Standing on the clouds
A journey in Private Cloud Security
Claudio Criscione - @paradoxengine
SyScan 10
/me Claudio Criscione
There are a lot of clouds very Fluffy Clouds…
...And less fluffy
A Taxonomy of clouds
Cloud by the book - NIST
Essential characteristics: On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured Service
Deployment models: Public, Community, Hybrid, Private
Service models: IaaS, PaaS, SaaS
On-Premise / Off-Premise
Who plays the game?
XEN – XenCloud
VMware [And the VMware Express players]
Ubuntu – Eucalyptus
Red Hat – DeltaCloud, RHVM
Amazon – Virtual Private Cloud
… and many others
The Road to the Clouds
Market and the technology are both moving toward cloud-oriented architectures
Your (new) datacenter is (will be) cloud based
The "build that" syndrome
Quick, go!
A trojan horse
Private Clouds are the “Trojan horse” of the Cloud Industry
It’s just like standard virtualization!
In the meantime, you get used to those small deltas…
Security Deltas Management  Semantics Integration Network
Management
The “Old Virtualization” Way
The Private Cloud Way
Blackberry strikes back
Last year this guy was managing his XEN farm using a bugged Web Interface with his Blackberry
Now the Blackberry is back on Xen Cloud Platform!
By the way… introducing VASTO
The Virtualization ASsessment TOolkit
It is an “exploit pack” for Metasploit focusing on virtualization security.
Announcing Beta 0.2 SyScan10 Edition
VASTO now knows some cloud tricks
Shortcuts
Demo Time - 1
Security Deltas Management Semantics Integration Network
Integration
Private cloud vendors push for integration with them: “Stock” virtual machines, Management tools, Updates
This way they can make your cloud feel part of a common Sky.
However, they should do it securely!
Eating the eucalyptus
Demo Time - 2
Security Deltas Management Semantics Integration Network
Network
Security Deltas Management Semantics Integration Network
Semantic of the cloud
The Holy Roman Emperor Charles V was once asked which languages he typically used. "I speak Spanish to God," he explained, "Italian to women, French to men - and German to my horse."
If you want to make it happen, you have to be able to state that what-the-cloud-understands = what-the-cloud-can-do
Cloud Paradigm
Thou shalt not bypass the interface.
Security labeling
We know that “escape from the VM” attacks will happen again
To mitigate, we can define “zones”
Even if virtualization solutions won’t let us do “host tagging”, admins can do it anyway. Not with Private cloud computing!
A possible solution
Stating Security Requirements
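The "zones" and "stating security requirements" idea from the two slides above, as an added example that is not part of the deck or of any product it names: a VM carries a declared security requirement (its zone, and optionally that it must not share a host), and the placement step honours it instead of letting the cloud put anything anywhere. Host/VM names, the label scheme and the capacity numbers are constructed for illustration.

```python
# Added example: zone-aware VM placement that enforces a stated security
# requirement. Not code from the presentation; names and labels are assumptions.
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    zone: str                      # security zone the admin tagged this host into
    capacity: int                  # how many VMs it may hold (constructed value)
    vms: list = field(default_factory=list)


@dataclass
class VM:
    name: str
    zone: str                      # the zone the VM declares it must run in
    isolated: bool = False         # True: must never share a host with another VM


class PlacementDenied(Exception):
    """Raised when no host satisfies the VM's stated security requirement."""


def candidate_hosts(vm, hosts):
    """Hosts on which placing vm would not violate any zone or isolation rule."""
    out = []
    for h in hosts:
        if h.zone != vm.zone:
            continue                              # cross-zone placement is never allowed
        if len(h.vms) >= h.capacity:
            continue                              # host is full
        if vm.isolated and h.vms:
            continue                              # an isolated VM needs an empty host
        if any(other.isolated for other in h.vms):
            continue                              # host is reserved by an isolated VM
        out.append(h)
    return out


def place(vm, hosts):
    """Place vm on the least-loaded admissible host, or refuse explicitly."""
    choices = candidate_hosts(vm, hosts)
    if not choices:
        raise PlacementDenied(
            f"{vm.name}: no host satisfies zone={vm.zone!r} isolated={vm.isolated}")
    best = min(choices, key=lambda h: len(h.vms))   # first least-loaded host wins
    best.vms.append(vm)
    return best.name


def audit(hosts):
    """List zone/isolation violations in an existing placement (empty list = clean)."""
    problems = []
    for h in hosts:
        for vm in h.vms:
            if vm.zone != h.zone:
                problems.append(f"{vm.name} (zone {vm.zone}) runs on {h.name} (zone {h.zone})")
            if vm.isolated and len(h.vms) > 1:
                problems.append(f"{vm.name} is marked isolated but shares {h.name}")
    return problems
```

The refusal is the point: a scheduler that silently picks "any host with room" is exactly what makes host tagging impossible to rely on once the interface is the only way in.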
Who has it, who has not

Cloud Solution                 Version tested     Result
Eucalyptus                     1.6.2              None
DeltaCloud Portal              0.1.1              Could be
RHEV                           NA – Public APIs   None
Abiquo                         1.5                None
XEN Cloud Platform             0.1.1              None
Amazon Virtual Private Cloud   NA – March         None (redundancy)
VMware vCloud Express          NA – March         None
Svirt-LibVirt                  Library source     Partial
OpenNebula [Haizea]            1.0                Could be
“The limits of your language are the limits of your world” - Ludwig Wittgenstein
Time to make a stand
As “the security community” it’s our role to make sure that new technologies are not simply taken for granted without a security debate.
Private Cloud is a great risk and a great opportunity
We need to make our voice heard!
 
Off-Premise solutions have to provide Trust and Security
DO THEY?
Hate the Sin not the Sinner
They’re not running in debug mode, are they?
Hate the Sin not the Sinner
HTTP/1.1 200 OK
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8g mod_wsgi/2.6 Python/2.6.2
Vary: Accept-Language,Cookie,Accept-Encoding
Expires: -1
Content-Language: en
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 114

[["0", ["7810", "$ANYUSERNAME", "COMPLETED", "updateThumbs", "Task completed successfully", "2010/03/22 17:03:35"]]]
What is everyone doing?
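A review check for the response captured on the slide, as an added example that is not part of the deck: it parses the raw HTTP reply, lists the component versions the Server header gives away, and flags task records that belong to someone other than the requesting user (the "what is everyone doing?" problem). The captured text is the slide's (with its $ANYUSERNAME mask kept); the finding names and the `current_user` parameter are assumptions for illustration.

```python
# Added example: flag information-disclosure signs in a management API response.
# Not code from the presentation; checks and their names are assumptions.
import json
import re

# Response as shown on the slide; the username was already masked there.
CAPTURED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8g mod_wsgi/2.6 Python/2.6.2\r\n"
    "Vary: Accept-Language,Cookie,Accept-Encoding\r\n"
    "Expires: -1\r\n"
    "Content-Language: en\r\n"
    "Pragma: no-cache\r\n"
    "Keep-Alive: timeout=5, max=100\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Length: 114\r\n"
    "\r\n"
    '[["0", ["7810", "$ANYUSERNAME", "COMPLETED", "updateThumbs", '
    '"Task completed successfully", "2010/03/22 17:03:35"]]]'
)

# component/version tokens such as OpenSSL/0.9.8g or Python/2.6.2
VERSION_TOKEN = re.compile(r"[A-Za-z_]+/\d+(?:\.\d+)+[a-z]?")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def task_records(body):
    """Decode the task list layout seen on the slide: [[status, [id, user, state, action, msg, ts]], ...]."""
    try:
        decoded = json.loads(body)
    except json.JSONDecodeError:
        return []
    records = []
    for item in decoded:
        if isinstance(item, list) and len(item) == 2 and isinstance(item[1], list) and len(item[1]) >= 6:
            task_id, user, state, action, _message, _stamp = item[1][:6]
            records.append({"id": task_id, "user": user, "state": state, "action": action})
    return records


def findings(raw, current_user):
    """Return a dict of issues found in the response, keyed by a short finding name."""
    _status, headers, body = parse_response(raw)
    out = {}
    leaked = VERSION_TOKEN.findall(headers.get("server", ""))
    if leaked:
        out["version-disclosure"] = leaked          # Server header names exact versions
    foreign = sorted({r["user"] for r in task_records(body) if r["user"] != current_user})
    if foreign:
        out["other-users-tasks"] = foreign          # task history of other accounts is visible
    ctype = headers.get("content-type", "")
    if body.lstrip().startswith(("[", "{")) and "json" not in ctype:
        out["json-served-as"] = ctype               # JSON body declared as text/html
    return out
```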
(re)Think about your Cloud strategy
You need one!
Check security of outsourcer
Make your voice heard!
 
Claudio Criscione
[email_address]
Twitter @paradoxengine
VASTO’s home is at nibblesec.org