Cloud Enclaves, Multitenancy and FISMA

Los Alamos National Labs (LANL) is a security research institution responsible for American nuclear deterrence. They have invested in security management practices and moved from a federal regulatory concern to an award-winning (see below) leader in security and compliance.

How did the Lab get to this point? A major effort to measure risk, apply National Institute of Standards and Technology controls, certify the use of those controls, and arrive at standard and supported system configurations for Lab systems consumed much of 2008.

A Solutions Architect now discusses on a podcast by The Virtualization Practice how they handled the NIST Certification and Accreditation (C&A) process and received authority to operate at FISMA moderate with VMware vCloud.

At a site like LANL, workloads that cross domains, security enclaves, or classification levels need to be understood from the beginning, not after the Cloud is deployed. This matters because such workloads complicate every configuration decision: cross-domain traffic has to be restricted to specific, known sources while all other sources are denied. This is where tools like vShield App come in: they can keep all VMs from talking to each other, yet still permit cross-talk between domains for specific VMs where it is required.

The details of the architecture also will be presented October 11th in Washington DC when LANL receives a Cloud Initiatives in Government award from SANS.

LANL’s Infrastructure on Demand features an innovative cloud security and automation architecture, leveraging VMware’s vShield and LANL-written active defense on behalf of the workload clients. Key features include:

  1. Automated provisioning of workloads into secure enterprise enclaves.
  2. Mapping physical security into a virtual security model using VMware vShield.
  3. Employing automated remediation features to offline non-compliant workloads.
  4. Extension of a private cloud security framework into a secure hybrid cloud.
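The enclave model sketched above (default deny between enclaves, explicit per-VM cross-domain exceptions) and the remediation feature in item 3 can be made concrete with a small policy evaluator. This is an added illustration, not LANL's or VMware's code; the enclave names, VM names, ports and flows are constructed sample data.

```python
"""Toy model of an enclave firewall policy: each VM is placed in exactly one
security enclave, traffic between enclaves is denied unless a specific
(src_vm, dst_vm, dst_port) exception exists, and a workload that has no
enclave placement is flagged for automated offlining. All names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int

@dataclass
class EnclavePolicy:
    enclave_of: Dict[str, str]                     # vm name -> enclave name
    cross_domain_allow: Set[Tuple[str, str, int]] = field(default_factory=set)
    intra_enclave_allowed: bool = True             # False = isolate every VM

    def decide(self, flow: Flow) -> str:
        src: Optional[str] = self.enclave_of.get(flow.src_vm)
        dst: Optional[str] = self.enclave_of.get(flow.dst_vm)
        if src is None or dst is None:
            # A VM outside the enclave inventory is non-compliant by definition.
            return "quarantine"
        if src == dst:
            return "allow" if self.intra_enclave_allowed else "deny"
        # Cross-domain: only the explicitly listed VM-to-VM flows may pass.
        key = (flow.src_vm, flow.dst_vm, flow.dst_port)
        return "allow" if key in self.cross_domain_allow else "deny"

    def non_compliant_workloads(self, observed: Iterable[Flow]) -> Set[str]:
        """VMs seen on the wire that have no enclave placement; these are the
        candidates an automated remediation step would take offline."""
        seen = {vm for f in observed for vm in (f.src_vm, f.dst_vm)}
        return {vm for vm in seen if vm not in self.enclave_of}

def sample_policy() -> EnclavePolicy:
    # Constructed inventory: a DMZ web tier and an internal app/db tier,
    # with a single approved hop from the DMZ into the internal enclave.
    inventory = {"web01": "dmz", "app01": "internal", "db01": "internal"}
    return EnclavePolicy(inventory, {("web01", "app01", 8443)})
```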
