WSTA Breakfast Seminar
TRANSCRIPT
Page 1
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."
– Bruce Schneier
Page 2
EVERYTHING OLD IS NEW AGAIN:
Risk, Compliance, and Complexity
Me: Joshua McKenty
Twitter: @jmckenty
Email: [email protected]
Former Chief Architect, NASA Nebula
Founding Member, OpenStack
OpenStack Project Policy Board
CEO, Piston Cloud Computing, Inc.
Page 3
Step 1: Define Cloud
"Self-service provisioning of multi-tenant IT infrastructure and applications via HTTP."
Step 2: Consider Your Cloud Options
Public Cloud
Community Cloud
Hosted Private Cloud
On-premise Private Cloud
Page 4
Step 3: Examine the risks
Increased Insider Threat
Complexity Risk
Compliance Challenges
Liability and Forensics
"…security and compliance costs continue to grow at a rate three times faster than that of IT budgets."
– IBM
Page 5
Five-Actor Model
Vendor
Operator
Auditor
DevOps
User
End-User
Page 6
Off Premise IT: A Matrix of Insiders
Access columns: Physical Access, Host Access, Guest Access, Application Access
Your Employees: X X
Your Contractors: X X
Managed Services Provider: ? X
Cloud Service Providers: X X X
External Auditor: X X X
Other Cloud Users: ? ?
DC Operators: X ?
Page 7
Complexity Risk
"If we don't understand the cross-cutting effects and inherent contradictions in all of the stringent standards now being written into final form, we risk doing real damage to the sound, stable and — yes — profitable financial industry regulators say they support and the economies sorely need."
– Karen Petrou, Federal Financial Analytics
"Complexity is holding our industry back right now. A lot of what is bought and paid for doesn't get implemented because of complexity. Maybe this is the industry's biggest challenge."
– Ray Lane, Kleiner Perkins Caufield & Byers
Page 8
Trivial Solution: Add a root kit
Guest Agent == Root Kit
SaaS Logging == Root Kit
Cloud Orchestration Agent == Root Kit
Monitoring Agent == Root Kit
YOUR VENDOR IS THE ENEMY
Real Solution: Attack Complexity
Cloud can be evolutionary (not revolutionary)
Fight sprawl with strong standards
Use automation and standards to reduce the number of privileged users and applications
Limit choice – one hypervisor, two base O/S, three application stacks
Page 9
Logging in Depth
Network
Host Operating System
Guest Operating System
User and application events
Cloud Orchestration
Application Layer
Page 10
Audit in Depth, with Standards
Audit at all layers
Host Environment
Cloud Management
Guest Environment
Orchestration
Data-at-rest encryption
Data integrity validation
Hardened base O/S images
Trust no one – even in Test and Dev
Page 11
The Stack of Concerns
DevOps:
Application
Application Server
Guest OS
Operator:
Hypervisor
Storage Infrastructure
Host OS
Physical Server
Page 12
Key Takeaways
Complexity is the enemy
Adding rootkits is the wrong solution
Use automation to limit access
Simplify services using Pareto’s Law
Page 13
Piston Enterprise OS
Secure Cloud Operating System
Designed for Enterprise Private Clouds
Built on OpenStack
Former NASA Researchers
Developed first FISMA-certified Cloud
Founders of OpenStack
Piston Cloud Computing, Inc.
Page 14
Opinionated Software
One hypervisor
No host OS access
One reference architecture
Page 15
Questions?
"We can only see a short distance ahead, but we can see plenty there that needs to be done."
– Alan Turing