real security in a virtual environment
DESCRIPTION
A general overview of the pitfalls in cloud security and everything that surrounds it.
TRANSCRIPT
Real Security in a Virtual Environment
By Mattias Geniar
System Engineer @ Nucleus
Mattias Geniar
System Engineer at Nucleus
(Cloud) Hosting provider
http://mattiasgeniar.be
@mattiasgeniar
So ... Who am I?
root@mattias:~#
My comfort zone.
Not this.
Now what’s this about?
First: what is cloud computing?
Infrastructure-as-a-Service
Software-as-a-Service
Platform-as-a-Service
Hey dude, security?!
Preventing this cloud ...
From becoming this one.
Whatcha talking ‘bout fool?
Quote
“Every security system that has ever been breached was once thought infallible.”
It’s about layers. Many layers.
A secure location.
With sufficient power.
And cooling.
That is secure.
But that’s just the bottom layer.
Don’t forget this.
How virtual is ‘virtual’?
The heart: storage.
Separate network.
But in a good way.
Should it be encrypted?
On your storage itself?
Or within your VM?
Key management.
Redundant storage. Good x 2.
RAIDs
Have backups. Lots of them.
The kidneys: connectivity.
Walls of fire.
Subnet example
This is you
IP: 10.0.0.100
Subnet: 255.255.255.0
Gateway: 10.0.0.1
This is evil me
IP: 10.0.0.105
Subnet: 255.255.255.0
Gateway: 10.0.0.1
The firewall: 10.0.0.1
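The subnet example above, worked through as an added illustration that is not part of the slides: a host only hands packets to its gateway when the destination lies outside its own network, so the firewall at 10.0.0.1 never sees what "evil me" on the same /24 sends to "you". The addresses are the slide's; the extra 10.0.1.x hosts are constructed for contrast.

```python
import ipaddress

# Constructed from the slide: two guests on one /24, firewall acting as gateway.
GATEWAY = "10.0.0.1"
YOU = "10.0.0.100/255.255.255.0"
EVIL_ME = "10.0.0.105/255.255.255.0"


def traverses_gateway(src: str, dst: str) -> bool:
    """True when `src` (address/mask) must send via its gateway to reach `dst`.

    Destinations inside the sender's own network are delivered directly at
    layer 2 (ARP + switch), so a firewall on the gateway cannot filter them.
    """
    sender = ipaddress.ip_interface(src)
    return ipaddress.ip_address(dst) not in sender.network


def unfiltered_peers(me: str, hosts: list[str]) -> list[str]:
    """Addresses in `hosts` whose traffic to `me` bypasses the gateway firewall."""
    my_ip = str(ipaddress.ip_interface(me).ip)
    return [
        str(ipaddress.ip_interface(h).ip)
        for h in hosts
        if str(ipaddress.ip_interface(h).ip) != my_ip
        and not traverses_gateway(h, my_ip)
    ]


def route_report(me: str, hosts: list[str]) -> dict[str, str]:
    """Map each peer address to how its packets reach `me`: 'direct' means the
    perimeter firewall is out of the path and only a host firewall can help."""
    my_ip = str(ipaddress.ip_interface(me).ip)
    report = {}
    for h in hosts:
        peer = str(ipaddress.ip_interface(h).ip)
        if peer == my_ip:
            continue
        report[peer] = "via gateway" if traverses_gateway(h, my_ip) else "direct"
    return report


if __name__ == "__main__":
    # A neighbour moved to a different subnet (constructed) would be filtered.
    peers = [EVIL_ME, "10.0.1.50/24"]
    for peer, path in route_report(YOU, peers).items():
        print(f"{peer:>12} -> {path}")
```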
Firewall your firewall?
Secure connections.
Know what goes on.
Find intruders.
IDS & IPS
We like graphs. And IDS.
And boxes. With info.
Even when the cloud ‘moves’.
# diff 'os-virt' 'hardware-virt'
Oh hai root.
root@srv:~# hostname
srv.domain.be
root@srv:~# vzlist --all
CTID NPROC STATUS IP_ADDR HOSTNAME
101 74 running 10.0.2.1 topsecret-srv
root@srv:~# vzctl enter 101
-bash-3.1# hostname
topsecret-srv.domain.be
-bash-3.1# id
uid=0(root) gid=0(root)
Who’s this?
Quote
“The weakest link in any security system is the person holding the information.”
Developers that care.
That don’t do stupid things.
With secure APIs.
And management.
No no. Real management.
Quote
“Geeks don’t have interests. They have passions.”
So. Layers you said?
Q & A