Compliant Cloud+Campus Hybrid HPC Infrastructure
Total Page:16
File Type:pdf, Size:1020Kb
Compliant Cloud+Campus Hybrid HPC Infrastructure Brenden Judson Matt Vander Werf, Paul Brenner Computer Science and Engineering Center for Research Computing University of Notre Dame University of Notre Dame [email protected] fmvanderw,[email protected] Abstract—We present a hybrid cloud+campus model for implement an information security and protection program. deploying secure research cyberinfrastructure in line with a On November 4, 2010, President Barack Obama issued Ex- growing number of federally funded scientific research security ecutive Order 13556 with the goal of establishing an “open requirements. While the security mechanisms are inline with many regulations, we specifically focus on the NIST 800-171 CUI and uniform program for managing” controlled unclassified compliance that is now required by many US DARPA funded information (CUI) [4]. Federal agencies often contract with contracts. We discuss our architectural framework and rationale private organizations, resulting in some their sensitive data for leveraging shared ND services in AWS GovCloud in concert being housed externally. This led to the creation of NIST with CUI compliant HPC systems on our campus in a hybrid Special Publication (SP) 800-171 Rev. 1 in 2016, which set the fashion; allowing an individual CUI regulated research project to bridge two connected but distinct infrastructures. regulation standards for CUI [5] data resident in non federal Index Terms—CUI, FISMA, HPC, NIST, AWS GovCloud, IT infrastructure. Since then, a growing number of agencies NIST SP 800-171, Thin Client have been requiring companies and institutions housing their information to meet NIST SP 800-171 requirements, often I. INTRODUCTION referred to as CUI compliance. Specific to the research projects The widespread embrace of distributed and data-centric in this work, the Defense Advanced Research Projects Agency platforms such as the Internet of Things (IoT), cloud storage, (DARPA) requires CUI compliance for many of their projects. machine learning, etc. has been driving high performance Multiple federal grants at the University of Notre Dame (ND) computational research infrastructure, which has traditionally now have the requirement of CUI compliance. been computation-centric, toward data-centric models. World- As CUI compliance continues to become the norm when wide, the amount and diversity of data continues to grow working with certain federal agencies; many companies, uni- exponentially. A recent prediction, made by the International versities, and institutions look to make their information Data Corporation (IDC), claimed that by the year 2025, 163 systems CUI compliant. Recent work highlights this trend zettabytes of data will be created globally each year [1]. and how compliance has become such a relevant topic. For As such, it is getting increasingly difficult to contain and example, in the HPC Security & Compliance Workshop regulate. Recent news stories surrounding data privacy laws (PEARC18), Pennsylvania State University's Joseph Gridley such as Facebook's Zuckerburg hearing before congress [2], gave a presentation on the “Validation of CUI Environments “fake news” influence of democratic elections, and others like Using NIST 800-171A” [6] and Preston Smith outlined the them have brought the value, risk and power of leveraging University of Purdue's compliant environment in his presenta- data to the forefront of society's attention (including legisla- tion, “REED: from Service to Ecosystem” [7]. This workshop tors); making data regulation increasingly more important and featured many other relevant presentations that can be found commonplace. on their website [8]. Other work such as Kelly W. Bennett's While society's attention to data security has recently in- paper on a cloud-based security architecture [9] and the creased, the federal regulation of sensitive digital data is not University of Arizona's CUI compliant environment [10] are a new government focus. The Health Insurance Portability additional examples of other institution's work that pertains to and Accountability Act of 1996 (HIPAA) placed regulations compliance. Although there is a great deal of relevant work on medical information. Similarly, personally identifiable in- being done, there is very little documentation or published formation (PII) and classified information have been highly work on hybrid compliant environments. regulated for decades. Major strides towards regulation were As outlined by NIST SP 800-171, there are fourteen cate- taken in 2002 when the Federal Information Security Man- gories associated with being CUI complaint: agement Act (FISMA) became law, requiring federal agencies 1) Awareness and Training to develop, document, and implement an information security 2) Auditing and Accountability and protection program (revised on December 8, 2014) [3]. 3) Configuration Management FISMA tasked the National Institute of Standards and Tech- 4) Identification and Authentication nology (NIST) to create standards outlining how to properly 5) Incident Response 6) Maintenance can simplify your responsibility in meeting compliance, saving 7) Media Protection you time and money. Cloud services also help you avoid the 8) Personnel Security headaches that accompany having physical hardware on-site 9) Physical Protection (compliance audits, maintenance, deterioration, etc.). Instead, 10) Risk Assessment the cloud vendor assures you state-of-the-art hardware and 11) Security Assessment enhanced security measures. Large public clouds may also 12) System and Communication Protection have newer and more powerful individual servers than in the 13) System and Information Integrity average HPC environment (an optimized InfiniBand network is 14) Access Control a separate matter). One of the reasons for this is the fact that Each one of these categories is broken down into many many companies and organizations have been keeping their controls that specify the exact compliance requirements, for on-site HPC systems longer than ever before [16]. more details see [11]. Cloud technologies are also more elastic and scalable than In recognition of the expanding market for cloud services traditional on-campus HPC infrastructures. Being able to scale that meet various federal regulations, all three of the major with demand provides agility to your CUI environment that US public cloud vendors have taken strides to expand this has not been available in the past, providing users with aspect of their business [12] [13] [14]. The University of more options. For many customers, AWS allows them to Notre Dame's CUI environment utilizes the Amazon Web scale beyond what would be practical in their on-campus Services (AWS) GovCloud region to implement a compliant environments without the need for large capital investment. environment and therefore, AWS is the cloud vendor focused AWS also offers cost saving features such as spot instances, on for the remainder of this paper. AWS GovCloud (US) is which allow you to purchase spare compute capacity at steep an isolated AWS region designed to allow customers to move discounts. sensitive workloads into a cloud environment that addresses B. Campus CUI Environment their specific regulatory and compliance requirements. The region is operated exclusively by employees who are U.S. Today, most aspects of enterprise information technology citizens, only on U.S. soil, and is only accessible to vetted (IT) at ND have been widely migrated to the cloud. HPC is U.S. entities. While not all CUI regulated projects have a also gaining traction in cloud usage. Cloud spending by HPC US citizenship requirement, it is a common requirement to customers grew by 44 percent from 2016 to 2017 and it is meet certain federal regulations, including International Traf- projected to be the fastest-growing expense for HPC centers fic in Arms Regulations (ITAR) and Export Administration for the next five years, reaching nearly $3 billion by 2022 [16]. Regulations (EAR). These GovCloud features (along with All three major cloud providers now support some degree of others) allow AWS to help customers meet a variety of HPC [17] [18] [19] and the case for HPC in the cloud is compliance requirements such as HIPAA, ITAR, EAR, Federal growing ever stronger. However, all three lack the capability Risk and Authorization Management Program (FedRAMP), to cost effectively support the large scale (>1-10K tightly FISMA High Baselines and the DOD Security Requirements coupled cores) and high utilization rates typical of top-tier Guide. HPC centers operated by many research institutions such as Recent research grants that the University of Notre Dame Notre Dame. has become involved with, such as those sought by the HPC environments consistently have very high utilization ND Turbomachinery Laboratory (NDTL) [15], have provided percentages, much higher than general or enterprise IT sys- the unique opportunity to create a hybrid (cloud+campus) tems. Cloud services are priced based on their utilization and CUI environment that contains the necessary infrastructure thus, cloud cycles continue to be more expensive than in- to perform high performance computing (HPC). This paper house cycles for HPC [16]. Furthermore, hosting your secure continues by comparing the trade-offs between hosting a CUI infrastructure in the GovCloud region adds additional fees HPC environment in AWS GovCloud or with on-campus to AWS's standard fees. Many customers will find that their hardware. From there, we outline Notre Dame's hybrid CUI research computing