OpenStack Security: A Primer
Me: Joshua McKenty
Twitter: @jmckenty
Email: joshua@pistoncloud.com
Former Chief Architect, NASA Nebula
Founding Member, OpenStack
OpenStack Project Policy Board
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
The Three Pillars of Security
“Bonus” Security Pillar: Forensics
Real Security Assume everything goes wrong, even impossible things.
Defining Security
FIPS 199 definition: Confidentiality, Integrity, Availability
Defining Vulnerability
Build on “Shared Nothing” to achieve “Trust No One”
Also known as “Defense in Depth”
AUTOMATE EVERYTHING
“Fat Fingers” == Plausible Deniability
Automated == non-repudiable change control
Build to the OSI 7-layer model
Layer 1
Layer 1, 2 and 3
Lock your doors
Do your background checks
Use separate physical networks for admin
Network model and management
Use RFC 1918 address space when appropriate
Use VLANs if necessary
Firewall every machine (ebtables, iptables)
Border firewalls (port and protocol level)
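The layer 1 to 3 rules above in working form, as an added example that is not part of the original deck or of OpenStack itself: a default-deny iptables ruleset for a compute host where admin services (SSH, the message queue, the database, libvirt migration) are accepted only on the admin NIC and only from a separate RFC 1918 management network. The NIC names, the 10.10.0.0/24 management prefix and the port list are assumptions for illustration; the small evaluator at the end lets you check the policy without loading it on a box.

```python
"""Default-deny host firewall for an OpenStack compute node (iptables-restore format).

Added example; not from the original deck or from OpenStack itself. Admin services are
reachable only from a separate RFC 1918 management network on the admin NIC, everything
else is a port-and-protocol allow-list with a DROP policy behind it. The NIC names,
network and port list are assumptions for illustration.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed host layout: admin NIC on a private management network, tenant NIC elsewhere.
MGMT_NET = "10.10.0.0/24"
ADMIN_IFACE = "eth0"
# Assumed admin-only TCP services: SSH, message queue, database, libvirt over TLS.
MGMT_ONLY_TCP = {22: "ssh", 5672: "amqp", 3306: "mysql", 16514: "libvirt-tls"}


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 blocks. ipaddress.is_private is broader
    (it also counts 100.64/10, 198.18/15 and others), so check the blocks explicitly."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def build_ruleset(mgmt_net=MGMT_NET, admin_iface=ADMIN_IFACE, mgmt_tcp=MGMT_ONLY_TCP) -> list:
    """Return iptables-restore lines for the INPUT chain of a compute host."""
    net = ipaddress.ip_network(mgmt_net)
    if not is_rfc1918(str(net.network_address)):
        raise ValueError(f"management network {net} is not RFC 1918 space")
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",      # default deny on the way in
        ":FORWARD DROP [0:0]",    # hosts bridging guest traffic add nova/neutron's own FORWARD rules on top
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    for port, name in sorted(mgmt_tcp.items()):
        # Bound to the admin NIC *and* the management prefix: a packet with a spoofed
        # 10.10.0.x source arriving on the tenant NIC still falls through to the DROP policy.
        rules.append(
            f"-A INPUT -i {admin_iface} -s {net} -p tcp --dport {port} "
            f"-m conntrack --ctstate NEW -m comment --comment {name} -j ACCEPT"
        )
    rules.append('-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "')
    rules.append("COMMIT")
    return rules


ACCEPT_RE = re.compile(r"^-A INPUT -i (\S+) -s (\S+) -p tcp --dport (\d+) .* -j ACCEPT$")


def allows(rules, iface: str, src: str, dport: int) -> bool:
    """Evaluate the generated ruleset for a NEW TCP connection. The chain policy is DROP,
    so anything that matches no ACCEPT rule is refused."""
    ip = ipaddress.ip_address(src)
    for line in rules:
        m = ACCEPT_RE.match(line)
        if (m and m.group(1) == iface and ip in ipaddress.ip_network(m.group(2))
                and int(m.group(3)) == dport):
            return True
    return False


if __name__ == "__main__":
    print("\n".join(build_ruleset()))   # pipe into: iptables-restore
```

The evaluator is the part worth keeping around: a rule that looks right in the file is not the same as a rule that refuses SSH from the tenant NIC, and the second thing is what you want asserted before a host joins the pool.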
Never assume it’s bilateral
Layer 4, 5, 6 and 7
Control system access
Best case: no host-based shell access AT ALL.
Second-best: federated auth with 2-factor, keys only
Worst case: host-level root login with passwords
Run IDS on hosts and guests
Scan continuously: hosts and guests, on all networks
Proactively defend: Fail2Ban, etc. (F2B-a-a-S)
Layer ‘V’
Don't trust the hypervisor (TXT / TPM)
Conversely, don't trust the VM (blue-pill exploits, etc.)
Host-based firewall within the VM (CloudPassage "Halo")
Access control for VMs: the same approaches apply (Auth-as-a-Service)
“Proof” and Policy In God We Trust – All Others, Bring Data.
Log early, log often
Classic best practices: redundant, off-site log servers
Log aggregation and analysis / event detection
Logging-as-a-Service
CloudAudit
Make and verify your assertions (coming soon…)
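Why the "Fail2Ban" bullet on the layer 4 to 7 slide and the "log aggregation / event detection" bullet above belong together, as an added example that is not from the original deck or from Fail2Ban: a per-host Fail2Ban only sees its own host, so an attacker who spreads attempts across the fleet stays under every local threshold; the same sliding-window detector run over the aggregated stream sees the pattern. The sshd log lines are constructed samples in the syslog format sshd writes, and the ten-minute window and threshold of five are assumptions.

```python
"""Fleet-wide SSH brute-force detection over aggregated sshd logs.

Added example; not from the original deck or from Fail2Ban. The log lines are
constructed samples; window and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: two compute hosts shipping syslog to a central collector.
SAMPLE_LOG = """\
Mar 14 10:00:01 compute-01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar 14 10:00:03 compute-01 sshd[2203]: Failed password for root from 203.0.113.9 port 51130 ssh2
Mar 14 10:00:04 compute-02 sshd[1877]: Failed password for root from 203.0.113.9 port 51140 ssh2
Mar 14 10:00:06 compute-02 sshd[1879]: Failed password for invalid user oracle from 203.0.113.9 port 51151 ssh2
Mar 14 10:00:09 compute-01 sshd[2210]: Failed password for root from 203.0.113.9 port 51160 ssh2
Mar 14 10:00:30 compute-01 sshd[2215]: Accepted publickey for ops from 10.10.0.5 port 40022 ssh2: ED25519 SHA256:c0nstructed
Mar 14 10:02:00 compute-02 sshd[1890]: Failed password for root from 198.51.100.4 port 33001 ssh2
Mar 14 10:15:00 compute-02 sshd[1901]: Failed password for root from 198.51.100.4 port 33012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(line: str, year: int = 2024):
    """Parse one sshd syslog line. Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "event": m["event"], "user": m["user"], "ip": m["ip"]}


def failed_logins(log: str, window_minutes: int = 10, threshold: int = 5) -> dict:
    """Sliding-window count of failures per source IP across every host in the log.
    Returns {ip: timestamp of the failure that crossed the threshold}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    banned = {}
    for line in log.splitlines():
        ev = parse(line)
        if not ev or ev["event"] != "Failed password" or ev["ip"] in banned:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            banned[ev["ip"]] = ev["ts"]
    return banned


def per_host(log: str, **kw) -> dict:
    """The same detector run separately per host, i.e. what an unaggregated Fail2Ban sees."""
    by_host = defaultdict(list)
    for line in log.splitlines():
        ev = parse(line)
        if ev:
            by_host[ev["host"]].append(line)
    return {host: failed_logins("\n".join(lines), **kw) for host, lines in by_host.items()}


def ban_rules(banned: dict) -> list:
    """Turn findings into border-firewall rules (assumed: plain INPUT chain, no ipset)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    print("aggregated:", failed_logins(SAMPLE_LOG))
    print("per host:  ", per_host(SAMPLE_LOG))
    print("\n".join(ban_rules(failed_logins(SAMPLE_LOG))))
```

On the sample, 203.0.113.9 makes three attempts against compute-01 and two against compute-02 inside eight seconds: neither host alone reaches five, the aggregated view does. The second source, 198.51.100.4, makes two attempts thirteen minutes apart and stays below any sensible threshold, which is the usual false-positive case a window is there to handle.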
Did you remember to delete his account?
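One way to answer that question across a fleet, as an added example that is not from the original deck: collect the authorized_keys files from every host and match them against the fingerprints recorded for departed users. Matching is done on the key's SHA256 fingerprint (what ssh-keygen -lf prints), never on the comment field, because the comment is free text that anyone with write access to the file can change. The hosts, paths, keys and roster are constructed samples; the key bytes are deterministic filler shaped like an ed25519 public key, not a real key pair.

```python
"""Find SSH keys of departed users that are still authorized somewhere in the fleet.

Added example; not from the original deck. Hosts, paths, keys and the departed
roster are constructed samples.
"""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint of a base64 key blob in ssh-keygen's 'SHA256:...' form (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str):
    """Yield (fingerprint, comment) per key line. Options such as command="..." may precede
    the key type, so the key-type token is located rather than assumed to be first."""
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts):
            if tok in KEY_TYPES and i + 1 < len(parts):
                yield fingerprint(parts[i + 1]), " ".join(parts[i + 2:])
                break


def stale_keys(fleet_files: dict, departed: dict) -> list:
    """fleet_files: {(host, path): contents}; departed: {fingerprint: username}."""
    findings = []
    for (host, path), text in fleet_files.items():
        for fp, comment in parse_authorized_keys(text):
            if fp in departed:
                findings.append({"host": host, "path": path, "user": departed[fp],
                                 "fingerprint": fp, "comment": comment})
    return findings


def stale_by_comment(fleet_files: dict, departed_users: set) -> list:
    """The naive grep-for-username check, kept only to show what it misses."""
    return [(host, path) for (host, path), text in fleet_files.items()
            for _fp, comment in parse_authorized_keys(text)
            if comment.split("@")[0] in departed_users]


def sample_key(seed: bytes) -> str:
    """Constructed authorized_keys entry: ed25519 blob layout with 32 deterministic filler bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


ALICE_KEY = sample_key(b"alice")   # alice has left
BOB_KEY = sample_key(b"bob")       # bob is still on staff
FLEET = {  # constructed authorized_keys contents gathered from three hosts
    ("compute-01", "/root/.ssh/authorized_keys"): f"{BOB_KEY} bob@laptop\n{ALICE_KEY} alice@laptop\n",
    ("compute-02", "/home/deploy/.ssh/authorized_keys"):
        f'# deploy key\ncommand="/usr/local/bin/deploy" {ALICE_KEY} deploy-bot\n',
    ("controller-01", "/root/.ssh/authorized_keys"): f"{BOB_KEY} bob@laptop\n",
}
DEPARTED = {fingerprint(ALICE_KEY.split()[1]): "alice"}   # fingerprints captured at offboarding

if __name__ == "__main__":
    for f in stale_keys(FLEET, DEPARTED):
        print(f"{f['host']}:{f['path']} still trusts {f['user']} ({f['fingerprint']}) comment={f['comment']!r}")
```

The second copy of alice's key on compute-02 carries the comment "deploy-bot" and a forced command, which is exactly the entry a username grep misses and a fingerprint match finds. Capture fingerprints when a key is issued, not when the person leaves.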
Security Theatre “Given enough hand-waving, all systems are secure.”
Don’t get confused!
Crypto is useless if keys are stored with the data
Private networks are useless if doors aren’t locked
Certification only proves that you’re doing what you said you were going to do. You can still be wrong.
Forget “Trust, but verify”. Just don’t trust.
Bonus: Forensics It’s not an “If” – it’s a “When”
Bonus Section: Forensics
Have a chaos-monkey of compromise
Can you perform forensics and remediation without impacting other users of your cloud?
Spanning ports and extra storage
“Graveyard” for recently deleted images and instances
What’s in the CloudPipe? “We can only see a short distance ahead, but we can see plenty there that needs to be done.” – Alan Turing
The Machine, aka “Sneaky Monkey”: continuous integration of penetration and vulnerability testing.
We’re doing “stuff” No… really. Hardening
Trusted Execution
Outfoxing the fox
Intel is working with many companies within OpenStack, including Piston.
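The arithmetic behind "don't trust the hypervisor (TXT / TPM)" on the Layer 'V' slide and the Trusted Execution slide above, as an added example that is not from the original deck, OpenStack or Intel's TXT code. A TPM PCR cannot be written, only extended (PCR' = SHA-256(PCR || digest)), so a verifier holding the host's boot event log can recompute the PCR, compare it with the value the TPM reported in a quote, and then check each measured component against a golden list; a scheduler can then place guests only on hosts that pass, the idea behind a trusted compute pool. Component names, measurements and the golden list are constructed samples. Verifying the quote's signature with the TPM's attestation key is out of scope here and must happen before the PCR value is believed at all.

```python
"""Replay a measured-boot event log against a TPM PCR value.

Added example; not from the original deck, OpenStack or Intel. Components,
measurements and the golden list are constructed samples. Quote signature
verification (TPM attestation key) is assumed to have happened already.
"""
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 bank


def measure(blob: bytes) -> bytes:
    """Digest of a component as the boot chain records it before handing control over."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """The only operation a TPM offers on a PCR: it cannot be set, only extended."""
    return hashlib.sha256(pcr + digest).digest()


def replay(event_log) -> bytes:
    """Recompute the PCR from an ordered list of (component, digest) events, from reset (all zeros)."""
    pcr = bytes(PCR_SIZE)
    for _component, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def attest(event_log, quoted_pcr: bytes, golden: dict) -> dict:
    """Check (1) the log reproduces the quoted PCR and (2) every component is a known-good build."""
    log_matches = hmac.compare_digest(replay(event_log), quoted_pcr)
    unknown = [name for name, digest in event_log if golden.get(name) != digest]
    return {"trusted": log_matches and not unknown,
            "log_matches_quote": log_matches,
            "unknown_components": unknown}


def trusted_hosts(reports: dict, golden: dict) -> list:
    """Scheduler-side use: reports is {host: (event_log, quoted_pcr)}; keep hosts that attest clean."""
    return sorted(h for h, (log, pcr) in reports.items() if attest(log, pcr, golden)["trusted"])


# Constructed golden list of the builds we are willing to run guests on.
GOLDEN = {
    "bios": measure(b"bios-1.2"),
    "bootloader": measure(b"grub-2.06"),
    "kernel": measure(b"vmlinuz-5.15-kvm"),
    "initrd": measure(b"initrd-5.15"),
}
ORDER = ("bios", "bootloader", "kernel", "initrd")
CLEAN_LOG = [(c, GOLDEN[c]) for c in ORDER]
# Same chain with a modified kernel. The host's log records the real digest because the
# bootloader measures what it actually loads, not what the operator claims is installed.
TAMPERED_LOG = [(c, measure(b"vmlinuz-5.15-rootkit") if c == "kernel" else GOLDEN[c]) for c in ORDER]

if __name__ == "__main__":
    reports = {
        "compute-01": (CLEAN_LOG, replay(CLEAN_LOG)),          # honest, clean
        "compute-02": (TAMPERED_LOG, replay(TAMPERED_LOG)),    # honest log, bad kernel
        "compute-03": (CLEAN_LOG, replay(TAMPERED_LOG)),       # clean-looking log, quote disagrees
    }
    print(trusted_hosts(reports, GOLDEN))
```

The third case is the one that justifies the whole mechanism: a compromised host can hand the verifier any event log it likes, but it cannot make the TPM sign a PCR value that the forged log replays to. The log is untrusted input; the quote is the anchor.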
Questions?
Credits
Matt Linton – Nebula CSO
Jesse Andrews – AnsoLabs Founder
Soo Choi – 7120.7 Nazi
Matt Chew-Spence – FIPS 199 Guru
Keith Shackleford and James Williams
Chris Kemp
Bobby Cates, Dave Swagger, E. Lopez, Grace De Leon, Guy with Gun #1, Guy with Gun #2…

Open stack security emea launch


Editor's Notes

  1. I have 30 minutes for a 2 hour talk, so I’ll cover this at a high level, and I’ll make myself available for more detailed questions afterwards.
  2. It’s not an “if” – it’s a “when”
  3. 80% of all security attacks come from current or former employees or contractors. Assume every host in your network is or will be compromised, and plan accordingly.
  4. (Splunk, syslog-ng)