WSTA Breakfast Seminar
  • I have 30 minutes for a 2-hour talk, so I’ll cover this at a high level, and I’ll make myself available for more detailed questions afterwards.
  • Transcript

    • 1. "If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology." – Bruce Schneier
    • 2. EVERYTHING OLD IS NEW AGAIN: Risk, Compliance, and Complexity. Me: Joshua McKenty. Twitter: @jmckenty. Email: joshua@pistoncloud.com. Former Chief Architect, NASA Nebula; Founding Member, OpenStack; OpenStack Project Policy Board; CEO, Piston Cloud Computing, Inc.
    • 3. Step 1: Define Cloud. "Self-service provisioning of multi-tenant IT infrastructure and applications via HTTP." Step 2: Consider Your Cloud Options: Public Cloud; Community Cloud; Hosted Private Cloud; On-premise Private Cloud.
    • 4. Step 3: Examine the Risks: Increased Insider Threat; Complexity Risk; Compliance Challenges; Liability and Forensics. "…security and compliance costs continue to grow at a rate three times faster than that of IT budgets." – IBM
    • 5. Five-Actor Model: Vendor, End-User, Operator, DevOps, Auditor, User.
    • 6. Off Premise IT: A Matrix of Insiders. Access types: Physical Access, Host Access, Guest Access, Application Access. Rows (marks as shown on the slide): Your Employees: X X; Your Contractors: X X; Managed Services: ? X; Cloud Service Providers: X X X; External Auditor: X X X; Other Cloud Users: ? ?; DC Operators: X ?
    • 7. Complexity Risk. "If we don’t understand the cross-cutting effects and inherent contradictions in all of the stringent standards now being written into final form, we risk doing real damage to the sound, stable and — yes — profitable financial industry regulators say they support and the economies sorely need." – Karen Petrou, Federal Financial Analytics. "Complexity is holding our industry back right now. A lot of what is bought and paid for doesn’t get implemented because of complexity. Maybe this is the industry’s biggest challenge." – Ray Lane, Kleiner Perkins Caufield & Byers
    • 8. YOUR VENDOR IS THE ENEMY. Trivial Solution: Add a rootkit. Guest Agent == Rootkit; SaaS Logging == Rootkit; Cloud Orchestration Agent == Rootkit; Monitoring Agent == Rootkit. Real Solution: Attack Complexity. Cloud can be evolutionary (not revolutionary); Fight sprawl with strong standards; Use automation and standards to reduce the number of privileged users and applications; Limit choice – one hypervisor, two base O/S, three application stacks.
    • 9. Logging in Depth: Network; Host Operating System; Guest Operating System; User and application events; Cloud Orchestration; Application Layer.
    • 10. Audit in Depth, with Standards. Audit at all layers: Host Environment; Cloud Management; Guest Environment; Orchestration. Trust no one – even in Test and Dev: Data-at-rest encryption; Data integrity validation; Hardened base O/S images.
    • 11. The Stack of Concerns, top to bottom: Application; Application Server; Guest OS; Hypervisor; Storage Infrastructure; Host OS; Physical Server. DevOps and Operator are the two responsibility groupings shown alongside the stack.
    • 12. Key Takeaways: Complexity is the enemy; Adding rootkits is the wrong solution; Use automation to limit access; Simplify services using Pareto’s Law.
    • 13. Piston Enterprise OS: Secure Cloud Operating System; Designed for Enterprise Private Clouds; Built on OpenStack. Piston Cloud Computing, Inc.: Former NASA Researchers; Developed first FISMA-certified Cloud; Founders of OpenStack.
    • 14. Opinionated Software: One hypervisor; No host OS access; One reference architecture.
    • 15. Questions? "We can only see a short distance ahead, but we can see plenty there that needs to be done." – Alan Turing