Monitoring and securing a geo-dispersed data center with Elasticsearch

About Hill AFB

Hill Enterprise Data Center (HEDC) provides hosting services for more than 100 information systems of the US Air Force logistics center at Hill Air Force Base (AFB), Utah. As Doug Babb, Chief Architect at Hill AFB, explains, the amount of data these logistic centers produce in their responsibility for the maintenance of aircraft and intercontinental ballistic missiles “is just beyond belief.”

The HEDC team collects, monitors, and analyzes logs from Hill AFB’s numerous information systems — as well as its overarching supporting infrastructure — to provide National Institute of Standards and Technology (NIST)-compliant monitoring of their multi-tenant hosting platform in real time. They need to continuously innovate their own Platform as a Service (PaaS) to deliver logging and Department of Defense (DoD) compliance monitoring for the lifecycle of their hosted information systems. They accomplish all this with support from Elastic Cloud Enterprise (ECE).

Log aggregation

Log aggregation takes on a whole new meaning at HEDC. Through building Portable Operating Databases (PODs), their private cloud can be linked across more than a dozen separate sites, which they use to communicate with other PODs at bases around the US. This results in a lot of data transfer and aggregation. The team needed a way to correlate all their systems of record. ECE has all the backing of Elastic Cloud, but is self-deployed to operate on any public or private infrastructure. This made it the clear choice for HEDC, which needed to connect geographically distant PODs with remote access.

For HEDC, it all starts with an effective ingest process. Raw data streams in through established information system partitions — each composed of a collection of servers. Filebeat ships the data from these individual information systems through a load balancer and then to Logstash, where it receives its node designation. Once Logstash has applied a translate filter through a memcache plugin, the bundled and polished data is dropped into HEDC’s corresponding Info Sys cluster within ECE. A catch-all HEDC infrastructure cluster collects raw logs to function as a backend that the team can use as a system of record whenever they need to comprehensively correlate data and capture a picture in time.

And with that, their data is ready for the analytical power of Elasticsearch. HEDC can then perform all their necessary analytics, metrics findings, and compliance upkeep — displaying these reports through Kibana dashboards. But these dashboards only serve their purpose if they can be readily and securely shared across other PODs and within the DoD. That’s where feature parity and security across these multiple systems becomes a major priority.

Seamless role-based authentication

Authorization through role-based access control (RBAC) is an essential function for HEDC to securely grant access — from data to dashboards — to the appropriate PODs and DoD users. An included security feature within Elastic’s Gold and Platinum subscriptions (ECE comes with Platinum features), RBAC revolves around 5 constructs:

  • Secured Resource: the resource to which access is restricted (i.e., indices, documents, fields, or clusters)
  • Privilege: a specified course of action a user can execute against a selected resource
  • Permission: a set of one or more privileges against a secured resource
  • Role: a named set of permissions
  • User: the authenticated alias

RBAC provides the team with a consistent, cloud-shared UI that allows them to seamlessly access and corroborate data across different privileges and locations. HEDC can customize roles to be very specific. They may provide certain levels of information system access (with necessary machine learning plugins) for an engineer, application administration access, or create an access role with specific functions for the information system security manager (ISSM) — a DoD requirement.
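The five constructs above, shown as an added example that is not HEDC's configuration: two constructed role definitions in the JSON shape the Elasticsearch role API accepts, a user-to-role mapping, and a simplified local evaluator that walks user → role → permission → privilege/resource. Index patterns, field names, user names and role names are assumptions for illustration.

```python
import fnmatch
import json

# Constructed roles (secured resources are index patterns; each entry in
# "indices" is one permission: privileges against those resources).
# Names and fields are assumed, not HEDC's real ones.
ROLES = {
    # Engineer for one hosted information system: read-only on that
    # system's indices, no cluster-wide privileges.
    "infosys_a_engineer": {
        "cluster": [],
        "indices": [{"names": ["infosys-a-*"],
                     "privileges": ["read", "view_index_metadata"]}],
    },
    # ISSM: read across all information systems plus the infrastructure
    # cluster, but field-level security hides raw message bodies.
    "issm": {
        "cluster": ["monitor"],
        "indices": [{"names": ["infosys-*", "hedc-infra-*"],
                     "privileges": ["read"],
                     "field_security": {"grant": ["@timestamp", "host.*", "event.*"]}}],
    },
}

# The User construct: the authenticated alias mapped to its roles.
USERS = {"alice": ["infosys_a_engineer"], "bob": ["issm"]}


def role_api_body(role_name):
    """Body for PUT _security/role/<role_name>, as the Elasticsearch API expects it."""
    return json.dumps(ROLES[role_name], sort_keys=True)


def _matching_perms(user, index):
    """Yield every permission of the user's roles whose index pattern covers `index`."""
    for role in USERS.get(user, []):
        for perm in ROLES[role]["indices"]:
            if any(fnmatch.fnmatch(index, pattern) for pattern in perm["names"]):
                yield perm


def granted(user, privilege, index):
    """Simplified check: granted if any matching permission lists the privilege."""
    return any(privilege in perm["privileges"] for perm in _matching_perms(user, index))


def visible_fields(user, index, fields):
    """Field-level security: a permission without field_security grants all fields."""
    grants = [p.get("field_security", {}).get("grant", ["*"]) for p in _matching_perms(user, index)]
    return [f for f in fields if any(fnmatch.fnmatch(f, g) for grant in grants for g in grant)]
```

The evaluator deliberately ignores privilege implication (for example `all` implying `read`) so that the walk through the five constructs stays visible; Elasticsearch itself performs the real check.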

“[Role-based authentication] is a requirement of NIST … rather than using some kind of index or tag to split out people’s data and deliver it to them within an index, which we don’t want to do.” - Nate Benson, Cloud Hosting SME | Hill AFB

This role-based authentication also extends into their PaaS infrastructure deployment. “We can allow our security compliance engineers and all engineers [into] infrastructure-based roles,” Cloud Hosting SME at Hill AFB Nate Benson explains. Now analysts in SecOps, operations, hyper_infra, etc. can all have different levels of access to HEDC’s vast data store.

The Elastic benefit

So why go through all this trouble? Why the hefty ingest routing and role designation? “We’re doing this because again and again, we see people in the DoD frustrated,” Benson explains. “They’re frustrated with paper compliance — the inefficacy of it. They’re frustrated that they get all these silos and it doesn’t mesh or talk … there’s no way to actually time sequence it well together.”

ECE provides HEDC with a streamlined ingestion process, secure data transfer and permissions protocol, and a (compliance mandated) correlated sequence of record. Providing all of this cloud-based data transfer and access across PODs is a task that ECE is uniquely qualified to handle quickly, securely, and at scale.

Want to learn more about how ECE helped HEDC securely monitor and secure its geo-dispersed data center? Check out their Elastic{ON} Tour Washington, D.C. presentation from October 2018.
