wall-street technology association (wsta) feb-2012


Upload: joshua-mckenty

Post on 08-Jul-2015


Page 1: Wall-Street Technology Association (WSTA) Feb-2012

"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

– Bruce Schneier

Page 2

EVERYTHING OLD IS NEW AGAIN:

Risk, Compliance, and Complexity

Me: Joshua McKenty

Twitter: @jmckenty

Email: [email protected]

Former Chief Architect, NASA Nebula

Founding Member, OpenStack

OpenStack Project Policy Board

CEO, Piston Cloud Computing, Inc.

Page 3

Step 1: Define Cloud

"Self-service provisioning of multi-tenant IT infrastructure and applications via HTTP."

Step 2: Consider Your Cloud Options

Public Cloud

Community Cloud

Hosted Private Cloud

On-premise Private Cloud

Page 4

Step 3: Examine the risks

Increased Insider Threat

Complexity Risk

Compliance Challenges

Liability and Forensics

"…security and compliance costs continue to grow at a rate three times faster than that of IT budgets."

- IBM

Page 5

Five-Actor Model

Vendor

Operator

Auditor

DevOps

User

End-User

Page 6

Off Premise IT: A Matrix of Insiders

Columns: Physical Access, Host Access, Guest Access, Application Access

Your Employees: X X

Your Contractors: X X

Managed Services Provider: ? X

Cloud Service Providers: X X X

External Auditor: X X X

Other Cloud Users: ? ?

DC Operators: X ?

Page 7

Complexity Risk

"If we don't understand the cross-cutting effects and inherent contradictions in all of the stringent standards now being written into final form, we risk doing real damage to the sound, stable and — yes — profitable financial industry regulators say they support and the economies sorely need."

- Karen Petrou, Federal Financial Analytics

"Complexity is holding our industry back right now. A lot of what is bought and paid for doesn't get implemented because of complexity. Maybe this is the industry's biggest challenge."

- Ray Lane, Kleiner Perkins Caufield & Byers

Page 8

Trivial Solution: Add a root kit

Guest Agent == Root Kit

SaaS Logging == Root Kit

Cloud Orchestration Agent == Root Kit

Monitoring Agent == Root Kit

YOUR VENDOR IS THE ENEMY

Real Solution: Attack Complexity

Cloud can be evolutionary (not revolutionary)

Fight sprawl with strong standards

Use automation and standards to reduce the number of privileged users and applications

Limit choice – one hypervisor, two base O/S, three application stacks
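The "reduce the number of privileged users and applications" point is easiest to act on when the check is automated: declare the approved set of root-capable accounts per host and diff it against what sudoers and group membership actually grant. The following is an added example written for this transcript, not code from the slides, Piston or OpenStack; the host names, accounts, file contents and the approved baseline are constructed, and the sudoers parser handles only plain user and %group lines (no aliases or includes), which is an assumption for the example.

```python
import hashlib

# Constructed sample inputs standing in for two hosts' /etc/group and
# /etc/sudoers files. Host names, accounts and entries are hypothetical.
SAMPLE_GROUP_FILES = {
    "compute-01": (
        "root:x:0:\n"
        "sudo:x:27:ops-automation,breakglass\n"
        "wheel:x:10:\n"
    ),
    "compute-02": (
        "root:x:0:\n"
        "sudo:x:27:ops-automation,breakglass,jdoe\n"
        "wheel:x:10:\n"
    ),
}

SAMPLE_SUDOERS = {
    "compute-01": (
        "# constructed sudoers\n"
        "Defaults env_reset\n"
        "root ALL=(ALL:ALL) ALL\n"
        "%sudo ALL=(ALL:ALL) ALL\n"
    ),
    "compute-02": (
        "Defaults env_reset\n"
        "root ALL=(ALL:ALL) ALL\n"
        "%sudo ALL=(ALL:ALL) ALL\n"
        # a monitoring agent that was handed unrestricted root (the slide's "root kit")
        "monitor-agent ALL=(ALL) NOPASSWD: ALL\n"
    ),
}

# The approved privileged set per host, as the standard would define it:
# root, one automation account and one break-glass account. Hypothetical.
APPROVED_PRIVILEGED = {
    "compute-01": {"root", "ops-automation", "breakglass"},
    "compute-02": {"root", "ops-automation", "breakglass"},
}


def parse_groups(group_file: str) -> dict[str, set[str]]:
    """Map group name -> member accounts from /etc/group text."""
    groups: dict[str, set[str]] = {}
    for line in group_file.splitlines():
        parts = line.split(":")
        if len(parts) >= 4:
            groups[parts[0]] = {m for m in parts[3].split(",") if m}
    return groups


def privileged_accounts(group_file: str, sudoers: str) -> set[str]:
    """Accounts that can reach root through sudo: direct user entries plus
    the members of every %group entry. Only plain user/%group lines are
    understood (no User_Alias or #include); that is an assumption here."""
    groups = parse_groups(group_file)
    privileged: set[str] = set()
    for raw in sudoers.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        who = line.split()[0]
        if who.startswith("%"):
            privileged |= groups.get(who[1:], set())
        else:
            privileged.add(who)
    return privileged


def audit_hosts(group_files: dict, sudoers_files: dict, approved: dict) -> dict:
    """Compare each host's effective privileged set against the approved
    baseline; returns per-host sets of unapproved and missing accounts."""
    report = {}
    for host in approved:
        actual = privileged_accounts(group_files[host], sudoers_files[host])
        report[host] = {
            "unapproved": actual - approved[host],
            "missing": approved[host] - actual,
        }
    return report


if __name__ == "__main__":
    for host, drift in audit_hosts(SAMPLE_GROUP_FILES, SAMPLE_SUDOERS,
                                   APPROVED_PRIVILEGED).items():
        print(host, drift)
```

Run against the constructed inputs, compute-01 matches its baseline and compute-02 reports two unapproved root-capable accounts (jdoe, added to the sudo group, and the monitor-agent sudoers entry); in practice the report would be produced by the same automation that builds the hosts, so that drift is caught on every run rather than at audit time.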

Page 9

Logging in Depth

Network

Host Operating System

Guest Operating System

User and application events

Cloud Orchestration

Application Layer

Page 10

Audit in Depth, with Standards

Audit at all layers

Host Environment

Cloud Management

Guest Environment

Orchestration

Data-at-rest encryption

Data integrity validation

Hardened base O/S images

Trust no one – even in Test and Dev
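"Data integrity validation" and "Hardened base O/S images" go together: a hardened image is only worth something if the host can prove the image it booted is the one the build pipeline approved, and "trust no one" means the list of approved hashes must itself be protected from whoever operates the hosts. The block below is an added example for this transcript, not code from the slides, Piston or OpenStack; the image names, contents and the manifest signing key are constructed, and the use of an HMAC-signed SHA-256 manifest is the example's own design choice.

```python
import hashlib
import hmac
import json

# Constructed sample contents standing in for hardened base O/S image
# files. Names, contents and the signing key are hypothetical.
GOLDEN_IMAGES = {
    "base-linux-a-hardened-1.0.img": b"golden-image-a-contents",
    "base-linux-b-hardened-1.0.img": b"golden-image-b-contents",
}

# Key held by the image build pipeline, never by operators or hosts.
MANIFEST_KEY = b"constructed-manifest-signing-key"

# What a host actually has on disk: image A modified in place, image B
# missing, and an image nobody signed off on. Constructed.
DEPLOYED_IMAGES = {
    "base-linux-a-hardened-1.0.img": b"golden-image-a-contents-with-extra-bytes",
    "unapproved-local-build.img": b"someone built this by hand",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(images: dict[str, bytes]) -> dict[str, str]:
    """Image name -> SHA-256 of the approved (golden) contents."""
    return {name: sha256_hex(content) for name, content in images.items()}


def canonical(manifest: dict[str, str]) -> bytes:
    # Fixed key order and separators so the signature covers one exact encoding.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def manifest_signature_valid(manifest: dict[str, str], signature: str, key: bytes) -> bool:
    # Constant-time comparison so a verifier cannot be timed to forge a tag.
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def verify_deployment(deployed: dict[str, bytes], manifest: dict[str, str],
                      signature: str, key: bytes) -> dict[str, str]:
    """Per-image status: ok, modified, unapproved or missing. Refuses to
    check anything against a manifest whose signature does not verify,
    because an unsigned manifest could simply be rewritten to match."""
    if not manifest_signature_valid(manifest, signature, key):
        raise ValueError("manifest signature invalid; refusing to trust it")
    status: dict[str, str] = {}
    for name, content in deployed.items():
        if name not in manifest:
            status[name] = "unapproved"
        elif sha256_hex(content) == manifest[name]:
            status[name] = "ok"
        else:
            status[name] = "modified"
    for name in manifest:
        if name not in deployed:
            status[name] = "missing"
    return status


if __name__ == "__main__":
    manifest = build_manifest(GOLDEN_IMAGES)
    signature = sign_manifest(manifest, MANIFEST_KEY)
    for name, state in verify_deployment(DEPLOYED_IMAGES, manifest,
                                         signature, MANIFEST_KEY).items():
        print(f"{state:10s} {name}")
```

Two properties matter in this shape: the verifier reports the golden set as all "ok" and the drifted set as modified/missing/unapproved, and editing the manifest to bless an extra image breaks its signature, so the edit is detected before any hash is compared. A production pipeline would use a public-key signature rather than a shared HMAC key so the hosts need hold no secret at all; the check logic is the same.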

Page 11

The Stack of Concerns

DevOps: Application, Application Server, Guest OS

Operator: Hypervisor, Storage Infrastructure, Host OS, Physical Server

Page 12

Key Takeaways

Complexity is the enemy

Adding rootkits is the wrong solution

Use automation to limit access

Simplify services using Pareto’s Law

Page 13

Piston Enterprise OS

Secure Cloud Operating System

Designed for Enterprise Private Clouds

Built on OpenStack

Former NASA Researchers

Developed first FISMA-certified Cloud

Founders of OpenStack

Piston Cloud Computing, Inc.

Page 14

Opinionated Software

One hypervisor

No host OS access

One reference architecture

Page 15

Questions?

"We can only see a short distance ahead, but we can see plenty there that needs to be done."

– Alan Turing