"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." – Bruce Schneier
EVERYTHING OLD IS NEW AGAIN: Risk, Compliance, and Complexity

Me: Joshua McKenty
Twitter: @jmckenty
Email: email@example.com
Former Chief Architect, NASA Nebula
Founding Member, OpenStack
OpenStack Project Policy Board
CEO, Piston Cloud Computing, Inc.
Step 1: Define Cloud
"Self-service provisioning of multi-tenant IT infrastructure and applications via HTTP."

Step 2: Consider Your Cloud Options
- Public Cloud
- Community Cloud
- Hosted Private Cloud
- On-premise Private Cloud
Step 3: Examine the Risks
- Increased Insider Threat
- Complexity Risk
- Compliance Challenges
- Liability and Forensics

"...security and compliance costs continue to grow at a rate three times faster than that of IT budgets." – IBM
Five-Actor Model
- Vendor
- End-User
- Operator
- DevOps
- Auditor
Off-Premise IT: A Matrix of Insiders

Who can reach which layer once your IT is off-premise (X = has access, ? = may have access; the column placement of the marks is inferred from the slide's flattened layout):

Role                    | Physical Access | Host Access | Guest Access | Application Access
Your Employees          |                 |             |      X       |         X
Your Contractors        |                 |             |      X       |         X
Managed Services        |                 |             |      ?       |         X
Cloud Service Providers |        X        |      X      |      X       |
External Auditor        |                 |      X      |      X       |         X
Other Cloud Users       |        ?        |      ?      |              |
DC Operators            |        X        |      ?      |              |

The point of the matrix: every row below "Your Contractors" is someone you do not employ, yet several of them sit at a layer beneath your guest, where your own controls cannot see them.
Complexity Risk

"If we don't understand the cross-cutting effects and inherent contradictions in all of the stringent standards now being written into final form, we risk doing real damage to the sound, stable and — yes — profitable financial industry regulators say they support and the economies sorely need." – Karen Petrou, Federal Financial Analytics

"Complexity is holding our industry back right now. A lot of what is bought and paid for doesn't get implemented because of complexity. Maybe this is the industry's biggest challenge." – Ray Lane, Kleiner Perkins Caufield & Byers
YOUR VENDOR IS THE ENEMY

Trivial Solution: Add a root kit
Every agent that runs with privilege inside (or beneath) your guest and reports to someone else is functionally a rootkit, whatever the vendor calls it:
- Guest Agent == Root Kit
- SaaS Logging == Root Kit
- Cloud Orchestration Agent == Root Kit
- Monitoring Agent == Root Kit

Real Solution: Attack Complexity
- Cloud can be evolutionary (not revolutionary)
- Fight sprawl with strong standards
- Use automation and standards to reduce the number of privileged users and applications
- Limit choice – one hypervisor, two base O/S, three application stacks
Logging in Depth
- Network
- Host Operating System
- Guest Operating System
- User and application events
- Cloud Orchestration
- Application Layer
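Logging at every layer only pays off when the layers are correlated: an operator who opens a guest console directly on the host leaves a trace in the host OS log but none in the cloud orchestration audit log, and that gap is only visible when both are read together. The script below is an added example, not code from the talk, from Piston or from OpenStack; the log formats, host names, operator names and instance IDs are constructed for the demo, and the 30-second matching window is an assumption.

```python
"""Cross-layer log correlation: find privileged guest console access that
bypassed the cloud orchestration layer.

Added example for this deck (not code from the talk, Piston or OpenStack).
Log formats, host names, operators and instance IDs below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed host-OS sudo log: every `virsh console` is a privileged guest access.
HOST_OS_LOG = """\
2012-03-01T10:00:05Z host-07 sudo: ops1 : TTY=pts/0 ; COMMAND=/usr/bin/virsh console instance-0001
2012-03-01T10:22:41Z host-07 sudo: ops2 : TTY=pts/1 ; COMMAND=/usr/bin/virsh console instance-0002
2012-03-01T11:05:10Z host-09 sudo: ops1 : TTY=pts/0 ; COMMAND=/usr/bin/virsh console instance-0003
"""

# Constructed orchestration audit log: console requests that went through the API.
ORCHESTRATION_LOG = """\
2012-03-01T10:00:02Z nova-api user=alice tenant=acme action=get_console instance=instance-0001
2012-03-01T11:05:08Z nova-api user=bob tenant=globex action=get_console instance=instance-0003
"""

HOST_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")
ORCH_RE = re.compile(
    r"^(?P<ts>\S+) nova-api user=(?P<user>\S+) tenant=(?P<tenant>\S+) "
    r"action=(?P<action>\S+) instance=(?P<instance>\S+)$")
CONSOLE_RE = re.compile(r"virsh console (?P<instance>instance-\d+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def host_console_events(text):
    """Return (ts, host, operator, instance) for each host-layer console access."""
    events = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        c = CONSOLE_RE.search(m.group("cmd"))
        if c:
            events.append((parse_ts(m.group("ts")), m.group("host"),
                           m.group("user"), c.group("instance")))
    return events


def orchestration_events(text):
    """Map instance -> [(ts, user, action)] from the orchestration audit log."""
    by_instance = defaultdict(list)
    for line in text.splitlines():
        m = ORCH_RE.match(line)
        if m:
            by_instance[m.group("instance")].append(
                (parse_ts(m.group("ts")), m.group("user"), m.group("action")))
    return by_instance


def out_of_band_access(host_log, orch_log, window=timedelta(seconds=30)):
    """Return host-layer console sessions with no matching orchestration
    request for the same instance within `window` before the session.
    These are operator actions that the tenant-visible layers never saw.
    """
    orch = orchestration_events(orch_log)
    findings = []
    for ts, host, operator, instance in host_console_events(host_log):
        matched = any(
            action == "get_console" and timedelta(0) <= ts - ots <= window
            for ots, _user, action in orch.get(instance, []))
        if not matched:
            findings.append({"ts": ts.isoformat(), "host": host,
                             "operator": operator, "instance": instance})
    return findings


if __name__ == "__main__":
    for f in out_of_band_access(HOST_OS_LOG, ORCHESTRATION_LOG):
        print("OUT-OF-BAND CONSOLE ACCESS:", f)
```

On the constructed data the script reports exactly one finding: `ops2` on `host-07` opened a console to `instance-0002` with no orchestration request behind it. The same join works for any host-layer privileged action (live migration, volume attach, image export) as long as the orchestration layer logs the corresponding API call with the instance ID.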
Audit in Depth, with Standards

Audit at all layers:
- Host Environment
- Cloud Management
- Guest Environment
- Orchestration

Trust no one – even in Test and Dev:
- Data-at-rest encryption
- Data integrity validation
- Hardened base O/S images
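A hardened base image is only worth auditing against if you can prove it has not drifted, and the proof must not depend on anything an insider with guest or host access could rewrite. The script below is an added example, not code from the talk, from Piston or from OpenStack: it builds a per-file SHA-256 manifest of an image tree, authenticates the manifest with an HMAC whose key is assumed to live outside the image (in the audit system), then detects modified, added and removed files, and rejects a manifest that was re-signed with the wrong key. The manifest format, the key and the sample image tree are constructed for the demo.

```python
"""Integrity validation for a hardened base image: keyed manifest of file
hashes at build time, re-verified before and after deployment.

Added example for this deck (not from the talk, Piston or OpenStack). The
manifest format, the HMAC key and the sample image tree are constructed.
"""
import hashlib
import hmac
import os
import tempfile

# Assumption: this key is held by the audit system, never inside the image,
# so a tampered guest cannot simply re-sign its own manifest.
MANIFEST_KEY = b"demo-audit-key-do-not-use"


def file_hashes(root):
    """Map relative path -> sha256 hex for every regular file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            hashes[os.path.relpath(path, root)] = h.hexdigest()
    return hashes


def build_manifest(root, key=MANIFEST_KEY):
    """Serialise the hashes and append an HMAC so the manifest is tamper-evident."""
    body = "".join(f"{h}  {p}\n" for p, h in sorted(file_hashes(root).items()))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + f"hmac-sha256 {tag}\n"


def verify_manifest(root, manifest, key=MANIFEST_KEY):
    """Return (manifest_authentic, drift) where drift lists modified, added
    and removed paths relative to what the manifest recorded."""
    lines = manifest.splitlines(keepends=True)
    body, tag_line = "".join(lines[:-1]), lines[-1].strip()
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    authentic = tag_line.startswith("hmac-sha256 ") and hmac.compare_digest(
        tag_line.split(" ", 1)[1], expected)
    recorded = {}
    for line in body.splitlines():
        h, p = line.split("  ", 1)
        recorded[p] = h
    current = file_hashes(root)
    drift = {
        "modified": sorted(p for p in recorded
                           if p in current and current[p] != recorded[p]),
        "added": sorted(set(current) - set(recorded)),
        "removed": sorted(set(recorded) - set(current)),
    }
    return authentic, drift


def demo():
    """Build a tiny constructed image tree, sign it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc", "ssh"))
        os.makedirs(os.path.join(root, "usr", "local", "bin"))
        with open(os.path.join(root, "etc", "ssh", "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(root, "etc", "hostname"), "w") as f:
            f.write("base-image\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        # Simulate an insider weakening the hardened config and dropping an agent.
        with open(os.path.join(root, "etc", "ssh", "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "usr", "local", "bin", "agent.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        tampered = verify_manifest(root, manifest)
        # A manifest re-signed with the wrong key shows no drift but fails
        # authentication, which is the whole reason the key lives elsewhere.
        forged = verify_manifest(root, build_manifest(root, key=b"attacker-key"))
        return clean, tampered, forged


if __name__ == "__main__":
    clean, tampered, forged = demo()
    print("clean image:", clean)
    print("tampered image:", tampered)
    print("forged manifest authentic?", forged[0])
```

Running the demo: the clean tree verifies with no drift; after tampering the same manifest still authenticates and reports `etc/ssh/sshd_config` as modified and `usr/local/bin/agent.sh` as added; the forged manifest reports no drift but fails authentication. In a real pipeline the build step would run `build_manifest` once per image release and the audit step would run `verify_manifest` against a copy of the manifest fetched from the audit system, not from the guest.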
The Stack of Concerns (top to bottom, with who owns each layer)

DevOps:
- Application
- Application Server
- Guest OS

Operator:
- Hypervisor
- Storage Infrastructure
- Host OS
- Physical Server
Key Takeaways
- Complexity is the enemy
- Adding rootkits is the wrong solution
- Use automation to limit access
- Simplify services using Pareto's Law
Piston Enterprise OS
- Secure Cloud Operating System
- Designed for Enterprise Private Clouds
- Built on OpenStack

Piston Cloud Computing, Inc.
- Former NASA Researchers
- Developed first FISMA-certified Cloud
- Founders of OpenStack
Opinionated Software
- One hypervisor
- No host OS access
- One reference architecture
Questions?

"We can only see a short distance ahead, but we can see plenty there that needs to be done." – Alan Turing