CalCloud Service Overview, March 2014. Presenters: Neeraj Chauhan, OTech CalCloud Project Director; Jan K. Gravesen, IBM Architect; Dave Langston, OTech IT Security Architect.

Presentation Transcript


  1. CalCloud Service Overview March 2014 Neeraj Chauhan: OTech CalCloud Project Director Jan K. Gravesen: IBM Architect Dave Langston: OTech - IT Security Architect

  2. Overview of OTech
  The California Department of Technology (OTech) provides information technology services to many state, county, federal and local government entities throughout California. Through the use of a scalable, reliable and secure statewide network, combined with expertise in voice and data technologies, OTech delivers comprehensive, cost-effective computing, networking, electronic messaging and training solutions to benefit the people of California.
  Company Profile
  • More than 700 employees
  • Supports approx. 3,000 sites in all 58 California counties
  • Two Tier III data centers
  • Main services: network, email, application hosting, equipment hosting, server-based computing

  3. Overview of CalCloud
  • Service hosted in State data centers and behind the State network (LAN/WAN).
  • Provided by a cloud service vendor (IBM).
  • The CalCloud vendor provides hardware, software, portal and OS administration (patching).
  • Usage based, with no initial cost to the State.
  • Self-service business model (via web portal) and low-cost service offering.
  • Small, Medium, Large and X-Large VMs.
  • Red Hat Linux, Windows, AIX, and Linux for z.
  • Multiple disaster recovery and backup/restore tiers.
  • Security designed for ISeC and FedRAMP: multiple levels of isolation (network, storage, computing).
  • Inside CGEN security firewalls.
  • Security-tiered 10 Gb network.
  • Load balancing and firewall.
  • Infrastructure monitoring via the portal.
  • Performance and capacity reports via the portal.
  • CalCloud go-live in June 2014.
  Diagram labels: Control; Multiple technology platforms; Flexibility; Security and isolation; Competitive pay-as-you-go; Dedicated virtual private cloud; Shared cloud services.

  4. Cloud Service Provider Platform
  The CalCloud will be a Contractor Owned, Contractor Operated (COCO) "super cloud" providing scale and cost efficiencies for government, education and healthcare organizations in California, the world's 10th largest economy.
  Diagram: CalCloud TOM at the center, serving state departments, counties, cities, consortia, small businesses, public healthcare organizations, school systems and universities.

  5. CalCloud Services

  6. CalCloud "Shopping Cart"
  The CalCloud self-service web portal will give users a "shopping cart" experience.

  7. CalCloud R&R

  8. CalCloud Server Rates
  • All rates have volume discounts. The table (not reproduced in this transcript) shows volume one (<500 servers) pricing.

  9. CalCloud Extra Rates
  • All rates have volume discounts.

  10. CalCloud Service Roadmap
  Cloud Services Roadmap, FY 13/14 through FY 15/16:
  • IaaS/PaaS (Red Hat, Windows and AIX)
  • DaaS/PaaS/STaaS (SQL, DB2, Oracle, ...)
  • SaaS/AaaS

  11. CalCloud architectural decisions
  The CalCloud is engineered for flexible, secure, cost-efficient, enterprise-class workloads.
  • Personalization: the usability model provides an intuitive, relevant, role-based and customizable user interface.
  • Flexible Self-Service: a flexible self-service model which adapts to departmental needs and is able to bring future services on board.
  • Extensibility: CalCloud is extensible with other hypervisors and OSs, other storage solutions, and other compute tiers.
  • Security & Isolation: CalCloud supports multiple security standards and models and is a highly secure multi-tenancy architecture.
  • Control: CalCloud supports flexible dashboards, reporting services and service catalogs; State cloud service consumers will feel in control.
  • Enterprise-Class Scalability: the CalCloud provides enterprise-class availability, backup/restore and disaster recovery capabilities.
  • Low-Cost Accommodation: CalCloud is designed to support the need for low-cost accommodation, the ability to combine low cost with the flexibility to accommodate a wide range of diverse government requirements.
  (Diagram: CalCloud TOM on the Cloud Service Provider Platform.)

  12. CalCloud flexibility
  Layers: User Access Layer; Management & Automation Layer; Resource Abstraction & Control Layer; Physical Resource Layer.
  Each tenant (a department, agency or municipality) gets a Virtual Private Cloud built on the Standard CalCloud Services plus its own: My Templates, My User Roles, My Shopping Cart, My Approval Process, My Reports, My Dashboards, My Trouble Tickets, My Billing Status. The service is open to the entire public sector in California.
  Standard Cloud Services: campus LDAP with standard user roles, two-factor authentication, provisioning, modifications, service catalog, multi-tiered IDR, backup/restore, usage & accounting, standard dashboards, standard approval processes, standard reports.

  13. CalCloud logical architecture diagram
  CalCloud Managed Services and CalCloud Managed Security, with Department of Technology / departmental interfaces (**).
  • User Access Layer: authentication, documentation, service catalog, shopping cart, events dashboard, reporting, trouble tickets, billing status.
  • Management & Automation Layer: service automation management, LDAP, provisioning, image lifecycle management, monitoring, Remedy, usage and accounting, billing, backup/restore, IDR, reporting warehouse, LogLogic (SIEM), storage and backup management.
  • Resource Abstraction & Control Layer: VMware, PowerVM, *z/VM, *Solaris Zones, *Xen/KVM (open source).
  • Physical Resource Layer: compute nodes (Windows/RHEL x86), compute nodes (AIX on POWER), common cloud storage, backup storage; plus Department of Technology managed zLinux/DS8000 and tenant-managed AIX environments.
  ** Physical environments not managed by CalCloud Managed Services.

  14. CalCloud logical architecture diagram (products)
  CalCloud Managed Services and CalCloud Managed Security, with Department of Technology / departmental interfaces (**).
  • User Access Layer: Jazz/DASH Portal (CalCloud portal and management VMs), consumer dashboard, trouble tickets, service catalog, shopping cart, billing, reporting.
  • Management & Automation Layer: Tivoli Identity Manager (authentication/authorization), LDAP, IBM Service Delivery Manager (service automation management, provisioning, lifecycle management), SmartCloud Control Desk, Remedy, monitoring, usage & accounting, reporting warehouse, Tivoli Common Reporting, LogLogic SIEM, Tivoli Storage Manager, TSM for VE and SmartCloud Managed Backup (backup/archive agent, policies, storage pools, instant and scheduled backup), device and storage management.
  • Resource Abstraction & Control Layer: VMware vSphere/vCenter with HA/DRS and vSRM; PowerVM with PowerHA, Live Partition Mobility and PowerSC; CalCloud tenant VMs (x86 and POWER).
  • Physical Resource Layer: IBM Flex System, IBM Flex Fibre Channel interconnect, NetApp ONTAP common cloud storage, VTL and backup storage arrays.

  15. CalCloud Storage Services: optimized, scalable and dynamic
  • Deep integration with VMware: NetApp and VMware are deeply integrated in terms of research & development; optimized for multi-tenant cloud storage environments.
  • Encryption at rest: encryption-at-rest storage services using the Brocade Encryption Blade (BEB) with the SAN directors.
  • Multi-tenant encryption key management: customers will manage their own encryption keys.
  • Highly scalable: grows clusters non-disruptively; storage arrays can be added incrementally.
  • High availability: provides RAID Dual Parity (RAID-DP) without performance penalty; able to recover from two simultaneous disk failures.
  • Intelligent storage optimization: a rich set of intelligent storage optimization features for the cloud service provider benefits the growth/cost curve for CalCloud as more and more consumers are on-boarded.
  • Virtual Storage Tiering (VST): supports multiple virtual storage tiers, moving data automatically between tiers using a data-driven, real-time, self-managed approach; efficiently leverages flash technology.
  • Replication: NetApp SnapMirror for Tier 1 data replication between the Gold Camp and Vacaville sites; integrated with VMware SRM; PowerHA mirroring for AIX virtual machines.

  16. CalCloud Storage Services: optimized, scalable and dynamic
  Intelligent Storage Optimization features: FlashCache/FlashPools, RAID-DP, thin provisioning, Snapshot, in-line compression, FlexClone®, thin replication.
  (Chart: cost ($) against data growth (TB), comparing data growth with traditional storage to data growth with efficient storage. Caption: change the cost/growth curve for cloud computing.)

  17. CalCloud Security Goals
  • Provide a service that is at least as secure as one built on a physical, dedicated infrastructure
  • Support both mission-critical and non-mission-critical systems
  • Provide an infrastructure that can meet the operational and compliance requirements of the State and supported agencies

  18. CalCloud Security Policy Pyramid
  Pyramid layers: State Policy; CalTech Policy; Customer Policy; Data Center Standards; CalCloud Standards; CalCloud Customer Application.

  19. CalCloud Security Stack
  CalCloud provides a comprehensive and tiered security model (listed here from the base upward):
  • Hosted inside the California Dept of Technology's data centers and inside OTech firewall(s).
  • Base Level Security Profile: IBM + California Dept of Technology Security Controls (ISeC, the CalCloud Information Security Controls).
  • The Federal Risk and Authorization Management Program (FedRAMP, which includes NIST 800-53).
  • Workload-specific security, support available upon customer request: HIPAA, PCI DSS, IRS 1075, SSA, other.

  20. CalCloud Security Controls
  • A formal security control program is in place (based on IBM ISeC processes and cloud experience).
  • Final set in the works; it exceeds 1,500 individual controls.
  • Base set of controls derived from ISO/IEC 27002 and FedRAMP.
  • Compliance support for other authorities available (infrastructure controls only).
  • CalCloud ISeCs can be shared with customer security personnel under a strict confidentiality agreement.

  21. Select CalCloud Security Features
  Encrypted Two-Factor Authenticated Sessions
  • Encrypted, two-factor authenticated sessions for all remote administrative access (portal, OS, infrastructure)
  • Separate tokens
  • Ability to authenticate against customer-managed LDAPs using TFIM
  Encryption at Rest
  • Encryption-at-rest storage services are optionally available via the Brocade Encryption Blade (BEB) configured with the SAN directors
  Log of Administrative Actions
  • The Department of Technology's SIEM will capture and log administrative actions that change the configuration state of the CalCloud infrastructure, including the physical and hypervisor layers
  Tamper Resistant Log Streams
  • The OTech SIEM logs source event data, performs immediate correlation, and identifies false positives
  • The OTech SIEM supports NIST log management security standards
  Tenant Isolation
  • Each tenant in the CalCloud environment will have its workloads running on dedicated and isolated virtual machines, virtual storage / file systems, and virtual networks
  Isolated Security Tiers (network)
  • Tenant administrators will have the option to set up and configure n-tier architectures for their web, application, database, and utility workloads using firewall and load balancer appliances
  Infrastructure Hardening
  • The CalCloud Information Security Controls documents (ISeC) define security controls and configuration
  • Hardening of the hypervisor is provided via access/authority control, including limited access to the hypervisor and hypervisor console
  • All OSs are patched via standardized patching processes
  Cloud Border Security
  • CalCloud physically resides inside the State's data centers in Rancho Cordova and Vacaville
  • Physical firewalls and a managed intrusion detection service provided by OTech
  • Inside the California Government Enterprise Network (CGEN)

  22. Other CalCloud Security Facts
  • Coordinated security incident handling
  • Coordinated change control
  • OTech-managed vulnerability scanning
  • Data are property of the State (VMs, virtual disks, data sets, ...)
  • Vendor(s) background checked
  • Security awareness, including IRS disclosure
  • Least privilege and separation of duties
  • Admin access only from the territorial U.S.
  • NO SHARED CREDENTIALS (non-repudiation for all infrastructure configuration changes)
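Slides 21 and 22 describe two controls that a consumer of the service should be able to test rather than take on trust: a tamper-resistant stream of administrative actions, and attribution of every infrastructure configuration change to an individually identified, two-factor authenticated administrator working from an allowed location. The block below is an added example, not CalCloud, OTech or IBM code; the event schema, the field names, the list of shared accounts and the sample events are all assumptions constructed for the illustration. It chains each log line to the previous one with SHA-256 so that editing or deleting a stored line is detectable, and then joins configuration-change events to their authenticating sessions and reports any change that violates the stated policy.

```python
"""Hash-chained admin-action log with attribution checks.

Added example (not CalCloud/OTech/IBM code). Models two controls from the
security slides: a tamper-resistant log stream, and non-repudiation of
every infrastructure configuration change (no shared credentials, two-factor
sessions, admin access only from the U.S.). Event schema and sample data
are assumptions constructed for the example.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first line in a chain

# Assumed: accounts that are shared rather than personal; a change made under
# one of these cannot be tied to a person, so it breaks non-repudiation.
SHARED_ACCOUNTS = {"root", "admin", "vcadmin"}
ALLOWED_COUNTRIES = {"US"}

# Constructed sample events: 'session' records from the authentication service,
# 'config_change' records from the hypervisor/physical layers, joined on 'sid'.
SAMPLE_EVENTS = [
    {"type": "session", "sid": "s1", "user": "jdoe", "mfa": True, "country": "US"},
    {"type": "session", "sid": "s2", "user": "root", "mfa": True, "country": "US"},
    {"type": "session", "sid": "s3", "user": "asmith", "mfa": False, "country": "US"},
    {"type": "session", "sid": "s4", "user": "bwong", "mfa": True, "country": "DE"},
    {"type": "config_change", "sid": "s1", "layer": "hypervisor", "object": "vSwitch/tenant-42", "action": "modify"},
    {"type": "config_change", "sid": "s2", "layer": "physical", "object": "san-director-1", "action": "modify"},
    {"type": "config_change", "sid": "s3", "layer": "hypervisor", "object": "vm/tenant-17-db", "action": "delete"},
    {"type": "config_change", "sid": "s4", "layer": "hypervisor", "object": "cluster/dr-policy", "action": "modify"},
    {"type": "config_change", "sid": "s9", "layer": "hypervisor", "object": "esx-host-3", "action": "modify"},
]


def canonical(event):
    """Deterministic serialisation so the chain hash is reproducible."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def build_chain(events):
    """Return stored log lines; each carries the hash of the previous line.

    h = SHA-256(prev || canonical(event)); the first line's prev is GENESIS.
    """
    lines, prev = [], GENESIS
    for ev in events:
        h = hashlib.sha256((prev + canonical(ev)).encode()).hexdigest()
        lines.append({"prev": prev, "event": dict(ev), "h": h})
        prev = h
    return lines


def verify_chain(lines):
    """Return the index of the first line that breaks the chain, or -1."""
    prev = GENESIS
    for i, line in enumerate(lines):
        expected = hashlib.sha256((prev + canonical(line["event"])).encode()).hexdigest()
        if line["prev"] != prev or line["h"] != expected:
            return i
        prev = line["h"]
    return -1


def check_config_changes(events):
    """Join each config change to its session and report policy violations.

    Returns (object, reason) tuples; an empty list means every change is
    attributable to a named person, authenticated with two factors, from an
    allowed country.
    """
    sessions = {e["sid"]: e for e in events if e["type"] == "session"}
    findings = []
    for e in events:
        if e["type"] != "config_change":
            continue
        s = sessions.get(e["sid"])
        if s is None:
            findings.append((e["object"], "no authenticated session for change"))
            continue
        if s["user"] in SHARED_ACCOUNTS:
            findings.append((e["object"], f"shared credential '{s['user']}'"))
        if not s["mfa"]:
            findings.append((e["object"], "session not two-factor authenticated"))
        if s["country"] not in ALLOWED_COUNTRIES:
            findings.append((e["object"], f"admin access from {s['country']}"))
    return findings


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(chain) == -1)
    chain[6]["event"]["action"] = "modify"  # simulate after-the-fact editing
    print("first tampered line:", verify_chain(chain))
    for obj, reason in check_config_changes(SAMPLE_EVENTS):
        print(f"{obj}: {reason}")
```

Two design points carry over to a real SIEM: the chain hash must be computed over a canonical serialisation (otherwise a harmless re-encoding of a stored line looks like tampering), and the attribution check has to fail closed, treating a change with no matching session as a finding rather than ignoring it, because a missing session record is exactly what an attacker with console access would produce.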

  23. CalCloud Security Advisory Council (CalCloud SAC)
  • Purpose
    • Advises on security standards / requirements
    • Advises on compliance requirements and directions
    • Reviews vendor assessment and monitoring summaries
    • Advises on larger security community needs
  • Membership from a range of CalCloud customers (large, small, non-State, ...)
    • Limited to 16 members for effectiveness
    • 12 annually rotating customer members
    • 4 permanent members
  • Meets bi-monthly (or as needed)

  24. CalCloud Security Communication
  • In addition to the CalCloud SAC, conduct 2 Security Forums per year for broad community attendance on CalCloud security
    • First Security Forum planned for June 2014
    • Subsequent forums in December and May
  • Focus on
    • Customer adoption and experiences
    • Security status and stats
    • Changes to the environment, if any
    • SAC actions
    • Compliance
    • Q&A

  25. Thank You!!!