Standing on the clouds
A journey in Private Cloud Security. Claudio Criscione (@paradoxengine), SyScan 10
/me Claudio Criscione
There are a lot of clouds: very fluffy clouds…
…and less fluffy ones.
A Taxonomy of clouds. Cloud by the book (NIST): on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service. Deployment models: public, community, hybrid, private. Service models: IaaS, PaaS, SaaS. Either on-premise or off-premise.
Who plays the game? XEN (XenCloud); VMware (and the VMware Express players); Ubuntu (Eucalyptus); Red Hat (DeltaCloud, RHVM); Amazon (Virtual Private Cloud); … and many others.
The Road to the Clouds. The market and the technology are both moving toward cloud-oriented architectures. Your (new) datacenter is (or will be) cloud based. The "build that" syndrome.
Quick, go!
A trojan horse. Private Clouds are the "Trojan horse" of the Cloud Industry: it's just like standard virtualization! In the meantime, you get used to those small deltas…
Security Deltas: Management, Semantics, Integration, Network
Management: the "Old Virtualization" way versus the Private Cloud way (the slide's bullet points did not survive extraction).
Blackberry strikes back. Last year this guy was managing his XEN farm through a buggy web interface from his Blackberry. Now the Blackberry is back on Xen Cloud Platform!
By the way… introducing VASTO, the Virtualization ASsessment TOolkit. It is an "exploit pack" for Metasploit focusing on virtualization security. Announcing Beta 0.2, SyScan10 Edition: VASTO now knows some cloud tricks.
Shortcuts. Demo Time 1
Security Deltas: Management, Semantics, Integration, Network
Integration. Private cloud vendors push for integration with them: "stock" virtual machines, management tools, updates. This way they can make your cloud feel part of a common Sky. However, they should do it securely!
Eating the eucalyptus. Demo Time 2
Security Deltas: Management, Semantics, Integration, Network
Network (the slide's bullet points did not survive extraction).
Security Deltas: Management, Semantics, Integration, Network
Semantic of the cloud. The Holy Roman Emperor Charles V was once asked which languages he typically used. "I speak Spanish to God," he explained, "Italian to women, French to men, and German to my horse." If you want to make it happen, you have to be able to state that what-the-cloud-understands = what-the-cloud-can-do.
Cloud Paradigm: Thou shalt not bypass the interface.
Security labeling. We know that "escape from the VM" attacks will happen again. To mitigate, we can define "zones". Even if virtualization solutions won't let us do "host tagging", admins can do it anyway. Not with private cloud computing!
A possible solution: stating security requirements.
Who has it, who has not

Cloud Solution                  Version tested        Result
Eucalyptus                      1.6.2                 None
DeltaCloud Portal               0.1.1                 Could be
RHEV                            NA – Public APIs      None
Abiquo                          1.5                   None
XEN Cloud Platform              0.1.1                 None
Amazon Virtual Private Cloud    NA – March            None (redundancy)
VMware vCloud Express           NA – March            None
Svirt-LibVirt                   Library source        Partial
OpenNebula [Haizea]             1.0                   Could be
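What "stating security requirements" looks like once a cloud's interface can carry a zone label: the scheduler must refuse to co-locate workloads of different zones on one host, and an audit must be able to find placements that slipped past it. The following is an added illustration written for this page; it is not code from the talk, from VASTO, or from any of the platforms in the table above. The inventory, host names, zone names and the `Host`/`PlacementDenied`/`schedule` API are all constructed for the example.

```python
"""Zone-aware VM placement: admission check, scheduler and audit (added example)."""
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    zone: str                            # security zone the host is tagged with
    vms: list = field(default_factory=list)   # (vm_name, vm_zone) pairs placed here


class PlacementDenied(Exception):
    """Raised when a placement would put a VM on a host outside its zone."""


def place_vm(hosts: dict, vm: str, vm_zone: str, target: str) -> str:
    """Admit `vm` onto `target` only if the host carries the same zone label.

    Returns the host name on success; raises PlacementDenied otherwise.
    """
    host = hosts.get(target)
    if host is None:
        raise PlacementDenied(f"unknown host {target!r}")
    if host.zone != vm_zone:
        raise PlacementDenied(
            f"{vm} (zone {vm_zone}) cannot run on {target} (zone {host.zone})")
    host.vms.append((vm, vm_zone))
    return target


def schedule(hosts: dict, vm: str, vm_zone: str) -> str:
    """Pick the least-loaded host tagged with the VM's zone, or deny the request."""
    candidates = [h for h in hosts.values() if h.zone == vm_zone]
    if not candidates:
        raise PlacementDenied(f"no host is tagged for zone {vm_zone!r}")
    best = min(candidates, key=lambda h: len(h.vms))   # first host wins ties
    return place_vm(hosts, vm, vm_zone, best.name)


def audit(hosts: dict) -> list:
    """Return (host, vm, vm_zone) triples for every VM sitting outside its zone."""
    return [(h.name, vm, z)
            for h in hosts.values() for vm, z in h.vms if z != h.zone]


def build_inventory() -> dict:
    """Constructed sample inventory: two hosts tagged 'dmz', one tagged 'internal'."""
    return {
        "host-a": Host("host-a", "dmz"),
        "host-b": Host("host-b", "dmz"),
        "host-c": Host("host-c", "internal"),
    }


if __name__ == "__main__":
    inv = build_inventory()
    print(schedule(inv, "web-1", "dmz"))        # host-a
    print(schedule(inv, "web-2", "dmz"))        # host-b (least loaded dmz host)
    print(schedule(inv, "db-1", "internal"))    # host-c
    try:
        place_vm(inv, "db-2", "internal", "host-a")   # explicit cross-zone request
    except PlacementDenied as err:
        print("denied:", err)
    print(audit(inv))                           # [] when every VM is in its zone
```

The point of keeping `audit` separate from `place_vm` is the slide's own observation: when admins have to tag hosts out-of-band, nothing stops a placement made through another path, so the policy has to be checkable against the live inventory, not only enforced at admission time.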
"The limits of your language are the limits of your world." Ludwig Wittgenstein
Time to make a stand. As "the security community" it's our role to make sure that new technologies are not simply taken for granted without a security debate. Private Cloud is a great risk and a great opportunity. We need to make our voice heard!
 
Off-Premise solutions have to provide Trust and Security. DO THEY?
Hate the Sin not the Sinner. They're not running in debug mode, are they?
Hate the Sin not the Sinner

HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8g mod_wsgi/2.6 Python/2.6.2
Vary: Accept-Language,Cookie,Accept-Encoding
Expires: -1
Content-Language: en
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 114

[["0", ["7810", "$ANYUSERNAME", "COMPLETED", "updateThumbs", "Task completed successfully", "2010/03/22 17:03:35"]]]

What is everyone doing?
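The response above leaks in two places: the Server header spells out every component version, and a task-listing endpoint returns entries for any user (the slide redacts the name as $ANYUSERNAME). The following audit is an added example for this page, not code from the talk or from VASTO: it parses the captured response exactly as shown on the slide, extracts the disclosed versions, and checks whether the task list contains entries belonging to someone other than the requester. The interpretation of the body layout as `[[index, [task_id, owner, state, action, message, time]], ...]` is an assumption read off the single captured entry, and the extra content-type check is mine rather than the slide's.

```python
"""Audit a captured HTTP response for version and data disclosure (added example)."""
import json
import re

# The response captured on the slide; the username was redacted there as $ANYUSERNAME.
CAPTURED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8g mod_wsgi/2.6 Python/2.6.2\r\n"
    "Vary: Accept-Language,Cookie,Accept-Encoding\r\n"
    "Expires: -1\r\n"
    "Content-Language: en\r\n"
    "Pragma: no-cache\r\n"
    "Keep-Alive: timeout=5, max=100\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 114\r\n"
    "\r\n"
    '[["0", ["7810", "$ANYUSERNAME", "COMPLETED", "updateThumbs", '
    '"Task completed successfully", "2010/03/22 17:03:35"]]]'
)

# A "name/version" token such as Apache/2.2.14 or OpenSSL/0.9.8g.
VERSION_TOKEN = re.compile(r"^([A-Za-z_][\w.-]*)/(\d[\w.]*)$")


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def disclosed_versions(headers: dict) -> dict:
    """Map component -> version for every name/version token in the Server header."""
    found = {}
    for token in headers.get("server", "").split():
        match = VERSION_TOKEN.match(token)
        if match:
            found[match.group(1)] = match.group(2)
    return found


def task_owners(body: str) -> set:
    """Collect owner names from the task list body.

    Assumed layout (read off the capture): [[index, [task_id, owner, state, ...]], ...]
    """
    try:
        entries = json.loads(body)
    except ValueError:
        return set()
    owners = set()
    for entry in entries:
        if (isinstance(entry, list) and len(entry) == 2
                and isinstance(entry[1], list) and len(entry[1]) >= 2):
            owners.add(entry[1][1])
    return owners


def audit(raw: str, requester: str) -> list:
    """Return human-readable findings for a response fetched as `requester`."""
    _status, headers, body = parse_response(raw)
    findings = []
    versions = disclosed_versions(headers)
    if versions:
        findings.append("Server header discloses versions: "
                        + ", ".join(f"{k} {v}" for k, v in sorted(versions.items())))
    content_type = headers.get("content-type", "")
    if body.lstrip().startswith(("[", "{")) and "json" not in content_type:
        findings.append(f"JSON body served with content-type {content_type!r}")
    others = task_owners(body) - {requester}
    if others:
        findings.append("task list includes other users' entries: "
                        + ", ".join(sorted(others)))
    return findings


if __name__ == "__main__":
    for line in audit(CAPTURED, "alice"):
        print("-", line)
```

On the Apache side, `ServerTokens Prod` and `ServerSignature Off` reduce the Server header to the product name; the task-list finding has no configuration fix, since it is the application handing out every user's tasks instead of scoping the query to the caller.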
(re)Think about your Cloud strategy. You need one! Check the security of your outsourcer. Make your voice heard!
 
Claudio Criscione, [email_address], Twitter @paradoxengine. VASTO's home is at nibblesec.org

Standing on the clouds

  • 21. Semantic of the cloud The Holy Roman Emperor Charles V was once asked which languages he typically used. "I speak Spanish to God," he explained, "Italian to women, French to men - and German to my horse." If you want to make it happen, you have to be able to state that what-the-cloud-understands = what-the-cloud-can-do
  • 22. Cloud Paradigm Thou shall not bypass the interface.
  • 23. Security labeling We know that “escape from the VM attacks” will happen again To mitigate, we can define “zones” Even if virtualization solutions won’t let us do “host tagging”, admins can do it anyway. Not with Private cloud computing!
  • 24. A possible solution Stating Security Requirements
  • 25. Who has it, who has not

    Cloud Solution                Version tested      Result
    ----------------------------  ------------------  ------------------
    Eucalyptus                    1.6.2               None
    DeltaCloud Portal             0.1.1               Could be
    RHEV                          NA – Public APIs    None
    Abiquo                        1.5                 None
    XEN Cloud Platform            0.1.1               None
    Amazon Virtual Private Cloud  NA – March          None (redundancy)
    VMware vCloud Express         NA – March          None
    Svirt-LibVirt                 Library source      Partial
    OpenNebula [Haizea]           1.0                 Could be
  • 26. “The limits of your language are the limits of your world” - Ludwig Wittgenstein
  • 27. Time to make a stand As “the security community” it’s our role to make sure that new technologies are not simply taken for granted without a security debate. Private Cloud is a great risk and a great opportunity We need to make our voice heard!
  • 29. Off-Premise solutions have to provide Trust and Security DO THEY?
  • 30. Hate the Sin not the Sinner They’re not running in debug mode, are they?
  • 31. Hate the Sin not the Sinner

    HTTP/1.1 200 OK
    Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8g mod_wsgi/2.6 Python/2.6.2
    Vary: Accept-Language,Cookie,Accept-Encoding
    Expires: -1
    Content-Language: en
    Pragma: no-cache
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=utf-8
    Content-Length: 114

    [["0", ["7810", "$ANYUSERNAME", "COMPLETED", "updateThumbs", "Task completed successfully", "2010/03/22 17:03:35"]]]

    What is everyone doing?
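The response on the slide gives away two things at once: a Server banner listing every component version, and a task log that lists other users' jobs to whoever asks. The following is an added Python check, not the talk's own tooling, that a defender could run against their own service's responses to flag both; the sample response is constructed to match the slide (with the slide's `$ANYUSERNAME` placeholder kept as-is), and the finding names are assumptions.

```python
import json
import re

# Constructed sample response, modelled on the one shown on the slide.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8g mod_wsgi/2.6 Python/2.6.2\r\n"
    "Vary: Accept-Language,Cookie,Accept-Encoding\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 114\r\n"
    "\r\n"
    '[["0", ["7810", "$ANYUSERNAME", "COMPLETED", "updateThumbs", '
    '"Task completed successfully", "2010/03/22 17:03:35"]]]'
)

# "name/version" tokens inside a Server banner, e.g. OpenSSL/0.9.8g
VERSIONED_TOKEN = re.compile(r"([A-Za-z_\-]+)/(\d[\w.\-]*)")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def banner_versions(server_header):
    """Return every 'component/version' string advertised by the Server header."""
    return [f"{name}/{ver}" for name, ver in VERSIONED_TOKEN.findall(server_header)]


def task_owners(body):
    """Extract the user-name field from task records shaped like the slide's JSON:
    [[id, [task_id, user, state, action, message, timestamp]], ...]."""
    try:
        records = json.loads(body)
    except ValueError:
        return []
    owners = []
    for rec in records:
        if isinstance(rec, list) and len(rec) > 1 and isinstance(rec[1], list) and len(rec[1]) > 1:
            owners.append(rec[1][1])
    return owners


def check_response(raw, requesting_user):
    """Return a list of (finding, detail) pairs for a response seen by `requesting_user`."""
    _, headers, body = parse_response(raw)
    findings = []

    versions = banner_versions(headers.get("server", ""))
    if versions:
        # Version disclosure: trim the banner (ServerTokens Prod in Apache) or strip it at the edge.
        findings.append(("server_banner_versions", versions))

    foreign = sorted({u for u in task_owners(body) if u != requesting_user})
    if foreign:
        # Task records of other users are visible: the endpoint is missing per-user scoping.
        findings.append(("foreign_task_records", foreign))

    if task_owners(body) and "text/html" in headers.get("content-type", ""):
        # JSON served as HTML lets a browser render attacker-influenced fields as markup.
        findings.append(("json_served_as_html", headers["content-type"]))

    return findings


if __name__ == "__main__":
    for finding, detail in check_response(SAMPLE_RESPONSE, "alice"):
        print(finding, detail)
```

Run it with the name of the account that made the request; anything in `foreign_task_records` is data that account should never have been shown, which is the "what is everyone doing?" leak the slide points at.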
  • 32. (re)Think about your Cloud strategy You need one! Check security of outsourcer Make your voice heard!
  • 34. Claudio Criscione [email_address] Twitter @paradoxengine VASTO’s home is at nibblesec.org