Nebula Webinar | Private Cloud Security: Practical Solutions for a Challenging Problem
© 2015 Nebula, Inc. All rights reserved.
(cloud) Computing for the Enterprise
Private Cloud Security
Practical Solutions for a Challenging Problem
Bryan D. Payne
March 18, 2015

"Why Security Matters In A Private Cloud"

Public / Private

[Diagram: a private network connected to the Internet, shown alongside the enterprise services Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI]

[Diagrams: the same enterprise services (Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI) repeated on two slides, the second with three numbered callouts: 1, 2, 3]

Threat actors (chart axes: Likelihood of Attack; Sophistication & Likelihood of Exploitation):
  Intelligence Services
  Serious Organized Crime
  Highly Capable Groups
  Motivated Individuals
  Script Kiddies
Source: OpenStack Security Guide

[Diagram: attack progression in four stages: Initial Access -> Touch Cloud -> Exploit Cloud -> Exploit Enterprise. Nodes shown: Spear Phishing; Compromise User System; Compromise Instance; VM Breakout; API Vuln; Dashboard Vuln; Access Cloud As Admin; Access Cloud As Outsider; Access Cloud As User; View Other Instances; Abuse Cloud Resources; View Data In Cloud; Modify LDAP; View External Data; Follow VLANs into Corp Net]

Known hardware and software + Orchestration = Security Opportunity

[Diagram: reference architecture with API Endpoints, Web Dashboard, Management and Control Plane Services, Compute Nodes hosting Instances, and Storage Nodes; actors: Cloud Users / Administrators, Cloud Operators; networks: Guest, Management, Data, External]

OpenStack Projects: "The Glue"

Cloud Attack Vectors    Mitigation Strategies
API Endpoints           Service hardening, mandatory access controls, code audits
Web Dashboard           CSP, expected domains, HTTPS, HSTS, allowed referrers
Information Leakage     SSL/TLS, disable memory dedup, randomize resource assignment
VM Breakout             Service hardening, mandatory access controls, code audits
Hardware Sharing        Avoid bare metal instances, avoid device pass-through
Default Images          Secure and maintain default images
Secondary Attacks       Least privilege, mandatory access controls, SSL/TLS, strong auth
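The Web Dashboard row above (CSP, expected domains, HTTPS, HSTS, allowed referrers), as an added Python example that is not part of the deck: a request check that enforces HTTPS, an expected-domain allow-list for the Host header and an allowed-referrer check for state-changing requests, plus a helper that sets CSP and HSTS on responses. The domain names and header values are constructed assumptions.

```python
"""Dashboard hardening checks for the mitigations listed in the table:
CSP, expected domains, HTTPS-only, HSTS, allowed referrers.

Added example, not Nebula's or Horizon's code; hostnames and header
values below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed deployment settings: hostnames the dashboard is expected to be
# reached under, and origins allowed to originate state-changing requests.
EXPECTED_DOMAINS = {"dashboard.cloud.example", "dashboard.cloud.example:443"}
ALLOWED_REFERRERS = {"dashboard.cloud.example", "sso.corp.example"}

SECURITY_HEADERS = {
    # Restrict where scripts, objects and framing may come from.
    "Content-Security-Policy": (
        "default-src 'self'; frame-ancestors 'none'; "
        "object-src 'none'; base-uri 'self'"
    ),
    # Pin browsers to HTTPS for one year, including subdomains.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def host_allowed(host_header):
    """Accept only requests whose Host header is one of the expected domains."""
    if not host_header:
        return False
    return host_header.lower() in EXPECTED_DOMAINS


def referer_allowed(method, referer):
    """State-changing requests must carry an HTTPS Referer from an allowed
    origin; read-only methods (GET/HEAD) have no referrer requirement."""
    if method not in STATE_CHANGING:
        return True
    if not referer:
        return False
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname in ALLOWED_REFERRERS


def check_request(method, scheme, host, referer=None):
    """Return (allowed, reason) for an incoming request."""
    if scheme != "https":
        return False, "plaintext HTTP not accepted"
    if not host_allowed(host):
        return False, "unexpected Host header"
    if not referer_allowed(method, referer):
        return False, "referrer not allowed for state-changing request"
    return True, "ok"


def apply_security_headers(headers):
    """Add CSP and HSTS to a response header dict without overwriting any
    header the application already set."""
    out = dict(headers)
    for name, value in SECURITY_HEADERS.items():
        out.setdefault(name, value)
    return out
```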

Threat: Information Leakage
•  TLS for network services
–  API endpoints
–  Web dashboard
–  Log feeds
–  AD / LDAP
–  External Storage
•  Cross-VM attacks (timing, cache effects, etc.)

Threat: VM Breakout
•  Mandatory access controls
–  SELinux + KVM (sVirt)
•  Build hardening
–  Remove unused device models from QEMU
–  Compiler hardening flags
•  General Node Hardening
–  De-privilege node, with respect to cloud
–  Boot + Runtime attestation, SELinux, etc.

Threat: Control Plane Compromise
•  Layers of Security
–  Firewall (bi-directional on control plane)
–  Limit propagation of sensitive data
–  Unique secrets everywhere
–  Audit network service interface bindings
–  TLS, SELinux, boot + runtime attestation
•  Primary Focus: Limit damage from a bad actor on the control plane
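The "Audit network service interface bindings" item above, as an added Python example that is not the deck's or Nebula's code: it parses `ss -Hlntp`-style listener lines from a control-plane node and flags services bound to all interfaces or to a non-management network, the kind of binding that widens the blast radius of a bad actor on the control plane. The CIDRs, process names and sample lines are constructed.

```python
"""Audit of network service interface bindings on a control-plane node.

Added example, not Nebula's code. Input is constructed `ss -Hlntp` output;
the network ranges are placeholders for a real deployment's network plan.
"""
import ipaddress
import re

# Constructed network plan following the deck's Management / Data / External
# split (the guest network is not present on control-plane nodes here).
NETWORKS = {
    "management": ipaddress.ip_network("192.0.2.0/24"),
    "data": ipaddress.ip_network("198.51.100.0/24"),
    "external": ipaddress.ip_network("203.0.113.0/24"),
}

# Local addresses that mean "every interface".
WILDCARDS = {"0.0.0.0", "*", "::"}
PROC_RE = re.compile(r'\(\("([^"]+)"')

# Constructed sample of `ss -Hlntp` on a control-plane node.
SAMPLE_SS = """\
LISTEN 0 128 192.0.2.10:5000 0.0.0.0:* users:(("keystone",pid=1201,fd=6))
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1302,fd=21))
LISTEN 0 128 [::]:5672 [::]:* users:(("beam.smp",pid=1410,fd=30))
LISTEN 0 128 127.0.0.1:11211 0.0.0.0:* users:(("memcached",pid=1500,fd=12))
LISTEN 0 128 203.0.113.10:8774 0.0.0.0:* users:(("nova-api",pid=1600,fd=9))
"""


def split_addr_port(local):
    """'192.0.2.10:5000' -> ('192.0.2.10', 5000); '[::]:5672' -> ('::', 5672)."""
    host, port = local.rsplit(":", 1)
    return host.strip("[]"), int(port)


def classify(host):
    """Name the network a bound address belongs to, or 'wildcard'/'loopback'."""
    if host in WILDCARDS:
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    for name, net in NETWORKS.items():
        if ip in net:
            return name
    return "unknown"


def audit_bindings(ss_output):
    """Return findings (process, local address, port, reason) for every
    listener not confined to loopback or the management network."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_addr_port(fields[3])
        match = PROC_RE.search(line)
        proc = match.group(1) if match else "?"
        where = classify(host)
        if where == "wildcard":
            findings.append((proc, host, port, "listens on all interfaces"))
        elif where not in ("loopback", "management"):
            findings.append((proc, host, port, f"bound on {where} network"))
    return findings


if __name__ == "__main__":
    for proc, host, port, reason in audit_bindings(SAMPLE_SS):
        print(f"{proc:12} {host}:{port:<6} {reason}")
```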

Threat: Vulnerabilities Upstream
•  Targeted security audits
–  Work closely with OpenStack and Linux communities
•  Aggressive security update policies
–  Cloud-specific triage process
–  Be prepared to test and roll out quickly

Threat: Poor Entropy for Instances
•  Mix entropy from multiple sources
–  Hardware generated from multiple vendors
•  Distribute securely / fairly
–  Entropy stream distributed throughout cloud
–  Available to all instances, using RNG Tools

[Diagram: the enterprise services again: Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI]

Email: bryan.payne@nebula.com
Twitter: @bdpsecurity

More Related Content

What's hot

Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework
 
Pxosys Webinar Amplify your Security
Pxosys Webinar Amplify your SecurityPxosys Webinar Amplify your Security
Pxosys Webinar Amplify your Security🏆Ruben Cocheno💭
 
Security at the Speed of the Network
Security at the Speed of the NetworkSecurity at the Speed of the Network
Security at the Speed of the NetworkHantzley Tauckoor
 
Collaboration d’équipe de nouvelle génération (Partie 1 de 2)
Collaboration d’équipe de nouvelle génération (Partie 1 de 2)Collaboration d’équipe de nouvelle génération (Partie 1 de 2)
Collaboration d’équipe de nouvelle génération (Partie 1 de 2)Cisco Canada
 
Migration to cisco next generation firewall
Migration to cisco next generation firewallMigration to cisco next generation firewall
Migration to cisco next generation firewallIT Tech
 
Hillstone-Corporate-Overview-EN-V3.0
Hillstone-Corporate-Overview-EN-V3.0Hillstone-Corporate-Overview-EN-V3.0
Hillstone-Corporate-Overview-EN-V3.0Shamal Abeyrathne
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherLancope, Inc.
 
How to Quickly Implement a Secure Cloud for Government and Military | Webinar
How to Quickly Implement a Secure Cloud for Government and Military | WebinarHow to Quickly Implement a Secure Cloud for Government and Military | Webinar
How to Quickly Implement a Secure Cloud for Government and Military | WebinarPLUMgrid
 
Networking deep dive
Networking deep diveNetworking deep dive
Networking deep diveJeroen Niesen
 
Inherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsInherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsOPNFV
 
NSO: Network Service Orchestrator enabled by Tail-f Hands-on Lab
NSO: Network Service Orchestrator enabled by Tail-f Hands-on LabNSO: Network Service Orchestrator enabled by Tail-f Hands-on Lab
NSO: Network Service Orchestrator enabled by Tail-f Hands-on LabCisco Canada
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtubeDhruv Sharma
 
Security hardening of core AWS services
Security hardening of core AWS servicesSecurity hardening of core AWS services
Security hardening of core AWS servicesRuncy Oommen
 
'Moon' Security Management System for OPNFV
'Moon' Security Management System for OPNFV'Moon' Security Management System for OPNFV
'Moon' Security Management System for OPNFVOPNFV
 
Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallCisco Canada
 
Lacework for AWS Security Overview
Lacework for AWS Security OverviewLacework for AWS Security Overview
Lacework for AWS Security OverviewLacework
 
CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practiceswalk2talk srl
 
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula  - Automated Defense Using Cloud Service Aws, Azure, Gcp(SACON) Madhu Akula  - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, GcpPriyanka Aash
 
Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your CloudTeri Radichel
 

What's hot (20)

Lacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud ScaleLacework Overview: Security Redefined for Cloud Scale
Lacework Overview: Security Redefined for Cloud Scale
 
Pxosys Webinar Amplify your Security
Pxosys Webinar Amplify your SecurityPxosys Webinar Amplify your Security
Pxosys Webinar Amplify your Security
 
Security at the Speed of the Network
Security at the Speed of the NetworkSecurity at the Speed of the Network
Security at the Speed of the Network
 
Collaboration d’équipe de nouvelle génération (Partie 1 de 2)
Collaboration d’équipe de nouvelle génération (Partie 1 de 2)Collaboration d’équipe de nouvelle génération (Partie 1 de 2)
Collaboration d’équipe de nouvelle génération (Partie 1 de 2)
 
Migration to cisco next generation firewall
Migration to cisco next generation firewallMigration to cisco next generation firewall
Migration to cisco next generation firewall
 
Hillstone-Corporate-Overview-EN-V3.0
Hillstone-Corporate-Overview-EN-V3.0Hillstone-Corporate-Overview-EN-V3.0
Hillstone-Corporate-Overview-EN-V3.0
 
Cisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better TogetherCisco, Sourcefire and Lancope - Better Together
Cisco, Sourcefire and Lancope - Better Together
 
How to Quickly Implement a Secure Cloud for Government and Military | Webinar
How to Quickly Implement a Secure Cloud for Government and Military | WebinarHow to Quickly Implement a Secure Cloud for Government and Military | Webinar
How to Quickly Implement a Secure Cloud for Government and Military | Webinar
 
Azure for Auditors
Azure for AuditorsAzure for Auditors
Azure for Auditors
 
Networking deep dive
Networking deep diveNetworking deep dive
Networking deep dive
 
Inherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV DeploymentsInherent Security Design Patterns for SDN/NFV Deployments
Inherent Security Design Patterns for SDN/NFV Deployments
 
NSO: Network Service Orchestrator enabled by Tail-f Hands-on Lab
NSO: Network Service Orchestrator enabled by Tail-f Hands-on LabNSO: Network Service Orchestrator enabled by Tail-f Hands-on Lab
NSO: Network Service Orchestrator enabled by Tail-f Hands-on Lab
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtube
 
Security hardening of core AWS services
Security hardening of core AWS servicesSecurity hardening of core AWS services
Security hardening of core AWS services
 
'Moon' Security Management System for OPNFV
'Moon' Security Management System for OPNFV'Moon' Security Management System for OPNFV
'Moon' Security Management System for OPNFV
 
Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation Firewall
 
Lacework for AWS Security Overview
Lacework for AWS Security OverviewLacework for AWS Security Overview
Lacework for AWS Security Overview
 
CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practices
 
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula  - Automated Defense Using Cloud Service Aws, Azure, Gcp(SACON) Madhu Akula  - Automated Defense Using Cloud Service Aws, Azure, Gcp
(SACON) Madhu Akula - Automated Defense Using Cloud Service Aws, Azure, Gcp
 
Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your Cloud
 

Viewers also liked (20)

NGN Brochure May 2014
NGN Brochure May 2014NGN Brochure May 2014
NGN Brochure May 2014
 
หน่วยที่ 2
หน่วยที่ 2หน่วยที่ 2
หน่วยที่ 2
 
DVSM Annual Report 20142015 low res web
DVSM Annual Report 20142015 low res webDVSM Annual Report 20142015 low res web
DVSM Annual Report 20142015 low res web
 
Katalog Oriflame Februari 2015
Katalog Oriflame Februari 2015Katalog Oriflame Februari 2015
Katalog Oriflame Februari 2015
 
Dougs Resume. (1)
Dougs Resume. (1)Dougs Resume. (1)
Dougs Resume. (1)
 
CV of Sanga Tolamo
CV of Sanga TolamoCV of Sanga Tolamo
CV of Sanga Tolamo
 
Katalog Oriflame Maret 2015
Katalog Oriflame Maret 2015Katalog Oriflame Maret 2015
Katalog Oriflame Maret 2015
 
Fuel Switching pg14 MRJuly15
Fuel Switching pg14 MRJuly15Fuel Switching pg14 MRJuly15
Fuel Switching pg14 MRJuly15
 
person_leader
person_leaderperson_leader
person_leader
 
Risk and Insurance Management Society
Risk and Insurance Management SocietyRisk and Insurance Management Society
Risk and Insurance Management Society
 
Media Evaluation
Media EvaluationMedia Evaluation
Media Evaluation
 
PCDD – A Roadmap
PCDD – A RoadmapPCDD – A Roadmap
PCDD – A Roadmap
 
Myke hall BDX Slides
Myke hall BDX SlidesMyke hall BDX Slides
Myke hall BDX Slides
 
CV
CVCV
CV
 
Tefl (english teacher)
Tefl (english teacher)Tefl (english teacher)
Tefl (english teacher)
 
CAMM_04252013
CAMM_04252013CAMM_04252013
CAMM_04252013
 
Safe Manning JCowan pg38 MP March15
Safe Manning JCowan pg38 MP March15Safe Manning JCowan pg38 MP March15
Safe Manning JCowan pg38 MP March15
 
Behavioral therapy jupiter fl
Behavioral therapy jupiter flBehavioral therapy jupiter fl
Behavioral therapy jupiter fl
 
rowan 2016-2
rowan 2016-2rowan 2016-2
rowan 2016-2
 
Bridging the diversity gap in Clinical Trials
Bridging the diversity gap in Clinical TrialsBridging the diversity gap in Clinical Trials
Bridging the diversity gap in Clinical Trials
 

Similar to Nebula Webinar | Private Cloud Security: Practical Solutions for a Challenging Problem

2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdf2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdfYounesChafi1
 
Network Security Best Practices - Reducing Your Attack Surface
Network Security Best Practices - Reducing Your Attack SurfaceNetwork Security Best Practices - Reducing Your Attack Surface
Network Security Best Practices - Reducing Your Attack SurfaceSkybox Security
 
The Four Horsemen of Mobile Security
The Four Horsemen of Mobile SecurityThe Four Horsemen of Mobile Security
The Four Horsemen of Mobile SecuritySkycure
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureSonatype
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...Amazon Web Services
 
Extend Enterprise Application-level Security to Your AWS Environment
Extend Enterprise Application-level Security to Your AWS EnvironmentExtend Enterprise Application-level Security to Your AWS Environment
Extend Enterprise Application-level Security to Your AWS EnvironmentImperva
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessPuma Security, LLC
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)ClubHack
 
OpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeOpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeCybera Inc.
 
Proteja seus clientes - Gerenciamento dos Serviços de Segurança
Proteja seus clientes - Gerenciamento dos Serviços de SegurançaProteja seus clientes - Gerenciamento dos Serviços de Segurança
Proteja seus clientes - Gerenciamento dos Serviços de SegurançaCisco do Brasil
 
Scalable, Secure, Programmable – Cloud Connectivity for the Future
Scalable, Secure, Programmable – Cloud Connectivity for the FutureScalable, Secure, Programmable – Cloud Connectivity for the Future
Scalable, Secure, Programmable – Cloud Connectivity for the FutureADVA
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present DangersPeter Wood
 
SafeNet ProtectV Data Protection for Virtual Infrastructure
SafeNet ProtectV Data Protection for Virtual InfrastructureSafeNet ProtectV Data Protection for Virtual Infrastructure
SafeNet ProtectV Data Protection for Virtual InfrastructureLETA IT-company
 
Privileged Access Management for the Software-Defined Network
Privileged Access Management for the Software-Defined NetworkPrivileged Access Management for the Software-Defined Network
Privileged Access Management for the Software-Defined NetworkCA Technologies
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Rishabh Dangwal
 
From 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
From 0 to Secure in 1 Minute - Securing laaS - Nir ValtmanFrom 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
From 0 to Secure in 1 Minute - Securing laaS - Nir ValtmanEC-Council
 

Similar to Nebula Webinar | Private Cloud Security: Practical Solutions for a Challenging Problem (20)

2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdf2022 Q1 Webinar Securite du Cloud public (1).pdf
2022 Q1 Webinar Securite du Cloud public (1).pdf
 
Network Security Best Practices - Reducing Your Attack Surface
Network Security Best Practices - Reducing Your Attack SurfaceNetwork Security Best Practices - Reducing Your Attack Surface
Network Security Best Practices - Reducing Your Attack Surface
 
The Four Horsemen of Mobile Security
The Four Horsemen of Mobile SecurityThe Four Horsemen of Mobile Security
The Four Horsemen of Mobile Security
 
There is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless ArchitectureThere is No Server: Immutable Infrastructure and Serverless Architecture
There is No Server: Immutable Infrastructure and Serverless Architecture
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
 
Extend Enterprise Application-level Security to Your AWS Environment
Extend Enterprise Application-level Security to Your AWS EnvironmentExtend Enterprise Application-level Security to Your AWS Environment
Extend Enterprise Application-level Security to Your AWS Environment
 
Encryption in the Cloud
Encryption in the CloudEncryption in the Cloud
Encryption in the Cloud
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
Scenatio based hacking - enterprise wireless security (Vivek Ramachandran)
 
OpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information ExchangeOpenStack - Security Professionals Information Exchange
OpenStack - Security Professionals Information Exchange
 
OpenStack Murano
OpenStack MuranoOpenStack Murano
OpenStack Murano
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
Proteja seus clientes - Gerenciamento dos Serviços de Segurança
Proteja seus clientes - Gerenciamento dos Serviços de SegurançaProteja seus clientes - Gerenciamento dos Serviços de Segurança
Proteja seus clientes - Gerenciamento dos Serviços de Segurança
 
Scalable, Secure, Programmable – Cloud Connectivity for the Future
Scalable, Secure, Programmable – Cloud Connectivity for the FutureScalable, Secure, Programmable – Cloud Connectivity for the Future
Scalable, Secure, Programmable – Cloud Connectivity for the Future
 
Network Security - Real and Present Dangers
Network Security - Real and Present DangersNetwork Security - Real and Present Dangers
Network Security - Real and Present Dangers
 
SafeNet ProtectV Data Protection for Virtual Infrastructure
SafeNet ProtectV Data Protection for Virtual InfrastructureSafeNet ProtectV Data Protection for Virtual Infrastructure
SafeNet ProtectV Data Protection for Virtual Infrastructure
 
Privileged Access Management for the Software-Defined Network
Privileged Access Management for the Software-Defined NetworkPrivileged Access Management for the Software-Defined Network
Privileged Access Management for the Software-Defined Network
 
Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...Corporate Security Issues and countering them using Unified Threat Management...
Corporate Security Issues and countering them using Unified Threat Management...
 
From 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
From 0 to Secure in 1 Minute - Securing laaS - Nir ValtmanFrom 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
From 0 to Secure in 1 Minute - Securing laaS - Nir Valtman
 

Recently uploaded

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 

Recently uploaded (20)

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

Nebula Webinar | Private Cloud Security: Practical Solutions for a Challenging Problem

  • 1. © 2015 Nebula, Inc. All rights reserved. (cloud) Computing for the Enterprise. Private Cloud Security: Practical Solutions for a Challenging Problem. Bryan D. Payne, March 18, 2015
  • 2. "Why Security Matters In A Private Cloud"
  • 3. [Diagram: Public cloud vs. Private cloud]
  • 4. [Diagram: Private Network and Internet, with the enterprise services a private cloud touches: Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI]
  • 5. [Diagram: the same enterprise services (Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI)]
  • 6. [Diagram: the same enterprise services, with three numbered points (1, 2, 3) highlighted]
  • 7. [Diagram: threat-actor pyramid, source: OpenStack Security Guide. Actors: Intelligence Services, Serious Organized Crime, Highly Capable Groups, Motivated Individuals, Script Kiddies. Axes: Likelihood of Attack; Sophistication & Likelihood of Exploitation]
  • 8. [Diagram: attack graph in four stages: Initial Access, Touch Cloud, Exploit Cloud, Exploit Enterprise. Nodes: Spear Phishing, Compromise User System, Compromise Instance, VM Breakout, API Vuln, Dashboard Vuln, Access Cloud As Outsider, Access Cloud As User, Access Cloud As Admin, View Other Instances, Abuse Cloud Resources, View Data In Cloud, Modify LDAP, View External Data, Follow VLANs into Corp Net]
  • 9. Known hardware and software + Orchestration = Security Opportunity
  • 10. [Diagram: reference architecture. Labels: Cloud Users / Administrators, Cloud Operators, API Endpoints, Web Dashboard, Compute Node (x2) each running Instances, Storage Node (x2), Guest, Management, Data, Management and Control Plane Services, External]
  • 11. OpenStack Projects: "The Glue"
  • 12. Cloud Attack Vectors and Mitigation Strategies
      Attack vector         Mitigation strategies
      API Endpoints         Service hardening, mandatory access controls, code audits
      Web Dashboard         CSP, expected domains, HTTPS, HSTS, allowed referrers
      Information Leakage   SSL/TLS, disable memory dedup, randomize resource assignment
      VM Breakout           Service hardening, mandatory access controls, code audits
      Hardware Sharing      Avoid bare metal instances, avoid device pass-through
      Default Images        Secure and maintain default images
      Secondary Attacks     Least privilege, mandatory access controls, SSL/TLS, strong auth
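The "Web Dashboard" row above is a checklist that can be verified mechanically. The script below is an added example written for this page, not Nebula's or the Horizon project's code: it audits a captured dashboard response (scheme, headers, Set-Cookie values) and Horizon's Django settings for HTTPS, HSTS, CSP, expected domains (ALLOWED_HOSTS) and the referrer-based CSRF check. It runs offline on constructed samples; the 180-day HSTS minimum and the sample values are assumptions.

```python
"""Audit a Horizon (OpenStack dashboard) deployment against the Web Dashboard
mitigations: HTTPS, HSTS, CSP, expected domains, allowed referrers.

Added example for this page; not Nebula's or Horizon's code. Works on a
captured response and a Django settings dict, so it runs offline.
"""
import re

MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # assumption: six months


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _parse_csp(csp):
    """Turn "default-src 'self'; script-src 'self' x" into {directive: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_response(scheme, headers, cookies):
    """Findings for one dashboard response; 'cookies' is the list of Set-Cookie values."""
    findings = []
    if scheme != "https":
        findings.append("dashboard served over plain HTTP")

    hsts = _header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age shorter than %d seconds" % MIN_HSTS_MAX_AGE)

    csp = _header(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        d = _parse_csp(csp)
        if "default-src" not in d:
            findings.append("CSP has no default-src fallback")
        script_src = d.get("script-src", d.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("CSP allows inline or wildcard script sources")
        if "frame-ancestors" not in d and _header(headers, "X-Frame-Options") is None:
            findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")

    for cookie in cookies:
        name = cookie.split("=", 1)[0]
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure" % name)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly" % name)
    return findings


def audit_settings(settings):
    """Findings for Horizon's Django settings (local_settings.py values)."""
    findings = []
    hosts = settings.get("ALLOWED_HOSTS", [])
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS does not pin the dashboard to expected domains")
    for flag in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(flag, False):
            findings.append("%s is not True" % flag)
    # On HTTPS, Django's CSRF middleware requires the Referer to match the request
    # host (plus CSRF_TRUSTED_ORIGINS); a wildcard there defeats the referrer check.
    if any("*" in origin for origin in settings.get("CSRF_TRUSTED_ORIGINS", [])):
        findings.append("CSRF_TRUSTED_ORIGINS contains a wildcard")
    return findings


# Constructed samples (not captured from a real deployment).
WEAK_HEADERS = {"Server": "Apache", "Strict-Transport-Security": "max-age=300"}
WEAK_COOKIES = ["sessionid=abc; Path=/", "csrftoken=xyz; Path=/"]
WEAK_SETTINGS = {"ALLOWED_HOSTS": ["*"], "SESSION_COOKIE_SECURE": False}

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
}
HARDENED_COOKIES = ["sessionid=abc; Path=/; Secure; HttpOnly",
                    "csrftoken=xyz; Path=/; Secure; HttpOnly"]
HARDENED_SETTINGS = {"ALLOWED_HOSTS": ["dashboard.example.internal"],
                     "SESSION_COOKIE_SECURE": True, "CSRF_COOKIE_SECURE": True}

if __name__ == "__main__":
    for label, scheme, h, c, s in (
            ("weak", "http", WEAK_HEADERS, WEAK_COOKIES, WEAK_SETTINGS),
            ("hardened", "https", HARDENED_HEADERS, HARDENED_COOKIES, HARDENED_SETTINGS)):
        for finding in audit_response(scheme, h, c) + audit_settings(s):
            print("%s: %s" % (label, finding))
```

Against a live deployment, feed `audit_response` the scheme, headers and Set-Cookie lines of a GET to the login page, and `audit_settings` the values from Horizon's local_settings.py; the hardened sample returns no findings, the weak one reports every row of the checklist it fails.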
  • 13. Threat: Information Leakage
      - TLS for network services
          - API endpoints
          - Web dashboard
          - Log feeds
          - AD / LDAP
          - External storage
      - Cross-VM attacks (timing, cache effects, etc.)
  • 14. Threat: VM Breakout
      - Mandatory access controls
          - SELinux + KVM (sVirt)
      - Build hardening
          - Remove unused device models from QEMU
          - Compiler hardening flags
      - General node hardening
          - De-privilege the node with respect to the cloud
          - Boot + runtime attestation, SELinux, etc.
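Two of the mitigations on this slide can be checked on a compute node from command output alone: sVirt confinement (every KVM guest runs as `svirt_t` with its own MCS category pair, so one escaped guest cannot touch another guest's disk image or memory) and the set of device models the QEMU build exposes. The script below is an added example for this page, not Nebula's, libvirt's or QEMU's code; it parses text in the formats of `ps -eZ` and `qemu-system-x86_64 -device help`. The samples are constructed, and the device allow-list is an assumption for a cloud that offers guests only virtio devices.

```python
"""Node-side checks for the VM Breakout mitigations: sVirt labels per guest
and unexpected QEMU device models.

Added example for this page; not Nebula's, libvirt's or QEMU's code.
"""
import re
from collections import defaultdict

# `ps -eZ` columns: LABEL PID TTY TIME CMD
PS_LINE = re.compile(r"^(?P<label>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<cmd>\S+)")


def audit_svirt(ps_output, guest_cmds=("qemu-kvm", "qemu-system-x86_64")):
    """Findings from `ps -eZ` output: every guest must run in an sVirt domain
    with MCS categories, and no two guests may share the same categories."""
    findings = []
    seen = defaultdict(list)  # MCS categories -> pids carrying them
    for line in ps_output.splitlines():
        m = PS_LINE.match(line.strip())
        if not m or m.group("cmd") not in guest_cmds:
            continue
        pid, label = m.group("pid"), m.group("label")
        parts = label.split(":")  # user:role:type:sensitivity[:categories]
        if len(parts) < 4:
            findings.append("pid %s: no SELinux label (%s)" % (pid, label))
            continue
        domain = parts[2]
        if domain not in ("svirt_t", "svirt_tcg_t"):
            findings.append("pid %s: guest runs in %s, not an sVirt domain" % (pid, domain))
            continue
        if len(parts) < 5 or not parts[4]:
            findings.append("pid %s: sVirt domain without MCS categories" % pid)
            continue
        seen[parts[4]].append(pid)
    for cats, pids in seen.items():
        if len(pids) > 1:
            findings.append("pids %s share MCS categories %s" % (",".join(pids), cats))
    return findings


DEVICE_LINE = re.compile(r'^name "([^"]+)"')


def unexpected_devices(device_help, allowed):
    """Device models the QEMU binary offers beyond the allow-list; each one is
    emulation code reachable from a guest that the cloud never needs."""
    offered = set()
    for line in device_help.splitlines():
        m = DEVICE_LINE.match(line.strip())
        if m:
            offered.add(m.group(1))
    return sorted(offered - set(allowed))


# Constructed `ps -eZ` output: two guests share a category pair, one is unconfined.
SAMPLE_PS = """\
LABEL                              PID TTY          TIME CMD
system_u:system_r:init_t:s0          1 ?        00:00:03 systemd
system_u:system_r:virtd_t:s0-s0:c0.c1023  1301 ?  00:00:10 libvirtd
system_u:system_r:svirt_t:s0:c218,c855  4120 ?  00:02:41 qemu-kvm
system_u:system_r:svirt_t:s0:c218,c855  4391 ?  00:01:07 qemu-kvm
system_u:system_r:svirt_t:s0:c12,c944   4502 ?  00:00:58 qemu-kvm
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4777 ? 00:00:13 qemu-kvm
"""

# Constructed `-device help` output and an assumed virtio-only allow-list.
SAMPLE_DEVICE_HELP = """\
Storage devices:
name "virtio-blk-pci", bus PCI, alias "virtio-blk"
name "ide-hd", bus IDE
Network devices:
name "virtio-net-pci", bus PCI, alias "virtio-net"
name "e1000", bus PCI, desc "Intel Gigabit Ethernet"
Display devices:
name "cirrus-vga", bus PCI, desc "Cirrus CLGD 54xx VGA"
"""
ALLOWED_DEVICES = {"virtio-blk-pci", "virtio-net-pci", "virtio-serial-pci", "virtio-rng-pci"}

if __name__ == "__main__":
    for finding in audit_svirt(SAMPLE_PS):
        print("svirt:", finding)
    print("extra device models:", unexpected_devices(SAMPLE_DEVICE_HELP, ALLOWED_DEVICES))
```

On a real node, pipe `ps -eZ` into `audit_svirt` and the `-device help` output of the QEMU binary libvirt actually launches into `unexpected_devices`; a guest reported as `unconfined_t` or as sharing categories with another guest means the SELinux + sVirt layer is not doing its job, and every device model on the second list is a candidate for removal from the build.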
  • 15. Threat: Control Plane Compromise
      - Layers of security
          - Firewall (bi-directional on the control plane)
          - Limit propagation of sensitive data
          - Unique secrets everywhere
          - Audit network service interface bindings
          - TLS, SELinux, boot + runtime attestation
      - Primary focus: limit the damage a bad actor on the control plane can do
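Two of the layers above, "audit network service interface bindings" and "unique secrets everywhere", are worth automating, because both drift silently as a control plane is patched and reconfigured. The script below is an added example for this page, not Nebula's or OpenStack's code. The first check parses `ss -lntp` output and reports listeners bound outside the address policy for their process (a database or message broker on a wildcard address is exactly the foothold a control-plane attacker wants); the second parses service configuration files in OpenStack's ini style and reports any password or token that appears in more than one file, including passwords embedded in `connection = mysql://user:pass@host/db` URLs. Addresses, service names and the sample configs are constructed.

```python
"""Control-plane checks: listener bindings versus policy, and secrets reused
across service configuration files.

Added example for this page; not Nebula's or OpenStack's code.
"""
import configparser
import re
from collections import defaultdict

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Yield (process, address, port) for each LISTEN line of `ss -lntp`."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        address, port = fields[3].rsplit(":", 1)
        m = PROCESS_RE.search(line)
        yield (m.group(1) if m else "?"), address, int(port)


def audit_bindings(ss_output, policy):
    """policy maps a process name to the set of addresses it may listen on.
    Unlisted processes and listeners outside their allowed set are reported,
    so a wildcard bind (0.0.0.0 or [::]) is a finding unless policy names it."""
    findings = []
    for proc, address, port in parse_listeners(ss_output):
        allowed = policy.get(proc)
        if allowed is None:
            findings.append("%s:%d: unexpected listener %s" % (address, port, proc))
        elif address not in allowed:
            findings.append("%s:%d: %s bound outside policy %s"
                            % (address, port, proc, sorted(allowed)))
    return findings


SECRET_OPTION = re.compile(r"(password|secret|token|key)$", re.IGNORECASE)
URL_PASSWORD = re.compile(r"://[^:/@]+:([^@]+)@")


def find_shared_secrets(config_files):
    """config_files maps a file name to its ini text. Returns a list of
    (secret value, [(file, section, option), ...]) for every value that is
    used in more than one file."""
    uses = defaultdict(list)
    for name, text in config_files.items():
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read_string(text)
        for section in cp.sections():
            for option, value in cp.items(section):
                if SECRET_OPTION.search(option):
                    uses[value].append((name, section, option))
                for password in URL_PASSWORD.findall(value):
                    uses[password].append((name, section, option))
    return [(value, places) for value, places in uses.items()
            if len({place[0] for place in places}) > 1]


# Constructed `ss -lntp` output and an assumed binding policy.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    203.0.113.10:8774  0.0.0.0:*  users:(("nova-api",pid=2101,fd=6))
LISTEN 0      128    0.0.0.0:3306       0.0.0.0:*  users:(("mysqld",pid=1804,fd=20))
LISTEN 0      128    10.0.0.5:5672      0.0.0.0:*  users:(("beam.smp",pid=1950,fd=15))
LISTEN 0      128    [::]:11211         [::]:*     users:(("memcached",pid=1777,fd=26))
LISTEN 0      5      0.0.0.0:8000       0.0.0.0:*  users:(("python2",pid=3311,fd=3))
"""
POLICY = {
    "nova-api": {"203.0.113.10"},          # public API endpoint
    "mysqld": {"10.0.0.5", "127.0.0.1"},   # management network only
    "beam.smp": {"10.0.0.5"},              # RabbitMQ
    "memcached": {"10.0.0.5"},
}

# Constructed service configs; one password is reused by two services.
SAMPLE_CONFIGS = {
    "nova.conf": """\
[DEFAULT]
my_ip = 10.0.0.5
[database]
connection = mysql://nova:Sup3rS3cret@10.0.0.5/nova
[keystone_authtoken]
admin_password = Sup3rS3cret
[oslo_messaging_rabbit]
rabbit_password = Sup3rS3cret
""",
    "neutron.conf": """\
[database]
connection = mysql://neutron:n3utr0n-only@10.0.0.5/neutron
[keystone_authtoken]
admin_password = Sup3rS3cret
[oslo_messaging_rabbit]
rabbit_password = Sup3rS3cret
""",
    "glance-api.conf": """\
[database]
connection = mysql://glance:gl4nce-only@10.0.0.5/glance
[keystone_authtoken]
admin_password = gl4nce-svc-pass
""",
}

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE_SS, POLICY):
        print("binding:", finding)
    for value, places in find_shared_secrets(SAMPLE_CONFIGS):
        print("shared secret used in:", sorted({p[0] for p in places}))
```

The secrets report is a review list rather than a pass/fail gate: a broker account deliberately shared by every service will show up, and the point of the slide is that it should not be shared, since one service's leaked credential then opens the queue for all of them. Run the binding check on every control-plane host after each change, with the policy kept under version control next to the firewall rules.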
  • 16. Threat: Vulnerabilities Upstream
      - Targeted security audits
          - Work closely with the OpenStack and Linux communities
      - Aggressive security update policies
          - Cloud-specific triage process
          - Be prepared to test and roll out quickly
  • 17. Threat: Poor Entropy for Instances
      - Mix entropy from multiple sources
          - Hardware-generated, from multiple vendors
      - Distribute securely / fairly
          - Entropy stream distributed throughout the cloud
          - Available to all instances, using RNG Tools
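The mixing step on this slide is where the multi-vendor design pays off, provided the sources are combined so that one bad device cannot undo the others. The script below is an added example written for this page; it is not Nebula's code and not how rngd or the kernel pool are built. It stands in for a node-side collector: each hardware source is sampled, a source whose sample looks degenerate (stuck at a constant, or too short to judge) is dropped, and the survivors are mixed by hashing a counter together with every sample, so a source that can see the others cannot simply cancel them out as it could under plain XOR. The SHA-512 construction, the 7.0 bits-per-byte threshold and the source names are assumptions, and `os.urandom` plays the part of the hardware RNGs.

```python
"""Pool entropy from several hardware sources with a per-source health gate.

Added example for this page; not Nebula's code, not rng-tools, not the kernel.
"""
import hashlib
import math
import os
from collections import Counter

MIN_BITS_PER_BYTE = 7.0   # assumption; a 4 KiB sample of good randomness scores ~7.95
SAMPLE_BYTES = 4096


def shannon_bits_per_byte(sample):
    """Empirical entropy of a byte string: 8.0 is the maximum, 0.0 means constant."""
    counts = Counter(sample)
    n = len(sample)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def healthy_sources(samples):
    """Keep only sources whose sample passes the size and entropy gate.
    samples maps a source name to the bytes read from it."""
    kept = {}
    for name, data in samples.items():
        if len(data) >= SAMPLE_BYTES and shannon_bits_per_byte(data) >= MIN_BITS_PER_BYTE:
            kept[name] = data
    return kept


def mix(samples, out_len=64):
    """Derive out_len bytes from all samples at once. Every output block hashes a
    counter together with every input, so each source influences every byte and a
    source that knows the others still cannot force the output to a chosen value."""
    if not samples:
        raise ValueError("no healthy entropy sources")
    names = sorted(samples)  # fixed order keeps the mix reproducible for a given input
    out = bytearray()
    counter = 0
    while len(out) < out_len:
        h = hashlib.sha512(counter.to_bytes(4, "big"))
        for name in names:
            h.update(len(samples[name]).to_bytes(4, "big"))  # length prefix: no boundary ambiguity
            h.update(samples[name])
        out += h.digest()
        counter += 1
    return bytes(out[:out_len])


def pool_round(samples):
    """One collection round: gate the sources, then mix what survived.
    Returns (mixed bytes, names of the sources that were used)."""
    kept = healthy_sources(samples)
    return mix(kept), sorted(kept)


# Constructed sources: two "hardware" RNGs, one stuck device, one short read.
SOURCES = {
    "hwrng-vendor-a": os.urandom(SAMPLE_BYTES),
    "hwrng-vendor-b": os.urandom(SAMPLE_BYTES),
    "hwrng-stuck":    b"\x00" * SAMPLE_BYTES,
    "hwrng-short":    os.urandom(100),
}

if __name__ == "__main__":
    mixed, used = pool_round(SOURCES)
    print("mixed %d bytes from %s" % (len(mixed), used))
```

The distribution half of the slide is the standard virtualization plumbing rather than anything in this script: rngd from rng-tools feeds the node's /dev/random from the pooled stream, each guest gets a virtio-rng device backed by the host's /dev/random, and rngd inside the guest feeds /dev/hwrng into the guest kernel pool. "Fairly" is what libvirt's rate limit on the rng device is for, so one greedy instance cannot drain the host pool for its neighbours; how Nebula wired this is not detailed on the slide.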
  • 18. [Diagram: the enterprise services from slide 4 again: Storage, Email, LDAP, NTP, VLAN Tunnels, SIEM, DNS, PKI]
  • 19. Email: bryan.payne@nebula.com, Twitter: @bdpsecurity