Leveraging OpenStack and Ceph for a Controlled-Access Data Cloud

TL;DR

This paper describes the design and deployment of Stratus, a secure, cloud-based environment using OpenStack and Ceph to meet modern researchers' needs for scalable, controlled-access compute and storage resources.

Contribution

It introduces a novel cloud environment, Stratus, that integrates OpenStack and Ceph to provide secure, scalable, and compliant access to controlled data for researchers.

Findings

Successful implementation of tiered secure storage with controlled-access cache

Integration of live-migration and two-factor authentication features

Enhanced security and compliance with NIH data policies

Abstract

While traditional HPC has and continues to satisfy most workflows, a new generation of researchers has emerged looking for sophisticated, scalable, on-demand, and self-service control of compute infrastructure in a cloud-like environment. Many also seek safe harbors to operate on or store sensitive and/or controlled-access data in a high capacity environment. To cater to these modern users, the Minnesota Supercomputing Institute designed and deployed Stratus, a locally-hosted cloud environment powered by the OpenStack platform, and backed by Ceph storage. The subscription-based service complements existing HPC systems by satisfying the following unmet needs of our users: a) on-demand availability of compute resources, b) long-running jobs (i.e., $> 30$ days), c) container-based computing with Docker, and d) adequate security controls to comply with controlled-access data requirements. This document provides an in-depth look at the design of Stratus with respect to security and compliance with the NIH's controlled-access data policy. Emphasis is placed on lessons learned while integrating OpenStack and Ceph features into a so-called "walled garden", and how those technologies influenced the security design. Many features of Stratus, including tiered secure storage with the introduction of a controlled-access data "cache", fault-tolerant live-migrations, and fully integrated two-factor authentication, depend on recent OpenStack and Ceph features.