Secure Cloud Computing Architecture (SCCA) - disa.mil

UNCLASSIFIED

Secure Cloud Computing Architecture (SCCA)
Susan Casson, PM, SCCA
December 12, 2017

UNITED IN SERVICE TO OUR NATION

Unclassified DoD Commercial Cloud Deployment Approach

(Architecture diagram; the labels below are what survives of it.)

DoD Controlled Environment:
• Cyber Command C2 Operations
• On Premise Level 1-5 Cloud Providers (labels on the diagram: OMS, IBM CMSG)
• NIPR-based User
• Big Data Analytics
• DISN, with Internet Access Points (Boundary Protection for Internet Traffic), Internal Cloud Access Points, Joint Regional Security Stacks, and the Global Content Delivery System (Commercial Caching)
• Secure Cloud Computing Architecture (SCCA)

Commercial Controlled Environment w/DoD Oversight:
• Internet and Internet-based User
• Off Premise Level 2 Approved Vendors
• Off Premise Level 4/5 Approved Vendors (vendor labels on the diagram: Salesforce, AWS East/West, AWS GovCloud, Azure, Oracle, O365)
• Cloud Access Points: Boundary Protection for Impact Level 4 & 5
• Meet-Me Point: Central Location for DoD and Cloud Connections

Vendors named within are approved or under contract to provide specified services to DISA or DOD

Secure Cloud Computing Architecture (SCCA)

Session Objectives
• Define the SCCA portfolio and the requirements to obtain services
• Outline how SCCA can enable cloud migration
• Connect attendees with technical and functional DISA experts
• Collect attendee feedback to influence future roadmap priorities

Connect: Access DoD-approved Level 4/5 cloud services
Secure: Extend application- and data-level security services to cloud environments
Manage: Consume custom analytics and intelligence data along with host-based security and access control capabilities

Capability Overview
• Cloud Access Points: Provide connectivity to approved cloud providers and protect the DISN from cloud-originating attacks
• Virtual Data Center Security Stack (VDSS): Virtual network enclave security to protect applications and data
• Virtual Data Center Managed Services (VDMS): Application host security, including HBSS/ACAS, patching, configuration, and management
• Trusted Cloud Credential Manager (TCCM): Cloud credential management for Role Based Access Control (RBAC) and least-privileged access

Cloud Management Roles and Responsibilities

DISA Cloud Connection Approval Onboarding Checklist
• Approved cloud vendor
• System Network Approval Process (SNAP) Registration
• Internet Protocol Registration
• Cybersecurity Service Provider
• Authority to Operate

Shared responsibility model (stack layers listed top to bottom, for Infrastructure and Software offerings):

Infrastructure (IaaS)
• DISA or Mission Partner Managed: Applications, Data, Runtime, Middleware, O/S
• Cloud Service Provider Managed: Virtualization, Servers, Storage, Networking

Software (SaaS)
• Applications, Data, Runtime, Middleware, O/S, Virtualization, Servers, Storage, Networking: Shared Management or Cloud Service Provider Managed

Cloud Access Points: Accessibility Versus Application Security

SCCA Boundary CAP (BCAP)
• Supports IaaS and SaaS clouds
• Protects DoD networks from cloud-originated attacks
• Scales up to 10G capacity per site
• Strategically located
• Included in the DISN subscription rate

BCAPs do not
• Break and inspect (i.e., terminate and inspect encrypted sessions)
• Provide application-level security; that is the role of the VDSS in front of the mission partner's workloads

Cloud Security and Managed Services

VDSS
• Traditional network security features for public-facing web applications
• Next Generation Firewall for protecting cloud-hosted workloads
• Components: Web Application Firewall, Next Generation Firewall

VDMS
• Cloud-connected management and security tools
• Cloud privileged user access and account management
• Central search and display of CAP and cloud logs via Splunk
• Components: HBSS, ACAS, Operating System Patching, Recursive DNS Caching, Cloud Visibility
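The two slides above draw the line between the BCAP, which filters on network-layer attributes and does not break and inspect, and the VDSS Web Application Firewall, which sees the decrypted HTTP request. The following Python is an added illustration written for this page, not DISA code or any vendor's product: it runs constructed requests through a hypothetical boundary allowlist (a 5-tuple policy standing in for the BCAP) and then through a handful of constructed WAF signatures standing in for the VDSS WAF. The enclave address range (10.50.0.0/24), the rule set, and every request are assumptions made up for the example.

```python
"""Boundary filtering (BCAP-style) versus application inspection (VDSS WAF-style).

Illustrative only. The point demonstrated: a payload-borne attack is invisible to a
filter that only sees source/destination/port/protocol, and is caught only once the
request is inspected at the application layer after TLS termination.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str  # "tcp" or "udp"
    # Application-layer fields as the WAF sees them after TLS termination.
    # The boundary filter never reads these.
    http_method: str = ""
    http_path: str = ""
    http_query: str = ""
    http_headers: Dict[str, str] = field(default_factory=dict)
    http_body: str = ""


@dataclass
class BoundaryRule:
    dst_net: ipaddress.IPv4Network
    dst_port: int
    proto: str


# Hypothetical boundary policy: only HTTPS to the assumed enclave range is permitted.
BCAP_RULES: List[BoundaryRule] = [
    BoundaryRule(ipaddress.ip_network("10.50.0.0/24"), 443, "tcp"),
]

# Constructed, deliberately small WAF signatures (a real rule set is far larger).
WAF_RULES: List[Tuple[str, re.Pattern]] = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+|union\s+select", re.I)),
    ("path-traversal", re.compile(r"\.\./|%2e%2e%2f", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
]


def bcap_filter(flow: Flow, rules: List[BoundaryRule]) -> str:
    """Boundary decision using only network-layer attributes of the flow."""
    dst = ipaddress.ip_address(flow.dst)
    for r in rules:
        if dst in r.dst_net and flow.dst_port == r.dst_port and flow.proto == r.proto:
            return "permit"
    return "deny"


def waf_inspect(flow: Flow) -> Tuple[str, List[str]]:
    """Application-layer decision over the decrypted request surface."""
    surface = " ".join(
        [flow.http_path, flow.http_query, flow.http_body] + list(flow.http_headers.values())
    )
    hits = [name for name, rx in WAF_RULES if rx.search(surface)]
    return ("block", hits) if hits else ("allow", [])


def evaluate(flow: Flow, rules: List[BoundaryRule]) -> Dict[str, object]:
    """Boundary first; only permitted flows reach the WAF, mirroring the BCAP -> VDSS path."""
    if bcap_filter(flow, rules) == "deny":
        return {"bcap": "deny", "waf": "not-reached", "hits": []}
    verdict, hits = waf_inspect(flow)
    return {"bcap": "permit", "waf": verdict, "hits": hits}


# Constructed sample traffic (all addresses and payloads are made up).
SAMPLE_FLOWS: Dict[str, Flow] = {
    "benign": Flow("203.0.113.10", "10.50.0.20", 443, "tcp", "GET", "/login", "user=alice"),
    # Same 5-tuple as the benign request; only the query string differs.
    "sqli": Flow("203.0.113.10", "10.50.0.20", 443, "tcp", "GET", "/login", "user=' OR '1'='1"),
    # Wrong port: the boundary stops this before any application inspection.
    "ssh": Flow("203.0.113.10", "10.50.0.20", 22, "tcp"),
}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name:7s} -> {evaluate(flow, BCAP_RULES)}")
```

The "sqli" flow is the instructive case: it is indistinguishable from the benign request at the boundary (same addresses, port, and protocol), so `bcap_filter` permits it, and only `waf_inspect` blocks it. That is exactly why a BCAP alone is "accessibility" and the VDSS is where application security lives.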

Boundary CAP (BCAP) 1.0 Overview

(Diagram showing BCAP connectivity to Level 4/5 Approved Vendors.)

VDSS and VDMS

(Diagram showing, for each CSP, the VDSS alongside a VDMS Core and a VDMS Extension.)

Our Evolution of Cloud Security Does Not End With SCCA
• Leaner and faster
• Templates, tools, and integration points
• Hybrid security solutions

Themes: Automation, Optimization, Migration, Security