“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

– Bruce Schneier
EVERYTHING OLD IS NEW AGAIN:
Risk, Compliance, and Complexity

Me: Joshua McKenty
Twitter: @jmckenty
Email: joshua@pistoncloud.com


Former Chief Architect, NASA Nebula
Founding Member, OpenStack
OpenStack Project Policy Board
CEO, Piston Cloud Computing, Inc.
Step 1: Define Cloud
“Self-service provisioning of multi-tenant IT infrastructure and applications via HTTP.”


Step 2: Consider Your Cloud Options
   Public Cloud
   Community Cloud
   Hosted Private Cloud
   On-premise Private cloud
Step 3: Examine the risks
  Increased Insider Threat
  Complexity Risk
  Compliance Challenges
  Liability and Forensics


“…security and compliance costs continue to grow at a rate three times faster than that of IT budgets.”
- IBM
Five-Actor Model

[Figure: Five-Actor Model – the actors shown are Vendor, End-User, Operator, DevOps, Auditor and User]
Off Premise IT: A Matrix of Insiders

                            Physical  Host      Guest     Application
                            Access    Access    Access    Access
Your Employees                                  X         X
Your Contractors                                X         X
Managed Services Provider   ?         X
Cloud Service Providers     X         X         X
External Auditor                      X         X         X
Other Cloud Users                     ?         ?
DC Operators                X         ?
Complexity Risk
“If we don’t understand the cross-cutting effects and inherent contradictions in all of the stringent standards now being written into final form, we risk doing real damage to the sound, stable and — yes — profitable financial industry regulators say they support and the economies sorely need.”
- Karen Petrou, Federal Financial Analytics

“Complexity is holding our industry back right now. A lot of what is bought and paid for doesn't get implemented because of complexity. Maybe this is the industry's biggest challenge.”
- Ray Lane, Kleiner Perkins Caufield & Byers
YOUR VENDOR IS THE ENEMY
Trivial Solution: Add a root kit
   Guest Agent == Root Kit
   SaaS Logging == Root Kit
   Cloud Orchestration Agent == Root Kit
   Monitoring Agent == Root Kit


Real Solution: Attack Complexity
   Cloud can be evolutionary (not revolutionary)

   Fight sprawl with strong standards

   Use automation and standards to reduce the number of privileged
   users and applications

   Limit choice – one hypervisor, two base O/S, three application
   stacks
Logging in Depth
  Network
  Host Operating System
  Guest Operating System
  User and application events
  Cloud Orchestration
  Application Layer
Audit in Depth, with Standards
  Audit at all layers
     Host Environment
     Cloud Management
     Guest Environment
     Orchestration


Trust no one – even in Test and Dev
  Data-at-rest encryption
  Data integrity validation
  Hardened base O/S images
The Stack of Concerns

[Figure: layered stack, top to bottom – Application, Application Server, Guest OS, Hypervisor, Storage Infrastructure, Host OS, Physical Server; DevOps is shown alongside the upper layers (Application through Guest OS) and Operator alongside the lower layers (Hypervisor through Physical Server)]
Key Takeaways
  Complexity is the enemy
  Adding rootkits is the wrong solution
  Use automation to limit access
  Simplify services using Pareto’s Law
Piston Enterprise OS
  Secure Cloud Operating System
  Designed for Enterprise Private Clouds
  Built on OpenStack


Piston Cloud Computing, Inc.
  Former NASA Researchers
  Developed first FISMA-certified Cloud
  Founders of OpenStack
Opinionated Software
  One hypervisor
  No host OS access
  One reference architecture
Questions?


“We can only see a short distance ahead, but we can see plenty there that needs to be done.”

– Alan Turing

Wall-Street Technology Association (WSTA) Feb-2012


Editor's Notes

  • #2 I have 30 minutes for a 2 hour talk, so I’ll cover this at a high level, and I’ll make myself available for more detailed questions afterwards.