Unclassified
AF Cloud Computing Architecture
14 Apr 2011
Steven L. Stoner
[email protected] DSN 779-6926
Overview
• What?
  • Cloud Computing Defined
• Why?
  • DoD Data Center Consolidation Initiative
  • Cloud Computing Advantages
• How?
  • DoD Cloud Computing Goals & Timeline
  • Proposed Hybrid Cloud Design
  • Management Roles & Responsibilities
• Issues and Concerns
• Way Ahead
• Summary
Cloud Computing Defined
A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (Ref: NIST)
• Characteristics of Cloud Computing:
  • On-demand self-service
  • Broad network access
  • Resource pooling
  • Location independence
  • Rapid elasticity
  • Measured service
Cloud Computing Taxonomy
Cloud Computing Primary Service Models
• Infrastructure as a Service (IaaS), “Data Center as a Service”: the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources on which the consumer is able to deploy and run arbitrary software, which can include operating systems and applications
• Platform as a Service (PaaS): the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider
• Software as a Service (SaaS): the capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email)
AF Data Center Consolidation Plan
• The Office of Management and Budget (OMB) has tasked all Federal Agencies to develop a Data Center Consolidation Plan in support of the Federal Data Center Consolidation Initiative (FDCCI).
• …under FDCCI, a data center is defined as a single facility or combination of facilities that contain an aggregate total of 15 or more servers, 1 mainframe, or more than 1000 square feet dedicated to housing servers, storage devices, and network equipment.
• Deployed data centers are not considered part of this consolidation, as they are location-specific and are easily moved due to their tactical nature.
• Several AF programs of record are currently evaluating various commercial, DISA, & Intel Community approaches toward employing cloud computing…
• In addition to balancing potential cost savings, a chief consideration for mission systems is mission assurance …implying that mission effectiveness must be the primary consideration, followed by cost efficiency. Military activities are often not efficient ...to be ineffective can be extremely costly!
Federal CIO Initiatives
Cloud technologies and Infrastructure-as-a-Service enable IT services to efficiently share demand across infrastructure assets, reducing overall reserve capacity across the enterprise.
Agencies must focus on consolidating existing data centers, reducing the need for infrastructure growth by implementing a “Cloud First” policy for services, and increasing their use of available cloud and shared services.
… the government is operating and maintaining almost 2,100 data centers. Through the FDCCI, a minimum of 800 data centers will be closed by 2015 … strategy…will revolve around using commercial cloud technologies where feasible, launching private government clouds, and utilizing regional clouds with state and local governments where appropriate
Vivek Kundra, Federal Chief Information Officer of the United States

… 25-Point Implementation Plan to Reform Federal IT Mgmt includes:
• Turnaround or terminate…underperforming projects in IT portfolio
• Shift to “Cloud First” policy
• Reduce…Federal data centers by at least 800 by 2015
• Only approve funding of major IT programs that:
  • Have a dedicated program manager & a fully staffed integrated program team
  • Use a modular approach with usable functionality delivered every six months
  • Use specialized IT acquisition professionals
Source: 25 Point Implementation Plan to Reform Federal Information Technology Mgmt, 9 Dec 2010
Cloud Computing Advantages
Assumes a commercial provider or a government provider following commercial practices
• Rapid Provisioning
  • 24 hour, around-the-clock provisioning
  • On-line self-service
  • Flexible funding approaches (IMPAC card or MIPR)
• Increased Scalability
  • Increased capacity ~ typically in less than 24 hours
  • Capacity on Demand
  • Turn On Resources when needed; Release when done
• Reduced Risks
  • No capital funds required
• Reduced Costs
  • Pay only for what you use
  • Billing Cycle-to-Billing Cycle service
  • No annual maintenance fees
DoD Cloud Computing Strategy
• Synchronizes cloud computing efforts and initiatives
• Enables rapid, on-demand IT capabilities
• Achieves necessary fiscal goals set in place by current cost constraints across federal government
• Provides common definition for a “DoD Cloud Computing framework” based on the NIST definition
• States cloud computing value proposition for DoD, identifying specific opportunities within the cloud paradigm, as well as examining potential risks and challenges that DoD faces
• Advocates use of coordinated research and pilots to fully understand risks of the cloud environment
• Highlights opportunities for interoperability and increased synergies across DoD
DoD Cloud Computing Timeline (FY2011 through FY2014)
• Phase 0: Current State
• Phase 1: Establish a Cloud-First Campaign
• Phase 2: Migrate to DoD Private Clouds
• Phase 3: Assess non-DoD Clouds
• Phase 4: Collapse the Desktop Into the Cloud
• Phase 5: Migrate Business Systems
• Phase 6: Migrate Mission Systems
Fiscal-year markers on the original timeline graphic: FY2011, FY2012, FY2013, FY2014
AF Current State: Private Network
• AF Enterprise Data Centers
  • Scott AFB
    • Limited additional capacity pending power upgrade
  • AFDW
    • Growing capacity for user e-mail and SharePoint accounts
    • Pending data circuit installation, C&A and OT&E
• AF VPN Intranet with “Gateways” on NIPR & SIPR
• BNCC-Rebuild Program
  • Tech Refresh installs blade servers, VMware, & storage
  • Expandable infrastructure hosting “local” instances of the “AF Core Enterprise Services”
AF Target: Hybrid Cloud
• Multiple IT service components to hybrid solution:
  • Part out-sourced to commercial providers where appropriate
  • Part in-sourced Private Cloud consisting of AF provisioned data centers and VPN networks to house AF unique Core Enterprise Services and certain AF Mission Systems
  • Part out-sourced to DISA at the DECCs to house “DoD Core Enterprise Services” as identified by DoD CIO
• Two (non-hybrid) AF cloud solution “pilots” with potential to integrate forward into a hybrid
  • TENCAP I2P (Intelligence Integration Pilot)
    • Based on NSA version of Google design (Hadoop)
  • Mission Oriented Cloud Architecture (MOCA)
    • Based on IBM stream processing technology
Proposed AF Hybrid Cloud Design (figure; only the diagram labels are recoverable in this text)
• Commercial Cloud: SaaS, PaaS
• DoD Private Cloud: IaaS, PaaS
• AF Private Cloud *: PaaS, IaaS, SaaS, reached over the AF VPN Network
* 24 AF Operates & Defends
Legend: Web-based Services = Software-as-a-Service (SaaS); PaaS = Platform-as-a-Service; IaaS = Infrastructure-as-a-Service
Virtualized Computing Resources (figure; text recovered from the diagram)
• Virtualize the operating systems (virtual machines): boot multiple operating systems in parallel “on top of” the hypervisor
• Virtualize the processors (CPUs): group physical computers together to function as one large server, using a “hypervisor” (new software layer)
• Virtualize the storage: group physical disks together to function as one storage device, using Network Attached Storage (NAS) or Storage Area Networks (SANs)
Diagram layers, top to bottom: Virtual Machines; Hypervisor; Servers (tbd); Storage (tbd)
Issues and Concerns (1/4)
• All of the classic security concerns of the traditional client-server paradigm continue to exist in a Cloud Computing environment
• All of the classical cyber attacks against a single machine or entity are still present in the Cloud
• Locking down data transactions is the most challenging task for developers, just as in the classical client-server environment
• Risk of adversary penetration of the isolation between Virtual Machines (e.g., via a vulnerability that allows an “escape” to the hypervisor, or via side-channels between VMs (cross-VM attacks))
• The Gartner Group list of security risks certainly applies to DoD: protection of sensitive data, regulatory/mandate compliance, data location, data segregation, recovery, etc.
• How will we Certify and Accredit the solution via DIACAP?
Issues and Concerns (2/4)
• Data dispersal and international privacy laws
  • EU Data Protection Directive and U.S. Safe Harbor program
  • Exposure of data to foreign governments & data subpoenas
• Data retention issues
• Need for isolation management
• Multi-tenancy issues
• Logging challenges
• Data ownership issues
• Quality of service guarantees
• Must support an end-to-end security solution
• Can complicate accountability and forensics
• Bandwidth Impacts?
• How would the AF effect a change to a different cloud provider at the end of a contract…?
Issues and Concerns (3/4)
• Dependence on secure hypervisors
• Attraction to hackers (high value target)
• Security of OSs and virtual OSs in the cloud
• Possibility for massive outages
• Encryption needs for cloud computing:
  • Access to cloud resource control interface
  • Administrative/Root access to OS instances
  • Access to applications
  • Application data at rest
  • Application data in motion
  • Shared crypto key management/use issues
• Public cloud vs. internal cloud security
• Lack of public SaaS version control
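The isolation-management, logging and accountability/forensics concerns on slide (2/4) and the control-interface and administrative-access items on this slide are easiest to see over concrete records. The following is an added example and is not part of the briefing: it reviews a constructed, hypothetical control-plane audit log (the record schema, the tenant names and every log line are made up for illustration) and assumes the provider's own administrative tenant is named csp. It flags a tenant principal touching another tenant's resource, a provider-side privileged action on a tenant resource (which must be matched to a change record), and a privileged action with no tenant attribution, and it tolerates a corrupt log line rather than aborting the review.

```python
"""Tenant-scoped review of cloud control-plane audit records.

Added example, not from the briefing. The record schema, the tenant and
principal names and every log line below are constructed for illustration.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: newline-delimited JSON, one record per control-plane call.
# Hypothetical schema: who acted, which tenant they belong to, what they did,
# whose resource was touched, and whether the action was privileged.
SAMPLE_AUDIT_LOG = """\
{"ts": "2011-04-14T08:01:10Z", "principal": "svc-mail@tenant-a", "tenant": "tenant-a", "action": "vm.start", "target_tenant": "tenant-a", "target": "vm-0142", "privileged": false}
{"ts": "2011-04-14T08:03:44Z", "principal": "ops1@tenant-a", "tenant": "tenant-a", "action": "vm.console.open", "target_tenant": "tenant-b", "target": "vm-0207", "privileged": true}
{"ts": "2011-04-14T08:05:02Z", "principal": "hv-admin@csp", "tenant": "csp", "action": "hypervisor.patch", "target_tenant": "tenant-b", "target": "host-17", "privileged": true}
{"ts": "2011-04-14T08:07:19Z", "principal": "dba@tenant-b", "tenant": "tenant-b", "action": "volume.snapshot", "target_tenant": "tenant-b", "target": "vol-0099", "privileged": false}
this line is corrupt and must be skipped rather than crash the review
{"ts": "2011-04-14T08:09:55Z", "principal": "ops1@tenant-a", "tenant": "tenant-a", "action": "os.root.login", "target_tenant": "tenant-a", "target": "vm-0142", "privileged": true}
{"ts": "2011-04-14T08:11:30Z", "principal": "unknown", "tenant": "", "action": "key.export", "target_tenant": "tenant-a", "target": "kms-key-3", "privileged": true}
"""

PROVIDER_TENANT = "csp"  # assumed name of the provider's own administrative tenant


def parse_audit_log(text):
    """Parse NDJSON records, skipping blank or malformed lines.

    A review that aborts on one bad line is useless for forensics, so the
    parser counts how many lines it dropped instead of raising.
    """
    records, dropped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            rec["tenant"] = rec.get("tenant") or "unattributed"  # empty tenant = no accountability
            records.append(rec)
        except (ValueError, KeyError, TypeError):
            dropped += 1
    return records, dropped


def review_isolation(records):
    """Return findings that bear on the isolation and accountability concerns.

    cross-tenant-access     a tenant principal touched another tenant's resource
    provider-privileged     provider staff took a privileged action on a tenant
                            resource (must be matched to a change record)
    unattributed-principal  an action with no tenant attribution, which defeats
                            accountability and forensics
    """
    findings = []
    for rec in records:
        actor, target = rec["tenant"], rec["target_tenant"]
        base = {"ts": rec["ts"].isoformat(), "principal": rec["principal"],
                "action": rec["action"], "target": rec["target"]}
        if actor == "unattributed":
            findings.append(dict(base, kind="unattributed-principal"))
        elif actor == PROVIDER_TENANT and rec.get("privileged"):
            findings.append(dict(base, kind="provider-privileged"))
        elif actor != target and actor != PROVIDER_TENANT:
            findings.append(dict(base, kind="cross-tenant-access"))
    return findings


def privileged_actions_by_tenant(records):
    """Count privileged actions per acting tenant: a per-tenant accountability view."""
    return Counter(rec["tenant"] for rec in records if rec.get("privileged"))


def run_review(text=SAMPLE_AUDIT_LOG):
    """Parse the log and return parse statistics, findings and the privileged-action tally."""
    records, dropped = parse_audit_log(text)
    return {
        "parsed": len(records),
        "dropped": dropped,
        "findings": review_isolation(records),
        "privileged_by_tenant": privileged_actions_by_tenant(records),
    }


if __name__ == "__main__":
    result = run_review()
    print(f"parsed {result['parsed']} records, dropped {result['dropped']}")
    for f in result["findings"]:
        print(f"{f['kind']:24} {f['ts']} {f['principal']} {f['action']} -> {f['target']}")
    print("privileged actions by tenant:", dict(result["privileged_by_tenant"]))
```

On the constructed sample the review parses six records, drops the corrupt one, and reports three findings: the console session opened from tenant-a against a tenant-b VM, the provider's hypervisor patch on a host serving tenant-b, and the unattributed key export. The per-tenant tally of privileged actions is the kind of evidence a tenant needs from its provider to answer the "who had root, and when" question the encryption and access items above raise.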
Issues and Concerns (4/4)
Who should be responsible for performing Fault, Configuration, Accounting, Performance, and Security operations on the identified system components? (A = Air Force, D = DISA)

Potential Ops COAs* by identified major system component area:

COA   Boundary Net-D   Boundary Network   Core Apps   Enclave HW/OS/LAN
 1          A                 A               A               D
 2          A                 A               D               D
 3          A                 D               A               D
 4          A                 D               D               D
 5          D                 A               A               D
 6          D                 A               D               D
 7          D                 D               A               D
 8          D                 D               D               D

* COA ratings used on the original slide (the colour coding that assigned each COA a rating is not preserved in this text):
  Operationally & Technically Possible, Cost = Deciding Factor
  Operationally & Technically Complex = High Risk
  Not Currently Operationally Acceptable
Way Ahead (1/3)
• Focus on componentization before moving to the ‘Cloud’
  • Avoid force-fit of IT onto cloud computing platforms
  • Rebuild core AF IT infrastructure as many component parts: data, services, processes, images, perhaps bundled into virtual appliances that could be portable among cloud platforms
  • Idea is to treat components as items that can be moved to any platform easily, allowing DoD to run its systems on the platforms that are most efficient and effective, and to quickly align to the requirements of the missions
• Acquire the right skill sets
Ref: InfoWorld Article, 16 May 10, “How and Why the Military Should Adopt the Cloud”
Way Ahead (2/3)
• Leverage private cloud first
  • Security issues around DoD systems are so sensitive that they can't live on public clouds -- at least for now
  • DoD needs to get good at private clouds (effectiveness) and move to better and/or more efficient (less costly) platforms/models when (as soon as) it can
  • If it componentizes well, the use of cloud technology in a private cloud installation should not be a major challenge
  • Use of shared and/or multi-tenant Public Cloud services presents another, additional magnitude of difficulty
Paraphrased from: “How and Why the Military Should Adopt the Cloud”; InfoWorld, 16 May 10
Way Ahead (3/3)
• Network perimeter defense is no longer the single solution to security!
  • Security strategy must account for all layers & tiers of the environment
  • Must think beyond; increase depth of our 'Defense in Depth' solutions
  • Must significantly advance our host-based security
  • Don’t forget basics – people, TTPs, T.O.s, etc.
  • Must consider compliance issues (e.g., HIPAA)
• Cloud computing introduces new security challenges
• Issues to address (cloud or traditional):
  • Privileged user access
  • Regulatory Compliance
  • Data Location
  • Data Segregation
  • Long Term Viability
  • Recovery
  • Forensics and Investigative Support
AFNet Cloud Computing Architecture
• Segment Architecture: focuses entirely on AF cloud computing, vice a fragmented discussion
• Provides more holistic technology descriptions
• Overlays DoDAF artifacts onto the OMB format for segment architectures
• DoDAF products in development:
  1. AV-1
  2. AV-2
  3. OV-1
  4. OV-5
  5. OV-6a
  6. OV-6c
  7. DIV-2
  8. SV-1
  9. SV-2
  10. SV-4
  11. SV-7
  12. StdV-1/2
Summary
• Leadership interested in cloud computing
• Major Concerns:
  • Security risks
  • End-to-End “Service” Management
  • Software and Records Ownership
• RT-SON and IBM MOCA Pilots
• Cloud Computing Segment Architecture Under Construction
Questions?
Unclassified/FOUO
Cloud Computing Way Ahead
The Presidential Memo on Cutting Costs and Improving Energy Efficiency (June 10, 2010), directs that "[Agency] actions shall include ... pursuing consolidation opportunities within and across agencies in common assets types, such as [data centers]." Agencies are required to develop a plan to consolidate and significantly reduce data centers within 5 years. This directive is consistent with the Federal Data Center Consolidation Initiative. The impact of these directives with regard to cloud computing is not clear. Any cloud solution must accommodate both mandates.
Cloud Type: Public Cloud
• The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services

Cloud Type: Private Cloud
• The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

Cloud Type: Community Cloud
• The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

Cloud Type: Hybrid Cloud
• The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Cloud Services
• Areas where _XXX_-as-a-Service may have utility:
  • Storage
  • Database
  • Information
  • Process
  • Application
  • Platform
  • Integration
  • Security
  • Management/Governance
  • Testing
  • Infrastructure
Federal Cloud Computing Strategy
“…for the Federal Government, cloud computing holds tremendous potential to deliver public value by increasing operational efficiency and responding faster to constituent needs.”
Federal Cloud Computing Strategy
• Articulate benefits, considerations, & trade-offs of cloud computing
• Provide decision framework and case examples to support agencies in migrating towards cloud computing
• Highlight cloud computing implementation resources
• Identify Federal Government activities and roles and responsibilities for catalyzing cloud adoption
DoD Cloud Computing Vision
“Adopt cloud computing to rapidly acquire new capabilities that are secure, and trusted while reducing cost and increasing mission effectiveness”
AFSPC Cloud Computing Goals
• Develop space mission data sharing/fusion capabilities, presenting data as a service to support Space & Cyber mission application development
• Enable AFSPC (through 24AF - AFNETOPS) to manage a standardized scalable computing infrastructure to support AF specific requirements for all mission areas (i.e., 14AF, 24AF)
• Minimize the need for costly “stove-piped” implementations
• Drive AFSPC to a net-centric environment supporting implementation of the following 2009-2010 AFSPC Command Strategic Plan A6 Objectives:
  • Integrate robust C&I services, support, and capabilities to drive decision makers and warfighting power
  • Deliver modern network capabilities to synchronize the full spectrum of cyber and space operations
  • Exploit existing communications and information technology to evolve capabilities and mature network operations
  • Integrate and implement applicable directives and mandates to improve acquisition of Information Technology (IT) for the warfighter
DoD Cloud Computing Goals
Strategic Goals for Framework
• GOAL 1: Adopt an Air Force-wide Cloud Computing Implementation Approach
• GOAL 2: Mature Implementation Practices
• GOAL 3: Increase Efficiency of IT Investments
• GOAL 4: Manage Culture, Change and Expectations
• GOAL 5: Innovate Using Cloud Technology
DoD Goal #1 & Objectives
GOAL 1: Adopt AF-wide Cloud Computing Approach
• Identify and coordinate plans for moving services to cloud solutions
• Review and develop policies, processes, governance, and standards to enable rapid acquisition and adoption of cloud-based solutions
• Develop reference architectures that enable the Air Force to more effectively implement and leverage cloud computing solutions
• Establish Private Clouds in Air Force Community
DoD Goal #2 & Objectives
GOAL 2: Mature Implementation Practices
• Guide stakeholders in adoption and implementation of cloud solutions
• Develop methodologies to effectively assess and implement services
• Ensure reuse and modularity of Cloud Computing Services
• Mitigate cloud implementation challenges – resolution through pilots and pathfinders
• “Collapse the desktop into the Cloud” – use of web-enabled applications that store and operate using cloud-resident data
DoD Goal #3 & Objectives
GOAL 3: Increase Efficiency of IT Investments
• Establish baselines for Cost Evaluation – using standardized forms and content for cloud-related IT investment
• Identify and develop DoD Business Cases and Value Propositions for Cloud Solutions
• Identify, develop, and monitor Cloud Computing Performance Metrics
DoD Goal #4 & Objectives
GOAL 4: Manage Culture, Change and Expectations
• Enable Understanding of Cloud Computing Solutions
• Conduct Outreach with Stakeholders and Industry Partners
• Develop and Manage DoD Strategic Cloud Computing Communications – identify key message points, modes, audiences, timelines, & approach