Open stack security emea launch

•Download as PPTX, PDF•

1 like•543 views

This document provides an overview of OpenStack security best practices. It discusses the three pillars of security - confidentiality, integrity, and availability. It emphasizes building security using a "defense in depth" approach across all layers of the OSI model from physical to application. Specific recommendations include controlling system access, continuous monitoring, logging, and assuming breaches will occur so systems can be forensically analyzed without impacting other users. Automation and "chaos monkey" testing are presented as ways to strengthen security.

Technology

Me: Joshua McKenty Twitter: @jmckenty Email: joshua@pistoncloud.com Former Chief Architect, NASA Nebula Founding Member, OpenStack OpenStack Project Policy Board

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier

Real Security Assume everything goes wrong, even impossible things.

FIPS 199 Definition: Confidentiality Integrity Availability Defining Security

Build on “Shared Nothing” to achieve “Trust No One” Also known as “Defense in Depth” AUTOMATE EVERYTHING “Fat Fingers” == Plausible Deniability Automated == non-repudiable change control Build to the OSI 7-layer model

Lock your doors Do your background checks Use separate physical networks for admin Network model and management Use RFC 1918 address space when appropriate Use VLANs if necessary Firewall every machine (ebtables, iptables) Border firewalls (port and protocol level) Layer 1, 2 and 3

Control system access Best case: no host-based shell access AT ALL. Second-best: federated AUTH with 2-factor, keys only Worstcase: Host-level root login with passwords Run IDS – on hosts and guests Scan Continuously – hosts and guests, on all networks Proactively defend – Fail2Ban, etc. ( F2B-a-a-S) Layer 4, 5, 6 and 7

Don't trust the hypervisor (TXT / TPM) Conversely, don't trust the VM (blue-pill exploits, etc.) Host-based FW within the VM (CloudPassage "Halo") Access-control for VMs – same approaches apply (Auth-as-a-Service) Layer ‘V’

“Proof” and Policy In God We Trust – All Others, Bring Data.

Classic best practices – redundant, off-site log servers Log aggregation and analysis / event detection Logging-as-a-Service Log early, log often

Make and verify your assertions (Coming soon…) CloudAudit

Security Theatre “Given enough hand-waving, all systems are secure.”

Crypto is useless – if keys are stored with the data Private networks are useless – if doors aren’t locked Certification only proves that you’re doing, what you said you were going to do. You can still be wrong. Forget “Trust, but verify”. Just don’t trust. Don’t get confused!

Bonus: Forensics It’s not an “If” – it’s a “When”

Have a chaos-monkey of compromise Can you perform forensics and remediation, without impacting other users of your cloud? Spanning ports and extra storage “Graveyard” for recently deleted images, instances Bonus Section: Forensics

What’s in the CloudPipe? “We can only see a short distance ahead, but we can see plenty there that needs to be done.” – Alan Turing

The Machine Aka “Sneaky Monkey” Continuous Integration of penetration and vulnerability testing.

We’re doing “stuff” No… really. Hardening

Outfoxing the fox Intel is working with many companies within OpenStack, including Piston. Trusted Execution

Matt Linton – Nebula CSO Jesse Andrews – AnsoLabs Founder Soo Choi – 7120.7 Nazi Matt Chew- Spence – FIPS 199 Guru Keith Shackleford and James Williams Chris Kemp Bobby Cates, Dave Swagger, E. Lopez, Grace De Leon, Guy with Gun #1, Guy with Gun #2… Credits

The modern web-scale network is a pretty complicated place. Modern techniques in Systems Management have made it trivial to create, destroy and repurpose any number of instance types. These instances can span the range from bare metal machines sitting in a datacenter, to 3rd party virtual machines on demand, and now these new containers and microservices seem to be all the rage. Instances are cattle, they are no longer pets. All of this perpetual churn and flexibility is exactly what you want in a constantly changing, highly available, and efficient infrastructure. The ability to create or destroy nodes on demand, or continuously and automatically scale up, down, and re-deploy applications as part of a continuous integration pipeline, have become necessary and an integral part of daily operations. However these systems can generate terabytes of network logs a day. And if your job is detecting, correlating, and alerting on the correct anomaly in all that data, the analogy of the needle in the haystack really doesn’t do it justice, something closer would be akin to finding a needle in the windstorm. How do you begin to collect, store, analyze, and alert on this much data without costing the company a small fortune? What are some practical steps you can take to reduce your overall risk and begin to gain more insight, visibility, and confidence into what is actually taking place on your network? This talk aims to give the attendee a solid understanding of the problem space, as well as recommendations and practical advice from someone who built their own ‘big data’ network and security monitor. It really is easier than it sounds.

QAing the security way!

Amit Gundiyal

vodQA(Pune) 2018 - QAing the security way

vodQA

How to protect your business from Wannacry Ransomware

Kaspersky

Kaspersky Lab is teaming up with Comae Technologies to present an emergency webinar for businesses to help them understand and defend against the WannaCry ransomware. The malware has primarily affected business networks, and has claimed victims around the world in a wide range of industries. Juan Andres Guerrero-Saade, senior security researcher in Kaspersky Lab’s Global Research and Analysis Team, will be joined by Matt Suiche from Comae Technologies to present the very latest information on how the ransomware breaches defenses and the subsequent stages of attack. They will independently explain how organizations can determine if they have been infected and the critical actions they need to take to secure networks and endpoints against this threat. Full blog: https://blog.kaspersky.com/wannacry-windows-update/16593/

Arista Piston WebinarJoshua McKenty

The Space Penguin Odyssey

Joshua McKenty

OpenStackDC and Cloud Foundry Meetup -Joshua McKenty

Scale-out Community: Lessons from OpenStack

Joshua McKenty

Cloud Power - The Early OpenStack Architecture

Joshua McKenty

WSTA Breakfast SeminarJoshua McKenty

But What About Docker?

Joshua McKenty

OpenStack: Cloud's Big TentJoshua McKenty

MSST-2013 Openstack in the Land of GuilderJoshua McKenty

vGeek 2013 Tech Talk: Openstack-101Joshua McKenty

Open Stack DCJoshua McKenty

OpenStack Foundation Transparency Committee Update - January 2014

Joshua McKenty

Wall-Street Technology Association (WSTA) Feb-2012Joshua McKenty

OpenStack: The evolution of computing (Credit Suisse Technology Summit)Joshua McKenty

Open stack + Cloud Foundry: Palo Alto Meetup February 2015

Joshua McKenty

AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)

Amazon Web Services

In this session, you’ll learn how to setup your AWS environment to avoid a cyber security attack and how to build a cloud specific incident response plan if your organization is breached. Cyber security expert and founder of Alert Logic Misha Govshteyn will share lessons learned from organizations that have protected themselves in AWS and from those that have been breached but quickly resolved their issues and implemented strong controls as a result. Joining Misha will be Sven Skoog, Senior Manager IT Security at Monotype who will discuss the cyber security posture they implemented within the AWS cloud and how they have built a robust process to ensure ongoing protection. Session sponsored by Alert Logic. AWS Competency Partner

What's hot

7 cloud security tips

United Technology Group (UTG)

Top 10 Encryption Myths

HighCloud Security

Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...

CODE BLUE

QAing the security way!

Amit Gundiyal

vodQA(Pune) 2018 - QAing the security way

vodQA

How to protect your business from Wannacry Ransomware

Kaspersky

What's hot (6)

7 cloud security tips

Top 10 Encryption Myths

Practical network defense at scale Or: Protecting the “Eierlegende Wollmichsa...

QAing the security way!

vodQA(Pune) 2018 - QAing the security way

How to protect your business from Wannacry Ransomware

Viewers also liked

Arista Piston WebinarJoshua McKenty

The Space Penguin Odyssey

Joshua McKenty

OpenStackDC and Cloud Foundry Meetup -Joshua McKenty

Scale-out Community: Lessons from OpenStack

Joshua McKenty

Cloud Power - The Early OpenStack Architecture

Joshua McKenty

WSTA Breakfast SeminarJoshua McKenty

But What About Docker?

Joshua McKenty

OpenStack: Cloud's Big TentJoshua McKenty

MSST-2013 Openstack in the Land of GuilderJoshua McKenty

vGeek 2013 Tech Talk: Openstack-101Joshua McKenty

Open Stack DCJoshua McKenty

OpenStack Foundation Transparency Committee Update - January 2014

Joshua McKenty

Wall-Street Technology Association (WSTA) Feb-2012Joshua McKenty

OpenStack: The evolution of computing (Credit Suisse Technology Summit)Joshua McKenty

Open stack + Cloud Foundry: Palo Alto Meetup February 2015

Joshua McKenty

Viewers also liked (15)

Arista Piston Webinar

The Space Penguin Odyssey

OpenStackDC and Cloud Foundry Meetup -

Scale-out Community: Lessons from OpenStack

Cloud Power - The Early OpenStack Architecture

WSTA Breakfast Seminar

But What About Docker?

OpenStack: Cloud's Big Tent

MSST-2013 Openstack in the Land of Guilder

vGeek 2013 Tech Talk: Openstack-101

Open Stack DC

OpenStack Foundation Transparency Committee Update - January 2014

Wall-Street Technology Association (WSTA) Feb-2012

OpenStack: The evolution of computing (Credit Suisse Technology Summit)

Open stack + Cloud Foundry: Palo Alto Meetup February 2015

Similar to Open stack security emea launch

AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)

Amazon Web Services

Your First Guide to "secure Linux"

Toshiharu Harada, Ph.D

Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...

NoNameCon

3.Secure Design Principles And Processphanleson

Cloud trustAvinash Killamsetty

Cloudtrust 091204053223 Phpapp01mcguireb

In Cloud We Trust

Andy Harjanto

Black ops 2012Dan Kaminsky

Incident Response Automation @ Netflix Q12019

MarcVilanova1

Automation is key to enable our incident responders to focus on high leverage decisions, provide a consistent experience to our internal customers, and ensure our team meets the needs of a rapidly growing Netflix. The SIRT team is investing a lot of engineering resources in automating Crisis Management, Incident Response, and Digital Forensics. The following slides summarize the reasons why we have decided to invest in these areas, the technologies that we’re using to automate and orchestrate decisions that don’t matter, and showcase some of the workflows that we have successfully automated.

LF_APIStrat17_Don't Build a Death Star

LF_APIStrat

"Have you been tasked to build the most powerful weapon in the universe? No? How about an enterprise website which both consumes external and provides its own APIs? Whatever your task is, secure architecture is key. And while putting an exhaust port on the reactor core seems like a good idea, trust me when I say it'll blow up in your face later. Web development is no different. What seems like a simple decision at the outset, or an overlooked detail may turn out to cause severe issues later on. During this session we’ll take a look at how to architect for success and security when building a website which connects to external systems and while providing access to data. By building security in from the beginning you can help prevent a young Jedi shooting a proton torpedo through a hole the size of a wamp rat and destroying your hard work. We’ll cover: • Overview of common API authentication and security methods • Using capabilities instead of roles to define security • How to store and access keys and tokens in your website • Providing an API to access your website data • Common mistakes developers make when creating APIs A session for developers of all skills and abilities, this will be an interactive time filled with lessons learned and examples from the real world, including some recent examples of how a single exposed API can prove catastrophic. Just promise that afterwards you’ll use what you learn for the good of the galaxy and that you won't go build a planet sized weapon of mass destruction."

Hacking the future with USB HID

Nikhil Mittal

BSides London 2017 - Hunt Or Be Hunted

Alex Davies

Over the last few years threat hunting has risen from being a grassroots hands-on defensive technique to all-out hype as security vendors have jumped on the bandwagon. In this talk I wanted to strip away the marketing and talk about real-life threat hunting at scale and how it differs from traditional security monitoring. I'll cover the key datasets, different analytical approaches, cutting-edge TTPs and the people/skills needed to make it happen. I'll also share some real-world compromises that would have been missed by traditional detection but were found through hands-on threat hunting.

Broken by design (Danny Fullerton)

Hackfest Communication

If I take a letter, lock it in a safe, hide the safe somewhere in New York, then tell you to read the letter, that’s not security. That’s obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications and a hundred identical safes with their combinations so that the world’s best safecrackers can study it and you still can’t open the safe, that’s security.

How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...

AbundioTeca

In this guide, we are going to offer you a package of measures to solve security problems common to all the Interneticians: Navigation (anonymity on the Web), protection of data (files), malicious hacking, protection of the computer, communications in the Network 100 % Secure, etc. All the tools and information that we offer below are free, free, and legitimate, however, its use and application is your decision.

Chaos Engineering - The Art of Breaking Things in Production

Keet Sugathadasa

Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin

Anton Chuvakin

Stanford Cybersecurity January 2009

Jason Shen

Ethical Hacking

Keith Brooks

Windows network securityInformation Technology

Presentation infra and_datacentrre_dialogue_v2

Claus Cramon Houmann

Similar to Open stack security emea launch (20)

AWS re:Invent 2016: Cyber Resiliency – surviving the breach (SAC321)

Your First Guide to "secure Linux"

Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...

3.Secure Design Principles And Process

Cloud trust

Cloudtrust 091204053223 Phpapp01

In Cloud We Trust

Black ops 2012

Incident Response Automation @ Netflix Q12019

LF_APIStrat17_Don't Build a Death Star

Hacking the future with USB HID

BSides London 2017 - Hunt Or Be Hunted

Broken by design (Danny Fullerton)

How to Avoid the Spying of EEUU & other Practical Solutions Computing: Protec...

Chaos Engineering - The Art of Breaking Things in Production

Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin

Stanford Cybersecurity January 2009

Ethical Hacking

Windows network security

Presentation infra and_datacentrre_dialogue_v2

Recently uploaded

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

When stars align: studies in data quality, knowledge graphs, and machine lear...

Elena Simperl

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...

Product School

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Product School

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Paul Groth

Recently uploaded (20)