Bringing Governance to an Existing Cloud at NASA’s Jet Propulsion Laboratory (JPL): A Case Study
DESCRIPTION
Amazon Web Services provides JPL with a vast array of capabilities to store, process, and analyze mission data. JPLers were early to adopt AWS services to build complex solutions, but quickly grew to over 50 AWS accounts, 80 IAM users, and hundreds of resources. To deal with this complexity, a team of engineers inside JPL's Office of the CIO developed a cloud governance model. The true challenge was implementing it on existing deployments. Learn about their model and how they overcame the challenges.
TRANSCRIPT
AWS Government, Education, and Nonprofits Symposium Washington, DC | June 24, 2014 - June 26, 2014
Bringing Governance to an Existing Cloud at NASA’s Jet Propulsion Laboratory
Jonathan Chiang, Matthew Derenski
Introductions
• Jonathan Chiang – IT Chief Engineer
• Matthew Derenski – Cyber Security Engineer
Agenda
• Provide a brief background of JPL
• Detail why JPL uses Amazon Web Services
• Understand JPL use cases for AWS
• Describe JPL’s early engagement with AWS
• Review JPL’s implementation of its governance plan
• Utilizing governance to achieve organizational efficiency
• Measuring the value
Who Is JPL?
• We are a federally funded research and development center (FFRDC) managed by Caltech
• We have 21 spacecraft and 9 instruments conducting active missions
• We manage NASA’s Deep Space Network (DSN)
• We “dare mighty things”
Why Does JPL Use AWS?
• Quick and easy to provision/deprovision
• Reduce CapEx and large initial investments
• Pay as you go, only for what you use
• Automation and reusability
How JPL Uses AWS: HPC/data processing
How JPL Uses AWS: Public outreach
• Mars Exploration Program – Mars.jpl.nasa.gov
• Eyes on the Solar System – Eyes.jpl.nasa.gov
• Night Sky Network – Nightsky.jpl.nasa.gov
How JPL Uses AWS: Storage, backup, and disaster recovery
(Examples shown: Mars exploration rovers; Station fires)
How JPL Uses AWS: Collaboration, rapid development, enterprise applications
Early AWS Engagement
• Issued 60+ root-level AWS accounts to various project teams
• Added all accounts to consolidated billing
• Associated a single project/task number for charge back and bill back
The Problem
Key Principles of JPL’s Governance Model
1. Understand your users and their use cases
– Identify the services they will be utilizing
– Do any of the services conflict with institutional offerings? Do they interface with existing services?
2. Apply policy and accountability
– Ensure roles and responsibilities are understood
– Define and deploy a clear account management model
– Identify training needs and opportunities
– Create a hosting or provisioning account
Key Principles of JPL’s Governance Model (continued)
3. Provide auditing and traceability
– Create “describe” API roles in each account
– Enforce tagging policy for shared accounts
– Create a security response and forensics plan
4. Leverage an iterative implementation
– The cloud is agile enough to conform to a changing governance model
– Don’t wait to implement all aspects of governance before using the cloud
Account Management (diagram)
Layers shown for every account, top to bottom: AWS root, IAM accounts, resources.
• AWS root – MFA, managed by IT Sec
• Consolidated Billing account – no users or resources; all project accounts are linked to it
• MSL account – IAM user 01 (auditing), IAM user 02 (MSL developer); resources: AMI 1, AMI 2
• MER account – IAM user 02 (MER developer); resources: AMI 1, AMI 2
• Hosting account – IAM user 01 (auditing), IAM user hosting (provisioning); resources: AMI 1, AMI 2
• +50 more accounts of the same shape
C&A (Certification and Accreditation) Package
Organizational Efficiency (DevOps)
• Automated configuration management
• Monitoring, notification, escalation
• Networking and security operations
• Verification and validation
(Diagram: Development, Quality Assurance, and Operations overlapping in the middle as DevOps)
AWS at JPL
• All standard workloads are run in GovCloud
– Using GovCloud and VPC allows traffic to be inspected and protected by JPL’s existing security systems
– Public AWS is reserved for unique deployments
IAM Account Creations
• Account for forensics
– Power User
• Account for asset tracking
– Read-only API access
• Account for account owners
– Power User access
– Cannot make changes to networking or IAM
– Responsible for and maintains full access to all AWS resources and resource creation
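The three IAM account types above (forensics, asset tracking, account owner) and the “describe” API roles from principle 3 can be expressed as IAM policy documents. The following is an added example, not JPL's actual policies and not part of the presentation: the concrete action lists are my reading of “read-only API access”, “Power User”, and “cannot make changes to networking or IAM” (AWS's managed PowerUserAccess policy is approximated by an Allow with NotAction iam:*, and the networking action list is assumed, since the slides name no APIs). It also includes a small offline evaluator that implements only the part of IAM evaluation logic that matters here, so you can check what each account type may call before attaching the documents.

```python
"""Approximation of the three IAM account types from the talk, with a small
offline evaluator. Added example; not JPL's actual policies.

Assumptions (not from the slides): the action lists are my reading of
"read-only API access", "Power User", and "cannot make changes to networking
or IAM"; AWS's managed PowerUserAccess policy is approximated by an Allow
with NotAction iam:*. The evaluator implements only this part of IAM's
logic: an explicit Deny always wins, otherwise any matching Allow grants the
action, otherwise the default is deny.
"""
import fnmatch
import json

# Asset-tracking / auditing user: "describe"-style read-only access only.
ASSET_TRACKING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "iam:Get*", "iam:List*",
                    "s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetBucket*"]},
    ],
}

# Forensics user: Power User, i.e. everything except IAM administration.
FORENSICS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "NotAction": ["iam:*"]},
    ],
}

# Actions that change VPC topology or reachability. Assumed list: the
# slides only say "networking" without naming APIs. Describe* is left out
# on purpose so owners can still see the network they run in.
NETWORK_CHANGE_ACTIONS = [
    "ec2:CreateVpc", "ec2:DeleteVpc", "ec2:ModifyVpcAttribute",
    "ec2:CreateSubnet", "ec2:DeleteSubnet",
    "ec2:CreateRouteTable", "ec2:DeleteRouteTable", "ec2:AssociateRouteTable",
    "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:ReplaceRoute",
    "ec2:CreateInternetGateway", "ec2:AttachInternetGateway",
    "ec2:DetachInternetGateway", "ec2:DeleteInternetGateway",
    "ec2:CreateNetworkAcl", "ec2:DeleteNetworkAcl", "ec2:*NetworkAclEntry",
    "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup",
    "ec2:AuthorizeSecurityGroup*", "ec2:RevokeSecurityGroup*",
    "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection",
    "ec2:DeleteVpcPeeringConnection",
]

# Account owner: Power User, but explicitly denied IAM and network changes.
# The Deny statement is what matters: in IAM an explicit Deny overrides the
# broad Allow regardless of statement order.
ACCOUNT_OWNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "NotAction": ["iam:*"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["iam:*"] + NETWORK_CHANGE_ACTIONS},
    ],
}


def _matches(patterns, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def _applies(statement, action):
    """A statement applies if Action matches, or NotAction does not."""
    if "Action" in statement:
        return _matches(statement["Action"], action)
    return not _matches(statement["NotAction"], action)


def is_allowed(policy, action):
    """Simplified evaluation: explicit Deny wins, then Allow, else deny."""
    allowed = False
    for statement in policy["Statement"]:
        if not _applies(statement, action):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


POLICIES = {
    "asset-tracking": ASSET_TRACKING_POLICY,
    "forensics": FORENSICS_POLICY,
    "account-owner": ACCOUNT_OWNER_POLICY,
}

PROBE_ACTIONS = [
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:CreateSnapshot",
    "ec2:DescribeVpcs", "ec2:AuthorizeSecurityGroupIngress",
    "iam:CreateUser", "iam:CreateAccessKey",
]


def capability_matrix():
    """Map each account type to the probe actions it may call."""
    return {name: [a for a in PROBE_ACTIONS if is_allowed(pol, a)]
            for name, pol in POLICIES.items()}


if __name__ == "__main__":
    for name, actions in capability_matrix().items():
        print(f"{name:15} {', '.join(actions)}")
    # The account-owner document, ready to attach with iam:PutUserPolicy.
    print(json.dumps(ACCOUNT_OWNER_POLICY, indent=2))
```

The evaluator is deliberately minimal (no Resource or Condition matching, no policy boundaries), so treat its output as a sanity check on the Deny list, not as a replacement for the IAM policy simulator. The point it makes is the one the slide relies on: a Power User Allow can be carved down safely only with an explicit Deny, because a second Allow never subtracts permissions.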
Common Mistakes
• Incorrect metadata
• Instances left running
• Default user accounts
• Unpatched systems
• Using the wrong cloud
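Three of the mistakes above (incorrect metadata, instances left running, using the wrong cloud) are exactly what the read-only asset-tracking account and the tagging policy from principle 3 exist to catch. The following audit is an added example, not JPL's tooling and not part of the presentation. Assumptions: the required tag keys (Project, TaskNumber, Owner) mirror the deck's “single project/task number for charge back”; the 30-day runtime threshold and the GovCloud region prefix are my choices. The input is constructed data in the shape that boto3's ec2.describe_instances()["Reservations"] returns, so the same function can be pointed at a live account by substituting that call.

```python
"""Asset-tracking audit over describe-instances output. Added example, not
from the talk. Assumed: the required tag keys mirror the deck's chargeback
project/task number; the 30-day threshold and GovCloud prefix are mine.
SAMPLE_RESERVATIONS is constructed data in the shape returned by
boto3 ec2.describe_instances()["Reservations"].
"""
from datetime import datetime, timedelta, timezone

REQUIRED_TAGS = ("Project", "TaskNumber", "Owner")   # assumed tag keys
MAX_RUNTIME = timedelta(days=30)                     # assumed threshold
GOVCLOUD_PREFIX = "us-gov-"                          # us-gov-west-1a, ...

UTC = timezone.utc
NOW = datetime(2014, 6, 24, tzinfo=UTC)   # fixed clock for the sample data

SAMPLE_RESERVATIONS = [   # constructed; mirrors describe_instances() shape
    {"Instances": [
        {"InstanceId": "i-0a1", "State": {"Name": "running"},
         "LaunchTime": datetime(2014, 6, 20, tzinfo=UTC),
         "Placement": {"AvailabilityZone": "us-gov-west-1a"},
         "Tags": [{"Key": "Project", "Value": "MSL"},
                  {"Key": "TaskNumber", "Value": "100.2"},
                  {"Key": "Owner", "Value": "msl-dev"}]},
        {"InstanceId": "i-0b2", "State": {"Name": "running"},
         "LaunchTime": datetime(2014, 3, 1, tzinfo=UTC),
         "Placement": {"AvailabilityZone": "us-gov-west-1b"},
         "Tags": [{"Key": "Project", "Value": "MER"},
                  {"Key": "Owner", "Value": "mer-dev"}]},
    ]},
    {"Instances": [
        {"InstanceId": "i-0c3", "State": {"Name": "stopped"},
         "LaunchTime": datetime(2014, 6, 1, tzinfo=UTC),
         "Placement": {"AvailabilityZone": "us-east-1a"}},   # no Tags key
    ]},
]


def _tags(instance):
    """Flatten the API's list of {Key, Value} pairs into a dict."""
    return {t["Key"]: t["Value"] for t in instance.get("Tags", [])}


def audit_instance(instance, now):
    """Return the list of governance findings for one instance."""
    findings = []
    tags = _tags(instance)
    missing = [k for k in REQUIRED_TAGS if not tags.get(k)]
    if missing:   # "incorrect metadata": chargeback needs every key present
        findings.append("missing tags: " + ", ".join(missing))
    if instance["State"]["Name"] == "running":   # "instances left running"
        age = now - instance["LaunchTime"]
        if age > MAX_RUNTIME:
            findings.append(f"running for {age.days} days")
    az = instance["Placement"]["AvailabilityZone"]   # "using the wrong cloud"
    if not az.startswith(GOVCLOUD_PREFIX):
        findings.append(f"outside GovCloud ({az})")
    return findings


def audit(reservations, now=None):
    """Map instance id -> findings, omitting compliant instances."""
    now = now or datetime.now(UTC)
    report = {}
    for reservation in reservations:
        for instance in reservation["Instances"]:
            findings = audit_instance(instance, now)
            if findings:
                report[instance["InstanceId"]] = findings
    return report


if __name__ == "__main__":
    for instance_id, findings in audit(SAMPLE_RESERVATIONS, NOW).items():
        print(instance_id, "->", "; ".join(findings))
```

Run it under the read-only asset-tracking credentials, never the account-owner ones: the audit needs only ec2:Describe*, and keeping it on a describe-only user is what makes it safe to schedule across all 50+ accounts. The other two mistakes on the slide, default user accounts and unpatched systems, are not visible from the EC2 API and need host-level checks.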
Measure the Value
• Calculate the cost of implementing governance along with the cost of cloud resources
• Consider the benefits of organizational efficiencies gained by cloud and governance
• Compare agility and speed to market vs. adoption of governance
Thank You
Jonathan Chiang, Matthew Derenski