Cloudy with a Chance of Rootkits - Assurance Requirements for e-Infrastructure Services

Transcript

  • 1. Assurance Requirements for e-Infrastructure Services Martin Hamilton Loughborough University / HPC Midlands
  • 2. Cloudy With a Chance of Rootkits Martin Hamilton Loughborough University / HPC Midlands
  • 3. Topics 1. What is e-Infrastructure? 2. Barriers to Adoption 3. Opening Pandora’s Box 4. Conclusions
  • 5. 1. What is e-Infrastructure?
    - Research community context: HPC, SKA, LHC, DLS, NGS and other TLAs
    - Industrial context: TSB Catapults, BIS/EPSRC supercomputer centres, “on ramps” for SMEs
  • 6. 1. What is e-Infrastructure? [http://goo.gl/fIpA7R]
  • 7. 1. What is e-Infrastructure? Case Study - HPC Midlands:
    - BIS/EPSRC regional centre
    - 3,000-core supercomputer
    - Expertise from Loughborough University & University of Leicester
    - Software from leading ISVs
    - Flexible usage model for use by research and industry
  • 9. 1. What is e-Infrastructure?
  • 10. 1. What is e-Infrastructure?
  • 11. 1. What is e-Infrastructure? Not just HPC:
    - Bioinformatics
    - Diamond Light Source, SKA etc
    - Major capital kit at Institutions
    - But not just kit?
    - Open Access Pubs
    - Open Data
    - Software
  • 12. Topics 1. What is e-Infrastructure? 2. Barriers to Adoption 3. Opening Pandora’s Box 4. Conclusions
  • 13. 2. Barriers to Adoption Picture credits: CC-BY-NC by Flickr user ladybeames; Peter Strutton, HPC Midlands
  • 14. 2. Barriers to Adoption - Awareness
    - equipment.data.ac.uk
    - Kit Catalogue™ – kitcatalogue.com
    - Key question: What are the boundaries of e-Infrastructure?
  • 15. 2. Barriers to Adoption - Awareness
  • 16. 2. Barriers to Adoption - Awareness
  • 17. 2. Barriers to Adoption - Awareness
  • 18. 2. Barriers to Adoption - Training
  • 19. 2. Barriers to Adoption - Training
    - Typically supply led
    - Inflexible timing
    - Prohibitively expensive for SMEs
    - Ad-hoc engagement with ISVs
    - Where is the MOOC?
  • 20. 2. Barriers to Adoption - Assurance. Challenging preconceptions:
    - “Supercomputing is just for rocket scientists”
    - “Academic services are inherently insecure”
    - “Legal would never sign off on anything like this”
    - “It’s just too hard to satisfy assurance requirements”
    Photo credit: CC-BY-NC by Flickr user justin_case
  • 21. 2. Barriers to Adoption - Assurance. Challenging preconceptions:
    - Common off-the-shelf packages have HPC solver capability, e.g. FLUENT, NASTRAN, MATLAB
    - Pen testing / audit tools don’t care if you are an academic site
    - Locking systems down is hard work – get over it
    - FTSE100 firms have similar requirements to research and education organizations
    Photo credit: CC-BY-NC by Flickr user justin_case
  • 23. Topics 1. What is e-Infrastructure? 2. Barriers to Adoption 3. Opening Pandora’s Box 4. Conclusions
  • 24. 3. Opening Pandora’s Box
  • 25. 3. Opening Pandora’s Box
    - Who makes the agreement?
      - Dedicated special purpose vehicle, spin-out company, cost sharing groups, VAT exemption etc
    - What does it look like?
      - Guaranteed turnaround time?
    - Reducing the friction
    - Compliance challenges
      - ISO 27002, CESG InfoSec, physical security (e.g. LPS 1175), CIS audit tool, pen testing / auditing
  • 27. 3. Opening Pandora’s Box Sample security audit tool output from http://benchmarks.cisecurity.org/
  • 28. 3. Opening Pandora’s Box
    - Relationship with customer networks
      - Firewall traversal, double NAT, outbound access to service, inbound access to license servers, double encryption? (VPN + ssh)
    - What would root do?
      - Remove unnecessary permissions, turn off unused services, is command line access even necessary?
    - Connectivity
      - Online access vs. sneakernet, remote visualization requirement, JANET connectivity + AAA support through Moonshot
  • 29. Topics 1. What is e-Infrastructure? 2. Barriers to Adoption 3. Opening Pandora’s Box 4. Conclusions
  • 30. 4. Conclusions Photo credit CC-BY-NC Flickr user brianklug
  • 32. 4. Conclusions
    - More disciplined approach to contractual relations, technical aspects of service provision
    - Requirement for certain public sector data, e.g. NHS patient records
    - Similar considerations around regional shared services as for generic “cloud” providers
    - Opportunity to set common expectations around levels and types of service
    - Migration between service providers and marketplace for e-Infrastructure services
  • 33. Cloudy With a Chance of Rootkits Martin Hamilton @martin_hamilton m.t.hamilton@lboro.ac.uk