Title: Cloud Computing Architecture, IT Security, Operational Perspectives
- Steven R. Hunt
- ARC IT Governance Manager
- Ames Research Center
- Matt Linton
- IT Security Specialist
- Ames Research Center
- Matt Chew Spence
- IT Security Compliance Consultant
- Dell Services Federal Government
- Ames Research Center
- August 17, 2010
OBJECTIVE: Overview of cloud computing and shared vocabulary
What is Cloud Computing?
- Cloud Computing: NIST Definition
- A model for enabling convenient, on-demand
network access to a shared pool of configurable
computing resources (e.g., networks, servers,
storage, applications, and services) that can be
rapidly provisioned and released with minimal
management effort or service provider
interaction
What is Cloud Computing?
Conventional Computing vs. Cloud Computing
| Conventional Computing | Cloud Computing |
| Manually provisioned | Self-provisioned |
| Dedicated hardware | Shared hardware |
| Fixed capacity | Elastic capacity |
| Pay for capacity | Pay for use |
| Capital & operational expenses | Operational expenses |
| Managed via sysadmins | Managed via APIs |
What is Cloud Computing?
- Five Key Cloud Attributes
- Shared / pooled resources
- Broad network access
- On-demand self-service
- Scalable and elastic
- Metered by use
What is Cloud Computing?
- Shared / Pooled Resources
- Resources are drawn from a common pool
- Common resources build economies of scale
- Common infrastructure runs at high efficiency
What is Cloud Computing?
- Broad Network Access
- Open standards and APIs
- Almost always IP, HTTP, and REST
- Available from anywhere with an internet
connection
What is Cloud Computing?
- On-Demand Self-Service
- Completely automated
- Users abstracted from the implementation
- Near real-time delivery (seconds or minutes)
- Services accessed through a self-serve web interface
What is Cloud Computing?
- Scalable and Elastic
- Resources dynamically allocated between users
- Additional resources dynamically released when needed
- Fully automated
What is Cloud Computing?
- Metered by Use
- Services are metered, like a utility
- Users pay only for services used
- Services can be cancelled at any time
What is Cloud Computing?
Three Service Delivery Models
- IaaS (Infrastructure as a Service): Consumer can provision computing resources within the provider's infrastructure, upon which they can deploy and run arbitrary software, including OS and applications
- PaaS (Platform as a Service): Consumer can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure
- SaaS (Software as a Service): Consumer uses the provider's applications running on the provider's cloud infrastructure
What is Cloud Computing?
Service Delivery Model Examples (diagram): Amazon, Google, Microsoft and Salesforce placed across the SaaS, PaaS and IaaS layers
Products and companies shown for illustrative purposes only and should not be construed as an endorsement
What is Cloud Computing?
Cloud efficiencies and improvements
- Burst capacity (over-provisioning)
- Short-duration projects
- Cancelled or failed missions
- Cost efficiencies
- Time efficiencies
- Power efficiencies
- Improved process control
- Improved security
- Unlimited capacity
- Procurement
- Network connectivity
- Standardized, updated base images
- Centrally auditable log servers
- Centralized authentication systems
- Improved forensics (w/ drive image)
OBJECTIVE: Discuss requirements, use cases, and ROI
How can NASA benefit from cloud computing?
Current IT options for scientists
How can NASA benefit from cloud computing?
Scientists' direct access to Nebula cloud computing
How can NASA benefit from cloud computing?
Offer scientists services to address the gap
How can NASA benefit from cloud computing?
ROI and ARC Case Study
POWER: Computers typically require 70% of their total power requirements to run at just 15% utilization.
15% utilization based on two reports from Gartner Group, Cost of Traditional Data Centers (2009) and Data Center Efficiency (2010).
How can NASA benefit from cloud computing?
ROI and ARC Case Study
- Operational Enhancements
- Strict standardization of hardware and infrastructure software components
- Small numbers of system administrators due to the cookie-cutter design of cloud components and support processes
- Failure of any single component within the Nebula cloud will not become reason for alarm
- Application operations will realize similar efficiencies once application developers learn how to properly deploy applications so that they are not reliant on any particular cloud component.
OBJECTIVE: Overview of how NASA is implementing cloud computing
How is NASA implementing cloud computing?
- Nebula Principles
- Open and Public APIs, everywhere
- Open-source platform, apps, and data
- Full transparency
- Open source code and documentation releases
- Reference platform
- Cloud model for Federal Government
How is NASA implementing cloud computing?
- Nebula User Experience
- Nebula IaaS user will have an experience similar to Amazon EC2
- Dedicated private VLAN for instances
- Dedicated VPN for access to private VLAN
- Public IPs to assign to instances
- Launch VM instances
- Dashboard for instance control and API access
- Able to import/export bundled instances to AWS and other clouds
Products and companies named for illustrative
purposes only and should not be construed as an
endorsement
How is NASA implementing cloud computing?
- Architecture Drivers
- Reliability
- Availability
- Cost
- IT Security
How is NASA implementing cloud computing?
- Shared Nothing
- Messaging Queue
- State Discovery
- Standard Protocols
- Automated
How is NASA implementing cloud computing?
- Nebula Infrastructure Components
- Cloud Node
- Network Node
- Compute Node
- Volume Node
- Object Node
- Monitoring / Metering / Logging / Scanning
How is NASA implementing cloud computing?
Cloud Node
Compute Node
Volume Node
Object Node
Network Node
Pilot Lessons Learned - Automate Everything
How is NASA implementing cloud computing?
- No SysAdmin is perfect
- 99% is not good enough
- NEVER make direct system changes
- When in doubt, PXE boot (rebuild the node from its network boot image rather than repair it by hand)
Pilot Lessons Learned - Test Everything
How is NASA implementing cloud computing?
- KVM jumbo frames
- Grinder (load testing)
- Unit tests / cyclomatic complexity
- TransactionID insertion (Universal Proxy)
Pilot Lessons Learned - Monitor Everything
How is NASA implementing cloud computing?
- Ganglia
- Munin
- Syslog-NG / PHP-Syslog-NG
- Nagios
- Custom log parsing (instance-centric)
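The "instance-centric" log parsing named above is the piece that turns a central syslog feed into something a security team can act on per VM. The following is an added example, not Nebula's own parser: it assumes a syslog-ng style line format (timestamp, host, program[pid]: message), assumes that hypervisor and guest-related messages carry the instance ID in "i-xxxxxxxx" form, and uses constructed log lines. It groups events by instance and flags instances receiving repeated SSH authentication failures.

```python
"""Instance-centric parsing of centrally aggregated syslog.

Added example, not Nebula's own log parser. Assumptions: syslog-ng style
lines (timestamp host program[pid]: message), instance IDs in the form
i-xxxxxxxx inside the message, and constructed sample log lines.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
INSTANCE_RE = re.compile(r"\b(i-[0-9a-f]{8})\b")
AUTH_FAIL_RE = re.compile(r"Failed password for \S+ from (?P<src>\d+(?:\.\d+){3})")

# Constructed sample lines (not real Nebula logs). The ssh failures against
# i-0000a1b2 come from 10.1.2.17, a Project B address in the slide's scheme.
SAMPLE_LOG = """\
Aug 17 10:01:02 compute-03 nova-compute[2210]: i-0000a1b2 launched for project projA on vlan 101
Aug 17 10:01:05 compute-03 nova-compute[2210]: i-0000a1b3 launched for project projB on vlan 102
Aug 17 10:02:11 compute-03 sshd[3301]: Failed password for root from 10.1.2.17 port 51234 ssh2 (instance i-0000a1b2)
Aug 17 10:02:13 compute-03 sshd[3301]: Failed password for root from 10.1.2.17 port 51235 ssh2 (instance i-0000a1b2)
Aug 17 10:02:15 compute-03 sshd[3301]: Failed password for root from 10.1.2.17 port 51236 ssh2 (instance i-0000a1b2)
Aug 17 10:02:16 compute-03 sshd[3301]: Failed password for root from 10.1.2.17 port 51237 ssh2 (instance i-0000a1b2)
Aug 17 10:03:00 compute-03 kernel: i-0000a1b3 eth0: link up
Aug 17 10:04:44 network-01 openvpn[880]: projA user alice connected from 198.51.100.8
"""


def parse_line(line):
    """Parse one syslog line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    inst = INSTANCE_RE.search(rec["msg"])
    rec["instance"] = inst.group(1) if inst else None   # None = not attributable to a VM
    return rec


def parse_log(text):
    """Parse every line that matches; silently skip lines that do not."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def group_by_instance(records):
    """Pivot host-centric records into instance-centric buckets."""
    groups = defaultdict(list)
    for r in records:
        groups[r["instance"]].append(r)
    return dict(groups)


def find_auth_failures(by_instance, threshold=3):
    """Return {instance: {failures, sources}} for instances at/above threshold."""
    alerts = {}
    for inst, recs in by_instance.items():
        if inst is None:
            continue                       # infrastructure noise, not a VM
        sources = [m.group("src") for r in recs
                   for m in [AUTH_FAIL_RE.search(r["msg"])] if m]
        if len(sources) >= threshold:
            alerts[inst] = {"failures": len(sources), "sources": sorted(set(sources))}
    return alerts


if __name__ == "__main__":
    grouped = group_by_instance(parse_log(SAMPLE_LOG))
    for inst, recs in grouped.items():
        print(inst, len(recs), "events")
    print(find_auth_failures(grouped))
```

Grouping by instance rather than by compute node is what lets the source of the failures (10.1.2.17, inside the other project's subnet in the slide's addressing) be read as a possible breach of the VLAN isolation the later slides describe, rather than as noise on compute-03.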
OBJECTIVE: Overview of technical security mechanisms built into Nebula
- Technical Security Overview
- Issues with Commercial Cloud Providers
- Overview of Current Security Mechanisms
- Innovations
How does NASA secure cloud computing?
- Commercial Cloud Provider Security Concerns
- IT Security not brought into the decision of how and when NASA orgs use clouds
- IT Security may not know NASA orgs are using clouds until an incident has occurred
- Without insight into monitoring/IDS/logs, NASA may not find out that an incident has occurred
- No assurances of sufficient cloud infrastructure access to perform proper forensics/investigations
- These issues are less likely with a private cloud like Nebula
How does NASA secure cloud computing?
- IT Security is built into Nebula
- User isolation from Nebula infrastructure
- Users only have access to APIs and dashboards
- No user direct access to Nebula infrastructure
- Project-based separation
- A project is a set of compute resources accessible by one or more users
- Each project has its own:
- VLAN for project instances
- VPN for project users to launch, terminate, and access instances
- Image library of instances
How does NASA secure cloud computing?
- Networking
- RFC1918 address space internal to Nebula
- NAT is used for those hosts within Nebula needing visibility outside a cluster
- Three core types of networks within Nebula:
- Customer: customer VLANs are isolated from each other
- DMZ: services available to all of Nebula, such as NTP, DNS, etc.
- Administrative
How does NASA secure cloud computing?
- Security Groups
- Combination of VLANs and Subnetting
- Can be extended to use physical network/node
separation as well (future)
How does NASA secure cloud computing?
Network diagram (labels from the slide): Project A (10.1.1/24) and Project B (10.1.2/24) in RFC1918 space (LAN_X); Public IP space; DMZ services; Internet; Cloud APIs; SMR; External scanner; Operations console (custom); Bridge; Security scanners (Nessus, Hydra, etc.); Log aggregation, SOC tap; Event correlation engine
How does NASA secure cloud computing?
- Firewalls
- Multiple levels of firewalling
- Hardware firewall at site border
- Firewall on cluster network head-ends
- Host-based firewalls on key hosts
- Project based rule sets based on Amazon security
groups
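The three slides above (per-project VLANs in RFC1918 space, security groups built from VLANs and subnetting, and Amazon-style project rule sets enforced at the cluster head-ends) describe one policy: a project's instances accept only what its own group allows, and everything else, including traffic from another project's VLAN, is dropped. The block below is an added example of that policy evaluation, not Nebula's network code. It uses the slide's Project A (10.1.1.0/24) and Project B (10.1.2.0/24) addressing; the DMZ subnet, VLAN IDs, the rule sets and the iptables chain names are assumptions constructed for the example.

```python
"""Project isolation as security-group style ingress rules over per-project subnets.

Added example, not Nebula's own network code. Project subnets follow the
slide's diagram; the DMZ subnet, VLAN IDs, rules and chain names are
assumptions for this example, modelled on Amazon-style security groups.
"""
import ipaddress
from dataclasses import dataclass, field

N = ipaddress.ip_network
RFC1918 = [N("10.0.0.0/8"), N("172.16.0.0/12"), N("192.168.0.0/16")]


def is_rfc1918(ip):
    """True only for RFC1918 space. Not ip_address(ip).is_private: that is also
    True for documentation ranges such as 198.51.100.0/24, which are not RFC1918."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in RFC1918)


@dataclass
class Rule:
    """One ingress permission: tcp/udp, inclusive port range, allowed source network."""
    proto: str
    port_lo: int
    port_hi: int
    source: ipaddress.IPv4Network

    def matches(self, src, proto, dport):
        return (self.proto == proto and self.port_lo <= dport <= self.port_hi
                and ipaddress.ip_address(src) in self.source)


@dataclass
class Project:
    name: str
    vlan: int
    subnet: ipaddress.IPv4Network
    rules: list = field(default_factory=list)   # ingress rules; anything unmatched is denied


DMZ = N("10.0.0.0/24")                                   # assumed DMZ subnet
DMZ_SERVICES = {("udp", 123), ("udp", 53), ("tcp", 53)}  # NTP and DNS, per the slides

PROJECTS = {
    "A": Project("A", 101, N("10.1.1.0/24"), [
        Rule("tcp", 22, 22, N("10.1.1.0/24")),   # ssh only from the project's own VLAN/VPN
        Rule("tcp", 80, 80, N("0.0.0.0/0")),     # public web service reached via a NAT'd public IP
    ]),
    "B": Project("B", 102, N("10.1.2.0/24"), [
        Rule("tcp", 22, 22, N("10.1.2.0/24")),
    ]),
}


def locate(ip):
    """Return the Project owning ip, the string "dmz", or None for non-Nebula space."""
    addr = ipaddress.ip_address(ip)
    if addr in DMZ:
        return "dmz"
    for p in PROJECTS.values():
        if addr in p.subnet:
            return p
    return None


def decide(src, dst, proto, dport):
    """Decide a flow as the project head-end firewall would; default deny."""
    target = locate(dst)
    if target is None:
        # leaving Nebula: egress goes out through NAT, not through a project group
        return ("nat", "egress via NAT") if locate(src) else ("deny", "not Nebula traffic")
    if target == "dmz":
        ok = (proto, dport) in DMZ_SERVICES and is_rfc1918(src)
        return ("allow", "shared DMZ service") if ok else ("deny", "DMZ serves only NTP/DNS to internal hosts")
    for r in target.rules:
        if r.matches(src, proto, dport):
            return ("allow", "project %s rule %s/%d-%d from %s"
                    % (target.name, r.proto, r.port_lo, r.port_hi, r.source))
    origin = locate(src)
    if isinstance(origin, Project) and origin is not target:
        return ("deny", "cross-project %s -> %s blocked by VLAN isolation" % (origin.name, target.name))
    return ("deny", "no matching rule in project %s" % target.name)


def render_iptables(project):
    """Emit the equivalent iptables chain for a project head-end (assumed chain naming)."""
    chain = "PROJ_%s" % project.name
    lines = ["iptables -N %s" % chain]
    for r in project.rules:
        lines.append("iptables -A %s -d %s -s %s -p %s --dport %d:%d -j ACCEPT"
                     % (chain, project.subnet, r.source, r.proto, r.port_lo, r.port_hi))
    lines.append("iptables -A %s -j DROP" % chain)   # default deny closes the chain
    return lines
```

The cross-project case is the one worth checking explicitly: a Project B host hitting ssh on a Project A instance is denied even though Project A permits ssh, because the permission is scoped to Project A's own VLAN. The RFC1918 helper is written out rather than using is_private because Python's is_private also covers documentation and other special ranges, which would let a spoofed non-RFC1918 source reach the DMZ services.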
How does NASA secure cloud computing?
- Remote User Access
- Remote access is only through VPN (OpenVPN)
- Separate administrative VPN and user VPNs
- Each project has its own VPN server
How does NASA secure cloud computing?
- Intrusion Detection
- OSSEC on key infrastructure hosts
- Open source Host-based Intrusion Detection
- Mirror port to NASA SOC tap
- Building 10Gb/sec IDS/IPS/Forensics device with
vendor partners
How does NASA secure cloud computing?
- Configuration Management
- Puppet used to automatically push out configuration changes to infrastructure
- Automatic reversion of unauthorized changes to systems
How does NASA secure cloud computing?
- Vulnerability Scanning
- Nebula uses both internal and external vulnerability scanners
- Correlate findings between internal and external scans
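Correlating the two scans is less obvious than it sounds, because the external scanner reports the public (NAT) address while the internal one reports the RFC1918 address of the same host, so findings have to be re-keyed before they can be compared. The block below is an added example of that correlation, not Nebula's scan tooling; the finding format (host, port, plugin id, severity), the NAT map and the sample results are constructed.

```python
"""Correlating internal and external vulnerability scan findings.

Added example, not Nebula's own scan tooling. The finding tuples, the
NAT map and the severity ranking are constructed for this example.
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed: what the internal scanner sees from inside the customer VLAN.
INTERNAL = [
    ("10.1.1.20", 22, "ssh-weak-ciphers", "medium"),
    ("10.1.1.20", 80, "apache-2.2-cve", "high"),
    ("10.1.1.21", 3306, "mysql-default-creds", "critical"),
]
# Constructed: what the external scanner sees through the border firewall.
# It reports the public (NAT) address, not the RFC1918 one.
EXTERNAL = [
    ("203.0.113.20", 80, "apache-2.2-cve", "high"),
    ("203.0.113.20", 443, "ssl-weak-cert", "low"),
]
# Constructed public -> internal address mapping for the NAT'd hosts.
NAT_MAP = {"203.0.113.20": "10.1.1.20"}


def normalize(findings, nat_map):
    """Key findings on the internal host so both scanners describe the same box."""
    return {(nat_map.get(h, h), p, plugin): sev for h, p, plugin, sev in findings}


def correlate(internal, external, nat_map):
    """Split findings by exposure: seen by both, internal only, or external only."""
    keys_i, keys_e = set(normalize(internal, nat_map)), set(normalize(external, nat_map))
    return {
        # vulnerable and reachable from the Internet: fix first
        "exposed": sorted(keys_i & keys_e),
        # vulnerable but hidden by the firewall: still patch; reachable from inside the VLAN
        "shielded": sorted(keys_i - keys_e),
        # only the outside scanner sees it: an internal coverage gap or an unknown NAT mapping
        "external_only": sorted(keys_e - keys_i),
    }


def triage(internal, external, nat_map):
    """Order findings by exposure bucket, then by the higher severity either scanner gave."""
    i, e = normalize(internal, nat_map), normalize(external, nat_map)
    order = {"exposed": 0, "shielded": 1, "external_only": 2}
    rows = []
    for bucket, keys in correlate(internal, external, nat_map).items():
        for k in keys:
            sev = max((s for s in (i.get(k), e.get(k)) if s), key=SEVERITY_RANK.get)
            rows.append((order[bucket], -SEVERITY_RANK[sev], k, bucket, sev))
    rows.sort()
    return [(k, bucket, sev) for _, _, k, bucket, sev in rows]


if __name__ == "__main__":
    for key, bucket, sev in triage(INTERNAL, EXTERNAL, NAT_MAP):
        print("%-14s %-9s %s:%d %s" % (bucket, sev, key[0], key[1], key[2]))
```

Without the NAT map, every external finding looks like a brand-new host and nothing correlates, which is the usual way an "externally exposed" item is missed when the two scanners are run by different teams.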
How does NASA secure cloud computing?
- Incident Response
- Procedures for isolating individual VMs, compute nodes, and clusters, including:
- Taking a snapshot of suspect VMs, including a memory dump
- Quarantining a VM within a compute node
- Disabling VM images so new instances can't be launched
- Quarantining a compute node within a cluster
- Quarantining a cluster
How does NASA secure cloud computing?
- Role Based Access Control
- Multiple defined roles within a project
- Role determines which API calls can be invoked
- Only network admin can request non-1918 addresses
- Only system admin can bundle new images
- etc.
How does NASA secure cloud computing?
- Innovation - Security Gates
- API calls can be intercepted and security gates can be imposed on the function being called
- When an instance is launched, it can be scanned automatically for vulnerabilities
- Long-term vision is to have a pass/fail launch gate based on scan/monitoring results
How does NASA secure cloud computing?
- Vision - Security as a Service
- Goal: automate compliance through security services provided by the cloud provider
- Security APIs/tools mapped to specific controls
- Customers could subscribe to tools/services to meet compliance requirements
- When setting up a new project in the cloud:
- Customers assert the nature of the data they will use
- Cloud responds with a list of APIs/tools for customers to use
- Currently gathering requirements, but funding needed to realize vision
How does NASA secure cloud computing?
- Vision - Security Service Bus
- Goal: FISMA compliance through continuous real-time monitoring and situational awareness
- Security service bus with event-driven messaging engine
- Correlate events across provider and multiple customers
- Dashboard view for security providers and customers
- Allows customers to make risk-based security decisions based on events experienced by other customers
- Funding needed to realize vision
Nebula Open Source Progress
How does NASA secure cloud computing?
- Significant progress in embracing the value of open source software release
- Agreements with SourceForge and GitHub
- Open source identified as an essential component of NASA's open government plan
- Elements of Nebula in open source release pipeline
- Started Feb 2010. Hope for release in June.
- Working toward continual incremental releases.
- Exploring avenues to contribute code to external projects and to accept external contributions to the Nebula code base.
Q & A
Extended Presentation
OBJECTIVE: Overview of Nebula C&A (certification and accreditation) with lessons learned
FISMA & Clouds
- FISMA Overview
- Federal Information Security Management Act
- Requires all Government computers to be under a security plan
- Mandates following NIST security guidance
- Required controls depend on FIPS-199 sensitivity level
- Requires periodic assessments of security controls
- Extremely documentation heavy
- Assumes one organization has responsibility for the majority of identified security controls
- FISMA is burdensome to cloud customers
- Customers want to outsource IT security to the cloud provider
FISMA & Clouds
- FISMA Responsibilities in Clouds
- Clouds are a highly dynamic shared management environment
- Customers retain FISMA responsibilities for aspects of a cloud under their control
- Responsibilities vary depending on the level of control maintained by the customer
- Customer control varies relative to service delivery model (SaaS, PaaS, or IaaS)
- Need to define & document responsibilities
- We parsed 800-53 Rev 3 controls per service delivery model
- Nebula currently only offers IaaS
- We parsed all three service models for future planning
FISMA & Clouds
Customer FISMA Responsibilities for Cloud
Customer FISMA responsibilities increase as customers have more control over security measures (figure: cloud customer security responsibility grows from SaaS through PaaS to IaaS)
- SaaS: identifying data types, ensuring data appropriate to system, user/account management, personnel controls
- PaaS: software licenses, developer testing, application configuration management, software development lifecycle
- IaaS: OS configuration management, anti-malware, software install controls, OS-specific controls, etc.
FISMA & Clouds
- IaaS Customer Security Plan Coverage Options
- At inception little guidance existed on cloud computing control responsibilities & security plan coverage
- FedRAMP primarily addresses cloud provider responsibilities
- Other than control parsing definitions, customers are given little guidance on implementing and managing FISMA requirements in a highly dynamic shared management environment
- We have developed the following options:
| Option | Description | Issues |
| Customer Owned | Customer responsible for own security plan with no assistance from provider | None to providers; burdensome to customers |
| Facilitated | Customer responsible for own security plan using NASA template | May still be burdensome to customers. Not scalable unless automated. |
| Agency Owned | Agency or Center level group security plans associated with cloud providers serve as aggregation point for customers | May be burdensome to Agency or Center. Requires technology to automate input and aggregation of customer data. |
FISMA & Clouds
- Current NASA Requirements/Tools may Impede Cloud Implementation
- Default security categorization of Scientific and Space Science data as Moderate
- Independent assessment required for every major change
- Currently requires 3rd party document-centric audit
- Not scalable to cloud environments
- e-Authentication/AD integration required for all NASA apps
- NASA implementations don't currently support LDAP/SAML-based federated identity management
- Function-specific stove-piped compliance tools
- STRAW / PIA tool / A&A Repository / NASA electronic forms
- Can't easily automate compliance process for new apps
FISMA & Clouds
- Emerging Developments in FISMA Clouds
- Interagency Cloud Computing Security Working Group is developing additional baseline security requirements for cloud computing providers
- NIST Cloud Computing guidance forthcoming?
- Move towards automated risk models and security management tools over documentation
- On the bleeding edge: changing guidance & requirements are a key risk factor (and opportunity)
FISMA & Clouds
- Nebula is Contributing to Cloud Standards
- Federal Cloud Standards Working Group
- Federal Cloud Computing Security Working Group
- Federal Risk and Authorization Management Program (FedRAMP)
- CloudAudit project
- Automated Audit, Assertion, Assessment, and Assurance API (A6)
- Providing feedback to NIST and GAO
- GSA Cloud PMO
OBJECTIVE: Overview of how Nebula concepts may integrate with FedRAMP
FedRAMP
Federal Risk and Authorization Management Program
- A Federal Government-wide program to provide joint authorizations and continuous monitoring
- Unified Government-wide risk management
- Authorizations can be leveraged throughout the Federal Government
- This is to be an optional service provided to Agencies that does not supplant existing Agency authority
Independent Agency Risk Management of Cloud Services (diagram labels: Federal Agencies; Risk Management; Cloud Service Providers (CSP))
FedRAMP
Federated Risk Management of Cloud Systems (diagram): Federal Agencies get risk management cost savings and increased effectiveness; FedRAMP provides an interagency vetted approach covering risk management, authorization, continuous monitoring and Federal security requirements, with rapid acquisition through consolidated risk management; Cloud Service Providers (CSP) see consistent application of Federal security requirements
FedRAMP Authorization process (diagram, continued over two slides)
FedRAMP
Issues & Concerns
FedRAMP
- FedRAMP doesn't provide much guidance for the customer side, e.g. Agency users of cloud services
- Current NIST guidance oriented primarily towards static single-system-owner environments
- Lack of NIST guidance for highly dynamic shared-owner environments, e.g. virtualized data centers & clouds:
- SSP generation & maintenance
- Application of SP 800-53 (security controls)
- Application of SP 800-37 (assessment & ATO)
- Continuous monitoring
- Guidance may be forthcoming, but NIST is resource constrained
Potential Solution
FedRAMP
- Agency/Center level aggregated SSPs
- Plan per CSP, e.g. Nebula, Amazon, Google, Microsoft, etc.
- Plan covers all customers of a specific CSP
- Technology integration may be needed with the SSP repository to dynamically update SSP content via a web registration site.
- Or the SSP may be able to point to dynamic content entered and housed on the web registration site ... maintained in a wiki-type doc.
Q & A