Building YOURcloud: The Federal Government's first Secure Hybrid Community Cloud


Building YOURcloud: The Federal Government's first Secure Hybrid Community Cloud. Anil Karmel, Deputy Chief Technology Officer, National Nuclear Security Administration. A Partnership between the Office of the Chief Information Officer and the National Nuclear Security Administration. 1

RightPath focuses on People, Processes, and Technology to deliver Virtual Servers and Desktops hosted in your Secure Hybrid Community Cloud, powered by Immersive Collaboration and Social Networking tools. 2

Sites: LLNL, HQ/SC, KS, NNSS, Sandia, LANL, Pantex, Y-12, SRS. 3


Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources. 5

Cloud Computing: Organizations are faced with large existing technology investments and dwindling budgets. US data centers consume between 1.7-2.2% of the energy budget. 6

DOE IaaS Business Use Cases: rapid deployment of servers to scientists; security controls based on data sensitivity; calculating energy savings; disaster recovery; capital expenditure reduction. 7

DOE SaaS Business Use Cases: social computing; web conferencing; instant messaging; enterprise mobility. 8

A Cloud of Clouds approach: brokering any organization, through any device, to any service, respectful of site autonomy; powered by the innovation of the National Labs. Diagram labels: DOE Cloud, On-Premise Cloud, NNSA Cloud, Other Gov't Agency Cloud, Public Cloud; INSIGHT (Green & Business IT, Smart Meters, PortfolioStat, Enterprise Architecture, Data Center Consolidation); Services Broker (* powered by / developed by LANL); FEATURES (Virtual Desktops & Servers, Enterprise Application Store, Enterprise Certification & Accreditation); users: DOE Federal Users, General Public Users, Laboratory & Plant Users, Other Gov't Agency Users, Support Contractors. 9

Services Broker (* powered by / developed by LANL): Enclaves. Diagram labels: Organization: IM-60 Enclave; SITES: On Premise Cloud, DOE Cloud, Public Cloud; CFO, Shared Services, Open Science, Public Websites; Hypervisor, Network, VDI, Compute, Remediation, Storage. 10

Services Broker (* powered by / developed by LANL): Modules. 11

Secure Hybrid Community Cloud: LANL's Infrastructure on Demand is the first Infrastructure-as-a-Service secure hybrid cloud to automatically request and provision virtual servers. Value Added Features: GreenIT Smart Meter, Dynamic Cost Calculator, LifeCycle Management, Chargeback / Showback. Requestor Responsibility: Enclave Security Plan, System Administration, maintenance of operating system and applications. Awards: SANS National Cybersecurity Innovators Award: Cloud Security; InformationWeek 500 Top IT Government Innovators. 12

Secure Hybrid Cloud 13

Security Journey: TRADITIONAL SECURITY versus VIRTUALIZED SECURITY.
Complex (multiple provisioning interfaces; overlapping admin roles; multiple point solutions) becomes Simple (single interface for provisioning; separation of duties; firewall policy reduction; virtual security appliances).
Rigid (agents in each VM, AV storms; no granular segmentation; policies tied to servers) becomes Adaptive (agentless; adaptive trust zones, compromised apps quarantined; virtualization-aware firewall).
Labor-intensive Compliance (not change-aware, data leaks; manual assessment; manual remediation) becomes Automatic Compliance (discover sensitive data; continuous assessment; automated remediation, programmable). 14

Physical Security Architecture. Diagram labels: Internet; Load Balancer; Load Balancer; Unclassified A; Unclassified B; Service A, Service B, Service C, Service D, Service E. 15

Cloud Security: Protect the VDI Clients 16

Cloud Security: Quarantine the Compromised Virtual Machines 17

Secure Hybrid Cloud Computing. Diagram labels: Service A VDC, Service B VDC, Service B VDC; Secure VPN between On Premise Private Cloud and Commercial Cloud Service Provider. 18

Cross Cloud Management Makes Hybrid Cloud Real: visualize resources across hybrid clouds; copy and operate resources across clouds; deliver enterprise-level security. Diagram labels: Hybrid Cloud; Private Clouds; Federation & Choice; Public Clouds. 19

Elastic Compute: Elastic VDC, vShield Edge, Elastic VDC. Benefits: cross-cluster mobility within or across datacenters; on-demand networks without physical network configuration. 20

LANL IoD Elastic Compute. Diagram labels: 192.168.10.1 (On Premise Private Cloud) and 192.168.10.1 (Commercial Cloud Service Provider), connected over VXLAN. 21


Organization Registration. Organization registration is a critical function of the service broker because it identifies the organization's top-level contacts and ensures that unnecessary organization overlap is not occurring. The organization's top-level contacts are granted certain permissions throughout their slice of the cloud infrastructure, and their contact information is used for notification actions that are leveraged by many of the system's workflows. Diagram labels: Organization Users (Technical Contacts, Security Contacts, Billing Contacts); IoD v3 Service Broker; NNSA Private Cloud (Virtualization Subsystem, Shared Service Subsystem, AD / LDAP, Server Subsystem, Storage Subsystem, Network Subsystem); Technical Contacts: selecting providers, creating enclaves, granting permissions, managing configurations, receives notifications; Security Contacts: Org Firewall Control, security functions outside of the system, receives notifications; Billing Contacts: Billing Statement Controls, billing functions outside of the system. 28

Provider Selection. Provider selection is one of the core capabilities of the IoD v3 service broker. The IoD v3 service broker allows an organization to select from multiple public and private cloud providers. As mentioned before, this document will focus on what components are leveraged when the service broker interacts with the NNSA Private Cloud. Below is a visual representation of the virtual overlay that is created when an organization selects the NNSA Private Cloud as a provider. Diagram labels: Organization Users; IoD v3 Service Broker; Org Campus Networks; OneNNSA Network; NNSA Private Cloud (Virtualization Subsystem: vCloud Dir.; Shared Service Subsystem: AD / LDAP; Server Subsystem; Storage Subsystem: NetApp; Network Subsystem: Cisco, F5); Provider Defined IP Space / VLAN; Org Outside Transport (VLAN); Organization Firewall (Cisco ASA Virtual Context); Org Inside Transport (VLAN); Organization Load Balancer Context (F5 Virtual BIG-IP, Local and Global LB); Organization Storage Context (virtual NetApp vserver with Service Level Mounts). 29

Enclave Creation. Enclaves within an organization provide a container for workloads and configurations. Each Enclave is protected by an edge firewall and contains virtual networks and servers. Enclaves also provide configuration control of RBAC, load balancer rules, public IP mappings, and global load balancing rules. A large portion of the Service Broker's functionality is dedicated to simplifying the user experience related to configuring the enclave, so that end-to-end communications for systems hosted in the cloud are achieved without manual intervention. Diagram labels: Organization Users; IoD v3 Service Broker; Org Campus Networks; OneNNSA Network; NNSA Private Cloud (Virtualization Subsystem: vCloud Dir., vShield; Shared Service Subsystem: AD / LDAP; Server Subsystem: Hardware, ESXi; Storage Subsystem; Network Subsystem); Org Inside Transport (VLAN); Org Outside Transport (VLAN); Organization Firewall (Cisco ASA Virtual Context); Organization Load Balancer Context (F5 Virtual BIG-IP, Local and Global LB); Enclave Networks (VLAN / VXLANs); Enclave Networks (VLAN / VXLANs); Organization Storage Context (virtual NetApp vserver with Service Level Mounts). 30

Enclave RBAC. After an Enclave is created, Role Based Access Control (RBAC) is established by assigning permissions to the organization's technical staff. The Technical Contact that creates an Enclave becomes the Enclave Owner. This contact can then grant permissions to administrators and other technical staff that need configuration control for that Enclave. The Security Contact is informed of the actions that the Technical Contact is performing and can take action relating to personnel security. Diagram labels: Organization Users (Technical Contact, Security Contacts, Enclave Administrators); IoD v3 Service Broker; NNSA Private Cloud (Virtualization Subsystem: vCloud Dir., vShield; Shared Service Subsystem: AD / LDAP; Server Subsystem; Storage Subsystem; Network Subsystem); Granting Permissions; Notification. 31

Enclave Management. Once an Enclave has been established and applications are ready to be presented to end users, several configuration steps need to be taken. The Service Broker should simplify these steps but provide control at the organization level. For instance, if an Enclave Admin is ready to present an application to the organization's users, they would need to configure static NAT and load balancer rules. Control is maintained because public NAT and access rules can only be set by the organization's technical and security contacts. Diagram labels: Organization Users (End Users; Technical and Security Contacts; Enclave Administrators); IoD v3 Service Broker; NNSA Private Cloud (Virtualization Subsystem: vShield; Shared Service Subsystem; Server Subsystem; Storage Subsystem; Network Subsystem: Cisco, F5); End User Traffic Flows; Technical and Security Contacts: Public NAT, Org Access Control; Enclave Administrators: Load Balancer Rules, SSL Offload, Static NAT, Access Control, VPN; Applications and Shared Services; Org Campus Networks; OneNNSA Network; Org Outside Transport (VLAN); Org Inside Transport (VLAN); Enclave Networks (VLAN / VXLANs). 32
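The permission split on slides 31 and 32 (the Technical Contact who creates an Enclave becomes its Owner and grants Enclave Administrators their rights; the Security Contact is notified of those actions; enclave-level rules such as static NAT and load balancer rules are set by the enclave's administrators, while public NAT and organization access rules are reserved to the organization's Technical and Security Contacts) can be expressed as a small authorization model. The following is an added example written for this page; it is not code from the IoD v3 service broker or from LANL/NNSA. Every class, function and user name in it is an assumption chosen for illustration, and one design choice is also assumed: a Technical Contact who is neither Owner nor Administrator of an enclave gets no enclave-level rights, which is the least-privilege reading of the slide text.

```python
"""Toy model of the enclave RBAC described on slides 31-32 (added example,
not project code; all names are assumptions for illustration)."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    # Enclave-scoped configuration (Enclave Owner / Enclave Administrators)
    STATIC_NAT = "static_nat"
    LB_RULE = "load_balancer_rule"
    # Organization-scoped configuration (Technical and Security Contacts only)
    PUBLIC_NAT = "public_nat"
    ORG_ACCESS_RULE = "org_access_rule"


ENCLAVE_SCOPED = {Action.STATIC_NAT, Action.LB_RULE}
ORG_SCOPED = {Action.PUBLIC_NAT, Action.ORG_ACCESS_RULE}


class PermissionDenied(Exception):
    """Raised when a user attempts an action outside their role."""


@dataclass
class Organization:
    name: str
    technical_contacts: set[str]
    security_contacts: set[str]
    billing_contacts: set[str] = field(default_factory=set)
    # Messages the Security Contact would receive (slide 31 "Notification")
    notifications: list[str] = field(default_factory=list)

    def notify_security(self, message: str) -> None:
        self.notifications.append(message)


@dataclass
class Enclave:
    name: str
    org: Organization
    owner: str                                  # the Technical Contact who created it
    admins: set[str] = field(default_factory=set)


def create_enclave(org: Organization, name: str, requester: str) -> Enclave:
    """Only a Technical Contact may create an Enclave; the creator becomes Owner."""
    if requester not in org.technical_contacts:
        raise PermissionDenied(f"{requester} is not a Technical Contact of {org.name}")
    enclave = Enclave(name=name, org=org, owner=requester)
    org.notify_security(f"{requester} created enclave {name}")
    return enclave


def grant_admin(enclave: Enclave, granter: str, grantee: str) -> None:
    """The Enclave Owner grants Enclave Administrator rights; security is notified."""
    if granter != enclave.owner:
        raise PermissionDenied(f"{granter} is not the owner of {enclave.name}")
    enclave.admins.add(grantee)
    enclave.org.notify_security(
        f"{granter} granted {grantee} administrator rights on {enclave.name}")


def authorize(enclave: Enclave, user: str, action: Action) -> bool:
    """Decide whether `user` may perform `action` on `enclave`."""
    org = enclave.org
    if action in ORG_SCOPED:
        # Public NAT and org access rules: Technical and Security Contacts only
        return user in org.technical_contacts or user in org.security_contacts
    if action in ENCLAVE_SCOPED:
        # Static NAT and load balancer rules: Owner and Enclave Administrators
        return user == enclave.owner or user in enclave.admins
    return False


def configure(enclave: Enclave, user: str, action: Action, rule: str) -> str:
    """Apply a rule if authorized; returns a record of the change."""
    if not authorize(enclave, user, action):
        raise PermissionDenied(f"{user} may not set {action.value} on {enclave.name}")
    return f"{enclave.name}: {action.value} '{rule}' applied by {user}"


if __name__ == "__main__":
    # Constructed sample organization (not real contacts)
    org = Organization("org-a", technical_contacts={"tech"}, security_contacts={"sec"})
    web = create_enclave(org, "web", "tech")
    grant_admin(web, "tech", "admin1")
    print(configure(web, "admin1", Action.LB_RULE, "vip 10.0.0.10 -> pool web"))
    print(configure(web, "tech", Action.PUBLIC_NAT, "203.0.113.5 -> 10.0.0.10"))
    try:
        configure(web, "admin1", Action.PUBLIC_NAT, "203.0.113.6 -> 10.0.0.11")
    except PermissionDenied as e:
        print("denied:", e)
    print("security notifications:", org.notifications)
```

The useful property to check in such a model is the negative case: an Enclave Administrator can shape traffic inside the enclave but cannot expose it publicly, and the Security Contact sees every ownership and permission change without being able to reconfigure the enclave's internals.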

Business: Dynamic Cost Calculator; Chargeback / Showback; Green and Business IT Smart Meters; Enterprise Application Store. 33

Technical: Unified Management across private, hybrid and public clouds; Broker Concept (cloud computing meets travel agency); Advanced Orchestration (no touch); Comprehensive Management of networks and firewalls, load balancers, DNS, and workload management. 34

Security: Software Defined Security (Network, Storage, Compute); Adaptive Security (VDI, Remediation, Enclave); Interactive Intelligence (Business, Social, Cyber). 35

What's Next? Secure Workload Portability; Automated Cloud Risk Management; Moving Target Security; Network Virtualization; SustainIT. 36

SustainIT Integrated Capabilities: Data Center High-Level View; Data Center Detail View; DC Pro Analysis; Sustainable Portfolio Project Manager; Facility TCO Modeling; Real-time Energy Monitoring and Management. 37

Begin with the end goal in mind (rapid results); focus on real business solutions (low risk); take a lean, agile approach to technology (low cost). 38

Anil Karmel, Deputy Chief Technology Officer, NNSA; RightPath Chief Architect; @AnilKarmel. 39