Cloudy with a Chance of Rootkits - Assurance Requirements for e-Infrastructure Services
Transcript of Cloudy with a Chance of Rootkits - Assurance Requirements for e-Infrastructure Services
Cloudy With a Chance of Rootkits: Assurance Requirements for e-Infrastructure Services
Martin Hamilton, Loughborough University / HPC Midlands
Topics
1. What is e-Infrastructure?
2. Barriers to Adoption
3. Opening Pandora’s Box
4. Conclusions
1. What is e-Infrastructure?
- Research community context: HPC, SKA, LHC, DLS, NGS and other TLAs
- Industrial context: TSB Catapults, BIS/EPSRC supercomputer centres, “on ramps” for SMEs
1. What is e-Infrastructure?
[http://goo.gl/fIpA7R]
Case Study - HPC Midlands:
- BIS/EPSRC regional centre
- 3,000 core supercomputer
- Expertise from Loughborough University & University of Leicester
- Software from leading ISVs
- Flexible usage model for use by research and industry
1. What is e-Infrastructure?
Not just HPC:
- Bioinformatics
- Diamond Light Source, SKA etc
- Major capital kit at institutions
- But not just kit?
- Open Access Pubs
- Open Data
- Software
2. Barriers to Adoption
Picture credits: CC-BY-NC by Flickr user ladybeames; Peter Strutton, HPC Midlands
2. Barriers to Adoption - Awareness
equipment.data.ac.uk
Kit Catalogue™ – kit-catalogue.com
Key question: What are the boundaries of e-Infrastructure?
2. Barriers to Adoption - Training
- Typically supply led
- Inflexible timing
- Prohibitively expensive for SMEs
- Ad-hoc engagement with ISVs
- Where is the MOOC?
2. Barriers to Adoption - Assurance
Challenging preconceptions:
- “Supercomputing is just for rocket scientists”
- “Academic services are inherently insecure”
- “Legal would never sign off on anything like this”
- “It’s just too hard to satisfy assurance requirements”
Photo credit: CC-BY-NC by Flickr user justin_case
2. Barriers to Adoption - Assurance
Challenging preconceptions:
- Common off-the-shelf packages have HPC solver capability, e.g. FLUENT, NASTRAN, MATLAB
- Pen testing / audit tools don’t care if you are an academic site
- Locking systems down is hard work – get over it
- FTSE100 firms have similar requirements to research and education organizations
Photo credit: CC-BY-NC by Flickr user justin_case
3. Opening Pandora’s Box
- Who makes the agreement?
  - Dedicated special purpose vehicle, spin-out company, cost sharing groups, VAT exemption etc
- What does it look like?
  - Guaranteed turnaround time?
  - Reducing the friction
- Compliance challenges
  - ISO 27002, CESG InfoSec, physical security (e.g. LPS 1175), CIS audit tool, pen testing / auditing
3. Opening Pandora’s Box
Sample security audit tool output from http://benchmarks.cisecurity.org/
3. Opening Pandora’s Box
- Relationship with customer networks
  - Firewall traversal, double NAT, outbound access to service, inbound access to license servers, double encryption? (VPN + ssh)
- What would root do?
  - Remove unnecessary permissions, turn off unused services, is command line access even necessary?
- Connectivity
  - Online access vs. sneakernet, remote visualization requirement, JANET connectivity + AAA support through Moonshot
4. Conclusions
Photo credit CC-BY-NC Flickr user brianklug
4. Conclusions
- More disciplined approach to contractual relations, technical aspects of service provision
- Requirement for certain public sector data, e.g. NHS patient records
- Similar considerations around regional shared services as for generic “cloud” providers
- Opportunity to set common expectations around levels and types of service
- Migration between service providers and marketplace for e-Infrastructure services