Transcription
2013 AWS Worldwide Public Sector SummitWashington, D.C.Air Force Safety Center “MFOQA & ASAP”Integrated Safety Information SystemCharles Grimes, IA Security Solutionswww.iassecurity.net
MFOQA & ASAP MFOQA – Military Flight OperationsQuality Assurance– Routine analysis of flight datarecorder files– Proactive vs. Reactive– Integrated Safety InformationSystem – ISIS2013 AWS Worldwide Public Sector Summit
MFOQA & ASAP ASAP – Aviation Safety Action Program– Voluntary, text-based safety reports– Taxonomy provides data for trending2013 AWS Worldwide Public Sector Summit
Situation Small server rack – 15 serverstotalCorporate office building– Growth– Compliance2013 AWS Worldwide Public Sector Summit
Situation Growth– No room to expand Storage Processing– Redundancy2013 AWS Worldwide Public Sector Summit Compliance– DIACAP – Defense InformationAssurance Certification &Accreditation Program
Storage & Processing Growth becoming 20WeeklyBi-MonthlyC-17Avg FileSize (MB)Fleet Size15452302 GB217C-135RDaily15386C-130JDaily15145 ily1560F-15C/D/ETBDTBD104682013 AWS Worldwide Public Sector Summit
Storage & Processing Daily ProcessingRe-Runs2013 AWS Worldwide Public Sector Summit
DIACAP ISIS -- MAC III Sensitive2013 AWS Worldwide Public Sector Summit8
Tasking Determine most costeffective hosting solution– Collocated data center atAF Safety Center– DISA RACE– Amazon Web Services2013 AWS Worldwide Public Sector Summit
Tasking Complete DIACAP Certification &Accreditation––Authority to OperateAccredit using preferred host2013 AWS Worldwide Public Sector Summit
Actions Select hosting solution––Collocated not feasible – budgetconstraintsServers for peak load vs. steady state2013 AWS Worldwide Public Sector Summit
RACE vs. AWS Cost Comparison – Raw Cost2013 AWS Worldwide Public Sector Summit
RACE vs. AWS2013 AWS Worldwide Public Sector Summit
Result Dollar cost winsRACEAWSEstimated Annual Cost:Actual Average Annual Cost: 1,300,000Estimated Annual Savings: 1,175,0002013 AWS Worldwide Public Sector Summit 125,000
Result Processing wins Reruns – days vs. weeksEliminated processing bottlenecks2013 AWS Worldwide Public Sector Summit
Result DIACAP– Required for all DoD Information Systems– Includes Contractor Owned/Operated processing DoDinformation– “Cloud” system is officially an “Outsourced IT-Based Process(service provider shared)*– Only one speed bump 2013 AWS Worldwide Public Sector Summit
Result – DIACAP An Outsourced IT-Based Process ? The “Cloud” ?2013 AWS Worldwide Public Sector Summit
DIACAP DoDI 8510.01 (DIACAP)– Allows and provides basic guidance for outsourced IT-basedprocesses (i.e., the “cloud”)– Identical language in draft RMF for DoD IT DoDI 8582.-1 (Unclassified DoD Information on non-DoDInformation Systems)– Specifically excludes outsourced IT-based processes2013 AWS Worldwide Public Sector Summit
DIACAP ISIS DIACAP Team worked closely with– AWS Security & Compliance teams– Air Force Network Integration Center (AFNIC) Interesting hurdles such as dual SLAs– No contractual relationship between AWS and AF Safety Center Interesting questions such as why “Sensitive” informationin a commercial facility vs. DoD?2013 AWS Worldwide Public Sector Summit
DIACAP ATO granted after 18-months, including transitions from:– AF EITDR (IT Acquisition) system– AF C&A Workflow (subset of EITDR)– eMASS After transition to eMASS—6 months to ATO– Including AFNIC contractor funding/manning delays Team Win:– First evaluator had 1 ½ pages of minor question2013 AWS Worldwide Public Sector Summit
Outcome Smooth Transition to AWS Satisfied Customers Rapid Deployment of Code Changes / Re-runs– “Instantly” scalable– 1 & 10 10 & 1 HUGE cost savings over other options– Over 1 Million Annually– Dollars available for primary mission: analysis2013 AWS Worldwide Public Sector Summit
Outcome – Disaster Recovery2013 AWS Worldwide Public Sector Summit
Outcome – Disaster Recovery Traditional DR – Offsite DR recovery center Pilot Light DR2013 AWS Worldwide Public Sector Summit
Lessons Learned Is the transition hard?– Technically no– For C&A / A&A chain Think digital vs. analog– Ensure assessment team understands cloud Differences from physical datacenter model System vs. cloud host boundaries – common controls Use AWS services– Amazon SQS, Amazon SNS, Amazon SES, Amazon CloudFront2013 AWS Worldwide Public Sector Summit
2013 AWS Worldwide Public Sector Summit
Thank You
DoDI 8510.01 (DIACAP) -Allows and provides basic guidance for outsourced IT-based processes (i.e., the "cloud") -Identical language in draft RMF for DoD IT DoDI 8582.-1 (Unclassified DoD Information on non-DoD Information Systems) -Specifically excludes outsourced IT-based processes . 2013 AWS Worldwide Public Sector Summit
