monitoring
  • Guidance may be forthcoming but NIST is resource
    constrained

74
Potential Solution
FedRAMP
  • Agency/Center level Aggregated SSPs
  • Plan per CSP e.g. Nebula, Amazon, Google,
    Microsoft etc.
  • Plan covers all customers of a specific CSP
  • Technology integration may be needed with SSP
    repository to dynamically update SSP content via
    Web Registration site.
  • Or SSP may be able to point to dynamic content
    entered and housed on Web Registration site ...
    maintained in Wiki type doc.

75
Q & A