Jonathan, The folks from Boston University have done some work around this idea:
https://github.com/openstack/mixmatch/blob/master/doc/source/architecture.rst

On Tue, Mar 21, 2017 at 7:33 PM, Jonathan Mills <jonmi...@gmail.com> wrote:
> Friends,
>
> I’m reaching out for assistance from anyone who may have confronted the
> issue of dealing with ITAR data in an OpenStack cloud being used in some
> department of the Federal Gov.
>
> ITAR (https://www.pmddtc.state.gov/regulations_laws/itar.html) is a less
> restrictive level of security than classified data, but it has some thorny
> aspects to it, particularly where media is concerned:
>
> * you cannot co-mingle ITAR and non-ITAR data on the same physical hard
> drives, and any drive, once it has been “tainted” with any ITAR data, is now
> an ITAR drive
>
> * when ITAR data is destroyed, a DBAN is insufficient — instead, you
> physically shred the drive. No need to elaborate on how destructive this
> can get if you accidentally mingle ITAR with non-ITAR
>
> Certainly the multi-tenant model of OpenStack holds great promise in Federal
> agencies for supporting both ITAR and non-ITAR worlds, but great care must
> be taken that *somehow* things like Glance and Cinder don’t get mixed up.
> One must ensure that the ITAR tenants can only access Glance/Cinder in ways
> such that their backend storage is physically separate from any non-ITAR
> tenants. Certainly I understand that Glance/Cinder can support multiple
> storage backend types, such as File & Ceph, and maybe that is an avenue to
> explore to achieving the physical separation. But what if you want to have
> multiple different File backends?
>
> Do the ACLs exist to ensure that non-ITAR tenants can’t access ITAR
> Glance/Cinder backends, and vice versa?
>
> Or…is it simpler to just build two OpenStack clouds….?
>
> Your thoughts will be most appreciated,
>
>
> Jonathan Mills
> NASA Goddard Space Flight Center
>
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators

--
Davanum Srinivas :: https://twitter.com/dims
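The multiple-file-backend and per-tenant ACL question in the quoted message, as an added example that is not part of this thread: a Cinder deployment with two NFS backends (one ITAR, one general) and private volume types pinned to each, plus a small audit that flags any volume type through which a non-ITAR project could reach the ITAR backend or an ITAR project could taint the general one. The cinder.conf text, the backend and project names, and the volume-type inventory are constructed assumptions for the sake of the check.

```python
import configparser

# Constructed sample cinder.conf: two NFS "file" backends, one per data domain.
CINDER_CONF = """
[DEFAULT]
enabled_backends = nfs_itar,nfs_general

[nfs_itar]
volume_driver = cinder.volume.drivers.nfs.NfsDriver
volume_backend_name = ITAR_NFS
nfs_shares_config = /etc/cinder/nfs_shares_itar

[nfs_general]
volume_driver = cinder.volume.drivers.nfs.NfsDriver
volume_backend_name = GENERAL_NFS
nfs_shares_config = /etc/cinder/nfs_shares_general
"""

# Constructed volume-type inventory, shaped after `openstack volume type show`:
# extra_specs pin a type to a backend; is_public plus the project access list
# is the per-type ACL Cinder provides (openstack volume type set --project).
VOLUME_TYPES = [
    {"name": "itar", "is_public": False, "projects": {"itar-proj"},
     "extra_specs": {"volume_backend_name": "ITAR_NFS"}},
    {"name": "standard", "is_public": False, "projects": {"eng-proj"},
     "extra_specs": {"volume_backend_name": "GENERAL_NFS"}},
]
ITAR_BACKENDS = {"ITAR_NFS"}   # assumption: backend names whose media hold ITAR data
ITAR_PROJECTS = {"itar-proj"}  # assumption: projects that are ITAR tenants


def backend_names(conf_text):
    """Map each section listed in enabled_backends to its volume_backend_name."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return {s.strip(): cp[s.strip()]["volume_backend_name"]
            for s in cp["DEFAULT"]["enabled_backends"].split(",")}


def audit(conf_text, volume_types, itar_backends, itar_projects):
    """Return findings; an empty list means no type lets data cross the ITAR boundary."""
    findings, known = [], set(backend_names(conf_text).values())
    for vt in volume_types:
        backend = vt["extra_specs"].get("volume_backend_name")
        if backend not in known:  # unpinned or mistyped: scheduler may place it on any backend
            findings.append(f"{vt['name']}: not pinned to an enabled backend ({backend})")
            continue
        # Who can create volumes of this type: every project if public, else the ACL list.
        reach = None if vt["is_public"] else set(vt["projects"])
        if backend in itar_backends and (reach is None or not reach <= itar_projects):
            findings.append(f"{vt['name']}: non-ITAR projects can reach ITAR backend {backend}")
        if backend not in itar_backends and (reach is None or reach & itar_projects):
            findings.append(f"{vt['name']}: ITAR projects can taint non-ITAR backend {backend}")
    return findings
```

Note that the check only covers the Cinder volume-type ACL; it says nothing about Glance, and a public type pinned to the general backend is still flagged, because ITAR tenants could write to it.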