Transcript Document
Future Architectures and Technologies
John McLaughlin, IBM Corporation
22 September 2010
Approved for Public Release
Distribution Unlimited
NCOIC-DefDaily-JFM20100917
Cloud and the Military
Cloud Computing shows promise in the commercial world
– Cost, Schedule, and Performance parameters are encouraging
Private cloud architectures in military context are another thing
.…Standardization, capital
preservation, flexibility and
time to deploy
Public …
• Service provider owned
and managed
• Access by subscription
• Delivers select set of
standardized business
process, application
and/or infrastructure
services on a flexible
price per use basis.
ORGANIZATION
.… Customization, efficiency,
availability, resiliency,
security and privacy___
Flexible Delivery Models
Cloud
Services
Cloud
Computing
Model
Hybrid …
• Access to client, partner
network, and third party
resources
CULTURE
Private …
• Privately managed.
• Access limited to
command and its
partner network.
• Drives efficiency,
standardization and
best practices while
retaining greater
customization and
control
GOVERNANCE
2
Cloud and NAVAIR
(What’s really needed…..)
Despite the IT cost savings, speed to deployment, and performance,
cloud computing is not a viable military capability until the following
are solved:
Foundational Cloud Computing
Resilience
Compliance
Analytics
Deep Packet Inspection
Multi-tenancy
3
Foundational Work
NCOIC, among others, is working this problem
Cloud Computing WG is developing a Hybrid Cloud Computing
pattern
– Potential for an NGA pilot
The NCOIC Cyber Security IPT is working on the global
authentication problem
– Solutions, technology independent
IBM Mission Oriented Cloud Computing
– 10 month project to work the hard engineering problems for AF Cloud
Computing
– Completion next month
4
Foundational
Cloud Computing
• Federated Identity
Management Capability
• Provide ability for
external authentication
(think coalition
forces…..)
• Process governance for
approval purposes
• Automated and Request
Driven Provisioning
• Foundational Service
Discovery
• Operational Service
Deployment
• Service Delivery
Monitoring
• Operational Monitoring
5
Cloud Computing and
Compliance
Virtual Production Servers
Provisioning
Cloud Provisioning
Virtual Resource
Pool
Service and Monitoring
Network
Awareness
Access
Control
Vulnerability
Detection
Cloud
Management
Policy Distribution
Engine
Security Policy
Engine
Policy Compliance
Engine
Compliance provides
distribution, revocation, and
integrity services for security
policies
– Prove identification and
authentication
– Prove role provisioning
capability
– Prove role based
permissions
authentication to
identified entities
– Prove auditing of
privileged user
– Prove patch
management of end
points
6
Cloud and Resilience
Virtual Production Servers
Provisioning
Cloud Provisioning
Virtual Resource
Pool
Service and Monitoring
Network
Awareness
Access
Control
Vulnerability
Detection
Cloud
Management
1. Can we protect?
– Protection for the cloud infrastructure
achieved through:
• Network attack protection at the
perimeter
• Virtual firewalls protecting
servers
• Specialized database protection
capabilities
2. Can we rebuild?
– Reconstruction of damaged cloud
resources
• Rapid restoration from gold
copies
3. Can we relocate?
– Relocation of virtualized resources 7
• Rapid relocation to a new VLAN
Analytics – Know It Now
Defend at Machine Speed
Step One : Collection
– Security and
configuration logs
– Internal network
sensors and network
protection devices
– Servers
Step Two: Correlation
and Reduction
– Ingest engine
provides filtered
sensor data to the
analytics engine for
classification and
correlation
Step Three: Response
– The response engine
initiates autonomic
security policy
8
changes
Deep Packet Inspection
Is It Safe?
Virtual Production Servers
Provisioning
Cloud Provisioning
Virtual Resource
Pool
Service and Monitoring
Users
Network
Awareness
Access
Control
9
Vulnerability
Detection
Cloud
Management
Provide behavior-based, near
real time detection and
response to network level
threats
All network traffic is
inspected for behavior
based attacks
– TCP/IP level network
traffic inspection
detects out of spec
protocols
– Behavior based allows
zero day protection
Detected threats cause
autonomic security policy
changes to be
implemented
Multi-Tenancy
Peaceful, Secure Co-existence
Virtual Production Servers
Provisioning
Validate VM Isolation
Management
– Prove that data confidentiality
exists between images
Cloud Provisioning
Virtual Resource
Pool
– Test that deployed VM images
are correctly configured
– Show that corrective actions for
mis-configured VM images can
be applied
Service and Monitoring
Network
Awareness
Vulnerability
Detection
Access
Control
10
Cloud
Management
Prove ability to detect and correct
image provisioning anomalies
Prove rapid provisioning
capabilities
– Rapid deployment of new VM
images
– Rapid provisioning of new
images
– Rapid access by new users
The End
Questions?
Contact Information
John McLaughlin, IBM Corporation
571.229.0453
[email protected]
Thank you
11