How the Recovery Board gathered its multiple clouds
The Recovery Accountability and Transparency Board (RATB) has deployed a cloud hub that lets the agency securely integrate and manage a variety of cloud services from multiple providers.
Launched in October, the cloud hub lets RATB use multiple cloud providers alongside its own internal private cloud infrastructure, according to agency CIO Shawn Kingsberry. The hub's technology stack includes a firewall between the agency's enterprise network and each cloud service provider, a router for virtual private network connections, and computing services with integrated security and service management, Kingsberry said.
Best known for the Recovery.gov website, RATB is a non-partisan government agency created by the American Recovery and Reinvestment Act of 2009 to provide transparency of Recovery Act-related funds and to detect and prevent fraud, waste and mismanagement.
The move of Recovery.gov, the stimulus tracking website, to Amazon's Elastic Compute Cloud (EC2) infrastructure-as-a-service platform was the agency's first step toward a multiple-cloud strategy, Kingsberry said. RATB has since moved e-mail and office automation systems to Microsoft's Office 365 Government Community Cloud.
FederalReporting.gov, the data collection system for federal agencies and recipients of stimulus funds to fulfill reporting obligations, is hosted in CGI’s secure federal cloud.
FederalAccountability.gov, the portal for agencies and inspectors general to perform risk assessments of individuals and organizations that have applied for or received funds, is hosted in RATB’s private analytics cloud at the agency’s headquarters in Washington, D.C. Plans are underway to move big data analytics using Hadoop to a private cloud.
RATB folded the best practices that industry and agencies have derived for the challenges of cloud deployment into its cloud hub architecture, Kingsberry said. Those practices address compliance, data flow and data protection, security, and visibility of information.
Now, “we are our own cloud broker,” he said.
A critical component of the hub is the ability to control, monitor and audit access to systems and information across a hybrid cloud infrastructure. To that end, RATB deployed Xceedium's Xsuite software, which provides a single point of policy management for privileged access to information and applications.
“Xceedium is actually in our cloud hub stack, handling access control between all of our systems,” Kingsberry explained. The software provides auditing and the ability to control access because users go through one central point to access systems, including those in the cloud. “In essence, I can go through one interface to manage Amazon and Microsoft 365,” he said.
Xsuite also lets RATB enforce separation of duties and record the sessions of all administrators who access its internal server stack and the managed service it offers to other federal agencies. The software will protect servers in the agency's VMware-based private cloud as well as infrastructure running on Amazon EC2 and Amazon's Simple Storage Service (S3).
Xsuite can run on a physical appliance in a data center (or distributed across that facility), or as a virtual appliance inside a cloud provider's infrastructure such as Amazon's, said Ken Ammon, Xceedium's chief strategy officer.
Additionally, RATB managers will be able to require Personal Identity Verification (PIV) cards for system administrators working on Recovery.gov, adding multi-factor authentication before they are granted access to critical systems and cloud management consoles. RATB will require PIV cards for administrative access to servers wherever they reside, without having to change how the agency manages passwords and other credentials on those systems.
RATB's cloud hub architecture provides other security features as well, Kingsberry said. Because RATB has implemented Microsoft Active Directory Federation Services (ADFS) 2.0, the agency can lock down which devices are allowed to sync with its network. "We can say only RATB-issued devices can connect and sync with us," he said.
"But the cool thing about that is, our architecture can support bring-your-own-device," Kingsberry added. If RATB can obtain unique identifying information from each user's mobile device, managers can say, "Only connect with this device," and permit access for smartphones by model, serial number and telephone number.
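The article attributes the device lock-down to ADFS 2.0 but does not show how the policy is expressed. On the mail side of Office 365 (Exchange Online), the same "only this device may sync" policy is implemented with Exchange ActiveSync device access settings: a default of quarantine, organization-wide rules keyed on the model string the client reports, and a per-mailbox allowlist keyed on the ActiveSync DeviceId. The block below is an added illustration of that Exchange-side mechanism, not RATB's configuration; the mailbox, device identifier, model string and admin address are constructed, it assumes an already connected Exchange Online PowerShell session, and it uses the current cmdlet names (Get-MobileDevice rather than the older Get-ActiveSyncDevice).

```powershell
# Added illustration, not RATB's configuration. Assumes an existing
# Exchange Online PowerShell session (Connect-ExchangeOnline has run).
# All identifiers below are constructed examples.

# 1. Default-deny: a device not matched by any rule or allowlist is
#    quarantined (no mail sync) and an administrator is notified.
Set-ActiveSyncOrganizationSettings `
    -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "eas-admin@example.gov" `
    -UserMailInsert "This device is not approved for mail sync. Contact the help desk."

# 2. Organization-wide rule keyed on the DeviceModel string the client
#    reports (copy the exact value from Get-MobileDevice output for a
#    known-good phone). This is the "by model" control in the text; the
#    string is self-reported and easy to spoof, so it is coarse filtering,
#    not device identity.
New-ActiveSyncDeviceAccessRule `
    -QueryString "ExampleModelString" `
    -Characteristic DeviceModel `
    -AccessLevel Allow

# 3. Per-mailbox allowlist keyed on the ActiveSync DeviceId the client
#    presents. This is the "only connect with this device" control:
#    one user, one (or a few) explicitly approved devices.
$user      = "jdoe@example.gov"          # constructed
$deviceIds = @("ABCDEF0123456789")       # constructed DeviceId

Set-CASMailbox -Identity $user -ActiveSyncAllowedDeviceIDs $deviceIds

# 4. Verify: list what the user has paired and the access state the
#    policy assigned. Anything still Quarantined was not admitted.
Get-MobileDevice -Mailbox $user |
    Select-Object DeviceId, DeviceModel, DeviceAccessState, DeviceAccessStateReason

# 5. Clean-up: remove partnerships the policy rejected so they do not
#    linger as pending requests.
Get-MobileDevice -Mailbox $user |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Remove-MobileDevice -Confirm:$false
```

The order matters: the per-mailbox allowlist (step 3) overrides organization-wide rules (step 2), which override the default (step 1), so a quarantine default plus explicit allowlists gives the "RATB-issued devices only" posture, while adding a user's own DeviceId to the allowlist is what turns it into bring-your-own-device for that user. None of this replaces ADFS: the federation service still decides who the user is; these settings decide which device that user may sync from.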
“We thought about a lot of that as we architected our cloud hub,” he said. It wasn’t easy, but Kingsberry credited his colleagues at RATB with making it work.