DoD Enterprise Cloud Services Broker - AWS Symposium 2014 - Washington D.C.


This session will discuss the DoD Enterprise Cloud Services Broker model and the process for engagement with DISA in their role as the ECSB. This session will also review the DoD Cloud Security Model (CSM) and its security container levels.

Published in: Technology, Business
  • Speaker notes:
    Yes. Slide to follow. Focus of presentation.
    Yes. Links below.

    http://www.disa.mil/Services/DoD-Cloud-Broker
    http://calculator.s3.amazonaws.com/calc5.html
    http://www.awsnow.info/
  • Our data center footprint is global, spanning 5 continents with highly redundant clusters of data centers in each region. Our footprint is expanding continuously as we increase capacity and redundancy and add locations to meet the needs of our customers around the world.
  • There is a shared responsibility to accomplish security and compliance objectives in the AWS cloud. There are some elements that AWS takes responsibility for, and others that the customer must address. The outcome of this collaborative approach is the positive results seen by customers around the world.

    Since AWS and its customers share control over the IT environment, both parties have responsibility for managing it. AWS' part in this shared responsibility includes providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use. The customers' responsibility includes configuring their IT environments in a secure and controlled manner for their purposes. While customers do not communicate their use and configurations to AWS, AWS does communicate its security and control environment relevant to customers. AWS does this by:

    • Obtaining industry certifications and independent third-party attestations described in this document
    • Publishing information about AWS security and control practices in whitepapers and website content
    • Providing certificates, reports, and other documentation directly to AWS customers under NDA (as required)
  • Slide transcript (14 slides):

    1. AWS Government, Education, and Nonprofits Symposium, Washington, DC | June 24, 2014 - June 26, 2014. Deciphering the DoD Cloud Broker Process. Mark Fox, DoD Sales Executive, markfox@amazon.com
    2. DoD Commercial Cloud – Commonly Asked Questions
       1. Can I run DoD workloads in the Commercial Cloud?
          – Are you FedRAMP compliant?
          – What is the IA process? (DIACAP/RMF…?)
          – How do I work with the DISA Cloud Broker? (FOCUS OF TODAY'S SESSION)
          – Can I get a private cloud?
       2. Where is/are your data center(s)?
          – How are they different than DoD data centers and DECCs (CDCs)?
          – How is AWS different from other "cloud" providers?
          – Does my data stay in the US?
       3. How much do you cost? Where is your "rate card"?
       4. How do I get started using a CSP?
    3. DoD Cloud Security Model (CSM) - ATO Process (diagram; text recovered from the figure, in the order it appears)
       – Cloud Services Provider; Increasing Security and Operating Requirements; DoD Cloud Security Model (Administered via DISA)
       – 14 FedRAMP Compliant CSPs (1)
       – FedRAMP Authority to Operate
       – CSM ATO Levels 1-2 (Public); CSM ATO Levels 3-5 (NIPR); CSM ATO Level 6 (SIPR); levels 1 2 3 4 5 6
       – Providers are a mix of IaaS, PaaS, SaaS (initial focus is on IaaS)
       – Provisional Authorization granted: 1 (2); 0 Provisional Authorization granted
       – 100's of Cloud Service Providers (CSP)
       – System-Specific ATO (John Doe, DoD DAA)
       – The DoD provisionally authorized commercial CSP offering is eligible to be included in the Enterprise Cloud Service Catalog
       – (1) Source: http://www.gsa.gov/portal/content/131931
       – (2) Provisional ATO granted as of 2/15/2014
    4. DoD CSP – Useful Links
       – DoD Cloud Broker: http://www.disa.mil/Services/DoD-Cloud-Broker
       – DoD Cloud Security Model: http://iase.disa.mil/cloud_security/index.html
       – AWS FedRAMP Information: http://aws.amazon.com/compliance/fedramp-faqs/
       – DISA Cloud Broker mailbox: disa.meade.cae.mbx.cloud-broker@mail.mil
    5. AWS Commercial Platform
    6. The following services are in the accreditation boundary for FedRAMP:
       – IAM: Enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
       – Amazon EC2: Provides resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers.
       – Amazon VPC: Provides the ability for you to provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define.
       – Amazon S3: Provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.
       – Amazon EBS: Provides highly available, highly reliable, predictable storage volumes that can be attached to a running Amazon EC2 instance and exposed as a device within the instance.
       – Amazon Redshift: A fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools.
    7. AWS Global Infrastructure: 10 Regions consisting of 25 Availability Zones and 51 Edge Locations (CDN)
    8. AWS Regions & Availability Zones within FedRAMP Boundary – CONUS REGIONS
       – GovCloud (OR): Availability Zones A, B
       – US East (VA): Availability Zones A, B, C, D
       – US West (CA): Availability Zones A, B
       – US West (OR): Availability Zones A, B, C
       Customer decides where applications and data reside. Note: conceptual drawing only; the number of Availability Zones may vary.
    9. AWS Regional Construct View
       – Independent/separate geographic areas
       – Isolated from other Regions (security boundary)
       – Region = ~50 mile radius "clustered" data center architecture
       – Comprised of multiple Availability Zones
       – Availability Zone = 1 or more "data center"
       – Availability Zones connected through redundant low-latency links
       – Customer chooses Region. Data stays within Region.
       – Enables high-availability architecture
       (Figure: Sample US Region with Availability Zones A, B, C)
    10. AWS Availability Zone (AZ) View
       – Multiple isolated locations within a Region
       – Availability Zone = 1 or more "data center"
       – Independent failure zone
       – Physically separated
       – On separate low-risk flood plains
       – Discrete UPS
       – Onsite backup generation facilities
       – Fed from different segments of utility provider
       – Redundantly connected to multiple tier-1 ISPs
       – No "Disaster Recovery Datacenter" – built for continuous availability
       – Customer decides Availability Zone for compute
       (Figure: Sample US Region, Availability Zones A, B, C; one Availability Zone ~ a DoD Data Center)
    11. Security is a Shared Responsibility
       – Managed by AWS: Cloud Service Provider Controls (cross-service controls, service-specific controls) – the DoD scope of a Cloud Service Provider (CSP)
       – Managed by Customer and/or Partner: Optimized Network/OS/App Controls
    12. DoD Cloud Consumer Cloud Service Request Process (diagram; stages as labelled)
       – Mission Assessment: Data Categorization; Security Model Impact Level Assessment
       – CSP Selection: CSP List; Technical Matching Assessment
       – Cloud Service Request (CSR) Form
       – Cloud Service Request Assessment and Recommendation: Technical, Mission Assurance, and Security Assessments
       – Contract Vehicle Usage: Task Order Negotiations and Service Level Agreement (SLA)
       – Onboarding: System-Specific ATO
       – Transition to Operations: Service Delivery and SLA Monitoring
       – Mission Operations Support: Service Desk; Mission Security Monitoring
       Call-outs: Mission Owner submits CSR • ECSB assesses CSR • ECSB connects Mission Owner with CSPs • Acquisition strategy and options • ATO and migration • O&M • Continuous Monitoring
    13. DoD Cloud Broker - Cloud Service Request: http://www.disa.mil/Services/DoD-Cloud-Broker/~/media/Files/DISA/Services/Cloud-Broker/Service-Customer-Request.pdf
    14. Thank You. Mark Fox, DoD Sales Executive, markfox@amazon.com
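Slides 8, 9 and 11 together make the practitioner's point: the customer chooses the Region, data stays within it, and the network/OS/app controls that enforce that choice are the customer's responsibility, not the CSP's. One way a mission owner enforces the residency decision today is an identity-based IAM policy that denies API calls targeting any Region outside the FedRAMP-boundary Regions named on slide 8. This is an added example, not from the deck or from AWS' own material. It assumes the aws:RequestedRegion global condition key (which postdates this 2014 talk) and maps slide 8's US East (VA), US West (CA) and US West (OR) to the region codes us-east-1, us-west-1 and us-west-2; the NotAction list of global (region-less) services is an assumption to be tuned per account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsOutsideFedRampBoundaryRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-1",
            "us-west-2"
          ]
        }
      }
    }
  ]
}
```

GovCloud (OR) is deliberately absent: it is a separate partition with its own accounts, so a GovCloud account gets the same statement with us-gov-west-1 as the only permitted value rather than being listed alongside commercial Regions. An explicit Deny wins over any Allow attached elsewhere, so this can be applied as a baseline policy without auditing every role's grants; check the effect with the IAM policy simulator before rollout, and treat any CloudTrail event with a denied call to an unlisted Region as a signal that a workload or operator is drifting outside the boundary.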