AFTAC Review

A presentation at AFTAC/RedHat Offsite in February 2013 in Melbourne, FL, USA by Shawn Wells

Slide 1

UNCLASSIFIED

AFTAC Review
Shawn Wells (shawn@redhat.com / wellshaw@nro.ic.gov)
Red Hat Public Sector

Slides 2-5 (progressive build of one slide; the final build is shown once)

Challenges

• Technology integration with Intelligence Community
  • Cloud Hosting → NSA MACHINESHOP / "IC GovCloud"
  • Data Standards → DoD Discovery Metadata Services
  • Sharing → Distributed Common Ground System IC
• Organizational integration with Ground Enterprise Directorate
  • Partnership with DODCS for dynamic, on-demand HPC to generate Phase 0 reporting
• Collaboration with DAA/ISSM to baseline next-generation technologies
  • Operate under DoDIIS accreditation policies and procedures
  • Certification & Accreditation reciprocity for DoD and IC ATOs
• Technology Training
  • Shift to integration services, cloud providers to handle infrastructure

Slide 6

Intelligence Community Cloud Integration

Slides 7-10 (progressive build of one slide; the final build is shown once)

Intelligence Community Cloud Integration

• NSA MACHINESHOP providing Intelligence Community hosting
  • Handles scalability, elasticity, availability requirements for tenants
  • Running Red Hat KVM hypervisor, managed through OpenStack
• LS providing on-premise AFTAC hosting
  • Requested through POWER process
  • Running Xen hypervisor, managed through Citrix
• (future) MOOSE
  • Developed through QinetiQ as next generation architecture
  • Designed for ESXi hypervisor, managed through VMWare vCenter

Slide 11

IT As Manufacturing

Consolidated Aircraft B-52 Liberator: incredibly sophisticated, ~500K parts, assembled by unskilled labor. No manufacturing process. Parts were cast in rubber molds; every part was different. Ford Motor Co. brought a manufacturing process and went from 250 planes per year to 650 planes per month.

Standardization remains our current challenge.

Slide 12

Stack diagram, top to bottom:
• Application
• Application Platforms
• Operating System
• Virtualization
• Hardware
• Storage

Slide 13

(image-only slide; no recoverable text)

Slide 14

IaaS provider generates operating system images

Diagram labels: OS IMAGE (x3); MACHINESHOP (IC Classified) / C2S (IC Commercial); On-Premise (VMWare, Xen, KVM, Bare Metal)

Slide 15

SELinux subdivides the available computing resources using technology co-developed with the NSA

Diagram labels: OS IMAGE (x2); MACHINESHOP (IC Classified) / C2S (IC Commercial); On-Premise (VMWare, Xen, KVM, Bare Metal)

Slides 16-17 (slide 17 repeats slide 16)

Application Widget Developer creates "application widget," defines the application manufacturing process.

Diagram labels: OS IMAGE (x2); MACHINESHOP (IC Classified) / C2S (IC Commercial); On-Premise (VMWare, Xen, KVM, Bare Metal)

Slides 18-19

(image-only slides; no recoverable text)

Slide 20

Application Widget Refresh

Slide 21

Integrating with Ground Enterprise Directorate (GED)

Slide 22

Integrating with Ground Enterprise Directorate

• HPC resources available through dynamic provisioning (private NRO GED cloud)
  • Resources available remotely for operations, prototypes, experiments, and disadvantaged users
  • Dynamic resource pooling
  • Currently accepting initial workloads

Classified Testbed
  • 1x SGI UV100, Intel Xeon Nehalem, 256 cores, >1 TFLOPS peak
  • 10x TILEmpower boards, Tilera TILEPro64, 640 cores, >4 TFLOPS peak
  • 3x TESLA 2050s, Nvidia Fermi GPUs, 5376 cores, >4 TFLOPS peak

Unclassified Testbed
  • 1x SGI UV100, Intel Xeon Nehalem, 128 cores
  • 10x TILEmpower boards, Tilera TILEPro64, 640 cores
  • 3x TESLA 2050s, Nvidia Fermi GPUs, 5376 cores
  • Commodity x86 cluster, Intel Xeon Clovertown, 80 cores

Slide 23

Intelligence Data Sharing

Slides 24-25 (slide 25 repeats slide 24)

DCGS-IC System Architecture (block diagram; only the labels are recoverable, not the layout or connections)

Diagram labels as they appear:
• Client and UI: Web Browser, GE Client, 2D Situation Awareness (WMS/WFS), Web UI Framework, Workspace Mgr, KML Export, Other Widgets, Mashlets, Image Analyst, Portal, Reports
• Node tiers: UI Component, Business Logic Component, Data Access Component, Infra Component, Node Boundary, Security Gateway (appears at several boundaries)
• Discovery and services: Content Discovery Wrapper CDW (CD 1.3 compliant), Content Discovery Engine CDE (CD 1.3 compliant), Enterprise Content Discovery eCD (CD 1.3 compliant), DDMS DoD Discovery Metadata Specification (incl IC ISM), MDC DIB Metadata Catalog, Data Source, KML Search, Standing Query, Faceted Filtering, Mashup Engine, Rules Engine, Format Translation, Emitter Correlation, Syndication Manager, Alert Mgmt & Subscription, System Health & Status, Metrics Service, GeoTagger, Chipping Service, Metadata Services, NCES CD, UDDI, other eSvcs
• Foundation: Virtualization, Security, OS, A&A
• External systems and sources (each fronted by a CDW): SIGINT Status, SAVANT, Chat Surfer, ICES Chat, GVS, RSS/GeoRSS, GALE LT, ASA, ELINT, SIGINT Events, IPL, Exploited Imagery, Multi-INT, DDA, FD/FI, GSRP, AFWA, IBS-N, NDS (PDSE), IMINT Col Status, IMINT Col Plans, PESO, PESO DB, MIND, ICDL, UNICORN, AF Tac, IMINT Status, iVAP, WIRE, E-Space, WARP, NTIPS, SIGINT 4, WebThreads, WIDOW, OSS, CEDRIC, ONI, MIDB, EIFIC, FINTEL, HUMINT, OPIR, COMEXT, Seawatch, Facilities, Classified SIGINT/IMINT/MASINT, other DCGS

Slide 26

Intelligence Community Data Standards

• DoD Discovery Metadata Specification (DDMS)
  • Defines discovery metadata elements for all resources posted to community and organizational shared spaces
  • Mandated by DCGS; powers the metadata catalog and the DCGS Integration Backbone (DIB)
  • Integrates with IC Trusted Data Format (TDF); supports:
    • IC-TDF
    • Information Security Metadata
    • Need-to-Know
    • IC-Commons
  • http://metadata.ces.mil/dse/irs/DDMS/
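An added example, not from the slides or from any DCGS/AFTAC code: it parses a constructed DDMS-style record carrying ISM (Information Security Metadata) markings and checks that the resource-level classification dominates every element marking, which is the rollup property a catalog ingest should enforce before a record becomes discoverable. The namespace URIs, element names, attribute names and sample values are assumptions in the style of DDMS 4.x and IC ISM, not taken from the page.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URIs in the style of DDMS 4.x and IC ISM; not taken from the slides.
DDMS = "http://metadata.dod.mil/mdr/ns/DDMS/4.0/"
ISM = "urn:us:gov:ic:ism"

# Classification ordering used for the rollup (dominance) comparison.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

# Constructed sample record; element names and values are illustrative only.
SAMPLE = f"""<ddms:resource xmlns:ddms="{DDMS}" xmlns:ISM="{ISM}" ISM:resourceElement="true"
    ISM:classification="S" ISM:ownerProducer="USA" ISM:DESVersion="9">
  <ddms:identifier ddms:qualifier="urn:example:id" ddms:value="constructed-0001"/>
  <ddms:title ISM:classification="U" ISM:ownerProducer="USA">Phase 0 report (constructed)</ddms:title>
  <ddms:description ISM:classification="S" ISM:ownerProducer="USA">Fused product summary</ddms:description>
  <ddms:security ISM:excludeFromRollup="true" ISM:classification="S" ISM:ownerProducer="USA"/>
</ddms:resource>"""


def check_rollup(xml_text: str) -> list:
    """Return a list of marking problems; an empty list means the record passes.

    Checks (a defender-side sanity check, not the full ISM schema/Schematron):
      1. every classification value is one of the known levels;
      2. every classified element also names an ISM:ownerProducer;
      3. no element is marked higher than the resource-level marking (rollup).
    """
    root = ET.fromstring(xml_text)
    cls_attr = f"{{{ISM}}}classification"
    owner_attr = f"{{{ISM}}}ownerProducer"
    root_cls = root.get(cls_attr)
    if root_cls not in LEVELS:
        return [f"root: unknown or missing classification {root_cls!r}"]
    problems = []
    for el in root.iter():
        cls = el.get(cls_attr)
        if cls is None:
            continue  # elements such as ddms:identifier carry no ISM marking
        tag = el.tag.split("}")[-1]
        if cls not in LEVELS:
            problems.append(f"{tag}: unknown classification {cls!r}")
            continue
        if el.get(owner_attr) is None:
            problems.append(f"{tag}: classification without ISM:ownerProducer")
        if LEVELS[cls] > LEVELS[root_cls]:
            problems.append(f"{tag}: marked {cls} exceeds resource marking {root_cls}")
    return problems


if __name__ == "__main__":
    print("problems:", check_rollup(SAMPLE) or "none")
```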

Slides 27-28 (slide 28 repeats slide 27)

Ozone Widget Framework

Slide 29

Fused Product Generation

Slide 30

Security

Slides 31-32 (slide 32 repeats slide 31)

Security (six-step cycle diagram)

• CATEGORIZE (FIPS 199 / SP 800-60)
• SELECT CONTROLS (FIPS 200 / SP 800-53)
• IMPLEMENT CONTROLS (SP 800-70)
• ASSESS CONTROLS (SP 800-53A)
• AUTHORIZE (SP 800-37)
• MONITOR (SP 800-37 / SP 800-53A)