Main 2010 Tuesday 5 Hunt Linton ChweSpence


Transcript of Main 2010 Tuesday 5 Hunt Linton ChweSpence

  • 8/3/2019 Main 2010 Tuesday 5 Hunt Linton ChweSpence

    Slide 1/75

    Cloud Computing: Architecture, IT Security, & Operational Perspectives

    Steven R. Hunt, ARC IT Governance Manager, Ames Research Center
    Matt Linton, IT Security Specialist, Ames Research Center
    Matt Chew Spence, IT Security Compliance Consultant, Dell Services Federal Government, Ames Research Center

    August 17, 2010

  • Slide 2/75: Agenda

    - Introductions (Steve Hunt)
    - What is cloud computing? (Matt Chew Spence)
    - How can NASA benefit from cloud computing? (Matt Chew Spence)
    - How is NASA implementing cloud computing? (Matt Linton)
    - How does NASA secure cloud computing? (Matt Linton)
    - Q&A (Presentation Team)
    - Extended Presentation:
      - FISMA & Clouds (Matt Chew Spence, Steve Hunt)
      - Assessment, Authorization, & FedRAMP (Steve Hunt)

  • Slide 3/75: Agenda (repeat of slide 2)

    OBJECTIVE: Overview of cloud computing and share vocabulary

  • Slide 4/75: What is Cloud Computing?

    Cloud Computing, NIST Definition: A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

  • Slide 5/75: What is Cloud Computing?

    Conventional Computing vs. Cloud Computing

    Conventional                   | Cloud
    -------------------------------|-----------------------
    Manually provisioned           | Self-provisioned
    Dedicated hardware             | Shared hardware
    Fixed capacity                 | Elastic capacity
    Pay for capacity               | Pay for use
    Capital & operational expenses | Operational expenses
    Managed via sysadmins          | Managed via APIs

  • Slide 6/75: What is Cloud Computing?

    Five Key Cloud Attributes:
    1. Shared / pooled resources
    2. Broad network access
    3. On-demand self-service
    4. Scalable and elastic
    5. Metered by use

  • Slide 7/75: What is Cloud Computing?

    Shared / Pooled Resources:
    - Resources are drawn from a common pool
    - Common resources build economies of scale
    - Common infrastructure runs at high efficiency

  • Slide 8/75: What is Cloud Computing?

    Broad Network Access:
    - Open standards and APIs
    - Almost always IP, HTTP, and REST
    - Available from anywhere with an internet connection

  • Slide 9/75: What is Cloud Computing?

    On-Demand Self-Service:
    - Completely automated
    - Users abstracted from the implementation
    - Near real-time delivery (seconds or minutes)
    - Services accessed through a self-serve web interface

  • Slide 10/75: What is Cloud Computing?

    Scalable and Elastic:
    - Resources dynamically allocated between users
    - Additional resources dynamically released when needed
    - Fully automated

  • Slide 11/75: What is Cloud Computing?

    Metered by Use:
    - Services are metered, like a utility
    - Users pay only for services used
    - Services can be cancelled at any time

  • Slide 12/75: What is Cloud Computing?

    Three Service Delivery Models

    - IaaS: Infrastructure as a Service (diagram layer: virtual machines, virtual networks). The consumer can provision computing resources within the provider's infrastructure, upon which they can deploy and run arbitrary software, including OS and applications.
    - PaaS: Platform as a Service (diagram layer: auto elastic, continuous integration). The consumer can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure.
    - SaaS: Software as a Service (diagram layer: built for cloud, uses PaaS). The consumer uses the provider's applications running on the provider's cloud infrastructure.

  • Slide 13/75: What is Cloud Computing?

    Service Delivery Model Examples (SaaS, PaaS, IaaS): Amazon, Google, Microsoft, Salesforce

    Products and companies shown for illustrative purposes only and should not be construed as an endorsement.

  • Slide 14/75: What is Cloud Computing?

    Cloud efficiencies and improvements:
    - Cost efficiencies ($)
    - Time efficiencies
    - Power efficiencies
    - Improved process control
    - Improved security
    - Unlimited capacity

    Illustrations on the slide: burst capacity (over-provisioning); short-duration projects; cancelled or failed missions; procurement; network connectivity; standardized, updated base images; centrally auditable log servers; centralized authentication systems; improved forensics (with drive image); process.

  • Slide 15/75: Agenda (repeat of slide 2)

    OBJECTIVE: Discuss requirements, use cases, and ROI

  • Slide 16/75: How can NASA benefit from cloud computing?

    Current IT options for Scientists

    Requirements*: science-scale application development; very large dataset processing; compute-intensive processing; timely sharing of results with collaborators and the public; missions.

    Current Options*:
    - BUILD IT: Build my own IT infrastructure that may/may not comply with Federal/Agency IT security standards.
    - BUY IT: Go through a lengthy procurement and provisioning process for basic IT services.
    - DO NOTHING: The current basic IT services model is cost prohibitive and I cannot afford to process my data and share with collaborators and the public at large.

    * Requirements and options documented in over 30+ interviews with Ames scientists as part of the 2009 NASA Workstation project.

  • Slide 17/75: How can NASA benefit from cloud computing?

    Mission Objectives: Explore, Understand, and Share

    Mission areas (diagram): Exploration, Space Ops, Science, Aeronautics
    Needs: High Compute, Vast Storage, High Speed Networking
    Use cases: process large data sets; scale-out for one-time events; require infrastructure on-demand; store mission & science data; share information with the public; run compute-intensive workloads
    Diagram labels: Mission; OCIO Innovation; Shared Resource; Mission Support

    Scientists' direct access to Nebula cloud computing

  • Slide 18/75: How can NASA benefit from cloud computing?

    Offer scientists services to address the gap

    Needs: High-end Compute, Vast Storage, High Speed Networking
    TARGET COMPUTE PLATFORM (diagram): Desktop; server-based compute resources; Super Computer

    Excellent example of how OCIO-sponsored innovation can be rapidly transformed into services that address Agency mission needs.

  • Slide 19/75: How can NASA benefit from cloud computing?

    ROI and ARC Case Study

    POWER: Computers typically require 70% of their total power requirements to run at just 15% utilization.*

    * 15% utilization based on two reports from Gartner Group, Cost of Traditional Data Centers (2009) and Data Center Efficiency (2010).

  • Slide 20/75: How can NASA benefit from cloud computing?

    ROI and ARC Case Study

    Operational Enhancements:
    - Strict standardization of hardware and infrastructure software components
    - Small numbers of system administrators due to the cookie-cutter design of cloud components and support processes
    - Failure of any single component within the Nebula cloud will not become reason for alarm
    - Application operations will realize similar efficiencies once application developers learn how to properly deploy applications so that they are not reliant on any particular cloud component.

  • Slide 21/75: Agenda (repeat of slide 2)

    OBJECTIVE: Overview of how NASA is implementing cloud computing

  • Slide 22/75: How is NASA implementing cloud computing? (slide image; no text captured)

  • Slide 23/75: How is NASA implementing cloud computing? (slide image; no text captured)

  • Slide 24/75: How is NASA implementing cloud computing? (slide image; no text captured)

  • Slide 25/75: How is NASA implementing cloud computing?

    Nebula Principles:
    - Open and public APIs, everywhere
    - Open-source platform, apps, and data
    - Full transparency
    - Open source code and documentation releases
    - Reference platform: cloud model for Federal Government

  • Slide 26/75: How is NASA implementing cloud computing?

    Nebula User Experience

    A Nebula IaaS user will have an experience similar to Amazon EC2:
    - Dedicated private VLAN for instances
    - Dedicated VPN for access to the private VLAN
    - Public IPs to assign to instances
    - Launch VM instances
    - Dashboard for instance control and API access
    - Able to import/export bundled instances to AWS and other clouds

    Products and companies named for illustrative purposes only and should not be construed as an endorsement.

  • Slide 27/75: How is NASA implementing cloud computing?

    Architecture Drivers: Reliability, Availability, Cost, IT Security

  • Slide 28/75: How is NASA implementing cloud computing?

    Architecture principles (diagram): Shared Nothing; Messaging Queue; State Discovery; Standard Protocols; Automated (IPMI, PXE Boot, Puppet)

  • Slide 29/75: How is NASA implementing cloud computing?

    Nebula Infrastructure Components: Cloud Node, Network Node, Compute Node, Volume Node, Object Node; Monitoring / Metering / Logging / Scanning

  • Slide 30/75: How is NASA implementing cloud computing?

    Cloud Node (diagram): Ubuntu OS, Puppet, PXE; Nova Cloud Node; LDAP; Data Store; RabbitMQ; Redis KVS

  • Slide 31/75: How is NASA implementing cloud computing?

    Compute Node (diagram): Ubuntu OS, Puppet, PXE; KVM; LibVirt; Nova Compute Node; 802.1(q); brctl; Project VLAN; Running Instance

  • Slide 32/75: How is NASA implementing cloud computing?

    Volume Node (diagram): Ubuntu OS, Puppet, PXE; LVM; AoE; Nova Volume Node; Exported Volume

  • Slide 33/75: How is NASA implementing cloud computing?

    Object Node (diagram): Ubuntu OS, Puppet, PXE; Nova Object Node; Nginx

  • Slide 34/75: How is NASA implementing cloud computing?

    Network Node (diagram): Ubuntu OS, Puppet, PXE; Nova Network Node; 802.1(q); brctl; Project VLAN; IPTables; Public Internet

  • Slide 35/75: How is NASA implementing cloud computing?

    Pilot Lessons Learned - Automate Everything
    - No sysadmin is perfect
    - 99% is not good enough
    - NEVER make direct system changes
    - When in doubt, PXE boot

  • Slide 36/75: How is NASA implementing cloud computing?

    Pilot Lessons Learned - Test Everything
    - KVM + jumbo frames
    - Grinder unit tests / cyclomatic complexity
    - Transaction ID insertion (universal proxy)

  • Slide 37/75: How is NASA implementing cloud computing?

    Pilot Lessons Learned - Monitor Everything
    - Ganglia
    - Munin
    - Syslog-NG + PHPSyslog-NG
    - Nagios
    - Custom log parsing (instance-centric)

  • Slide 38/75: Agenda (repeat of slide 2)

    OBJECTIVE: Overview of technical security mechanisms built into Nebula

  • Slide 39/75: Technical Security Overview

    OBJECTIVE: Overview of technical security mechanisms built into Nebula

    - Issues with commercial cloud providers
    - Overview of current security mechanisms
    - Innovations

  • Slide 40/75: How does NASA secure cloud computing?

    Commercial Cloud Provider Security Concerns
    - IT Security not brought into the decision of how and when NASA orgs use clouds
    - IT Security may not know NASA orgs are using clouds until an incident has occurred
    - Without insight into monitoring/IDS/logs, NASA may not find out that an incident has occurred
    - No assurances of sufficient cloud infrastructure access to perform proper forensics/investigations
    - These issues are less likely with a private cloud like Nebula

  • Slide 41/75: How does NASA secure cloud computing?

    IT Security is built into Nebula

    User isolation from Nebula infrastructure:
    - Users only have access to APIs and dashboards
    - No user direct access to Nebula infrastructure

    Project-based separation:
    - A project is a set of compute resources accessible by one or more users
    - Each project has a separate:
      - VLAN for project instances
      - VPN for project users to launch, terminate, and access instances
      - Image library of instances

  • Slide 42/75: How does NASA secure cloud computing?

    Networking
    - RFC1918 address space internal to Nebula
    - NAT is used for those hosts within Nebula needing visibility outside a cluster
    - Three core types of networks within Nebula:
      - Customer: customer VLANs are isolated from each other
      - DMZ: services available to all of Nebula, such as NTP, DNS, etc.
      - Administrative

  • Slide 43/75: How does NASA secure cloud computing?

    Security Groups
    - Combination of VLANs and subnetting
    - Can be extended to use physical network/node separation as well (future)

  • Slide 44/75: How does NASA secure cloud computing? (network diagram)

    Diagram elements: Cloud API; Project A (10.1.1/24); Project B (10.1.2/24); Operations Console (custom); Security Scanners (Nessus, Hydra, etc.); Log Aggregation, SOC Tap; RFC1918 Space (LAN_X); Bridge; Public IP Space; Internet; External Scanner; DMZ Services; Event Correlation Engine

  • Slide 45/75: How does NASA secure cloud computing?

    Firewalls
    - Multiple levels of firewalling:
      - Hardware firewall at site border
      - Firewall on cluster network head-ends
      - Host-based firewalls on key hosts
    - Project-based rule sets based on Amazon security groups
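Slides 42 through 45 describe the network model: RFC1918 project subnets on isolated VLANs, NAT only for hosts that need outside visibility, and per-project rule sets in the style of Amazon security groups enforced on the cluster head-end. The following added example (not Nebula or Nova code) renders such a project rule set into default-deny iptables commands for a network node; the chain and interface naming, the `sg:<project>` source syntax, the VLAN tags and the VPN subnets are assumptions, and the project data is constructed from the slide 44 diagram.

```python
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    """One security-group rule: allow proto/ports from a CIDR, or from another
    project's security group written as 'sg:<project>' (assumed syntax)."""
    proto: str
    port_from: int
    port_to: int
    source: str


@dataclass
class Project:
    name: str
    vlan: int                                           # 802.1q tag of the project VLAN (assumed)
    subnet: str                                         # the project's RFC1918 subnet
    public_ips: dict = field(default_factory=dict)      # private IP -> public IP (1:1 NAT)
    rules: list = field(default_factory=list)


def is_rfc1918(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in RFC1918)


def render(project, projects_by_name):
    """iptables commands for one project on the network node: default-deny into
    the project VLAN, allow only the listed rules, then NAT for public IPs."""
    if not is_rfc1918(project.subnet):
        raise ValueError(f"project subnet {project.subnet} must be RFC1918")
    iface, chain = f"vlan{project.vlan}", f"nebula-{project.name}"
    cmds = [
        f"iptables -N {chain}",
        f"iptables -A FORWARD -o {iface} -j {chain}",          # traffic entering the VLAN
        f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in project.rules:
        if r.source.startswith("sg:"):
            src = projects_by_name[r.source[3:]].subnet        # other group = its VLAN subnet
        else:
            src = str(ipaddress.ip_network(r.source, strict=False))   # rejects malformed input
        match = f"-p {r.proto} -s {src}"
        if r.proto in ("tcp", "udp"):
            match += f" --dport {r.port_from}:{r.port_to}"
        cmds.append(f"iptables -A {chain} {match} -j ACCEPT")
    cmds.append(f"iptables -A {chain} -j DROP")                # everything else is denied
    # Only hosts that need visibility outside the cluster get a public IP (1:1 NAT).
    for private, public in sorted(project.public_ips.items()):
        if not is_rfc1918(private) or is_rfc1918(public):
            raise ValueError(f"NAT entry {private}->{public} is not private->public")
        cmds.append(f"iptables -t nat -A PREROUTING -d {public} -j DNAT --to-destination {private}")
        cmds.append(f"iptables -t nat -A POSTROUTING -s {private} -j SNAT --to-source {public}")
    return cmds


def build_example():
    """Constructed sample: the slide's Project A (10.1.1/24) and Project B (10.1.2/24)."""
    a = Project("projectA", 101, "10.1.1.0/24",
                public_ips={"10.1.1.5": "198.51.100.5"},          # documentation address
                rules=[Rule("tcp", 22, 22, "10.255.0.0/24"),       # assumed project A VPN subnet
                       Rule("tcp", 8080, 8080, "sg:projectB"),     # project B may reach port 8080
                       Rule("icmp", 0, 0, "10.1.1.0/24")])         # ping within the project
    b = Project("projectB", 102, "10.1.2.0/24",
                rules=[Rule("tcp", 22, 22, "10.255.1.0/24")])      # assumed project B VPN subnet
    return render(a, {"projectA": a, "projectB": b})


if __name__ == "__main__":
    print("\n".join(build_example()))
```

Note that the rule list is compiled for the head-end only; the host-based firewalls on key hosts described on slide 45 remain a separate layer.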

  • Slide 46/75: How does NASA secure cloud computing?

    Remote User Access
    - Remote access is only through VPN (OpenVPN)
    - Separate administrative VPN and user VPNs
    - Each project has its own VPN server

  • Slide 47/75: How does NASA secure cloud computing?

    Intrusion Detection
    - OSSEC on key infrastructure hosts (open source host-based intrusion detection)
    - Mirror port to NASA SOC tap
    - Building a 10 Gb/sec IDS/IPS/forensics device with vendor partners

  • Slide 48/75: How does NASA secure cloud computing?

    Configuration Management
    - Puppet used to automatically push out configuration changes to infrastructure
    - Automatic reversion of unauthorized changes to the system

  • Slide 49/75: How does NASA secure cloud computing?

    Vulnerability Scanning
    - Nebula uses both internal and external vulnerability scanners
    - Correlate findings between internal and external scans
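The slide says findings from the internal and external scanners are correlated, but the two see different addresses: the internal scanner sits on the RFC1918 project VLAN while the external scanner sees the public IPs that NAT maps onto instances (slide 42). The added example below (not Nebula code) normalises external findings through a constructed NAT table before bucketing them, so a finding visible from both sides, from one side only, or on a public IP that maps to no known instance can each be handled differently; the finding tuples, project subnets and NAT entries are all constructed.

```python
import ipaddress

# Constructed 1:1 NAT table (public IP -> RFC1918 instance IP) and project subnets
# taken from the slide 44 diagram.
NAT = {"198.51.100.5": "10.1.1.5", "198.51.100.6": "10.1.1.6"}
PROJECT_SUBNETS = {
    "projectA": ipaddress.ip_network("10.1.1.0/24"),
    "projectB": ipaddress.ip_network("10.1.2.0/24"),
}

# Constructed findings as (host, port, finding id). The internal scanner reports
# private IPs; the external scanner reports whatever public IP it reached.
INTERNAL = {
    ("10.1.1.5", 22, "ssh-weak-mac"),
    ("10.1.1.5", 8080, "http-outdated-server"),
    ("10.1.1.6", 22, "ssh-weak-mac"),
    ("10.1.1.6", 3306, "mysql-no-auth"),
}
EXTERNAL = {
    ("198.51.100.5", 22, "ssh-weak-mac"),
    ("198.51.100.5", 8080, "http-outdated-server"),
    ("198.51.100.5", 443, "tls-expired-cert"),     # seen only from outside
    ("198.51.100.9", 80, "http-default-page"),     # public IP with no NAT mapping
}


def normalize_external(external, nat):
    """Rewrite external findings onto instance IPs; keep unmapped ones separate,
    since a public IP nobody owns is itself something to investigate."""
    mapped, unmapped = set(), set()
    for host, port, fid in external:
        if host in nat:
            mapped.add((nat[host], port, fid))
        else:
            unmapped.add((host, port, fid))
    return mapped, unmapped


def project_of(private_ip):
    """Attribute an instance IP to the project whose subnet contains it."""
    ip = ipaddress.ip_address(private_ip)
    for name, net in PROJECT_SUBNETS.items():
        if ip in net:
            return name
    return None


def correlate(internal, external, nat):
    """Bucket findings by which scanner saw them:
    both           -> reachable from the Internet and confirmed inside: fix first
    external_only  -> the inside scanner missed it: a coverage gap to chase
    internal_only  -> blocked at the border/head-end firewall: lower exposure
    unmapped_public-> exposed address not in the NAT table: unknown asset"""
    ext, unmapped = normalize_external(external, nat)
    return {
        "both": sorted(internal & ext),
        "external_only": sorted(ext - internal),
        "internal_only": sorted(internal - ext),
        "unmapped_public": sorted(unmapped),
    }


def per_project_exposure(internal, external, nat):
    """Count Internet-reachable findings per project so each project owner
    gets the list that applies to them."""
    buckets = correlate(internal, external, nat)
    counts = {}
    for host, _, _ in buckets["both"] + buckets["external_only"]:
        project = project_of(host)
        counts[project] = counts.get(project, 0) + 1
    return counts


if __name__ == "__main__":
    for bucket, findings in correlate(INTERNAL, EXTERNAL, NAT).items():
        print(bucket, findings)
    print(per_project_exposure(INTERNAL, EXTERNAL, NAT))
```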

  • Slide 50/75: How does NASA secure cloud computing?

    Incident Response

    Procedures for isolating individual VMs, compute nodes, and clusters, including:
    - Taking a snapshot of suspect VMs, including a memory dump
    - Quarantining a VM within a compute node
    - Disabling VM images so new instances can't be launched
    - Quarantining a compute node within a cluster
    - Quarantining a cluster

  • Slide 51/75: How does NASA secure cloud computing?

    Role Based Access Control
    - Multiple defined roles within a project
    - Role determines which API calls can be invoked:
      - Only the network admin can request non-1918 addresses
      - Only the system admin can bundle new images
      - etc.

  • Slide 52/75: How does NASA secure cloud computing?

    Innovation - Security Gates
    - API calls can be intercepted and security gates can be imposed on the function being called
    - When an instance is launched, it can be scanned automatically for vulnerabilities
    - Long-term vision is a pass/fail launch gate based on scan/monitoring results
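Slides 51 and 52 together describe an interception layer: the caller's role decides which API calls are allowed, and extra gates on specific calls (the non-RFC1918 address rule, a launch gate fed by scan results, the disabled images from slide 50) can refuse a call that the role alone would permit. The added example below (not Nebula or Nova code) implements that layer as a decorator; the role names, API names, CVSS threshold and image scan results are assumptions, and every decision is recorded so the central log servers can see denials.

```python
import functools
import ipaddress

# Role -> API permissions (constructed). Per the slides, only the network admin may
# request non-RFC1918 addresses and only the sysadmin may bundle new images.
PERMISSIONS = {
    "run_instances": {"developer", "sysadmin", "netadmin"},
    "allocate_address": {"developer", "sysadmin", "netadmin"},
    "bundle_image": {"sysadmin"},
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed scan results: image id -> list of (finding, CVSS score).
IMAGE_SCANS = {
    "ami-clean": [],
    "ami-old-ssh": [("ssh-weak-mac", 4.3)],
    "ami-vuln": [("http-outdated-server", 9.8)],
}
DISABLED_IMAGES = {"ami-quarantined"}   # images disabled during incident response (slide 50)
LAUNCH_FAIL_CVSS = 7.0                   # assumed pass/fail threshold for the launch gate
AUDIT = []                               # (decision, user, api, reason), shipped to the log server


class Forbidden(Exception):
    """Raised by the interception layer when a call is blocked."""


class Context:
    def __init__(self, user, project, roles):
        self.user, self.project, self.roles = user, project, frozenset(roles)


def gate(api_name, *checks):
    """Intercept an API call: the role check runs first, then each extra gate.
    A gate is a callable (ctx, kwargs) that raises Forbidden to block the call."""
    def wrap(fn):
        @functools.wraps(fn)
        def inner(ctx, **kw):
            try:
                if not (ctx.roles & PERMISSIONS[api_name]):
                    raise Forbidden(f"{ctx.user} has no role permitted to call {api_name}")
                for check in checks:
                    check(ctx, kw)
            except Forbidden as exc:
                AUDIT.append(("deny", ctx.user, api_name, str(exc)))
                raise
            AUDIT.append(("allow", ctx.user, api_name, ""))
            return fn(ctx, **kw)
        return inner
    return wrap


def non_1918_needs_netadmin(ctx, kw):
    addr = ipaddress.ip_address(kw["address"])
    if not any(addr in net for net in RFC1918) and "netadmin" not in ctx.roles:
        raise Forbidden(f"{addr} is not RFC1918; only the network admin may request it")


def launch_gate(ctx, kw):
    """Pass/fail launch gate driven by the image's scan results and its status."""
    image = kw["image_id"]
    if image in DISABLED_IMAGES:
        raise Forbidden(f"image {image} is disabled; no new instances may be launched")
    findings = IMAGE_SCANS.get(image)
    if findings is None:
        raise Forbidden(f"image {image} has not been scanned; refusing to launch")
    worst = max((score for _, score in findings), default=0.0)
    if worst >= LAUNCH_FAIL_CVSS:
        raise Forbidden(f"image {image} failed the launch gate (worst CVSS {worst})")


@gate("run_instances", launch_gate)
def run_instances(ctx, image_id, count=1):
    return [f"i-{ctx.project}-{image_id}-{n}" for n in range(count)]


@gate("allocate_address", non_1918_needs_netadmin)
def allocate_address(ctx, address):
    return {"project": ctx.project, "address": address}


@gate("bundle_image")
def bundle_image(ctx, instance_id):
    return f"ami-from-{instance_id}"


def denied(call, ctx, **kw):
    """True if the interception layer blocked the call."""
    try:
        call(ctx, **kw)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    dev = Context("alice", "projectA", ["developer"])
    print(run_instances(dev, image_id="ami-clean", count=2))
    print(denied(run_instances, dev, image_id="ami-vuln"))
    print(AUDIT)
```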

  • Slide 53/75: How does NASA secure cloud computing?

    Vision - Security as a Service

    Goal - Automate compliance through security services provided by the cloud provider
    - Security APIs/tools mapped to specific controls
    - Customers could subscribe to tools/services to meet compliance requirements
    - When setting up a new project in the cloud:
      - Customers assert the nature of the data they will use
      - Cloud responds with a list of APIs/tools for customers to use
    - Currently gathering requirements, but funding needed to realize the vision

  • Slide 54/75: How does NASA secure cloud computing?

    Vision - Security Service Bus

    Goal - FISMA compliance through continuous real-time monitoring and situational awareness
    - Security service bus with event-driven messaging engine
    - Correlate events across provider and multiple customers
    - Dashboard view for security providers and customers
    - Allows customers to make risk-based security decisions based on events experienced by other customers

    Funding needed to realize vision

  • Slide 55/75: How does NASA secure cloud computing?

    Nebula Open Source Progress
    - Significant progress in embracing the value of open source software release
    - Agreements with SourceForge and GitHub
    - Open source identified as an essential component of NASA's open government plan
    - Elements of Nebula in open source release pipeline
      - Started Feb 2010. Hope for release in June.
      - Working toward continual incremental releases.
    - Exploring avenues to contribute code to external projects and to accept external contributions to the Nebula code base.

  • Slide 56/75: Agenda (repeat of slide 2)

  • Slide 57/75: Q & A

  • Slide 58/75: Extended Presentation

  • Slide 59/75: Agenda (repeat of slide 2)

    OBJECTIVE: Overview of Nebula C&A with lessons learned

  • Slide 60/75: FISMA & Clouds

    FISMA Overview
    - Federal Information Security Management Act
    - Requires all Government computers to be under a security plan
    - Mandates following NIST security guidance
    - Required controls depend on FIPS-199 sensitivity level
    - Requires periodic assessments of security controls
    - Extremely documentation heavy
    - Assumes one organization has responsibility for the majority of identified security controls
    - FISMA is burdensome to cloud customers; customers want to outsource IT security to the cloud provider

  • Slide 61/75: FISMA & Clouds

    FISMA Responsibilities in Clouds
    - Clouds are a highly dynamic shared management environment
    - Customers retain FISMA responsibilities for aspects of a cloud under their control
    - Responsibilities vary depending on the level of control maintained by the customer
    - Customer control varies relative to service delivery model (SaaS, PaaS, or IaaS)
    - Need to define and document responsibilities
    - We parsed 800-53 Rev3 controls per service delivery model
      - Nebula currently only offers IaaS
      - We parsed all three service models for future planning

  • Slide 62/75: FISMA & Clouds

    Customer FISMA Responsibilities for Cloud

    Customer FISMA responsibilities increase as customers have more control over security measures.

    Diagram axes: service model (SaaS, PaaS, IaaS) against cloud/customer security responsibility. Responsibility areas listed: identifying data types; ensuring data is appropriate to the system; user/account management; personnel controls; software licenses; developer testing; app configuration management; software development lifecycle; OS config mgmt; anti-malware; SW install controls; OS-specific controls; etc.

  • Slide 63/75: FISMA & Clouds

    IaaS Customer Security Plan Coverage Options
    - At inception little guidance existed on cloud computing control responsibilities and security plan coverage
    - FedRAMP primarily addresses cloud provider responsibilities
    - Other than control parsing definitions, customers are given little guidance on implementing and managing FISMA requirements in a highly dynamic shared management environment

    We have developed the following options:

    Option         | Description                                                                                                      | Issues
    ---------------|------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------
    Customer Owned | Customer responsible for own security plan with no assistance from provider                                       | None to providers. Burdensome to customers.
    Facilitated    | Customer responsible for own security plan using NASA template                                                    | May still be burdensome to customers. Not scalable unless automated.
    Agency Owned   | Agency or Center level group security plans associated with cloud providers serve as aggregation point for customer | May be burdensome to Agency or Center. Requires technology to automate input and aggregation of customer data.

  • Slide 64/75: FISMA & Clouds

    Current NASA Requirements/Tools May Impede Cloud Implementation
    - Default security categorization of Scientific and Space Science data as Moderate
    - Independent assessment required for every major change
      - Currently requires 3rd party document-centric audit
      - Not scalable to cloud environments
    - e-Authentication/AD integration required for all NASA apps
      - NASA implementations don't currently support LDAP/SAML-based federated identity management
    - Function-specific stove-piped compliance tools: STRAW / PIA tool / A&A Repository / NASA electronic forms
      - Can't easily automate compliance process for new apps

  • Slide 65/75: FISMA & Clouds

    Emerging Developments in FISMA & Clouds
    - Interagency Cloud Computing Security Working Group is developing additional baseline security requirements for cloud computing providers
    - NIST Cloud Computing guidance forthcoming?
    - Move towards automated risk models and security management tools over documentation
    - On the bleeding edge: changing guidance and requirements are a key risk factor (and opportunity)

  • Slide 66/75: FISMA & Clouds

    Nebula is Contributing to Cloud Standards
    - Federal Cloud Standards Working Group
    - Fed Cloud Computing Security Working Group
    - Federal Risk & Authorization Management Program (FedRAMP)
    - Cloud Audit project: Automated Audit Assertion Assessment & Assurance API
    - Providing feedback to NIST and GAO
    - GSA Cloud PMO

  • Slide 67/75: Agenda (repeat of slide 2)

    OBJECTIVE: Overview of how Nebula concepts may integrate with FedRAMP

  • Slide 68/75: FedRAMP

    Federal Risk and Authorization Management Program (FedRAMP)
    - A Federal Government-wide program to provide joint authorizations and continuous monitoring
    - Unified Government-wide risk management
    - Authorizations can be leveraged throughout the Federal Government
    - This is to be an optional service provided to Agencies that does not supplant existing Agency authority

  • Slide 69/75: FedRAMP

    Independent Agency Risk Management of Cloud Services (diagram: Federal Agencies each dealing separately with Cloud Service Providers (CSP))
    - Duplicative risk management efforts
    - Incompatible agency policies
    - Potential for inconsistent application of Federal security requirements
    - Acquisition slowed by lengthy compliance processes

  • Slide 70/75: FedRAMP

    Federated Risk Management of Cloud Systems (diagram: Federal Agencies and Cloud Service Providers (CSP) connected through FedRAMP, which provides risk management, authorization, continuous monitoring, and Federal security requirements)
    - Risk management cost savings and increased effectiveness
    - Interagency vetted approach
    - Consistent application of Federal security requirements
    - Rapid acquisition through consolidated risk management

  • Slide 71/75: FedRAMP

    FedRAMP Authorization process
    1. Agency X has a need for a new cloud-based IT system.
    2. Agency X gets security requirements for the new IT system from FedRAMP and adds requirements if necessary.
    3. Agency X releases an RFP for the new IT system and awards a contract to a cloud service provider (CSP).
    4. Agency X submits a request to the FedRAMP office for the CSP to be FedRAMP authorized to operate.
    5. CSP is put into the FedRAMP priority queue (prioritization occurs based on factors such as multi-agency use, number of expected users, etc.).

  • Slide 72/75: FedRAMP

    FedRAMP Authorization process (cont.)
    6. CSP and agency sponsor begin the authorization process with the FedRAMP office.
    7. CSP, agency sponsor and FedRAMP office review security requirements and any alternative implementations.
    8. FedRAMP office coordinates with the CSP for creation of the system security plan (SSP).
    9. CSP has an independent assessment of security controls and develops appropriate reports for submission to the FedRAMP office.
    10. FedRAMP office reviews and assembles the final authorization package for the JAB.
    11. JAB reviews the final certification package and authorizes the CSP to operate.
    12. FedRAMP office adds the CSP to the authorized system inventory, to be reviewed and leveraged by all Federal agencies.
    13. FedRAMP provides continuous monitoring of the CSP.

  • Slide 73/75: FedRAMP

    Issues & Concerns
    - FedRAMP doesn't provide much guidance for the customer side, e.g. Agency users of cloud services
    - Current NIST guidance oriented primarily towards static single-system-owner environments
    - Lack of NIST guidance for highly dynamic shared-owner environments, e.g. virtualized data centers and clouds:
      - SSP generation and maintenance
      - Application of SP 800-53 (security controls)
      - Application of SP 800-37 (assessment and ATO)
      - Continuous monitoring
    - Guidance may be forthcoming, but NIST is resource constrained

  • Slide 74/75: FedRAMP

    Potential Solution

    Agency/Center level aggregated SSPs:
    - Plan per CSP, e.g. Nebula, Amazon, Google, Microsoft, etc.
    - Plan covers all customers of a specific CSP
    - Technology integration may be needed with the SSP repository to dynamically update SSP content via a Web Registration site.
    - Or the SSP may be able to point to dynamic content entered and housed on the Web Registration site ... maintained in a Wiki-type doc.

    (slide footer: March 5, 2010)

  • Slide 75/75: Q & A