• Like
Wall-Street Technology Association (WSTA) Feb-2012
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Wall-Street Technology Association (WSTA) Feb-2012



Published in Technology , Business
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On SlideShare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide
  • I have 30 minutes for a 2 hour talk, so I’ll cover this at a high level, and I’ll make myself available for more detailed questions afterwards.


  • 1. ―If you think technology can solveyour security problems, then youdon’t understand the problems andyou don’t understand thetechnology.‖– Bruce Schneier
  • 2. EVERYTHING OLD IS NEW AGAIN:Risk, Compliance, and ComplexityMe: Joshua McKentyTwitter: @jmckentyEmail: joshua@pistoncloud.comFormer Chief Architect, NASA NebulaFounding Member, OpenStackOpenStack Project Policy BoardCEO, Piston Cloud Computing, Inc.
  • 3. Step 1: Define Cloud―Self-service provisioning of multi-tenant ITinfrastructure and applications via HTTP.‖Step 2: Consider Your Cloud Options Public Cloud Community Cloud Hosted Private Cloud On-premise Private cloud
  • 4. Step 3: Examine the risks Increased Insider Threat Complexity Risk Compliance Challenges Liability and Forensics ―…security and compliance costs continue to grow at a rate three times faster than that of IT budgets.‖ - IBM
  • 5. Five-Actor Model Vendor End-User Operator DevOps Auditor User
  • 6. Off Premise IT: A Matrix of Insiders Physical Host Access Guest Access Application Access AccessYour Employees X XYour Contractors X XManagedServices ? XProviderCloud Service X X XProvidersExternal Auditor X X XOther Cloud ? ?UsersDC Operators X ?
  • 7. Complexity Risk―If we don’t understand the cross-cutting effects andinherent contradictions in all of the stringent standardsnow being written into final form, we risk doing realdamage to the sound, stable and — yes — profitablefinancial industry regulators say they support and theeconomies sorely need.‖ - Karen Petrou, Federal Financial Analytics―Complexity is holding our industry back right now. A lotof what is bought and paid for doesnt get implementedbecause of complexity. Maybe this is the industrysbiggest challenge.‖ - Ray Lane, Kleiner Perkins Caufield & Byers
  • 8. YOUR VENDOR IS THE ENEMYTrivial Solution: Add a root kit Guest Agent == Root Kit SaaS Logging == Root Kit Cloud Orchestration Agent == Root Kit Monitoring Agent == Root KitReal Solution: Attack Complexity Cloud can be evolutionary (not revolutionary) Fight sprawl with strong standards Use automation and standards to reduce the number of privileged users and applications Limit choice – one hypervisor, two base O/S, three application stacks
  • 9. Logging in Depth Network Host Operating System Guest Operating System User and application events Cloud Orchestration Application Layer
  • 10. Audit in Depth, with Standards Audit at all layers Host Environment Cloud Management Guest Environment OrchestrationTrust no one – even in Test and Dev Data-at-rest encryption Data integrity validation Hardened base O/S images
  • 11. The Stack of Concerns Application DevOps Application Server Guest OS Hypervisor Operator Storage Infrastructure Host OS Physical Server
  • 12. Key Takeaways Complexity is the enemy Adding rootkits is the wrong solution Use automation to limit access Simplify services using Pareto’s Law
  • 13. Piston Enterprise OS Secure Cloud Operating System Designed for Enterprise Private Clouds Built on OpenStackPiston Cloud Computing, Inc. Former NASA Researchers Developed first FISMA-certified Cloud Founders of OpenStack
  • 14. Opinionated Software One hypervisor No host OS access One reference architecture
  • 15. Questions?―We can only see a short distance ahead,but we can see plenty there that needs tobe done.‖ – Alan Turing