Building YOURcloud: The Federal Government's first Secure Hybrid Community Cloud
Anil Karmel, Deputy Chief Technology Officer, National Nuclear Security Administration
A partnership between the Office of the Chief Information Officer and the National Nuclear Security Administration

RightPath focuses on People, Processes, and Technology to deliver Virtual Servers and Desktops hosted in your Secure Hybrid Community Cloud, powered by Immersive Collaboration and Social Networking tools.

Sites shown on the map: LLNL, HQ/SC, KS, NNSS, Sandia, LANL, Pantex, Y-12, SRS
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (the NIST definition).

Cloud Computing: Organizations are faced with large existing technology investments and dwindling budgets. US data centers consume between 1.7% and 2.2% of the energy budget.

DOE IaaS Business Use Cases
- Rapid deployment of servers to scientists
- Security controls based on data sensitivity
- Calculating energy savings
- Disaster Recovery
- Capital Expenditure Reduction

DOE SaaS Business Use Cases
- Social Computing
- Web Conferencing
- Instant Messaging
- Enterprise Mobility
A Cloud of Clouds approach: brokering any organization, through any device, to any service, respectful of site autonomy; powered by the innovation of the National Labs.
- Clouds: DOE Cloud, On-Premise Cloud, NNSA Cloud, Other Gov't Agency Cloud, Public Cloud
- Services Broker (developed by LANL)
- Insight: Green & Business IT Smart Meters, PortfolioStat, Enterprise Architecture, Data Center Consolidation
- Features: Virtual Desktops & Servers, Enterprise Application Store, Enterprise Certification & Accreditation
- Users: DOE Federal Users, General Public Users, Laboratory & Plant Users, Other Gov't Agency Users, Support Contractors

Services Broker: Enclaves (diagram labels)
- Organization: IM-60 Enclave
- Sites: On-Premise Cloud, DOE Cloud, Public Cloud
- Enclaves: CFO Shared Services, Open Science, Public Websites
- Layers: Hypervisor, Network, VDI, Compute, Remediation, Storage

Services Broker Modules (diagram)
Secure Hybrid Community Cloud
LANL's Infrastructure on Demand (IoD) is the first Infrastructure-as-a-Service secure hybrid cloud to automatically request and provision virtual servers.
Value Added Features:
- GreenIT Smart Meter
- Dynamic Cost Calculator
- LifeCycle Management
- Chargeback / Showback
Requestor Responsibility:
- Enclave Security Plan
- System Administration
- Maintenance of operating system and applications
Awards:
- SANS National Cybersecurity Innovators Award: Cloud Security
- InformationWeek 500 Top IT Government Innovators

Secure Hybrid Cloud
Security Journey
TRADITIONAL SECURITY
- Complex: multiple provisioning interfaces; overlapping admin roles; multiple point solutions
- Rigid: agents in each VM, AV storms; no granular segmentation; policies tied to servers
- Labor Intensive: compliance not change-aware, data leaks; manual assessment; manual remediation
VIRTUALIZED SECURITY
- Simple: single interface for provisioning; separation of duties; firewall policy reduction; virtual security appliances
- Adaptive: agentless; adaptive trust zones, compromised apps quarantined; virtualization-aware firewall
- Automatic Compliance: discover sensitive data; continuous assessment; automated remediation, programmable
Physical Security Architecture (diagram): Internet; two Load Balancers; Unclassified A and Unclassified B zones; Services A through E

Cloud Security: Protect the VDI Clients

Cloud Security: Quarantine the Compromised Virtual Machines

Secure Hybrid Cloud Computing (diagram): Service A VDC and Service B VDC on the On-Premise Private Cloud, with a Service B VDC also at the Commercial Cloud Service Provider, joined by a Secure VPN

Cross Cloud Management Makes Hybrid Cloud Real
- Visualize resources across hybrid clouds
- Copy and operate resources across clouds
- Deliver enterprise-level security
- Hybrid Cloud: Private Clouds, Federation & Choice, Public Clouds
Elastic Compute: Elastic VDC with vShield Edge
Elastic VDC Benefits:
- Cross-cluster mobility within or across datacenters
- On-demand networks without physical network configuration

LANL IoD Elastic Compute (diagram): a VXLAN overlay spans the On-Premise Private Cloud and the Commercial Cloud Service Provider; the figure shows the same address, 192.168.10.1, on both sides, so a workload keeps its addressing wherever it is placed.
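The overlay behaviour behind that figure is easier to see in bytes. The following is an added example, not LANL's or VMware's code: it builds the RFC 7348 VXLAN header around a constructed inner IPv4 frame, shows that two workloads both addressed 192.168.10.1 are distinct once they sit in different VNIs, and adds the receive-side check a VTEP should enforce, dropping any packet whose VNI is not provisioned for that tenant (VXLAN itself carries no authentication). Function names, the VNIs 5001/5002 and the sample addresses are assumptions for illustration.

```python
"""Added example: VXLAN (RFC 7348) encapsulation, per-VNI segment keys, and a
VTEP allow-list check. Hypothetical code; inner frames are constructed here."""
import ipaddress
import struct

VXLAN_I_FLAG = 0x08       # flags byte: I bit set means the VNI field is valid
VXLAN_HEADER_LEN = 8      # flags(1) reserved(3) VNI(3) reserved(1)
ETH_HEADER_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def encode_vxlan(vni, inner_frame):
    """Prepend an 8-byte VXLAN header carrying a 24-bit VNI to an L2 frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_I_FLAG, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame


def decode_vxlan(packet):
    """Return (vni, inner_frame); reject truncated headers or a cleared I flag."""
    if len(packet) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    if not packet[0] & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set: VNI is not valid")
    vni = int.from_bytes(packet[4:7], "big")
    return vni, packet[VXLAN_HEADER_LEN:]


def make_ipv4_frame(src_ip, dst_ip, payload=b""):
    """Constructed inner frame: Ethernet header (EtherType IPv4) + minimal IPv4 header."""
    eth = bytes.fromhex("020000000001" "020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, 0, 0,   # v4/IHL, TOS, len, id, frag, TTL, proto, csum
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    return eth + ip + payload


def inner_src_ip(frame):
    """Source IPv4 address of the inner frame (offset 14 + 12 into the frame)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("inner frame is not IPv4")
    return str(ipaddress.IPv4Address(frame[ETH_HEADER_LEN + 12:ETH_HEADER_LEN + 16]))


def segment_key(packet):
    """(VNI, inner source IP): the tuple that keeps overlapping tenant address
    spaces apart in the overlay. Same IP in two VNIs gives two different keys."""
    vni, frame = decode_vxlan(packet)
    return vni, inner_src_ip(frame)


def vtep_receive(packet, allowed_vnis):
    """Receive-side policy (assumed): decapsulate only VNIs provisioned for this
    tenant; anything else is dropped (returns None) rather than forwarded."""
    vni, frame = decode_vxlan(packet)
    if vni not in allowed_vnis:
        return None
    return vni, frame


def demo():
    """Two workloads, both 192.168.10.1, one per cloud side, in different VNIs."""
    on_prem = encode_vxlan(5001, make_ipv4_frame("192.168.10.1", "192.168.10.20"))
    commercial = encode_vxlan(5002, make_ipv4_frame("192.168.10.1", "192.168.10.20"))
    return segment_key(on_prem), segment_key(commercial)


if __name__ == "__main__":
    print(demo())   # two distinct keys despite the identical inner address
```

The point of `vtep_receive` is that the isolation shown on the slide is only as good as the VNI filtering at the tunnel endpoints and the edge firewall in front of each enclave; the VXLAN header is plain, unauthenticated data, so the UDP transport between clouds still needs the Secure VPN from the earlier slide.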
Organization Registration
Organization registration is a critical function of the service broker because it identifies the organization's top-level contacts and ensures that unnecessary organization overlap does not occur. The organization's top-level contacts are granted certain permissions throughout their slice of the cloud infrastructure, and their contact information is used for the notification actions that many of the system's workflows rely on.
Diagram: Organization Users; IoD v3 Service Broker; NNSA Private Cloud subsystems (Virtualization, Shared Service with AD / LDAP, Server, Storage, Network)
- Technical Contacts: selecting providers, creating enclaves, granting permissions, managing configurations; receive notifications
- Security Contacts: organization firewall control; security functions outside of the system; receive notifications
- Billing Contacts: billing statement; control billing functions outside of the system

Provider Selection
Provider selection is one of the core capabilities of the IoD v3 service broker, which allows an organization to select from multiple public and private cloud providers. As mentioned before, this document focuses on the components that are used when the service broker interacts with the NNSA Private Cloud. Below is a visual representation of the virtual overlay that is created when an organization selects the NNSA Private Cloud as a provider.
Diagram: Organization Users; IoD v3 Service Broker; Org Campus Networks; OneNNSA Network; NNSA Private Cloud
- Virtualization Subsystem: vCloud Director
- Shared Service Subsystem: AD / LDAP
- Server Subsystem
- Network Subsystem (Cisco, F5): Provider-defined IP space / VLAN; Org Outside Transport (VLAN); Organization Firewall (Cisco ASA virtual context); Org Inside Transport (VLAN); Organization Load Balancer Context (F5 virtual BIG-IP, local and global LB)
- Storage Subsystem (NetApp): Organization Storage Context (virtual NetApp vserver with service-level mounts)
Enclave Creation
Enclaves within an organization provide a container for workloads and configurations. Each Enclave is protected by an edge firewall and contains virtual networks and servers. Enclaves also provide configuration control of RBAC, load balancer rules, public IP mappings, and global load balancing rules. A large portion of the Service Broker's functionality is dedicated to simplifying the user experience of configuring the enclave, so that end-to-end communication for systems hosted in the cloud is achieved without manual intervention.
Diagram: Organization Users; IoD v3 Service Broker; Org Campus Networks; OneNNSA Network; NNSA Private Cloud
- Virtualization Subsystem: vCloud Director, vShield, ESXi hardware
- Shared Service Subsystem: AD / LDAP
- Server Subsystem
- Network Subsystem: Org Outside Transport (VLAN); Organization Firewall (Cisco ASA virtual context); Org Inside Transport (VLAN); Organization Load Balancer Context (F5 virtual BIG-IP, local and global LB); Enclave Networks (VLANs / VXLANs)
- Storage Subsystem: Organization Storage Context (virtual NetApp vserver with service-level mounts)

Enclave RBAC
After an Enclave is created, Role Based Access Control (RBAC) is established by assigning permissions to the organization's technical staff. The Technical Contact that creates an Enclave becomes the Enclave Owner. This contact can then grant permissions to administrators and other technical staff that need configuration control for that Enclave. The Security Contact is informed of the actions that the Technical Contact is performing and can take action relating to personnel security.
Diagram: Organization Users (Technical Contact, Security Contacts, Enclave Administrators); IoD v3 Service Broker (granting permissions, notification); NNSA Private Cloud subsystems (Virtualization with vCloud Director and vShield, Shared Service with AD / LDAP, Server, Storage, Network)

Enclave Management
Once an Enclave has been established and applications are ready to be presented to end users, several configuration steps need to be taken. The Service Broker should simplify these steps but keep control at the organization level. For instance, when an Enclave Admin is ready to present an application to the organization's users, they need to configure static NAT and load balancer rules. Control is maintained because public NAT and access rules can only be set by the organization's technical and security contacts.
Diagram: End Users; Technical and Security Contacts; Enclave Administrators; IoD v3 Service Broker; NNSA Private Cloud subsystems (Virtualization with vShield, Shared Service, Server, Storage, Network with Cisco and F5)
End-user traffic flow: Org Campus Networks; OneNNSA Network; Org Outside Transport (VLAN): public NAT, org access control; Org Inside Transport (VLAN): load balancer rules, SSL offload; Enclave Networks (VLANs / VXLANs): static NAT, access control, VPN; applications and shared services
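The Enclave RBAC and Enclave Management slides above describe a separation of duties: a Technical Contact creates an enclave and becomes its owner, only the owner delegates enclave administration, enclave admins configure load balancer rules and static NAT inside their enclave, and public NAT and organization access rules stay with the organization's technical and security contacts, who are also notified of permission changes. The following is an added example of that policy as a deny-by-default authorization check, not the IoD service broker's own code; the role and action names, the `Broker` class and the sample organization ("lab-org", alice, sam, bob) are assumptions for illustration.

```python
"""Added example: deny-by-default authorization for a cloud service broker with
org-level and enclave-level actions. Hypothetical code; names are assumed."""
from dataclasses import dataclass, field
from enum import Enum, auto


class Action(Enum):
    GRANT_ENCLAVE_ADMIN = auto()   # enclave owner only
    SET_LB_RULE = auto()           # enclave level: load balancer rules, SSL offload
    SET_STATIC_NAT = auto()        # enclave level: edge firewall static NAT / ACL
    SET_PUBLIC_NAT = auto()        # organization level
    SET_ORG_ACCESS_RULE = auto()   # organization level


ORG_LEVEL = {Action.SET_PUBLIC_NAT, Action.SET_ORG_ACCESS_RULE}
ENCLAVE_LEVEL = {Action.SET_LB_RULE, Action.SET_STATIC_NAT}


@dataclass
class Enclave:
    name: str
    owner: str                                  # technical contact who created it
    admins: set = field(default_factory=set)    # delegated enclave administrators


@dataclass
class Organization:
    name: str
    technical_contacts: set
    security_contacts: set
    enclaves: dict = field(default_factory=dict)
    notifications: list = field(default_factory=list)   # messages sent to security contacts


class Broker:
    def __init__(self, org):
        self.org = org

    def _notify_security(self, message):
        """Security contacts are told about every permission-changing action."""
        for contact in sorted(self.org.security_contacts):
            self.org.notifications.append(f"to {contact}: {message}")

    def create_enclave(self, actor, enclave_name):
        """Only a technical contact may create an enclave; the creator becomes owner."""
        if actor not in self.org.technical_contacts:
            raise PermissionError(f"{actor} is not a technical contact of {self.org.name}")
        if enclave_name in self.org.enclaves:
            raise ValueError(f"enclave {enclave_name} already exists")
        enclave = Enclave(name=enclave_name, owner=actor)
        self.org.enclaves[enclave_name] = enclave
        self._notify_security(f"{actor} created enclave {enclave_name}")
        return enclave

    def grant_enclave_admin(self, actor, enclave_name, grantee):
        """Only the enclave owner delegates; the grant is reported to security."""
        if not self.authorize(actor, Action.GRANT_ENCLAVE_ADMIN, enclave_name):
            raise PermissionError(f"{actor} does not own enclave {enclave_name}")
        self.org.enclaves[enclave_name].admins.add(grantee)
        self._notify_security(f"{actor} granted {grantee} admin on enclave {enclave_name}")

    def authorize(self, actor, action, enclave_name=None):
        """True if actor may perform action (scoped to enclave_name when enclave-level)."""
        if action in ORG_LEVEL:
            # Public NAT and org access rules: org technical and security contacts only,
            # regardless of any enclave permissions the actor holds.
            return actor in self.org.technical_contacts or actor in self.org.security_contacts
        enclave = self.org.enclaves.get(enclave_name)
        if enclave is None:
            return False
        if action in ENCLAVE_LEVEL:
            return actor == enclave.owner or actor in enclave.admins
        if action is Action.GRANT_ENCLAVE_ADMIN:
            return actor == enclave.owner
        return False   # unknown action: deny

    def apply(self, actor, action, enclave_name=None):
        """Enforce the decision: return an audit record on success, raise on denial."""
        if not self.authorize(actor, action, enclave_name):
            raise PermissionError(f"{actor} may not {action.name} on {enclave_name or self.org.name}")
        return f"{actor}:{action.name}:{enclave_name or self.org.name}"


def demo():
    """Constructed scenario: one org, one enclave, one delegated admin."""
    org = Organization(name="lab-org", technical_contacts={"alice"}, security_contacts={"sam"})
    broker = Broker(org)
    broker.create_enclave("alice", "web")
    broker.grant_enclave_admin("alice", "web", "bob")
    return broker


if __name__ == "__main__":
    b = demo()
    print(b.apply("bob", Action.SET_LB_RULE, "web"))
    print(b.authorize("bob", Action.SET_PUBLIC_NAT))   # False: org-level action
```

Two design points carry over to a real broker: the org-level branch is evaluated before any enclave lookup, so an enclave admin cannot reach public NAT through a crafted enclave argument, and every grant goes through the same `authorize` path as the configuration actions, so there is one decision point to audit.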
Business
- Dynamic Cost Calculator
- Chargeback / Showback
- Green and Business IT Smart Meters
- Enterprise Application Store

Technical
- Unified management across private, hybrid and public clouds
- Broker concept: cloud computing meets travel agency
- Advanced orchestration: no touch
- Comprehensive management: networks and firewalls, load balancers, DNS, workload management

Security
- Software Defined Security: network, storage, compute
- Adaptive Security: VDI, remediation, enclave
- Interactive Intelligence: business, social, cyber

What's Next?
- Secure Workload Portability
- Automated Cloud Risk Management
- Moving Target Security
- Network Virtualization
- SustainIT

SustainIT Integrated Capabilities
- Data Center High-Level View
- Data Center Detail View
- DC Pro Analysis
- Sustainable Portfolio Project Manager
- Facility TCO Modeling
- Real-time Energy Monitoring and Management
Principles: begin with the end goal in mind; focus on real business solutions; take a lean, agile approach to technology.
Outcomes: rapid results; low risk; low cost.

Anil Karmel, Deputy Chief Technology Officer, NNSA; RightPath Chief Architect; @AnilKarmel