SlideShare una empresa de Scribd logo
1 de 21
Descargar para leer sin conexión
SESSION ID:
#RSAC
Scott Carlson – PayPal
Realities of Private Cloud
Security
CSV-F03
@relaxed137
#RSAC
Cloud Design Principals, traditional Data Center
Deploy from Templates
Any Image, Anywhere
Automatically scale up/down workloads
Follow devops auto-deployments CI/CD
Respond to intra-cloud events
ELASTIC
VIRTUAL
PCI-DSS 2.0 and 3.0
Local Country RequirementsSECURE
PayPal Cloud & Software Defined Data Center
2
#RSAC
Compliance <> Security
Secure Compliant
PCI DSS
HIPAA / HITECH
SOX
FedRAMP/FISMA
ISO/IEC 27001-2005
NIST SP800-53
#RSAC
@ http://xkcd.com used with permission under Creative commons License
4
#RSAC
Compliance Requirements of PayPal
✔
✔
5
Compliant with PCI-DSS 2.0 Standards
Non-US locations compliant with local country regulations
#RSAC
Be patched, be compliant, be
hardened, be layered, don’t let data
leave your network
Log it all; parse it all; sesame street logic;
leave no stone unturnedDETECT
PREVENT
Quarantine; active defense; mitigate;
high priority patches; bug fixes; block
ports; kill data streams; sever
connections
RESPOND
What is Secure
6
#RSAC
Are there any Private Cloud Standards?
… Hardly …
Cloud Controls Matrix 3.0.1 – release date 7/2015
https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/
PCI DSS Virtualization Guidelines
https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf
PCI DSS Cloud Computing Guidelines
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf
NIST Special Publication 800-144
http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
7
#RSAC
What about Public Cloud?
A lot of vendors have been upping their game with security in the
public cloud. If your organization does not have an Information
Security organization, you do not run your own data center, or you
just flat out don’t know where to begin, there are public cloud
solutions that can meet most information security requirements today.
… This talk is not about the Public Cloud …
8
#RSAC
Our Methodology – Private Cloud Security
9
 Don’t make it too hard – it’s just mostly infrastructure
 Adapt FAST
 Developers & “AAS” Washing changes the access paradigm (2FA + RBAC anyone?)
 3rd-party applications sitting on a cloud are still just 3rd-party applications
 Home-grown application sitting on a cloud are still just home-grown applications
 Cross-managing “in-scope” and “out-of-scope” environments is fraught with peril. Tread
Lightly…
 The minute something is created in the cloud, it is subject to the requirements.
Existence = production because it could be compromised, attacked, …
#RSAC
Agile
Quick and well-coordinated in movement; marked by an ability to think quickly; intellectual acuity
 Consider everything dirty… examine it… spray the bad
parts… clean it… use machines to do the dirty work
 Run traffic over it… verify assumptions… send it back to
the wash if needed… deliver to customer… use it yourself
 Check your work… check new versions… talk to new
people… find all of the new and exciting ways people are
doing things
10
#RSAC
Basic Methodology
Just pretend it is infrastructure
OpenStack has servers in it
 Hardware configured and dedicated to the cloud
 Hypervisor/Build Image meeting NIST/CIS standard templates
 Vulnerability Scanning with third-party tooling
 Patching 7-, 30-, 90-day windows with vendor provided patches
 Configuration Management for important system files
 Password Management – non-default, complex and unique!
OpenStack has users in it
 Do not use shared accounts for anything. Just don’t
 Log everything (auth) about a user. Send it somewhere you
can find it. Keep it a LONG time
 Define a Role, Add People to the Role, Attest the Role
 Multi-Factor Tokens!!!!
 All cloud actions tied back to an individual user
11
#RSAC
Basic Methodology
Just pretend it is infrastructure
Hypervisor Components
 It’s just “Linux”. Treat it like hardened “Linux” and lock it
down to standards (CIS, NIST)
 Have a separate management interface from your production
traffic (physical or virtual)
 Do not combine security zones within a single hypervisor
because then it’s ALL “in-scope”
 Audit access, audit changes, be ready to show your work
 Be ready to defend decisions to share ports for components
OpenStack Software Stack
 Limited vulnerability scanning in a programmatic way, have
to build your own (Fortify, AppScan)
 Getting code from Trunk = Open Source Happiness, but have
your licenses reviewed!
 You still need to code review if CDE passes through here
 Avoid Avoid Avoid actual data getting put in your cloud
stack
(not guest VMs, those are ok)
12
#RSAC
Basic Methodology
Just pretend it is infrastructure
Physical Network Components
 Firewall rules around the cloud to limit ingress and egress
(is iptables a firewall?)
 Monitor what happens on your firewalls, send it somewhere,
keep it a LONG time
 Make sure the person building your network isn’t the person
building your cloud (SOD)
 Configuration guidelines exist for most physical installations
(avoid virtual for now…)
 Automation is fine, but make sure you log it and auto-ticket it
Virtual Network Components
 Too early in the testing process to rely on virtual versions of
components at scale [ No standards, Auditor Support ]
 Okay for intra-tenant traffic with minimal rule set
 Same rules for physical apply to virtual. Has your third-party
pen-tested and certified their thing?
13
#RSAC
@ http://xkcd.com used with permission under Creative commons License
14
#RSAC
Basic Methodology
Just pretend it is infrastructure
Data
 If it’s card-holder data, controls become interesting very quickly
 Encrypt your data PRIOR to writing it to databases/repositories
 Storing things encrypted at rest in VMs mean you can’t use OpenStack components
 HSM, crypto, key management required
 User management, controls over data, logging, all of the standard stuff needed
15
#RSAC
Basic Methodology
Just pretend it is infrastructure
“As a Service” Tooling
 Role-based access
 2FA to “in-scope” environments
 TLS on EVERYTHING
 Don’t pass your tokens around, expire them quickly
 Don’t rely on credentials from the wrong environment!
 Always check for software vulnerabilities in your code
 NOTHING goes into production without passing the sanity test… NOTHING
16
#RSAC
Basic Methodology
Just pretend it is infrastructure
Central Management Considerations
 Make all of your management control planes trusted
 It is NEVER okay to talk from a lower-trust environment into a higher-trust environment
 It is better to expose a protected web front-end than keep the “manager” in an untrusted
zone
 If your control plane is compromised, your cloud is toast. Cloud expands the cascade
of compromise across your whole environment depending on your control plane and
availability zones
 Deleting your cloud as an attack is just the same as a compromise sometimes
17
#RSAC
Secure is not a permanent state
18
#RSAC
Security can not work effectively unless you have agility
19
#RSAC
How to apply this to your own environment?
 Look into how you are using your cloud today
 Verify the security controls and regulatory controls you need
 Do the basics discussed here
 Pen Test your cloud
 Resolve the findings, and then start iterating and making more
secure!
 Get involved to fix industry standards so that private clouds are
people too!
20
#RSAC
For more information, please contact:
Scott Carlson
sccarlson@paypal.com
@relaxed137

Más contenido relacionado

La actualidad más candente

Crypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and BitcoinCrypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and BitcoinPriyanka Aash
 
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...centralohioissa
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate  Security Perimeter without FirewallsHow Google Protects Its Corporate  Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsPriyanka Aash
 
Incident response-in-the-cloud
Incident response-in-the-cloudIncident response-in-the-cloud
Incident response-in-the-cloudPriyanka Aash
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.Teri Radichel
 
BeyondCorp - Google Security for Everyone Else
BeyondCorp  - Google Security for Everyone ElseBeyondCorp  - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone ElseIvan Dwyer
 
Customer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-CodeCustomer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-CodePanther Labs
 
BeyondCorp: Closing the Adherence Gap
BeyondCorp: Closing the Adherence GapBeyondCorp: Closing the Adherence Gap
BeyondCorp: Closing the Adherence GapIvan Dwyer
 
SAP Cloud security overview 2.0
SAP Cloud security overview 2.0SAP Cloud security overview 2.0
SAP Cloud security overview 2.0Rasmi Swain
 
BeyondCorp and Zero Trust
BeyondCorp and Zero TrustBeyondCorp and Zero Trust
BeyondCorp and Zero TrustIvan Dwyer
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session Splunk
 
SBRC'17 discussion panel about NFV and SDN
SBRC'17 discussion panel about NFV and SDNSBRC'17 discussion panel about NFV and SDN
SBRC'17 discussion panel about NFV and SDNSébastien Tandel
 
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...RightScale
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019Fahad Al-Hasan
 
Log management principle and usage
Log management principle and usageLog management principle and usage
Log management principle and usageBikrant Gautam
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Harry McLaren
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk M sharifi
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)Lancope, Inc.
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 

La actualidad más candente (20)

Crypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and BitcoinCrypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and Bitcoin
 
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate  Security Perimeter without FirewallsHow Google Protects Its Corporate  Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without Firewalls
 
Incident response-in-the-cloud
Incident response-in-the-cloudIncident response-in-the-cloud
Incident response-in-the-cloud
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.
 
BeyondCorp - Google Security for Everyone Else
BeyondCorp  - Google Security for Everyone ElseBeyondCorp  - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone Else
 
ITrust Security Operating Center (SOC) - Datasheet EN
ITrust Security Operating Center (SOC) - Datasheet ENITrust Security Operating Center (SOC) - Datasheet EN
ITrust Security Operating Center (SOC) - Datasheet EN
 
Customer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-CodeCustomer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-Code
 
BeyondCorp: Closing the Adherence Gap
BeyondCorp: Closing the Adherence GapBeyondCorp: Closing the Adherence Gap
BeyondCorp: Closing the Adherence Gap
 
SAP Cloud security overview 2.0
SAP Cloud security overview 2.0SAP Cloud security overview 2.0
SAP Cloud security overview 2.0
 
BeyondCorp and Zero Trust
BeyondCorp and Zero TrustBeyondCorp and Zero Trust
BeyondCorp and Zero Trust
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session
 
SBRC'17 discussion panel about NFV and SDN
SBRC'17 discussion panel about NFV and SDNSBRC'17 discussion panel about NFV and SDN
SBRC'17 discussion panel about NFV and SDN
 
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
Log management principle and usage
Log management principle and usageLog management principle and usage
Log management principle and usage
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 

Destacado

How to Make a Decent PowerPoint
How to Make a Decent PowerPointHow to Make a Decent PowerPoint
How to Make a Decent PowerPointAdam Fowler
 
Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?Wendy Nather
 
Neira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira Jones
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareLeigh Honeywell
 
Distributed Denial Of Service Introduction
Distributed Denial Of Service IntroductionDistributed Denial Of Service Introduction
Distributed Denial Of Service Introductionwremes
 
AusCERT - Mikko Hypponen
AusCERT - Mikko HypponenAusCERT - Mikko Hypponen
AusCERT - Mikko HypponenMikko Hypponen
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Scott Carlson
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Dan Kaminsky
 
The InfoSec Avengers
The InfoSec AvengersThe InfoSec Avengers
The InfoSec AvengersTripwire
 
Security Configuration Management for Dummies
Security Configuration Management for DummiesSecurity Configuration Management for Dummies
Security Configuration Management for DummiesTripwire
 
RDF and other linked data standards — how to make use of big localization data
RDF and other linked data standards — how to make use of big localization dataRDF and other linked data standards — how to make use of big localization data
RDF and other linked data standards — how to make use of big localization dataDave Lewis
 
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...Tripwire
 
The dark side of the internet
The dark side of the internetThe dark side of the internet
The dark side of the internetBrian Honan
 
Data security brian honan
Data security   brian honanData security   brian honan
Data security brian honanBrian Honan
 

Destacado (14)

How to Make a Decent PowerPoint
How to Make a Decent PowerPointHow to Make a Decent PowerPoint
How to Make a Decent PowerPoint
 
Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?
 
Neira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf ready
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure software
 
Distributed Denial Of Service Introduction
Distributed Denial Of Service IntroductionDistributed Denial Of Service Introduction
Distributed Denial Of Service Introduction
 
AusCERT - Mikko Hypponen
AusCERT - Mikko HypponenAusCERT - Mikko Hypponen
AusCERT - Mikko Hypponen
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)
 
The InfoSec Avengers
The InfoSec AvengersThe InfoSec Avengers
The InfoSec Avengers
 
Security Configuration Management for Dummies
Security Configuration Management for DummiesSecurity Configuration Management for Dummies
Security Configuration Management for Dummies
 
RDF and other linked data standards — how to make use of big localization data
RDF and other linked data standards — how to make use of big localization dataRDF and other linked data standards — how to make use of big localization data
RDF and other linked data standards — how to make use of big localization data
 
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
 
The dark side of the internet
The dark side of the internetThe dark side of the internet
The dark side of the internet
 
Data security brian honan
Data security   brian honanData security   brian honan
Data security brian honan
 

Similar a RSA 2015 Realities of Private Cloud Security

Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramPriyanka Aash
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or diePriyanka Aash
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSAShannon Lietz
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainPriyanka Aash
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.Priyanka Aash
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityKarthik Gaekwad
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPriyanka Aash
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...Aaron Rinehart
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjurconjur_inc
 
Architecting Secure Web Systems
Architecting Secure Web SystemsArchitecting Secure Web Systems
Architecting Secure Web SystemsInnoTech
 
Infrastructure as Code to Maintain your Sanity
Infrastructure as Code to Maintain your SanityInfrastructure as Code to Maintain your Sanity
Infrastructure as Code to Maintain your SanityDewey Sasser
 
Why the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsWhy the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsErnest Mueller
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfacePriyanka Aash
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformAshnikbiz
 
Security for AWS : Journey to Least Privilege (update)
Security for AWS : Journey to Least Privilege (update)Security for AWS : Journey to Least Privilege (update)
Security for AWS : Journey to Least Privilege (update)dhubbard858
 
Security for AWS: Journey to Least Privilege
Security for AWS: Journey to Least PrivilegeSecurity for AWS: Journey to Least Privilege
Security for AWS: Journey to Least PrivilegeLacework
 
RSA 2016 Realities of Data Security
RSA 2016 Realities of Data SecurityRSA 2016 Realities of Data Security
RSA 2016 Realities of Data SecurityScott Carlson
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure SecurityRicky Sanders
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowPriyanka Aash
 

Similar a RSA 2015 Realities of Private Cloud Security (20)

Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security Program
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSA
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native Security
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for Cloud
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
 
Architecting Secure Web Systems
Architecting Secure Web SystemsArchitecting Secure Web Systems
Architecting Secure Web Systems
 
Infrastructure as Code to Maintain your Sanity
Infrastructure as Code to Maintain your SanityInfrastructure as Code to Maintain your Sanity
Infrastructure as Code to Maintain your Sanity
 
Why the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsWhy the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systems
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps Platform
 
Security for AWS : Journey to Least Privilege (update)
Security for AWS : Journey to Least Privilege (update)Security for AWS : Journey to Least Privilege (update)
Security for AWS : Journey to Least Privilege (update)
 
Security for AWS: Journey to Least Privilege
Security for AWS: Journey to Least PrivilegeSecurity for AWS: Journey to Least Privilege
Security for AWS: Journey to Least Privilege
 
RSA 2016 Realities of Data Security
RSA 2016 Realities of Data SecurityRSA 2016 Realities of Data Security
RSA 2016 Realities of Data Security
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
 

Más de Scott Carlson

What are Blockchain & Tokens and are they useful ?
What are Blockchain & Tokens and are they useful ?What are Blockchain & Tokens and are they useful ?
What are Blockchain & Tokens and are they useful ?Scott Carlson
 
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?Scott Carlson
 
DCD Converged Brazil 2016
DCD Converged Brazil 2016 DCD Converged Brazil 2016
DCD Converged Brazil 2016 Scott Carlson
 
Trust But Control: Managing Privileges without killing productivity
Trust But Control:  Managing Privileges without killing productivityTrust But Control:  Managing Privileges without killing productivity
Trust But Control: Managing Privileges without killing productivityScott Carlson
 
Will Your Cloud Be Compliant? OpenStack Security
Will Your Cloud Be Compliant?  OpenStack SecurityWill Your Cloud Be Compliant?  OpenStack Security
Will Your Cloud Be Compliant? OpenStack SecurityScott Carlson
 
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data Center
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data CenterInterop Las Vegas Cloud Connect Summit 2014 - Software Defined Data Center
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data CenterScott Carlson
 
Can Security & Agility Co-Exist
Can Security & Agility Co-ExistCan Security & Agility Co-Exist
Can Security & Agility Co-ExistScott Carlson
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011Scott Carlson
 
HP Enterprise Security Customer Case Study - Apollo Group
HP Enterprise Security Customer Case Study - Apollo GroupHP Enterprise Security Customer Case Study - Apollo Group
HP Enterprise Security Customer Case Study - Apollo GroupScott Carlson
 
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013Marriage of ESX and OpenStack - PayPal - VMWorld US 2013
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013Scott Carlson
 
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile Devices
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile DevicesMcAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile Devices
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile DevicesScott Carlson
 
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...Scott Carlson
 
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013Scott Carlson
 

Más de Scott Carlson (13)

What are Blockchain & Tokens and are they useful ?
What are Blockchain & Tokens and are they useful ?What are Blockchain & Tokens and are they useful ?
What are Blockchain & Tokens and are they useful ?
 
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?
 
DCD Converged Brazil 2016
DCD Converged Brazil 2016 DCD Converged Brazil 2016
DCD Converged Brazil 2016
 
Trust But Control: Managing Privileges without killing productivity
Trust But Control:  Managing Privileges without killing productivityTrust But Control:  Managing Privileges without killing productivity
Trust But Control: Managing Privileges without killing productivity
 
Will Your Cloud Be Compliant? OpenStack Security
Will Your Cloud Be Compliant?  OpenStack SecurityWill Your Cloud Be Compliant?  OpenStack Security
Will Your Cloud Be Compliant? OpenStack Security
 
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data Center
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data CenterInterop Las Vegas Cloud Connect Summit 2014 - Software Defined Data Center
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data Center
 
Can Security & Agility Co-Exist
Can Security & Agility Co-ExistCan Security & Agility Co-Exist
Can Security & Agility Co-Exist
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011
 
HP Enterprise Security Customer Case Study - Apollo Group
HP Enterprise Security Customer Case Study - Apollo GroupHP Enterprise Security Customer Case Study - Apollo Group
HP Enterprise Security Customer Case Study - Apollo Group
 
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013Marriage of ESX and OpenStack - PayPal - VMWorld US 2013
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013
 
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile Devices
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile DevicesMcAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile Devices
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile Devices
 
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...
 
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013
 

Último

Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesDavid Newbury
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UbiTrack UK
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-pyJamie (Taka) Wang
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 

Último (20)

Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Linked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond OntologiesLinked Data in Production: Moving Beyond Ontologies
Linked Data in Production: Moving Beyond Ontologies
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 

RSA 2015 Realities of Private Cloud Security

  • 1. SESSION ID: #RSAC Scott Carlson – PayPal Realities of Private Cloud Security CSV-F03 @relaxed137
  • 2. #RSAC Cloud Design Principals, traditional Data Center Deploy from Templates Any Image, Anywhere Automatically scale up/down workloads Follow devops auto-deployments CI/CD Respond to intra-cloud events ELASTIC VIRTUAL PCI-DSS 2.0 and 3.0 Local Country RequirementsSECURE PayPal Cloud & Software Defined Data Center 2
  • 3. #RSAC Compliance <> Security Secure Compliant PCI DSS HIPAA / HITECH SOX FedRAMP/FISMA ISO/IEC 27001-2005 NIST SP800-53
  • 4. #RSAC @ http://xkcd.com used with permission under Creative commons License 4
  • 5. #RSAC Compliance Requirements of PayPal ✔ ✔ 5 Compliant with PCI-DSS 2.0 Standards Non-US locations compliant with local country regulations
  • 6. #RSAC Be patched, be compliant, be hardened, be layered, don’t let data leave your network Log it all; parse it all; sesame street logic; leave no stone unturnedDETECT PREVENT Quarantine; active defense; mitigate; high priority patches; bug fixes; block ports; kill data streams; sever connections RESPOND What is Secure 6
  • 7. #RSAC Are there any Private Cloud Standards? … Hardly … Cloud Controls Matrix 3.0.1 – release date 7/2015 https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ PCI DSS Virtualization Guidelines https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf PCI DSS Cloud Computing Guidelines https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf NIST Special Publication 800-144 http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf 7
  • 8. #RSAC What about Public Cloud? A lot of vendors have been upping their game with security in the public cloud. If your organization does not have an Information Security organization, you do not run your own data center, or you just flat out don’t know where to begin, there are public cloud solutions that can meet most information security requirements today. … This talk is not about the Public Cloud … 8
  • 9. #RSAC Our Methodology – Private Cloud Security 9  Don’t make it too hard – it’s just mostly infrastructure  Adapt FAST  Developers & “AAS” Washing changes the access paradigm (2FA + RBAC anyone?)  3rd-party applications sitting on a cloud are still just 3rd-party applications  Home-grown application sitting on a cloud are still just home-grown applications  Cross-managing “in-scope” and “out-of-scope” environments is fraught with peril. Tread Lightly…  The minute something is created in the cloud, it is subject to the requirements. Existence = production because it could be compromised, attacked, …
  • 10. #RSAC Agile Quick and well-coordinated in movement; marked by an ability to think quickly; intellectual acuity  Consider everything dirty… examine it… spray the bad parts… clean it… use machines to do the dirty work  Run traffic over it… verify assumptions… send it back to the wash if needed… deliver to customer… use it yourself  Check your work… check new versions… talk to new people… find all of the new and exciting ways people are doing things 10
  • 11. #RSAC Basic Methodology Just pretend it is infrastructure OpenStack has servers in it  Hardware configured and dedicated to the cloud  Hypervisor/Build Image meeting NIST/CIS standard templates  Vulnerability Scanning with third-party tooling  Patching 7-, 30-, 90-day windows with vendor provided patches  Configuration Management for important system files  Password Management – non-default, complex and unique! OpenStack has users in it  Do not use shared accounts for anything. Just don’t  Log everything (auth) about a user. Send it somewhere you can find it. Keep it a LONG time  Define a Role, Add People to the Role, Attest the Role  Multi-Factor Tokens!!!!  All cloud actions tied back to an individual user 11
  • 12. #RSAC Basic Methodology Just pretend it is infrastructure Hypervisor Components  It’s just “Linux”. Treat it like hardened “Linux” and lock it down to standards (CIS, NIST)  Have a separate management interface from your production traffic (physical or virtual)  Do not combine security zones within a single hypervisor because then it’s ALL “in-scope”  Audit access, audit changes, be ready to show your work  Be ready to defend decisions to share ports for components OpenStack Software Stack  Limited vulnerability scanning in a programmatic way, have to build your own (Fortify, AppScan)  Getting code from Trunk = Open Source Happiness, but have your licenses reviewed!  You still need to code review if CDE passes through here  Avoid Avoid Avoid actual data getting put in your cloud stack (not guest VMs, those are ok) 12
  • 13. #RSAC Basic Methodology Just pretend it is infrastructure Physical Network Components  Firewall rules around the cloud to limit ingress and egress (is iptables a firewall?)  Monitor what happens on your firewalls, send it somewhere, keep it a LONG time  Make sure the person building your network isn’t the person building your cloud (SOD)  Configuration guidelines exist for most physical installations (avoid virtual for now…)  Automation is fine, but make sure you log it and auto-ticket it Virtual Network Components  Too early in the testing process to rely on virtual versions of components at scale [ No standards, Auditor Support ]  Okay for intra-tenant traffic with minimal rule set  Same rules for physical apply to virtual. Has your third-party pen-tested and certified their thing? 13
  • 14. #RSAC @ http://xkcd.com used with permission under Creative commons License 14
  • 15. #RSAC Basic Methodology Just pretend it is infrastructure Data  If it’s card-holder data, controls become interesting very quickly  Encrypt your data PRIOR to writing it to databases/repositories  Storing things encrypted at rest in VMs mean you can’t use OpenStack components  HSM, crypto, key management required  User management, controls over data, logging, all of the standard stuff needed 15
  • 16. #RSAC Basic Methodology Just pretend it is infrastructure “As a Service” Tooling  Role-based access  2FA to “in-scope” environments  TLS on EVERYTHING  Don’t pass your tokens around, expire them quickly  Don’t rely on credentials from the wrong environment!  Always check for software vulnerabilities in your code  NOTHING goes into production without passing the sanity test… NOTHING 16
  • 17. #RSAC Basic Methodology Just pretend it is infrastructure Central Management Considerations  Make all of your management control planes trusted  It is NEVER okay to talk from a lower-trust environment into a higher-trust environment  It is better to expose a protected web front-end than keep the “manager” in an untrusted zone  If your control plane is compromised, your cloud is toast. Cloud expands the cascade of compromise across your whole environment depending on your control plane and availability zones  Deleting your cloud as an attack is just the same as a compromise sometimes 17
  • 18. #RSAC Secure is not a permanent state 18
  • 19. #RSAC Security can not work effectively unless you have agility 19
  • 20. #RSAC How to apply this to your own environment?  Look into how you are using your cloud today  Verify the security controls and regulatory controls you need  Do the basics discussed here  Pen Test your cloud  Resolve the findings, and then start iterating and making more secure!  Get involved to fix industry standards so that private clouds are people too! 20
  • 21. #RSAC For more information, please contact: Scott Carlson sccarlson@paypal.com @relaxed137