Welcome to the DISA Cloud Symposium

Similar documents
Cloud Overview. Mr. John Hale Chief, DISA Cloud Portfolio February, 2018 UNITED IN SERVICE TO OUR NATION UNCLASSIFIED 1

Migrating Applications to the Cloud

Secure Cloud Computing Architecture (SCCA)

Secure Cloud Computing Architecture (SCCA)

What is milcloud 2.0?

About the DISA Cloud Playbook

DISA CLOUD CLOUD SYMPOSIUM

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

Introduction To Cloud Computing

CLOUD WORKLOAD SECURITY

Defense Information Systems Agency (DISA) Department of Defense (DoD) Cloud Service Offering (CSO) Initial Contact Form

OFFICE OF THE ASSISTANT SECRETARY OF DEFENSE HEALTH AFFAIRS SKYLINE FIVE, SUITE 810, 5111 LEESBURG PIKE FALLS CHURCH, VIRGINIA

White Paper Impact of DoD Cloud Strategy and FedRAMP on CSP, Government Agencies and Integrators.

Supporting the Cloud Transformation of Agencies across the Public Sector

IBM Cloud Security for the Cloud. Amr Ismail Security Solutions Sales Leader Middle East & Pakistan

Introduction to Cloud Computing. [thoughtsoncloud.com] 1

Clouds in the Forecast. Factors to Consider for In-House vs. Cloud-Based Systems and Services

Cisco Services: Towards Your Next Generation IT

Getting Hybrid IT Right. A Softchoice Guide to Hybrid Cloud Adoption

Please give me your feedback

Accelerate your Azure Hybrid Cloud Business with HPE. Ken Won, HPE Director, Cloud Product Marketing

Next Generation Enterprise Network- Recompete (NGEN-R) Industry Day

IT Enterprise Services. Capita Private Cloud. Cloud potential unleashed

Fundamental Concepts and Models

CHEM-E Process Automation and Information Systems: Applications

ArcGIS in the Cloud. Andrew Sakowicz & Alec Walker

DC: Le Converged Infrastructure per Software Defined e Cloud Cisco NetApp - Softway. Luigi MARCOCCHIA SOFTWAY

Cisco CloudCenter Solution Use Case: Application Migration and Management

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

COMPLIANCE IN THE CLOUD

2013 AWS Worldwide Public Sector Summit Washington, D.C.

10 Considerations for a Cloud Procurement. March 2017

Transform Your Business with Hybrid Cloud

Forecast to Industry 2016

ASD CERTIFICATION REPORT

Why the cloud matters?

Accelerate Your Enterprise Private Cloud Initiative

Popular SIEM vs aisiem

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. reserved. Insert Information Protection Policy Classification from Slide 8

<Placeholder cover we will adjust> Microsoft Azure Stack Licensing Guide (end customers)

DATA SHEET AlienVault USM Anywhere Powerful Threat Detection and Incident Response for All Your Critical Infrastructure

DISA Cybersecurity Service Provider (CSSP)

Orchestrating the Cloud Infrastructure using Cisco Intelligent Automation for Cloud

Cloud First Policy General Directorate of Governance and Operations Version April 2017

<Placeholder cover we will adjust> Microsoft Azure Stack Licensing Guide (Hosters and service providers)

Government IT Modernization and the Adoption of Hybrid Cloud

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

Network Implications of Cloud Computing Presentation to Internet2 Meeting November 4, 2010

Privacy hacking & Data Theft

Community Clouds And why you should care about them

State of Cloud Adoption. Cloud usage is over 90%, are you ready?

Where are you with your Cloud or Clouds? Simon Kaye Dr Cloud

Cloud Computing and Its Impact on Software Licensing

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

Azure Stack: The hybrid cloud revolution

SIMPLIFY, AUTOMATE & TRANSFORM YOUR BUSINESS

CSP 2017 Network Virtualisation and Security Scott McKinnon

Cloud Computing introduction

IBM Bluemix compute capabilities IBM Corporation

IZO MANAGED CLOUD FOR AZURE

Cisco Cloud Architecture with Microsoft Cloud Platform Peter Lackey Technical Solutions Architect PSOSPG-1002

A CISO GUIDE TO MULTI-CLOUD SECURITY Achieving Transparent Visibility and Control and Enhanced Risk Management

PUBLIC AND HYBRID CLOUD: BREAKING DOWN BARRIERS

Qualys Cloud Platform

Chapter 4. Fundamental Concepts and Models

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

EMC Strategy Overview: Journey To The Private Cloud

Why Microsoft Azure is the right choice for your Public Cloud, a Consultants view by Simon Conyard

Service Description VMware Workspace ONE

Deploying to the Cloud: A Case study on the Development of EHNAC s Cloud Enabled Accreditation Program (CEAP)

Cloud Computing: Is it safe for you and your customers? Alex Hernandez DefenseStorm

SYMANTEC DATA CENTER SECURITY

The Oracle Trust Fabric Securing the Cloud Journey

McAfee Public Cloud Server Security Suite

MySQL CLOUD SERVICE. Propel Innovation and Time-to-Market

Cloud Essentials for Architects using OpenStack

Security Readiness Assessment

CLOUD COMPUTING. Rajesh Kumar. DevOps Architect.

Deploying and Operating Cloud Native.NET apps

VMWARE CLOUD FOUNDATION: INTEGRATED HYBRID CLOUD PLATFORM WHITE PAPER NOVEMBER 2017

Capgemini Dynamic Services

AFCEA BELVOIR. Industry Day. Joint Service Provider Overview. Victor O. Shirley Chief of Staff Joint Service Provider April 4, 2018

2-4 April 2019 Taets Art and Event Park, Amsterdam CLICK TO KNOW MORE

Copyright 2011 EMC Corporation. All rights reserved.

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

Cloud Computing. January 2012 CONTENT COMMUNITY CONVERSATION CONVERSION

Exam C Foundations of IBM Cloud Reference Architecture V5

Analytics in the Cloud Mandate or Option?

Automating Security Practices for the DevOps Revolution

The IBM Platform Computing HPC Cloud Service. Solution Overview

Data Center Management and Automation Strategic Briefing

Christopher Covert. Principal Product Manager Enterprise Solutions Group. Copyright 2016 Symantec Endpoint Protection Cloud

Copyright 2015 EMC Corporation. All rights reserved. Published in the USA.

Naval Enterprise Networks Industry Day #2 NGEN Re-compete Acquisition Approach

Drive digital transformation with an enterprise-grade Managed Private Cloud

ALI-ABA Topical Courses ESI Retention vs. Preservation, Privacy and the Cloud May 2, 2012 Video Webcast

What is Dell EMC Cloud for Microsoft Azure Stack?

Cisco Tetration Analytics

Transcription:

Welcome to the DISA Cloud Symposium 1

2

Information IN PERSON VIA QUESTION FORMS, SUBMITTED DURING BREAKS VIRTUAL INFORMATION PORTAL: http://www.disa.mil/newsandevents/events/cloud-symposium 3

DISA CLOUD SYMPOSIUM 4

5

Crawl - Cloud Intro Mr. John Hale Chief, DISA Cloud Portfolio November, 2017 6

Deputy Secretary of Defense Memo Sep 13 th, 2017 by Deputy Secretary of Defense Creates the Cloud Enterprise Steering Group (CESG) Two phase approach Phase 1: Resolve acquisition issues around DoD consuming commercial cloud Phase 2: Rapidly transition DoD Components and/or Agencies to cloud Creates regular reporting process of status 7

What is cloud? The National Institute of Standards and Technology's (NIST) defines cloud in NIST Special Publication 800-145 Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction 8

What is cloud? (Cont.) In reality, cloud is: Utility Billing Scalable Management Portal Real-time Elasticity Security Services 9

Cloud Models Infrastructure as a Service (IaaS) Infrastructure Applications YOU are Responsible Data Runtime Middleware O/S Virtualization Cloud Service Provider Managed/Responsibility Servers Storage Networking 10

Cloud Models (Cont.) Platform as a Service (PaaS) Infrastructure YOU are Responsible Applications Data Runtime Middleware Cloud Service Provider Managed/Responsibility O/S Virtualization Servers Storage Networking 11

Cloud Models (Cont.) Software as a Service (SaaS) Infrastructure Shared Responsibility (YOU and the Cloud Service Provider) Applications Data Runtime Middleware Cloud Service Provider Managed/Responsibility O/S Virtualization Servers Storage Networking 12

Impact Levels Impact Level 2 (IL2) Unclassified Data (public data) requires shared or dedicated infrastructure Impact Level 4 (IL4) Unclassified Sensitive Data (FOU, CUI, etc) required shared or dedicated infrastructure with strong evidence of virtual separation controls and monitoring Impact Level 5 (IL5) Unclassified Sensitive Data (NSS, PIAA, HIPA) required dedicated infrastructure Impact Level 6 (IL6) Classified Data (Secret, etc) required dedicated infrastructure approved for classified information 13

Walk - Cloud Solutions Mr. John Hale Chief, DISA Cloud Portfolio November, 2017 14

DoD Cloud Deployment Models DoDIN On-Premise Commercial Cloud Commercially provided cloud service hosted within DoD facilities DoD security posture ensured by on premise execution Moderate customization to tailor the service for mission needs Utility pricing model pay for usage Low Total Cost of Ownership (DoD consumers share cloud cost) Best Fit Applications Web apps with high transactional data volume interfaces to DoDIN hosted systems or end-users on DoDIN DoDIN Off-Premise Commercial Cloud Limited customization; standard hosting across all consumers Broad scalability to support requirements for compute / storage Utility pricing model pay for usage Long Term Lowest Cost of Ownership (cloud consumers share cost of infrastructure; requires additional investment to secure) Level 4/5 Web apps with minimal data interfaces to on-prem apps Level 2 public information sharing Web apps with minimal data moving to DoDIN 15

Unclassified DoD Commercial Cloud Deployment Approach Cyber Command C2 Operations On Premise Level 1-5 Cloud Providers OMS (onsite management services) IBM CMSG Big Data Analytics Internet-based User Internet Access Points Boundary Protection for Internet Traffic Internet Off Premise Level 2 Approved Vendors AWS East/West Sales Force NIPR-based User Joint Regional Security Stacks Global Content Delivery System (Commercial Caching) DISN Global Content Delivery System (Commercial Caching) Cloud Access Points Boundary Protection for Impact Level 4 & 5 Secure Cloud Computing Architecture (SCCA) Meet-Me Point Central Location for DoD and Cloud Connections Off Premise Level 4/5 Approved Vendors Microsoft Azure Sales Force AWS Gov Cloud Oracle cloud Microsoft 365 DoD Controlled Environment Commercial Controlled Environment w/dod Oversight 16

Lessons Learned Technical Challenges Applications not cloud ready - some may never be ready due to cost to modernize Not all app owners have access to skills and resources to modernize apps for the cloud milcloud 2.0 and OMS include CLINs to help accelerate adoption Commercial cloud business model not always aligned to DoD heavy transactional data I/O requirements... easier for isolated applications or minimal I/O to legacy systems. (High I/O drives cost) DoD working to provide direct network connection to small number of commercial cloud providers to offset this cost and eliminate data meters Applications Existing DoD Security Solutions are not cloud aware Secure Cloud Computing Architecture (SCCA) deployed January 2018 to provide basic security services in a shared cloud environment 17

Lessons Learned (Cont.) Business Management Roadblocks Business decisions challenging Lack of a single place for application owners across DoD to find all available Cloud solutions and understand which one to choose (features, price, etc.) App owners don't understand new paradigm and responsibilities with commercial IaaS missing key cost in analysis (i.e. system administration, application of security, etc.) Current hosting costs don't show subsidized component costs (electric, HVAC, building space, etc.) making apples to apples comparison difficult Funding not available for application owners to modify apps to be cloud-ready Application rationalization data should help to decide which apps get funding for modernization Policies for specific types of data (NC3, OCO) protect where data can be processed and/or stored for mission assurance App owners don t always understand how to translate requirements to commercial facilities (search and seizure of commercial property, data sovereignty, etc.) 18

Run DISA Cloud Services Alicia Belmas Deputy Cloud Chief December 12, 2017 Vendors named within are approved or under contract to provide specified services to DISA or DOD. UNITED IN IN SERVICE TO OUR NATION 19

CLOUD COMPUTING The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The Department of Defense adopted the NIST definition of Cloud. According to the NIST Special Publication 800-145, the Cloud model is composed of five essential characteristics, three cloud service models and four cloud deployment models The five essential characteristics are inherent in the definition of cloud. The characteristics are: On-demand self service Broad network access Resource pooling Rapid elasticity Measured service 20

The three cloud service models are: THREE CLOUD SERVICE MODELS Infrastructure as a Service (IaaS) IaaS provides the compute, storage and networking capabilities on which a user can develop and deploy their software, which can include operating systems and software applications. The consumer is not able to manage or control the underlying cloud infrastructure. Platform as a Service (PaaS) PaaS is built upon the IaaS and consists of the operating systems, programming languages, libraries, services and tools. These services are supported by the cloud provider. The consumer does not manage of control the underlying cloud infrastructure nor the operating systems, but does have control over the deployed applications and possibly the configuration settings for the application-hosting environment. Software as a Service (SaaS) SaaS is built upon the PaaS and provides an entire capability to a user. The consumer uses the cloud provider's applications running on the cloud infrastructure. The applications provided by the cloud provider are accessible from various client devices or platforms through either a thin client interface, such as a web browser or a program interface. The consumer does not manage or control the underlying cloud infrastructure, operating systems or even individual applications, although they may have access to limited user-specific application configuration settings. 21

DISA Cloud Services Off Premise Secure Cloud Computing Architecture (SCCA) On Premise milcloud 2.0 Phase 1 (m2p1) On-site Managed Services (OMS) 22

Unclassified DoD Commercial Cloud Deployment Approach Cyber Command C2 Operations On Premise Level 1-5 Cloud Providers OMS (onsite management services) IBM CMSG Big Data Analytics Internet-based User Internet Access Points Boundary Protection for Internet Traffic Internet Off Premise Level 2 Approved Vendors AWS East/West Sales Force NIPR-based User Joint Regional Security Stacks Global Content Delivery System (Commercial Caching) DISN Global Content Delivery System (Commercial Caching) Cloud Access Points Boundary Protection for Impact Level 4 & 5 Secure Cloud Computing Architecture (SCCA) Meet-Me Point Central Location for DoD and Cloud Connections Off Premise Level 4/5 Approved Vendors Microsoft AWS Azure GovCloud Oracle cloud Sales Force Microsoft 365 DoD Controlled Environment Commercial Controlled Environment w/dod Oversight 23

What is SCCA? Secure Cloud Computing Architecture (SCCA) is a suite of enterprise-level cloud security and management services. It provides a standard approach for boundary and application level security for impact level four and five data hosted in commercial cloud environments. SCCA Suite of Services Cloud Access Point (CAP) Protects DoD from cloud-originated attacks Connectivity for IaaS and SaaS Virtual Data Center Security Stack (VDSS) Traditional DMZ security for public facing applications Next generation firewall to protect cloud hosted workloads Virtual Data Center Managed Services (VDMS) Cloud connected management and security tools Privileged user access and management Trusted Cloud Credential Manager (TCCM) Role based access control and least privileged success 24

SUITE OF SERVICES OVERVIEW BOUNDARY CAP Key Features NIPRnet connectivity support for IaaS and SaaS clouds Security tools focused on protecting the DISN from the cloud Operational and security intelligence data via logging and Netflow VDSS Key Features Traditional DMZ security features for public facing web applications Next Generation Firewall for protecting cloud hosted workloads VDMS Key Features Cloud connected management and security tools Cloud privileged user access and account management Central search and display of CAP and Cloud logs via Splunk TCCM Key Features Privileged password management and control SSH Key security and management Session manager to control and monitor privileged user access to IaaS clouds and hosted instances Bastion host for access into all management and security services 25

VDMS Service Offerings Service Description Capabilities HBSS Cloud integrated epolicy Orchestrator (epo) management and SuperAgent Distributed Repository (SADR) Install host agents Configure and deliver security policies Download and push upgrades View data and generate reports ACAS Cloud integrated Tenable Security Center and Nessus vulnerability scanners Manage roles Create scan zones and policies Schedule and run compliance scans Manage server credentials Operating System Patching Cloud based versions of DoD patch repositories Integrated with on-premise DoD repositories Recursive DNS Caching Recursive DNS server in the extension to forward and cache external DNS queries Cashes responses to provide DNS response times for lookups Eliminates requirement for cloud mission owner to connect from cloud environment enclave to ERS Cloud Visibility Logs and Netflow data will feed enterprise Splunk for visibility and support security incident and event management (SIEM) Centralized through the VDMS core Future multi-tenant options will enable tailored search and display for multiple CSSP providers 26

Unclassified DoD Commercial Cloud Deployment Approach Cyber Command C2 Operations Off Premise Level 2 Approved Vendors OMS (onsite management services) IBM CMSG Big Data Analytics Internet-based User Internet Access Points Boundary Protection for Internet Traffic Internet AWS East/West Sales Force NIPR-based User Joint Regional Security Stacks Secure Cloud Computing Architecture (SCCA) Off Premise Level 4/5 Approved Vendors Global Content Delivery System (Commercial Caching) DISN Global Content Delivery System (Commercial Caching) Cloud Access Points Boundary Protection for Impact Level 4 & 5 Meet-Me Point Central Location for DoD and Cloud Connections Microsoft Azure Sales Force AWS GovCloud Oracle cloud Microsoft 365 DoD Controlled Environment Commercial Controlled Environment w/dod Oversight 27

What is m2p1? m2p1 is a commercially-owned commercially-operated on-premises private cloud. That establishes a commercial Infrastructure as a Service (IaaS) environment in DISA Data Centers that are connected to DoD networks and have unclassified workloads transitioned to and stored in the commercial IaaS solution. It is a pay for usage model instead of charging for capacity by the month. m2p1 will offer Red Hat Open Shift as it s PaaS offering. milcloud 2.0 portfolio common cloud services characteristics: On-Demand, Self-service: milcloud consumers can place orders on-demand through web-based self-service tools, configure infrastructure resources where appropriate, and manage their mission application s lifecycle running on those resources without manual intervention from DISA or CSP support staff Broad Network Access: All milcloud products and services have network connectivity to the Department of Defense Information Networks (DoDIN), and are configured in accordance with relevant DoD security guidelines and approved protocols Resource Pooling: milcloud resources are pooled such that multiple mission partners consume units from pools provisioned by DISA, enabling efficient use of aggregate compute resources and greater consumption flexibility Rapid Elasticity: milcloud has the ability to expand or contract their resource use within virtual resource pools 28

m2p1 Services m2p1 key contract features Awarded June 9, 2017 Single award IDIQ (full and open) POP (3) year base with (5) one year options Life cycle value $498M DoD Data Center s Montgomery (Prime) & Oklahoma City (Secondary) are the two site locations m2p1 key services through the web portal Metered Billing Only pay when it is in a billable state Finer billing units Servers by the hour Storage by the GB per day Monitoring and alerting through the m2p1 cloud web portal Always know how much you are spending, and how much you have left Flexible funds utilization Purchase Cloud Units Provide Funds based on your initial estimate Configure and reconfigure as needed Servers, Storage, Core Services 29

Unclassified DoD Commercial Cloud Deployment Approach Cyber Command C2 Operations Off Premise Level 2 Approved Vendors OMS (onsite management services) IBM CMSG Big Data Analytics Internet-based User Internet Access Points Boundary Protection for Internet Traffic Internet AWS East/West Sales Force NIPR-based User Joint Regional Security Stacks Secure Cloud Computing Architecture (SCCA) Off Premise Level 4/5 Approved Vendors Global Content Delivery System (Commercial Caching) DISN Global Content Delivery System (Commercial Caching) Cloud Access Points Boundary Protection for Impact Level 4 & 5 Meet-Me Point Central Location for DoD and Cloud Connections Microsoft Azure Sales Force AWS GovCloud Oracle cloud Microsoft 365 DoD Controlled Environment Commercial Controlled Environment w/dod Oversight 30

What is OMS? OMS is commercially-owned commercially-operated Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). OMS is built on VMware that supports PaaS based on the Pivotal Cloud Foundry (PCF). OMS is designed to minimize system and application changes required to migrate applications to the cloud. OMS common cloud services characteristics: On-Demand, Self-service: OMS consumers can place orders on-demand through web-based self-service tools, configure infrastructure resources where appropriate, and manage their mission application s lifecycle running on those resources without manual intervention from DISA or CSP support staff Broad Network Access: All OMS products and services have network connectivity to the Department of Defense Information Networks (DoDIN), and are configured in accordance with relevant DoD security guidelines and approved protocols Resource Pooling: OMS resources are pooled such that multiple mission partners consume units from pools provisioned by DISA, enabling efficient use of aggregate compute resources and greater consumption flexibility Rapid Elasticity: OMS has the ability to expand or contract their resource use within virtual resource pools 31

OMS Services OMS key contract features Awarded September 2016 Single award IDIQ (full and open) POP (1) year base with (4) one year options Life cycle value $98M DoD Data Center s Ogden, UT site location OMS On boarding features Staffing & Onboarding Provide staff access & resources Train staff and perform Delivery Assurance Assessment Process Integration Integrate mission policies and processes with best practices delivery model Implement best practices, process readiness, measurements, and controls to meet service performance standards Service & Technology Reporting Implement reporting measurements for service & technology management controls Publish service and technology reports demonstrating service delivery meets performance standards Technology Management Integration Implement technology management infrastructure, operational readiness, measurements and controls to meet service performance standards 32

Fly DISA Cloud Adoption Playbook Alicia Belmas Deputy Cloud Chief December 12, 2017 UNITED IN IN SERVICE TO OUR NATION 33

34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback