OpenStack Security A Primer
Me: Joshua McKenty
Twitter: @jmckenty
Email: joshua@pistoncloud.com
Former Chief Architect, NASA Nebula
Founding Member, OpenStack
OpenStack Project Policy Board
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
The Three Pillars of Security
“Bonus” Security Pillar: Forensics
Real Security: Assume everything goes wrong, even impossible things.
Defining Security
• FIPS 199 definition: Confidentiality, Integrity, Availability
Defining Vulnerability
• Build on “Shared Nothing” to achieve “Trust No One” (also known as “Defense in Depth”)
• AUTOMATE EVERYTHING: “Fat Fingers” == plausible deniability; automated == non-repudiable change control
• Build to the OSI 7-layer model
Layer 1
Layer 1, 2 and 3
• Lock your doors
• Do your background checks
• Use separate physical networks for admin
• Network model and management: use RFC 1918 address space when appropriate; use VLANs if necessary
• Firewall every machine (ebtables, iptables)
• Border firewalls (port and protocol level)
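The "firewall every machine" and "RFC 1918 for the admin network" points above can be made non-negotiable in automation rather than left to hand-typed rules. The following is an added example, not code from the deck or from Piston/OpenStack: it validates that the management network really is RFC 1918 space (spelling out the three ranges, since `ipaddress.is_private` also accepts loopback, link-local and carrier-grade NAT space) and then emits a default-deny per-host iptables INPUT ruleset in which SSH is reachable only from that management network. The admin CIDR, interface name and service ports are constructed placeholders.

```python
import ipaddress
from typing import Iterable, List

# Constructed example parameters (assumptions, not taken from the deck).
ADMIN_NET = "10.20.0.0/24"
SERVICE_PORTS = (80, 443)

# RFC 1918 ranges written out explicitly: ipaddress.is_private is wider
# (it also accepts 127/8, 169.254/16, 100.64/10 and others).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True only if the whole network sits inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)


def require_rfc1918(cidr: str) -> ipaddress.IPv4Network:
    """Refuse a management network that is not RFC 1918 space: routing admin
    traffic over public addresses defeats the separate admin network."""
    if not is_rfc1918(cidr):
        raise ValueError(f"admin network {cidr} is not RFC 1918 space")
    return ipaddress.ip_network(cidr, strict=True)


def host_rules(admin_cidr: str, service_ports: Iterable[int], iface: str = "eth0") -> List[str]:
    """Build a default-deny iptables INPUT policy for one host.

    Only the management network may reach SSH; everyone else reaches only
    the listed service ports. The commands are returned as a list rather
    than executed so automation can review, diff and apply them.
    """
    admin = require_rfc1918(admin_cidr)
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # SSH is admissible only from the RFC 1918 admin network.
        f"iptables -A INPUT -i {iface} -p tcp --dport 22 -s {admin} -j ACCEPT",
    ]
    for port in sorted(set(service_ports)):
        rules.append(f"iptables -A INPUT -i {iface} -p tcp --dport {port} -j ACCEPT")
    # Log what the DROP policy is about to discard ("log early, log often").
    rules.append("iptables -A INPUT -j LOG --log-prefix 'INPUT-DROP: '")
    return rules


if __name__ == "__main__":
    print("\n".join(host_rules(ADMIN_NET, SERVICE_PORTS)))
```

The generator deliberately raises rather than warns when the admin network is public: a rule set that silently accepts SSH from the whole Internet is exactly the "fat fingers" failure the deck wants automation to make impossible.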
Never assume it’s bilateral
Layer 4, 5, 6 and 7
• Control system access. Best case: no host-based shell access AT ALL. Second-best: federated auth with 2-factor, keys only. Worst case: host-level root login with passwords.
• Run IDS – on hosts and guests
• Scan continuously – hosts and guests, on all networks
• Proactively defend – Fail2Ban, etc. (F2B-a-a-S)
Layer ‘V’
• Don't trust the hypervisor (TXT / TPM)
• Conversely, don't trust the VM (blue-pill exploits, etc.)
• Host-based FW within the VM (CloudPassage "Halo")
• Access-control for VMs – same approaches apply (Auth-as-a-Service)
“Proof” and Policy In God We Trust – All Others, Bring Data.
Log early, log often
• Classic best practices – redundant, off-site log servers
• Log aggregation and analysis / event detection
• Logging-as-a-Service
CloudAudit: Make and verify your assertions (coming soon…)
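The two slides "Proactively defend – Fail2Ban" (Layer 4–7) and "Log aggregation and analysis / event detection" are really one argument: a per-host Fail2Ban only sees that host's failures, while a central log server sees a source spread across the fleet. The block below is an added example, not code from the deck or from Fail2Ban: it parses constructed sshd syslog lines (the hosts, addresses and timestamps are made up) and applies a Fail2Ban-style sliding window, keyed either per host or aggregated per source address, so the same input shows why aggregation catches what the per-host view misses. The log year is an assumption, since syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample sshd log lines (not from the deck). 203.0.113.7 fails
# twice on each of three hosts, staying under a per-host limit of 3, while
# 10.20.0.5 logs in normally and 198.51.100.9 fails once much later.
SAMPLE_LOG = """\
Jan 10 12:00:01 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 5120 ssh2
Jan 10 12:00:03 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 5121 ssh2
Jan 10 12:00:05 host2 sshd[3300]: Failed password for invalid user admin from 203.0.113.7 port 6000 ssh2
Jan 10 12:00:07 host2 sshd[3300]: Failed password for invalid user admin from 203.0.113.7 port 6001 ssh2
Jan 10 12:00:09 host3 sshd[4410]: Failed password for root from 203.0.113.7 port 7000 ssh2
Jan 10 12:00:11 host3 sshd[4410]: Failed password for root from 203.0.113.7 port 7001 ssh2
Jan 10 12:00:30 host1 sshd[2111]: Accepted publickey for deploy from 10.20.0.5 port 40000 ssh2
Jan 10 12:30:00 host1 sshd[2150]: Failed password for root from 198.51.100.9 port 5000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

Failure = Tuple[datetime, str, str]  # (time, host, source ip)


def parse_failures(lines: Iterable[str], year: int = 2012) -> List[Failure]:
    """Extract (time, host, source_ip) from failed-password lines.

    Syslog timestamps have no year, so the caller supplies one (assumed).
    Lines that are not failures (e.g. successful logins) are ignored.
    """
    out: List[Failure] = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["host"], m["ip"]))
    return out


def ban_decisions(failures: Iterable[Failure], maxretry: int = 3, findtime: int = 600,
                  per_host: bool = False) -> Dict[tuple, datetime]:
    """Fail2Ban-style detection: ban a key once it accumulates `maxretry`
    failures inside a `findtime`-second sliding window.

    per_host=True keys the window by (host, ip), which is what an
    unaggregated Fail2Ban on each machine sees. per_host=False keys it by
    ip alone, which is the view a central log server has of the fleet.
    Returns {key: time the ban fired}.
    """
    windows: Dict[tuple, Deque[datetime]] = defaultdict(deque)
    banned: Dict[tuple, datetime] = {}
    for ts, host, ip in sorted(failures):
        key = (host, ip) if per_host else (ip,)
        if key in banned:
            continue
        w = windows[key]
        w.append(ts)
        while w and (ts - w[0]).total_seconds() > findtime:
            w.popleft()  # drop failures that fell out of the window
        if len(w) >= maxretry:
            banned[key] = ts
    return banned


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG.splitlines())
    print("per host:  ", ban_decisions(fails, per_host=True))
    print("aggregated:", ban_decisions(fails))
```

On the sample, the per-host view bans nothing (two failures per host), while the aggregated view bans 203.0.113.7 at the third failure, on host2; that gap is the case for shipping every host's auth log to redundant off-site collectors before running detection.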
Did you remember to delete his account?
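The question above is answerable only if account state on every host is reconciled against a source of truth for people, and the editor's note that most attacks come from current or former insiders is why. The following is an added example, not code from the deck or from any OpenStack project: it takes a constructed HR roster, a constructed per-host inventory of local accounts and SSH key holders (as automation might collect from `/etc/passwd` and the comment field of `authorized_keys`), and reports every login or key that belongs to a terminated or unknown person. All names and hosts are made up.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample data (assumptions for this example, not from the deck).
# HR roster: who is still employed. Anyone absent here is unknown to HR.
ROSTER: Dict[str, str] = {"alice": "active", "bob": "terminated", "carol": "active"}
# Non-human accounts owned by automation and reviewed separately.
SERVICE_ACCOUNTS: Set[str] = {"root", "nova", "glance"}
# Per-host inventory: local login accounts, plus the people holding SSH
# keys in each account's authorized_keys (from the key comment field).
HOSTS = {
    "compute-01": {
        "accounts": {"root", "nova", "alice", "bob"},
        "key_holders": {"root": {"alice", "bob"}},
    },
    "controller-01": {
        "accounts": {"root", "glance", "carol", "dave"},
        "key_holders": {"root": {"carol", "mallory"}},
    },
}


@dataclass(frozen=True)
class Finding:
    host: str
    account: str   # the login account on the host
    person: str    # the human whose access is in question
    reason: str


def person_problem(roster: Dict[str, str], person: str) -> str:
    """Empty string if the person is an active employee, otherwise why
    their access should not exist."""
    status = roster.get(person)
    if status is None:
        return "not in roster"
    if status != "active":
        return f"status is {status}"
    return ""


def orphaned_access(roster: Dict[str, str], service_accounts: Set[str], hosts: dict) -> List[Finding]:
    """Reconcile every host's accounts and SSH key holders against HR.

    Two classes of orphan are reported: a personal account whose owner has
    left or is unknown, and a key on any account (root included) that
    belongs to such a person.
    """
    findings: List[Finding] = []
    for host, view in sorted(hosts.items()):
        for acct in sorted(view["accounts"]):
            if acct in service_accounts:
                continue
            why = person_problem(roster, acct)
            if why:
                findings.append(Finding(host, acct, acct, f"account owner {why}"))
        for acct, holders in sorted(view["key_holders"].items()):
            for holder in sorted(holders):
                why = person_problem(roster, holder)
                if why:
                    findings.append(Finding(host, acct, holder, f"key holder {why}"))
    return findings


if __name__ == "__main__":
    for f in orphaned_access(ROSTER, SERVICE_ACCOUNTS, HOSTS):
        print(f"{f.host}: {f.account} <- {f.person}: {f.reason}")
```

Run on a schedule and fed from the same automation that provisions accounts, a non-empty result is the "bring data" answer to the slide's question; the report intentionally treats an unknown person the same as a terminated one, since a key nobody in HR can vouch for is no safer than one left behind.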
Security Theatre “Given enough hand-waving, all systems are secure.”
Don’t get confused!
• Crypto is useless – if keys are stored with the data
• Private networks are useless – if doors aren’t locked
• Certification only proves that you’re doing what you said you were going to do. You can still be wrong.
• Forget “Trust, but verify”. Just don’t trust.
Bonus: Forensics It’s not an “If” – it’s a “When”
Bonus Section: Forensics
• Have a chaos-monkey of compromise
• Can you perform forensics and remediation without impacting other users of your cloud?
• Spanning ports and extra storage
• “Graveyard” for recently deleted images, instances
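A "graveyard" is a soft-delete store: a deleted image or instance is moved aside rather than destroyed, stays recoverable for a retention period, and can be placed under forensic hold so that a compromise discovered later still has evidence to examine. The block below is an added example of that design and is not OpenStack's own soft-delete code; the resource ids, dates and seven-day retention are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Resource:
    rid: str
    kind: str                            # "image" or "instance"
    deleted_at: Optional[datetime] = None
    forensic_hold: bool = False          # set by incident response; blocks purge


class Graveyard:
    """Soft-delete store: buried resources stay recoverable for `retention`
    and are never purged while under forensic hold (assumed design)."""

    def __init__(self, retention: timedelta):
        self.retention = retention
        self.live: Dict[str, Resource] = {}
        self.buried: Dict[str, Resource] = {}

    def create(self, rid: str, kind: str) -> None:
        self.live[rid] = Resource(rid, kind)

    def delete(self, rid: str, now: datetime) -> None:
        """Bury rather than destroy: the bytes stay, only the state changes."""
        res = self.live.pop(rid)
        res.deleted_at = now
        self.buried[rid] = res

    def hold(self, rid: str) -> None:
        self.buried[rid].forensic_hold = True

    def release(self, rid: str) -> None:
        self.buried[rid].forensic_hold = False

    def restore(self, rid: str) -> Resource:
        """Bring a buried resource back (a mistaken delete, or for analysis)."""
        res = self.buried.pop(rid)
        res.deleted_at = None
        res.forensic_hold = False
        self.live[rid] = res
        return res

    def purge(self, now: datetime) -> List[str]:
        """Destroy buried resources past retention that are not on hold;
        returns the ids actually purged."""
        expired = [rid for rid, r in self.buried.items()
                   if not r.forensic_hold and r.deleted_at is not None
                   and now - r.deleted_at >= self.retention]
        for rid in expired:
            del self.buried[rid]
        return sorted(expired)


def scenario() -> dict:
    """Walk the lifecycle on constructed data and report what each step did."""
    g = Graveyard(retention=timedelta(days=7))
    t0 = datetime(2012, 4, 1, 12, 0)
    for rid, kind in (("img-1", "image"), ("vm-1", "instance"), ("vm-2", "instance")):
        g.create(rid, kind)
    g.delete("img-1", t0)
    g.delete("vm-1", t0)
    g.hold("vm-1")                                  # IR wants vm-1 preserved
    early = g.purge(t0 + timedelta(days=1))         # inside retention: nothing
    g.restore("img-1")                              # mistaken delete undone
    late = g.purge(t0 + timedelta(days=8))          # vm-1 still on hold
    g.release("vm-1")
    after_release = g.purge(t0 + timedelta(days=8))
    return {"early": early, "late": late, "after_release": after_release,
            "live": sorted(g.live), "buried": sorted(g.buried)}


if __name__ == "__main__":
    print(scenario())
```

The point of the hold flag is the slide's "without impacting other users": investigators can freeze one tenant's deleted instance while the retention sweep keeps running normally for everyone else.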
What’s in the CloudPipe? “We can only see a short distance ahead, but we can see plenty there that needs to be done.” – Alan Turing
The Machine (aka “Sneaky Monkey”): Continuous Integration of penetration and vulnerability testing.
Hardening: We’re doing “stuff”. No… really.
Trusted Execution: Outfoxing the fox. Intel is working with many companies within OpenStack, including Piston.
Questions?
Credits
Matt Linton – Nebula CSO
Jesse Andrews – AnsoLabs Founder
Soo Choi – 7120.7 Nazi
Matt Chew-Spence – FIPS 199 Guru
Keith Shackleford and James Williams
Chris Kemp
Bobby Cates, Dave Swagger, E. Lopez, Grace De Leon, Guy with Gun #1, Guy with Gun #2…


Editor's Notes

  1. I have 30 minutes for a 2 hour talk, so I’ll cover this at a high level, and I’ll make myself available for more detailed questions afterwards.
  2. It’s not an “if” – it’s a “when”
  3. 80% of all security attacks come from current or former employees or contractors. Assume every host in your network is or will be compromised, and plan accordingly.
  4. (splunk, syslog-ng)