Effective Date: December 19, 2013
Expiration Date: November 30, 2021
The Enterprise Target Architecture is comprised of six integrated core Infrastructure Services Domains: Host Computing, End-User Computing, Applications, Communication, Information, and Security. These domains make up the fundamental infrastructure that supports NASA's IT services.
Host Computing. The Host Computing Architecture and Services Domain encompasses all of the enterprise services necessary to ensure the efficient use of compute and storage assets. This domain includes the following service areas:
a. Housing Services. Internal NASA resources, as well as commercial capabilities, providing the data center infrastructure to ensure an appropriate environment for a user to host computing resources to meet business requirements.
b. Hosting Services. NASA resources, as well as commercial capabilities, providing the data center infrastructure, as well as the hosting resources (e.g., servers, storage, operating systems, databases, middleware) to ensure an appropriate hosting capability to support user applications to meet business requirements. Examples would include mainframes, high-performance computing environment, database services, etc.
c. Infrastructure as a Service. NASA or commercially provided resources delivered as a service with appropriate service levels used for providing hosting services to the user. These services are traditionally abstracted from specific hardware and implemented as resources such as Central Processing Unit (CPU) cycles, Random Access Memory (RAM), storage capacity, and bandwidth. Pricing is on a pay-per-use basis. All of the physical hardware used to implement the service is managed by the service provider, and the user is typically required to manage the entire application stack beginning with the operating system.
d. Platform as a Service. NASA or commercially provided resources delivered as a service with appropriate service levels used for ensuring application hosting services for the customer. These services are traditionally based on a programming environment such as commercial capabilities like Google App Engine®, Microsoft Windows Azure®, PHP, Python, etc. Pricing is on a pay-per-use basis, and the services meet the characteristics defined earlier in this document. The service provider typically manages the infrastructure, as well as the application software, with the user managing the application itself.
e. Software as a Service. NASA or commercially provided resources delivered as a service with appropriate service levels used for ensuring software capabilities as a service for the customer. These services are commonly utilized applications used by customers such as financial applications and mail systems. Pricing is on a pay-per-use basis, and the services meet the characteristics defined earlier in this document. The service provider typically manages the infrastructure, as well as the application software, with the user managing the application itself.
f. Storage Services. NASA or commercial provided resources for short-term as well as long-term storage of user data. Storage services can reside in all of the services defined above. Many cloud providers provide storage services to be used in conjunction with their compute resources. Due to the complexity and size of some of these requirements, this discussion has been separated into a separate service line item within our architecture.
g. Cloud Services Brokering (CSB). CSB is a form of cloud services intermediation and is a business model in which value is added to one or more (generally public or hybrid, but possibly private) cloud services by an individual or group on behalf of one or more user organizations. In an internal private cloud scenario, the internal IT organization takes on the role of broker. Additional information is provided below after the definition of cloud computing.
End User Computing. The End User Computing Architecture and Services Domain is the infrastructure segment of IT's scope that is associated with the life-cycle support of devices that stakeholders physically possess and/or manipulate. This domain includes the following service areas:
a. Technology Evaluation Services. Track end user IT requirements and identify new end user IT trends and candidates for inclusion.
b. Integration/Validation Services. Perform service, system, and EA domain integration to validate and facilitate interoperability of new and existing end user IT.
c. Configuration Management Services. Ensure end user services are accessible through management, specification, and documentation of system settings and policies.
d. Provisioning Services. Make end user IT available, designate operational and deprecated standards for end user IT, and provide an asset inventory, device specification and software revision, and trending data to enable decision making.
e. Assessment/Testing Services. Interactively assess proposed end user IT.
Applications. The Applications Architecture and Services Domain is the infrastructure segment of IT's scope that is associated with the life-cycle support of selecting, developing, implementing, operating, and maintaining software solutions. This domain includes the following service areas:
a. Portfolio Management Services. Enable the Agency to have a better knowledge of existing capabilities in our current portfolio so that we can work with customers to evaluate existing solutions when new requirements arise. Transparency into the current inventory of applications and resource use is a primary goal of Application Portfolio Management (APM). It is common to find multiple applications at NASA that perform the same function, and many reasons may exist for this duplication (some valid and some not). Redundancy increases complexity and cost, and APM services aim to eliminate or reduce unnecessary application duplication in order to help focus scarce IT resources on business priorities.
b. Interoperability Support Services. Enhance the ability of Agency software systems to interoperate. Interoperability is defined by IEEE Standard Glossary as: "The ability of two or more systems or components to exchange information and to use the information that has been exchanged." Integration is further defined as "the process of combining software components, hardware components, or both into an overall system." (IEEE Standard Glossary, 1990)
c. Development and Deployment Services. Enable the Agency to create and enhance software systems that are uniquely suited to supporting NASA's mission and mission support requirements. This Application Domain Reference Model identifies process areas of Development and Deployment Services and supplies best practice information on processes for effectively executing the activities associated with each process area. The best practices referenced in this document are not meant to circumvent or contradict the directives defined in NASA NPR 7150.2A, but are rather intended to provide additional clarifying insight into methods that can result in a more successful delivery of each process area.
Communications. The Communication Architecture and Service Domain is the infrastructure segment of IT's scope that is associated with establishing the reliable transfer of information between people and information technology assets. This domain includes the following service areas:
a. Transmission Services. Transmission services provide the physical medium to enable data transfer through NASA's communication infrastructure (LAN/FW/WAN/Internet). Examples include fiber, wire, wireless, and connectors.
b. Communication Application Services. Communication application services consist of the supporting services required for data to flow across the communications infrastructure such as DNS, NTP, DHCP, etc. For lack of a better place, Voice over IP is included here.
c. Communication Management Services. Communications management services consist of the devices and mechanisms used to manage the flow of data across the communications infrastructure (routers, switches, wireless access point management, global toolsets).
d. Boundary Management Services. Boundary management services provide the management and control of information flowing in and out of segments (intra, inter, extra, and other subdivisions) of the NASA communications infrastructure.
Information. Information domain is defined as governance of and policy for management of information and data. It is also the practice of putting in place measures to mitigate risk. This domain includes the following service areas:
a. Modeling/Classification Services. This service provides customers with the ability to model and classify data they produce, acquire, or synthesize so that information about the data is adequately identified to facilitate its use within the information life cycle. This service includes associating model attributes with security policy attributes for security policy enforcement.
b. Creation/Collection Services. This service provides customers with the ability to associate data they produce, acquire, or synthesize with meta-models to create information. This service also uses the "Storage/Archival Services" to persist the data over time.
c. Search/Query Services. This service provides customers with the ability to discover data based on its meta-models, meta-data, and/or the content of the data itself. It includes the enforcement of discovery based on security policies.
d. Access/Sharing Services. This service provides customers with the ability to access/retrieve, transform, and/or share data. This service includes the optimization of information delivery. It also includes the enforcement of security policies on the use of information.
e. Storage/Archiving Services. This service provides customers the ability to effectively and efficiently persist data over time. It works with the Access/Sharing Services to ensure that data delivery is optimized. This service includes the physical security required to protect data and the enforcement of security policies on "data at rest."
f. Management/QA Services. This service provides customers with full information life-cycle management services. It includes determining the appropriate storage mechanisms, locations, controls, etc., over time. It provides audits of information provenance and management to ensure that information is "fit" for use.
Security. The Security Architecture and Services Domain encompasses all of the enterprise services necessary to assure secure computing and information exchange. The scope encompasses the development of a security-specific architecture and supporting services that integrate and optimize the standards, policies, procedures, people, processes, and technology necessary to achieve an effective and efficient enterprise services environment. To accomplish that objective, the Security Architecture and Services Domain is dependent on the services of the other architecture and services domains in order to implement its specific scope. This domain includes the following service areas:
a. Policy Management Services. Policy management services provide the interface between security-policy decision makers and the infrastructure layers. Policies themselves reside in policy management authorities (PMAs) to make decisions, guided by security policy, about what to do in specific circumstances. Decisions are based on security policy and information about the current situation. Policy management services cause policy enforcement to occur in Policy Enforcement Points (PEPs) that exist within the infrastructure layers.
b. Identity Services. Identity services provide controls based on the identity attributes of subjects. For example, a user ID and password (or stronger authentication method) are normally required to access various repositories and applications within the infrastructure layers. Identity services involve a complex set of interacting mechanisms, including Policy Enforcement Points and Policy Decision Points, for authentication and authorization. Identity services are part of the overarching identity management functions of every enterprise.
c. Audit Services. Audit services collect and preserve data from sensors and provide select historical data to various recipients, including auditors and other security-related systems.
d. Detection and Response Services. Detection and response services receive data on the security state of the infrastructure layers from sensors and take actions, such as generating alerts with metrics of various sorts identifying severity, urgency, relevance, and criticality. Detection and response services may also take action (i.e., a response) through actuators to mitigate the event or to change the behavior of an infrastructure component.
e. Security Management Services. Security management services employ actuators to set configurations in various controls within the infrastructure layers. Security management services store security state data and produce actuator output to trigger security-related actions.
f. Security Enterprise Architecture Vision. NASA's IT security environment will enable collaborative interactions among all people who are participating in fulfilling NASA's mission while inherently protecting NASA assets. NASA's IT security infrastructure will support an efficient and adaptive risk managed framework. The infrastructure will enable seamless and location independent access to Agency resources. It will provide stakeholders with the tools, resources, and awareness they need to identify and manage risks. The framework will allow system owners to apply security controls commensurate with mission needs, information value, and associated threats.
This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.