Effective and Efficient Computing for the Government
Published in: Technology
Sri Vasireddy, Federal Solutions Architect, Amazon Web Services

Agenda
- Benefits of Cloud Computing
- Amazon Web Services Overview
- Federal Customer Use Cases
- Security and Certification
  - FISMA A&A
  - Security Architecture
Elastic and Pay-Per-Use Infrastructure
(Chart: infrastructure cost versus time. Traditional hardware is bought as a large capital expenditure sized to predicted demand, so capacity is either idle or, when actual demand outruns it, unable to serve constituents. Automated virtualization tracks actual demand.)

On-Demand Pricing

Business Agility / Innovation

Attributes of Cloud Computing
- No capital expenditure
- Pay as you go, and pay only for what you use
- True elastic capacity: scale up and down
- Improves time to market
- Managed: you can focus on what differentiates your business instead of the undifferentiated heavy lifting of managing infrastructure

Building Blocks

AWS Computing Platform
AWS Pace of Innovation (timeline of announcements, as listed on the slide): AWS Services in N. California » AWS Multi-Factor Authentication » AWS Management Console » AWS Economics Center » AWS in Education » AWS Security Center » SAS70 Type II Audit » More services in EU » Lower EC2 Pricing » Lower S3 Pricing » Lower pricing for Outbound Data Transfer » AWS Solution Provider Program » Amazon EC2 » Amazon S3 » Developer Portal & Forums » Amazon SQS » Amazon Mechanical Turk » Amazon SimpleDB » Amazon Flexible Payments Service » S3 in Europe » EC2 new instance types » AWS Start-Up Challenge » Amazon Simple Notification Service » RDS Multi-Availability Zone Support » S3 Reduced Redundancy Storage » New Locations and Features for CloudFront » S3 Bucket Policies » Cluster Instances for EC2 » Premium Support » Amazon CloudFront » EC2 Elastic IP addresses & Availability Zones » Windows Server, MySQL, Oracle, & JBoss on EC2 » Lower Data Transfer Costs » EC2 Reserved Instances » New SimpleDB Features » IBM on EC2 » Windows Server 2008 on EC2 » Amazon RDS » Amazon Virtual Private Cloud » Amazon Elastic MapReduce » EBS Shared Snapshots » Monitoring, Auto Scaling & Elastic Load Balancing for EC2 » AWS Import/Export » AWS Services in Singapore » RDS Reserved Database Instances » RDS Read Replicas & Lower Pricing » Lower Outbound Transfer Pricing » Data Transfer Usage Tiers » Consolidated Billing for AWS » Amazon S3 Versioning Feature » EC2 High Memory Instances » Micro Instances » Lower Pricing for EC2 High Mem Instances » Identity & Access Management » Amazon Linux AMI » Oracle on EC2 » New EC2 Features » SUSE Linux on EC2 » Public Data Sets » Elastic Block Store » EC2 SLA » EC2 in EU » S3 Tiered Pricing

Animoto and Amazon EC2
(Chart: number of EC2 instances, 4/12/2008 through 4/20/2008. After the launch of Animoto's Facebook modification, Amazon EC2 scaled to handle the additional traffic, from a steady state of ~40 instances to a peak of 5,000 instances.)
Website Hosting / Application Hosting
- Challenge: The US Treasury needed to develop a new Treasury.gov website that could give over 100 organizations within the Department the ability to manage and update their content. At the same time, it needed to roll out new Web 2.0 features to better engage with constituents.
- Solution: Treasury chose a cloud computing solution based on Amazon Web Services to support over 11 new Treasury websites. Deployed capabilities:
  - Microsoft SharePoint for web content management
  - Multi-faceted search
  - Integration with social networking tools
- Benefit: Avoided capital expense, and added capacity to scale up and down based on demand; time to deployment

"Treasury's decision to move its flagship site to a public cloud infrastructure reflects the Administration's commitment to closing the IT gap between the public and private sectors by leveraging the power of technology. Use of cloud computing increases cost effectiveness, improves efficiency and provides greater flexibility, as the private industry sector has proven. This is exactly the kind of game-changing technology required to do more with less." - Vivek Kundra, CIO, United States

Geo-location Services
- Challenge: USDA Food Nutrition Service was looking to build a service to help constituents locate the nearest stores that accept Supplemental Nutrition Assistance Program vouchers, on an aggressive implementation schedule.
- Solution: USDA FNS worked with ESRI to deploy a geo-location service hosted on AWS.
- Benefit: Avoided the need to procure servers; fast time to market / time to implementation

"It's a pretty complicated GIS solution and there's lots of data involved. Instead of building the infrastructure to run this, we're running it in the Amazon cloud. We were able to put it up there very quickly. We didn't have to procure the servers. We were just buying a service from Amazon and it seems to be working very well. I think it's a good model that we might follow again or other agencies can follow to host a fairly complex solution in a pretty short order." - Jonathan Alboum, CIO, Food Nutrition Service (Federal News Radio interview, July 28, 2010)
Mission Data Processing
- Challenge: Because of the latency of data transmission to and from Mars, within a two-hour window it took mission planners 90 minutes to process telemetry data from the Mars Rover, 20 minutes to decide where to move the Rover, and 10 minutes to upload the commands.
- Solution: NASA-JPL loaded its custom software application onto EC2 and horizontally scaled the number of virtual machines supporting the data processing.
- Benefit: Reduced data processing time from 90 minutes to 15 minutes using parallel processing; increased mission planning time, resulting in higher-quality scientific observations

Common Use Cases
- Web site hosting
- Application hosting / SaaS hosting
- Internal IT application hosting
- Content delivery and media distribution
- High performance computing, batch data processing, and large scale analytics
- Storage, backup, and disaster recovery
- Development and test environments

SECURITY
AWS Cloud Security Model Overview

Certifications & Accreditations
- Sarbanes-Oxley (SOX) compliance
- ISO 27001 certification
- PCI DSS Level 1 (service provider) certification
- HIPAA-compliant architecture
- SAS 70 Type II audit
- FISMA Low ATO
  - Pursuing FISMA Moderate ATO
  - Pursuing DIACAP MAC II Sensitive
  - FedRAMP
- Service Health Dashboard

Shared Responsibility Model (the customer, SI partner or ISV is responsible for)
- Guest OS-level security, including patching and maintenance
- Application-level security, including password and role-based access
- Host-based firewalls, including intrusion detection/prevention systems
- Encryption/decryption of data; hardware security modules
- Separation of access

Physical Security
- Multi-level, multi-factor controlled access environment
- Controlled, need-based access for AWS employees (least privilege)

Management Plane Administrative Access
- Multi-factor, controlled, need-based access to administrative hosts
- All access logged, monitored and reviewed
- AWS administrators DO NOT have access inside a customer's VMs, including applications and data

VM Security
- Multi-factor access to the Amazon account
- Instance isolation
  - Customer-controlled firewall at the hypervisor level
  - Neighboring instances are prevented from accessing each other
  - The virtualized disk management layer ensures only the account owner can access its storage volumes (EBS)
- Support for SSL endpoint encryption for API calls

Network Security
- Instance firewalls are configured as security groups
- Traffic may be restricted by protocol, by service port, and by source IP address (an individual IP or a Classless Inter-Domain Routing (CIDR) block)
- Virtual Private Cloud (VPC) provides IPsec VPN access from an existing enterprise data center to a set of logically isolated AWS resources

AWS Certifications
- Shared Responsibility Model
- Sarbanes-Oxley (SOX)
- SAS 70 Type II audit
- PCI Data Security Standard compliance
- Working on FISMA A&A
  - NIST Low Approvals to Operate
  - Actively pursuing NIST Moderate
    - ATOs in progress at several agencies
    - ST&E and Moderate controls available now for incorporation into the SSP
  - Actively pursuing FedRAMP
    - Includes DIACAP MAC II Sensitive
- ISO 27001 certification
- Customers have deployed applications subject to regimes such as HIPAA (healthcare)
Amazon EC2 Instance Isolation
(Diagram: instances for customers 1 through n share the physical interfaces through the hypervisor; each customer's virtual interfaces pass through a firewall that enforces that customer's own security groups, so customer 1's rules never apply to customer 2's traffic.)

Multi-tier Security Architecture (web tier, application tier, database tier with EBS volume)
- Ports 80 and 443 are the only ports open to the Internet, on the web tier; all other Internet ports are blocked by default
- Engineering staff have SSH access to the application tier, which acts as the bastion
- Authorized third parties can be granted SSH access to selected AWS resources, such as the database tier
- The Amazon EC2 security group firewall enforces these rules; AWS employs a private network with SSH support for secure access between tiers, and it is configurable to limit access between tiers
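The "Network Security" bullets and the three-tier slide above describe a rule set, not code. The block below is an added example (not from the presentation or from AWS) that models the three-tier policy as EC2-style security-group rules and evaluates flows against it: security groups are default-deny, allow-only and stateful, a source may be a CIDR block or another security group, and "all other ports blocked" simply means no rule exists. Group names, the engineering and partner CIDRs, and the application port are constructed for this example; the rule fields mirror the names the EC2 API uses (IpProtocol, FromPort, ToPort, IpRanges, UserIdGroupPairs).

```python
"""Model of the three-tier EC2 security-group layout and a default-deny evaluator.

Constructed example: group names, CIDRs and ports are assumptions, not values
from the presentation.  Rule fields follow the EC2 API naming.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule; there is no deny rule in a security group."""
    ip_protocol: str                    # "tcp", "udp", "icmp" or "-1" for all
    from_port: int
    to_port: int
    cidr: Optional[str] = None          # IpRanges entry, or ...
    source_group: Optional[str] = None  # ... UserIdGroupPairs entry

    def matches(self, protocol: str, port: int, src_ip: str,
                src_groups: Iterable[str]) -> bool:
        if self.ip_protocol not in ("-1", protocol):
            return False
        if self.ip_protocol != "-1" and not self.from_port <= port <= self.to_port:
            return False
        if self.cidr is not None:
            return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.cidr)
        return self.source_group in set(src_groups)


ENGINEERING_CIDR = "203.0.113.0/24"  # constructed (TEST-NET-3): engineering office
PARTNER_CIDR = "198.51.100.7/32"     # constructed (TEST-NET-2): one authorized 3rd party

# The slide's policy: only 80/443 from the Internet into the web tier, SSH into
# the app tier (bastion) from engineering only, and every tier-to-tier path as a
# group-to-group reference so it never depends on instance IP addresses.
POLICY: Dict[str, List[Rule]] = {
    "web-tier": [
        Rule("tcp", 80, 80, cidr=ANYWHERE),
        Rule("tcp", 443, 443, cidr=ANYWHERE),
        Rule("tcp", 22, 22, source_group="app-tier"),     # bastion reaches web hosts
    ],
    "app-tier": [
        Rule("tcp", 22, 22, cidr=ENGINEERING_CIDR),       # bastion entry point
        Rule("tcp", 8080, 8080, source_group="web-tier"), # assumed app port
    ],
    "db-tier": [
        Rule("tcp", 3306, 3306, source_group="app-tier"), # assumed MySQL port
        Rule("tcp", 22, 22, source_group="app-tier"),
        Rule("tcp", 22, 22, cidr=PARTNER_CIDR),           # authorized third party
    ],
}


def is_allowed(policy: Dict[str, List[Rule]], dest_group: str, protocol: str,
               port: int, src_ip: str, src_groups: Iterable[str] = ()) -> bool:
    """Default deny: the flow is accepted only if some inbound rule on the
    destination group matches.  src_groups is the set of security groups the
    sending instance belongs to (empty for hosts outside AWS)."""
    return any(r.matches(protocol, port, src_ip, src_groups)
               for r in policy.get(dest_group, ()))


def audit(policy: Dict[str, List[Rule]],
          allowed_public_ports: Iterable[int] = (80, 443)) -> List[Tuple[str, str, int, int]]:
    """Flag any rule that opens something other than the permitted web ports to
    the whole Internet.  Returns (group, protocol, from_port, to_port) tuples."""
    allowed = set(allowed_public_ports)
    findings = []
    for group, rules in policy.items():
        for r in rules:
            if r.cidr != ANYWHERE:
                continue
            if r.ip_protocol == "-1" or not set(range(r.from_port, r.to_port + 1)) <= allowed:
                findings.append((group, r.ip_protocol, r.from_port, r.to_port))
    return findings


if __name__ == "__main__":
    print(is_allowed(POLICY, "web-tier", "tcp", 443, "192.0.2.10"))              # Internet -> web https
    print(is_allowed(POLICY, "web-tier", "tcp", 22, "192.0.2.10"))               # Internet -> web ssh
    print(is_allowed(POLICY, "db-tier", "tcp", 3306, "10.0.1.5", ["app-tier"]))  # app -> db
    print(audit(POLICY))
```

The point of the group-to-group rules is that adding or replacing an application instance requires no firewall change: membership in app-tier is what the database trusts, not an address. The audit function is the check a reviewer runs before an ATO: anything reachable from 0.0.0.0/0 other than the web ports is a finding, and because there are no deny rules, the fix is always to delete the offending allow.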
Amazon VPC Architecture
(Diagram: the customer's network connects over a secure VPN connection across the Internet to a VPN gateway in the Amazon Web Services cloud, behind which a router serves the subnets holding the customer's isolated AWS resources.)

Amazon EC2 Regions and Availability Zones
- Amazon EC2 Regions: US East (Northern Virginia), US West (Northern California), EU (Dublin), Asia Pacific (Singapore)
- US West (Northern California): Availability Zones A and B
- US East (Northern Virginia): Availability Zones A, B, C and D

Network Traffic Confidentiality
(Diagram: Amazon EC2 instances with an encrypted file system and encrypted swap file; traffic to the corporate network goes over a VPN, separate from Internet traffic.)
- All traffic should be cryptographically controlled
- Inbound and outbound traffic to corporate networks should be wrapped within industry-standard VPN tunnels (with the option to use Amazon VPC)

Designing Applications for Reliability (a Region spanning multiple Availability Zones)
- Amazon CloudWatch provides monitoring for AWS cloud resources
- Elastic Load Balancing automatically distributes incoming application traffic across multiple Amazon EC2 instances
- Auto Scaling automatically scales Amazon EC2 capacity up or down according to pre-defined conditions
Thank You
Sri Vasireddy
Federal Solutions Architect
Amazon Web Services
[email_address]
703-371-8274