Cloudy with a Chance of Rootkits - Assurance Requirements for e-Infrastructure Services

Assurance Requirements fore-Infrastructure Services

Martin HamiltonLoughborough University /

HPC Midlands

Cloudy With a Chance of Rootkits

Martin HamiltonLoughborough University /

HPC Midlands

Topics

1. What is e-Infrastructure?

2. Barriers to Adoption

3. Opening Pandora’s Box

4. Conclusions


—Research community context: HPC, SKA, LHC, DLS, NGS and other TLAs

—Industrial context:TSB Catapults, BIS/EPSRC supercomputer centres, “on ramps” for SMEs


[http://goo.gl/fIpA7R]

Case Study - HPC Midlands:—BIS/EPSRC regional centre—3,000 core supercomputer—Expertise from Loughborough

University & University of Leicester

—Software from leading ISVs—Flexible usage model for use

by research and industry


1. What is e-Infrastructure?Not just HPC:- Bioinformatics- Diamond Light

Source, SKA etc- Major capital kit at

Institutions- But not just kit?

- Open Access Pubs- Open Data- Software

Topics




4. Conclusions


Picture credits: CC-BY-NC by Flickr user ladybeames; Peter Strutton, HPC Midlands

2. Barriers to Adoption - Awareness

equipment.data.ac.uk

Kit Catalogue™ – kit-catalogue.com

Key question:What are the boundaries of e-Infrastructure?

http://equipment.data.ac.uk/

http://kit-catalogue.com/

2. Barriers to Adoption - Awareness

2. Barriers to Adoption - Training

2. Barriers to Adoption - Training- Typically supply led- Inflexible timing- Prohibitively

expensive for SMEs- Ad-hoc engagement

with ISVs- Where is the MOOC?

2. Barriers to Adoption - Assurance

Challenging preconceptions:—“Supercomputing is just for

rocket scientists”—“Academic services are

inherently insecure”—“Legal would never sign off

on anything like this”—“It’s just too hard to satisfy

assurance requirements”

Photo credit: CC-BY-NC by Flickr user justin_case

2. Barriers to Adoption - Assurance

Challenging preconceptions:—Common off-the-shelf packages

have HPC solver capability, e.g. FLUENT, NASTRAN, MATLAB

—Pen testing / audit tools don’t care if you are an academic site

—Locking systems down is hard work – get over it

—FTSE100 firms’ have similar requirements to research and education organizations

Photo credit: CC-BY-NC by Flickr user justin_case

Topics




4. Conclusions


—Who makes the agreement?—Dedicated special purpose vehicle, spin-out

company, cost sharing groups, VAT exemption etc—What does it look like?

—Guaranteed turnaround time?—Reducing the friction

—Compliance challenges—ISO 27002, CESG InfoSec, physical security (e.g.

LPS 1175), CIS audit tool, pen testing / auditing


Sample security audit tool output from http://benchmarks.cisecurity.org/


—Relationship with customer networks—Firewall traversal, double NAT, outbound access to service,

inbound access to license servers, double encryption? (VPN + ssh)

—What would root do?—Remove unnecessary permissions, turn off unused

services, is command line access even necessary?—Connectivity

—Online access vs. sneakernet, remote visualization requirement, JANET connectivity + AAA support through Moonshot

Topics




4. Conclusions

4. Conclusions

Photo credit CC-BY-NC Flickr user brianklug

4. Conclusions

—More disciplined approach to contractual relations, technical aspects of service provision—Requirement for certain public sector data, e.g. NHS

patient records—Similar considerations around regional shared

services as for generic “cloud” providers—Opportunity to set common expectations around

levels and types of service—Migration between service providers and marketplace

for e-Infrastructure services

Cloudy With a Chance of Rootkits

Martin Hamilton@martin_hamilton

[email protected]

Cloudy with a Chance of Rootkits - Assurance Requirements for e-Infrastructure Services

Technology

Transcript of Cloudy with a Chance of Rootkits - Assurance Requirements for e-Infrastructure Services