Bringing Governance to an Existing Cloud at NASA’s Jet Propulsion Laboratory (JPL): A Case Study

AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014
Bringing Governance to an Existing Cloud at NASA’s Jet Propulsion Laboratory
Jonathan Chiang, Matthew Derenski

Upload: amazon-web-services

Post on 12-Jan-2015


DESCRIPTION

Amazon Web Services provides JPL with a vast array of capabilities to store, process, and analyze mission data. JPLers were early to adopt AWS services to build complex solutions, but quickly grew to over 50 AWS accounts, 80 IAM users, and hundreds of resources. To deal with this complexity, a team of engineers inside JPL's Office of the CIO developed a cloud governance model. The true challenge was implementing it on existing deployments. Learn about their model and how they overcame the challenges.

TRANSCRIPT

Page 1: Bringing Governance to an Existing Cloud at NASA’s Jet Propulsion Laboratory (JPL):  A Case Study

AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014

Bringing Governance to an Existing Cloud at NASA’s Jet Propulsion Laboratory

Jonathan Chiang, Matthew Derenski

Page 2: Introductions

• Jonathan Chiang – IT Chief Engineer
• Matthew Derenski – Cyber Security Engineer

Page 3: Agenda

• Provide a brief background of JPL
• Detail why JPL uses Amazon Web Services
• Understand JPL use cases for AWS
• Describe JPL’s early engagement with AWS
• Review JPL’s implementation of its governance plan
• Utilizing governance to achieve organizational efficiency
• Measuring the value

Page 4: Who Is JPL?

• We are a federally funded research and development center (FFRDC) managed by Caltech
• We have 21 spacecraft and 9 instruments conducting active missions
• We manage NASA’s Deep Space Network (DSN)
• We “dare mighty things”

Page 5: Why Does JPL Use AWS?

• Quick and easy to provision/deprovision
• Reduce CapEx and large initial investments
• Pay as you go, only for what you use
• Automation and reusability

Page 6: How JPL Uses AWS

HPC/data processing

Page 7: How JPL Uses AWS

Public outreach

• Mars Exploration Program – Mars.jpl.nasa.gov
• Eyes on the Solar System – Eyes.jpl.nasa.gov
• Night Sky Network – Nightsky.jpl.nasa.gov

Page 8: How JPL Uses AWS

Storage, backup, and disaster recovery

• Mars exploration rovers
• Station fires

Page 9: How JPL Uses AWS

• Collaboration
• Rapid development
• Enterprise applications

Page 10: Early AWS Engagement

• Issued 60+ root level AWS accounts to various project teams
• Added all accounts to consolidated billing
• Associated a single project/task number for charge back and bill back

Page 11: The Problem

Page 12: Key Principles of JPL’s Governance Model

1. Understand your users and their use cases
  – Identify the services they will be utilizing
  – Do any of the services conflict with institutional offerings? Do they interface with existing services?

2. Apply policy and accountability
  – Ensure roles and responsibilities are understood
  – Define and deploy a clear account management model
  – Identify training needs and opportunities
  – Create a hosting or provisioning account

Page 13: Key Principles of JPL’s Governance Model

3. Provide auditing and traceability
  – Create “describe” API roles in each account
  – Enforce tagging policy for shared accounts
  – Create a security response and forensics plan

4. Leverage an iterative implementation
  – The cloud is agile enough to conform to a changing governance model
  – Don’t wait to implement all aspects of governance before using the cloud

Page 14: Account Management

Diagram layers: Resources; IAM accounts; AWS root – MFA, managed by IT Sec

• Consolidated Billing (No users or resources)
• MSL account
  – IAM user 01: auditing
  – IAM user 02: MSL developer
  – AMI 1, AMI 2
• MER account
  – IAM user 02: MER developer
  – AMI 1, AMI 2
• Hosting account
  – IAM user 01: auditing
  – IAM user: hosting provisioning
  – AMI 1, AMI 2
• +50 more

Page 15: C&A Package

Page 16: Organizational Efficiency (DevOps)

• Automated configuration management
• Monitoring, notification, escalation
• Networking and security operations
• Verification and validation

Diagram labels: Development, Quality Assurance, Operations, DevOps

Page 17: AWS at JPL

• All standard workloads are run in GovCloud
  – Using GovCloud and VPC allows traffic to be inspected and protected by JPL’s existing security systems
  – Public AWS is reserved for unique deployments

Page 18: IAM Account Creations

• Account for forensics
  – Power User
• Account for asset tracking
  – Read only API access
• Account for account owners
  – Power User access
  – Cannot make changes to networking or IAM
  – Responsible for and maintains full access to all AWS resources and resource creation
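
The three IAM tiers on this slide can be written as policies and checked against the boundaries the slide states. The following is an added example, not code from the presentation or from JPL: the policy contents, the NETWORK_CHANGES list and the EXPECTED cases are assumptions, and the evaluator is a simplified model of IAM (actions only, no Resource or Condition handling).

```python
from fnmatch import fnmatchcase
from itertools import product

# Constructed policies for the three tiers on the slide. The deck does not
# publish its policy documents, so every action list here is an assumption.
_VERBS = "Create Delete Modify Attach Detach Replace Associate Disassociate Accept".split()
_NOUNS = ["Vpc", "Subnet", "Route", "InternetGateway", "NetworkAcl",
          "VpnGateway", "VpnConnection", "CustomerGateway"]
# Mutating VPC calls only, so Describe* still works; unused combinations are inert.
NETWORK_CHANGES = [f"ec2:{v}{n}*" for v, n in product(_VERBS, _NOUNS)]

POLICIES = {
    "forensics": [{"Effect": "Allow", "NotAction": ["iam:*"]}],  # Power User
    "asset_tracking": [{"Effect": "Allow", "Action": [  # read-only API access
        "ec2:Describe*", "rds:Describe*", "s3:ListAllMyBuckets",
        "s3:GetBucket*", "iam:List*", "iam:Get*"]}],
    "account_owner": [  # Power User without IAM or networking changes
        {"Effect": "Allow", "NotAction": ["iam:*"]},
        {"Effect": "Deny", "Action": NETWORK_CHANGES}],
}

def _matches(patterns, action):
    # IAM action names are case-insensitive and accept "*" wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(statements, action):
    """Simplified IAM logic: explicit Deny wins, then Allow, else implicit deny."""
    allowed = False
    for st in statements:
        negate = "NotAction" in st  # NotAction matches everything except its list
        hit = _matches(st["NotAction" if negate else "Action"], action) != negate
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

# Constructed boundary cases: (tier, action) -> whether the slide's model permits it.
EXPECTED = {
    ("account_owner", "ec2:RunInstances"): True,
    ("account_owner", "ec2:DescribeVpcs"): True,
    ("account_owner", "ec2:CreateVpc"): False,
    ("account_owner", "ec2:ReplaceRoute"): False,
    ("account_owner", "iam:CreateUser"): False,
    ("asset_tracking", "ec2:DescribeInstances"): True,
    ("asset_tracking", "ec2:TerminateInstances"): False,
    ("forensics", "iam:CreateAccessKey"): False,
}
# Pairs whose evaluated result differs from EXPECTED; empty means the tiers hold.
def boundary_violations(policies=POLICIES, expected=EXPECTED):
    return [k for k, ok in expected.items() if is_allowed(policies[k[0]], k[1]) != ok]
```

Running boundary_violations() against a candidate set of policies before attaching them shows which tier has drifted, for example an account-owner policy that lost its networking deny.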

Page 19: Common Mistakes

• Incorrect metadata
• Instances left running
• Default user accounts
• Unpatched systems
• Using the wrong cloud

Page 20: Measure the Value

• Calculate the cost of implementing governance along with the cost of cloud resources
• Consider the benefits of organizational efficiencies gained by cloud and governance
• Compare agility and speed to market vs. adoption of governance

Page 21: Thank You

Jonathan Chiang
Matthew Derenski