CalCloud Service Overview, March 2014

Presenters: Neeraj Chauhan (OTech CalCloud Project Director), Jan K. Gravesen (IBM Architect), Dave Langston (OTech IT Security Architect)
Overview of OTech

California Department of Technology (OTech) provides information technology services to many state, county, federal and local government entities throughout California. Through the use of a scalable, reliable and secure statewide network, combined with expertise in voice and data technologies, OTech delivers comprehensive, cost-effective computing, networking, electronic messaging and training solutions to benefit the people of California.

Company Profile
• More than 700 employees
• Support approx. 3,000 sites in all 58 California counties
• Two Tier III data centers
• Main services: network, email, application hosting, equipment hosting, server based computing
Overview of CalCloud

• Service hosted on State data centers and behind the State network (LAN/WAN).
• Provided by a cloud service vendor (IBM).
• The CalCloud vendor provides hardware, software, portal and OS administration (patching).
• Usage based, with no initial cost to the state.
• Self-service business model (via web portal) and low-cost service offering.
  – Small, Medium, Large and X-Large VMs
  – RedHat Linux, Windows, AIX, and Linux for z
  – Multiple disaster recovery and backup/restore tiers
[Diagram: CalCloud positioned between a dedicated virtual private cloud and shared cloud services, labelled with Flexibility, Security and isolation, Multiple technology platforms, Control, and Competitive pay-as-you-go]

• Security designed for ISeC and FedRAMP – multiple levels of isolation (network, storage, computing)
• Inside CGEN security firewalls
• Security tiered 10 Gb network
• Load balancing and firewall
• Infrastructure monitoring via the portal
• Performance and capacity reports via the portal
• CalCloud go-live in June 2014
Cloud Service Provider Platform

The CalCloud will be a Contractor Owned Contractor Operated (COCO) “super cloud” providing scale and cost efficiencies for government, education and healthcare organizations in California – the world’s 10th largest economy.

[Diagram: CalCloud at the center, serving State departments, Universities, Consortia, Public healthcare organizations, Cities, Small Businesses, School systems and Counties]
CalCloud Services

Service            Description
RedHat Server      RedHat virtual server (version 6 and above)
Windows Server     Windows Server (version 2008 and above)
AIX Server         AIX server (P7+ chip set, PowerVM)
Backup             Two tiers of backup, replicated to Vacaville. Tier I: one hr. RPO. Tier II: daily incremental, weekly full.
Infrastructure DR  Two tiers of DR (oversubscribed and reserved), provided at the Vacaville site. Tier I: one hr. RPO and RTO. Tier II: 24 hr. RPO and 96 hr. RTO.
Storage            Additional storage for servers (20 msec. response)
Archive Storage    Additional archive storage for servers (100 msec. response)
CalCloud “Shopping Cart”

The CalCloud self-service web portal will provide users a “shopping cart” experience.

VM configurations:
  Small VM   = 2xCCU; 4GB RAM; 90GB storage
  Medium VM  = 4xCCU; 8GB RAM; 90GB storage
  Large VM   = 8xCCU; 16GB RAM; 90GB storage
  XLarge VM  = 16xCCU; 32GB RAM; 90GB storage
CalCloud Server Rates

• All rates have volume discounts. The table below has volume one (<500 servers) pricing.

OS              Small    Medium   Large    Xlarge
RedHat          $658     $914     $1266    $1841
  With DR I     $1194    $1450    $1802    $2376
  With DR II    $926     $1182    $1534    $2108
Windows         $679     $943     $1305    $1900
  With DR I     $1200    $1495    $1857    $2450
  With DR II    $955     $1219    $1581    $2174
AIX             $1133    $1717    $2682    $4852
  With DR I     $1475    $2199    $3467    $6287
  With DR II    $1294    $1940    $3105    $5589

(VM configurations as listed on the shopping cart slide.)
CalCloud Extra Rates

Additional Service               Rate
Storage (priced per GB)          $0.44 to $0.38 (at highest volume)
Archive Storage (priced per GB)  $0.19 to $0.16 (at highest volume)
RAM (priced per GB)              $18 to $15 (at highest volume)
Backup Tier I (priced per GB)    $0.35 to $0.27 (at highest volume)
Backup Tier II (priced per GB)   $0.26 to $0.24 (at highest volume)

• All rates have volume discounts.
Cloud Services Roadmap

CalCloud Service Roadmap, phased across FY 13/14, FY 14/15 and FY 15/16:
  – IaaS/PaaS (RedHat, Windows and AIX)
  – DaaS/PaaS/STaaS (SQL, DB2, Oracle, ...)
  – SaaS/AaaS
CalCloud architectural decisions

The CalCloud is engineered for flexible, secure, cost efficient enterprise class workloads.

[Diagram: CalCloud design principles – Personalization, Scalability, Security & Isolation, Low-Cost Accommodation, Extensibility, Flexible Self-Service, Enterprise-Class and Control – arranged around the Cloud Service Provider Platform]

• The CalCloud provides Enterprise-Class availability and backup/restore and disaster recovery capabilities.
• CalCloud is designed to support the need for Low-Cost Accommodation – the ability to combine low cost with the flexibility to accommodate a wide range of diverse government requirements.
• A Flexible Self-Service model, which adapts to departmental needs and is able to bring future services on board.
• CalCloud supports multiple Security standards and models and is a highly secure multi-tenancy architecture.
• The Usability model provides an intuitive, relevant, role-based and customizable user interface.
• CalCloud is Extensible with other hypervisors and OS, other storage solutions, and other compute tiers.
• CalCloud supports flexible dashboards, reporting services and service catalogs; state cloud service consumers will feel in Control.
CalCloud flexibility

[Diagram: layered view with a User Access Layer, a Management & Automation Layer, a Resource Abstraction & Control Layer and a Physical Resource Layer. Each Virtual Private Cloud (per Department, Agency, Municipality or Campus; open to the entire public sector in California) gets its own per-tenant portal with My User Roles, My Shopping Cart, My Approval Process, My Reports, My Dashboards, My Trouble Tickets, My Billing Status and My Templates, built on top of the Standard CalCloud Services: Two-Factor Authentication, Standard Reports, Service Catalog, Standard Approval Processes, Standard Dashboards, LDAP with standard user roles, Provisioning, Modifications, Usage & Accounting, Backup/Restore and Multi-tiered IDR.]
CalCloud logical architecture diagram

[Diagram, by layer:
  User Access Layer: Service Catalog, Shopping Cart, Provisioning, Image Lifecycle Mgmt, Reporting Services, Events Dashboard, Backup/Restore, IDR, Trouble Tickets, Billing Status, Authentication, Documentation.
  Management & Automation Layer: Reporting Warehouse, Service Automation Management, Usage and Accounting, Monitoring, Storage and Backup Management.
  Resource Abstraction & Control Layer: VMware, POWER VM, *z/VM, *Solaris Zones, *Xen/KVM (open source).
  Physical Resource Layer: Compute Nodes (Windows/RHEL x86), Compute Nodes (AIX on POWER), Common Cloud Storage, Network, Backup Storage; Dept of Technology Managed zLinux / DS8000; Tenant Managed AIX Environments.
  ** Department of Technology / Departmental Interfaces (physical environments not managed by CalCloud): Remedy, LDAP, Billing, LogLogic (SIEM).
  CalCloud Managed Security and CalCloud Managed Services span all layers.]
CalCloud logical architecture diagram (product mapping)

[Diagram, by layer:
  User Access Layer: Jazz/DASH Portal (Consumer Dashboard) with Service Catalog, Shopping Cart, Provisioning, Lifecycle Mgmt, Instant Backup, Reporting, Scheduled Backup and Trouble Tickets; Tivoli Identity Manager for Authentication / Authorization.
  Management & Automation Layer: SmartCloud Control Desk, SmartCloud Managed Backup, Tivoli Common Reporting, IBM Service Delivery Manager (Reporting Warehouse, Service Automation Management, Usage & Accounting, Monitoring), Tivoli Storage Manager (Storage Mgmt, Device Mgmt, Storage Pools, Policies).
  Resource Abstraction & Control Layer: VMware (vCenter, vSRM, HA/DRS, vSphere), PowerVM (PowerHA, Live Partition Mobility, PowerSC), TSM for VE, Backup Archive Agent.
  Physical Resource Layer: IBM Flex System (CalCloud Portal and Management VMs; CalCloud Tenant VMs, x86 and POWER), NetApp ONTAP Common Cloud Storage, IBM Flex Fiber Channel Interconnect, VTL Backup Storage Arrays.
  ** Department of Technology / Departmental Interfaces: Remedy, LDAP, Billing, LogLogic SIEM.
  CalCloud Managed Security and CalCloud Managed Services span all layers.]
CalCloud Storage Services: optimized, scalable and dynamic

Deep integration with VMware
• NetApp and VMware are deeply integrated in terms of research & development, optimized for multi-tenant cloud storage environments

Virtual Storage Tiering (VST)
• Supports multiple virtual storage tiers: moves data in an automated fashion between tiers based on a data-driven, real-time and self-managed approach
• Efficiently leverages Flash technology

Encryption at Rest
• Encryption at rest storage services using the Brocade Encryption Blade (BEB) with the SAN Directors
• Multi-tenant encryption key management: customers will manage their own encryption keys

High Availability
• Provides RAID-Dual Parity (DP) without performance penalty
• Ability to recover from two simultaneous disk failures

Replication
• NetApp SnapMirroring for Tier 1 data replication between Gold Camp and Vacaville sites
• Integrated with VMware SRM
• POWER HA mirroring for AIX virtual machines

Highly scalable
• Grows clusters non-disruptively; storage arrays can be added incrementally

Intelligent Storage Optimization
• Rich set of intelligent storage optimization features for cloud service providers benefits the growth/cost curve for CalCloud as more and more consumers are on-boarded
[Figure: “Change the cost/growth curve for cloud computing” – data growth (TB) against cost ($) with traditional storage, compared with efficient storage using Intelligent Storage Optimization: Snapshot, FlashCache/FlashPools, RAID-DP, thin provisioning, FlexClone®, in-line compression and thin replication]
CalCloud Security Goals

• Provide a service that is equally or more secure than what can be provided with a physical, dedicated infrastructure
• Support both mission-critical and non-mission-critical systems
• Provide an infrastructure that can meet the operational and compliance requirements of the State and supported agencies
CalCloud Security Policy Pyramid

[Diagram: policy pyramid with layers labelled CalCloud Customer Application, CalCloud Standards, CalTech Policy, Customer Policy, State Policy and Data Center Standards]
CalCloud Security Stack

[Diagram: tiered security stack. Base level security profile: IBM + California Dept of Technology Security Controls (ISeC – CalCloud Information Security Controls) and the Federal Risk and Authorization Management Program (FedRAMP, includes NIST 800-53). Above it, workload-specific security (HIPAA, PCI DSS, IRS 1075, SSA, other), with support available upon customer request.]

Hosted inside the California Dept of Technology’s data centers and inside OTech firewall(s). CalCloud provides a comprehensive and tiered security model.
CalCloud Security Controls

• A formal security control program is in place (based on IBM ISeC processes and cloud experience)
• Final set in the works; exceeds 1500 individual controls
• Base set of controls derived from ISO/IEC 27002 and FedRAMP
• Compliance support to other authorities available (infrastructure controls only)
• CalCloud ISeCs can be shared with customer security personnel under strict confidentiality agreement
Select CalCloud Security Features

Encrypted Two-Factor Authenticated Sessions
• Encrypted, two-factor authenticated sessions for all remote administrative access (portal, OS, infrastructure)
• Separate tokens
• Ability to authenticate with customer managed “LDAPs” using TFIM

Log of Administrative Actions
• Department of Technology’s SIEM will capture and log administrative actions that change the configuration state of the CalCloud infrastructure, including the physical and hypervisor layers

Tamper Resistant Log Streams
• OTech SIEM logs source event data, performs immediate correlation, identifies false positives
• OTech SIEM supports NIST Log Management Security Standards

Infrastructure Hardening
• CalCloud Information Security Controls Documents (ISeC) define security controls/configuration
• Hardening of the hypervisor is provided via access/authority control, including limited access to the hypervisor and hypervisor console
• All OSs patched via standardized patching processes

Encryption at Rest
• Encryption at rest storage services are optionally available via Brocade Encryption Blade (BEB) configured with the SAN Directors

Tenant Isolation
• Each tenant in the CalCloud environment will have their workloads running on dedicated and isolated virtual machines, virtual storage / file systems, and virtual networks

Isolated Security Tiers (network)
• Tenant administrators will have the option to set up and configure n-tier architectures for their web, application, database, and utility workloads using firewall and load balancer appliances
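As an added illustration of what an isolated n-tier layout means in practice (this is not code from the deck, from OTech or from CalCloud's tooling), the Python check below is the kind of review a tenant administrator can run over a proposed firewall ruleset before pushing it to the appliances. The tier names follow the slide; the ports, the intended-flow matrix and the two rulesets are constructed assumptions standing in for a tenant's own policy. The check flags rules outside the policy, lists which tiers are exposed directly to the outside, and reports the hop path from the outside to the database tier, so a rule that lets the web tier or the outside reach the database directly shows up before it is deployed.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# A rule is (source tier, destination tier, destination port). "internet" is the
# outside world; the other names are the tiers named on the slide.
Rule = Tuple[str, str, int]

# Intended flows for one tenant's n-tier layout (constructed policy, not a
# CalCloud standard): ingress only to the web tier, each tier talks only to the
# next one, and the utility tier reaches every tier on an agent port.
ALLOWED_FLOWS: Dict[Tuple[str, str], Set[int]] = {
    ("internet", "web"): {443},
    ("web", "app"): {8443},
    ("app", "db"): {5432},
    ("utility", "web"): {10050},
    ("utility", "app"): {10050},
    ("utility", "db"): {10050},
}

# Constructed rulesets as a tenant administrator might submit them.
GOOD_RULES: List[Rule] = [
    ("internet", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("utility", "db", 10050),
]

BAD_RULES: List[Rule] = GOOD_RULES + [
    ("internet", "db", 5432),   # database exposed directly to the outside
    ("web", "db", 5432),        # web tier bypasses the application tier
]


def audit_rules(rules: List[Rule],
                allowed: Dict[Tuple[str, str], Set[int]] = ALLOWED_FLOWS) -> List[Rule]:
    """Return every rule that is not covered by the intended-flow matrix."""
    return [r for r in rules if r[2] not in allowed.get((r[0], r[1]), set())]


def direct_exposure(rules: List[Rule]) -> Set[str]:
    """Tiers that accept connections straight from the outside."""
    return {dst for src, dst, _ in rules if src == "internet"}


def shortest_path(rules: List[Rule], src: str, dst: str) -> Optional[List[str]]:
    """Breadth-first search over the rules, each treated as a directed edge.
    Shows how many firewall hops separate a tier from the outside."""
    adjacency: Dict[str, Set[str]] = {}
    for s, d, _ in rules:
        adjacency.setdefault(s, set()).add(d)
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in sorted(adjacency.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(f"{name}: violations={audit_rules(rules)} "
              f"exposed={sorted(direct_exposure(rules))} "
              f"path to db={shortest_path(rules, 'internet', 'db')}")
```

With the good ruleset the only externally exposed tier is web and the path to the database is internet, web, app, db; the bad ruleset produces two violations, exposes db directly and shortens that path to a single hop.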
Cloud Border Security
• CalCloud physically resides inside the State’s data centers in Rancho Cordova and Vacaville
• Physical firewalls and managed intrusion detection service by OTech
• Inside the California Government Enterprise Network
Other CalCloud Security Facts

• Coordinated Security Incident Handling
• Coordinated Change Control
• OTech Managed Vulnerability Scanning
• Data are Property of the State (VMs, virtual disks, data sets, ...)
• Vendor(s) Background Checked
• Security Awareness Including IRS Disclosure
• Least Privilege and Separation of Duties
• Admin Access Only from Territorial U.S.
• NO SHARED CREDENTIALS (non-repudiation for all infrastructure config changes)
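Two items in this deck carry most of the forensic weight: the SIEM's log of configuration-changing administrative actions (the “Log of Administrative Actions” and “Tamper Resistant Log Streams” features above) and the rule that there are no shared credentials. Together they mean a change can be attributed to one person and the record of it cannot be quietly rewritten afterwards. The Python sketch below is an added example, not code from the deck, from OTech's SIEM or from LogLogic; it hash-chains constructed audit events, tags each link with an HMAC under a key held only by the collector (an assumed design), flags configuration changes performed under generic accounts, and shows that altering an earlier entry is detected on verification. Event fields, actor names, hosts and the shared-account list are all constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed sample events (hypothetical actors, hosts and actions; not real
# CalCloud log data). Each records who changed what, at which layer.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2014-03-01T10:00:00Z", "actor": "jdoe", "layer": "hypervisor",
     "action": "vm.create", "target": "tenant-a/vm-01", "config_change": True},
    {"ts": "2014-03-01T10:05:00Z", "actor": "jdoe", "layer": "portal",
     "action": "report.view", "target": "tenant-a", "config_change": False},
    {"ts": "2014-03-01T10:07:00Z", "actor": "admin", "layer": "physical",
     "action": "switch.vlan.add", "target": "core-sw-1", "config_change": True},
    {"ts": "2014-03-01T10:09:00Z", "actor": "mlee", "layer": "hypervisor",
     "action": "vm.nic.attach", "target": "tenant-b/vm-03", "config_change": True},
]

# Generic account names that cannot be tied to one person (assumed list).
SHARED_ACCOUNTS = {"admin", "root", "administrator"}

# Key held by the log collector, not by the systems emitting events
# (constructed value for the example).
SIEM_KEY = b"constructed-demo-key-not-for-production"

GENESIS = "0" * 64


def _canonical(event: Dict) -> bytes:
    """Stable byte encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: List[Dict], event: Dict) -> Dict:
    """Append one event; its hash covers the previous entry's hash, and the
    HMAC tag binds the hash to the collector's key."""
    prev_hash = chain[-1]["entry_hash"] if chain else GENESIS
    entry_hash = hashlib.sha256(_canonical(event) + prev_hash.encode()).hexdigest()
    tag = hmac.new(SIEM_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = {"event": dict(event), "prev_hash": prev_hash,
             "entry_hash": entry_hash, "tag": tag}
    chain.append(entry)
    return entry


def build_chain(events: List[Dict]) -> List[Dict]:
    chain: List[Dict] = []
    for event in events:
        append_event(chain, event)
    return chain


def verify_chain(chain: List[Dict]) -> Optional[int]:
    """Recompute every link; return the index of the first bad entry, or None
    if the whole chain is intact."""
    prev_hash = GENESIS
    for index, entry in enumerate(chain):
        expected = hashlib.sha256(_canonical(entry["event"]) + prev_hash.encode()).hexdigest()
        expected_tag = hmac.new(SIEM_KEY, expected.encode(), hashlib.sha256).hexdigest()
        if (entry["prev_hash"] != prev_hash
                or entry["entry_hash"] != expected
                or not hmac.compare_digest(expected_tag, entry["tag"])):
            return index
        prev_hash = expected
    return None


def config_change_findings(chain: List[Dict]) -> List[str]:
    """Correlation rule: a configuration change made under a shared account
    cannot be attributed to a person, so it is raised for review."""
    findings = []
    for entry in chain:
        event = entry["event"]
        if event["config_change"] and event["actor"] in SHARED_ACCOUNTS:
            findings.append(
                f"{event['ts']} {event['layer']}: {event['action']} on "
                f"{event['target']} by shared account '{event['actor']}'")
    return findings


if __name__ == "__main__":
    log = build_chain(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(log) is None)
    for finding in config_change_findings(log):
        print("FINDING:", finding)
    # Rewriting an entry after the fact breaks the chain at that entry.
    log[2]["event"]["actor"] = "jdoe"
    print("first tampered entry:", verify_chain(log))
```

The VLAN change made as “admin” is the one finding, which is exactly the case the no-shared-credentials rule exists to prevent; changing that entry's actor afterwards makes verification stop at index 2, and forging an entry without the collector's key fails the HMAC check even if the hashes are recomputed.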
CalCloud Security Advisory Council (CalCloud SAC)

• Purpose
  – Advises on security standards / requirements
  – Advises on compliance requirements and directions
  – Reviews vendor assessment & monitor summaries
  – Advises on larger security community needs
• Membership from a range of CalCloud customers (large, small, non-State, ...)
• Limited to 16 members for effectiveness
  – 12 annually rotating customer members
  – 4 permanent members
• Meets bi-monthly (or as needed)

CalCloud Security Communication

• In addition to the CalCloud SAC, conduct 2 Security Forums per year for broad community attendance on CalCloud security
  – First Security Forum planned for June 2014
  – Subsequent forums in December and May
• Focus on
  – Customer adoption and experiences
  – Security status and stats
  – Changes to environment, if any
  – SAC actions
  – Compliance
  – Q&A

Thank You!!!