
Published on February 7th, 2016


Security Topics in Open Cloud: Advanced Threats, 2015's Vulnerabilities …




Jason Cohen
https://linux.conf.au/schedule/30298/view_talk
This talk will present an assortment of security topics related to open source cloud computing technologies. Topics will include an overview of the most significant security flaws discovered over the last year in popular cloud platforms, the generic foundations of advanced persistent threats, and some of the recent countermeasures of encryption, key management, and platform validation being introduced into OpenStack and Hadoop. A demo of Trusted Compute Pools will also be given, along with an explanation of what types of advanced threats it protects against.

It would seem that, despite the exponential growth in security products, security services, security companies, security certifications, and general interest in the security topic, we are still bombarded with a constant parade of security vulnerability disclosures on a seemingly daily basis. Knowing that complete protection from threats and vulnerabilities at the front end of the infrastructure is impossible, and that advanced threats will find their way past our defenses, efforts to protect the data and the ‘keys to the castle’, the last line of defense, are even more critical.





The hardware enabling ‘trusted computing’ is referred to as a Trusted Platform Module (TPM), and is designed as a commodity chip that is integrated into motherboards, as well as appliances such as network switches, firewalls, and embedded devices. The TPM provides features that are useful in providing assurances about the state of a platform and protecting sensitive information. Essentially, the chip can be used to generate, store, and protect encryption keys. It also provides a mechanism to record the state of a platform through a traceable, cryptographic mechanism, which can be securely attested to a remote verifier. TPMs have been around for a while but had a slow uptake in actual use until recently, due to initial privacy concerns that have been mostly overcome. Many cloud deployments include hardware with a TPM, but it is rarely used.

Championed by Intel and others, support for using the TPM and the related Intel TXT to provide remote attestation has been included in OpenStack in the form of Trusted Compute Pools. This feature can detect systems within the cloud that have booted untrusted code and block guests from executing on them. This will be demo’ed on a live system. While this boot-time detection of untrusted code is beneficial, there are other ways a TPM could be utilized to better protect user or application data via strong and cheap protection of keys. Work being done in OpenStack to utilize the TPM for key protection will also be discussed.

In addition, when configuring bare metal systems, there are many other ways to use the TPM, such as with the IMA/EVM subsystem or by using the TPM to protect keys used in disk encryption, applications, or user data. Some of the common tools for using TPMs on bare metal systems will be enumerated.

Lastly, although not necessarily a ‘cloud’ platform, Hadoop is a mainstay in the related field of big data. Until recently, the lack of block-level encryption has been an issue for organizations looking to protect Hadoop data. We will discuss the architecture of the Hadoop encryption framework and considerations for key protection.
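The abstract describes the TPM recording platform state "through a traceable, cryptographic mechanism" that a remote verifier can check, and Trusted Compute Pools using that check to keep guests off hosts that booted untrusted code. The following is an added example, not code from the talk, from OpenStack, or from Intel: a toy model of how a measured boot chains component hashes into a Platform Configuration Register (PCR) and how a verifier replays the accompanying event log against a known-good list to decide whether a host may join the trusted pool. The component names, their contents, and the "known-good" hashes are constructed for the example; a real TPM quote is additionally signed by an attestation key, which is omitted here.

```python
"""Toy model of TPM-style boot measurement and remote attestation (added example).

Each boot stage is hashed and "extended" into a register:
    PCR_new = H(PCR_old || H(component))
The register is never overwritten, only chained, so its final value commits
to the whole ordered sequence of code that ran. A verifier that holds the
event log and a list of known-good measurements replays the log, checks it
reproduces the quoted PCR, and compares every entry against the list.
"""
import hashlib
from typing import Dict, List, Tuple

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32  # PCRs are zeroed at power-on


def measure(component: bytes) -> bytes:
    """Digest of a boot component, as firmware would compute before running it."""
    return HASH(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR_Extend: chain a new measurement onto the current register value."""
    return HASH(pcr + digest).digest()


def boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Simulate a measured boot of the given (name, blob) stages.

    Returns the final PCR value (what a TPM quote would report) and the event
    log (name, hex digest) that is sent alongside the quote to the verifier.
    """
    pcr = PCR_INIT
    log: List[Tuple[str, str]] = []
    for name, blob in components:
        digest = measure(blob)
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, log


def replay(log: List[Tuple[str, str]]) -> bytes:
    """Verifier side: recompute the PCR a given event log should produce."""
    pcr = PCR_INIT
    for _, hexdigest in log:
        pcr = extend(pcr, bytes.fromhex(hexdigest))
    return pcr


def attest(quoted_pcr: bytes, log: List[Tuple[str, str]],
           known_good: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Decide whether a host is trusted; returns (trusted, reasons for rejection)."""
    reasons: List[str] = []
    # 1. The log must reproduce the quoted register, or it was edited/truncated.
    if replay(log) != quoted_pcr:
        reasons.append("event log does not reproduce quoted PCR")
    # 2. Every measured stage must match a known-good value.
    for name, hexdigest in log:
        expected = known_good.get(name)
        if expected is None:
            reasons.append(f"unknown component measured: {name}")
        elif expected != hexdigest:
            reasons.append(f"unexpected measurement for {name}")
    return (not reasons), reasons


# Constructed golden boot chain; in practice the known-good list comes from
# the attestation service's whitelist for that hardware/software image.
GOOD_BOOT: List[Tuple[str, bytes]] = [
    ("firmware", b"example firmware v1"),
    ("bootloader", b"example bootloader 2.02"),
    ("kernel", b"example kernel 4.4"),
]
KNOWN_GOOD: Dict[str, str] = {name: measure(blob).hex() for name, blob in GOOD_BOOT}


def check_host(components: List[Tuple[str, bytes]]) -> Tuple[bool, List[str]]:
    """Boot a simulated host and run the verifier against the golden list."""
    pcr, log = boot(components)
    return attest(pcr, log, KNOWN_GOOD)


if __name__ == "__main__":
    print("clean host:", check_host(GOOD_BOOT))
    tampered = [(n, b if n != "bootloader" else b + b" + implant") for n, b in GOOD_BOOT]
    print("tampered host:", check_host(tampered))
```

The two checks are deliberately separate: the replay catches a host that presents a clean-looking log with a register value that does not match it, while the per-entry comparison catches a host whose log is honest but includes a stage the verifier has never approved. Either condition would keep the host out of the trusted pool.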


2016-02-06 23:48:24




