2. Me: Joshua McKenty
Twitter: @jmckenty
Email: joshua@pistoncloud.com
Former Chief Architect, NASA Nebula
Founding Member, OpenStack
OpenStack Project Policy Board
3. “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier
10. Build on “Shared Nothing” to achieve “Trust No One”
Also known as “Defense in Depth”
AUTOMATE EVERYTHING
“Fat Fingers” == Plausible Deniability
Automated == non-repudiable change control
Build to the OSI 7-layer model
12. Layer 1, 2 and 3
Lock your doors
Do your background checks
Use separate physical networks for admin
Network model and management
Use RFC 1918 address space when appropriate
Use VLANs if necessary
Firewall every machine (ebtables, iptables)
Border firewalls (port and protocol level)
14. Layer 4, 5, 6 and 7
Control system access
Best case: no host-based shell access AT ALL.
Second-best: federated AUTH with 2-factor, keys only
Worst case: Host-level root login with passwords
Run IDS – on hosts and guests
Scan Continuously – hosts and guests, on all networks
Proactively defend – Fail2Ban, etc. (F2B-a-a-S)
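The “Fail2Ban-as-a-Service” idea on this slide, as an added example that is not from the talk: a minimal ban-decision routine that reads constructed sshd log lines, applies Fail2Ban-style maxretry/findtime thresholds, and exempts an assumed RFC 1918 admin network (10.20.0.0/16) the way Fail2Ban’s ignoreip would, so the admin path from slide 12 is never locked out by a scanner or a mistyped password.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (syslog format, no year in the timestamp).
SAMPLE_LOG = """\
Mar  3 10:01:02 host1 sshd[2301]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:05 host1 sshd[2301]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:09 host1 sshd[2305]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:11 host1 sshd[2308]: Accepted publickey for ops from 10.20.0.5 port 40001 ssh2
Mar  3 10:01:12 host1 sshd[2309]: Failed password for root from 10.20.0.9 port 40002 ssh2
Mar  3 10:01:13 host1 sshd[2309]: Failed password for root from 10.20.0.9 port 40002 ssh2
Mar  3 10:01:14 host1 sshd[2309]: Failed password for root from 10.20.0.9 port 40002 ssh2
Mar  3 10:20:00 host1 sshd[2400]: Failed password for root from 198.51.100.4 port 50000 ssh2
Mar  3 10:35:00 host1 sshd[2401]: Failed password for root from 198.51.100.4 port 50001 ssh2
Mar  3 10:50:00 host1 sshd[2402]: Failed password for root from 198.51.100.4 port 50002 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_failures(log_text, year=2012):
    """Return [(timestamp, source_ip)] for failed-login lines; everything else is ignored."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["ip"]))
    return out

def ips_to_ban(log_text, maxretry=3, findtime_s=600, ignore_nets=()):
    """Source IPs that reach maxretry failures within any findtime_s-second window.
    ignore_nets plays the role of Fail2Ban's ignoreip: the assumed admin network is never banned."""
    ignore = [ipaddress.ip_network(n) for n in ignore_nets]
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    banned = set()
    for ts, ip in parse_failures(log_text):
        if any(ipaddress.ip_address(ip) in net for net in ignore):
            continue
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime_s] + [ts]
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned
```

With the admin network exempted, only 203.0.113.7 is banned; 198.51.100.4 spreads its three failures over 30 minutes and slips under a 10-minute findtime, which is why the window length matters as much as the retry count.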
15. Layer ‘V’
Don't trust the hypervisor (TXT / TPM)
Conversely, don't trust the VM (blue-pill exploits, etc.)
Host-based FW within the VM (CloudPassage "Halo")
Access-control for VMs – same approaches apply (Auth-as-a-Service)
23. Don’t get confused!
Crypto is useless – if keys are stored with the data
Private networks are useless – if doors aren’t locked
Certification only proves that you’re doing what you said you were going to do. You can still be wrong.
Forget “Trust, but verify”. Just don’t trust.
25. Bonus Section: Forensics
Have a chaos-monkey of compromise
Can you perform forensics and remediation, without impacting other users of your cloud?
Spanning ports and extra storage
“Graveyard” for recently deleted images, instances
26. What’s in the CloudPipe?
“We can only see a short distance ahead, but we can see plenty there that needs to be done.” – Alan Turing
27. The Machine, aka “Sneaky Monkey”
Continuous Integration of penetration and vulnerability testing.
31. Credits
Matt Linton – Nebula CSO
Jesse Andrews – AnsoLabs Founder
Soo Choi – 7120.7 Nazi
Matt Chew-Spence – FIPS 199 Guru
Keith Shackleford and James Williams
Chris Kemp
Bobby Cates, Dave Swagger, E. Lopez, Grace De Leon, Guy with Gun #1, Guy with Gun #2…
Editor’s notes
I have 30 minutes for a 2 hour talk, so I’ll cover this at a high level, and I’ll make myself available for more detailed questions afterwards.
It’s not an “if” – it’s a “when”
80% of all security attacks come from current or former employees or contractors. Assume every host in your network is or will be compromised, and plan accordingly.