Cloud Computing Architecture, IT Security, & Operational Perspectives

Cloud ComputingArchitecture, IT Security, & Operational Perspectives Steven R. Hunt ARC IT Governance Manager Ames Research Center Matt Linton IT Security Specialist Ames Research Center Matt Chew Spence IT Security Compliance Consultant Dell Services Federal Government Ames Research Center August 17, 2010

Agenda • Introductions • Steve Hunt • What is cloud computing? • Matt Chew Spence • How can NASA benefit from cloud computing? • Matt Chew Spence • How is NASA implementing cloud computing? • Matt Linton • How does NASA secure cloud computing? • Matt Linton • Q&A • Presentation Team • Extended Presentation • FISMA & Clouds • Matt Chew Spence • Steve Hunt • Assessment, Authorization, & FedRAMP • Steve Hunt

OBJECTIVE: Overview of cloud computing and share vocabulary Agenda • Introductions • Steve Hunt • What is cloud computing? • Matt Chew Spence • How can NASA benefit from cloud computing? • Matt Chew Spence • How is NASA implementing cloud computing? • Matt Linton • How does NASA secure cloud computing? • Matt Linton • Q&A • Presentation Team • Extended Presentation • FISMA & Clouds • Matt Chew Spence • Steve Hunt • Assessment, Authorization, & FedRAMP • Steve Hunt

What is Cloud Computing? Cloud Computing – NIST Definition: “A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”

What is Cloud Computing? Conventional Computing vs. Cloud Computing Conventional Cloud Self-provisioned Shared Hardware Elastic Capacity Pay for Use Operational Expenses Managed via APIs • Manually Provisioned • Dedicated Hardware • Fixed Capacity • Pay for Capacity • Capital & Operational Expenses • Managed via Sysadmins

What is Cloud Computing? Five Key Cloud Attributes: • Shared / pooled resources • Broad network access • On-demand self-service • Scalable and elastic • Metered by use

What is Cloud Computing? Shared / Pooled Resources: • Resources are drawn from a common pool • Common resources build economies of scale • Common infrastructure runs at high efficiency

What is Cloud Computing? Broad Network Access: • Open standards and APIs • Almost always IP, HTTP, and REST • Available from anywhere with an internet connection

What is Cloud Computing? On-Demand Self-Service: • Completely automated • Users abstracted from the implementation • Near real-time delivery (seconds or minutes) • Services accessed through a self-serve web interface

What is Cloud Computing? Scalable and Elastic: • Resources dynamically-allocated between users • Additional resources dynamically-released when needed • Fully automated

What is Cloud Computing? Metered by Use: • Services are metered, like a utility • Users pay only for services used • Services can be cancelled at any time

What is Cloud Computing? Three Service Delivery Models • IaaS: Infrastructure as a Service • Consumer can provision computing resources within provider's infrastructure upon which they can deploy and run arbitrary software, including OS and applications • PaaS: Platform as Service • Consumer can create custom applications using programming tools supported by the provider and deploy them onto the provider's cloud infrastructure • SaaS: Software as Service • Consumer uses provider’s applications running on provider's cloud infrastructure

What is Cloud Computing? Service Delivery Model Examples Amazon Google Salesforce Microsoft SaaS PaaS IaaS Products and companies shown for illustrative purposes only and should not be construed as an endorsement

What is Cloud Computing? Cloud efficiencies and improvements $ • Burst capacity (over-provisioning) • Short-duration projects • Cancelled or failed missions • Cost efficiencies • Time efficiencies • Power efficiencies • Improved process control • Improved security • “Unlimited” capacity • Procurement • Network connectivity • Standardized, updated base images • Centrally auditable log servers • Centralized authentication systems • Improved forensics (w/ drive image)

OBJECTIVE: Discuss requirements, use cases, and ROI Agenda • Introductions • Steve Hunt • What is cloud computing? • Matt Chew Spence • How can NASA benefit from cloud computing? • Matt Chew Spence • How is NASA implementing cloud computing? • Matt Linton • How does NASA secure cloud computing? • Matt Linton • Q&A • Presentation Team • Extended Presentation • FISMA & Clouds • Matt Chew Spence • Steve Hunt • Assessment, Authorization, & FedRAMP • Steve Hunt

How can NASA benefit from cloud computing? Current IT options for Scientists Current Options* Requirements* * Requirements and Options documented in over 30+ interviews with Ames scientists as part 2009 NASA Workstation project.

How can NASA benefit from cloud computing? Scientists direct access to Nebula cloud computing Mission Objectives Explore, Understand, and Share MISSION Aeronautics Exploration Science Space Ops Mission Support USE CASES Process Large Data Sets Run Compute Intensive Workloads Scale-out for one-time events Require infrastructure on-demand Store mission & science data Share information with the public OCIO INNOVATION High Compute Vast Storage High Speed Networking Shared Resource

How can NASA benefit from cloud computing? Offer scientists services to address the gap Desktop TARGET COMPUTE PLATFORM Server-based compute resources Excellent example of how OCIO-sponsored innovation can be rapidly transformed into services that address Agency mission needs High-end Compute Vast Storage High Speed Networking Super Computer

How can NASA benefit from cloud computing? ROI and ARC Case Study • POWER: Computers typically require 70% of their total power requirements to run at just 15% utilization. *15% utilization based on two reports from Gartner Group, Cost of Traditional Data Centers (2009), and Data Center Efficiency (2010).

How can NASA benefit from cloud computing? ROI and ARC Case Study • Operational Enhancements: • Strict standardization of hardware and infrastructure software components • Small numbers of system administrators due to the cookie-cutter design of cloud components and support processes • Failure of any single component within the Nebula cloud will not become reason for alarm • Application operations will realize similar efficiencies once application developers learn how to properly deploy applications so that they are not reliant on any particular cloud component.

OBJECTIVE: Overview of how NASA is implementing cloud computing Agenda • Introductions • Steve Hunt • What is cloud computing? • Matt Chew Spence • How can NASA benefit from cloud computing? • Matt Chew Spence • How is NASA implementing cloud computing? • Matt Linton • How does NASA secure cloud computing? • Matt Linton • Q&A • Presentation Team • Extended Presentation • FISMA & Clouds • Matt Chew Spence • Steve Hunt • Assessment, Authorization, & FedRAMP • Steve Hunt

How is NASA implementing cloud computing?

How is NASA implementing cloud computing? Nebula Principles • Open and Public APIs, everywhere • Open-source platform, apps, and data • Full transparency • Open source code and documentation releases • Reference platform • Cloud model for Federal Government

How is NASA implementing cloud computing? Nebula User Experience Nebula IaaS user will have an experience similar to Amazon EC2: • Dedicated private VLAN for instances • Dedicated VPN for access to private VLAN • Public IPs to assign to instances • Launch VM instances • Dashboard for instance control and API access • Able to import/export bundled instances to AWS and other clouds Products and companies named for illustrative purposes only and should not be construed as an endorsement

How is NASA implementing cloud computing? Architecture Drivers • Reliability • Availability • Cost • IT Security

Shared Nothing How is NASA implementing cloud computing? • Messaging Queue • State Discovery • Standard Protocols Automated • IPMI • PXEBoot • Puppet

How is NASA implementing cloud computing? Nebula Infrastructure Components • Cloud Node • Network Node • Compute Node • Volume Node • Object Node • Monitoring / Metering / Logging / Scanning

Cloud Node How is NASA implementing cloud computing? LDAP Data Store Nova Cloud Node Redis KVS Puppet Ubuntu OS RabbitMQ PXE

Compute Node How is NASA implementing cloud computing? Project VLAN Running Instance Nova Compute Node LibVirt Brctl Puppet Ubuntu OS KVM 802.1(q) PXE

Volume Node How is NASA implementing cloud computing? Exported Volume Nova Volume Node AoE Puppet Ubuntu OS LVM PXE

Object Node How is NASA implementing cloud computing? Nova Object Node Nginx Puppet Ubuntu OS PXE

Network Node How is NASA implementing cloud computing? Project VLAN Public Internet Nova Network Node Brctl IPTables Puppet Ubuntu OS 802.1(q) PXE

Pilot Lessons Learned- Automate Everything How is NASA implementing cloud computing? • No SysAdmin is perfect • 99% is not good enough • NEVER make direct system changes • When in doubt - PXEBoot

Pilot Lessons Learned - Test Everything How is NASA implementing cloud computing? • KVM + Jumbo Frames • Grinder • Unit Tests / Cyclometric Complexity • TransactionID Insertion (Universal Proxy)

Pilot Lessons Learned - Monitor Everything How is NASA implementing cloud computing? • Ganglia • Munin • Syslog-NG + PHPSyslog-NG • Nagios • Custom Log Parsing (Instance-centric)

OBJECTIVE: Overview of technical security mechanisms built into Nebula Agenda • Introductions • Steve Hunt • What is cloud computing? • Matt Chew Spence • How can NASA benefit from cloud computing? • Matt Chew Spence • How is NASA implementing cloud computing? • Matt Linton • How does NASA secure cloud computing? • Matt Linton • Q&A • Presentation Team • Extended Presentation • FISMA & Clouds • Matt Chew Spence • Steve Hunt • Assessment, Authorization, & FedRAMP • Steve Hunt

OBJECTIVE: Overview of technical security mechanisms built into Nebula • Technical Security Overview • Issues with Commercial Cloud Providers • Overview of Current Security Mechanisms • Innovations

How does NASA secure cloud computing? Commercial Cloud Provider Security Concerns • IT Security not brought into decision of how & when NASA orgs use clouds • IT Security may not know NASA orgs are using clouds until an incident has occurred • Without insight into monitoring/IDS/logs, NASA may not find out that an incident has occurred • No assurances of sufficient cloud infrastructure access to perform proper forensics/investigations • These issues are less likely with a private cloud like Nebula

How does NASA secure cloud computing? IT Security is built into Nebula • User Isolation from Nebula Infrastructure • Users only have access to APIs and Dashboards • No user direct access to Nebula infrastructure • Project-based separation • A project is a set of compute resources accessible by one or more users • Each project has separate: • VLAN for project instances • VPN for project users to launch, terminate, and access instances • Image library of instances

How does NASA secure cloud computing? Networking • RFC1918 address space internal to Nebula • NAT is used for those hosts within Nebula needing visibility outside a cluster • Three core types of networks within Nebula: • Customer • Customer VLANs are isolated from each other • DMZ • Services available to all Nebula such as NTP, DNS, etc • Administrative

How does NASA secure cloud computing? Security Groups • Combination of VLANs and Subnetting • Can be extended to use physical network/node separation as well (future)

How does NASA secure cloud computing? Project A (10.1.1/24) RFC1918 Space (LAN_X) Public IP Space DMZ Services I N T E R N E T External Scanner C L O U D A P I S S M R Operations Console (custom) B R I D G E Security Scanners (Nessus, Hydra, etc) Log Aggregation, SOC Tap Event Correlation Engine Project B (10.1.2/24)

How does NASA secure cloud computing? Firewalls • Multiple levels of firewalling • Hardware firewall at site border • Firewall on cluster network head-ends • Host-based firewalls on key hosts • Project based rule sets based on Amazon security groups

How does NASA secure cloud computing? Remote User Access • Remote access is only through VPN (openVPN) • Separate administrative VPN and user VPNs • Each project has own VPN server

How does NASA secure cloud computing? Intrusion Detection • OSSEC on key infrastructure hosts • Open source Host-based Intrusion Detection • Mirror port to NASA SOC tap • Building 10Gb/sec IDS/IPS/Forensics device with vendor partners

How does NASA secure cloud computing? Configuration Management • Puppet used to automatically push out configuration changes to infrastructure • Automatic reversion of unauthorized changes to system

How does NASA secure cloud computing? Vulnerability Scanning • Nebula uses both internal and external vulnerability scanners • Correlate findings between internal and external scans

How does NASA secure cloud computing? Incident Response • Procedures for isolating individual VMs, compute nodes, and clusters, including: • Taking snapshot of suspect VMs, including memory dump • Quarantining a VM within a compute node • Disabling VM images so new instances can’t be launched • Quarantining a compute node within a cluster • Quarantining a cluster

Cloud Computing Architecture, IT Security, & Operational Perspectives