This session will discuss the DoD Enterprise Cloud Services Broker model and the process for engagement with DISA in their role as the ECSB. This session will also review the DoD Cloud Security Model (CSM) and its security container levels.
DoD Enterprise Cloud Services Broker - AWS Symposium 2014 - Washington D.C.
1. AWS Government, Education, and Nonprofits Symposium
Washington, DC | June 24, 2014 - June 26, 2014
Deciphering the DoD Cloud Broker Process
Mark Fox
DoD Sales Executive
markfox@amazon.com
2. DoD Commercial Cloud – Commonly Asked Questions
1. Can I run DoD workloads in the Commercial Cloud?
– Are you FedRAMP Compliant?
– What is the IA Process? (DIACAP/RMF…?)
– How do I work with the DISA Cloud Broker? (Focus of today’s session)
– Can I get a private cloud?
2. Where is/are your Data Center(s)?
– How are they different than DoD Data Centers and DECC’s (CDC’s)?
– How is AWS different from other “Cloud” providers?
– Does my data stay in the US?
3. How much do you cost? Where is your “Rate Card”?
4. How do I get started using a CSP?
3. DoD Cloud Security Model (CSM) - ATO Process
[Diagram: a Cloud Services Provider’s path through FedRAMP and the DoD Cloud Security Model (administered via DISA), with increasing security and operating requirements at each step]
- 100’s of Cloud Service Providers (CSP); providers are a mix of IaaS, PaaS, SaaS (initial focus is on IaaS)
- FedRAMP Authority to Operate: 14 FedRAMP Compliant CSP’s¹; Provisional Authorization granted¹
- DoD Cloud Security Model, security container levels 1-6: CSM ATO Levels 1-2 (Public), CSM ATO Levels 3-5 (NIPR), CSM ATO Level 6 (SIPR); 0 Provisional Authorization granted²
- System-Specific ATO (signed by the DoD DAA, shown on the slide as “John Doe”)
- The DoD provisionally authorized commercial CSP offering is eligible to be included in the Enterprise Cloud Service Catalog
¹ Source: http://www.gsa.gov/portal/content/131931
² Provisional ATO granted as of 2/15/2014
4. DoD CSP – Useful Links
DoD Cloud Broker
http://www.disa.mil/Services/DoD-Cloud-Broker
DoD Cloud Security Model
http://iase.disa.mil/cloud_security/index.html
AWS FedRAMP Information
http://aws.amazon.com/compliance/fedramp-faqs/
DISA Cloud Broker mailbox
disa.meade.cae.mbx.cloud-broker@mail.mil
5. AWS Commercial Platform
6. The following services are in the accreditation boundary for FedRAMP:
- IAM: Enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups and use permissions to allow and deny their access to AWS resources.
- Amazon EC2: Provides resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers.
- Amazon VPC: Provides the ability for you to provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define.
- Amazon S3: Provides a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web.
- Amazon EBS: Provides highly available, highly reliable, predictable storage volumes that can be attached to a running Amazon EC2 instance and exposed as a device within the instance.
- Amazon Redshift: A fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to efficiently analyze all your data using your existing business intelligence tools.
7. AWS Global Infrastructure
10 Regions consisting of 25 Availability Zones and 51 Edge Locations (CDN)
8. CONUS Regions: AWS Regions & Availability Zones within FedRAMP Boundary
[Diagram: the four CONUS Regions inside the FedRAMP boundary and their Availability Zones]
- GovCloud (OR): Availability Zones A, B
- US East (VA): Availability Zones A, B, C, D
- US West (CA): Availability Zones A, B
- US West (OR): Availability Zones A, B, C
Customer decides where applications and data reside.
Note: Conceptual drawing only. The number of Availability Zones may vary.
9. AWS Regional Construct View
- Independent/separate geographic areas
- Isolated from other Regions (security boundary)
- ~50 mile radius “clustered” data center architecture
- Comprised of multiple Availability Zones
- Availability Zone = 1 or more “data center”
- Availability Zones connected through redundant low-latency links
- Customer chooses Region. Data stays within Region.
- Enables high-availability architecture
[Diagram: Sample US Region with Availability Zones A, B, C]
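The region choice on the two slides above (“Customer chooses Region. Data stays within Region.”) falls on the customer side of the shared-responsibility line, so it has to be enforced by the customer’s own IAM configuration. The policy below is an added example, not part of the original deck and not a DISA or AWS artifact: it explicitly denies any API call aimed at a Region outside the four FedRAMP-boundary Regions listed on slide 8. It assumes the region codes us-gov-west-1, us-east-1, us-west-1 and us-west-2 for GovCloud (OR), US East (VA), US West (CA) and US West (OR), and uses the aws:RequestedRegion condition key, which AWS added after this 2014 presentation; IAM and STS are excluded because they are global services that are not tied to a Region.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideFedRAMPBoundaryRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-west-1",
            "us-west-2",
            "us-gov-west-1"
          ]
        }
      }
    }
  ]
}
```

An explicit Deny wins over every Allow attached to the same principal, so this statement can be attached to a user, group or role (or used as an Organizations service control policy) without changing the rest of their permissions. GovCloud (US) is a separate partition with its own accounts, so in practice a commercial-partition account keeps only the three commercial Regions in the list and a GovCloud account keeps only us-gov-west-1.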
10. AWS Availability Zone (AZ) View
- Multiple isolated locations within a Region
- Availability Zone = 1 or more “data center”
- Independent Failure Zone
  - Physically separated
  - On separate Low Risk Flood Plains
  - Discrete UPS
  - Onsite backup generation facilities
  - Fed from different segments of utility provider
  - Redundantly connected to multiple tier-1 ISP’s
- No “Disaster Recovery Datacenter”
- Built for Continuous Availability
- Customer decides Availability Zone for Compute
[Diagram: Sample US Region with Availability Zones A, B, C; each Availability Zone is labelled “~ DoD Data Center”]
11. Security is a Shared Responsibility
[Diagram: layered controls, with the DoD scope of a Cloud Service Provider (CSP) bracketing the AWS-managed layers]
- Cloud Service Provider Controls (Cross-service Controls and Service-specific Controls): managed by AWS
- Optimized Network/OS/App Controls: managed by Customer and/or Partner
12. DoD Cloud Consumer Cloud Service Request Process
[Diagram: process flow across the DoD Cloud Consumer, Mission Assessment, Contract Vehicle Usage, and Mission Operations lanes]
- Data Categorization: Security Model Impact Level Assessment
- CSP Selection: CSP List; Technical Matching Assessment
- Cloud Service Request (CSR) Form: Mission Owner submits CSR; ECSB assesses CSR; ECSB connects Mission Owner with CSP’s
- Cloud Service Request Assessment and Recommendation: Technical, Mission Assurance, and Security Assessments
- Task Order Negotiations and Service Level Agreement (SLA): acquisition strategy and options
- Onboarding: System-Specific ATO and migration
- Service Delivery and SLA Monitoring; Mission Security Monitoring; Support Service Desk; Transition to Operations: O&M and Continuous Monitoring
13. DoD Cloud Broker - Cloud Service Request
http://www.disa.mil/Services/DoD-Cloud-Broker/~/media/Files/DISA/Services/Cloud-Broker/Service-Customer-Request.pdf
14. Thank You
Mark Fox
DoD Sales Executive
markfox@amazon.com
Editor’s Notes
Yes
Slide to follow. Focus of presentation.
Yes
Links below.
http://www.disa.mil/Services/DoD-Cloud-Broker
http://calculator.s3.amazonaws.com/calc5.html
http://www.awsnow.info/
Our data center footprint is global, spanning 5 continents with highly redundant clusters of data centers in each region. Our footprint is expanding continuously as we increase capacity, redundancy and add locations to meet the needs of our customers around the world.
There’s a shared responsibility to accomplish security and compliance objectives in AWS cloud. There are some elements that AWS takes responsibility for, and others that the customer must address. The outcome of the collaborative approach is positive results seen by customers around the world.
Since AWS and its customers share control over the IT environment, both parties have responsibility for managing the IT environment. AWS’ part in this shared responsibility includes providing its services on a highly secure and controlled platform and providing a wide array of security features customers can use. The customers’ responsibility includes configuring their IT environments in a secure and controlled manner for their purposes. While customers don’t communicate their use and configurations to AWS, AWS does communicate its security and control environment relevant to customers. AWS does this by doing the following:
• Obtaining industry certifications and independent third party attestations described in this document
• Publishing information about the AWS security and control practices in whitepapers and web site content
• Providing certificates, reports, and other documentation directly to AWS customers under NDA (as required)