Wall-Street Technology Association (WSTA) Feb-2012
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
– Bruce Schneier
EVERYTHING OLD IS NEW AGAIN:
Risk, Compliance, and Complexity
Me: Joshua McKenty
Twitter: @jmckenty
Email: [email protected]
Former Chief Architect, NASA Nebula
Founding Member, OpenStack
OpenStack Project Policy Board
CEO, Piston Cloud Computing, Inc.
Step 1: Define Cloud
"Self-service provisioning of multi-tenant IT infrastructure and applications via HTTP."
Step 2: Consider Your Cloud Options
Public Cloud
Community Cloud
Hosted Private Cloud
On-premise Private Cloud
Step 3: Examine the risks
Increased Insider Threat
Complexity Risk
Compliance Challenges
Liability and Forensics
"…security and compliance costs continue to grow at a rate three times faster than that of IT budgets."
– IBM
Five-Actor Model
Vendor
Operator
Auditor
DevOps
User
End-User
Off Premise IT: A Matrix of Insiders
Access types: Physical Access | Host Access | Guest Access | Application Access
Your Employees: X X
Your Contractors: X X
Managed Services Provider: ? X
Cloud Service Providers: X X X
External Auditor: X X X
Other Cloud Users: ? ?
DC Operators: X ?
Complexity Risk
"If we don't understand the cross-cutting effects and inherent contradictions in all of the stringent standards now being written into final form, we risk doing real damage to the sound, stable and, yes, profitable financial industry regulators say they support and the economies sorely need."
– Karen Petrou, Federal Financial Analytics
"Complexity is holding our industry back right now. A lot of what is bought and paid for doesn't get implemented because of complexity. Maybe this is the industry's biggest challenge."
– Ray Lane, Kleiner Perkins Caufield & Byers
Trivial Solution: Add a root kit
Guest Agent == Root Kit
SaaS Logging == Root Kit
Cloud Orchestration Agent == Root Kit
Monitoring Agent == Root Kit
YOUR VENDOR IS THE ENEMY
Real Solution: Attack Complexity
Cloud can be evolutionary (not revolutionary)
Fight sprawl with strong standards
Use automation and standards to reduce the number of privileged users and applications
Limit choice – one hypervisor, two base O/S, three application stacks
Logging in Depth
Network
Host Operating System
Guest Operating System
User and application events
Cloud Orchestration
Application Layer
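Logging at every layer only pays off when the layers are correlated: a host-layer action on a guest that no tenant request at the orchestration layer explains is the operator (or vendor) acting out of band, which is the insider access the matrix above describes. The following is an added example, not code from the talk, from OpenStack or from Piston; the two log formats, field names and sample lines are constructed for illustration.

```python
"""Cross-layer log correlation: flag privileged host-layer actions on a guest
that have no matching tenant-initiated request at the cloud orchestration layer.

Log formats and field names below are constructed for this example; they are
not OpenStack's or any product's real log schema.
"""
from datetime import datetime, timedelta

# Constructed sample events from two layers of the "logging in depth" stack.
ORCHESTRATION_LOG = """\
2012-02-07T10:00:01Z layer=api tenant=acme user=alice action=attach_volume vm=vm-17 vol=vol-9 req=r-101
2012-02-07T10:05:12Z layer=api tenant=acme user=alice action=console vm=vm-17 req=r-102
"""

HOST_LOG = """\
2012-02-07T10:00:03Z layer=host node=hv03 actor=op-bob action=attach_volume vm=vm-17 vol=vol-9 req=r-101
2012-02-07T10:05:14Z layer=host node=hv03 actor=op-bob action=console vm=vm-17 req=r-102
2012-02-07T11:30:00Z layer=host node=hv03 actor=op-bob action=attach_volume vm=vm-17 vol=vol-77
2012-02-07T12:00:00Z layer=host node=hv03 actor=op-carol action=console vm=vm-22 req=r-999
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unmatched_host_actions(api_events, host_events, window=timedelta(seconds=30)):
    """Return host-layer events that no tenant API request explains.

    A host event is explained only if an API event with the same request id,
    the same vm and the same action precedes it within `window`. Everything
    else is an operator touching a guest out of band.
    """
    by_req = {e["req"]: e for e in api_events if "req" in e}
    suspicious = []
    for h in host_events:
        a = by_req.get(h.get("req"))
        if a is None or a["vm"] != h["vm"] or a["action"] != h["action"]:
            suspicious.append(h)
            continue
        if not (timedelta(0) <= h["ts"] - a["ts"] <= window):
            suspicious.append(h)  # right request id, but far too late to be the same operation
    return suspicious


def report():
    """One line per out-of-band host action in the constructed sample logs."""
    events = unmatched_host_actions(parse_log(ORCHESTRATION_LOG), parse_log(HOST_LOG))
    return [f"{e['ts'].isoformat()} {e['actor']} {e['action']} {e['vm']}" for e in events]


if __name__ == "__main__":
    for line in report():
        print("OUT-OF-BAND:", line)
```

In the sample data the first two host events are explained by alice's API requests; the volume attach with no request id and the console session under an unknown request id are reported. The check only works if the host log is shipped somewhere the operator cannot edit, which is why the next slide audits every layer rather than trusting any one of them.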
Audit in Depth, with Standards
Audit at all layers
Host Environment
Cloud Management
Guest Environment
Orchestration
Data-at-rest encryption
Data integrity validation
Hardened base O/S images
Trust no one – even in Test and Dev
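"Data integrity validation" and "hardened base O/S images" meet in the image store: the golden images are only hardened if nobody with write access to the store can quietly swap one. The following is an added example, not code from the talk or from any cloud platform; it assumes a manifest of SHA-256 digests authenticated with an HMAC key held by the auditor and never stored with the images, so an operator cannot both replace an image and rewrite the manifest to match. Image names and contents are constructed.

```python
"""Data-integrity validation for hardened base images.

An auditor-held HMAC key authenticates a manifest of SHA-256 digests, so an
operator with write access to the image store cannot both swap an image and
rewrite the manifest to match. Names, key and manifest layout are constructed
for this example; they are not from any particular cloud platform.
"""
import hashlib
import hmac
import json


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the MAC is stable across reload/reserialise.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(images: dict, key: bytes) -> str:
    """Return a JSON manifest of image digests plus an HMAC-SHA256 tag over them."""
    body = {name: digest(data) for name, data in images.items()}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"images": body, "mac": tag}, sort_keys=True)


def verify_images(manifest_text: str, images: dict, key: bytes) -> dict:
    """Check the manifest's MAC, then every image against its recorded digest.

    Returns {name: status} with status 'ok', 'modified', 'missing' or
    'unexpected'. A manifest whose MAC fails is rejected outright, because
    none of its digests can be trusted.
    """
    manifest = json.loads(manifest_text)
    body = manifest["images"]
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        raise ValueError("manifest MAC invalid: manifest has been tampered with")
    result = {}
    for name, recorded in body.items():
        if name not in images:
            result[name] = "missing"
        elif hmac.compare_digest(recorded, digest(images[name])):
            result[name] = "ok"
        else:
            result[name] = "modified"
    for name in images:
        if name not in body:
            result[name] = "unexpected"  # present in the store, never reviewed
    return result


# Constructed sample image store: image name -> bytes, standing in for files.
AUDIT_KEY = b"auditor-key-kept-off-the-image-store"  # hypothetical key
GOLDEN_IMAGES = {
    "ubuntu-10.04-hardened.img": b"kernel+rootfs bytes A",
    "rhel-6-hardened.img": b"kernel+rootfs bytes B",
}


def audit_example() -> dict:
    """Manifest built from the golden images, checked against a store an operator has altered."""
    manifest = build_manifest(GOLDEN_IMAGES, AUDIT_KEY)
    store = {
        "ubuntu-10.04-hardened.img": b"kernel+rootfs bytes A with extra agent",  # swapped
        "debian-unreviewed.img": b"whatever",  # dropped in without review; rhel image deleted
    }
    return verify_images(manifest, store, AUDIT_KEY)


if __name__ == "__main__":
    for name, status in sorted(audit_example().items()):
        print(f"{status:10s} {name}")
```

The same check runs equally well in Test and Dev, which is the point of the last bullet: a test image with an extra agent baked in is exactly the kind of change that later becomes a production root kit.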
The Stack of Concerns
DevOps:
Application
Application Server
Guest OS
Operator:
Hypervisor
Storage Infrastructure
Host OS
Physical Server
Key Takeaways
Complexity is the enemy
Adding rootkits is the wrong solution
Use automation to limit access
Simplify services using Pareto’s Law
Piston Enterprise OS
Secure Cloud Operating System
Designed for Enterprise Private Clouds
Built on OpenStack
Former NASA Researchers
Developed first FISMA-certified Cloud
Founders of OpenStack
Piston Cloud Computing, Inc.
Opinionated Software
One hypervisor
No host OS access
One reference architecture
Questions?
"We can only see a short distance ahead, but we can see plenty there that needs to be done."
– Alan Turing