Steven R. Hunt
ARC IT Governance Manager
Ames Research Center
Matt Linton
IT Security Specialist
Ames Research Center
Agenda
OBJECTIVE: Overview of cloud computing and share vocabulary
Introductions
» Steve Hunt
What is cloud computing?
» Matt Chew Spence
How can NASA benefit from cloud computing?
» Matt Chew Spence
How is NASA implementing cloud computing?
» Matt Linton
How does NASA secure cloud computing?
» Matt Linton
Q&A
» Presentation Team
Extended Presentation
FISMA & Clouds
» Matt Chew Spence
» Steve Hunt
Assessment, Authorization, & FedRAMP
» Steve Hunt
What is Cloud Computing?
Conventional Computing vs. Cloud Computing
Conventional                         Cloud
Manually provisioned                 Self-provisioned
Dedicated hardware                   Shared hardware
Fixed capacity                       Elastic capacity
Pay for capacity                     Pay for use
Capital & operational expenses       Operational expenses
Managed via sysadmins                Managed via APIs
What is Cloud Computing?
On-Demand Self-Service:
Completely automated
Users abstracted from the implementation
Near real-time delivery (seconds or minutes)
Services accessed through a self-serve
web interface
What is Cloud Computing?
Metered by Use:
Services are metered, like a utility
Users pay only for services used
Services can be cancelled at any time
What is Cloud Computing?
SaaS
PaaS
IaaS
Products and companies shown for illustrative purposes only and should not
be construed as an endorsement
What is Cloud Computing?
Improved security
“Unlimited” capacity
How can NASA benefit from cloud computing?
Mission Objectives: Explore, Understand, and Share
Enabled by high-end compute, vast storage, and high-speed networking as a shared resource
How can NASA benefit from cloud computing?
Target compute platform: high-end compute, vast storage, high-speed networking
Excellent example of how OCIO-sponsored innovation can be rapidly transformed into services that address Agency mission needs
How can NASA benefit from cloud computing?
Operational Enhancements:
» Strict standardization of hardware and infrastructure software
components
» Small numbers of system administrators due to the cookie-
cutter design of cloud components and support processes
» Failure of any single component within the Nebula cloud will not
become reason for alarm
» Application operations will realize similar efficiencies once
application developers learn how to properly deploy applications
so that they are not reliant on any particular cloud component.
Agenda
OBJECTIVE: Overview of how NASA is implementing cloud computing
How is NASA implementing cloud computing?
Nebula Principles
Open and Public APIs, everywhere
Open-source platform, apps, and data
Full transparency
» Open source code and documentation
releases
Reference platform
» Cloud model for Federal Government
How is NASA implementing cloud computing?
Products and companies named for illustrative purposes only and should not be
construed as an endorsement
How is NASA implementing cloud computing?
Architecture Drivers
Reliability
Availability
Cost
IT Security
How is NASA implementing cloud computing?
Shared Nothing
Messaging Queue
State Discovery
Standard Protocols
Automated
• IPMI
• PXEBoot
• Puppet
How is NASA implementing cloud computing?
Cloud Node
» Nova Cloud on a PXE-booted Ubuntu OS, configured by Puppet
» LDAP, data store, Redis KVS, RabbitMQ
How is NASA implementing cloud computing?
Compute Node
» Nova Compute on a PXE-booted Ubuntu OS, configured by Puppet
» KVM guests managed through LibVirt
» Brctl bridges carrying 802.1(q) project VLANs to the running instances
How is NASA implementing cloud computing?
Volume Node
» Nova Volume on a PXE-booted Ubuntu OS, configured by Puppet
» LVM volumes exported over AoE
How is NASA implementing cloud computing?
Object Node
» Nova Object on a PXE-booted Ubuntu OS, configured by Puppet
» Nginx
How is NASA implementing cloud computing?
Network Node
» Nova Network on a PXE-booted Ubuntu OS, configured by Puppet
» Brctl bridges carrying 802.1(q) project VLANs
» IPTables between the project VLANs and the public Internet
How is NASA implementing cloud computing?
Agenda
OBJECTIVE: Overview of technical security mechanisms built into Nebula
Networking
RFC1918 address space internal to Nebula
» NAT is used for those hosts within Nebula
needing visibility outside a cluster
Three core types of networks within Nebula:
» Customer
• Customer VLANs are isolated from each
other
» DMZ
• Services available to all of Nebula, such as NTP, DNS, etc.
» Administrative
How does NASA secure cloud computing?
Security Groups
Combination of VLANs and Subnetting
Can be extended to use physical
network/node separation as well (future)
How does NASA secure cloud computing?
Figure: Nebula security architecture. Project A (10.1.1/24) and Project B (10.1.2/24) sit in RFC1918 space behind the cluster boundary, separate from public IP space; DMZ services (LAN_X); external scanner; operations console; security scanners (Nessus, Hydra, etc., plus custom); log aggregation, SOC tap, and event correlation engine.
How does NASA secure cloud computing?
Firewalls
Multiple levels of firewalling
» Hardware firewall at site border
» Firewall on cluster network head-ends
» Host-based firewalls on key hosts
» Project-based rule sets modeled on Amazon
security groups
How does NASA secure cloud computing?
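The isolation the networking, security group and firewall slides describe, written out as an added example (this is not Nebula or Nova code): it assumes one 802.1q VLAN and one RFC1918 subnet per project, a constructed DMZ subnet for the shared DNS and NTP services, a trunk interface named eth1, and SG_<project> as the chain naming. Amazon-style allow-only ingress rules are compiled into per-project iptables chains for the network node, the VLAN and bridge setup for a node is emitted with ip/brctl, and a reference evaluator lets the intended isolation (Project B reaches Project A only where A's rules say so, and nothing reaches B) be checked before the rules are loaded.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical model of Nebula-style project isolation: one 802.1q VLAN and one
# RFC1918 subnet per project, ingress default-deny, Amazon-style allow-only rules.

@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    port: int       # destination port
    src: str        # source CIDR, or "group:<project>" to admit another project's subnet

@dataclass
class Project:
    name: str
    vlan: int       # 802.1q tag on the compute/network node bridges
    cidr: str       # RFC1918 subnet on that VLAN
    rules: list = field(default_factory=list)   # ingress allow-list; empty = fully isolated

# Constructed DMZ: shared services (DNS, NTP) every project may reach. Assumed values.
DMZ_CIDR = "10.0.0.0/24"
DMZ_SERVICES = {("udp", 53), ("tcp", 53), ("udp", 123)}

def _src_cidrs(rule, projects):
    """Expand 'group:<name>' into that project's subnet; plain CIDRs pass through."""
    if rule.src.startswith("group:"):
        wanted = rule.src.split(":", 1)[1]
        return [p.cidr for p in projects if p.name == wanted]
    return [rule.src]

def allowed(projects, src_ip, dst_ip, proto, port):
    """Reference evaluator for a new inbound connection under the compiled policy.
    True only if a DMZ service or an explicit project rule admits it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst in ipaddress.ip_network(DMZ_CIDR):
        return (proto, port) in DMZ_SERVICES
    for p in projects:
        if dst in ipaddress.ip_network(p.cidr):
            return any(
                r.proto == proto and r.port == port
                and any(src in ipaddress.ip_network(c) for c in _src_cidrs(r, projects))
                for r in p.rules)          # no matching rule: default deny
    return False                           # destination in no project: default deny

def compile_iptables(projects):
    """Emit the FORWARD-chain commands a network node would load: default-DROP
    policy, DMZ allows, then one SG_<project> chain per project ending in DROP."""
    out = ["iptables -P FORWARD DROP",
           "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for proto, port in sorted(DMZ_SERVICES):
        out.append(f"iptables -A FORWARD -d {DMZ_CIDR} -p {proto} --dport {port} -j ACCEPT")
    for p in projects:
        chain = f"SG_{p.name}"
        out.append(f"iptables -N {chain}")
        out.append(f"iptables -A FORWARD -d {p.cidr} -j {chain}")
        for r in p.rules:
            for c in _src_cidrs(r, projects):
                out.append(f"iptables -A {chain} -s {c} -p {r.proto} --dport {r.port} -j ACCEPT")
        out.append(f"iptables -A {chain} -j DROP")   # explicit per-project default deny
    return out

def compile_bridges(projects, trunk="eth1"):
    """Per-project 802.1q sub-interface and bridge on a compute or network node
    (brctl/ip as on the node slides; the trunk interface name is an assumption)."""
    out = []
    for p in projects:
        sub, br = f"{trunk}.{p.vlan}", f"br{p.vlan}"
        out += [f"ip link add link {trunk} name {sub} type vlan id {p.vlan}",
                f"brctl addbr {br}", f"brctl addif {br} {sub}",
                f"ip link set {sub} up", f"ip link set {br} up"]
    return out

def _first_host(project):
    return str(next(ipaddress.ip_network(project.cidr).hosts()))

def isolation_matrix(projects, proto="tcp", port=22):
    """Which projects can open <proto>/<port> to which: a quick cross-project audit."""
    return {(a.name, b.name): allowed(projects, _first_host(a), _first_host(b), proto, port)
            for a in projects for b in projects if a is not b}

# Constructed sample: Project A serves HTTP to the world and SSH only to Project B;
# Project B publishes nothing.
PROJECTS = [
    Project("A", 101, "10.1.1.0/24", [Rule("tcp", 80, "0.0.0.0/0"), Rule("tcp", 22, "group:B")]),
    Project("B", 102, "10.1.2.0/24"),
]

if __name__ == "__main__":
    print("\n".join(compile_bridges(PROJECTS) + compile_iptables(PROJECTS)))
    print(isolation_matrix(PROJECTS))
```

The evaluator and the compiled chains embody the same policy, so any packet the evaluator rejects should also be dropped by the loaded rules; isolation_matrix is the quick audit to run after a project's rules change. Note that the ESTABLISHED,RELATED accept means replies bypass the per-project chains, which is intended: only new inbound connections are subject to a project's allow-list.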
Intrusion Detection
OSSEC on key infrastructure hosts
» Open source Host-based Intrusion Detection
Mirror port to NASA SOC tap
Building 10Gb/sec IDS/IPS/Forensics device
with vendor partners
How does NASA secure cloud computing?
Configuration Management
Puppet used to automatically push out
configuration changes to infrastructure
Automatic reversion of unauthorized changes to
system
How does NASA secure cloud computing?
Vulnerability Scanning
Nebula uses both internal and external
vulnerability scanners
Correlate findings between internal and
external scans
How does NASA secure cloud computing?
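Correlating the two scan views, as an added example rather than Nebula's scanning tooling: the NAT table, the findings and their plugin names, and the severity weights are constructed for illustration. External scanners see public addresses, so each external finding is mapped back to its RFC1918 host through the NAT table before joining on (host, port, plugin); findings seen from both sides are confirmed reachable from the Internet, findings seen only externally point at a stale NAT mapping or a host outside the internal scan's scope, and internal-only findings still matter for attacks from a neighbouring project.

```python
from collections import namedtuple

# One normalized finding from either scanner. Constructed plugin names, not real Nessus IDs.
Finding = namedtuple("Finding", "host port plugin severity")
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
EXPOSURE_BONUS = 2     # weight added when the Internet-facing scanner can see the service

# Constructed NAT table (public address -> RFC1918 host), as kept on the network node.
NAT = {"192.0.2.10": "10.1.1.5", "192.0.2.11": "10.1.2.7"}

def normalize(finding, nat):
    """Map an externally observed public address back to the internal host so both
    scan sets share the (host, port, plugin) key; internal findings pass through."""
    return finding._replace(host=nat.get(finding.host, finding.host))

def correlate(internal, external, nat):
    """Join the two scan views into three buckets:
    exposed       - seen by both (confirmed reachable from outside)
    external_only - seen only from outside: NAT map error or internal coverage gap
    internal_only - seen only inside: still relevant for cross-project attacks"""
    ext = {(f.host, f.port, f.plugin): f for f in (normalize(f, nat) for f in external)}
    intl = {(f.host, f.port, f.plugin): f for f in internal}
    return {
        "exposed": [intl[k] for k in intl if k in ext],
        "external_only": [ext[k] for k in ext if k not in intl],
        "internal_only": [intl[k] for k in intl if k not in ext],
    }

def score(bucket, finding):
    """Severity plus an exposure bonus for anything the outside scanner can reach."""
    bonus = EXPOSURE_BONUS if bucket in ("exposed", "external_only") else 0
    return SEVERITY_RANK[finding.severity] + bonus

def prioritize(result):
    """Work queue ordered by score; ties fall back to host and port for a stable order."""
    items = [(bucket, f) for bucket in ("exposed", "external_only", "internal_only")
             for f in result[bucket]]
    items.sort(key=lambda bf: (-score(*bf), bf[1].host, bf[1].port))
    return items

# Constructed sample scan output (internal scanner sees RFC1918 hosts, external sees public IPs).
INTERNAL = [
    Finding("10.1.1.5", 22, "ssh-weak-ciphers", "medium"),
    Finding("10.1.1.5", 80, "http-outdated-server", "high"),
    Finding("10.1.2.7", 3306, "mysql-no-auth", "critical"),
    Finding("10.1.3.9", 445, "smb-signing-disabled", "medium"),
]
EXTERNAL = [
    Finding("192.0.2.10", 80, "http-outdated-server", "high"),
    Finding("192.0.2.11", 8443, "tls-expired-cert", "low"),
]

if __name__ == "__main__":
    for bucket, f in prioritize(correlate(INTERNAL, EXTERNAL, NAT)):
        print(f"{score(bucket, f)}  {bucket:14} {f.host}:{f.port} {f.plugin} ({f.severity})")
```

In the sample, the externally visible HTTP finding outranks the internal-only critical MySQL finding only because of the exposure bonus; the low-severity TLS finding on 10.1.2.7:8443 is the interesting one, since the internal scanner never reported that port, which means either the NAT map is stale or the host sits outside the internal scan scope, and either must be fixed before the two views can be trusted.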
Incident Response
Procedures for isolating individual VMs,
compute nodes, and clusters, including:
» Taking a snapshot of suspect VMs, including a
memory dump
» Quarantining a VM within a compute node
» Disabling VM images so new instances
can’t be launched
» Quarantining a compute node within a
cluster
» Quarantining a cluster
How does NASA secure cloud computing?
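The VM-level steps of that procedure, as an added example and not Nebula's incident response code: it assumes libvirt's virsh on the compute node, that the VM's tap interface on the project bridge is known, and that ebtables is available for the per-interface drop; disabling the image is a cloud-controller action, so it is taken as a hypothetical callback. Every command goes through an executor object, so the sequence can be rehearsed with DryRunExecutor and the evidence-before-isolation ordering checked before ShellExecutor runs it for real.

```python
import subprocess
import time

# Added example of the VM-level incident response steps on a KVM/libvirt compute
# node. Assumptions: virsh is available, the guest's tap interface on the project
# bridge is known, and ebtables is installed for the per-interface drop.

class DryRunExecutor:
    """Records each command's argv instead of running it (for rehearsal and tests)."""
    def __init__(self):
        self.log = []
    def run(self, argv):
        self.log.append(list(argv))
        return 0

class ShellExecutor:
    """Runs each step for real (as root on the compute node), failing fast on error."""
    def run(self, argv):
        return subprocess.run(argv, check=True).returncode

EVIDENCE_STEPS = ("memory_dump", "memory_hash", "disk_snapshot")
ISOLATION_STEPS = ("isolate_in", "isolate_out", "suspend")

def quarantine_vm(domain, tap_if, evidence_dir, executor, disable_image=None, now=None):
    """Capture volatile evidence first, then cut the VM off, then pause it.
    domain: libvirt domain name; tap_if: the guest's vnet/tap interface on the bridge.
    Returns the ordered (step, argv) list that was issued."""
    ts = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    mem = f"{evidence_dir}/{domain}-{ts}.mem"
    plan = [
        # 1. Guest memory image. Without --live, libvirt pauses the guest for the
        #    dump, so the image is consistent; --memory-only writes an ELF core.
        ("memory_dump", ["virsh", "dump", domain, mem, "--memory-only"]),
        ("memory_hash", ["sha256sum", mem]),            # chain-of-custody hash
        # 2. Disk state preserved as a libvirt snapshot.
        ("disk_snapshot", ["virsh", "snapshot-create-as", domain, f"ir-{ts}"]),
        # 3. Quarantine within the compute node: drop the guest's frames at the
        #    bridge in both directions; other VMs on the project VLAN are unaffected.
        ("isolate_in", ["ebtables", "-I", "FORWARD", "-i", tap_if, "-j", "DROP"]),
        ("isolate_out", ["ebtables", "-I", "FORWARD", "-o", tap_if, "-j", "DROP"]),
        # 4. Pause the guest so nothing inside it can react to the isolation.
        ("suspend", ["virsh", "suspend", domain]),
    ]
    done = []
    for step, argv in plan:
        executor.run(argv)
        done.append((step, argv))
    # 5. Stop new instances of the same image. That is a cloud-controller action,
    #    so the caller passes it in (hypothetical hook, not a Nova API).
    if disable_image is not None:
        disable_image()
        done.append(("disable_image", []))
    return done

def evidence_before_isolation(steps):
    """Check a recorded run: every evidence step must precede every isolation step,
    otherwise the memory image shows the responder's changes, not the intruder's."""
    names = [s for s, _ in steps]
    last_evidence = max(names.index(s) for s in EVIDENCE_STEPS if s in names)
    first_isolation = min(names.index(s) for s in ISOLATION_STEPS if s in names)
    return last_evidence < first_isolation

if __name__ == "__main__":
    rehearsal = DryRunExecutor()
    for step, argv in quarantine_vm("instance-00000042", "vnet3", "/var/evidence", rehearsal):
        print(f"{step:14} {' '.join(argv)}")
```

The ordering is the security-relevant part: the memory dump is taken before the bridge rules change, because the dump is what preserves the intruder's live sockets and injected code, and the ebtables drop is applied on the guest's own interface rather than on the project VLAN so that one project's other instances keep running. Quarantining a whole compute node or cluster is the same idea applied one layer up, at the cluster head-end firewall instead of the bridge.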
Q&A
Extended Presentation
Agenda
OBJECTIVE: Overview of Nebula C&A with Lessons Learned
FISMA & Clouds
FISMA Overview
Federal Information Security Management Act
– Requires all Gov’t computers to be under a security plan
– Mandates following NIST security guidance
– Required controls depend on FIPS-199 sensitivity level
– Requires periodic assessments of security controls
– Extremely documentation heavy
– Assumes one organization has responsibility for the majority of identified security controls
FISMA is burdensome to cloud customers
– Customers want to outsource IT security to the cloud provider
FISMA & Clouds
Customer FISMA responsibilities increase as customers have more control over security measures.
Cloud customer security responsibility by service model, from least to most:
» SaaS: identifying data types, ensuring data is appropriate to the system, user/account management, personnel controls
» PaaS: the above plus software licenses, developer testing, application configuration management, software development lifecycle
» IaaS: the above plus OS configuration management, anti-malware, software install controls, OS-specific controls, etc.
FISMA & Clouds
At inception little guidance existed on cloud computing control responsibilities & security
plan coverage
Agenda
OBJECTIVE: Overview of how Nebula concepts may integrate with FedRAMP
FedRAMP
Federal Agencies, today:
– Duplicative risk management efforts
– Incompatible agency policies
– Acquisition slowed by lengthy compliance processes
Federal Agencies, with FedRAMP:
– Rapid acquisition through consolidated risk management
Cloud Service Providers (CSP), with FedRAMP:
– Consistent application of Federal security requirements
FedRAMP
Authorization workflow:
» Agency X releases an RFP for a new IT system and awards the contract to a cloud service provider (CSP)
» Agency X submits a request to the FedRAMP office for the CSP to be FedRAMP authorized to operate
» The CSP has an independent assessment of its security controls and develops the appropriate reports for submission to the FedRAMP office
» The FedRAMP office reviews and assembles the final authorization package for the JAB
» The JAB reviews the final certification package and authorizes the CSP to operate
» The FedRAMP office adds the CSP to the FedRAMP authorized system inventory, to be reviewed and leveraged by all Federal agencies
» The FedRAMP office provides continuous monitoring of the CSP
FedRAMP
Potential Solution