Cloud Computing:
Infrastructure-as-a-Service
Demonstration
Northrop Grumman
Homeland Security Solutions Open House
April 14 – 16, 2009
0 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Cloud Computing Infrastructure Demonstration:
GOAL
Within a realistic DHS/FEMA scenario:
• Demonstrate the ability to establish a secure and
robust collaboration environment that can be
quickly and easily scaled at a disruptively low cost.
• Leverage a commercial cloud platforms to host and
distribute application suites that enable a robust
information sharing capability
• Provide a flexible and robust security frameworks
capable of meeting stringent government
information assurance and information security
requirements
1 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Scenario:
San Francisco Area Wildfires
The Federal Emergency management Agency is working with

state officials and other federal agencies engaged in the
response to the multiple wildfires burning across The San
Francisco bay area.
President Obama issues an emergency disaster declaration

for California and orders greater federal aid to supplement
state and local response activities in the affected areas.
FEMA mobilizes federal resources and authorizes federal

funds to be allocated to reimburse the state for certain costs
incurred under FEMA's Fire Management assistance Grant
Program.
2 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

San Francisco Area Wildfire:
Emergency Response Organizations
National Interagency Fire Center

FEMA Joint Field Office in Oakland

 DOI Wildland Firefighters
Response staging area

 USDA Wildland Firefighters
Federal Emergency Response Team

State Emergency Operations Center in

Regional Response Coordination Center

Sacramento
Department of the Interior

California Wild Land Fire Services in Marin

 Bureau of Land Management
County
 National Park Service
California Office of Emergency Services

 U.S. Fish and Wildlife Service
Department of Defense

 Bureau of Indian Affairs
 Defense Coordinating Officers
Department of Transportation

 Defense Coordinating Elements
United States Forest Service

 Command Assessment Element
United States Army Corps of

 US Northern Command
Engineers
Air Forces North

Department of Health and Human

 National Guard Bureau
Services
 Federal Aviation Administration
Department of Homeland Security's

 U.S. Fire Service
Infrastructure Protection.
 General Services Administration
National Response Coordination Center
  DHS/ U.S. Coast Guard
 Environmental Protection Agency  Red Cross
 
FBI Southern Baptists
 DOJ National Terrorism Task Force
3 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

San Francisco Emergency:
Incident Action Plan
Establish
Designate Decommission
Establish
Joint Field Joint Field
Incident
Perimeter
Office Office
Command
Assign &
Evaluate
Manage
Scene
Responders
4 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

San Francisco Emergency:
Modified Incident Action Plan
Designate Establish Decommission
Establish
Incident Joint Field Joint Field
Perimeter
Command Office Office
Activate Assign &
Evaluate
Collaboraton Manage
Scene
Environment Responders
5 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

San Francisco Emergency:
Modified Incident Action Plan
Designate Establish Decommission
Establish
Incident Joint Field Joint Field
Perimeter
Command Office Office
Activate Assign & Deactivate
Evaluate
Collaboraton Manage Collaboration
Scene
Environment Responders Environment
6 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Designate Incident
Designate Establish Joint
Establish Decommission Joint
Incident Field
Perimeter Field Office
Command Office
Command Activate Deactivate
Assign & Manage
Collaboraton Evaluate Scene Collaboration
Responders
Environment Environment
 NIMS: Command and Management
 Incident Command System (ICS):
 Integrates resources from numerous organizations into a single
response structure using common terminology and common processes
Joint Field Office Coordination Group
Operations Planning Logistics Finance and
Section Section Section Admin
Technical Staff
7 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Activate Collaboration
Designate Establish Joint
Establish Decommission Joint
Incident Field
Perimeter Field Office
Command Office
Environment Activate Deactivate
Assign & Manage
Collaboraton Evaluate Scene Collaboration
Responders
Environment Environment
Emergency Data Center
STEALTH Network Security
Policy Manager
Incident
Activator
8 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Designate Establish Joint
Establish Decommission Joint
Incident Field
Perimeter Field Office
Command Office
IAAS Specifications Activate Deactivate
Assign & Manage
Collaboraton Evaluate Scene Collaboration
Responders
Environment Environment
Virtual Compute Units 32/64 Bit Memory Storage $/hr
Cores
Small 1 1 32 bit 1.7 G 160 G 0.10
High-CPU 2 2.5 32 bit 1.7 G 350 G 0.20
Medium
Large 2 2 64 bit 7.5 G 850 G 0.40
Extra Large 4 2 64 bit 15 G 1690 G 0.80
High CPU XL 8 2.5 64 bit 7G 1690 G 0.80
EC2 Compute Unit = 1.0-1.2 GHz 2007 Opteron or 2007 Xeon Procesor
9 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Establish
Designate Establish Joint
Establish Decommission Joint
Incident Field
Perimeter Field Office
Command Office
Perimeter Activate Deactivate
Assign & Manage
Collaboraton Evaluate Scene Collaboration
Responders
Environment Environment
Incident Action Plan
Operational Space
Area Commander
FIRE FIRE
Incident
Incident action plan
action plan
Incident
action plan
Fire station
Wi
ind nd
al W S
ti hif
Ini t
10 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Establish Joint Field
Designate Establish Joint
Establish Decommission Joint
Incident Field
Perimeter Field Office
Command Office
Office Activate Deactivate
Assign & Manage
Collaboraton Evaluate Scene Collaboration
Responders
Environment Environment
Joint Field Office
Department of
Defense
Representative
Defense
Coordinating
Officer
11 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Designate Incident
Designate Establish Joint
Establish Decommission Joint
Incident Field
Perimeter Field Office
Command Office
Command Activate Deactivate
Assign & Manage
Collaboraton Evaluate Scene Collaboration
Responders
Environment Environment
Emergency Data Center
STEALTH Network Security
Policy Manager
12 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Designate Establish Joint
Establish Decommission Joint
Incident Field
Perimeter Field Office
Evaluate Scene
Command Office
Activate Deactivate
Assign & Manage
Collaboraton Evaluate Scene Collaboration
Responders
Environment Environment
San Francisco CA - Area WildFire
Federal
Public Affairs National Ass. Of State Forresters
Office of Aircraft Services
National Weather Service
Forest Area Safety Task Force (FAST)
«inherits»
«inherits» National Park Service
ApproveFMAG
US Dept. Of Fish and Wildlife
US Forrest Service
State Police National-Interagency Fire Center
OpenRegionalResponseC
DoD, National Guard Bureau
oordinationCenter
Customes And Borders
Dept of Interior, Dept of Transportation
IdentifyandEstablish
HHS
JointFieldArea
EPA
GSA
FAA
FEMA FBI, DOJ National Terrorism Task
Force
RespondeToEmergency
«inherits»
Events
«inherits»
OpenJointFiledOffic
e
Municipal
Fire
California
Departments
California Dept. Of Forrestry
Sheriff’s ActivateNationalRespon
Office of Emergency Services
seCoordinationCenter
Department
(OES)
Geographical Area
SendLiaisonToStateEmer
Coordination Center (GAAC)
County gencyOperationsCenter
Emergency Operations Center
Fire Departments
(EOC)
Sheriff’s Department
Joint Information Center (JIC)
Mountain Area Safety
Taskorce (MAST)
Red Cross
13 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Assign/Manage
Designate Establish Joint
Establish Decommission Joint
Incident Field
Perimeter Field Office
Command Office
Responders Activate Deactivate
Assign & Manage
Collaboraton Evaluate Scene Collaboration
Responders
Environment Environment
Emergency Data Center
STEALTH Network Security
Policy Manager
14 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Designate Incident
Designate Establish Joint
Establish Decommission Joint
Incident Field
Perimeter Field Office
Command Office
Command Activate Deactivate
Assign & Manage
Collaboraton Evaluate Scene Collaboration
Responders
Environment Environment
Update DHS
Datacenter
Emergency Data Center
STEALTH Network Security
Policy Manager
15 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Decommission Joint
Designate Establish Joint
Establish Decommission Joint
Incident Field
Perimeter Field Office
Command Office
Field Office Activate Deactivate
Assign & Manage
Collaboraton Evaluate Scene Collaboration
Responders
Environment Environment
16 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

San Francisco Emergency Wildfire Scenario
1. Establish an incident command structure
2. Deployed Emergency Data Center from Amazon S3 and
activated secure collaboration environment in Amazon
EC2
3. Supported Joint Field Office operations
4. Completed Operations
5. Transferred all operational data to DHS
6. Deactivated collaboration environment
7. Decommission Joint Field Office
17 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Cloud Computing Infrastructure Demonstration:
Summary
• Demonstrated the ability to establish a secure and
robust collaboration environment that can be
quickly and easily scaled at a disruptively low cost.
• Leveraged Amazon EC2 to host and distribute
application suites that enabled a robust information
sharing capability
• Through the use of cryptographic bit splitting
technology, provided a flexible and robust security
framework capable of meeting stringent government
information assurance and information security
requirements
18 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Additional Information
19 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Amazon Web Services
Amazon Web Services are a set of services that provide programmatic access the
Amazon’s ready-to-use computing infrastructure.
 Storage
Storage for files, documents, user downloads, or backups. Store anything your
application needs in Amazon Simple Storage Service (S3) and take advantage of
scalable, reliable, highly available low-cost storage.
 Computing
Amazon Elastic Cloud Computing (EC2) provides the ability to scale your Computing
resources up or down based on demand and makes provisioning new server
instances very easy.
 Messaging
Decouple your application components by using the unlimited reliable messaging
provided by Amazon Simple Queue Service (SQS).
 Datasets
Amazon SimpleDB (SDB) provides scalable, indexed, zero-maintenance storage,
along with processing and querying for datasets.
20 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Elastic Compute Cloud (EC2)
Instances
Simple Storage
Service
(S3)
XEN Virtualization
Hosting of virtual
machine images
Hardware
(AMI)
•Web service that lets users requisition virtual machines within minutes and easily scale needed capacity
up or down based on demand.
•Users pay for only the compute time you use
•The EC2 environment itself is built on top of the open source Xen hypervisor
•Users create Amazon machine images (AMIs) that act as the templates for y instances.
•Access to the instances can be controlled by specifying the permissions.
•Provides true Web-scale computing, which makes it easy to scale computing resources up and down.
•Five types of servers available; users can pick the ones that fit their application needs. The servers
range from commodity single-core x86 servers to eight-core x86_64 servers.
•Users can place the instances in different geographical locations or availability zones to ensure
resistance to failure.
•Elastic IP addresses that can be dynamically allocated to instances
•Pay by the hour ($0.10-0.80/hour) + external
•Bandwidth ($0.10-0.18/Gbyte)
21 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

Oracle Technology: SOA Suite and Oracle 11g DB
Oracle SOA Suite
The Oracle SOA Suite is a packaged set of standards-based components for enabling web

services-based SOA.
Oracle SOA Suite covers web services development, orchestration, monitoring, and security.

Oracle BPEL Process Manager orchestrates transactions across disparate applications within and

across corporate boundaries.
Web-service enabled support a cloud computing model where several low-cost servers can be

deployed in a cluster to provide scalability and high availability.
The Oracle SOA suite contains the following components

• Oracle Enterprise Service Bus
• Oracle BPEL Process Manage
• Oracle Technology Adapters
• Oracle BPM Human Workflow
• Oracle B2B
• Oracle Business Activity Monitoring
• Oracle Data Integrator
 Oracle SOA Suite Security
22 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

SF Wildfire Implementation Technology –
Oracle Beehive
Oracle Beehive
 Software platform for enterprise collaboration. Provides collaborative tools built
around a unified collaborative model. These tools help teams to collaborate
efficiently across multiple geographies and organizations with:
• Content Management Services
• Discussions Service
• E-mail Service
• Instant Message Services
• Time Management Services
• Voice Message Service
 Beehive supported protocols:
• Calendaring Extensions for WebDAV (CalDAV)
• Extensible Messaging and Presence Protocol (XMPP)
• File Transfer Protocol (FTP)
• Internet Message Access Protocol (IMAP)
• Open Mobile Alliance Data Synchronization (OMA-DS)
• Simple Mail Transfer Protocol (SMTP)
• Web-based Distributed Authoring and Versioning
23 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

SF Wildfire Implementation Technology - Appistry
Appistry’s Enterprise Application Fabric (EAF) provides:
 A ―Cloud Application Platform‖ for enabling highly scalable cloud computing
 Services/applications on private intranets and external networks.
 Scalability and reliability at the application level
 Abstracts applications across underlying infrastructure
 Simplifies and automates application deployment and management
 Essential cloud application services via APIs state, workload mgmt)
 Compliments VMWare, Xen deployments
24 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

SF Wildfire Implementation Technology:
Appistry Cloud IQ
Appistry’s CloudIQ Manager :
Unified application management for the cloud.

Enables application migration to cloud/virtualized environment.

Provides multi-application, multi-cloud management.

Provides application deployment and configuration management.

Appistry’s CloudIQ Engine:
 Distributed application container that enables highly scalable cloud computing
services/applications on private intranets and external networks.
 Abstracts applications across underlying infrastructure.
 Distributes application workload with no single point of failure.
 Access cloud application services via APIs (workload monitoring, etc.).
 Compliments virtualized (VMWare, Xen) or non-virtualized commodity
hardware deployments.
Copyright 2005 Northrop Grumman Corporation

SF Wildfire Implementation Technology:
Appistry Cloud IQ Manager
CloudIQ Manager in the SF
Wildfire Technology
Amazon EC2
Demonstration
 XML deployment scripts
 Port applications across “clouds”
 Enables choosing the right cloud for the
job
 Minimize cloud provider lock-in
 Drag-and-drop deployment of application
between clouds
Private Cloud
Tomcat Service
Geodata
files
Copyright 2005 Northrop Grumman Corporation

SF Wildfire Implementation Technology- Geoserver
GeoServer is an open source software server written in Java.

Designed for interoperability. Allows users to share and edit geospatial data.

Publishes data from any major spatial data source using open standards.

Reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS)

and Web Coverage Service (WCS) standards, as well as a high performance certified compliant
Web Map Service (WMS).
The Gesoserver is deploy on the Appistry servers in the Amazon cloud. It is accessed by users

via the Oracle Beehive collaboration tool.
Demonstrate ability to request a map via WMS via GeoServer directly.

Demonstrate ability of Beehive to request the map from GeoServer and create a version-

controlled editable document and whiteboard session with it.
Demonstrate Appistry's management and monitoring features through the cloud.

Exported desktop sessions will NOT be accessible on cloud-hosted applications through the

Northrop Grumman firewall.
27 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

SF Wildfire Implementation Technology:
Unisys Stealth
Secure Cross-Domain Sharing
 Enables the secure share information across domains.
 This solution matches communities of interest to specific data
access and sharing rights.
 A community of interest can be people within the same domain or
people from different domains working together on a special
project.
 Each user can easily access data authorized for that user—
wherever the data is — but only that data. Other data remains
completely private, safe, and hidden.
28 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

SF Wildfire Implementation Technology –
Unisys Stealth - COI
Communities of Interest (COI)
The members of a community of interest are assigned a workgroup key.

Controlled sharing and access to the community of interest’s data is based on the strong

authentication via
workgroup key and log-on credentials.
Without the correct workgroup key, network packets are ignored.

The workgroup key construct provides a stronger way to control access to data.

Users can belong to more than one workgroup. This facilitates multi-level sharing for agency

operations and multi-national information sharing for cooperating partners operations.
Users in different departments, organizations, or projects can work securely on the same

network.
The result is a cloaked network that secures data-in-motion and hides servers and PCs in plain

sight.
Devices that do not have the same workgroup key remain cloaked from unauthorized eyes.

Without the correct key, users cannot ask for the data from the server or send data to the server
or workstation. They can’t even ping the server or workstation.
29 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation

SF Wildfire Implementation Technology –
Unisys Stealth/SecureParser
Certification
 The Stealth Solution cryptographic module is FIPS 140-2 certified through the use of
SecureParser by Security First Corp.
 EAL4+ ―under evaluation‖ status in the first half of 2008 and full EAL4+ certification
by early 2009.
 Stealth Solution for Network will enable Multi-Level Security, permitting data
classified at different security levels to coexist on a single network.
 The Stealth Solution permits the consolidation of NIPR, SIPR, and JWICS-connected
LANs into a single IT infrastructure.
 The SecureParser security architecture is based on provable security techniques. The
techniques implemented include Robust Computational Secret Sharing (RCSS),
Perfect Secret Sharing (PSS), and AES block cipher.
 Attacking the SecureParser data security can be shown at a minimum to be as
difficult as attacking AES.
30 4/20/2009 12:58 PM Copyright 2005 Northrop Grumman Corporation