Main 2010 Tuesday 5 Hunt Linton ChweSpence
8/3/2019 Main 2010 Tuesday 5 Hunt Linton ChweSpence
1/75
Cloud Computing: Architecture, IT Security, & Operational Perspectives
Steven R. Hunt
ARC IT Governance Manager
Ames Research Center
Matt Linton
IT Security Specialist
Ames Research Center
Matt Chew Spence
IT Security Compliance Consultant
Dell Services Federal Government
Ames Research Center
August 17, 2010
2/75
Agenda
Introductions Steve Hunt
What is cloud computing? Matt Chew Spence
How can NASA benefit from cloud computing? Matt Chew Spence
How is NASA implementing cloud computing? Matt Linton
How does NASA secure cloud computing? Matt Linton
Q&A Presentation Team
Extended Presentation
FISMA & Clouds Matt Chew Spence, Steve Hunt
Assessment, Authorization, & FedRAMP Steve Hunt
3/75
OBJECTIVE: Overview of cloud computing and share vocabulary
4/75
Cloud Computing, NIST definition: A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
What is Cloud Computing?
5/75
Conventional Computing vs. Cloud Computing
Conventional | Cloud
Manually provisioned | Self-provisioned
Dedicated hardware | Shared hardware
Fixed capacity | Elastic capacity
Pay for capacity | Pay for use
Capital & operational expenses | Operational expenses
Managed via sysadmins | Managed via APIs
What is Cloud Computing?
6/75
Five Key Cloud Attributes:
1. Shared / pooled resources
2. Broad network access
3. On-demand self-service
4. Scalable and elastic
5. Metered by use
What is Cloud Computing?
7/75
Shared / Pooled Resources:
Resources are drawn from a common pool
Common resources build economies of scale
Common infrastructure runs at high efficiency
What is Cloud Computing?
8/75
Broad Network Access:
Open standards and APIs
Almost always IP, HTTP, and REST
Available from anywhere with an internet connection
What is Cloud Computing?
9/75
On-Demand Self-Service:
Completely automated
Users abstracted from the implementation
Near real-time delivery (seconds or minutes)
Services accessed through a self-serve web interface
What is Cloud Computing?
10/75
Scalable and Elastic:
Resources dynamically allocated between users
Additional resources dynamically released when needed
Fully automated
What is Cloud Computing?
11/75
Metered by Use:
Services are metered, like a utility
Users pay only for services used
Services can be cancelled at any time
What is Cloud Computing?
12/75
Three Service Delivery Models
IaaS: Infrastructure as a Service (diagram: virtual machines, virtual networks). Consumer can provision computing resources within provider's infrastructure upon which they can deploy and run arbitrary software, including OS and applications.
PaaS: Platform as a Service (diagram: auto elastic, continuous integration). Consumer can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure.
SaaS: Software as a Service (diagram: built for cloud, uses PaaS). Consumer uses provider's applications running on provider's cloud infrastructure.
What is Cloud Computing?
13/75
What is Cloud Computing?
Service Delivery Model Examples (diagram: SaaS, PaaS and IaaS offerings from Amazon, Google, Microsoft, Salesforce)
Products and companies shown for illustrative purposes only and should not be construed as an endorsement
14/75
Cloud efficiencies and improvements
Cost efficiencies
Time efficiencies
Power efficiencies
Improved process control
Improved security
Unlimited capacity
Examples given on the slide: burst capacity (over-provisioning), short-duration projects, cancelled or failed missions ($); procurement, network connectivity; standardized, updated base images; centrally auditable log servers; centralized authentication systems; improved forensics (w/ drive image)
What is Cloud Computing?
15/75
OBJECTIVE: Discuss requirements, use cases, and ROI
16/75
How can NASA benefit from cloud computing?
Current IT options for Scientists
Requirements*: science-scale application development; very large dataset processing; compute-intensive processing; timely sharing of results with collaborators and the public; missions
Current Options*:
BUILD IT: Build my own IT infrastructure that may/may not comply with Federal/Agency IT security standards.
BUY IT: Go through a lengthy procurement and provisioning process for basic IT services.
DO NOTHING: The current basic IT services model is cost prohibitive and I cannot afford to process my data and share with collaborators and the public at large.
* Requirements and Options documented in over 30+ interviews with Ames scientists as part of the 2009 NASA Workstation project.
17/75
Mission Objectives: Explore, Understand, and Share (Exploration, Space Ops, Science, Aeronautics)
High Compute, Vast Storage, High Speed Networking
Use cases: process large data sets; scale-out for one-time events; require infrastructure on-demand; store mission & science data; share information with the public; run compute intensive workloads
(diagram labels: Mission, OCIO Innovation, Shared Resource, Mission Support)
How can NASA benefit from cloud computing?
Scientists direct access to Nebula cloud computing
18/75
Target compute platform: high-end compute, vast storage, high speed networking (diagram: desktop, server-based compute resources, supercomputer)
Excellent example of how OCIO-sponsored innovation can be rapidly transformed into services that address Agency mission needs
How can NASA benefit from cloud computing?
Offer scientists services to address the gap
19/75
ROI and ARC Case Study
How can NASA benefit from cloud computing?
POWER: Computers typically require 70% of their total power requirements to run at just 15% utilization.*
*15% utilization based on two reports from Gartner Group, Cost of Traditional Data Centers (2009), and Data Center Efficiency (2010).
20/75
Operational Enhancements:
Strict standardization of hardware and infrastructure software components
Small numbers of system administrators due to the cookie-cutter design of cloud components and support processes
Failure of any single component within the Nebula cloud will not become reason for alarm
Application operations will realize similar efficiencies once application developers learn how to properly deploy applications so that they are not reliant on any particular cloud component.
ROI and ARC Case Study
How can NASA benefit from cloud computing?
21/75
OBJECTIVE: Overview of how NASA is implementing cloud computing
22/75
How is NASA implementing cloud computing?
23/75
How is NASA implementing cloud computing?
24/75
How is NASA implementing cloud computing?
25/75
Nebula Principles
Open and Public APIs, everywhere
Open-source platform, apps, and data
Full transparency
Open source code and documentation releases
Reference platform: cloud model for Federal Government
How is NASA implementing cloud computing?
26/75
Nebula User Experience
Nebula IaaS user will have an experience similar to Amazon EC2:
Dedicated private VLAN for instances
Dedicated VPN for access to private VLAN
Public IPs to assign to instances
Launch VM instances
Dashboard for instance control and API access
Able to import/export bundled instances to AWS and other clouds
How is NASA implementing cloud computing?
Products and companies named for illustrative purposes only and should not be construed as an endorsement
27/75
Architecture Drivers
Reliability
Availability
Cost
IT Security
How is NASA implementing cloud computing?
28/75
(diagram) Nebula architecture labels: Shared Nothing, Messaging Queue, State Discovery, Standard Protocols, Automated (IPMI, PXE Boot, Puppet)
How is NASA implementing cloud computing?
29/75
Nebula Infrastructure Components
Cloud Node
Network Node
Compute Node
Volume Node
Object Node
Monitoring / Metering / Logging / Scanning
How is NASA implementing cloud computing?
30/75
Cloud Node (diagram): Ubuntu OS, Puppet, PXE, Nova Cloud Node; LDAP, Data Store, RabbitMQ, Redis KVS
How is NASA implementing cloud computing?
31/75
Compute Node (diagram): Ubuntu OS, Puppet, PXE, KVM, LibVirt, Nova Compute Node, 802.1(q), Brctl, Project VLAN, Running Instance
How is NASA implementing cloud computing?
32/75
Volume Node (diagram): Ubuntu OS, Puppet, PXE, LVM, AoE, Nova Volume Node, Exported Volume
How is NASA implementing cloud computing?
33/75
Object Node (diagram): Ubuntu OS, Puppet, PXE, Nova Object Node, Nginx
How is NASA implementing cloud computing?
34/75
Network Node (diagram): Ubuntu OS, Puppet, PXE, Nova Network Node, 802.1(q), Brctl, Project VLAN, IPTables, Public Internet
How is NASA implementing cloud computing?
35/75
Pilot Lessons Learned - Automate Everything
No SysAdmin is perfect
99% is not good enough
NEVER make direct system changes
When in doubt - PXEBoot
How is NASA implementing cloud computing?
36/75
Pilot Lessons Learned - Test Everything
KVM + Jumbo Frames
Grinder Unit Tests / Cyclometric Complexity
TransactionID Insertion (Universal Proxy)
How is NASA implementing cloud computing?
37/75
Pilot Lessons Learned - Monitor Everything
Ganglia
Munin
Syslog-NG + PHPSyslog-NG
Nagios
Custom Log Parsing (Instance-centric)
How is NASA implementing cloud computing?
38/75
OBJECTIVE: Overview of technical security mechanisms built into Nebula
39/75
Technical Security Overview
Issues with Commercial Cloud Providers
Overview of Current Security Mechanisms
Innovations
OBJECTIVE: Overview of technical security mechanisms built into Nebula
40/75
How does NASA secure cloud computing?
Commercial Cloud Provider Security Concerns
IT Security not brought into decision of how & when NASA orgs use clouds
IT Security may not know NASA orgs are using clouds until an incident has occurred
Without insight into monitoring/IDS/logs, NASA may not find out that an incident has occurred
No assurances of sufficient cloud infrastructure access to perform proper forensics/investigations
These issues are less likely with a private cloud like Nebula
41/75
How does NASA secure cloud computing?
IT Security is built into Nebula
User Isolation from Nebula Infrastructure
Users only have access to APIs and Dashboards
No user direct access to Nebula infrastructure
Project-based separation
A project is a set of compute resources accessible by one or more users
Each project has separate:
VLAN for project instances
VPN for project users to launch, terminate, and access instances
Image library of instances
42/75
How does NASA secure cloud computing?
Networking
RFC1918 address space internal to Nebula
NAT is used for those hosts within Nebula needing visibility outside a cluster
Three core types of networks within Nebula:
Customer: customer VLANs are isolated from each other
DMZ: services available to all Nebula such as NTP, DNS, etc
Administrative
43/75
Security Groups
Combination of VLANs and subnetting
Can be extended to use physical network/node separation as well (future)
How does NASA secure cloud computing?
44/75
(diagram) Nebula security architecture, labels: Cloud APIs, SMR, Project A (10.1.1/24), Project B (10.1.2/24), Operations Console (custom), Security Scanners (Nessus, Hydra, etc), Log Aggregation / SOC Tap, RFC1918 Space (LAN_X), Bridge, Public IP Space, Internet, External Scanner, DMZ Services, Event Correlation Engine
How does NASA secure cloud computing?
45/75
How does NASA secure cloud computing?
Firewalls
Multiple levels of firewalling
Hardware firewall at site border
Firewall on cluster network head-ends
Host-based firewalls on key hosts
Project based rule sets based on Amazon security groups
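One way to turn the two slides above into code (security groups as a combination of VLANs and subnetting, and project rule sets modelled on Amazon security groups), as an added example that is not Nebula's own code: a Python model that checks projects for VLAN and RFC1918 subnet isolation and renders each project's rule set as default-deny iptables rules on the network node. The interface naming (vlan<id>), the chain naming and the per-project VPN source ranges are assumptions; the 10.1.1.0/24 and 10.1.2.0/24 project subnets follow the architecture diagram.

```python
"""Project-scoped security groups rendered as iptables rules.

Added example, not Nebula's code: pairs a per-project VLAN and RFC1918
subnet with an Amazon-style security-group rule set, checks that projects
stay isolated from each other, and renders the filter rules a network node
would apply. Interface and chain names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp" or "icmp"
    port: Optional[int]   # None for icmp
    source: str           # CIDR permitted to reach the project


@dataclass
class Project:
    name: str
    vlan: int
    subnet: str           # private range carved out for the project's instances
    rules: List[Rule] = field(default_factory=list)


def check_isolation(projects: List[Project]) -> List[str]:
    """Every project needs its own VLAN and a non-overlapping RFC1918 subnet."""
    problems = []
    for p in projects:
        net = ipaddress.ip_network(p.subnet)
        if not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{p.name} subnet {p.subnet} is not RFC1918")
    for i, a in enumerate(projects):
        for b in projects[i + 1:]:
            if a.vlan == b.vlan:
                problems.append(f"{a.name}/{b.name} share VLAN {a.vlan}")
            if ipaddress.ip_network(a.subnet).overlaps(ipaddress.ip_network(b.subnet)):
                problems.append(f"{a.name}/{b.name} subnets overlap")
    return problems


def render_iptables(project: Project) -> List[str]:
    """Render a default-deny FORWARD policy for one project VLAN.

    Traffic bound for the project's subnet is handed to a per-project chain:
    established replies are accepted, then each security-group rule, then DROP.
    The vlan<id> interface name is an assumption for the example.
    """
    iface = f"vlan{project.vlan}"
    chain = f"PROJ_{project.name.upper()}"
    lines = [
        f"iptables -N {chain}",
        f"iptables -A FORWARD -o {iface} -d {project.subnet} -j {chain}",
        f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in project.rules:
        port = f" --dport {r.port}" if r.port is not None else ""
        lines.append(f"iptables -A {chain} -p {r.proto}{port} -s {r.source} -j ACCEPT")
    lines.append(f"iptables -A {chain} -j DROP")
    return lines


# Constructed sample: the two projects from the architecture diagram, each with
# an ssh rule scoped to an assumed per-project VPN range plus one wider rule.
SAMPLE_PROJECTS = [
    Project("project_a", 101, "10.1.1.0/24",
            [Rule("tcp", 22, "10.0.1.0/24"), Rule("tcp", 80, "0.0.0.0/0")]),
    Project("project_b", 102, "10.1.2.0/24",
            [Rule("tcp", 22, "10.0.2.0/24"), Rule("icmp", None, "10.1.2.0/24")]),
]

if __name__ == "__main__":
    print("isolation problems:", check_isolation(SAMPLE_PROJECTS))
    for p in SAMPLE_PROJECTS:
        print("\n".join(render_iptables(p)))
```

The isolation check is the part worth keeping around: a VLAN number reused between projects, or two subnets that overlap, silently defeats the separation the rules assume, and it is cheap to verify every time a project is created.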
46/75
How does NASA secure cloud computing?
Remote User Access
Remote access is only through VPN (openVPN)
Separate administrative VPN and user VPNs
Each project has own VPN server
47/75
How does NASA secure cloud computing?
Intrusion Detection
OSSEC on key infrastructure hosts
Open source Host-based Intrusion Detection
Mirror port to NASA SOC tap
Building 10Gb/sec IDS/IPS/Forensics device with vendor partners
48/75
How does NASA secure cloud computing?
Configuration Management
Puppet used to automatically push out configuration changes to infrastructure
Automatic reversion of unauthorized changes to system
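The reversion behaviour described above, as an added example rather than Nebula's or Puppet's code: a miniature desired-state agent that restores missing managed files, reverts edited ones, records an audit event for each correction, and flags paths whose drift keeps coming back. The "filesystem" is an in-memory dict so the example runs offline; the paths and contents are constructed.

```python
"""Desired-state enforcement with audit events.

Added example, not Nebula's or Puppet's code: an agent that pushes the
managed configuration out and reverts any unauthorized change it finds.
The host state is an in-memory dict; paths and contents are constructed.
"""
import hashlib
from typing import Dict, List, Tuple

Event = Dict[str, str]


def digest(content: str) -> str:
    """Short content hash recorded in audit events instead of raw contents."""
    return hashlib.sha256(content.encode()).hexdigest()[:12]


def reconcile(desired: Dict[str, str], actual: Dict[str, str]) -> Tuple[Dict[str, str], List[Event]]:
    """Return the corrected state and one event per managed file that drifted.

    Files the manifest does not mention are left alone; managed files are
    restored if missing and reverted if their content differs.
    """
    corrected = dict(actual)
    events: List[Event] = []
    for path, want in desired.items():
        have = actual.get(path)
        if have == want:
            continue
        events.append({
            "path": path,
            "action": "restored" if have is None else "reverted",
            "observed": "" if have is None else digest(have),
            "enforced": digest(want),
        })
        corrected[path] = want
    return corrected, events


def repeat_offenders(history: List[List[Event]], threshold: int = 2) -> List[str]:
    """Paths corrected in at least `threshold` runs.

    Drift that returns after every run is a signal for a person to look at
    (a process rewriting the file, or someone bypassing the agent), not only
    for the agent to keep correcting.
    """
    counts: Dict[str, int] = {}
    for run in history:
        for ev in run:
            counts[ev["path"]] = counts.get(ev["path"], 0) + 1
    return sorted(p for p, n in counts.items() if n >= threshold)


# Constructed manifest and observed host state.
DESIRED = {
    "/etc/ntp.conf": "server ntp.dmz.nebula.example iburst\n",
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
}
OBSERVED = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",  # hand edit
    "/home/ops/notes.txt": "unmanaged file, must be left alone\n",
}

if __name__ == "__main__":
    state, evs = reconcile(DESIRED, OBSERVED)
    for ev in evs:
        print(ev)
```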
49/75
How does NASA secure cloud computing?
Vulnerability Scanning
Nebula uses both internal and external vulnerability scanners
Correlate findings between internal and external scans
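The correlation step above, as an added example that is not Nebula's code: findings from the two vantage points are joined on (host, port, check) so that a finding seen by both scanners ranks as externally exposed, one seen only inside ranks lower, and one seen only from outside is flagged as a coverage or firewall question. The findings are constructed, and the example assumes both scanners report the same internal host identifier (i.e. the NAT mapping has already been resolved).

```python
"""Correlating internal and external vulnerability scan findings.

Added example, not Nebula's code. Joins two result sets on (host, port,
check) and orders remediation by exposure first, severity second. Sample
findings are constructed; both scanners are assumed to report the same
internal host identifier.
"""
from collections import namedtuple
from typing import Dict, List, Tuple

Finding = namedtuple("Finding", "host port check severity")
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
CATEGORY_RANK = {"externally_exposed": 0, "external_only": 1, "internal_only": 2}


def correlate(internal: List[Finding], external: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings by which scanner(s) observed them."""
    key = lambda f: (f.host, f.port, f.check)
    seen_inside = {key(f): f for f in internal}
    seen_outside = {key(f): f for f in external}
    out: Dict[str, List[Finding]] = {"externally_exposed": [], "internal_only": [], "external_only": []}
    for k, f in seen_inside.items():
        out["externally_exposed" if k in seen_outside else "internal_only"].append(f)
    for k, f in seen_outside.items():
        if k not in seen_inside:
            # Reachable from outside but not seen inside: either the internal
            # scanner is missing coverage or something is exposed that the
            # inventory does not know about. Both deserve a look.
            out["external_only"].append(f)
    return out


def work_queue(correlated: Dict[str, List[Finding]]) -> List[Tuple[str, Finding]]:
    """Order remediation: exposed first, then unexplained external-only,
    then internal-only; severity breaks ties, then host and port."""
    items = [(cat, f) for cat, fs in correlated.items() for f in fs]
    return sorted(items, key=lambda cf: (CATEGORY_RANK[cf[0]], SEVERITY_RANK[cf[1].severity],
                                         cf[1].host, cf[1].port))


# Constructed scan output for two project hosts.
INTERNAL = [
    Finding("10.1.1.5", 22, "ssh-weak-ciphers", "medium"),
    Finding("10.1.1.5", 80, "outdated-httpd", "high"),
    Finding("10.1.2.7", 3306, "mysql-no-auth", "critical"),
]
EXTERNAL = [
    Finding("10.1.1.5", 80, "outdated-httpd", "high"),
    Finding("10.1.1.5", 443, "expired-tls-cert", "low"),
]

if __name__ == "__main__":
    for category, finding in work_queue(correlate(INTERNAL, EXTERNAL)):
        print(f"{category:20} {finding.host}:{finding.port} {finding.check} ({finding.severity})")
```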
50/75
How does NASA secure cloud computing?
Incident Response
Procedures for isolating individual VMs, compute nodes, and clusters, including:
Taking snapshot of suspect VMs, including memory dump
Quarantining a VM within a compute node
Disabling VM images so new instances can't be launched
Quarantining a compute node within a cluster
Quarantining a cluster
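The containment scopes listed above, as an added example that is not Nebula's code: a model in which quarantining a VM snapshots it (disk and memory) before cutting it off, quarantining a node cascades to every VM placed on it, quarantining the cluster cascades to every node, a disabled image cannot launch, and a single launch check honours all of those scopes. The inventory, VM ids and snapshot file names are constructed.

```python
"""Containment scopes for a cloud incident: VM, compute node, cluster.

Added example, not Nebula's code. Evidence is captured before containment,
wider scopes cascade to narrower ones, and a launch check refuses anything
a current quarantine or image disablement rules out. Inventory is constructed.
"""
from typing import Dict, List, Optional, Set


class Cluster:
    def __init__(self, placement: Dict[str, Dict[str, str]]):
        self.placement = placement                 # node -> {vm id: image id}
        self.quarantined_vms: Set[str] = set()
        self.quarantined_nodes: Set[str] = set()
        self.cluster_quarantined = False
        self.disabled_images: Set[str] = set()
        self.evidence: List[Dict[str, str]] = []   # snapshot records, in capture order
        self.timeline: List[str] = []              # actions taken, in order

    def _node_of(self, vm: str) -> str:
        for node, vms in self.placement.items():
            if vm in vms:
                return node
        raise KeyError(vm)

    def snapshot(self, vm: str) -> Dict[str, str]:
        """Record disk and memory captures for a VM (file names are constructed)."""
        rec = {"vm": vm, "node": self._node_of(vm),
               "memory": f"{vm}-mem.dump", "disk": f"{vm}-disk.qcow2"}
        self.evidence.append(rec)
        self.timeline.append(f"snapshot {vm}")
        return rec

    def quarantine_vm(self, vm: str) -> None:
        """Evidence first, then containment: snapshot, then cut the VM off."""
        if vm in self.quarantined_vms:
            return
        self.snapshot(vm)
        self.quarantined_vms.add(vm)
        self.timeline.append(f"isolate {vm}")

    def disable_image(self, image: str) -> None:
        self.disabled_images.add(image)
        self.timeline.append(f"disable image {image}")

    def quarantine_node(self, node: str) -> List[str]:
        """Quarantine a node and every VM placed on it; returns the VMs affected."""
        affected = sorted(self.placement[node])
        for vm in affected:
            self.quarantine_vm(vm)
        self.quarantined_nodes.add(node)
        self.timeline.append(f"quarantine node {node}")
        return affected

    def quarantine_cluster(self) -> None:
        for node in list(self.placement):
            self.quarantine_node(node)
        self.cluster_quarantined = True
        self.timeline.append("quarantine cluster")

    def launch_refusal(self, image: str, node: str) -> Optional[str]:
        """Why a new instance may not start here, or None if it may."""
        if self.cluster_quarantined:
            return "cluster quarantined"
        if node in self.quarantined_nodes:
            return f"node {node} quarantined"
        if image in self.disabled_images:
            return f"image {image} disabled"
        return None


# Constructed placement: two nodes, three instances, two images.
PLACEMENT = {
    "node-1": {"i-101": "img-web", "i-102": "img-db"},
    "node-2": {"i-201": "img-web"},
}

if __name__ == "__main__":
    c = Cluster({n: dict(v) for n, v in PLACEMENT.items()})
    c.quarantine_vm("i-102")
    c.disable_image("img-db")
    print(c.quarantine_node("node-1"), c.launch_refusal("img-web", "node-1"))
    print("\n".join(c.timeline))
```

The ordering inside quarantine_vm is the point: a VM that is already quarantined is not snapshotted twice, and no VM is isolated before its snapshot exists, so the evidence record matches the state the VM was in when it was caught.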
51/75
How does NASA secure cloud computing?
Role Based Access Control
Multiple defined roles within a project
Role determines which API calls can be invoked
Only network admin can request non-1918 addresses
Only system admin can bundle new images
etc
52/75
How does NASA secure cloud computing?
Innovation - Security Gates
API calls can be intercepted and security gates can be imposed on function being called
When an instance is launched, it can be scanned automatically for vulnerabilities
Long term vision is to have a pass/fail launch gate based on scan/monitoring results
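The role-based access control slide and the security gates slide describe two checks on the same API path: the role decides which calls may be invoked at all, and a gate interposed on a call can refuse an individual request. Both together, as an added example that is not Nebula's or Nova's code: a dispatcher that consults a role table, then runs every gate registered for the call (an RFC1918 check on address requests, a pass/fail scan gate on launches), then performs the call. The role names, call names and scan records are constructed.

```python
"""Role-based API authorization with interposed security gates.

Added example, not Nebula's or Nova's code. The RBAC slide says the role
decides which API calls may be invoked (only the network admin may request
non-RFC1918 addresses, only the system admin may bundle images); the security
gates slide says calls can be intercepted and a launch scanned before it
proceeds. Role names, call names and the scan results are constructed.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Calls each project role may invoke (assumed role set for the example).
ROLE_CALLS = {
    "user": {"describe_instances", "run_instances", "allocate_address"},
    "netadmin": {"describe_instances", "allocate_address"},
    "sysadmin": {"describe_instances", "run_instances", "register_image"},
}


class Denied(Exception):
    """The role may not invoke this call at all."""


class GateFailed(Exception):
    """The role may invoke the call, but a gate refused this request."""


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def address_gate(role: str, params: dict, api: "ProjectApi") -> Optional[str]:
    """Private addresses are self-service; anything else needs the netadmin role."""
    if not is_rfc1918(params["address"]) and role != "netadmin":
        return f"{params['address']} is outside RFC1918; netadmin role required"
    return None


def launch_scan_gate(role: str, params: dict, api: "ProjectApi") -> Optional[str]:
    """Pass/fail launch gate: no scan on record, or any high/critical finding, blocks."""
    findings = api.scan_results.get(params["image"])
    if findings is None:
        return f"image {params['image']} has no scan on record"
    blocking = [title for sev, title in findings if sev in ("critical", "high")]
    return f"image {params['image']} fails launch gate: {', '.join(blocking)}" if blocking else None


class ProjectApi:
    def __init__(self, scan_results: Dict[str, List[Tuple[str, str]]]):
        self.scan_results = scan_results          # image id -> [(severity, title)]
        self.gates: Dict[str, List[Callable[..., Optional[str]]]] = {
            "allocate_address": [address_gate],
            "run_instances": [launch_scan_gate],
        }
        self.instances: List[str] = []

    def invoke(self, role: str, call: str, **params):
        """Role check, then every gate registered for the call, then the call itself."""
        if call not in ROLE_CALLS.get(role, set()):
            raise Denied(f"role {role!r} may not call {call}")
        for gate in self.gates.get(call, []):
            reason = gate(role, params, self)
            if reason:
                raise GateFailed(reason)
        return getattr(self, "_" + call)(**params)

    def attempt(self, role: str, call: str, **params) -> Tuple[str, str]:
        """Like invoke, but reports the outcome as (status, detail) instead of raising."""
        try:
            return "ok", str(self.invoke(role, call, **params))
        except Denied as exc:
            return "denied", str(exc)
        except GateFailed as exc:
            return "gate", str(exc)

    # Stand-ins for the backing cloud operations.
    def _describe_instances(self):
        return list(self.instances)

    def _run_instances(self, image):
        self.instances.append(f"i-{len(self.instances) + 1}")
        return self.instances[-1]

    def _allocate_address(self, address):
        return address

    def _register_image(self, image):
        # A freshly bundled image has no scan record yet, so the launch gate
        # holds it back until the scanner has produced one.
        return image


# Constructed scan records for two images.
SCANS = {
    "img-clean": [("low", "server banner discloses version")],
    "img-vuln": [("critical", "unpatched kernel"), ("low", "world-readable log directory")],
}
```

Gates see the role and the parameters but not the backing operation, which keeps the policy (who may do what, to which image or address) separate from the mechanism; adding a monitoring-based gate later is a matter of appending one more function to the list for the call.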
53/75
How does NASA secure cloud computing?
Vision - Security as a Service
Goal - Automate compliance through security services provided by cloud provider
Security APIs/tools mapped to specific controls
Customers could subscribe to tools/services to meet compliance requirements
When setting up new project in cloud:
Customers assert nature of data they will use
Cloud responds with list of APIs/tools for customers to use
Currently gathering requirements but funding needed to realize vision
54/75
How does NASA secure cloud computing?
Vision - Security Service Bus
Goal - FISMA compliance through continuous real-time monitoring and situational awareness
Security service bus with event driven messaging engine
Correlate events across provider and multiple customers
Dashboard view for security providers and customers
Allows customers to make risk-based security decisions based on events experienced by other customers
Funding Needed to Realize Vision
55/75
Nebula Open Source Progress
Significant progress in embracing the value of open source software release
Agreements with SourceForge and Github
Open source identified as an essential component of NASA's open government plan
Elements of Nebula in open source release pipeline
Started Feb 2010. Hope for release in June.
Working toward continual incremental releases.
Exploring avenues to contribute code to external projects and to accept external contributions to the Nebula code base.
How does NASA secure cloud computing?
56/75
Agenda
57/75
Q & A
58/75
Extended Presentation
59/75
OBJECTIVE: Overview of Nebula C&A with Lessons Learned
60/75
FISMA & Clouds
FISMA Overview
Federal Information Security Management Act
Requires all Govt computers to be under a security plan
Mandates following NIST security guidance
Required controls depend on FIPS-199 sensitivity level
Requires periodic assessments of security controls
Extremely documentation heavy
Assumes one organization has responsibility for majority of identified security controls
FISMA is burdensome to cloud customers
Customers want to outsource IT Security to cloud provider
61/75
FISMA & Clouds
FISMA Responsibilities in Clouds
Clouds are a Highly Dynamic Shared Management Environment
Customers retain FISMA responsibilities for aspects of a cloud under their control
Responsibilities vary depending on level of control maintained by customer
Customer control varies relative to service delivery model (SaaS, PaaS, or IaaS)
Need to define & document responsibilities
We parsed 800-53 Rev3 controls per service delivery model
Nebula currently only offers IaaS
We parsed all three service models for future planning
62/75
Customer FISMA Responsibilities for Cloud
Customer FISMA responsibilities increase as Customers have more control over security measures
(diagram) Cloud customer security responsibility by service model, SaaS to PaaS to IaaS; responsibilities listed: identifying data types; ensuring data appropriate to system; user/account management; personnel controls; software licenses; developer testing; app configuration management; software development lifecycle; OS config mgmt; anti-malware; SW install controls; OS specific controls; etc
FISMA & Clouds
63/75
FISMA & Clouds
IaaS Customer Security Plan Coverage Options
At inception little guidance existed on cloud computing control responsibilities & security plan coverage
FedRAMP primarily addresses cloud provider responsibilities
Other than control parsing definitions, Customers are given little guidance on implementing and managing FISMA requirements in a highly dynamic shared management environment
We have developed the following options:
Option | Description | Issues
Customer Owned | Customer responsible for own security plan with no assistance from provider | None to providers; burdensome to customers
Facilitated | Customer responsible for own security plan using NASA template | May still be burdensome to customers; not scalable unless automated
Agency Owned | Agency or Center level group security plans associated with cloud providers serve as aggregation point for customer | May be burdensome to Agency or Center; requires technology to automate input and aggregation of customer data
64/75
FISMA & Clouds
Current NASA Requirements/Tools may Impede Cloud Implementation
Default security categorization of Scientific and Space Science data as Moderate
Independent assessment required for every major change
Currently requires 3rd party document-centric audit
Not scalable to cloud environments
e-Authentication/AD integration required for all NASA Apps
NASA implementations don't currently support LDAP/SAML-based federated identity management
Function-specific stove-piped compliance tools: STRAW/PIA tool/A&A Repository/NASA electronic forms
Can't easily automate compliance process for new apps
65/75
FISMA & Clouds
Emerging Developments in FISMA & Clouds
Interagency Cloud Computing Security Working Group is developing additional baseline security requirements for cloud computing providers
NIST Cloud Computing guidance forthcoming?
Move towards automated risk models and security management tools over documentation
On the bleeding edge - changing guidance & requirements are a key risk factor (and opportunity)
66/75
FISMA & Clouds
Nebula is Contributing to Cloud Standards
Federal Cloud Standards Working Group
Fed Cloud Computing Security Working Group
Federal Risk & Authorization Management Program (FedRAMP)
Cloud Audit project
Automated Audit Assertion Assessment & Assurance API
Providing Feedback to NIST and GAO
GSA Cloud PMO
67/75
OBJECTIVE: Overview of how Nebula concepts may integrate with FedRAMP
68/75
Federal Risk and Authorization Management Program (FedRAMP)
A Federal Government-Wide program to provide Joint Authorizations and Continuous Monitoring
Unified Government-Wide risk management
Authorizations can be leveraged throughout Federal Government
This is to be an optional service provided to Agencies that does not supplant existing Agency authority
FedRAMP
69/75
Independent Agency Risk Management of Cloud Services (diagram: Federal Agencies, Cloud Service Providers (CSP))
Duplicative risk management efforts
Incompatible agency policies
Potential for inconsistent application of Federal security requirements
Acquisition slowed by lengthy compliance processes
FedRAMP
70/75
Federated Risk Management of Cloud Systems (diagram: Federal Agencies, Cloud Service Providers (CSP), FedRAMP providing Risk Management, Authorization, Continuous Monitoring, Federal Security Requirements)
Risk management cost savings and increased effectiveness
Interagency vetted approach
Consistent application of Federal security requirements
Rapid acquisition through consolidated risk management
FedRAMP
71/75
FedRAMP Authorization process
1. Agency X has a need for a new cloud based IT system
2. Agency X gets security requirements for the new IT system from FedRAMP and adds requirements if necessary
3. Agency X releases RFP for new IT system and awards contract to cloud service provider (CSP)
4. Agency X submits request to FedRAMP office for CSP to be FedRAMP authorized to operate
5. CSP is put into FedRAMP priority queue (prioritization occurs based on factors such as multi-agency use, number of expected users, etc.)
FedRAMP
72/75
FedRAMP Authorization process (cont)
6. CSP and agency sponsor begin authorization process with FedRAMP office
7. CSP, agency sponsor and FedRAMP office review security requirements and any alternative implementations
8. FedRAMP office coordinates with CSP for creation of system security plan (SSP)
9. CSP has independent assessment of security controls and develops appropriate reports for submission to FedRAMP office
10. FedRAMP office reviews and assembles the final authorization package for the JAB
11. JAB reviews final certification package and authorizes CSP to operate
12. FedRAMP office adds CSP to authorized system inventory to be reviewed and leveraged by all Federal agencies
13. FedRAMP provides continuous monitoring of CSP
FedRAMP
73/75
Issues & Concerns
FedRAMP doesn't provide much guidance for customer side, e.g. Agency users of cloud services
Current NIST guidance oriented primarily towards Static Single System Owner environments
Lack of NIST guidance for Highly Dynamic Shared Owner environments, e.g. Virtualized Data Centers & Clouds:
SSP generation & maintenance
Application of SP 800-53 (security controls)
Application of SP 800-37 (assessment & ATO)
Continuous Monitoring
Guidance may be forthcoming but NIST is resource constrained
FedRAMP
74/75
Potential Solution
Agency/Center level Aggregated SSPs:
Plan per CSP e.g. Nebula, Amazon, Google, Microsoft etc.
Plan covers all customers of a specific CSP
Technology integration may be needed with SSP repository to dynamically update SSP content via Web Registration site.
Or SSP may be able to point to dynamic content entered and housed on Web Registration site ... maintained in Wiki type doc.
March 5, 2010
FedRAMP
75/75
Q & A