Build on "Shared Nothing" to achieve "Trust No One"
- Also known as "Defense in Depth"
- AUTOMATE EVERYTHING
- "Fat Fingers" == plausible deniability (a manual change can always be blamed on a typo)
- Automated == non-repudiable change control (every change is scripted, reviewed and logged)
- Build to the OSI 7-layer model
Layer 1, 2 and 3
- Lock your doors
- Do your background checks
- Use separate physical networks for admin
- Network model and management
- Use RFC 1918 address space when appropriate
- Use VLANs if necessary
- Firewall every machine (ebtables, iptables)
- Border firewalls (port and protocol level)
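As an added example (not from the original deck), the "firewall every machine" and "separate admin network in RFC 1918 space" bullets turned into a small generator for a per-host iptables-restore ruleset: default-deny inbound, SSH only from the admin network on the management interface, each public service opened explicitly, and a check that the admin network really is RFC 1918 space. The interface name eth1 and the service list are assumptions for the illustration.

```python
import ipaddress

# RFC 1918 private ranges; the admin network must sit inside one of them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if every address in cidr lies in RFC 1918 private space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == block.version and net.subnet_of(block)
               for block in RFC1918)


def host_ruleset(admin_net, public_services=(), mgmt_iface="eth1"):
    """Build an iptables-restore ruleset (text) for one host.

    Policy: default-deny inbound, SSH only from the admin network on the
    management interface, each public (port, proto) pair opened explicitly.
    mgmt_iface and public_services are assumptions for the example.
    """
    if not is_rfc1918(admin_net):
        raise ValueError(f"admin network {admin_net} is not RFC 1918 space")
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",      # default deny inbound
        ":FORWARD DROP [0:0]",    # a host does not route unless a rule says so
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        # admin access only: SSH from the admin net, only on the mgmt interface
        f"-A INPUT -i {mgmt_iface} -s {admin_net} -p tcp --dport 22 "
        "-m conntrack --ctstate NEW -j ACCEPT",
    ]
    for port, proto in public_services:
        lines.append(f"-A INPUT -p {proto} --dport {port} "
                     "-m conntrack --ctstate NEW -j ACCEPT")
    # log (rate-limited) what the default policy is about to drop, for the IDS
    lines.append('-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "')
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(host_ruleset("10.20.30.0/24", public_services=[(443, "tcp")]))
```

Feed the output to `iptables-restore` from your configuration management rather than typing rules by hand; that is the "automated == non-repudiable" point from the first slide applied to the firewall.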
Layer 4, 5, 6 and 7
- Control system access
  - Best case: no host-based shell access AT ALL
  - Second-best: federated auth with 2-factor, keys only
  - Worst case: host-level root login with passwords
- Run IDS on hosts and guests
- Scan continuously: hosts and guests, on all networks
- Proactively defend: Fail2Ban, etc. (F2B-a-a-S, Fail2Ban as a service)
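As an added example (not from the original deck), the "keys only, no root passwords" and "proactively defend with Fail2Ban" bullets as code: a Fail2Ban-style sliding-window ban over sshd log lines, with the admin network exempt so an attacker cannot lock operators out, plus an audit of sshd_config for the two directives that decide whether the "worst case" is in effect. The log lines, hostnames and addresses are constructed for the example; the missing year (syslog timestamps carry none) is assumed to be 2011.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not real data). 203.0.113.9 and 198.51.100.7
# are documentation addresses; 10.1.2.3 stands for a host on the admin net.
SAMPLE_LOG = """\
Mar  7 10:00:01 compute-01 sshd[2111]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  7 10:00:03 compute-01 sshd[2113]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Mar  7 10:00:05 compute-01 sshd[2115]: Failed password for root from 203.0.113.9 port 51044 ssh2
Mar  7 10:00:06 compute-01 sshd[2116]: Accepted publickey for ops from 10.1.2.3 port 40001 ssh2
Mar  7 10:00:08 compute-01 sshd[2118]: Failed password for root from 203.0.113.9 port 51050 ssh2
Mar  7 10:00:09 compute-01 sshd[2119]: Failed password for root from 203.0.113.9 port 51052 ssh2
Mar  7 10:01:00 compute-01 sshd[2120]: Failed password for ops from 10.1.2.3 port 40002 ssh2
Mar  7 10:20:00 compute-01 sshd[2300]: Failed password for ubuntu from 198.51.100.7 port 60001 ssh2
Mar  7 10:45:00 compute-01 sshd[2310]: Failed password for ubuntu from 198.51.100.7 port 60002 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(text, year=2011):
    """syslog timestamps have no year; assume one (2011 for the sample)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=5, findtime=600, ignore_nets=("10.0.0.0/8",)):
    """Fail2Ban semantics: ban an IP once it reaches maxretry failures within
    findtime seconds. Returns {ip: datetime of ban}. Addresses inside
    ignore_nets (the admin network here) are never banned."""
    ignored = [ipaddress.ip_network(n) for n in ignore_nets]
    failures = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned or any(ipaddress.ip_address(ip) in n for n in ignored):
            continue
        window = [t for t in failures[ip] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        failures[ip] = window
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


# The slide's "worst case" beside the "keys only" configuration (constructed).
SSHD_CONFIG_WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
"""
SSHD_CONFIG_KEYS_ONLY = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def sshd_findings(config_text):
    """Return findings for an sshd_config; empty means no root password login
    and no password authentication. A missing directive is treated as
    permissive, the conservative choice for an audit."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            settings[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    findings = []
    if settings.get("permitrootlogin", "yes") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin permits password login as root")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is on; use keys only")
    return findings


if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
    print(sshd_findings(SSHD_CONFIG_WEAK), sshd_findings(SSHD_CONFIG_KEYS_ONLY))
```

Running this over SAMPLE_LOG bans 203.0.113.9 at its fifth failure (10:00:09) and leaves 198.51.100.7 alone, because its two failures are 25 minutes apart; the ban action itself (an iptables DROP, or a central blocklist for the "as a service" variant) is whatever you attach to the returned dictionary.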
Layer "V" (virtualization)
- Don't trust the hypervisor: measure it (TXT / TPM)
- Conversely, don't trust the VM (blue-pill exploits, etc.)
- Host-based FW within the VM (CloudPassage "Halo")
- Access control for VMs: the same approaches apply (Auth-as-a-Service)
"Proof" and Policy
- In God We Trust. All Others, Bring Data.
- Crypto is useless if keys are stored with the data
- Private networks are useless if doors aren't locked
- Certification only proves that you're doing what you said you were going to do. You can still be wrong.
- Forget "Trust, but verify". Just don't trust.
- Don't get confused!
Bonus: Forensics
- It's not an "If", it's a "When"
Bonus Section: Forensics
- Have a chaos-monkey of compromise
- Can you perform forensics and remediation without impacting other users of your cloud?
- Spanning ports and extra storage
- "Graveyard" for recently deleted images, instances
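As an added example (not from the original deck or from Nebula's code), one way to build the "graveyard" bullet so it is useful when the "When" arrives: a deleted image is moved into a quarantine directory instead of unlinked, a manifest with its SHA-256, owner and deletion time is written beside it so integrity can be proven later, and a reaper purges graves after a retention period unless their digest is under investigative hold. The one-week retention, the file layout and the tenant name are assumptions; the sample image is constructed data.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

RETENTION_SECONDS = 7 * 24 * 3600  # assumed policy: keep graves for a week


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def bury(image_path, graveyard, owner, reason, now=None):
    """Move a 'deleted' image into the graveyard instead of unlinking it and
    write a manifest beside it so a later investigation can prove integrity."""
    now = time.time() if now is None else now
    image_path, graveyard = Path(image_path), Path(graveyard)
    graveyard.mkdir(parents=True, exist_ok=True)
    digest = sha256_file(image_path)
    grave = graveyard / f"{int(now)}-{digest[:16]}-{image_path.name}"
    shutil.move(str(image_path), str(grave))
    os.chmod(grave, 0o440)  # evidence is read-only once buried
    manifest = {
        "original": str(image_path), "stored": str(grave), "sha256": digest,
        "owner": owner, "reason": reason, "deleted_at": now,
    }
    Path(str(grave) + ".json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(manifest):
    """Recompute the stored image's hash and compare it with the manifest."""
    return sha256_file(manifest["stored"]) == manifest["sha256"]


def reap(graveyard, now=None, retention=RETENTION_SECONDS, holds=frozenset()):
    """Purge graves older than retention unless their sha256 is under hold
    (an open investigation). Returns the digests that were purged."""
    now = time.time() if now is None else now
    purged = []
    for mpath in sorted(Path(graveyard).glob("*.json")):
        manifest = json.loads(mpath.read_text())
        if manifest["sha256"] in holds or now - manifest["deleted_at"] < retention:
            continue
        stored = Path(manifest["stored"])
        if stored.exists():
            stored.chmod(0o640)
            stored.unlink()
        mpath.unlink()
        purged.append(manifest["sha256"])
    return purged


def demo():
    """Walk one constructed image through bury -> verify -> tamper -> reap."""
    with tempfile.TemporaryDirectory() as tmp:
        yard = Path(tmp) / "graveyard"
        img = Path(tmp) / "tenant-42-disk.img"
        img.write_bytes(b"constructed sample image bytes " * 1024)
        t0 = 1_300_000_000
        m = bury(img, yard, owner="tenant-42", reason="user delete", now=t0)
        result = {"source_gone": not img.exists(), "verified": verify(m)}
        result["purged_early"] = reap(yard, now=t0 + 3600)
        result["held"] = reap(yard, now=t0 + RETENTION_SECONDS + 1, holds={m["sha256"]})
        grave = Path(m["stored"])
        grave.chmod(0o640)
        with grave.open("ab") as f:     # simulate someone editing the evidence
            f.write(b"x")
        result["tamper_detected"] = not verify(m)
        result["purged_late"] = reap(yard, now=t0 + RETENTION_SECONDS + 1)
        result["grave_gone"] = not grave.exists()
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is what lets you answer the slide's question about other tenants: an investigator works from the read-only grave and its recorded hash, so the live image store and the other users' instances are never touched during the investigation.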
What's in the CloudPipe?
- "We can only see a short distance ahead, but we can see plenty there that needs to be done." (Alan Turing)
The Machine, aka "Sneaky Monkey"
- Continuous integration of penetration and vulnerability testing
Credits
- Matt Linton, Nebula CSO
- Jesse Andrews, AnsoLabs Founder
- Soo Choi, 7120.7 Nazi
- Matt Chew-Spence, FIPS 199 Guru
- Keith Shackleford and James Williams
- Chris Kemp
- Bobby Cates, Dave Swagger, E. Lopez, Grace De Leon, Guy with Gun #1, Guy with Gun #2…