Case Study: Automation & Orchestration, Continuous Compliance, Financial Management, Cloud Enablement, Government
Last updated on February 1st, 2023 at 2:37pm
When you’re collecting land, atmosphere, ocean dynamics, cryosphere, and human dimensions data across multiple scientific missions, volume is just one of the challenges. One mission within NASA’s Earth Observing System Data and Information System (EOSDIS) alone generates approximately 80 TB of data each day.
Earth science data comes from satellites, aircraft, field measurements, and various other programs. The task of processing this data falls to the Earth Science Data & Information System (ESDIS) team. ESDIS captures, cleans, processes, archives, subsets, and distributes the data to users in support of research, applications, and education. To do so, ESDIS uses the Amazon Web Services (AWS) cloud to store and process much of its data.
As NASA field centers prepare to manage a growing amount of Earth science data while new satellites launch over the next several years, the challenge is how best to manage and scale in the public cloud so that this data can be maintained as a national asset.
The infrastructure required to manage the EOSDIS data collections is a multi-account, Infrastructure-as-a-Service (IaaS) cloud platform operating on AWS that provides shared cloud services and controls. As the manager of this commercial cloud platform, ESDIS looked to manage and scale usage more effectively to support increasing demands for agility and efficiency. A controlled, distributed account approach backed by automation was required to overcome some of the networking and resource limitations facing the cloud implementation at NASA.
NASA had several objectives for their cloud operations:
- Maximize autonomy by providing users a platform, not a gate
- Maximize flexibility to give users the freedom to achieve their mission
- Deliver shared services and controls that would reduce duplication, complexity, and cost
- Streamline access and deliver governance
NASA chose Kion (at the time branded as cloudtamer.io) to provide continuous compliance, user authentication, user authorization, spend monitoring, and budget control. Kion features help organizations overcome adoption and management hurdles that arise when taking a decentralized approach to cloud management responsibilities:
- Continuous compliance and security features allow organizations to hierarchically enforce policies that restrict access to cloud services and configurations based on compliance frameworks. This ensures project AWS accounts stay within the frameworks established for their mission. Multiple Earth science data customers have their own AWS accounts, and Kion allows these customers to create and manage their own funding sources and set thresholds for spend alerting. From a policy perspective, Kion delivers enforcement that blocks hosting websites from S3 buckets, limits the AWS services in use to those with FedRAMP/NASA approval, and restricts Reserved Instance (RI) and AWS Marketplace purchases. These policies are central to establishing a governance model and account structure for users across NASA.
- Account management features allow users to create and control access to their own project AWS accounts through a self-service workflow and automatically align it to the broader organization structure.
- Budget enforcement features allow budgets to be set per AWS project based on the allocations and funding sources available within the organization. Enforcement actions ensure that budgets cannot be exceeded, since overspending could violate regulations such as the Antideficiency Act (ADA).
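The three account-level restrictions described above (no S3 website hosting, only approved services, no RI or Marketplace purchases) are the kind of guardrail that is typically expressed as an AWS Organizations service control policy (SCP). The block below is an added illustration written for this page; it is not Kion’s or NASA’s own policy, and the page does not say how Kion implements its cloud rules internally. The approved-service list, the statement IDs, and the sample actions are assumptions chosen for the example. The small evaluator alongside the policy applies the SCP rules that matter here (explicit Deny wins, `NotAction` inverts the match, action names are case-insensitive) so the policy can be checked offline before it is attached to a live organizational unit.

```python
"""Illustrative guardrail SCP plus a minimal offline evaluator.

Added example for this page: not Kion's or NASA's code. The approved-service
list and statement IDs are assumptions; the AWS action names are real IAM
actions. Only 'Action'/'NotAction' are evaluated; every statement below uses
Resource '*' and no Condition, so those fields are not modelled.
"""
import fnmatch
import json

# Constructed: service prefixes the (hypothetical) agency has approved for use.
APPROVED_SERVICE_PREFIXES = ["s3", "ec2", "rds", "lambda", "iam", "cloudwatch", "logs", "sts"]

GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # 1. Allow-list of services: deny any action outside the approved prefixes.
            "Sid": "DenyUnapprovedServices",
            "Effect": "Deny",
            "NotAction": [f"{p}:*" for p in APPROVED_SERVICE_PREFIXES],
            "Resource": "*",
        },
        {   # 2. Block static website hosting from S3 buckets.
            "Sid": "DenyS3StaticWebsiteHosting",
            "Effect": "Deny",
            "Action": ["s3:PutBucketWebsite"],
            "Resource": "*",
        },
        {   # 3. Block Reserved Instance commitments and Marketplace purchases.
            "Sid": "DenyCommitmentsAndMarketplace",
            "Effect": "Deny",
            "Action": [
                "ec2:PurchaseReservedInstancesOffering",
                "rds:PurchaseReservedDBInstancesOffering",
                "aws-marketplace:*",
            ],
            "Resource": "*",
        },
    ],
}


def _action_matches(patterns, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    needle = action.lower()
    return any(fnmatch.fnmatchcase(needle, p.lower()) for p in patterns)


def _statement_denies(stmt, action):
    """True if a Deny statement applies to `action`."""
    if stmt.get("Effect") != "Deny":
        return False
    if "Action" in stmt:
        return _action_matches(stmt["Action"], action)
    if "NotAction" in stmt:
        # NotAction + Deny: the statement applies to everything NOT listed.
        return not _action_matches(stmt["NotAction"], action)
    return False


def scp_permits(action, policy=GUARDRAIL_SCP):
    """Return (permitted, [denying Sids]).

    Assumes the default FullAWSAccess SCP is still attached above this one, so
    the only way this policy can remove access is through an explicit Deny.
    Note that an SCP only filters: the caller still needs an IAM grant in
    the account for the action to succeed.
    """
    denied_by = [s["Sid"] for s in policy["Statement"] if _statement_denies(s, action)]
    return (len(denied_by) == 0, denied_by)


def audit(actions, policy=GUARDRAIL_SCP):
    """Evaluate a list of actions and return {action: (permitted, denying Sids)}."""
    return {a: scp_permits(a, policy) for a in actions}


if __name__ == "__main__":
    # Constructed sample of API actions a project account might attempt.
    sample = [
        "s3:PutObject",
        "s3:PutBucketWebsite",
        "ec2:RunInstances",
        "ec2:PurchaseReservedInstancesOffering",
        "aws-marketplace:Subscribe",
        "dynamodb:PutItem",
    ]
    for action, (ok, sids) in audit(sample).items():
        print(f"{action:45s} {'ALLOW' if ok else 'DENY':5s} {', '.join(sids)}")
    print(json.dumps(GUARDRAIL_SCP, indent=2))
```

Running the block prints a decision for each sample action and the policy JSON that would be attached to the organizational unit holding the project accounts. Two design points worth noting: the allow-list statement is deliberately first so that a service outside the approved set is denied regardless of the other statements, and the evaluator returns every matching Deny so an auditor can see overlapping rules (Marketplace actions, for instance, are caught both by the allow-list and by the purchase restriction).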
The impact of Kion at NASA
Kion is a key element of the innovative cloud management methodology used at NASA ESDIS. Kion has helped ESDIS:
- Create and manage projects with different security boundaries enforced through Kion’s cloud rules. The cloud rules apply security scanning rules across all of the AWS accounts to ensure they are set up according to best practices and security standards.
- Successfully onboard selected customer AWS accounts with different budgets/spend plans, security boundaries, and per-individual user access boundaries.
- Enforce project budgets via Kion budget enforcement actions to ensure Antideficiency Act (ADA) compliance
After implementing Kion, the team was able to:
- Grant uniform access and experience to end users from multiple identity management systems (SAML/Internal directory/Active Directory).
- Create new security policies easily using the open source compliance language, which scans cloud resources for insecure configurations, and apply them to groups of accounts. This also allowed them to adjust compliance checks easily as new requirements arose.
- Enforce and validate minimum authentication levels via two-factor authentication.
- Ensure that users only have access commensurate to the authentication type.
- Control who views finances, who accesses AWS resources, and who manages finances.
- Manage AWS IAM roles and policies at an organization level.
- Enforce individual AWS account-level budget through “budget caps” to ensure ADA compliance.
- Provide account-level spend alerting and budget control actions.
- Allow for flexible access levels at the management/business team and admin/developer levels.
By implementing Kion, NASA can satisfy more diverse mission requirements and take a more scalable approach to the resource bottlenecks that come with growing data volumes and user counts. Kion streamlines end user access to AWS while making it simpler for individual teams to refine their own governance model.