SlideShare a Scribd company logo

RSA 2015 Realities of Private Cloud Security

Scott Carlson
Scott Carlson

My 2015 Talk at the RSA US Conference on Private Cloud Security and ways that companies need to think about their cloud as they built it within their private data center

Technology
1 of 21
Download to read offline
SESSION ID: #RSAC Scott Carlson – PayPal Realities of Private Cloud Security CSV-F03 @relaxed137
#RSAC Cloud Design Principals, traditional Data Center Deploy from Templates Any Image, Anywhere Automatically scale up/down workloads Follow devops auto-deployments CI/CD Respond to intra-cloud events ELASTIC VIRTUAL PCI-DSS 2.0 and 3.0 Local Country RequirementsSECURE PayPal Cloud & Software Defined Data Center 2
#RSAC Compliance <> Security Secure Compliant PCI DSS HIPAA / HITECH SOX FedRAMP/FISMA ISO/IEC 27001-2005 NIST SP800-53
#RSAC @ http://xkcd.com used with permission under Creative commons License 4
#RSAC Compliance Requirements of PayPal ✔ ✔ 5 Compliant with PCI-DSS 2.0 Standards Non-US locations compliant with local country regulations
#RSAC Be patched, be compliant, be hardened, be layered, don’t let data leave your network Log it all; parse it all; sesame street logic; leave no stone unturnedDETECT PREVENT Quarantine; active defense; mitigate; high priority patches; bug fixes; block ports; kill data streams; sever connections RESPOND What is Secure 6
#RSAC Are there any Private Cloud Standards? … Hardly … Cloud Controls Matrix 3.0.1 – release date 7/2015 https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ PCI DSS Virtualization Guidelines https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf PCI DSS Cloud Computing Guidelines https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf NIST Special Publication 800-144 http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf 7
#RSAC What about Public Cloud? A lot of vendors have been upping their game with security in the public cloud. If your organization does not have an Information Security organization, you do not run your own data center, or you just flat out don’t know where to begin, there are public cloud solutions that can meet most information security requirements today. … This talk is not about the Public Cloud … 8
#RSAC Our Methodology – Private Cloud Security 9  Don’t make it too hard – it’s just mostly infrastructure  Adapt FAST  Developers & “AAS” Washing changes the access paradigm (2FA + RBAC anyone?)  3rd-party applications sitting on a cloud are still just 3rd-party applications  Home-grown application sitting on a cloud are still just home-grown applications  Cross-managing “in-scope” and “out-of-scope” environments is fraught with peril. Tread Lightly…  The minute something is created in the cloud, it is subject to the requirements. Existence = production because it could be compromised, attacked, …
#RSAC Agile Quick and well-coordinated in movement; marked by an ability to think quickly; intellectual acuity  Consider everything dirty… examine it… spray the bad parts… clean it… use machines to do the dirty work  Run traffic over it… verify assumptions… send it back to the wash if needed… deliver to customer… use it yourself  Check your work… check new versions… talk to new people… find all of the new and exciting ways people are doing things 10
#RSAC Basic Methodology Just pretend it is infrastructure OpenStack has servers in it  Hardware configured and dedicated to the cloud  Hypervisor/Build Image meeting NIST/CIS standard templates  Vulnerability Scanning with third-party tooling  Patching 7-, 30-, 90-day windows with vendor provided patches  Configuration Management for important system files  Password Management – non-default, complex and unique! OpenStack has users in it  Do not use shared accounts for anything. Just don’t  Log everything (auth) about a user. Send it somewhere you can find it. Keep it a LONG time  Define a Role, Add People to the Role, Attest the Role  Multi-Factor Tokens!!!!  All cloud actions tied back to an individual user 11
#RSAC Basic Methodology Just pretend it is infrastructure Hypervisor Components  It’s just “Linux”. Treat it like hardened “Linux” and lock it down to standards (CIS, NIST)  Have a separate management interface from your production traffic (physical or virtual)  Do not combine security zones within a single hypervisor because then it’s ALL “in-scope”  Audit access, audit changes, be ready to show your work  Be ready to defend decisions to share ports for components OpenStack Software Stack  Limited vulnerability scanning in a programmatic way, have to build your own (Fortify, AppScan)  Getting code from Trunk = Open Source Happiness, but have your licenses reviewed!  You still need to code review if CDE passes through here  Avoid Avoid Avoid actual data getting put in your cloud stack (not guest VMs, those are ok) 12
#RSAC Basic Methodology Just pretend it is infrastructure Physical Network Components  Firewall rules around the cloud to limit ingress and egress (is iptables a firewall?)  Monitor what happens on your firewalls, send it somewhere, keep it a LONG time  Make sure the person building your network isn’t the person building your cloud (SOD)  Configuration guidelines exist for most physical installations (avoid virtual for now…)  Automation is fine, but make sure you log it and auto-ticket it Virtual Network Components  Too early in the testing process to rely on virtual versions of components at scale [ No standards, Auditor Support ]  Okay for intra-tenant traffic with minimal rule set  Same rules for physical apply to virtual. Has your third-party pen-tested and certified their thing? 13
#RSAC @ http://xkcd.com used with permission under Creative commons License 14
#RSAC Basic Methodology Just pretend it is infrastructure Data  If it’s card-holder data, controls become interesting very quickly  Encrypt your data PRIOR to writing it to databases/repositories  Storing things encrypted at rest in VMs mean you can’t use OpenStack components  HSM, crypto, key management required  User management, controls over data, logging, all of the standard stuff needed 15
#RSAC Basic Methodology Just pretend it is infrastructure “As a Service” Tooling  Role-based access  2FA to “in-scope” environments  TLS on EVERYTHING  Don’t pass your tokens around, expire them quickly  Don’t rely on credentials from the wrong environment!  Always check for software vulnerabilities in your code  NOTHING goes into production without passing the sanity test… NOTHING 16
#RSAC Basic Methodology Just pretend it is infrastructure Central Management Considerations  Make all of your management control planes trusted  It is NEVER okay to talk from a lower-trust environment into a higher-trust environment  It is better to expose a protected web front-end than keep the “manager” in an untrusted zone  If your control plane is compromised, your cloud is toast. Cloud expands the cascade of compromise across your whole environment depending on your control plane and availability zones  Deleting your cloud as an attack is just the same as a compromise sometimes 17
#RSAC Secure is not a permanent state 18
#RSAC Security can not work effectively unless you have agility 19
#RSAC How to apply this to your own environment?  Look into how you are using your cloud today  Verify the security controls and regulatory controls you need  Do the basics discussed here  Pen Test your cloud  Resolve the findings, and then start iterating and making more secure!  Get involved to fix industry standards so that private clouds are people too! 20
#RSAC For more information, please contact: Scott Carlson sccarlson@paypal.com @relaxed137

Recommended

Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesPriyanka Aash
 
Realities of Data Security
Realities of Data SecurityRealities of Data Security
Realities of Data SecurityPriyanka Aash
 
Applying Auto-Data Classification Techniques for Large Data Sets
Applying Auto-Data Classification Techniques for Large Data SetsApplying Auto-Data Classification Techniques for Large Data Sets
Applying Auto-Data Classification Techniques for Large Data SetsPriyanka Aash
 
Take It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitectureTake It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitecturePriyanka Aash
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash
 
Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Priyanka Aash
 
How to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with PantherHow to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with PantherPanther Labs
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Priyanka Aash
 

Recommended

Aspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesAspirin as a Service: Using the Cloud to Cure Security Headaches
Aspirin as a Service: Using the Cloud to Cure Security HeadachesPriyanka Aash
 
Realities of Data Security
Realities of Data SecurityRealities of Data Security
Realities of Data SecurityPriyanka Aash
 
Applying Auto-Data Classification Techniques for Large Data Sets
Applying Auto-Data Classification Techniques for Large Data SetsApplying Auto-Data Classification Techniques for Large Data Sets
Applying Auto-Data Classification Techniques for Large Data SetsPriyanka Aash
 
Take It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitectureTake It to the Cloud: The Evolution of Security Architecture
Take It to the Cloud: The Evolution of Security ArchitecturePriyanka Aash
 
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryCLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & Recovery
CLOUD SECURITY ESSENTIALS 2.0 Full Stack Hacking & RecoveryPriyanka Aash
 
Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Smart Megalopolises. How Safe and Reliable Is Your Data?
Smart Megalopolises. How Safe and Reliable Is Your Data?Priyanka Aash
 
How to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with PantherHow to Implement Snowflake Security Best Practices with Panther
How to Implement Snowflake Security Best Practices with PantherPanther Labs
 
Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Attacks on Critical Infrastructure: Insights from the “Big Board”
Attacks on Critical Infrastructure: Insights from the “Big Board”Priyanka Aash
 
Crypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and BitcoinCrypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and BitcoinPriyanka Aash
 
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...centralohioissa
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsHow Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsPriyanka Aash
 
Incident response-in-the-cloud
Incident response-in-the-cloudIncident response-in-the-cloud
Incident response-in-the-cloudPriyanka Aash
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.Teri Radichel
 
BeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone ElseBeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone ElseIvan Dwyer
 
ITrust Security Operating Center (SOC) - Datasheet EN
ITrust Security Operating Center (SOC) - Datasheet ENITrust Security Operating Center (SOC) - Datasheet EN
ITrust Security Operating Center (SOC) - Datasheet ENITrust - Cybersecurity as a Service
 
Customer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-CodeCustomer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-CodePanther Labs
 
BeyondCorp: Closing the Adherence Gap
BeyondCorp: Closing the Adherence GapBeyondCorp: Closing the Adherence Gap
BeyondCorp: Closing the Adherence GapIvan Dwyer
 
SAP Cloud security overview 2.0
SAP Cloud security overview 2.0SAP Cloud security overview 2.0
SAP Cloud security overview 2.0Rasmi Swain
 
BeyondCorp and Zero Trust
BeyondCorp and Zero TrustBeyondCorp and Zero Trust
BeyondCorp and Zero TrustIvan Dwyer
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session Splunk
 
SBRC'17 discussion panel about NFV and SDN
SBRC'17 discussion panel about NFV and SDNSBRC'17 discussion panel about NFV and SDN
SBRC'17 discussion panel about NFV and SDNSébastien Tandel
 
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...RightScale
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019Fahad Al-Hasan
 
Log management principle and usage
Log management principle and usageLog management principle and usage
Log management principle and usageBikrant Gautam
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Harry McLaren
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk M sharifi
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)Lancope, Inc.
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 
How to Make a Decent PowerPoint
How to Make a Decent PowerPointHow to Make a Decent PowerPoint
How to Make a Decent PowerPointAdam Fowler
 
Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?Wendy Nather
 

More Related Content

What's hot

Crypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and BitcoinCrypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and BitcoinPriyanka Aash
 
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...centralohioissa
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsHow Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsPriyanka Aash
 
Incident response-in-the-cloud
Incident response-in-the-cloudIncident response-in-the-cloud
Incident response-in-the-cloudPriyanka Aash
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.Teri Radichel
 
BeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone ElseBeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone ElseIvan Dwyer
 
Customer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-CodeCustomer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-CodePanther Labs
 
BeyondCorp: Closing the Adherence Gap
BeyondCorp: Closing the Adherence GapBeyondCorp: Closing the Adherence Gap
BeyondCorp: Closing the Adherence GapIvan Dwyer
 
SAP Cloud security overview 2.0
SAP Cloud security overview 2.0SAP Cloud security overview 2.0
SAP Cloud security overview 2.0Rasmi Swain
 
BeyondCorp and Zero Trust
BeyondCorp and Zero TrustBeyondCorp and Zero Trust
BeyondCorp and Zero TrustIvan Dwyer
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session Splunk
 
SBRC'17 discussion panel about NFV and SDN
SBRC'17 discussion panel about NFV and SDNSBRC'17 discussion panel about NFV and SDN
SBRC'17 discussion panel about NFV and SDNSébastien Tandel
 
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...RightScale
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019Fahad Al-Hasan
 
Log management principle and usage
Log management principle and usageLog management principle and usage
Log management principle and usageBikrant Gautam
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Harry McLaren
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk M sharifi
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)Lancope, Inc.
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseSplunk
 

What's hot (20)

Crypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and BitcoinCrypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and Bitcoin
 
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
Ken Czekaj & Robert Wright - Leveraging APM NPM Solutions to Compliment Cyber...
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsHow Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without Firewalls
 
Incident response-in-the-cloud
Incident response-in-the-cloudIncident response-in-the-cloud
Incident response-in-the-cloud
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.
 
BeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone ElseBeyondCorp - Google Security for Everyone Else
BeyondCorp - Google Security for Everyone Else
 
ITrust Security Operating Center (SOC) - Datasheet EN
ITrust Security Operating Center (SOC) - Datasheet ENITrust Security Operating Center (SOC) - Datasheet EN
ITrust Security Operating Center (SOC) - Datasheet EN
 
Customer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-CodeCustomer Story: Scaling Security With Detections-as-Code
Customer Story: Scaling Security With Detections-as-Code
 
BeyondCorp: Closing the Adherence Gap
BeyondCorp: Closing the Adherence GapBeyondCorp: Closing the Adherence Gap
BeyondCorp: Closing the Adherence Gap
 
SAP Cloud security overview 2.0
SAP Cloud security overview 2.0SAP Cloud security overview 2.0
SAP Cloud security overview 2.0
 
BeyondCorp and Zero Trust
BeyondCorp and Zero TrustBeyondCorp and Zero Trust
BeyondCorp and Zero Trust
 
Security Breakout Session
Security Breakout Session Security Breakout Session
Security Breakout Session
 
SBRC'17 discussion panel about NFV and SDN
SBRC'17 discussion panel about NFV and SDNSBRC'17 discussion panel about NFV and SDN
SBRC'17 discussion panel about NFV and SDN
 
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
PCI: Building Compliant Applications in the Public Cloud - RightScale Compute...
 
Annual OktCyberfest 2019
Annual OktCyberfest 2019Annual OktCyberfest 2019
Annual OktCyberfest 2019
 
Log management principle and usage
Log management principle and usageLog management principle and usage
Log management principle and usage
 
Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies Modern Security Operations & Common Roles/Competencies
Modern Security Operations & Common Roles/Competencies
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)So You Want a Threat Intelligence Function (But Were Afraid to Ask)
So You Want a Threat Intelligence Function (But Were Afraid to Ask)
 
Getting Started with Splunk Enterprise
Getting Started with Splunk EnterpriseGetting Started with Splunk Enterprise
Getting Started with Splunk Enterprise
 

Viewers also liked

How to Make a Decent PowerPoint
How to Make a Decent PowerPointHow to Make a Decent PowerPoint
How to Make a Decent PowerPointAdam Fowler
 
Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?Wendy Nather
 
Neira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira Jones
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareLeigh Honeywell
 
Distributed Denial Of Service Introduction
Distributed Denial Of Service IntroductionDistributed Denial Of Service Introduction
Distributed Denial Of Service Introductionwremes
 
AusCERT - Mikko Hypponen
AusCERT - Mikko HypponenAusCERT - Mikko Hypponen
AusCERT - Mikko HypponenMikko Hypponen
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Scott Carlson
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Dan Kaminsky
 
The InfoSec Avengers
The InfoSec AvengersThe InfoSec Avengers
The InfoSec AvengersTripwire
 
Security Configuration Management for Dummies
Security Configuration Management for DummiesSecurity Configuration Management for Dummies
Security Configuration Management for DummiesTripwire
 
RDF and other linked data standards — how to make use of big localization data
RDF and other linked data standards — how to make use of big localization dataRDF and other linked data standards — how to make use of big localization data
RDF and other linked data standards — how to make use of big localization dataDave Lewis
 
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...Tripwire
 
The dark side of the internet
The dark side of the internetThe dark side of the internet
The dark side of the internetBrian Honan
 
Data security brian honan
Data security brian honanData security brian honan
Data security brian honanBrian Honan
 

Viewers also liked (14)

How to Make a Decent PowerPoint
How to Make a Decent PowerPointHow to Make a Decent PowerPoint
How to Make a Decent PowerPoint
 
Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?Tactical Edge - How Much Security Do You Really Need?
Tactical Edge - How Much Security Do You Really Need?
 
Neira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf ready
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure software
 
Distributed Denial Of Service Introduction
Distributed Denial Of Service IntroductionDistributed Denial Of Service Introduction
Distributed Denial Of Service Introduction
 
AusCERT - Mikko Hypponen
AusCERT - Mikko HypponenAusCERT - Mikko Hypponen
AusCERT - Mikko Hypponen
 
Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?Just Trust Everyone and We Will Be Fine, Right?
Just Trust Everyone and We Will Be Fine, Right?
 
Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)
 
The InfoSec Avengers
The InfoSec AvengersThe InfoSec Avengers
The InfoSec Avengers
 
Security Configuration Management for Dummies
Security Configuration Management for DummiesSecurity Configuration Management for Dummies
Security Configuration Management for Dummies
 
RDF and other linked data standards — how to make use of big localization data
RDF and other linked data standards — how to make use of big localization dataRDF and other linked data standards — how to make use of big localization data
RDF and other linked data standards — how to make use of big localization data
 
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
The RMF: New Emphasis on the Risk Management Framework for Government Organiz...
 
The dark side of the internet
The dark side of the internetThe dark side of the internet
The dark side of the internet
 
Data security brian honan
Data security brian honanData security brian honan
Data security brian honan
 

Similar to RSA 2015 Realities of Private Cloud Security

Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramPriyanka Aash
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or diePriyanka Aash
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSAShannon Lietz
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainPriyanka Aash
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.Priyanka Aash
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityKarthik Gaekwad
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPriyanka Aash
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...Aaron Rinehart
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjurconjur_inc
 
Architecting Secure Web Systems
Architecting Secure Web SystemsArchitecting Secure Web Systems
Architecting Secure Web SystemsInnoTech
 
Infrastructure as Code to Maintain your Sanity
Infrastructure as Code to Maintain your SanityInfrastructure as Code to Maintain your Sanity
Infrastructure as Code to Maintain your SanityDewey Sasser
 
Why the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsWhy the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsErnest Mueller
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfacePriyanka Aash
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformAshnikbiz
 
Security for AWS : Journey to Least Privilege (update)
Security for AWS : Journey to Least Privilege (update)Security for AWS : Journey to Least Privilege (update)
Security for AWS : Journey to Least Privilege (update)dhubbard858
 
Security for AWS: Journey to Least Privilege
Security for AWS: Journey to Least PrivilegeSecurity for AWS: Journey to Least Privilege
Security for AWS: Journey to Least PrivilegeLacework
 
RSA 2016 Realities of Data Security
RSA 2016 Realities of Data SecurityRSA 2016 Realities of Data Security
RSA 2016 Realities of Data SecurityScott Carlson
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure SecurityRicky Sanders
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowPriyanka Aash
 

Similar to RSA 2015 Realities of Private Cloud Security (20)

Building and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security ProgramBuilding and Adopting a Cloud-Native Security Program
Building and Adopting a Cloud-Native Security Program
 
Cloud security : Automate or die
Cloud security : Automate or dieCloud security : Automate or die
Cloud security : Automate or die
 
Cloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSACloud Security Essentials 2.0 at RSA
Cloud Security Essentials 2.0 at RSA
 
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill ChainOrchestrating Software Defined Networks To Disrupt The Apt Kill Chain
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
 
SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.SDN and Security: A Marriage Made in Heaven. Or Not.
SDN and Security: A Marriage Made in Heaven. Or Not.
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native Security
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for Cloud
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
Q Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - ConjurQ Con New York 2015 Presentation - Conjur
Q Con New York 2015 Presentation - Conjur
 
Architecting Secure Web Systems
Architecting Secure Web SystemsArchitecting Secure Web Systems
Architecting Secure Web Systems
 
Infrastructure as Code to Maintain your Sanity
Infrastructure as Code to Maintain your SanityInfrastructure as Code to Maintain your Sanity
Infrastructure as Code to Maintain your Sanity
 
Why the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systemsWhy the cloud is more secure than your existing systems
Why the cloud is more secure than your existing systems
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surfaceRed team-view-gaps-in-the-serverless-application-attack-surface
Red team-view-gaps-in-the-serverless-application-attack-surface
 
The Sysdig Secure DevOps Platform
The Sysdig Secure DevOps PlatformThe Sysdig Secure DevOps Platform
The Sysdig Secure DevOps Platform
 
Security for AWS : Journey to Least Privilege (update)
Security for AWS : Journey to Least Privilege (update)Security for AWS : Journey to Least Privilege (update)
Security for AWS : Journey to Least Privilege (update)
 
Security for AWS: Journey to Least Privilege
Security for AWS: Journey to Least PrivilegeSecurity for AWS: Journey to Least Privilege
Security for AWS: Journey to Least Privilege
 
RSA 2016 Realities of Data Security
RSA 2016 Realities of Data SecurityRSA 2016 Realities of Data Security
RSA 2016 Realities of Data Security
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Immutable Infrastructure Security
Immutable Infrastructure SecurityImmutable Infrastructure Security
Immutable Infrastructure Security
 
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon SnowRecon for the Defender: You Know Nothing (about Your Assets), Jon Snow
Recon for the Defender: You Know Nothing (about Your Assets), Jon Snow
 

More from Scott Carlson

What are Blockchain & Tokens and are they useful ?
What are Blockchain & Tokens and are they useful ?What are Blockchain & Tokens and are they useful ?
What are Blockchain & Tokens and are they useful ?Scott Carlson
 
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?Scott Carlson
 
DCD Converged Brazil 2016
DCD Converged Brazil 2016 DCD Converged Brazil 2016
DCD Converged Brazil 2016 Scott Carlson
 
Trust But Control: Managing Privileges without killing productivity
Trust But Control: Managing Privileges without killing productivityTrust But Control: Managing Privileges without killing productivity
Trust But Control: Managing Privileges without killing productivityScott Carlson
 
Will Your Cloud Be Compliant? OpenStack Security
Will Your Cloud Be Compliant? OpenStack SecurityWill Your Cloud Be Compliant? OpenStack Security
Will Your Cloud Be Compliant? OpenStack SecurityScott Carlson
 
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data Center
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data CenterInterop Las Vegas Cloud Connect Summit 2014 - Software Defined Data Center
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data CenterScott Carlson
 
Can Security & Agility Co-Exist
Can Security & Agility Co-ExistCan Security & Agility Co-Exist
Can Security & Agility Co-ExistScott Carlson
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011Scott Carlson
 
HP Enterprise Security Customer Case Study - Apollo Group
HP Enterprise Security Customer Case Study - Apollo GroupHP Enterprise Security Customer Case Study - Apollo Group
HP Enterprise Security Customer Case Study - Apollo GroupScott Carlson
 
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013Marriage of ESX and OpenStack - PayPal - VMWorld US 2013
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013Scott Carlson
 
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile Devices
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile DevicesMcAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile Devices
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile DevicesScott Carlson
 
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...Scott Carlson
 
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013Scott Carlson
 

More from Scott Carlson (13)

What are Blockchain & Tokens and are they useful ?
What are Blockchain & Tokens and are they useful ?What are Blockchain & Tokens and are they useful ?
What are Blockchain & Tokens and are they useful ?
 
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?
RSA APJ - BLOCKCHAIN SECURITY – IS IT REALLY DIFFERENT THAN ANYTHING ELSE ?
 
DCD Converged Brazil 2016
DCD Converged Brazil 2016 DCD Converged Brazil 2016
DCD Converged Brazil 2016
 
Trust But Control: Managing Privileges without killing productivity
Trust But Control: Managing Privileges without killing productivityTrust But Control: Managing Privileges without killing productivity
Trust But Control: Managing Privileges without killing productivity
 
Will Your Cloud Be Compliant? OpenStack Security
Will Your Cloud Be Compliant? OpenStack SecurityWill Your Cloud Be Compliant? OpenStack Security
Will Your Cloud Be Compliant? OpenStack Security
 
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data Center
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data CenterInterop Las Vegas Cloud Connect Summit 2014 - Software Defined Data Center
Interop Las Vegas Cloud Connect Summit 2014 - Software Defined Data Center
 
Can Security & Agility Co-Exist
Can Security & Agility Co-ExistCan Security & Agility Co-Exist
Can Security & Agility Co-Exist
 
You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011You Can't Correlate what you don't have - ArcSight Protect 2011
You Can't Correlate what you don't have - ArcSight Protect 2011
 
HP Enterprise Security Customer Case Study - Apollo Group
HP Enterprise Security Customer Case Study - Apollo GroupHP Enterprise Security Customer Case Study - Apollo Group
HP Enterprise Security Customer Case Study - Apollo Group
 
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013Marriage of ESX and OpenStack - PayPal - VMWorld US 2013
Marriage of ESX and OpenStack - PayPal - VMWorld US 2013
 
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile Devices
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile DevicesMcAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile Devices
McAfee Focus 2011 - Security in the Age of a Mobile Workforce and Mobile Devices
 
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...
Marriage of Openstack with KVM and ESX at PayPal OpenStack Summit Hong Kong F...
 
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013
High Availability OpenStack at PayPal - OpenStack Summit Fall Hong Kong 2013
 

Recently uploaded

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

RSA 2015 Realities of Private Cloud Security

  • 1. SESSION ID: #RSAC Scott Carlson – PayPal Realities of Private Cloud Security CSV-F03 @relaxed137
  • 2. #RSAC Cloud Design Principals, traditional Data Center Deploy from Templates Any Image, Anywhere Automatically scale up/down workloads Follow devops auto-deployments CI/CD Respond to intra-cloud events ELASTIC VIRTUAL PCI-DSS 2.0 and 3.0 Local Country RequirementsSECURE PayPal Cloud & Software Defined Data Center 2
  • 3. #RSAC Compliance <> Security Secure Compliant PCI DSS HIPAA / HITECH SOX FedRAMP/FISMA ISO/IEC 27001-2005 NIST SP800-53
  • 4. #RSAC @ http://xkcd.com used with permission under Creative commons License 4
  • 5. #RSAC Compliance Requirements of PayPal ✔ ✔ 5 Compliant with PCI-DSS 2.0 Standards Non-US locations compliant with local country regulations
  • 6. #RSAC Be patched, be compliant, be hardened, be layered, don’t let data leave your network Log it all; parse it all; sesame street logic; leave no stone unturnedDETECT PREVENT Quarantine; active defense; mitigate; high priority patches; bug fixes; block ports; kill data streams; sever connections RESPOND What is Secure 6
  • 7. #RSAC Are there any Private Cloud Standards? … Hardly … Cloud Controls Matrix 3.0.1 – release date 7/2015 https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ PCI DSS Virtualization Guidelines https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf PCI DSS Cloud Computing Guidelines https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf NIST Special Publication 800-144 http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf 7
  • 8. #RSAC What about Public Cloud? A lot of vendors have been upping their game with security in the public cloud. If your organization does not have an Information Security organization, you do not run your own data center, or you just flat out don’t know where to begin, there are public cloud solutions that can meet most information security requirements today. … This talk is not about the Public Cloud … 8
  • 9. #RSAC Our Methodology – Private Cloud Security 9  Don’t make it too hard – it’s just mostly infrastructure  Adapt FAST  Developers & “AAS” Washing changes the access paradigm (2FA + RBAC anyone?)  3rd-party applications sitting on a cloud are still just 3rd-party applications  Home-grown application sitting on a cloud are still just home-grown applications  Cross-managing “in-scope” and “out-of-scope” environments is fraught with peril. Tread Lightly…  The minute something is created in the cloud, it is subject to the requirements. Existence = production because it could be compromised, attacked, …
  • 10. #RSAC Agile Quick and well-coordinated in movement; marked by an ability to think quickly; intellectual acuity  Consider everything dirty… examine it… spray the bad parts… clean it… use machines to do the dirty work  Run traffic over it… verify assumptions… send it back to the wash if needed… deliver to customer… use it yourself  Check your work… check new versions… talk to new people… find all of the new and exciting ways people are doing things 10
  • 11. #RSAC Basic Methodology Just pretend it is infrastructure OpenStack has servers in it  Hardware configured and dedicated to the cloud  Hypervisor/Build Image meeting NIST/CIS standard templates  Vulnerability Scanning with third-party tooling  Patching 7-, 30-, 90-day windows with vendor provided patches  Configuration Management for important system files  Password Management – non-default, complex and unique! OpenStack has users in it  Do not use shared accounts for anything. Just don’t  Log everything (auth) about a user. Send it somewhere you can find it. Keep it a LONG time  Define a Role, Add People to the Role, Attest the Role  Multi-Factor Tokens!!!!  All cloud actions tied back to an individual user 11
  • 12. #RSAC Basic Methodology Just pretend it is infrastructure Hypervisor Components  It’s just “Linux”. Treat it like hardened “Linux” and lock it down to standards (CIS, NIST)  Have a separate management interface from your production traffic (physical or virtual)  Do not combine security zones within a single hypervisor because then it’s ALL “in-scope”  Audit access, audit changes, be ready to show your work  Be ready to defend decisions to share ports for components OpenStack Software Stack  Limited vulnerability scanning in a programmatic way, have to build your own (Fortify, AppScan)  Getting code from Trunk = Open Source Happiness, but have your licenses reviewed!  You still need to code review if CDE passes through here  Avoid Avoid Avoid actual data getting put in your cloud stack (not guest VMs, those are ok) 12
  • 13. #RSAC Basic Methodology Just pretend it is infrastructure Physical Network Components  Firewall rules around the cloud to limit ingress and egress (is iptables a firewall?)  Monitor what happens on your firewalls, send it somewhere, keep it a LONG time  Make sure the person building your network isn’t the person building your cloud (SOD)  Configuration guidelines exist for most physical installations (avoid virtual for now…)  Automation is fine, but make sure you log it and auto-ticket it Virtual Network Components  Too early in the testing process to rely on virtual versions of components at scale [ No standards, Auditor Support ]  Okay for intra-tenant traffic with minimal rule set  Same rules for physical apply to virtual. Has your third-party pen-tested and certified their thing? 13
  • 14. #RSAC @ http://xkcd.com used with permission under Creative commons License 14
  • 15. #RSAC Basic Methodology Just pretend it is infrastructure Data  If it’s card-holder data, controls become interesting very quickly  Encrypt your data PRIOR to writing it to databases/repositories  Storing things encrypted at rest in VMs mean you can’t use OpenStack components  HSM, crypto, key management required  User management, controls over data, logging, all of the standard stuff needed 15
  • 16. #RSAC Basic Methodology Just pretend it is infrastructure “As a Service” Tooling  Role-based access  2FA to “in-scope” environments  TLS on EVERYTHING  Don’t pass your tokens around, expire them quickly  Don’t rely on credentials from the wrong environment!  Always check for software vulnerabilities in your code  NOTHING goes into production without passing the sanity test… NOTHING 16
  • 17. #RSAC Basic Methodology Just pretend it is infrastructure Central Management Considerations  Make all of your management control planes trusted  It is NEVER okay to talk from a lower-trust environment into a higher-trust environment  It is better to expose a protected web front-end than keep the “manager” in an untrusted zone  If your control plane is compromised, your cloud is toast. Cloud expands the cascade of compromise across your whole environment depending on your control plane and availability zones  Deleting your cloud as an attack is just the same as a compromise sometimes 17
  • 18. #RSAC Secure is not a permanent state 18
  • 19. #RSAC Security can not work effectively unless you have agility 19
  • 20. #RSAC How to apply this to your own environment?  Look into how you are using your cloud today  Verify the security controls and regulatory controls you need  Do the basics discussed here  Pen Test your cloud  Resolve the findings, and then start iterating and making more secure!  Get involved to fix industry standards so that private clouds are people too! 20
  • 21. #RSAC For more information, please contact: Scott Carlson sccarlson@paypal.com @relaxed137