Cloud Computing Architecture, IT Security, - PowerPoint PPT Presentation

1 / 75
About This Presentation
Title:

Cloud Computing Architecture, IT Security,

Description:

Cloud Computing Architecture, IT Security, & Operational Perspectives Steven R. Hunt ARC IT Governance Manager Ames Research Center Matt Linton IT Security Specialist – PowerPoint PPT presentation

Number of Views:1873
Avg rating:3.0/5.0
Slides: 76
Provided by: LMI52
Category:

less

Transcript and Presenter's Notes

Title: Cloud Computing Architecture, IT Security,


1
Cloud ComputingArchitecture, IT Security,
Operational Perspectives
  • Steven R. Hunt
  • ARC IT Governance Manager
  • Ames Research Center
  • Matt Linton
  • IT Security Specialist
  • Ames Research Center
  • Matt Chew Spence
  • IT Security Compliance Consultant
  • Dell Services Federal Government
  • Ames Research Center
  • August 17, 2010

2
(No Transcript)
3
OBJECTIVE Overview of cloud computing and share
vocabulary
4
What is Cloud Computing?
  • Cloud Computing NIST Definition
  • A model for enabling convenient, on-demand
    network access to a shared pool of configurable
    computing resources (e.g., networks, servers,
    storage, applications, and services) that can be
    rapidly provisioned and released with minimal
    management effort or service provider
    interaction

5
What is Cloud Computing?
Conventional Computing vs. Cloud Computing
  • Conventional
  • Cloud
  • Manually Provisioned
  • Dedicated Hardware
  • Fixed Capacity
  • Pay for Capacity
  • Capital Operational Expenses
  • Managed via Sysadmins
  • Self-provisioned
  • Shared Hardware
  • Elastic Capacity
  • Pay for Use
  • Operational Expenses
  • Managed via APIs

6
What is Cloud Computing?
  • Five Key Cloud Attributes
  • Shared / pooled resources
  • Broad network access
  • On-demand self-service
  • Scalable and elastic
  • Metered by use

7
What is Cloud Computing?
  • Shared / Pooled Resources
  • Resources are drawn from a common pool
  • Common resources build economies of scale
  • Common infrastructure runs at high efficiency

8
What is Cloud Computing?
  • Broad Network Access
  • Open standards and APIs
  • Almost always IP, HTTP, and REST
  • Available from anywhere with an internet
    connection

9
What is Cloud Computing?
  • On-Demand Self-Service
  • Completely automated
  • Users abstracted from the implementation
  • Near real-time delivery (seconds or minutes)
  • Services accessed through a self-serve
  • web interface

10
What is Cloud Computing?
  • Scalable and Elastic
  • Resources dynamically-allocated between users
  • Additional resources dynamically-released when
    needed
  • Fully automated

11
What is Cloud Computing?
  • Metered by Use
  • Services are metered, like a utility
  • Users pay only for services used
  • Services can be cancelled at any time

12
What is Cloud Computing?
Three Service Delivery Models
IaaS Infrastructure as a Service Consumer can
provision computing resources within provider's
infrastructure upon which they can deploy and run
arbitrary software, including OS and
applications PaaS Platform as Service Consumer
can create custom applications using programming
tools supported by the provider and deploy them
onto the provider's cloud infrastructure SaaS
Software as Service Consumer uses providers
applications running on provider's cloud
infrastructure
13
What is Cloud Computing?
Service Delivery Model Examples
Amazon
Google
Microsoft
Salesforce



SaaS
PaaS
IaaS
Products and companies shown for illustrative
purposes only and should not be construed as an
endorsement
14
What is Cloud Computing?
Cloud efficiencies and improvements
  • Burst capacity (over-provisioning)
  • Short-duration projects
  • Cancelled or failed missions
  • Cost efficiencies
  • Time efficiencies
  • Power efficiencies
  • Improved process control
  • Improved security
  • Unlimited capacity
  • Procurement
  • Network connectivity
  • Standardized, updated base images
  • Centrally auditable log servers
  • Centralized authentication systems
  • Improved forensics (w/ drive image)

15
OBJECTIVE Discuss requirements, use cases, and
ROI
16
How can NASA benefit from cloud computing?
Current IT options for Scientists
17
How can NASA benefit from cloud computing?
Scientists direct access to Nebula cloud
computing
18
How can NASA benefit from cloud computing?
Offer scientists services to address the gap
19
How can NASA benefit from cloud computing?
ROI and ARC Case Study
POWER Computers typically require 70 of their
total power requirements to run at just 15
utilization.
15 utilization based on two reports from
Gartner Group, Cost of Traditional Data Centers
(2009), and Data Center Efficiency (2010).
20
How can NASA benefit from cloud computing?
ROI and ARC Case Study
  • Operational Enhancements
  • Strict standardization of hardware and
    infrastructure software components
  • Small numbers of system administrators due to the
    cookie-cutter design of cloud components and
    support processes
  • Failure of any single component within the Nebula
    cloud will not become reason for alarm
  • Application operations will realize similar
    efficiencies once application developers learn
    how to properly deploy applications so that they
    are not reliant on any particular cloud
    component.

21
OBJECTIVE Overview of how NASA is implementing
cloud computing
22
How is NASA implementing cloud computing?
23
How is NASA implementing cloud computing?
24
How is NASA implementing cloud computing?
25
How is NASA implementing cloud computing?
  • Nebula Principles
  • Open and Public APIs, everywhere
  • Open-source platform, apps, and data
  • Full transparency
  • Open source code and documentation releases
  • Reference platform
  • Cloud model for Federal Government

26
How is NASA implementing cloud computing?
  • Nebula User Experience
  • Nebula IaaS user will have an experience similar
    to Amazon EC2
  • Dedicated private VLAN for instances
  • Dedicated VPN for access to private VLAN
  • Public IPs to assign to instances
  • Launch VM instances
  • Dashboard for instance control and API access
  • Able to import/export bundled instances to AWS
    and other clouds

Products and companies named for illustrative
purposes only and should not be construed as an
endorsement
27
How is NASA implementing cloud computing?
  • Architecture Drivers
  • Reliability
  • Availability
  • Cost
  • IT Security

28
Shared Nothing
How is NASA implementing cloud computing?
  • Messaging Queue
  • State Discovery
  • Standard Protocols

Automated
  • IPMI
  • PXEBoot
  • Puppet

29
How is NASA implementing cloud computing?
  • Nebula Infrastructure Components
  • Cloud Node
  • Network Node
  • Compute Node
  • Volume Node
  • Object Node
  • Monitoring / Metering / Logging / Scanning

30
Cloud Node
How is NASA implementing cloud computing?
31
Compute Node
How is NASA implementing cloud computing?
32
Volume Node
How is NASA implementing cloud computing?
33
Object Node
How is NASA implementing cloud computing?
34
Network Node
How is NASA implementing cloud computing?
35
Pilot Lessons Learned - Automate Everything
How is NASA implementing cloud computing?
  • No SysAdmin is perfect
  • 99 is not good enough
  • NEVER make direct system changes
  • When in doubt - PXEBoot

36
Pilot Lessons Learned - Test Everything
How is NASA implementing cloud computing?
  • KVM Jumbo Frames
  • Grinder
  • Unit Tests / Cyclometric Complexity
  • TransactionID Insertion (Universal Proxy)

37
Pilot Lessons Learned - Monitor Everything
How is NASA implementing cloud computing?
  • Ganglia
  • Munin
  • Syslog-NG PHPSyslog-NG
  • Nagios
  • Custom Log Parsing (Instance-centric)

38
OBJECTIVE Overview of technical security
mechanisms built into Nebula
39
OBJECTIVE Overview of technical security
mechanisms built into Nebula
  • Technical Security Overview
  • Issues with Commercial Cloud Providers
  • Overview of Current Security Mechanisms
  • Innovations

40
How does NASA secure cloud computing?
  • Commercial Cloud Provider Security Concerns
  • IT Security not brought into decision of how
    when NASA orgs use clouds
  • IT Security may not know NASA orgs are using
    clouds until an incident has occurred
  • Without insight into monitoring/IDS/logs, NASA
    may not find out that an incident has occurred
  • No assurances of sufficient cloud infrastructure
    access to perform proper forensics/investigations
  • These issues are less likely with a private cloud
    like Nebula  

41
How does NASA secure cloud computing?
  • IT Security is built into Nebula
  • User Isolation from Nebula Infrastructure
  • Users only have access to APIs and Dashboards
  • No user direct access to Nebula infrastructure
  • Project-based separation
  • A project is a set of compute resources
    accessible by one or more users
  • Each project has separate
  • VLAN for project instances
  • VPN for project users to launch, terminate, and
    access instances
  • Image library of instances

42
How does NASA secure cloud computing?
  • Networking
  • RFC1918 address space internal to Nebula
  • NAT is used for those hosts within Nebula needing
    visibility outside a cluster
  • Three core types of networks within Nebula
  • Customer
  • Customer VLANs are isolated from each other
  • DMZ
  • Services available to all Nebula such as NTP,
    DNS, etc
  • Administrative

43
How does NASA secure cloud computing?
  • Security Groups
  • Combination of VLANs and Subnetting
  • Can be extended to use physical network/node
    separation as well (future)

44
How does NASA secure cloud computing?
Project A (10.1.1/24)
RFC1918 Space (LAN_X)
Public IP Space
DMZ Services
I N T E R N E T
C L O U D A P I S
S M R
External Scanner
Operations Console (custom)
B R I D G E
Security Scanners (Nessus, Hydra, etc)
Log Aggregation, SOC Tap
Event Correlation Engine
Project B (10.1.2/24)
45
How does NASA secure cloud computing?
  • Firewalls
  • Multiple levels of firewalling
  • Hardware firewall at site border
  • Firewall on cluster network head-ends
  • Host-based firewalls on key hosts
  • Project based rule sets based on Amazon security
    groups

46
How does NASA secure cloud computing?
  • Remote User Access
  • Remote access is only through VPN (openVPN)
  • Separate administrative VPN and user VPNs
  • Each project has own VPN server

47
How does NASA secure cloud computing?
  • Intrusion Detection
  • OSSEC on key infrastructure hosts
  • Open source Host-based Intrusion Detection
  • Mirror port to NASA SOC tap
  • Building 10Gb/sec IDS/IPS/Forensics device with
    vendor partners

48
How does NASA secure cloud computing?
  • Configuration Management
  • Puppet used to automatically push out
    configuration changes to infrastructure
  • Automatic reversion of unauthorized changes to
    system

49
How does NASA secure cloud computing?
  • Vulnerability Scanning
  • Nebula uses both internal and external
    vulnerability scanners
  • Correlate findings between internal and external
    scans

50
How does NASA secure cloud computing?
  • Incident Response
  • Procedures for isolating individual VMs, compute
    nodes, and clusters, including
  • Taking snapshot of suspect VMs, including memory
    dump
  • Quarantining a VM within a compute node
  • Disabling VM images so new instances cant be
    launched
  • Quarantining a compute node within a cluster
  • Quarantining a cluster

51
How does NASA secure cloud computing?
  • Role Based Access Control
  • Multiple defined roles within a project
  • Role determines which API calls can be invoked
  • Only network admin can request non-1918 addresses
  • Only system admin can bundle new images
  • etc

52
How does NASA secure cloud computing?
  • Innovation - Security Gates
  • API calls can be intercepted and security gates
    can be imposed on function being called
  • When an instance is launched, it can be scanned
    automatically for vulnerabilities
  • Long term vision is to have a pass/fail launch
    gate based on scan/monitoring results

53
How does NASA secure cloud computing?
  • Vision - Security as a Service
  • Goal - Automate compliance through security
    services provided by cloud provider
  • Security APIs/tools mapped to specific controls
  • Customers could subscribe to tools/services to
    meet compliance requirements
  • When setting up new project in cloud
  • Customers assert nature of data they will use
  • Cloud responds with list of APIs/tools for
    customers to use
  • Currently gathering requirements but funding
    needed to realize vision

54
How does NASA secure cloud computing?
  • Vision - Security Service Bus
  • Goal - FISMA compliance through continuous
    real-time monitoring and situational awareness
  • Security service bus with event driven messaging
    engine
  • Correlate events across provider and multiple
    customers
  • Dashboard view for security providers and
    customers
  • Allows customers to make risk-based security
    decisions based on events experienced by other
    customers
  • Funding Needed to Realize Vision

55
Nebula Open Source Progress
How does NASA secure cloud computing?
  • Significant progress in embracing the value of
    open source software release
  • Agreements with SourceForge and Github
  • Open source identified as an essential component
    of NASAs open government plan
  • Elements of Nebula in open source release
    pipeline
  • Started Feb 2010. Hope for release in June.
  • Working toward continual incremental releases.
  • Exploring avenues to contribute code to external
    projects and to accept external contributions to
    the Nebula code base.

56
(No Transcript)
57
Q A
58
Extended Presentation
59
OBJECTIVE Overview of Nebula CA with Lessons
Learned
60
FISMA Clouds
  • FISMA Overview
  • Federal Information Security Management Act
  • Requires all Govt computers to be under a
    security plan
  • Mandates following NIST security guidance
  • Required controls depend on FIPS-199 sensitivity
    level
  • Requires periodic assessments of security
    controls
  • Extremely documentation heavy
  • Assumes one organization has responsibility for
    majority of identified security controls
  • FISMA is burdensome to cloud customers
  • Customers want to outsource IT Security to cloud
    provider

61
FISMA Clouds
  • FISMA Responsibilities in Clouds
  • Clouds are a Highly Dynamic Shared Management
    Environment
  • Customers retain FISMA responsibilities for
    aspects of a cloud under their control
  • Responsibilities vary depending on level of
    control maintained by customer
  • Customer control varies relative to service
    delivery model (SaaS, PaaS, or IaaS)
  • Need to define document responsibilities
  • We parsed 800-53 Rev3 controls per service
    delivery model
  • Nebula currently only offers IaaS
  • We parsed all three service models for future
    planning

62
FISMA Clouds
Customer FISMA Responsibilities for Cloud
Customer FISMA responsibilities Increase as
Customers have more control over security measures
IaaS
OS Config Mgmt Anti-Malware SW Install
Controls OS specific Controls etc
PaaS
Software Licenses Developer Testing App
Configuration Management Software Development
Lifecycle
Cloud Customer Security Responsibility
SaaS
Identifying data types Ensuring data appropriate
to system User/Account Management Personnel
Controls
62
63
FISMA Clouds
  • IaaS Customer Security Plan Coverage Options
  • At inception little guidance existed on cloud
    computing control responsibilities security
    plan coverage
  • FedRAMP primarily addresses cloud provider
    responsibilities
  • Other than control parsing definitions Customers
    are given little guidance on implementing and
    managing FISMA requirements in a highly dynamic
    shared management environment
  • We have developed the following options

Option Description Issues
Customer Owned Customer responsible for own security plan with no assistance from provider None to Providers Burdensome to customers
Facilitated Customer responsible for own security plan using NASA template May still be burdensome to customers. Not scalable unless automated.
Agency Owned Agency or Center level Group security plans associated with Cloud providers serve as aggregation point for customer. May be burdensome to Agency or Center. Requires technology to automate input and aggregation of customer data.
64
FISMA Clouds
  • Current NASA Requirements/Tools may Impede Cloud
    Implementation
  • Default security categorization of Scientific
    and Space Science data as Moderate
  • Independent assessment required for every major
    change
  • Currently requires 3rd party document-centric
    audit
  • Not scalable to cloud environments
  • e-Authentication/AD integration required for all
    NASA Apps
  • NASA implementations dont currently support
    LDAP/SAML-based federated identity management
  • Function-specific stove-piped compliance tools
  • STRAW/PIA tool/AA Repository/NASA electronic
    forms
  • Cant easily automate compliance process for new
    apps

64
65
FISMA Clouds
  • Emerging Developments in FISMA Clouds
  • Interagency Cloud Computing Security Working
    Group is developing additional baseline security
    requirements for cloud computing providers
  • NIST Cloud Computing guidance forthcoming?
  • Move towards automated risk models and security
    management tools over documentation
  • On the bleeding edge - changing guidance
    requirements are a key risk factor (and
    opportunity)

65
66
FISMA Clouds
  • Nebula is Contributing to Cloud Standards
  • Federal Cloud Standards Working Group
  • Fed Cloud Computing Security Working Group
  • Federal Risk Authorization Management Program
    (FedRAMP)
  • Cloud Audit project
  • Automated Audit Assertion Assessment Assurance
    API
  • Providing Feedback to NIST and GAO
  • GSA Cloud PMO

66
67
OBJECTIVE Overview of how Nebula concepts may
integrate with FedRAMP
68
FedRAMP
Federal Risk and Authorization Management Program
  • A Federal Government-Wide program to provide
    Joint Authorizations and Continuous Monitoring
  • Unified Government-Wide risk management
  • Authorizations can be leveraged throughout
    Federal Government
  • This is to be an optional service provided to
    Agencies that does not supplant existing Agency
    authority

69
Independent Agency Risk Management of Cloud
Services
FedRAMP
Federal Agencies

Risk Management

Cloud Service Providers (CSP)
70
Federated Risk Management of Cloud Systems
FedRAMP
Federal Agencies
Risk management cost savings and increased
effectiveness
  • Risk Management
  • Authorization
  • Continuous Monitoring
  • Federal Security Requirements

Risk Management
Interagency vetted approach
FedRAMP
Rapid acquisition through consolidated
risk management

Cloud Service Providers (CSP)
Consistent application of Federal security
requirements
71
FedRAMP Authorization process
FedRAMP
72
FedRAMP Authorization process (cont)
FedRAMP
73
Issues Concerns
FedRAMP
  • FedRAMP doesnt provide much guidance for
    customer side e.g. Agency users of cloud
    services
  • Current NIST guidance oriented primarily towards
    Static Single System Owner environments
  • Lack of NIST guidance for Highly Dynamic Shared
    Owner environments e.g. Virtualized Data
    Centers Clouds
  • SSP generation maintenance
  • Application of SP 800-53 (security controls)
  • Application of SP 800-37 (assessment ATO)
  • Continuous Monitoring
  • Guidance may be forthcoming but NIST is resource
    constrained

74
Potential Solution
FedRAMP
  • Agency/Center level Aggregated SSPs
  • Plan per CSP e.g. Nebula, Amazon, Google,
    Microsoft etc.
  • Plan covers all customers of a specific CSP
  • Technology integration may be needed with SSP
    repository to dynamically update SSP content via
    Web Registration site.
  • Or SSP may be able to point to dynamic content
    entered and housed on Web Registration site ...
    maintained in Wiki type doc.

75
Q A
Write a Comment
User Comments (0)
About PowerShow.com