Sh*t my cloud evangelist         says... ...Just not to my CSO
About @Beaker:✤   I’m an a*hole with a blog (rationalsurvivability.com)✤   Global Chief Security Architect for a company w...
About @Beaker:✤   I’m an a*hole with a blog (rationalsurvivability.com)✤   Global Chief Security Architect for a company w...
Defining theproblem set
IT’S A TRAP!
Developer Priorities*            VS           Security Priorities                *Mark Curphey - The Great Security Divide...
Developer Priorities*              VS           Security Priorities1. Functions and features as                        1. ...
Developer Priorities*              VS           Security Priorities1. Functions and features as                        1. ...
Developer Priorities*              VS           Security Priorities1. Functions and features as                        1. ...
Developer Priorities*              VS           Security Priorities1. Functions and features as                        1. ...
Developer Priorities*                 VS           Security Priorities1. Functions and features as                        ...
Developer Priorities*                 VS           Security Priorities1. Functions and features as                        ...
Developer Priorities*                 VS           Security Priorities1. Functions and features as                        ...
@SMCES...   VS   ...SECURITY
@SMCES...                                     VS   ...SECURITY✤   Cloud is more secure; security is more integrated   ✤   ...
@SMCES...                                     VS   ...SECURITY✤   Cloud is more secure; security is more integrated   ✤   ...
@SMCES...                                     VS   ...SECURITY✤   Cloud is more secure; security is more integrated   ✤   ...
@SMCES...                                      VS   ...SECURITY✤   Cloud is more secure; security is more integrated    ✤ ...
@SMCES...                                      VS   ...SECURITY✤   Cloud is more secure; security is more integrated    ✤ ...
@SMCES...                                        VS   ...SECURITY✤   Cloud is more secure; security is more integrated    ...
What’s Missing?
What’s Missing? ✤   Instrumentation that is inclusive of security
What’s Missing? ✤   Instrumentation that is inclusive of security ✤   Intelligence and context shared between infrastructu...
What’s Missing? ✤   Instrumentation that is inclusive of security ✤   Intelligence and context shared between infrastructu...
What’s Missing? ✤   Instrumentation that is inclusive of security ✤   Intelligence and context shared between infrastructu...
What’s Missing? ✤   Instrumentation that is inclusive of security ✤   Intelligence and context shared between infrastructu...
What’s Missing? ✤   Instrumentation that is inclusive of security ✤   Intelligence and context shared between infrastructu...
Nasty bits
“Information Security” Sucks                                                                                              ...
“Information Security” Sucks                                                                                              ...
“Information Security” Sucks                                                                                              ...
Application Security: Meh
API Security Sucks Harder  ✤   Most Security Drones can’t spell XML  ✤   ...they rarely use SOAP  ✤   ...they don’t get RE...
Fool! You Fell Victim To One Ofthe Classic Blunders!
Fool! You Fell Victim To One Ofthe Classic Blunders!✤   Never Get Involved In    a Cloud War In Asia
Fool! You Fell Victim To One Ofthe Classic Blunders!✤   Never Get Involved In    a Cloud War In Asia✤   Never Go In Agains...
Fool! You Fell Victim To One Ofthe Classic Blunders!✤   Never Get Involved In    a Cloud War In Asia✤   Never Go In Agains...
Fool! You Fell Victim To One Ofthe Classic Blunders!✤   Never Get Involved In    a Cloud War In Asia✤   Never Go In Agains...
Sh*T My Cloud Evangelist Fails to say...        CE              NS                      OR                             ED ...
The 7 Dirty Words              ...Of Cloud Security
The 7 Dirty Words  1. Scalability                   ...Of Cloud Security
The 7 Dirty Words  1. Scalability  2. Portability                   ...Of Cloud Security
The 7 Dirty Words  1. Scalability  2. Portability  3. Fungibility                   ...Of Cloud Security
The 7 Dirty Words  1.   Scalability  2.   Portability  3.   Fungibility  4.   Compliance                     ...Of Cloud S...
The 7 Dirty Words  1.   Scalability  2.   Portability  3.   Fungibility  4.   Compliance  5.   Cost                     .....
The 7 Dirty Words  1.   Scalability  2.   Portability  3.   Fungibility  4.   Compliance  5.   Cost  6.   Manageability   ...
The 7 Dirty Words  1.   Scalability  2.   Portability  3.   Fungibility  4.   Compliance  5.   Cost  6.   Manageability  7...
Scalability
Scalability  ✤ Distributed Networked System problems are tough; Distributed      Networked System Security problems are to...
Scalability  ✤ Distributed Networked System problems are tough; Distributed      Networked System Security problems are to...
Scalability  ✤ Distributed Networked System problems are tough; Distributed      Networked System Security problems are to...
Scalability  ✤ Distributed Networked System problems are tough; Distributed      Networked System Security problems are to...
Security@Scale
Security@Scale ✤ It doesn’t. The MeatCloud giveth, the MeatCloud    taketh away...
Security@Scale ✤ It doesn’t. The MeatCloud giveth, the MeatCloud    taketh away... ✤ Beyond Gb/s, Connections/s, flows, etc...
Security@Scale ✤ It doesn’t. The MeatCloud giveth, the MeatCloud    taketh away... ✤ Beyond Gb/s, Connections/s, flows, etc...
Cloud: The Revengeof VPN and PKI
Cloud: The Revengeof VPN and PKIHINT: CLOUD SECURITY IS MORETHAN OVERLAY ENCRYPTION &MULTI-FACTOR AUTHENTICATIONMECHANISMS
He P’s On Everything...                Everything’s Connected
Do Not Poke the bear       If You Think A Noogie Is Bad, Try the Wedgie!
Portability
Portability  ✤ If we don’t have consistency in standards/formats for     workloads & stack insertion, we’re not going to h...
Portability  ✤ If we don’t have consistency in standards/formats for     workloads & stack insertion, we’re not going to h...
Portability  ✤ If we don’t have consistency in standards/formats for     workloads & stack insertion, we’re not going to h...
Portability✤   Dude, Where’s My IOS ACL    5-Tuple!?        Working with VMware vShield REST API in perl. Richard Park, So...
Portability✤   ...or this:                  AWS Security : A Practitioner’s Perspective. Jason Chan, Netflix
Fungibility
Fungibility ✤   Fundamentally, we need reusable and programmatic     security design patterns; Controls today are CLI/GUI ...
Fungibility ✤   Fundamentally, we need reusable and programmatic     security design patterns; Controls today are CLI/GUI ...
Fungibility ✤   Fundamentally, we need reusable and programmatic     security design patterns; Controls today are CLI/GUI ...
Fungibility ✤   Fundamentally, we need reusable and programmatic     security design patterns; Controls today are CLI/GUI ...
Fungibility ✤   Fundamentally, we need reusable and programmatic     security design patterns; Controls today are CLI/GUI ...
The Problem IsAlways Hamsters
The Hamster Sine Wave of Pain...*                                                               The Security Hamster Sine ...
The Hamster Sine Wave of Pain...*                                                              The Security Hamster Sine W...
The Hamster Sine Wave of Pain...*                                                              The Security Hamster Sine W...
The Hamster Sine Wave of Pain...*                                                              The Security Hamster Sine W...
Compliance
Compliance ✤ Security != Compliance and “security” doesn’t matter
Compliance ✤ Security != Compliance and “security” doesn’t matter ✤ Regulatory compliance and frameworks don’t address    ...
Compliance ✤ Security != Compliance and “security” doesn’t matter ✤ Regulatory compliance and frameworks don’t address    ...
Compliance ✤ Security != Compliance and “security” doesn’t matter ✤ Regulatory compliance and frameworks don’t address    ...
Mapping the Model to the Metal
Mapping the Model to the Metal        Cloud Model Presentation                  Presentation   Modality                   ...
Mapping the Model to the Metal        Cloud Model Presentation                  Presentation   Modality                   ...
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Shit My Cloud Evangelist Says...Just Not To My CSO
Upcoming SlideShare
Loading in …5
×

Shit My Cloud Evangelist Says...Just Not To My CSO

8,735 views

Published on

Actually, this is about the things a Cloud Evangelist DOESN'T say and correlates the experience, belief systems and issues of developers and security folks. It's a plea to have devs evangelize to and enroll security in their efforts as it relates to security of their platforms...

Published in: Technology, Business
2 Comments
17 Likes
Statistics
Notes
No Downloads
Views
Total views
8,735
On SlideShare
0
From Embeds
0
Number of Embeds
419
Actions
Shares
0
Downloads
208
Comments
2
Likes
17
Embeds 0
No embeds

No notes for slide
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • \n
  • Shit My Cloud Evangelist Says...Just Not To My CSO

    1. Sh*t my cloud evangelist says... ...Just not to my CSO
    2. About @Beaker:✤ I’m an a*hole with a blog (rationalsurvivability.com)✤ Global Chief Security Architect for a company who provides networking & security widgets to SP’s & Enterprises✤ Love Cloud & particularly fond of those that do my bidding in a manner commensurate with my OCD-driven need to manage outcomes in a reasonably predictable way
    3. About @Beaker:✤ I’m an a*hole with a blog (rationalsurvivability.com)✤ Global Chief Security Architect for a company who provides networking & security widgets to SP’s & Enterprises✤ Love Cloud & particularly fond of those that do my bidding in a manner commensurate with my OCD-driven need to manage outcomes in a reasonably predictable way << @SMCES
    4. Defining theproblem set
    5. IT’S A TRAP!
    6. Developer Priorities* VS Security Priorities *Mark Curphey - The Great Security Divide - Part 1 & John Wilander - Security People vs Developers
    7. Developer Priorities* VS Security Priorities1. Functions and features as 1. Security specified or envisioned *Mark Curphey - The Great Security Divide - Part 1 & John Wilander - Security People vs Developers
    8. Developer Priorities* VS Security Priorities1. Functions and features as 1. Security specified or envisioned2. Performance 2. Compliance *Mark Curphey - The Great Security Divide - Part 1 & John Wilander - Security People vs Developers
    9. Developer Priorities* VS Security Priorities1. Functions and features as 1. Security specified or envisioned2. Performance 2. Compliance3. Usability 3. Uptime *Mark Curphey - The Great Security Divide - Part 1 & John Wilander - Security People vs Developers
    10. Developer Priorities* VS Security Priorities1. Functions and features as 1. Security specified or envisioned2. Performance 2. Compliance3. Usability 3. Uptime4. Uptime 4. Performance *Mark Curphey - The Great Security Divide - Part 1 & John Wilander - Security People vs Developers
    11. Developer Priorities* VS Security Priorities1. Functions and features as 1. Security specified or envisioned2. Performance 2. Compliance3. Usability 3. Uptime4. Uptime 4. Performance5. Maintainability 5. Functions and features as specified or envisioned *Mark Curphey - The Great Security Divide - Part 1 & John Wilander - Security People vs Developers
    12. Developer Priorities* VS Security Priorities1. Functions and features as 1. Security specified or envisioned2. Performance 2. Compliance3. Usability 3. Uptime4. Uptime 4. Performance5. Maintainability 5. Functions and features as specified or envisioned6. Security 6. Usability/Maintainability *Mark Curphey - The Great Security Divide - Part 1 & John Wilander - Security People vs Developers
    13. Developer Priorities* VS Security Priorities1. Functions and features as 1. Security specified or envisioned2. Performance 2. Compliance3. Usability 3. Uptime4. Uptime 4. Performance5. Maintainability 5. Functions and features as specified or envisioned6. Security 6. Usability/Maintainability *Mark Curphey - The Great Security Divide - Part 1 & John Wilander - Security People vs Developers
    14. @SMCES... VS ...SECURITY
    15. @SMCES... VS ...SECURITY✤ Cloud is more secure; security is more integrated ✤ Cloud is less secure because developers can’t and it’s everyone’s responsibility detect & prevent basic threats, let alone complex, adaptive and emerging adversaries; See OWASP Top 10 vs APT
    16. @SMCES... VS ...SECURITY✤ Cloud is more secure; security is more integrated ✤ Cloud is less secure because developers can’t and it’s everyone’s responsibility detect & prevent basic threats, let alone complex, adaptive and emerging adversaries; See OWASP Top 10 vs APT✤ The Golden Rule: Design for fail ✤ Security is penalized severely for failure & is expected never to fail (even though it does)
    17. @SMCES... VS ...SECURITY✤ Cloud is more secure; security is more integrated ✤ Cloud is less secure because developers can’t and it’s everyone’s responsibility detect & prevent basic threats, let alone complex, adaptive and emerging adversaries; See OWASP Top 10 vs APT✤ The Golden Rule: Design for fail ✤ Security is penalized severely for failure & is expected never to fail (even though it does)✤ Cloud is more agile, costs less and delivers more ✤ Cloud encourages bypassing controls, promotes value, more quickly & flexibly and without capital reckless operations and will ultimately cost more costs to clean up the mess
    18. @SMCES... VS ...SECURITY✤ Cloud is more secure; security is more integrated ✤ Cloud is less secure because developers can’t and it’s everyone’s responsibility detect & prevent basic threats, let alone complex, adaptive and emerging adversaries; See OWASP Top 10 vs APT✤ The Golden Rule: Design for fail ✤ Security is penalized severely for failure & is expected never to fail (even though it does)✤ Cloud is more agile, costs less and delivers more ✤ Cloud encourages bypassing controls, promotes value, more quickly & flexibly and without capital reckless operations and will ultimately cost more costs to clean up the mess✤ The only “True Cloud” is Public, pay-per use, ✤ Private Clouds, extending in limited fashion to multi-tenant platforms. All else are “False Public clouds will provide a controllable, hybrid Clouds” architecture we can secure
    19. @SMCES... VS ...SECURITY✤ Cloud is more secure; security is more integrated ✤ Cloud is less secure because developers can’t and it’s everyone’s responsibility detect & prevent basic threats, let alone complex, adaptive and emerging adversaries; See OWASP Top 10 vs APT✤ The Golden Rule: Design for fail ✤ Security is penalized severely for failure & is expected never to fail (even though it does)✤ Cloud is more agile, costs less and delivers more ✤ Cloud encourages bypassing controls, promotes value, more quickly & flexibly and without capital reckless operations and will ultimately cost more costs to clean up the mess✤ The only “True Cloud” is Public, pay-per use, ✤ Private Clouds, extending in limited fashion to multi-tenant platforms. All else are “False Public clouds will provide a controllable, hybrid Clouds” architecture we can secure✤ Legacy IT organizational hierarchy and siloed ✤ Compliance will have the last laugh when you operations is dead. Long live Shadow IT and bypass security and bad things happen; DevOps...or NoOps Separation of Duties & Least Privilege
    20. @SMCES... VS ...SECURITY✤ Cloud is more secure; security is more integrated ✤ Cloud is less secure because developers can’t and it’s everyone’s responsibility detect & prevent basic threats, let alone complex, adaptive and emerging adversaries; See OWASP Top 10 vs APT✤ The Golden Rule: Design for fail ✤ Security is penalized severely for failure & is expected never to fail (even though it does)✤ Cloud is more agile, costs less and delivers more ✤ Cloud encourages bypassing controls, promotes value, more quickly & flexibly and without capital reckless operations and will ultimately cost more costs to clean up the mess✤ The only “True Cloud” is Public, pay-per use, ✤ Private Clouds, extending in limited fashion to multi-tenant platforms. All else are “False Public clouds will provide a controllable, hybrid Clouds” architecture we can secure✤ Legacy IT organizational hierarchy and siloed ✤ Compliance will have the last laugh when you operations is dead. Long live Shadow IT and bypass security and bad things happen; DevOps...or NoOps Separation of Duties & Least Privilege✤ Automation enables simplicity, scalability, agility, ✤ Abstraction yields “simplexity” and complex resiliency and better security; Availability is the System Failures due to automation in security will priority be catastrophic; Fail CLOSED
    21. What’s Missing?
    22. What’s Missing? ✤ Instrumentation that is inclusive of security
    23. What’s Missing? ✤ Instrumentation that is inclusive of security ✤ Intelligence and context shared between infrastructure and applistructure layers
    24. What’s Missing? ✤ Instrumentation that is inclusive of security ✤ Intelligence and context shared between infrastructure and applistructure layers ✤ Maturity of “automation mechanics” and frameworks
    25. What’s Missing? ✤ Instrumentation that is inclusive of security ✤ Intelligence and context shared between infrastructure and applistructure layers ✤ Maturity of “automation mechanics” and frameworks ✤ Standard interfaces, precise syntactical representation of elemental security constructs < We need the “EC2 API” of Security
    26. What’s Missing? ✤ Instrumentation that is inclusive of security ✤ Intelligence and context shared between infrastructure and applistructure layers ✤ Maturity of “automation mechanics” and frameworks ✤ Standard interfaces, precise syntactical representation of elemental security constructs < We need the “EC2 API” of Security ✤ An operational methodology that ensures a common understanding of outcomes & “Agile” culture in general
    27. What’s Missing? ✤ Instrumentation that is inclusive of security ✤ Intelligence and context shared between infrastructure and applistructure layers ✤ Maturity of “automation mechanics” and frameworks ✤ Standard interfaces, precise syntactical representation of elemental security constructs < We need the “EC2 API” of Security ✤ An operational methodology that ensures a common understanding of outcomes & “Agile” culture in general ✤ Sanitary Application Security Practices
    28. Nasty bits
    29. “Information Security” Sucks Figu re 21 . Hac king meth ods b y per cent Expl oitat of br ion o each f es w defa ult o ithin r gue Hack ssab ing le cr eden Use tials of st olen login cred Brut entia 9% Expl e for ls oitat ce an ion o d dic f bac tiona kdoo ry at r or c tack omm s and a Expl nd co 55% oitat ntrol ion o chan 40% f ins nel +# uffic 14% ient 29% auth – no lo entica 51% (e.g., gin r t equirion 25% ed) 6% –# SQL 3% 29% injec tion Rem 3%– ote fi le inclu sion 1% 14% Abus e of func 6% tiona <1% lity # Unkn 3% VGhhbmsgeW91IGZvciBwYXJ0aWNpcGF0aW5nIGluIHRoZSAyMDEyIFZlcml6b24gREJJUiBDb3Zl own 4% # ciBDaGFsbGVuZ2UuCldlIGhvcGUgeW91IGVuam95IHRoaXMgY2hhbGxlbmdlIGFzIG11Y2ggYXMg d2UgaGF2ZSBlbmpveWVkIGNyZWF0aW5nIGl0LiAgCgoKVGhlcmUgb25jZSB3YXMgYSBsYWR5IGZy b20gTmFudHVja2V0LApXaXRoIHRleHQgc28gd2lkZSB3ZSBjb3VsZCBncm9rIGl0Lgp3ZSBjaG9w cGVkIGFuZCBzbGljZWQgaXQgYWxsIGRheSBsb25nLApPbmx5IHRvIGZpbmQgc2hlIHdhc27igJl0 IGFsbCB3cm9uZy4KCldpdGggc2tpbGwgYW5kIGVhc2Ugd2UgYmF0dGxlZCB0aGlzIGZpZ2h0LApF king eGNlcHQgc2hlIHdhcyBub3QgdG90YWxseSByaWdodC4KVHdpc3RpbmcgYW5kIHR1cm5pbmcgd2Ug Hac a2VwdCBvbiBzdHJvbmcsCldlIHNob3VsZCBoYXZlIGJlZW4gc2luZ2luZyBhbGwgYWxvbmc6CgpN hin wit YXJ5IGhhZCBhIGxpdHRsZSBsYW1iLApsaXR0bGUgbGFtYiwgbGl0dGxlIGxhbWIsCk1hcnkgaGFk es 31% IGEgbGl0dGxlIGxhbWIsCndob3NlIGZsZWVjZSB3YXMgd2hpdGUgYXMgc25vdy4KCkFuZCBldmVy ch eXdoZXJlIHRoYXQgTWFyeSB3ZW50LApNYXJ5IHdlbnQsIE1hcnkgd2VudCwKYW5kIGV2ZXJ5d2hl rea wn of b cmUgdGhhdCBNYXJ5IHdlbnQsCnRoZSBsYW1iIHdhcyBzdXJlIHRvIGdvLgoKSXQgZm9sbG93ZWQg nt kno aGVyIHRvIHNjaG9vbCBvbmUgZGF5CnNjaG9vbCBvbmUgZGF5LCBzY2hvb2wgb25lIGRheSwKSXQg rce Un Zm9sbG93ZWQgaGVyIHRvIHNjaG9vbCBvbmUgZGF5LAp3aGljaCB3YXMgYWdhaW5zdCB0aGUgcnVs y pe ZXMuCgpJdCBtYWRlIHRoZSBjaGlsZHJlbiBsYXVnaCBhbmQgcGxheSwKbGF1Z2ggYW5kIHBsYXks rs b ion IGxhdWdoIGFuZCBwbGF5LAppdCBtYWRlIHRoZSBjaGlsZHJlbiBsYXVnaCBhbmQgcGxheQp0byBz vec to icat All O ZWUgYSBsYW1iIGF0IHNjaG9vbC4KCkFuZCBzbyB0aGUgdGVhY2hlciB0dXJuZWQgaXQgb3V0LAp0 ppl rgs ing ba dXJuZWQgaXQgb3V0LCB0dXJuZWQgaXQgb3V0LApBbmQgc28gdGhlIHRlYWNoZXIgdHVybmVkIGl0 ck r We IG91dCwKYnV0IHN0aWxsIGl0IGxpbmdlcmVkIG5lYXIsCgpBbmQgd2FpdGVkIHBhdGllbnRseSBh . Ha or o l Ym91dCwKcGF0aWVudGx5IGFib3V0LCBwYXRpZW50bHkgYWJvdXQsCkFuZCB3OGVkIHBhdGllbnRs 2 2 kdo nne Larg ure Bac ol cha eSBhYm91dAp0aWxsIE1hcnkgZGlkIGFwcGVhci4KCiJXaHkgZG9lcyB0aGUgbGFtYiBsb3ZlIE1h Fig er O cnkgc28/IgpMb3ZlIE1hcnkgc28/IExvdmUgTWFyeSBzbz8KIldoeSBkb2VzIHRoZSBsYW1iIGxv / tr rgs con dmUgTWFyeSBzbywiCnRoZSBlYWdlciBjaGlsZHJlbiBjcnkuCgoiV2h5LCBNYXJ5IGxvdmVzIHRo ess acc es ZSBsYW1iLCB5b3Uga25vdy4iClRoZSBsYW1iLCB5b3Uga25vdywgdGhlIGxhbWIsIHlvdSBrbm93 ote servic LAoiV2h5LCBNYXJ5IGxvdmVzIHRoZSBsYW1iLCB5b3Uga25vdywiCnRoZSB0ZWFjaGVyIGRpZCBy Remktop ZXBseS4KJHAK 4% des – 10% 25% 17% + 88% s Org 54% ger Lar rgs 34% All O 20%
    30. “Information Security” Sucks Figu re 21 . Hac king meth ods b y per cent Expl oitat of br ion o each f es w defa ult o ithin r gue Hack ssab ing le cr eden Use tials of st olen login cred Brut entia 9% Expl e for ls oitat ce an ion o d dic f bac tiona kdoo ry at r or c tack omm s and a Expl nd co 55% oitat ntrol ion o chan 40% f ins nel +# uffic 14% ient 29% auth – no lo entica 51% (e.g., gin r t equirion 25% ed) 6% –# SQL 3% 29% injec tion Rem 3%– ote fi le inclu sion 1% 14% Abus e of func 6% tiona <1% lity # Unkn 3% VGhhbmsgeW91IGZvciBwYXJ0aWNpcGF0aW5nIGluIHRoZSAyMDEyIFZlcml6b24gREJJUiBDb3Zl own 4% # ciBDaGFsbGVuZ2UuCldlIGhvcGUgeW91IGVuam95IHRoaXMgY2hhbGxlbmdlIGFzIG11Y2ggYXMg d2UgaGF2ZSBlbmpveWVkIGNyZWF0aW5nIGl0LiAgCgoKVGhlcmUgb25jZSB3YXMgYSBsYWR5IGZy b20gTmFudHVja2V0LApXaXRoIHRleHQgc28gd2lkZSB3ZSBjb3VsZCBncm9rIGl0Lgp3ZSBjaG9w cGVkIGFuZCBzbGljZWQgaXQgYWxsIGRheSBsb25nLApPbmx5IHRvIGZpbmQgc2hlIHdhc27igJl0 IGFsbCB3cm9uZy4KCldpdGggc2tpbGwgYW5kIGVhc2Ugd2UgYmF0dGxlZCB0aGlzIGZpZ2h0LApF king eGNlcHQgc2hlIHdhcyBub3QgdG90YWxseSByaWdodC4KVHdpc3RpbmcgYW5kIHR1cm5pbmcgd2Ug Hac a2VwdCBvbiBzdHJvbmcsCldlIHNob3VsZCBoYXZlIGJlZW4gc2luZ2luZyBhbGwgYWxvbmc6CgpN hin wit YXJ5IGhhZCBhIGxpdHRsZSBsYW1iLApsaXR0bGUgbGFtYiwgbGl0dGxlIGxhbWIsCk1hcnkgaGFk es 31% IGEgbGl0dGxlIGxhbWIsCndob3NlIGZsZWVjZSB3YXMgd2hpdGUgYXMgc25vdy4KCkFuZCBldmVy ch eXdoZXJlIHRoYXQgTWFyeSB3ZW50LApNYXJ5IHdlbnQsIE1hcnkgd2VudCwKYW5kIGV2ZXJ5d2hl rea wn of b cmUgdGhhdCBNYXJ5IHdlbnQsCnRoZSBsYW1iIHdhcyBzdXJlIHRvIGdvLgoKSXQgZm9sbG93ZWQg nt kno aGVyIHRvIHNjaG9vbCBvbmUgZGF5CnNjaG9vbCBvbmUgZGF5LCBzY2hvb2wgb25lIGRheSwKSXQg rce Un Zm9sbG93ZWQgaGVyIHRvIHNjaG9vbCBvbmUgZGF5LAp3aGljaCB3YXMgYWdhaW5zdCB0aGUgcnVs y pe ZXMuCgpJdCBtYWRlIHRoZSBjaGlsZHJlbiBsYXVnaCBhbmQgcGxheSwKbGF1Z2ggYW5kIHBsYXks rs b ion IGxhdWdoIGFuZCBwbGF5LAppdCBtYWRlIHRoZSBjaGlsZHJlbiBsYXVnaCBhbmQgcGxheQp0byBz vec to icat All O ZWUgYSBsYW1iIGF0IHNjaG9vbC4KCkFuZCBzbyB0aGUgdGVhY2hlciB0dXJuZWQgaXQgb3V0LAp0 ppl rgs ing ba dXJuZWQgaXQgb3V0LCB0dXJuZWQgaXQgb3V0LApBbmQgc28gdGhlIHRlYWNoZXIgdHVybmVkIGl0 ck r We IG91dCwKYnV0IHN0aWxsIGl0IGxpbmdlcmVkIG5lYXIsCgpBbmQgd2FpdGVkIHBhdGllbnRseSBh . Ha or o l Ym91dCwKcGF0aWVudGx5IGFib3V0LCBwYXRpZW50bHkgYWJvdXQsCkFuZCB3OGVkIHBhdGllbnRs 2 2 kdo nne Larg ure Bac ol cha eSBhYm91dAp0aWxsIE1hcnkgZGlkIGFwcGVhci4KCiJXaHkgZG9lcyB0aGUgbGFtYiBsb3ZlIE1h Fig er O cnkgc28/IgpMb3ZlIE1hcnkgc28/IExvdmUgTWFyeSBzbz8KIldoeSBkb2VzIHRoZSBsYW1iIGxv / tr rgs con dmUgTWFyeSBzbywiCnRoZSBlYWdlciBjaGlsZHJlbiBjcnkuCgoiV2h5LCBNYXJ5IGxvdmVzIHRo ess acc es ZSBsYW1iLCB5b3Uga25vdy4iClRoZSBsYW1iLCB5b3Uga25vdywgdGhlIGxhbWIsIHlvdSBrbm93 ote servic LAoiV2h5LCBNYXJ5IGxvdmVzIHRoZSBsYW1iLCB5b3Uga25vdywiCnRoZSB0ZWFjaGVyIGRpZCBy Remktop ZXBseS4KJHAK 4% des – 10% 25% 17% + 88% s Org 54% ger Lar rgs 34% All O 20%
    31. “Information Security” Sucks Figu re 21 . Hac king meth ods b y per cent Expl oitat of br ion o each f es w defa ult o ithin r gue Hack ssab ing le cr eden Use tials of st olen login cred Brut entia 9% Expl e for ls oitat ce an ion o d dic f bac tiona kdoo ry at r or c tack omm s and a Expl nd co 55% oitat ntrol ion o chan 40% f ins nel +# uffic 14% ient 29% auth – no lo entica 51% (e.g., gin r t equirion 25% ed) 6% –# SQL 3% 29% injec tion Rem 3%– ote fi le inclu sion 1% 14% Abus e of func 6% tiona <1% lity # Unkn 3% VGhhbmsgeW91IGZvciBwYXJ0aWNpcGF0aW5nIGluIHRoZSAyMDEyIFZlcml6b24gREJJUiBDb3Zl own 4% # ciBDaGFsbGVuZ2UuCldlIGhvcGUgeW91IGVuam95IHRoaXMgY2hhbGxlbmdlIGFzIG11Y2ggYXMg d2UgaGF2ZSBlbmpveWVkIGNyZWF0aW5nIGl0LiAgCgoKVGhlcmUgb25jZSB3YXMgYSBsYWR5IGZy b20gTmFudHVja2V0LApXaXRoIHRleHQgc28gd2lkZSB3ZSBjb3VsZCBncm9rIGl0Lgp3ZSBjaG9w cGVkIGFuZCBzbGljZWQgaXQgYWxsIGRheSBsb25nLApPbmx5IHRvIGZpbmQgc2hlIHdhc27igJl0 IGFsbCB3cm9uZy4KCldpdGggc2tpbGwgYW5kIGVhc2Ugd2UgYmF0dGxlZCB0aGlzIGZpZ2h0LApF king eGNlcHQgc2hlIHdhcyBub3QgdG90YWxseSByaWdodC4KVHdpc3RpbmcgYW5kIHR1cm5pbmcgd2Ug Hac a2VwdCBvbiBzdHJvbmcsCldlIHNob3VsZCBoYXZlIGJlZW4gc2luZ2luZyBhbGwgYWxvbmc6CgpN hin wit YXJ5IGhhZCBhIGxpdHRsZSBsYW1iLApsaXR0bGUgbGFtYiwgbGl0dGxlIGxhbWIsCk1hcnkgaGFk es 31% IGEgbGl0dGxlIGxhbWIsCndob3NlIGZsZWVjZSB3YXMgd2hpdGUgYXMgc25vdy4KCkFuZCBldmVy ch eXdoZXJlIHRoYXQgTWFyeSB3ZW50LApNYXJ5IHdlbnQsIE1hcnkgd2VudCwKYW5kIGV2ZXJ5d2hl rea wn of b cmUgdGhhdCBNYXJ5IHdlbnQsCnRoZSBsYW1iIHdhcyBzdXJlIHRvIGdvLgoKSXQgZm9sbG93ZWQg nt kno aGVyIHRvIHNjaG9vbCBvbmUgZGF5CnNjaG9vbCBvbmUgZGF5LCBzY2hvb2wgb25lIGRheSwKSXQg rce Un Zm9sbG93ZWQgaGVyIHRvIHNjaG9vbCBvbmUgZGF5LAp3aGljaCB3YXMgYWdhaW5zdCB0aGUgcnVs y pe ZXMuCgpJdCBtYWRlIHRoZSBjaGlsZHJlbiBsYXVnaCBhbmQgcGxheSwKbGF1Z2ggYW5kIHBsYXks rs b ion IGxhdWdoIGFuZCBwbGF5LAppdCBtYWRlIHRoZSBjaGlsZHJlbiBsYXVnaCBhbmQgcGxheQp0byBz vec to icat All O ZWUgYSBsYW1iIGF0IHNjaG9vbC4KCkFuZCBzbyB0aGUgdGVhY2hlciB0dXJuZWQgaXQgb3V0LAp0 ppl rgs ing ba dXJuZWQgaXQgb3V0LCB0dXJuZWQgaXQgb3V0LApBbmQgc28gdGhlIHRlYWNoZXIgdHVybmVkIGl0 ck r We IG91dCwKYnV0IHN0aWxsIGl0IGxpbmdlcmVkIG5lYXIsCgpBbmQgd2FpdGVkIHBhdGllbnRseSBh . Ha or o l Ym91dCwKcGF0aWVudGx5IGFib3V0LCBwYXRpZW50bHkgYWJvdXQsCkFuZCB3OGVkIHBhdGllbnRs 2 2 kdo nne Larg ure Bac ol cha eSBhYm91dAp0aWxsIE1hcnkgZGlkIGFwcGVhci4KCiJXaHkgZG9lcyB0aGUgbGFtYiBsb3ZlIE1h Fig er O cnkgc28/IgpMb3ZlIE1hcnkgc28/IExvdmUgTWFyeSBzbz8KIldoeSBkb2VzIHRoZSBsYW1iIGxv / tr rgs con dmUgTWFyeSBzbywiCnRoZSBlYWdlciBjaGlsZHJlbiBjcnkuCgoiV2h5LCBNYXJ5IGxvdmVzIHRo ess acc es ZSBsYW1iLCB5b3Uga25vdy4iClRoZSBsYW1iLCB5b3Uga25vdywgdGhlIGxhbWIsIHlvdSBrbm93 ote servic LAoiV2h5LCBNYXJ5IGxvdmVzIHRoZSBsYW1iLCB5b3Uga25vdywiCnRoZSB0ZWFjaGVyIGRpZCBy Remktop ZXBseS4KJHAK 4% des – 10% 25% 17% + 88% s Org 54% ger Lar rgs 34% All O 20%
    32. Application Security: Meh
    33. API Security Sucks Harder ✤ Most Security Drones can’t spell XML ✤ ...they rarely use SOAP ✤ ...they don’t get REST ✤ SSL and Firewalls: the breakfast of champions
    34. Fool! You Fell Victim To One Ofthe Classic Blunders!
    35. Fool! You Fell Victim To One Ofthe Classic Blunders!✤ Never Get Involved In a Cloud War In Asia
    36. Fool! You Fell Victim To One Ofthe Classic Blunders!✤ Never Get Involved In a Cloud War In Asia✤ Never Go In Against a Dutchman When APIs Are On the Line!
    37. Fool! You Fell Victim To One Ofthe Classic Blunders!✤ Never Get Involved In a Cloud War In Asia✤ Never Go In Against a Dutchman When APIs Are On the Line!
    38. Fool! You Fell Victim To One Ofthe Classic Blunders!✤ Never Get Involved In a Cloud War In Asia✤ Never Go In Against a Dutchman When APIs Are On the Line!* You Can Order Iocaine Powder On Amazon - Free Shipping With Prime!
    39. Sh*T My Cloud Evangelist Fails to say... CE NS OR ED As illustrated by George’s 7 Dirty Words
    40. The 7 Dirty Words ...Of Cloud Security
    41. The 7 Dirty Words 1. Scalability ...Of Cloud Security
    42. The 7 Dirty Words 1. Scalability 2. Portability ...Of Cloud Security
    43. The 7 Dirty Words 1. Scalability 2. Portability 3. Fungibility ...Of Cloud Security
    44. The 7 Dirty Words 1. Scalability 2. Portability 3. Fungibility 4. Compliance ...Of Cloud Security
    45. The 7 Dirty Words 1. Scalability 2. Portability 3. Fungibility 4. Compliance 5. Cost ...Of Cloud Security
    46. The 7 Dirty Words 1. Scalability 2. Portability 3. Fungibility 4. Compliance 5. Cost 6. Manageability ...Of Cloud Security
    47. The 7 Dirty Words 1. Scalability 2. Portability 3. Fungibility 4. Compliance 5. Cost 6. Manageability 7. Trust ...Of Cloud Security
    48. Scalability
    49. Scalability ✤ Distributed Networked System problems are tough; Distributed Networked System Security problems are tougher
    50. Scalability ✤ Distributed Networked System problems are tough; Distributed Networked System Security problems are tougher ✤ “Traditional” security doesn’t scale across distributed software-driven architecture; policies disconnected from workloads...more complicated as we go from IaaS > PaaS
    51. Scalability ✤ Distributed Networked System problems are tough; Distributed Networked System Security problems are tougher ✤ “Traditional” security doesn’t scale across distributed software-driven architecture; policies disconnected from workloads...more complicated as we go from IaaS > PaaS ✤ Unfortunate reconciliation of Metcalfe’s Law vs. Moores Law vs. HD Moore’s Law (Casual Attacker power grows at the rate of Metasploit)
    52. Scalability ✤ Distributed Networked System problems are tough; Distributed Networked System Security problems are tougher ✤ “Traditional” security doesn’t scale across distributed software-driven architecture; policies disconnected from workloads...more complicated as we go from IaaS > PaaS ✤ Unfortunate reconciliation of Metcalfe’s Law vs. Moores Law vs. HD Moore’s Law (Casual Attacker power grows at the rate of Metasploit) ✤ Security is not programmatic & leveragable automation across heterogenous systems in security is LULZ
    53. Security@Scale
    54. Security@Scale ✤ It doesn’t. The MeatCloud giveth, the MeatCloud taketh away...
    55. Security@Scale ✤ It doesn’t. The MeatCloud giveth, the MeatCloud taketh away... ✤ Beyond Gb/s, Connections/s, flows, etc., security requires the notion of context, policy, and potentially state...eventual consistency doesn’t work with security
    56. Security@Scale ✤ It doesn’t. The MeatCloud giveth, the MeatCloud taketh away... ✤ Beyond Gb/s, Connections/s, flows, etc., security requires the notion of context, policy, and potentially state...eventual consistency doesn’t work with security ✤ The Self-Defending {network | application} is complicated simultaneously with the concepts of “data gravity” and mobility
    57. Cloud: The Revengeof VPN and PKI
    58. Cloud: The Revengeof VPN and PKIHINT: CLOUD SECURITY IS MORETHAN OVERLAY ENCRYPTION &MULTI-FACTOR AUTHENTICATIONMECHANISMS
    59. He P’s On Everything... Everything’s Connected
    60. Do Not Poke the bear If You Think A Noogie Is Bad, Try the Wedgie!
    61. Portability
    62. Portability ✤ If we don’t have consistency in standards/formats for workloads & stack insertion, we’re not going to have consistency in security; Lack of consistent telemetry
    63. Portability ✤ If we don’t have consistency in standards/formats for workloads & stack insertion, we’re not going to have consistency in security; Lack of consistent telemetry ✤ Inconsistent policies and network topologies make security service, topology & device-specific...flatter means responses to “network” attacks must be dealt with by the application...or not
    64. Portability ✤ If we don’t have consistency in standards/formats for workloads & stack insertion, we’re not going to have consistency in security; Lack of consistent telemetry ✤ Inconsistent policies and network topologies make security service, topology & device-specific...flatter means responses to “network” attacks must be dealt with by the application...or not ✤ Abstraction has become a distraction
    65. Portability✤ Dude, Where’s My IOS ACL 5-Tuple!? Working with VMware vShield REST API in perl. Richard Park, Sourcefire
    66. Portability✤ ...or this: AWS Security : A Practitioner’s Perspective. Jason Chan, Netflix
    67. Fungibility
    68. Fungibility ✤ Fundamentally, we need reusable and programmatic security design patterns; Controls today are CLI/GUI based
    69. Fungibility ✤ Fundamentally, we need reusable and programmatic security design patterns; Controls today are CLI/GUI based ✤ Few are API-driven or feature capabilities for orchestration, provisioning as the workloads they protect
    70. Fungibility ✤ Fundamentally, we need reusable and programmatic security design patterns; Controls today are CLI/GUI based ✤ Few are API-driven or feature capabilities for orchestration, provisioning as the workloads they protect ✤ Each level of “the stack” means security controls can’t be reused and are “slice” specific (more on this in a minute)
    71. Fungibility ✤ Fundamentally, we need reusable and programmatic security design patterns; Controls today are CLI/GUI based ✤ Few are API-driven or feature capabilities for orchestration, provisioning as the workloads they protect ✤ Each level of “the stack” means security controls can’t be reused and are “slice” specific (more on this in a minute) ✤ If we’re having trouble digesting IaaS, guess what PaaS does to the conversation?
    72. Fungibility ✤ Fundamentally, we need reusable and programmatic security design patterns; Controls today are CLI/GUI based ✤ Few are API-driven or feature capabilities for orchestration, provisioning as the workloads they protect ✤ Each level of “the stack” means security controls can’t be reused and are “slice” specific (more on this in a minute) ✤ If we’re having trouble digesting IaaS, guess what PaaS does to the conversation?
    73. The Problem IsAlways Hamsters
    74. The Hamster Sine Wave of Pain...* The Security Hamster Sine Wave of Pain Network Centricity Control Deployment/Investment Focus User Centricity Information Centricity Application Centricity Host Centricity Time* With Apologies to Andy Jaquith & His Hamster...
    75. The Hamster Sine Wave of Pain...* The Security Hamster Sine Wave of Pain Network Centricity Control Deployment/Investment Focus User Centricity Information Centricity Cloud Application Centricity Host Centricity Time* With Apologies to Andy Jaquith & His Hamster...
    76. The Hamster Sine Wave of Pain...* The Security Hamster Sine Wave of Pain We Are Here Network Centricity Control Deployment/Investment Focus User Centricity Information Centricity Cloud Application Centricity Host Centricity Time* With Apologies to Andy Jaquith & His Hamster...
    77. The Hamster Sine Wave of Pain...* The Security Hamster Sine Wave of Pain We Are Here Network Centricity Control Deployment/Investment Focus User Centricity Information Centricity Cloud Application Centricity Host Centricity Deployment Is Here Time* With Apologies to Andy Jaquith & His Hamster...
    78. Compliance
    79. Compliance ✤ Security != Compliance and “security” doesn’t matter
    80. Compliance ✤ Security != Compliance and “security” doesn’t matter ✤ Regulatory compliance and frameworks don’t address emerging/disruptive innovation quickly enough - or at all
    81. Compliance ✤ Security != Compliance and “security” doesn’t matter ✤ Regulatory compliance and frameworks don’t address emerging/disruptive innovation quickly enough - or at all ✤ How do we demonstrate compliance against measurements that don’t exist?
    82. Compliance ✤ Security != Compliance and “security” doesn’t matter ✤ Regulatory compliance and frameworks don’t address emerging/disruptive innovation quickly enough - or at all ✤ How do we demonstrate compliance against measurements that don’t exist? ✤ Lack of automation for gathering audit/compliance artifacts
    83. Mapping the Model to the Metal
    84. Mapping the Model to the Metal Cloud Model Presentation Presentation Modality Platform APIs Applications Data Metadata Content Integration & Middleware APIs Core Connectivity & Delivery Software as a Service (SaaS) Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Abstraction Hardware Facilities
    85. Mapping the Model to the Metal Cloud Model Presentation Presentation Modality Platform APIs Security Control Model Applications SDLC, Binary Analysis, Applications Scanners, WebApp Firewalls, Transactional Sec. Data Metadata Content DLP, CMF, Database Activity Information Monitoring, Encryption Integration & Middleware GRC, IAM, VA/VM, Patch Management Management, Config. Management, Monitoring APIs Core Connectivity & Delivery NIDS/NIPS, Firewalls, DPI, Software as a Service (SaaS) Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Network Anti-DDoS, QoS, DNSSEC Abstraction Trusted Computing Hardware & Software RoT & API’s Host-based Firewalls, HIDS/ Hardware HIPS, Integrity & File/log Compute & Storage Management, Encryption, Masking Physical Plant Security, CCTV, Facilities Physical Guards

    ×