OpenStack Security: EMEA Launch


Published in: Technology
  • I have 30 minutes for a 2 hour talk, so I’ll cover this at a high level, and I’ll make myself available for more detailed questions afterwards.
  • It’s not an “if” – it’s a “when”
  • 80% of all security attacks come from current or former employees or contractors. Assume every host in your network is or will be compromised, and plan accordingly.
  • (splunk, syslog-ng)
  • Transcript

    • 1. OpenStack Security
      A Primer
    • 2. Me: Joshua McKenty
      Twitter: @jmckenty
      Former Chief Architect, NASA Nebula
      Founding Member, OpenStack
      OpenStack Project Policy Board
    • 3. “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
    • 4.
    • 5. The Three Pillars of Security
    • 6. “Bonus” Security Pillar
    • 7. Real Security
      Assume everything goes wrong, even impossible things.
    • 8. FIPS 199 Definition:
      Defining Security
    • 9. Defining Vulnerability
    • 10. Build on “Shared Nothing” to achieve “Trust No One”
      Also known as “Defense in Depth”
      “Fat Fingers” == Plausible Deniability
      Automated == non-repudiable change control
      Build to the OSI 7-layer model
    • 11. Layer 1
    • 12. Lock your doors
      Do your background checks
      Use separate physical networks for admin
      Network model and management
      Use RFC 1918 address space when appropriate
      Use VLANs if necessary
      Firewall every machine (ebtables, iptables)
      Border firewalls (port and protocol level)
      Layer 1, 2 and 3
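As an added example (not from the deck), this script turns two of the slide's bullets into something checkable: every machine carries a default-deny host firewall, and admin access is reachable only from a separate admin network that must live in RFC 1918 space. The admin network 10.0.0.0/24 is a placeholder, not a value from the talk.

```shell
#!/bin/sh
# Added example, not from the talk: a default-deny host firewall for one node,
# with admin access (SSH) permitted only from a separate, private admin network.
# The admin network 10.0.0.0/24 below is a placeholder, not a value from the deck.

# is_rfc1918 ADDR -> succeed if ADDR is in 10/8, 172.16/12 or 192.168/16.
# A glob match is enough: the only block that is not octet-aligned, 172.16/12,
# is spelled out as the second-octet range 16..31.
is_rfc1918() {
    case "$1" in
        10.*.*.*)                                     return 0 ;;
        172.1[6-9].*.*|172.2[0-9].*.*|172.3[01].*.*)  return 0 ;;
        192.168.*.*)                                  return 0 ;;
        *)                                            return 1 ;;
    esac
}

# host_rules ADMIN_NET -> print an iptables-restore ruleset on stdout.
# Refuses to emit rules if the admin network is not private address space,
# which usually means an admin port is about to be exposed to the world.
host_rules() {
    admin_net=$1
    if ! is_rfc1918 "${admin_net%/*}"; then
        echo "refusing: admin network $admin_net is not RFC 1918 space" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 22 -s $admin_net -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "HOSTFW-DROP: " --log-level 4
COMMIT
EOF
}

# Stand-alone run prints the ruleset. On a host you would apply it with:
#   host_rules 10.0.0.0/24 | iptables-restore
host_rules 10.0.0.0/24
```

The LOG rule before the implicit DROP policy is what feeds the "log early, log often" slide later in the deck: a dropped packet on the admin port from outside the admin network is exactly the event you want to see on the log server.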
    • 13. Never assume it’s bilateral
    • 14. Control system access
      Best case: no host-based shell access AT ALL.
      Second-best: federated AUTH with 2-factor, keys only
      Worst case: Host-level root login with passwords
      Run IDS – on hosts and guests
      Scan Continuously – hosts and guests, on all networks
      Proactively defend – Fail2Ban, etc. (F2B-a-a-S)
      Layer 4, 5, 6 and 7
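An added example (not from the deck) that audits an sshd_config against the slide's ranking: keys only with no root login is the acceptable case, root login with passwords is the worst case. The two sample configuration files are constructed for the example; the parsing rule it relies on is real: sshd applies the first occurrence of a directive, so a hardening line appended below an earlier permissive one changes nothing.

```shell
#!/bin/sh
# Added example, not from the talk: audit an sshd_config against the slide's
# ranking. Two constructed sample files stand in for real hosts.

# sshd_get FILE DIRECTIVE -> print the effective value of DIRECTIVE.
# sshd honours the FIRST match for a keyword (keywords are case-insensitive), so
# a hardening line appended below an earlier "PasswordAuthentication yes" is
# dead; mirroring that rule is what makes the audit honest. Match blocks are
# not modelled here.
sshd_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1"
}

# classify_sshd FILE -> print keys-only | password-root | mixed.
# Succeeds only for keys-only. Absent directives are treated as the insecure
# historical defaults (PermitRootLogin yes, PasswordAuthentication yes), so the
# audit fails closed on an unconfigured host.
classify_sshd() {
    pw=$(sshd_get "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    root=$(sshd_get "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    pk=$(sshd_get "$1" PubkeyAuthentication | tr 'A-Z' 'a-z')
    : "${pw:=yes}" "${root:=yes}" "${pk:=yes}"
    if [ "$pw" = yes ] && [ "$root" = yes ]; then
        echo password-root; return 1
    fi
    case "$root" in
        no|prohibit-password|without-password) root_ok=1 ;;
        *)                                     root_ok=0 ;;
    esac
    if [ "$pw" = no ] && [ "$pk" = yes ] && [ "$root_ok" = 1 ]; then
        echo keys-only; return 0
    fi
    echo mixed; return 1
}

# Constructed samples (not from any real host).
KEYS_ONLY_CFG=$(mktemp)
cat >"$KEYS_ONLY_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

PASSWORD_ROOT_CFG=$(mktemp)
cat >"$PASSWORD_ROOT_CFG" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# this later line never takes effect: sshd already took the first value
PasswordAuthentication no
EOF

for f in "$KEYS_ONLY_CFG" "$PASSWORD_ROOT_CFG"; do
    printf '%s: ' "$f"; classify_sshd "$f" || true
done
```

Run it against /etc/ssh/sshd_config on each host (or, better, on the configuration you ship from automation, before it reaches a host) and fail the build on anything other than keys-only.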
    • 15. Don't trust the hypervisor (TXT / TPM)
      Conversely, don't trust the VM (blue-pill exploits, etc.)
      Host-based FW within the VM (CloudPassage "Halo")
      Access-control for VMs – same approaches apply (Auth-as-a-Service)
      Layer ‘V’
    • 16. “Proof” and Policy
      In God We Trust – All Others, Bring Data.
    • 17.
    • 18. Classic best practices – redundant, off-site log servers
      Log aggregation and analysis / event detection
      Log early, log often
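The "proactively defend (Fail2Ban)" bullet on the system-access slide and the "log aggregation and analysis / event detection" bullet here are the same mechanism seen from two ends. As an added example (not from the deck), this is a Fail2Ban-style detection run over sshd log lines; the log lines, hostnames and addresses are constructed for the example, and the 10.0.0.0/24 admin network it refuses to ban is a placeholder.

```shell
#!/bin/sh
# Added example, not from the talk: Fail2Ban-style detection run over sshd log
# lines. This kind of rule belongs on the aggregated, off-site copy of the logs,
# not only on the host that may already be compromised. The log lines below are
# constructed; hostnames and addresses are placeholders.

LOG=$(mktemp)
cat >"$LOG" <<'EOF'
Nov  3 10:01:01 compute-01 sshd[2211]: Invalid user admin from 203.0.113.7 port 52010
Nov  3 10:01:02 compute-01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 52010 ssh2
Nov  3 10:01:04 compute-01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 52010 ssh2
Nov  3 10:01:06 compute-01 sshd[2213]: Failed password for root from 203.0.113.7 port 52011 ssh2
Nov  3 10:01:09 compute-01 sshd[2215]: Failed password for root from 203.0.113.7 port 52012 ssh2
Nov  3 10:02:40 compute-01 sshd[2301]: Failed password for ops from 198.51.100.23 port 40112 ssh2
Nov  3 10:02:45 compute-01 sshd[2301]: Failed password for ops from 198.51.100.23 port 40112 ssh2
Nov  3 10:03:10 compute-01 sshd[2350]: Failed password for ops from 10.0.0.5 port 33020 ssh2
Nov  3 10:03:12 compute-01 sshd[2350]: Failed password for ops from 10.0.0.5 port 33020 ssh2
Nov  3 10:03:14 compute-01 sshd[2350]: Failed password for ops from 10.0.0.5 port 33020 ssh2
Nov  3 10:03:30 compute-01 sshd[2360]: Accepted publickey for ops from 10.0.0.5 port 33021 ssh2: RSA SHA256:constructed
EOF

# ban_candidates FILE THRESHOLD [IGNORE_PREFIX]
# Print "IP count" for every source with >= THRESHOLD failed passwords, most
# failures first. Sources whose address starts with IGNORE_PREFIX (the admin
# network; the equivalent of fail2ban's ignoreip) are never listed, so an
# automated ban cannot lock the operators out.
ban_candidates() {
    awk -v t="$2" -v skip="${3:-}" '
        / sshd\[[0-9]+\]: Failed password for / {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (skip != "" && index(ip, skip) == 1) next
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# ban_rule IP -> the iptables command a ban action would run (printed, not executed)
ban_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Stand-alone run: three failures from one source earn a ban, except from 10.0.0.0/24.
ban_candidates "$LOG" 3 10.0.0. | while read -r ip count; do
    echo "# $ip: $count failures"
    ban_rule "$ip"
done
```

Note what the ignore prefix does to the sample: 10.0.0.5 also crossed the threshold, but it is on the admin network, so it is reported nowhere and never banned; that is a deliberate choice, and it is why the operators' own failures still need to show up in the aggregated logs even though they are exempt from the automated response.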
    • 19. Make and verify your assertions
      (Coming soon…)
    • 20. Did you remember to delete his account?
    • 21. Security Theatre
      “Given enough hand-waving, all systems are secure.”
    • 22.
    • 23. Crypto is useless – if keys are stored with the data
      Private networks are useless – if doors aren’t locked
      Certification only proves that you’re doing, what you said you were going to do. You can still be wrong.
      Forget “Trust, but verify”. Just don’t trust.
      Don’t get confused!
    • 24. Bonus: Forensics
      It’s not an “If” – it’s a “When”
    • 25. Have a chaos-monkey of compromise
      Can you perform forensics and remediation, without impacting other users of your cloud?
      Spanning ports and extra storage
      “Graveyard” for recently deleted images, instances
      Bonus Section: Forensics
    • 26. What’s in the CloudPipe?
      “We can only see a short distance ahead, but we can see plenty there that needs to be done.” – Alan Turing
    • 27. The Machine
      Aka “Sneaky Monkey”
      Continuous Integration of penetration and vulnerability testing.
    • 28. We’re doing “stuff”
      No… really.
    • 29. Outfoxing the fox
      Intel is working with many companies within OpenStack, including Piston.
      Trusted Execution
    • 30. Questions?
    • 31. Matt Linton – Nebula CSO
      Jesse Andrews – AnsoLabs Founder
      Soo Choi – 7120.7 Nazi
      Matt Chew-Spence – FIPS 199 Guru
      Keith Shackleford and James Williams
      Chris Kemp
      Bobby Cates, Dave Swagger, E. Lopez, Grace De Leon, Guy with Gun #1, Guy with Gun #2…