Date posted: 15-Jan-2015 | Category: Technology | Uploaded by: amazon-web-services
AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014
Deciphering the DoD Cloud Broker Process
Mark Fox, DoD Sales Executive
DoD Commercial Cloud – Commonly Asked Questions
1. Can I run DoD workloads in the Commercial Cloud?
   - Are you FedRAMP compliant?
   - What is the IA process? (DIACAP/RMF...?)
   - How do I work with the DISA Cloud Broker? (FOCUS OF TODAY'S SESSION)
   - Can I get a private cloud?
2. Where is/are your Data Center(s)?
   - How are they different from DoD Data Centers and DECC's (CDC's)?
   - How is AWS different from other "Cloud" providers?
   - Does my data stay in the US?
3. How much do you cost? Where is your "Rate Card"?
4. How do I get started using a CSP?
Cloud Service Provider: DoD Cloud Security Model (CSM) - ATO Process
(The DoD Cloud Security Model is administered via DISA; security and operating requirements increase from left to right in the diagram.)
- 100's of Cloud Service Providers (CSP). Providers are a mix of IaaS, PaaS, SaaS (initial focus is on IaaS).
- 14 FedRAMP compliant CSP's (1): FedRAMP Authority to Operate
- CSM ATO Levels 1-2 (Public): Provisional Authorization granted (1)
- CSM ATO Levels 3-5 (NIPR): 0 Provisional Authorizations granted (2)
- CSM ATO Level 6 (SIPR)
- System-Specific ATO (diagram shows "John Doe, DoD DAA")
The DoD provisionally authorized commercial CSP offering is eligible to be included in the Enterprise Cloud Service Catalog.
(1) Source: http://www.gsa.gov/portal/content/131931
(2) Provisional ATO granted as of 2/15/2014
DoD CSP – Useful Links
- DoD Cloud Broker: http://www.disa.mil/Services/DoD-Cloud-Broker
- DoD Cloud Security Model: http://iase.disa.mil/cloud_security/index.html
- AWS FedRAMP Information: http://aws.amazon.com/compliance/fedramp-faqs/
- DISA Cloud Broker: [email protected]
AWS Commercial Platform
The following services are in the accreditation boundary for FedRAMP:
- IAM: Enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
- Amazon EC2: Provides resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers.
- Amazon VPC: Provides the ability for you to provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define.
- Amazon S3: Provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.
- Amazon EBS: Provides highly available, highly reliable, predictable storage volumes that can be attached to a running Amazon EC2 instance and exposed as a device within the instance.
- Amazon Redshift: A fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools.
AWS Global Infrastructure
10 Regions, consisting of 25 Availability Zones and 51 Edge Locations (CDN)
CONUS Regions: AWS Regions & Availability Zones within the FedRAMP Boundary
- GovCloud (OR): Availability Zones A, B
- US East (VA): Availability Zones A, B, C, D
- US West (CA): Availability Zones A, B
- US West (OR): Availability Zones A, B, C
Customer decides where applications and data reside.
Note: Conceptual drawing only. The number of Availability Zones may vary.
AWS Regional Construct View
- Independent, separate geographic areas
- Isolated from other Regions (security boundary)
- Roughly a ~50 mile radius "clustered" data center architecture
- Comprised of multiple Availability Zones
- Availability Zone = 1 or more "data center"
- Availability Zones connected through redundant low-latency links
- Customer chooses Region. Data stays within Region.
- Enables high-availability architecture
[Figure: Sample US Region with Availability Zones A, B and C]
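The slide states that the customer chooses the Region and that data stays within it. The example below, added here and not part of the AWS deck, shows how a DoD mission owner can turn that choice into an enforced control: an IAM-style policy that denies any API request whose target region is outside the four Regions the deck places inside the FedRAMP boundary, using the real `aws:RequestedRegion` condition key. The region codes are the real AWS identifiers for the Regions named on the slide; the policy document is constructed for this example, and the evaluator implements only the subset of IAM semantics needed here (explicit Deny wins, then Allow, otherwise implicit Deny), not the AWS policy engine.

```python
"""Region-pinning policy check (added example; not from the AWS deck).

The evaluator is a deliberately small model of IAM evaluation logic:
explicit Deny beats Allow, and a request no statement allows is denied.
"""
import fnmatch
import json

# Real region codes for the Regions the slide places inside the FedRAMP boundary.
FEDRAMP_BOUNDARY_REGIONS = {
    "us-gov-west-1",  # AWS GovCloud (US) - Oregon
    "us-east-1",      # US East (N. Virginia)
    "us-west-1",      # US West (N. California)
    "us-west-2",      # US West (Oregon)
}

# Constructed policy document: allow EC2 and S3 work, but deny every request
# whose requested region is not in the FedRAMP boundary set.
REGION_PINNING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowWorkloadActions",
            "Effect": "Allow",
            "Action": ["ec2:*", "s3:*"],
            "Resource": "*",
        },
        {
            "Sid": "DenyOutsideFedRampBoundary",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": sorted(FEDRAMP_BOUNDARY_REGIONS)
                }
            },
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action patterns use '*' wildcards and are case-insensitive in
    # practice; this model compares exact case for simplicity.
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringNotEquals against the request context.

    Like IAM, a missing context key makes StringNotEquals evaluate true,
    so a request with no region (a global service call) still hits the Deny.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual in expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policy, action, context):
    """Return 'Allow' or 'Deny' for one request (simplified IAM logic)."""
    decision = "Deny"  # implicit default
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def check_requests(policy, requests):
    """Evaluate a batch of (action, context) pairs; returns (action, region, decision)."""
    return [(a, ctx.get("aws:RequestedRegion"), evaluate(policy, a, ctx)) for a, ctx in requests]


if __name__ == "__main__":
    # Constructed sample requests: in-boundary, out-of-boundary, and region-less.
    sample = [
        ("ec2:RunInstances", {"aws:RequestedRegion": "us-gov-west-1"}),
        ("s3:PutObject", {"aws:RequestedRegion": "us-east-1"}),
        ("ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1"}),
        ("ec2:DescribeInstances", {}),
    ]
    print(json.dumps(REGION_PINNING_POLICY, indent=2))
    for action, region, decision in check_requests(REGION_PINNING_POLICY, sample):
        print(f"{decision:5}  {action:22}  region={region}")
```

Two points a practitioner should carry over to the real service: a StringNotEquals condition on a key that is absent from the request context evaluates true, so global services (for example IAM or STS calls, which carry no region) would be caught by this Deny unless the statement excludes them with `NotAction` or the `...IfExists` operator variant; and a Deny like this only constrains API calls made under the affected principals, so it complements rather than replaces the data-residency review the Cloud Service Request process asks for.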
AWS Availability Zone (AZ) View
- Multiple isolated locations within a Region
- Availability Zone = 1 or more "data center"
- Independent failure zone
- Physically separated
- On separate low-risk flood plains
- Discrete UPS
- Onsite backup generation facilities
- Fed from different segments of the utility provider
- Redundantly connected to multiple tier-1 ISP's
- No "Disaster Recovery Datacenter"
- Built for continuous availability
- Customer decides Availability Zone for compute
[Figure: Sample US Region with Availability Zones A, B and C; an Availability Zone is shown as roughly comparable (~) to a DoD Data Center]
Security is a Shared Responsibility
- Managed by AWS: cross-service controls and service-specific controls (Cloud Service Provider controls; this is the DoD scope of a Cloud Service Provider (CSP))
- Managed by Customer and/or Partner: optimized Network/OS/App controls
DoD Cloud Consumer Cloud Service Request Process
Phases (left to right):
1. Data Categorization
2. CSP Selection
3. Cloud Service Request Form
4. Task Order Negotiations and Service Level Agreement (SLA)
5. Onboarding
6. Service Delivery and SLA Monitoring
7. Mission Operations Support
Activities and artifacts shown on the slide:
- DoD Cloud Consumer: Mission Assessment; Contract Vehicle Usage; Cloud Service Request (CSR); Mission Security Monitoring
- Cloud Service Request Assessment and Recommendation
- Service Desk; CSP List; Technical Matching Assessment; Security Model Impact Level Assessment
- Technical, Mission Assurance, and Security Assessments
- System-Specific ATO
- Transition to Operations
Key actions:
- Mission Owner submits CSR
- ECSB assesses CSR
- ECSB connects Mission Owner with CSP's
- Acquisition strategy and options
- ATO and migration
- O&M
- Continuous Monitoring
DoD Cloud Broker - Cloud Service Request form:
http://www.disa.mil/Services/DoD-Cloud-Broker/~/media/Files/DISA/Services/Cloud-Broker/Service-Customer-Request.pdf
Thank You
Mark Fox, DoD Sales Executive