SlideShare una empresa de Scribd logo

Open stack security emea launch

Descargar como PPTX, PDF
Joshua McKenty
Joshua McKenty
Tecnología
1 de 31
OpenStack Security A Primer
Me: Joshua McKenty Twitter: @jmckenty Email: joshua@pistoncloud.com Former Chief Architect, NASA Nebula Founding Member, OpenStack OpenStack Project Policy Board
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
The Three Pillars of Security
“Bonus” Security Pillar Forensics
Real Security Assume everything goes wrong, even impossible things.
FIPS 199 Definition: Confidentiality Integrity Availability Defining Security
Defining Vulnerability
Build on “Shared Nothing” to achieve “Trust No One” Also known as “Defense in Depth” AUTOMATE EVERYTHING “Fat Fingers” == Plausible Deniability Automated == non-repudiable change control Build to the OSI 7-layer model
Layer 1
Lock your doors Do your background checks Use separate physical networks for admin Network model and management Use RFC 1918 address space when appropriate Use VLANs if necessary Firewall every machine (ebtables, iptables) Border firewalls (port and protocol level) Layer 1, 2 and 3
Never assume it’s bilateral
Control system access Best case: no host-based shell access AT ALL. Second-best: federated AUTH with 2-factor, keys only Worstcase: Host-level root login with passwords Run IDS – on hosts and guests Scan Continuously – hosts and guests, on all networks Proactively defend – Fail2Ban, etc. ( F2B-a-a-S) Layer 4, 5, 6 and 7
Don't trust the hypervisor (TXT / TPM) Conversely, don't trust the VM (blue-pill exploits, etc.) Host-based FW within the VM (CloudPassage "Halo") Access-control for VMs – same approaches apply (Auth-as-a-Service) Layer ‘V’
“Proof” and Policy In God We Trust – All Others, Bring Data.
Classic best practices – redundant, off-site log servers Log aggregation and analysis / event detection Logging-as-a-Service Log early, log often
Make and verify your assertions (Coming soon…) CloudAudit
Did you remember to delete his account?
Security Theatre “Given enough hand-waving, all systems are secure.”
Crypto is useless – if keys are stored with the data Private networks are useless – if doors aren’t locked Certification only proves that you’re doing, what you said you were going to do. You can still be wrong. Forget “Trust, but verify”. Just don’t trust. Don’t get confused!
Bonus: Forensics It’s not an “If” – it’s a “When”
Have a chaos-monkey of compromise Can you perform forensics and remediation, without impacting other users of your cloud? Spanning ports and extra storage “Graveyard” for recently deleted images, instances Bonus Section: Forensics
What’s in the CloudPipe? “We can only see a short distance ahead, but we can see plenty there that needs to be done.” – Alan Turing
The Machine Aka “Sneaky Monkey” Continuous Integration of penetration and vulnerability testing.
We’re doing “stuff” No… really. Hardening
Outfoxing the fox Intel is working with many companies within OpenStack, including Piston. Trusted Execution
Questions?
Matt Linton – Nebula CSO Jesse Andrews – AnsoLabs Founder Soo Choi – 7120.7 Nazi Matt Chew- Spence – FIPS 199 Guru Keith Shackleford and James Williams Chris Kemp Bobby Cates, Dave Swagger, E. Lopez, Grace De Leon, Guy with Gun #1, Guy with Gun #2… Credits

Recomendados

Te chnical presentation networkexploits and security
Te chnical presentation networkexploits and securityTe chnical presentation networkexploits and security
Te chnical presentation networkexploits and security
Kartik Rao
 
The New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesThe New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilities
Major Hayden
 
How Not To Suck At Cloud security | Rohan Aggarwal
How Not To Suck At Cloud security | Rohan AggarwalHow Not To Suck At Cloud security | Rohan Aggarwal
How Not To Suck At Cloud security | Rohan Aggarwal
Rohan Aggarwal
 
Log Forensics from CEIC 2007
Log Forensics from CEIC 2007Log Forensics from CEIC 2007
Log Forensics from CEIC 2007
Anton Chuvakin
 
Developing Software with Security in Mind
Developing Software with Security in MindDeveloping Software with Security in Mind
Developing Software with Security in Mind
sblom
 
CONFidence 2007 Log Forensics TEASER Preso
CONFidence 2007 Log Forensics TEASER PresoCONFidence 2007 Log Forensics TEASER Preso
CONFidence 2007 Log Forensics TEASER Preso
Anton Chuvakin
 
IPv6 Security - Where is the Challenge
IPv6 Security - Where is the ChallengeIPv6 Security - Where is the Challenge
IPv6 Security - Where is the Challenge
RIPE NCC
 
Don’t Fall Victim to Social Engineering Traps
Don’t Fall Victim to Social Engineering TrapsDon’t Fall Victim to Social Engineering Traps
Don’t Fall Victim to Social Engineering Traps
Aventis Systems, Inc.
 

Recomendados

Te chnical presentation networkexploits and security
Te chnical presentation networkexploits and securityTe chnical presentation networkexploits and security
Te chnical presentation networkexploits and security
Kartik Rao
 
The New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilitiesThe New Normal: Managing the constant stream of new vulnerabilities
The New Normal: Managing the constant stream of new vulnerabilities
Major Hayden
 
How Not To Suck At Cloud security | Rohan Aggarwal
How Not To Suck At Cloud security | Rohan AggarwalHow Not To Suck At Cloud security | Rohan Aggarwal
How Not To Suck At Cloud security | Rohan Aggarwal
Rohan Aggarwal
 
Log Forensics from CEIC 2007
Log Forensics from CEIC 2007Log Forensics from CEIC 2007
Log Forensics from CEIC 2007
Anton Chuvakin
 
Developing Software with Security in Mind
Developing Software with Security in MindDeveloping Software with Security in Mind
Developing Software with Security in Mind
sblom
 
CONFidence 2007 Log Forensics TEASER Preso
CONFidence 2007 Log Forensics TEASER PresoCONFidence 2007 Log Forensics TEASER Preso
CONFidence 2007 Log Forensics TEASER Preso
Anton Chuvakin
 
IPv6 Security - Where is the Challenge
IPv6 Security - Where is the ChallengeIPv6 Security - Where is the Challenge
IPv6 Security - Where is the Challenge
RIPE NCC
 
Don’t Fall Victim to Social Engineering Traps
Don’t Fall Victim to Social Engineering TrapsDon’t Fall Victim to Social Engineering Traps
Don’t Fall Victim to Social Engineering Traps
Aventis Systems, Inc.
 
7 cloud security tips
7 cloud security tips7 cloud security tips
7 cloud security tips
United Technology Group (UTG)
 
Top 10 Encryption Myths
Top 10 Encryption MythsTop 10 Encryption Myths
Top 10 Encryption Myths
HighCloud Security
 
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
CODE BLUE
 
QAing the security way!
QAing the security way!QAing the security way!
QAing the security way!
Amit Gundiyal
 
vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security way
vodQA
 
How to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareHow to protect your business from Wannacry Ransomware
How to protect your business from Wannacry Ransomware
Kaspersky
 
Arista Piston Webinar
Arista Piston WebinarArista Piston Webinar
Arista Piston Webinar
Joshua McKenty
 
The Space Penguin Odyssey
The Space Penguin OdysseyThe Space Penguin Odyssey
The Space Penguin Odyssey
Joshua McKenty
 
OpenStackDC and Cloud Foundry Meetup -
OpenStackDC and Cloud Foundry Meetup -OpenStackDC and Cloud Foundry Meetup -
OpenStackDC and Cloud Foundry Meetup -
Joshua McKenty
 
Scale-out Community: Lessons from OpenStack
Scale-out Community: Lessons from OpenStackScale-out Community: Lessons from OpenStack
Scale-out Community: Lessons from OpenStack
Joshua McKenty
 
Cloud Power - The Early OpenStack Architecture
Cloud Power - The Early OpenStack ArchitectureCloud Power - The Early OpenStack Architecture
Cloud Power - The Early OpenStack Architecture
Joshua McKenty
 
WSTA Breakfast Seminar
WSTA Breakfast SeminarWSTA Breakfast Seminar
WSTA Breakfast Seminar
Joshua McKenty
 
But What About Docker?
But What About Docker?But What About Docker?
But What About Docker?
Joshua McKenty
 
OpenStack: Cloud's Big Tent
OpenStack: Cloud's Big TentOpenStack: Cloud's Big Tent
OpenStack: Cloud's Big Tent
Joshua McKenty
 
MSST-2013 Openstack in the Land of Guilder
MSST-2013 Openstack in the Land of GuilderMSST-2013 Openstack in the Land of Guilder
MSST-2013 Openstack in the Land of Guilder
Joshua McKenty
 
vGeek 2013 Tech Talk: Openstack-101
vGeek 2013 Tech Talk: Openstack-101vGeek 2013 Tech Talk: Openstack-101
vGeek 2013 Tech Talk: Openstack-101
Joshua McKenty
 
Open Stack DC
Open Stack DCOpen Stack DC
Open Stack DC
Joshua McKenty
 
OpenStack Foundation Transparency Committee Update - January 2014
OpenStack Foundation Transparency Committee Update - January 2014OpenStack Foundation Transparency Committee Update - January 2014
OpenStack Foundation Transparency Committee Update - January 2014
Joshua McKenty
 
Wall-Street Technology Association (WSTA) Feb-2012
Wall-Street Technology Association (WSTA) Feb-2012Wall-Street Technology Association (WSTA) Feb-2012
Wall-Street Technology Association (WSTA) Feb-2012
Joshua McKenty
 
OpenStack: The evolution of computing (Credit Suisse Technology Summit)
OpenStack: The evolution of computing (Credit Suisse Technology Summit)OpenStack: The evolution of computing (Credit Suisse Technology Summit)
OpenStack: The evolution of computing (Credit Suisse Technology Summit)
Joshua McKenty
 
Open stack + Cloud Foundry: Palo Alto Meetup February 2015
Open stack + Cloud Foundry: Palo Alto Meetup February 2015Open stack + Cloud Foundry: Palo Alto Meetup February 2015
Open stack + Cloud Foundry: Palo Alto Meetup February 2015
Joshua McKenty
 
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
Amazon Web Services
 

Más contenido relacionado

La actualidad más candente

Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
CODE BLUE
 
How to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareHow to protect your business from Wannacry Ransomware
How to protect your business from Wannacry Ransomware
Kaspersky
 

La actualidad más candente (6)

7 cloud security tips
7 cloud security tips7 cloud security tips
7 cloud security tips
 
Top 10 Encryption Myths
Top 10 Encryption MythsTop 10 Encryption Myths
Top 10 Encryption Myths
 
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...
 
QAing the security way!
QAing the security way!QAing the security way!
QAing the security way!
 
vodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security wayvodQA(Pune) 2018 - QAing the security way
vodQA(Pune) 2018 - QAing the security way
 
How to protect your business from Wannacry Ransomware
How to protect your business from Wannacry RansomwareHow to protect your business from Wannacry Ransomware
How to protect your business from Wannacry Ransomware
 

Destacado

OpenStackDC and Cloud Foundry Meetup -
OpenStackDC and Cloud Foundry Meetup -OpenStackDC and Cloud Foundry Meetup -
OpenStackDC and Cloud Foundry Meetup -
Joshua McKenty
 
WSTA Breakfast Seminar
WSTA Breakfast SeminarWSTA Breakfast Seminar
WSTA Breakfast Seminar
Joshua McKenty
 
OpenStack: Cloud's Big Tent
OpenStack: Cloud's Big TentOpenStack: Cloud's Big Tent
OpenStack: Cloud's Big Tent
Joshua McKenty
 
MSST-2013 Openstack in the Land of Guilder
MSST-2013 Openstack in the Land of GuilderMSST-2013 Openstack in the Land of Guilder
MSST-2013 Openstack in the Land of Guilder
Joshua McKenty
 
vGeek 2013 Tech Talk: Openstack-101
vGeek 2013 Tech Talk: Openstack-101vGeek 2013 Tech Talk: Openstack-101
vGeek 2013 Tech Talk: Openstack-101
Joshua McKenty
 
Wall-Street Technology Association (WSTA) Feb-2012
Wall-Street Technology Association (WSTA) Feb-2012Wall-Street Technology Association (WSTA) Feb-2012
Wall-Street Technology Association (WSTA) Feb-2012
Joshua McKenty
 
OpenStack: The evolution of computing (Credit Suisse Technology Summit)
OpenStack: The evolution of computing (Credit Suisse Technology Summit)OpenStack: The evolution of computing (Credit Suisse Technology Summit)
OpenStack: The evolution of computing (Credit Suisse Technology Summit)
Joshua McKenty
 

Destacado (15)

Arista Piston Webinar
Arista Piston WebinarArista Piston Webinar
Arista Piston Webinar
 
The Space Penguin Odyssey
The Space Penguin OdysseyThe Space Penguin Odyssey
The Space Penguin Odyssey
 
OpenStackDC and Cloud Foundry Meetup -
OpenStackDC and Cloud Foundry Meetup -OpenStackDC and Cloud Foundry Meetup -
OpenStackDC and Cloud Foundry Meetup -
 
Scale-out Community: Lessons from OpenStack
Scale-out Community: Lessons from OpenStackScale-out Community: Lessons from OpenStack
Scale-out Community: Lessons from OpenStack
 
Cloud Power - The Early OpenStack Architecture
Cloud Power - The Early OpenStack ArchitectureCloud Power - The Early OpenStack Architecture
Cloud Power - The Early OpenStack Architecture
 
WSTA Breakfast Seminar
WSTA Breakfast SeminarWSTA Breakfast Seminar
WSTA Breakfast Seminar
 
But What About Docker?
But What About Docker?But What About Docker?
But What About Docker?
 
OpenStack: Cloud's Big Tent
OpenStack: Cloud's Big TentOpenStack: Cloud's Big Tent
OpenStack: Cloud's Big Tent
 
MSST-2013 Openstack in the Land of Guilder
MSST-2013 Openstack in the Land of GuilderMSST-2013 Openstack in the Land of Guilder
MSST-2013 Openstack in the Land of Guilder
 
vGeek 2013 Tech Talk: Openstack-101
vGeek 2013 Tech Talk: Openstack-101vGeek 2013 Tech Talk: Openstack-101
vGeek 2013 Tech Talk: Openstack-101
 
Open Stack DC
Open Stack DCOpen Stack DC
Open Stack DC
 
OpenStack Foundation Transparency Committee Update - January 2014
OpenStack Foundation Transparency Committee Update - January 2014OpenStack Foundation Transparency Committee Update - January 2014
OpenStack Foundation Transparency Committee Update - January 2014
 
Wall-Street Technology Association (WSTA) Feb-2012
Wall-Street Technology Association (WSTA) Feb-2012Wall-Street Technology Association (WSTA) Feb-2012
Wall-Street Technology Association (WSTA) Feb-2012
 
OpenStack: The evolution of computing (Credit Suisse Technology Summit)
OpenStack: The evolution of computing (Credit Suisse Technology Summit)OpenStack: The evolution of computing (Credit Suisse Technology Summit)
OpenStack: The evolution of computing (Credit Suisse Technology Summit)
 
Open stack + Cloud Foundry: Palo Alto Meetup February 2015
Open stack + Cloud Foundry: Palo Alto Meetup February 2015Open stack + Cloud Foundry: Palo Alto Meetup February 2015
Open stack + Cloud Foundry: Palo Alto Meetup February 2015
 

Similar a Open stack security emea launch

AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
Amazon Web Services
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
NoNameCon
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
phanleson
 
Cloudtrust 091204053223 Phpapp01
Cloudtrust 091204053223 Phpapp01Cloudtrust 091204053223 Phpapp01
Cloudtrust 091204053223 Phpapp01
mcguireb
 
LF_APIStrat17_Don't Build a Death Star
LF_APIStrat17_Don't Build a Death StarLF_APIStrat17_Don't Build a Death Star
LF_APIStrat17_Don't Build a Death Star
LF_APIStrat
 

Similar a Open stack security emea launch (20)

AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)
 
Your First Guide to "secure Linux"
Your First Guide to "secure Linux"Your First Guide to "secure Linux"
Your First Guide to "secure Linux"
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
 
Cloud trust
Cloud trustCloud trust
Cloud trust
 
Cloudtrust 091204053223 Phpapp01
Cloudtrust 091204053223 Phpapp01Cloudtrust 091204053223 Phpapp01
Cloudtrust 091204053223 Phpapp01
 
In Cloud We Trust
In Cloud We TrustIn Cloud We Trust
In Cloud We Trust
 
Black ops 2012
Black ops 2012Black ops 2012
Black ops 2012
 
Incident Response Automation @ Netflix Q12019
Incident Response Automation @ Netflix Q12019Incident Response Automation @ Netflix Q12019
Incident Response Automation @ Netflix Q12019
 
LF_APIStrat17_Don't Build a Death Star
LF_APIStrat17_Don't Build a Death StarLF_APIStrat17_Don't Build a Death Star
LF_APIStrat17_Don't Build a Death Star
 
Hacking the future with USB HID
Hacking the future with USB HIDHacking the future with USB HID
Hacking the future with USB HID
 
BSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be HuntedBSides London 2017 - Hunt Or Be Hunted
BSides London 2017 - Hunt Or Be Hunted
 
Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)Broken by design (Danny Fullerton)
Broken by design (Danny Fullerton)
 
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...
 
Chaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in ProductionChaos Engineering - The Art of Breaking Things in Production
Chaos Engineering - The Art of Breaking Things in Production
 
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton ChuvakinUsing Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Windows network security
Windows network securityWindows network security
Windows network security
 
Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2Presentation infra and_datacentrre_dialogue_v2
Presentation infra and_datacentrre_dialogue_v2
 

Último

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Último (20)

Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Open stack security emea launch

  • 2. Me: Joshua McKenty Twitter: @jmckenty Email: joshua@pistoncloud.com Former Chief Architect, NASA Nebula Founding Member, OpenStack OpenStack Project Policy Board
  • 3. “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
  • 4.
  • 5. The Three Pillars of Security
  • 7. Real Security Assume everything goes wrong, even impossible things.
  • 8. FIPS 199 Definition: Confidentiality Integrity Availability Defining Security
  • 10. Build on “Shared Nothing” to achieve “Trust No One” Also known as “Defense in Depth” AUTOMATE EVERYTHING “Fat Fingers” == Plausible Deniability Automated == non-repudiable change control Build to the OSI 7-layer model
  • 12. Lock your doors Do your background checks Use separate physical networks for admin Network model and management Use RFC 1918 address space when appropriate Use VLANs if necessary Firewall every machine (ebtables, iptables) Border firewalls (port and protocol level) Layer 1, 2 and 3
  • 13. Never assume it’s bilateral
  • 14. Control system access Best case: no host-based shell access AT ALL. Second-best: federated AUTH with 2-factor, keys only Worstcase: Host-level root login with passwords Run IDS – on hosts and guests Scan Continuously – hosts and guests, on all networks Proactively defend – Fail2Ban, etc. ( F2B-a-a-S) Layer 4, 5, 6 and 7
  • 15. Don't trust the hypervisor (TXT / TPM) Conversely, don't trust the VM (blue-pill exploits, etc.) Host-based FW within the VM (CloudPassage "Halo") Access-control for VMs – same approaches apply (Auth-as-a-Service) Layer ‘V’
  • 16. “Proof” and Policy In God We Trust – All Others, Bring Data.
  • 17.
  • 18. Classic best practices – redundant, off-site log servers Log aggregation and analysis / event detection Logging-as-a-Service Log early, log often
  • 19. Make and verify your assertions (Coming soon…) CloudAudit
  • 20. Did you remember to delete his account?
  • 21. Security Theatre “Given enough hand-waving, all systems are secure.”
  • 22.
  • 23. Crypto is useless – if keys are stored with the data Private networks are useless – if doors aren’t locked Certification only proves that you’re doing, what you said you were going to do. You can still be wrong. Forget “Trust, but verify”. Just don’t trust. Don’t get confused!
  • 24. Bonus: Forensics It’s not an “If” – it’s a “When”
  • 25. Have a chaos-monkey of compromise Can you perform forensics and remediation, without impacting other users of your cloud? Spanning ports and extra storage “Graveyard” for recently deleted images, instances Bonus Section: Forensics
  • 26. What’s in the CloudPipe? “We can only see a short distance ahead, but we can see plenty there that needs to be done.” – Alan Turing
  • 27. The Machine Aka “Sneaky Monkey” Continuous Integration of penetration and vulnerability testing.
  • 28. We’re doing “stuff” No… really. Hardening
  • 29. Outfoxing the fox Intel is working with many companies within OpenStack, including Piston. Trusted Execution
  • 31. Matt Linton – Nebula CSO Jesse Andrews – AnsoLabs Founder Soo Choi – 7120.7 Nazi Matt Chew- Spence – FIPS 199 Guru Keith Shackleford and James Williams Chris Kemp Bobby Cates, Dave Swagger, E. Lopez, Grace De Leon, Guy with Gun #1, Guy with Gun #2… Credits

Notas del editor

  1. I have 30 minutes for a 2 hour talk, so I’ll cover this at a high level, and I’ll make myself available for more detailed questions afterwards.
  2. It’s not an “if” – it’s a “when”
  3. 80% of all security attacks come from current or former employees or contractors.Assume every host in your network is or will be compromised, and plan accordingly.
  4. (splunk, syslog-ng)